surbit

asked on

PIX Config Optimization

Hi, I need an expert to help me optimize a PIX 515E's config. Here's the config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password xxxxxx encrypted
passwd xxxxxx encrypted
hostname XXX-PIX
domain-name XXX.net
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060  <-- how do I remove this line?
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside permit icmp any any echo
access-list outside permit tcp any host xxx.xxx.xxx.80 eq www
access-list outside permit tcp any host xxx.xxx.xxx.80 eq ftp
access-list outside permit ip any host xxx.xxx.xxx.99
access-list outside permit tcp any host xxx.xxx.xxx.80 eq 8631
access-list outside permit tcp any host xxx.xxx.xxx.80 eq 8632
access-list outside permit tcp any host xxx.xxx.xxx.90 eq 8080
access-list outside permit udp any host xxx.xxx.xxx.90 eq 2427
access-list outside permit udp any host xxx.xxx.xxx.90 eq 5060
access-list outside permit tcp any host xxx.xxx.xxx.85 eq 8631
access-list outside permit tcp any host xxx.xxx.xxx.85 eq 8632
access-list outside permit tcp any host xxx.xxx.xxx.85 eq www
access-list outside permit tcp any host xxx.xxx.xxx.85 eq ftp
access-list outside permit udp any host xxx.xxx.xxx.90 eq 53070
access-list outside permit udp any host xxx.xxx.xxx.90 range 25000 25008
access-list outside permit udp any host xxx.xxx.xxx.90 eq 1500
access-list outside permit udp any host xxx.xxx.xxx.90 range 50601 50608
access-list split-tunnel-acl permit ip 192.168.0.0 255.255.0.0 any
access-list inside_outbound_nat0_acl permit ip any 192.168.104.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip any 192.168.104.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxx.xxx.xxx.66 255.255.255.192
ip address inside 192.168.102.2 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.104.100-192.168.104.199
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.68-xxx.xxx.xxx.79
global (outside) 1 xxx.xxx.xxx.67
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50601 192.168.103.31 50601 netmask 255.255.255.255 0 0   <-- these are for IP phones
static (inside,outside) udp xxx.xxx.xxx.90 50602 192.168.103.32 50602 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50603 192.168.103.33 50603 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50604 192.168.103.34 50604 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50605 192.168.103.35 50605 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50606 192.168.103.36 50606 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50607 192.168.103.37 50607 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50608 192.168.103.38 50608 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.90 8080 192.168.103.30 8080 netmask 255.255.255.255 0 0 0
static (inside,outside) udp xxx.xxx.xxx.90 2427 192.168.103.30 2427 netmask 255.255.255.255 0 0 0
static (inside,outside) udp xxx.xxx.xxx.90 1500 192.168.103.30 1500 netmask 255.255.255.255 0 0 0
static (inside,outside) udp xxx.xxx.xxx.90 5060 192.168.103.30 5060 netmask 255.255.255.255 0 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25000 192.168.103.30 25000 netmask 255.255.255.255 0 0  <-- since ports 25000-25008 all go to the same internal IP, can I use one line to replace the 9 lines?
static (inside,outside) udp xxx.xxx.xxx.90 25001 192.168.103.30 25001 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25002 192.168.103.30 25002 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25003 192.168.103.30 25003 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25004 192.168.103.30 25004 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25005 192.168.103.30 25005 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25006 192.168.103.30 25006 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25007 192.168.103.30 25007 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25008 192.168.103.30 25008 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.80 192.168.102.10 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.99 192.168.102.250 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.85 192.168.101.16 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 1
route inside 192.168.0.0 255.255.0.0 192.168.102.1 2
route inside 192.168.101.0 255.255.255.0 192.168.102.1 2
route inside 192.168.103.0 255.255.255.0 192.168.102.1 2
route inside 192.168.104.0 255.255.255.0 192.168.102.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ofs_set esp-des esp-md5-hmac
crypto dynamic-map dynamic 10 match address outside_cryptomap_dyn_10
crypto dynamic-map dynamic 10 set transform-set ofs_set
crypto map mymap 20 ipsec-isakmp dynamic dynamic
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup xxx-vpn address-pool vpnpool
vpngroup xxx-vpn dns-server 192.168.102.10
vpngroup xxx-vpn wins-server 192.168.102.10
vpngroup xxx-vpn default-domain xxx.net
vpngroup xxx-vpn split-tunnel split-tunnel-acl
vpngroup xxx-vpn idle-time 1800
vpngroup xxx-vpn password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:2820b7e884894526a1470fc300892f48
: end

Additional questions:
1. How do I enable telnet to the PIX from the VPN (192.168.104.x) subnet?
2. Should I install PDM? If so, how?
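As an added example (my own code, not part of this thread and not from any of the answers), here is a small Python script that works on a saved copy of the config rather than on the device. It does two things that bear on the "optimization" question: it groups the one-port-per-line static PAT entries by protocol, global address and inside host and collapses the ports into contiguous runs, so you can see at a glance which entries actually share a host (the 25000-25008 block does, the 5060x phone entries do not, since each goes to a different inside IP) before deciding whether your platform's static syntax lets you merge any of them; and it flags the settings in the posted config that a reviewer would question regardless of line count: the default SNMP community, SSH and telnet accepted from any source address, single DES for IKE and IPsec, and an access-list entry permitting all IP traffic to one host. SAMPLE_CONFIG is a constructed subset of the lines posted above, with the poster's placeholder addresses; the regexes and the finding texts are mine.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the posted PIX 6.3 config, same placeholders as above.
SAMPLE_CONFIG = """\
fixup protocol sip udp 5060
access-list outside permit icmp any any echo
access-list outside permit ip any host xxx.xxx.xxx.99
access-list outside permit udp any host xxx.xxx.xxx.90 range 25000 25008
static (inside,outside) udp xxx.xxx.xxx.90 50601 192.168.103.31 50601 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 50602 192.168.103.32 50602 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25000 192.168.103.30 25000 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25001 192.168.103.30 25001 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25002 192.168.103.30 25002 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.xxx.90 25004 192.168.103.30 25004 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.80 192.168.102.10 netmask 255.255.255.255 0 0
snmp-server community public
crypto ipsec transform-set ofs_set esp-des esp-md5-hmac
isakmp policy 10 encryption des
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

# Matches only port-based (PAT) statics; plain one-to-one statics have no protocol field.
STATIC_PAT_RE = re.compile(
    r"^static \((?P<ifaces>[^)]+)\) (?P<proto>tcp|udp) (?P<gip>\S+) (?P<gport>\d+) "
    r"(?P<lip>\S+) (?P<lport>\d+) netmask"
)


def port_static_groups(config):
    """Group static PAT lines that share interfaces, protocol, global IP and inside IP,
    and collapse their ports into contiguous (first, last) runs.
    Returns {(ifaces, proto, global_ip, local_ip): [(first, last), ...]}."""
    ports = defaultdict(set)
    for line in config.splitlines():
        m = STATIC_PAT_RE.match(line.strip())
        if not m or m.group("gport") != m.group("lport"):
            continue  # only same-port-in/same-port-out entries form a simple run
        key = (m.group("ifaces"), m.group("proto"), m.group("gip"), m.group("lip"))
        ports[key].add(int(m.group("gport")))
    runs = {}
    for key, pset in ports.items():
        ordered = sorted(pset)
        run_list, start, prev = [], ordered[0], ordered[0]
        for p in ordered[1:]:
            if p == prev + 1:
                prev = p
                continue
            run_list.append((start, prev))
            start = prev = p
        run_list.append((start, prev))
        runs[key] = run_list
    return runs


# (pattern, finding) pairs; {0} is the whole line, {1}.. are capture groups.
WEAK_CHECKS = [
    (re.compile(r"^snmp-server community (public|private)$"),
     "default SNMP community string; change it or disable SNMP"),
    (re.compile(r"^(telnet|ssh) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$"),
     "{1} accepted from any source on interface {2}; restrict to admin hosts"),
    (re.compile(r"^crypto ipsec transform-set \S+ .*esp-des"),
     "single-DES IPsec transform; prefer 3DES/AES where the peers support it"),
    (re.compile(r"^isakmp policy \d+ encryption des$"),
     "single-DES IKE policy; prefer 3DES/AES"),
    (re.compile(r"^access-list \S+ permit ip any host (\S+)$"),
     "all IP protocols from any source allowed to {1}; narrow to the needed ports"),
]


def audit(config):
    """Return (line, finding) pairs for settings a reviewer would question."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        for pattern, msg in WEAK_CHECKS:
            m = pattern.match(line)
            if m:
                findings.append((line, msg.format(m.group(0), *m.groups())))
    return findings


if __name__ == "__main__":
    for key, runs in port_static_groups(SAMPLE_CONFIG).items():
        print(key, runs)
    for line, msg in audit(SAMPLE_CONFIG):
        print(f"{msg}\n    {line}")
```

Run it against a `write net` or `show run` capture saved to a file instead of SAMPLE_CONFIG; it never talks to the firewall, so it is safe to use on a production device's backup. The grouping step deliberately ignores entries whose global and inside ports differ, since those cannot be described as a single range anyway.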
ASKER CERTIFIED SOLUTION
Seamless-IT

This solution is only available to members.
SOLUTION
Les Moore
surbit

ASKER

Hey guys, what is the best way to install the PDM and update the PIX version?  This is a production device, so I want to be careful.  Thanks for the inputs so far.
SOLUTION
surbit

ASKER

Will my current settings be preserved after I do this?
surbit

ASKER

Also where is the link to download the newest PIX and PDM?  I should upgrade the BIN first and then the PDM, right?
surbit

ASKER

One more question, I know how to back up my current PIX config.  I've backed it up to a tftp server.  Can someone tell me how to restore the PIX config from the tftp server?
SOLUTION