Solved

Cisco PIX 506E on SBS2000

Posted on 2004-04-25
3
697 Views
Last Modified: 2013-11-16
To all esteemed firewall gurus and experts,

I am humbled to pose my simple question so many learned experts in this site.  Sorry for the layman language for I have no formal IT training.  I have a Cisco PIX 506E version 6.3.1 and being a newbie on firewalls, I have been banging my head on the wall on how to get it working the way I want it.  I got a deadline to meet.. so I am giving away all 500 points to whoever first gives me a correct full detailed workout.  Basically, the network is SBS2000 with SQL, ISA, IIS, Exchange and Terminal Server running.  What I want is

1. local clients accessing Internet through ISA > PIX > Internet.
2. Remote client from random broadband IP addresses and from dial-in accessing the SBS and LAN and be able to connect to SBS services e.g. SQL, Exchange, ISS and LAN.
3. Will be using Cisco VPN Client and MSCHAP
4. Be able to administer PIX from remote site
5. Stopping common port scan attacks and www/html commands from malicious websites
6. Implement basic and common security checks points
7. Future implementation of 3DES and certs

I would like to know how to setup the ISA server to connect to PIX as well.

As an example, My SBS ip is 192.168.1.254 255.255.255.0/81.5.145.221 and ASDL ip is 81.5.145.222, Terminal Server ip 192.168.1.253 and the administrator's PC ip 192.168.1.164.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name xxx.xxx.xxx <--------------- does it mean my local domain?
fixup protocol ftp strict 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol http 8080
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 81.5.145.222 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp_pool 192.168.1.10-192.168.1.50
pdm location 192.168.1.164 255.255.255.255 inside <----------- any explanation here?
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 192.168.1.0 255.255.255.0 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
conduit permit tcp any any
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.164 255.255.255.255 inside <----------------------- any explanation here?
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40 required
vpdn group PPTP-VPDN-GROUP client configuration address local pptp_pool
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxxxx password ********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.20-192.168.1.50 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

Much thanks is advance.  Hope I could get the PIX up and running soon!
0
Comment
Question by:pbyeoh
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10916887
domain-name xxx.xxx.xxx <--------------- does it mean my local domain?

Yes.  This tells the PIX what domain it's in.

pdm location 192.168.1.164 255.255.255.255 inside <----------- any explanation here?

The 'pdm' lines are added by PIX Device Manager (web-based config GUI).  They don't 'do' anything as far as the PIX is concerned, but when you use PDM, it uses these lines to work out where all the objects are and present the information in nice graphical format.

http 192.168.1.164 255.255.255.255 inside <----------------------- any explanation here?

These are the machines that are allowed to use PDM.

0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 10916953
A good guide is here:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

1. local clients accessing Internet through ISA > PIX > Internet.

You need a default route:

ip route 0.0.0.0 0.0.0.0 if_address

..and PAT

nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

2. Remote client from random broadband IP addresses and from dial-in accessing the SBS and LAN and be able to connect to SBS services e.g. SQL, Exchange, ISS and LAN.

You should be able to PPTP straight to the PIX using this config

3. Will be using Cisco VPN Client and MSCHAP

However... you need to setup IPSEC to use the VPN Client.  This links shows you how to do IPSEC and PPTP:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml

4. Be able to administer PIX from remote site

Ensure the VPN clients are given an IP address in the range specified by:

http 192.168.1.0 255.255.255.0 inside

..then when the clients are dialled in, access PDM via the inside interface

5. Stopping common port scan attacks and www/html commands from malicious websites

You can't stop port scans.  PIX isn't very good at being application layer aware.  You really need www/html safety at a desktop level - eg use Cisco CSA, or use Websense / Surfcontrol on ISA, or just use ISA to do the HTTP security for you.

6. Implement basic and common security checks points

Use the PIX with access lists to permit/deny traffic.  Regularly carry out vulnerability scans of your networks, and subscribe to Microsoft SUS to ensure your systems are all patched and up to date.

7. Future implementation of 3DES and certs

3DES is enabled by default.  Certificates are also easy to setup, but you so need a Certificate Server to set this up, and you may feel pre-shared keys will suffice for the time being ?
0
 
LVL 1

Author Comment

by:pbyeoh
ID: 10919162
Thanks Tim, I will be checking on it tonight and let you know tomorrow.  Will accept your answers tomorrow.  Cheers again.
0

Featured Post

How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco USB console Windows 8.1 unable to open serial port 4 135
VOIP gateways - feedback 23 124
ASA NAT rule change 3 86
Cisco ACS second root certificate 3 11
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question