
Cisco PIX / VLAN configuration question

Ok, fairly basic question here, but I'm a little rusty on the Cisco stuff.  My configuration is

1 Cisco PIX 506 E
1 Cisco Catalyst 2950
2 Servers

1 server has confidential information
1 server hosts websites

I need to assign ~10 external IP addresses to the outside interface of the PIX and forward them to the internal IP addresses on the web server so that the web sites come up.  I need to set up 2 VLANs on the switch, 1 for a DMZ/webserver and 1 for a secure area.

Here's the current configuration of the PIX.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 3.2HMTIj1MApZt5a encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname xxxxx
domain-name xxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.x.x.40
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0 0
route outside 67.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end

Is this a secure configuration?  How do I configure the switch?

1 Solution
It's difficult to ascertain exactly how "secure" you want it to be.  At present - no, the PIX is not VERY secure.  Most protocols including ftp are open so it would be wise to be aware of this when you are creating access lists not to open up too much.

To make it more secure you could restrict access for telnet and ssh to just one workstation (I am presuming your is your pc) so you could add:
telnet inside
ssh inside
or even ditch telnet altogether.
To translate your webservers use the following:
static (inside, outside) x.x.x.x y.y.y.y netmask 0 0   where x.x.x.x is the internet address and y.y.y.y is the internal address

You can then create whatever access lists are necessary to control what you are allowing in.

Be careful when creating your access lists as you are allowing these machines to be accessed to a certain capacity from the internet and they are also on your local inside network - generally webservers are placed in protected DMZs away from the more important inside machines.

As regards VLANs, I would advise you read up on the many facets of implementing them and the design behind them - this link gives a good overview and explains what the commands do.
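The expert's recipe above (a static per public address, then an access list that only opens what is needed) is easy to get wrong when ~10 addresses are involved. The following generator is an added example, not code from the thread; it assumes the PIX 6.x command forms `static (inside,outside) <global> <local> netmask 255.255.255.255 0 0`, `access-list <name> permit tcp any host <global> eq <port>` and `access-group <name> in interface outside`, and the addresses and the `outside_in` list name are constructed placeholders rather than the poster's real values.

```python
"""Generate PIX 6.x static translations and the inbound access list for
public addresses that are forwarded to web server addresses inside.

Added example, not from the thread. It assumes the PIX 6.x command forms
  static (inside,outside) <global> <local> netmask 255.255.255.255 0 0
  access-list <name> permit tcp any host <global> eq <port>
  access-group <name> in interface outside
The address values are constructed placeholders (203.0.113.0/24 is a
documentation range), not the poster's real addresses.
"""
import ipaddress

# RFC 1918 space: where the inside (local) side of a static should live.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def build_web_forwarding(mappings, acl_name="outside_in", ports=(80, 443)):
    """Return config lines for each (global_ip, local_ip) pair.

    Rejects a global address mapped twice (two statics cannot claim the
    same global address) and a local address outside RFC 1918, which is
    the usual sign that the global and local columns were swapped.
    Only the listed TCP ports are opened; everything else from the
    internet toward the statics stays denied by the implicit deny.
    """
    statics, acl, seen = [], [], set()
    for global_ip, local_ip in mappings:
        glob = ipaddress.ip_address(global_ip)
        loc = ipaddress.ip_address(local_ip)
        if glob in seen:
            raise ValueError(f"global address {glob} is mapped twice")
        seen.add(glob)
        if not any(loc in net for net in RFC1918):
            raise ValueError(f"local address {loc} is not RFC 1918; columns swapped?")
        statics.append(
            f"static (inside,outside) {glob} {loc} netmask 255.255.255.255 0 0")
        for port in ports:
            acl.append(f"access-list {acl_name} permit tcp any host {glob} eq {port}")
    # Without the access-group the statics exist but nothing inbound matches,
    # so the list is bound inbound on the outside interface as the last step.
    return statics + acl + [f"access-group {acl_name} in interface outside"]


if __name__ == "__main__":
    # Constructed sample: two public addresses, two web server addresses.
    sample = [("203.0.113.41", "192.168.1.10"), ("203.0.113.42", "192.168.1.11")]
    print("\n".join(build_web_forwarding(sample)))
```

The trailing `0 0` on each static are the connection and embryonic-connection limits (unlimited); the `ports` tuple is the place to keep the list narrow, which is the point the answer makes about not opening up too much.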

dkuhlman (Author) Commented:
That's what I want to do.  Place the webserver in a secure DMZ and have my other server and the PCs in a secured network.  How do I do it?
Sorry - I worded the end of that badly.  I meant that generally webservers are placed in protected DMZs by having them on a separate firewall interface with a relevant security level.  Realistically, a PIX 515E is the straightforward tool for the job as it has an extra interface that can be your safe DMZ.

The reason I forwarded you the VLANs link is that there is much to look at before implementing them.  Do you want your inside network to be able to access these webservers too?  Are there any machines on the network that both your inside PCs and your protected webservers need joint access to?  Configuring trunk links etc. if necessary...
I didn't post you line by line config material as we would both spend the day on this forum with tagback questions!
Have a look at the vlan config link and it should explain how you can work it and probably will give you a better insight on how to tackle this.

Post further queries if I can be of help


dkuhlman (Author) Commented:
I had intended on placing the webserver and everything else on separate VLANs.  Will that work?
dkuhlman (Author) Commented:
Ok, let me rephrase that last post.  I'd like the webserver on VLAN 1 and everything else on VLAN 2.
dkuhlman (Author) Commented:
Ok, how about this.  Let's secure this PIX first.  I'd like to disable all telnet and ssh access.  The only access to the device should be through the http server from the .100 address and the console cable.
> Let's secure this PIX first.  I'd like to disable all telnet and ssh access.  The only access to the device should be through the http server from the .100 address and the console cable.
Done. Unless and until you apply an access subnet to either telnet or ssh, neither one is enabled.
 http inside  <== enables https access from the inside, from this host only
 telnet inside <== this *would* enable telnet from inside, but since you don't have this in the config, telnet access is not enabled. You CANNOT enable telnet access from the outside anyway
 ssh inside <== this *would* enable ssh from this host only

Right out of the box, the PIX is a VERY secure firewall.
This document will explain step-by-step how to set up VLANs on the PIX
Lrmoore is quite correct - the PIX is very secure - I read the config too fast and didn't even notice that telnet was not open for any network - I apologise for sending you wrong.
  To secure http for just that interface you will also need to remove the line
http inside

as you are allowing it to your entire local network
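The two points made in the last few replies (telnet and ssh are only reachable once an explicit `<proto> <ip> <mask> <iface>` statement exists, and an `http` statement with a network mask opens PDM to that whole network instead of one host) can be checked mechanically before a config goes live. The auditor below is an added example, not code from the thread or from Cisco; it runs over a constructed sample config with placeholder addresses, since the poster's own addresses are masked on the page, and also flags the default SNMP community that appears in the posted config.

```python
"""Audit the management-access posture of a PIX 6.x configuration.

Added example, not from the thread. It encodes the rules discussed above:
  - telnet/ssh/http are reachable only where a "<proto> <ip> <mask> <iface>"
    statement exists; no statement means the service is not enabled;
  - an http (PDM) statement whose mask covers more than one host opens
    management to that whole network;
  - "snmp-server community public" is the default community string.
SAMPLE_CONFIG is constructed with documentation/private placeholder
addresses; it is not the poster's real config.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.40 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.100 255.255.255.255 inside
snmp-server community public
telnet timeout 5
ssh timeout 5
"""

# Matches only the access-granting form, not "telnet timeout 5" or "http server enable".
ACCESS_RE = re.compile(
    r"^(?P<proto>http|telnet|ssh)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)\s*$"
)
SNMP_RE = re.compile(r"^snmp-server community (\S+)")


def parse_mgmt_access(config):
    """Map each management protocol to the (network, interface) pairs allowed to reach it."""
    access = {"http": [], "telnet": [], "ssh": []}
    for line in config.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['ip']}/{m['mask']}", strict=False)
            access[m["proto"]].append((net, m["iface"]))
    return access


def audit(config):
    """Return a list of (area, detail) findings for over-broad management access."""
    findings = []
    for proto, entries in parse_mgmt_access(config).items():
        # An empty list means no access statement, i.e. the service is not enabled.
        for net, iface in entries:
            if net.num_addresses > 1:
                findings.append((proto, f"allowed from entire network {net} on {iface}"))
    for line in config.splitlines():
        m = SNMP_RE.match(line.strip())
        if m and m.group(1) in ("public", "private"):
            findings.append(("snmp", f"default community string '{m.group(1)}'"))
    return findings


if __name__ == "__main__":
    for area, detail in audit(SAMPLE_CONFIG):
        print(f"{area}: {detail}")
```

Run against the sample, the auditor stays silent about telnet and ssh (no access statements, so neither is enabled, as the reply above says) and reports the /24 `http` line and the `public` community; the single-host `http` line for .100 is the one that should remain.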
How's it going?  Do you need more information?
Can you close this question?


Thanks for attending to this open question.

