vikram_lashkari
asked on
cisco PIX 506E firewall configuration
hi,
i am software programmer and i donot know anything about firewall configration and setting,my company has just bought the cisco pix 506e firewall and told me to connect and configure the firewall.what i did is just connected the routers connection to the firewall and from firewall i connected to my switch to the local network and after that i run the setup and just click next next in all the steps. I type https://192.168.0.1/startup.html and load the factory setting and everything was working fine all the p.c in my network are able to connect to internet but i had one problem ,i dont know that what i did is right or wrong as i had not configured any thing in it and i have doubt that any one from the internet can hack into my system and access my data so please help me ,wether cisco automatically protects all my pc on the network to be hacked from the internet user or i have to manually configure some setting to protect my local network, we donot have any outside network i m just worried about my local network to be hacked by the internet hackers. plz guide me on this area what i shoud do i am giving the configuration below :
Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:2d9d170f0a0
: end
tell me soon ,will this configration protect my internal local network or i have to perform some extra configration.
vikram lashkari
i am software programmer and i donot know anything about firewall configration and setting,my company has just bought the cisco pix 506e firewall and told me to connect and configure the firewall.what i did is just connected the routers connection to the firewall and from firewall i connected to my switch to the local network and after that i run the setup and just click next next in all the steps. I type https://192.168.0.1/startup.html and load the factory setting and everything was working fine all the p.c in my network are able to connect to internet but i had one problem ,i dont know that what i did is right or wrong as i had not configured any thing in it and i have doubt that any one from the internet can hack into my system and access my data so please help me ,wether cisco automatically protects all my pc on the network to be hacked from the internet user or i have to manually configure some setting to protect my local network, we donot have any outside network i m just worried about my local network to be hacked by the internet hackers. plz guide me on this area what i shoud do i am giving the configuration below :
Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:2d9d170f0a0
: end
tell me soon ,will this configration protect my internal local network or i have to perform some extra configration.
vikram lashkari
THe Default firewall config configured from the wizard protect all your PC by default.. no worry to have about that..
As long as you configured your PIX not to open any port on the external interface, you are safe.. and looking at your config. nothing is opened.
As long as you configured your PIX not to open any port on the external interface, you are safe.. and looking at your config. nothing is opened.
btw, I see you enabled your PIX to serve as a DHCP server for your internal network.. You might want to start the address scope at 192.168.1.20 or 30, just to let you keep 20-30 Static addresses in the case you need static addresses on your network for printers or other device..
ASKER
hi yan,
first of all thanx for telling me that my all pcs on the network are secure now tell me how do limit the address scope at 192.168.1.20 or 30.
i forgot to ask one thing that how do the "auto update server software" feature of the cisco pix firewall work ,what i have to do in order to update the software regularly just like norton antivurs. Where do i have to register so that i can update the patch of my cisco software and i always remain uptodate.
plz help me in this also.
thanx
vikram lashkari
first of all thanx for telling me that my all pcs on the network are secure now tell me how do limit the address scope at 192.168.1.20 or 30.
i forgot to ask one thing that how do the "auto update server software" feature of the cisco pix firewall work ,what i have to do in order to update the software regularly just like norton antivurs. Where do i have to register so that i can update the patch of my cisco software and i always remain uptodate.
plz help me in this also.
thanx
vikram lashkari
Never used the auto update feature.. sorry..
If you wanna use the graphical interface of your pix (Hmm, havent used that in a long long time :) ), go to the WEB PDM page.. and access your pix Config. After this, go to the config tab of your pix, and check out the DHCP Server entry.. (something like this..) and change the values.. very easy to do..
If not, telnet on your pix and do this:
enable
conf t
no dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd address 192.168.1.20-192.168.1.254
write mem
If you wanna use the graphical interface of your pix (Hmm, havent used that in a long long time :) ), go to the WEB PDM page.. and access your pix Config. After this, go to the config tab of your pix, and check out the DHCP Server entry.. (something like this..) and change the values.. very easy to do..
If not, telnet on your pix and do this:
enable
conf t
no dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd address 192.168.1.20-192.168.1.254
write mem
ASKER
i didn't understand what is harm in keeping my software upto date by "auto update software". And i have already pix device manager 3.0 installed on my computer so tell me how do i do this change from the cisco pix device manager.
