Solved

Where can I find a cram guide to configuring Cisco PIX firewalls, specifically the 515e?

Posted on 2006-07-11
446 Views
Last Modified: 2013-11-16
Ok, here is the deal.  I have never touched a PIX firewall before.  I work for a small company (300-400 users approx.)  We are changing ISP's in two weeks.  This means our external ip's are changing, and those that point to the vpn, mail server, dns servers etc.  Anywho, I need to find some cram material to help me understand the config file.  It doesn't even need be cram material, just clear, descriptions of what does what.  I got two weeks to figure this out, and I want it to go as smooth as possible.
I appreciate ANY help whatsoever!
Thanks,
-chipTM
Question by:corphealth
8 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 17081320
Hello m8

Your best bet is to mask out the IP addresses (and anything identifiable) and post the config here; one of the Experts will explain what each line/section is doing.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17081700
Here's the best place to start:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63qsg/515quick.pdf

It really depends on what version of PIX OS you have, 6.x or 7.x.
There is a HUGE difference between the two.
0
 

Author Comment

by:corphealth
ID: 17085363
Here is the config with ip and encrypted pass removed.  
http://chipthamac.onlinestoragesolution.com/PIX.Version.6.for.EE.doc
the password to open is Experts@900
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17085872
-- fairly old version. Most current for 515e is 7.21
-- Most recent 6.x is 6.3(5)
PIX Version 6.1(4)

-- name "inside | outside | dmz" used throughout to refer to the interfaces. Can be changed
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

-- default fixups that inspect specified traffic for layer 4+ protection (deep packet inspection)
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 5
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

-- access-list to define traffic to be encrypted (applied to crypto map below)
access-list ipsec permit ip <local subnet> mask <remote subnet> mask

-- access-list to permit unsolicited inbound traffic to internal/dmz hosts
access-list 101 permit tcp any host <public host> eq smtp
access-list 101 permit tcp any host <public host> eq www
access-list 101 permit tcp any host <public host> eq 443
access-list 101 permit tcp any host <public host> eq ftp
access-list 101 permit tcp any host <public host> eq www
access-list 101 permit tcp any host <public host> eq 443
access-list 101 permit tcp any host <public host> eq domain
access-list 101 permit udp any host <public host> eq domain
access-list 101 permit tcp any host <public host> eq 1723
access-list 101 permit gre any host <public host>
access-list 101 permit tcp any host <public host> eq 3389
access-list 101 permit tcp any host <public host> eq 3389
access-list 101 permit tcp any host <public host> eq 3389
access-list 101 permit tcp any host <public host> eq domain
access-list 101 permit udp any host <public host> eq domain

-- define traffic that will bypass nat (vpn traffic)
access-list nonat permit ip <local subnet> mask <remote subnet> mask
access-list nonat permit ip <local subnet> mask <remote subnet> mask

-- define traffic that is allowed from dmz
access-list dmz permit gre host any
access-list dmz permit tcp host any eq 1723
access-list dmz permit udp host any eq domain
access-list dmz permit tcp host any eq domain
access-list dmz permit udp host any eq domain
access-list dmz permit tcp host any eq domain
access-list dmz permit icmp
access-list dmz permit tcp eq 88
access-list dmz permit udp eq 88
access-list dmz permit udp eq ntp
access-list dmz permit tcp eq 135
access-list dmz permit tcp eq 389
access-list dmz permit udp 0 eq 389
access-list dmz permit tcp eq 445
access-list dmz permit tcp eq 3268
access-list dmz permit tcp eq 69

-- set the interfaces enabled | shutdown | auto neg speed/duplex
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

-- assign ip addresses to interfaces
ip address outside <public ip> <mask>
ip address inside 172.16.16.x <mask>
ip address dmz a.b.c.d <mask>

-- set up a global nat pool (public IP's to service internal NAT clients)
global (outside) 1 <ip address-ip address> netmask <mask>

-- apply the no-nat acl to the nat process "0" to bypass nat for the VPN's
nat (inside) 0 access-list nonat

-- define which inside hosts can use global group "1"
nat (inside) 1
nat (inside) 1

-- define which dmz hosts can use global nat group 1
nat (dmz) 1

-- individual 1-to-1 static public ip --> private IP NAT mappings
static (inside,outside) <public ip> <private ip> netmask 255.255.255.255 0 0
static (inside,outside) netmask
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (dmz,outside) netmask 0
static (dmz,outside) netmask 0 0

-- apply the acls to the interfaces
access-group 101 in interface outside
access-group dmz in int

-- set up static routing
route outside 0.0.0.0 0.0.0.0 a.b.c.d  <== default route
route inside
route inside

-- define inside tftp server where config will be written with "write net" command
tftp-server inside 172.16.18.6 pix.bin

-- default
floodguard enable

-- allow IPSEC vpn and PPTP traffic to bypass outside acls (acl 101)
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat

-- define VPN traffic and encryption algorithm to be used
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map rtpmap 10 ipsec-isakmp
crypto map rtpmap 10 match address ipsec <== defined above
crypto map rtpmap 10 set peer <peer IP>
crypto map rtpmap 10 set transform-set myset
crypto map rtpmap 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map rtpmap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

-- allow any host on inside this subnet to telnet to this PIX
telnet 172.16.16.0 255.255.240.0 inside

What else do you need to know?


0
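The accepted solution above walks through which sections carry the ISP-assigned addressing (outside interface, global pool, ACL 101, statics, default route, VPN peer). As an added example that is not from the thread or from Cisco, here is a small Python checker for that cut-over: it lists every config line that references the outgoing public block, and it separately flags the DES/MD5/DH group 1 IPsec settings shown in the config as weak. The sample config and its addresses are constructed placeholders, not the asker's real values.

```python
import ipaddress
import re

# Constructed sample modelled on the annotated PIX 6.x config above; the
# addresses are documentation ranges (RFC 5737), not the asker's real ones.
SAMPLE_CONFIG = """\
PIX Version 6.1(4)
ip address outside 192.0.2.10 255.255.255.240
ip address inside 172.16.16.1 255.255.240.0
global (outside) 1 192.0.2.11-192.0.2.13 netmask 255.255.255.240
access-list 101 permit tcp any host 192.0.2.12 eq smtp
static (inside,outside) 192.0.2.12 172.16.16.25 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
crypto map rtpmap 10 set peer 198.51.100.7
isakmp key ******** address 198.51.100.7 netmask 255.255.255.255
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
telnet 172.16.16.0 255.255.240.0 inside
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def lines_referencing(config, old_block):
    """Return [(line_no, line)] for every config line that mentions an address
    inside old_block (the ISP range being retired). Each of these needs a new
    value before cut-over; masks such as 255.255.255.240 never match."""
    net = ipaddress.ip_network(old_block)
    hits = []
    for no, line in enumerate(config.splitlines(), 1):
        for addr in IPV4.findall(line):
            if ipaddress.ip_address(addr) in net:
                hits.append((no, line.strip()))
                break
    return hits

# Algorithm tokens to flag on transform-set and isakmp policy lines only.
WEAK = {"des": "single DES", "md5": "MD5", "group 1": "DH group 1 (768-bit)"}

def weak_crypto(config):
    """Return [(line_no, label)] for IPsec/ISAKMP settings that are weak;
    the word boundary keeps '3des' and 'group 14' from matching."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        if line.startswith(("crypto ipsec transform-set", "isakmp policy")):
            for token, label in WEAK.items():
                if re.search(r"\b" + re.escape(token) + r"\b", line):
                    findings.append((no, label))
    return findings
```

Run it against the real (unmasked) config with the old block as argument; the VPN peer and pre-shared key lines do not show up because the remote peer's address belongs to the partner, not to the ISP.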
 

Author Comment

by:corphealth
ID: 17090188
Let me mull over that to see if I have any questions.  Thanks for all your help so far!
-chipTM
0
 
LVL 8

Expert Comment

by:bilbus
ID: 17116299
why not use the PDM GUI?
0
 

Author Comment

by:corphealth
ID: 17122078
bilbus, well I was going to ask what PDM GUI was, but I called my good friend google instead, I see that this is PIX Device Manager, and of course gui is 'what you look at'
In any case, I will still need to understand the settings.  This does look pretty good, but I always hear it's good to know the cmd line parameters as well.
Thanks, I will look into this gui right now.  
Oh, PS  I have like one week to figure this all out.
Wish me luck, (and be on standby Friday night. ha jp)
0
 

Author Comment

by:corphealth
ID: 17139213
ok, so how do I get to this PDM?  I go to https://pix_inside_ip and it says the page cannot be displayed.  I have made sure it's enabled via the http server enable cmd, and still nothing.
on a show ver
i have

Cisco PIX Device Manager Version 1.1(2)

That should be good enough to use the PDM right?
it's a 515E btw
0
