daveteh asked:
How to configure PIX Firewall to block all ports

Greetings Experts,

The network diagram is as follows:

Internet <---> Cisco Router 800 Series <---> Cisco PIX 501 <----> Network Switch (connect to the rest of the PCs)

I would appreciate it if experts out there could help me with the configuration of the PIX Firewall. If possible, a step-by-step configuration for a rookie like me.

Internal network address (through DHCP):
192.168.1.1 -> IP address reserve for firewall
255.255.255.0 -> Subnet mask

Requirements:

Firewall: Blocks all incoming/outgoing ports (yes, even from inside to outside) but permit 80(http), 25(smtp) and 110(pop3) only.

Thank you.
geoffryn:

This config should get you started.  By default everything is blocked inbound.

nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname mypix
domain-name mypix.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
object-group service default-services tcp
  port-object eq domain
  port-object eq www
  port-object eq pop3
  port-object eq smtp
  port-object eq https
object-group service default-udp tcp-udp
  description default UDP services
  port-object eq domain

access-list inside_access_in remark inside hosts may resolve DNS (UDP 53)
access-list inside_access_in permit udp 192.168.2.0 255.255.255.0 gt 1023 any object-group default-udp
access-list inside_access_in remark inside hosts may reach the TCP services listed in default-services
access-list inside_access_in permit tcp 192.168.2.0 255.255.255.0 gt 1023 any object-group default-services
access-list inside_access_in deny tcp any any
access-list inside_access_in deny udp any any

pager lines 24
logging on
logging timestamp
logging standby
logging queue 5000
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.yyy 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit name Ingress-inf info action alarm
ip audit name Ingress attack action alarm
ip audit interface outside Ingress-inf
ip audit interface outside Ingress
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
no snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 0
sysopt connection permit-ipsec
sysopt noproxyarp inside
telnet timeout 5
dhcpd address 192.168.2.101-192.168.2.131 inside
dhcpd dns 4.2.2.1 4.2.2.2
dhcpd lease 36000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

daveteh (ASKER):

Thanks Geoffryn,

Sorry, I am not so familiar with the commands, though I have the command reference guide by my side. Can you point out to me which line is involved in determining the ports to be blocked from inside to outside? And I see you have added some commands to "lock down" the firewall; can you also point those out to me?

Thanks a lot!
ASKER CERTIFIED SOLUTION
geoffryn:
daveteh (ASKER):

Thanks geoffryn, thanks a lot for your help!
daveteh (ASKER):

By the way, what does "gt 1023" in the following statement stand for?

access-list inside_access_in permit udp 192.168.2.0 255.255.255.0 gt 1023 any object-group default-udp
It specifies that the source port must be above 1023.
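To make the behaviour of geoffryn's inside_access_in list and the "gt 1023" source-port clause concrete, here is an added example (not from this thread and not Cisco code) that parses the object-groups and the access-list into a small rule table and evaluates sample outbound flows against it with PIX-style first-match semantics. The CONFIG text, the PORT_NAMES table, the 192.168.2.x and 203.0.113.x addresses and the FLOWS are constructed for the demonstration; only the `eq`/`gt`/`lt` operators and `eq` port-object members are supported. The parser also refuses a service object-group whose protocol does not match the ACE that references it (a `tcp` group from a `udp` line), which is a mistake that is easy to make when copying such a config.

```python
"""First-match access-list evaluation modelled after the PIX ACL above.
Added example: parses a constructed CONFIG into rules and tests flows."""
import ipaddress

# Service names used in the config; numbers are the IANA assignments.
PORT_NAMES = {"domain": 53, "www": 80, "pop3": 110, "smtp": 25, "https": 443}

CONFIG = """\
object-group service default-services tcp
  port-object eq domain
  port-object eq www
  port-object eq pop3
  port-object eq smtp
  port-object eq https
object-group service default-udp tcp-udp
  port-object eq domain
access-list inside_access_in permit udp 192.168.2.0 255.255.255.0 gt 1023 any object-group default-udp
access-list inside_access_in permit tcp 192.168.2.0 255.255.255.0 gt 1023 any object-group default-services
access-list inside_access_in deny tcp any any
access-list inside_access_in deny udp any any
"""

def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ports(tok, i, proto, groups):
    """Parse an optional port clause; return (predicate over a port, next index)."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        op, n = tok[i], port_num(tok[i + 1])
        pred = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op]
        return pred, i + 2
    if i < len(tok) and tok[i] == "object-group":
        grp = groups[tok[i + 1]]
        # A tcp-only group cannot be referenced from a udp ACE (and vice versa).
        if grp["proto"] not in (proto, "tcp-udp"):
            raise ValueError(f"object-group {tok[i + 1]} is {grp['proto']}, ACE is {proto}")
        ports = grp["ports"]
        return (lambda p: p in ports), i + 2
    return (lambda p: True), i          # no port clause: any port matches

def parse_ace(tok, groups):
    """tok = [permit|deny, proto, <src> [src-port], <dst> [dst-port]]."""
    action, proto = tok[0], tok[1]
    src, i = parse_addr(tok, 2)
    src_ok, i = parse_ports(tok, i, proto, groups)
    dst, i = parse_addr(tok, i)
    dst_ok, i = parse_ports(tok, i, proto, groups)
    return {"action": action, "proto": proto, "src": src, "src_ok": src_ok,
            "dst": dst, "dst_ok": dst_ok}

def parse_config(text):
    """Collect service object-groups and access-lists keyed by name."""
    groups, acls, current = {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "service"]:
            current = groups.setdefault(tok[2], {"proto": tok[3], "ports": set()})
        elif tok[0] == "port-object" and current is not None:
            current["ports"].add(port_num(tok[2]))   # only 'eq' members here
        elif tok[0] == "access-list":
            current = None
            acls.setdefault(tok[1], []).append(parse_ace(tok[2:], groups))
        elif tok[0] != "description":
            current = None
    return groups, acls

def evaluate(acl, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching ACE wins; falling off the end is the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(acl, 1):
        if (ace["proto"] in (proto, "ip") and s in ace["src"] and ace["src_ok"](src_port)
                and d in ace["dst"] and ace["dst_ok"](dst_port)):
            return ace["action"], n
    return "deny", None

FLOWS = [  # constructed traffic from inside hosts toward the Internet
    ("tcp", "192.168.2.105", 40000, "203.0.113.10", 80),   # HTTP
    ("tcp", "192.168.2.105", 40001, "203.0.113.10", 25),   # SMTP
    ("udp", "192.168.2.105", 40002, "203.0.113.53", 53),   # DNS
    ("tcp", "192.168.2.105", 40003, "203.0.113.10", 22),   # SSH: not in the group
    ("tcp", "192.168.2.105", 1023, "203.0.113.10", 80),    # HTTP from source port 1023
    ("tcp", "192.168.3.7", 40004, "203.0.113.10", 80),     # HTTP from a foreign subnet
]

def run(config=CONFIG, flows=FLOWS):
    """Return (action, number of the matching ACE) for each flow."""
    _, acls = parse_config(config)
    return [evaluate(acls["inside_access_in"], *f) for f in flows]

if __name__ == "__main__":
    for flow, (action, n) in zip(FLOWS, run()):
        print(f"{flow}: {action} (ACE {n or 'implicit deny'})")
```

The two explicit `deny` lines at the end only make the implicit deny visible in logs; dropping them changes the result for the SSH flow from "deny at ACE 3" to "deny with no matching ACE", and the source-port-1023 flow shows what `gt 1023` actually excludes.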