Solved

Suggest to me how secure my setup is..

Posted on 2003-03-02
Last Modified: 2010-04-17
The following is the PIX configuration I have done in my setup. As this is my first time, I need some security input from the Experts to make this setup stable and secure.

ISP---router---pix---LAN
The setup is as follows.. (sorry for the size)
I have an ACS (Win2k) server and VPN dial-in clients also.

Thanks in advance...

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********* encrypted
passwd ********* encrypted
hostname test
domain-name test.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol ils 389
fixup protocol smtp 25
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sqlnet 1521
names
name 172.24.80.40 ISA-server
name 202.54.1.18 Router
name 172.24.80.0 myLAn
object-group service Services tcp
  description Services allowed
  port-object eq ftp
  port-object eq pop3
  port-object eq domain
  port-object eq https
  port-object eq www
  port-object eq smtp
object-group service Domain udp
  description Domain
  port-object eq domain
object-group network LAusers
  network-object myLAn 255.255.248.0
object-group network LAusers_ref
  network-object 202.54.104.0 255.255.248.0
object-group service VPNservices tcp
  description This is for VPN services
  port-object eq 1723
  port-object range 1701 1701
  port-object range 500 500
access-list compiled
access-list inside_access_in permit tcp host ISA-server any object-group Services
access-list inside_access_in permit udp host ISA-server any object-group Domain
access-list inside_access_in permit tcp host ISA-server host Router eq telnet
access-list inside_access_in permit tcp host ISA-server any eq 1863
access-list inside_access_in permit icmp object-group LAusers any echo
access-list inside_access_in permit icmp object-group LAusers any echo-reply
access-list inside_access_in permit tcp object-group LAusers object-group VPNservices any
access-list inside_access_in deny tcp object-group LAusers any
access-list inside_access_in deny udp object-group LAusers any
access-list inside_access_in deny ip object-group LAusers any
access-list outside_access_in permit icmp any object-group LAusers_ref echo-reply
access-list outside_access_in permit icmp any object-group LAusers_ref echo
access-list outside_access_in deny tcp any object-group LAusers_ref
access-list outside_access_in deny udp any object-group LAusers_ref
access-list outside_access_in deny ip any host 202.54.1.27
access-list inside_nat0_outbound permit ip myLAn 255.255.248.0 myLAn 255.255.248.0
access-list inside_nat0_outbound permit ip myLAn 255.255.248.0 172.24.81.0 255.255.255.192
access-list dialin_users_splitTunnelAcl permit ip myLAn 255.255.248.0 any
access-list outside_cryptomap_dyn_40 permit ip any 172.24.81.0 255.255.255.192
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap warnings
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 202.54.1.19 255.255.255.240
ip address inside 172.24.80.30 255.255.248.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool remote_user 172.24.81.25-172.24.81.50
pdm location 172.24.80.32 255.255.255.255 inside
pdm location ISA-server 255.255.255.255 inside
pdm location Router 255.255.255.255 outside
pdm location myLAn 255.255.248.0 outside
pdm location Javacode 255.255.248.0 inside
pdm group LAusers inside
pdm group LAusers_ref outside reference LAusers
pdm history enable
arp timeout 14400
global (outside) 1 202.54.1.21-202.54.1.27
global (outside) 1 202.54.1.20
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) 202.54.1.20 ISA-server netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 Router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host ISA-server cisco1234 timeout 10
aaa-server LOCAL protocol local
aaa-server ISA-server protocol radius
aaa-server ISA-server (inside) host ISA-server cisco1234 timeout 10
filter activex 80 myLAn 255.255.248.0 0.0.0.0 0.0.0.0
http server enable
http 172.24.80.32 255.255.255.255 inside
http myLAn 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside ISA-server /pix
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
auth-prompt prompt Welcome to NuBAH RO
auth-prompt accept You are logged in successfully
auth-prompt reject Check your login information
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication ISA-server
crypto map outside_map interface outside
isakmp enable outside
isakmp client configuration address-pool local remote_user outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup dialin_users address-pool remote_user
vpngroup dialin_users wins-server 172.16.40.1
vpngroup dialin_users split-tunnel dialin_users_splitTunnelAcl
vpngroup dialin_users idle-time 1800
vpngroup dialin_users password ********
telnet myLAn 255.255.248.0 inside
telnet timeout 5
ssh timeout 5
vpdn group dial_group accept dialin pptp
vpdn group dial_group ppp authentication mschap
vpdn group dial_group ppp encryption mppe 128 required
vpdn group dial_group client configuration address local remote_user
vpdn group dial_group pptp echo 100
vpdn group dial_group client authentication local
vpdn username vpnuser password *********
vpdn enable outside
terminal width 80
Cryptochecksum:119e040d0b7a2ddde7f95a1828a7d574
: end
[OK]

0
Comment
Question by:samprav
21 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8053289
Is your router doing all your NAT for you? Not a particularly popular way of doing it.

The security of your setup will greatly depend on the security of the router, and your written policies.

You have taken prudent measures to use external authentication for logins, and to set up explicit inbound and outbound access-lists, although it looks like your ACLs are blocking almost everything inbound and out.
0
 

Author Comment

by:samprav
ID: 8053381
My router is not doing any NAT.. Can you suggest some of the ways to secure my router?.. And what modifications can I do in the PIX to make this setup look like a professional one..
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8053450
Follow the Cisco Router guidelines in this link to secure your router:
http://nsa2.www.conxion.com/index.html

If you're not doing NAT at the router, and you aren't doing it at the PIX, and you're blocking almost everything both inbound and outbound, I'd say you are pretty darn secure. Non-functional, but secure.
To get you functional for outbound nat, try adding:
nat (inside) 1 172.24.80.0 255.255.248.0 0 0
and delete this:
access-list inside_nat0_outbound permit ip myLAn 255.255.248.0 myLAn 255.255.248.0


Right out of the box, the PIX is very secure. By default, absolutely nothing gets in that is not a direct request from an inside host, and yet all inside requests are passed to the outside by default. Explicit ACLs are used only to permit uninvited Internet traffic inbound, i.e. to direct incoming email to a mail server, incoming web requests to your web server, etc., and to block very specific ports/access even as a result of a system inside, i.e. block TCP port 1434 to prevent the SQL worm from propagating, etc.

Start with a very basic configuration that is functional, then add in the other bells and whistles.

Start with a written acceptable use policy that defines exactly what can/cannot be accessed through the company internet, and adjust the outbound filter set to satisfy the policies, and nothing else.

You're trying to make it too complicated, too fast and that's why it looks "unprofessional"
0
 

Author Comment

by:samprav
ID: 8055694
Great help, lrmoore.. I am just following the steps you have said, i.e. I am securing the router first.. But do I need to assign ACLs in the router? Because I will be using the PIX as the firewall, two firewalls will make more confusion, isn't it?

This question might sound foolish, but as this is the first time I am configuring this, I am taking all the necessary steps..
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8056713
Yes, assign those ACLs to the router as your first line of defense so that a lot of the mischievous activity does not even hit the firewall.
Two firewalls are better than one. This is a "professional" grade setup.
0
 

Author Comment

by:samprav
ID: 8056840
Hahaha..i think after each comment i will become more and more "Professional"..
0
 

LVL 79

Expert Comment

by:lrmoore
ID: 8056941
But, of course!  <8-}

0
 


Author Comment

by:samprav
ID: 8057908
Hi lrmoore.. I have changed the router config; can you tell me if this is fine... (sorry for the repeat comments above, my colleague refreshed the window)


Using 1939 out of 29688 bytes
!
version 12.2
service timestamps debug datetime
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Router
!
enable secret 5 $1$l2.O$5us6fBGHUKVDpfIcb0EA4/1uub/
!
ip subnet-zero
no ip source-route
no ip domain lookup
!
no ip bootp server
!
!
!
!
interface FastEthernet0/0
 description Connected to PIX 515e Global Interface
 ip address 202.54.1.18 255.255.255.240
 ip access-group 101 in
 no ip proxy-arp
 speed auto
 no cdp enable
!
interface Serial0/0
 description connected to ISP
 ip address 202.54.15.110 255.255.255.252
 ip access-group 104 in
 ip access-group 101 out
 no ip proxy-arp
 no cdp enable
!
interface BRI1/0
 no ip address
 shutdown
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 202.54.15.109
ip route 202.54.1.21 255.255.255.255 202.54.1.19
no ip http server
!
!
access-list 95 permit 202.54.1.20
access-list 101 permit ip 202.54.1.18 0.0.0.15 any
access-list 102 permit ip any 202.54.1.18 0.0.0.15
access-list 104 deny   ip 172.16.40.0 0.0.7.255 any
access-list 104 deny   ip 127.0.0.0 0.0.0.255 any
access-list 104 deny   ip 0.0.0.0 0.255.255.255 any
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 169.254.0.0 0.0.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 224.0.0.0 15.255.255.255 any
access-list 104 deny   icmp any any redirect
access-list 104 deny   icmp any any echo
access-list 104 deny   icmp any any mask-request
access-list 104 deny   ip 202.54.1.18 0.0.0.15 any
access-list 104 permit ip any 202.54.1.18 0.0.0.15
no cdp run
tftp-server flash
banner login ^C Unauthorised Access to This system is Unlawful ^C
!
line con 0
 exec-timeout 5 0
 password 7 121E554hth7160D5C162B7A75
 login
line aux 0
 exec-timeout 0 10
line vty 0 4
 access-class 95 in
 exec-timeout 5 0
 password 7 0201540B0ioklF005F334D1F58
 login
 transport input telnet
!
end


0
 

Author Comment

by:samprav
ID: 8064937
Hi lrmoore, I am sleeplessly waiting for your comment on the above router config..... so I can move forward to the PIX config... Thanks..
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8065163
Sorry, I thought I did respond. Must have been when laptop battery died..

First, nix the inbound/outbound filtering of acl 101

interface FastEthernet0/0
 no ip access-group 101 in
!
interface Serial0/0
 no ip access-group 101 out

There is no value in processing the packets twice, and it will really bog down the CPU. Besides, the outbound just says permit everything anyway.

While the NSA guidelines are OK, I have found that they lack real teeth and simply confuse things.

Here's a sample of my inbound acl, adapted to use your IP addresses:
ip access-list extended outside_in
# deny everything I get tired of seeing over and over in the logs
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   udp any any eq 3052
 deny   ip host 202.54.15.109 any
 deny   tcp any any eq 1433
 deny   udp any any eq 1434
 deny   tcp any host 202.54.15.110 eq www
 deny   tcp any host 202.54.15.110 eq 139
 deny   ip 210.0.0.0 0.255.255.255 any
 deny   ip 211.0.0.0 0.255.255.255 any
 deny   ip 61.0.0.0 0.255.255.255 any
# permit only specified icmp
 permit icmp any any echo-reply
 permit icmp any any echo
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 permit udp any eq domain any
#add entry for NTP time server
 permit udp host 140.142.16.34 eq ntp host 202.54.15.110  eq ntp
# add entries so that I can manage it from home
 permit ip host <my ip> host 202.54.15.110  
 permit tcp any host 202.54.15.110 eq ssl log
#explicitly permit anything else going back to the PIX:
 permit ip any host 202.54.1.19
 permit tcp any any established
 deny   ip any any log
!
interface serial 0/0
 no ip access-group 104 in
 ip access-group outside_in in
!




You don't need this route statement, this subnet is "connected"
ip route 202.54.1.21 255.255.255.255 202.54.1.19
no ip route 202.54.1.21 255.255.255.255 202.54.1.19



0
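The extended ACL lrmoore posts above, like the author's numbered ACL 104 earlier in the thread, is evaluated top to bottom: the first matching entry decides, and anything unmatched hits the implicit deny at the end of the list. The Python script below is an added example, not code from the thread, from lrmoore or from Cisco. It parses the subset of IOS extended-ACL syntax those two lists use and runs constructed sample packets through an abridged copy of outside_in (original order kept, several deny lines dropped). The 202.54.x.x addresses are the thread's own; the Internet-side sample addresses are RFC 5737 documentation ranges and are constructed here. The run also surfaces a check worth making on that ACL: "permit ip any host 202.54.1.19" covers only the PIX outside interface, so a UDP reply to one of the PIX global pool addresses 202.54.1.20-.27 is permitted only if it is DNS ("permit udp any eq domain any"); TCP replies are caught by "permit tcp any any established", but the NTP reply sample falls through to "deny ip any any log".

```python
"""First-match evaluation of a Cisco IOS extended ACL (implicit deny at the end).
Added example, not code from the thread or from Cisco. Handles the syntax used above:
  [access-list N] permit|deny PROTO SRC [eq PORT] DST [eq PORT] [ICMP-TYPE] [established] [log]
with SRC and DST written as 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "ssl": 443, "domain": 53, "ntp": 123, "netbios-ns": 137, "netbios-dgm": 138}

# ack = TCP ACK or RST bit set; that bit is all 'established' looks at (an IOS ACL keeps no state).
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type ack", defaults=(0, 0, "", False))
Ace = namedtuple("Ace", "action proto src sport dst dport icmp_type established text")

def _address(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF)  # wildcard = inverted mask
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def _port(tokens):
    if tokens and tokens[0] == "eq":            # optional 'eq PORT'; None means any port
        name = tokens[1]
        del tokens[:2]
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None

def parse_acl(text):
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or line.startswith("ip access-list"):
            continue                            # list header and lrmoore's '#' remarks
        tokens = line.split()
        if tokens[0] == "access-list":          # numbered form: drop 'access-list N'
            tokens = tokens[2:]
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _address(rest), _port(rest)
        dst, dport = _address(rest), _port(rest)
        qualifiers = [t for t in rest if t not in ("established", "log")]
        icmp_type = qualifiers[0] if proto == "icmp" and qualifiers else None
        aces.append(Ace(action, proto, src, sport, dst, dport, icmp_type, "established" in rest, line))
    return aces

def _matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport)
            and ace.icmp_type in (None, pkt.icmp_type)
            and (pkt.ack or not ace.established))

def evaluate(aces, pkt):
    """Return (action, text of the first matching entry); no match is the implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "<implicit deny ip any any>"

# Abridged copy of lrmoore's outside_in: original order kept, several deny lines dropped.
OUTSIDE_IN = """
ip access-list extended outside_in
 deny   tcp any any eq 1433
 deny   udp any any eq 1434
 deny   tcp any host 202.54.15.110 eq www
 deny   ip 210.0.0.0 0.255.255.255 any
 permit icmp any any echo-reply
 permit icmp any any echo
 permit udp any eq domain any
 permit ip any host 202.54.1.19
 permit tcp any any established
 deny   ip any any log
"""

# Constructed samples. 202.54.1.19 = PIX outside, 202.54.1.20 = a PIX global (NAT) address,
# 202.54.15.110 = router serial; 198.51.100.x / 203.0.113.x are RFC 5737 test addresses.
SAMPLES = {
    "slammer probe udp/1434": Packet("udp", "198.51.100.200", "202.54.1.20", 1434, 1434),
    "smtp syn from 210/8":    Packet("tcp", "210.1.2.3", "202.54.1.20", 40000, 25),
    "http to router itself":  Packet("tcp", "198.51.100.7", "202.54.15.110", 40000, 80),
    "isakmp to PIX outside":  Packet("udp", "198.51.100.40", "202.54.1.19", 500, 500),
    "tcp reply to NAT pool":  Packet("tcp", "198.51.100.7", "202.54.1.20", 80, 51000, ack=True),
    "dns reply to NAT pool":  Packet("udp", "198.51.100.53", "202.54.1.20", 53, 33000),
    "ntp reply to NAT pool":  Packet("udp", "198.51.100.9", "202.54.1.20", 123, 123),
    "ping to PIX outside":    Packet("icmp", "203.0.113.9", "202.54.1.19", icmp_type="echo"),
}

def decisions():
    aces = parse_acl(OUTSIDE_IN)
    return {name: evaluate(aces, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, text) in decisions().items():
        print(f"{name:24} {action:6} <- {text}")
```

Run it directly to print each sample's verdict with the entry that produced it. parse_acl also accepts the numbered "access-list 104 ..." form, so the author's anti-spoof list earlier in the thread can be checked the same way; a TCP packet without the ACK bit to a pool address is the case to try if you want to see "established" refuse it.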
 

Author Comment

by:samprav
ID: 8065634
Thanks for your guideline, lrmoore.. If you can explain to me what I am doing with these commands, I will be thankful....
If I have understood it fully, then I should be adding these entries in my ACL 104, right? Which will be applicable to my serial interface..

deny   udp any any eq netbios-ns
deny   udp any any eq netbios-dgm
deny   udp any any eq 3052
deny   ip host 202.54.15.109 any
deny   tcp any any eq 1433
deny   udp any any eq 1434
deny   tcp any host 202.54.15.110 eq www
deny   tcp any host 202.54.15.110 eq 139
deny   ip 210.0.0.0 0.255.255.255 any
deny   ip 211.0.0.0 0.255.255.255 any
deny   ip 61.0.0.0 0.255.255.255 any


permit udp host 140.142.16.34 (which entry is this?) eq ntp host 202.54.15.110 eq ntp

On which interface should I apply these access lists?
And my last routing entry for 202.54.1.21 is because I will be having a mail server 5.5 in a DMZ..... is it fine?

And one more thing: how can I enable SSH login in place of telnet? Because I was trying but I couldn't find any

ip ssh .... how can I enable this..

Thanks in advance.. you are very helpful


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8065865
Disregard this line if you don't have NTP set up:

permit udp host 140.142.16.34 (which entry is this?) eq ntp host 202.54.15.110 eq ntp

Use my example ACL in its extended ACL form just as it is, and remove ACL 104 from the serial interface.

The ACL should be applied to interface serial 0/0 -in-
0
 

Author Comment

by:samprav
ID: 8078909
Hi lrmoore, I have configured the router.. I need to configure the PIX in a way that it will work as a firewall, VPN server and support mail server 5.5 with a DMZ. How can I proceed in doing this.... thanks for your help throughout..
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 800 total points
ID: 8079659
Geez.. I bill out at $250/hour to setup a router/Pix at a customer site..
I'll help guide you with examples. Post more questions if you have specific problems after following the examples.
Best I can say is RTFM:
Basic config:
http://www.cisco.com/warp/public/110/single-net.shtml
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/index.htm
Configure VPN:
http://www.cisco.com/warp/public/110/A.html
Exchange in DMZ:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/msexchng.htm
0
 

Author Comment

by:samprav
ID: 8097050
Hi lrmoore.. for putting Exchange 5.5, do I need to use two email servers, i.e. one for inside and one for outside? One Exchange 5.5 server in the DMZ will not work?...
My clients want to send the emails through that DMZ mail server only, i.e. LAN mails will not go to the Internet but Internet mails will go to the Internet..

How this scenario will be possible?
Thanks.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8097587
In my opinion, because of the dependencies of Exchange on the internal LAN for authentication, and because it services mainly the internal users, it should be in the inside LAN, with a simple mail relay host in the DMZ. Two Exchange servers is what is suggested by Cisco and by Microsoft, but that is overkill for the DMZ mail relay function.
0
 

Author Comment

by:samprav
ID: 8098046
Hi lrmoore.. I am implementing a PIX site-to-site VPN, but in my logs I am continuously getting this message:

106021: Deny udp reverse path check from 192.168.40.1 to 255.255.255.255 on interface outside

Is this anything serious?
What could be the reason for this and how can I stop this?

samir
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8098157
How many questions are you trying to wrap into one? How about closing this one out and open a new one.
0
 

Author Comment

by:samprav
ID: 8126842
Hi lrmoore.. in my PIX firewall I now have a new configuration in which I have only these lines..

access-list outside permit icmp any any unreachable
access-list outside permit icmp any any redirect
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any time-exceeded

This rule I have applied on

access-group outside in interface outside

Will this ruleset make my PIX secure?
Now here I want to use your huge experience of configuration of PIX firewalls. What other rulesets can I add to make my network secure? Hope you can guide me in this... thanks a lot.
0
