a) he was connecting a web server to the DMZ - you only have to connect two interfaces:
the pix & the web server - glue the other ports, if you want . . . .
b) if someone who can be a security risk can get closer to the pix enough to connect
something to the hub/switch, i think it's pointless discussing this . . . . you
already have a bigger security problem . . . .
c) once again: the link negotiation is the problem . . . read the previous mail. and
which added security are you talking about? about someone connecting a sniffer to
the same segment as your inside OR outside interfaces? once again: if someone gets that
near to your firewall without you knowing, you have bigger problems . . .
d) about an officially sealed envelope with Cisco written all over it, and inside a
sheet of paper saying "please, don't do this": no, i do not have such a document.
sorry, i'm just using my previous experience and the knowledge available to me from my
co-workers . . . . . guess i should ask the pix documentation team to add a warning on
the docs about using a crossover cable . . . ;)
dario
At 12:32 PM 7/5/00 -0700, Network Operations wrote:
>I NEVER have a switch/Hub off the outside interface. I consider it a security risk
>having an access point off the outside interface....Call me crazy..
>
>Do you actually have any "Cisco" documentation that states not to attach DTEs
>directly to the PIX? The only problem I've ever seen is when the link goes down: you
>need to reboot both the PIX and the Router to reestablish link negotiation. A small
>inconvenience for the added security.
>
>The DMZ yes Obviously you need several devices out there...
>
>Marc...
>
> >>> "Dario N. Ciccarone" <[EMAIL PROTECTED]> 07/05/00 11:57AM >>>
>that's exactly the reason why we do not recommend using a crossover cable: link
>negotiation. use instead another VLAN or a hub.
>
>the problem is, if you connect an end station to the PIX using a crossover, it
>sometimes works, sometimes not, and you end up with a problem you don't know if it's a
>hardware or configuration one . . . .
>
>
>At 02:46 PM 7/5/00 -0400, Gordon Macpherson wrote:
>
> >I've connected PIX's (different models) to ethernet interfaces on
> >routers with crossover cables many times.
> >
> >Link negotiation may be a problem in some cases - in this case you can
> >explicitly set the interface parameters in the PIX config.
> >
> >"Dario N. Ciccarone" wrote:
> >
> > > rob:
> > >
> > > you cannot directly connect something to the pix, not even
> > > w/ a crossover cable. define a new VLAN on the switch, a two port
> > > one, and connect the dmz interface of the pix and the web server to
> > > that vlan.
> > >
> > > A
> >
> >Gordon MacPherson
> >Senior Systems Administrator [EMAIL PROTECTED]
> >Base4 Inc. www.base4.com
> >6299 Airport Rd. Suite 601, Mississauga, Ontario L4V 1N3
> >Voice: (905) 677-0532 ext. 223 Fax: (905) 677-1122
> >
> >
>
>Dario N. Ciccarone
>Internship SE
>Cisco Systems
>Argentina, Paraguay, Uruguay and Bolivia
>Ing. Enrique Butty 240 Piso 17
>C1001ABF, Buenos Aires , Argentina
>Phone/Vmail: 54-11-4341-0203
>Fax: 54-11-4341-0149
>mailto:[EMAIL PROTECTED]
>Pager: 54 -11-4348-9000 PIN:1268307 or mailto:[EMAIL PROTECTED]
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
Dario N. Ciccarone
Internship SE
Cisco Systems
Argentina, Paraguay, Uruguay and Bolivia
Ing. Enrique Butty 240 Piso 17
C1001ABF, Buenos Aires , Argentina
Phone/Vmail: 54-11-4341-0203
Fax: 54-11-4341-0149
mailto:[EMAIL PROTECTED]
Pager: 54 -11-4348-9000 PIN:1268307 or mailto:[EMAIL PROTECTED]
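The explicit interface settings Gordon refers to, as an added illustration that is not from any poster in this thread: a constructed PIX 5.x/6.x-style interface line and the matching IOS settings on a directly attached router. The interface names (ethernet2 on the PIX, FastEthernet0/1 on the router) are assumptions.

```text
! Constructed example, not from the thread.
! PIX side: pin the DMZ port to 100 Mb/s full duplex instead of auto-negotiation.
interface ethernet2 100full

! Router (IOS) side, attached with a crossover cable. Both ends must be pinned
! the same way; a mismatch (one side auto, one side fixed) shows up as late
! collisions, CRC errors or a link that only comes up after a reboot.
interface FastEthernet0/1
 speed 100
 duplex full
```

After the change, `show interface` on the PIX and `show interfaces FastEthernet0/1` on the router should both report 100 Mb/s full duplex with a stable link and no growing error counters.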