Configuring my Cisco PIX 506E

I have one IP address so I'm going to be using PAT.  I don't need DHCP compatibility because I have an internal server that hands out DHCP.

ISP IP:  60.60.60.60

These are the conditions I need:

Block All Incoming Traffic
Block All Outgoing Traffic

Allow the following ports to go outside:
1935, 8080, 80, 21, 143, 443, 25, 3389, 1723, 995, 1863

Allow the following ports to come inside and port forwarded to:
80 to 10.10.1.1
25 to 10.10.1.210
143 to 10.10.1.1
1723 to 10.10.1.1

Now let's say two weeks later I need to allow port 1111 to go outside. How would I do that?

Thanks.
myfootsmellsAuthor Commented:
Not much help at those links.
 
calvinetterCommented:
>Block All Incoming Traffic
  PIX blocks all incoming connection attempts by default, right out of the box, with no configuration necessary.

>Block All Outgoing Traffic
>Allow the following ports to go outside:
>1935, 8080, 80, 21, 143, 443, 25, 3389, 1723, 995, 1863
  What protocols for these ports?  I'll assume TCP for the above.  However, I don't see (UDP) port 53 for resolving DNS, so I'll add that as well.

access-list outbound permit tcp any any eq 1935
access-list outbound permit tcp any any eq 8080
access-list outbound permit tcp any any eq 80
access-list outbound permit tcp any any eq 21
access-list outbound permit tcp any any eq 143
access-list outbound permit tcp any any eq 443
access-list outbound permit tcp any any eq 25
access-list outbound permit tcp any any eq 3389
access-list outbound permit tcp any any eq 1723
access-list outbound permit tcp any any eq 995
access-list outbound permit tcp any any eq 1863
access-list outbound permit udp any any eq 53
access-list outbound permit icmp any any echo <- optional, allows outbound ping
access-list outbound permit gre any any  <- needed if allowing incoming PPTP VPN from outside
access-list outbound deny ip any any
access-group outbound in interface inside

>Allow the following ports to come inside and port forwarded to:
>80 to 10.10.1.1
>25 to 10.10.1.210
>143 to 10.10.1.1
>1723 to 10.10.1.1

access-list inbound permit tcp any interface outside eq 80
access-list inbound permit tcp any interface outside eq 25
access-list inbound permit tcp any interface outside eq 143
access-list inbound permit tcp any interface outside eq 1723
access-list inbound permit icmp any any echo-reply <- add if you included the "icmp any any echo" line in above section
access-group inbound in interface outside

static (inside,outside) tcp interface 80 10.10.1.1 80
static (inside,outside) tcp interface 25 10.10.1.210 25
static (inside,outside) tcp interface 143 10.10.1.1 143
static (inside,outside) tcp interface 1723 10.10.1.1 1723
no fixup protocol smtp 25    <- add this if your mail server is Exchange
fixup protocol pptp 1723      <- add if PIX is v6.3 or higher (if not, let me know)
clear xlate

The above static NAT entries assume 60.60.60.60 is the IP assigned to your outside interface.

>two weeks later I need to allow port 1111 to go outside how would I do that?
    Once again I'll assume TCP since you didn't specify...

access-list outbound line 1 permit tcp any any eq 1111
access-group outbound in interface inside

cheers
 
myfootsmellsAuthor Commented:
Thanks, I will review and assign points.
 
myfootsmellsAuthor Commented:
no fixup protocol smtp 25    <- add this if your mail server is Exchange
fixup protocol pptp 1723      <- add if PIX is v6.3 or higher (if not, let me know)

Why the no fixup if I'm running Exchange?
And why the fixup protocol pptp 1723 if PIX v6.3+?
 
calvinetterCommented:
a) If you don't disable the "fixup" for smtp, your Exchange server won't be able to receive mail.

b) If a PIX is 6.2 or older, instead of "fixup protocol pptp 1723", you'd need to explicitly allow inbound GRE for inbound PPTP VPN to work, e.g.:
  access-list inbound permit gre any interface outside

Otherwise, if PIX is 6.3+, the "fixup protocol pptp 1723" takes care of it behind the scenes.

cheers
 
myfootsmellsAuthor Commented:
My mail server is Exchange, but the host I'm forwarding port 25 to is my spam filter, and then my spam filter will send it to my Exchange server.

Will I still need this then?
 
calvinetterCommented:
That depends on the spam filter appliance - check the documentation for it: if it's considered an "ESMTP" server, then yes you'll need to disable the "smtp fixup".  This "fixup" is a feature called "Mailguard".
   see also:  http://support.microsoft.com/default.aspx?scid=kb;en-us;320027

cheers
 
myfootsmellsAuthor Commented:
And if it's not an ESMTP server, I can just take that line out and not do anything else?
 
calvinetterCommented:
If it's not an ESMTP server, but Exchange sends email directly from itself (and not through the spam appliance) then you've still got a problem, since you must disable the Mailguard feature for an ESMTP server to send or receive mail.

cheers
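The two replies above about Mailguard ("fixup protocol smtp 25") come down to one mechanism: the fixup only passes the seven minimum SMTP commands from RFC 821 (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT), so an ESMTP peer's EHLO or STARTTLS never reaches the server behind the PIX. The following Python is an added example, not from the thread, from Cisco or from Microsoft: a small model of that filter in front of a constructed ESMTP responder, run once with the fixup on and once with it off. The command allow-list is the documented Mailguard behaviour; the responder's reply strings and the "500 command unrecognized" wording for a blocked command are assumptions of the model, not captured PIX output.

```python
# Added example, not from the original thread or from Cisco: a model of what
# "fixup protocol smtp 25" (Mailguard) does to an SMTP conversation, showing
# why an ESMTP server behind the PIX cannot talk to modern peers until the
# fixup is disabled.  Documented behaviour modelled: only the seven RFC 821
# minimum commands are passed.  The constructed server's replies and the
# "500 command unrecognized" text for a blocked command are assumptions.
from typing import List, Optional

MAILGUARD_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def verb_of(line: str) -> str:
    """The SMTP command verb, case-insensitive."""
    return line.split(" ", 1)[0].strip().upper()


def mailguard_filter(line: str) -> Optional[str]:
    """Return the line if Mailguard lets it through, else None (rejected)."""
    return line if verb_of(line) in MAILGUARD_COMMANDS else None


def esmtp_server(line: str) -> str:
    """Constructed minimal ESMTP responder standing in for the inside host
    (an Exchange server or an ESMTP-capable spam appliance)."""
    verb = verb_of(line)
    if verb == "EHLO":
        return "250-mail.example.net Hello\r\n250-STARTTLS\r\n250 SIZE 10485760"
    if verb == "HELO":
        return "250 mail.example.net"
    if verb == "STARTTLS":
        return "220 Ready to start TLS"
    if verb in ("MAIL", "RCPT"):
        return "250 OK"
    if verb == "DATA":
        return "354 End data with <CR><LF>.<CR><LF>"
    if verb == "QUIT":
        return "221 Bye"
    return "500 command unrecognized"


def firewall_session(commands: List[str], fixup_enabled: bool) -> List[str]:
    """Replies the outside peer sees for each command it sends through the PIX."""
    replies = []
    for cmd in commands:
        passed = mailguard_filter(cmd) if fixup_enabled else cmd
        replies.append("500 command unrecognized" if passed is None
                       else esmtp_server(passed))
    return replies


def esmtp_usable(commands: List[str], fixup_enabled: bool) -> bool:
    """True if every command in the exchange received a 2xx or 3xx reply."""
    return all(r[0] in "23" for r in firewall_session(commands, fixup_enabled))


# Constructed exchange a typical ESMTP peer (another MTA) attempts.
ESMTP_EXCHANGE = ["EHLO relay.example.org", "STARTTLS",
                  "MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>",
                  "DATA", "QUIT"]
# Constructed exchange from an old RFC 821-only client.
SMTP_EXCHANGE = ["HELO relay.example.org",
                 "MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>",
                 "DATA", "QUIT"]

if __name__ == "__main__":
    for label, exchange in (("ESMTP peer", ESMTP_EXCHANGE), ("SMTP peer", SMTP_EXCHANGE)):
        for fixup in (True, False):
            print(f"{label}, fixup {'on ' if fixup else 'off'}:",
                  "works" if esmtp_usable(exchange, fixup) else "fails",
                  firewall_session(exchange, fixup)[0].splitlines()[0])
```

With the fixup on, the plain SMTP peer gets through and the ESMTP peer fails at EHLO (and would fail at STARTTLS too), which is the "can't send or receive" symptom the Microsoft KB describes; with the fixup off, both work. Whether the inside host is Exchange or a spam appliance makes no difference to the model, only whether that host speaks ESMTP.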
 
myfootsmellsAuthor Commented:
OK then, I'll need to disable it. Thanks!