robert100

PIX Initial Setup

Hi,

We are going to set up a PIX 515E as our firewall. We have three interfaces, one internal, one DMZ, and one external. Where can I find information for initial setup and configuration?

Also, on our current firewall, Raptor 6.0 on an NT box, we set rules for internal users to use different services, such as Telnet, FTP, etc. Currently, we put those users in an NT group, and the firewall rule just allows only this group to use FTP, for example. Can I do a similar thing on the PIX?

Another question: we are running content filtering software, Web Inspector from ELRON Software, which basically filters out some sites so that you can't go there. Is there any similar software that can be integrated with the firewall? Can the PIX be configured to do a similar thing?

Thanks in advance.

Robert100
Les Moore

Initial setup:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/bafwcfg.htm

Yes, you can group users, but you would have to use a TACACS+ server to set up the rules/access
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/mngacl.htm

Yes, PIX integrates with WebSense:
The url-server command designates a server that runs Websense, a URL filtering application. Once you designate the server, enable the URL filtering service with the filter command.

http://www.websense.com

Free eval download...
robert100 (ASKER)

Thanks for help.

Is there anything we can do to configure similar, if not the same, settings without a TACACS+ server?

Thanks

You can use a Radius server to achieve the same thing. I guess the Microsoft Radius server will suffice, but I haven't tested it.

You can avoid using a TACACS+ or RADIUS server and still do the same, if you can place the users in different ip ranges, and then create an access-list that allows different things for each range.

Sorry, but there is no way around it with the PIX:
You can use access lists to control traffic based on IP address and protocol, but to control access and use for specific users or groups, you need to use authentication and authorization. Authentication, which is the process of identifying users, is supported by the PIX Firewall for RADIUS and TACACS+ servers. Authorization identifies the specific permissions for a given user.

I want to explain the last part of my comment a bit.

In the PIX you can base authorisation on either ip addresses or an authentication server like radius or tacacs+.

If a radius or tacacs+ server is not an option, you are stuck on using ip addresses for authorisation.

If you still need authentication, you will have to install a mechanism to use ip addresses for authentication as well.

This can be done by splitting up your network and only allowing users physical access to those parts of the network that have specific access through the PIX, or, for individual authentication, you will have to configure fixed IP addresses for users and trust them not to change the addresses themselves.

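
As an added illustration of the address-range approach described in the posts above (this is not from any of the posters and not from Cisco's documentation), here is what it looks like in PIX 6.x configuration. The interface names, all addresses, the 10.1.10.0/24 and 10.1.20.0/24 ranges and the internal router at 10.1.1.2 are assumptions; lines beginning with ! are notes for the reader, not PIX commands.

```cisco
! Added example, not from any poster. Three interfaces as in the question;
! every address and range below is assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0

! Default route to the ISP router; the internal subnets sit behind a
! router at 10.1.1.2 (assumed).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.1.0.0 255.255.0.0 10.1.1.2 1

! Hide all internal addresses behind the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Outbound policy keyed on the source range: 10.1.10.0/24 is the range
! reserved for people cleared for FTP, 10.1.20.0/24 for people cleared for
! Telnet; everyone on the inside gets web and DNS only. PIX access lists
! take real subnet masks, not IOS-style wildcard masks.
access-list inside_out permit tcp 10.1.10.0 255.255.255.0 any eq ftp
access-list inside_out permit tcp 10.1.20.0 255.255.255.0 any eq telnet
access-list inside_out permit tcp any any eq www
access-list inside_out permit udp any any eq domain
! Every PIX access list ends in an implicit deny; the explicit entry only
! documents the intent.
access-list inside_out deny ip any any
access-group inside_out in interface inside
```

The PIX has no idea who is sitting at 10.1.10.37; it only sees the address, so this control is only as strong as the control over who can obtain an address in that range. With DHCP that means pinning each range to a physical segment or VLAN with its own scope, which is the point made above about physical access. Connections the list denies are recorded by the PIX as a syslog deny (message 106023), so if the requirement is to monitor as well as restrict, send the logs to a syslog host.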
Thanks very much for the help.

For RADIUS, Windows 2000 has support, Internet Authentication Services. Have any of you used it? Any comments?

For URL content filtering, Websense is very expensive; what about other software, like ELRON's Web Inspector, which is what we have? Do you have any experience using it with any firewall, not limited to PIX?

Thank you.

Robert100
For the RADIUS part, there is a document describing how to use IAS in a VPN setup, so my guess is that you will be able to use it.

With regards to ELRON's Web Inspector, I can't see anything in the online documentation that indicates that you will be able to use the URL filter function in the PIX. As I understand it, Web Inspector is placed as a unit between the internet and your users as a sort of bridge that inspects traffic and blocks the traffic when a rule is hit.
I can't see any reason why it wouldn't work as such with a PIX firewall in front of it, though.
You can use Microsoft's Radius in Windows 2000 instead of TACACS+. These detailed instructions are for setting them up to authenticate inbound users, but you can use the same basics for outbound when combined with the AAA instructions provided in my first post above.

http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html
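
To make the RADIUS part concrete, an added example (not taken from the linked Cisco document and not Les Moore's configuration) of the PIX 6.x commands that send outbound FTP and Telnet users through a Windows 2000 IAS server before the connection is allowed. The server address 10.1.1.20, the syslog host 10.1.1.30, the interface name and the shared-secret placeholder are all assumptions; lines beginning with ! are notes for the reader, not PIX commands.

```cisco
! Added example; addresses, names and the secret placeholder are assumed.
! Define a RADIUS server group called IAS and point it at the Windows 2000
! IAS box on the inside network.
aaa-server IAS protocol radius
aaa-server IAS (inside) host 10.1.1.20 REPLACE_WITH_SHARED_SECRET timeout 10

! Cut-through proxy: an inside host opening outbound FTP or Telnet is
! prompted for a username and password, which the PIX forwards to IAS.
! "0 0 0 0" means any local address to any foreign address.
aaa authentication include ftp inside 0 0 0 0 IAS
aaa authentication include telnet inside 0 0 0 0 IAS

! Keep a successful login valid for 30 minutes so every new FTP or Telnet
! session from that address is not prompted again.
timeout uauth 0:30:00 absolute

! Ship AAA results and access-list denies to a syslog host so successful
! and failed logins can be reviewed, which is the monitoring half of the
! requirement in the question.
logging on
logging host inside 10.1.1.30
logging trap informational
```

One caveat for the group-based requirement: on PIX 6.x the `aaa authorization include` command, which decides per user which services are permitted, only accepts a TACACS+ server group. With IAS alone the PIX learns whether a user may log in at all, not whether this particular user may use FTP but not Telnet; an IAS remote access policy can refuse users outside the right Windows group, but that is one decision per login, not per service. Per-user service control over RADIUS needs the server to hand back a downloadable access list, which PIX 6.2 and later support with Cisco Secure ACS.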
Thanks.

What is the difference between RADIUS and TACACS+? The Cisco document mentions TACACS+ more than RADIUS. Cisco ACS seems to work in this situation; do you have an idea how expensive it is?

Our major concern here is to monitor and control which internal group can use what type of services, such as FTP, NNTP, etc. Since we are a government agency, this is the policy. Restricting by IP seems not to work well since clients may move to other subnets (we have 6 subnets), all using DHCP. If Windows 2000 IAS can do the job, we will do that. Currently we have an NT 4.0 domain; can IAS run on a Windows 2000 member server in an NT domain, or is ADS required? We are planning to migrate to Windows 2000 ADS, but it won't happen overnight.

Thanks again

Robert 100

ASKER CERTIFIED SOLUTION
svindler