
Dynamic changes firewall

Status
Not open for further replies.

mohta

Technical User
Jan 13, 2003
5
US

Hi there:

I'm posting here after searching through the forums, and after having spoken to a CISCO pre-sales support rep. who told me that none of the CISCO firewall products have a built-in feature to accomplish what I want to do, but that he has seen PERL scripts do the job. I Googled for such scripts but came up empty-handed. I'm hoping someone here can help.

PROBLEM: Our customers/subscribers must access a secure resource (i.e., server) behind the corporate firewall. Each time a customer connects, he will have a different IP address. First he will log in to our corporate web-site, which will authenticate him (via standard http username/password), then grab his IP address. This IP address then needs to be added to the firewall which sits between the corporate web-site and the resource which he is going to access. Only after it has been added will the firewall permit him access. When he terminates his session, the IP address needs to be taken off the firewall.
Adding and deleting the IP address needs to be done dynamically, with no interruption to other subscribers who may be connected concurrently to said resource.

The CISCO pre-sales rep said that the PIX family of firewalls allows such dynamic updating via PERL scripts, and that he wasn't aware of any built-in functions which would facilitate that.

I've looked for such scripts but haven't found any. Does anybody have any suggestions? Scripts? Web-sites? Other forums? Workarounds? Other firewall products which make this procedure easier?

All assistance greatly appreciated.

Regards,

V

Have you overruled the VPN capability of the PIX to achieve your goal?

Andy
 
Yes Andy. We looked into it. VPN is not an option in this scenario.

Thanks.

V

 
Well... you would need a script that first monitors users who have just been authenticated, then grabs their IP addresses. Once it has the IP address it would have to telnet/ssh into the PIX, go to configuration mode, and create an ACL entry allowing the required traffic for this new IP address. Then it would need to keep monitoring the session to determine when the user ends their session; then the script would need to telnet/ssh into the PIX again, go to configuration mode, and remove the ACL entry. You might also need to clear the xlate table, which will drop all connections.

How about using AAA and authenticate the users at the PIX instead of the corporate server? The link below explains authentication through the PIX:
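The add/remove cycle sketched above, as an added example that is not code from this thread or from Cisco: a small Python module that keeps the PIX's per-client ACL entries equal to the set of live authenticated sessions, computing only the delta on each poll, validating every address before it is placed in a CLI line, and updating its local view only after the push succeeds. The ACL name, server address and port are assumed values, and the telnet/ssh transport is left as a callable the caller supplies.

```python
import ipaddress
from typing import Callable, Iterable, List, Set

# Assumed, not from the thread: ACL name and the protected server's address/port.
ACL_NAME = "outside_in"
RESOURCE_IP = "10.0.0.5"
RESOURCE_PORT = 443

def normalize(ips: Iterable[str]) -> Set[str]:
    """Parse every address. ipaddress rejects anything that is not a literal
    IPv4 address, so a value copied from the web tier cannot carry extra CLI
    tokens (e.g. "203.0.113.5 any") into the firewall session."""
    out = set()
    for raw in ips:
        ip = ipaddress.ip_address(raw.strip())
        if ip.version != 4:
            raise ValueError(f"expected an IPv4 client address, got {raw!r}")
        out.add(str(ip))
    return out

def acl_entry(client_ip: str) -> str:
    """One PIX access-list line permitting a single client to reach the resource."""
    (ip,) = normalize([client_ip])
    return (f"access-list {ACL_NAME} permit tcp host {ip} "
            f"host {RESOURCE_IP} eq {RESOURCE_PORT}")

class AclSync:
    """Keeps the firewall's per-client entries equal to the set of live sessions."""
    def __init__(self, send: Callable[[List[str]], None]) -> None:
        self.send = send              # pushes config-mode lines over telnet/ssh
        self.installed: Set[str] = set()

    def plan(self, session_ips: Iterable[str]) -> List[str]:
        """Only the delta: adds for new sessions, 'no' lines for ended ones."""
        live = normalize(session_ips)
        cmds = [acl_entry(ip) for ip in sorted(live - self.installed)]
        cmds += ["no " + acl_entry(ip) for ip in sorted(self.installed - live)]
        return cmds

    def apply(self, session_ips: Iterable[str]) -> List[str]:
        """Push the delta; the local view changes only after a successful push,
        so a failed telnet/ssh session is retried next poll instead of leaving
        a stale or missing entry behind unnoticed."""
        live = normalize(session_ips)
        cmds = self.plan(live)
        if cmds:
            self.send(cmds)
        self.installed = live
        return cmds
```

Run `AclSync(send).apply(current_session_ips)` from the same poll loop that watches the web-site's session table; an empty return means the firewall already matches.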

 
VPN is the logical workaround, and would be the most effective solution. However...

The reason you gave for the functionality doesn't make any sense. Why would any app require that a hole be opened up through the firewall for a particular IP address? If you are serving web requests, just open the web port to everyone, or SSL your web site and require authentication to it.

What you want the PIX to do, it doesn't do. You could probably accomplish something this obscure and difficult easier with a Linux/FreeBSD firewall...but it's still a hack as far as I'm concerned.

If external customers need VPN sort of access, give them a VPN connection. Don't make a custom hacked solution on a device that wasn't intended to support it. Best practice is best practice. From where I'm sitting, what you're trying to do is not best practice, nor is it practical at all.
 
First of all... What access does this remote user need?

Also, have you ever considered citrix web client? A remote desktop but over the browser.
 
Yeah, I agree.

What happens when that PERL script fails and botches up the access-list/access-group, killing all traffic?

BuckWeet
 