09-21-2006 03:15 PM - edited 03-03-2019 05:10 AM
Are firewalls the same as CBAC on a router, and do they work by checking outgoing connections then checking the return traffic? Also, say I had a web server, how does the PIX make sure no other traffic or protocols get through?
cheers
09-21-2006 03:26 PM
Hello Carl,
CBAC or Firewall Feature Set IOS does most of what a PIX firewall does. However, the PIX firewall is designed for complex and advanced configurations.
Moreover, PIX firewalls are more robust because the IOS is designed mainly for security and you have a hardware-based firewall. Therefore, it really depends on the requirements whether to spec a PIX firewall or a router with IOS firewall.
As for your question, PIX inspects all traffic coming from inside to outside and outside to inside. You can restrict traffic by using access lists on the outside and inside interfaces. Moreover, there is a security level on each interface, 100 being for inside and 1 being for outside. This means everything from outside to inside is denied unless you implement an access list permitting a specific type of traffic.
I hope I did help and answer your questions,
Regards,
09-22-2006 02:42 AM
So if we have a web server and only want, say, HTTP traffic to come in and out, how would I do this, and what would the PIX do to stop any other traffic coming in?
09-22-2006 04:53 AM
You configure a rule that accepts connections from, say, Internet any to the web server with port 80/tcp on the outside interface and deny any other traffic.
09-22-2006 07:47 AM
By default, everything from outside to inside will be denied. To allow HTTP access to the web server you have to do static NAT (one-to-one NAT) for the web server and create an access list allowing HTTP to the web server's public IP and apply it to the outside interface.
In this way, only HTTP access will be allowed to your web server.
Hope this clarifies the issue,
Regards,
09-22-2006 11:09 AM
One thing the other answers are missing is an explanation of the fixup command in PIX (6.3); in 7.x the fixup command has been replaced with policy maps. The PIX will do deep packet inspection on (for example) HTTP packets to make sure they are actually HTTP packets and not something piggybacking over tcp/80 (or 443). CBAC to my knowledge doesn't do this.
In PIX 7.x, the syntax is something like:
policy-map global_policy
 class inspection_default
  inspect http
In PIX 6.x, the syntax is:
fixup protocol http 80
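
The static NAT, access list and fixup steps from the replies above, put together for PIX 6.3 as an added example that is not part of the original thread. The addresses and the ACL name outside_in are constructed placeholders, and lines starting with a colon are annotations rather than commands.

```cisco
: Constructed values (assumptions, not from the thread):
:   192.168.1.10  = web server's real address on the inside network
:   203.0.113.10  = public address published for the web server
:   outside_in    = name chosen for the inbound access list

: 1. One-to-one static NAT: the inside server is reachable at a fixed
:    public address on the outside interface.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

: 2. Permit only HTTP to the public address. An access list already ends
:    with an implicit deny; the explicit deny line is there so that
:    rejected traffic shows up as a hit count on its own entry.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in deny ip any any

: 3. Apply the list to traffic arriving on the outside interface.
access-group outside_in in interface outside

: 4. HTTP inspection on tcp/80, as described in the last reply.
fixup protocol http 80

: Checks after applying the configuration:
:   hit counts per access list entry (permit vs. deny)
show access-list outside_in
:   the static translation for the web server
show xlate
:   connections currently tracked by the firewall
show conn
```

A rising hit count on the deny entry while the permit entry only counts tcp/80 connections shows that nothing other than HTTP is reaching the server's public address.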