Presentation transcript:

1 © 2005 Cisco Systems, Inc. All rights reserved. © 2004, Cisco Systems, Inc. All rights reserved.

2 Network Security 1 Module 9 – Configure Filtering on a PIX Security Appliance

3 Learning Objectives
9.1 Configure ACLs and Content Filters
9.2 Object Grouping
9.3 Configure a Security Appliance Modular Policy
9.4 Configure Advanced Protocol Inspection

4 Module 9 – Configure Filtering on a PIX Security Appliance
9.1 Configure ACLs and Content Filters

5 PIX Security Appliance ACLs

6 access-list command

7 access-group command

8 nat 0 access-list command

9 ACL Line Numbers

10 icmp command

11 NAT 0 ACLs

12 Turbo ACLs
Regular ACL processing: ACL A is organized internally as a linked list (Entry 1, Entry 2, Entry 3, ... Entry N). A linear search finds the matching entry that denies or permits the packet. Search time increases when ACL A contains a large number of entries, which leads to performance degradation.
Turbo ACL processing: ACLs are compiled into sets of lookup data tables. A packet header value is used as an index into the compiled data table, which yields the ACL entry bit maps. This improves search time for large ACLs. Turbo ACLs require a minimum of 2.1 MB of memory.

13 Turbo ACL
pixfirewall(config)# access-list compiled
Enables the Turbo ACL feature on all ACLs.
pixfirewall(config)# access-list acl_ID compiled
Enables the Turbo ACL feature for a specific ACL.
Turbo compiles all ACLs with 19 or more entries.
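As an added illustration (not Cisco's implementation and not part of the original slides), this Python simulation contrasts the linear search of a regular ACL with a Turbo-style compile into per-field lookup tables and entry bit maps; the ACL entries and packets are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One access-list entry: '0.0.0.0/0' means any network, dport None any port."""
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str             # source network, CIDR
    dst: str             # destination network, CIDR
    dport: "int | None"  # destination port

    def matches(self, pkt):
        proto, src, dst, dport = pkt
        return (self.proto in ("ip", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (None, dport))


def linear_lookup(acl, pkt):
    """Regular ACL processing: walk the list until the first matching entry."""
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return index, ace.action
    return None, "deny"   # implicit deny at the end of every ACL


class TurboAcl:
    """Turbo ACL processing: compile the ACL once into per-field lookup tables
    mapping a header field value to a bit map of the entries that accept it."""

    def __init__(self, acl):
        self.acl = list(acl)
        self.tables = {"proto": {}, "src": {}, "dst": {}, "dport": {}}
        for index, ace in enumerate(self.acl):
            bit = 1 << index
            for field, key in (("proto", ace.proto), ("src", ip_network(ace.src)),
                               ("dst", ip_network(ace.dst)), ("dport", ace.dport)):
                self.tables[field][key] = self.tables[field].get(key, 0) | bit

    def lookup(self, pkt):
        proto, src, dst, dport = pkt
        t = self.tables
        # one bit map per header field, ANDed together; the entry list is never walked
        bits = t["proto"].get(proto, 0) | t["proto"].get("ip", 0)
        bits &= self._address_bits(t["src"], src)
        bits &= self._address_bits(t["dst"], dst)
        bits &= t["dport"].get(dport, 0) | t["dport"].get(None, 0)
        if bits == 0:
            return None, "deny"
        index = (bits & -bits).bit_length() - 1   # lowest set bit = first matching entry
        return index, self.acl[index].action

    @staticmethod
    def _address_bits(table, addr):
        # tables are keyed by distinct prefixes, normally far fewer than ACL entries
        a, bits = ip_address(addr), 0
        for net, entry_bits in table.items():
            if a in net:
                bits |= entry_bits
        return bits


# Constructed sample ACL and packets (documentation and private addresses).
SAMPLE_ACL = [
    Ace("deny", "tcp", "10.1.1.0/24", "0.0.0.0/0", 23),
    Ace("permit", "tcp", "10.1.1.0/24", "0.0.0.0/0", 80),
    Ace("permit", "tcp", "10.1.1.0/24", "0.0.0.0/0", 443),
    Ace("permit", "udp", "10.1.0.0/16", "192.0.2.53/32", 53),
    Ace("permit", "icmp", "10.1.0.0/16", "0.0.0.0/0", None),
    Ace("deny", "ip", "10.1.0.0/16", "192.0.2.0/24", None),
    Ace("permit", "ip", "10.1.0.0/16", "0.0.0.0/0", None),
]
SAMPLE_PACKETS = [  # (proto, src, dst, dport)
    ("tcp", "10.1.1.7", "198.51.100.9", 23), ("tcp", "10.1.1.7", "198.51.100.9", 80),
    ("udp", "10.1.2.9", "192.0.2.53", 53), ("tcp", "10.1.2.9", "192.0.2.10", 80),
    ("icmp", "10.1.1.7", "198.51.100.9", None), ("tcp", "172.16.0.1", "10.1.1.1", 80),
]


def both_agree(acl=SAMPLE_ACL, pkts=SAMPLE_PACKETS):
    """True when the compiled lookup returns the same (index, action) as linear search."""
    turbo = TurboAcl(acl)
    return all(linear_lookup(acl, p) == turbo.lookup(p) for p in pkts)
```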

14 Java Applet Filtering
Java applet filtering enables an administrator to prevent the downloading of Java applets by an inside system.
Java programs can provide a vehicle through which an inside system can be invaded.
Java applets are executable programs that are banned within some security policies.

15 ActiveX Blocking
ActiveX controls are applets that can be inserted in web pages or other applications.
ActiveX controls can provide a way for someone to attack servers.
The PIX Security Appliance can be used to block ActiveX controls.

16 filter activex | java Command
pixfirewall(config)# filter activex | java port[-port] local_ip mask foreign_ip mask
filter activex: Filters out ActiveX usage from outbound packets.
filter java: Filters out Java applets that return to the PIX Security Appliance from an outbound connection.

17 Designate the URL-Filtering Server
pixfirewall(config)# url-server [(if_name)] [vendor websense] host local_ip [timeout seconds] [protocol TCP | UDP version [1 | 4]]
Designates a server that runs a Websense URL-filtering application.
pixfirewall(config)# url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol TCP | UDP]
Designates a server that runs an N2H2 URL-filtering application.
Example:
pixfirewall(config)# url-server (dmz) host protocol TCP version 4
The URL-filtering host is on the DMZ interface (its IP address is not preserved in this transcript). The PIX Security Appliance performs a username lookup and then the URL-filtering server handles URL filtering and username logging.

18 Configure the PIX Security Appliance to Work with a URL-Filtering Server
pixfirewall(config)# filter url port[-port] | except local_ip local_mask foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
Tells the PIX Security Appliance how to filter requests. Prevents outbound users from accessing URLs that are designated with the URL-filtering application.
Example:
pixfirewall(config)# filter url http allow

19 Module 9 – Configure Filtering on a PIX Security Appliance
9.2 Object Grouping

20 Grouping Objects of Similar Types
Services (MYSERVICES): SMTP, FTP
Protocols (MYPROTOCOLS): UDP, IPSec
Networks/Hosts (MYCLIENTS): Subnet / hosts

21 Using Object Groups in ACLs
A single entry that references object groups:
pixfirewall(config)# access-list ACLOUT permit object-group MYPROTOCOLS object-group CLIENTS object-group SERVERS
replaces the following twelve individual entries (the addresses are not preserved in this transcript):
pixfirewall(config)# access-list ACLOUT permit tcp host
pixfirewall(config)# access-list ACLOUT permit icmp host
pixfirewall(config)# access-list ACLOUT permit tcp host
pixfirewall(config)# access-list ACLOUT permit icmp host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host
pixfirewall(config)# access-list ACLOUT permit tcp host host
pixfirewall(config)# access-list ACLOUT permit icmp host host

22 Configuring and Using Object Groups
Complete the following tasks to create object groups and use them in your configuration:
Task 1: Use the object-group command to enter the appropriate subcommand mode for the type of group you want to configure.
Task 2: In subcommand mode, define the members of the object group.
Task 3: (Optional.) Use the description sub-command to describe the object group.
Task 4: Use the exit or quit command to return to configuration mode.
Task 5: (Optional.) Use the show object-group command to verify that the object group has been configured successfully.
Task 6: Apply the access-list command to the object group.
Task 7: (Optional.) Use the show access-list command to display the expanded access-list entries.

23 object-group Command
pixfirewall(config)# object-group network grp_id
Assigns a name to a Network group and enables the Network subcommand mode.
pixfirewall(config)# object-group service grp_id tcp | udp | tcp-udp
Assigns a name to a Service group and enables the Service subcommand mode.
pixfirewall(config)# object-group protocol grp_id
Assigns a name to a Protocol group and enables the Protocol subcommand mode.
pixfirewall(config)# object-group icmp-type grp_id
Assigns a name to an ICMP-type group and enables the ICMP-type subcommand mode.
Example:
pixfirewall(config)# object-group network CLIENTS
Assigns the name CLIENTS to a Network group and enables the Network subcommand mode.

24 Configuring Network Object Groups
pixfirewall(config)# object-group network grp_id
Assigns a name to the group and enables the Network sub-command mode.
pixfirewall(config-network)# network-object host host_addr | host_name
Assigns hosts to the Network object group.
pixfirewall(config-network)# network-object net_addr netmask
Assigns networks to the Network object group.
Example (creates a Network object group named CLIENTS which consists of a host and a network):
pixfirewall(config)# object-group network CLIENTS
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object

25 Configuring Service Object Groups
pixfirewall(config)# object-group service grp_id tcp | udp | tcp-udp
Assigns a name to a Service group and enables the Service sub-command mode.
pixfirewall(config-service)# port-object eq service
Assigns a single TCP or UDP port number to the Service object group.
pixfirewall(config-service)# port-object range begin_service end_service
Assigns a range of TCP or UDP port numbers to the Service object group.
Example (creates a Service group named MYSERVICES, which contains HTTP and FTP):
pixfirewall(config)# object-group service MYSERVICES tcp
pixfirewall(config-service)# port-object eq http
pixfirewall(config-service)# port-object eq ftp

26 Configuring Protocol Object Groups
pixfirewall(config)# object-group protocol grp_id
Assigns a name to a Protocol group and enables the Protocol sub-command mode.
pixfirewall(config-protocol)# protocol-object protocol
Assigns a protocol to the Protocol object group.
Example (creates a Protocol group named MYPROTOCOLS, which contains ICMP and TCP):
pixfirewall(config)# object-group protocol MYPROTOCOLS
pixfirewall(config-protocol)# protocol-object icmp
pixfirewall(config-protocol)# protocol-object tcp

27 Configuring ICMP-Type Object Groups
pixfirewall(config)# object-group icmp-type grp_id
Assigns a name to an ICMP-Type group and enables the icmp-type sub-command mode.
pixfirewall(config-icmp-type)# icmp-object icmp-type
Assigns an ICMP message type to the object group.
Example (creates an ICMP-Type group named PING which contains the echo and echo-reply message types):
pixfirewall(config)# object-group icmp-type PING
pixfirewall(config-icmp-type)# icmp-object echo
pixfirewall(config-icmp-type)# icmp-object echo-reply

28 Configuring Nested Object Groups
Complete the following steps to configure nested object groups:
Step 1: Assign a group identity to the object group that you want to nest within another object group.
Step 2: Add the appropriate type of objects to the object group.
Step 3: Assign a group identity to the object group within which you want to nest another object group.
Step 4: Add the first object group to the group that will contain it.
Step 5: Add any other objects that are required to the group.

29 group-object Command
pixfirewall(config-group-type)# group-object object_group_id
Nests an object group within another object group.
Example:
pixfirewall(config)# object-group service SERVICESA tcp
pixfirewall(config-service)# port-object eq smtp
pixfirewall(config-service)# port-object eq ftp
pixfirewall(config-service)# exit
pixfirewall(config)# object-group service SERVICES tcp
pixfirewall(config-service)# group-object SERVICESA

30 access-list Command for Object Grouping
pixfirewall(config)# access-list acl_ID deny | permit object-group protocol_obj_grp_id object-group network_obj_grp_id [object-group service_obj_grp_id] object-group network_obj_grp_id object-group service_obj_grp_id
Creates an access list containing object groups.
Example:
pixfirewall(config)# access-list ACLIN permit tcp object-group REMOTECLIENTS object-group LOCALSERVERS object-group MYSERVICES

31 Nested Object Group Example
pixfirewall(config)# object-group network HOSTGROUP1
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network HOSTGROUP2
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# network-object host
pixfirewall(config-network)# exit
pixfirewall(config)# object-group network ALLHOSTS
pixfirewall(config-network)# group-object HOSTGROUP1
pixfirewall(config-network)# group-object HOSTGROUP2
pixfirewall(config-network)# exit
pixfirewall(config)# access-list ALL permit tcp object-group ALLHOSTS any eq ftp
pixfirewall(config)# access-group ALL in interface inside

32 Multiple Object Groups in ACLs
pixfirewall(config)# show object-group
object-group network REMOTES
  network-object host
  network-object host
object-group network LOCALS1
  network-object host
  network-object host
object-group network LOCALS2
  network-object host
  network-object host
object-group network ALLLOCALS
  group-object LOCALS1
  group-object LOCALS2
object-group service BASIC
  port-object eq ftp
  port-object eq smtp
pixfirewall(config)# access-list INBOUND permit tcp object-group REMOTES object-group ALLLOCALS object-group BASIC
pixfirewall(config)# show static
static (inside,outside) netmask
static (inside,outside) netmask
static (inside,outside) netmask
static (inside,outside) netmask
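The following Python model, added here and not PIX code, reproduces the expansion shown on slides 21 and 32: object groups, including nested group-object references, are flattened into the individual access-list entries the appliance evaluates. The group names follow the slides; the host addresses are constructed stand-ins for those missing from the transcript.

```python
from itertools import product


class ObjectGroups:
    """Minimal model of PIX object groups: members plus nested group-object references."""

    def __init__(self):
        self.groups = {}   # name -> {"type", "members", "nested"}

    def add(self, name, gtype, members=(), nested=()):
        # gtype is network, service, protocol or icmp-type, as on the slides
        self.groups[name] = {"type": gtype, "members": list(members), "nested": list(nested)}
        return self

    def expand(self, name, path=()):
        """Flatten a group, following group-object references; path guards against cycles."""
        if name in path:
            raise ValueError(f"object-group {name} nests itself via {' > '.join(path)}")
        group = self.groups[name]
        members = list(group["members"])
        for sub in group["nested"]:
            if self.groups[sub]["type"] != group["type"]:
                raise ValueError(f"cannot nest {sub} in {name}: object group types differ")
            members.extend(self.expand(sub, path + (name,)))
        return members


def expand_ace(og, acl_id, action, proto, src, dst, svc=None):
    """Expand one access-list entry into the flat entries show access-list would display.
    Each field is a literal ('tcp', 'any', 'host 10.0.0.1', 'eq ftp') or ('object-group', NAME)."""
    def values(field):
        if isinstance(field, tuple) and field[0] == "object-group":
            return og.expand(field[1])
        return [field]
    lines = []
    services = values(svc) if svc is not None else [None]
    for p, s, d, v in product(values(proto), values(src), values(dst), services):
        line = f"access-list {acl_id} {action} {p} {s} {d}"
        lines.append(line if v is None else f"{line} {v}")
    return lines


def slide32_groups():
    """The object groups of slide 32, with constructed addresses (assumption) filling the gaps."""
    return (ObjectGroups()
            .add("REMOTES", "network", ["host 203.0.113.10", "host 203.0.113.11"])
            .add("LOCALS1", "network", ["host 192.168.1.1", "host 192.168.1.2"])
            .add("LOCALS2", "network", ["host 192.168.2.1", "host 192.168.2.2"])
            .add("ALLLOCALS", "network", nested=["LOCALS1", "LOCALS2"])
            .add("BASIC", "service", ["eq ftp", "eq smtp"]))


def slide32_aces():
    """access-list INBOUND permit tcp object-group REMOTES object-group ALLLOCALS object-group BASIC"""
    og = slide32_groups()
    return expand_ace(og, "INBOUND", "permit", "tcp", ("object-group", "REMOTES"),
                      ("object-group", "ALLLOCALS"), ("object-group", "BASIC"))


if __name__ == "__main__":
    for ace in slide32_aces():
        print(ace)
```

Two remote hosts, four local hosts and two ports expand to sixteen entries, which is the list show access-list displays for the single object-group line.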

33 Removing Configured Object Groups
pixfirewall(config)# no object-group service grp_id tcp | udp | tcp-udp
Removes a specific service object group.
pixfirewall(config)# no object-group protocol | network | icmp-type grp_id
Removes a specific protocol, network or icmp-type object group.
pixfirewall(config)# clear object-group [protocol | service | icmp-type | network]
Removes all object groups or all object groups of a specific type.
Example (removes object group ALLHOSTS and all Protocol object groups):
pixfirewall(config)# no object-group network ALLHOSTS
pixfirewall(config)# clear object-group protocol

34 Module 9 – Configure Filtering on a PIX Security Appliance
9.3 Configure a Security Appliance Modular Policy

35 Modular Policy Overview

36 Modular Policy

37 Assign a Class Map Name

38 Class Map – Define a Class of Traffic

39 Policy Map Overview

40 Assign a Policy Map Name

41 Assign a Policy Map Name

42 Service Policy

43 Module 9 – Configure Filtering on a PIX Security Appliance
9.4 Configure Advanced Protocol Inspection

44 Need for Advanced Protocol Handling
Some popular protocols or applications behave as follows:
Negotiate connections to dynamically assigned source or destination ports or IP addresses.
Embed source or destination port or IP address information above the network layer.
A good firewall has to inspect packets above the network layer and do the following as required by the protocol or application:
Securely open and close negotiated ports or IP addresses for legitimate client-server connections through the firewall.
Use NAT-relevant instances of IP addresses inside a packet.
Use PAT-relevant instances of ports inside a packet.
Inspect packets for signs of malicious application misuse.

45 inspect Command

46 FTP Inspection
FTP uses two channels:
Command connection (TCP)
Data connection (TCP)
FTP inspection:
Address translation in the message.
Dynamically create openings for FTP data connections.
Stateful tracking of request and response messages.
Optionally, FTP strict prevents web browsers from sending embedded commands in FTP requests.
FTP Deep Packet Inspection:
Added to the strict inspection functionality.
Command filtering: disallow specific commands.

47 FTP Deep Packet Inspection – Command Filtering
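As an added example (not the appliance's inspection engine), this Python sketch shows what FTP inspection does on the command channel as described on slides 46 and 47: it parses PORT and PASV address information, rewrites the embedded inside address under a static NAT mapping, records the pinhole for the negotiated data connection, enforces the strict one-command-per-packet rule, and drops commands on a configured deny list. The NAT mapping, addresses and blocked command are constructed assumptions.

```python
import re

# RFC 959 host-port fields: h1,h2,h3,h4,p1,p2 in a PORT command or a 227 reply
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r\n$")
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\).*\r\n$")


def decode_hostport(field):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = [int(x) for x in field.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError(f"malformed host-port field: {field}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def encode_hostport(addr, port):
    """Inverse of decode_hostport, used when the inspector rewrites a PORT command."""
    return ",".join(addr.split(".") + [str(port // 256), str(port % 256)])


class FtpInspector:
    """Tracks one FTP command channel between an inside client and an outside server."""

    def __init__(self, nat, blocked_commands=(), strict=True):
        self.nat = dict(nat)            # inside address -> translated outside address
        self.blocked = {c.upper() for c in blocked_commands}
        self.strict = strict
        self.pinholes = []              # (proto, src, dst, dport) openings for data connections

    def client_command(self, line):
        """Inspect one packet from the inside client. Returns (verdict, line to forward)."""
        if self.strict and (not line.endswith("\r\n") or "\r\n" in line[:-2]):
            # strict: exactly one CRLF-terminated command per packet, which is what
            # stops a browser from smuggling extra commands inside an FTP request
            return "deny", None
        verb = line.split(" ", 1)[0].rstrip("\r\n").upper()
        if verb in self.blocked:
            return "deny", None         # command filtering (deep packet inspection)
        m = PORT_RE.match(line)
        if m:
            inside_addr, port = decode_hostport(m.group(1))
            outside_addr = self.nat.get(inside_addr, inside_addr)
            # the server connects back to the address carried in the message, so the
            # embedded inside address is translated and an inbound opening is created
            self.pinholes.append(("tcp", "any", outside_addr, port))
            line = f"PORT {encode_hostport(outside_addr, port)}\r\n"
        return "permit", line

    def server_reply(self, line):
        """Inspect one reply from the outside server; a 227 reply announces the
        server-side data endpoint the inside client will connect to."""
        m = PASV_RE.match(line)
        if m:
            addr, port = decode_hostport(m.group(1))
            self.pinholes.append(("tcp", "inside", addr, port))
        return "permit", line


if __name__ == "__main__":
    insp = FtpInspector(nat={"192.168.1.10": "203.0.113.5"}, blocked_commands=["DELE"])
    print(insp.client_command("PORT 192,168,1,10,4,1\r\n"))
    print(insp.server_reply("227 Entering Passive Mode (198,51,100,20,195,80).\r\n"))
    print(insp.pinholes)
```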

48 HTTP Inspection

49 ICMP Inspection

50 SNMP Inspection

51 Why Multimedia Is an Issue
Multimedia applications behave in unique ways:
Use dynamic ports.
Transmit a request using TCP and get responses in UDP or TCP.
Use the same port for source and destination.
The PIX Security Appliance:
Dynamically opens and closes conduits for secure multimedia connections.
Supports multimedia with or without NAT.

52 Real-Time Streaming Protocol
Real-time audio and video delivery protocol; uses one TCP and two UDP channels.
Transport options: Real-Time Transport Protocol (RTP); Real Data Transport Protocol (RDT).
Sync or resend channel: Real-Time Control Protocol (RTCP); UDP resend.
RTSP-TCP-only mode does not require special handling by the PIX Security Appliance.
Supported applications: Cisco IP/TV; Apple QuickTime 4; RealNetworks RealAudio, RealPlayer and RealServer.
RDT Multicast is not supported.

53 Standard RTP Mode
In standard RTP mode, RTSP uses the following three channels:
Control connection (TCP).
RTP data (simplex UDP).
RTCP reports (duplex UDP).
For outbound connections, the PIX Security Appliance opens inbound ports for RTP data and RTCP reports.
For inbound connections, the PIX Security Appliance handles standard RTP mode as follows:
If outbound traffic is allowed, no special handling is required.
If outbound traffic is not allowed, it opens outbound ports for RTP and RTCP.

54 RealNetworks’ RDT Mode
In RealNetworks’ RDT mode, RTSP uses the following three channels:
Control connection (TCP).
UDP data (simplex UDP).
UDP resend (simplex UDP).
For outbound connections, the PIX Security Appliance handles RealNetworks’ RDT mode as follows:
If outbound traffic is allowed, it opens an inbound port for UDP data.
If outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend.
For inbound connections, the PIX Security Appliance handles RealNetworks’ RDT mode as follows:
If outbound traffic is allowed, it opens an inbound port for UDP resend.
If outbound traffic is not allowed, it opens an outbound port for UDP data and an inbound port for UDP resend.

55 H.323
Real-time multimedia communications delivery specification; uses two TCP and several UDP sessions for a single “call”.
H.323 protocols and standards:
H.225 Registration, Admission, and Status (RAS).
H.225 Call Signaling.
H.245 Control Signaling.
TPKT Header.
Q.931 Messages.
Abstract Syntax Notation (ASN.1) (PIX Security Appliance 5.2).
Supported H.323 versions:
H.323 v1.
H.323 v2 (software versions 5.2 and higher).
Supported applications:
Cisco Multimedia Conference Manager.
Microsoft NetMeeting.
Intel Video Phone.
CUseeMe Networks: MeetingPoint, CUseeMe Pro.
VocalTec: Internet Phone, Gatekeeper.

56 Cisco IP Phones and the PIX Security Appliance’s DHCP Server
Cisco IP phones:
Download their configurations from a TFTP server.
Request an IP address and the IP address of a TFTP server from a DHCP server.
The PIX Security Appliance:
Supports DHCP option 150 for providing the IP addresses of a list of TFTP servers.
Supports DHCP option 66 for providing the IP address of a single TFTP server.

57 DNS Inspection

58 DNS Record Translation
