Thanks for all the input. Problem solved. Both speed and duplex on the
PIX were configured for auto. The device the PIX was connecting to did
not support auto and was set to full/100. If the duplex on the PIX was
forced to full before the speed was forced to 100, the interface would
shut down. But, forcing the PIX interface speed to 100 first and then
forcing the duplex to full works just fine. So, it appears that you
can't leave speed in auto when forcing full duplex on the PIX.



-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
firewall-wizards-request@listserv.icsalabs.com
Sent: Monday, April 23, 2007 11:00
To: firewall-wizards@listserv.icsalabs.com
Subject: firewall-wizards Digest, Vol 12, Issue 12

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailma...rewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: PIX 515E 7.2 Duplex problem (Florin Andrei)
2. Re: PIX 515E 7.2 Duplex problem (Chris Buechler)
3. Tomahawk patch for L3 devices (Kowsik)
4. Re: PIX 515E 7.2 Duplex problem (robbie.jacka@regions.com)
5. Re: H323 NAT problems with A Cyberguard. (sai)


----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Apr 2007 17:16:44 -0700
From: Florin Andrei
Subject: Re: [fw-wiz] PIX 515E 7.2 Duplex problem
To: Firewall Wizards Security Mailing List

Message-ID: <4628066C.8060209@andrei.myip.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Drumheller, Michael wrote:
> The interface on the PIX shuts down when duplex is changed from auto
> to full. The switch it connects to is configured for full duplex but the
> PIX still shows half duplex when in auto negotiate mode. Changing to
> half duplex on both the switch and PIX works but the PIX interface
> goes down when it's changed to full duplex. Has anyone else experienced
> this problem?


Sound like a bad interface to me.

I always configure the PIX and the switch to full duplex. Auto creates
problems usually. Just enforce full duplex whenever possible.

--
Florin Andrei

http://florin.myip.org/


------------------------------

Message: 2
Date: Fri, 20 Apr 2007 11:04:51 -0400
From: Chris Buechler
Subject: Re: [fw-wiz] PIX 515E 7.2 Duplex problem
To: Firewall Wizards Security Mailing List

Message-ID: <4628D693.8020103@chrisbuechler.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Drumheller, Michael wrote:
>
> The interface on the PIX shuts down when duplex is changed from auto
> to full. The switch it connects to is configured for full duplex but
> the PIX still shows half duplex when in auto negotiate mode.
>


Of course - when you force one end to full and leave the other on auto,
the auto side ends up half duplex and you end up with a duplex mismatch.

That's what is expected to happen when you misconfigure things like
this. You can't set one side to full and the other on auto.
suggested reading:
http://www.sun.com/blueprints/0704/817-7526.pdf
http://en.wikipedia.org/wiki/Autonegotiation

What if you just set the port and the PIX to auto? I hate seeing
networks where people force duplex, 90% of them I see end up with duplex
mismatches all over because too many people don't understand how
autonegotiation works. Every vendor including Cisco recommends using
auto whenever both ends support it.

It *shouldn't* be an issue to set both ends, and all 515E's should have
only 10/100 ports. But it's not recommended, personally I wouldn't care
why it doesn't work.

You may want to check for a firmware update for your switch regardless.
Since your PIX seems to be on the latest version it should be fine.
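Added example (mine, not part of the digest): a small Python model of the duplex outcomes this thread describes, applied to the three states the original poster went through (PIX on auto against a non-negotiating 100/full switch, duplex forced with speed still auto, then speed and duplex both forced). Port names and the 10/100 ceiling are assumptions; the rule that an auto port facing a forced port lands on half duplex is the 802.3 parallel-detection behaviour Chris refers to, and the "forced duplex with auto speed shuts the interface" case is taken from the top post, not from the standard.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class PortConfig:
    name: str
    speed: Optional[int]  # administrative speed in Mbps, None means auto
    duplex: str           # administrative duplex: "auto", "full" or "half"

@dataclass(frozen=True)
class LinkResult:
    speed: Optional[int]    # operational speed, None if the link does not come up
    duplex: Dict[str, str]  # operational duplex per port name
    ok: bool
    reason: str

def _operational_duplex(side: PortConfig, peer: PortConfig) -> str:
    # A side with duplex forced runs exactly what it was told.
    if side.duplex != "auto":
        return side.duplex
    # Two auto sides exchange FLP bursts and agree on full duplex.
    if peer.duplex == "auto":
        return "full"
    # Auto facing forced: no FLPs arrive, parallel detection recovers only
    # the speed from the link pulses, and 802.3 says the result is half duplex.
    return "half"

def resolve_link(a: PortConfig, b: PortConfig, max_speed: int = 100) -> LinkResult:
    """Operational state of the a<->b link plus a verdict on whether it is sane.
    max_speed is the fastest rate two auto ports can agree on (10/100 assumed)."""
    for side in (a, b):
        # State reported in this thread: the PIX interface shut down when duplex
        # was forced to full while speed was still auto.
        if side.duplex != "auto" and side.speed is None:
            return LinkResult(None, {}, False,
                              f"{side.name}: duplex forced while speed is auto")
    forced = {s.speed for s in (a, b) if s.speed is not None}
    if len(forced) > 1:
        return LinkResult(None, {}, False, f"speed mismatch: {sorted(forced)}")
    speed = forced.pop() if forced else max_speed
    duplex = {a.name: _operational_duplex(a, b), b.name: _operational_duplex(b, a)}
    if duplex[a.name] != duplex[b.name]:
        return LinkResult(speed, duplex, False,
                          f"duplex mismatch: {a.name}={duplex[a.name]}, "
                          f"{b.name}={duplex[b.name]}")
    return LinkResult(speed, duplex, True, "consistent")
```

Feed it the two ends of a link and it tells you what each side will actually run at and why, which is the check to do before anyone touches the speed/duplex lines on a production firewall.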



------------------------------

Message: 3
Date: Fri, 20 Apr 2007 23:24:43 -0700
From: Kowsik
Subject: [fw-wiz] Tomahawk patch for L3 devices
To: firewall-wizards@honor.icsalabs.com, focus-ids@securityfocus.com
Message-ID: <7db9abd30704202324p5e40b700qd14e58d2f35d67c8@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

We just posted a patch for tomahawk (http://tomahawk.sourceforge.net/)
to allow playbacks of pcap's through L3 devices (IP rewriting on
different subnets).

You might find it useful when you are load testing (or amplifying
attacks for) firewalls/IPS/UTM's that operate in L3 mode.

http://labs.musecurity.com/

K.

ps: Posting from my organize-my-mailing-lists-into-labels account
---
Kowsik Guruswamy
Founder/CTO, Mu Security
http://labs.musecurity.com/rss2
http://www.musecurity.com/news/rss.html


------------------------------

Message: 4
Date: Thu, 19 Apr 2007 17:03:37 -0500
From: robbie.jacka@regions.com
Subject: Re: [fw-wiz] PIX 515E 7.2 Duplex problem
To: mdrumhel@harris.com
Cc: firewall-wizards-bounces@listserv.icsalabs.com, Firewall Wizards
Security Mailing List

Message-ID:

MSOUTH.COM>

Content-Type: text/plain; charset=us-ascii

Running PIX 7? I've run into this issue when using PIX7 on a 525 using a
straight through cable to a CSS11503. 100FD hardcoded on both ends
results in the firewall 'negotiating' to half-duplex, but putting both
sides in auto results in 100FD with no issues.
--
robbie





vbwilliams@neb.rr.com
Sent by: firewall-wizards-bounces@listserv.icsalabs.com
04/19/2007 03:27 PM
Please respond to vbwilliams@neb.rr.com; Please respond to Firewall
Wizards Security Mailing List

To: Firewall Wizards Security Mailing List
cc: firewall-wizards@listserv.cybertrust.com
Subject: Re: [fw-wiz] PIX 515E 7.2 Duplex problem

Only time I've experienced it was when we had a bad NIC. Did you try
doing the same thing on another interface?

----- Original Message -----
From: "Drumheller, Michael"
Date: Thursday, April 19, 2007 1:05 pm
Subject: [fw-wiz] PIX 515E 7.2 Duplex problem
To: firewall-wizards@listserv.cybertrust.com

> The interface on the PIX shuts down when duplex is changed from
> auto to full. The switch it connects to is configured for full duplex
> but the PIX still shows half duplex when in auto negotiate mode.
> Changing to half duplex on both the switch and PIX works but the PIX
> interface goes down when it's changed to full duplex. Has anyone else
> experienced this problem?

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards





------------------------------

Message: 5
Date: Sat, 21 Apr 2007 10:39:55 +0500
From: sai
Subject: Re: [fw-wiz] H323 NAT problems with A Cyberguard.
To: "Firewall Wizards Security Mailing List"

Message-ID: <41d04d600704202239p1155356cwdee8da6f0cf9875c@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

From what I remember about SIP, you need the firewall to preserve the
source and destination ports. NAT usually changes the source port for
outgoing traffic.



On 4/17/07, David Garrard wrote:
> HI;
>
> I am currently installing a Cyberguard 410 D to sit between a VOIP
> server network and a private network. Getting NAT to work is extremely
> challenging, has anyone reading this list done this before?
>
> All the best;
>
> David



------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards


End of firewall-wizards Digest, Vol 12, Issue 12
************************************************