Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Opening up for a disaster?

Greetings. I am new to Cisco PIX firewalls. I am learning though. We have just recieved a PIX 506E that my boss wants to set up. I know it defaults to being closed to all incoming traffic. I was at the point where I felt I opened the ports needed to run Exchange 2000 and a few other things that people needed to do, however, my boss came to me just 1 hour ago telling me to open all ports and then close them as attacks come up. I flet this was a bad idea and whenever I made a good point and he had to think of a reason why we need to have the port open he would resort to, "Do as I say". So now I am looking for a quick and easy way to just open all ports. I would then create Deny rules to close them again. Can anyone help me?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Opening up for a disaster?

access-list outside_access permit ip any any

access-group outside_access in interface outside

However, the ASA algorithm on the PIX will still be checking for sequence number violations, malformed packets, etc.. You will also need to setup your xlates to allow the external clients to build conns to the inside hosts. One way to do this is:

access-list nonat permit ip any any

nat (inside) 0 access-list nonat

Good luck.

Scott

6 REPLIES

Re: Opening up for a disaster?

That is the most ridiculous thing I have ever heard. Try to get him to put that order in writing or in an e-mail to cover you a** and also put in writing your objections and that you are doing this under duress. I know how to accomplish the task but I'll be damned if I will be a party to that madness.

New Member

Re: Opening up for a disaster?

Yeah, well, I have both in writing and his boss signed it. I guess thats what ya get for working in government.

Re: Opening up for a disaster?

Well prepare for some attacks coming your way. You have the branch of the government that you work for listed here. Not everyone here is a nice guy like me. You have my condolences.

Re: Opening up for a disaster?

access-list outside_access permit ip any any

access-group outside_access in interface outside

However, the ASA algorithm on the PIX will still be checking for sequence number violations, malformed packets, etc.. You will also need to setup your xlates to allow the external clients to build conns to the inside hosts. One way to do this is:

access-list nonat permit ip any any

nat (inside) 0 access-list nonat

Good luck.

Scott

Silver

Re: Opening up for a disaster?

No, you can´t be serious?

I´m a consultant working for government parties on a daily base, but I never ran into such stupidity as this. Is this guy out of his mind or what?

IMHO he does not seem to understand that ASA takes care of all returning traffic, and so he´s thinking that closing all ports will prevent him for having fun browsing.

Anyway, what Scott provided is indeed opening your PIX for all traffic coming in from the outside. Simply removing the access-group command will close all ports again in case of an attack. The command needed for this would be:

no access-group outside_access in interface outside

I would never set all ports open for traffic, not even if my boss signed a hundred documents, I rather got fired. Even if he signed for the risk of this config, you are the one getting all the sh*t when you are being attacked.

If you decide to listen to your boss and continue this config, let us all join the fun and post your outside IP here *evil grin*

Good luck,

Leo

New Member

Re: Opening up for a disaster?

Well, to be honest, I wont be following his choice. His worries were somewhat valid. If there is a port I forget to open and suddenly our Dialup users can't access something they could before, they will react as though the world has ended. I have seen it before. (Some of these people carry guns so I have a valid reason to be afraid!) However, I convinced him that with the help of the ISP I will look at the logs of incoming traffic and determine which traffic we get is legit and those ports need to be opened. Setting up VPN access would be nice, however we would get large amounts of complaints as to how slow accessing Exchange and the other things is. Least for those going on Dialup. So anyway, things are looking up. I just need to wait for those logs.

107
Views
0
Helpful
6
Replies