[c-nsp] PIX Question

Paul Stewart pauls at nexicom.net
Sun Mar 6 20:27:54 EST 2005



Thanks... unfortunately the policy has to become strict because of some
abuse that's been going on at the client site.... that's what has
prompted this .. unfortunately...

I'm in Canada by the way..;)

Paul


Matt Hill wrote:
| Hi Paul,
|
| That really doesn't look too difficult actually...
|
| That could easily be done with a router doing CBAC and using the
| port-map command to identify the extra ports (10000, 8443) as extra http
| ports.
|
| You could also try playing with the fixup protocol <protocol> <port
| number> command on the pix for the extra http ports.  Don't forget no
| fixup protocol <protocol> for all the traffic you don't want to be
| inspected/fixed.
|
| Use an outbound ACL to permit what you like and deny all the rest.
|
| Just make sure I never work at this site (if I move to the States)
| because I would hate a network policy like that ;)
|
| Cheers,
| Matt
|
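Worked configuration for the two approaches Matt outlines above (PIX fixup plus outbound ACL, or an IOS router doing CBAC with port-map); this is an added example, not config from either poster. It assumes PIX 6.x syntax and pre-12.3(14)T IOS port-map syntax; the inside subnet 192.0.2.0/24, interface names and ACL names are placeholders, and only the ports the thread mentions (80, 443, 8443, 10000) are opened.

```text
! --- PIX (6.x syntax assumed): inspect HTTP on the extra ports, then
! --- permit only the wanted outbound traffic and deny everything else.
fixup protocol http 80
fixup protocol http 8443
fixup protocol http 10000
! Protocols the site is not allowed to use at all: no inspection either
no fixup protocol ftp 21
no fixup protocol smtp 25
! Outbound policy, inside subnet 192.0.2.0/24 is a placeholder
access-list OUTBOUND permit tcp 192.0.2.0 255.255.255.0 any eq 80
access-list OUTBOUND permit tcp 192.0.2.0 255.255.255.0 any eq 443
access-list OUTBOUND permit tcp 192.0.2.0 255.255.255.0 any eq 8443
access-list OUTBOUND permit tcp 192.0.2.0 255.255.255.0 any eq 10000
! Explicit final deny so the dropped attempts show up in syslog
access-list OUTBOUND deny ip any any
access-group OUTBOUND in interface inside

! --- IOS router with CBAC instead of the PIX: tell the inspection
! --- engine that 8443 and 10000 carry HTTP, inspect sessions leaving
! --- the inside interface, and block everything else on both edges.
! (12.3(14)T and later use: ip port-map http port tcp 8443)
ip port-map http port 8443
ip port-map http port 10000
ip inspect name CLIENT-FW http
ip inspect name CLIENT-FW tcp
! Egress policy: same four ports, everything else denied and logged
ip access-list extended OUTBOUND
 permit tcp 192.0.2.0 0.0.0.255 any eq 80
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
 permit tcp 192.0.2.0 0.0.0.255 any eq 8443
 permit tcp 192.0.2.0 0.0.0.255 any eq 10000
 deny ip any any log
! Return traffic is only admitted through the holes CBAC opens
ip access-list extended FROM-OUTSIDE
 deny ip any any log
interface Ethernet0
 description inside (placeholder name)
 ip access-group OUTBOUND in
 ip inspect CLIENT-FW in
interface Ethernet1
 description outside (placeholder name)
 ip access-group FROM-OUTSIDE in
```

Both variants log the denies, which is the part you want for the abuse case: the log lines show which inside host keeps trying the blocked ports.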
