topic Re: blocking ssh version 1, snmp version 1 and allow only passiv in Network Security

blocking ssh version 1, snmp version 1 and allow only passive FTP on pix

daviddtran — Mon, 11 Mar 2019 09:28:58 GMT

I need to migrate some customers from Checkpoint over

Cisco Pix firewalls, NOT ASA.

Currently in the checkpoint security policy, we only

allow snmp version 2 and version 3 to traverse the

firewalls. Furthermore, we also allow only ssh

version 2 from traversing the firewalls. In other

words, ssh version 1 and snmp version 1 are NOT

allowed and will be dropped by Checkpoint Smartdefense.

Is this something that can be done with Cisco Pix

firewalls version 7.2(2)? If so, how?

Is it also possible to allow ONLY passive ftp through

the pix firewall? On the checkpoint firewall, I have

a static NAT of a private host IP of 192.168.1.1 to a

public IP address of 129.174.1.5. I only allow passive

ftp from External this host, NO active FTP is allowed.

BTW, I understand well how passive and active ftp work.

It seems to me that if I have static NAT involved,

the Pix firewall can not allow ONLY passive ftp through

it. Worse, I use "no fixup protocol ftp 21", both

passive and active ftp stops working with NAT.

If I disable NAT, then I can block active ftp on the

pix firewall by setting up properly ACL and "no fixup

protocol ftp 21".

Is it possible to allow only passive FTP through the pix

firewall 7.2(2) with static NAT? It doesn't seem to be

working for me in my testing.

any ideas?

David

Re: blocking ssh version 1, snmp version 1 and allow only passiv

Fri, 09 Feb 2007 14:31:43 GMT

PAT works with Domain Name Service (DNS), FTP and passive FTP, HTTP, mail, remote-procedure call (RPC), rshell, Telnet, URL filtering, and outbound traceroute.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

Re: blocking ssh version 1, snmp version 1 and allow only passiv

mhellman — Fri, 09 Feb 2007 15:55:30 GMT

Hello again David. You've certainly got your work cut out for you. You should be able to do the SNMP inspection. Go into the global properties->inspect maps->snmp. click add. name the inspection map and click which versions you want to disallow. Now go into the security policy->service policy rules. Edit the default rule. In the rule actions, make sure SNMP is checked and click configure. select the map you created earlier.

As far as FTP. I'm strictly a PIX gui user at this point and I see no option for restricting the type to active or passive.