I need to migrate some customers from Checkpoint over
to Cisco PIX firewalls, NOT ASA.
Currently, in the Checkpoint security policy, we only
allow SNMP version 2 and version 3 to traverse the
firewalls. Furthermore, we also allow only SSH
version 2 to traverse the firewalls. In other
words, SSH version 1 and SNMP version 1 are NOT
allowed and will be dropped by Checkpoint SmartDefense.
Is this something that can be done with Cisco PIX
firewalls version 7.2(2)? If so, how?
Is it also possible to allow ONLY passive FTP through
the PIX firewall? On the Checkpoint firewall, I have
a static NAT of a private host IP of 192.168.1.1 to a
public IP address of 184.108.40.206. I only allow passive
FTP from external to this host; NO active FTP is allowed.
BTW, I understand well how passive and active FTP work.
It seems to me that if I have static NAT involved,
the PIX firewall cannot allow ONLY passive FTP through
it. Worse, if I use "no fixup protocol ftp 21", both
passive and active FTP stop working with NAT.
If I disable NAT, then I can block active FTP on the
PIX firewall by setting up the ACL properly and "no fixup
protocol ftp 21".
Is it possible to allow only passive FTP through the PIX
firewall 7.2(2) with static NAT? It doesn't seem to be
working for me in my testing.
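For the SNMP part of the question, PIX/ASA 7.x can drop SNMPv1 with an SNMP inspection map. The fragment below is an added example and not part of the original post; it assumes the default `global_policy` / `inspection_default` names that 7.x ships with, and the map name `no_snmpv1` is made up here.

```text
! Inspection map that denies SNMP version 1 packets (v2c and v3 still pass)
snmp-map no_snmpv1
  deny version 1

! Attach the map to the default global inspection policy
policy-map global_policy
  class inspection_default
    inspect snmp no_snmpv1
```

Only traffic that is also permitted by your access lists reaches inspection, so keep the usual ACL entries for udp/161 and udp/162; SSH version enforcement is not something PIX inspection provides for transit traffic, so that part still needs to be handled on the SSH servers themselves.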