Posted by AM on June 20, 2005, 10:05 pm
Hi all,
Denying traffic to a particular port from an external source (Internet) to
internal servers will be seen with status "filtered" by programs like nmap.
I would like traffic coming to a particular IP to be redirected by rules. Is it
possible? I mean, the ports I am interested in must be effectively redirected
to my server; all the others should be redirected to a virtual IP.
I would, moreover, like to select the action to take based on the packets'
source. I have a PIX running 6.3(4).
Perhaps it is possible on a router, but I am not sure on the PIX.
Thanks,
Alex.
Posted by Walter Roberson on June 21, 2005, 2:03 am
:I have a PIX running 6.3(4).
:Denying traffic to a particular port from an external source (Internet) to
:internal servers will be seen with status "filtered" by programs like nmap.
That is normal. nmap reports that because it does not get back a
TCP SYN ACK response, and also does not get back an ICMP time-exceeded
or ICMP network-unreachable or ICMP port-unreachable. nmap is,
in other words, detecting that the packets are being dropped somewhere
along the line.
There is a 'service' which tells the PIX to generate TCP RST instead
of just dropping the packets. That's usually not turned on because
it makes it easier for outsiders to map your network (and to detect
that it's a PIX protecting the network.)
:I would like traffic coming to a particular IP to be redirected by rules. Is it
:possible? I mean, the ports I am interested in must be effectively redirected
:to my server; all the others should be redirected to a virtual IP.
That's not as easy to configure as one might prefer, in that static
without ports has higher priority than static with ports -- so one
cannot configure as "static through these particular ports, and
for everything else, fall back to the regular static that covers
all the ports."
I believe, though, that one might be able to configure it using
policy static; it might take a bit of fiddling to work.
:I would, moreover, like to select the action to take based on the packets' source.
That's the realm of policy static. Policy static is, though,
nearly the lowest priority: only regular nat is lower priority
(and possibly policy nat too.) To make things work out, one
might end up having to use a bunch of "range" specifiers.
--
The rule of thumb for speed is:
1. If it doesn't work then speed doesn't matter. -- Christian Bau
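Added example (not from either poster, and not PIX code): a small model of how nmap decides between "open", "closed" and "filtered" for a SYN-scan probe, run against a hypothetical firewall that either silently drops denied packets or answers them with a TCP RST, as the reply above describes. The firewall function, the port sets and the probe replies are all constructed here for illustration; the classification rules follow nmap's documented SYN-scan behaviour (SYN/ACK means open, RST means closed, an ICMP type 3 with code 1, 2, 3, 9, 10 or 13 means filtered, and no usable answer after retransmissions also means filtered).

```python
"""Model nmap's TCP SYN-scan port classification against a firewall that
either drops denied packets or answers them with RST.  Added example; the
firewall below is a hypothetical simplification, not PIX behaviour."""
from dataclasses import dataclass
from typing import Dict, List, Set

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

# nmap marks a SYN-scanned port 'filtered' on an ICMP destination-unreachable
# (type 3) with one of these codes: host, protocol and port unreachable plus
# the three administratively-prohibited codes.
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


@dataclass
class Reply:
    """One packet that came back for a probe (constructed, not captured)."""
    kind: str              # "tcp" or "icmp"
    tcp_flags: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def classify_syn_probe(replies: List[Reply]) -> str:
    """Apply nmap's SYN-scan rules to everything seen for one port.

    SYN/ACK -> open, RST -> closed, matching ICMP type 3 -> filtered,
    nothing usable after retransmissions (empty list) -> filtered.
    """
    for r in replies:
        if r.kind == "tcp":
            if r.tcp_flags & SYN and r.tcp_flags & ACK:
                return "open"
            if r.tcp_flags & RST:
                return "closed"
        elif (r.kind == "icmp" and r.icmp_type == 3
              and r.icmp_code in ICMP_FILTERED_CODES):
            return "filtered"
    return "filtered"


def firewall_replies(port: int, allowed: Set[int], listening: Set[int],
                     denied_action: str) -> List[Reply]:
    """Hypothetical firewall in front of one server.

    denied_action is "drop" (silent discard) or "reset" (answer with RST).
    Allowed ports are passed to the server, which answers SYN/ACK when
    something listens there and RST otherwise.
    """
    if port in allowed:
        if port in listening:
            return [Reply("tcp", tcp_flags=SYN | ACK)]
        return [Reply("tcp", tcp_flags=RST)]
    if denied_action == "reset":
        return [Reply("tcp", tcp_flags=RST)]
    return []  # dropped: the scanner never sees anything for this port


def scan(ports: List[int], allowed: Set[int], listening: Set[int],
         denied_action: str) -> Dict[int, str]:
    """Return port -> nmap state for every probed port."""
    return {p: classify_syn_probe(firewall_replies(p, allowed, listening,
                                                   denied_action))
            for p in ports}


def summarize(results: Dict[int, str]) -> Dict[str, int]:
    """Count states; the mix of 'filtered' vs 'closed' is what tells a
    scanner whether a filtering device sits in the path."""
    counts = {"open": 0, "closed": 0, "filtered": 0}
    for state in results.values():
        counts[state] += 1
    return counts


if __name__ == "__main__":
    PORTS = [22, 25, 80, 443, 8080]          # constructed probe set
    ALLOWED, LISTENING = {80, 443}, {80}     # 443 allowed but nothing listens
    for action in ("drop", "reset"):
        res = scan(PORTS, ALLOWED, LISTENING, action)
        print(action, res, summarize(res))
```

With the drop policy the denied ports come back "filtered" and the scanner only reaches that verdict after its retransmission timeouts expire; with the reset policy every denied port is answered at once and reads as "closed", so the scan finishes quickly and each probe gets a definite answer from something in the path. Port 443 is the case worth noticing: it is allowed through but nothing listens, so the server's own RST makes it "closed" under either policy.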