PIX ASA logic

augnevenok
Level 1

Hi,

I have a PIX 501 configured with static NAT for an internal host. Suppose I configure a rule that allows any incoming traffic from anywhere to the internal host. Will the Cisco Adaptive Security Algorithm still be inspecting traffic to that host? Will the PIX prevent attacks from outside? Or would setting a "permit any" rule disable the firewall capabilities and be similar to exposing the internal host directly to the Internet?

Thank you.

3 Replies

puagarwa
Level 1

If you have configured a static, then you have to apply an access-list on the outside interface to define which traffic is permitted. Now this does not mean that the internal host is vulnerable: only the ports which you have allowed in the access-list are open for that host. The host is by default protected against any TCP SYN attack, i.e. the number of embryonic connections. You can limit the number of maximum concurrent connections to that host. Also, only the valid sequence numbers and ports are allowed to that host.

If you want explicit inspection for that host, then you can turn on IPS on the 501.

Please do tell if this answers your question.
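The configuration the reply describes, written out as an added example (not posted by anyone in this thread). It assumes PIX 6.x syntax on a PIX 501, a hypothetical ACL name `outside_in`, an internal web server at 192.168.1.10 and a public address 203.0.113.10 (RFC 5737 documentation range); the `!` lines are reader comments, not configuration.

```cisco
! Static NAT: public 203.0.113.10 maps to the internal host 192.168.1.10.
! The two trailing values are max_conns and emb_limit (half-open / embryonic
! connection limit). 0 would mean unlimited; bounding them lets the PIX cut off
! a SYN flood against this host instead of passing it through. Values are
! assumed for illustration, not a recommendation for any specific load.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 500 100

! WEAK (what the question proposes): every port on the host becomes reachable.
! Stateful inspection still applies (sequence checking, connection state,
! the limits above), but the exposure is every service the host happens to run.
! access-list outside_in permit ip any host 203.0.113.10

! PREFERRED: permit only the service the host is meant to offer.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
! Everything else to this host is dropped by the implicit deny.
access-group outside_in in interface outside

! Application-layer inspection (fixup) for the permitted service.
fixup protocol http 80

! The "IPS on the 501" the reply mentions: the built-in IDS signature engine.
! Attack-class signatures are alarmed, dropped and reset; informational ones alarmed.
ip audit name outside_attack attack action alarm drop reset
ip audit name outside_info info action alarm
ip audit interface outside outside_attack
ip audit interface outside outside_info
```

Check the result with `show conn` for the host's active and embryonic counts and `show access-list` to confirm hit counts land on the narrow entries rather than a broad permit.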

It does answer the question. Thank you.

Is it possible to disable stateful inspection for some hosts or for the whole PIX?

It is not possible to disable stateful inspection!! It is a built-in feature of the ASA. I am not sure why you would want to disable the stateful inspection.

Please rate the post if it helped answer your question!!