But the most important answer for me now is that why do i not update my cisco software.What is the harm and if there is no harm then what is the procedure to update the cisco software.
plz reply me
vikram lashkari
But the most important answer for me now is that why do i not update my cisco software.What is the harm and if there is no harm then what is the procedure to update the cisco software.
plz reply me
vikram lashkari
1st.. the auto-update feature is not a feature that download stuff from CISCO Website to update your firewall. It uses an Internal server that contains Firewall Configuration and software.
From Cisco:
"The auto update panel lets you configure the firewall to be managed remotely from a server that supports the auto update specification. Auto update lets you apply configuration changes to the firewall and receive software updates from a remote location."
If you wanna be able to download Software update from Cisco, you'll have to buy a maintenance contract from them.. We have a PIX 525 here, and the contract is costing us 3000US$/Year. After that, you get on cisco's website and download them.
From Cisco:
"The auto update panel lets you configure the firewall to be managed remotely from a server that supports the auto update specification. Auto update lets you apply configuration changes to the firewall and receive software updates from a remote location."
If you wanna be able to download Software update from Cisco, you'll have to buy a maintenance contract from them.. We have a PIX 525 here, and the contract is costing us 3000US$/Year. After that, you get on cisco's website and download them.
Changing the DHCP Scope by using the PDM is easy.. just browse around in the config pages and you'll find it easily.. I never use this, and PDM is not installed on my pix.. so I can't tell you exactly where to go.. I remember it's in a list of configuration, and you select DHCP Server, and change the scope for the internal interface..
ASKER
thanx alot yan,
just one more question and i will finish off my this question and accept you answer. we have taken dedicated webserver for our website to be hosted and on that same server we have installed the sql server 2000 also.This is owned by the third party so i donot have to worry about the firewall as they have assured us about the security and firewall implemented by them.
Now they had told us to give static I.P so that they can configure on their server to connect sql server. we have broadband connection of British Telecom and we are given the static ip range from 217.40.72.249 to 254 .
Now i had given this static IP 217.40.72.249 to them to connect to my sql server, but how do i configure my Cisco firewall, so that i can give one p.c a static i.p of 217.40.72.249.Because in the address class of the firewall i have configure the adress of 192.168.1.2 to 192.168.1.255 and if i try to give the 217.40.72.249 IP to one of my computer on network i am not able to connect to internet so what should i do now. plz tell me
I must give this information also that in my router also we have installed the firewall so there also i had done some setting.But first just guide me how do i set my firewall with two differnt address class as the default IP of my pix firewall is 192.168.1.1.
waiting for your reply.i m increasing my points for this question.
vikram lashkari
just one more question and i will finish off my this question and accept you answer. we have taken dedicated webserver for our website to be hosted and on that same server we have installed the sql server 2000 also.This is owned by the third party so i donot have to worry about the firewall as they have assured us about the security and firewall implemented by them.
Now they had told us to give static I.P so that they can configure on their server to connect sql server. we have broadband connection of British Telecom and we are given the static ip range from 217.40.72.249 to 254 .
Now i had given this static IP 217.40.72.249 to them to connect to my sql server, but how do i configure my Cisco firewall, so that i can give one p.c a static i.p of 217.40.72.249.Because in the address class of the firewall i have configure the adress of 192.168.1.2 to 192.168.1.255 and if i try to give the 217.40.72.249 IP to one of my computer on network i am not able to connect to internet so what should i do now. plz tell me
I must give this information also that in my router also we have installed the firewall so there also i had done some setting.But first just guide me how do i set my firewall with two differnt address class as the default IP of my pix firewall is 192.168.1.1.
waiting for your reply.i m increasing my points for this question.
vikram lashkari
>i didn't understand what is harm in keeping my software upto date by "auto update software".
in order to use the auto update feature, you must have an auto update server (CiscoWorks), AND you must have a support contract to download the updated OS from Cisco to the server to push to the firewall. If all you have is 1 x 506 firewall, I guarantee the cost of setting this up will FAR outweigh its usefulness...
in order to use the auto update feature, you must have an auto update server (CiscoWorks), AND you must have a support contract to download the updated OS from Cisco to the server to push to the firewall. If all you have is 1 x 506 firewall, I guarantee the cost of setting this up will FAR outweigh its usefulness...
So on the same server you have a webserver (let's say IIS) and SQL Server right? They asked you for a static IP to use on their server, or on your side? Or did they ask you from what Address will you be connecting to your server (hosted by them).
If you want your entire network to connect to this address, you can give them the outside address of your firewall. You are using nat, so everyone that goes out of your network will have the address of your firewall (the external interface address).
If you want your entire network to connect to this address, you can give them the outside address of your firewall. You are using nat, so everyone that goes out of your network will have the address of your firewall (the external interface address).
