PIX Firewall

l.mourits Wed, 09/24/2003 - 15:10

Besides the fact that it is not recommended to use conduits anymore and Cisco advises to use access-lists instead, the normal operation indeed would be (as the other guys already stated) that from high to low is implicitly permitted, and from low to high is implicitly denied (due to ASA).

But as you seem to be able to open a session from low to high without having a conduit that permits that, I can only think of one thing that could be wrong. I think you also have an established command on the PIX. Using conduits with established commands could drill some serious security holes if used incorrectly. So, check to see if there are any established commands, and if there are any, search on CCO for the established command, and you will find some pretty good documents about how to use this command and still keep it secure.

What you are describing is NOT normal operation for a PIX and is in fact a big security hole.

So, check as soon as possible.

Also, consider transforming your config into using ACLs instead of conduits.

Hope this helps,

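The two checks the reply above asks for (are there any established commands, and what do the conduits look like as access-lists) can be done offline against a saved `write terminal` / `show running-config` dump. The script below is an added example for this thread, not code from the original posters or from Cisco; the configuration it parses is constructed for the example, and the ACL name `outside_in` and interface name `outside` are assumptions. The established command lets a host on a lower-security interface open a connection back to the higher-security host once an outbound session to the given port exists, which is the low-to-high path suspected above, so every such line is reported for review. The conduit translation also shows the detail that bites people converting by hand: conduit lists the global (destination) address first and the foreign (source) address second, while access-list is source-then-destination, so the two halves swap.

```python
"""Offline audit of a saved PIX 6.x configuration (added example).

Flags `established` commands, lists deprecated `conduit` lines and emits the
equivalent `access-list`/`access-group` lines. The ACL name `outside_in` and
the interface name `outside` are assumptions; SAMPLE_CONFIG is constructed.
"""

PORT_OPS = {"eq", "lt", "gt", "neq"}

# Constructed sample config, not from the thread.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
conduit permit tcp host 203.0.113.10 eq www any
conduit permit tcp host 203.0.113.10 eq ftp 198.51.100.0 255.255.255.0
conduit permit icmp any any echo-reply
established tcp 1521 0 permitto tcp 1024-65535 permitfrom tcp 1024-65535
"""


def config_lines(config):
    """Drop blank lines and PIX comment lines (':' and '!')."""
    out = []
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith((":", "!")):
            out.append(line)
    return out


def _take_addr(tok, i):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return "host " + tok[i + 1], i + 2
    return tok[i] + " " + tok[i + 1], i + 2


def _take_port(tok, i):
    """Consume an optional port operator ('eq www', 'range 1024 65535')."""
    if i < len(tok) and tok[i] in PORT_OPS:
        return tok[i] + " " + tok[i + 1], i + 2
    if i < len(tok) and tok[i] == "range":
        return " ".join(tok[i:i + 3]), i + 3
    return "", i


def conduit_to_acl(line, acl_name="outside_in"):
    """Translate one conduit line into the equivalent access-list line.

    conduit: <action> <proto> GLOBAL(dst) [port] FOREIGN(src) [port]
    access-list: <action> <proto> SRC [port] DST [port]
    so the global/foreign halves are swapped. Trailing tokens such as an
    icmp type are carried over unchanged.
    """
    tok = line.split()
    if tok[0] != "conduit":
        raise ValueError("not a conduit line: " + line)
    action, proto = tok[1], tok[2]
    glob, i = _take_addr(tok, 3)
    gport, i = _take_port(tok, i)
    foreign, i = _take_addr(tok, i)
    fport, i = _take_port(tok, i)
    parts = ["access-list", acl_name, action, proto, foreign]
    if fport:
        parts.append(fport)
    parts.append(glob)
    if gport:
        parts.append(gport)
    parts.extend(tok[i:])
    return " ".join(parts)


def audit(config, acl_name="outside_in", interface="outside"):
    """Return the findings as lists of config lines, keyed by finding type."""
    lines = config_lines(config)
    established = [l for l in lines if l.startswith("established ")]
    conduits = [l for l in lines if l.startswith("conduit ")]
    acl = [conduit_to_acl(c, acl_name) for c in conduits]
    if acl:
        acl.append("access-group %s in interface %s" % (acl_name, interface))
    return {
        # every established line is a candidate low-to-high opening; review each
        "established": established,
        "conduits": conduits,
        "replacement_acl": acl,
        # only apply these after the ACL has been verified to carry the traffic
        "remove_after_verifying": ["no " + l for l in established + conduits],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key)
        for line in value:
            print("   ", line)
```

On the firewall itself `show established` and `show conduit` list the same two sets of commands; the script is for the case where you only have the saved config in front of you. The conversion covers the common `tcp`/`udp`/`ip`/`icmp` conduit forms with `any`, `host` and network/mask addresses; anything more exotic should be translated by hand against the Cisco documentation rather than trusted to a regex.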

mathia5 Thu, 09/25/2003 - 04:18

Do you have any NAT or Static setup for the higher security level?

mike-banks Thu, 09/25/2003 - 07:00

It is true that you do not need a conduit or access-list to go from a higher to lower security level. Please provide more information on whether going from a dmz to outside, inside to outside, etc. It could be that you are just missing your NAT, STATIC or global commands.

