Super-Networking Blog

Firewalls

PPTP VPN Through Cisco Pix

by admin on Apr.09, 2008, under Firewalls, Networking, VPN

Do you want your workstations to connect to PPTP VPNs through a Cisco PIX firewall without having to set up a static NAT for each one?

Are you getting the following error in your syslogs when you try?

“regular translation creation failed for protocol 47”

All you should have to do is add a new fixup protocol entry:

“fixup protocol pptp 1723”

Now, assuming that you have a PAT for all traffic from inside to outside, your PPTP connections should work.

There are other factors that could cause this to fail; make sure that you are on at least version 6.3 of the PIX software.

If you still have problems check your syslogs.


How to Config Firewall Through Registry

by admin on Aug.22, 2007, under Firewalls, Software, Systems

So, continuing on the configuring-things-through-the-registry topic, not because I am trying to be a hardcore geek but because I need to bootleg something.

So what do you do when you can only get on a box (Server 2003 or Windows XP SP2) remotely and the firewall is enabled? Either out of sheer luck or, in my case, sheer skill, you know it: you can stop the Windows Firewall/Internet Connection Sharing (ICS) service. Then you can remote desktop into the box.

Say now that you want to enable the firewall on one of the adapters and not the other. You go into Properties on the adapter -> Advanced -> Settings. It tells you the service is stopped and that if you want to configure it you will need to start the service. If you have it start the service you will be kicked off the box with the firewall now on: back to square one.

So what you do is go into the good old registry:

HKEY_Local_Machine\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
-or-
HKEY_Local_Machine\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

Change the firewall setting from on to off (0 = off, 1 = on). Now start the ICS service; you should stay connected and the firewall should stay off on the box.

Now you can go into Properties on the adapter you want the firewall on -> Advanced -> Settings -> click “On” in the General tab, then go to the Advanced tab and uncheck the adapter you want the firewall turned off on. OK out of everything and now you have the firewall enabled on the adapters you want and off on the others, instead of all adapters going on/off together by default.

Best part is you didn’t have to drive to the remote location to do it.


Security on a Stick - Yoggie

by admin on May.30, 2007, under Firewalls, Networking, Security, Software

I ran across a pretty sweet product today. It is called Yoggie Pico and it is a security suite for your laptop that is based off of a USB stick. It is a hardened Linux box running off a 520MHz processor in a USB stick. It is supposed to provide all of the security you need on your laptop and you can move it from PC to PC.

Features:

Yoggie Pico combines best-of-breed enterprise-class software with proprietary patent pending developments to provide a comprehensive security solution. With its stateful inspection firewall and NAT, Yoggie hides the laptop’s IP address from the outside world and closes any unnecessary network connection. In addition, the hardware design and hardened OS prevents any tampering on the Firewall (a common Spyware, Viruses behavior). Deep packet inspection is performed by a robust intrusion detection/prevention solution to detect attacks as they begin their operation.

The application layer includes four transparent proxies, two for web traffic (HTTP, FTP) and two for email traffic (SMTP and POP3). Using a powerful true-type detection engine, the proxies can deal with any content type, including decompiled elements such as compressed class and file attachments. These elements are analyzed by seven security agents:

  • Adaptive Security Policy
  • Multi-Layer Security Agent
  • Layer-8 Security Engine
  • URL Categorization & Filtering
  • Anti-Spam
  • Anti-Phishing
  • Antispyware
  • Antivirus
  • Transparent Email Proxies (POP3; SMTP)
  • Transparent Web Proxies (HTTP; FTP)
  • Intrusion Detection System / Intrusion Prevention System
  • VPN Client
  • Stateful Inspection Firewall

Cisco Firewall - Land Attack

by admin on May.03, 2007, under Firewalls, Networking, Security

I have been seeing some “Critical Syslog Events” coming through lately from my Cisco FWSM (Firewall Switch Module). The event number is FWSM-2-106017 or if you have a PIX it would be PIX-2-106017.

When you go to Cisco’s site for the explanation this is what they give you:

Error Message: %FWSM-2-106017: Deny IP due to Land Attack from IP_addr to IP_addr

Explanation: This message indicates that the module received a packet with the IP source address equal to the IP destination and the destination port equal to the source port. This indicates a spoofed packet that is designed to attack systems. This attack is referred to as a land attack. If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.

Recommended Action: None.

This is fine and dandy but doesn’t help me track down what the problem is. I don’t believe this is truly a land attack, since it only seems to happen when the sysadmins are working on this box. The IP it is coming from is a web server, and this web server has an internal IP and a NATted external IP. When changes are made you want to test the website, so you go to the website on the server: it resolves to the NATted IP, which goes out through the firewall, hits the router, then is converted back to the internal IP and sent back through the firewall. This is where the land attack comes in, because the traffic is coming from the same IP it is going to, on different interfaces on the firewall.

I haven’t seen a fix for this; you could probably disable this rule in the firewall, or just make sure you go to the internal IP instead of the NATted IP when testing from the web server itself.


Too many Syslogs from your Pix or FWSM

by admin on Mar.11, 2007, under Firewalls, Networking

One of the benefits of having a firewall in your network is the logging of the traffic that passes through it. By default, when you turn on logging, every single connection through the firewall is logged both on setup and teardown. In a high-traffic network this can create huge databases of syslogs and makes it much harder to find the events you are looking for. Here is a list of syslog messages you can turn off to eliminate this unwanted chatty syslog traffic.

no logging message 109011
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 302016

You will still see all of the denies and other events most people want to see. These commands should work both on the Cisco PIX models and the Cisco Firewall Switch Module.
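The three PIX/FWSM syslog posts above (the protocol 47 translation failure, the 106017 land-attack message, and the noisy connection build/teardown IDs) all come down to looking at the message ID and text of each line. The following added example, which is my own and not code from the blog or from Cisco, does that triage in Python over a handful of constructed sample lines: it suppresses the IDs the post turns off, raises an alert when a 106017 line really has source equal to destination (with a reminder to rule out the hairpinned-NAT case the land-attack post describes), and flags a protocol 47 translation failure as the PPTP/GRE symptom. The message IDs 305006 and 106023 in the sample lines are assumed from Cisco's message catalogue and are not on the page; the addresses are from the documentation ranges.

```python
import re
from dataclasses import dataclass

# Message IDs the post disables with "no logging message <id>" on the PIX/FWSM:
# connection build/teardown chatter that drowns out the denies.
NOISY_MESSAGE_IDS = {
    "109011", "305012", "305011", "302015",
    "302014", "302013", "304001", "302016",
}

# Layout of a PIX/FWSM syslog line: %PLATFORM-SEVERITY-MSGID: text
SYSLOG_RE = re.compile(r"%(?P<platform>PIX|FWSM|ASA)-(?P<sev>\d)-(?P<msg_id>\d{6}):\s*(?P<text>.*)")
LAND_RE = re.compile(r"Deny IP due to Land Attack from (?P<src>\S+) to (?P<dst>\S+)")
PROTO_RE = re.compile(r"translation creation failed for protocol (?P<proto>\d+)")


@dataclass
class Verdict:
    msg_id: str
    action: str   # "suppress", "alert" or "keep"
    reason: str


def triage(line: str) -> Verdict:
    """Classify one PIX/FWSM syslog line the way the posts above suggest."""
    m = SYSLOG_RE.search(line)
    if not m:
        return Verdict("", "keep", "not a PIX/FWSM syslog line")
    msg_id, text = m.group("msg_id"), m.group("text")

    if msg_id in NOISY_MESSAGE_IDS:
        return Verdict(msg_id, "suppress", "connection setup/teardown chatter")

    if msg_id == "106017":
        lm = LAND_RE.search(text)
        if lm and lm.group("src") == lm.group("dst"):
            return Verdict(msg_id, "alert",
                           f"land-attack signature, src == dst == {lm.group('src')}; "
                           "rule out hairpinned NAT from that host before escalating")

    pm = PROTO_RE.search(text)
    if pm and pm.group("proto") == "47":
        return Verdict(msg_id, "alert",
                       "GRE (IP protocol 47) failed PAT; PPTP needs 'fixup protocol pptp 1723'")

    return Verdict(msg_id, "keep", "deny or other event of interest")


def summarize(lines):
    """Return per-action counts and the list of alert verdicts for a batch of lines."""
    counts = {"suppress": 0, "alert": 0, "keep": 0}
    alerts = []
    for line in lines:
        v = triage(line)
        counts[v.action] += 1
        if v.action == "alert":
            alerts.append(v)
    return counts, alerts


# Constructed sample lines (documentation-range addresses, not real hosts).
SAMPLE_LINES = [
    "%PIX-6-302013: Built outbound TCP connection 1 for outside:203.0.113.5/80 "
    "(203.0.113.5/80) to inside:192.168.1.10/51234 (192.168.1.10/51234)",
    "%PIX-6-302014: Teardown TCP connection 1 for outside:203.0.113.5/80 "
    "to inside:192.168.1.10/51234 duration 0:00:01 bytes 512 TCP FINs",
    "%FWSM-2-106017: Deny IP due to Land Attack from 203.0.113.20 to 203.0.113.20",
    "%PIX-3-305006: regular translation creation failed for protocol 47 "
    "src inside:192.168.1.10 dst outside:198.51.100.7",
    "%PIX-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:192.168.1.10/23 "
    "by access-group \"outside_in\"",
]

if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE_LINES)
    print(counts)  # {'suppress': 2, 'alert': 2, 'keep': 1}
    for a in alerts:
        print(a.msg_id, a.reason)
```

Suppressing on the collector is the complement of the `no logging message` commands: it keeps the raw feed available if you ever need the connection records for an investigation, while the dashboards only see the denies and alerts.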


FWSM Config Guides

by admin on Feb.19, 2007, under Firewalls, Networking

Here are some good config guides to help you setup your Cisco Firewall Service Module.

Guide for your FWSM running version 2.3:

FWSM Config Guide 2.3

Guide for your FWSM running version 3.1:

FWSM Config Guide 3.1

Guide for setting up your FWSM into Transparent Mode:

FWSM Transparent Mode Config Guide


Upgrading your FWSM from 2.X to 3.X

by admin on Feb.16, 2007, under Firewalls, Networking

Here is a good read for those of you wanting to upgrade your Cisco Firewall Service Module from 2.X software to a 3.X version of the software.

FWSM Upgrade

I just upgraded our FWSM and had no issues; quite painless.


Personal Firewall Software

by admin on Aug.24, 2006, under Firewalls, Security, Software

Good Article from Mail & Guardian Online
A chain is only as strong as its weakest link. That’s doubly true when it comes to protecting computers that are connected to the internet. Anyone who thinks that a virtual firewall is enough to protect a PC from the dangers of the internet — such as hacker attacks and unwanted contact with damaging programs — is making a mistake.

That level of safety requires a combination of several protective measures. Firewall software for home use is not much more than a leaky dike.

“It’s dangerous to view a firewall as some sort of PC airbag,” warns Professor Stefan Wolf, who teaches applied computer sciences at the Polytechnic University of Lippe and Hoexter, Germany.

The so-called personal firewall programs commonly used with home PCs are not comparable to the powerful firewalls used in companies or public organisations.

Those organisations can afford special computers assigned exclusively to guarding the PCs in the network. A home computer must attempt to maintain its own firewall while performing its normal functions.

A recent test in the Munich-based computer magazine PC Professionell showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.

Many firewalls were even quickly switched off within the simulation. In the most serious cases, damaging software was able to circumvent the firewall in sending sensitive data, from personal surfing histories to passwords and credit-card numbers, to the hacker.

Browsers are particularly susceptible, since they are inherently allowed to make a connection with the internet.

“If the attacker takes advantage of errors in the browser, then the best firewall won’t help at all,” says Wolf. Getting proper protection from personal firewall programs requires that programmers know the ins and outs of all ports between the operating system and browser and be able to work absolutely error-free.

Surfers are better advised to take more achievable steps, such as keeping their operating system, browser and other programs constantly up to date. This is because software makers, like hackers, are usually spurred to action only in reaction to published security gaps, Wolf says. This is why anti-virus software armed with the most current virus signatures is the crucial last-gap defence on any computer.

“Desktop firewalls, as they are also called, are practically extraneous, presuming that you adhere to the basic rules of safe surfing,” is the word at the German Federal Agency for Security in Information Technology (BSI) in Bonn.

IT security cannot be achieved through individual pieces of software, but rather must be constructed through the interplay of various factors.

This means first and foremost preventing viruses and damaging software from getting on the computer in the first place. “Surfing habits are hence important for security,” says Wolf. Most dangers emerge through surfing and downloads from questionable websites.

“The primary gateway into the browser is JavaScript,” Wolf explains. Users should deactivate the program language in their browser, or use browser extensions to define which web sites are to be trusted to execute JavaScript.

“It’s not convenient, but it is much safer,” he says.

Proper e-mail handling is another important preventative measure beyond the reach of firewalls. “Attached files should be scanned by a virus program prior to opening, and you should think twice before clicking unfamiliar links,” Wolf warns.

For reasons of convenience, many users simply use the default administrator account for daily PC use. Yet this can allow a virus to gain full control of the computer, magnifying the potential for major damages by a successful attack.

“John Q Public doesn’t need administrator rights and should log in as such only when installing software,” says Wolf.

The worst thing that can happen to a computer user is the loss of personal data. This is because tainted systems can be reinstalled at any time, but deleted data is usually gone forever.

Backups are the safe way to go, Wolf recommends. “All important data should be regularly burned to CD or stored on a USB stick,” Wolf says.

Users who still prefer a firewall should first check whether they are using a router with firewall functionality. If so, then no firewall is needed, including the one built in to Windows XP, reports PC Professionell.

The configuration of a personal firewall is usually more than most users can handle anyway. To understand the system’s warning, the user must understand the meaning of IP addresses, host and client names as well as ports, the BSI reports.

Most lay users instead use the comfortable auto configuration settings offered by personal firewalls. This lets the software follow its own ideas about which data packets can pass through the virtual wall and which are to be filtered out.

According to the BSI, this can quickly lead to “security critical misconfigurations”. Filter rules should be hand set to allow only absolutely necessary access from the computer to the internet.

The rules should also be regularly inspected and non-necessary ports locked down. — Sapa-dpa


Transparent Firewall

by admin on Aug.02, 2006, under Firewalls, Networking

I am currently looking into putting additional security onto a network by adding a firewall in place of an ACL. This network does a ton of traffic and is quite complex, so putting in a firewall normally would be no easy task. This network is being run with a 7600 series router, which gives me an additional option when it comes to firewalls: the Cisco Firewall Module (WS-SVC-FWM-1-K9=).

This module has two main modes: Routed Mode and Transparent Mode. Routed mode is your normal firewall mode, where you give an IP to each interface and the traffic is routed and possibly NATted through the firewall. This can pose challenges and basically means a network redesign to put a firewall in where there was none.

Transparent mode, on the other hand, allows you to do a “bump in the wire” install: it basically bridges all traffic through the firewall, which allows you to keep your current network design. You don’t change any of your NATting on the router or default gateways on your networks. Now, bridges typically are layer 2 only, but the firewall is designed to enforce your layer 3 restrictions on this traffic. This mode is also still stateful and maintains your security by session. The main things you lose in this mode are that you can’t NAT traffic and you can’t route traffic.

More info on this if I end up putting this in place.


ACLs/Firewall Effect on Services

by admin on Jul.31, 2006, under Firewalls, Networking

Just wanted to post about controlling services like DNS, FTP, SMTP etc. If you don’t have a firewall but do have a Cisco router, you can control ports with ACLs. You will need to use an extended ACL, so the command will start out with “ip access-list extended”. Since it can be confusing when you have a lot of them, use a name that describes either what traffic it is affecting or what you are trying to do with it. The command would then look like “ip access-list extended test”, test being the name of the ACL. Under that command you will get a submenu, and the commands there are deny or permit, then a protocol like ip, tcp or udp, then the source traffic affected (X.X.X.X X.X.X.X), then the destination (X.X.X.X X.X.X.X). The first set of Xs is the IP network and the second is the wildcard mask, so for example 192.168.0.0 0.0.255.255 would be anything in the 192.168.0.0 networks. You can also match one IP address by specifying host X.X.X.X with no wildcard mask; this goes in place of the IP network and wildcard mask. Another good thing to remember is that the any keyword can be used to mean everything, so maybe you want traffic from 192.168.0.0 0.0.255.255 to any destination. With an extended ACL that uses the tcp or udp keyword after the permit or deny, you can specify ports by putting eq and then the port number after the source and destination part.

Here is an example extended ACL:

ip access-list extended test
permit tcp 192.168.0.0 0.0.255.255 any eq 80
deny ip any any log

That ACL named test allows HTTP traffic from the 192.168.0.0 networks to anywhere on port 80; the next line then denies everything else. You will notice that I used the keyword log, which will take any matches to that access list entry and send them to a syslog server if you have one set up.

There are a lot of things you can play around with here, but this will get you started. Now, as I started the conversation out with, you have to be careful with things like FTP when you put ACLs in place, because certain services like FTP will jump ports mid-session and ACLs can block them. That is why, if you are having problems or are serving out content from servers through an ACL, a lot of times you need permit tcp any any established, which will let most of this traffic through. This is not the perfect solution: you may still get some stuff blocked, and this might let some unwanted traffic through. The better solution is to get a PIX firewall from Cisco. I will not go into the commands on this box in this post, but the PIX is able to watch the sessions that go in and out of its interfaces and open only the needed ports between the two talking hosts. It does this with what is called “fixup protocol”. I will go into more detail about this in later posts unless someone comments with a specific question. In summary, if you really want to control access in and out of your network a PIX is the right way to do it; a router with ACLs is a temporary solution.
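To make the wildcard-mask, host, any, eq and established semantics concrete, here is an added Python model of an extended ACL evaluator. It is my own illustration, not the blog's code and not how IOS implements ACLs internally; it parses the ACL from the post plus a constructed second ACL that uses the established keyword, and evaluates constructed packets against them top to bottom with the implicit deny at the end.

```python
import ipaddress

# The ACL from the post, verbatim.
ACL_TEXT = """
ip access-list extended test
permit tcp 192.168.0.0 0.0.255.255 any eq 80
deny ip any any log
"""

# Constructed second ACL showing the "established" keyword the post mentions.
ACL_ESTABLISHED_TEXT = """
ip access-list extended return-traffic
permit tcp any any established
deny ip any any log
"""


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_addr(tokens, i):
    """Consume a source/destination spec at tokens[i]: any | host A.B.C.D | A.B.C.D W.W.W.W."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1          # wildcard all ones: every bit is "don't care"
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2  # wildcard all zeros: exact match
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_port(tokens, i):
    """Consume an optional 'eq <port>' qualifier."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> dict:
    """Parse one entry: permit|deny proto src [eq p] dst [eq p] [established] [log]."""
    t = line.split()
    if t[0] not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {line!r}")
    ace = {"action": t[0], "proto": t[1]}
    ace["src"], i = parse_addr(t, 2)
    ace["sport"], i = parse_port(t, i)
    ace["dst"], i = parse_addr(t, i)
    ace["dport"], i = parse_port(t, i)
    flags = set(t[i:])
    ace["established"] = "established" in flags
    ace["log"] = "log" in flags
    return ace


def parse_acl(text: str):
    """Return (name, entries) for an 'ip access-list extended <name>' block."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if not lines[0].startswith("ip access-list extended "):
        raise ValueError("expected 'ip access-list extended <name>' header")
    return lines[0].split()[-1], [parse_ace(l) for l in lines[1:]]


def addr_matches(spec, ip: str) -> bool:
    """Wildcard-mask compare: a 1 bit in the wildcard means 'ignore this bit'."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (net & care) == (_ip(ip) & care)


def ace_matches(ace, pkt) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not addr_matches(ace["src"], pkt["src"]) or not addr_matches(ace["dst"], pkt["dst"]):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    # 'established' matches only TCP segments with ACK (or RST) set, i.e. not a fresh SYN.
    if ace["established"] and not (pkt["proto"] == "tcp" and (pkt.get("ack") or pkt.get("rst"))):
        return False
    return True


def evaluate(aces, pkt):
    """First matching entry wins; an ACL ends with an implicit 'deny ip any any'."""
    for n, ace in enumerate(aces, 1):
        if ace_matches(ace, pkt):
            return ace["action"], n, ace["log"]
    return "deny", None, False


if __name__ == "__main__":
    name, aces = parse_acl(ACL_TEXT)
    web = {"proto": "tcp", "src": "192.168.5.7", "dst": "203.0.113.10", "sport": 40000, "dport": 80}
    print(name, evaluate(aces, web))  # test ('permit', 1, False)
```

The established check is the point the post warns about: it looks only at the ACK/RST bits of a single segment, with no memory of whether a matching outbound SYN ever went through, which is why it lets FTP data connections back in but also lets through any crafted segment with ACK set. A stateful inspector like the PIX keeps that session memory, and this model makes the difference visible.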

For those of you who say I can’t put a firewall in-between my segments then there is an IOS firewall solution where the Cisco router runs something called CBAC which can do the same basic inspection as a PIX. More info later.
