[c-nsp] Telnet FROM a PIX Appliance?

Tony Varriale tvarriale at comcast.net
Mon Jun 30 12:05:06 EDT 2008


Any chance you could give the group more details before saying it can't be 
trusted?

tv
----- Original Message ----- 
From: "Higham, Josh" <jhigham at epri.com>
To: <cisco-nsp at puck.nether.net>
Sent: Monday, June 30, 2008 10:41 AM
Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?


>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
>>
>> I guess it's more as a "working right" educational purpose,
>> so you won't use your firewall as a debugging client.
>> In newer versions there's the packet-tracer that can help
>> you debug connectivity problems.
>> Ziv
>
> As an FYI, the ASA/Pix packet capture cannot currently be completely
> trusted (version 8.0).  I found an annoying bug where I would capture
> the frame on a span session monitoring the port connected to the
> firewall, but it wouldn't show up on the firewall capture.
>
> The packet in question was also being dropped by the firewall, but with
> no logging (and with a permit ip any any rule in place).  The 'fix' was
> to apply a nat translation and then remove it.  TAC was completely
> unhelpful (worst ever TAC experience).
>
> Blocking outbound sessions on the firewall also means that it can't be
> used to bounce an attack, if compromised.
>
> Thanks,
> Josh
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer
>> Sent: Monday, June 30, 2008 2:21 PM
>> To: Aaron R
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>>
>> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote:
>> > It is disabled as a security feature. I have also wanted to
>> do the same for
>> > troubleshooting purposes.
>>
>> And why exactly is this a security feature? What is the
>> *gain* in security?
>>
>>  Ciao
>>   Joerg
>> --
>> Joerg Mayer
>> <jmayer at loplof.de>
>> We are stuck with technology when what we really want is just
>> stuff that
>> works. Some say that should read Microsoft instead of technology.
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>> **************************************************************
>> **********************
>> This footnote confirms that this email message has been scanned by
>> PineApp Mail-SeCure for the presence of malicious code,
>> vandals & computer viruses.
>> **************************************************************
>> **********************
>>
>>
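The comparison Josh describes (a frame seen on the switch SPAN port but absent from the firewall capture, and silently dropped) can be reproduced from the ASA CLI. The following is an added example, not configuration from anyone in this thread; the interface names and the addresses 10.1.1.10 (inside client) and 192.0.2.20 (outside server) are assumed for illustration. The point it adds to the discussion is that an interface capture alone does not show drops: the asp-drop capture and packet-tracer are the checks that expose them.

```cisco
! Added example (not from the thread). Assumed hosts: 10.1.1.10 inside, 192.0.2.20 outside.
!
! 1. Capture what the firewall itself saw arrive on the inside interface.
!    If the frame is on the SPAN session but not here, the box never accepted it.
capture capin interface inside match ip host 10.1.1.10 host 192.0.2.20

! 2. Capture packets discarded by the accelerated security path, with the drop reason.
!    This is where a "permit ip any any" policy can still lose traffic with no syslog.
capture capdrop type asp-drop all

! 3. Push a synthetic SYN through the policy and watch each phase (ACL, NAT, route).
packet-tracer input inside tcp 10.1.1.10 1025 192.0.2.20 80 detailed

! 4. Compare the three views against the switch-side SPAN capture.
show capture capin
show capture capdrop
show asp drop

! 5. Remove the captures when done; they consume memory on the appliance.
no capture capin
no capture capdrop
```

If the frame appears in capdrop but not in capin, the drop reason printed by show asp drop (for example a NAT or reverse-path check failure) is the thing to chase, which is consistent with the NAT add-then-remove workaround described above.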
