mailing list archives
Re: VPNs on PIX
From: "Brian Loe" <knobdy () gmail com>
Date: Mon, 20 Feb 2006 16:52:20 -0600
On 2/20/06, Paul Melson <pmelson () gmail com> wrote:
Not that you asked, but this is "A Bad Idea(tm)" and is all too common where
PIX firewalls are concerned (because of the all-too-commonly-used 'sysopt
connection permit-ipsec'). Remember, every time you do this, you accept
risk that you cannot manage. I've never seen a setup that actually needed
to be that way. I honestly don't know why that command even exists.
Which part, specifically, are you addressing here - allowing their
entire network to access ours?
A quick google of that command comes back with a lot of info on VPN
software client connections (which we use concentrators for).
Yes it can be done on a PIX using the static command (or a global pool if a
large range is used). It's going to look a lot like the router config.
And if I had googled well enough the first time I would have found the
specific Cisco document on how to do it - which I did do today, about
5 minutes for another helpful lister sent me the link.
So you've got "OOB" secondary interfaces of internal AIX servers connected
to the same network as an internet-facing Windows server? And you're having
to make a case for why this is a bad idea? That sucks for you. Mostly
because it means that you're firewall admins don't get it.
Well, let me make sure I'm explaining the best way possible. On DMZ1
are internet facing boxes with routable IPs configured on their NICs
(no NATing). On the DMZ2 interface are those machine's secondary NICs
wth private IPs. The Internet-facing windows machine is also found
there with a private IP - NATted to a public IP.
Yeah...still sucks, no matter how you describe it.
This is a good idea. Surely nothing can go wrong with your apathetic
firewall admins at the helm and the syslog server that nobody wants to
build. (Is the sarcasm coming across correctly? I can never tell in
It's pretty loud. :) I'm trying to be THE firewall admin - based on
having just a little more knowledge (perhaps) than the rest of the
team, and at least the inclination to make the network difficult to
get on as opposed to user/admin friendly.
Anyway, the DoD probably won't be any worse off than it is now.
Apparently this is a pretty rough standard to get to - according to
our one customer that already adheres to it. It's apparently very
expensive since it requires us to duplicate parts of our environment
just for them. It also requires a lot of common sense measures to be
in place, and as it happens, most (if not all of them) have been in
some state of implementation since I got here (or in the case of a
centralized syslog server, had an aborted attempt made). Like I said,
I welcome it. I don't know how well off the DoD is (they should be in
pretty good shape if they adhere to their own guidlines) but its bound
to whip us into shape. Oh, it's called DITSCAP...anyone dealt with it
firewall-wizards mailing list
firewall-wizards () honor icsalabs com