Troubleshooting Question

Can you stealth ports on a Cisco Pix 501?

Asked by ShadowInq
Tags: Routers, Hardware Firewalls, Cisco
8 Comments, 2 Solutions, 849 Views
I have a Cisco Pix 501. I have it configured to run behind a small network which has a web server. I know ports 80 and 443 need to be open for the web server to function, but I was wondering if all my other ports should be appearing "closed" or "stealthed". When I run a scan at Shields Up! only a few of my ports are showing as "stealthed". All we want the firewall to do is allow access out, access to our web server (80 and 443), access to port 5080 by a specific subnet, and access to port 25 by a specific subnet. The firewall sits between one network (192.168.168) and the outside world (T1 connection). The firewall was set up by someone else, and I have no experience with Cisco. Along with the stealth issue, are there some things I can get rid of? I see some unnecessary translation rules, but it won't let me remove them via the PDM. Here is my config:


PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname company
domain-name city
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 192.168.168.0 company
name 192.168.253.0 vpnra
name {service provider} sp1
name {service provider 2} sp2
access-list acl_out permit tcp any interface outside eq www
access-list acl_out permit tcp any interface outside eq https
access-list acl_out permit tcp host {service provider} interface outside eq 5080
access-list acl_out permit tcp {service provider 2} 255.255.240.0 interface outside eq smtp
access-list nonat permit ip 192.168.168.0 255.255.255.0 192.168.253.0 255.255.255.224
access-list nonat permit ip any 192.168.99.0 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip any 192.168.99.0 255.255.255.128
pager lines 15
logging on
logging trap notifications
logging host inside 192.168.168.53
icmp permit any echo-reply outside
icmp permit any traceroute outside
icmp permit any outside
mtu outside 1492
mtu inside 1500
ip address outside {public IP} 255.255.255.252
ip address inside 192.168.168.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name IDS1 attack action alarm drop reset
ip audit name IDS2 info action alarm reset
ip audit interface outside IDS2
ip audit interface outside IDS1
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip local pool companyvpn-ippool 192.168.99.1-192.168.99.100
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.168.0 255.255.255.0 0 0
static (inside,outside) tcp interface 4125 192.168.168.10 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.168.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.168.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.168.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 192.168.168.10 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9009 192.168.168.10 9009 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.168.10 pptp netmask 255.255.255.255 0 0
static (inside,outside) udp interface tftp 192.168.168.10 tftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.168.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5080 192.168.168.10 5080 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 {public gateway} 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authorization command LOCAL
ntp server 192.5.41.41 source inside
ntp server 192.5.41.40 source inside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.168.0 255.255.255.0 inside
http 192.168.253.0 255.255.255.224 inside
snmp-server host inside 192.168.168.53
no snmp-server location
no snmp-server contact
snmp-server community bollocks
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp outside
sysopt noproxyarp inside
service resetinbound
service resetoutside
crypto ipsec transform-set companytrs esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set companytrs
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 3600 60
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet 192.168.168.0 255.255.255.0 inside
telnet 192.168.253.0 255.255.255.224 inside
telnet timeout 15
ssh timeout 15
management-access inside
console timeout 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
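Added example, not part of the question or of the accepted answer (which is not shown on this page): a small Python audit of an excerpt of the configuration posted above. It cross-checks every `static` port translation on the outside interface against the permits in the ACL bound there with `access-group`, so translations that no ACL entry can ever reach (the "unnecessary translation rules" the asker mentions) are listed as removal candidates. It also flags the lines that make a PIX answer probes instead of silently dropping them: on PIX 6.x `service resetinbound` sends a TCP RST for denied inbound connections and `service resetoutside` does the same for denied TCP aimed at the outside interface itself, which is what a port scanner reports as "closed" rather than "stealth", and `icmp permit any outside` lets the outside interface answer every ICMP type, echo included. The `http 0.0.0.0 0.0.0.0 outside` line, which allows PDM management from any outside address, is reported as well. The excerpt keeps the asker's `{service provider}` placeholders; the parsing is line-based and covers only the command forms present in this config.

```python
import re

# Constructed excerpt of the PIX 6.3 configuration posted in the question;
# the {service provider} placeholders are the asker's, not real addresses.
CONFIG = """\
access-list acl_out permit tcp any interface outside eq www
access-list acl_out permit tcp any interface outside eq https
access-list acl_out permit tcp host {service provider} interface outside eq 5080
access-list acl_out permit tcp {service provider 2} 255.255.240.0 interface outside eq smtp
icmp permit any echo-reply outside
icmp permit any traceroute outside
icmp permit any outside
static (inside,outside) tcp interface 4125 192.168.168.10 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.168.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.168.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.168.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 192.168.168.10 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9009 192.168.168.10 9009 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.168.10 pptp netmask 255.255.255.255 0 0
static (inside,outside) udp interface tftp 192.168.168.10 tftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.168.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5080 192.168.168.10 5080 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
http server enable
http 0.0.0.0 0.0.0.0 outside
service resetinbound
service resetoutside
"""

# Service names exactly as this config prints them.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pptp": 1723, "tftp": 69}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) (.+) interface outside eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")

# Settings that make the firewall answer a probe instead of silently dropping it.
NOISY_SETTINGS = {
    "icmp permit any outside": "outside interface answers every ICMP type, including echo",
    "service resetinbound": "denied inbound TCP gets a RST, so scanners see 'closed', not 'stealth'",
    "service resetoutside": "denied TCP to the outside interface itself is answered with a RST",
}


def port_num(token):
    """Resolve a numeric or named port token; None if the name is unknown."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)


def audit(config_text):
    """Return statics with/without a matching ACL permit plus noisy and management findings."""
    statics, permits, bound = [], {}, {}
    findings = {"unmatched_statics": [], "matched_statics": [], "noisy": [], "exposed_mgmt": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            _src_if, dst_if, proto, gport, real_ip, rport = m.groups()
            statics.append((dst_if, proto, port_num(gport), real_ip, port_num(rport)))
        elif m := ACL_RE.match(line):
            acl, proto, _source, port = m.groups()
            permits.setdefault(acl, set()).add((proto, port_num(port)))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL applied inbound
        elif line in NOISY_SETTINGS:
            findings["noisy"].append((line, NOISY_SETTINGS[line]))
        elif line == "http 0.0.0.0 0.0.0.0 outside":
            findings["exposed_mgmt"].append(line)  # PDM reachable from any outside host
    # A static on an interface is reachable only if the ACL bound there permits the port.
    for dst_if, proto, gport, real_ip, rport in statics:
        allowed = permits.get(bound.get(dst_if, ""), set())
        bucket = "matched_statics" if (proto, gport) in allowed else "unmatched_statics"
        findings[bucket].append((proto, gport, f"{real_ip}:{rport}"))
    return findings


if __name__ == "__main__":
    result = audit(CONFIG)
    for proto, port, real in result["unmatched_statics"]:
        print(f"static {proto}/{port} -> {real}: no permit in the outside ACL, removal candidate")
    for proto, port, real in result["matched_statics"]:
        print(f"static {proto}/{port} -> {real}: reachable from outside")
    for line, why in result["noisy"]:
        print(f"{line}: {why}")
    for line in result["exposed_mgmt"]:
        print(f"{line}: management access open to any outside address")
```

Run against the excerpt, the script lists the 4125, 3389, 444, 9009, pptp and tftp translations as unreachable (only www, https, smtp and 5080 have permits in acl_out), and reports the three reset/ICMP lines and the open PDM access line. Note that on PIX 6.x, translation rules that reach the box only through a missing permit still occupy the outside interface address for that port, so the cleanup is a matter of removing the `static` lines at the CLI rather than via PDM.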
Asker Certified Solution: Jody Lemoine, Network Architect