Solved

Cisco PIX 515 with DMZ setup

Posted on 2006-04-13
Last Modified: 2007-12-19
I am planning to replace an IPCop (Linux) firewall with a Cisco PIX 515 with DMZ, and need some assistance as to what has to be set up to achieve the following:

- Outside public IP 84.x.x.150, subnet 255.255.255.252, default gw 84.x.x.149
- Inside IPs (official) in the 217.x.x.128 network (addresses 129->), subnet 255.255.255.192, gw 217.x.x.129
- Servers in DMZ with certain ports open (smtp, ssl, ftp, http, https, pop, imap), all official IP's in here too (217.x.x.225->), subnet 255.255.255.224, gw. 217.x.x.225. DMZ servers available from both outside and inside.
- I do NOT want NAT on the inside, all hosts on the inside have to get all incoming traffic unless specifically blocked (severe problems with IP telephony on the current NAT'ed hosts)
- VPN from outside to reach inside hosts (217.x.x.128 network) with access to PDM from VPN hosts.

- I now use a PIX501 inside the DMZ for VPN to the management network (192.168.1.x), which has to have ALL traffic allowed through to it.... (Maybe this could be eliminated, and a separate VPN setup used for this in the 515?) The hosts between the PIX should have access to the Internet (UPSes and other devices that send emails)

- Traffic logging to MRTG

Might be some things I have forgotten, please request any missing info and feel free to suggest changes if necessary.
Hopefully this will get us started...? :)
Question by:realfoh

6 Comments

Expert Comment

by:lrmoore
ID: 16460792
Awful big task for one question. Why don't we start with basics?
What version of PIX OS? I highly suggest starting out by upgrading to 7.1 and the ASDM GUI.
The ASDM has excellent, extensive context-sensitive help pages available.

- Outside public IP 84.x.x.150, subnet 255.255.255.252, default gw 84.x.x.149
- Inside IPs (official) in the 217.x.x.128 network (addresses 129->), subnet 255.255.255.192, gw 217.x.x.129
    Open ASDM, connect to the PIX, and on the Configuration page set the interface IPs/masks and check 'enable interface'.

- I do NOT want NAT on the inside, all hosts on the inside have to get all incoming traffic unless specifically blocked (severe problems with IP telephony on the current NAT'ed hosts)
   Select NAT configuration, at the top will be a checkbox [] Enable traffic through the firewall without address translation - check it
and it adds the global command "no nat control"

- Servers in DMZ with certain ports open (smtp, ssl, ftp, http, https, pop, imap), all official IP's in here too (217.x.x.225->), subnet 255.255.255.224, gw. 217.x.x.225. DMZ servers available from both outside and inside.
In the Security Policy configuration pane, add an access rule and choose action: permit, applied to incoming traffic:
Source Host (*) IP address, interface outside, ip 0.0.0.0 mask 0.0.0.0
Destination host (*) IP address, interface: dmz, ip address 217.x.x.225 (example), Mask: 255.255.255.255 (host mask)
Select the protocol and service - source port - any, destination port = smtp | ssl | ftp, etc (whatever port you want to allow to this host).
You can select [Manage Service Groups..] button and create a service group that includes multiple ports, then apply that service group to the Destination port.

- VPN from outside to reach inside hosts (217.x.x.128 network)
Use Wizards (at very top menu), VPN Wizard, and create your access VPN policies for remote access. Use a different IP subnet for the client pool (can be private IP, no problems)

- VPN  with access to PDM from VPN hosts.
In Configuration | Properties, expand Device Access, select HTTPS/ASDM, and add your VPN client pool subnet as allowed access.

"The HTTPS/ASDM panel provides a table that specifies the addresses of all the hosts or networks that are allowed access to the ASDM using HTTPS. You can use this table to add or change the hosts or networks that are allowed access."

In Configuration | Properties, Expand Device Administration, Management access, select the inside interface and Apply.

"The Management Access panel lets you enable or disable management access on a high-security interface and thus lets you perform management functions on the security appliance. With management access enabled, you can run ASDM on an internal interface with a fixed IP address over an IPSec VPN tunnel. Use this feature if VPN is configured on the security appliance and the external interface is using a dynamically assigned IP address. For example, this feature is helpful for accessing and managing the security appliance securely from home using the VPN client."

- Traffic logging to MRTG
MRTG is dependent on SNMP, so Configuration | Properties | Device Administration, SNMP
Set the community string (please don't leave it at the default "public"; treat this as a password).
Add a snmp management station. Use the IP address of the MRTG poller and location relative to the interface (inside?) and same community string you set on the main page.

- Now use a PIX501 inside DMZ for VPN to management network (192.168.1.x),
Suggest just using another (3rd) interface on the PIX515 for access to this subnet, or, if your LAN switches support VLANs, you can create a logical VLAN sub-interface.

Author Comment

by:realfoh
ID: 16527235
What security level should be used on the "inside" interface? If I use 100, everything will be blocked from the outside, unless allowed in an access list, right?

Expert Comment

by:lrmoore
ID: 16528924
Security levels for Outside = 0 and Inside = 100
These cannot be changed.

>If I use 100, everything will be blocked from the outside, unless allowed in an access list, right?
Correct. By default, all traffic is allowed out from higher --> lower. Use access-lists only to restrict outbound traffic
All traffic is blocked lower --> higher. You need access-lists to permit unsolicited inbound traffic, like for your www and email services. No access-list entries are required for returning traffic from an outbound request, except for ICMP.
All icmp is blocked through the pix by default and you must allow returning echo-replies in through the outside interface.


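The two replies above describe the PIX forwarding rules in words: an access rule on the outside interface (with a service group) opens specific ports to a DMZ host, traffic from a higher security level to a lower one passes by default, lower to higher is dropped unless an access-list permits it, and return traffic of an outbound connection needs no entry except for ICMP. The following Python model is an added example, not Cisco code and not from the thread, that encodes those rules and evaluates sample packets against a constructed config fragment. The interface names, the DMZ security level of 50, and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are assumptions standing in for the masked 217.x.x.x ranges in the question; NAT is assumed disabled (`no nat-control`), as the question asks for.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

# interface -> security level; outside (0) and inside (100) are fixed on the PIX,
# the DMZ value is an assumption made for this example
IFACES = {"outside": 0, "dmz": 50, "inside": 100}
# service keywords accepted by the PIX CLI, mapped to port numbers
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "www": 80,
                 "http": 80, "pop3": 110, "imap4": 143, "https": 443}

def port_of(word):
    return SERVICE_PORTS.get(word) or int(word)

@dataclass
class Packet:
    src_if: str
    dst_if: str
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    reply: bool = False          # return half of a connection the PIX already built

class PixPolicy:
    def __init__(self):
        self.object_groups = {}   # service group name -> set of ports
        self.acls = {}            # acl name -> [(action, proto, src_net, dst_net, ports)]
        self.access_groups = {}   # interface -> acl applied inbound on it

    def load(self, text):
        group = None
        for tok in filter(None, map(str.split, text.splitlines())):
            if tok[:2] == ["object-group", "service"]:
                group = self.object_groups.setdefault(tok[2], set())
            elif tok[0] == "port-object" and group is not None:
                group.add(port_of(tok[2]))
            elif tok[0] == "access-list":
                self._parse_acl(tok)
            elif tok[0] == "access-group" and tok[2] == "in":
                self.access_groups[tok[4]] = tok[1]

    @staticmethod
    def _addr(tok):
        # consumes "any", "host A.B.C.D" or "A.B.C.D MASK" from the front of tok
        word = tok.pop(0)
        if word == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if word == "host":
            return ipaddress.ip_network(tok.pop(0) + "/32")
        return ipaddress.ip_network(f"{word}/{tok.pop(0)}", strict=False)

    def _parse_acl(self, tok):
        # access-list NAME extended permit|deny PROTO SRC DST [eq PORT | object-group NAME]
        name, action, proto, rest = tok[1], tok[3], tok[4], tok[5:]
        src, dst = self._addr(rest), self._addr(rest)
        ports = None
        if rest and rest[0] == "eq":
            ports = {port_of(rest[1])}
        elif rest and rest[0] == "object-group":
            ports = self.object_groups[rest[1]]
        self.acls.setdefault(name, []).append((action, proto, src, dst, ports))

    def _match(self, acl, p):
        for action, proto, src, dst, ports in self.acls.get(acl, []):
            if proto != "ip" and proto != p.proto:
                continue
            if ipaddress.ip_address(p.src) not in src or ipaddress.ip_address(p.dst) not in dst:
                continue
            if ports is not None and p.dport not in ports:
                continue
            return action == "permit"
        return False   # implicit deny at the end of every access-list

    def permits(self, p):
        # TCP/UDP return traffic is let in by the connection table; ICMP has no such
        # state by default, so an echo-reply is evaluated like any other inbound packet.
        if p.reply and p.proto in ("tcp", "udp"):
            return True
        acl = self.access_groups.get(p.src_if)
        if acl is not None:
            return self._match(acl, p)   # an applied ACL replaces the level-based default
        return IFACES[p.src_if] > IFACES[p.dst_if]   # higher -> lower passes, lower -> higher drops

# Constructed config fragment in the shape lrmoore describes for the DMZ servers;
# 192.0.2.x stands in for the masked 217.x.x.225-> range in the question
SAMPLE_CONFIG = """
object-group service Tjenester tcp
 port-object eq smtp
 port-object eq https
access-list outside_access_in extended permit tcp any host 192.0.2.225 object-group Tjenester
access-list outside_access_in extended permit tcp any host 192.0.2.226 eq ftp
access-group outside_access_in in interface outside
"""

def build_policy():
    pol = PixPolicy()
    pol.load(SAMPLE_CONFIG)
    return pol
```

Calling `build_policy().permits(Packet(...))` with an outside-to-DMZ SMTP packet for 192.0.2.225 returns True, SSH to the same host returns False, inside-to-outside HTTPS returns True with no ACL at all, and an ICMP echo-reply arriving on the outside is denied even though the request went out, which is exactly why lrmoore says returning echo-replies need an explicit entry on the outside access-list (on PIX 7.x, `inspect icmp` in the policy-map is the alternative that gives ICMP connection state).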
Author Comment

by:realfoh
ID: 16529034
I think I'll turn things around, and allow everything through to the "inside" - ISP customers, and add rules for what I want to block...
I'll use 100 for DMZ, and have access-lists to allow necessary traffic through...

Author Comment

by:realfoh
ID: 16538710
Again, VPN is giving me a head ache...
I used the VPN wizard, but no connection.
Pretty sure I miss some access rules - and probably something else too...

Current config:

ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Tjenester tcp
 port-object eq imap4
 port-object eq domain
 port-object eq ssh
 port-object eq smtp
 port-object eq pop3
 port-object eq 3306
 port-object eq www
 port-object eq ftp
 port-object eq https
access-list Internet_access_in extended permit ip any any
access-list DMZ_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.240
access-list Kunder_cryptomap_dyn_20 extended permit ip any 172.16.1.0 255.255.255.240
access-list Kunder_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list Kunder_access_out extended permit ip any any
access-list Internet_access_out extended permit ip any any
pager lines 24
logging asdm informational
mtu Internet 1500
mtu DMZ 1500
mtu Kunder 1500
ip local pool VPN-inn 172.16.1.1-172.16.1.14 mask 255.255.255.240
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
nat (DMZ) 0 access-list DMZ_nat0_outbound
access-group Internet_access_in in interface Internet
access-group Internet_access_out out interface Internet
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group Kunder_access_in in interface Kunder
access-group Kunder_access_out out interface Kunder
route Internet 0.0.0.0 0.0.0.0 84.*.*.149 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy BUSOVPN internal
group-policy BUSOVPN attributes
 dns-server value **********************
username realf password ********** encrypted privilege 0
username realf attributes
 vpn-group-policy BUSOVPN
http server enable
http ******** 255.255.255.255 Internet
http 192.168.1.0 255.255.255.0 DMZ
http ******* 255.255.255.224 DMZ
http ******* 255.255.255.255 Kunder
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map Kunder_dyn_map 20 match address Kunder_cryptomap_dyn_20
crypto dynamic-map Kunder_dyn_map 20 set transform-set ESP-DES-SHA
crypto map Kunder_map 65535 ipsec-isakmp dynamic Kunder_dyn_map
crypto map Kunder_map interface Kunder
isakmp enable Kunder
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group BUSOVPN type ipsec-ra
tunnel-group BUSOVPN general-attributes
 address-pool VPN-inn
 default-group-policy BUSOVPN
tunnel-group BUSOVPN ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50

VPN Client log:

1      23:12:56.843  04/25/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 84.*.*.150.

2      23:12:56.859  04/25/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 84.*.*.150

3      23:12:56.859  04/25/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

4      23:12:56.859  04/25/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

5      23:13:02.296  04/25/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

6      23:13:02.296  04/25/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 84.*.*.150

7      23:13:07.296  04/25/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

8      23:13:07.296  04/25/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 84.*.*.150

9      23:13:12.296  04/25/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

10     23:13:12.296  04/25/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 84.*.*.150

11     23:13:17.296  04/25/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=72FD0E15C2F25033 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

12     23:13:17.796  04/25/06  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=72FD0E15C2F25033 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

13     23:13:17.812  04/25/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

14     23:13:17.812  04/25/06  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

15     23:13:17.828  04/25/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

16     23:13:17.828  04/25/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

17     23:13:17.828  04/25/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

18     23:13:17.828  04/25/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 16539761
>access-list Internet_access_in extended permit ip any any
Sort of defeats the whole purpose of a firewall, don't you think?

>access-list Internet_access_out extended permit ip any any
>access-group Kunder_access_in in interface Kunder
>access-group Kunder_access_out out interface Kunder

No ACL is required for outbound access. You are complicating matters without reason by adding "permit any any" in both directions on all interfaces.

Remove all access groups on all interfaces for now.

I can't tell which interface is which since you did not post the interface information. Where are the VPN clients? Are they coming in on interface Kunder, or interface Internet?
>isakmp enable Kunder
I would expect the VPN clients to come in through Internet interface. VPN clients do not normally attach from the Inside
>VPN Client log:
Again, where is this client in physical relation to this PIX? It must be on the Kunder interface, since that is where you applied the crypto map and enabled ISAKMP...

>access-list DMZ_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.240
You should not use "any" in nat0 statements. You did not post your interface IPs so I can't really tell, but suggest something more like this:
  access-list DMZ_nat0_outbound extended permit ip <DMZ subnet> <mask> 172.16.1.0 255.255.255.240

Your VPN client will only be able to access DMZ hosts, and then only if the DMZ hosts point to the local PIX's DMZ IP address as their default gateway.

I don't see your section of the config for:
   group-policy DfltGrpPolicy attributes

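To make the review points above checkable rather than eyeballed, here is an added Python script (not Cisco tooling and not part of the thread) that reads the relevant lines of the config posted in the question and reports each of the problems lrmoore names: a `permit ip any any` ACL applied inbound on the Internet side, access-groups applied `out` (no ACL is needed for outbound traffic), `any` as the source of a nat 0 access-list, and a crypto map / isakmp enabled on an interface other than the one the Internet VPN clients can reach. Because the interface configuration was not posted, the Internet-facing interface is inferred from the default route; the masked next-hop address is kept as posted.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# The lines from the posted config that the checks read (masked next hop kept as posted)
POSTED_CONFIG = """
access-list Internet_access_in extended permit ip any any
access-list DMZ_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.240
access-list Kunder_cryptomap_dyn_20 extended permit ip any 172.16.1.0 255.255.255.240
access-list Kunder_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list Kunder_access_out extended permit ip any any
access-list Internet_access_out extended permit ip any any
nat (DMZ) 0 access-list DMZ_nat0_outbound
access-group Internet_access_in in interface Internet
access-group Internet_access_out out interface Internet
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group Kunder_access_in in interface Kunder
access-group Kunder_access_out out interface Kunder
route Internet 0.0.0.0 0.0.0.0 84.*.*.149 1
crypto map Kunder_map 65535 ipsec-isakmp dynamic Kunder_dyn_map
crypto map Kunder_map interface Kunder
isakmp enable Kunder
"""

@dataclass
class PixConfig:
    acls: Dict[str, List[List[str]]] = field(default_factory=dict)          # name -> tokens after the name
    access_groups: List[Tuple[str, str, str]] = field(default_factory=list)  # (acl, in|out, iface)
    nat0: List[Tuple[str, str]] = field(default_factory=list)                # (iface, acl)
    crypto_ifaces: Set[str] = field(default_factory=set)                     # where crypto map / isakmp is on
    default_iface: Optional[str] = None                                      # interface of the 0.0.0.0/0 route

def parse(text: str) -> PixConfig:
    cfg = PixConfig()
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "access-list":
            cfg.acls.setdefault(tok[1], []).append(tok[2:])
        elif tok[0] == "access-group":
            cfg.access_groups.append((tok[1], tok[2], tok[4]))
        elif tok[0] == "nat" and len(tok) > 4 and tok[2] == "0" and tok[3] == "access-list":
            cfg.nat0.append((tok[1].strip("()"), tok[4]))
        elif tok[:2] == ["crypto", "map"] and "interface" in tok:
            cfg.crypto_ifaces.add(tok[tok.index("interface") + 1])
        elif tok[:2] == ["isakmp", "enable"]:
            cfg.crypto_ifaces.add(tok[2])
        elif tok[0] == "route" and tok[2:4] == ["0.0.0.0", "0.0.0.0"]:
            cfg.default_iface = tok[1]
    return cfg

def audit(text: str) -> List[str]:
    cfg = parse(text)
    findings = []
    if cfg.default_iface is None:
        findings.append("no default route: cannot tell which interface faces the Internet")
    for acl, direction, iface in cfg.access_groups:
        entries = cfg.acls.get(acl, [])
        if direction == "out":
            findings.append(f"{iface}: outbound access-group {acl} is unnecessary, remove it")
        elif iface == cfg.default_iface and any(
                e[:5] == ["extended", "permit", "ip", "any", "any"] for e in entries):
            findings.append(f"{iface}: inbound ACL {acl} permits ip any any from the Internet")
    for iface, acl in cfg.nat0:
        for e in cfg.acls.get(acl, []):
            if len(e) > 3 and e[3] == "any":   # extended permit ip SRC DST: SRC is token 3
                findings.append(f"nat ({iface}) 0 ACL {acl} uses 'any' as source; use the {iface} subnet")
    for iface in sorted(cfg.crypto_ifaces):
        if cfg.default_iface and iface != cfg.default_iface:
            findings.append(f"crypto map/isakmp enabled on {iface}, but the default route is on "
                            f"{cfg.default_iface}; VPN clients on the Internet cannot reach IKE there")
    return findings

if __name__ == "__main__":
    for line in audit(POSTED_CONFIG):
        print("-", line)
```

Run against the posted excerpt it reports six findings: the `permit ip any any` on `Internet_access_in`, the three `out` access-groups, the `any` source in `DMZ_nat0_outbound`, and the crypto map/ISAKMP on `Kunder` while the default route (and therefore the Internet) is on `Internet`. The last one matches the client log: the ISAKMP aggressive-mode packets sent to 84.x.x.150 get no reply at all (`R_Cookie=0000000000000000`, `PEER_NOT_RESPONDING`), which is what you see when IKE is not enabled on the interface the packets arrive on.
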
Question has a verified solution.