James, I would still practice RFC1918 and RFC2827 at your edge router
Stephen Wilcox R & D Specialists Universal Computer Systems Voice: (713) 718-1800 ext. 2172 Email: [EMAIL PROTECTED] -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 14, 2002 7:24 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: PIX Question You need no protection. The PIX will withstand what is put against it. All the advice you are receiving about BDS fw, IOS FW and the like doesn't address your specific need. Key being. You are terminating IPSEC. You put another FW in front and you risk losing the IPSEC. I work with PIX daily. It needs no protection. Telnet: As far at telnet (you cannot telnet to the outside of a PIX- impossible) PDM: Set up access via the command: http <host_IP_address> 255.255.255.255 outside for each host you want to have access from. Better yet, open none of that and VPN to the PIX and then use telnet/ssh/pdm from inside the VPN tunnel. Don't run CBAC unless you have a 3600 series router or above. If you really want protection that the PIX does not provide, get your ISP to limit the ICMP traffic to a max of 20 % of incoming traffic. help protect against DDOS Got questions, email me offline >Sent: Monday, November 04, 2002 8:47 PM >To: [EMAIL PROTECTED] >Subject: Protecting PIX Firewall at the Perimeter Router > > >Hi All, > > >I wanted some suggestions\practical experiences for protecting a >Firewall wall at the Perimeter Router Level. > > >We have a PIX Firewall connected to our Cisco Router, which is >connected to the Internet. Should there be any IOS Firewall Rules in >the Router, other than blocking Telnet,FTP etc to the Firewall itself >? > > >PIX will be doing NAT, protecting DMZ machines, and IPSec >connections. > > >Regards \\ Naman >
