Pix configuration questions?
beenframed 2001-07-19, 8:55 pm
On a PIX 515 running code version 4.3 I have come across the following configs, and I think I know what they are for, but would like to see if someone out here with more expertise than me can verify that for me.
1. conduit permit icmp any any --- it's my impression that this is just for allowing pings to test for connectivity and I can turn it off if I like.
2. conduit permit tcp any eq 1723 any --- I thought this works with conduit permit gre any any to allow for VPN connections?
MadChef 2001-07-20, 6:18 am
1. That's what most people use it for. Be aware that it allows all ICMP messages in and out of your network, including echoes, echo replies, unreachables, etc.
2. TCP 1723 is the control port for PPTP VPNs. There is, however, no good reason to allow this inbound to all devices. If you're using PPTP to a device behind the firewall, restrict the traffic to just that device. "conduit permit tcp host <global ip> eq 1723 any" would probably be more appropriate.
Lastly, you're running 4.3, which is susceptible to a number of vulnerabilities that have been addressed in newer code revisions. See http://www.cisco.com/warp/customer/707/advisory.html for more info.
MadChef
beenframed 2001-07-20, 9:54 am
So since I have three Windows 2000 Servers running Routing and Remote Access behind the firewall, I should remove the command conduit permit tcp any eq 1723 any and replace it with three commands like conduit permit tcp host (R&R Access host ip) eq 1723 any
Thanks...
bf
MadChef 2001-07-22, 5:00 pm
quote: Originally posted by beenframed
and replace it with three commands like conduit permit tcp host (R&R Access host ip) eq 1723 any
I would.
MC
depamo 2001-07-22, 5:16 pm
I agree with the others in evaluating your information. Having ping turned on is good for troubleshooting, but you might want to limit who can do it from outside your network to inside your network. Hackers will sweep known registered IP addresses looking for vulnerabilities and equipment that will allow them to jump off onto other systems. Reducing your footprint on the Internet will help keep automated scanning tools and amateur hackers from identifying the interior of your DMZ.
Cisco won't say to turn it off, but it also only identifies that it should only be used for troubleshooting.