Beginner's question about PIX501 and access-lists

Discussion in 'Cisco' started by Jens Meyer, Nov 12, 2003.

  1. Jens Meyer

    Jens Meyer Guest

    Hi everybody:

    After great help last week I have to come back and ask another
    question. I'm slowly working my way into the Cisco PIX configs (have
    virtually no background in networking). Anyway, I'm trying to set up
    the PIX so that the outside addresses are statically mapped to the
    inside addresses, which I've got working. I'm now trying to set rules
    regarding ICMP/TCP/UDP traffic. I started out grouping my inside IP
    addresses into functional groups which were then grouped into a single
    "all hosts".

    However, I don't seem to be able to ping from the inside or the
    outside?

    A second question is, how would I best set up rules blocking e.g.
    NetBIOS traffic from/to outside addresses? Or define my own
    list of services/ports that are to be blocked?

    Below is the config file

    # define interfaces and set speed
    interface ethernet0 auto
    interface ethernet1 100full

    # name interfaces and assign them default security levels
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    # enable and set the PIX password
    enable password *************** encrypted
    passwd *************** encrypted

    # define hostname and domain
    hostname pixfirewall
    domain-name location.company.com

    # define the IP addresses for the inside and outside interfaces
    ip address outside xxx.yyy.zzz.238 255.255.255.0
    ip address inside 192.168.1.238 255.255.255.240

    # define a static mapping of the outside address to a corresponding
    # inside address with matching last IP octets
    static (inside,outside) xxx.yyy.zzz.224 192.168.1.224 netmask 255.255.255.240 0 0

    # set the default outside route for the PIX
    route outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.1 1

    # configure DHCP pool for inside network
    dhcpd address 192.168.1.230-192.168.1.235 inside
    dhcpd dns xxx.yyy.20.40 xxx.yyy.2.62
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain location.company.com
    dhcpd auto_config outside
    dhcpd enable inside

    # set timezone and NTP server
    clock timezone EST -5
    clock summer-time EDT recurring
    ntp server 18.26.4.105 source outside prefer
    ntp server 128.252.19.1 source outside

    # set fixup for various protocols
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521

    # allow the use of names instead of IP addresses
    names

    # bind access groups to corresponding interface
    access-group acl_out in interface outside

    # define accesslist permissions for accessgroups
    # access list allowing specific ICMP messages from all inside hosts to
    # all outside hosts
    access-list acl_out permit icmp object-group all_hosts any object-group icmp-allowed

    # define object groups
    object-group icmp-type icmp-allowed
    icmp-object echo
    icmp-object time-exceeded
    icmp-object echo-reply
    icmp-object unreachable
    icmp-object source-quench
    object-group network static_ip
    network-object host 192.168.1.225
    network-object host 192.168.1.226
    network-object host 192.168.1.227
    network-object host 192.168.1.228
    network-object host 192.168.1.229
    object-group network dhcp_ip
    network-object host 192.168.1.230
    network-object host 192.168.1.231
    network-object host 192.168.1.232
    network-object host 192.168.1.233
    network-object host 192.168.1.234
    network-object host 192.168.1.235
    object-group network vpn_ip
    network-object host 192.168.1.236
    network-object host 192.168.1.237
    object-group network pix_firewall
    network-object host 192.168.1.238
    object-group network all_hosts
    group-object static_ip
    group-object dhcp_ip
    group-object vpn_ip
    group-object pix_firewall

    # set pagelength for pagination
    pager lines 24

    # enable internal logging
    logging on
    logging timestamp
    logging buffered debugging

    # set MTU values for inside and outside interface
    mtu outside 1500
    mtu inside 1500

    # configure IDS events (raise alarm for info, drop packet for attack)
    ip audit info action alarm
    ip audit attack action alarm drop

    # configure PIX device manager
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm logging informational 100
    pdm history enable

    # set the timeout value for the ARP table
    arp timeout 14400

    # set maximum idle times for different connection states
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute

    # define AAA server groups
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local

    # configure TFTP server to read/write configurations
    no tftp-server outside xxx.yyy.zzz.102 /

    # configure the PIX firewall HTTP server
    http server enable
    http 192.168.1.0 255.255.255.0 inside

    # configure the SNMP server
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps

    # Enable TCP resource control for AAA Authentication Proxy
    floodguard enable

    # configure Telnet access to PIX Firewall
    no telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5

    # configure SSH access to PIX Firewall
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5

    # Set idle timeout for the serial console of the PIX
    console timeout 0

    # set terminal line parameters
    terminal width 80
     
    Jens Meyer, Nov 12, 2003
    #1

  2. In article <>,
    Jens Meyer <> wrote:
    :Anyway, I'm trying to set up
    :the PIX so that the outside addresses are statically mapped to the
    :inside addresses, which I've got working. I'm now trying to set rules
    :regarding ICMP/TCP/UDP traffic. I started out grouping my inside IP
    :addresses into functional groups which were then grouped into a single
    :"all hosts".

    :access-group acl_out in interface outside

    :access-list acl_out permit icmp object-group all_hosts any

    access-lists applied to the 'outside' interface have source IP
    addresses which are the outside machines, and destination IP
    addresses which are the inside machines.

    When you create an access-list with object-group all_hosts any
    and apply that to the outside interface, then you are matching
    traffic whose -source- IP address is described by all_hosts.
    That's not what you want, though. You might want

    access-list acl_out permit icmp any object-group all_hosts

    (except you should probably protect your machines against
    network redirects and other potentially-malicious icmp.)
    --
    Perposterous!! Where would all the calculators go?!
     
    Walter Roberson, Nov 13, 2003
    #2
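As an added illustration of Walter's point (example code written for this thread, not PIX software or anything from the original posts), here is a small Python model that applies the posted ACE and the corrected one to an inbound echo request arriving on the outside interface. It assumes the object groups exactly as posted and a constructed outside address; on PIX 6.x the outside ACL would actually be matched against the static-mapped xxx.yyy.zzz addresses, which the model ignores so that only the direction mistake is visible.

```python
# Constructed model of a PIX access-list applied "in" on the outside interface:
# inbound packets have an outside source and an inside destination (NAT ignored).
# Object groups transcribed from the posted config; all_hosts nests the others.
NETWORK_GROUPS = {
    "static_ip": ["192.168.1.%d" % i for i in range(225, 230)],
    "dhcp_ip": ["192.168.1.%d" % i for i in range(230, 236)],
    "vpn_ip": ["192.168.1.236", "192.168.1.237"],
    "pix_firewall": ["192.168.1.238"],
    "all_hosts": ["static_ip", "dhcp_ip", "vpn_ip", "pix_firewall"],
}
ICMP_GROUPS = {"icmp-allowed": {"echo", "time-exceeded", "echo-reply",
                                "unreachable", "source-quench"}}

def resolve_hosts(name):
    """Flatten a network object-group, recursing into nested group-objects."""
    hosts = set()
    for member in NETWORK_GROUPS[name]:
        hosts |= resolve_hosts(member) if member in NETWORK_GROUPS else {member}
    return hosts

def parse_ace(line):
    """Parse 'access-list NAME permit icmp SRC DST [object-group TYPES]'.
    SRC and DST are 'any' (stored as None) or 'object-group NAME' (the name)."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "icmp", "only icmp ACEs modelled"
    ends, i = [], 4
    for _ in range(2):                      # source endpoint, then destination
        ends.append(None if tok[i] == "any" else tok[i + 1])
        i += 1 if tok[i] == "any" else 2
    types = ICMP_GROUPS[tok[i + 1]] if i < len(tok) else None  # None = any type
    return {"action": tok[2], "src": ends[0], "dst": ends[1], "types": types}

def matches(ace, src_ip, dst_ip, icmp_type):
    def endpoint_ok(group, ip):
        return group is None or ip in resolve_hosts(group)
    return (endpoint_ok(ace["src"], src_ip) and endpoint_ok(ace["dst"], dst_ip)
            and (ace["types"] is None or icmp_type in ace["types"]))

def evaluate(acl_lines, src_ip, dst_ip, icmp_type):
    """First matching ACE wins; with no match the PIX's implicit deny applies."""
    for line in acl_lines:
        ace = parse_ace(line)
        if matches(ace, src_ip, dst_ip, icmp_type):
            return ace["action"]
    return "deny"

# The ACE from the posted config vs. Walter's direction fix (icmp-allowed kept).
ORIGINAL = ["access-list acl_out permit icmp object-group all_hosts any object-group icmp-allowed"]
CORRECTED = ["access-list acl_out permit icmp any object-group all_hosts object-group icmp-allowed"]
```

The echo-reply coming back to an inside host's own ping is evaluated the same way on the outside interface, which is why the original line breaks pings from both sides; with the corrected line echo and echo-reply pass while a redirect still falls to the implicit deny because it is not in icmp-allowed.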
