PIX 515E Configuration Check

Can anyone see anything wrong with this configuration?  The IP addresses have been changed to protect the innocent.

PIX Version 7.2(2)
!
hostname Firewall
enable password blahblahblah encrypted
names
dns-guard
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 111.111.111.148 255.255.255.192 standby 111.111.111.149
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.0.10 255.255.0.0 standby 10.10.0.11
!
interface Ethernet2
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address 10.11.0.253 255.255.0.0 standby 10.11.0.254
!
passwd blahblahblah encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network og_ip_nat_dmz
 network-object host 10.11.0.100
access-list outside_acl extended permit tcp any host 111.111.111.132 eq www
access-list outside_acl extended permit tcp any host 111.111.111.132 eq domain
access-list outside_acl extended permit udp any host 111.111.111.132 eq domain
access-list outside_acl extended permit tcp any host 111.111.111.133 eq www
access-list outside_acl extended permit tcp any host 111.111.111.133 eq domain
access-list outside_acl extended permit udp any host 111.111.111.133 eq domain
access-list outside_acl extended permit tcp any host 111.111.111.143 eq smtp
access-list outside_acl extended permit tcp any host 111.111.111.143 eq pop3
access-list outside_acl extended permit tcp any host 111.111.111.143 eq www
access-list outside_acl extended permit tcp any host 111.111.111.147 eq smtp
access-list outside_acl extended permit tcp any host 111.111.111.147 eq pop3
access-list outside_acl extended permit tcp any host 111.111.111.147 eq www
access-list outside_acl extended permit ip any host 111.111.111.132
access-list outside_acl extended permit ip any host 111.111.111.133
access-list outside_acl extended permit ip any host 111.111.111.136
access-list outside_acl extended permit ip any host 111.111.111.139
access-list outside_acl extended permit ip any host 111.111.111.145
access-list outside_acl extended permit ip any host 111.111.111.143
access-list outside_acl extended permit ip any host 111.111.111.147
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit icmp any any time-exceeded
access-list outside_acl extended permit icmp any any unreachable
access-list outside_acl extended deny tcp any eq 135 any
access-list outside_acl extended deny udp any eq 135 any
access-list outside_acl extended deny udp any eq 139 any
access-list outside_acl extended deny tcp any eq netbios-ssn any
access-list outside_acl extended deny tcp any eq 445 any
access-list outside_acl extended deny udp any eq 445 any
access-list outside_acl extended deny udp any eq 4444 any
access-list outside_acl extended deny tcp any eq 4444 any
access-list outside_acl extended deny udp any eq tftp any
access-list outside_acl extended deny tcp any eq 1025 any
access-list outside_acl extended deny tcp any eq 5000 any
access-list outside_acl extended deny udp any eq ntp any
access-list outside_acl extended deny udp any eq rip any
access-list outside_acl extended deny udp any eq 1026 any
access-list outside_acl extended deny udp any eq 1900 any
access-list outside_acl extended deny udp any eq 3009 any
access-list outside_acl extended deny udp any eq 3587 any
access-list outside_acl extended permit ip 10.0.0.0 255.0.0.0 123.123.123.0 255.255.255.0
access-list dmz_acl extended permit icmp any object-group og_ip_nat_dmz echo-reply
access-list dmz_acl extended permit icmp any object-group og_ip_nat_dmz time-exceeded
access-list dmz_acl extended permit icmp any object-group og_ip_nat_dmz unreachable
access-list dmz_acl extended deny tcp any eq 135 object-group og_ip_nat_dmz
access-list dmz_acl extended deny udp any eq 135 object-group og_ip_nat_dmz
access-list dmz_acl extended deny udp any eq 139 object-group og_ip_nat_dmz
access-list dmz_acl extended deny tcp any eq netbios-ssn object-group og_ip_nat_dmz
access-list dmz_acl extended deny tcp any eq 445 object-group og_ip_nat_dmz
access-list dmz_acl extended deny udp any eq 445 object-group og_ip_nat_dmz
access-list dmz_acl extended deny udp any eq 4444 object-group og_ip_nat_dmz
access-list dmz_acl extended deny tcp any eq 4444 object-group og_ip_nat_dmz
access-list dmz_acl extended deny udp any eq tftp object-group og_ip_nat_dmz
access-list dmz_acl extended deny tcp any eq 1025 object-group og_ip_nat_dmz
access-list dmz_acl extended deny tcp any eq 5000 object-group og_ip_nat_dmz
access-list dmz_acl extended deny udp any eq ntp object-group og_ip_nat_dmz
access-list dmz_acl extended deny udp any eq rip object-group og_ip_nat_dmz
access-list dmz_acl extended deny udp any eq 1026 object-group og_ip_nat_dmz
access-list dmz_acl extended deny udp any eq 1900 object-group og_ip_nat_dmz
access-list dmz_acl extended deny udp any eq 3009 object-group og_ip_nat_dmz
access-list dmz_acl extended deny udp any eq 3587 object-group og_ip_nat_dmz
access-list dmz_acl extended deny ip any object-group og_ip_nat_dmz
access-list dmz_acl extended permit ip any any
access-list posnet extended permit ip 10.0.0.0 255.0.0.0 123.123.123.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging standby
logging buffered warnings
logging trap warnings
logging history warnings
logging facility 18
no logging message 106010
mtu outside 1500
mtu inside 1500
mtu dmz 1500
failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 111.111.111.150
global (dmz) 1 10.11.0.100
nat (inside) 0 access-list pos
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 111.111.111.131 10.11.0.1 netmask 255.255.255.255
static (dmz,outside) 111.111.111.132 10.11.0.2 netmask 255.255.255.255
static (dmz,outside) 111.111.111.133 10.11.0.3 netmask 255.255.255.255
static (dmz,outside) 111.111.111.140 10.11.0.10 netmask 255.255.255.255
static (dmz,outside) 111.111.111.145 10.11.0.15 netmask 255.255.255.255
static (dmz,outside) 111.111.111.139 10.11.0.89 netmask 255.255.255.255
static (dmz,outside) 111.111.111.143 10.11.0.13 netmask 255.255.255.255
static (dmz,outside) 111.111.111.147 10.11.0.91 netmask 255.255.255.255
static (dmz,outside) 111.111.111.136 10.11.0.16 netmask 255.255.255.255
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 111.111.111.129 1
route inside 10.12.0.0 255.255.0.0 10.10.0.1 1
route inside 10.20.0.0 255.255.0.0 10.10.0.1 1
route inside 10.30.0.0 255.255.0.0 10.10.0.1 1
route inside 10.40.0.0 255.255.0.0 10.10.0.1 1
route inside 10.50.0.0 255.255.0.0 10.10.0.1 1
route inside 10.60.0.0 255.255.0.0 10.10.0.1 1
route inside 10.131.0.0 255.255.0.0 10.10.0.1 1
route inside 10.132.0.0 255.255.0.0 10.10.0.1 1
route inside 10.133.0.0 255.255.0.0 10.10.0.1 1
route inside 10.135.0.0 255.255.0.0 10.10.0.1 1
route inside 10.136.0.0 255.255.0.0 10.10.0.1 1
route inside 10.137.0.0 255.255.0.0 10.10.0.1 1
route inside 10.138.0.0 255.255.0.0 10.10.0.1 1
route inside 10.139.0.0 255.255.0.0 10.10.0.1 1
route inside 10.140.0.0 255.255.0.0 10.10.0.1 1
route inside 10.145.0.0 255.255.0.0 10.10.0.1 1
route inside 10.146.0.0 255.255.0.0 10.10.0.1 1
route inside 10.147.0.0 255.255.0.0 10.10.0.1 1
route inside 10.16.16.0 255.255.255.0 10.10.0.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community notprivate
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound
crypto ipsec transform-set posi esp-3des esp-sha-hmac
crypto map positive 10 match address pos
crypto map positive 10 set pfs
crypto map positive 10 set peer 222.222.222.9
crypto map positive 10 set transform-set posi
crypto map positive interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 222.222.222.9 type ipsec-l2l
tunnel-group 222.222.222.9 ipsec-attributes
 pre-shared-key *
telnet 10.10.0.1 255.255.255.255 inside
telnet timeout 30
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspe
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp strict
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ntp server 10.10.0.232 source inside
prompt hostname context
Cryptochecksum:7d1dbd1a9
: end

Thanks!
dbarr57Asked:

bignewfCommented:
The config looks fine, but I would not allow pings from the outside in unless you are doing testing.
To remove these inbound ACLs:


no access-list outside_acl extended permit icmp any any echo-reply
no access-list outside_acl extended permit icmp any any time-exceeded
no access-list outside_acl extended permit icmp any any unreachable

You can replace all your route inside statements for brevity with:

route inside 0.0.0.0 0.0.0.0 10.10.0.0 1

but it's fine adding the static routes.



You need to enable SSH on an interface, i.e. ssh x.x.x.x x.x.x.x inside,
then generate the public and private keys:

crypto key generate rsa

Then specify a timeout:
ssh timeout 5


0
dbarr57Author Commented:
Good ideas!

Look again at the ACL statements - are they in the correct order?  I mean, do the first 19 lines effectively make the rest useless?
0
bignewfCommented:


You don't want these lines:

access-list outside_acl extended permit ip any host 111.111.111.132
access-list outside_acl extended permit ip any host 111.111.111.133
access-list outside_acl extended permit ip any host 111.111.111.136
access-list outside_acl extended permit ip any host 111.111.111.139
access-list outside_acl extended permit ip any host 111.111.111.145
access-list outside_acl extended permit ip any host 111.111.111.143
access-list outside_acl extended permit ip any host 111.111.111.147

This configuration means you are allowing anything into your network.
They render the lines above these ACLs useless; sorry I missed these!

You always filter by a layer 4 protocol (UDP or TCP) to only allow certain ports open.
Remove these; you should only allow the services (ports) that outside hosts need:



access-list outside_acl extended permit tcp any host 111.111.111.132 eq www
access-list outside_acl extended permit tcp any host 111.111.111.132 eq domain
access-list outside_acl extended permit udp any host 111.111.111.132 eq domain
access-list outside_acl extended permit tcp any host 111.111.111.133 eq www
access-list outside_acl extended permit tcp any host 111.111.111.133 eq domain
access-list outside_acl extended permit udp any host 111.111.111.133 eq domain
access-list outside_acl extended permit tcp any host 111.111.111.143 eq smtp
access-list outside_acl extended permit tcp any host 111.111.111.143 eq pop3
access-list outside_acl extended permit tcp any host 111.111.111.143 eq www
access-list outside_acl extended permit tcp any host 111.111.111.147 eq smtp
access-list outside_acl extended permit tcp any host 111.111.111.147 eq pop3
access-list outside_acl extended permit tcp any host 111.111.111.147 eq www


The IPs at .136, .139 and .145 need access-list entries filtered by layer 4, i.e. www, pop3, etc.
0
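The ordering problem raised above can be checked mechanically rather than by eye. The following is an added example and not code from this thread, the PIX, or Cisco: a small first-match evaluator for PIX/ASA extended ACL syntax, run over two constructed excerpts (a few lines of the original outside_acl in their original order, and the same hosts in the reordered form suggested in the reply; rule numbers below refer to these excerpts, not to the full ACL). The source address 198.51.100.7 is a made-up outside host. It shows that with a permit ip any host entry in place, TCP/445 to 111.111.111.132 is permitted before any deny line is reached, while the reordered list denies it by the implicit deny at the end. Object-group entries and ICMP types are not modelled.

```python
"""First-match audit of PIX/ASA extended ACLs (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords that appear in the configuration above.
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "pop3": 110,
              "netbios-ssn": 139, "tftp": 69, "ntp": 123, "rip": 520}
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[int]        # source port from "eq", or None
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port from "eq", or None
    text: str


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1]), i + 2
    return ipaddress.IPv4Network((tok[i], tok[i + 1])), i + 2


def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' qualifier at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list NAME extended ...' lines (no object-groups)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] != "extended":
            raise ValueError("unsupported line: " + line)
        src, i = _addr(tok, 5)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        # A trailing ICMP type such as echo-reply is ignored here.
        rules.append(Rule(tok[3], tok[4], src, sport, dst, dport, line))
    return rules


def evaluate(acl, proto, src, dst, dport=None, sport=None):
    """First match wins; the list ends in an implicit deny.
    sport=None models an ephemeral source port, which matches no 'eq' rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(acl, 1):
        if r.proto not in ("ip", proto) or s not in r.src or d not in r.dst:
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, n
    return "deny", None


def wide_open(acl):
    """Rule numbers that permit every protocol from any source, no port filter."""
    return [n for n, r in enumerate(acl, 1)
            if r.action == "permit" and r.proto == "ip" and r.src == ANY
            and r.sport is None and r.dport is None]


def _intersects(a, b):
    return ((a.proto == "ip" or b.proto == "ip" or a.proto == b.proto)
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and (a.sport is None or b.sport is None or a.sport == b.sport)
            and (a.dport is None or b.dport is None or a.dport == b.dport))


def conflicts(acl):
    """(earlier, later) pairs where an earlier rule with the opposite action
    catches some of the later rule's traffic first, so the later rule is
    at least partly dead for that traffic."""
    return [(i, j) for j in range(1, len(acl) + 1) for i in range(1, j)
            if acl[i - 1].action != acl[j - 1].action
            and _intersects(acl[i - 1], acl[j - 1])]


# Constructed excerpt of the original outside_acl, in its original order.
ORIGINAL = parse_acl("""
access-list outside_acl extended permit tcp any host 111.111.111.132 eq www
access-list outside_acl extended permit tcp any host 111.111.111.132 eq domain
access-list outside_acl extended permit udp any host 111.111.111.132 eq domain
access-list outside_acl extended permit ip any host 111.111.111.132
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended deny tcp any eq 135 any
access-list outside_acl extended deny tcp any eq 445 any
access-list outside_acl extended deny udp any eq tftp any
access-list outside_acl extended permit ip 10.0.0.0 255.0.0.0 123.123.123.0 255.255.255.0
""")

# Constructed excerpt of the reordered list without the permit ip any host entry.
REVISED = parse_acl("""
access-list outside_acl extended permit tcp any host 111.111.111.132 eq www
access-list outside_acl extended permit tcp any host 111.111.111.132 eq domain
access-list outside_acl extended permit udp any host 111.111.111.132 eq domain
access-list outside_acl extended permit ip 10.0.0.0 255.0.0.0 222.222.222.0 255.255.255.0
access-list outside_acl extended deny tcp any eq 135 any
access-list outside_acl extended deny tcp any eq 445 any
access-list outside_acl extended deny udp any eq tftp any
""")

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, "wide-open rules:", wide_open(acl))
        print(name, "tcp/445 to .132 ->",
              evaluate(acl, "tcp", "198.51.100.7", "111.111.111.132", dport=445))
    print("original conflicts (earlier, later):", conflicts(ORIGINAL))
```

Run as a script it reports that the original excerpt has rule 4 wide open and permits TCP/445 to .132 at rule 4, whereas the revised excerpt has no wide-open rule and falls through to the implicit deny. The conflicts list also flags that the source-port deny lines sit after permits that already match the same flows, so they never see that traffic; on a PIX the order of the lines, not their presence, decides what gets through.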

dbarr57Author Commented:
Thanks again!

So, is this how I would change it?

no access-group outside_acl in interface outside
no access-group outside_acl
access-list outside_acl extended permit tcp any host 111.111.111.132 eq www
access-list outside_acl extended permit tcp any host 111.111.111.132 eq domain
access-list outside_acl extended permit udp any host 111.111.111.132 eq domain
access-list outside_acl extended permit tcp any host 111.111.111.133 eq www
access-list outside_acl extended permit tcp any host 111.111.111.133 eq domain
access-list outside_acl extended permit udp any host 111.111.111.133 eq domain
access-list outside_acl extended permit tcp any host 111.111.111.136 eq www
access-list outside_acl extended permit tcp any host 111.111.111.136 eq domain
access-list outside_acl extended permit udp any host 111.111.111.136 eq domain
access-list outside_acl extended permit tcp any host 111.111.111.143 eq smtp
access-list outside_acl extended permit tcp any host 111.111.111.143 eq pop3
access-list outside_acl extended permit tcp any host 111.111.111.143 eq www
access-list outside_acl extended permit tcp any host 111.111.111.146 eq smtp
access-list outside_acl extended permit tcp any host 111.111.111.147 eq smtp
access-list outside_acl extended permit tcp any host 111.111.111.147 eq pop3
access-list outside_acl extended permit tcp any host 111.111.111.147 eq www
access-list outside_acl extended permit ip 10.0.0.0 255.0.0.0 222.222.222.0 255.255.255.0
access-list outside_acl extended deny tcp any eq 135 any
access-list outside_acl extended deny udp any eq 135 any
access-list outside_acl extended deny udp any eq 139 any
access-list outside_acl extended deny tcp any eq netbios-ssn any
access-list outside_acl extended deny tcp any eq 445 any
access-list outside_acl extended deny udp any eq 445 any
access-list outside_acl extended deny udp any eq 4444 any
access-list outside_acl extended deny tcp any eq 4444 any
access-list outside_acl extended deny udp any eq tftp any
access-list outside_acl extended deny tcp any eq 1025 any
access-list outside_acl extended deny tcp any eq 5000 any
access-list outside_acl extended deny udp any eq ntp any
access-list outside_acl extended deny udp any eq rip any
access-list outside_acl extended deny udp any eq 1026 any
access-list outside_acl extended deny udp any eq 1900 any
access-list outside_acl extended deny udp any eq 3009 any
access-list outside_acl extended deny udp any eq 3587 any
access-group outside_acl in interface outside
wr mem
0
bignewfCommented:
This looks better. Any issues with outside hosts reaching the necessary services, ie. pop3, smtp?
0

dbarr57Author Commented:
That worked!  The only problem was with some servers needing SSL and specific ports.  Those were discovered after the initial change was made.  Then it was just a matter of adding those.

Thank you very much for your help!
0
Question has a verified solution.