09-22-2008 01:03 AM - edited 03-11-2019 06:47 AM
Hi
Why can I telnet through the PIX when there is no reference to telnet in the class inspection default list or in the default inspection traffic list?
I see there is a reference to ICMP so that explains why transit pings do not work, but I can't get my head round the workings of telnet.
Here is the class inspection default:
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
and here is the default inspection traffic
mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 mgcp------udp--2427,2727
netbios---udp--137-138 radius-acct---udp--1646
rpc-------udp--111 rsh-------tcp--514
rtsp------tcp--554 sip-------tcp--5060
sip-------udp--5060 skinny----tcp--2000
smtp------tcp--25 sqlnet----tcp--1521
tftp------udp--69 xdmcp-----udp--177
dscp Match IP DSCP (DiffServ CodePoints)
flow Flow based Policy
port Match TCP/UDP port(s)
precedence Match IP precedence
rtp Match RTP port numbers
tunnel-group Match a Tunnel Group
09-22-2008 04:26 AM
The Adaptive Security Algorithm, used by the security appliance for stateful application inspection,
ensures the secure use of applications and services. Some applications require special handling by the
security appliance and specific application inspection engines are provided for this purpose.
Applications that require special application inspection engines are those that embed IP addressing
information in the user data packet or open secondary channels on dynamically assigned ports.
Telnet does not require special handling, so it is not added in global policy.
HTH...rate if helpful..
09-22-2008 11:36 AM
So would I be right in saying that, in addition to this, stateful inspection is geared up more for connection-oriented traffic, i.e. TCP (telnet here), and that all TCP traffic is inspected? I still don't see why other TCP ports are included in the default inspection traffic in my original post and yet port 23 is not. How does the class inspection default relate to this default inspection traffic list?
Thanks for the interest.
09-22-2008 10:07 PM
Some applications require special handling, which includes, for example, an application that opens a dynamic port when a connection is established. That requires special handling, so it is considered part of application inspection, which inspects packets traveling through the firewall.
Rate if it helps!
Regards,
Archana.
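As an added illustration of how the two lists in this thread fit together (not code from any of the posts, and a simplified model of the MPF matching logic rather than device code), the script below parses the two-column `default-inspection-traffic` help output quoted in the question and checks a flow against the `inspect` statements of the quoted policy-map. The mapping between `inspect` keywords and the names in the help table (esmtp/smtp, sunrpc/rpc, h323 h225/h323-h225) is an assumption.

```python
import re

# Constructed copy of the two-column `match default-inspection-traffic` help
# output quoted in the thread (page-derived sample, not live device output).
DEFAULT_INSPECTION_HELP = """\
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 mgcp------udp--2427,2727
netbios---udp--137-138 radius-acct---udp--1646
rpc-------udp--111 rsh-------tcp--514
rtsp------tcp--554 sip-------tcp--5060
sip-------udp--5060 skinny----tcp--2000
smtp------tcp--25 sqlnet----tcp--1521
tftp------udp--69 xdmcp-----udp--177
"""
# The inspect statements under class inspection_default in the thread's policy-map.
GLOBAL_POLICY_INSPECTS = ["dns", "ftp", "h323 h225", "h323 ras", "netbios", "rsh",
                          "rtsp", "skinny", "esmtp", "sqlnet", "sunrpc", "tftp", "sip", "xdmcp"]
# Assumed mapping from `inspect` keyword to the name used in the help table.
INSPECT_ALIASES = {"h323 h225": "h323-h225", "h323 ras": "h323-ras", "esmtp": "smtp", "sunrpc": "rpc"}
# One entry is NAME---PROTO--PORTS (a single port, list or range); ICMP has no port field.
ENTRY_RE = re.compile(r"([a-z0-9-]+?)-+(tcp|udp|icmp)(?:--([\d,-]+))?")

def expand_ports(spec):
    """'2123,3386' -> [2123, 3386]; '137-138' -> [137, 138]; '' -> [None]."""
    if not spec:
        return [None]
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_default_inspection(text):
    """Split the two-column help output into {(proto, port): app_name}."""
    return {(proto, port): name for name, proto, spec in ENTRY_RE.findall(text)
            for port in expand_ports(spec)}

def classify_flow(proto, port, inspects=GLOBAL_POLICY_INSPECTS):
    """Return (app name the class matches, whether an inspect engine runs on it).
    (None, False): not default-inspection-traffic, so only stateful connection
                   tracking applies (telnet/23 from the question).
    (name, False): matched by class inspection_default but no 'inspect' line for
                   it, so no engine runs (http/80 under this policy-map).
    (name, True):  matched and handed to that application inspection engine."""
    table = parse_default_inspection(DEFAULT_INSPECTION_HELP)
    engines = {INSPECT_ALIASES.get(i, i) for i in inspects}
    name = table.get((proto, port))
    return name, name in engines
```

Telnet on tcp/23 is in neither list, so it is simply passed by the stateful connection tracking, while http/80 is matched by the class but has no `inspect http` line and so gets no engine either.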