[Config] Question about a pix 506e
I just inherited an overdue-for-retirement PIX 506E running 6.3.3 from a company. I configured it to use this on my DHCP ISP at home. Everything is working, but I was just reviewing additional steps I probably need to configure. The article "pix fw lock it down in 10 steps" says I need to configure an access-list too?
Isn't this a FW appliance that blocks out everything by default? At least for the inbound policy?
I thought it was only routers I had to create an access-list for, in and out.
The only thing I have done is this to get it running for now; I need suggestions to improve it.
enable password ******
hostname pixfw
console timeout 5
banner exec Unauthorized access will be prosecuted.
interface ethernet0 100full
interface ethernet1 100full
ip address outside dhcp
ip address inside 192.168.10.4 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.10.0 255.255.255.0 192.168.10.4 1
nat (inside) 1 192.168.10.0 0.0.0.0
global (outside) 1 interface
dhcpd address 192.168.10.5-192.168.10.254 inside
dhcpd dns 4.2.2.2 4.2.2.6
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
Bink
Member
2011-Jun-3 1:31 pm
Suggestions on improving a PIX 506E running 6.3.3? Toss it. It is ancient and there's a lot better stuff you could be running.
Domwilko (CCVP, CCNP, CCNA, CCDA)
to kracksmith
If you reset the configuration to the factory default, then it will allow all traffic by default if I remember correctly.
However, once you create a single firewall rule (access list) on an interface, then it will begin to block all other traffic, other than the traffic you created the rule (access list) for.
The PIX firewall 'rules' are based around multiple entry access lists (like an access list). The access list is then applied to an interface. i.e. 'Inside' or 'Outside' interface.
If you post your full config, then I'll probably be able to provide some more recommendations.
Hope that helps,

Domwilko
to Bink
It may be old, but it's still a quite capable firewall and if you got it for free, then there is no harm in using it; it's better than no firewall!
Technically I could upgrade to 6.3.5, which is the latest version. Yes, it's free, so why not use it. My Linux Smoothwall was my FW but the electricity is too much, then I replaced it with a Linksys cable/router which has no FW. So this is better than nothing.
I didn't reset the config; I typed in a command to erase it, "write erase". Nevertheless the existing config was wiped clean. Then I applied my script above to get it routing out to the internet.
Maybe you can help me out with that single inbound FW rule that blocks all traffic, and show me how to port forward too.
OK, I'll post my config when I get home tonight.

kracksmith
Here's the old config before I erased it. I don't see any access-list policy for inbound, so does this mean it was open for that company since day 1 when they purchased this PIX 5 years ago?
I only see RDS port forwarding and an access-list for VPN.
pixfirewall> en
Password: *******
pixfirewall# show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.9.8.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.9.8.0 255.255.255.0
access-list outside_access-in permit tcp any host x.x.x.x eq 3389
pager lines 24
logging on
logging trap warnings
logging host inside 192.168.0.94
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.9.8.1-10.9.8.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.x 3389 192.168.0.11 3389 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server tacacs+ protocol tacacs+
aaa-server radius protocol radius
aaa-server local protocol tacacs+
http 192.168.0.94 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup abgroup address-pool vpnpool1
vpngroup abgroup dns-server 4.2.2.2 4.2.2.6
vpngroup abgroup split-tunnel 101
vpngroup abgroup idle-time 1800
vpngroup abgroup password xxxxx
telnet 192.168.0.94 255.255.255.255 inside
telnet timeout 5
ssh 192.168.0.94 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:97e2a1cffa9eba662fb00fc1b749ea88
: end
pixfirewall#
Domwilko (CCVP, CCNP, CCNA, CCDA)
to kracksmith
Doing a "write erase" basically resets the firewall to its 'factory' default base configuration. In the default configuration, it will allow all inbound and outbound traffic.
Before you upgrade the software, you should check that you have enough memory for the upgrade.
Once you get the hang of the PIX, you'll find it quite versatile. It's good for terminating VPNs.
Finally, whilst learning, you might want to try using the PIX Device Manager (PDM) which is a web GUI for configuring it. You can make a change and then before you commit the change, you can get it to show you the command-line config which it will use to make the changes. It's good for getting an understanding of what the various command-lines are doing.
I'll take a look at your config when you post it.
to kracksmith
said by kracksmith:
I just inherited an overdue-for-retirement PIX 506E running 6.3.3 from a company. I configured it to use this on my DHCP ISP at home. Everything is working, but I was just reviewing additional steps I probably need to configure. The article "pix fw lock it down in 10 steps" says I need to configure an access-list too?
Isn't this a FW appliance that blocks out everything by default? At least for the inbound policy?

PIX Firewall (and ASA) has the concept of a security level. A higher security level value means a higher degree of network trust. As an illustration, security level 0 means the least trusted network, security level 100 means the most trusted network, and a security level with a value between 0 and 100 (e.g. 5, 10, 50) means the network is "kind of" secure; often called a DMZ. If you take a look at the configuration, the outside interface should have security level 0 and the inside interface level 100. I don't think you have a DMZ (yet), therefore there should be no security level value between 0 and 100 in your configuration.

How does this security level concept come into play? The PIX as a stateful firewall by default permits anything outbound from a higher security level value (more trusted network) towards a lower security level value (less trusted network), and also denies everything inbound from a less trusted network towards a more trusted network. In your case, all traffic originating from the Inside network out to the Internet (or Outside network) is allowed by default and all traffic originating from the Internet towards the Inside network is blocked.

When you need to permit traffic originating from a less trusted network to reach a more trusted network, you have to create some kind of rules (using an ACL as one of the tools) to permit such traffic to enter. Note that you don't need to implement an ACL anywhere when your traffic is only outbound from a more trusted network to a less trusted network, since by default the PIX allows those. If you like, you can restrict which traffic originating from the more trusted network is allowed to go through the firewall to reach the less trusted network by implementing an ACL, as the article you found may suggest.

said by kracksmith:
I thought it was only routers I had to create an access-list for, in and out.
The only thing I have done is this to get it running for now; I need suggestions to improve it.

Depending on how secure you'd like the firewall to be, you can implement an ACL on the inside interface to restrict outbound traffic. As an illustration, let's say you only need to allow Internet browsing traffic outbound and to block everything else. You then simply create and apply an ACL that permits outbound traffic on TCP port 80 (WWW), TCP port 443 (HTTPS/SSL), and DNS (UDP port 53).

said by kracksmith:
enable password ******
hostname pixfw
console timeout 5
banner exec Unauthorized access will be prosecuted.
interface ethernet0 100full
interface ethernet1 100full
ip address outside dhcp
ip address inside 192.168.10.4 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.10.0 255.255.255.0 192.168.10.4 1
nat (inside) 1 192.168.10.0 0.0.0.0
global (outside) 1 interface
dhcpd address 192.168.10.5-192.168.10.254 inside
dhcpd dns 4.2.2.2 4.2.2.6
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside

Some comments:
* You may need to confirm whether you need to hardcode 100 Full on the outside interface, since it is possible that you just need to run auto detect.
* Since the inside network is part of 192.168.10.0/24, there should be no point in having the static route statement to reach 192.168.10.0/24, would you not agree?
* Since the outside interface is running DHCP, there should be no need to have a static route in the form of a default gateway; would you not agree?
to kracksmith
AFAIK, E-model PIXs can take 7.0 ASA code, if you can get your hands on that, kracksmith.

said by kracksmith:
Isn't this a FW appliance that blocks out everything by default? At least for the inbound policy?

My mnemonic for the PIX / ASAs has always been "higher (security level) to lower (security level) okay, lower to higher no way." Like Aryoba says, check the security levels configured on your interfaces.

said by kracksmith:
I thought it was only routers I had to create an access-list for, in and out.

Depends on what you want to do. It used to be about blocking everything inbound from the untrusted interface, but these days it's also about blocking unknown / unaccounted-for outbound from your trusted network as well, especially if you're the security conscious / paranoid type.

Looking at the original config, they had traffic inspection configured (all the FIXUP commands) for everything except SMTP, permitted TCP 3389 in (access-list OUTSIDE_ACCESS-IN), likely for RDP, had basic IDS enabled (the IP AUDIT commands), AAA authentication, and VPN termination.

By the way, can you do a show ver and show licence? Wonder if this was a basic model or not.

Regards
OK, this is what I thought about this PIX box: by having security 100 I'm protected, as all ports are closed from the outside unless I initiate it from the inside, since I don't have any outbound policies yet.
Can somebody post an access-list that blocks all outbound except certain ports such as 80, 443, and 53?
So you're saying I don't really need these 2 statements?
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.10.0 255.255.255.0 192.168.10.4 1
How would the inside network know where the GW hop is then?
Seems like this IOS has unlimited throughput, unlimited hosts, and 3DES for VPN.
pixfw# sh ver

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

pixfw up 2 days 15 hours

Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0012.7f5b.e335, irq 10
1: ethernet1: address is 0012.7f5b.e336, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number:
Running Activation Key:
Configuration last modified by enable_15 at 22:09:34.609 UTC Sun Jun 5 2011
pixfw#
Here is the show running-config. I have no idea how my route inside shows a class A subnet mask; I didn't type it in like so. Also, is there anything else I should lock down besides the outbound policy?
pixfw# sh ru
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfw
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp
ip address inside 192.168.10.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 76.87.0.1 1
route inside 192.0.0.0 255.0.0.0 192.168.10.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.5-192.168.10.254 inside
dhcpd dns 4.2.2.2 4.2.2.6
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
banner exec Unauthorized access will be prosecuted.
Cryptochecksum:b360633f15d6b55e2786e25574ef299a
: end
pixfw#
Some comments regarding your config:
* interface ethernet0 100full
Make sure that the other end is also hardcoded to 100 Full; otherwise you may want to set it to auto.
* ip address outside dhcp
You may want to use the "ip address outside dhcp setroute" command instead, to have the DHCP process install the default route.
* route outside 0.0.0.0 0.0.0.0 76.86.0.1
This is not necessary, since the DHCP process as mentioned should install the default route.
* route inside 192.0.0.0 255.0.0.0 192.168.10.4
I don't think this route is valid. I'm 99% sure that you should remove it to avoid problems.

aryoba
to kracksmith
said by kracksmith:
Can somebody post an access-list that blocks all outbound except certain ports such as 80, 443, and 53?

Something like this perhaps?

object-group network Inside
network-object 192.168.10.0 255.255.255.0
object-group service Inside_TCP tcp
port-object eq 80
port-object eq 443
object-group service Inside_UDP udp
port-object eq 53
access-list inside permit tcp object-group Inside any object-group Inside_TCP
access-list inside permit udp object-group Inside any object-group Inside_UDP
access-list inside deny ip any any log
access-group inside in interface inside
logging on
logging buffered level 7

said by kracksmith:
So you're saying I don't really need these 2 statements?
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.10.0 255.255.255.0 192.168.10.4 1
How would the inside network know where the GW hop is then?

Since your Inside network is served by DHCP as the dhcpd commands state, simply set the Inside network machines to be DHCP clients and you should be good to go.

said by kracksmith:
Seems like this IOS has unlimited throughput, unlimited hosts, and 3DES for VPN.

It's PIX OS, not IOS. Anywho, the PIX should run 6.3(5), which is the latest version the PIX 506E can support. Should you be considering OS version 7.x, you need at least a PIX 515E. With OS version 8.4, you need an ASA.
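To make the two rules discussed in this thread concrete (the default security-level behaviour aryoba describes, "higher to lower okay, lower to higher no way", and the first-match evaluation of the outbound ACL aryoba posted above), here is an added Python model that is not part of any post and is not PIX code. It parses the subset of PIX 6.3 syntax used in the ACL above (object-group network/service, access-list, access-group) and decides a new connection the way the thread describes: if an ACL is applied inbound on the interface the traffic enters, rules are tried top to bottom and the first match wins, with an implicit deny at the end; if no ACL is applied, the interface security levels decide. The interface names, security levels and ACL text are taken from the configs posted in the thread; the packet tuples and the 203.0.113.x addresses are constructed test input.

```python
import ipaddress
from dataclasses import dataclass

# Security levels from the "nameif" lines in the posted config:
# outside security0, inside security100. Higher level = more trusted.
SECURITY_LEVEL = {"outside": 0, "inside": 100}

# aryoba's outbound ACL from the thread, used here as constructed sample input.
ARYOBA_ACL = """\
object-group network Inside
 network-object 192.168.10.0 255.255.255.0
object-group service Inside_TCP tcp
 port-object eq 80
 port-object eq 443
object-group service Inside_UDP udp
 port-object eq 53
access-list inside permit tcp object-group Inside any object-group Inside_TCP
access-list inside permit udp object-group Inside any object-group Inside_UDP
access-list inside deny ip any any log
access-group inside in interface inside
"""


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp" or "udp"
    src: set      # ipaddress networks; empty set means "any"
    dst: set
    dports: set   # destination ports; empty set means "any"
    log: bool
    text: str     # original line, returned as the reason for a verdict


def parse_object_groups(lines):
    """Collect object-group network/service members into lookup tables."""
    nets, ports, current = {}, {}, None
    for line in lines:
        t = line.split()
        if not t:
            continue
        if t[0] == "object-group":          # object-group <network|service> <name> [tcp|udp]
            current = (t[1], t[2])
            (nets if t[1] == "network" else ports)[t[2]] = set()
        elif t[0] == "network-object" and current:
            nets[current[1]].add(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "port-object" and current:  # port-object eq <port>
            ports[current[1]].add(int(t[2]))
        else:
            current = None                       # any other line ends the group
    return nets, ports


def _addr(t, i, nets):
    """Parse one address spec starting at token i; return (networks, next index)."""
    if t[i] == "any":
        return set(), i + 1
    if t[i] == "host":
        return {ipaddress.ip_network(t[i + 1])}, i + 2
    if t[i] == "object-group":
        return set(nets[t[i + 1]]), i + 2
    return {ipaddress.ip_network(f"{t[i]}/{t[i + 1]}")}, i + 2   # "address mask"


def _ports(t, i, ports):
    """Parse an optional destination port spec ("eq N" or "object-group NAME")."""
    if i >= len(t) or t[i] == "log":
        return set(), i
    if t[i] == "eq":
        return {int(t[i + 1])}, i + 2
    if t[i] == "object-group":
        return set(ports[t[i + 1]]), i + 2
    return set(), i


def parse_config(text):
    """Return ({acl name: [Rule, ...]}, {interface: acl name applied inbound})."""
    lines = [l.strip() for l in text.splitlines()]
    nets, ports = parse_object_groups(lines)
    acls, groups = {}, {}
    for line in lines:
        t = line.split()
        if t and t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _addr(t, 4, nets)
            dst, i = _addr(t, i, nets)
            dports, i = _ports(t, i, ports)
            log = i < len(t) and t[i] == "log"
            acls.setdefault(name, []).append(Rule(action, proto, src, dst, dports, log, line))
        elif t and t[0] == "access-group":       # access-group <acl> in interface <ifname>
            groups[t[4]] = t[1]
    return acls, groups


def _match(nets, ip):
    return not nets or any(ipaddress.ip_address(ip) in n for n in nets)


def evaluate(acls, groups, in_iface, out_iface, proto, src, dst, dport):
    """Verdict for a NEW connection entering in_iface and leaving via out_iface."""
    acl = groups.get(in_iface)
    if acl is None:
        # No ACL applied on the ingress interface: security levels decide.
        if SECURITY_LEVEL[in_iface] > SECURITY_LEVEL[out_iface]:
            return "permit", f"no ACL on {in_iface}; higher to lower security level"
        return "deny", f"no ACL on {in_iface}; lower to higher security level"
    for r in acls[acl]:                          # first match wins
        if r.proto not in ("ip", proto):
            continue
        if not _match(r.src, src) or not _match(r.dst, dst):
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action, r.text
    return "deny", f"implicit deny at end of {acl}"


if __name__ == "__main__":
    acls, groups = parse_config(ARYOBA_ACL)
    for pkt in [("inside", "outside", "tcp", "192.168.10.20", "203.0.113.5", 443),
                ("inside", "outside", "tcp", "192.168.10.20", "203.0.113.5", 25),
                ("inside", "outside", "udp", "192.168.10.20", "4.2.2.2", 53),
                ("outside", "inside", "tcp", "203.0.113.5", "192.168.10.20", 3389)]:
        print(pkt, "->", evaluate(acls, groups, *pkt))
```

With the ACL applied, HTTPS and DNS from the inside are permitted by the first two rules, outbound SMTP falls through to the logged "deny ip any any", and anything arriving on the outside interface (which has no ACL) is dropped by the security-level rule. Running `evaluate` with empty `acls`/`groups` reproduces the "write erase" state the thread describes for the poster's box: outbound allowed, inbound denied, without any access-list.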
to kracksmith
quote:
Although the 501 and 506E are relatively recent models, the flash memory size of only 8 MB prevents official upgrading to version 7.x, although 7.0 can be installed on a 506E using monitor mode up to version 7.1(2). The 8MB flash size only allows for installation of the PIX OS software, not the ASDM software (GUI).

Then again, what does Wikipedia know? *lol*

My attempt at a default deny policy, so adapt as needed, which like aryoba showed should be pretty easy to do if you know how to do ACL structures.

Regards