• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Cisco Pix/ASA.. Where to place the firewall

Started by UltraZero, February 27, 2011, 10:11:41 AM

Previous topic - Next topic


I have a question about firewalls.
I've been reading the Cisco website and I seem to see there are several places to put
the firewall when installing it.

I kinda don't see why to put the firewall behind a router unless there are some functions that
can't be done on the firewall.

Next, I was wondering if the firewall is placed in front of the router (Cable connection) can for example a Pix
handle the DHCP, and doing it's job for IPv4 (v6.33) or IPv4 and IPv6 (v7.x or 8.x)

Now.. If I don't have a static IP address (IPv4) is it possible to put up a dual stack website. I would assume this would happen in the DMZ.   

Also, can the tunnel occur on the firewall? if not, I would assume I would need to reverse the rolls and put the router up front then the firewall behind.


You cannot have a tunnel on an Asa or pix.  You would want to have the tunnel on the router and set the firewall behind the router.  If your address is dynamic, you just need to update your dns records and the ip address onthe he site so your tunnel keeps working.  There are scripts that you can use to make that easier


Cool.  I actually am in the process of tearing my network appart.  I am putting a different router in front of this one.  Then I will put the Pix in behind it.   I guess that means I am running the nat on the router correct??


Yes, it is easier to do all your NAT/PAT and tunneling on the router and just use the PIX or ASA as a straight firewall. Its what they are best at.


Is there any particular thing a hacker goes after??

Meaning, they wouldn't go after the tunnel would they??   If a person could not get into the router, could
someone figure out there is a tunnel?

Sounds to me like network access needs to be removed and physical access is the best secure way to work on the router.  leaving ssh or telnet up is a potential risk.. (Not so much with ssh)


They'll go after whatever they can.  Lock everything down unless you use it.  The ASA has a IPv6 firewall that works the same way as IPv4. 

Deny everything unless you need it.  (Except ICMP)


As far as routers go the bad guys are probably looking for a place to relay traffic from. That way they can use your IP as a jumping off point to attack other people while hiding their true source IP. They would also probably be interested in using access to a router to setup packet captures and man in the middle attacks to try and steal passwords and the like that pass though the router. Or they could be jerks and just erase the router's start up config, change the enable password, disable password recovery, and reboot the thing. And of course they would probably try and use the router to gain access to other things on your LAN. Who knows, they are nasty people who like to kick over other people's sand castles for fun and profit.

I think that the IPv6 internet hasn't caught the attention of many black hats because it just isn't big enough for them to bother with yet. This will change very quickly of course. Once IPv6 deployment starts to take off I'm sure we'll see all the same nasty stuff start to show up on our IPv6 tunnels and networks that we see being flung all over the IPv4 internet today.

Telnet... yeah, turn it off. ;)

SSH is only really as secure as your user name and password combination. It can be brute forced by default on IOS and such an attack can spike the router's CPU and result in a denial of service condition. Personally I would use an access list to limit access to port 22 on the router to external IPs that you trust. If your up for it implementing a client VPN for remote management is also an excellent idea. Gotta love the security of IPSec.

Quote from: cholzhauer on February 28, 2011, 01:18:02 PM
Deny everything unless you need it.  (Except ICMP)



The change password/blow config part doesn't scare me, i have it all printed and backed up.  The scary part is being locked out of the equipment. That would suck.

BTW - I've got a little problem. I put the pix online with no functions.  Just for now, i just want to put it in place.  The problem I have is this.

internet net-------router------firewall------router---------internet

From the network, I can not get to the internet.  DNS seems to work but slowly adn I can not get a ping reply.

From the router next to the internet, i can ping the internet normally and DNS works.  From the same router, I can ping back into the network.

Any Ideas as to why?  I've been beating this one all day and as usual, I think it's something simple.

Nat and the tunnel are on the edge router as well.  If It's possible to put the tunnel behind the firewall, I'd like to, but, I hear it won't work.


If It's possible to put the tunnel behind the firewall, I'd like to, but, I hear it won't work.

You can, but it's much easier if you have multiple IP addresses




Hmm. I'll have to think about this one.   I'll think I will put it on the back burner.  I need to get my net back online.

I was in the middle of totally moving the entire net somewhere else when I ran into a distane issue.  175 feet, and i have no signal.  tested, and tested and re-tested and nothing.  Can't get the router to light up.


O.K.  Here is a new one.

I have removed the config from the pix. Base line of nothing.  Entered a domain name,  user name and that's it.  (ip address to outside and inside ports) 

What allows these two to pass data?? 

Found out my other problem earlier.  It was an access list for my Pat.. 
Woops...   ::) ::)     I forgot to put it in..  Stupid me... 
I can't send any data through it, ping or internet traffic.

I guess it's really doing its job.   ??? ???  Blocking all traffic.
Security is set at 100 for both in and out ports.

Any suggestions, give me a shout..


Anyway..  Trying to get the pix to pass data and I actually removed it in order to get the net back online.

Any suggestions.


make the outside port 0 (untrusted) and the inside 100 (trusted)