dsl77
PIX 506E configuration review & tune up recommendations

Hi guys..

I’m trying to configure my PIX so it can match my network settings and meet my needs to operate fast, securely and reliably.

Since I don’t have a test environment, a lot depends on this configuration being up and running when first powered up behind the ISP router.

In addition to allowing Exchange, FTP and Web traffic to flow, I also need some 10 VPN (PPTP) clients/accounts to be added.

My network (Windows 2000 Servers)

Server A : 192.168.0.210 : DC, Exchange Server 2000, IIS Server 5 (FTP&Web running)
Server B : 192.168.0.211 : DC, Backup Exec
Server C : 192.168.0.212 : AV Server (Panda AdminSecure)

IP scope: 192.168.0.100-192.168.0.180 (192.168.0.100-192.168.0.110 is excluded)
Subnet: 255.255.0.0
DHCP enabled

WAN IP: 195.184.116.126

Below is my PIX configuration… what is (not) missing? ;)

Thanks in advance!


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password b4YMiQWlhCQP5KZD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 195.184.116.126 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.100-192.168.1.150 netmask 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 195.184.116.125 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup mbdkvpn password ********
vpnclient username mbdkvpn password ********
vpnclient enable
terminal width 80
Cryptochecksum:1fb573c35dc22110f888523f0946d212
ASKER CERTIFIED SOLUTION
Les Moore


ASKER

Hi lrmoore

I’m glad that you picked this one up! As I assumed I am in over my head on this one, but more at ease knowing you’re correcting my ideas :)

Just to sum up your reply (recommendations).

Change my servers’ IPs and subnet to:
SRV A: 192.168.227.210 / 255.255.255.0
SRV B: 192.168.227.211 / 255.255.255.0
SRV C: 192.168.227.212 / 255.255.255.0

Change IP scope: 192.168.127.110-192.168.227.200 / 255.255.255.0

SRV A still runs DHCP!

With the network changes in mind and the rewritten PIX config how is ‘it’ looking now? :)


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password b4YMiQWlhCQP5KZD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
no fixup protocol smtp 25
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 195.184.116.126 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 195.184.116.125 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.227.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
ip address inside 192.168.227.1 255.255.255.0
static (inside,outside) tcp www interface 192.168.227.210 www
static (inside,outside) tcp ftp interface 192.168.227.210 ftp
static (inside,outside) tcp ftp-data interface 192.168.227.210 ftp-data
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq ftp-data
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inaside
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup mbdkvpn password ********
vpnclient username mbdkvpn password ********
vpnclient enable
ip local pool VPN_Pool 192.168.228.100-192.168.228.200
access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
nat (inside) 0 access-list no_nat_VPN
sysopt connection permit-pptp
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication pap
vpdn group PPTP ppp authentication chap
vpdn group PPTP ppp authentication mschap
vpdn group PPTP ppp encryption mppe auto
vpdn group PPTP client configuration address local VPN_Pool
vpdn group PPTP client configuration dns 192.168.227.210 192.168.227.211
vpdn group PPTP pptp echo 60
vpdn group PPTP client authentication local
vpdn username user1 password *********
vpdn username user2 password *********
vpdn username user3 password *********
vpdn username user4 password *********
vpdn username user5 password *********
vpdn username user6 password *********
vpdn enable outside
terminal width 80
Cryptochecksum:1fb573c35dc22110f888523f0946d212

>dhcpd enable inaside
You need to disable dhcpd on the PIX if SRV A still runs DHCP
   no dhcpd enable inside

Looks like the rest of it should work fine..

ASKER

When trying to create the static port mappings i get this error: "ERROR: Invalid global IP address smtp"

I'm using Device Manager 3.0 (Command Line Interface) to insert the command - any ideas?

Is there an easy way to convert a txt file to a PIX image?
My bad....
 static (inside,outside) tcp www interface 192.168.227.210 www
 static (inside,outside) tcp ftp interface 192.168.227.210 ftp
 static (inside,outside) tcp ftp-data interface 192.168.227.210 ftp-data

Should be...

static (inside,outside) tcp interface www 192.168.227.210 www
static (inside,outside) tcp interface ftp 192.168.227.210 ftp
static (inside,outside) tcp interface ftp-data 192.168.227.210 ftp-data
static (inside,outside) tcp interface smtp 192.168.227.210 smtp

The PIX config is already a text file. From PDM File | show running config in new window
IE File | Save As...
Save as .txt file somewhere

ASKER

thanks lrmoore

access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0

is saying: "ERROR: invalid protocol 192.168.227.0" - any ideas here? :)

How do I import the txt into PDM?
Yes, once again I must have been running on too much caffeine..

> access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0

Should be:
 access-list no_nat_VPN permit ip 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
                               ^^

You can import the text by opening it up in Notepad, select, copy, then use the Multi command line option, paste, submit..


ASKER

Hi again..

Yesterday I finally installed my PIX – but nothing happened - no email, no internet!? So now I’m looking for that glass of aspirin I threw away :)

I changed all the servers’ IPs, IP scope, subnet and DHCP. There were no errors in the Event Viewer after rebooting the servers.

Clients running DHCP (192.168.227.1xx) are not able to ping the router. Clients on a static IP (192.168.1.2) can ping the router, but cannot get online.

What to do now… ?

lrmoore – just so you know, I really appreciate your help!

Here is an updated list:
Router:            192.168.1.1 / 255.255.255.0
DC & DHCP Server:  192.168.227.210 / 255.255.255.0
DHCP IP Scopes:    192.168.227.100 - 192.168.227.200
                   192.168.228.100 - 192.168.228.200
  Router:          192.168.1.1
  DNS Server:      192.168.227.210 & 192.168.227.211

My running PIX config:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password b4YMiQWlhCQP5KZD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq ftp-data
access-list no_nat_VPN permit ip 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 195.184.116.126 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool 192.168.228.100-192.168.228.200
pdm location 192.168.227.0 255.255.255.0 inside
pdm location 192.168.227.210 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.227.210 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.227.210 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.227.210 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.227.210 ftp-data netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 195.184.116.125 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.227.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication pap
vpdn group PPTP ppp authentication chap
vpdn group PPTP ppp authentication mschap
vpdn group PPTP ppp encryption mppe auto
vpdn group PPTP client configuration address local VPN_Pool
vpdn group PPTP client configuration dns 192.168.227.210 192.168.227.211
vpdn group PPTP pptp echo 60
vpdn group PPTP client authentication local
vpdn username dsl77 password *********
vpdn enable outside
dhcpd auto_config outside
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup mbdkvpn password ********
vpnclient username mbdkvpn password ********
vpnclient enable
terminal width 80
Cryptochecksum:43babccec88d2e559b1aeab8c218ec72
: end
[OK]
You have to change this:
>ip address inside 192.168.1.1 255.255.255.0

to this:
>ip address inside 192.168.227.1 255.255.255.0

Making sure that the dhcp scope points to this as the default gateway..


ASKER

>Making sure that the dhcp scope points to this as the default gateway..
By this you mean change the 003 Router under scope options so it points to...?
Yes. If you have it pointing now to 192.168.1.1, then you must change it to 192.168.227.1
You can't assign the PIX interface an IP address in a different subnet, and you can't point a default gateway to an IP that is not local to the client..
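To wrap up the errors this thread ran into (the swapped `static` arguments, the `access-list` line with no protocol keyword, the `dhcpd enable inaside` typo, and the inside interface left on 192.168.1.0/24 while the servers and DHCP scope moved to 192.168.227.0/24), here is an added Python lint script that checks a pasted PIX 6.3 config for exactly those mistakes before it goes onto the box. It also flags two weak settings the posted config still carries: the default `public` SNMP community string and PAP left enabled for PPTP, which sends the password in cleartext. This is example code written for this page, not Cisco's and not from anyone in the thread; the two sample configs and the host list inside it are constructed from the addresses quoted above, and the check names (`static`, `acl`, `snmp`, `pptp`, `dhcpd`, `subnet`) are my own.

```python
"""Lint a PIX 6.3 running-config for the mistakes hit in this thread.

Added example, not PIX code: run it over the text you are about to paste into
PDM's multi-line command window. Each check mirrors one error or recommendation
from the thread plus two weak settings the posted config left in place.
"""
import ipaddress

ACL_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}

# Constructed sample: lines as they appeared in the asker's first attempts.
BROKEN_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 192.168.1.1 255.255.255.0
static (inside,outside) tcp www interface 192.168.227.210 www
access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
access-list outside_in permit tcp any interface outside eq smtp
snmp-server community public
vpdn group PPTP ppp authentication pap
vpdn group PPTP ppp authentication mschap
dhcpd enable inaside
"""

# Constructed sample: the same lines in the corrected form the thread arrives at.
FIXED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 192.168.227.1 255.255.255.0
static (inside,outside) tcp interface www 192.168.227.210 www netmask 255.255.255.255 0 0
access-list no_nat_VPN permit ip 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
access-list outside_in permit tcp any interface outside eq smtp
vpdn group PPTP ppp authentication mschap
no dhcpd enable inside
"""

# Hosts that must be on-link with the inside interface: the three servers and
# one address from the DHCP scope (constructed from the thread's numbers).
INSIDE_HOSTS = ["192.168.227.210", "192.168.227.211", "192.168.227.212", "192.168.227.100"]


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def lint_pix(config: str, inside_hosts=INSIDE_HOSTS) -> list[tuple[str, str]]:
    """Return (check, message) pairs; an empty list means nothing was flagged."""
    lines = [l.split() for l in config.splitlines() if l.strip()]
    # Interface names are defined by 'nameif'; dhcpd/static/etc. must use one of them.
    ifnames = {t[2] for t in lines if t[0] == "nameif" and len(t) > 2}
    findings = []
    inside_if = None
    for tok in lines:
        line = " ".join(tok)
        if tok[0] == "no":
            continue  # negated commands never carry the mistakes checked here
        if tok[:3] == ["ip", "address", "inside"] and len(tok) >= 5:
            inside_if = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[0] == "static" and len(tok) >= 7 and tok[2] in ("tcp", "udp"):
            # 6.3 order: static (in,out) tcp <global ip | interface> <gport> <local ip> <lport>
            if tok[3] != "interface" and not _is_ip(tok[3]):
                findings.append(("static", f"global address '{tok[3]}' is neither an IP nor "
                                 f"'interface'; arguments look swapped: {line}"))
        elif tok[0] == "access-list" and len(tok) >= 4 and tok[2] in ("permit", "deny"):
            if tok[3] not in ACL_PROTOCOLS:
                findings.append(("acl", f"protocol keyword missing after '{tok[2]}' "
                                 f"(PIX reports 'invalid protocol {tok[3]}'): {line}"))
        elif tok[:2] == ["snmp-server", "community"] and len(tok) > 2 and tok[2] in ("public", "private"):
            findings.append(("snmp", f"default community string '{tok[2]}': set a unique one "
                             "and restrict managers with snmp-server host"))
        elif tok[0] == "vpdn" and tok[-2:] == ["authentication", "pap"]:
            findings.append(("pptp", "PAP sends the password in cleartext; keep mschap "
                             "(required for MPPE) and remove pap"))
        elif tok[:2] == ["dhcpd", "enable"] and len(tok) > 2 and tok[2] not in ifnames:
            findings.append(("dhcpd", f"'{tok[2]}' is not a nameif interface: {line}"))
    if inside_if is not None:
        off_link = [h for h in inside_hosts if ipaddress.ip_address(h) not in inside_if.network]
        if off_link:
            findings.append(("subnet", f"inside interface {inside_if} is not on the same subnet "
                             f"as {', '.join(off_link)}; those hosts cannot use it as gateway"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        result = lint_pix(cfg)
        print(f"== {name}: {len(result)} finding(s)")
        for check, msg in result:
            print(f"[{check}] {msg}")
```

Running it prints six findings for the broken sample (one per check) and none for the corrected one; the `subnet` check is the one that explains the "can ping the router but cannot get online" symptom, since clients on 192.168.227.x never had an on-link gateway while the PIX sat on 192.168.1.1.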