PIX 506E configuration review & tune up recommendations

Hi guys..

I’m trying to configure my PIX so it can match my network settings and meet my needs to operate fast, secure and reliable.

Since I don’t have a test environment, a lot depends on this configuration to be up and running when first powered up behind the ISP router.

In addition to allowing Exchange, FTP and Web traffic to flow, I also need some 10 VPN (PPTP) clients/accounts to be added.

My network (Windows 2000 Servers)

Server A : 192.168.0.210 : DC, Exchange Server 2000, IIS Server 5 (FTP&Web running)
Server B : 192.168.0.211 : DC, Backup Exec
Server C : 192.168.0.212 : AV Server (Panda AdminSecure)

IP scope: 192.168.0.100-192.168.0.180 (192.168.0.100-192.168.0.110 is excluded)
Subnet: 255.255.0.0
DHCP enabled

WAN IP: 195.184.116.126

Below is my PIX configuration… what is (not) missing? ;)

Thanks in advance!


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password b4YMiQWlhCQP5KZD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 195.184.116.126 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.100-192.168.1.150 netmask 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 195.184.116.125 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup mbdkvpn password ********
vpnclient username mbdkvpn password ********
vpnclient enable
terminal width 80
Cryptochecksum:1fb573c35dc22110f888523f0946d212
dsl77 Asked:

lrmoore Commented:
Right off the bat, I see one issue:
IP scope: 192.168.0.100-192.168.0.180 (192.168.0.100-192.168.0.110 is excluded)
Subnet: 255.255.0.0
             ^^^^^^^
Yet, you have your inside interface with a class C mask.
>ip address inside 192.168.1.1 255.255.255.0
Either:
1) change the pix interface:
     ip address inside 192.168.1.1 255.255.0.0
2) use a single class C mask everywhere, but put the inside IP in a different subnet other than 192.168.0.x or 192.168.1.x. Why? Because of your desire to host VPN clients. 90% of home users with broadband routers or ICS use those two networks as their local LAN. Too many issues with the same LAN subnet on both ends of the tunnel. Save the aspirin and do it right at the start.

       dhcpd address 192.168.227.110-192.168.227.200 inside  <-- do you want the PIX to be your DHCP server?
       ip address inside 192.168.227.1 255.255.255.0

>global (outside) 1 192.168.1.100-192.168.1.150 netmask 255.255.0.0
Will never work. Your global must be a public IP. "interface" keyword works and just uses whatever IP is assigned to the outside IP...
    global (outside) 1 interface

Create Static port mappings for services:
    static (inside,outside) tcp smtp interface 192.168.227.210 smtp
    static (inside,outside) tcp www interface 192.168.227.210 www
    static (inside,outside) tcp ftp interface 192.168.227.210 ftp
    static (inside,outside) tcp ftp-data interface 192.168.227.210 ftp-data
   
Create access-lists for inbound traffic to those services
    access-list outside_in permit tcp any interface outside eq smtp
    access-list outside_in permit tcp any interface outside eq www
    access-list outside_in permit tcp any interface outside eq ftp
    access-list outside_in permit tcp any interface outside eq ftp-data

Apply the access-list
     access-group outside_in in interface outside

Since you have Exchange, you must disable fixup smtp:
    no fixup protocol smtp 25
   ^^

To set up VPN access there are several steps:
<-- set up an ip address pool for VPN users (different subnet)
    ip local pool VPN_Pool 192.168.228.100-192.168.228.200
<-- exclude local->VPN pool traffic from the nat process
    access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
    nat (inside) 0 access-list no_nat_VPN
<--enable pptp globally
    sysopt connection permit-pptp
<-- set up the vpn group parameters
   vpdn group PPTP accept dialin pptp
   vpdn group PPTP ppp authentication pap
   vpdn group PPTP ppp authentication chap
   vpdn group PPTP ppp authentication mschap
   vpdn group PPTP ppp encryption mppe auto
   vpdn group PPTP client configuration address local VPN_Pool
   vpdn group PPTP client configuration dns 192.168.227.210 192.168.227.211
   vpdn group PPTP pptp echo 60
   vpdn group PPTP client authentication local
   vpdn username user1 password *********
   vpdn username user2 password *********
   vpdn username user3 password *********
   vpdn username user4 password *********
   vpdn username user5 password *********
   vpdn username user6 password *********
  <etc>
   vpdn enable outside

Assuming you go with my recommendation to use 192.168.227.x, change this, too..
>http 192.168.1.0 255.255.255.0 inside
  to
   http 192.168.227.0 255.255.255.0 inside

dsl77 (Author) Commented:
Hi lrmoore

I’m glad that you picked this one up! As I assumed I am in over my head on this one, but more at ease knowing you’re correcting my ideas :)

Just to sum up your reply (recommendations).

Change my servers' IPs and subnet to:
SRV A: 192.168.227.210 / 255.255.255.0
SRV B: 192.168.227.211 / 255.255.255.0
SRV C: 192.168.227.212 / 255.255.255.0

Change IP scope: 192.168.127.110-192.168.227.200 / 255.255.255.0

SRV A still runs DHCP!

With the network changes in mind and the rewritten PIX config how is ‘it’ looking now? :)


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password b4YMiQWlhCQP5KZD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
no fixup protocol smtp 25
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 195.184.116.126 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 195.184.116.125 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.227.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
ip address inside 192.168.227.1 255.255.255.0
static (inside,outside) tcp www interface 192.168.227.210 www
static (inside,outside) tcp ftp interface 192.168.227.210 ftp
static (inside,outside) tcp ftp-data interface 192.168.227.210 ftp-data
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq ftp-data
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inaside
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup mbdkvpn password ********
vpnclient username mbdkvpn password ********
vpnclient enable
ip local pool VPN_Pool 192.168.228.100-192.168.228.200
access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
nat (inside) 0 access-list no_nat_VPN
sysopt connection permit-pptp
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication pap
vpdn group PPTP ppp authentication chap
vpdn group PPTP ppp authentication mschap
vpdn group PPTP ppp encryption mppe auto
vpdn group PPTP client configuration address local VPN_Pool
vpdn group PPTP client configuration dns 192.168.227.210 192.168.227.211
vpdn group PPTP pptp echo 60
vpdn group PPTP client authentication local
vpdn username user1 password *********
vpdn username user2 password *********
vpdn username user3 password *********
vpdn username user4 password *********
vpdn username user5 password *********
vpdn username user6 password *********
vpdn enable outside
terminal width 80
Cryptochecksum:1fb573c35dc22110f888523f0946d212

lrmoore Commented:
>dhcpd enable inaside
You need to disable dhcpd on the PIX if SRV A still runs DHCP
   no dhcpd enable inside

Looks like the rest of it should work fine..
dsl77 (Author) Commented:
When trying to create the static port mappings i get this error: "ERROR: Invalid global IP address smtp"

I'm using Device Manager 3.0 (Command Line Interface) to insert the command - any ideas?

Is there an easy way to convert a txt file to a PIX image?
lrmoore Commented:
My bad....
 static (inside,outside) tcp www interface 192.168.227.210 www
 static (inside,outside) tcp ftp interface 192.168.227.210 ftp
 static (inside,outside) tcp ftp-data interface 192.168.227.210 ftp-data

Should be...

static (inside,outside) tcp interface www 192.168.227.210 www
static (inside,outside) tcp interface ftp 192.168.227.210 ftp
static (inside,outside) tcp interface ftp-data 192.168.227.210 ftp-data
static (inside,outside) tcp interface smtp 192.168.227.210 smtp

The PIX config is already a text file. From PDM: File | Show running config in new window.
In IE: File | Save As...
Save it as a .txt file somewhere.
dsl77 (Author) Commented:
Thanks lrmoore

access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0

is saying: "ERROR: invalid protocol 192.168.227.0" - any ideas here? :)

How do I import the txt into PDM?
lrmoore Commented:
Yes, once again I must have been running on too much caffeine..

> access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0

Should be:
 access-list no_nat_VPN permit ip 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
                                             ^^

You can import the text by opening it up in Notepad, select, copy, then use the Multi command line option, paste, submit..

dsl77 (Author) Commented:
Hi again..

Yesterday I finally installed my PIX – but nothing happened - no email, no internet!? So now I’m looking for that glass of aspirin I threw away :)

I changed all the servers' IPs, IP scope, subnet and DHCP. There were no errors in the Event Viewer after rebooting the servers.

Clients running DHCP (192.168.227.1xx) are not able to ping the router. Clients on a static IP (192.168.1.2) can ping the router, but cannot get online.

What to do now… ?

lrmoore – just so you know, I really appreciate your help!

Here is an updated list:
Router:            192.168.1.1 / 255.255.255.0
DC & DHCP Server:  192.168.227.210 / 255.255.255.0
DHCP IP Scopes:    192.168.227.100 - 192.168.227.200
                   192.168.228.100 - 192.168.228.200
  Router:          192.168.1.1
  DNS Server:      192.168.227.210 & 192.168.227.211

My running PIX config:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password b4YMiQWlhCQP5KZD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq ftp-data
access-list no_nat_VPN permit ip 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 195.184.116.126 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool 192.168.228.100-192.168.228.200
pdm location 192.168.227.0 255.255.255.0 inside
pdm location 192.168.227.210 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.227.210 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.227.210 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.227.210 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp-data 192.168.227.210 ftp-data netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 195.184.116.125 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.227.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication pap
vpdn group PPTP ppp authentication chap
vpdn group PPTP ppp authentication mschap
vpdn group PPTP ppp encryption mppe auto
vpdn group PPTP client configuration address local VPN_Pool
vpdn group PPTP client configuration dns 192.168.227.210 192.168.227.211
vpdn group PPTP pptp echo 60
vpdn group PPTP client authentication local
vpdn username dsl77 password *********
vpdn enable outside
dhcpd auto_config outside
vpnclient server 192.168.1.1
vpnclient mode client-mode
vpnclient vpngroup mbdkvpn password ********
vpnclient username mbdkvpn password ********
vpnclient enable
terminal width 80
Cryptochecksum:43babccec88d2e559b1aeab8c218ec72
: end
[OK]
lrmoore Commented:
You have to change this:
>ip address inside 192.168.1.1 255.255.255.0

to this:
>ip address inside 192.168.227.1 255.255.255.0

Making sure that the dhcp scope points to this as the default gateway..

dsl77 (Author) Commented:
>Making sure that the dhcp scope points to this as the default gateway..
By this you mean change the 003 Router under scope options so it points to...?
lrmoore Commented:
Yes. If you have it pointing now to 192.168.1.1, then you must change it to 192.168.227.1
You can't assign the PIX interface an IP address in a different subnet, and you can't point a default gateway to an IP that is not local to the client..

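As an added example (not from the thread, and not a Cisco tool), the following Python script encodes the checks lrmoore applied across this thread: an RFC 1918 global pool, the port-static argument order behind the "Invalid global IP address" error, the missing protocol keyword behind the "invalid protocol" error, Mailguard (fixup smtp) still active with Exchange behind the PIX, and the final point that a DHCP default gateway must be local to the client and be the PIX inside address. The sample config lines are constructed from the commands quoted in the thread; the function and variable names are my own.

```python
import ipaddress

# Constructed sample input, assembled from the commands lrmoore flagged in the
# original post and the corrected forms he gave later; not a complete PIX config.
BROKEN = """\
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 192.168.1.100-192.168.1.150 netmask 255.255.0.0
static (inside,outside) tcp smtp interface 192.168.227.210 smtp
access-list no_nat_VPN permit 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
no fixup protocol smtp 25
fixup protocol smtp 25
"""
FIXED = """\
ip address inside 192.168.227.1 255.255.255.0
global (outside) 1 interface
static (inside,outside) tcp interface smtp 192.168.227.210 smtp
access-list no_nat_VPN permit ip 192.168.227.0 255.255.255.0 192.168.228.0 255.255.255.0
no fixup protocol smtp 25
"""
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre"}

def check_pix_config(config):
    """Return [(config line, problem)] for the PIX 6.x mistakes discussed in this thread."""
    findings = []
    smtp_fixup = True  # Mailguard is on by default; only an explicit 'no fixup' turns it off
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "global" and tok[3] != "interface":
            # A global pool is the address seen on the Internet, so it cannot be RFC 1918 space.
            if ipaddress.ip_address(tok[3].split("-")[0]).is_private:
                findings.append((line, "global pool is private; use a public IP or 'interface'"))
        elif tok[0] == "static" and tok[2] in ("tcp", "udp") and tok[3] != "interface" and not tok[3][0].isdigit():
            # Port static: the global side ('interface' or an IP) comes before its port.
            findings.append((line, "port static order: tcp interface <port> <real_ip> <port>"))
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny") and tok[3] not in PROTOCOLS:
            findings.append((line, "access-list needs a protocol (ip/tcp/udp) before the source"))
        elif tok[:3] == ["fixup", "protocol", "smtp"]:
            smtp_fixup = True  # a later 'fixup' re-enables what an earlier 'no fixup' disabled
        elif tok[:4] == ["no", "fixup", "protocol", "smtp"]:
            smtp_fixup = False
    if smtp_fixup:
        findings.append(("fixup protocol smtp", "Mailguard active; Exchange needs 'no fixup protocol smtp 25'"))
    return findings

def gateway_is_usable(client_ip, client_mask, gateway_ip, pix_inside_ip):
    """DHCP option 003 Router must be on the client's own subnet and be the PIX inside address."""
    subnet = ipaddress.ip_interface(f"{client_ip}/{client_mask}").network
    gateway = ipaddress.ip_address(gateway_ip)
    return gateway in subnet and gateway == ipaddress.ip_address(pix_inside_ip)
```

Running check_pix_config(BROKEN) reports all four problems, while the FIXED sample is clean; gateway_is_usable reproduces the symptom in the last exchange, where DHCP clients on 192.168.227.x were handed 192.168.1.1 as their gateway.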