10-07-2002 08:07 PM - edited 02-20-2020 10:17 PM
I just upgraded a client's PIX from 6.0.1 to 6.2.2 software and, just for kicks, we went to a few online scan services such as GRC and Sygate to run a few scans against the PIX. Prior to the upgrade, every port showed up as stealth or blocked. After the upgrade, we ran the tests again and the ports showed up as "closed".
WTF?
Granted, many online tests have to be taken with a grain of salt as far as their results go, but still, it was quite shocking to the client. I rolled the PIX back to 6.0.1 and re-ran the same tests; now they come back as stealth or blocked.
10-08-2002 06:41 AM
Beginning in PIX Software version 5.2.1, ICMP is still permitted by default, but PIX ping responses from its own interfaces can be disabled with the icmp command (that is, a "stealth PIX"):
icmp permit|deny [host] src_addr [src_mask] [type] int_name
10-08-2002 06:38 PM
That is great for ICMP, but it doesn't answer the original question.
ICMP has been "locked down" on this particular PIX.
10-08-2002 08:02 PM
Have you compared the config file from the 6.0.1 install to the config after the 6.2.2 upgrade to make sure that nothing has changed? I am not talking about the PDM; go in, print out the config and compare it line for line. Also, what are you actually scanning, clients behind the PIX or the outside interface of the PIX?
Bob Staaf
Southern Web Services
Central, SC
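The line-for-line comparison suggested above can be scripted so that only real changes show up. The following is an added example and not part of this thread or of any Cisco tool: it strips the header lines that differ on every save (the "Written by" timestamp, the Cryptochecksum, and the version line, which the upgrade itself changes) and then diffs two captured configs. The volatile-line patterns and the two sample configs are constructed for the example; the alias line stands in for the one difference the original poster mentions.

```shell
#!/bin/sh
# Added example (not from the thread): compare two saved PIX configs line by line.
# "before" and "after" are captures of "write terminal" / "show running-config"
# taken before and after a software upgrade.

# Header lines that change on every save without being a configuration change.
# These patterns are assumptions about a PIX 6.x config dump, not a Cisco spec.
VOLATILE='^: (Saved|Written by)|^Cryptochecksum:|^PIX Version |^Building configuration|^Current configuration'

# Print a config with volatile lines removed and trailing whitespace trimmed.
normalize_config() {
  grep -Ev "$VOLATILE" "$1" | sed 's/[[:space:]]*$//'
}

# Unified diff of two normalized configs.
# Exit status follows diff: 0 = identical, 1 = differences found, >1 = error.
pix_config_diff() {
  tmp_before=$(mktemp) || return 2
  tmp_after=$(mktemp) || return 2
  normalize_config "$1" > "$tmp_before"
  normalize_config "$2" > "$tmp_after"
  diff -u -L "before: $1" -L "after: $2" "$tmp_before" "$tmp_after"
  rc=$?
  rm -f "$tmp_before" "$tmp_after"
  return $rc
}

# Only the added (+) and removed (-) config lines, without diff headers or context:
# the short list you actually want to read after an upgrade.
pix_config_changes() {
  pix_config_diff "$1" "$2" | grep -E '^[-+]' | grep -Ev '^(---|\+\+\+) '
}

# Constructed sample captures. The only real change is one added alias line;
# the timestamp, version and checksum differ but are noise.
write_samples() {
  cat > "$1" <<'EOF'
: Saved
: Written by enable_15 at 18:05:10.000 UTC Mon Oct 7 2002
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
icmp deny any outside
Cryptochecksum:0123456789abcdef0123456789abcdef
: end
EOF
  cat > "$2" <<'EOF'
: Saved
: Written by enable_15 at 20:41:33.000 UTC Tue Oct 8 2002
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
icmp deny any outside
alias (inside) 10.0.0.5 192.0.2.5 255.255.255.255
Cryptochecksum:fedcba9876543210fedcba9876543210
: end
EOF
}

# Demo run on the constructed samples.
demo() {
  before=$(mktemp); after=$(mktemp)
  write_samples "$before" "$after"
  echo "Configuration lines added/removed by the upgrade:"
  pix_config_changes "$before" "$after"
  rm -f "$before" "$after"
}

demo
```

Run it with real captures by calling `pix_config_changes before.cfg after.cfg`; an empty result means the running configuration did not change, which points the investigation at the software's default behaviour rather than at the config.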
10-09-2002 08:10 AM
The config is the same except for an alias command for one web server. I am referring to the outside interface of the PIX. Can't use the PDM with the alias command (prefer the CLI anyway) and will replace the alias later on with the new DNS (NAT?) feature. I will venture a guess that it may have to do with the new bi-directional NAT feature.