blocking ssh version 1, snmp version 1 and allow only passive FTP on pix

Unanswered Question
Feb 4th, 2007

I need to migrate some customers from Checkpoint over to Cisco Pix firewalls, NOT ASA.

Currently in the checkpoint security policy, we only allow snmp version 2 and version 3 to traverse the firewalls. Furthermore, we also allow only ssh version 2 to traverse the firewalls. In other words, ssh version 1 and snmp version 1 are NOT allowed and will be dropped by Checkpoint Smartdefense.

Is this something that can be done with Cisco Pix firewalls version 7.2(2)? If so, how?

Is it also possible to allow ONLY passive ftp through the pix firewall? On the checkpoint firewall, I have a static NAT of a private host IP of 192.168.1.1 to a public IP address of 129.174.1.5. I only allow passive ftp from External to this host, NO active FTP is allowed.

BTW, I understand well how passive and active ftp work.

It seems to me that if I have static NAT involved, the Pix firewall can not allow ONLY passive ftp through it. Worse, if I use "no fixup protocol ftp 21", both passive and active ftp stop working with NAT.

If I disable NAT, then I can block active ftp on the pix firewall by setting up the ACL properly and "no fixup protocol ftp 21".

Is it possible to allow only passive FTP through the pix firewall 7.2(2) with static NAT? It doesn't seem to be working for me in my testing.

Any ideas?

David

mhellman Fri, 02/09/2007 - 07:55

Hello again David. You've certainly got your work cut out for you. You should be able to do the SNMP inspection. Go into the global properties -> inspect maps -> snmp. Click Add. Name the inspection map and click which versions you want to disallow. Now go into the security policy -> service policy rules. Edit the default rule. In the rule actions, make sure SNMP is checked and click Configure. Select the map you created earlier.

As far as FTP goes, I'm strictly a PIX GUI user at this point and I see no option for restricting the type to active or passive.
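For readers working from the console rather than ASDM, here is the CLI equivalent of the SNMP inspection steps described in the reply above. It is an added example, not configuration from the original thread or from Cisco; the map name DROP_SNMPV1 is an assumption, and it covers only the SNMP part of the question, not FTP.

```cisco
! Added example (not from the original thread): CLI equivalent of the ASDM
! "inspect maps -> snmp" procedure on PIX 7.2. Map name is an assumption.
!
! 1. Define an SNMP inspection map that drops SNMPv1 packets.
!    "deny version" also accepts 2, 2c and 3 if other versions must go.
!    SNMPv2 and SNMPv3 polls continue to pass.
snmp-map DROP_SNMPV1
 deny version 1
!
! 2. Attach the map to the default inspection class of the global policy
!    (the "edit default rule -> rule actions -> SNMP -> configure" step).
policy-map global_policy
 class inspection_default
  inspect snmp DROP_SNMPV1
!
! 3. The global policy must be applied; on a default configuration this
!    line is already present.
service-policy global_policy global
!
! Verification: per-version counters for the SNMP inspection. After an
! SNMPv1 poller tries to cross the firewall, the v1 drop counter should rise.
show service-policy inspect snmp
```

SSH version 1 cannot be filtered the same way, since PIX 7.2 has no SSH application inspection; the snmp-map only addresses the SNMP half of the original question.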
