Saturday, 24 January 2015

Fun with the pix

I had a flash of inspiration - I need a manual! The pix manual, which I have as a PDF, is 1014 pages long, so I'm not going to print it out. And although I dare say it's a comprehensive reference, it isn't very easy to read and learn from. So I bought two books.

Cisco Networking for Dummies. Only a small part of this book is about firewalls, and it assumes that you have an ASA 5505. Which I don't.

Cisco Pix Firewalls. This is *much* better. For example, I'm finally convinced that "incoming" means from the point of view of the pix. So stuff that's travelling from my "inside" interface to the outside world via the "outside" interface, is "incoming" from the point of view of the "inside" interface, and "outgoing" from the point of view of the outside interface. Whereas access to my server from the world, is incoming from the point of view of the "outside" interface, but outgoing from the point of view of the "inside" interface.

So, I'm making some slight progress. But it's two steps forward, one step back.

For example, with Fedora Core 9 (which I run a lot of), if you want to mount a shared directory from the server "donor" to the server "recipient", the syntax is:

mount -tcifs -o user=niceguy,password=letmein //donor/usefulstuff /home/niceguy/stuff

But you don't want the world to know that your password is "letmein". So you make a file called "credentials", which looks like this:

username=niceguy
password=letmein

And you make that file read-only, and only readable by niceguy. So now it's secure against prying eyes. This works well on many of my servers, but not on Fedora 9, and it took me a very long time to find this out. First, I was assuming that it was something to do with the firewall. Then I found that using the "mount -tcifs -o user=niceguy,password=letmein //donor/usefulstuff /home/niceguy/stuff" worked. So I went a-googling. And eventually I found something that inspired me to think that the answer was to leave the final byte (which is a newline) off the credentials file. But how to do that? A text editor wouldn't, I tried two hex editors but couldn't work out how to reduce the file size by one byte, and eventually I used this:

echo "username=niceguy" > credentials
echo -n "password=letmein" >> credentials

The -n says to echo "don't put a newline at the end".

And it worked!
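
The credentials-file fix described above, as an added example that is not part of the original post: it writes the file with owner-only permissions and no trailing newline, and can strip the newline from a file that already has one. It assumes a POSIX shell with mktemp; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: niceguy/letmein are the post's sample values; paths are constructed.

# Succeeds (returns 0) when the last byte of the file is a newline.
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Succeeds when the file is a regular file with mode 0600 (owner read/write only).
owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Write the two key=value lines with no newline after the password.
# printf is used instead of "echo -n" because echo's -n is not portable.
write_credentials() {
    file=$1; user=$2; pass=$3
    (
        umask 077    # a newly created file is never group/world readable
        printf 'username=%s\npassword=%s' "$user" "$pass" > "$file"
    ) && chmod 600 "$file"    # also tighten a file that already existed
}

# Remove trailing newline(s) from an existing file without an editor.
# Command substitution drops trailing newlines; mktemp creates the copy as 0600.
strip_trailing_newline() {
    file=$1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    printf '%s' "$(cat "$file")" > "$tmp" && mv "$tmp" "$file"
}

# Demo in a scratch directory.
demo_dir=$(mktemp -d)
write_credentials "$demo_dir/credentials" niceguy letmein
if ends_with_newline "$demo_dir/credentials"; then
    echo "trailing newline present"
else
    echo "no trailing newline"
fi
owner_only "$demo_dir/credentials" && echo "mode is 0600"
rm -rf "$demo_dir"
```

The resulting file is passed to mount.cifs with its credentials= option, which keeps the password off the command line and out of the process list.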

But now I've encountered a nasty Pix problem. I'm going to need to be able to mount shared directories across the firewall. So I was doing just that, and mounting and unmounting happily, when suddenly it stopped working, and I hadn't changed the pix configuration. I was getting:

 %PIX-3-201011: Connection limit exceeded 10/10 for outbound packet from up-works/0 to vampire/38589 on interface  inside

vampire is a server in the "dmz", up-works is a server in the "inside".

So what's going on?

There's a limit on the number of connections that can be made from one server to another. I've set that at 1000 for these servers, so why is it thinking there's a limit of 10? So I googled the error message, and that led me to Cisco bug CSCsg52106. To read about it, you have to register. So I registered, although when I gave it the serial number of my pix, it said "Never heard of it", which I think might be because it's obsolete. But at least it let me read about the bug. They say that there's no permanent fix, and since it's obsolete (the expression they use is "end of life"), I don't think there ever will be a fix. They said that a temporary fix is to remove and add the static, but when I tried that, it didn't work. I had to reboot the pix with "reload in 1".

This is very unsatisfactory. If it happens again, I'm going to get worried about whether I can actually use this box.

One small plus - this happened on the pix 525, which isn't going to be the production pix, just the test pix. I'm hoping that the 515e doesn't give this problem.
