first & foremost: all my involvement in this list is based on my own experience & 
knowledge. my opinions/comments are my personal opinions, and not necessarily the 
official position of the company about anything. i just want to help (if i can) the 
people that need some help using our products, and is not necessarily the one & only 
answer about anything.

now that i've made myself clear on the subject, i would like to point only two things:

a) i've personally had issues when using a crossover cable. you can manually 
configure the interface on the PIX on whatever setup you need, say 100 or 10, full or 
half duplex, what you need on any case. but if you leave the autodetect setting on, 
you can run into some issues w/ some NIC cards connected to that port on the PIX. so, YOU 
CAN DO THAT, but can run into some issues, issues that can be solved by setting 
parameters on the configuration of one or both pieces of equipment. so, just as a piece of 
personal advice, i suggested doing that.

b) i'm sorry if at any moment it sounded like i was flaming or misinterpreting 
something. i regret if that happened, but once again, it was my personal fault.

                                                                         thanks,
                                                                                 dario


At 09:55 PM 7/5/00 -0700, Ben Smith wrote:
>Not to be a total flamer, well ok, I will be.  What kind of crap are you
>telling these people?  I would love to say, here are some official docs
>from the documents team telling you how to use a crossover cable with a
>PIX:
>http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/config/advanced.htm
>This is the standard pix v5.0 config guide, it also tells you to use a
>crossover cable:
>http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/pixrn501.htm
>This is part of the v5.1 intro for new users, it also tells you to use
>a crossover cable:
>http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/install/intro.htm
>Most of them even go as far as telling me how to make one.  
>
>  As for security risks, I would say you are right, but connecting up a hub
>purely so you can do autonegotiation?! Someone needs to learn how to
>configure their ports.  Also, who puts glue in their hubs?  I would love
>some officially sealed envelope saying don't do this when they have docs
>telling me how.
>
>On Wed, 5 Jul 2000, Dario N. Ciccarone wrote:
>
> > a) he was connecting a web server to the DMZ - only have to connect two
> > interfaces: the pix & the web server - glue the other ports, if you want . . . .
> >
> > b) if someone who can be a security risk can get closer to the pix enough to
> > connect something to the hub/switch, i think it's pointless discussing this . . . .
> > you already have a bigger security problem . . . .
> >
> > c) once again: the link negotiation is the problem . . . read the previous mail.
> > and which added security are you talking about? about something connecting a sniffer
> > to the same segment your inside OR outside interfaces? once again: if someone gets
> > that near to your firewall without you knowing, you have bigger problems . . .
> >
> > d) about an officially sealed envelope with Cisco written all over it, and inside
> > a sheet of paper saying "please, don't do this": no, i do not have such a document.
> > sorry, i'm just using my previous experience and the knowledge available to me from
> > my co-workers . . . . . guess i should ask the pix documentation team to add a
> > warning on the docs about using a crossover cable . . . ;)
> >
> >                                                                  dario
> > 
> > 
> > At 12:32 PM 7/5/00 -0700, Network  Operations wrote:
> > >I NEVER have a switch/Hub off the outside interface. I consider it a security
> > >risk having an access point off the outside interface....Call me crazy..
> > >
> > >Do you actually have any "Cisco" documentation that states not to attach DTEs
> > >directly to the PIX ?? The only problem I've ever seen is when the link goes down, you
> > >need to reboot both the PIX and the Router to reestablish link negotiation. A small
> > >inconvenience for the added security.
> > >
> > >The DMZ yes Obviously you need several devices out there...
> > >
> > >Marc...
> > >
> > > >>> "Dario N. Ciccarone" <[EMAIL PROTECTED]> 07/05/00 11:57AM >>>
> > >that's exactly the reason why we do not recommend using a crossover cable: link
> > >negotiation. use instead another VLAN or a hub.
> > >
> > >the problem is, if you connect an end station to the PIX using a crossover, it
> > >sometimes works, sometimes not, and you end up with a problem you don't know if it's a
> > >hardware or configuration one . . . .
> > >
> > >
> > >At 02:46 PM 7/5/00 -0400, Gordon Macpherson wrote:
> > >
> > > >I've connected PIX's (different models) to ethernet interfaces on
> > > >routers with crossover cables many times.
> > > >
> > > >Link negotiation may be a problem in some cases - in this case you can
> > > >explicitly set the interface parameters in the PIX config.
> > > >
> > > >"Dario N. Ciccarone" wrote:
> > > >
> > > > > rob:
> > > > >
> > > > >          you cannot directly connect something to the pix, not even
> > > > > w/ a crossover cable. define a new VLAN on the switch, a two port
> > > > > one, and connect the dmz interface of the pix and the web server to
> > > > > that vlan.
> > > > >
> > > > > A
> > > >
> > > >Gordon MacPherson
> > > >Senior Systems Administrator             [EMAIL PROTECTED] 
> > > >Base4 Inc.                               www.base4.com 
> > > >6299 Airport Rd. Suite 601               Voice: (905) 677-0532 ext. 223
> > > >Mississauga, Ontario L4V 1N3             Fax: (905) 677-1122
> > > >
> > > >
> > >
> > >Dario N. Ciccarone
> > >Internship SE
> > >Cisco Systems
> > >Argentina, Paraguay, Uruguay y Bolivia
> > >Ing. Enrique Butty 240 Piso 17
> > >C1001ABF, Buenos Aires , Argentina
> > >Phone/Vmail: 54-11-4341-0203
> > >Fax: 54-11-4341-0149
> > >mailto:[EMAIL PROTECTED] 
> > >Pager: 54 -11-4348-9000 PIN:1268307 or mailto:[EMAIL PROTECTED] 
> > >
> > >
> > >-
> > >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> > >"unsubscribe firewalls" in the body of the message.]
> > >
> > 
> > Dario N. Ciccarone
> > Internship SE
> > Cisco Systems
> > Argentina, Paraguay, Uruguay y Bolivia
> > Ing. Enrique Butty 240 Piso 17
> > C1001ABF, Buenos Aires , Argentina
> > Phone/Vmail: 54-11-4341-0203
> > Fax: 54-11-4341-0149
> > mailto:[EMAIL PROTECTED]
> > Pager: 54 -11-4348-9000 PIN:1268307 or mailto:[EMAIL PROTECTED]
> > 
> > 
> > 
> > 
>

Disclaimer:
These are my opinions and not necessarily those of Cisco Systems

Dario N. Ciccarone
Internship SE
Cisco Systems
Argentina, Paraguay, Uruguay y Bolivia
Ing. Enrique Butty 240 Piso 17
C1001ABF, Buenos Aires , Argentina
Phone/Vmail: 54-11-4341-0203
Fax: 54-11-4341-0149
mailto:[EMAIL PROTECTED]
Pager: 54 -11-4348-9000 PIN:1268307 or mailto:[EMAIL PROTECTED]

