CoSmismgr asked:
How do I configure Cisco PIX 515e firewall for my network?

First off, I want to tell you that I have been trying to get this PIX deployed for over 8 months. I have stayed up countless nights doing packet traces and pings and telnets and can't get it working right. Well, my boss wants this thing deployed ASAP, so here I am.

I'll do my best to explain exactly what I need and I hope you can supply me with the answers I need. I am a very visual person so I have supplied a labeled diagram of my network infrastructure. The labeling is as follows:

A: ISP router - 2.2.2.193 /28 (Network address is 2.2.2.192 /28)
B: Switch
C: Host on WAN - 2.2.2.205 /28
     Used for testing purposes
D: Cisco PIX 515e
     WAN = 2.2.2.206 /28
     DMZ = 192.168.1.1 /24
     LAN = 192.168.0.1 /24
E: Web server - 192.168.1.2 (static NAT to 2.2.2.196)
     Hosts an online catalog for H, must be able to connect to database on H
F: Switch
G: Management server - 192.168.0.66 (static NAT to 2.2.2.197)
     Hosts a helpdesk web application which must be accessible from the outside as well as inside
H: Application Server - 192.168.0.17
     Hosts a database which E must connect to
I: Email server - 192.168.0.11 (static NAT to 2.2.2.194)
     Besides email this server also hosts a webmail application on http/tcp port 3000

The descriptions above describe what I need as far as packet flow goes.
My network is not currently behind the PIX; I only test it after hours, until everything is working perfectly.

I will attach my current config for you to check over, maybe there is a small mistake I have missed somewhere. I will start fresh on the config if that will make things easier.
PIX# sh run
: Saved
:
PIX Version 8.0(4)
!
hostname PIX
domain-name <this.is.my.domain>
enable password <password> encrypted
passwd <passwd> encrypted
names
!
interface Ethernet0
 nameif WAN
 security-level 0
 ip address 2.2.2.206 255.255.255.240
!
interface Ethernet1
 nameif LAN
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name <this.is.my.domain>
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq smtp
access-list WAN_access_in extended permit tcp any host 2.2.2.197 eq www
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq 3000
access-list WAN_access_in extended permit object-group TCPUDP any any eq domain
access-list WAN_access_in extended permit tcp any 2.2.2.192 255.255.255.240 eq www
pager lines 24
logging enable
logging trap critical
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (WAN) 101 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
static (DMZ,WAN) 2.2.2.196 192.168.1.2 netmask 255.255.255.255
static (LAN,WAN) 2.2.2.194 192.168.0.11 netmask 255.255.255.255
static (LAN,WAN) 2.2.2.197 192.168.0.66 netmask 255.255.255.255
access-group WAN_access_in in interface WAN
route WAN 0.0.0.0 0.0.0.0 2.2.2.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.66 255.255.255.255 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.66 255.255.255.255 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1ac47026a523767e47e0d2250ec5bf26
: end
PIX#


Topology.bmp
Pugglewuggle

Wow that's a lot of stuff!
First off, run these to allow access to the web server and delete the useless incoming DNS statement:
access-list WAN_access_in permit tcp any host 2.2.2.196 eq www
no access-list WAN_access_in extended permit object-group TCPUDP any any eq domain
Also run:
no nat-c
What problems are you experiencing exactly? I need to know to fix what's wrong.
Cheers!
Oh, lol here's the problem - your NAT is wrong. Run these commands to fix it:
no global (WAN) 101 interface
global (WAN) 1 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
Let me know if that does it for you!
ASKER CERTIFIED SOLUTION
btassure
>> static (LAN,DMZ) 192.168.0.66 192.168.0.66 netmask 255.255.255.255
And why would you map an address to itself? That makes no sense. There is no need for mapping if you use real addresses!
Sorry btassure. :(
I know it makes no sense. That's how pix/asa work though. Always has. You HAVE to have a NAT statement to traverse from a lower security level to a higher one. If you want you can have multiple address mappings etc but there is little point if there are only a few servers that it actually needs to access.
CoSmismgr (ASKER)
Sorry, I forgot to tell you what wasn't working!

1) DMZ could not access LAN server
2) LAN could not access DMZ (no remote desktop connection using public or private IP either)
3) Hosts on LAN, aside from servers, could not access web
4) Cannot access any server on LAN from outside using public IP

I have made the changes both of you suggested. I also added a permit icmp any any ACL temporarily for ping testing. Any more suggestions? I will be testing the config tomorrow evening after business hours.

Here is what I do when I test the PIX:
1) Power off existing firewall and switch to PIX
2) Power cycle ISP router (to clear ARP cache)
3) Change IP address of web server on DMZ to 192.168.1.2 (previously public IP 2.2.2.196)
4) Begin telnet / packet traces to test protocols and access to hosts
You will also need:
global (DMZ) 101 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0

You need to create a DMZ_access_in access list to match the traffic from the DMZ to the LAN servers.
"You will also need:
global (DMZ) 101 interface
nat (DMZ) 1 0.0.0.0 0.0.0.0"

I have the following static NAT already:
static (DMZ,WAN) 2.2.2.196 192.168.1.2 netmask 255.255.255.255
The nat (DMZ) 1 0 0 command would translate to the WAN interface IP, wouldn't it? If so, that is not what I want; this is a web server that will be accessed from outside using the public IP.


"you need to create a DMZ_access_in access list to match the traffic from the DMZ to the LAN servers"

The database connector that needs to connect to the server on the LAN (192.168.0.17) uses port 6195, so would it be:
access-list DMZ_access_in extended permit tcp any host 2.2.2.196 eq 6195
or
access-list DMZ_access_in extended permit tcp any host 192.168.0.17 eq 6195
or
access-list DMZ_access_in extended permit tcp any host 192.168.1.2 eq 6195
Yes, but because of the way you need a NAT statement for the DMZ to see the LAN, you also need one for the return traffic to get there when reaching the web server from the LAN, for example. You can either set up a one-to-one NAT for the entire subnet so it NATs 192.168.0.x to 192.168.0.x on the DMZ, or use the overload that I have posted.
I am still unable to ping the DMZ from host H on the LAN.

Here's my current config:
: Saved
:
PIX Version 8.0(4) 
!
hostname PIX
domain-name my.domain
enable password ZFo4GpOUOZcsrgCq encrypted
passwd XDfAsxTJhhMhJrJh encrypted
names
!
interface Ethernet0
 nameif WAN
 security-level 0
 ip address 2.2.2.206 255.255.255.240 
!
interface Ethernet1
 nameif LAN
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0 
!
ftp mode passive
dns server-group DefaultDNS
 domain-name my.domain
same-security-traffic permit intra-interface
access-list WAN_access_in extended permit icmp any any unreachable 
access-list WAN_access_in extended permit icmp any any time-exceeded 
access-list WAN_access_in extended permit icmp any any echo 
access-list WAN_access_in extended permit icmp any any echo-reply 
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq smtp 
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq www 
access-list WAN_access_in extended permit tcp any host 2.2.2.195 eq www 
access-list WAN_access_in extended permit tcp any host 192.168.0.66 eq www 
access-list WAN_access_in extended permit tcp any host 192.168.1.2 eq www 
access-list DMZ_access_in extended permit ip host 192.168.0.17 host 192.168.1.2 
access-list DMZ_access_in extended permit ip any 2.2.2.192 255.255.255.240 
pager lines 24
logging enable
logging trap critical
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
static (LAN,WAN) 2.2.2.194 192.168.0.11 netmask 255.255.255.255 
static (LAN,WAN) 2.2.2.197 192.168.0.66 netmask 255.255.255.255 
static (DMZ,WAN) 2.2.2.196 192.168.1.2 netmask 255.255.255.255 
static (LAN,DMZ) 192.168.0.17 192.168.0.17 netmask 255.255.255.255 
static (LAN,DMZ) 192.168.0.66 192.168.0.66 netmask 255.255.255.255 
access-group WAN_access_in in interface WAN
access-group DMZ_access_in in interface DMZ
route WAN 0.0.0.0 0.0.0.0 2.2.2.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:e67173c59691f3628ad1c2ea0ae2297d
: end
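To settle the question above about which address a DMZ_access_in entry should name, here is a small audit script (added by the editor, not code from the thread): it pairs each `static` line with the ACL applied on the mapped interface and flags entries that name the real (inside) address, which a pre-8.3 PIX/ASA never matches on that interface. The config excerpt is constructed from the final config posted above, and the function names are my own.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of the final PIX 8.0(4) config posted in the thread.
CONFIG = """
static (LAN,WAN) 2.2.2.194 192.168.0.11 netmask 255.255.255.255
static (LAN,WAN) 2.2.2.197 192.168.0.66 netmask 255.255.255.255
static (DMZ,WAN) 2.2.2.196 192.168.1.2 netmask 255.255.255.255
static (LAN,DMZ) 192.168.0.17 192.168.0.17 netmask 255.255.255.255
access-list WAN_access_in extended permit tcp any host 2.2.2.194 eq smtp
access-list WAN_access_in extended permit tcp any host 2.2.2.195 eq www
access-list WAN_access_in extended permit tcp any host 192.168.0.66 eq www
access-list WAN_access_in extended permit tcp any host 192.168.1.2 eq www
access-list DMZ_access_in extended permit tcp any host 192.168.0.17 eq 6195
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ (?:any|host \S+) host (\S+)")


def parse_statics(config):
    """Return {mapped_ifname: {mapped_ip: real_ip}} for every static line."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            _real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics.setdefault(mapped_if, {})[mapped_ip] = real_ip
    return statics


def audit_acl(config, acl_name, ifname):
    """Classify each 'host <dst>' entry of acl_name as applied on ifname.
    Pre-8.3 PIX/ASA match an interface ACL on the address as it is seen on
    that interface, so a statically translated server must be named by its
    mapped address there; its real (inside) address can never match."""
    statics = parse_statics(config).get(ifname, {})
    real_ips = set(statics.values())
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        dst = m.group(2)
        if dst in statics:
            verdict = "ok"            # mapped address with a translation
        elif dst in real_ips or ip_address(dst).is_private:
            verdict = "real-address"  # dead entry: wrong side of the NAT
        else:
            verdict = "no-static"     # public address, nothing maps to it
        findings.append((dst, verdict))
    return findings
```

On this excerpt it reports the two 192.168.x entries on the WAN ACL as dead and 2.2.2.195 as having no static (the web server is mapped to 2.2.2.196), while the identity static makes 192.168.0.17 the correct address for the DMZ ACL.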


All is working well now. I can't remember everything I changed, but I spent quite a bit of time configuring the ACLs and NAT statements and now everything is functional! Thanks for the help. I am awarding points based on what my current config shows relative to what was suggested. Thanks again!
Ermm, I wanted to split points; how do I do that now? I want to give 350 to btassure and 150 to Pugglewuggle.