Solved

How do I configure Cisco PIX 515e firewall for my network?

Posted on 2008-10-14
Last Modified: 2011-10-19
First off I want to tell you that I have been trying to get this PIX deployed for over 8 months. I have stayed up countless nights doing packet traces and pings and telnets and can't get it working right. Well, my boss wants this thing deployed asap so here I am.

I'll do my best to explain exactly what I need and I hope you can supply me with the answers I need. I am a very visual person so I have supplied a labeled diagram of my network infrastructure. The labeling is as follows:

A: ISP router - 2.2.2.193 /28 (Network address is 2.2.2.192 /28)
B: Switch
C: Host on WAN - 2.2.2.205 /28
     Used for testing purposes
D: Cisco PIX 515e
     WAN = 2.2.2.206 /28
     DMZ = 192.168.1.1 /24
     LAN = 192.168.0.1 /24
E: Web server - 192.168.1.2 (static NAT to 2.2.2.196)
     Hosts an online catalog for H, must be able to connect to database on H
F: Switch
G: Management server - 192.168.0.66 (static NAT to 2.2.2.197)
     Hosts a helpdesk web application which must be accessible from the outside as well as inside
H: Application Server - 192.168.0.17
     Hosts a database which E must connect to
I: Email server - 192.168.0.11 (static NAT to 2.2.2.194)
     Besides email this server also hosts a webmail application on http/tcp port 3000

The descriptions above describe what I need as far as packet flow.
My network is not currently on the PIX; I only test it after hours, until everything is working perfectly.

I will attach my current config for you to check over, maybe there is a small mistake I have missed somewhere. I will start fresh on the config if that will make things easier.
PIX# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname PIX
domain-name <this.is.my.domain>
enable password <password> encrypted
passwd <passwd> encrypted
names
!
interface Ethernet0
 nameif WAN
 security-level 0
 ip address 2.2.2.206 255.255.255.240
!
interface Ethernet1
 nameif LAN
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name <this.is.my.domain>
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq smtp
access-list WAN_access_in extended permit tcp any host 2.2.2.197 eq www
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq 3000
access-list WAN_access_in extended permit object-group TCPUDP any any eq domain
access-list WAN_access_in extended permit tcp any 2.2.2.192 255.255.255.240 eq www
pager lines 24
logging enable
logging trap critical
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (WAN) 101 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
static (DMZ,WAN) 2.2.2.196 192.168.1.2 netmask 255.255.255.255
static (LAN,WAN) 2.2.2.194 192.168.0.11 netmask 255.255.255.255
static (LAN,WAN) 2.2.2.197 192.168.0.66 netmask 255.255.255.255
access-group WAN_access_in in interface WAN
route WAN 0.0.0.0 0.0.0.0 2.2.2.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.66 255.255.255.255 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.66 255.255.255.255 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1ac47026a523767e47e0d2250ec5bf26
: end
PIX#

Attachment: Topology.bmp

Question by: CoSmismgr
12 Comments
 
Expert Comment by Pugglewuggle (LVL 12), ID: 22713859
Wow that's a lot of stuff!
First off, run these to allow access to the web server and delete the useless incoming DNS statement
access-list WAN_access_in permit tcp any host 2.2.2.196 eq www
no access-list WAN_access_in extended permit object-group TCPUDP any any eq domain
Also run:
no nat-c
What problems are you experiencing exactly? I need to know to fix what's wrong.
Cheers!

Expert Comment by Pugglewuggle (LVL 12), ID: 22713870
Oh, lol here's the problem - your NAT is wrong. Run these commands to fix it:
no global (WAN) 101 interface
global (WAN) 1 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
Let me know if that does it for you!
 

Accepted Solution by btassure (LVL 16), earned 1500 total points, ID: 22713882
What parts of it are you seeing not work now? Is it all fine except the DMZ? Or are you seeing nothing work at all? At first glance you need to put in some NAT statements for the DMZ to see the inside servers. Any traffic going from a lower security level upwards needs NAT.
You would use the same address so it would read:
static (LAN,DMZ) 192.168.0.66 192.168.0.66 netmask 255.255.255.255
for example.

You only need this for the servers that the DMZ needs to see directly. The hosts on the LAN will use overload NAT to get to the DMZ from inside.
Expert Comment by Pugglewuggle (LVL 12), ID: 22714878
>> static (LAN,DMZ) 192.168.0.66 192.168.0.66 netmask 255.255.255.255
And why would you map an address to itself? That makes no sense. There is no need for mapping if you use real addresses!
Sorry btassure. :(

Expert Comment by btassure (LVL 16), ID: 22716577
I know it makes no sense. That's how pix/asa work though. Always has. You HAVE to have a NAT statement to traverse from a lower security level to a higher one. If you want you can have multiple address mappings etc but there is little point if there are only a few servers that it actually needs to access.

Author Comment by CoSmismgr (LVL 5), ID: 22716612
Sorry, I forgot to tell you what wasn't working!

1) DMZ could not access LAN server
2) LAN could not access DMZ (no remote desktop connection using public or private IP either)
3) Hosts on LAN, aside from servers, could not access web
4) Cannot access any server on LAN from outside using public IP

I have made the changes both of you suggested. I also added a permit icmp any any ACL temporarily for ping testing. Any more suggestions? I will be testing the config tomorrow evening after business hours.

Here is what I do when I test the PIX:
1) Power off existing firewall and switch to PIX
2) Power cycle ISP router (to clear ARP cache)
3) Change IP address of web server on DMZ to 192.168.1.2 (previously public IP 2.2.2.196)
4) Begin telnet / packet traces to test protocols and access to hosts

Expert Comment by btassure (LVL 16), ID: 22716654
You will also need:
global (DMZ) 101 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0

You need to create a DMZ_access_in access list to match the traffic from the DMZ to the LAN servers.

Author Comment by CoSmismgr (LVL 5), ID: 22716918
"You will also need:
global (DMZ) 101 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0"

I have the following static NAT already:
static (DMZ,WAN) 2.2.2.196 192.168.1.2 netmask 255.255.255.255
The nat (DMZ) 1 0 0 command would translate to the WAN interface IP wouldn't it? If so, that is not what I want, this is a web server that will be accessed from outside using the public IP.


"you need to create a DMZ_access_in access list to match the traffic from the DMZ to the LAN servers"

The database connector that needs to connect to the server on the LAN (192.168.0.17) uses port 6195, so would it be:
access-list DMZ_access_in extended permit tcp any host 2.2.2.196 eq 6195
or
access-list DMZ_access_in extended permit tcp any host 192.168.0.17 eq 6195
or
access-list DMZ_access_in extended permit tcp any host 192.168.1.2 eq 6195

Expert Comment by btassure (LVL 16), ID: 22719421
Yes, but because of the way you need a NAT statement for the DMZ to see the LAN, you need one for the return traffic to get there, for example when reading the web server from the LAN. You can either set up a one-to-one NAT for the entire subnet so it NATs 192.168.0.x to 192.168.0.x on the DMZ, or use the overload that I have posted.

Author Comment by CoSmismgr (LVL 5), ID: 22770812
I am still unable to ping the DMZ from host H on the LAN.

Here's my current config:
: Saved
:
PIX Version 8.0(4) 
!
hostname PIX
domain-name my.domain
enable password ZFo4GpOUOZcsrgCq encrypted
passwd XDfAsxTJhhMhJrJh encrypted
names
!
interface Ethernet0
 nameif WAN
 security-level 0
 ip address 2.2.2.206 255.255.255.240 
!
interface Ethernet1
 nameif LAN
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0 
!
ftp mode passive
dns server-group DefaultDNS
 domain-name my.domain
same-security-traffic permit intra-interface
access-list WAN_access_in extended permit icmp any any unreachable 
access-list WAN_access_in extended permit icmp any any time-exceeded 
access-list WAN_access_in extended permit icmp any any echo 
access-list WAN_access_in extended permit icmp any any echo-reply 
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq smtp 
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq www 
access-list WAN_access_in extended permit tcp any host 2.2.2.195 eq www 
access-list WAN_access_in extended permit tcp any host 192.168.0.66 eq www 
access-list WAN_access_in extended permit tcp any host 192.168.1.2 eq www 
access-list DMZ_access_in extended permit ip host 192.168.0.17 host 192.168.1.2 
access-list DMZ_access_in extended permit ip any 2.2.2.192 255.255.255.240 
pager lines 24
logging enable
logging trap critical
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
static (LAN,WAN) 2.2.2.194 192.168.0.11 netmask 255.255.255.255 
static (LAN,WAN) 2.2.2.197 192.168.0.66 netmask 255.255.255.255 
static (DMZ,WAN) 2.2.2.196 192.168.1.2 netmask 255.255.255.255 
static (LAN,DMZ) 192.168.0.17 192.168.0.17 netmask 255.255.255.255 
static (LAN,DMZ) 192.168.0.66 192.168.0.66 netmask 255.255.255.255 
access-group WAN_access_in in interface WAN
access-group DMZ_access_in in interface DMZ
route WAN 0.0.0.0 0.0.0.0 2.2.2.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:e67173c59691f3628ad1c2ea0ae2297d
: end

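A consistency check written for this thread (an added example, not code from the thread or from Cisco), covering both the question above about which address the DMZ_access_in entry should name and the config just posted. On PIX/ASA releases before 8.3 an ACL applied to an interface is matched against the address as it appears on that interface, i.e. the mapped address of a static, so an ACE that names a host's real inside address on WAN can never match, and an inbound ACE whose source is not on that interface's subnet has its source and destination reversed. The config excerpt is constructed from the second posted config, and the script assumes Python 3.8 or newer.

```python
import re
from ipaddress import ip_network
# Constructed excerpt modelled on the second config posted in the thread.
CONFIG = """\
interface Ethernet0
 nameif WAN
 ip address 2.2.2.206 255.255.255.240
interface Ethernet2
 nameif DMZ
 ip address 192.168.1.1 255.255.255.0
access-list WAN_access_in extended permit tcp any host 192.168.0.66 eq www
access-list DMZ_access_in extended permit ip host 192.168.0.17 host 192.168.1.2
static (LAN,WAN) 2.2.2.197 192.168.0.66 netmask 255.255.255.255
static (LAN,DMZ) 192.168.0.17 192.168.0.17 netmask 255.255.255.255
access-group WAN_access_in in interface WAN
access-group DMZ_access_in in interface DMZ
"""

def addr(tok):
    """Consume one ACE address (any | host A | NET MASK); return (network, rest)."""
    if tok[0] == "any":
        return None, tok[1:]
    net = tok[1] if tok[0] == "host" else f"{tok[0]}/{tok[1]}"
    return ip_network(net, strict=False), tok[2:]

def lint(cfg):
    ifaces, statics, aces, applied, name = {}, [], [], {}, None
    for line in cfg.splitlines():
        if m := re.match(r" nameif (\S+)", line):
            name = m[1]
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            ifaces[name] = ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask", line):
            statics.append(m.groups())
        elif m := re.match(r"access-list (\S+) extended permit \S+ (.+)", line):
            aces.append((m[1], m[2].split()))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            applied[m[1]] = m[2]
    findings = []
    for acl, tok in aces:
        ifc = applied.get(acl)
        src, tok = addr(tok)
        dst, _ = addr(tok)
        # Inbound traffic's source must lie on the interface the ACL is applied to.
        if ifc and src and not src.subnet_of(ifaces[ifc]):
            findings.append(f"{acl}: source {src} is not on {ifc}; src/dst reversed?")
        # The ACL sees the mapped address, so an ACE naming a static's real address is dead.
        for _real_if, mapped_if, mapped, real in statics:
            if dst and mapped_if == ifc and mapped != real and str(dst[0]) == real:
                findings.append(f"{acl}: {real} is the real address; on {ifc} use {mapped}")
    return findings
```

Run `lint(CONFIG)` to get one finding per unmatchable ACE; an identity static such as `static (LAN,DMZ) 192.168.0.17 192.168.0.17` is deliberately not flagged, since there the address seen on the DMZ is the real one.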
 
Author Comment by CoSmismgr (LVL 5), ID: 22826570
All is working well now. I can't remember everything I changed, but I spent quite a bit of time configuring the ACLs and NAT statements and now everything is functional! Thanks for the help. I am awarding points based on what my current config shows as to what was suggested. Thanks again!

Author Comment by CoSmismgr (LVL 5), ID: 22826590
Ermm, I wanted to split points; how do I do that now? I want to give 350 to btassure and 150 to pugglewuggle.