Cisco PIX / VLAN configuration question

Posted on 2005-03-21
Medium Priority
Last Modified: 2013-11-16
Ok, fairly basic question here, but I'm a little rusty on the Cisco stuff.  My configuration is

1 Cisco PIX 506 E
1 Cisco Catalyst 2950
2 Servers

1 server has confidential information
1 server hosts websites

I need to assign ~10 external IP addresses to the outside interface of the PIX and forward them to the internal IP addresses on the web server so that the web sites come up.  I need to set up 2 VLANs on the switch, 1 for a DMZ/webserver and 1 for a secure area.

Here's the current configuration of the PIX.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 3.2HMTIj1MApZt5a encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname xxxxx
domain-name xxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.x.x.40
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0 0
route outside 67.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end

Is this a secure configuration?  How do I configure the switch?

Question by:dkuhlman
LVL 19

Expert Comment

ID: 13599409
It's difficult to ascertain exactly how "secure" you want it to be.  At present - no, the PIX is not VERY secure.  Most protocols including ftp are open so it would be wise to be aware of this when you are creating access lists not to open up too much.

To make it more secure you could restrict access for telnet and ssh to just one workstation (I am presuming your is your pc) so you could add:
telnet inside
ssh inside
or even ditch telnet altogether.
To translate your webservers use the following:
static (inside, outside) x.x.x.x y.y.y.y netmask 0 0   where x.x.x.x is the internet address and y.y.y.y is the internal address

You can then create whatever access lists are necessary to control what you are allowing in.

Be careful when creating your access lists as you are allowing these machines to be accessed to a certain capacity from the internet and they are also on your local inside network - generally webservers are placed in protected DMZs away from the more important inside machines.

As regards VLANs, I would advise you read up on the many facets of implementing them and the design behind them - this link gives a good overview and explains what the commands do.


Author Comment

ID: 13599574
That's what I want to do.  Place the webserver in a secure DMZ and have my other server and the PCs in a secured network.  How do I do it?
LVL 19

Expert Comment

ID: 13599719
Sorry - I worded the end of that badly.  I meant that generally webservers are placed in protected DMZs by having them on a separate firewall interface with a relevant security level.  Realistically, a PIX 515E is the straightforward tool for the job as it has an extra interface that can be your safe DMZ.

The reason I forwarded you the VLANs link is that there is much to look at before implementing them.  Do you want your inside network to be able to access these webservers too?  Are there any machines on the network that both your inside PCs and your protected webservers need joint access to? Configuring trunk links etc. if necessary....etc.
I didn't post you line by line config material as we would both spend the day on this forum with tagback questions!
Have a look at the VLAN config link and it should explain how you can work it and probably will give you a better insight on how to tackle this.

Post further queries if I can be of help


Author Comment

ID: 13599876
I had intended on placing the webserver and everything else on separate VLANs.  Will that work?

Author Comment

ID: 13599892
Ok, let me rephrase that last post.  I'd like the webserver on VLAN 1 and everything else on VLAN 2.

Author Comment

ID: 13600381
Ok, how about this.  Let's secure this PIX first.  I'd like to disable all telnet and ssh access.  The only access to the device should be through the http server from the .100 address and the console cable.
LVL 79

Accepted Solution

lrmoore earned 1500 total points
ID: 13600634
> Let's secure this PIX first.  I'd like to disable all telnet and ssh access.  The only access to the device should be through the http server from the .100 address and the console cable.
Done. Unless and until you apply an access subnet to either telnet or ssh, neither one is enabled.
 http inside  <== enables https access from the inside, from this host only
 telnet inside <== this *would* enable telnet from inside, but since you don't have this in the config, telnet access is not enabled. You CANNOT enable telnet access from the outside anyway
 ssh inside <== this *would* enable ssh from this host only

Right out of the box, the PIX is a VERY secure firewall.
This document will explain step-by-step how to set up VLANs on the PIX
LVL 19

Expert Comment

ID: 13601746
Lrmoore is quite correct - the PIX is very secure - I read the config too fast and didn't even notice that telnet was not open for any network - I apologise for sending you wrong.
  To secure http for just that interface you will also need to remove the line
http inside

as you are allowing it to your entire local network
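
The two replies above come down to one check: a `telnet`, `ssh` or `http` line only grants management access when it names a source address and mask, and a mask wider than a single host opens it to a whole network. The following Python audit is an added example, not code from the thread or from Cisco; the sample configuration is constructed and its addresses are placeholders, since the real ones are elided on the page.

```python
import ipaddress
import re

# Constructed sample in PIX 6.3 syntax. The addresses are placeholders,
# not values from the original post (those are elided on the page).
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.100 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
"""

# <service> <source address> <netmask> <interface name>
RULE = re.compile(
    r"^(http|telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def management_access(config):
    """Return one dict per management-access rule found in the config text."""
    rules = []
    for line in config.splitlines():
        # 'telnet timeout 5' and 'http server enable' carry no source
        # address, so they do not match and grant no access.
        m = RULE.match(line.strip())
        if not m:
            continue
        service, addr, mask, ifname = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append({"service": service, "source": str(net),
                      "interface": ifname, "host_only": net.prefixlen == 32})
    return rules


def findings(config):
    """List rules that open management access to more than one host."""
    lines = [l.strip() for l in config.splitlines()]
    http_on = "http server enable" in lines
    out = []
    for r in management_access(config):
        if r["service"] == "http" and not http_on:
            continue  # rule present, but the HTTP server is switched off
        if not r["host_only"]:
            out.append(f'{r["service"] } open to {r["source"]} on {r["interface"]}')
    return out


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_CONFIG)))
```

On the constructed sample it reports only the network-wide `http` line, which is the one the last reply says to remove.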
LVL 79

Expert Comment

ID: 13703257
How's it going?  Do you need more information?
Can you close this question?


Thanks for attending to this open question.

