Cisco Router Pix help

Posted on 2004-08-05
1,301 Views
Last Modified: 2012-05-05
To anybody who can help:

I have recently set up a network for a client. Full T-1, Cisco 1720 to a PIX 506e. The configs are as follows. What I need is a serious critiquing of the configs to tell me what's good, bad, right and wrong. After the initial config and the machines (4 servers, 6 workstations, 1 laptop) were installed, there was a serious virus/trojan infestation. After cleaning them all (using Trend OfficeScan, DCS, and Panda Software online scanner) I still run across some anomalies. I get a user account named 'user' created locally on each server at different times. I am not sure if it's because of a hole in the PIX/router or on the LAN. I have changed every password on the LAN except for the PIX and router. Have I been compromised???

The router config is:
-----------------------------
Building configuration...

Current configuration : 1881 bytes
!
version 12.2
service nagle
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname edge_rtr
!
enable secret 5 $1$Pc.i$v.ZxV.TTkIthTnGEQYJ040
enable password 7 020F0A4D0E1401245F5D
!
memory-size iomem 25
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
ip domain-name hostname.com
ip name-server 199.45.32.38
ip name-server 199.45.32.43
!
no ip bootp server
ip cef
!
!
!
interface FastEthernet0
 ip address aa.bb.162.1 255.255.255.224
 no ip proxy-arp
 no ip mroute-cache
 speed auto
 no cdp enable
!
interface Serial0
 ip address aa.bb.65.26 255.255.255.252
 ip access-group hostname1-in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 ntp disable
 no cdp enable
!
ip default-gateway aa.bb.65.25
ip classless
ip route 0.0.0.0 0.0.0.0 aa.bb.65.25
no ip http server
!
!
ip access-list extended hostname1-in
 deny   udp any range bootps bootpc any
 deny   tcp any eq 135 any
 deny   udp any eq 135 any
 deny   udp any range netbios-ns netbios-dgm any
 deny   tcp any eq 139 any
 deny   tcp any eq 445 any
 deny   tcp any eq 1243 any
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 permit icmp 199.0.0.0 0.0.0.255 any log
 deny   icmp any any log fragments
 permit ip aa.bb.0.0 0.0.255.255 any
 permit ip any any
no cdp run
!
line con 0
line aux 0
line vty 0 4
 password 7 1067070F00051C0E4840
 login
!
end
--------------------------------------------------------------------------------
The pix config is:
: Saved
: Written by enable_15 at 16:16:12.787 UTC Wed Jul 28 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vKU22tiP2nEzKS/8 encrypted
passwd vKU22tiP2nEzKS/8 encrypted
hostname HOSTNAME-Pix
domain-name HOSTNAME.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list toya permit ip any any
access-list core_fw deny tcp any any
access-list core_fw deny udp any any
access-list core_fw deny icmp any any
access-list core_fw permit tcp any host AA.BB.CC.5 eq smtp
access-list core_fw permit tcp any host AA.BB.CC.5 eq pop3
access-list core_fw permit tcp any host AA.BB.CC.5 eq imap4
access-list core_fw permit tcp any host AA.BB.CC.5 eq www
access-list core_fw permit tcp any host AA.BB.CC.5 eq https
access-list core_fw permit tcp any host AA.BB.CC.5 eq 3389
access-list core_fw permit tcp any host AA.BB.CC.7 eq 3389
access-list core_fw permit tcp any host AA.BB.CC.7 eq 1627
access-list core_fw permit tcp any host AA.BB.CC.7 eq www
access-list core_fw permit tcp any host AA.BB.CC.7 eq https
access-list core_fw permit tcp any host AA.BB.CC.7 eq ftp
access-list core_fw permit tcp any host AA.BB.CC.8 eq 3389
access-list core_fw permit tcp any host AA.BB.CC.8 eq ftp
access-list core_fw permit tcp any host AA.BB.CC.8 eq www
access-list core_fw permit tcp any host AA.BB.CC.8 eq 1627
access-list core_fw permit tcp any host AA.BB.CC.8 eq https
access-list core_fw permit tcp any host AA.BB.CC.6 eq 3389
access-list core_fw permit tcp any host AA.BB.CC.2 eq telnet
access-list core_fw permit tcp any host AA.BB.CC.4 eq ftp
access-list core_fw permit tcp any host AA.BB.CC.4 eq www
access-list core-fw permit tcp any host AA.BB.CC.9 eq www
pager lines 24
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside AA.BB.CC.2 255.255.255.224
ip address inside 192.168.14.2 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 AA.BB.CC.5-AA.BB.CC.30 netmask 255.255.255.224
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) AA.BB.CC.5 192.168.14.5 netmask 255.255.255.255 0 0
static (inside,outside) AA.BB.CC.6 192.168.14.6 netmask 255.255.255.255 0 0
static (inside,outside) AA.BB.CC.7 192.168.14.7 netmask 255.255.255.255 0 0
static (inside,outside) AA.BB.CC.8 192.168.14.8 netmask 255.255.255.255 0 0
static (inside,outside) AA.BB.CC.4 192.168.14.4 netmask 255.255.255.255 0 0
static (inside,outside) AA.BB.CC.9 192.168.14.9 netmask 255.255.255.255 0 0
access-group toya in interface outside
route outside 0.0.0.0 0.0.0.0 AA.BB.CC.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http AA.BB.CC.0 255.255.255.224 outside
http AA.BB.CC.0 255.255.255.224 inside
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet AA.BB.CC.0 255.255.255.224 outside
telnet 192.168.14.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:58862115ca5fc92a829deceecb499e41
Question by:litesout
2 Comments
Assisted Solution

by:grblades
grblades earned 750 total points
ID: 11729637
Hi litesout,
I have a few questions with regard to your PIX configuration.

access-list core_fw is not being used anywhere, and even then the list denies all tcp, udp and icmp, so it will effectively block everything.

You are permitting everything inbound from the Internet to the servers with static mappings. The only things being blocked are the basic rules in the router. I suggest you build an access list which only permits specifically what is needed.

> global (outside) 1 interface
You have a large range of addresses already defined for global, so you don't need the firewall's IP address being used as well.

global (outside) 1 AA.BB.CC.5-AA.BB.CC.30 netmask 255.255.255.224
> global (outside) 1 interface
> static (inside,outside) AA.BB.CC.5 192.168.14.5 netmask 255.255.255.255 0 0
> static (inside,outside) AA.BB.CC.6 192.168.14.6 netmask 255.255.255.255 0 0
> static (inside,outside) AA.BB.CC.7 192.168.14.7 netmask 255.255.255.255 0 0
> static (inside,outside) AA.BB.CC.8 192.168.14.8 netmask 255.255.255.255 0 0
> static (inside,outside) AA.BB.CC.4 192.168.14.4 netmask 255.255.255.255 0 0
> static (inside,outside) AA.BB.CC.9 192.168.14.9 netmask 255.255.255.255 0 0
You don't need such a big range for the global and you should also avoid using the same addresses that you have static mappings for. AA.BB.CC.25-AA.BB.CC.30 will be more than sufficient.

> telnet AA.BB.CC.0 255.255.255.224 outside
> telnet 192.168.14.0 255.255.255.0 inside
Telnet is not a very secure protocol, as the password is sent across unencrypted when you log on. I suggest you disable it and switch to using SSH instead.
Also, if you are not using the PDM web interface, disable that as well.
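The four changes grblades recommends, written out as one PIX 6.3 change set. This is an added example, not part of grblades's answer or of litesout's configuration. It assumes that the services already listed in the unused core_fw list are the ones the client really needs (the `eq 1627` entries on .7 and .8 should be kept only if an application actually listens there), that a placeholder ADMIN.NET.0/24 is the only network that should reach RDP (3389), and that the new list is named outside_in. The `permit tcp any host AA.BB.CC.2 eq telnet` entry is dropped on purpose: AA.BB.CC.2 is the PIX's own outside address, and what reaches it is governed by the `telnet`/`ssh` commands, not by the interface access list. Lines beginning with a colon are comments, which the PIX ignores when the block is pasted.

```text
: 1. Stop permitting everything inbound: replace toya and core_fw with outside_in.
:    PIX access lists are first-match, so core_fw's leading "deny tcp/udp/icmp any any"
:    would have blocked everything even if it had been applied. One entry in the
:    posted config is also spelled "core-fw", which created a separate list.
no access-group toya in interface outside
clear access-list toya
clear access-list core_fw
clear access-list core-fw
access-list outside_in permit tcp any host AA.BB.CC.5 eq smtp
access-list outside_in permit tcp any host AA.BB.CC.5 eq pop3
access-list outside_in permit tcp any host AA.BB.CC.5 eq imap4
access-list outside_in permit tcp any host AA.BB.CC.5 eq www
access-list outside_in permit tcp any host AA.BB.CC.5 eq https
access-list outside_in permit tcp any host AA.BB.CC.7 eq www
access-list outside_in permit tcp any host AA.BB.CC.7 eq https
access-list outside_in permit tcp any host AA.BB.CC.7 eq ftp
access-list outside_in permit tcp any host AA.BB.CC.7 eq 1627
access-list outside_in permit tcp any host AA.BB.CC.8 eq www
access-list outside_in permit tcp any host AA.BB.CC.8 eq https
access-list outside_in permit tcp any host AA.BB.CC.8 eq ftp
access-list outside_in permit tcp any host AA.BB.CC.8 eq 1627
access-list outside_in permit tcp any host AA.BB.CC.4 eq ftp
access-list outside_in permit tcp any host AA.BB.CC.4 eq www
access-list outside_in permit tcp any host AA.BB.CC.9 eq www
: RDP only from the administrator's network (placeholder), never from "any"
access-list outside_in permit tcp ADMIN.NET.0 255.255.255.0 host AA.BB.CC.5 eq 3389
access-list outside_in permit tcp ADMIN.NET.0 255.255.255.0 host AA.BB.CC.6 eq 3389
access-list outside_in permit tcp ADMIN.NET.0 255.255.255.0 host AA.BB.CC.7 eq 3389
access-list outside_in permit tcp ADMIN.NET.0 255.255.255.0 host AA.BB.CC.8 eq 3389
: make the implicit deny visible in the log
access-list outside_in deny ip any any log
access-group outside_in in interface outside

: 2. Shrink the NAT pool so it no longer overlaps the static mappings (.4-.9)
:    and drop the interface address from it.
no global (outside) 1 interface
no global (outside) 1 AA.BB.CC.5-AA.BB.CC.30 netmask 255.255.255.224
global (outside) 1 AA.BB.CC.25-AA.BB.CC.30 netmask 255.255.255.224
clear xlate

: 3. Telnet off (it was reachable from the outside), SSH on from the inside only.
no telnet AA.BB.CC.0 255.255.255.224 outside
no telnet 192.168.14.0 255.255.255.0 inside
ca generate rsa key 1024
ca save all
ssh 192.168.14.0 255.255.255.0 inside
ssh timeout 5

: 4. PDM off if it is not being used.
no http server enable

write memory
```

Two caveats before pasting: SSH on a PIX 6.x needs the DES or 3DES activation key to be present, so check `show version` first and generate the RSA key before removing telnet, and apply the block from the console rather than over a telnet session that the block itself disables. Afterwards `show access-list outside_in` should show hit counts climbing on the permit lines and `show xlate` should show translations only from the .25-.30 pool.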
Accepted Solution

by:PennGwyn
PennGwyn earned 750 total points
ID: 11731868
Your filtering of protocols at the router is backwards.  Instead of blocking things you know are bad, you should allow only things you know are good.  A few common protocols, such as ftp, make it hard to do that without a more intelligent enforcement device -- such as a PIX!  So let it do that job, and use the router access lists just to enforce address validity.

Remember also to do egress filtering; it's not 1995 any more.
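PennGwyn's split made concrete, as an added example that is not part of the answer or of the posted config: the 1720 keeps only address-validity checks in both directions and leaves service filtering (the 135/139/445/1243 lines) and ICMP policy to the PIX. It assumes that the PIX's AA.BB.CC.0/27 is the same /27 as the router's aa.bb.162.0 FastEthernet0 network, and it reuses the original list name hostname1-in. The original `permit ip aa.bb.0.0 0.0.255.255 any` is gone too, since it was followed by `permit ip any any` and so never changed the result.

```text
! Inbound from the ISP on Serial0: reject impossible and spoofed sources, allow the rest.
! Port-based filtering is deliberately absent; the PIX access list does that job.
no ip access-list extended hostname1-in
ip access-list extended hostname1-in
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 remark packets from the Internet must not claim our own /27 as their source
 deny   ip aa.bb.162.0 0.0.0.31 any log
 permit ip any any
!
! Egress: anything leaving the LAN side must carry one of our own addresses.
! This stops an infected host from spoofing and logs anything that tries.
ip access-list extended hostname1-out
 permit ip aa.bb.162.0 0.0.0.31 any
 deny   ip any any log
!
interface Serial0
 ip access-group hostname1-in in
!
interface FastEthernet0
 ip access-group hostname1-out in
```

Removing and re-creating a named list that is still bound to Serial0 leaves that interface unfiltered until the list exists again, so paste the whole block in one go from the console. Then confirm with `show ip access-lists` (the egress deny should stay at zero hits in normal operation) and `show ip interface FastEthernet0 | include access list` that both lists are attached.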
