From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Fri Mar 14 2008 - 18:56:42 ARST
Inline...
Farrukh Haroon @ 14/03/2008 17:37 -0200 dixit:
> Carlos I'm afraid your findings are incorrect, one can telnet to security
> level 90 or all the way up to sec-level 1 interfaces, as long as the
> appropriate 'telnet <ip> <mask> <interface>' command is there.
Farrukh,
maybe my conclusion is wrong, but here's what I did:
Pix 515 running 7.2, stock default config, eth1 as inside, 10.0.0.1/24.
1) Added telnet 10.0.0.0 255.0.0.0 inside and so was able to telnet from
inside host 10.0.0.10
2) Changed sec level to 0, telnet connected but no prompt
3) Changed sec level to 100, telnet ok again
4) Changed to 50, telnet connected but no prompt
5) Changed to 90, still no go
6) Changed to name outside, and sec level to 100, telnet back ok.
(At that time I had 2 outside interfaces, although eth0 was down.)
>
> One cannot telnet to the outside (sec-level 0) interface. A VPN connection
> needs to be setup in order to make that work. SSH works of course.
The whole point of my argument is finding out what is outside.
(If you are a programmer type, outside seems to be way overloaded)
So please don't assume name and sec level go hand in hand!
And I have read the way it is supposed to be (done). Was trying to
reverse engineer when it works "as advertised" so to say.
> Regarding the original question, the 'nameif outside' command tells the
> PIX/ASA which interface is the outside. For any nameif other than 'inside',
> the OS automatically sets the security-level to 0 (this includes nameif
> outside, dmz, internet, abcd etc).
But you can change it back..., and the name will stick.
>
> "no takers on why transparent pix does PING destination to learn its mac?"
>
> Can you please clarify your question there? Are you referring to this:
>
> http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/bridgarp.html#wp1039938
>
> "Packets for remote devicesThe security appliance generates a ping to the
> destination IP address so that the security appliance can learn which
> interface receives the ping reply."
>
> If Yes, then CCO answers your question: "so that the security appliance can
> learn which interface receives the ping reply"
I don't understand why it cares.
And to send a ping, it would have to know routing, and use its
knowledge of routes instead of the original frame's intended L2
destination??? The original frame had an intended L2 destination,
why subvert it? Why does it make a difference if its L3 destination is
local or not?
>
> Regards
>
> Farrukh (CCIE # 20184 - Security)
-Carlos (CCIE #13838 R&S, CC*P, JNCIS, CCSI, student for life :)
>
> On Fri, Mar 14, 2008 at 9:55 PM, Carlos G Mendioroz <tron@huapi.ba.ar>
> wrote:
>
>> You need, try it.
>> Seeing I'm not the only one, I did lab it (7.2).
>> And the answer is ... security_level <> 100.
>>
>> I made an interface "outside" and could login w/o trouble.
>> But as soon as I changed the sec level to 90, the telnet connects
>> but you get no service (i.e. no password or login prompt)
>>
>> So telnet only works on sec level 100 interfaces (which is an ok
>> policy for me! Just wanted to know it :)
>>
>> -Carlos
>> P.S.
>> no takers on why transparent pix does PING destination to learn its mac?
>>
>> Hoogen @ 14/3/2008 16:30 -0600 dixit:
>>> I don't think you need a static nat statement...just enabling telnet on
>>> the outside interface is good enough...
>>>
>>> Well Carlos you are right you can name anything you like to...outside is
>>> just that mostly internet links are connected to...so the outside world
>>> can access it..least secure zone..usually zero...But you can even name it
>>> internet give it a security level of 30 too...just have to remember that
>>> your more secure zones...servers placed in dmz or your internal lan
>>> inside zones need to have more security level..and not lesser than the
>>> outside or internet zone...
>>>
>>> -Hoogen
>>>
>>>
>>> On 3/14/08, Tony Varriale <tvarriale@flamboyaninc.com> wrote:
>>>> The nameif command and the security-level.
>>>>
>>>>
>>>> Tony
>>>>
>>>> -----Original Message-----
>>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>>> Carlos G Mendioroz
>>>> Sent: Friday, March 14, 2008 11:59 AM
>>>> To: ccielab@groupstudy.com
>>>> Subject: OT?: What makes the outside interface "outside" ?
>>>>
>>>> Pixen do not allow telnet to the outside interface w/o ipsec.
>>>> There are a number of ways out (ipsec, static to inside, etc).
>>>>
>>>> But what makes an interface an "outside" interface ? The name ?
>>>> The sec level ? Just curious if somebody knows (and lazy to go
>>>> and lab it up!)
>>>>
>>>> Regards,
>>>> -Carlos
>>>> --
>>>> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>
>> --
>> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>>
>
>
-- Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
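The thread turns on the distinction between an interface's nameif and its security-level, and on which interfaces carry a 'telnet <ip> <mask> <interface>' statement. The script below is an added example written for this archive page, not code from any participant or from Cisco: it parses a PIX/ASA 7.x-style running-config, joins each telnet access statement to the security-level of the nameif it references, and flags management access that lands on the lowest-security interface or is open to any source address. The sample config, its interface names, addresses and levels are constructed for the example; the flag criteria are this example's auditing choices, not a statement of how the PIX itself enforces telnet access.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a PIX/ASA 7.x running-config fragment; the interface
# names, addresses and levels are invented for this example, not taken from
# the thread.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
telnet 10.0.0.0 255.0.0.0 inside
telnet 172.16.0.0 255.255.255.0 dmz
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
"""

# Matches 'telnet <ip> <mask> <nameif>'; 'telnet timeout N' does not match.
TELNET_ACCESS_RE = re.compile(
    r"^telnet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$"
)


def parse_interfaces(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level by walking 'interface' blocks.

    The level is keyed by the nameif (the string a telnet statement refers
    to), not by the physical interface, which is the distinction the thread
    is arguing about.
    """
    levels: Dict[str, int] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None  # new block: forget the previous nameif
        elif line.startswith("nameif "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith("security-level ") and current is not None:
            levels[current] = int(line.split()[1])
    return levels


def parse_telnet_access(config: str) -> List[Tuple[str, str, str]]:
    """Return (source_ip, mask, nameif) for every telnet access statement."""
    found = []
    for raw in config.splitlines():
        m = TELNET_ACCESS_RE.match(raw.strip())
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def audit_telnet(config: str) -> List[dict]:
    """Join telnet statements to security levels and flag the combinations a
    config reviewer would want to see first."""
    levels = parse_interfaces(config)
    lowest = min(levels.values()) if levels else None
    # Only meaningful to call an interface "lowest" when levels actually differ.
    levels_differ = len(set(levels.values())) > 1
    findings = []
    for src, mask, ifname in parse_telnet_access(config):
        level = levels.get(ifname)
        flags = []
        if level is None:
            flags.append("unknown-interface")  # nameif not defined in the config
        elif levels_differ and level == lowest:
            flags.append("lowest-security-interface")
        if src == "0.0.0.0" and mask == "0.0.0.0":
            flags.append("any-source")  # management reachable from every address
        findings.append({"interface": ifname, "level": level,
                         "source": f"{src} {mask}", "flags": flags})
    return findings


if __name__ == "__main__":
    for f in audit_telnet(SAMPLE_CONFIG):
        print(f"{f['interface']:<8} level={f['level']!s:<5} "
              f"from {f['source']:<31} {' '.join(f['flags'])}")
```

Run against the sample, the inside and dmz statements come back unflagged, while the outside statement is reported both as sitting on the lowest-security interface and as open to any source; a statement naming an interface that has no nameif block is reported as unknown rather than silently skipped.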
This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART