Re: FWSM 6509 firewall module info

["Veronica Timm" <veronica@xxxxxxxx>]

Loizos, 
The problem I have experienced appear to be a 'design feature' to 
protect the secure hosts rather
than (maybe) a problem per se.  Devices on the outside required tftp 
from the outside  inbound
to a protected server.  We discovered later that there were application 
problems on the protected
server that may have caused the tftp session to hang.   This resulted in 
the FWSM closing down
tftp on the protected interface.  Without knowing more about the FWSM 
internal architecture I would say:
1)  the FWSM took the right action (from a security point of view)
2)  the FWSM should have blocked tftp only to the affected  server host 
rather than the entire interface. 

After much troubleshooting  a 'clear xlate' restored tftp service on the
FWSM interface.  Of course, a) the affected clients on the interface saw 
this as a firewall problem.
                                            b) Off hours, I was unable 
to replicate the (server hung and )  tftp problem

If you encounter this problem, two internal bug numbers to reference 
when talking to TAC are:
   CSCeb51412   CSCec67252

Veronica Timm
York University
Toronto, Canada

LoizosCisco wrote:

> Veronica,
>
> Thank you for the links. I have seen those. Do you
> have any sample real life configs. Have you exprienced
> any problems or do you have any tips? 
>
> You can e-mail me at: ylouis2@xxxxxxx
>
> Thank you
>
> Loizos
> CCIE # 10702
>
>
> --- Veronica Timm <veronica@xxxxxxxx> wrote:
>  
>
> > Loizos, 
> > Good documentation?  I would describe them as fair. 
> > I am aware of only one set of FWSM documents which
> > I'm sure you have seen. 
> > Does anyone know of any additional documentation?
> >
> >
> >    
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_1_1/fwsm112/fwsm112.pdf
>  
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_1_1/fwsm112/bascfg.pdf
>  
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_1_1/fwsm112/advcfg.pdf
>  
>
> > In FWSM 1.1(2) I was informed by TAC to ignore the 
> > *'firewall 
> > multiple-vlan-interfaces' *command.*
> > *This will be used in a future release.
> >
> > Veronica Timm
> > York University
> > Toronto, Canada
> >
> >
> >
> >
> > LoizosCisco wrote:
> >
> >    
> >
> > > Does anyone have any ifno or configs on the FWSM
> > > modules. I can not find any good documentation on
> > > Cisco web site.
> > >
> > > Thank you
> > >
> > > Loizos
> > > CCIE # 10702
> > >
> > >
> > > --- Chris Larson <CLarson@xxxxxxxxx> wrote:
> > >
> > >
> > >      
> > >
> > > > It has been some time since I have worked with
> > > > Netscreen, but I have noticed they continually
> > > >        
> > beat
> >    
> >
> > > > out competition including Cisco in most firewall
> > > > "shootouts". I am concerned about Juniper now
> > > >        
> > owning
> >    
> >
> > > > them as Juniper has no experience in the
> > > > firewall/security market but that is probably
> > > > minor... who knows. 
> > > >
> > > > The netscreen is gui through a browser, lacks (or
> > > > did) any good debugging for troubleshooting but is
> > > > very simple. If you understand the basics of
> > > > firewalling and VPN this is very easy to deploy.
> > > >        
> > At
> >    
> >
> > > > the time Netscreen was about to introduce the 1000
> > > > that was vlan aware. Of course now so is the FWSM
> > > > but. I think the netscreen is an excellent and
> > > >        
> > easy
> >    
> >
> > > > to use product for its pricing that apparently
> > > > outperforms most other firewalls according to
> > > > independant "shootouts".. I would imagine that has
> > > > to do with the design around ASICS rather then a
> > > > processor. Price to performance, you prolly can't
> > > > beat it. Feature wise though it may be lacking....
> > > >        
> > > >
> > > > Chris #12380
> > > >
> > > >
> > > >
> > > >
> > > > 	-----Original Message----- 
