Solved

PIX 506E configuration review & tune up recommendations

Posted on 2004-10-07
Last Modified: 2013-11-16
Hi guys..

I’m trying to configure my PIX so it matches my network settings and meets my needs: to operate fast, securely and reliably.

Since I don’t have a test environment, a lot depends on this configuration to be up and running when first powered up behind the ISP router.

In addition to allowing Exchange, FTP and Web traffic to flow, I also need some 10 VPN (PPTP) clients/accounts to be added.

My network (Windows 2000 Servers)

Server A : 192.168.0.210 : DC, Exchange Server 2000, IIS Server 5 (FTP&Web running)
Server B : 192.168.0.211 : DC, Backup Exec
Server C : 192.168.0.212 : AV Server (Panda AdminSecure)

IP scope: 192.168.0.100-192.168.0.180 (192.168.0.100-192.168.0.110 is excluded)
Subnet: 255.255.0.0
DHCP enabled

WAN IP: 195.184.116.126

Below is my PIX configuration… what is (not) missing? ;)

Thanks in advance!


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password b4YMiQWlhCQP5KZD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 195.184.116.126 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.100-192.168.1.150 netmask 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 195.184.116.125 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup mbdkvpn password ********
vpnclient username mbdkvpn password ********
vpnclient enable
terminal width 80
Cryptochecksum:1fb573c35dc22110f888523f0946d212
Question by:dsl77
11 Comments

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12255862
Right off the bat, I see one issue:
IP scope: 192.168.0.100-192.168.0.180 (192.168.0.100-192.168.0.110 is excluded)
Subnet: 255.255.0.0
             ^^^^^^^
Yet, you have your inside interface with a class C mask.
>ip address inside 192.168.1.1 255.255.255.0
Either:
1) change the pix interface:
     ip address inside 192.168.1.1 255.255.0.0
2) use a single class C mask everywhere, but put the inside IP in a different subnet other than 192.168.0.x or 192.168.1.x. Why? Because of your desire to host VPN clients. 90% of home users with broadband routers or ICS use those two networks as their local LAN. Too many issues with the same LAN subnet on both ends of the tunnel. Save the aspirin and do it right at the start.

       dhcpd address 192.168.227.110-192.168.227.200 inside  <-- do you want the PIX to be your DHCP server?
       ip address inside 192.168.227.1 255.255.255.0

>global (outside) 1 192.168.1.100-192.168.1.150 netmask 255.255.0.0
Will never work. Your global must be a public IP. "interface" keyword works and just uses whatever IP is assigned to the outside IP...
    global (outside) 1 interface

Create Static port mappings for services:
    static (inside,outside) tcp smtp interface 192.168.227.210 smtp
    static (inside,outside) tcp www interface 192.168.227.210 www
    static (inside,outside) tcp ftp interface 192.168.227.210 ftp
    static (inside,outside) tcp ftp-data interface 192.168.227.210 ftp-data
   
Create access-lists for inbound traffic to those services
    access-list outside_in permit tcp any interface outside eq smtp
    access-list outside_in permit tcp any interface outside eq www
    access-list outside_in permit tcp any interface outside eq ftp
    access-list outside_in permit tcp any interface outside eq ftp-data

Apply the access-list
     access-group outside_in in interface outside

Since you have Exchange, you must disable fixup smtp:
    no fixup protocol smtp 25
   ^^

To setup for VPN access there are several steps:
<-- setup ip address pool for VPN users (different subnet)
    ip local pool VPN_Pool 192.168.228.100-192.168.228.200
<--Exclude local->VPN pool traffic from the nat process
    access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
    nat (inside) 0 access-list no_nat_VPN
<--enable pptp globally
    sysopt connection permit-pptp
<-- setup the vpn group parameters
   vpdn group PPTP accept dialin pptp
   vpdn group PPTP ppp authentication pap
   vpdn group PPTP ppp authentication chap
   vpdn group PPTP ppp authentication mschap
   vpdn group PPTP ppp encryption mppe auto
   vpdn group PPTP client configuration address local VPN_Pool
   vpdn group PPTP client configuration dns 192.168.227.210 192.168.227.211
   vpdn group PPTP pptp echo 60
   vpdn group PPTP client authentication local
   vpdn username user1 password *********
   vpdn username user2 password *********
   vpdn username user3 password *********
   vpdn username user4 password *********
   vpdn username user5 password *********
   vpdn username user6 password *********
  <etc>
   vpdn enable outside

Assuming you go with my recommendation to use 192.168.227.x, change this, too..
>http 192.168.1.0 255.255.255.0 inside
  to
   http 192.168.227.0 255.255.255.0 inside





0
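The checks in the accepted answer above (a private address range in the global pool, hosts whose address or mask does not fit the inside interface's subnet, a LAN on one of the two subnets home routers default to, and the SMTP fixup left on in front of Exchange) can be run mechanically over a config dump before the box is powered up. The script below is an added example written for this page; it is not part of the thread and not a Cisco tool. It assumes a PIX 6.3-style running-config as text plus a separately supplied list of LAN hosts with their masks (the PIX config does not know the servers' masks), and the finding texts and the `HOME_LAN_NETS` list are the editor's own choices. The two config excerpts are constructed from the question and the answer, not full running-configs.

```python
import ipaddress

# Constructed excerpt of the config posted in the question: only the lines
# the review below looks at, not the whole running-config.
ORIGINAL_CONFIG = """
fixup protocol smtp 25
ip address outside 195.184.116.126 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 192.168.1.100-192.168.1.150 netmask 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
# Server addresses and mask as listed in the question.
ORIGINAL_HOSTS = ["192.168.0.210/255.255.0.0", "192.168.0.211/255.255.0.0",
                  "192.168.0.212/255.255.0.0"]

# Same excerpt after applying the accepted answer's recommendations.
RECOMMENDED_CONFIG = """
no fixup protocol smtp 25
ip address outside 195.184.116.126 255.255.255.252
ip address inside 192.168.227.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
ip local pool VPN_Pool 192.168.228.100-192.168.228.200
"""
RECOMMENDED_HOSTS = ["192.168.227.210/255.255.255.0", "192.168.227.211/255.255.255.0",
                     "192.168.227.212/255.255.255.0"]

# Subnets that broadband routers and ICS hand out by default (editor's list); a
# corporate LAN on one of these collides with a remote PPTP client's own LAN.
HOME_LAN_NETS = [ipaddress.ip_network("192.168.0.0/24"),
                 ipaddress.ip_network("192.168.1.0/24")]


def parse_config(text):
    """Pull the handful of PIX 6.3 statements the review needs out of a config dump."""
    cfg = {"fixups": set(), "interfaces": {}, "globals": [], "pools": []}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["fixup", "protocol"]:
            cfg["fixups"].add(tok[2])
        elif tok[:3] == ["no", "fixup", "protocol"]:
            cfg["fixups"].discard(tok[3])
        elif tok[:2] == ["ip", "address"] and len(tok) >= 5:
            # ipaddress accepts a dotted netmask after the slash
            cfg["interfaces"][tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[0] == "global" and len(tok) >= 4:
            cfg["globals"].append(tok[3])          # "interface", an address, or a range
        elif tok[:3] == ["ip", "local", "pool"] and len(tok) >= 5:
            first, last = tok[4].split("-")
            cfg["pools"].append((tok[3], ipaddress.ip_address(first),
                                 ipaddress.ip_address(last)))
    return cfg


def review(config_text, lan_hosts, exchange_behind_pix=True):
    """Return the list of problems the accepted answer would raise, empty if none."""
    cfg = parse_config(config_text)
    findings = []
    inside = cfg["interfaces"].get("inside")
    if inside is None:
        return ["no 'ip address inside' statement"]
    inside_net = inside.network

    # 1. The global pool must be routable: a public address or the 'interface' keyword.
    for g in cfg["globals"]:
        if g != "interface" and ipaddress.ip_address(g.split("-")[0]).is_private:
            findings.append(f"global {g} is an RFC 1918 address; use a public address or 'interface'")

    # 2. Every LAN host must sit in the inside interface's subnet and use the same mask.
    for host in lan_hosts:
        h = ipaddress.ip_interface(host)
        if h.ip not in inside_net:
            findings.append(f"host {h.ip} is not in inside network {inside_net}")
        elif h.network != inside_net:
            findings.append(f"host {h.with_netmask} uses a different mask than "
                            f"inside interface {inside.with_netmask}")

    # 3. The VPN client pool must be a separate subnet from the LAN.
    for name, first, last in cfg["pools"]:
        if first in inside_net or last in inside_net:
            findings.append(f"VPN pool {name} overlaps inside network {inside_net}")

    # 4. Avoid the two subnets home routers default to.
    if any(inside_net.overlaps(n) for n in HOME_LAN_NETS):
        findings.append(f"inside network {inside_net} is a common home-router subnet; "
                        "remote PPTP clients on the same subnet cannot reach the LAN")

    # 5. With Exchange as the mail server the SMTP fixup (MailGuard) should be off.
    if exchange_behind_pix and "smtp" in cfg["fixups"]:
        findings.append("fixup protocol smtp 25 is enabled; disable it for Exchange")
    return findings


if __name__ == "__main__":
    for title, cfg, hosts in (("original", ORIGINAL_CONFIG, ORIGINAL_HOSTS),
                              ("recommended", RECOMMENDED_CONFIG, RECOMMENDED_HOSTS)):
        print(f"== {title} ==")
        for f in review(cfg, hosts) or ["no findings"]:
            print(" -", f)
```

Run against the excerpt from the question the review reports six findings (the private global range, the three servers outside 192.168.1.0/24, the home-router subnet, and the SMTP fixup); the recommended excerpt reports none. The LAN hosts are passed in separately on purpose: the mask mismatch that opens the answer is visible only when the servers' own masks are compared with the interface's, which the PIX config alone cannot show.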
 

Author Comment

by:dsl77
ID: 12257176
Hi lrmoore

I’m glad that you picked this one up! As I assumed I am in over my head on this one, but more at ease knowing you’re correcting my ideas :)

Just to sum up your reply (recommendations).

Change my servers' IPs and subnet to:
SRV A: 192.168.227.210 / 255.255.255.0
SRV B: 192.168.227.211 / 255.255.255.0
SRV C: 192.168.227.212 / 255.255.255.0

Change IP scope: 192.168.127.110-192.168.227.200 / 255.255.255.0

SRV A still runs DHCP!

With the network changes in mind and the rewritten PIX config how is ‘it’ looking now? :)


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password b4YMiQWlhCQP5KZD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
no fixup protocol smtp 25
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 195.184.116.126 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0      
route outside 0.0.0.0 0.0.0.0 195.184.116.125 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.227.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
ip address inside 192.168.227.1 255.255.255.0
static (inside,outside) tcp www interface 192.168.227.210 www
static (inside,outside) tcp ftp interface 192.168.227.210 ftp
static (inside,outside) tcp ftp-data interface 192.168.227.210 ftp-data
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq ftp-data
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inaside
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup mbdkvpn password ********
vpnclient username mbdkvpn password ********
vpnclient enable
ip local pool VPN_Pool 192.168.228.100-192.168.228.200
access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
nat (inside) 0 access-list no_nat_VPN
sysopt connection permit-pptp
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication pap
vpdn group PPTP ppp authentication chap
vpdn group PPTP ppp authentication mschap
vpdn group PPTP ppp encryption mppe auto
vpdn group PPTP client configuration address local VPN_Pool
vpdn group PPTP client configuration dns 192.168.227.210 192.168.227.211
vpdn group PPTP pptp echo 60
vpdn group PPTP client authentication local
vpdn username user1 password *********
vpdn username user2 password *********
vpdn username user3 password *********
vpdn username user4 password *********
vpdn username user5 password *********
vpdn username user6 password *********
vpdn enable outside
terminal width 80
Cryptochecksum:1fb573c35dc22110f888523f0946d212






Expert Comment

by:lrmoore
ID: 12258075
>dhcpd enable inaside
You need to disable dhcpd on the PIX if SRV A still runs DHCP
   no dhcpd enable inside

Looks like the rest of it should work fine..

Author Comment

by:dsl77
ID: 12270498
When trying to create the static port mappings i get this error: "ERROR: Invalid global IP address smtp"

I'm using Device Manager 3.0 (Command Line Interface) to insert the command - any ideas?

Is there an easy way to convert a txt file to a PIX image?

Expert Comment

by:lrmoore
ID: 12270611
My bad....
 static (inside,outside) tcp www interface 192.168.227.210 www
 static (inside,outside) tcp ftp interface 192.168.227.210 ftp
 static (inside,outside) tcp ftp-data interface 192.168.227.210 ftp-data

Should be...

static (inside,outside) tcp interface www 192.168.227.210 www
static (inside,outside) tcp interface ftp 192.168.227.210 ftp
static (inside,outside) tcp interface ftp-data 192.168.227.210 ftp-data
static (inside,outside) tcp interface smtp 192.168.227.210 smtp

The PIX config is already a text file. From PDM File | show running config in new window
IE File | Save As...
Save as .txt file somewhere
Author Comment

by:dsl77
ID: 12270729
thanks lrmoore

access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0

is saying: "ERROR: invalid protocol 192.168.227.0" - any ideas here? :)

How do I import the txt into PDM?

Expert Comment

by:lrmoore
ID: 12271091
Yes, once again I must have been running on too much caffeine..

> access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0

Should be:
 access-list no_nat_VPN permit ip 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
                                             ^^

You can import the text by opening it up in Notepad, select, copy, then use the Multi command line option, paste, submit..

0
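Both errors the PIX printed in this thread ("Invalid global IP address smtp" and "invalid protocol 192.168.227.0") come from a token sitting in the wrong slot of the command: the port name where the global address belongs in the `static`, and the source network where the protocol belongs in the `access-list`. The validator below is an added example for this page, not something from the thread or from Cisco; it checks only the argument order of a port-redirection `static` and the protocol slot of an `access-list`, accepts the trailing `netmask ... 0 0` the PIX itself appends, and ignores every other option. The port-name set and the message wording are the editor's own, modelled on the errors quoted above, and the sample lines are constructed from the corrections in this thread.

```python
import ipaddress

# Service names used in the thread; PIX 6.3 accepts them in place of port numbers.
PORT_NAMES = {"smtp", "www", "ftp", "ftp-data", "pptp"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def _is_addr(tok):
    try:
        ipaddress.ip_address(tok)
        return True
    except ValueError:
        return False


def _is_port(tok):
    return tok in PORT_NAMES or tok.isdigit()


def check_static(line):
    """Validate the argument order of a PIX 6.3 port-redirection static:

        static (inside,outside) {tcp|udp} {global-ip|interface} gport local-ip lport [netmask ...]

    Returns None when the command is well formed, otherwise a message naming the
    token the PIX would reject."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "static":
        return "incomplete static command"
    if tok[2] not in ("tcp", "udp"):
        return f"expected tcp or udp after the interface pair, got {tok[2]!r}"
    g_ip, g_port, l_ip, l_port = tok[3:7]
    if g_ip != "interface" and not _is_addr(g_ip):
        # The thread's "ERROR: Invalid global IP address smtp": the port name
        # was put where the global address (or the word 'interface') belongs.
        return f"Invalid global IP address {g_ip}"
    if not _is_port(g_port):
        return f"Invalid global port {g_port}"
    if not _is_addr(l_ip):
        return f"Invalid local IP address {l_ip}"
    if not _is_port(l_port):
        return f"Invalid local port {l_port}"
    return None


def check_access_list(line):
    """Validate the protocol slot of an access-list entry:

        access-list name {permit|deny} proto src ... dst ...

    Returns None when well formed, otherwise a message."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        return "incomplete access-list command"
    if tok[2] not in ("permit", "deny"):
        return f"expected permit or deny, got {tok[2]!r}"
    if tok[3] not in PROTOCOLS and not tok[3].isdigit():
        # The thread's "ERROR: invalid protocol 192.168.227.0": the source
        # network is sitting in the protocol slot because 'ip' was left out.
        return f"invalid protocol {tok[3]}"
    return None


def check_config_lines(lines):
    """Run the matching check over each line; returns {line: message} for the bad ones."""
    problems = {}
    for line in lines:
        if line.startswith("static "):
            msg = check_static(line)
        elif line.startswith("access-list "):
            msg = check_access_list(line)
        else:
            continue
        if msg:
            problems[line] = msg
    return problems


# Constructed sample: the two rejected lines from the thread beside their fixed forms.
SAMPLE = [
    "static (inside,outside) tcp smtp interface 192.168.227.210 smtp",
    "static (inside,outside) tcp interface smtp 192.168.227.210 smtp",
    "static (inside,outside) tcp interface www 192.168.227.210 www netmask 255.255.255.255 0 0",
    "access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0",
    "access-list no_nat_VPN permit ip 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0",
    "access-list outside_in permit tcp any interface outside eq smtp",
]

if __name__ == "__main__":
    for line, msg in check_config_lines(SAMPLE).items():
        print(f"{msg}: {line}")
```

Running it over the sample flags exactly the two lines the PIX rejected and passes the four corrected ones, including the `static` with the `netmask 255.255.255.255 0 0` trailer that the running-config later in this thread shows.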
 

Author Comment

by:dsl77
ID: 12274836
Hi again..

Yesterday I finally installed my PIX – but nothing happened - no email, no internet!? So now I’m looking for that glass of aspirin I threw away :)

I changed all the servers' IPs, IP scope, subnet and DHCP. There were no errors in the Event Viewer after rebooting the servers.

Clients running DHCP (192.168.227.1xx) are not able to ping the router. Clients on a static IP (192.168.1.2) can ping the router, but cannot get online.

What to do now… ?

lrmoore – just so you know, I really appreciate your help!

Here is an updated list:
Router:             192.168.1.1 / 255.255.255.0
DC & DHCP Server:   192.168.227.210 / 255.255.255.0
DHCP IP Scopes:     192.168.227.100 - 192.168.227.200
                    192.168.228.100 - 192.168.228.200
  Router:           192.168.1.1
  DNS Server:       192.168.227.210 & 192.168.227.211
 
My running PIX config:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password b4YMiQWlhCQP5KZD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq ftp-data
access-list no_nat_VPN permit ip 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 195.184.116.126 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool 192.168.228.100-192.168.228.200
pdm location 192.168.227.0 255.255.255.0 inside
pdm location 192.168.227.210 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.227.210 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.227.210 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.227.210 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.227.210 ftp-data netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 195.184.116.125 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.227.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication pap
vpdn group PPTP ppp authentication chap
vpdn group PPTP ppp authentication mschap
vpdn group PPTP ppp encryption mppe auto
vpdn group PPTP client configuration address local VPN_Pool
vpdn group PPTP client configuration dns 192.168.227.210 192.168.227.211
vpdn group PPTP pptp echo 60
vpdn group PPTP client authentication local
vpdn username dsl77 password *********
vpdn enable outside
dhcpd auto_config outside
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup mbdkvpn password ********
vpnclient username mbdkvpn password ********
vpnclient enable
terminal width 80
Cryptochecksum:43babccec88d2e559b1aeab8c218ec72
: end
[OK]

Expert Comment

by:lrmoore
ID: 12275966
You have to change this:
>ip address inside 192.168.1.1 255.255.255.0

to this:
>ip address inside 192.168.227.1 255.255.255.0

Making sure that the dhcp scope points to this as the default gateway..


Author Comment

by:dsl77
ID: 12280218
>Making sure that the dhcp scope points to this as the default gateway..
By this you mean change the 003 Router under scope options so it points to...?

Expert Comment

by:lrmoore
ID: 12280511
Yes. If you have it pointing now to 192.168.1.1, then you must change it to 192.168.227.1
You can't assign the PIX interface an IP address in a different subnet, and you can't point a default gateway to an IP that is not local to the client..

0
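The outage in this thread is the case lrmoore describes in the last reply: the DHCP scope hands out 192.168.227.x addresses with a 003 Router option of 192.168.1.1, so clients ARP for a gateway that is not on their subnet and never get an answer. The small check below is an added example for this page (not from the thread, not a Cisco or Windows tool) that compares a Windows DHCP scope's range, mask and router option with the PIX inside address; the finding texts are the editor's own, and the before/after inputs are constructed from the author's updated list and the correction above.

```python
import ipaddress


def check_dhcp_scope(scope_first, scope_last, mask, router_option, pix_inside):
    """Check a DHCP scope against the PIX inside interface.

    Returns a list of findings (empty when the scope's 003 Router option is usable)."""
    net = ipaddress.ip_interface(f"{scope_first}/{mask}").network
    findings = []
    if ipaddress.ip_address(scope_last) not in net:
        findings.append(f"scope end {scope_last} is outside {net}")
    router = ipaddress.ip_address(router_option)
    pix = ipaddress.ip_address(pix_inside)
    if router not in net:
        # Clients ARP for a gateway on their own subnet; an off-subnet router
        # option is why the DHCP clients in the thread could not ping it.
        findings.append(f"router option {router} is not in scope subnet {net}")
    if pix not in net:
        findings.append(f"PIX inside address {pix} is not in scope subnet {net}")
    if router != pix:
        findings.append(f"router option {router} does not match PIX inside address {pix}")
    return findings


# Constructed from the author's updated list: scope 192.168.227.100-200 /24
# with 003 Router still set to the old PIX address 192.168.1.1.
BEFORE = check_dhcp_scope("192.168.227.100", "192.168.227.200", "255.255.255.0",
                          "192.168.1.1", "192.168.1.1")
# After moving the PIX inside address and the router option to 192.168.227.1.
AFTER = check_dhcp_scope("192.168.227.100", "192.168.227.200", "255.255.255.0",
                         "192.168.227.1", "192.168.227.1")

if __name__ == "__main__":
    print("before:", BEFORE or ["ok"])
    print("after:", AFTER or ["ok"])
```

The "before" input produces two findings (router option and PIX address both outside 192.168.227.0/24); the "after" input produces none. The third condition catches the remaining mistake that is easy to make when re-addressing: a router option that is on-subnet but points at something other than the firewall.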
