Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
397
Views
3
Helpful
5
Replies

pix firewalls

carl_townshend
Spotlight
Spotlight

‎09-21-2006 03:15 PM - edited ‎03-03-2019 05:10 AM

Are firewalls the same as CBAC on a router, and do they work by checking out going connections then checking the return traffic, , also say i had a web server, how does the pix make sure no other traffic or protocols get through ?

cheers

Labels:
0 Helpful
5 Replies 5

m-haddad
Level 5
Level 5

‎09-21-2006 03:26 PM

Hello Carl,

CBAC or Firewall Feature Set IOS does most of what PIX firewall does. However, PIX firewall is designed for complex and advanced configurations.

Moreover, PIX firewall are more robust because the IOS is design mainly for security and you have a hardware based firewall. Therefore, it really depends on the requiremetns to usually spec a PIX firewall or router with IOS firewall.

As for your question, PIX inspect all traffic comming from inside to outside and outside to inside. You can restrict traffic by using Access-list on the outside and inside interface. Moreover, there is security level on each interface 100 being for inside and 1 being from outside. This means everything from outside to inside is denied unless you implement an access list permitting specific type of traffic.

I hope I did help and answer your questions,

Regards,

carl_townshend
Spotlight
Spotlight
In response to m-haddad

‎09-22-2006 02:42 AM

so if we have a web server and only want say http traffic to come in and out, how would I do this and what would the pix do to stop any other traffic comming in ?

0 Helpful

mbacklund2
Level 1
Level 1
In response to carl_townshend

‎09-22-2006 04:53 AM

You configure a rule that accept connection from say Internet any to the webserver with port 80/tcp on outside interface and deny any other traffic.

0 Helpful

m-haddad
Level 5
Level 5
In response to carl_townshend

‎09-22-2006 07:47 AM

By default, everything from outside to inside will be denied. To allow Http access to the web server you have to do Static NAT (one to one NAT) for the webserver and create an access-list allowing http to the webserver public IP and apply to the outside interface.

IN this way, only http access will be allowed to your webserver.

Hope this clarifies the issue,

Regards,

0 Helpful

srue
Level 7
Level 7
In response to m-haddad

‎09-22-2006 11:09 AM

one thing the other answers are missing is an explanation of the fixup command in PIX (6.3), in 7.x the fixup command has been replaced with policy maps. The pix will do deep packet inspection on (for example) http packets to make sure they are actually http packets and not something piggy backing over tcp/80 (or 443). CBAC to my knowledge doesn't do this.

in PIX 7.x, the syntax is something like:

policy-map global_policy

class inspection_default

inspect http

In PIX 6.x, the syntax is:

fixup protocol http 80

0 Helpful
Customers Also Viewed These Support Documents