Solved

PIX Initial Setup

Posted on 2002-04-10
390 Views
Last Modified: 2008-02-07
Hi,

We are going to set up a PIX 515E as our firewall. We have three interfaces, one internal, one DMZ, and one external. Where can I find information for initial setup and configuration?

Also, on our current firewall, Raptor 6.0 on an NT box, we set rules for internal users to use different services, such as Telnet, FTP, etc. Currently, we put those users in an NT group, and the firewall rule allows only this group to use FTP, for example. Can I do a similar thing on the PIX?

Another question: we are running content filtering software, Web Inspector from ELRON Software, which basically filters out some sites so that you can't go there. Is there any similar software that can be integrated with the firewall? Can the PIX be configured to do a similar thing?

Thanks in advance.

Robert100
Question by:robert100
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 6932588
Initial setup:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/bafwcfg.htm

Yes, you can group users, but you would have to use a TACACS+ server to setup the rules/access
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/mngacl.htm

Yes, PIX integrates with WebSense:
The url-server command designates a server that runs Websense, a URL filtering application. Once you designate the server, enable the URL filtering service with the filter command.

http://www.websense.com

Free eval download...
0
 

Author Comment

by:robert100
ID: 6942590
Thanks for help.

Is there anything we can do to configure similar, if not the same, settings without a TACACS+ server?

Thanks

0
 
LVL 4

Expert Comment

by:svindler
ID: 6951841
You can use a RADIUS server to achieve the same thing. I guess the Microsoft RADIUS server will suffice, but I haven't tested it.
You can avoid using a TACACS+ or RADIUS server and still do the same if you can place the users in different IP ranges, and then create an access-list that allows different things for each range.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 6957274
Sorry, but there is no way around it with the PIX:
You can use access lists to control traffic based on IP address and protocol, but to control access and use for specific users or groups, you need to use authentication and authorization. Authentication, which is the process of identifying users, is supported by the PIX Firewall for RADIUS and TACACS+ servers. Authorization identifies the specific permissions for a given user.

0
 
LVL 4

Expert Comment

by:svindler
ID: 6959298
I want to explain the last part of my comment a bit.

In the PIX you can base authorisation on either IP addresses or an authentication server like RADIUS or TACACS+.

If a RADIUS or TACACS+ server is not an option, you are stuck with using IP addresses for authorisation.

If you still need authentication, you will have to install a mechanism to use IP addresses for authentication as well.

This can be done by splitting up your network and only allowing users physical access to those parts of the network that have specific access through the PIX or, for individual authentication, you will have to configure fixed IP addresses for users and trust them not to change the addresses themselves.
0
 

Author Comment

by:robert100
ID: 6961344
Thanks very much for the help.

For RADIUS, Windows 2000 has support, Internet Authentication Services. Have any of you used it? Any comments?

For URL content filtering, Websense is very expensive; what about other software, like ELRON's Web Inspector, which is what we have? Do you have any experience using it with any firewall, not limited to PIX?

Thank you.

Robert100
0
 
LVL 4

Expert Comment

by:svindler
ID: 6964111
For the RADIUS part, there is a document describing how to use IAS in a VPN setup, so my guess is that you will be able to use it.

With regards to ELRON's Web Inspector, I can't see anything in the online documentation that indicates that you will be able to use the URL filter function in the PIX. As I understand it, Web Inspector is placed as a unit between the internet and your users as a sort of bridge that inspects traffic and blocks the traffic when a rule is hit.
I can't see any reason why it wouldn't work as such with a PIX firewall in front of it, though.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 6982432
You can use Microsoft's RADIUS in Windows 2000 instead of TACACS+. These detailed instructions are for setting them up to authenticate inbound users, but you can use the same basics for outbound when combined with the AAA instructions provided in my first post above.

http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html
0
 

Author Comment

by:robert100
ID: 6987050
Thanks.

What is the difference between RADIUS and TACACS+? The Cisco documents mention TACACS+ more than RADIUS. Cisco ACS seems to work in this situation; have you an idea how expensive it is?

Our major concern here is to monitor and control which internal group can use what type of services, such as FTP, NNTP, etc. Since we are a government agency, this is the policy. Restricting by IP seems not to work well since clients may move to other subnets (we have 6 subnets), all using DHCP. If Windows 2000 IAS can do the job, we will do that. Currently we have an NT 4.0 domain; can IAS run on a Windows 2000 member server in an NT domain, or is ADS required? We are planning to migrate to Windows 2000 ADS, but it won't happen overnight.

Thanks again

Robert 100
0
 
LVL 4

Accepted Solution

by: svindler earned 150 total points
ID: 6988317
RADIUS is UDP based, TACACS+ is TCP based. In theory, this can make firewalling TACACS+ more secure at the expense of performance.
In RADIUS, only the password is encrypted on the network. In TACACS+, all data is encrypted.
Both RADIUS and TACACS+ are good at authentication and accounting, but TACACS+ is better at authorisation, where individual commands can be authorized when logged into Cisco equipment. This does not sound necessary in your setup.
RADIUS is used much more, and more implementations are available.

A comparison from Cisco: http://www.cisco.com/warp/public/480/10.html

IAS should be able to do the job. ADS is not necessary.
0
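The accepted answer's point that RADIUS protects only the password while the rest of the packet travels in clear can be seen in the User-Password "hiding" algorithm from RFC 2865 section 5.2 (the RFC calls it hiding, not encryption: it is MD5 keystream XOR keyed by the shared secret). The following is an added example, not code from this thread or from Cisco; the shared secret, Request Authenticator, username and password are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values: the shared secret a PIX and a RADIUS/IAS server
# would both hold, and the 16-byte Request Authenticator of one Access-Request.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block
    with MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator. Everything else in the packet stays plaintext."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block          # chaining: next keystream depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream and XOR again, then drop the
    NUL padding (so a password ending in a NUL byte is not representable)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Minimal Access-Request (Code 1) carrying User-Name (type 1) and
    User-Password (type 2). Header: code, identifier, length, authenticator."""
    hidden = hide_password(password, secret, authenticator)
    avps = struct.pack("BB", 1, 2 + len(username)) + username      # sent in clear
    avps += struct.pack("BB", 2, 2 + len(hidden)) + hidden         # hidden
    header = struct.pack("!BBH", 1, 0x2A, 20 + len(avps))          # identifier 0x2A is arbitrary
    return header + authenticator + avps


if __name__ == "__main__":
    pkt = build_access_request(b"robert100", b"s3cret", SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print("username visible on the wire:", b"robert100" in pkt)   # True
    print("password visible on the wire:", b"s3cret" in pkt)      # False
```

A packet capture between the PIX and the RADIUS server therefore shows usernames, NAS addresses and accounting data directly; only the User-Password attribute requires the shared secret to recover.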