ASKER
hi yan,
They have asked that from what address we will be connecting to their server.And for this i have to give any one Static IP given by my BroadBand provider,and that IP is suppose 217.40.72.249.And I want only my PC to connect to their server no other else in my network should be able to connect to my dedicated server.
Now problem is that in the firewall setting we have given the IP range from 192.168.1.2 to 192.168.1.254 moreover the IP of firewall is also 192.168.1.1,which was default configure from cisco.
If i try to change IP of just my PC to 217.40.72.249 then i am not able to connect to internet.Now Plz tell me how do i configure this setting so that i am able to handle this situation.
vikram
They have asked that from what address we will be connecting to their server.And for this i have to give any one Static IP given by my BroadBand provider,and that IP is suppose 217.40.72.249.And I want only my PC to connect to their server no other else in my network should be able to connect to my dedicated server.
Now problem is that in the firewall setting we have given the IP range from 192.168.1.2 to 192.168.1.254 moreover the IP of firewall is also 192.168.1.1,which was default configure from cisco.
If i try to change IP of just my PC to 217.40.72.249 then i am not able to connect to internet.Now Plz tell me how do i configure this setting so that i am able to handle this situation.
vikram
Hmmm, I know only how to do this via the command interface..
you have to use the static command.. Never actually done it personaly.. but check out this solution:
https://www.experts-exchange.com/questions/20914595/PIX-515E-with-a-pool-of-14-Public-IP-Addresses-NAT-PAT-Question.html?query=pix+public+ip&clearTAFilter=true
this is the part that should interest you:
If you have a server that needs to stay the same address use the static statement...
static (inside,outside) [the ip for the server] [the ip for the server] netmask 255.255.255.255
static (inside,outside) 204.x.x.x 204.x.x.x netmask 255.255.255.255
you have to use the static command.. Never actually done it personaly.. but check out this solution:
https://www.experts-exchange.com/questions/20914595/PIX-515E-with-a-pool-of-14-Public-IP-Addresses-NAT-PAT-Question.html?query=pix+public+ip&clearTAFilter=true
this is the part that should interest you:
If you have a server that needs to stay the same address use the static statement...
static (inside,outside) [the ip for the server] [the ip for the server] netmask 255.255.255.255
static (inside,outside) 204.x.x.x 204.x.x.x netmask 255.255.255.255
btw.. you'll have to telnet to your pix to do that, log in, and enter the "enable" mode.. the default telnet password to enter your pix is "cisco" btw.. you can change that in the web interface too.
so you telnet to your pix
after you login, you type "enable"
enter your enable pw
after type: conf t
after this: static (inside, outside) 192.168.1.X 217.40.72.249 255.255.255.255
after: write mem
Sorry, I have *no* idea how to do this via PDM.
so you telnet to your pix
after you login, you type "enable"
enter your enable pw
after type: conf t
after this: static (inside, outside) 192.168.1.X 217.40.72.249 255.255.255.255
after: write mem
Sorry, I have *no* idea how to do this via PDM.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ok, yan
You told me that we have to go for the contract costing 3000US$/Year in order to get the Latest updates in the Cisco PIX Firewall OS. So what do u think is it worth while to spent so much of money in the OS software update.We have cisco PIX 506e firewall,so if i go for the update in software OS what they provide us,did they fix the bugs in the PIX 506E or they provide the extra security patches to protect from the hackers.
Please give me the clarification of my last question.
thanx alot for all your answers
vikram
You told me that we have to go for the contract costing 3000US$/Year in order to get the Latest updates in the Cisco PIX Firewall OS. So what do u think is it worth while to spent so much of money in the OS software update.We have cisco PIX 506e firewall,so if i go for the update in software OS what they provide us,did they fix the bugs in the PIX 506E or they provide the extra security patches to protect from the hackers.
Please give me the clarification of my last question.
thanx alot for all your answers
vikram
Not worth the money if you ask me. The IOS version you have is perfectly secure. and everything is closed from the outside. No need to be afraid of anything :). The software by the way, is not only for the PIX 506e, it is for all the different pix that are out. They are all running the same IOS.
