08-12-2003 05:07 AM - edited 03-09-2019 04:24 AM
We have multiple sites. In some locations, we have a PIX515 behind a 1720 Router. In others, we have only a 1721 with the Firewall Software Set installed (c1700-k9o3sy7-mz.122-11). All equipment was installed and configured by a channel partner with whom we are no longer working. I have been reviewing and learning about the configs, but am by no means an expert.
Using the ShieldsUp port scanner available at www.grc.com, the PIX configurations show all ports in "Stealth" mode. This means that the PIX does not even respond when the ports are scanned.
The 1721 configs, however, do respond to the port scanner but do not pass the traffic. This is "closed" in ShieldsUp terminology. We would prefer the "stealth" behavior.
The only thing that jumps out at me in the configs is that the 1721 does not have any FIXUP protocols running.
What is the difference, or what could be missing from the 1721 configuration?
Thanks!
08-12-2003 05:23 AM
Hi -
I presume (without seeing your config) that you have the following command on the PIX: icmp deny any outside. Basically, by using this command you are saying to deny any ICMP traffic on the outside interface; thus, if any scanners try to scan your network, the PIX will go into 'stealth' mode, or become invisible to the outside world.
I'm glad to see that you used Steve Gibson's website for your testing.
Can you post your config of the 1721? Please remember to change 'real' IPs and passwords, or if you like you can post off-line to me directly - jmia@ohgroup.co.uk
Thanks - Jay
08-12-2003 06:30 AM
You are not missing anything. "ShieldsUP Port Scanner" will indicate a Stealth status as the normal behavior of a PIX with NAT/PAT configured, in response to port probes; even if you are allowing ICMP packets to pass the PIX to the network, this won't help. And it has nothing to do with fixup as well.
The "Stealth" status indicates, as far as I believe, a possible NAT/PAT operation.
Are you running any PAT on the 1721?
08-12-2003 12:28 PM
I believe so. The config lines relating to NAT are as follows (IP addresses changed to protect the innocent):

ip nat pool MY_NAT_POOL 192.168.1.1 192.168.1.1 netmask 255.255.255.248
ip nat inside source route-map nonat pool MY_NAT_POOL overload
!
route-map nonat permit 10
 match ip address 100
! (we use VPNs, so access-list 100 identifies the "interesting traffic" that does NAT)
!
interface FastEthernet0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
Thanks for your comments!