Not to be a total flamer, well ok, I will be.  What kind of crap are you
telling these people?  I would love to say, here are some official docs
from the documents team telling you how to use a crossover cable with a
PIX:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/config/advanced.htm
This is the standard pix v5.0 config guide, it also tells you to use a
crossover cable:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/pixrn501.htm
This is part of the v5.1 intro for new users, it also tells you to use
a crossover cable:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/install/intro.htm
Most of them even go as far as telling me how to make one.  

As for security risks, I would say you are right, but connecting up a hub
purely so you can do autonegotiation?! Someone needs to learn how to
configure their ports.  Also, who puts glue in their hubs?  I would love
some officially sealed envelope saying don't do this when they have docs
telling me how.

On Wed, 5 Jul 2000, Dario N. Ciccarone wrote:

> a) he was connecting a web server to the DMZ - only have to connect two
> interfaces: the pix & the web server - glue the other ports, if you
> want . . . .
>
> b) if someone who can be a security risk can get closer to the pix enough
> to connect something to the hub/switch, i think it's pointless discussing
> this . . . . you already have a bigger security problem . . . .
>
> c) once again: the link negotiation is the problem . . . read the previous
> mail. and which added security are you talking about? about something
> connecting a sniffer to the same segment your inside OR outside
> interfaces? once again: if someone gets that near to your firewall without
> you knowing, you have bigger problems . . .
>
> d) about an officially sealed envelope with Cisco written all over it, and
> inside a sheet of paper saying "please, don't do this": no, i do not have
> such a document. sorry, i'm just using my previous experience and the
> knowledge available to me from my co-workers . . . . . guess i should ask
> the pix documentation team to add a warning on the docs about using a
> crossover cable . . . ;)
>
> dario
> 
> 
> At 12:32 PM 7/5/00 -0700, Network Operations wrote:
> >I NEVER have a switch/Hub off the outside interface. I consider it a
> >security risk having an access point off the outside interface....Call
> >me crazy..
> >
> >Do you actually have any "Cisco" documentation that states not to attach
> >DTEs directly to the PIX?? The only problem I've ever seen is when the
> >link goes down, you need to reboot both the PIX and the Router to
> >reestablish link negotiation. A small inconvenience for the added
> >security.
> >
> >The DMZ yes Obviously you need several devices out there...
> >
> >Marc...
> >
> > >>> "Dario N. Ciccarone" <[EMAIL PROTECTED]> 07/05/00 11:57AM >>>
> >that's exactly the reason why we do not recommend using a crossover
> >cable: link negotiation. use instead another VLAN or a hub.
> >
> >the problem is, if you connect an end station to the PIX using a
> >crossover, it sometimes works, sometimes not, and you end up with a
> >problem you don't know if it's a hardware or configuration one . . . .
> >
> >
> >At 02:46 PM 7/5/00 -0400, Gordon Macpherson wrote:
> >
> > >I've connected PIX's (different models) to ethernet interfaces on
> > >routers with crossover cables many times.
> > >
> > >Link negotiation may be a problem in some cases - in this case you can
> > >explicitly set the interface parameters in the PIX config.
> > >
> > >"Dario N. Ciccarone" wrote:
> > >
> > > > rob:
> > > >
> > > > >          you can not directly connect something to the pix, not even
> > > > w/ a crossover cable. define a new VLAN on the switch, a two port
> > > > one, and connect the dmz interface of the pix and the web server to
> > > > that vlan.
> > > >
> > > > A
> > >
> > >Gordon MacPherson
> > >Senior Systems Administrator             [EMAIL PROTECTED] 
> > >Base4 Inc.                               www.base4.com 
> > >6299 Airport Rd. Suite 601               Voice: (905) 677-0532 ext. 223
> > >Mississauga, Ontario L4V 1N3             Fax: (905) 677-1122
> > >
> > >
> >
> >Dario N. Ciccarone
> >Internship SE
> >Cisco Systems
> >Argentina, Paraguay, Uruguay y Bolivia
> >Ing. Enrique Butty 240 Piso 17
> >C1001ABF, Buenos Aires , Argentina
> >Phone/Vmail: 54-11-4341-0203
> >Fax: 54-11-4341-0149
> >mailto:[EMAIL PROTECTED] 
> >Pager: 54 -11-4348-9000 PIN:1268307 or mailto:[EMAIL PROTECTED] 
> >
> >
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]
> >
> 
> Dario N. Ciccarone
> Internship SE
> Cisco Systems
> Argentina, Paraguay, Uruguay y Bolivia
> Ing. Enrique Butty 240 Piso 17
> C1001ABF, Buenos Aires , Argentina
> Phone/Vmail: 54-11-4341-0203
> Fax: 54-11-4341-0149
> mailto:[EMAIL PROTECTED]
> Pager: 54 -11-4348-9000 PIN:1268307 or mailto:[EMAIL PROTECTED]
> 
