Solved

PIX Initial Setup

Posted on 2002-04-10
Last Modified: 2008-02-07
Hi,

We are going to set up a PIX 515E as our firewall. We have three interfaces, one internal, one DMZ, and one external. Where can I find information for initial setup and configuration?

Also, on our current firewall, Raptor 6.0 on an NT box, we set rules for internal users to use different services, such as Telnet, FTP, etc. Currently, we put those users in an NT group, and the firewall rule allows only this group to use FTP, for example. Can I do something similar on the PIX?

Another question: we are running content filtering software, Web Inspector from ELRON Software, which basically filters out some sites so that you can't go there. Is there any similar software that can be integrated with the firewall? Can the PIX be configured to do something similar?

Thanks in advance.

Robert100
Question by:robert100
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 6932588
Initial setup:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/bafwcfg.htm

Yes, you can group users, but you would have to use a TACACS+ server to set up the rules/access:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/mngacl.htm

Yes, PIX integrates with WebSense:
The url-server command designates a server that runs Websense, a URL filtering application. Once you designate the server, enable the URL filtering service with the filter command.

http://www.websense.com

Free eval download...
 

Author Comment

by:robert100
ID: 6942590
Thanks for help.

Is there anything we can do to configure similar, if not the same, settings without a TACACS+ server?

Thanks

 
LVL 4

Expert Comment

by:svindler
ID: 6951841
You can use a Radius server to achieve the same thing. I guess the Microsoft Radius server will suffice, but I haven't tested it.
You can avoid using a TACACS+ or RADIUS server and still do the same, if you can place the users in different ip ranges, and then create an access-list that allows different things for each range.
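The IP-range approach svindler describes, written out as an added PIX 6.x configuration (this is an illustrative example, not configuration from the thread or from Cisco's documentation). Interface names, subnets, the syslog host and the group assignments are all made up; as noted later in the thread, it only holds if each group really does stay in its own range, so DHCP reservations or one subnet per group are a prerequisite.

```cisco
! Added example: per-subnet outbound service control on a three-interface
! PIX 6.x. Comment lines starting with "!" are annotations for the reader.
!
! Interfaces (names and security levels are assumptions)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.1.0.1 255.255.0.0
!
! Group "A" lives in 10.1.10.0/24 and may use FTP and Telnet outbound.
! PIX access-lists take a normal subnet mask, not an IOS wildcard mask.
access-list inside_out permit tcp 10.1.10.0 255.255.255.0 any eq ftp
access-list inside_out permit tcp 10.1.10.0 255.255.255.0 any eq telnet
!
! Group "B" in 10.1.20.0/24 may additionally read news (NNTP).
access-list inside_out permit tcp 10.1.20.0 255.255.255.0 any eq nntp
!
! Everyone on the inside may browse the web.
access-list inside_out permit tcp 10.1.0.0 255.255.0.0 any eq www
access-list inside_out permit tcp 10.1.0.0 255.255.0.0 any eq 443
!
! Explicit final deny. Unmatched traffic is dropped anyway, but the line
! makes the policy visible and gives "show access-list" a hit counter.
access-list inside_out deny ip any any
!
! Bind the list to traffic entering the firewall from the inside.
access-group inside_out in interface inside
!
! Ship denies to a syslog host (placeholder address) so policy violations
! can be reviewed, which covers the "monitor" half of the requirement.
logging on
logging trap informational
logging host inside 10.1.1.50
```

Check the result with `show access-list inside_out` after a test FTP session from each range; a hit count that only grows on the deny line for a host that should be allowed usually means the host is not in the range you assumed.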
 
LVL 79

Expert Comment

by:lrmoore
ID: 6957274
Sorry, but there is no way around it with the PIX:
You can use access lists to control traffic based on IP address and protocol, but to control access and use for specific users or groups, you need to use authentication and authorization. Authentication, which is the process of identifying users, is supported by the PIX Firewall for RADIUS and TACACS+ servers. Authorization identifies the specific permissions for a given user.

 
LVL 4

Expert Comment

by:svindler
ID: 6959298
I want to explain the last part of my comment a bit.

In the PIX you can base authorisation on either ip addresses or an authentication server like radius or tacacs+.

If a radius or tacacs+ server is not an option, you are stuck on using ip addresses for authorisation.

If you still need authentication, you will have to install a mechanism to use ip addresses for authentication as well.

This can be done by splitting up your network and only allowing users physical access to those parts of the network that have specific access through the PIX or, for individual authentication, you will have to configure fixed IP addresses for users and trust them not to change the addresses themselves.
 

Author Comment

by:robert100
ID: 6961344
Thanks very much for the help.

For RADIUS, Windows 2000 has support: Internet Authentication Services. Have any of you used it? Any comments?

For URL content filtering, Websense is very expensive; what about other software, like ELRON's Web Inspector, which is what we have? Do you have any experience using it with any firewall, not limited to the PIX?

Thank you.

Robert100
 
LVL 4

Expert Comment

by:svindler
ID: 6964111
For the RADIUS part, there is a document describing how to use IAS in a VPN setup, so my guess is that you will be able to use it.

With regards to ELRON's Web Inspector, I can't see anything in the online documentation that indicates that you will be able to use the URL filter function in the PIX. As I understand it, Web Inspector is placed as a unit between the internet and your users as a sort of bridge that inspects traffic and blocks the traffic when a rule is hit.
I can't see any reason why it wouldn't work as such with a PIX firewall in front of it, though.
 
LVL 79

Expert Comment

by:lrmoore
ID: 6982432
You can use Microsoft's Radius in Windows 2000 instead of TACACS+. These detailed instructions are for setting them up to authenticate inbound users, but you can use the same basics for outbound when combined with the AAA instructions provided in my first post above.

http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html
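The two pieces lrmoore points at, RADIUS authentication through Windows 2000 IAS and the `url-server`/`filter` pair for Websense, combined in one added PIX 6.1-style configuration. This is an illustrative example, not configuration from the thread or from the Cisco documents linked above; the server addresses, the `IAS` group tag and the shared secret are placeholders.

```cisco
! Added example: RADIUS (IAS) authentication of outbound FTP/Telnet users
! plus Websense URL filtering. "!" lines are annotations for the reader.
!
! Define a RADIUS server group pointing at the IAS host on the inside.
! The shared secret must match the RADIUS client entry created in IAS.
aaa-server IAS protocol radius
aaa-server IAS (inside) host 10.1.1.10 ChangeThisSharedSecret timeout 5
!
! Require users to authenticate before outbound FTP or Telnet is allowed
! (the PIX "cut-through proxy"). "0 0 0 0" means any local address and
! any foreign address. In PIX 6.2 and later the inbound/outbound keyword
! is replaced by the interface name, e.g. "inside".
aaa authentication include ftp outbound 0 0 0 0 IAS
aaa authentication include telnet outbound 0 0 0 0 IAS
!
! Send start/stop accounting records for every authenticated session to
! the same RADIUS server, which gives a per-user audit trail.
aaa accounting include any outbound 0 0 0 0 IAS
!
! Per-user or per-group service authorization on the PIX needs TACACS+
! (as lrmoore noted above); with RADIUS alone the firewall only learns
! who the user is, so service restrictions still come from access-lists.
!
! Websense URL filtering: name the filtering server, then enable the
! filter for outbound HTTP from any inside host to any destination.
url-server (inside) host 10.1.1.20 timeout 5
filter url http 0 0 0 0
!
! Appending "allow" to the filter line would pass web traffic through
! while the Websense server is unreachable (fail-open). Leaving it off
! blocks HTTP until the server is back, which is the safer choice when
! filtering is a policy requirement rather than a convenience.
```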
 

Author Comment

by:robert100
ID: 6987050
Thanks.

What is the difference between RADIUS and TACACS+? The Cisco documentation mentions TACACS+ more than RADIUS. Cisco ACS seems to work in this situation; have an idea how expensive it is?

Our major concern here is to monitor and control which internal group can use what type of services, such as FTP, NNTP, etc. Since we are a government agency, this is the policy. Restricting by IP seems not to work well since clients may move to other subnets (we have 6 subnets), all using DHCP. If Windows 2000 IAS can do the job, we will do that. Currently we have an NT 4.0 domain; can IAS run on a Windows 2000 member server in an NT domain, or is ADS required? We are planning to migrate to Windows 2000 ADS, but it won't happen overnight.

Thanks again

Robert 100
 
LVL 4

Accepted Solution

by:svindler (earned 150 total points)
ID: 6988317
RADIUS is UDP based, TACACS+ is TCP based. In theory, this can make firewalling a TACACS+ server more secure at the expense of performance.
In Radius, only the password is encrypted on the network. In Tacacs+, all data is encrypted.
Both Radius and Tacacs+ are good at authentication and accounting, but Tacacs+ is better at authorisation, where individual commands can be authorized when logged into Cisco equipment. This does not sound necessary in your setup.
Radius is used much more, and more implementations are available.

A comparison from Cisco: http://www.cisco.com/warp/public/480/10.html

IAS should be able to do the job. ADS is not necessary.