kracksmith
join:2004-07-14
Fullerton, CA

Member

[Config] Question about a pix 506e

I just inherited a PIX 506E running 6.3.3 that was overdue for retirement at a company. I configured it to use my DHCP ISP at home. Everything is working, but I was just reviewing the additional steps I probably need to configure. The article "pix fw lock it down in 10 steps" says I need to configure an access-list too?

Isn't this a FW appliance that blocks out everything by default? At least for the inbound policy?

I thought it was only routers that I had to create an access-list for, in and out.

The only thing I have done is this to get it running for now; I need suggestions to improve it.

enable password ******
hostname pixfw
console timeout 5
banner exec Unauthorized access will be prosecuted.
interface ethernet0 100full
interface ethernet1 100full
ip address outside dhcp
ip address inside 192.168.10.4 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.10.0 255.255.255.0 192.168.10.4 1
nat (inside) 1 192.168.10.0 0.0.0.0
global (outside) 1 interface
dhcpd address 192.168.10.5-192.168.10.254 inside
dhcpd dns 4.2.2.2 4.2.2.6
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
Bink
Villains... knock off all that evil
join:2006-05-14
Colorado

Member

Suggestions on improving a PIX 506E running 6.3.3? Toss it. It is ancient and there’s a lot better stuff you could be running.

Domwilko
CCVP, CCNP, CCNA, CCDA
join:2002-03-02
UK

Domwilko to kracksmith

Member
If you reset the configuration to the factory default, then it will allow all traffic by default if I remember correctly.

However, once you create a single firewall rule (access list) on an interface, it will begin to block all other traffic, other than the traffic you created the rule (access list) for.

The PIX firewall 'rules' are based around multiple entry access lists (like an access list). The access list is then applied to an interface. i.e. 'Inside' or 'Outside' interface.

If you post your full config, then I'll probably be able to provide some more recommendations.

Hope that helps,
Domwilko

Domwilko to Bink

Member
It may be old, but it's still a quite capable firewall and if you got it for free, then there is no harm in using it; it's better than no firewall!
kracksmith
join:2004-07-14
Fullerton, CA

Member

Technically I could upgrade to 6.3.5, which is the latest version.
Yes, it's free, so why not use it. My Linux Smoothwall was my FW, but the electricity is too much, then I replaced it with a Linksys cable/router which has no FW. So this is better than nothing.

I didn't reset the config; I typed in a command to erase it, "write erase". Nevertheless, the existing config was wiped clean. Then I applied my script above to get it routing out to the internet.

Maybe you can help me out with that single inbound FW rule that blocks all traffic, and show me how to port forward too.

OK, I'll post my config when I get home tonight.
kracksmith

Member

Here's the old config from before I erased it. I don't see any access-list policy for inbound, so does this mean it was open for that company since day 1, when they purchased this PIX 5 years ago?

I only see RDS port forwarding and an access-list for VPN.

pixfirewall>
pixfirewall> en
Password: *******
pixfirewall# show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.9.8.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.9.8.0 255.255.255.0
access-list outside_access-in permit tcp any host x.x.x.x eq 3389
pager lines 24
logging on
logging trap warnings
logging host inside 192.168.0.94
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 10.9.8.1-10.9.8.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.x 3389 192.168.0.11 3389 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server tacacs+ protocol tacacs+
aaa-server radius protocol radius
aaa-server local protocol tacacs+
http 192.168.0.94 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup abgroup address-pool vpnpool1
vpngroup abgroup dns-server 4.2.2.2 4.2.2.6
vpngroup abgroup split-tunnel 101
vpngroup abgroup idle-time 1800
vpngroup abgroup password xxxxx
telnet 192.168.0.94 255.255.255.255 inside
telnet timeout 5
ssh 192.168.0.94 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:97e2a1cffa9eba662fb00fc1b749ea88
: end
pixfirewall#

Domwilko
CCVP, CCNP, CCNA, CCDA
join:2002-03-02
UK

Domwilko to kracksmith

Member
Doing a "write erase" basically resets the firewall to its 'factory' default base configuration. In the default configuration, it will allow all inbound and outbound traffic.

Before you upgrade the software, you should check that you have enough memory for the upgrade.

Once you get the hang of the PIX, you'll find it quite versatile. It's good for terminating VPNs.

Finally, whilst learning, you might want to try using the PIX Device Manager (PDM) which is a web GUI for configuring it. You can make a change and then before you commit the change, you can get it to show you the command-line config which it will use to make the changes. It's good for getting an understanding of what the various command-lines are doing.

I'll take a look at your config when you post it.
aryoba
MVM
join:2002-08-22

aryoba to kracksmith

said by kracksmith:

I just inherited a PIX 506E running 6.3.3 that was overdue for retirement at a company. I configured it to use my DHCP ISP at home. Everything is working, but I was just reviewing the additional steps I probably need to configure. The article "pix fw lock it down in 10 steps" says I need to configure an access-list too?

Isn't this a FW appliance that blocks out everything by default? At least for the inbound policy?

The PIX Firewall (and ASA) has the concept of a security level. A higher security level value means a higher degree of network trust. As an illustration, security level 0 means the least trusted network, security level 100 means the most trusted network, and a security level with a value between 0 and 100 (i.e. 5, 10, 50) means the network is "kind of" secure; often called a DMZ.

If you take a look at the configuration, the outside interface should have security level 0 and the inside interface level 100. I don't think you have a DMZ (yet), therefore there should be no security level value between 0 and 100 in your configuration.

How does this security level concept come into play? The PIX, as a stateful firewall, by default permits anything outbound from a higher security level value (more trusted network) towards a lower security level value (less trusted network), and also denies everything inbound from a less trusted network towards a more trusted network. In your case, all traffic originating from the Inside network out to the Internet (or Outside network) is allowed by default, and all traffic originating from the Internet towards the Inside network is blocked.

When you need to permit traffic originating from a less trusted network to reach a more trusted network, you have to create some kind of rule (using an ACL as one of the tools) to permit such traffic to enter. Note that you don't need to implement an ACL anywhere when your traffic is only outbound from a more trusted network to a less trusted network, since by default the PIX allows that. If you like, you can restrict which traffic originating from the more trusted network is allowed to go through the firewall to reach the less trusted network by implementing an ACL, as the article you found may suggest.
said by kracksmith:

I thought it was only routers that I had to create an access-list for, in and out.

The only thing I have done is this to get it running for now; I need suggestions to improve it.

Depending on how secure you would like the firewall to be, you can implement an ACL on the inside interface to restrict outbound traffic. As an illustration, let's say you only need to allow Internet browsing traffic outbound and want to block everything else. You then simply create and implement an ACL that permits outbound traffic on TCP port 80 (WWW), TCP port 443 (HTTPS/SSL), and DNS (UDP port 53).
said by kracksmith:

enable password ******
hostname pixfw
console timeout 5
banner exec Unauthorized access will be prosecuted.
interface ethernet0 100full
interface ethernet1 100full
ip address outside dhcp
ip address inside 192.168.10.4 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.10.0 255.255.255.0 192.168.10.4 1
nat (inside) 1 192.168.10.0 0.0.0.0
global (outside) 1 interface
dhcpd address 192.168.10.5-192.168.10.254 inside
dhcpd dns 4.2.2.2 4.2.2.6
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside

Some comments:

* You may need to confirm whether you need to hardcode 100 Full on the outside interface, since it is possible that you just need to run auto-detect
* Since the inside network is part of 192.168.10.0/24, there should be no point in having the static route statement to reach 192.168.10.0/24, would you not agree?
* Since the outside interface is running DHCP, there should be no need to have a static route in the form of a default gateway; would you not agree?
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to kracksmith

AFAIK, E-model PIXs can take 7.0 ASA code, if you can get your hands on that, kracksmith.
said by kracksmith:

Isn't this a FW appliance that blocks out everything by default? At least for the inbound policy?

My mnemonic for the PIX / ASAs has always been "higher (security level) to lower (security level) okay, lower to higher no way." Like aryoba says, check the security levels configured on your interfaces.
said by kracksmith:

I thought it was only routers that I had to create an access-list for, in and out.

Depends on what you want to do. It used to be about blocking everything inbound from the untrusted interface, but these days it's also about blocking unknown / unaccounted-for outbound from your trusted network as well, especially if you're the security-conscious / paranoid type.

Looking at the original config, they had traffic inspection configured (all the FIXUP commands) for everything except SMTP, permitted TCP 3389 in (access-list OUTSIDE_ACCESS-IN), likely for RDP, had basic IDS enabled (the IP AUDIT commands), AAA authentication, and VPN termination.

By the way, can you do a show ver and show licence? I wonder if this was a basic model or not.

Regards
kracksmith
join:2004-07-14
Fullerton, CA

Member

OK, this is what I thought about this PIX box: by having security 100 I'm protected, all ports are closed from the outside unless I initiate it from the inside, since I don't have any outbound policies yet.

Can somebody post an access-list that blocks all outbound except certain ports such as 80, 443, and 53?

So you're saying I don't really need these 2 statements?
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.10.0 255.255.255.0 192.168.10.4 1

How would the inside network know where the GW hop is then?

Seems like this IOS has unlimited throughput, unlimited hosts, and 3DES for VPN.

pixfw# sh ver

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

pixfw up 2 days 15 hours

Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0012.7f5b.e335, irq 10
1: ethernet1: address is 0012.7f5b.e336, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has a Restricted (R) license.

Serial Number:
Running Activation Key:
Configuration last modified by enable_15 at 22:09:34.609 UTC Sun Jun 5 2011
pixfw#

Here is the show running-config. I have no idea how my route inside shows a class A subnet mask; I didn't type it in like that. Also, is there anything else I should lock down besides the outbound policy?

pixfw# sh ru
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfw
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp
ip address inside 192.168.10.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 76.87.0.1 1
route inside 192.0.0.0 255.0.0.0 192.168.10.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.5-192.168.10.254 inside
dhcpd dns 4.2.2.2 4.2.2.6
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
banner exec Unauthorized access will be prosecuted.
Cryptochecksum:b360633f15d6b55e2786e25574ef299a
: end
pixfw#
aryoba
MVM
join:2002-08-22


Some comments regarding your config:

* interface ethernet0 100full

Make sure that the other end is also hardcoded to 100 Full; otherwise you may want to set it to auto

* ip address outside dhcp

You may want to use the ip address outside dhcp setroute command instead, to have the DHCP process put in the default route

* route outside 0.0.0.0 0.0.0.0 76.86.0.1

This is not necessary, since the DHCP process, as mentioned, should put in the default route

* route inside 192.0.0.0 255.0.0.0 192.168.10.4

I don't think this route is valid. I'm 99% sure that you should remove it to avoid problems
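Added here as an illustration, not something posted in this thread and not Cisco's own tooling: a short Python script that turns the points aryoba makes in this post and in his earlier post about security levels into checks run over the two configs posted above. The two embedded configs are trimmed copies of what kracksmith posted (x.x.x.x kept as posted); the check names, the messages and the audit function are my own, and the interface names come from the nameif lines.

```python
import re

# Constructed sample: the company's old config posted above, trimmed to the lines
# the checks look at (x.x.x.x kept as posted).
OLD_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit ip 192.168.0.0 255.255.255.0 10.9.8.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.9.8.0 255.255.255.0
access-list outside_access-in permit tcp any host x.x.x.x eq 3389
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
nat (inside) 0 access-list 102
static (inside,outside) tcp x.x.x.x 3389 192.168.0.11 3389 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
snmp-server community public
vpngroup abgroup split-tunnel 101
"""

# Constructed sample: the home running-config posted above, trimmed the same way.
NEW_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp
ip address inside 192.168.10.4 255.255.255.0
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 76.87.0.1 1
route inside 192.0.0.0 255.0.0.0 192.168.10.4 1
snmp-server community public
"""


def audit(config):
    """Return a list of findings (strings) for one PIX 6.3-style config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. Security levels drive the default policy: higher-to-lower is permitted,
    #    lower-to-higher is denied until an ACL bound with access-group permits it.
    levels = {}
    for ln in lines:
        if m := re.match(r"nameif \S+ (\S+) security(\d+)$", ln):
            levels[m.group(1)] = int(m.group(2))
    if levels.get("outside") != 0 or levels.get("inside") != 100:
        findings.append(f"unexpected security levels: {levels}")

    # 2. Which ACLs exist, which are bound to an interface, which are used elsewhere
    #    (nat 0 exemption, VPN split-tunnel), plus each interface's own address.
    defined, bound, referenced, own_ip = set(), {}, set(), {}
    for ln in lines:
        if m := re.match(r"access-list (\S+) ", ln):
            defined.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", ln):
            bound[m.group(2)] = m.group(1)
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", ln):
            referenced.add(m.group(1))
        elif m := re.search(r"\bsplit-tunnel (\S+)$", ln):
            referenced.add(m.group(1))
        elif m := re.match(r"ip address (\S+) (\d+\.\d+\.\d+\.\d+) ", ln):
            own_ip[m.group(1)] = m.group(2)
    for acl in sorted(defined - set(bound.values()) - referenced):
        findings.append(f"ACL {acl} is defined but never applied with access-group, so it has no effect")

    # 3. Effective default policy of every interface that has no ACL bound.
    lowest = min(levels.values(), default=None)
    for name, lvl in levels.items():
        if name in bound:
            continue
        if lvl == lowest:
            findings.append(f"{name} (security{lvl}) has no ACL: inbound traffic is denied by default")
        else:
            findings.append(f"{name} (security{lvl}) has no ACL: all outbound traffic is permitted by default")
    has_static = any(ln.startswith("static (") for ln in lines)
    has_conduit = any(ln.startswith("conduit ") for ln in lines)
    if has_static and "outside" not in bound and not has_conduit:
        findings.append("static translation exists but outside has no ACL (or conduit): the forwarded port stays closed")

    # 4. A DHCP-assigned outside address combined with a hand-typed default route.
    dhcp_no_setroute = {m.group(1) for ln in lines if (m := re.match(r"ip address (\S+) dhcp$", ln))}
    for ln in lines:
        if m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", ln):
            if m.group(1) in dhcp_no_setroute:
                findings.append(f"static default route on DHCP interface {m.group(1)}: "
                                f"use 'ip address {m.group(1)} dhcp setroute' instead")

    # 5. Routes whose next hop is the firewall's own interface address.
    for ln in lines:
        if m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", ln):
            iface, net, mask, gw = m.groups()
            if gw == own_ip.get(iface):
                findings.append(f"route {iface} {net} {mask} via {gw} points at the firewall's own address: remove it")

    # 6. The well-known default SNMP community string is still configured.
    if "snmp-server community public" in lines:
        findings.append("SNMP community 'public' is the default: change it or disable SNMP")
    return findings


if __name__ == "__main__":
    for label, cfg in (("old company config", OLD_CONFIG), ("home config", NEW_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg):
            print(" -", f)
```

Run against the old company config it reports that outside_access-in was never bound with access-group, so the static for 3389 alone did not open the port from the Internet; against the home config it reports the hand-typed default route on the DHCP interface and the route inside whose next hop is the PIX's own inside address, which are exactly the two lines aryoba suggests dropping.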
aryoba to kracksmith
said by kracksmith:

Can somebody post an access-list that blocks all outbound except certain ports such as 80, 443, and 53?

Something like this perhaps?

object-group network Inside
network-object 192.168.10.0 255.255.255.0
object-group service Inside_TCP tcp
port-object eq 80
port-object eq 443
object-group service Inside_UDP udp
port-object eq 53
access-list inside permit tcp object-group Inside any object-group Inside_TCP
access-list inside permit udp object-group Inside any object-group Inside_UDP
access-list inside deny ip any any log
access-group inside in interface inside
logging on
logging buffered 7
said by kracksmith:

So you're saying I don't really need these 2 statements?
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.10.0 255.255.255.0 192.168.10.4 1

How would the inside network know where the GW hop is then?

Since your Inside network is served by DHCP, as the dhcpd commands state, simply set the Inside network machines to be DHCP clients and you should be good to go
said by kracksmith:

Seems like this IOS has unlimited throughput, unlimited hosts, and 3DES for VPN.

It's PIX OS, not IOS. Anywho, the PIX should run 6.3(5), which is the latest version the PIX 506E can support. Should you be considering OS version 7.x, you need at least a PIX 515E. With OS version 8.4, you need an ASA.
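As an added example rather than anything from the thread or from Cisco: a small Python evaluator that parses the object-group ACL aryoba posted and applies it to sample flows the way the PIX does, first match wins, with the implicit deny at the end of every PIX ACL. The ACL text is copied from the post above (minus the two logging lines, which do not affect matching); the flow tuples, the parse/decide functions and the address 198.51.100.7 (a documentation address standing in for an Internet host) are constructed for the example.

```python
import ipaddress
import re

# The object-group ACL posted above, embedded here as constructed sample input
# (the two logging lines are omitted because they do not affect matching).
ACL_CONFIG = """\
object-group network Inside
network-object 192.168.10.0 255.255.255.0
object-group service Inside_TCP tcp
port-object eq 80
port-object eq 443
object-group service Inside_UDP udp
port-object eq 53
access-list inside permit tcp object-group Inside any object-group Inside_TCP
access-list inside permit udp object-group Inside any object-group Inside_UDP
access-list inside deny ip any any log
"""


def parse(config):
    """Return (groups, acls): groups maps a group name to its networks or ports,
    acls maps an ACL name to its rules as (action, protocol, remaining tokens)."""
    groups, acls, current = {}, {}, None
    for ln in config.splitlines():
        ln = ln.strip()
        if m := re.match(r"object-group (network|service) (\S+)", ln):
            current = groups.setdefault(m.group(2), [])
        elif m := re.match(r"network-object (\S+) (\S+)$", ln):
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"port-object eq (\d+)$", ln):
            current.append(int(m.group(1)))
        elif m := re.match(r"access-list (\S+) (permit|deny) (\S+) (.*)$", ln):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4).split()))
    return groups, acls


def _take_addr(tokens, groups):
    """Consume one address term (any | host A | object-group G | NET MASK) into a list of networks."""
    t = tokens.pop(0)
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if t == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if t == "object-group":
        return groups[tokens.pop(0)]
    return [ipaddress.ip_network(f"{t}/{tokens.pop(0)}")]   # PIX 6.3 writes NET MASK


def _take_port(tokens, groups):
    """Consume an optional destination port term; None means any port."""
    if tokens and tokens[0] == "eq":
        return [int(tokens[1])]
    if tokens and tokens[0] == "object-group":
        return groups[tokens[1]]
    return None


def decide(acl_name, proto, src, dst, dport, config=ACL_CONFIG):
    """First-match evaluation of one flow; the trailing 'deny' is the PIX implicit deny."""
    groups, acls = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, tokens in acls[acl_name]:
        tokens = list(tokens)
        srcs = _take_addr(tokens, groups)
        dsts = _take_addr(tokens, groups)
        ports = _take_port(tokens, groups)
        if rproto not in ("ip", proto):
            continue
        if not any(src in n for n in srcs) or not any(dst in n for n in dsts):
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    # Constructed flows: HTTPS browsing, DNS over UDP, DNS over TCP, SMTP, and a
    # source address that is not in the Inside object-group.
    for flow in [("tcp", "192.168.10.20", "198.51.100.7", 443),
                 ("udp", "192.168.10.20", "198.51.100.7", 53),
                 ("tcp", "192.168.10.20", "198.51.100.7", 53),
                 ("tcp", "192.168.10.20", "198.51.100.7", 25),
                 ("tcp", "10.0.0.5", "198.51.100.7", 80)]:
        print(flow, "->", decide("inside", *flow))
```

The third flow is the one worth noticing: the posted ACL only permits UDP 53, so a resolver that retries over TCP for a large response is denied and shows up via the log keyword on the deny line. If that matters on your network, a port-object for TCP 53 in Inside_TCP is the fix; the evaluator lets you confirm the change before typing it into the PIX.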
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to kracksmith
quote:
Although the 501 and 506E are relatively recent models, the flash memory size of only 8 MB prevents official upgrading to version 7.x, although 7.0 can be installed on a 506E using monitor mode up to version 7.1(2). The 8MB flash size only allows for installation of the PIX OS software, not the ASDM software (GUI).
Then again, what does Wikipedia know? *lol*

My attempt at a default deny policy, so adapt as needed, which like aryoba showed should be pretty easy to do if you know how to do ACL structures.

Regards