Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

New Member

PIX515 and 1721 Firewall Configurations

We have multiple sites. In some locations, we have a PIX515 behind a 1720 Router. In others, we have only a 1721 with the Firewall Software Set installed (c1700-k9o3sy7-mz.122-11). All equipment was installed and configured by a channel partner with whom we are no longer working. I have been reviewing and learning about the configs, but am by no means an expert.

Using the ShieldsUp port scanner available at www.grc.com, the PIX configurations show all ports in "Stealth" mode. This means that the PIX does not even respond when the ports are scanned.

The 1721 configs however, do respond to the port scanner but do not pass the traffic. This is "closed" in ShieldsUp terminology. We would prefer the "stealth" performance.

The only thing that jumps out at me in the configs is that the 1721 does not have any FIXUP protocols running.

What is the difference, or what could be missing from the 1721 configuration?

Thanks!

3 REPLIES
Gold

Re: PIX515 and 1721 Firewall Configurations

Hi -

I presume (without seeing your config) that you have the following command on the PIX : icmp deny any outside - basically by using this command you are saying to deny any ICMP traffic on the outside interface thus if any scanners try to scan your network the PIX will go into 'stealth' mode or become invisible to the outside world.

I'm glad to see that you used Steve Gibsons www site for your testing.

Can you post your config of the 1721 but please remember to change 'real' IP's and passwords or if you like you can post off-line to me direct - jmia@ohgroup.co.uk

Thanks - Jay

New Member

Re: PIX515 and 1721 Firewall Configurations

You are not missing anything.. "ShieldsUP Port Scanner" will indicate a Stealth status as a normal behavior of a PIX with NAT/PAT configured in responce to port probes, even if you are allowing ICMP packets to pass the PIX to the network, this won't help.. And it has nothing to do with fixup as well.

The "Stealth" status indicate as far as I believe a possible NAT/PAT operation.

Are you running any PAT on the 1721?

New Member

Re: PIX515 and 1721 Firewall Configurations

I believe so. The config lines relating to NAT are as follows (IP Add's changed to protect the innocent):

ip nat pool MY_NAT_POOL 192.168.1.1 192.168.1.1 netmask 255.255.255.248

ip nat inside source route-map nonat pool MY_NAT_POOL overload

route-map nonat permit 10

match ip address 100 (we use VPNs, so access-list 100 identifies "interesting traffic" that does NAT)

interface FastEthernet0

ip address 172.16.1.1 255.255.255.0

ip nat inside

interface Serial0

ip address 10.0.0.1 255.255.255.252

ip nat outside

Thanks for your comments!

82
Views
0
Helpful
3
Replies
CreatePlease to create content