Solved

Cisco Router Pix help

Posted on 2004-08-05
Last Modified: 2012-05-05
To anybody who can help:

I have recently set up a network for a client. Full T-1, Cisco 1720 to a PIX 506E. The configs are as follows. What I need is a serious critiquing of the configs to tell me what's good, bad, right and wrong. After the initial config and the machines (4 servers, 6 workstations, 1 laptop) were installed, there was a serious virus/trojan infestation. After cleaning them all (using Trend OfficeScan, DCS, and the Panda Software online scanner) I still run across some anomalies. I get a user account named 'user' created locally on each server at different times. I am not sure if it's because of a hole in the PIX/router or on the LAN. I have changed every password on the LAN except for the PIX and router. Have I been compromised???

The router config is:
-----------------------------
Building configuration...

Current configuration : 1881 bytes
!
version 12.2
service nagle
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname edge_rtr
!
enable secret 5 $1$Pc.i$v.ZxV.TTkIthTnGEQYJ040
enable password 7 020F0A4D0E1401245F5D
!
memory-size iomem 25
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
ip domain-name hostname.com
ip name-server 199.45.32.38
ip name-server 199.45.32.43
!
no ip bootp server
ip cef
!
!
!
interface FastEthernet0
 ip address aa.bb.162.1 255.255.255.224
 no ip proxy-arp
 no ip mroute-cache
 speed auto
 no cdp enable
!
interface Serial0
 ip address aa.bb.65.26 255.255.255.252
 ip access-group hostname1-in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 ntp disable
 no cdp enable
!
ip default-gateway aa.bb.65.25
ip classless
ip route 0.0.0.0 0.0.0.0 aa.bb.65.25
no ip http server
!
!
ip access-list extended hostname1-in
 deny   udp any range bootps bootpc any
 deny   tcp any eq 135 any
 deny   udp any eq 135 any
 deny   udp any range netbios-ns netbios-dgm any
 deny   tcp any eq 139 any
 deny   tcp any eq 445 any
 deny   tcp any eq 1243 any
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 permit icmp 199.0.0.0 0.0.0.255 any log
 deny   icmp any any log fragments
 permit ip aa.bb.0.0 0.0.255.255 any
 permit ip any any
no cdp run
!
line con 0
line aux 0
line vty 0 4
 password 7 1067070F00051C0E4840
 login
!
end
--------------------------------------------------------------------------------
The pix config is:
: Saved
: Written by enable_15 at 16:16:12.787 UTC Wed Jul 28 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vKU22tiP2nEzKS/8 encrypted
passwd vKU22tiP2nEzKS/8 encrypted
hostname HOSTNAME-Pix
domain-name HOSTNAME.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list toya permit ip any any
access-list core_fw deny tcp any any
access-list core_fw deny udp any any
access-list core_fw deny icmp any any
access-list core_fw permit tcp any host AA.BB.CC.5 eq smtp
access-list core_fw permit tcp any host AA.BB.CC.5 eq pop3
access-list core_fw permit tcp any host AA.BB.CC.5 eq imap4
access-list core_fw permit tcp any host AA.BB.CC.5 eq www
access-list core_fw permit tcp any host AA.BB.CC.5 eq https
access-list core_fw permit tcp any host AA.BB.CC.5 eq 3389
access-list core_fw permit tcp any host AA.BB.CC.7 eq 3389
access-list core_fw permit tcp any host AA.BB.CC.7 eq 1627
access-list core_fw permit tcp any host AA.BB.CC.7 eq www
access-list core_fw permit tcp any host AA.BB.CC.7 eq https
access-list core_fw permit tcp any host AA.BB.CC.7 eq ftp
access-list core_fw permit tcp any host AA.BB.CC.8 eq 3389
access-list core_fw permit tcp any host AA.BB.CC.8 eq ftp
access-list core_fw permit tcp any host AA.BB.CC.8 eq www
access-list core_fw permit tcp any host AA.BB.CC.8 eq 1627
access-list core_fw permit tcp any host AA.BB.CC.8 eq https
access-list core_fw permit tcp any host AA.BB.CC.6 eq 3389
access-list core_fw permit tcp any host AA.BB.CC.2 eq telnet
access-list core_fw permit tcp any host AA.BB.CC.4 eq ftp
access-list core_fw permit tcp any host AA.BB.CC.4 eq www
access-list core-fw permit tcp any host AA.BB.CC.9 eq www
pager lines 24
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside AA.BB.CC.2 255.255.255.224
ip address inside 192.168.14.2 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 AA.BB.CC.5-AA.BB.CC.30 netmask 255.255.255.224
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) AA.BB.CC.5 192.168.14.5 netmask 255.255.255.255 0 0
static (inside,outside) AA.BB.CC.6 192.168.14.6 netmask 255.255.255.255 0 0
static (inside,outside) AA.BB.CC.7 192.168.14.7 netmask 255.255.255.255 0 0
static (inside,outside) AA.BB.CC.8 192.168.14.8 netmask 255.255.255.255 0 0
static (inside,outside) AA.BB.CC.4 192.168.14.4 netmask 255.255.255.255 0 0
static (inside,outside) AA.BB.CC.9 192.168.14.9 netmask 255.255.255.255 0 0
access-group toya in interface outside
route outside 0.0.0.0 0.0.0.0 AA.BB.CC.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http AA.BB.CC.0 255.255.255.224 outside
http AA.BB.CC.0 255.255.255.224 inside
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet AA.BB.CC.0 255.255.255.224 outside
telnet 192.168.14.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:58862115ca5fc92a829deceecb499e41
Question by: litesout
Assisted Solution by grblades (ID: 11729637)
Hi litesout,
I have a few questions with regard to your PIX configuration.

access-list core_fw is not being used anywhere, and even then the list denies all TCP, UDP and ICMP, so it will effectively block everything.

You are permitting everything inbound from the Internet to the servers with static mappings. The only things being blocked are the basic rules in the router. I suggest you build an access list which only permits specifically what is needed.

> global (outside) 1 interface
You have a large range of addresses already defined for global, so you don't need the firewall's IP address being used as well.

> global (outside) 1 AA.BB.CC.5-AA.BB.CC.30 netmask 255.255.255.224
> global (outside) 1 interface
> static (inside,outside) AA.BB.CC.5 192.168.14.5 netmask 255.255.255.255 0 0
> static (inside,outside) AA.BB.CC.6 192.168.14.6 netmask 255.255.255.255 0 0
> static (inside,outside) AA.BB.CC.7 192.168.14.7 netmask 255.255.255.255 0 0
> static (inside,outside) AA.BB.CC.8 192.168.14.8 netmask 255.255.255.255 0 0
> static (inside,outside) AA.BB.CC.4 192.168.14.4 netmask 255.255.255.255 0 0
> static (inside,outside) AA.BB.CC.9 192.168.14.9 netmask 255.255.255.255 0 0
You don't need such a big range for the global, and you should also avoid using the same addresses that you have static mappings for. AA.BB.CC.25-AA.BB.CC.30 will be more than sufficient.

> telnet AA.BB.CC.0 255.255.255.224 outside
> telnet 192.168.14.0 255.255.255.0 inside
Telnet is not a very secure protocol, as the password is sent across unencrypted when you log on. I suggest you disable it and switch to using SSH instead.
Also, if you are not using the PDM web interface, disable that as well.
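What the PIX side of grblades's advice looks like when typed in, as an added example that is not part of the original thread and not taken from Cisco's documentation. It assumes PIX 6.3 syntax as in the posted config. It keeps the host/service pairs the posted core_fw list already names, but drops the three leading deny lines (they match first, so nothing after them is ever reached), the stray entry spelled core-fw, and the telnet entry for the PIX's own outside address (management access to the PIX is governed by the telnet/ssh commands, not by the interface ACL). RDP (3389) is restricted to one hypothetical administrator address, 203.0.113.10, instead of any. Lines beginning with a colon are comments, as in the saved-config header.

```cisco
: --- 1. Rebuild core_fw so the permits are actually reachable
no access-list core_fw
no access-list core-fw
access-list core_fw permit tcp any host AA.BB.CC.5 eq smtp
access-list core_fw permit tcp any host AA.BB.CC.5 eq pop3
access-list core_fw permit tcp any host AA.BB.CC.5 eq imap4
access-list core_fw permit tcp any host AA.BB.CC.5 eq www
access-list core_fw permit tcp any host AA.BB.CC.5 eq https
access-list core_fw permit tcp any host AA.BB.CC.7 eq www
access-list core_fw permit tcp any host AA.BB.CC.7 eq https
access-list core_fw permit tcp any host AA.BB.CC.7 eq ftp
access-list core_fw permit tcp any host AA.BB.CC.7 eq 1627
access-list core_fw permit tcp any host AA.BB.CC.8 eq www
access-list core_fw permit tcp any host AA.BB.CC.8 eq https
access-list core_fw permit tcp any host AA.BB.CC.8 eq ftp
access-list core_fw permit tcp any host AA.BB.CC.8 eq 1627
access-list core_fw permit tcp any host AA.BB.CC.4 eq www
access-list core_fw permit tcp any host AA.BB.CC.4 eq ftp
access-list core_fw permit tcp any host AA.BB.CC.9 eq www
: RDP from the whole Internet is not "specifically what is needed".
: 203.0.113.10 is a placeholder for the administrator's fixed address.
access-list core_fw permit tcp host 203.0.113.10 host AA.BB.CC.5 eq 3389
access-list core_fw permit tcp host 203.0.113.10 host AA.BB.CC.6 eq 3389
access-list core_fw permit tcp host 203.0.113.10 host AA.BB.CC.7 eq 3389
access-list core_fw permit tcp host 203.0.113.10 host AA.BB.CC.8 eq 3389
: Explicit final deny with logging: the implicit deny at the end of a
: PIX ACL drops silently, this one shows blocked probes in syslog.
access-list core_fw deny ip any any log

: --- 2. Bind the new list to the outside interface (this replaces the
:        existing toya binding), then delete the permit-everything list
access-group core_fw in interface outside
no access-list toya

: --- 3. PAT pool: keep clear of the static mappings (.4 to .9) and
:        drop the interface address from the pool
no global (outside) 1 AA.BB.CC.5-AA.BB.CC.30 netmask 255.255.255.224
no global (outside) 1 interface
global (outside) 1 AA.BB.CC.25-AA.BB.CC.30 netmask 255.255.255.224
clear xlate

: --- 4. Management: SSH from the inside only, then no telnet, no PDM.
:        PIX 6.x SSH logs in as user "pix" with the 'passwd' password,
:        so give passwd a value different from the enable password
:        (the posted config has the same hash for both).
ca generate rsa key 1024
ca save all
ssh 192.168.14.0 255.255.255.0 inside
: verify an SSH login works before taking telnet away
no telnet AA.BB.CC.0 255.255.255.224 outside
no telnet 192.168.14.0 255.255.255.0 inside
no http AA.BB.CC.0 255.255.255.224 outside
no http AA.BB.CC.0 255.255.255.224 inside
no http 192.168.14.0 255.255.255.0 inside
no http server enable
```

The ACL is entered fresh rather than edited because PIX 6.3 has no line-number insertion; the whole list is removed and re-added in the order the packets should be evaluated, most specific permits first, logging deny last. Finish with write memory so the change survives a reload.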
Accepted Solution by PennGwyn (ID: 11731868)
Your filtering of protocols at the router is backwards.  Instead of blocking things you know are bad, you should allow only things you know are good.  A few common protocols, such as ftp, make it hard to do that without a more intelligent enforcement device -- such as a PIX!  So let it do that job, and use the router access lists just to enforce address validity.

Remember also to do egress filtering; it's not 1995 any more.

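The router side of PennGwyn's point, address validity in both directions and nothing else, as an added example that is not part of the original thread. It assumes IOS 12.2 syntax as in the posted config and that the public block the router fronts is aa.bb.162.0/27 (FastEthernet0 is aa.bb.162.1/27 and the PIX's outside address sits in that block; the posted config masks the second octets, so this is an inference). The bogon denies are the posted list's own; the per-port denies are gone because the PIX access list is now the place for them.

```cisco
! Inbound on Serial0: address validity only.
no ip access-list extended hostname1-in
ip access-list extended hostname1-in
 ! Our own block can never legitimately arrive from the WAN side.
 deny   ip aa.bb.162.0 0.0.0.31 any log
 ! Unroutable / reserved sources (carried over from the posted list).
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 ! Traffic for the router's own WAN address: only what it needs.
 ! (ICMP echo for troubleshooting; add DNS replies if the router
 !  itself resolves names against the configured name servers.)
 permit icmp any host aa.bb.65.26 echo
 permit icmp any host aa.bb.65.26 echo-reply
 ! Everything else must be addressed to our block; the PIX decides
 ! which hosts and services are actually reachable.
 permit ip any aa.bb.162.0 0.0.0.31
 deny   ip any any log
!
! Outbound on Serial0 (egress): only our own addresses may leave.
! Anything else is spoofed traffic from a compromised host or a
! misconfiguration, and the log line tells you which.
ip access-list extended hostname1-out
 permit ip aa.bb.162.0 0.0.0.31 any
 deny   ip any any log
!
interface Serial0
 ip access-group hostname1-in in
 ip access-group hostname1-out out
```

IOS does not apply an outbound interface ACL to packets the router generates itself, so the egress list leaves the router's own traffic alone. With ip cef already enabled, ip verify unicast reverse-path on Serial0 is the uRPF equivalent of the first deny line (it drops sources whose return route is via another interface, i.e. the site's own block), but it does not replace the bogon lines on a router that carries a default route.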