10-01-2003 05:21 AM - edited 03-09-2019 04:59 AM
Greetings. I am new to Cisco PIX firewalls. I am learning though. We have just received a PIX 506E that my boss wants to set up. I know it defaults to being closed to all incoming traffic. I was at the point where I felt I opened the ports needed to run Exchange 2000 and a few other things that people needed to do, however, my boss came to me just 1 hour ago telling me to open all ports and then close them as attacks come up. I felt this was a bad idea and whenever I made a good point and he had to think of a reason why we need to have the port open he would resort to, "Do as I say". So now I am looking for a quick and easy way to just open all ports. I would then create Deny rules to close them again. Can anyone help me?
10-01-2003 06:40 AM
access-list outside_access permit ip any any
access-group outside_access in interface outside
However, the ASA algorithm on the PIX will still be checking for sequence number violations, malformed packets, etc. You will also need to set up your xlates to allow the external clients to build conns to the inside hosts. One way to do this is:
access-list nonat permit ip any any
nat (inside) 0 access-list nonat
Good luck.
Scott
10-01-2003 05:26 AM
That is the most ridiculous thing I have ever heard. Try to get him to put that order in writing or in an e-mail to cover you a** and also put in writing your objections and that you are doing this under duress. I know how to accomplish the task but I'll be damned if I will be a party to that madness.
10-01-2003 05:33 AM
Yeah, well, I have both in writing and his boss signed it. I guess that's what ya get for working in government.
10-01-2003 05:43 AM
Well prepare for some attacks coming your way. You have the branch of the government that you work for listed here. Not everyone here is a nice guy like me. You have my condolences.
10-01-2003 01:18 PM
No, you can't be serious?
I'm a consultant working for government parties on a daily basis, but I never ran into such stupidity as this. Is this guy out of his mind or what?
IMHO he does not seem to understand that ASA takes care of all returning traffic, and so he's thinking that closing all ports will prevent him from having fun browsing.
Anyway, what Scott provided is indeed opening your PIX for all traffic coming in from the outside. Simply removing the access-group command will close all ports again in case of an attack. The command needed for this would be:
no access-group outside_access in interface outside
I would never set all ports open for traffic, not even if my boss signed a hundred documents; I'd rather get fired. Even if he signed for the risk of this config, you are the one getting all the sh*t when you are being attacked.
If you decide to listen to your boss and continue this config, let us all join the fun and post your outside IP here *evil grin*
Good luck,
Leo
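For comparison, here are Scott's open-all lines and Leo's rollback command side by side with a least-privilege alternative for the Exchange server the original poster mentioned. This is an added example, not configuration from any poster; the addresses are placeholders and the syntax assumes PIX 6.3 (the `log` keyword on access-list entries needs 6.3 or later).

```cisco
! --- Open-all variant (Scott's post): the default deny on the outside
!     interface is gone, every inside host is reachable on every port ---
access-list outside_access permit ip any any
access-group outside_access in interface outside
access-list nonat permit ip any any
nat (inside) 0 access-list nonat
! Leo's emergency rollback: unbinding the ACL restores the implicit deny
no access-group outside_access in interface outside

! --- Least-privilege variant (assumed placeholder addresses:
!     203.0.113.10 = public address, 10.0.0.10 = inside Exchange server) ---
! One static xlate for the one host that must be reachable from outside
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
! Permit only inbound SMTP to that host; ASA handles the return traffic
access-list outside_access permit tcp any host 203.0.113.10 eq smtp
! Explicit final deny with logging so blocked attempts show up in syslog
access-list outside_access deny ip any any log
access-group outside_access in interface outside
! Inside users still get out via PAT on the outside interface
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

Adding a service later is one more `permit` line before the final `deny`, which is cheaper than discovering after the fact which of "all ports" an attacker used.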
10-02-2003 02:20 AM
Well, to be honest, I won't be following his choice. His worries were somewhat valid. If there is a port I forget to open and suddenly our Dialup users can't access something they could before, they will react as though the world has ended. I have seen it before. (Some of these people carry guns so I have a valid reason to be afraid!) However, I convinced him that with the help of the ISP