Solved

CISCO pix 501 Firewall configuration

Posted on 2009-07-13
Last Modified: 2012-05-07
I need some help configuring our Cisco PIX firewall with our dedicated GoDaddy server.

I just obtained a new static IP address for a new website I'm adding to the server and need to set up the firewall so I may access the new website.  In the past, I used the graphical interface GoDaddy/Cisco provided.  I can't use the graphical interface now since it does not support the latest version of Java, so I am stuck using the command line version.  However, I do not know the proper set of commands to issue.

Basically I just need to map an inside address to an outside address by adding a Network Translation rule.  Let's say the internal IP is 10.0.0.2, and the outside IP address is 22.33.44.55.  Previously this is what I did using the graphical (PDM) tool:
      4. In the Device Manager toolbar, click the Configuration icon.
      5. Click the Translation Rules tab.
      6. Click the Translation Rules radio button.
      7. Click the New Rule icon.
      8. In the window, enter the following information:
            - Interface: Inside
            - IP Address: 10.0.0.2
            - Mask: 255.255.255.255
            - Translate address on interface: outside
            - Translate address to: select (x) static IP Address: 22.33.44.55
      9. Click the New Rule icon.
      10. In the window, enter the following information:
            - Interface: Outside
            - IP Address: 22.33.44.55
            - Mask: 255.255.255.255
            - Translate address on interface: inside
            - Translate address to: select (x) static IP Address: 10.0.0.2


Does anyone happen to know what commands to enter to accomplish the same?

Thanks!
Question by:lghook

Accepted Solution

by:
nodisco earned 500 total points
ID: 24843728
hi there

Log in to the command line using telnet/SSH and enter the enable password to get to the # prompt.

config t
static (inside,outside) 22.33.44.55 10.0.0.2 netmask 255.255.255.255
wri me


This will create the static and save it.

To assign rules accordingly to allow access from outside if required:

access-list outside-in permit tcp any host 22.33.44.55 eq www
access-group outside-in in interface outside

This creates an acl called outside-in and allows port 80 traffic to your translated server.  If you already have an acl applied inbound on your outside interface, just use its name in place of outside-in for any new rules.

hope this helps

Author Comment

by:lghook
ID: 24844432
Thanks for helping out.

Against my better judgement, I went ahead & typed in the above (with the proper IPs) and by doing so managed to disable access to all sites on the server.  Ahhhh!

I have several static IPs 10.0.0.1 - 10.0.0.7, all of which mapped to various static IP addresses I was assigned.  I was trying to configure IP 10.0.0.8 without the GUI, and now I'm in a load of trouble.

Any idea what I did wrong?  It seemed such a simple set of commands.

I have since regained access to graphical tool (via a much older computer) for setting up the firewall, so maybe that will be helpful.  

Is there a way to "undo" what I just did?

Thanks!


Expert Comment

by:nodisco
ID: 24844564
Yes, most likely you applied the access-list over an existing one.  Can you post your config up?  I'll have a look.  Just #### out your passwords.

Expert Comment

by:nodisco
ID: 24844604
The outside-in one I gave you is an example - as I said, if you have an existing one, you need to use its name instead.  If you post the config, I can amend it for you and explain.

cheers

Author Comment

by:lghook
ID: 24844639
Sure, what is the best way to get a complete listing?


Expert Comment

by:nodisco
ID: 24844667
You can telnet to the PIX in HyperTerminal (Start - Programs - Accessories - Communications - HyperTerminal) and copy and paste the config, or use another text editor.

you can just copy and paste it in sections or capture the whole config.

I have to leave soon - if you don't post it before I leave I'll instruct you on what to do - but it would make more sense with the actual config.

cheers

Author Comment

by:lghook
ID: 24844675
This might be a clue.  This is a list of commands that the Cisco PDM did not understand while parsing the firewall configuration:

 
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ssh
access-list outside_access_in permit tcp any any eq 42
access-list outside_access_in permit udp any any eq nameserver
access-list outside_access_in permit tcp any any eq domain
access-list outside_access_in permit udp any any eq domain
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq 465
access-list outside_access_in permit tcp any any eq 587
access-list outside_access_in permit tcp any any eq 995
access-list outside_access_in permit tcp any any eq 993
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 8443
access-list outside_access_in permit tcp any any eq 9999
access-list outside_access_in permit tcp any any eq 2086
access-list outside_access_in permit tcp any any eq 2087
access-list outside_access_in permit tcp any any eq 2082
access-list outside_access_in permit tcp any any eq 2083
access-list outside_access_in permit tcp any any eq 2096
access-list outside_access_in permit tcp any any eq 2095
access-list outside_access_in deny tcp any any eq telnet
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in deny tcp any any eq imap4
access-list outside_access_in deny tcp any any eq 1433
access-list outside_access_in deny tcp any any eq 3306
access-list outside_access_in deny tcp any any eq 9080
access-list outside_access_in deny tcp any any eq 9090
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded

Expert Comment

by:nodisco
ID: 24844677
BTW - you can use HyperTerminal as console or telnet (TCP/IP Winsock for telnet).

Author Comment

by:lghook
ID: 24844690
I'll see if I can get you that configuration in a moment .. Thanks!!!!

Expert Comment

by:nodisco
ID: 24844723
Ok no probs - that's our access-list alright.  But I'll wait on the full config.

Author Comment

by:lghook
ID: 24844748
I have a feeling telnet access is disabled.  Currently I just have the PDM access, or I can SSH in.

Expert Comment

by:nodisco
ID: 24844762
I have to head out so will leave you instructions on this.

Most likely it's as suspected: you typed in my example literally, so this has had the effect of applying my new example ACL over your existing one.

To confirm this - look for this line on your Pix config

access-group outside-in in interface outside

If it's there, just do the following:

config t
no access-group outside-in in interface outside
access-group outside_access_in in interface outside
wri me

Test your connections again from outside and they should be ok.
Your new static will also work as you are allowing access from any host on the internet to any internal host for all protocols.

This however is not advisable.  I'll be back online in an hour or so and can explain how to tighten security on this if possible - but at this stage getting you back in action is the most important.

cheers

Expert Comment

by:nodisco
ID: 24844777
If you want to get the config posted - SSH in to the PIX and add the following line as an interim:
telnet 10.0.0.0 255.0.0.0 inside

Then try a telnet connection.
If it works OK, connect in using HyperTerminal and TCP/IP Winsock to its IP address, make a copy of the config and post it.

I'll be back a bit later

Author Comment

by:lghook
ID: 24844808
I can't seem to telnet directly in, so I'll start cutting and pasting what I have listed in the GUI (PDM) interface.

Under Access Rules, two rules are listed:

1)

#: -  
Action: checked
Source: (10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6,10.0.0.7, 10.0.0.8)
Destination: outside: any
Interface: Inside (outbound)
Service: ip
Log Level Interval:
Implicit


2)
#: 1
Action: checked
Source: outside:any
Destination: 10.0.0.8
Interface: outside
Service:  http/tcp
Log Level Interval:



Author Comment

by:lghook
ID: 24845074
Still wasn't able to telnet in, but after poking around I think I found the command that lists out the current configuration.  Here's what I got:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password [deleted] encrypted
passwd [deleted] encrypted
hostname pixfirewall
domain-name [deleted].secureserver.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any any eq ftp-data
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ssh
access-list outside_access_in permit tcp any any eq 42
access-list outside_access_in permit udp any any eq nameserver
access-list outside_access_in permit tcp any any eq domain
access-list outside_access_in permit udp any any eq domain
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq pop3
access-list outside_access_in permit tcp any any eq https
access-list outside_access_in permit tcp any any eq 465
access-list outside_access_in permit tcp any any eq 587
access-list outside_access_in permit tcp any any eq 995
access-list outside_access_in permit tcp any any eq 993
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 8443
access-list outside_access_in permit tcp any any eq 9999
access-list outside_access_in permit tcp any any eq 2086
access-list outside_access_in permit tcp any any eq 2087
access-list outside_access_in permit tcp any any eq 2082
access-list outside_access_in permit tcp any any eq 2083
access-list outside_access_in permit tcp any any eq 2096
access-list outside_access_in permit tcp any any eq 2095
access-list outside_access_in deny tcp any any eq telnet
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in deny tcp any any eq imap4
access-list outside_access_in deny tcp any any eq 1433
access-list outside_access_in deny tcp any any eq 3306
access-list outside_access_in deny tcp any any eq 9080
access-list outside_access_in deny tcp any any eq 9090
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any source-quench
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside-in permit tcp any host 72.167.164.195 eq www
pager lines 24
logging on
logging console informational
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside 72.167.161.117 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.1 255.255.255.255 inside
pdm location 72.167.161.116 255.255.255.255 outside
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 72.167.151.210 255.255.255.255 outside
pdm location 72.167.161.210 255.255.255.255 outside
pdm location 10.0.0.3 255.255.255.255 inside
pdm location 10.0.0.3 255.255.255.255 outside
pdm location 72.167.161.211 255.255.255.255 outside
pdm location 10.0.0.4 255.255.255.255 inside
pdm location 72.167.164.81 255.255.255.255 outside
pdm location 10.0.0.5 255.255.255.255 inside
pdm location 72.167.164.82 255.255.255.255 outside
pdm location 72.167.164.0 255.255.255.0 outside
pdm location 10.0.0.6 255.255.255.255 inside
pdm location 72.167.164.158 255.255.255.255 outside
pdm location 10.0.0.7 255.255.255.255 inside
pdm location 72.167.164.159 255.255.255.255 outside
pdm location 10.0.0.8 255.255.255.255 inside
pdm location 10.0.0.7 255.255.255.255 outside
pdm location 72.167.164.195 255.255.255.255 outside
pdm location 71.235.254.9 255.255.255.255 outside
pdm location 10.0.0.0 255.0.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
static (outside,inside) 10.0.0.1 72.167.161.116 netmask 255.255.255.255 0 0
static (inside,outside) 72.167.161.116 10.0.0.1 netmask 255.255.255.255 0 0
static (inside,outside) 72.167.161.210 10.0.0.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.2 72.167.161.210 netmask 255.255.255.255 0 0
static (inside,outside) 72.167.161.211 10.0.0.3 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.3 72.167.161.211 netmask 255.255.255.255 0 0
static (inside,outside) 72.167.164.81 10.0.0.4 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.4 72.167.164.81 netmask 255.255.255.255 0 0
static (inside,outside) 72.167.164.82 10.0.0.5 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.5 72.167.164.82 netmask 255.255.255.255 0 0
static (inside,outside) 72.167.164.158 10.0.0.6 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.6 72.167.164.158 netmask 255.255.255.255 0 0
static (inside,outside) 72.167.164.159 10.0.0.7 netmask 255.255.255.255 0 0
static (inside,outside) 72.167.164.195 10.0.0.8 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.7 72.167.164.159 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.8 72.167.164.195 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 72.[rest of ip deleted just in case] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access outside
console timeout 0
username [deleted] encrypted privilege 15
terminal width 80
Cryptochecksum: [deleted]

Author Comment

by:lghook
ID: 24845143
You are a lifesaver!  I think I'm receiving a crash course on the firewall configuration tonight.
I'll wait for more instructions, but at least things are up for the moment after removing the set of commands you recommended.

Expert Comment

by:nodisco
ID: 24845300
no worries mate.  

You have essentially done what you need to do but just as an afterthought, I would consider changing some of your firewall settings from a security standpoint.

1) Why are you using:
static (outside,inside) ?

static (inside,outside) for your translations will map the hosts to the translated addresses and handle incoming traffic

2) pdm location 72.167.164.81 255.255.255.255 outside
If these are only the translated addresses of these systems, there should be no reason for these commands, as if you are on one of the servers, it will hit the PIX on the internal address anyway.

3) http 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 outside

These 2 are ones I would definitely look at changing.  This is allowing SSH and HTTP from any outside site - if you need to allow SSH/HTTP from external, you should ideally allow this only from trusted public IP blocks.

4) access-list outside_access_in permit tcp any any eq ssh

On your outside access-list you are permitting access from any external address to any internal address.  With protocols like SSH and 3389 (RDP) this means that an attacker from outside is fully allowed access to SSH or RDP from any external address - very dangerous!
First off - you should allow the specific ports access only to the servers they should be accessing (e.g. the static public IP addresses) rather than "any".
Secondly, and most importantly - where possible, allow access in from only trusted public IP addresses.  Naturally, this won't be possible for www and smtp etc. - but for SSH and 3389 you should be very careful about allowing it from all external addresses.

hope this helps
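As an added example (not code from this thread, from Cisco or from GoDaddy), a small Python linter that reads a PIX 6.3 config like the one posted above and reports the four things this thread turns on: an access-list left unapplied after a second access-group replaced it on the interface (the accepted solution's outside-in example overriding outside_access_in), any-to-any permits for SSH/RDP, PIX management (http/ssh) open to any outside host, and a static (outside,inside) that only mirrors an existing (inside,outside) entry. The config excerpt and its addresses are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed excerpt modelled on the config posted in this thread; addresses are placeholders.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any any eq ssh
access-list outside_access_in permit tcp any any eq www
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in deny tcp any any eq telnet
access-list outside-in permit tcp any host 22.33.44.55 eq www
static (inside,outside) 22.33.44.55 10.0.0.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.0.0.2 22.33.44.55 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
"""

RISKY_PORTS = {"ssh", "22", "3389"}          # ports the thread says never to open from "any"
MGMT_KEYWORDS = {"http", "ssh", "telnet"}    # PIX 6.3 syntax: <kw> <ip> <mask> <interface>


def parse(config):
    """Pull the statements the checks need out of a PIX 6.3 running-config."""
    acls = defaultdict(list)   # ACL name -> list of ACE token lists
    bound = {}                 # interface -> ACL name applied with access-group
    statics = set()            # (ingress, egress, mapped, real)
    mgmt = []                  # (keyword, ip, mask, interface)
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and len(tok) > 2:
            acls[tok[1]].append(tok[2:])
        elif tok[0] == "access-group" and len(tok) >= 5:
            bound[tok[4]] = tok[1]         # access-group NAME in interface IFACE
        elif tok[0] == "static" and len(tok) >= 4:
            pair = tok[1].strip("()").split(",")
            if len(pair) == 2:
                statics.add((pair[0], pair[1], tok[2], tok[3]))
        elif tok[0] in MGMT_KEYWORDS and len(tok) == 4:
            mgmt.append(tuple(tok))
    return acls, bound, statics, mgmt


def lint(config):
    """Return (code, message) findings for the problems discussed in the thread."""
    acls, bound, statics, mgmt = parse(config)
    findings = []
    for name, aces in acls.items():
        # 1. PIX allows one ACL per interface and direction, so a second access-group
        #    silently replaces the first and leaves the old ACL defined but unused.
        if name not in bound.values():
            findings.append(("ORPHAN_ACL", f"{name} ({len(aces)} entries) is not applied"))
        # 2. Permits for SSH/RDP from any source to any destination.
        for ace in aces:
            if (ace[:2] == ["permit", "tcp"] and ace[2:4] == ["any", "any"]
                    and len(ace) >= 6 and ace[4] == "eq" and ace[5] in RISKY_PORTS):
                findings.append(("ANY_ANY_RISKY", f"{name}: {' '.join(ace)}"))
    # 3. Management access to the PIX itself from 0.0.0.0/0 on the outside interface.
    for kw, ip, mask, iface in mgmt:
        if iface == "outside" and ip == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(("OPEN_MGMT", f"{kw} to the PIX allowed from any outside host"))
    # 4. A static (outside,inside) that only mirrors an existing (inside,outside) one.
    for ing, egr, mapped, real in statics:
        if (ing, egr) == ("outside", "inside") and ("inside", "outside", real, mapped) in statics:
            findings.append(("MIRROR_STATIC", f"static (outside,inside) {mapped} {real} is redundant"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG):
        print(f"{code:14} {msg}")
```

Re-running it after the fix from the thread (rebinding outside_access_in) turns the ORPHAN_ACL finding onto outside-in instead, which is the expected leftover until that ACL is removed.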

Author Comment

by:lghook
ID: 24845584
For #1 & #2, those rules were entered for me when I used the PDM tool to configure the new ip addresses based on this FAQ for godaddy dedicated hosting:

http://help.godaddy.com/article/1046

I always wondered about them, but blindly followed the instructions since I thought if it was in the FAQ, it must be the correct set of instructions to follow.  Now I will take a second look at them.  

For #3 (ssh), I can understand why SSH should not be opened up to anyone.  I'd like to close that loop and only allow authorized hosts (me) access.  Is there a command I can enter to only allow a certain IP SSH access?  However, since I'm on cable internet, wouldn't my IP address always be changing?  I know I can look up my current IP address, but in a few weeks/months couldn't that change?   I'm a little worried about blocking off access for myself.  Is there a way to configure the firewall to allow access from my ISP alone?  Would that make more sense?

For #3 (http) access - all of the IPs are for web servers.  I'm not sure how to block off the "bad IPs" without blocking out the rest of the world.

For #4, I see your point.  I'll see about narrowing down access.  However, for blocking SSH for all but myself, how again would I determine the correct address to put in?  Also, is there any reason to allow RDP?  If not, can I just disable it altogether?

If there's no easy answer to my questions, feel free to let me know.  I'll do some more digging since you have been so kind to point me in the right direction.  

As you might guess, my experience in configuring network hardware is limited.  The sites were thrust upon me with a "by the way, there's a hw firewall that also needs setup".  

Thanks again for your quick assistance!  I really do appreciate it; you've been the helping hand that pulled me out of a lot of problems this evening!

Expert Comment

by:nodisco
ID: 24845703
1 & 2 - understood - I only use the command line - I have seen configs with extra stuff in them created by PDM, as it can often be a bit confusing.

#3 (ssh) - If it's just you that needs access via SSH, you could set up a VPN to the PIX for remote management.  Have a look on cisco.com for VPN client to PIX config.  Otherwise, yes, you are running a risk by allowing all SSH entries in.  You could get a static IP address for your home connection or allow their full subnet of dynamic IPs - the ISP themselves could provide it.

#3 (http) - the http section here isn't anything to do with your servers or web access - it's allowing HTTP access to the PIX to manage it, by PDM.  So at present you have it fully open to the world so that anyone can access your PIX device by HTTP.

#4 - for SSH - as per above.  Re RDP, if you don't need it, remove it.  RDP is the worst loophole to have on a network - SSH is reasonably secure but RDP is an easy break.  To remove it, you can just 'no' that line out of your access-list.

You would probably benefit from doing a bit of research on the PIX and how it works.  It's a very good firewall, but if it's not configured properly, you won't be gaining from it.  A good rule of thumb with firewalls is to allow absolutely nothing in from outside but what is absolutely necessary.
I begin a config by allowing ICMP return traffic on the outside interface and nothing else.  As ports/access are required, I allow them as restricted as can be.  Naturally, in a live environment, you can only be as secure/restrictive as supporting your business function will dictate - sometimes your hands are tied and you must make changes you'd rather not.

Cisco.com has some very good tech articles on setups of statics and access-lists etc - if nothing else, they will provide a working understanding of what these commands do.

Here is a good article on it:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

Just ignore the conduit command - it's since been deprecated.

good luck!

Author Comment

by:lghook
ID: 24845850
Great advice.  I see now about #3 as well.  

I've been doing some reading this evening, and just ordered a book so hopefully things will come together.  The list you provided gives me a great start in configuring the firewall properly.  As always, the hardest part is figuring out where to get started.

I did come across the conduit command many times, now I know not to pay attention to that since it would get me off track.

Thanks again for all of your help!


Author Closing Comment

by:lghook
ID: 31603002
Thanks again for your assistance!

Expert Comment

by:nodisco
ID: 24845899
welcome mate