Solved

Cisco PIX 506E on SBS2000

Posted on 2004-04-25
3
683 Views
Last Modified: 2013-11-16
To all esteemed firewall gurus and experts,

I am humbled to pose my simple question so many learned experts in this site.  Sorry for the layman language for I have no formal IT training.  I have a Cisco PIX 506E version 6.3.1 and being a newbie on firewalls, I have been banging my head on the wall on how to get it working the way I want it.  I got a deadline to meet.. so I am giving away all 500 points to whoever first gives me a correct full detailed workout.  Basically, the network is SBS2000 with SQL, ISA, IIS, Exchange and Terminal Server running.  What I want is

1. local clients accessing Internet through ISA > PIX > Internet.
2. Remote client from random broadband IP addresses and from dial-in accessing the SBS and LAN and be able to connect to SBS services e.g. SQL, Exchange, ISS and LAN.
3. Will be using Cisco VPN Client and MSCHAP
4. Be able to administer PIX from remote site
5. Stopping common port scan attacks and www/html commands from malicious websites
6. Implement basic and common security checks points
7. Future implementation of 3DES and certs

I would like to know how to setup the ISA server to connect to PIX as well.

As an example, My SBS ip is 192.168.1.254 255.255.255.0/81.5.145.221 and ASDL ip is 81.5.145.222, Terminal Server ip 192.168.1.253 and the administrator's PC ip 192.168.1.164.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name xxx.xxx.xxx <--------------- does it mean my local domain?
fixup protocol ftp strict 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol http 8080
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 81.5.145.222 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp_pool 192.168.1.10-192.168.1.50
pdm location 192.168.1.164 255.255.255.255 inside <----------- any explanation here?
pdm location 192.168.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 192.168.1.0 255.255.255.0 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
conduit permit tcp any any
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.164 255.255.255.255 inside <----------------------- any explanation here?
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40 required
vpdn group PPTP-VPDN-GROUP client configuration address local pptp_pool
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxxxx password ********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.20-192.168.1.50 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

Much thanks is advance.  Hope I could get the PIX up and running soon!
0
Comment
Question by:pbyeoh
  • 2
3 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10916887
domain-name xxx.xxx.xxx <--------------- does it mean my local domain?

Yes.  This tells the PIX what domain it's in.

pdm location 192.168.1.164 255.255.255.255 inside <----------- any explanation here?

The 'pdm' lines are added by PIX Device Manager (web-based config GUI).  They don't 'do' anything as far as the PIX is concerned, but when you use PDM, it uses these lines to work out where all the objects are and present the information in nice graphical format.

http 192.168.1.164 255.255.255.255 inside <----------------------- any explanation here?

These are the machines that are allowed to use PDM.

0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 10916953
A good guide is here:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

1. local clients accessing Internet through ISA > PIX > Internet.

You need a default route:

ip route 0.0.0.0 0.0.0.0 if_address

..and PAT

nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

2. Remote client from random broadband IP addresses and from dial-in accessing the SBS and LAN and be able to connect to SBS services e.g. SQL, Exchange, ISS and LAN.

You should be able to PPTP straight to the PIX using this config

3. Will be using Cisco VPN Client and MSCHAP

However... you need to setup IPSEC to use the VPN Client.  This links shows you how to do IPSEC and PPTP:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml

4. Be able to administer PIX from remote site

Ensure the VPN clients are given an IP address in the range specified by:

http 192.168.1.0 255.255.255.0 inside

..then when the clients are dialled in, access PDM via the inside interface

5. Stopping common port scan attacks and www/html commands from malicious websites

You can't stop port scans.  PIX isn't very good at being application layer aware.  You really need www/html safety at a desktop level - eg use Cisco CSA, or use Websense / Surfcontrol on ISA, or just use ISA to do the HTTP security for you.

6. Implement basic and common security checks points

Use the PIX with access lists to permit/deny traffic.  Regularly carry out vulnerability scans of your networks, and subscribe to Microsoft SUS to ensure your systems are all patched and up to date.

7. Future implementation of 3DES and certs

3DES is enabled by default.  Certificates are also easy to setup, but you so need a Certificate Server to set this up, and you may feel pre-shared keys will suffice for the time being ?
0
 
LVL 1

Author Comment

by:pbyeoh
ID: 10919162
Thanks Tim, I will be checking on it tonight and let you know tomorrow.  Will accept your answers tomorrow.  Cheers again.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now