
Best practice - comments, cmd order, global pool, syntax, route


captaintuba

Technical User
Oct 28, 2003
I’m new to working on PIX configs and wanted to check some things out.
(I’ve inherited a working PIX but need to create a DMZ for web pre-staging.)

Comments
Please can you confirm the right syntax to add a comment in a configuration.
I don’t see many comments in the configurations I’ve seen so far.
Is this security through obscurity?
You know what it all does and don’t need clues/reminders?
-OR- It is not valid syntax for the PIX?

Order of commands in configuration
Other than access-lists, does the order of configuration commands matter?
In the example below, which I have inherited, the access-list and access-group commands are split by nearly a page; surely having access-group follow immediately after access-list would improve legibility.
Is there a recognised order to the commands? e.g.
Interface and device names
Management & logging
Routing
NAT/PAT
Access lists
VPN

Size of global pools
Ought global pools to be sized according to the number of users who will use them?
In this case I need to let web developers and support access the pre-staging environment on dmz1. As this is fewer than 20 people, should I cut the pool to be only 20 addresses?
Code:
global (dmz1) 1 192.168.169.100-192.168.169.120 netmask 255.255.255.0
!--- pool range kept within the dmz1 subnet 192.168.169.0/24 (end address must not be below the start)
!---  lets inside,dmz2,3,4 establish connections to dmz1

Static & Nat - max_cons & em_limit
In the static and nat commands there are two parameters, max_cons & em_limit, which are usually left at their default value "0". Some people type them, others do not.
Which is best practice?

Syntax checker
Is there a syntax checker for PIX configs?
The configuration I have inherited has the ACL command:
Code:
access-list outside_access_in permit tcp host A.B.C.117 host A.B.C.121 eq 3389
Is this bad/invalid syntax?

Default Route
Should the default route point to the router on the outside LAN or to the ISPs default router beyond the router connected to the outside LAN?
Code:
ip address outside A.B.C.115 255.255.255.240
route outside 0.0.0.0 0.0.0.0 A.B.C.117 1
or
Code:
ip address outside A.B.C.115 255.255.255.240
route outside 0.0.0.0 0.0.0.0 X.Y.Z.113 1

Many thanks for your time.
C.T.

Example Config:
Code:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security20
nameif ethernet3 intf3 security40
nameif ethernet4 intf4 security60
nameif ethernet5 intf5 security80
enable password X encrypted
passwd X encrypted
hostname pixoffice
domain-name something.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp host A.B.C.117 host A.B.C.121 eq 3389
access-list outside_access_in permit tcp any host A.B.C.120 eq www
access-list outside_access_in permit tcp any host A.B.C.123 eq ftp
access-list outside_access_in permit tcp any host A.B.C.123 eq ftp-data
access-list outside_access_in permit tcp any host A.B.C.124 eq www
access-list outside_access_in permit tcp any host A.B.C.124 eq https
access-list outside_access_in permit tcp any host A.B.C.125 eq www
access-list outside_access_in permit tcp any host A.B.C.125 eq https
access-list dmz1_access_in permit icmp any any
!--- For testing temporarily allow Ping from inside to anything on dmz1
access-list 80 permit ip 192.168.168.0 255.255.255.0 10.44.52.0 255.255.255.0
access-list 90 permit ip 192.168.168.0 255.255.255.0 host D.E.F.170
access-list 100 permit ip 192.168.168.0 255.255.255.0 10.44.52.0 255.255.255.0
access-list 100 permit ip 192.168.168.0 255.255.255.0 host D.E.F.170
access-list 100 permit ip 192.168.168.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 192.168.168.0 255.255.255.0 host D.E.F.45
access-list 100 permit ip 192.168.168.0 255.255.255.0 host D.E.F.46
access-list 50 permit ip 192.168.168.0 255.255.255.0 host D.E.F.46
access-list 50 permit ip 192.168.168.0 255.255.255.0 host D.E.F.45
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging history informational
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside A.B.C.115 255.255.255.240
ip address inside 192.168.168.1 255.255.255.0
ip address dmz1 192.168.169.1 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool DIALINCLIENTS 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm location 192.168.168.10 255.255.255.255 inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz1) 1 192.168.169.100-192.168.169.200 netmask 255.255.255.0
!--- pool range kept within the dmz1 subnet 192.168.169.0/24 (end address must not be below the start)
!---  lets inside,dmz2,3,4 establish connections to dmz1
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 192.168.169.1 255.255.255.0
name 192.168.169.49 ftpserver
name 192.168.169.53 server
name 192.168.169.55 webserver
static (inside,outside) tcp interface smtp 192.168.168.12 smtp netmask 255.255.255.255 0 0
static (inside,outside) A.B.C.121 192.168.168.11 netmask 255.255.255.255 0 0
static (inside,outside) A.B.C.120 192.168.168.52 netmask 255.255.255.255 0 0
static (dmz1,outside) A.B.C.123 192.168.169.49 netmask 255.255.255.255 0 0
static (dmz1,outside) A.B.C.124 192.168.169.53 netmask 255.255.255.255 0 0
static (dmz1,outside) A.B.C.125 192.168.169.55 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz1_access_in in interface dmz1
!--- permits pings to DMZ1 from inside
route outside 0.0.0.0 0.0.0.0 X.Y.Z.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set co-lovpn esp-des esp-sha-hmac
crypto ipsec transform-set DIALINCLIENTS esp-des esp-md5-hmac
crypto dynamic-map dynomap 90 set transform-set DIALINCLIENTS
crypto map co-lo 10 ipsec-isakmp
crypto map co-lo 10 match address 80
crypto map co-lo 10 set peer G.H.I.49
crypto map co-lo 10 set transform-set co-lovpn
crypto map co-lo 20 ipsec-isakmp
crypto map co-lo 20 match address 90
crypto map co-lo 20 set peer D.E.F.163
crypto map co-lo 20 set transform-set co-lovpn
crypto map co-lo 30 ipsec-isakmp
crypto map co-lo 30 match address 50
crypto map co-lo 30 set peer D.E.F.35
crypto map co-lo 30 set transform-set co-lovpn
crypto map co-lo 90 ipsec-isakmp dynamic dynomap
crypto map co-lo client configuration address initiate
crypto map co-lo interface outside
isakmp enable outside
isakmp key ******** address D.E.F.163 netmask 255.255.255.255
isakmp key ******** address G.H.I.49 netmask 255.255.255.255
isakmp key ******** address D.E.F.35 netmask 255.255.255.255
isakmp identity address
isakmp policy 6 authentication pre-share
isakmp policy 6 encryption des
isakmp policy 6 hash sha
isakmp policy 6 group 1
isakmp policy 6 lifetime 86400
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 1200
vpngroup DIALINVPN address-pool DIALINCLIENTS
vpngroup DIALINVPN dns-server 192.168.168.11 192.168.168.16
vpngroup DIALINVPN split-tunnel 100
vpngroup DIALINVPN idle-time 1800
vpngroup DIALINVPN password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:X
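There is no built-in syntax checker in PIX 6.x beyond the CLI rejecting a line as you type it, so the following is an added example, not part of the original post and not Cisco tooling: a small Python lint pass over a PIX 6.x-style config for the specific things this thread asks about. It flags an access-group that names an ACL the config never defines (which is also a quick way to catch out-of-order or missing lines), a global pool whose end address is lower than its start or falls outside the named interface's subnet, a route whose next hop is not on that interface's own subnet (the PIX has to ARP for the gateway, so it must be directly reachable, which is the answer to the default-route question), permit rules from any to any applied inbound on the security0 interface, and management access left open to 0.0.0.0 0.0.0.0 or using the well-known "public" SNMP community. The embedded SAMPLE_CONFIG is constructed for this example and modelled on the posted config, with RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x) standing in for the A.B.C. and X.Y.Z placeholders; the Finding codes are names chosen here, not PIX output. Placeholder addresses that do not parse are skipped rather than reported, so the real config can be pasted in as-is.

```python
"""Lint a PIX 6.x-style configuration for common mistakes (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str      # short identifier chosen here, stable for grouping/testing
    line_no: int   # 1-based line in the config text
    message: str


def _ip(text):
    """Parse a dotted quad; placeholders such as A.B.C.117 return None."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def _net(addr, mask):
    try:
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None


def _rows(config_text):
    """Yield (line_no, tokens), skipping blank lines and !--- comments."""
    for n, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("!"):
            yield n, line.split()


def lint(config_text):
    rows = list(_rows(config_text))
    security, subnets, acls, applied = {}, {}, set(), {}

    # Pass 1: gather facts the checks depend on, independent of command order.
    for _, t in rows:
        if t[0] == "nameif" and len(t) >= 4 and t[3].startswith("security"):
            security[t[2]] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"] and len(t) >= 5:
            net = _net(t[3], t[4])
            if net is not None:
                subnets[t[2]] = net
        elif t[0] == "access-list" and len(t) >= 2:
            acls.add(t[1])
        elif t[0] == "access-group" and len(t) >= 5:
            applied[t[1]] = t[4]          # acl name -> interface it is bound to

    # Pass 2: the checks themselves.
    findings = []
    for n, t in rows:
        cmd = t[0]
        if cmd == "access-group" and len(t) >= 5 and t[1] not in acls:
            findings.append(Finding("ACL_UNDEFINED", n,
                f"access-group references undefined access-list '{t[1]}'"))
        elif cmd == "global" and len(t) >= 4 and t[3] != "interface":
            # global (<if>) <id> <start>[-<end>] netmask <mask>
            ifname = t[1].strip("()")
            start, _, end = t[3].partition("-")
            lo, hi = _ip(start), _ip(end or start)
            if lo is None or hi is None:
                continue
            if hi < lo:
                findings.append(Finding("POOL_RANGE", n,
                    f"global pool end {hi} is below its start {lo}"))
            net = subnets.get(ifname)
            if net is not None and not (lo in net and hi in net):
                findings.append(Finding("POOL_OFFNET", n,
                    f"global pool {lo}-{hi} is not within {ifname} subnet {net}"))
        elif cmd == "route" and len(t) >= 5:
            # route <if> <dest> <mask> <gateway> [metric]: the gateway must sit on
            # the interface's own subnet because the PIX ARPs for it directly.
            gw, net = _ip(t[4]), subnets.get(t[1])
            if gw is not None and net is not None and gw not in net:
                findings.append(Finding("ROUTE_GW_OFFNET", n,
                    f"next hop {gw} is not on {t[1]} subnet {net}"))
        elif cmd == "access-list" and len(t) >= 6 and t[2] == "permit":
            src_i = 4
            dst_i = src_i + (1 if t[src_i] == "any" else 2)   # 'host A' or 'A MASK'
            if dst_i < len(t) and t[src_i] == "any" and t[dst_i] == "any":
                ifname = applied.get(t[1])
                if ifname is not None and security.get(ifname) == 0:
                    rule = " ".join(t[2:])
                    findings.append(Finding("ANY_ANY_INBOUND", n,
                        f"'{rule}' is applied inbound on {ifname}"))
        elif cmd in ("telnet", "http", "ssh") and len(t) >= 4 \
                and t[1:3] == ["0.0.0.0", "0.0.0.0"]:
            findings.append(Finding("MGMT_ANY_HOST", n,
                f"{cmd} management permitted from any host on {t[3]}"))
        elif cmd == "snmp-server" and len(t) >= 3 and t[1] == "community" \
                and t[2] in ("public", "private"):
            findings.append(Finding("SNMP_DEFAULT_COMMUNITY", n,
                f"SNMP community '{t[2]}' is a well-known default"))
    return findings


# Constructed sample modelled on the posted config; RFC 5737 addresses stand in
# for the A.B.C./X.Y.Z placeholders.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security20
ip address outside 203.0.113.115 255.255.255.240
ip address inside 192.168.168.1 255.255.255.0
ip address dmz1 192.168.169.1 255.255.255.0
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq smtp
access-list outside_access_in permit tcp host 203.0.113.117 host 203.0.113.121 eq 3389
access-list dmz1_access_in permit icmp any any
global (outside) 1 interface
global (dmz1) 1 192.168.169.100-192.168.168.120 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 192.168.169.1 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz1_access_in in interface dmz1
route outside 0.0.0.0 0.0.0.0 198.51.100.113 1
telnet 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 inside
snmp-server community public
"""

if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2}  {f.code:<22} {f.message}")
```

Run it against a copy of `write terminal` output; the checks are deliberately conservative (an undefined ACL, a reversed pool, an off-subnet gateway) so every finding is worth acting on, and the any/any check only fires for the interface at security0, where it matters most.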