02-04-2007 08:03 AM - edited 03-11-2019 02:28 AM
Hi All,
I would like to block the Nachi worm on a Cisco Pix firewall running version 7.2(2) code. On Cisco IOS, I do this:
access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
route-map nachi-worm permit 10
 match ip address 199
 match length 92 92
 set interface Null0
interface f0/0
 no ip unreachables
 ip route-cache policy
 ip policy route-map nachi-worm
This can be done very easily with Checkpoint firewalls 'cause I've done it many times. I would like to accomplish this with Cisco Pix 7.x code. Is it possible? Thanks.
David
02-04-2007 04:34 PM
Hello David,
PIX will not do source-based routing. Anyway, the way PIX works is different from a router. On a PIX, all packets are blocked by default from outside to inside, which is not a feature on routers. You can put the following access-list on the PIX to block Nachi-based traffic going from inside to outside:
access-list acl_inside deny icmp any any echo
access-list acl_inside deny icmp any any echo-reply
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny udp any any eq 69
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq 137
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq 138
access-list acl_inside deny tcp any any eq 139
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside permit ip any any
access-group acl_inside in interface inside
This is the best thing you can do with a firewall. If you want more protection, I think you have to have an IPS in place. Please refer to this security notice:
http://cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801b143a.html
Hope this helps. All the best. Rate replies if found useful.
Raj
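As an added illustration (not code from any poster in this thread), the following Python models the two filters discussed above against constructed packets: David's IOS route-map, which sends to Null0 only ICMP echo/echo-reply packets whose IP total length is exactly 92 bytes, and Raj's PIX acl_inside, which has no length match and so denies every echo plus the listed ports. The helper names (build_ipv4, icmp_echo, l4_ports, parse, compare) and the sample addresses are this example's own assumptions.

```python
import struct

# Constructed packet builders (this example's own helpers, not Cisco code) so both filters run offline.
def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    total_len = 20 + len(payload)  # IP total length: the field 'match length 92 92' tests
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst) + payload
def icmp_echo(icmp_type, data_len):  # type, code, checksum (0, unchecked), id, seq, filler
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"\xaa" * data_len
def l4_ports(dport):  # TCP and UDP both begin with src port, dst port; rest is zero padding
    return struct.pack("!HH", 1025, dport) + b"\x00" * 16

def parse(pkt):
    """Return (proto, ip_total_length, icmp_type, l4_dst_port) from raw IPv4 bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto, l4 = pkt[9], pkt[ihl:]
    icmp_type = l4[0] if proto == 1 else None
    dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) else None
    return proto, total_len, icmp_type, dport

def ios_route_map_drops(pkt):
    """David's IOS policy: ACL 199 (echo/echo-reply) AND 'match length 92 92' -> Null0."""
    proto, total_len, icmp_type, _ = parse(pkt)
    return proto == 1 and icmp_type in (0, 8) and total_len == 92

PIX_DENY_TCP = {135, 137, 138, 139, 445, 593}
PIX_DENY_UDP = {135, 69, 137, 138, 139}

def pix_acl_inside_denies(pkt):
    """Raj's acl_inside: deny every echo/echo-reply and the listed ports, else 'permit ip any any'."""
    proto, _, icmp_type, dport = parse(pkt)
    if proto == 1:
        return icmp_type in (0, 8)
    if proto == 6:
        return dport in PIX_DENY_TCP
    if proto == 17:
        return dport in PIX_DENY_UDP
    return False

# Constructed samples: a 92-byte echo (20 IP + 8 ICMP + 64 data), an 84-byte ordinary ping, some TCP/UDP.
SAMPLES = {
    "echo_92": build_ipv4(1, icmp_echo(8, 64)),
    "echo_84": build_ipv4(1, icmp_echo(8, 56)),
    "tcp_445": build_ipv4(6, l4_ports(445)),
    "tcp_80": build_ipv4(6, l4_ports(80)),
    "udp_69": build_ipv4(17, l4_ports(69)),
}

def compare():  # sample name -> (dropped by IOS route-map, denied by PIX acl_inside)
    return {n: (ios_route_map_drops(p), pix_acl_inside_denies(p)) for n, p in SAMPLES.items()}
```

The 84-byte echo is the case David is after: the route-map passes it while the PIX ACL, lacking a length match, denies all echo traffic to stop the 92-byte one.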
02-04-2007 06:03 PM
Hi Raj,
Point very well taken. However, I think you may want to rephrase this:
"This is the best thing you can do with a firewall".
I think what you meant to say is "Cisco Pix/ASA firewall", because I can accomplish this quite easily with both Checkpoint and Juniper firewalls.
Thanks.
David
02-04-2007 07:37 PM
Hello David,
What I meant was, firewalls give only 70% security to the network. If there are some ports opened on the firewall, it generally passes the traffic on those ports without doing application inspection at the level a normal IPS does. With the modern ASA firewalls, you can have IPS modules built in to the firewall (with SSM), which can give you much better protection! Probably the firewalls you had had the built-in IPS functionality! Anyway, with Cisco, you can do everything that is possible with other firewalls; I don't think there can be anything missed out. The biggest positive of Cisco, any day, is the support or documentation, which is not even 50% of what other vendors provide.
Hope this helps. All the best. Rate replies if found useful.
Raj
02-06-2007 03:42 PM
Hello David,
Do you need any other assistance with respect to this case?
Raj
02-07-2007 05:29 AM
Hi Raj,
Basically no. I just got confirmation from Cisco TAC that what I am trying to do is not possible with Cisco Pix. I don't understand why Cisco doesn't design firewalls like other vendors such as Juniper or Checkpoint. Checkpoint has had this capability since version 4.1, like six years ago.
David
02-07-2007 11:57 PM
Hello David,
I think each vendor has his own architecture. With PIX, there are features which aren't available as on routers, since they are functionally two different products (like source routing/route maps etc.). With the 7.x version of PIX, you do have QoS, with class maps, policy maps etc. You can make sure you don't allow junk traffic like Nachi across your PIX by configuring QoS and shaping. I'm really not sure if this will solve your issue. Anyway, as I had given above, the following URL will give you basic protection against Nachi:
http://cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801b143a.html
And of course, all firewalls aren't the same :) There can be pros and cons for any manufacturer! Anyway, Cisco works a lot to put in more features as time goes on! Probably they will incorporate the features you need in future releases.
Hope this helps. All the best. Rate replies if found useful.
Raj