https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633331#M1026948 <HTML><HEAD></HEAD><BODY><P>Hello David,</P><P></P><P>Do you need any other assistance with respect to this case?</P><P></P><P>Raj</P></BODY></HTML> Tue, 06 Feb 2007 23:42:01 GMT sachinraja 2007-02-06T23:42:01Z https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633327#M1026941 <P>Hi All,</P><P>I would like to block nachi worm on a Cisco </P><P>Pix firewall running version 7.2(2) code. </P><P>On Cisco IOS, I do this:</P><P></P><P>access-list 199 permit icmp any any echo</P><P>access-list 199 permit icmp any any echo-reply</P><P>route-map nachi-worm permit 10</P><P> match ip address 199</P><P> match length 92 92</P><P> set interface Null0</P><P>interface f0/0 </P><P> no ip unreachables</P><P> ip route-cache policy</P><P> ip policy route-map nachi-worm</P><P></P><P>This can be very easily with Checkpoint</P><P>firewalls 'cause I've done it many times.</P><P>I would like to accomplish this Cisco Pix</P><P>7.x code. Is it possible? Thanks.</P><P></P><P>David</P><P></P><P></P> Mon, 11 Mar 2019 09:28:56 GMT https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633327#M1026941 daviddtran 2019-03-11T09:28:56Z https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633328#M1026944 <HTML><HEAD></HEAD><BODY><P>Hello David,</P><P></P><P>PIX will not do source based routing.. anyway, the way pix works is different than router !! On a PIX, all packets are blocked by default from outside to inside, which is not a feature on routers... You can put the following access-list on the PIX, to block nachi based traffic going from inside to outside .....</P><P></P><P>access-list acl_inside deny icmp any any echo</P><P>access-list acl_inside deny icmp any any echo-reply</P><P>access-list acl_inside deny tcp any any eq 135</P><P>access-list acl_inside deny udp any any eq 135</P><P>access-list acl_inside deny udp any any eq 69</P><P>access-list acl_inside deny tcp any any eq 137</P><P>access-list acl_inside deny udp any any eq 137</P><P>access-list acl_inside deny tcp any any eq 138</P><P>access-list acl_inside deny udp any any eq 138</P><P>access-list acl_inside deny tcp any any eq 139</P><P>access-list acl_inside deny udp any any eq 139</P><P>access-list acl_inside deny tcp any any eq 445</P><P>access-list acl_inside deny tcp any any eq 593</P><P>access-list acl_inside permit ip any any</P><P></P><P>access-group acl_inside in interface inside</P><P></P><P>This is the best thing you can do with a firewall.. if you want more protection, i think you have to have an IPS in place.... Please refer to this security notice:</P><P></P><P><A class="jive-link-custom" href="http://cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801b143a.html" target="_blank">http://cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801b143a.html</A></P><P></P><P>Hope this helps.. all the best.. rate replies if found useful..</P><P></P><P>Raj</P></BODY></HTML> Mon, 05 Feb 2007 00:34:40 GMT https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633328#M1026944 sachinraja 2007-02-05T00:34:40Z https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633329#M1026946 <HTML><HEAD></HEAD><BODY><P>Hi Raj,</P><P>Point very well taken. However, I think you may want to rephrase this:</P><P></P><P>"This is the best thing you can do with a firewall". </P><P></P><P>I think what you meant to say is "Cisco Pix/ASA</P><P>firewall" because I can accomplish this quite</P><P>easily with both Checkpoint and Juniper </P><P>Firewalls.</P><P></P><P>Thanks.</P><P>David</P></BODY></HTML> Mon, 05 Feb 2007 02:03:27 GMT https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633329#M1026946 daviddtran 2007-02-05T02:03:27Z https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633330#M1026947 <HTML><HEAD></HEAD><BODY><P>Hello David,</P><P></P><P>what i meant was, firewalls give only 70 % security to the network.. if there are some ports opened on the firewall, it generally passes the traffic on those ports, without doing application inspection, the level in which normal IPS does.. with the modern ASA firwalls, you can have IPS modules inbuilt on the firewall (with SSM), which can give you much more better protection !! probably the firewalls u had, had the built in IPS functionality !!! .... anyway, with Cisco, you can do everything that is possible with other firewalls... i dont think there can be anything missed out.. the biggest positive of Cisco ,anyday, is the support or documentation, which is not even 50 % of what other vendors provide....</P><P></P><P>Hope this helps.. all the best... rate replies if found useful.</P><P></P><P>Raj</P></BODY></HTML> Mon, 05 Feb 2007 03:37:44 GMT https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633330#M1026947 sachinraja 2007-02-05T03:37:44Z https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633331#M1026948 <HTML><HEAD></HEAD><BODY><P>Hello David,</P><P></P><P>Do you need any other assistance with respect to this case?</P><P></P><P>Raj</P></BODY></HTML> Tue, 06 Feb 2007 23:42:01 GMT https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633331#M1026948 sachinraja 2007-02-06T23:42:01Z https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633332#M1026949 <HTML><HEAD></HEAD><BODY><P>Hi Raj,</P><P></P><P>Basically no. I just got confirmed from Cisco TAC that what I am trying to do is not possible</P><P>with Cisco Pix. I don't understand why Cisco </P><P>doesn't design firewall like other vendors such</P><P>as Juniper or Checkpoint. Checkpoint had this</P><P>capability since version 4.1, like six years ago.</P><P></P><P>David</P></BODY></HTML> Wed, 07 Feb 2007 13:29:29 GMT https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633332#M1026949 daviddtran 2007-02-07T13:29:29Z https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633333#M1026950 <HTML><HEAD></HEAD><BODY><P>Hello David</P><P></P><P>I think each vendor has his own architecture.. with PIX, there are features which arent available as routers , since they are functionally two different products (like soure routing/route maps etc)... With 7.x version of PIX, you do have QOS , with classmaps, policy maps etc... you can make sure you dont allow junk traffic like nachi across your PIX, by configuring QOS, and shaping... I'm really not sure if this will solve ur issue.. anyway, as I had given above, the following URL will give u a basic protection again nachi's...</P><P></P><P><A class="jive-link-custom" href="http://cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801b143a.html" target="_blank">http://cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801b143a.html</A></P><P></P><P>and of course, all firewalls arent same <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> there can be pros and cons for any manufacturer !!! anyway, cisco works a lot to put more features as time goes !! probably they will incorporate the features u need in the future releses ...</P><P></P><P>Hope this helps.. all the best.. rate replies if found useful.</P><P></P><P>Raj</P></BODY></HTML> Thu, 08 Feb 2007 07:57:50 GMT https://community.cisco.com/t5/network-security/blocking-nachi-worm-with-cisco-pix-7-x/m-p/633333#M1026950 sachinraja 2007-02-08T07:57:50Z