PIX firewall 525 configuration

Posted on 2004-10-17
Last Modified: 2013-11-16
I am new to firewalls and I have to configure a PIX 525 firewall for my company.
It has just 2 interfaces. The external IP of the PIX is 199.59.112.15 and the default gateway is 199.59.112.254.
The company has 3 music servers.
Internal IP of the 1st music server is 10.250.170.17 and its external IP is 199.59.112.19
Internal IP of the 2nd music server is 10.250.170.18 and its external IP is 199.59.112.22
Internal IP of the 3rd music server is 10.250.23.17. Its external IP is 199.59.112.18

The IP address of the music network is 67.69.17.168

The ports used by these are ftp, http, tcp-999, udp-20,21,80 and ssh.

Looking forward to your answers

Question by:Kevin_J

Expert Comment

by:lrmoore
ID: 12332472
How much detail do you need? Do you have any familiarity at all with the PIX? Command line? GUI?
Is this a brand-new pix right out of the box, or re-purposed from somewhere else?
Is there any config on it at all yet?
Does every server need the same group of ports open to it?

What IP address do you want to assign the inside interface? 10.250.?
What subnet mask are you using on the inside? Can I assume 255.255.0.0?

Author Comment

by:Kevin_J
ID: 12333204
I just have some familiarity with PIX but not much. It is a brand new PIX. Only the default configurations are there on it. I do believe every server needs the same group of ports open to it because I was given just that much amount of information. I was told that they need to group the servers together in the firewall.

The firewall is connected to a 3550 switch on the inside. On one interface on the switch is a 10.2250.250.0/24 network and on the other interface is an ATM interface router (7206) which receives PVCs from a 10.250.30.0 network with a subnet mask of 255.255.252.0. There will be EIGRP configured between the 3550 switch and the router.

I have to configure all these things myself. I do have only this much information with me right now. Looking forward to your suggestions.

Expert Comment

by:lrmoore
ID: 12333343
Can you verify the OS Version?  6.3(4) is the latest.
If you can follow these directions, it should get you started...

<=== set up the basics
  ip address inside 10.225.250.? 255.255.255.0   <== need to determine what IP address you can use for the PIX inside interface
  ip address outside 199.59.112.15 255.255.255.0  <== need to verify this mask
  route outside 0.0.0.0 0.0.0.0 199.59.112.254
  route inside 10.0.0.0 255.0.0.0 10.225.250.x   <== the IP address of the 3550 switch
  global (outside) 1 interface
  nat (inside) 1 10.0.0.0 255.0.0.0

<=== create static NAT mappings:
  static (inside,outside) 199.59.112.19 10.250.170.17 netmask 255.255.255.255 0 0
  static (inside,outside) 199.59.112.22 10.250.170.19 netmask 255.255.255.255 0 0
  static (inside,outside) 199.59.112.18 10.250.23.17 netmask 255.255.255.255 0

<=== create protocol and server groups
  object-group network SERVERS
    network-object 10.250.23.17 255.255.255.255
    network-object 10.250.170.17 255.255.255.255
    network-object 10.250.170.19 255.255.255.255
  object-group service TCP-Ports tcp
    port-object eq 80
    port-object eq 22
    port-object eq 20
    port-object eq 21
    port-object range 999 999
  object-group network SERVERS_ref
    network-object 199.59.112.18 255.255.255.255
    network-object 199.59.112.19 255.255.255.255
    network-object 199.59.112.22 255.255.255.255

<=== create access-lists to permit inbound service group to access the servers group
  access-list outside_in line 2 permit tcp any object-group SERVERS_ref object-group TCP-Ports

<=== apply access-lists
  access-group outside_in in interface outside

That should get you up and running with basic functionality....

Troubleshooting tools:
   logging on
   logging trap debug
   logging buffer debug
 "show log"
 "show access-list" look for (hitcount= xx)

Author Comment

by:Kevin_J
ID: 12344619
Thank you so much lrmoore for your detailed explanation. It really helped me today when I tried to configure the firewall. The version running is 6.3(3).
I did exactly like you asked me to do except for setting the inside IP address because at the moment I don't have that IP.

One problem I faced is when creating the access-list. I gave the command as you asked me to, but when I looked in show run, the "line 2" in the command was missing. I checked the show access-list and instead of line 2, it was showing line 1 in all the access-lists.

I am not familiar with the access-list in the firewall, so can you explain to me what "line 2" stands for in the access-list and what its purpose is, and also why isn't the firewall accepting the "line 2" in the access-list command?

Another thing I want to know is what the "0" at the end of the static command stands for and why the first two static commands have "0 0" at the end whereas the last static command has only one "0" at the end. If I am right you might have missed putting that.

In the object-group service you put the range as 999 999. What does that mean?

For the servers to be grouped together do I need to use the group-object in the object-group command?

Maybe my doubts may sound very silly, but since I have to do all the configuration myself I felt I should clarify this.

Looking forward to your help.


Accepted Solution

by:lrmoore (earned 500 total points)
ID: 12346241
Sorry to confuse you with the line numbering in the access-list. This is a fairly new feature of the PIX that allows you to insert access-list entries in between others. If you only have one access-list entry, it will be line 1 regardless, so you can leave it off completely when you enter it:

  access-list outside_in permit tcp any object-group SERVERS_ref object-group TCP-Ports

The zeros at the ends of the statics are configurable items (embryonic connections limit, and max connections limit), but in this case, the 0 is default meaning unlimited. If you enter them like this:
  static (inside,outside) 199.59.112.19 10.250.170.17 netmask 255.255.255.255
  static (inside,outside) 199.59.112.22 10.250.170.19 netmask 255.255.255.255
  static (inside,outside) 199.59.112.18 10.250.23.17 netmask 255.255.255.255
When you look at the config, they will look like this:
  static (inside,outside) 199.59.112.19 10.250.170.17 netmask 255.255.255.255 0 0
  static (inside,outside) 199.59.112.22 10.250.170.19 netmask 255.255.255.255 0 0
  static (inside,outside) 199.59.112.18 10.250.23.17 netmask 255.255.255.255 0 0   <== 2nd 0 was cut off in my haste to cut/paste

I used the GUI to create the object groups and pasted the result. When you create a port group for non-standard ports it asks for start and end port.
You can replace the range line
  port-object range 999 999
With this:
  port-object eq 999

You will see two different server groups. One with private IPs and one with their corresponding public IPs. You only really need the group with the public IPs. If you use the PDM GUI, it will create both groups.
You can leave this one out if you want:
  object-group network SERVERS
    network-object 10.250.23.17 255.255.255.255
    network-object 10.250.170.17 255.255.255.255
    network-object 10.250.170.19 255.255.255.255

But keep this one, because it is referenced in the access-list below:
  object-group network SERVERS_ref
    network-object 199.59.112.18 255.255.255.255
    network-object 199.59.112.19 255.255.255.255
    network-object 199.59.112.22 255.255.255.255

  access-list outside_in permit tcp any object-group SERVERS_ref object-group TCP-Ports
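Added here as an editorial example, not PIX code and not the expert's: a small Python checker that parses the static, object-group and access-list lines posted in this thread and confirms that every public address the outside ACL permits has a static to a server the question lists, and that every listed server has one. The intended mapping is taken from the question (10.250.170.18 for the second server); the sample config is the expert's first-post form with its "line 2" ACL and second static, so the check surfaces the inside-address mismatch on 199.59.112.22 that a reader can then correct.

```python
import re
# Intended inside -> public mapping, as the question states it (2nd server is .18).
INTENDED = {"10.250.170.17": "199.59.112.19", "10.250.170.18": "199.59.112.22",
            "10.250.23.17": "199.59.112.18"}

STATIC_RE = re.compile(r"^\s*static \(inside,outside\) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^\s*object-group (?:network|service) (\S+)")
NET_RE = re.compile(r"^\s*network-object (\S+) ")
ACL_RE = re.compile(r"^\s*access-list (\S+)(?: line \d+)? permit tcp any\s+"
                    r"object-group (\S+) object-group (\S+)")

def parse(cfg):
    # statics: public -> inside; groups: group name -> member addresses; acls: (name, net grp, svc grp)
    statics, groups, acls, cur = {}, {}, [], None
    for line in cfg.splitlines():
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)
        elif m := GROUP_RE.match(line):
            cur = m.group(1)
        elif m := NET_RE.match(line):
            groups.setdefault(cur, set()).add(m.group(1))
        elif m := ACL_RE.match(line):
            acls.append(m.groups())
    return statics, groups, acls

def check(cfg, intended=INTENDED):
    """Return a list of findings; an empty list means NAT and ACL agree with the plan."""
    statics, groups, acls = parse(cfg)
    findings = []
    for acl, net_grp, _svc_grp in acls:
        for pub in sorted(groups.get(net_grp, ())):
            if pub not in statics:
                findings.append(f"{acl}: {pub} is permitted inbound but has no static")
            elif intended.get(statics[pub]) != pub:
                findings.append(f"{acl}: {pub} maps to {statics[pub]}, not a planned server")
    for inside, pub in intended.items():
        if statics.get(pub) != inside:
            findings.append(f"planned server {inside} has no static to {pub}")
    return findings

# Sample input: the NAT/group/ACL lines from the expert's first post (constructed copy).
SAMPLE_CFG = """
static (inside,outside) 199.59.112.19 10.250.170.17 netmask 255.255.255.255 0 0
static (inside,outside) 199.59.112.22 10.250.170.19 netmask 255.255.255.255 0 0
static (inside,outside) 199.59.112.18 10.250.23.17 netmask 255.255.255.255 0
object-group network SERVERS_ref
  network-object 199.59.112.18 255.255.255.255
  network-object 199.59.112.19 255.255.255.255
  network-object 199.59.112.22 255.255.255.255
access-list outside_in line 2 permit tcp any  object-group SERVERS_ref object-group TCP-Ports
"""
```

Running `check(SAMPLE_CFG)` reports the 10.250.170.19 static as not a planned server and 10.250.170.18 as lacking a static; the same text with .19 corrected to .18 yields no findings.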

Author Comment

by:Kevin_J
ID: 12361828
Thanks a lot for your detailed information. I have configured the firewall but I have to configure the router and switch before connecting it to the firewall. I will surely be getting back to you for more tips by this weekend. People like you make life easy for me.

Thank you so much and may GOD bless you!!

Expert Comment

by:lrmoore
ID: 12361875
Glad to help!

Author Comment

by:Kevin_J
ID: 12385926


You had given me this command to configure the PIX 525.

  route inside 10.0.0.0 255.0.0.0 10.225.250.x <== the IP address of the 3550 switch

I believe this command is for having a route to the inside network.
The IP address of the 3550 switch is 192.168.248.254/24 and the inside interface of the PIX is 192.168.248.1/24

I am a bit confused about this. Can you please clarify this command in accordance with my scenario in the router/switch section.

Also I would like to know how to set the telnet password on the PIX.

Expert Comment

by:lrmoore
ID: 12386196
Add this to the PIX:
  route inside 10.0.0.0 255.0.0.0 192.168.248.254
  route inside 192.168.249.0 255.255.255.0 192.168.248.254

To reset the PIX telnet password
   passwd  <password>
