[c-nsp] Telnet FROM a PIX Appliance?

Higham, Josh jhigham at epri.com
Mon Jun 30 11:41:41 EDT 2008


> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
> 
> I guess it's more as a "working right" educational purpose, 
> so you won't use your firewall as a debugging client.
> In newer versions there's the packet tracker that can help 
> you debug connectivity problems.
> Ziv

As an FYI, the ASA/PIX packet capture cannot currently be completely
trusted (version 8.0).  I found an annoying bug where I would capture
the frame on a SPAN session monitoring the port connected to the
firewall, but it wouldn't show up on the firewall capture.

The packet in question was also being dropped by the firewall, but with
no logging (and with a permit ip any any rule in place).  The 'fix' was
to apply a NAT translation and then remove it.  TAC was completely
unhelpful (worst ever TAC experience).

Blocking outbound sessions on the firewall also means that it can't be
used to bounce an attack, if compromised.

Thanks,
Josh

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer
> Sent: Monday, June 30, 2008 2:21 PM
> To: Aaron R
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
> 
> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote:
> > It is disabled as a security feature. I have also wanted to do the same for
> > troubleshooting purposes.
> 
> And why exactly is this a security feature? What is the 
> *gain* in security?
> 
>  Ciao
>   Joerg
> --
> Joerg Mayer                                           <jmayer at loplof.de>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


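Josh's complaint above, that a frame visible on a SPAN session of the firewall's port never appeared in the ASA's own capture, is the kind of discrepancy worth checking mechanically rather than by eye. The script below is an added example, not code from the post or from Cisco: it parses two classic libpcap files (assumed to be the SPAN-side and firewall-side captures, both with Ethernet link type), counts packets per IPv4 5-tuple flow, and reports the flows the SPAN saw but the firewall capture did not. The pcap bytes are constructed inline (checksums left at zero) so it runs offline; on a real case, read the two capture files instead of building them.

```python
"""Compare a SPAN-side capture with a firewall-side capture by IPv4 flow.

Added example (not from the mailing-list post, not Cisco code). Assumes both
inputs are classic libpcap files with Ethernet link type; the sample pcaps
below are constructed inline so the script runs offline.
"""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic as read from a little-endian file
LINKTYPE_ETHERNET = 1


def flow_key(frame):
    """Return (src, dst, proto, sport, dport) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # ARP, IPv6, 802.1Q-tagged: skipped, not compared
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                     # IPv4 protocol field
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    sport = dport = 0
    if proto in (6, 17) and len(frame) >= l4 + 4:  # TCP and UDP both start with the two ports
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return (src, dst, proto, sport, dport)


def flows(pcap_bytes):
    """Count packets per flow in a classic pcap file of either byte order."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    counts = Counter()
    off = 24                              # global header is 24 bytes
    while off + 16 <= len(pcap_bytes):    # each record has a 16-byte header
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        key = flow_key(frame)
        if key is not None:
            counts[key] += 1
    return counts


def missing_on_firewall(span_pcap, asa_pcap):
    """Flows the SPAN capture saw more often than the firewall capture did.

    Maps flow -> number of packets unaccounted for. A non-empty result means
    the firewall capture cannot, by itself, prove that a packet never arrived."""
    span, asa = flows(span_pcap), flows(asa_pcap)
    return {k: n - asa[k] for k, n in span.items() if n > asa[k]}


def build_frame(src, dst, proto, sport, dport):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame for the sample data; checksums are zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    payload = b"x" * 8
    if proto == 6:   # TCP: ports, seq, ack, data offset, flags (SYN), window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:            # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload),
                     0, 0, 64, proto, 0, src_b, dst_b)
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap: global header plus record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: the SPAN session sees four packets in three flows; the
# firewall's own capture is missing both packets of the 10.0.0.5 -> 192.0.2.10 telnet flow.
SPAN_FRAMES = [
    build_frame("10.0.0.5", "192.0.2.10", 6, 40001, 23),
    build_frame("10.0.0.5", "192.0.2.10", 6, 40001, 23),
    build_frame("10.0.0.7", "192.0.2.20", 6, 40002, 443),
    build_frame("10.0.0.9", "192.0.2.53", 17, 40003, 53),
]
SPAN_PCAP = build_pcap(SPAN_FRAMES)
ASA_PCAP = build_pcap(SPAN_FRAMES[2:])

if __name__ == "__main__":
    for (src, dst, proto, sport, dport), n in missing_on_firewall(SPAN_PCAP, ASA_PCAP).items():
        print(f"{n} packet(s) {src}:{sport} -> {dst}:{dport} (proto {proto}) "
              f"seen on SPAN but absent from the firewall capture")
```

Frames that are not plain IPv4 over Ethernet (ARP, IPv6, 802.1Q-tagged) are skipped rather than compared, so a VLAN-tagged SPAN feed should be untagged first or the parser extended; pcapng output is also not handled, so save the captures in classic pcap format.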