Opening up for a disaster?

ChuckDLC
Level 1

Greetings. I am new to Cisco PIX firewalls. I am learning though. We have just received a PIX 506E that my boss wants to set up. I know it defaults to being closed to all incoming traffic. I was at the point where I felt I opened the ports needed to run Exchange 2000 and a few other things that people needed to do, however, my boss came to me just 1 hour ago telling me to open all ports and then close them as attacks come up. I felt this was a bad idea and whenever I made a good point and he had to think of a reason why we need to have the port open he would resort to, "Do as I say". So now I am looking for a quick and easy way to just open all ports. I would then create Deny rules to close them again. Can anyone help me?

Accepted Solution

access-list outside_access permit ip any any

access-group outside_access in interface outside

However, the ASA algorithm on the PIX will still be checking for sequence number violations, malformed packets, etc. You will also need to set up your xlates to allow the external clients to build conns to the inside hosts. One way to do this is:

access-list nonat permit ip any any

nat (inside) 0 access-list nonat

Good luck.

Scott


6 Replies

travis-dennis_2
Level 7

That is the most ridiculous thing I have ever heard. Try to get him to put that order in writing or in an e-mail to cover you a** and also put in writing your objections and that you are doing this under duress. I know how to accomplish the task but I'll be damned if I will be a party to that madness.

Yeah, well, I have both in writing and his boss signed it. I guess that's what ya get for working in government.

Well prepare for some attacks coming your way. You have the branch of the government that you work for listed here. Not everyone here is a nice guy like me. You have my condolences.


No, you can't be serious?

I'm a consultant working for government parties on a daily basis, but I never ran into such stupidity as this. Is this guy out of his mind or what?

IMHO he does not seem to understand that ASA takes care of all returning traffic, and so he's thinking that closing all ports will prevent him from having fun browsing.

Anyway, what Scott provided is indeed opening your PIX for all traffic coming in from the outside. Simply removing the access-group command will close all ports again in case of an attack. The command needed for this would be:

no access-group outside_access in interface outside

I would never set all ports open for traffic, not even if my boss signed a hundred documents; I'd rather get fired. Even if he signed for the risk of this config, you are the one getting all the sh*t when you are being attacked.

If you decide to listen to your boss and continue this config, let us all join the fun and post your outside IP here *evil grin*

Good luck,

Leo
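As an added example (not code from this thread or from Cisco), here is a small Python audit that reads PIX-style config lines such as the ones Scott posted and flags what this thread warns about: a permit-all access-list bound inbound on the outside interface, deny lines placed after it that can never match because PIX ACLs are first-match, and a nat 0 exemption that covers every inside host. For the offending binding it reports Leo's rollback command. The sample config is constructed; only the ACL names come from the thread.

```python
# Constructed PIX 6.x fragment: Scott's permit-all lines plus a deny rule of the kind Chuck planned to add later.
SAMPLE_CONFIG = """\
access-list outside_access permit ip any any
access-list outside_access deny tcp any any eq telnet
access-list nonat permit ip any any
access-group outside_access in interface outside
nat (inside) 0 access-list nonat
"""

def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def parse_config(text):
    """Collect ACL entries in order, access-group bindings and nat 0 exemptions."""
    acls, groups, nat0 = {}, [], []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list":
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst))
        elif len(t) >= 5 and t[0] == "access-group":
            groups.append((t[1], t[2], t[4]))          # (acl, direction, interface)
        elif len(t) >= 5 and t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0.append((t[1].strip("()"), t[4]))      # (interface, acl)
    return acls, groups, nat0

def first_permit_all(entries):
    return next((i for i, e in enumerate(entries) if e == ("permit", "ip", "any", "any")), -1)

def audit(text):
    acls, groups, nat0 = parse_config(text)
    findings = []
    for acl, direction, iface in groups:
        idx = first_permit_all(entries := acls.get(acl, []))
        if direction == "in" and iface == "outside" and idx >= 0:
            findings.append(f"{acl}: permit ip any any applied inbound on {iface}; revert with 'no access-group {acl} in interface {iface}'")
            # PIX ACLs are first-match: deny lines after the permit-all never fire.
            shadowed = sum(1 for e in entries[idx + 1:] if e[0] == "deny")
            if shadowed:
                findings.append(f"{acl}: {shadowed} deny line(s) shadowed by the permit-all")
    for iface, acl in nat0:
        if first_permit_all(acls.get(acl, [])) >= 0:
            findings.append(f"nat ({iface}) 0 access-list {acl}: exemption covers every {iface} host")
    return findings
```

An empty list from `audit()` means none of the three conditions was found; run it against `SAMPLE_CONFIG` to see all three reported.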

Well, to be honest, I won't be following his choice. His worries were somewhat valid. If there is a port I forget to open and suddenly our Dialup users can't access something they could before, they will react as though the world has ended. I have seen it before. (Some of these people carry guns so I have a valid reason to be afraid!) However, I convinced him that with the help of the ISP I will look at the logs of incoming traffic and determine which traffic we get is legit and those ports need to be opened. Setting up VPN access would be nice, however we would get large amounts of complaints as to how slow accessing Exchange and the other things is. At least for those going on Dialup. So anyway, things are looking up. I just need to wait for those logs.