restore pix-501 from Backup

Posted on 2005-04-09
Last Modified: 2010-05-18
Maybe I should start from the beginning.

I am the new tech at my company and I need to make some changes to the PIX-501 and I am very green in Cisco. I have figured out how to get into the configuration of the PIX and I need to make some changes. For instance... I need to remove a pdm location, change passwords, and remove outside access from a specific external group of IP addresses. A backup of the current configuration exists in the form of a text file. Is it possible to just remove the entries for the external access and restore from backup? If so, how would I go about that... if not, what do I need to do to make these changes? If you need a copy of the current config to understand what I mean please let me know. Thanks
Question by:Bill Warren
Expert Comment

by:lrmoore
ID: 13746771
Unless you manually save the changes that you make, a simple reboot of the PIX will restore the config to the last saved state.
Save it now as it is. Make all the changes you want. If everything works the way you want, then and only then save the config.
Save =
PIX#write mem

Author Comment

by:Bill Warren
ID: 13749037
Thanks...
Unfortunately I only know how to get "TO" the config screen using telnet. I don't really know how to change the passwords and remove the unwanted entries. If I could get the commands to remove the specific entries I'd be extremely appreciative. I'll paste the list here and place "###" in front of the lines I wish to remove or in fact specifically block, and "***" in front of the lines I wish to change. Also please let me know if you see any real security problems if possible. Sorry, I'm very new at this. Also FYI I do know the current passwords to change so there is no problem there.... yet

: Saved

: Written by enable_15 at 09:29:33.605 UTC Wed Dec 8 2004

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
***enable password 48bO5AdT5HkzmGuR encrypted
***passwd LAACGbd.fuQHjz5J encrypted
hostname fw-p501
domain-name afsfire.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq pcanywhere-status
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq domain
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq domain
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 2604
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 2604
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq aol
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 5190
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 5131
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 5131
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 5631
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 5632
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 5900
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 5900
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 2512
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 2512
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 2513
access-list outside permit udp any 64.60.8.160 255.255.255.224 eq 2513
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq pcanywhere-data
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq ssh
access-list outside permit icmp any any
access-list outside permit tcp any host 64.60.8.162 eq smtp
access-list outside permit tcp any host 64.60.8.162 eq pop3
access-list outside permit tcp any host 64.60.8.162 eq ftp
access-list outside permit tcp any host 64.60.8.162 eq www
access-list outside permit tcp any host 64.60.8.162 eq 8080
access-list outside permit tcp any host 64.60.8.162 eq https
pager lines 24
logging on
logging monitor debugging
logging buffered critical
logging trap informational
logging host inside 10.10.10.200 17/1514
mtu outside 1500
mtu inside 1500
ip address outside 64.60.8.190 255.255.255.224
ip address inside 10.10.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.200 255.255.255.255 inside
###pdm location 216.112.212.0 255.255.255.0 outside
pdm location 10.10.10.217 255.255.255.255 inside
pdm location 10.10.10.192 255.255.255.224 inside
pdm location 10.10.10.250 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.60.8.162 10.10.10.250 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.163 10.10.10.200 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.164 10.10.10.12 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.165 10.10.10.14 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.166 10.10.10.251 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.167 10.10.10.16 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.168 10.10.10.34 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.169 10.10.10.25 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 64.60.8.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
###http 216.112.212.0 255.255.255.0 outside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
###tftp-server outside 216.112.212.70 \
floodguard enable
###telnet 216.112.212.0 255.255.255.0 outside
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 30
###ssh 216.112.212.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.10.10.220-10.10.10.249 inside
dhcpd dns 64.60.0.17 64.60.0.18
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain afsfire.com
dhcpd auto_config outside
dhcpd enable inside
***username h____r password quqn8c9NEB10gV59 encrypted privilege 15
terminal width 80
banner exec _________
banner login BEWARE! All access is logged and inrusion is prosecuted to the fullest extent of the law!
cryptochecksum:3c396ca71a23df41f02f01429d62f41e
: end

Expert Comment

by:lrmoore
ID: 13749104
pixfirewall#config term
pixfirewall(config)#

***enable password 48bO5AdT5HkzmGuR encrypted
pixfirewall(config)#enable password <newpassword>
--- overwrites existing password --

***passwd LAACGbd.fuQHjz5J encrypted
pixfirewall(config)#passwd <newpassword>
--- overwrites existing password --

***username h____r password quqn8c9NEB10gV59 encrypted privilege 15
pixfirewall(config)#no username h____r
pixfirewall(config)#username h___r password <password>
--- delete with "no" then create a new username/password entry --

###pdm location 216.112.212.0 255.255.255.0 outside
pixfirewall(config)#no pdm location 216.112.212.0 255.255.255.0 outside
-- simply use "no" in front of any line that you want to remove --

###http 216.112.212.0 255.255.255.0 outside
pixfirewall(config)#no http 216.112.212.0 255.255.255.0 outside

###tftp-server outside 216.112.212.70 \
pixfirewall(config)#no tftp-server outside 216.112.212.70 \

###telnet 216.112.212.0 255.255.255.0 outside
pixfirewall(config)#no telnet 216.112.212.0 255.255.255.0 outside

###ssh 216.112.212.0 255.255.255.0 outside
pixfirewall(config)#no ssh 216.112.212.0 255.255.255.0 outside

>access-list outside permit udp any 64.60.8.160 255.255.255.224 eq pcanywhere-status
>access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq domain
>access-list outside permit udp any 64.60.8.160 255.255.255.224 eq domain
>access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 2604
<etc>
It appears that all of the access-list entries that permit traffic in to 64.60.8.160 are OBE because you have no static entry for any inside local host to be natted to that public IP address


Author Comment

by:Bill Warren
ID: 13749311
LRMOORE!

Thanks a ton! All of the commands worked except the pdm line. When I typed that particular line I get

Usage: (and then all of the possible uses of the command). One that looks similar to what I need is "clear pdm [location|group|logging]", which I have tried; however, I don't know what the group and logging are. Either way, is there maybe some reason why "pixfirewall(config)#no pdm 216.112.212.0 255.255.255.0 outside" would not work? Also, this is my first question; at what time should I click the accept button, when I'm finished with the question or after every comment? Thanks for the help again. I'm glad to have joined the community! Also, by the way, the 64.60.8.160 is the IP subnet where my first usable IP is 162... do you mean that these lines should not be here?

Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 13749433
Not to worry. The PDM entry is only used by the GUI anyway. If you use the web gui, you can go into hosts/networks and delete that host. It has absolutely no other use than a host entry for the GUI.

Once you accept, you basically close out the question. If you're comfortable that we have covered your original question, then the thing to do is accept. If you have follow-on questions, simply post new ones.

Since .160 is the subnet-- yeah, I missed that first time 'round -- then do you really want to open up ALL of the hosts that you have statics for to those three ports? I don't think you do. You want to be as selective as possible.

How about closing this one out and open a new question "Help review PIX ACLS"

Thanks!
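An audit script added here by the editor (not lrmoore's or Bill's code) that mechanises lrmoore's two observations about the posted access-list: each permit line's destination is cross-checked against the static entries, so a line that reaches no static is flagged OBE and a /27 destination that reaches every static at once is flagged BROAD. It assumes only the ACL shapes used in the posted config and runs over a constructed excerpt embedded inline (the 64.60.8.170 line is made up to show the OBE case).

```python
import ipaddress
import re

# Constructed excerpt in the style of the PIX 6.3 config posted above. The /27
# lines, the .162 host line and the statics are from that config; the
# 64.60.8.170 line is made up (no matching static) to show the "OBE" case.
CONFIG = """
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq ssh
access-list outside permit tcp any 64.60.8.160 255.255.255.224 eq 5900
access-list outside permit tcp any host 64.60.8.162 eq smtp
access-list outside permit tcp any host 64.60.8.170 eq www
static (inside,outside) 64.60.8.162 10.10.10.250 netmask 255.255.255.255 0 0
static (inside,outside) 64.60.8.163 10.10.10.200 netmask 255.255.255.255 0 0
"""

# Only the 'permit <proto> any <dst> eq <port>' shape used in the posted config
# is parsed; other forms (e.g. 'permit icmp any any') are skipped.
ACL_RE = re.compile(
    r"^access-list \S+ permit (\S+) any (?:host (\S+)|(\S+) (\S+)) eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")


def parse(config):
    """Return ([(line, proto, dst_network, port)], {public_ip: inside_ip})."""
    acls, statics = [], {}
    for line in config.strip().splitlines():
        m = ACL_RE.match(line)
        if m:
            proto, host, net, mask, port = m.groups()
            dst = ipaddress.ip_network(f"{host}/32" if host else f"{net}/{mask}")
            acls.append((line, proto, dst, port))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics[ipaddress.ip_address(m.group(1))] = m.group(2)
    return acls, statics


def audit(config):
    """Classify each permit line by the static-NAT'd inside hosts it reaches:
    OBE = no static behind the destination, so the line permits nothing useful;
    BROAD = a subnet destination exposing several statics on that port;
    OK = exactly one inside host is reached."""
    acls, statics = parse(config)
    findings = []
    for line, proto, dst, port in acls:
        exposed = sorted(f"{pub}->{priv}" for pub, priv in statics.items()
                         if pub in dst)
        verdict = "OBE" if not exposed else "BROAD" if len(exposed) > 1 else "OK"
        findings.append((verdict, f"{proto}/{port}", exposed, line))
    return findings
```

Run it over the full posted config and every /27 line comes back BROAD, which is the "as selective as possible" point above: tighten each of those to `host` entries for only the inside servers that actually need the port.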