Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
720
Views
0
Helpful
2
Replies

blocking ssh version 1, snmp version 1 and allow only passive FTP on pix

daviddtran
Level 1
Level 1

‎02-04-2007 08:58 AM - edited ‎03-11-2019 02:28 AM

I need to migrate some customers from Checkpoint over

Cisco Pix firewalls, NOT ASA.

Currently in the checkpoint security policy, we only

allow snmp version 2 and version 3 to traverse the

firewalls. Furthermore, we also allow only ssh

version 2 from traversing the firewalls. In other

words, ssh version 1 and snmp version 1 are NOT

allowed and will be dropped by Checkpoint Smartdefense.

Is this something that can be done with Cisco Pix

firewalls version 7.2(2)? If so, how?

Is it also possible to allow ONLY passive ftp through

the pix firewall? On the checkpoint firewall, I have

a static NAT of a private host IP of 192.168.1.1 to a

public IP address of 129.174.1.5. I only allow passive

ftp from External this host, NO active FTP is allowed.

BTW, I understand well how passive and active ftp work.

It seems to me that if I have static NAT involved,

the Pix firewall can not allow ONLY passive ftp through

it. Worse, I use "no fixup protocol ftp 21", both

passive and active ftp stops working with NAT.

If I disable NAT, then I can block active ftp on the

pix firewall by setting up properly ACL and "no fixup

protocol ftp 21".

Is it possible to allow only passive FTP through the pix

firewall 7.2(2) with static NAT? It doesn't seem to be

working for me in my testing.

any ideas?

David

Labels:
0 Helpful
2 Replies 2

Not applicable

‎02-09-2007 06:31 AM

PAT works with Domain Name Service (DNS), FTP and passive FTP, HTTP, mail, remote-procedure call (RPC), rshell, Telnet, URL filtering, and outbound traceroute.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

0 Helpful

mhellman
Level 7
Level 7

‎02-09-2007 07:55 AM

Hello again David. You've certainly got your work cut out for you. You should be able to do the SNMP inspection. Go into the global properties->inspect maps->snmp. click add. name the inspection map and click which versions you want to disallow. Now go into the security policy->service policy rules. Edit the default rule. In the rule actions, make sure SNMP is checked and click configure. select the map you created earlier.

As far as FTP. I'm strictly a PIX gui user at this point and I see no option for restricting the type to active or passive.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card