I am getting ready to put a Cisco PIX506e in front of an existing mail/web/sql server that is collocated at an ISP. I am then going to separate the mail and web services onto two different machines which will use each other for back-up file storage. I want to be able to manage those machines securely from my office and to also offer secure and fast publicly acessible web, mail and ftp services for my clients - all things I am doing now, but with less security and reliability than I hope to have with the new config.
I have had some experience assisting a client in troubleshooting their Cisco configuration, so I have become familiar with the command-line interface and the procedure for adding/removing lines from the config file. I do not, however, have enough experience to do the config I am about to do entirely from scratch without assistance...
So, I'm asking - what I would really like is a solid basic sample configuration for my requirements. I've searched on the web and not found much of anything that really was very helpful. I do have a couple of the Cisco books, and am studying them, but I thought I'd give this a shot as well, thinking someone may have worked enough with similar configs that they could throw something back at me pretty easily. Could be wrong, but it's worth a shot...
Here are my basic specs:
The external IP ranges are xx.xxx.x.144 -xx.xxx.x.175 (with 175 being reserved as the address for the PIX external interface)
The internal IP range will be 192.168.1.1 - 192.168.1.254
The primary IP for the mail server will be xx.xxx.x.144 ---> 192.168.1.10
The primary IP for the web/SQL server will be xx.xxx.x.145 ---> 192.168.1.31
The public IP address of my home/office router is xx.xx.xx.75
I need to be able to either VPN in or to allow myself terminal service and Enterprise Manger access to the servers behind the firewall via my own IP address. On my end at the office, I am using a small netgear cable/dsl router (RT314). I'd be pysched if I were able to actuall "Network" to the servers behind the firewall, but I'm not sure I have everything I need on both ends to do that -- I would be willing to spend an additional $500 for that ability, but not much more.
Here are my initial routing requirements --->
For the mail services, I need to route the following external IPs to the indicated internal IPs on the mail server. I want to restrict the traffic to only those ports and types of traffic required, which include: smtp, pop3, and ports 143, 366, 389, 465, 995, 1000, 3000 and 3002:
xx.xxx.x.144 --> 192.168.1.10
xx.xxx.x.146--> 192.168.1.11
xx.xxx.x.157--> 192.168.1.12
xx.xxx.x.158 --> 192.168.1.13
xx.xxx.x.165 --> 192.168.1.14
For the web services, I need to route these external IPs to the web/sql server unit and restrict the traffic to 80, 443, 21:
xx.xxx.x.145--> 192.168.1.31
xx.xxx.x.148--> 192.168.1.32
xx.xxx.x.153--> 192.168.1.33
xx.xxx.x.158--> 192.168.1.34
xx.xxx.x.162--> 192.168.1.34
One or two lines of examples of how to set up the routing for IP and Ports to each server are sufficient - I don't need to whole config, just the stuff to get me started - but I would really appreciate guidance on efficiency items like named access-lists if I should go that route. I add a new site/domain maybe once a month or so and mail services (usually to the same IP, but sometimes I choose to dedicate a new IP) about 1/2 as often. We are posting files to the servers daily and have about 5 cleints that we grant FTP access to their sites.
The other thing I'm looking for is some idea of what statements are not really necessary but that might pop up in the default config, as well as clarity on which statements MUST exist.
If it's helpful as a starting point, here is the current config on the PIX that I want to set up to take to the ISP (anything in here is due to default settings or my attempts to set some things up experimentally):
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 0.0.0.0 inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.50-192.168.1.150
inside
Any and all help is definitely appreciated -- I have already benefitted a lot from this forum and really appreciate the exchange.
billbiv
