Velocity Reviews - Cisco forum: how to config 515-e-dmz dmz routes & ACL? (http://www.velocityreviews.com/forums/t36548-how-to-config-515-e-dmz-dmz-routes-and-acl.html)

JohnC 12-05-2004 03:08 AM

how to config 515-e-dmz dmz routes & ACL?
 
pix501 to pix515e-dmz to 4700 to internetworks

dmz is on third interface in 515e-dmz.

I am unclear as to how to config the dmz. I also have public addresses on the
dmz segment, but from what I have read, I think I can leave all of the
public addresses in one segment 255.255.255.240 instead of subnetting further
to 225.255.255.248 and just nat addresses to the dmz.

What do you suggest on the pix 515e-dmz config?
thanks,
John

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ-intf2 security4
enable password xxx encrypted
passwd xxx encrypted
hostname xxx
domain-name xxx.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any eq pcanywhere-data any eq pcanywhere-data
access-list outside_access_in permit udp any eq pcanywhere-status any eq pcanywhere-status
access-list outside_access_in permit tcp any eq pptp any eq pptp
access-list outside_access_in permit udp any eq 1723 any eq 1723
access-list outside_access_in remark UDP 500
access-list outside_access_in permit udp any eq isakmp any eq isakmp
access-list outside_access_in remark IP Protocol ESP 50
access-list outside_access_in permit esp any any
access-list outside_access_in permit tcp any eq 137 any
access-list outside_access_in permit udp any eq netbios-ns any
access-list outside_access_in remark SNTP
access-list outside_access_in permit tcp any eq 123 any
access-list outside_access_in remark SNTP
access-list outside_access_in permit udp any eq ntp any
access-list outside_access_in permit udp any any eq 4500
access-list inside_outbound_nat0_acl permit ip any 192.x.x.44 255.255.255.252
access-list outside_cryptomap_dyn_20 permit ip any 192.x.x.44 255.255.255.252
access-list 101 permit ip 192.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list inside_access_in remark allow any outbound tcp
access-list inside_access_in permit tcp any any
access-list inside_access_in remark permit any outbound udp
access-list inside_access_in permit udp any any
access-list inside_access_in remark enable any outbound ip
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging timestamp
logging console informational
logging buffered informational
logging trap informational
logging history informational
logging device-id string xxx
logging host inside 192.x.x.161 format emblem
mtu outside 1500
mtu inside 1500
mtu DMZ-intf2 1500
ip address outside 69.x.x.82 255.255.255.248
ip address inside 192.x.x.1 255.255.255.0
ip address DMZ-intf2 69.x.x.89 255.255.255.248
ip verify reverse-path interface outside
ip verify reverse-path interface DMZ-intf2
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 200
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 69.x.x5.81 1
route inside 192.x.x.0 255.255.255.0 192.x.x.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 60
management-access inside
console timeout 30
dhcpd auto_config outside
terminal width 80



Leigh Harrison 12-05-2004 10:09 AM

Re: how to config 515-e-dmz dmz routes & ACL?
 
John,

I'm not 100% sure what you're asking.

The very easiest way to configure a pix, if you're not used to it, is to
use the PDM web interface.

The dmz is a separate network hanging off the side of the firewall and
needs to be treated as such, i.e., have its own subnet. If you want to
advertise boxes on there to the internet, then put in static nats to
your public range and open the relevant ports.

Hope this is of some help.
LH


JohnC wrote:
> pix501 to pix515e-dmz to 4700 to internetworks
>
> dmz is on third interface in 515e-dmz.
>
> I am unclear as to how to config the dmz. I also have public addresses on the
> dmz segment, but from what I have read, I think I can leave all of the
> public addresses in one segment 255.255.255.240 instead of subnetting further
> to 225.255.255.248 and just nat addresses to the dmz.
>
> What do you suggest on the pix 515e-dmz config?
> thanks,
> John
>
> PIX Version 6.3(4)
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 DMZ-intf2 security4
> enable password xxx encrypted
> passwd xxx encrypted
> hostname xxx
> domain-name xxx.com
> clock timezone EST -5
> clock summer-time EDT recurring
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list outside_access_in permit icmp any any
> access-list outside_access_in permit tcp any eq pcanywhere-data any eq pcanywhere-data
> access-list outside_access_in permit udp any eq pcanywhere-status any eq pcanywhere-status
> access-list outside_access_in permit tcp any eq pptp any eq pptp
> access-list outside_access_in permit udp any eq 1723 any eq 1723
> access-list outside_access_in remark UDP 500
> access-list outside_access_in permit udp any eq isakmp any eq isakmp
> access-list outside_access_in remark IP Protocol ESP 50
> access-list outside_access_in permit esp any any
> access-list outside_access_in permit tcp any eq 137 any
> access-list outside_access_in permit udp any eq netbios-ns any
> access-list outside_access_in remark SNTP
> access-list outside_access_in permit tcp any eq 123 any
> access-list outside_access_in remark SNTP
> access-list outside_access_in permit udp any eq ntp any
> access-list outside_access_in permit udp any any eq 4500
> access-list inside_outbound_nat0_acl permit ip any 192.x.x.44 255.255.255.252
> access-list outside_cryptomap_dyn_20 permit ip any 192.x.x.44 255.255.255.252
> access-list 101 permit ip 192.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
> access-list inside_access_in remark allow any outbound tcp
> access-list inside_access_in permit tcp any any
> access-list inside_access_in remark permit any outbound udp
> access-list inside_access_in permit udp any any
> access-list inside_access_in remark enable any outbound ip
> access-list inside_access_in permit ip any any
> pager lines 24
> logging on
> logging timestamp
> logging console informational
> logging buffered informational
> logging trap informational
> logging history informational
> logging device-id string xxx
> logging host inside 192.x.x.161 format emblem
> mtu outside 1500
> mtu inside 1500
> mtu DMZ-intf2 1500
> ip address outside 69.x.x.82 255.255.255.248
> ip address inside 192.x.x.1 255.255.255.0
> ip address DMZ-intf2 69.x.x.89 255.255.255.248
> ip verify reverse-path interface outside
> ip verify reverse-path interface DMZ-intf2
> ip audit info action alarm
> ip audit attack action alarm
> pdm logging informational 200
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> access-group outside_access_in in interface outside
> access-group inside_access_in in interface inside
> route outside 0.0.0.0 0.0.0.0 69.x.x5.81 1
> route inside 192.x.x.0 255.255.255.0 192.x.x.2 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> aaa authorization command LOCAL
> http server enable
> snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp identity address
> isakmp nat-traversal 20
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash sha
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> telnet timeout 5
> ssh timeout 60
> management-access inside
> console timeout 30
> dhcpd auto_config outside
> terminal width 80
>
>


JohnC 12-06-2004 02:16 PM

Re: how to config 515-e-dmz dmz routes & ACL?
 
I'll set up the static nats - I think that is where I was getting stuck -
any suggestions where to look for the recommended steps to do this? It
would have been nice if the PDM had a wizard to set up the DMZ.

Also, the previous owner deleted the factory default config - so far, I
haven't found a default config to download from the cisco website to store
on flash.
John

"Leigh Harrison" <leigh.harrison4@virgin.net> wrote in message
news:e7Bsd.18$pb5.8@newsfe2-gui.ntli.net...
> John,
>
> I'm not 100% sure what you're asking.
>
> The very easiest way to configure a pix, if you're not used to it, is to
> use the PDM web interface.
>
> The dmz is a separate network hanging off the side of the firewall and
> needs to be treated as such, i.e., have its own subnet. If you want to
> advertise boxes on there to the internet, then put in static nats to
> your public range and open the relevant ports.
>
> Hope this is of some help.
> LH
>
>
> JohnC wrote:
> > pix501 to pix515e-dmz to 4700 to internetworks
> >
> > dmz is on third interface in 515e-dmz.
> >
> > I am unclear as to how to config the dmz. I also have public addresses on the
> > dmz segment, but from what I have read, I think I can leave all of the
> > public addresses in one segment 255.255.255.240 instead of subnetting further
> > to 225.255.255.248 and just nat addresses to the dmz.
> >
> > What do you suggest on the pix 515e-dmz config?
> > thanks,
> > John
> >
> > PIX Version 6.3(4)
> > interface ethernet0 auto
> > interface ethernet1 auto
> > interface ethernet2 auto
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif ethernet2 DMZ-intf2 security4
> > enable password xxx encrypted
> > passwd xxx encrypted
> > hostname xxx
> > domain-name xxx.com
> > clock timezone EST -5
> > clock summer-time EDT recurring
> > fixup protocol dns maximum-length 512
> > fixup protocol ftp 21
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol http 80
> > fixup protocol ils 389
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol sip 5060
> > fixup protocol sip udp 5060
> > fixup protocol skinny 2000
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol tftp 69
> > names
> > access-list outside_access_in permit icmp any any
> > access-list outside_access_in permit tcp any eq pcanywhere-data any eq pcanywhere-data
> > access-list outside_access_in permit udp any eq pcanywhere-status any eq pcanywhere-status
> > access-list outside_access_in permit tcp any eq pptp any eq pptp
> > access-list outside_access_in permit udp any eq 1723 any eq 1723
> > access-list outside_access_in remark UDP 500
> > access-list outside_access_in permit udp any eq isakmp any eq isakmp
> > access-list outside_access_in remark IP Protocol ESP 50
> > access-list outside_access_in permit esp any any
> > access-list outside_access_in permit tcp any eq 137 any
> > access-list outside_access_in permit udp any eq netbios-ns any
> > access-list outside_access_in remark SNTP
> > access-list outside_access_in permit tcp any eq 123 any
> > access-list outside_access_in remark SNTP
> > access-list outside_access_in permit udp any eq ntp any
> > access-list outside_access_in permit udp any any eq 4500
> > access-list inside_outbound_nat0_acl permit ip any 192.x.x.44 255.255.255.252
> > access-list outside_cryptomap_dyn_20 permit ip any 192.x.x.44 255.255.255.252
> > access-list 101 permit ip 192.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
> > access-list inside_access_in remark allow any outbound tcp
> > access-list inside_access_in permit tcp any any
> > access-list inside_access_in remark permit any outbound udp
> > access-list inside_access_in permit udp any any
> > access-list inside_access_in remark enable any outbound ip
> > access-list inside_access_in permit ip any any
> > pager lines 24
> > logging on
> > logging timestamp
> > logging console informational
> > logging buffered informational
> > logging trap informational
> > logging history informational
> > logging device-id string xxx
> > logging host inside 192.x.x.161 format emblem
> > mtu outside 1500
> > mtu inside 1500
> > mtu DMZ-intf2 1500
> > ip address outside 69.x.x.82 255.255.255.248
> > ip address inside 192.x.x.1 255.255.255.0
> > ip address DMZ-intf2 69.x.x.89 255.255.255.248
> > ip verify reverse-path interface outside
> > ip verify reverse-path interface DMZ-intf2
> > ip audit info action alarm
> > ip audit attack action alarm
> > pdm logging informational 200
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > access-group outside_access_in in interface outside
> > access-group inside_access_in in interface inside
> > route outside 0.0.0.0 0.0.0.0 69.x.x5.81 1
> > route inside 192.x.x.0 255.255.255.0 192.x.x.2 1
> > timeout xlate 0:05:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server TACACS+ max-failed-attempts 3
> > aaa-server TACACS+ deadtime 10
> > aaa-server RADIUS protocol radius
> > aaa-server RADIUS max-failed-attempts 3
> > aaa-server RADIUS deadtime 10
> > aaa-server LOCAL protocol local
> > aaa authorization command LOCAL
> > http server enable
> > snmp-server enable traps
> > floodguard enable
> > sysopt connection permit-ipsec
> > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> > crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> > crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> > crypto map outside_map interface outside
> > isakmp enable outside
> > isakmp identity address
> > isakmp nat-traversal 20
> > isakmp policy 20 authentication pre-share
> > isakmp policy 20 encryption 3des
> > isakmp policy 20 hash sha
> > isakmp policy 20 group 2
> > isakmp policy 20 lifetime 86400
> > telnet timeout 5
> > ssh timeout 60
> > management-access inside
> > console timeout 30
> > dhcpd auto_config outside
> > terminal width 80
> >
> >






Walter Roberson 12-06-2004 06:42 PM

Re: how to config 515-e-dmz dmz routes & ACL?
 
In article <10r8qh3e82vt2d7@corp.supernews.com>,
JohnC <jcadellano.spam@optonline.net> wrote:
:Also, the previous owner deleted the factory default config - so far, I
:haven't found a default config to download from the cisco website to store
:on flash.

Urrr,

clear configure all
clear configure flashfs

will restore anything but a 501 or 506/506E to its factory configuration.

For the 501, clear configure factory-default
will always work to reset to the factory configuration. For a
506 or 506E that was shipped with PIX 6.2 or later, proceed as with
the 501; for a 506 or 506E that was shipped before PIX 6.2, proceed as
for the other kinds of systems. You can use the factory-default
one on PIX 506 or 506E that was shipped before 6.2 but later upgraded
to 6.2 or beyond, but then you get into semantics about what
exactly is meant by "factory default". When the factory-default option
is used on a 501 or 506/506E, it resets the configuration to be
one that has an inside network of 192.168.1.x/24 and which is
permitted PAT through a DHCP'd outside IP. That's the factory default
for all 501s and for 506/506E shipped with 6.2 onwards; for everything
else, including older 506/506E, the factory default is an essentially
empty configuration with no networks or IPs at all configured.
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers

JohnC 12-06-2004 10:54 PM

Re: how to config 515-e-dmz dmz routes & ACL?
 
hi Walter,
Thanks for the reply, but I have the 515e-dmz - when I tried the factory
reset from the pdm, it said unable to restore factory config. I can't try
it now as we are trying to get the 515e-dmz up for a T1 that needs to go
live in 2 days.

So far, we are unable to create the nat and static route via the pdm. We'll
keep on it for a bit, then post the config if we can't get it working. I
can see why the previous owner sold this pix - we are following the cisco
article from tac, but they just are not working on setting up the dmz.
john

"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:cp2960$8rn$1@canopus.cc.umanitoba.ca...
> In article <10r8qh3e82vt2d7@corp.supernews.com>,
> JohnC <jcadellano.spam@optonline.net> wrote:
> :Also, the previous owner deleted the factory default config - so far, I
> :haven't found a default config to download from the cisco website to store
> :on flash.
>
> Urrr,
>
> clear configure all
> clear configure flashfs
>
> will restore anything but a 501 or 506/506E to its factory configuration.
>
> For the 501, clear configure factory-default
> will always work to reset to the factory configuration. For a
> 506 or 506E that was shipped with PIX 6.2 or later, proceed as with
> the 501; for a 506 or 506E that was shipped before PIX 6.2, proceed as
> for the other kinds of systems. You can use the factory-default
> one on PIX 506 or 506E that was shipped before 6.2 but later upgraded
> to 6.2 or beyond, but then you get into semantics about what
> exactly is meant by "factory default". When the factory-default option
> is used on a 501 or 506/506E, it resets the configuration to be
> one that has an inside network of 192.168.1.x/24 and which is
> permitted PAT through a DHCP'd outside IP. That's the factory default
> for all 501s and for 506/506E shipped with 6.2 onwards; for everything
> else, including older 506/506E, the factory default is an essentially
> empty configuration with no networks or IPs at all configured.
> --
> "No one has the right to destroy another person's belief by
> demanding empirical evidence." -- Ann Landers




Walter Roberson 12-06-2004 11:01 PM

Re: how to config 515-e-dmz dmz routes & ACL?
 
In article <10r9oq5qehgmsaf@corp.supernews.com>,
JohnC <jcadellano.spam@optonline.net> wrote:
:Thanks for the reply , but I have the 515e-dmz - when I tried the factory
:reset from the pdm, it said unable to restore factory config.

As I indicated, the 515E is not one of the devices that supports
factory reset as such. Go into the PDM command line mode and
send the clear of the flashfs and then the clear of the main configure.
At that point, you'll lose communications with the 515E as it won't
have an IP address for the PDM to talk to, so be prepared with a
serial console.
--
Those were borogoves and the momerathsoutgrabe completely mimsy.

JohnC 12-06-2004 11:45 PM

Re: how to config 515-e-dmz dmz routes & ACL?
 
We are trying to follow this link, but the pdm fails trying to config the
nat.
http://www.cisco.com/en/US/about/ac1...0800a4bd8.html

I will post the config.
For such a popular scenario, I am not finding any online articles explaining
how to overcome the nat error.
John
"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:cp2oc0$rt0$1@canopus.cc.umanitoba.ca...
> In article <10r9oq5qehgmsaf@corp.supernews.com>,
> JohnC <jcadellano.spam@optonline.net> wrote:
> :Thanks for the reply , but I have the 515e-dmz - when I tried the factory
> :reset from the pdm, it said unable to restore factory config.
>
> As I indicated, the 515E is not one of the devices that supports
> factory reset as such. Go into the PDM command line mode and
> send the clear of the flashfs and then the clear of the main configure.
> At that point, you'll lose communications with the 515E as it won't
> have an IP address for the PDM to talk to, so be prepared with a
> serial console.
> --
> Those were borogoves and the momerathsoutgrabe completely mimsy.




JohnC 12-06-2004 11:57 PM

Re: how to config 515-e-dmz dmz routes & ACL?
 
Can't get nat to translate to or from dmz.
-----------------------------------------
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ-intf2 security4
enable password x encrypted
passwd x encrypted
hostname x
domain-name x.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
xx
access-list outside_access_in permit tcp any eq pptp any eq pptp
access-list outside_access_in permit udp any eq 1723 any eq 1723
access-list outside_access_in remark UDP 500
access-list outside_access_in permit udp any eq isakmp any eq isakmp
access-list outside_access_in remark IP Protocol ESP 50
access-list outside_access_in permit esp any any
access-list outside_access_in permit tcp any eq 137 any
access-list outside_access_in permit udp any eq netbios-ns any
access-list outside_access_in remark SNTP
access-list outside_access_in permit tcp any eq 123 any
access-list outside_access_in remark SNTP
access-list outside_access_in permit udp any eq ntp any
access-list outside_access_in permit udp any any eq 4500
access-list outside_access_in permit tcp any host 69.x.x.90 eq www
access-list outside_access_in permit tcp any host 69.x.x.90 eq https
access-list inside_outbound_nat0_acl permit ip any 192.168.x.44 255.255.255.252
access-list outside_cryptomap_dyn_20 permit ip any 192.168.x.44 255.255.255.252
....
access-list inside_access_in remark allow any outbound tcp
access-list inside_access_in permit tcp any any
access-list inside_access_in remark permit any outbound udp
access-list inside_access_in permit udp any any
access-list inside_access_in remark enable any outbound ip
access-list inside_access_in permit ip any any
access-list DMZ-intf2_access_in permit tcp any any
pager lines 24
logging on
logging timestamp
logging console informational
logging buffered informational
logging trap informational
logging history informational
logging device-id string ...
logging host inside ...
mtu outside 1500
mtu inside 1500
mtu DMZ-intf2 1500
ip address outside 69.x.x.82 255.255.255.240
ip address inside 192.168.x.1 255.255.255.0
ip address DMZ-intf2 192.168.x.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface DMZ-intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool ...
....
pdm logging informational 200
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (DMZ-intf2,outside) 69.x.x.90 xxxx netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ-intf2_access_in in interface DMZ-intf2
route outside 0.0.0.0 0.0.0.0 69.x.x.81 1
route inside 192.168.x.0 255.255.255.0 192.168.x.2 1
......
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 192.168.x.0 255.255.255.0 inside
....
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
.....
telnet timeout 5
ssh timeout 60
management-access inside
console timeout 30
.....
dhcpd auto_config outside
terminal width 80
.....
: end




"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:cp2oc0$rt0$1@canopus.cc.umanitoba.ca...
> In article <10r9oq5qehgmsaf@corp.supernews.com>,
> JohnC <jcadellano.spam@optonline.net> wrote:
> :Thanks for the reply , but I have the 515e-dmz - when I tried the factory
> :reset from the pdm, it said unable to restore factory config.
>
> As I indicated, the 515E is not one of the devices that supports
> factory reset as such. Go into the PDM command line mode and
> send the clear of the flashfs and then the clear of the main configure.
> At that point, you'll lose communications with the 515E as it won't
> have an IP address for the PDM to talk to, so be prepared with a
> serial console.
> --
> Those were borogoves and the momerathsoutgrabe completely mimsy.




Walter Roberson 12-07-2004 09:14 AM

Re: how to config 515-e-dmz dmz routes & ACL?
 
In article <10r9sfh8ru2q7f7@corp.supernews.com>,
JohnC <jcadellano.spam@optonline.net> wrote:
:Can't get nat to translate to or from dmz.

You haven't been very clear about what you are trying to do.

:PIX Version 6.3(4)
:nameif ethernet2 DMZ-intf2 security4

:access-list outside_access_in permit tcp any host 69.x.x.90 eq www
:access-list outside_access_in permit tcp any host 69.x.x.90 eq https

Hazarding a guess here: you want a www server to be on the dmz and
you want its public address to be 69.x.x.90 ?

>access-list inside_outbound_nat0_acl permit ip any 192.168.x.44



:access-list inside_access_in remark allow any outbound tcp
:access-list inside_access_in permit tcp any any
:access-list inside_access_in remark permit any outbound udp
:access-list inside_access_in permit udp any any
:access-list inside_access_in remark enable any outbound ip
:access-list inside_access_in permit ip any any

The last of those lines renders all the others redundant. And you
might as well just get rid of the ACL entirely and not apply
any access-group to the inside interface, if you are going to permit
everything anyhow.


:access-list DMZ-intf2_access_in permit tcp any any

You aren't permitting back the standard icmp maintenance messages
that are needed to implement MTU Path Discovery. You should be permitting
icmp ttl-exceeded and icmp unreachable to go out of the DMZ. You
should also consider which hosts [including on the inside] you
want the dmz systems to be able to send icmp echo-reply to, so that
you can ping the dmz system.


:ip address outside 69.x.x.82 255.255.255.240
:ip address inside 192.168.x.1 255.255.255.0
:ip address DMZ-intf2 192.168.x.1 255.255.255.0

If we read those last two "algebraically", then you can't do that.
Your dmz interface and your inside interface must be on different
networks. If your inside interface is 192.168.x/24 then your
dmz interface has to be something else such as 192.168.y/24 where
x is not the same as y.


:ip verify reverse-path interface outside
:ip verify reverse-path interface DMZ-intf2

:global (outside) 1 interface
:nat (inside) 0 0.0.0.0 0.0.0.0 0 0
:static (DMZ-intf2,outside) 69.x.x.90 xxxx netmask 255.255.255.255 0 0

In that statement, is xxxx something in the 192.168.x/24 IP range?
If you try to use anything else on the dmz interface, then your
reverse-path verification is going to kill the packets.

I notice that you do not have any global (dmz) 1 interface
or similar, nor any static between inside and DMZ-intf2. You need
a global or a static statement in order for the inside systems
to be able to reach the dmz systems.

:access-group outside_access_in in interface outside
:access-group inside_access_in in interface inside
:access-group DMZ-intf2_access_in in interface DMZ-intf2

:route outside 0.0.0.0 0.0.0.0 69.x.x.81 1
:route inside 192.168.x.0 255.255.255.0 192.168.x.2 1

That last statement is unnecessary unless 192.168.x.2
is a router within your inside LAN, and it's probably wrong as well.
If all hosts on your inside LAN are in 192.168.x/24 then just leave
out that 'route inside' statement, as the PIX inside interface
will ARP for the destination hosts and will detect them directly
provided they are not in a different IP address range.


If your xxxx in your static is an IP in a 192.168.?/24 address range
that is the same address range assigned to the DMZ, and that address
range is a different address range than for the inside interface,
and if the 'route inside' statement is not referring to the DMZ address
range, then the configuration you posted should be able to
allow new connections to a WWW server that lives on the DMZ and
whose public IP is 69.x.x.90 . [You might have DNS issues, but that's
a different matter.]
--
Warhol's Second Law of Usenet: "In the future, everyone will troll
for 15 minutes."
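Pulling Walter's points together into one corrected fragment for the 515E. This is an added illustration, not part of the original thread or any poster's config; 192.168.y.0/24 and 192.168.y.10 are placeholders for the real DMZ subnet and web server address, and "y" must differ from the inside "x".

```cisco
: Added illustrative fragment for PIX 6.3(4), not from the original thread.
: 192.168.y.0/24 and 192.168.y.10 are placeholders for the actual DMZ subnet
: and web server; 192.168.x.0/24 is the inside subnet from the posted config.

: 1. The DMZ must be on its own subnet, distinct from the inside subnet.
ip address inside 192.168.x.1 255.255.255.0
ip address DMZ-intf2 192.168.y.1 255.255.255.0

: 2. Map the public address to the web server's real DMZ address. The real
:    address must lie inside 192.168.y.0/24, otherwise the reverse-path
:    check on DMZ-intf2 drops the server's packets.
static (DMZ-intf2,outside) 69.x.x.90 192.168.y.10 netmask 255.255.255.255 0 0

: 3. Let inside hosts reach DMZ hosts by their real addresses: an identity
:    static between the two interfaces, so no translation is applied.
static (inside,DMZ-intf2) 192.168.x.0 192.168.x.0 netmask 255.255.255.0 0 0

: 4. DMZ hosts themselves use PAT on the outside interface address when
:    they originate traffic to the internet.
nat (DMZ-intf2) 1 192.168.y.0 255.255.255.0 0 0
global (outside) 1 interface

: 5. DMZ ACL: only what the server needs outbound, plus the ICMP messages
:    required for Path MTU Discovery (time-exceeded, unreachable) and
:    echo-reply towards the inside so the server can be pinged from there.
:    This replaces the posted "permit tcp any any".
access-list DMZ-intf2_access_in permit icmp any any time-exceeded
access-list DMZ-intf2_access_in permit icmp any any unreachable
access-list DMZ-intf2_access_in permit icmp 192.168.y.0 255.255.255.0 192.168.x.0 255.255.255.0 echo-reply
access-list DMZ-intf2_access_in permit udp 192.168.y.0 255.255.255.0 any eq domain
access-group DMZ-intf2_access_in in interface DMZ-intf2

: 6. The "route inside" for the directly connected inside subnet is not
:    needed; the PIX ARPs for those hosts itself. Keep only the default.
no route inside 192.168.x.0 255.255.255.0 192.168.x.2 1
route outside 0.0.0.0 0.0.0.0 69.x.x.81 1

: 7. The inside ACL that permits "ip any any" adds nothing; drop it.
no access-group inside_access_in in interface inside
```

After applying this, `show xlate` and `show conn` on the PIX are the quickest way to confirm that connections from outside to 69.x.x.90 and from inside to 192.168.y.10 are actually being built.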

