Solved

How do I configure Cisco PIX 515e firewall for my network?

Posted on 2008-10-14
12
2,273 Views
Last Modified: 2011-10-19
First off, I want to tell you that I have been trying to get this PIX deployed for over 8 months. I have stayed up countless nights doing packet traces and pings and telnets and can't get it working right. Well, my boss wants this thing deployed ASAP, so here I am.

I'll do my best to explain exactly what I need and I hope you can supply me with the answers I need. I am a very visual person so I have supplied a labeled diagram of my network infrastructure. The labeling is as follows:

A: ISP router - 2.2.2.193 /28 (Network address is 2.2.2.192 /28)
B: Switch
C: Host on WAN - 2.2.2.205 /28
     Used for testing purposes
D: Cisco PIX 515e
     WAN = 2.2.2.206 /28
     DMZ = 192.168.1.1 /24
     LAN = 192.168.0.1 /24
E: Web server - 192.168.1.2 (static NAT to 2.2.2.196)
     Hosts an online catalog for H, must be able to connect to database on H
F: Switch
G: Management server - 192.168.0.66 (static NAT to 2.2.2.197)
     Hosts a helpdesk web application which must be accessible from the outside as well as inside
H: Application Server - 192.168.0.17
     Hosts a database which E must connect to
I: Email server - 192.168.0.11 (static NAT to 2.2.2.194)
     Besides email this server also hosts a webmail application on http/tcp port 3000

The descriptions above describe what I need as far as packet flow.
My network is currently not on the PIX, I only test it after hours, until everything is working perfectly.

I will attach my current config for you to check over, maybe there is a small mistake I have missed somewhere. I will start fresh on the config if that will make things easier.
PIX# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname PIX
domain-name <this.is.my.domain>
enable password <password> encrypted
passwd <passwd> encrypted
names
!
interface Ethernet0
 nameif WAN
 security-level 0
 ip address 2.2.2.206 255.255.255.240
!
interface Ethernet1
 nameif LAN
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name <this.is.my.domain>
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq smtp
access-list WAN_access_in extended permit tcp any host 2.2.2.197 eq www
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq 3000
access-list WAN_access_in extended permit object-group TCPUDP any any eq domain
access-list WAN_access_in extended permit tcp any 2.2.2.192 255.255.255.240 eq www
pager lines 24
logging enable
logging trap critical
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (WAN) 101 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
static (DMZ,WAN) 2.2.2.196 192.168.1.2 netmask 255.255.255.255
static (LAN,WAN) 2.2.2.194 192.168.0.11 netmask 255.255.255.255
static (LAN,WAN) 2.2.2.197 192.168.0.66 netmask 255.255.255.255
access-group WAN_access_in in interface WAN
route WAN 0.0.0.0 0.0.0.0 2.2.2.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.66 255.255.255.255 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.66 255.255.255.255 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1ac47026a523767e47e0d2250ec5bf26
: end
PIX#


Topology.bmp
0
Question by:CoSmismgr
12 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22713859
Wow that's a lot of stuff!
First off, run these to allow access to the web server and delete the useless incoming DNS statement
access-list WAN_access_in permit tcp any host 2.2.2.196 eq www
no access-list WAN_access_in extended permit object-group TCPUDP any any eq domain
Also run:
no nat-c
What problems are you experiencing exactly? I need to know to fix what's wrong.
Cheers!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22713870
Oh, lol here's the problem - your NAT is wrong. Run these commands to fix it:
no global (WAN) 101 interface
global (WAN) 1 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
Let me know if that does it for you!
 
0
 
LVL 16

Accepted Solution

by:
btassure earned 500 total points
ID: 22713882
What parts of it are you seeing not work now? Is it all fine except the DMZ? Or are you seeing nothing work at all? At first glance you need to put in some NAT statements for the DMZ to see the inside servers. Any traffic going from a lower security level upwards needs NAT.
You would use the same address so it would read:
static (LAN,DMZ) 192.168.0.66 192.168.0.66 netmask 255.255.255.255
for example.

You only need this for the servers that the DMZ needs to see directly. The hosts on the LAN will use overload NAT to get to the DMZ from inside.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22714878
>> static (LAN,DMZ) 192.168.0.66 192.168.0.66 netmask 255.255.255.255
And why would you map an address to itself? That makes no sense. There is no need for mapping if you use real addresses!
Sorry btassure. :(
0
 
LVL 16

Expert Comment

by:btassure
ID: 22716577
I know it makes no sense. That's how pix/asa work though. Always has. You HAVE to have a NAT statement to traverse from a lower security level to a higher one. If you want you can have multiple address mappings etc but there is little point if there are only a few servers that it actually needs to access.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 22716612
Sorry, I forgot to tell you what wasn't working!

1) DMZ could not access LAN server
2) LAN could not access DMZ (no remote desktop connection using public or private IP either)
3) Hosts on LAN, aside from servers, could not access web
4) Cannot access any server on LAN from outside using public IP

I have made the changes both of you suggested. I also added a permit icmp any any ACL temporarily for ping testing. Any more suggestions? I will be testing the config tomorrow evening after business hours.

Here is what I do when I test the PIX:
1) Power off existing firewall and switch to PIX
2) Power cycle ISP router (to clear ARP cache)
3) Change IP address of web server on DMZ to 192.168.1.2 (previously public IP 2.2.2.196)
4) Begin telnet / packet traces to test protocols and access to hosts
0
 
LVL 16

Expert Comment

by:btassure
ID: 22716654
You will also need:
global (DMZ) 101 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0

you need to create a DMZ_access_in access list to match the traffic from the DMZ to the LAN servers
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 22716918
"You will also need:
global (DMZ) 101 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0"

I have the following static NAT already:
static (DMZ,WAN) 2.2.2.196 192.168.1.2 netmask 255.255.255.255
The nat (DMZ) 1 0 0 command would translate to the WAN interface IP, wouldn't it? If so, that is not what I want; this is a web server that will be accessed from outside using the public IP.


"you need to create a DMZ_access_in access list to match the traffic from the DMZ to the LAN servers"

The database connector that needs to connect to the server on the LAN (192.168.0.17) uses port 6195, so would it be:
access-list DMZ_access_in extended permit tcp any host 2.2.2.196 eq 6195
or
access-list DMZ_access_in extended permit tcp any host 192.168.0.17 eq 6195
or
access-list DMZ_access_in extended permit tcp any host 192.168.1.2 eq 6195
0
 
LVL 16

Expert Comment

by:btassure
ID: 22719421
Yes, but because of the way you need a NAT statement for the DMZ to see the LAN, you need one for the return traffic to get there when reading the web server from the LAN, for example. You can either set up a one-to-one NAT for the entire subnet so it NATs 192.168.0.x to 192.168.0.x on the DMZ, or use the overload that I have posted.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 22770812
I am still unable to ping the DMZ from host H on the LAN.

Here's my current config:
: Saved
:
PIX Version 8.0(4)
!
hostname PIX
domain-name my.domain
enable password ZFo4GpOUOZcsrgCq encrypted
passwd XDfAsxTJhhMhJrJh encrypted
names
!
interface Ethernet0
 nameif WAN
 security-level 0
 ip address 2.2.2.206 255.255.255.240
!
interface Ethernet1
 nameif LAN
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name my.domain
same-security-traffic permit intra-interface
access-list WAN_access_in extended permit icmp any any unreachable
access-list WAN_access_in extended permit icmp any any time-exceeded
access-list WAN_access_in extended permit icmp any any echo
access-list WAN_access_in extended permit icmp any any echo-reply
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq smtp
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq www
access-list WAN_access_in extended permit tcp any host 2.2.2.195 eq www
access-list WAN_access_in extended permit tcp any host 192.168.0.66 eq www
access-list WAN_access_in extended permit tcp any host 192.168.1.2 eq www
access-list DMZ_access_in extended permit ip host 192.168.0.17 host 192.168.1.2
access-list DMZ_access_in extended permit ip any 2.2.2.192 255.255.255.240
pager lines 24
logging enable
logging trap critical
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
static (LAN,WAN) 2.2.2.194 192.168.0.11 netmask 255.255.255.255
static (LAN,WAN) 2.2.2.197 192.168.0.66 netmask 255.255.255.255
static (DMZ,WAN) 2.2.2.196 192.168.1.2 netmask 255.255.255.255
static (LAN,DMZ) 192.168.0.17 192.168.0.17 netmask 255.255.255.255
static (LAN,DMZ) 192.168.0.66 192.168.0.66 netmask 255.255.255.255
access-group WAN_access_in in interface WAN
access-group DMZ_access_in in interface DMZ
route WAN 0.0.0.0 0.0.0.0 2.2.2.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e67173c59691f3628ad1c2ea0ae2297d
: end


0
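The NAT and ACL rules argued over in this thread can be checked mechanically against a running-config. The following Python script is an added example, not code from the thread or from Cisco; it reads the pre-8.3 PIX/ASA syntax used by the 8.0(4) image here and reports three things: a nat ID with no global of the same ID on each lower-security interface (the global 101 / nat 1 mismatch in the first config, and the missing global (DMZ) 1 that keeps ordinary LAN hosts, those without a static, off the DMZ in the second), an inbound ACL that names a host by its real address where the firewall sees the mapped one (the 192.168.0.66 and 192.168.1.2 entries on WAN_access_in), and an entry whose source a static places behind a different interface (the DMZ_access_in entry with 192.168.0.17 as source, which never matches traffic entering the DMZ). The two config excerpts are constructed from the configs posted above and trimmed to the lines the checks read; the function names are the example's own.

```python
"""Audit a pre-8.3 PIX/ASA config excerpt for the NAT and ACL mistakes seen in this
thread.  Added example, not Cisco code; excerpts are constructed from the posted configs."""

INTERFACES = """\
interface Ethernet0
 nameif WAN
 security-level 0
interface Ethernet1
 nameif LAN
 security-level 100
interface Ethernet2
 nameif DMZ
 security-level 50
"""
# First posted config: global id 101 never matches nat id 1.
FIRST_CONFIG = INTERFACES + """\
global (WAN) 101 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
static (LAN,WAN) 2.2.2.194 192.168.0.11 netmask 255.255.255.255
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq smtp
access-group WAN_access_in in interface WAN
"""
# Second posted config: two WAN entries name real addresses, one DMZ entry is reversed.
SECOND_CONFIG = INTERFACES + """\
global (WAN) 1 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
static (LAN,WAN) 2.2.2.197 192.168.0.66 netmask 255.255.255.255
static (DMZ,WAN) 2.2.2.196 192.168.1.2 netmask 255.255.255.255
static (LAN,DMZ) 192.168.0.17 192.168.0.17 netmask 255.255.255.255
access-list WAN_access_in extended permit tcp any host 2.2.2.197 eq www
access-list WAN_access_in extended permit tcp any host 192.168.0.66 eq www
access-list WAN_access_in extended permit tcp any host 192.168.1.2 eq www
access-list DMZ_access_in extended permit ip host 192.168.0.17 host 192.168.1.2
access-group WAN_access_in in interface WAN
access-group DMZ_access_in in interface DMZ
"""

def _addr(t, i):
    # Consume one ACE address spec (any | host A | NET MASK) starting at t[i].
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]} {t[i + 1]}", i + 2

def parse(config):
    """Collect interface levels, nat/global/static lines and bound ACLs; ignore the rest."""
    cfg = {"level": {}, "nat": [], "global": set(), "static": [], "acl": {}, "bound": {}}
    ifname = None
    for line in filter(str.strip, config.splitlines()):
        t = line.split()
        if t[0] == "nameif":
            ifname = t[1]
        elif t[0] == "security-level" and ifname:
            cfg["level"][ifname] = int(t[1])
        elif t[0] == "nat":                    # nat (IF) ID NET MASK
            cfg["nat"].append((t[1].strip("()"), int(t[2])))
        elif t[0] == "global":                 # global (IF) ID interface|POOL
            cfg["global"].add((t[1].strip("()"), int(t[2])))
        elif t[0] == "static":                 # static (REAL_IF,MAPPED_IF) MAPPED REAL ...
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["static"].append((real_if, mapped_if, t[2], t[3]))
        elif t[0] == "access-list" and t[2] != "remark":
            i = 3 if t[2] == "extended" else 2  # access-list NAME [extended] ACTION PROTO SRC DST
            i += 3 if t[i + 1] == "object-group" else 2
            src, i = _addr(t, i)
            dst, i = _addr(t, i)
            cfg["acl"].setdefault(t[1], []).append((src, dst, line.strip()))
        elif t[0] == "access-group":           # access-group NAME in interface IF
            cfg["bound"][t[4]] = t[1]
    return cfg

def check_nat_globals(cfg):
    """'nat (IF) ID' needs 'global (EGRESS) ID' on each lower-security interface, or the
    hosts it matches cannot start connections there (syslog 305005). nat 0 is exempt."""
    out = []
    for real_if, nat_id in cfg["nat"]:
        for egress, level in cfg["level"].items():
            if nat_id and level < cfg["level"][real_if] and (egress, nat_id) not in cfg["global"]:
                out.append(f"nat ({real_if}) {nat_id} has no matching 'global ({egress}) {nat_id}'")
    return out

def check_acl_addresses(cfg):
    """Before 8.3 an inbound ACL sees addresses as they appear on its interface: a destination
    must be the mapped side of a static onto that interface, and a source cannot be a host
    that a static places behind another interface."""
    out = []
    for ifname, acl in cfg["bound"].items():
        for src, dst, text in cfg["acl"].get(acl, []):
            for real_if, mapped_if, mapped, real in cfg["static"]:
                if mapped_if != ifname:
                    continue
                if dst == real and mapped != real:
                    out.append(f"{acl}: '{text}' uses real address {real}; on {ifname} that host is {mapped}")
                if src == real:
                    out.append(f"{acl}: '{text}' has source {real}, which sits behind {real_if}, "
                               f"not {ifname}, so it never matches; are source and destination reversed?")
    return out

def audit(config):
    cfg = parse(config)
    return check_nat_globals(cfg) + check_acl_addresses(cfg)

if __name__ == "__main__":
    for label, text in (("first config", FIRST_CONFIG), ("second config", SECOND_CONFIG)):
        print(f"== {label}:", *audit(text), sep="\n - ")
```

Run it as a script and it prints the findings for each excerpt; to audit a real box, paste the output of sh run into the string passed to audit(). The identity static (LAN,DMZ) 192.168.0.17 192.168.0.17 is deliberately not flagged as a destination on DMZ_access_in, because with mapped and real equal the host really is addressed as 192.168.0.17 from the DMZ side, which is what btassure's identity NAT achieves. Note the checks stop at 8.2 semantics: from ASA 8.3 onward ACLs always use real addresses and these findings would be wrong.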
 
LVL 5

Author Comment

by:CoSmismgr
ID: 22826570
All is working well now. I can't remember what all I changed, but I spent quite a bit of time configuring the ACLs and NAT statements and now everything is functional! Thanks for the help. I am awarding points based on what my current config shows as to what was suggested. Thanks again!
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 22826590
Ermm, I wanted to split points, how do I do that now? I want to give 350 to btassure and 150 to pugglewuggle
0
