[cisco-ttl] PIX 515 Port Problem

From: Ilker YILMAZ (ilkeryilmaz_at_netone.com.tr)
Date: Thu Sep 18 2003 - 05:49:26 GMT

    Hello, as a result of a configuration change I recently made on the PIX
    firewall, ports that in my opinion should not be open now appear open on
    my entire IP block, including the PIX itself. Below is the output taken
    from a simple port scanner:
     
    + X.X.X.2
             |___ 21 File Transfer Protocol [Control]
             |___ 80 World Wide Web HTTP
                       |___ HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..
             |___ 389 Lightweight Directory Access Protocol
             |___ 1720 h323hostcall
      + X.X.X.3
             |___ 21 File Transfer Protocol [Control]
             |___ 389 Lightweight Directory Access Protocol
             |___ 1720 h323hostcall
      + X.X.X.4
             |___ 21 File Transfer Protocol [Control]
             |___ 389 Lightweight Directory Access Protocol
             |___ 1720 h323hostcall
      + X.X.X.5
             |___ 21 File Transfer Protocol [Control]
             |___ 389 Lightweight Directory Access Protocol
             |___ 1720 h323hostcall
      + X.X.X.6
             |___ 21 File Transfer Protocol [Control]
             |___ 389 Lightweight Directory Access Protocol
             |___ 1720 h323hostcall
      + X.X.X.7
             |___ 21 File Transfer Protocol [Control]
             |___ 389 Lightweight Directory Access Protocol
             |___ 1720 h323hostcall
     
    wall# sh conf
    : Saved
    :
    PIX Version 6.0(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security10
    enable password WVzs6/AKShXo/RmW encrypted
    passwd WVzs6/AKShXo/RmW encrypted
    hostname wall
    domain-name ciscopix.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list smtp permit tcp any host X.X.X.2 eq www
    access-list smtp permit tcp any host X.X.X.2 eq smtp
    access-list smtp permit tcp any host X.X.X.2 eq pop3
    access-list smtp permit icmp host X.X.X.2 any
    access-list smtp permit icmp host X.X.X.2 any echo
    access-list smtp permit icmp host X.X.X.2 any echo-reply
    access-list smtp permit icmp host X.X.X.2 any unreachable
    access-list smtp permit icmp host X.X.X.2 any time-exceeded
    access-list smtp permit icmp any host X.X.X.2 echo-reply
    access-list smtp permit icmp any host X.X.X.2 echo
    access-list smtp permit icmp any host X.X.X.2 unreachable
    pager lines 24
    logging on
    logging trap notifications
    logging history notifications
    logging host dmz X.X.X.3 6/1468
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    #
    #
    #
    #....
     
    The web server is on the “dmz” leg, and the last change I made was to put
    a Syslog server next to my web server and expose it to the Internet with
    the “static” command.
     
    Does anyone have any ideas?
     
    Ilker
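A practical first check in a situation like the one described in this post is to compare, mechanically, what the scanner reports as open against what the access-list on the PIX actually permits, so that every host/port pair the policy does not account for is listed explicitly. The script below is an added example and is not part of the original post or of any Cisco tooling: it parses the tree-style scanner listing and the `access-list ... permit tcp ... host H eq P` lines quoted above (the ICMP entries are ignored, and the post's configuration is truncated, so only the quoted lines are known), and prints per host the open TCP ports that no access-list entry allows. The `SERVICE_PORTS` table, the shortened sample inputs and the function names are constructed for this example; the `X.X.X.n` placeholders are kept as the post wrote them.

```python
"""Cross-check a port-scan listing against the TCP entries of a PIX access-list.

Added example, not code from the original post. Assumes the scanner prints one
`+ <host>` line per address followed by `|___ <port> <service>` lines, and that
the PIX access-list uses the `permit tcp <src> host <dst> eq <service>` form.
"""
import re
from collections import defaultdict

# Service keywords PIX accepts after `eq`, mapped to port numbers (constructed subset).
SERVICE_PORTS = {
    "ftp": 21, "smtp": 25, "www": 80, "http": 80, "pop3": 110,
    "ldap": 389, "h323": 1720,
}

# Constructed sample: the access-list lines quoted in the post (TCP ones matter here).
PIX_CONFIG = """\
access-list smtp permit tcp any host X.X.X.2 eq www
access-list smtp permit tcp any host X.X.X.2 eq smtp
access-list smtp permit tcp any host X.X.X.2 eq pop3
access-list smtp permit icmp host X.X.X.2 any
access-list smtp permit icmp any host X.X.X.2 echo
"""

# Constructed sample: a shortened copy of the scanner tree from the post.
SCAN_OUTPUT = """\
+ X.X.X.2
         |___ 21 File Transfer Protocol [Control]
         |___ 80 World Wide Web HTTP
                   |___ HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..
         |___ 389 Lightweight Directory Access Protocol
         |___ 1720 h323hostcall
  + X.X.X.3
         |___ 21 File Transfer Protocol [Control]
         |___ 389 Lightweight Directory Access Protocol
         |___ 1720 h323hostcall
"""

# Source may be `any`, `host A.B.C.D` or `A.B.C.D MASK`; destination must be `host H eq P`.
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+tcp\s+(?:any|host\s+\S+|\S+\s+\S+)"
    r"\s+host\s+(\S+)\s+eq\s+(\S+)\s*$"
)
HOST_RE = re.compile(r"^\s*\+\s+(\S+)\s*$")
PORT_RE = re.compile(r"^\s*\|___\s+(\d+)\b")   # banner lines (no leading digit) are skipped


def permitted_tcp_ports(config):
    """Return {dst_host: {port, ...}} for every `permit tcp ... host H eq P` entry."""
    allowed = defaultdict(set)
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        host, svc = m.groups()
        port = int(svc) if svc.isdigit() else SERVICE_PORTS.get(svc)
        if port is None:
            raise ValueError(f"unknown service keyword {svc!r} in: {line}")
        allowed[host].add(port)
    return dict(allowed)


def open_ports(scan):
    """Return {host: {port, ...}} from the tree-style scanner listing."""
    seen = {}
    current = None
    for line in scan.splitlines():
        h = HOST_RE.match(line)
        if h:
            current = h.group(1)
            seen.setdefault(current, set())
            continue
        p = PORT_RE.match(line)
        if p and current is not None:
            seen[current].add(int(p.group(1)))
    return seen


def unexpected_exposure(config, scan):
    """Per host, the open TCP ports that no access-list entry permits (sorted)."""
    allowed = permitted_tcp_ports(config)
    report = {}
    for host, ports in open_ports(scan).items():
        extra = ports - allowed.get(host, set())
        if extra:
            report[host] = sorted(extra)
    return report


if __name__ == "__main__":
    for host, ports in unexpected_exposure(PIX_CONFIG, SCAN_OUTPUT).items():
        print(f"{host}: open but not permitted by access-list: {ports}")
```

On the sample above the report lists 21, 389 and 1720 for every host, and only port 80 on X.X.X.2 is accounted for by the access-list; a host that appears in the scan but in no `permit tcp` entry at all shows up with every open port flagged, which is the quickest way to spot addresses the policy never mentions.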

    This archive was generated by hypermail 2.1.5 : Thu Sep 18 2003 - 09:51:01 GMT