Solved

Where can I find a cram guide to configuring Cisco PIX firewalls, specifically the 515e?

Posted on 2006-07-11
429 Views
Last Modified: 2013-11-16
Ok, here is the deal.  I have never touched a PIX firewall before.  I work for a small company (300-400 users approx.).  We are changing ISPs in two weeks.  This means our external IPs are changing, and those that point to the VPN, mail server, DNS servers etc.  Anywho, I need to find some cram material to help me understand the config file.  It doesn't even need to be cram material, just clear descriptions of what does what.  I have two weeks to figure this out, and I want it to go as smoothly as possible.
I appreciate ANY help whatsoever!
Thanks,
-chipTM
Question by:corphealth
8 Comments
LVL 57

Expert Comment

by:Pete Long
ID: 17081320
Hello m8

Your best bet is to mask out the IP addresses (and anything identifiable) and post the config here; one of the Experts will explain what each line/section is doing.
 
LVL 79

Expert Comment

by:lrmoore
ID: 17081700
Here's the best place to start:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63qsg/515quick.pdf

It really depends on which version of PIX OS you have, 6.x or 7.x.
There is a HUGE difference between the two.
 

Author Comment

by:corphealth
ID: 17085363
Here is the config with ip and encrypted pass removed.  
http://chipthamac.onlinestoragesolution.com/PIX.Version.6.for.EE.doc
the password to open is Experts@900
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17085872
\\-- fairly old version. Most current for 515e is 7.21
\\-- Most recent 6.x is 6.3(5)
PIX Version 6.1(4)                  

\\-- name "inside | outside | dmz" used throughout to refer to the interfaces. Can be changed
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
nameif ethernet2 dmz security50

\\-- default fixups that inspect specified traffic for layer 4+ protection (deep packet inspection)                              
fixup protocol ftp 21                    
fixup protocol http 80                      
fixup protocol h323 1720                        
fixup protocol rsh 514                      
fixup protocol rtsp 5                  
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol sip 5060                      
fixup protocol skinny 2000                          

\\-- access-list to define traffic to be encrypted (applied to crypto map below)
access-list ipsec permit ip <local subnet> mask <remote subnet> mask

\\-- access-list to permit unsolicited inbound traffic to internal/dmz hosts
access-list 101 permit tcp any host <public host>  eq smtp                                                      
access-list 101 permit tcp any host  <public host> eq www                                                      
access-list 101 permit tcp any host  <public host> eq 443                                                      
access-list 101 permit tcp any host  <public host> eq ftp                                                      
access-list 101 permit tcp any host  <public host> eq www                                                      
access-list 101 permit tcp any host  <public host> eq 443                                                      
access-list 101 permit tcp any host  <public host> eq domain                                                        
access-list 101 permit udp any host  <public host> eq domain                                                        
access-list 101 permit tcp any host  <public host> eq 1723                                                      
access-list 101 permit gre any host  <public host>
access-list 101 permit tcp any host  <public host> eq 3389                                                        
access-list 101 permit tcp any host  <public host> eq 3389                                                        
access-list 101 permit tcp any host  <public host> eq 3389                                                        
access-list 101 permit tcp any host  <public host> eq domain                                                        
access-list 101 permit udp any host  <public host> eq domain                                                        

\\-- define traffic that will bypass nat (vpn traffic)
access-list nonat permit ip <local subnet> mask <remote subnet> mask
access-list nonat permit ip <local subnet> mask <remote subnet> mask

\\-- define traffic that is allowed from dmz
access-list dmz permit gre host any                                              
access-list dmz permit tcp host any eq 1723                                                      
access-list dmz permit udp host any eq domain                                                        
access-list dmz permit tcp host any eq domain                                                        
access-list dmz permit udp host any eq domain                                                        
access-list dmz permit tcp host any eq domain                                                        
access-list dmz permit icmp                                                                              
access-list dmz permit tcp eq 88    
access-list dmz permit udp eq 88    
access-list dmz permit udp  eq ntp    
access-list dmz permit tcp eq 135
access-list dmz permit tcp eq 389    
access-list dmz permit udp 0 eq 389    
access-list dmz permit tcp eq 445    
access-list dmz permit tcp eq 3268      
access-list dmz permit tcp eq 69    

\\-- set the interfaces enabled | shutdown | auto neg speed/duplex
interface ethernet0 auto                        
interface ethernet1 auto                        
interface ethernet2 auto

\\-- assign ip addresses to interfaces                      
ip address outside <public ip> <mask>
ip address inside 172.16.16.x <mask>
ip address dmz a.b.c.d <mask>

\\-- set up a global nat pool (public IP's to service internal NAT clients)
global (outside) 1  <ip address-ip address> netmask <mask>

\\-- apply the no-nat acl to the nat process "0" to bypass nat for the VPN's                                                                  
nat (inside) 0 access-list nonat

\\-- define which inside hosts can use global group "1"                              
nat (inside) 1
nat (inside) 1

\\-- define which dmz hosts can use global nat group 1
nat (dmz) 1

\\-- individual 1-to-1 static public ip -->private IP NAT mappings
static (inside,outside) <public ip> <private ip> netmask 255.255.255.255 0 0                                                                            
static (inside,outside) netmask
static (inside,outside) netmask 0 0                                                                            
static (inside,outside) netmask 0 0                                                                            
static (inside,outside) netmask  0 0                                                                          
static (dmz,outside) netmask 0                                                                        
static (dmz,outside) netmask 0 0      

\\-- apply the acls to the interfaces                                                                
access-group 101 in interface outside                                    
access-group dmz in int                    

\\-- set up static routing
route outside 0.0.0.0 0.0.0.0 a.b.c.d  <== default route
route inside
route inside

\\-- define inside tftp server where config will be written with "write net" command
tftp-server inside 172.16.18.6 pix.bin                                      

\\-- default
floodguard enable                

\\-- allow IPSEC vpn and PPTP traffic to bypass outside acls (acl 101)
sysopt connection permit-ipsec                              
sysopt connection permit-pptp
no sysopt route dnat

\\-- define VPN traffic and encryption algorithm to be used
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map rtpmap 10 ipsec-isakmp
crypto map rtpmap 10 match address ipsec <== defined above
crypto map rtpmap 10 set peer <peer IP>
crypto map rtpmap 10 set transform-set myset
crypto map rtpmap 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map rtpmap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

\\-- allow any host on inside this subnet to telnet to this PIX
telnet 172.16.16.0 255.255.240.0 inside

What else do you need to know?


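An added example, not code from the thread, from lrmoore or from Cisco: a small Python audit that reads a PIX 6.x style config and (a) lists every statement that references the old public block, grouped by command, so each access-list, static, global, route and VPN line gets re-addressed at the ISP cutover, (b) reports the management-access lines that matter for the later PDM question, and (c) flags the single DES, MD5 and DH group 1 settings visible in the posted config. The config and addresses below are constructed (RFC 5737 documentation ranges) and only mirror the layout of the annotated config; the point that PIX 6.x needs an http <net> <mask> <iface> line beside http server enable comes from the PIX 6.x command reference, not from this thread.

```python
"""Audit a PIX 6.x style config ahead of an ISP cutover (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample config (RFC 5737 documentation addresses); its layout
# follows the PIX 6.1 config annotated above. 198.51.100.0/24 plays the old
# ISP block, 203.0.113.5 a VPN peer and 172.16.16.0/20 the inside LAN.
SAMPLE_CONFIG = """\
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit tcp any host 198.51.100.10 eq smtp
access-list 101 permit tcp any host 198.51.100.11 eq www
access-list 101 permit tcp any host 198.51.100.11 eq 443
access-list 101 permit tcp any host 198.51.100.12 eq 3389
access-list nonat permit ip 172.16.16.0 255.255.240.0 10.1.1.0 255.255.255.0
ip address outside 198.51.100.2 255.255.255.0
ip address inside 172.16.16.1 255.255.240.0
global (outside) 1 198.51.100.20-198.51.100.30 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.16.0 255.255.240.0 0 0
static (inside,outside) 198.51.100.10 172.16.16.10 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.11 172.16.16.11 netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.12 172.16.16.12 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map rtpmap 10 set peer 203.0.113.5
isakmp key ******** address 203.0.113.5 netmask 255.255.255.255
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
telnet 172.16.16.0 255.255.240.0 inside
http server enable
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def lines_referencing(config, prefix):
    """Return (line, [addresses]) for every line carrying an address inside
    prefix. Masks such as 255.255.255.0 never fall inside a public block, so
    only real host/pool/peer addresses are reported."""
    net = ipaddress.ip_network(prefix)
    hits = []
    for line in config.splitlines():
        addrs = [a for a in IPV4.findall(line)
                 if ipaddress.ip_address(a) in net]
        if addrs:
            hits.append((line.strip(), addrs))
    return hits


def cutover_checklist(config, old_prefix):
    """Group the lines to re-address by their leading keyword (access-list,
    static, global, ip, route, crypto, isakmp) so nothing is missed."""
    grouped = defaultdict(list)
    for line, addrs in lines_referencing(config, old_prefix):
        grouped[line.split()[0]].append((line, addrs))
    return dict(grouped)


def management_access(config):
    """Who may reach the CLI/PDM. On PIX 6.x 'http server enable' alone is
    not enough: an 'http <net> <mask> <iface>' line must also name the
    permitted hosts, exactly as the telnet command does."""
    telnet, http_nets, http_enabled = [], [], False
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["http", "server", "enable"]:
            http_enabled = True
        elif len(parts) == 4 and parts[0] in ("telnet", "http"):
            (telnet if parts[0] == "telnet" else http_nets).append(tuple(parts[1:]))
    return {"telnet": telnet, "http_enabled": http_enabled, "http_nets": http_nets,
            "pdm_reachable": http_enabled and bool(http_nets)}


def weak_crypto(config):
    """Flag VPN settings considered weak today: single DES, MD5, DH group 1."""
    findings = []
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] not in ("crypto", "isakmp"):
            continue
        if "esp-des" in t or ("encryption" in t and t[-1] == "des"):
            findings.append((line.strip(), "single DES"))
        if "esp-md5-hmac" in t or ("hash" in t and t[-1] == "md5"):
            findings.append((line.strip(), "MD5"))
        if "group" in t and t[-1] == "1":
            findings.append((line.strip(), "DH group 1"))
    return findings


if __name__ == "__main__":
    for keyword, items in cutover_checklist(SAMPLE_CONFIG, "198.51.100.0/24").items():
        print(f"[{keyword}] {len(items)} line(s) reference the old block")
        for line, addrs in items:
            print("   ", line, "->", ", ".join(addrs))
    print("management:", management_access(SAMPLE_CONFIG))
    for line, why in weak_crypto(SAMPLE_CONFIG):
        print("weak crypto:", why, "in", line)
```

Run it against the real (masked) config by replacing SAMPLE_CONFIG with the output of write terminal. The management report for the sample deliberately shows the state the thread ends in: http server enable present, no http allow line, so PDM is not reachable from the inside network.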

 

Author Comment

by:corphealth
ID: 17090188
Let me mull over that to see if I have any questions.  Thanks for all your help so far!
-chipTM
 
LVL 8

Expert Comment

by:bilbus
ID: 17116299
Why not use the PDM GUI?
 

Author Comment

by:corphealth
ID: 17122078
bilbus, well, I was going to ask what PDM GUI was, but I called my good friend Google instead. I see that this is PIX Device Manager, and of course GUI is 'what you look at'.
In any case, I will still need to understand the settings.  This does look pretty good, but I always hear it's good to know the cmd line parameters as well.
Thanks, I will look into this GUI right now.
Oh, PS: I have like one week to figure this all out.
Wish me luck (and be on standby Friday night. ha jp)
 

Author Comment

by:corphealth
ID: 17139213
Ok, so how do I get to this PDM?  I go to https://pix_inside_ip and it says the page cannot be displayed.  I have made sure it's enabled via the http server enable cmd, and still nothing.
On a show ver I have

Cisco PIX Device Manager Version 1.1(2)

That should be good enough to use the PDM, right?
It's a 515E, btw.