> > > > 	From: Wright, Jeremy [mailto:wright@xxxxxxxxxxxx]
> > > >        
> > > >
> > > > 	Sent: Wed 3/24/2004 11:35 AM 
> > > > 	To: 'security@xxxxxxxxxxxxxx' 
> > > > 	Cc: 'ccielab@xxxxxxxxxxxxxx' 
> > > > 	Subject: PIX vs. Netscreen
> > > > 	
> > > > 	
> > > >
> > > > 	Has anyone had experience with both of these
> > > > products? If so, what are the
> > > > advantages/disadvantages of both? Thanks.
> > > > 	
> > > > 	
> > > > 	
> > > > 	
> > > > 	
> > > > 	
> > > > 	
> > > > 	 *****************************************
> > > > 	              Jeremy Wright
> > > > 	              CCIE# 11168
> > > > 	              Network Engineer
> > > > 	              Archer Daniels Midland
> > > > 	              wright@xxxxxxxxxxxx
> > > > 	              (217)451-4063
> > > > 	
> > > > 	*****************************************
> > > > 	
> > > > 	
> > > > 	CONFIDENTIALITY NOTICE:
> > > > 	        This message is intended for the use of
> > > >        
> > the
> >    
> >
> > > > individual or entity to which it is addressed and
> > > > may contain information that is privileged,
> > > > confidential and exempt from disclosure under
> > > > applicable law.  If the reader of this message is
> > > > not the intended recipient or the employee or
> > > >        
> > agent
> >    
> >
> > > > responsible for delivering this message to the
> > > > intended recipient, you are hereby notified that
> > > >        
> > any
> >    
> >
> > > > dissemination, distribution or copying of this
> > > > communication is strictly prohibited.
> > > > 	        If you have received this communication
> > > >        
> > in
> >    
> >
> > > > error, please notify us immediately by email reply
> > > > or by telephone and immediately delete this
> > > >        
> > message
> >    
> >
> > > > and any attachments.  In the U.S. call us toll
> > > >        
> > free
> >    
> >
> > > > at (800) 637-5843.
> > > > 	        Spanish, French, French (Canada),
> > > > Portuguese, Polish, German, Dutch, Turkish,
> > > >        
> > Russian,
> >    
> >
> > > > Japanese and Chinese: 
> > > > http://www.admworld.com/confidentiality.htm.
> > > >
> > > >
> > > >   
> > > >
> > > >        
> > _______________________________________________________________________
> >    
> >
> > >      
> > >
> > > > Please help support GroupStudy by purchasing your
> > > > study materials from:
> > > > http://shop.groupstudy.com
> > > >
> > > > Subscription information may be found at: 
> > > > http://www.groupstudy.com/list/CCIELab.html
> > > >   
> > > >
> > > >        
> > > __________________________________
> > > Do you Yahoo!?
> > > Yahoo! Finance Tax Center - File online. File on
> > >      
> > time.
> >    
> >
> > > http://taxes.yahoo.com/filing.html
> > >
> > >      
> > _______________________________________________________________________
> >    
> >
> > > Please help support GroupStudy by purchasing your
> > >      
> > study materials from:
> >    
> >
> > > http://shop.groupstudy.com
> > >
> > > Subscription information may be found at: 
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> > >      
> > --
> > Veronica Timm
> > Senior Network Specialist
> > Network Operations
> > York University		Voice: (416) 736-2100 x.22682
> > Toronto, Ontario	  Fax: (416) 736-5701
> > Canada.  M3J 1P3	Email: veronica@xxxxxxxx
> >
> >
> >    
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Finance Tax Center - File online. File on time.
> http://taxes.yahoo.com/filing.html
>  

--
Veronica Timm
Senior Network Specialist
Network Operations
York University		Voice: (416) 736-2100 x.22682
Toronto, Ontario	  Fax: (416) 736-5701
Canada.  M3J 1P3	Email: veronica@xxxxxxxx

_______________________________________________________________________
Please help support GroupStudy by purchasing your study materials from:
http://shop.groupstudy.com

Subscription information may be found at: 
http://www.groupstudy.com/list/CCIELab.html