Keywords: PIX PDM
Configuration
PIX 5xx
PIX OS 6.3
Tested with IE 6.0 SP1 and Firefox 1.03
Issue
Sometimes it is desirable to make a quick and easy change to a PIX config without having to deal with the bloat of PDM or the overhead of remote control to a PC with a TTY session to the console port.
This is also a good tool for Help Desk situations, where the Help Desk can be given a web page with links to a home user’s PIX in order to check status or make minor modifications.
Although I have not done this, this technique could also be used to write an app that polls statistics or periodically updates remote PIX configurations by using a tool such as cURL or other scriptable browser widgets.
HowTo
PIX OS 6 can accept URLs in the following form:
https://pixipaddress/exec/some command
The browser will prompt for a login, and will then run the command as if you were connected via console, telnet, or SSH. The command output (if any) will be displayed in the browser.
The browser will “escape” the spaces (turn spaces into %20), but if you are using an odd user agent or a script component, you may need to substitute the spaces manually.
Assumptions:
A. management subnet: 192.168.99 / 24
B. PIX management interface: 192.168.102.1
1. Add the following lines to the PIX config (assumes your management subnet is 192.168.99 / 24):
pdm location 192.168.99.0 255.255.255.0 inside
http 192.168.99.0 255.255.255.0 inside
http server enable
2. In a browser, go to the following URL:
https://192.168.102.1/exec/sh arp
All posts for the month May, 2005
Keywords: PIX PDM JRE
Configuration
PIX 5xx
Tested on 515, 515E, 501
PDM 3.0
PIX OS 6.3
Issue
PIX PDM runs on Java
PDM fails to initialize when running on JRE 1.5 (also called J2SE Runtime Environment 5.0).
Error message: “Applet failed to initialize”
Cause
(Unknown / Don’t care)
Resolution
Downgrade to J2SE JRE 1.4.2 or earlier.
Keywords: PIX Virus Slowdown
Configuration
PIX 5xx configured as NAT firewall between private network and internet
Tested on PIX 515, 515E, 506, 506E, and 501
PIX OS 6.3
Issue
When a PC inside the network (higher security level) becomes infected with a network-aware virus, it can cause the PIX firewall to create bogus NAT translations, which cause the PIX to slow down and eventually crash.
Cause
Many network viruses and DDoS zombies send out packets with random source addresses. Since the infected PC is INSIDE the network, the PIX creates a translation for the source address, and tries to forward the packet on the outside interface (or DMZ interface, etc…).
As the bogus translations build up, they consume memory and CPU to the point where the PIX will slow down, appear to lock up (just pull the network cable and wait for the timeout!), or crash.
As few as 1-2 infected PCs on the inside can cause this condition.
Resolution
The default NAT entry on a PIX is 0/0, which translates any inside source address:
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Changing this to the specific inside subnet makes the PIX drop packets whose source address is outside that subnet, so every inside packet gets a source-address “sanity check” before a translation is built.
Example: assuming you have a branch office whose subnet is 192.168.102.0 / 24, the NAT command would be:
nat (inside) 1 192.168.102.0 255.255.255.0 0 0
The best way to implement this is to add the new NAT entry first (which may cause a warning message stating that it is ineffective) and then remove the “world” NAT entry with a no command:
no nat (inside) 1 0.0.0.0 0.0.0.0 0 0
In PDM, this can be done by modifying the translation rules (you must add a new one, and then remove the default).
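The two PIX posts above fit together: the /exec/ URL form from the first post gives a scriptable way to read status (the cURL idea mentioned there), and the bogus-translation build-up from the virus post shows up in the output of “show xlate count”. The following POSIX shell script is an added example, not code from the original posts, that polls a PIX this way and alerts when the translation count passes a threshold. It assumes the management address 192.168.102.1 and the http/pdm lines from the first post, a hypothetical PIX_USER account, a constructed sample of the “show xlate count” output (“12 in use, 37 most used”), and an exported PIX certificate passed in through PIX_CURL_OPTS (curl otherwise refuses the PIX’s self-signed certificate). Because the URL runs enable-level commands behind a browser login, the http statement should stay limited to the management subnet, and the script only issues show commands.

```shell
#!/bin/sh
# Added example (not from the original posts): poll a PIX 6.3 over the
# https://<pix>/exec/<command> URL form and alert when the NAT translation
# table grows past a threshold, which is the symptom the virus-slowdown post
# describes.
# Assumptions: the PIX allows http from this host ("http ... inside" plus
# "http server enable"), PIX_USER/password are valid for enable-level
# commands, and "show xlate count" prints a line "<n> in use, <m> most used".

PIX_HOST="${PIX_HOST:-192.168.102.1}"   # management address from the first post
PIX_USER="${PIX_USER:-pix}"             # hypothetical account name
XLATE_LIMIT="${XLATE_LIMIT:-5000}"      # alert threshold; tune per platform
# Extra curl options, e.g. "--cacert pix.pem" after exporting the PIX's
# self-signed certificate; for a cron job add "--netrc" instead of prompting.
PIX_CURL_OPTS="${PIX_CURL_OPTS:-}"

# Constructed sample of the "show xlate count" output, used for offline checks.
SAMPLE_XLATE_OUTPUT='12 in use, 37 most used'

# Percent-encode the spaces in a command so a non-browser client builds the
# same URL a browser would ("sh arp" -> "sh%20arp").
pix_exec_url() {
    host="$1"; cmd="$2"
    printf 'https://%s/exec/%s\n' "$host" "$(printf '%s' "$cmd" | sed 's/ /%20/g')"
}

# Run one command on the PIX and print its output. "-u user" without a
# password makes curl prompt, so the secret stays out of shell history.
pix_exec() {
    # shellcheck disable=SC2086
    curl -s -u "$PIX_USER" $PIX_CURL_OPTS "$(pix_exec_url "$PIX_HOST" "$1")"
}

# Extract the "in use" number from "show xlate count" output read on stdin.
# Prints nothing if the expected line is missing, so "0" and "unparsable"
# stay distinguishable.
xlate_in_use() {
    sed -n 's/^\([0-9][0-9]*\) in use, [0-9][0-9]* most used.*/\1/p' | head -n 1
}

# Compare a count against the limit: 0 = ok, 1 = over limit, 2 = unparsable.
check_xlate() {
    count="$1"; limit="$2"
    [ -n "$count" ] || return 2
    [ "$count" -le "$limit" ] && return 0
    return 1
}

# Parse the constructed sample; lets the parser be exercised without a PIX.
sample_xlate_in_use() {
    printf '%s\n' "$SAMPLE_XLATE_OUTPUT" | xlate_in_use
}

main() {
    count="$(pix_exec 'show xlate count' | xlate_in_use)"
    status=0
    check_xlate "$count" "$XLATE_LIMIT" || status=$?
    case $status in
        0) echo "xlate in use: $count (limit $XLATE_LIMIT)" ;;
        1) echo "ALERT: $count translations in use, above $XLATE_LIMIT; inspect 'show xlate' for inside hosts with spoofed sources" >&2 ;;
        *) echo "could not parse 'show xlate count' output" >&2 ;;
    esac
    return "$status"
}

# Poll only when run directly (PIX_POLL_RUN=1), not when sourced for testing.
if [ "${PIX_POLL_RUN:-0}" = "1" ]; then
    main
fi
```

Run it as `PIX_POLL_RUN=1 PIX_CURL_OPTS="--cacert pix.pem" ./pixpoll.sh` and feed the exit status to whatever scheduler or monitor you use; a sustained rise in the “in use” figure with little legitimate traffic is the early sign of the build-up described above, well before the PIX starts to lock up.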
Keywords: Install Win9x Win98 WinME Millenium
Issue
If you re-install Windows 98 over Windows ME or Windows 98 SE, you receive an error similar to the following:
“Operating system installed is newer, can’t upgrade”
Cause
I had forgotten about this. When you install Win98, SE, or ME, it scans the root folder and 1st-level subfolders for win.com.
Resolution
- Rename (never delete anything) win.com to win.bak or win.old
- Re-run setup
SETUP /im /is /id
/im=Skip memory test
/is=Skip scandisk
/id=Skip disk space check