Firewall Wizards mailing list archives
Re: Fw: cisco pix does not log traffic targetted to itself?
From: Brian Ford <brford () cisco com>
Date: Tue, 14 Jan 2003 09:40:35 -0500
Kevin,

Maybe I misread the follow up to your original. What version of PIX OS are you using?
You can have one inside interface and one outside interface. The inside is always security level 100. The outside is security level 0. Think of it as "I trust the inside 100%" and "I trust the outside 0%".
You can have additional interfaces in many models, and these additional interfaces can have the same security level. Say you create DMZ_In and DMZ_Out, and you set both to a security level of 50. In this configuration DMZ_In and DMZ_Out will not pass traffic to one another directly, no matter what ACLs or routes you have set up in the PIX. You can make them pass traffic, but that traffic would need to leave the PIX and get routed back via an external router.
Setting up additional interfaces (other than inside and outside) to the same security level is supported by TAC. Dave Chapman (author of the book you referenced) may have been mistaken there.
The PIX will, by default, log all traffic sent to the outside interface. Check your log level. The packets get dropped and the PIX issues a log message that a non-IPSec packet was received on the interface. Packets that the PIX processes (i.e. IPSec connections) are also logged.
Are you trying to log traffic that is sent to the inside interface? In order to do that you would need to violate a security policy. Then that would be logged.
A trick I sometimes use to log everything is to create an ACL that permits the types of traffic that I allow through and denies other stuff (rather than a list that contains just deny statements). The PIX will log all ACLs that execute.
Hope this helps.

Liberty for All,
Brian

At 05:12 PM 1/13/2003 -0800, Kevin Steves wrote:
On Mon, Jan 13, 2003 at 07:25:25AM -0500, Brian Ford wrote:
> > i'm told you can assign
> > multiple interfaces the same security level
>
> No.

i did find the source of that information, and it was something i had read. in "cisco secure pix firewalls" pg. 55 it says: "While it is possible to configure two or more interfaces with the same ASA Security Level, it is not a TAC-supported configuration".

> Regarding the original question: Sure it does.

the original question concerned traffic to self, and my testing shows: no, all traffic to the pix itself that is dropped is not logged. simple test, telnet to port 81 on the outside IP (assuming no static). i don't see a log entry.

> And there is a "deny all" at the end of an ACL in PIX (just like in IOS).

yes, but does an access list for traffic to self apply? even with:

access-list outside-in deny ip any any
access-group outside-in in interface outside

i can ping outside unless i do:

icmp deny any outside
Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://wwwin.cisco.com/corpdev/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
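The two practical points in this exchange (Brian's "permit what you allow, then deny the rest so the denies get logged" trick, and Kevin's observation that the interface ACL does not govern ICMP to the PIX's own address) can be put together in one configuration. The following is an added example written for this archive page, not configuration from either poster; the interface names, addresses, syslog collector and port list are constructed placeholders, and the `log` keyword on an access-list entry assumes PIX OS 6.3 or later.

```cisco
! Added example (not from the thread): explicit permit/deny ACL with logging.
! Interface names, addresses and the syslog host are hypothetical placeholders.

! Ship syslog to a collector on the inside; the ACL hits are level 6 (informational),
! so the trap level must be at least that high or they are never sent.
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.10

! Permit only what the policy allows, one explicit entry per service.
access-list outside-in permit tcp any host 203.0.113.10 eq www
access-list outside-in permit tcp any host 203.0.113.10 eq 443

! Explicit final deny so every other packet through the interface produces an
! ACL-hit log entry. The "log" keyword (assumed: PIX 6.3+) emits a 106100
! message per matching ACE; without it the implicit deny is what you get, and
! the thread's point is that explicit entries are what show up in the log.
access-list outside-in deny ip any any log
access-group outside-in in interface outside

! Kevin's test: "deny ip any any" on outside-in did not stop ping to the PIX's
! own outside address. Traffic to the box itself is handled separately, so ICMP
! addressed to the interface has to be controlled with the icmp command.
icmp deny any outside
```

The design choice here is the one Brian describes: the deny at the end is written out rather than left implicit, so that the dropped traffic appears in the same syslog stream as the permitted flows and can be reviewed from the collector rather than from the PIX console buffer.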