Firewall Wizards mailing list archives

Re: PIX 520 Help.....


From: Avishai Wool <avishai_w () yahoo com>
Date: Mon, 20 Aug 2001 09:16:40 -0700 (PDT)

Ross,

I was surprised to see that you posted your PIX config to the
net; many people don't do that (which is a form of security by
obscurity really IMHO...).

But since you did, I grabbed it and ran it thru the Lumeta Firewall
Analyzer (LFA). I'll send you the report in a private email. The
analysis showed that, as you experienced, no ICMP traffic can come into your
network from the outside, despite the fact that you have a
conduit statement and a couple of access lists defined.

I believe that the reason is that you have no 'static' command exporting your
internal IP addresses to inbound connections. The 'nat'/'global'
will let you make outbound connections (the LFA report shows that
you can, e.g., browse the web).

Hope this helps,
 Avishai




=====
Avishai Wool, Ph.D.,  Chief Scientist & Co-Founder, Lumeta Corp.
220 Davidson Ave, 4th Floor, Somerset, NJ 08873, USA
Email: yash () acm org        Web: http://research.lumeta.com/yash/
Phone: (732) 357-3511  Cell: (973) 420-5919  Fax: (732) 564-0731
    ** Want to audit or debug your firewall's policy? **
Lumeta Firewall Analyzer: http://www.lumeta.com/firewall.html
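The point Avishai makes above (a conduit or inbound access-list is useless on a PIX 6.x unless a 'static' exports the destination address) can be checked mechanically. The following is an added example, not code from the poster, from this list, or from Lumeta's Firewall Analyzer: a small lint that reads a PIX config, collects the global addresses exported by 'static' commands, and flags every inbound permit rule (a 'conduit', or an 'access-list' entry applied inbound with 'access-group') whose destination no static covers. The sample config is constructed for illustration with RFC 5737 addresses and is not Ross's config; the check only knows regular address statics, not port-level ones.

```python
"""Lint a PIX 6.x config for inbound permit rules that no 'static' exposes.

Added example: not the poster's, the list's, or Lumeta LFA code. The sample
configs below are constructed and use documentation (RFC 5737) addresses.
"""
import ipaddress
import re
from typing import List, Set, Tuple

Net = ipaddress.IPv4Network

# Constructed sample: nat/global give outbound translation, conduit and
# access-list permit inbound ICMP/HTTP, but nothing is exported by a static.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 203.0.113.100-203.0.113.200
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
access-list acl_out permit tcp any host 203.0.113.10 eq www
access-list acl_out permit icmp any any
access-group acl_out in interface outside
"""

# Same config with the missing static added: 203.0.113.10 now maps to an inside host.
FIXED_CONFIG = SAMPLE_CONFIG + (
    "static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0\n"
)

# Regular address static: 'static (high,low) GLOBAL LOCAL [netmask M] [...]'.
# Port-level statics ('static (inside,outside) tcp ...') deliberately do not match.
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)(?:\s+netmask\s+(\S+))?"
)
CONDUIT_RE = re.compile(r"^conduit\s+permit\s+(\S+)\s+(.+)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens consumed


def take_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one PIX address spec ('any' | 'host A' | 'A MASK') as a network."""
    if tokens[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    return Net(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def skip_port(tokens: List[str], i: int) -> int:
    """Skip an optional port operator such as 'eq www' or 'range 20 21'."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return i + PORT_OPS[tokens[i]]
    return i


def audit(config: str) -> List[str]:
    """Return one finding per inbound permit rule whose destination no static exports."""
    statics: List[Net] = []
    inbound_acls: Set[str] = set()
    acl_rules: List[Tuple[str, str, Net]] = []  # (acl name, config line, destination)
    conduits: List[Tuple[str, Net]] = []        # (config line, destination)
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            mask = m.group(5) or "255.255.255.255"
            statics.append(Net(f"{m.group(3)}/{mask}", strict=False))
        elif m := GROUP_RE.match(line):
            inbound_acls.add(m.group(1))
        elif m := CONDUIT_RE.match(line):
            # conduit syntax lists the global (destination) address first
            dest, _ = take_addr(m.group(2).split(), 0)
            conduits.append((line, dest))
        elif m := ACL_RE.match(line):
            # access-list syntax lists source first, then destination
            tokens = m.group(3).split()
            _, i = take_addr(tokens, 0)
            i = skip_port(tokens, i)
            dest, _ = take_addr(tokens, i)
            acl_rules.append((m.group(1), line, dest))

    candidates = conduits + [(ln, d) for name, ln, d in acl_rules if name in inbound_acls]
    findings = []
    for line, dest in candidates:
        if not any(dest.overlaps(s) for s in statics):
            findings.append(f"unreachable: '{line}' - no static exports an address in {dest}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("without static", SAMPLE_CONFIG), ("with static", FIXED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  ", f)
```

Run on the first config every inbound rule is reported, including 'conduit permit icmp any any', because there is no exported address for 'any' to match; adding the single static clears all three findings. The check treats a destination as reachable if any static's global range overlaps it, so network statics ('netmask 255.255.255.0') are handled too.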

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

