Re: PIX conduit access lists [7:26684]

2001-11-29 Thread Steve Alston

Thanks again Allen,
  Does that mean the responses to my outbound requests are allowed in by
default?  For example, my request for a web page is allowed through the
firewall. Would the page in response of that request be allowed through the
firewall?

Steve

Allen May wrote in message news:[EMAIL PROTECTED]...
 NAT or internal servers with real IP addresses using NAT 0 can access
 anything until you block it.  Outbound requests (such as http, ftp, etc)
 are all enabled by default.  Users outside the firewall cannot access
 internal IPs without access-list or conduit statements.

 In short, all outbound enabled and all inbound disabled by default.

 For your conduit permit icmp any any I would enable echo reply only rather
 than full icmp.  Echo reply only allows replies back to the person pinging
 or tracerouting.  Full icmp can be exploited in DoS attacks.
 example:
 access-list 10 permit icmp any any echo-reply
 access-group 10 interface outside
 (apply one to interface inside for outbound)

 Allen

 - Original Message -
 From: Steve Alston
 To:
 Sent: Wednesday, November 28, 2001 4:08 PM
 Subject: Re: PIX conduit & access lists [7:26684]


  Patrick & Allen,
  Thanks for the responses -- helps loads.  I'm still slightly confused.

  I did a clear conduit expecting to block all incoming traffic.  Following
  the clear conduit, I did a show conduit to verify there were not any
  conduits in operation.  At that time, I was still able to receive web
  traffic at my workstation.  For that matter, the conduit statements only
  applied to specific servers so why am I able to receive http at my
  workstation?  I did try to PING an IP address which failed when I removed
  the conduits and worked when I restored conduit permit icmp any any --
  that behaved as expected.

  Thanks,
  Steve
 
  Allen May wrote in message news:[EMAIL PROTECTED]...
   Very true and a good point, but the original question was about conduits
   which only apply to lower-higher.  Higher-lower requires NAT.  I
   accidentally typed access-list below but meant conduit. ;)  *slap self &
   get more coffee*.  It still applies but wasn't what I meant to say.

   Thanks for pointing that out though.
  
  
   - Original Message -
   From: Patrick W. Bass
   To:
   Sent: Sunday, November 25, 2001 10:14 PM
   Subject: Re: PIX conduit & access lists [7:26684]
  
  
   Allen May wrote in message news:[EMAIL PROTECTED]...
    I'm not sure if this was answered or not, but a firewall always assumes
    a deny all at the end of the access-list for inbound.  Outbound is
    different since it allows all by default.

   Remember this:  Higher security level to lower security level, implicitly
   allowed.  Lower security level to higher security level, implicitly
   denied.  Otherwise it gets tricky once you start messing with multiple
   DMZs.

    Also, access-lists are the way to go since conduits will be phased out
    in the near future.

    Allen

 - Original Message -
 From: Steve Alston
 To:
 Sent: Monday, November 19, 2001 9:25 AM
 Subject: Re: PIX conduit & access lists [7:26684]


     Carroll,
     Thanks for the reply.  I'm using conduits now, but will switch to
     access lists in the future.  (I'd like to fully understand the
     configuration I inherited before I start making changes)  Are implicit
     denies inserted behind each conduit as well?
 
 
     Carroll Kong wrote in message news:[EMAIL PROTECTED]...
      Implicit denies behind every access-list are inserted.  Are you
      mixing conduits and access-lists?  You really should not.  Use ALL
      conduits or ALL access-lists.  If both are used, conduits take
      priority and override your access-lists.  Access-lists are first
      match, conduits are any match.

      At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
       Does the PIX 506 require an explicit deny statement after setting up
       a permit conduit or access list?

       I appear to be receiving more traffic (e.g. NTP) than my conduit
       statements allow.

       Thanks much,
       Steve
      -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27737t=26684
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
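A small simulation of the rules stated in this thread: Carroll's "access-lists are first match, conduits are any match" with the implicit deny at the end, Patrick's "higher security level to lower is implicitly allowed, lower to higher implicitly denied", and Allen's echo-reply-only access-list in place of a full "conduit permit icmp any any". This is an added Python example, not code from any message in the thread or from Cisco. The interface names and security levels, the addresses, and the mini-parser for the two line forms used in the thread are constructed assumptions; the model is stateless and does not cover the PIX's handling of return traffic for outbound connections, which is the question Steve's last post raises.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed interface security levels (assumed: inside=100, dmz=50, outside=0).
SECURITY_LEVELS = {"outside": 0, "dmz": 50, "inside": 100}


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[str] = None  # e.g. "echo" or "echo-reply"


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: str                         # "any" or a single host address
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


def _take_addr(t: list, i: int):
    """Consume 'any' or 'host <addr>' at t[i]; return (address, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address form: {t[i]!r}")


def parse_rule(line: str) -> Rule:
    """Hypothetical mini-parser (an assumption, not the PIX grammar) for:
       access-list <id> permit <proto> <src> <dst> [eq <port> | <icmp-type>]
       conduit permit <proto> <global/dst> [eq <port>] <src> [<icmp-type>]
    Conduits name the destination (global) address first, access-lists the source."""
    t = line.split()
    port = icmp_type = None
    if t[0] == "access-list":
        action, proto = t[2], t[3]
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
    elif t[0] == "conduit":
        action, proto = t[1], t[2]
        dst, i = _take_addr(t, 3)
        if i < len(t) and t[i] == "eq":
            port, i = int(t[i + 1]), i + 2
        src, i = _take_addr(t, i)
    else:
        raise ValueError(f"unsupported line: {line!r}")
    if i < len(t) and t[i] == "eq":          # access-list destination port
        port, i = int(t[i + 1]), i + 2
    if i < len(t) and proto == "icmp":       # trailing ICMP type, e.g. echo-reply
        icmp_type = t[i]
    return Rule(action, proto, src, dst, port, icmp_type)


def eval_access_list(rules: Iterable[Rule], p: Packet) -> bool:
    """Access-lists are first match; the implicit deny at the end catches the rest."""
    for r in rules:
        if r.matches(p):
            return r.action == "permit"
    return False


def eval_conduits(conduits: Iterable[Rule], p: Packet) -> bool:
    """Conduits are any match: a single matching permit conduit opens the hole."""
    return any(c.action == "permit" and c.matches(p) for c in conduits)


def allowed(p: Packet, ingress: str, egress: str,
            access_list: Iterable[Rule] = (), conduits: Iterable[Rule] = ()) -> bool:
    """Decide for a packet entering `ingress` and leaving `egress`."""
    if SECURITY_LEVELS[ingress] > SECURITY_LEVELS[egress]:
        return True                  # higher -> lower: implicitly allowed (outbound)
    if eval_conduits(conduits, p):
        return True                  # conduits take priority over access-lists
    return eval_access_list(access_list, p)   # lower -> higher: implicitly denied


if __name__ == "__main__":
    # Constructed sample traffic: 10.0.0.0/24 inside with nat 0, 198.51.100.20 outside.
    acl = [parse_rule("access-list 10 permit icmp any any echo-reply")]
    full_icmp = [parse_rule("conduit permit icmp any any")]
    reply = Packet("icmp", "198.51.100.20", "10.0.0.5", icmp_type="echo-reply")
    echo = Packet("icmp", "198.51.100.20", "10.0.0.5", icmp_type="echo")
    print("echo-reply via ACL:", allowed(reply, "outside", "inside", access_list=acl))
    print("echo via ACL:      ", allowed(echo, "outside", "inside", access_list=acl))
    print("echo via conduit:  ", allowed(echo, "outside", "inside", conduits=full_icmp))
```

With only the echo-reply access-list applied, an inbound echo request hits the implicit deny while replies to internal pings still get back in; with the full-icmp conduit present, the conduit wins regardless of what the access-list says, which is the mixing problem Carroll warns about.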



Re: PIX conduit access lists [7:26684]

2001-11-28 Thread Steve Alston

Patrick & Allen,
  Thanks for the responses -- helps loads.  I'm still slightly confused.

I did a clear conduit expecting to block all incoming traffic.  Following
the clear conduit, I did a show conduit to verify there were not any
conduits in operation.  At that time, I was still able to receive web
traffic at my workstation.  For that matter, the conduit statements only
applied to specific servers so why am I able to receive http at my
workstation?  I did try to PING an IP address which failed when I removed
the conduits and worked when I restored conduit permit icmp any any --
that behaved as expected.


Thanks,
Steve

Allen May wrote in message news:[EMAIL PROTECTED]...
 Very true and a good point, but the original question was about conduits
 which only apply to lower-higher.  Higher-lower requires NAT.  I
 accidentally typed access-list below but meant conduit. ;)  *slap self &
 get more coffee*.  It still applies but wasn't what I meant to say.

 Thanks for pointing that out though.


 - Original Message -
 From: Patrick W. Bass
 To:
 Sent: Sunday, November 25, 2001 10:14 PM
 Subject: Re: PIX conduit & access lists [7:26684]


  Allen May wrote in message news:[EMAIL PROTECTED]...
   I'm not sure if this was answered or not, but a firewall always assumes
   a deny all at the end of the access-list for inbound.  Outbound is
   different since it allows all by default.

  Remember this:  Higher security level to lower security level, implicitly
  allowed.  Lower security level to higher security level, implicitly
  denied.  Otherwise it gets tricky once you start messing with multiple
  DMZs.

   Also, access-lists are the way to go since conduits will be phased out
   in the near future.

   Allen
  
   - Original Message -
   From: Steve Alston
   To:
   Sent: Monday, November 19, 2001 9:25 AM
   Subject: Re: PIX conduit & access lists [7:26684]
  
  
    Carroll,
    Thanks for the reply.  I'm using conduits now, but will switch to
    access lists in the future.  (I'd like to fully understand the
    configuration I inherited before I start making changes)  Are implicit
    denies inserted behind each conduit as well?
   
   
    Carroll Kong wrote in message news:[EMAIL PROTECTED]...
     Implicit denies behind every access-list are inserted.  Are you
     mixing conduits and access-lists?  You really should not.  Use ALL
     conduits or ALL access-lists.  If both are used, conduits take
     priority and override your access-lists.  Access-lists are first
     match, conduits are any match.

     At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
      Does the PIX 506 require an explicit deny statement after setting up
      a permit conduit or access list?

      I appear to be receiving more traffic (e.g. NTP) than my conduit
      statements allow.

      Thanks much,
      Steve
     -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27588t=26684



PIX conduit access lists [7:26684]

2001-11-19 Thread Steve Alston

Does the PIX 506 require an explicit deny statement after setting up a
permit conduit or access list?

I appear to be receiving more traffic (e.g. NTP) than my conduit statements
allow.

Thanks much,
Steve




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26684t=26684



Re: PIX conduit access lists [7:26684]

2001-11-19 Thread Steve Alston

Carroll,
  Thanks for the reply.  I'm using conduits now, but will switch to access
lists in the future.  (I'd like to fully understand the configuration I
inherited before I start making changes)  Are implicit denies inserted behind
each conduit as well?


Carroll Kong wrote in message news:[EMAIL PROTECTED]...
 Implicit denies behind every access-list are inserted.  Are you
 mixing conduits and access-lists?  You really should not.  Use ALL
 conduits or ALL access-lists.  If both are used, conduits take priority
 and override your access-lists.  Access-lists are first match, conduits
 are any match.

 At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
  Does the PIX 506 require an explicit deny statement after setting up a
  permit conduit or access list?

  I appear to be receiving more traffic (e.g. NTP) than my conduit
  statements allow.

  Thanks much,
  Steve
 -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26700t=26684