Cisco PIX 515 with DMZ setup

I am planning to replace an IPCop (linux) firewall with a Cisco PIX 515 with DMZ, and need some assistance to what has to be set up to achieve the following:

- Outside public IP 84.x.x.150, subnet 255.255.255.252, default gw 84.x.x.149
- Inside IP's (official) in 217.x.x.128 network (addresses 129->), subnet 255.255.255.192, gw 217.x.x.129
- Servers in DMZ with certain ports open (smtp, ssl, ftp, http, https, pop, imap), all official IP's in here too (217.x.x.225->), subnet 255.255.255.224, gw. 217.x.x.225. DMZ servers available from both outside and inside.
- I do NOT want NAT on the inside, all hosts on the inside have to get all incoming traffic unless specifically blocked (severe problems with IP telephony on the current NAT'ed hosts)
- VPN from outside to reach inside hosts (217.x.x.128 network) with access to PDM from VPN hosts.

- Now use a PIX501 inside DMZ for VPN to management network (192.168.1.x), has to have ALL traffic allowed through to it.... (Maybe this could be eliminated, and use a separate VPN setup for this in the 515?). The hosts between the PIX should have access to the Internet (UPSes and other devices that send emails)

- Traffic logging to MRTG

Might be some things I have forgotten, please request any missing info and feel free to suggest changes if necessary.
Hopefully this will get us started...? :)
realfoh Asked:

lrmoore Commented:
>access-list Internet_access_in extended permit ip any any
Sort of defeats the whole purpose of a firewall, don't you think?

>access-list Internet_access_out extended permit ip any any
>access-group Kunder_access_in in interface Kunder
>access-group Kunder_access_out out interface Kunder

No acl is required for outbound access. You are complicating matters without reason by adding "permit any any" in both directions on all interfaces.

Remove all access groups on all interfaces for now.

I can't tell which interface is which since you did not post the interface information. Where are the VPN clients? Are they coming into interface Kunder, or interface Internet?
>isakmp enable Kunder
I would expect the VPN clients to come in through Internet interface. VPN clients do not normally attach from the Inside
>VPN Client log:
Again, where is this client in physical relation to this PIX? It must be on the Kunder interface since that is where you applied the crypto map and enabled Isakmp...

>access-list DMZ_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.240
You should not use "any" in nat0 statements. You did not post your interface IPs so I can't really tell, but suggest something more like this:
  access-list DMZ_nat0_outbound extended permit ip <DMZ subnet> <mask> 172.16.1.0 255.255.255.240

Your VPN client will only be able to access DMZ hosts, and then only if the DMZ hosts point to the local PIX's DMZ IP address as their default gateway.

I don't see your section of the config for:
   group-policy DfltGrpPolicy attributes


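As an added example (not from the thread or from either participant), a small Python lint that runs the review points above against an excerpt of the config posted later in this thread: wide-open ACLs bound to interfaces, outbound access-groups, a nat0 ACL with "any" as source, and ISAKMP enabled on an interface other than the one holding the default route. The interface and ACL names are the poster's; the addresses are the masked placeholders as posted.

```python
import re

# Constructed excerpt of the PIX 7.x config posted in this thread (names as
# posted; the poster's masked addresses kept as placeholders).
PIX_CONFIG = """\
access-list Internet_access_in extended permit ip any any
access-list DMZ_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.240
access-list Kunder_access_in extended permit ip any any
access-list DMZ_access_out extended permit ip any any
nat (DMZ) 0 access-list DMZ_nat0_outbound
access-group Internet_access_in in interface Internet
access-group DMZ_access_out out interface DMZ
access-group Kunder_access_in in interface Kunder
route Internet 0.0.0.0 0.0.0.0 84.*.*.149 1
isakmp enable Kunder
"""

def audit_pix(config):
    """Return (rule, detail) findings for the pitfalls raised in the review."""
    findings = []
    wide_open = set()   # ACL names containing 'permit ip any any'
    any_src = set()     # ACL names whose 'permit ip' entry has 'any' as source
    default_if = None   # interface that carries the default route
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended permit ip any (\S+)", line)
        if m:
            any_src.add(m.group(1))
            if m.group(2) == "any":
                wide_open.add(m.group(1))
        m = re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", line)
        if m:
            default_if = m.group(1)
    for line in config.splitlines():
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)", line)
        if m:
            acl, direction, iface = m.groups()
            if acl in wide_open:
                findings.append(("wide-open-acl", f"{acl} bound {direction} on {iface}"))
            if direction == "out":
                findings.append(("outbound-acl", f"{acl} on {iface}: default already permits higher->lower"))
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if m and m.group(2) in any_src:
            findings.append(("nat0-any-source", f"{m.group(2)} should name the {m.group(1)} subnet, not any"))
        m = re.match(r"isakmp enable (\S+)", line)
        if m and default_if and m.group(1) != default_if:
            findings.append(("isakmp-wrong-if", f"enabled on {m.group(1)}, default route is via {default_if}"))
    return findings

if __name__ == "__main__":
    for rule, detail in audit_pix(PIX_CONFIG):
        print(f"{rule}: {detail}")
```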
lrmoore Commented:
Awful big task for one question. Why don't we start with basics?
What version of PIX OS? Highly suggest starting out by upgrading to 7.1 and ASDM GUI
The ASDM has excellent, extensive context-sensitive help pages available.

- Outside public IP 84.x.x.150, subnet 255.255.255.252, default gw 84.x.x.149
- Inside IP's (official) in 217.x.x.128 network (addresses 129->), subnet 255.255.255.192, gw 217.x.x.129
    Open ASDM, connect to the PIX and now on the Configuration page, set the interface IP's/masks and check 'enable interface'

- I do NOT want NAT on the inside, all hosts on the inside have to get all incoming traffic unless specifically blocked (severe problems with IP telephony on the current NAT'ed hosts)
   Select NAT configuration, at the top will be a checkbox [] Enable traffic through the firewall without address translation - check it
and it adds the global command "no nat control"

- Servers in DMZ with certain ports open (smtp, ssl, ftp, http, https, pop, imap), all official IP's in here too (217.x.x.225->), subnet 255.255.255.224, gw. 217.x.x.225. DMZ servers available from both outside and inside.
In the Security Policy configuration pane - Add an access-rule and choose action: permit, apply to incoming to src
Source Host (*) IP address, interface outside, ip 0.0.0.0 mask 0.0.0.0
Destination host (*) IP address, interface: dmz, ip address 217.x.x.225 (example), Mask: 255.255.255.255 (host mask)
Select the protocol and service - source port - any, destination port = smtp | ssl | ftp, etc (whatever port you want to allow to this host).
You can select [Manage Service Groups..] button and create a service group that includes multiple ports, then apply that service group to the Destination port.

- VPN from outside to reach inside hosts (217.x.x.128 network)
Use Wizards (at very top menu), VPN Wizard, and create your access VPN policies for remote access. Use a different IP subnet for the client pool (can be private IP, no problems)

- VPN  with access to PDM from VPN hosts.
In Configuration | Properties, expand Device Access, select HTTPS/ASDM, Add your VPN client pool subnet as allowed access

"The HTTPS/ASDM panel provides a table that specifies the addresses of all the hosts or networks that are allowed access to the ASDM using HTTPS. You can use this table to add or change the hosts or networks that are allowed access."

In Configuration | Properties, Expand Device Administration, Management access, select the inside interface and Apply.

"The Management Access panel lets you enable or disable management access on a high-security interface and thus lets you perform management functions on the security appliance. With management access enabled, you can run ASDM on an internal interface with a fixed IP address over an IPSec VPN tunnel. Use this feature if VPN is configured on the security appliance and the external interface is using a dynamically assigned IP address. For example, this feature is helpful for accessing and managing the security appliance securely from home using the VPN client."

- Traffic logging to MRTG
MRTG is dependent on SNMP, so Configuration | Properties | Device Administration, SNMP
Set the community string (please don't leave it at the default "public" - treat this as a password)
Add a snmp management station. Use the IP address of the MRTG poller and location relative to the interface (inside?) and same community string you set on the main page.

- Now use a PIX501 inside DMZ for VPN to management network (192.168.1.x),
Suggest just using another 3rd interface on the PIX515 for access to this subnet, or if your LAN switches support VLAN's, you can create a logical VLAN sub-interface.

realfoh (Author) Commented:
What security level should be used on the "inside" interface? If I use 100, everything will be blocked from the outside, unless allowed in an access list, right?
lrmoore Commented:
Security levels for Outside = 0 and Inside = 100
These cannot be changed.

>If I use 100, everything will be blocked from the outside, unless allowed in an access list, right?
Correct. By default, all traffic is allowed out from higher --> lower. Use access-lists only to restrict outbound traffic
All traffic is blocked lower --> higher. You need access-lists to permit unsolicited inbound traffic like for your www and email services. No access list entries are required for returning traffic from an outbound request, except for icmp.
All icmp is blocked through the pix by default and you must allow returning echo-replies in through the outside interface.

realfoh (Author) Commented:
I think I'll turn things around, and allow everything through to the "inside" - ISP customers, and add rules for what I want to block...
I'll use 100 for DMZ, and have access-lists to allow necessary traffic through...
realfoh (Author) Commented:
Again, VPN is giving me a headache...
I used the VPN wizard, but no connection.
Pretty sure I'm missing some access rules - and probably something else too...

Current config:

ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Tjenester tcp
 port-object eq imap4
 port-object eq domain
 port-object eq ssh
 port-object eq smtp
 port-object eq pop3
 port-object eq 3306
 port-object eq www
 port-object eq ftp
 port-object eq https
access-list Internet_access_in extended permit ip any any
access-list DMZ_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.240
access-list Kunder_cryptomap_dyn_20 extended permit ip any 172.16.1.0 255.255.255.240
access-list Kunder_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list Kunder_access_out extended permit ip any any
access-list Internet_access_out extended permit ip any any
pager lines 24
logging asdm informational
mtu Internet 1500
mtu DMZ 1500
mtu Kunder 1500
ip local pool VPN-inn 172.16.1.1-172.16.1.14 mask 255.255.255.240
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
nat (DMZ) 0 access-list DMZ_nat0_outbound
access-group Internet_access_in in interface Internet
access-group Internet_access_out out interface Internet
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group Kunder_access_in in interface Kunder
access-group Kunder_access_out out interface Kunder
route Internet 0.0.0.0 0.0.0.0 84.*.*.149 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy BUSOVPN internal
group-policy BUSOVPN attributes
 dns-server value **********************
username realf password ********** encrypted privilege 0
username realf attributes
 vpn-group-policy BUSOVPN
http server enable
http ******** 255.255.255.255 Internet
http 192.168.1.0 255.255.255.0 DMZ
http ******* 255.255.255.224 DMZ
http ******* 255.255.255.255 Kunder
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map Kunder_dyn_map 20 match address Kunder_cryptomap_dyn_20
crypto dynamic-map Kunder_dyn_map 20 set transform-set ESP-DES-SHA
crypto map Kunder_map 65535 ipsec-isakmp dynamic Kunder_dyn_map
crypto map Kunder_map interface Kunder
isakmp enable Kunder
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group BUSOVPN type ipsec-ra
tunnel-group BUSOVPN general-attributes
 address-pool VPN-inn
 default-group-policy BUSOVPN
tunnel-group BUSOVPN ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50

VPN Client log:

1      23:12:56.843  04/25/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 84.*.*.150.

2      23:12:56.859  04/25/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 84.*.*.150

3      23:12:56.859  04/25/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

4      23:12:56.859  04/25/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

5      23:13:02.296  04/25/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

6      23:13:02.296  04/25/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 84.*.*.150

7      23:13:07.296  04/25/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

8      23:13:07.296  04/25/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 84.*.*.150

9      23:13:12.296  04/25/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

10     23:13:12.296  04/25/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 84.*.*.150

11     23:13:17.296  04/25/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=72FD0E15C2F25033 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

12     23:13:17.796  04/25/06  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=72FD0E15C2F25033 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

13     23:13:17.812  04/25/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

14     23:13:17.812  04/25/06  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

15     23:13:17.828  04/25/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

16     23:13:17.828  04/25/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

17     23:13:17.828  04/25/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

18     23:13:17.828  04/25/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped