Firewall Wizards mailing list archives

Re: Fw: cisco pix does not log traffic targetted to itself?


From: Brian Ford <brford () cisco com>
Date: Tue, 14 Jan 2003 09:40:35 -0500

Kevin,

Maybe I misread the follow up to your original. What version of PIX OS are you using?

You can have one inside interface and one outside interface. The inside is always security level 100. The outside is security level 0. Think of it as "I trust the inside 100%" and "I trust the outside 0%".

You can have additional interfaces in many models and these additional interfaces can have the same security level. Say you create DMZ_In and DMZ_Out, and you set both to a security level of 50. In this configuration DMZ_In and DMZ_Out will not pass traffic to one another directly, no matter what ACLs or routes you have set up in the PIX. You can make them pass traffic, but that traffic would need to leave the PIX and get routed back via an external router.

Setting up additional interfaces (other than inside and outside) to the same security level is supported by TAC. Dave Chapman (author of the book you referenced) may have been mistaken there.

The PIX will, by default, log all traffic sent to the outside interface. Check your log level. The packets get dropped and the PIX issues a log message that a non-IPSec packet was received on the interface. Packets that the PIX processes (i.e. IPSec connections) are also logged.

Are you trying to log traffic that is sent to the inside interface? In order to do that you would need to violate a security policy. Then that would be logged.

A trick I sometimes use to log everything is to create an ACL that permits the types of traffic that I allow through and denies other stuff (rather than a list that contains just deny statements). The PIX will log all ACLs that execute.

Hope this helps.

Liberty for All,

Brian

At 05:12 PM 1/13/2003 -0800, Kevin Steves wrote:
On Mon, Jan 13, 2003 at 07:25:25AM -0500, Brian Ford wrote:
> >  i'm told you can assign
> >multiple interfaces the same security level
>
> No.

i did find the source of that information, and it was something i had
read.  in "cisco secure pix firewalls" pg. 55 it says:

"While it is possible to configure two or more interfaces with the
same ASA Security Level, it is not a TAC-supported configuration".

> Regarding the original question: Sure it does.

the original question concerned traffic to self, and my testing shows:
no, all traffic to the pix itself that is dropped is not logged.

simple test, telnet to port 81 on the outside IP (assuming no static).
i don't see a log entry.

> And there is a "deny all"  at the end of an ACL in PIX (just like in IOS).

yes, but does an access list for traffic to self apply?

even with:
access-list outside-in deny ip any any
access-group outside-in in interface outside

i can ping outside unless i do:

icmp deny any outside


Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://wwwin.cisco.com/corpdev/
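As an added illustration (not configuration from either poster) of the two points in this thread: a PIX 6.x-style ACL that lists explicit permits followed by an explicit final deny, as Brian describes, together with the `icmp` command Kevin found necessary for packets addressed to the outside interface itself. The host 192.0.2.10, the syslog collector 10.1.1.50 and the interface names are placeholders.

```cisco
: Added example, not from the original posts. Addresses are placeholders.
: Send syslog to a collector on the inside; informational level captures ACL hits.
logging on
logging timestamp
logging trap informational
logging host inside 10.1.1.50
: Brian's approach: enumerate what is allowed, then deny everything else with an
: explicit entry, so the final deny is an ACL entry that the PIX logs when it matches.
access-list outside-in permit tcp any host 192.0.2.10 eq www
access-list outside-in permit tcp any host 192.0.2.10 eq 443
access-list outside-in deny ip any any
access-group outside-in in interface outside
: Kevin's finding: the interface ACL does not govern packets sent to the PIX's own
: outside address, so ICMP to that interface is controlled with the icmp command.
icmp deny any outside
```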