ASKER
hi yan,
But my director wants to know that what is the benefits of update OS,r they providing more security like norton antivirus after every update they add new virus defination so is anything like norton antivirus in the cisco firewall Os that it is updating any virus information or adding more secure layer to stop the hackers
plz reply me
vikram
But my director wants to know that what is the benefits of update OS,r they providing more security like norton antivirus after every update they add new virus defination so is anything like norton antivirus in the cisco firewall Os that it is updating any virus information or adding more secure layer to stop the hackers
plz reply me
vikram
ASKER
hi yan,
can i use command line instead of telnet for the code u give me for static IP.
after you login, you type "enable"
enter your enable pw
after type: conf t
after this: static (inside, outside) 192.168.1.X 217.40.72.249 255.255.255.255
after: write mem
as i donot know how to connect telnet from my PC. as my firewall is not directly connected to any PC,i am accessing my firewall from my PC which is on network switch(which is connected to firewall).
plz give me replu
can i use command line instead of telnet for the code u give me for static IP.
after you login, you type "enable"
enter your enable pw
after type: conf t
after this: static (inside, outside) 192.168.1.X 217.40.72.249 255.255.255.255
after: write mem
as i donot know how to connect telnet from my PC. as my firewall is not directly connected to any PC,i am accessing my firewall from my PC which is on network switch(which is connected to firewall).
plz give me replu
Often, they fix little bugs related to command not working properly, or changing error messages
example of thing changed in version 6.3(4)
VLAN Support Added to the PIX 506/506E
AAA Fallback for Administrative Access
SNMP Fixup
IKE Syslog Support Improved
New Syslog Messaging for AAA authentication
SIP IP Address Privacy Enhancement
New Ability to Assign Netmasks with Address Pools
btw, 6.3(4) is still a beta release anways..
A maintenance contract for a 506e would not cost 3000 btw.. but it would still be very expensive.. Updating a pix firewall is not like updating an antivirus, it's more like changing a complete OS. like windows 2000 to XP.
example of thing changed in version 6.3(4)
VLAN Support Added to the PIX 506/506E
AAA Fallback for Administrative Access
SNMP Fixup
IKE Syslog Support Improved
New Syslog Messaging for AAA authentication
SIP IP Address Privacy Enhancement
New Ability to Assign Netmasks with Address Pools
btw, 6.3(4) is still a beta release anways..
A maintenance contract for a 506e would not cost 3000 btw.. but it would still be very expensive.. Updating a pix firewall is not like updating an antivirus, it's more like changing a complete OS. like windows 2000 to XP.
TO view the complete change, you need to have a username/pw on cisco website anyways.. you can have a free one, but i'm not sure it will give you access to the proper documentation.
go to www.cisco.com, click register, then try going in technical support -> download -> cisco secure software
if the firewall section is not there, it's because you have to get a maintenance contract.
go to www.cisco.com, click register, then try going in technical support -> download -> cisco secure software
if the firewall section is not there, it's because you have to get a maintenance contract.
ASKER
hi yan,
can i use command line instead of telnet for the code u give me for static IP.
after you login, you type "enable"
enter your enable pw
after type: conf t
after this: static (inside, outside) 192.168.1.X 217.40.72.249 255.255.255.255
after: write mem
as i donot know how to connect telnet from my PC. as my firewall is not directly connected to any PC,i am accessing my firewall from my PC which is on network switch(which is connected to firewall).
plz give me replu
can i use command line instead of telnet for the code u give me for static IP.
after you login, you type "enable"
enter your enable pw
after type: conf t
after this: static (inside, outside) 192.168.1.X 217.40.72.249 255.255.255.255
after: write mem
as i donot know how to connect telnet from my PC. as my firewall is not directly connected to any PC,i am accessing my firewall from my PC which is on network switch(which is connected to firewall).
plz give me replu
Download and use a telnet software like this:
http://www.download.com/3000-2155-1538703.html?legacy=cnet
then get in it, put your PIX up address and connect.
you will get a command prompt with password.
1st password is the telnet password.. usually cisco
after you get in, type enable.
then you get the 2nd pw that you determined in your pix..
You cannot do that via command line.
http://www.download.com/3000-2155-1538703.html?legacy=cnet
then get in it, put your PIX up address and connect.
you will get a command prompt with password.
1st password is the telnet password.. usually cisco
after you get in, type enable.
then you get the 2nd pw that you determined in your pix..
You cannot do that via command line.
oh, btw.. not "up address" but "Ip address" :)
Be back in an hour, going for lunch.
Another thing, if you are not able to telnet on it. you may have to get in the PDM and in the config, specify the address that are permited to login via telnet..
Be back in an hour, going for lunch.
Another thing, if you are not able to telnet on it. you may have to get in the PDM and in the config, specify the address that are permited to login via telnet..
ASKER
i am increasing points