Solved

PIX Config Optimization

Posted on 2004-10-07
Last Modified: 2008-01-09
Hi, I need an expert to help me optimize a PIX 515E's config. Here's the config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password xxxxxx encrypted
passwd xxxxxx encrypted
hostname XXX-PIX
domain-name XXX.net
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060  <-- how do I remove this line?
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside permit icmp any any echo
access-list outside permit tcp any host xxx.xxx.xxx.80 eq www
access-list outside permit tcp any host xxx.xxx.xxx.80 eq ftp
access-list outside permit ip any host xxx.xxx.xxx.99
access-list outside permit tcp any host xxx.xxx.xxx.80 eq 8631
access-list outside permit tcp any host xxx.xxx.xxx.80 eq 8632
access-list outside permit tcp any host xxx.xxx.xxx.90 eq 8080
access-list outside permit udp any host xxx.xxx.xxx.90 eq 2427
access-list outside permit udp any host xxx.xxx.xxx.90 eq 5060
access-list outside permit tcp any host xxx.xxx.xxx.85 eq 8631
access-list outside permit tcp any host xxx.xxx.xxx.85 eq 8632
access-list outside permit tcp any host xxx.xxx.xxx.85 eq www
access-list outside permit tcp any host xxx.xxx.xxx.85 eq ftp
access-list outside permit udp any host xxx.xxx.xxx.90 eq 53070
access-list outside permit udp any host xxx.xxx.xxx.90 range 25000 25008
access-list outside permit udp any host xxx.xxx.xxx.90 eq 1500
access-list outside permit udp any host xxx.xxx.xxx.90 range 50601 50608
access-list split-tunnel-acl permit ip 192.168.0.0 255.255.0.0 any
access-list inside_outbound_nat0_acl permit ip any 192.168.104.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip any 192.168.104.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxx.xxx.xxx.66 255.255.255.192
ip address inside 192.168.102.2 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.104.100-192.168.104.199
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.68-xxx.xxx.xxx.79
global (outside) 1 xxx.xxx.xxx.67
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50601 192.168.103.31 50601 netmask 255.255.255.255 0 0   <-- these are for IP phones
static (inside,outside) udp xxx.xxx.xxx.90 50602 192.168.103.32 50602 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50603 192.168.103.33 50603 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50604 192.168.103.34 50604 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50605 192.168.103.35 50605 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50606 192.168.103.36 50606 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50607 192.168.103.37 50607 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50608 192.168.103.38 50608 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.90 8080 192.168.103.30 8080 netmask 255.255.255.255 0 0 0
static (inside,outside) udp xxx.xxx.xxx.90 2427 192.168.103.30 2427 netmask 255.255.255.255 0 0 0
static (inside,outside) udp xxx.xxx.xxx.90 1500 192.168.103.30 1500 netmask 255.255.255.255 0 0 0
static (inside,outside) udp xxx.xxx.xxx.90 5060 192.168.103.30 5060 netmask 255.255.255.255 0 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25000 192.168.103.30 25000 netmask 255.255.255.255 0 0  <-- since ports 25000-25008 all go to the same internal IP, can I use one line to replace the 9 lines?
static (inside,outside) udp xxx.xxx.xxx.90 25001 192.168.103.30 25001 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25002 192.168.103.30 25002 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25003 192.168.103.30 25003 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25004 192.168.103.30 25004 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25005 192.168.103.30 25005 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25006 192.168.103.30 25006 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25007 192.168.103.30 25007 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25008 192.168.103.30 25008 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.80 192.168.102.10 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.99 192.168.102.250 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.85 192.168.101.16 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 1
route inside 192.168.0.0 255.255.0.0 192.168.102.1 2
route inside 192.168.101.0 255.255.255.0 192.168.102.1 2
route inside 192.168.103.0 255.255.255.0 192.168.102.1 2
route inside 192.168.104.0 255.255.255.0 192.168.102.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ofs_set esp-des esp-md5-hmac
crypto dynamic-map dynamic 10 match address outside_cryptomap_dyn_10
crypto dynamic-map dynamic 10 set transform-set ofs_set
crypto map mymap 20 ipsec-isakmp dynamic dynamic
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup xxx-vpn address-pool vpnpool
vpngroup xxx-vpn dns-server 192.168.102.10
vpngroup xxx-vpn wins-server 192.168.102.10
vpngroup xxx-vpn default-domain xxx.net
vpngroup xxx-vpn split-tunnel split-tunnel-acl
vpngroup xxx-vpn idle-time 1800
vpngroup xxx-vpn password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:2820b7e884894526a1470fc300892f48
: end

Additional questions:
1. How do I enable telnet to the pix from the VPN (192.168.104.x) subnet?
2. Should I install PDM?  If so, how?
Question by:surbit

8 Comments
LVL 2

Accepted Solution

by:
Seamless-IT earned 250 total points
ID: 12255856
You can't remove the line no fixup protocol sip 5060.

I would restrict inbound telnet access to just specific addresses or subnets. I would also set a timeout value on console sessions. It's not a bad idea to set up logging to a syslog server either.

Punch in this command for a little extra security:
ip verify reverse-path interface outside

You could use this command to slightly increase performance:
access-list outside compiled

This command will help VPN clients with NAT problems.
isakmp nat-traversal 20

I use this command to help prevent spyware, but it will block all ActiveX traffic, so only use it if you don't need ActiveX.
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

I use PDM for the visual traffic stats that it provides, but I always use the command line when making changes. PDM is probably already loaded; just add the line below to the PIX and then you should be able to access it via a web browser.
http 192.x.x.x 255.x.x.x inside

If you want to access the PIX via a VPN then add this statement:
management-access inside

LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 12255983
>static (inside,outside) udp xxx.xxx.xxx.90 25000 192.168.103.30 25000 netmask 255.255.255.255 0 0  <-- since ports 25000-25008 all go to the same internal IP, can I use one line to replace the 9 lines?

Nope. You have to have one line per port...

>no fixup protocol sip 5060  <-- how do I remove this line?
As Seamless-IT stated, you can't really remove it.
You can either enable or disable the fixup:
   fixup protocol sip 5060  <= enabled
   no fixup protocol sip 5060  <= disabled

>PIX Version 6.3(1)
This version is buggy and has published security vulnerabilities.
Highly recommend upgrading to 6.3(4).
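Since every forwarded port needs its own static, the inbound access-list and the static table drift apart easily. The script below is an added example, not code from this thread or from Cisco: it parses `access-list outside` permits and `static (inside,outside)` translations from a constructed subset of the posted config (same redacted addresses) and reports permits with no static behind them (dead rules) and statics that no permit reaches (dead translations). The port-name table is an assumption covering only www, ftp and smtp.

```python
"""Cross-check a PIX 6.3 inbound ACL against its static translations.
Added audit script, not from the thread. Hosts stay strings so the
redacted xxx.xxx.xxx.N values from the posted config parse unchanged."""
import re

# Constructed subset of the posted config (addresses redacted as in the post).
SAMPLE_CONFIG = """\
access-list outside permit ip any host xxx.xxx.xxx.99
access-list outside permit udp any host xxx.xxx.xxx.90 eq 5060
access-list outside permit udp any host xxx.xxx.xxx.90 eq 53070
access-list outside permit udp any host xxx.xxx.xxx.90 range 25000 25002
static (inside,outside) udp xxx.xxx.xxx.90 5060 192.168.103.30 5060 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25000 192.168.103.30 25000 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25003 192.168.103.30 25003 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.99 192.168.102.250 netmask 255.255.255.255 0 0
"""
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25}   # assumed subset of PIX port names
ACL_RE = re.compile(r"access-list outside permit (\S+) any host (\S+)"
                    r"(?: eq (\S+)| range (\d+) (\d+))?$")
STATIC_RE = re.compile(r"static \(inside,outside\) (?:(tcp|udp) (\S+) (\d+) \S+ \d+"
                       r"|(\S+) \S+) netmask")

def parse(config):
    """Permits: (proto, host, lo, hi), lo/hi None = any port.
    Statics: (proto, host, port), proto/port None = 1:1 static."""
    permits, statics = [], []
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            proto, host, eq, lo, hi = m.groups()
            if eq:                                  # 'eq www' -> 80, 'eq 5060' -> 5060
                lo = hi = PORT_NAMES.get(eq, eq)
            permits.append((proto, host, *(int(x) if x else None for x in (lo, hi))))
        elif m := STATIC_RE.match(line):
            proto, host, port, full = m.groups()
            statics.append((None, full, None) if full else (proto, host, int(port)))
    return permits, statics

def covers(permit, static):
    """True when the permit can deliver packets to what the static translates."""
    pproto, phost, lo, hi = permit
    sproto, shost, sport = static
    if phost != shost:
        return False
    if sproto is None:                    # a 1:1 static answers on every port
        return True
    return pproto in ("ip", sproto) and (lo is None or lo <= sport <= hi)

def audit(config):
    """Return (dead_permits, dead_statics) as lists of parsed tuples."""
    permits, statics = parse(config)
    dead_permits = [p for p in permits if not any(covers(p, s) for s in statics)]
    dead_statics = [s for s in statics if not any(covers(p, s) for p in permits)]
    return dead_permits, dead_statics
```

On the subset, `audit(SAMPLE_CONFIG)` flags the udp 53070 permit (no static behind it, in the posted config either) and the 25003 static outside the permitted range; run it over the full `write terminal` output to find the rest.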

Author Comment

by:surbit
ID: 12261129
Hey guys, what is the best way to install the PDM and update the PIX version?  This is a production device, so I want to be careful.  Thanks for the inputs so far.
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 12261236
Easiest way to install is from a www server or tftp server:

PIX#copy tftp://<ipaddress>/pix634.bin flash:
PIX#copy http://<ipaddress>/pix634.bin flash:

PIX#copy tftp://<ipaddress>/pdm-302.bin flash:pdm
PIX#copy http://<ipaddress>/pdm-302.bin flash:pdm

You can upgrade the pix at any time and reboot it at a more convenient time.

Author Comment

by:surbit
ID: 12261247
Will my current settings be preserved after I do this?

Author Comment

by:surbit
ID: 12261276
Also where is the link to download the newest PIX and PDM?  I should upgrade the BIN first and then the PDM, right?

Author Comment

by:surbit
ID: 12261347
One more question, I know how to back up my current PIX config.  I've backed it up to a tftp server.  Can someone tell me how to restore the PIX config from the tftp server?
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 12261360
All current settings will be preserved. The only time this would be a factor is upgrading to a major release, i.e. 5.x to 6.x, but not from 6.3(1) to 6.3(4).
Yes, upgrade the bin first, then the PDM.

You need a CCO login: http://www.cisco.com/cgi-bin/tablebuild.pl/pix