Cisco Support Community


blocking ssh version 1, snmp version 1 and allow only passive FTP on pix

I need to migrate some customers from Checkpoint over to Cisco PIX firewalls, NOT ASA.

Currently in the Checkpoint security policy, we only allow SNMP version 2 and version 3 to traverse the firewalls. Furthermore, we also allow only SSH version 2 to traverse the firewalls. In other words, SSH version 1 and SNMP version 1 are NOT allowed and will be dropped by Checkpoint SmartDefense.

Is this something that can be done with Cisco PIX firewalls version 7.2(2)? If so, how?

Is it also possible to allow ONLY passive FTP through the PIX firewall? On the Checkpoint firewall, I have a static NAT of a private host IP of 192.168.1.1 to a public IP address of 129.174.1.5. I only allow passive FTP from External to this host; NO active FTP is allowed.

BTW, I understand well how passive and active FTP work.

It seems to me that if I have static NAT involved, the PIX firewall cannot allow ONLY passive FTP through it. Worse, if I use "no fixup protocol ftp 21", both passive and active FTP stop working with NAT.

If I disable NAT, then I can block active FTP on the PIX firewall by setting up a proper ACL and "no fixup protocol ftp 21".

Is it possible to allow only passive FTP through the PIX firewall 7.2(2) with static NAT? It doesn't seem to be working for me in my testing.

Any ideas?

David

2 REPLIES
Anonymous

Re: blocking ssh version 1, snmp version 1 and allow only passive FTP on pix

PAT works with Domain Name Service (DNS), FTP and passive FTP, HTTP, mail, remote-procedure call (RPC), rshell, Telnet, URL filtering, and outbound traceroute.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml


Re: blocking ssh version 1, snmp version 1 and allow only passive FTP on pix

Hello again David. You've certainly got your work cut out for you. You should be able to do the SNMP inspection. Go into Global Properties -> Inspect Maps -> SNMP. Click Add. Name the inspection map and click which versions you want to disallow. Now go into Security Policy -> Service Policy Rules. Edit the default rule. In the rule actions, make sure SNMP is checked and click Configure. Select the map you created earlier.

As for FTP, I'm strictly a PIX GUI user at this point and I see no option for restricting the type to active or passive.
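The CLI equivalent of the ASDM steps in the reply above, as an added example that is not part of the thread. It uses the PIX/ASA 7.x `snmp-map` / `inspect snmp` syntax; the map name `DENY-SNMPV1` is a placeholder, and `global_policy` / `inspection_default` are assumed to be the names from the default configuration (adjust them if your policy is named differently).

```cisco
! Added example (not from the thread): CLI equivalent of the ASDM
! "Inspect Maps -> SNMP" steps on PIX/ASA 7.x.
! DENY-SNMPV1 is a placeholder map name.
!
! 1. Define an SNMP inspection map that drops version 1 PDUs.
!    Version 2 and version 3 traffic is untouched by this map.
snmp-map DENY-SNMPV1
 deny version 1
!
! 2. Attach the map to the default inspection class of the global
!    policy. inspection_default already matches SNMP on udp/161 and
!    udp/162 via "match default-inspection-traffic", so no extra
!    class-map is needed.
policy-map global_policy
 class inspection_default
  inspect snmp DENY-SNMPV1
!
! 3. The global policy is applied by default; this line is a no-op
!    if it is already present.
service-policy global_policy global
```

Two caveats a practitioner would want: this only governs SNMP passing *through* the PIX, not SNMP addressed to the PIX itself (that is controlled by `snmp-server` and its community/version settings), and `show service-policy inspect snmp` is where the per-map drop counters show up, which is how to confirm v1 polls are actually being rejected. There is no corresponding inspection engine for SSH in 7.2, so the SSH version 1 part of the question cannot be solved with an inspect map.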
