Firewall Wizards mailing list archives

RE: PIX Logging Analysis


From: Dave Rinker <firewall () dsrtech com>
Date: 05 Mar 2003 20:17:23 -0500


I found ipaudit to be excellent. I deployed one interface on the outside
of the FW with a loopback host IP and the other to a management
interface so as not to bypass the PIX altogether (PIX 525), then employed
iptables to block all connections on the outside interface. The box
still listens to the traffic but drops any connection attempts. This way
I get to see all the hack attempts on the outside. Note you'll need
either a hub (for the 501) or a switch to span the ports. Cat 2950 does
not work with this app. I used a Cat 3500, but a 2912 or 2924 will do as
well. Cat 2950 puts the interface up/down and the box does not see the
link.

Below are the dynamic and static. I had issues as well. The PIX 6.2.2
code did not accept the pppoe statement at the end of the command
"ip address outside <ip_address> <mask> pppoe" for me (static). I
believe it to be related to my ISP, as I've removed all the vpdn config
entries and I still connect with no issues (go figure). If I remember
correctly I also had an issue with the "setroute" statement and had to
add a default to get it to work. These both worked with an ADSL
connection.

I haven't seen any bugs acknowledged by Cisco for the pppoe issues I've
had, but we'll see in the new code if it differs.

Best of luck.


********************dynamic********************

ip address outside pppoe setroute
!
vpdn group isp request dialout pppoe
vpdn group isp localname <username-for-dsl>
vpdn group isp ppp authentication chap
vpdn username <username-for-dsl> password <password-for-dsl>
vpdn enable outside


*********************static*********************

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix501
access-list 101 deny ip 0.0.0.0 255.0.0.0 any
access-list 101 deny ip 127.0.0.0 255.0.0.0 any
access-list 101 deny ip 10.0.0.0 255.0.0.0 any
access-list 101 deny ip 192.168.0.0 255.255.0.0 any
access-list 101 deny ip 169.254.0.0 255.255.0.0 any
access-list 101 permit tcp any host 1.1.1.1 eq www
access-list 101 permit tcp any host 1.1.1.1 eq smtp
!
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1492
mtu inside 1500
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 192.168.0.5 255.255.255.255 0 0
nat (inside) 1 192.168.0.6 255.255.255.255 0 0
!
static (inside,outside) tcp interface www 192.168.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255 0 0
access-group 101 in interface outside
!
route outside 0.0.0.0 0.0.0.0 1.1.1.x 1
!
vpdn group isp request dialout pppoe
vpdn group isp localname <username-for-dsl>
vpdn group isp ppp authentication chap
vpdn username <username-for-dsl> password <password-for-dsl>
vpdn enable outside
: end




On Wed, 2003-03-05 at 15:03, Paul Stewart wrote:
Thanks very much. I'd love to see a copy of your configs as I'm having
problems with 6.2 and DSL right now. I highly agree that even with lots of
automation a human is needed, hence why we'll charge a good fee
monthly. :) And thanks for the link to ipaudit; sounds like what we're
looking for.

Take care,

---
Paul Stewart
Network Solutions Specialist
Nexicom Inc.
http://www.nexicom.net/
(705)932-4127 Office
(705)932-2329 Fax 


