dkuhlman

asked on

Cisco PIX / VLAN configuration question

Ok, fairly basic question here, but I'm a little rusty on the Cisco stuff.  My configuration is

1 Cisco PIX 506 E
1 Cisco Catalyst 2950
2 Servers

1 server has confidential information
1 server hosts websites

I need to assign ~10 external IP addresses to the outside interface of the PIX and forward them to the internal IP addresses on web server so that the web sites come up.  I need to setup 2 VLANS on the switch, 1 for a DMZ/webserver and 1 for a secure area.


Here's the current configuration of the PIX.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 3.2HMTIj1MApZt5a encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname xxxxx
domain-name xxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names    
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.x.x.40 255.255.255.240
ip address inside 192.168.111.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.111.100 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 67.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.111.100 255.255.255.255 inside
http 192.168.111.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:9f93425abd0c0e68e1719e48731d7480
: end

Is this a secure configuration?  How do I configure the switch?

nodisco

It's difficult to ascertain exactly how "secure" you want it to be.  At present - no, the PIX is not VERY secure.  Most protocols including ftp are open so it would be wise to be aware of this when you are creating access lists not to open up too much.

To make it more secure you could restrict access for telnet and ssh to just one workstation (I am presuming your 192.168.111.100 is your pc) so you could add:
telnet 192.168.111.100 255.255.255.255 inside
ssh 192.168.111.100 255.255.255.255 inside
or even ditch telnet altogether.
To translate your webservers use the following:
static (inside, outside) x.x.x.x y.y.y.y netmask 255.255.255.255 0 0
where x.x.x.x is the internet address and y.y.y.y is the internal address

You can then create whatever access lists are necessary to control what you are allowing in.

Be careful when creating your access lists as you are allowing these machines to be accessed to a certain capacity from the internet and they are also on your local inside network - generally webservers are placed in protected DMZs away from the more important inside machines.

As regards VLANS, I would advise you read up on the many facets of implementing them and the design behind them - this link gives a good overview and explains what the commands do.
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a0080212c3e.html



ASKER

That's what I want to do.  Place the webserver in a secure DMZ and have my other server and the PC's in a secured network.  How do I do it?

Sorry - I worded the end of that badly.  I meant that generally webservers are placed in protected DMZs by having them on a separate firewall interface with a relevant security level.  Realistically, a PIX 515E is the straightforward tool for the job as it has an extra interface that can be your safe DMZ.

The reason I forwarded you the VLANS link is that there is much to look at before implementing them.  Do you want your inside network to be able to access these webservers too?  Are there any machines on the network that both your inside pcs and your protected webservers need joint access to?  Configuring trunk links etc. if necessary...
I didn't post you line by line config material as we would both spend the day on this forum with tagback questions!
Have a look at the vlan config link and it should explain how you can work it and probably will give you a better insight on how to tackle this.

Post further queries if i can be of help

 
I had intended on placing the webserver and everything else on separate VLANS.  Will that work?

Ok, let me rephrase that last post.  I'd like the webserver on VLAN 1 and everything else on VLAN 2.

Ok, how about this.  Let's secure this PIX first.  I'd like to disable all telnet and ssh access.  The only access to the device should be through the http server from the .100 address and the console cable.
ASKER CERTIFIED SOLUTION
Les Moore

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Lrmoore is quite correct - the PIX is very secure - I read the config too fast and didn't even notice that telnet was not open for any network - I apologise for sending you wrong.
To secure http for just that interface you will also need to remove the line
http 192.168.111.0 255.255.255.0 inside

as you are allowing it to your entire local network.
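An added audit script (not from the thread and not a Cisco tool) that applies the checks raised above to a PIX 6.3 config: it parses the http/telnet/ssh access lines and flags any not limited to the single admin host, flags the default SNMP community, and flags static translations that have no access-group applied. The config excerpt is a constructed sample based on the posted config (outside address made up), and the .100 admin PC is assumed from the question.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted PIX 6.3 config; outside address is made up.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.40 255.255.255.240
ip address inside 192.168.111.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
http server enable
http 192.168.111.100 255.255.255.255 inside
http 192.168.111.0 255.255.255.0 inside
snmp-server community public
telnet timeout 5
ssh timeout 5
"""

MGMT_CMDS = ("http", "telnet", "ssh")
ADMIN_HOST = ipaddress.ip_network("192.168.111.100/32")  # assumed admin PC (the .100 address)
# Matches management access lines such as "http 192.168.111.0 255.255.255.0 inside";
# "http server enable" and "ssh timeout 5" deliberately do not match.
_ACCESS_RE = re.compile(r"^(http|telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")

def parse_mgmt_access(config):
    """Return {cmd: [(network, interface), ...]} for http/telnet/ssh access lines."""
    access = {cmd: [] for cmd in MGMT_CMDS}
    for line in config.splitlines():
        m = _ACCESS_RE.match(line.strip())
        if m:
            cmd, addr, mask, ifname = m.groups()
            access[cmd].append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), ifname))
    return access

def audit(config, admin_host=ADMIN_HOST):
    """Return a list of findings about management-plane and inbound exposure."""
    findings = []
    for cmd, entries in parse_mgmt_access(config).items():
        for net, ifname in entries:
            if net != admin_host:  # anything wider than the single admin host is a finding
                findings.append(f"{cmd} allowed from {net} on {ifname}; restrict to {admin_host}")
    lines = [l.strip() for l in config.splitlines()]
    if any(l.startswith("snmp-server community public") for l in lines):
        findings.append("snmp community 'public' is the well-known default; change or remove it")
    # A static alone does not admit outside traffic on PIX; an access-list bound with
    # access-group must permit the published ports, so publish the ACL with the static.
    if any(l.startswith("static (") for l in lines) and not any(l.startswith("access-group ") for l in lines):
        findings.append("static translations present but no access-group applied; add an explicit ACL")
    return findings
```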
How's it going?  Do you need more information?
Can you close this question?

https://www.experts-exchange.com/help.jsp#hs5

Thanks for attending to this open question.

<-8}