Beginner's question about PIX501 and access-lists

Jens Meyer
Guest
Posts: n/a
 
      11-12-2003
Hi everybody:

After great help last week I have to come back and ask another
question. I'm slowly working my way into the Cisco PIX configs (have
virtually no background in networking). Anyway, I'm trying to set up
the PIX so that the outside addresses are statically mapped to the
inside addresses, which I've got working. I'm now trying to set rules
regarding ICMP/TCP/UDP traffic. I started out grouping my inside IP
addresses into functional groups which were then grouped into a single
"all hosts".

However, I don't seem to be able to ping from the inside or the
outside?

A second question is, how would I best set up rules blocking e.g.
NetBIOS traffic from/to outside addresses? Or define my own
list of services/ports that are to be blocked?

Below is the config file

# define interfaces and set speed
interface ethernet0 auto
interface ethernet1 100full

# name interfaces and assign them default security levels
nameif ethernet0 outside security0
nameif ethernet1 inside security100

# enable and set the PIX password
enable password *************** encrypted
passwd *************** encrypted

# define hostname and domain
hostname pixfirewall
domain-name location.company.com

# define the IP addresses for the inside and outside interfaces
ip address outside xxx.yyy.zzz.238 255.255.255.0
ip address inside 192.168.1.238 255.255.255.240

# define a static mapping of the outside address to a corresponding
# inside address with matching last IP octets
static (inside,outside) xxx.yyy.zzz.224 192.168.1.224 netmask 255.255.255.240 0 0

# set the default outside route for the PIX
route outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.1 1

# configure DHCP pool for inside network
dhcpd address 192.168.1.230-192.168.1.235 inside
dhcpd dns xxx.yyy.20.40 xxx.yyy.2.62
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain location.company.com
dhcpd auto_config outside
dhcpd enable inside

# set timezone and NTP server
clock timezone EST -5
clock summer-time EDT recurring
ntp server 18.26.4.105 source outside prefer
ntp server 128.252.19.1 source outside

# set fixup for various protocols
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

# allow the use of names instead of IP addresses
names

# bind access groups to corresponding interface
access-group acl_out in interface outside

# define accesslist permissions for accessgroups
# access list allowing specific ICMP messages from all inside hosts to
# all outside hosts
access-list acl_out permit icmp object-group all_hosts any object-group icmp-allowed

# define object groups
object-group icmp-type icmp-allowed
icmp-object echo
icmp-object time-exceeded
icmp-object echo-reply
icmp-object unreachable
icmp-object source-quench
object-group network static_ip
network-object host 192.168.1.225
network-object host 192.168.1.226
network-object host 192.168.1.227
network-object host 192.168.1.228
network-object host 192.168.1.229
object-group network dhcp_ip
network-object host 192.168.1.230
network-object host 192.168.1.231
network-object host 192.168.1.232
network-object host 192.168.1.233
network-object host 192.168.1.234
network-object host 192.168.1.235
object-group network vpn_ip
network-object host 192.168.1.236
network-object host 192.168.1.237
object-group network pix_firewall
network-object host 192.168.1.238
object-group network all_hosts
group-object static_ip
group-object dhcp_ip
group-object vpn_ip
group-object pix_firewall

# set pagelength for pagination
pager lines 24

# enable internal logging
logging on timestamp
logging buffered debugging

# set MTU values for inside and outside interface
mtu outside 1500
mtu inside 1500

# configure IDS events (raise alarm for info, drop packet for attack)
ip audit info action alarm
ip audit attack action alarm drop

# configure PIX device manager
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable

# set the timeout value for the ARP table
arp timeout 14400

# set maximum idle times for different connection states
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

# define AAA server groups
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

# configure TFTP server to read/write configurations
no tftp-server outside xxx.yyy.zzz.102 /

# configure the PIX firewall HTTP server
http server enable
http 192.168.1.0 255.255.255.0 inside

# configure the SNMP server
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps

# Enable TCP resource control for AAA Authentication Proxy
floodguard enable

# configure Telnet access to PIX Firewall
no telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5

# configure SSH access to PIX Firewall
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5

# Set idle timeout for the serial console of the PIX
console timeout 0

# set terminal line parameters
terminal width 80
 
 
Walter Roberson
Guest
Posts: n/a
 
      11-13-2003
In article <(E-Mail Removed)>,
Jens Meyer <(E-Mail Removed)> wrote:
:Anyway, I'm trying to set up
:the PIX so that the outside addresses are statically mapped to the
:inside addresses, which I've got working. I'm now trying to set rules
:regarding ICMP/TCP/UDP traffic. I started out grouping my inside IP
:addresses into functional groups which were then grouped into a single
:"all hosts".

:access-group acl_out in interface outside

:access-list acl_out permit icmp object-group all_hosts any

access-lists applied to the 'outside' interface have source IP
addresses which are the outside machines, and destination IP
addresses which are the inside machines.

When you create an access-list with object-group all_hosts any
and apply that to the outside interface, then you are matching
traffic whose -source- IP address is described by all_hosts.
That's not what you want, though. You might want

access-list acl_out permit icmp any object-group all_hosts

(except you should probably protect your machines against
network redirects and other potentially-malicious icmp.)
--
Perposterous!! Where would all the calculators go?!
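To make the direction point above concrete, here is an added illustration (not code from the thread, and not Cisco's implementation) that models how a PIX access-list bound "in" on the outside interface is matched. It parses a constructed, trimmed excerpt of the posted object-groups, then evaluates the ACE exactly as posted and the direction-corrected ACE against an ICMP echo-reply arriving on the outside interface from a constructed outside host (203.0.113.9, a documentation address). The outbound echo is not modelled because it leaves through the inside interface, where no access-group is bound and higher-to-lower security traffic is permitted by default; it is the returning echo-reply that hits acl_out. The model is first-match with the PIX implicit deny at the end of the list; it ignores the fixups and the ICMP-type hardening mentioned in the reply. One caveat beyond what the thread says: on PIX 6.x the outside ACL is checked against the destination address as the packet arrives, that is the static's global xxx.yyy.zzz.x address rather than the 192.168.1.x address, so in a real acl_out the group members would have to be the mapped addresses; the model below keeps the 192.168.1.x members from the post only so the two ACEs stay readable side by side.

```python
"""Added illustration (not code from the thread or from Cisco) of how a PIX
access-list bound 'in' on the outside interface is matched against packets
arriving from the outside. Such a packet has an outside source and an inside
destination, so an ACE whose *source* field is the inside object-group never
matches it, and the implicit deny at the end of the list drops it."""

from typing import Dict, List, Set, Tuple

# Constructed excerpt of the posted config: object-groups trimmed to the
# members needed here. Addresses are the poster's own inside addresses.
PIX_CONFIG = """\
object-group icmp-type icmp-allowed
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
object-group network static_ip
network-object host 192.168.1.225
network-object host 192.168.1.226
object-group network pix_firewall
network-object host 192.168.1.238
object-group network all_hosts
group-object static_ip
group-object pix_firewall
"""

# The ACE as posted, and the direction-corrected form from the reply.
ACL_AS_POSTED = ("access-list acl_out permit icmp object-group all_hosts any "
                 "object-group icmp-allowed")
ACL_CORRECTED = ("access-list acl_out permit icmp any object-group all_hosts "
                 "object-group icmp-allowed")

Spec = Tuple[str, str]  # ("any", ""), ("host", ip) or ("group", name)


def parse_object_groups(config: str) -> Dict[str, Set[str]]:
    """Flatten object-group definitions into name -> set of members,
    expanding nested group-object references recursively."""
    raw: Dict[str, List[List[str]]] = {}
    current = None
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "object-group":
            current = parts[2]          # object-group <type> <name>
            raw[current] = []
        elif current is not None:
            raw[current].append(parts)

    def expand(name: str) -> Set[str]:
        members: Set[str] = set()
        for p in raw[name]:
            if p[0] == "group-object":
                members |= expand(p[1])
            elif p[0] == "network-object" and p[1] == "host":
                members.add(p[2])
            elif p[0] == "icmp-object":
                members.add(p[1])
        return members

    return {name: expand(name) for name in raw}


def parse_ace(line: str) -> dict:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [ICMP-TYPE]' where
    each field is 'any', 'host IP' or 'object-group NAME'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    rest = t[4:]

    def take() -> Spec:
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ("any", "")
        kind = {"host": "host", "object-group": "group"}[rest[0]]
        spec = (kind, rest[1])
        rest = rest[2:]
        return spec

    src, dst = take(), take()
    icmp = take() if rest else ("any", "")
    return {"name": t[1], "action": t[2], "proto": t[3],
            "src": src, "dst": dst, "icmp": icmp}


def spec_matches(spec: Spec, value: str, groups: Dict[str, Set[str]]) -> bool:
    kind, arg = spec
    if kind == "any":
        return True
    if kind == "host":
        return value == arg
    return value in groups[arg]


def evaluate(acl: List[str], groups: Dict[str, Set[str]], pkt: dict) -> str:
    """First-match evaluation of the ACL with the PIX implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] != pkt["proto"]:
            continue
        if not spec_matches(ace["src"], pkt["src"], groups):
            continue
        if not spec_matches(ace["dst"], pkt["dst"], groups):
            continue
        if pkt["proto"] == "icmp" and not spec_matches(ace["icmp"], pkt["icmp_type"], groups):
            continue
        return ace["action"]
    return "deny"


def echo_reply_outcome(ace_line: str) -> str:
    """Outcome for an ICMP echo-reply arriving on 'outside' from a constructed
    outside host (203.0.113.9) addressed to one of the poster's inside hosts."""
    groups = parse_object_groups(PIX_CONFIG)
    reply = {"proto": "icmp", "src": "203.0.113.9",
             "dst": "192.168.1.225", "icmp_type": "echo-reply"}
    return evaluate([ace_line], groups, reply)


if __name__ == "__main__":
    for label, ace in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        print(f"{label:10s}: echo-reply from outside -> {echo_reply_outcome(ace)}")
```

Running the block prints "deny" for the ACE as posted and "permit" for the corrected one: the posted ACE compares the outside sender against all_hosts, finds no member, and falls through to the implicit deny, which is why nothing answered the pings.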