Can you take a look at this design and tell me if anything needs to be improved upon? I will attach the draft of the PIX config. Thanks for your assistance.
AT&T Internet Router
|
|
|
Cisco 2950-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - -- - -------- - - - (port 1 is mirroring traffic to port 12, where the Cisco IDS will sniff)
| |
| outside
| |
vpn_dmz --Cisco Pix 515 (plugged into port 2 of Cisco 2950-12) - mail_dmz
| |
| inside
|
Cisco Catalyst 4006 Switch - - - - - - - - - - - - - - - - - - - - - - - - - - - | (management port is connected back into switch)
Important Notes:
- All interfaces currently configured for auto speed will be changed to 100 Mb, full duplex
- A total of 100 users will need Internet access
- I would like to use the outside PIX interface IP address 12.150.x.x as the PAT address.
- No NAT will be needed on the vpn_dmz and mail_dmz networks. Public IPs will be used.
- Cisco Pix will also be used as a VPN endpoint.
Questions:
- Should I be less specific with my static routes? Look at the DMZ routes.
- To prevent any DNS issues, should I create an access list for the DMZ DNS servers to forward traffic to the inside network?
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 mail_dmz security40
nameif ethernet3 vpn_dmz security50
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security6
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname CSPIX1
domain-name commscope.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.100.10.4 WebTrak
name 10.100.10.8 WebDev
name 10.100.254.61 WebMail
name 10.100.254.35 WebSvr
name 12.150.137.211 NS2
name 12.150.137.210 NS1
name 212.190.93.122 Belgium_Citrix
name 12.150.137.218 VPNCON
name 12.150.137.221 VEXTRAHOME
name 12.150.137.219 Proxy
name 12.150.137.220 Digex_VPN
name 12.150.137.216 VPN_DMZ
name 12.150.137.208 Mail_DMZ
access-list outside_access_in remark Outside Access to WebDev
access-list outside_access_in permit tcp host 12.150.137.205 eq WebDev eq www
access-list outside_access_in remark Outside Access to WebTrak
access-list outside_access_in permit tcp host 12.150.137.213 eq WebTrak eq www
access-list outside_access_in remark Outside Access to WebMail
access-list outside_access_in permit tcp host 12.150.137.206 eq WebMail eq www
access-list outside_access_in remark Outside Access to WebSvr
access-list outside_access_in permit tcp host 12.150.137.214 eq WebSvr eq www
access-list outside_access_in remark Outside access to Mail2/NS2
access-list outside_access_in permit tcp interface outside eq smtp host NS2 eq smtp
access-list outside_access_in remark Outside access to Mail2/NS1
access-list outside_access_in permit tcp interface outside eq smtp host NS1 eq smtp
access-list outside_access_in remark Outside Telnet access to NS1
access-list outside_access_in permit tcp interface outside eq telnet host NS1 eq telnet
access-list outside_access_in remark Outside access to WebMail
access-list outside_access_in permit tcp host 12.150.137.206 eq lotusnotes host WebMail eq lotusnotes
access-list outside_access_in remark Outside DNS traffic to the Inside Network
access-list outside_access_in permit udp interface outside eq domain interface inside eq domain
access-list VPNetwork3_splitTunnelAcl permit ip 10.0.0.0 255.255.0.0 any
access-list inside_outbound_nat0_acl permit ip any 10.100.125.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.100.125.0 255.255.255.0
access-list inside_access_in remark Belgium HR Citrix users web access
access-list inside_access_in permit tcp any eq citrix-ica host Belgium_Citrix eq citrix-ica
access-list mail_dmz_access_in remark Mail DMZ traffic to the Inside Network
access-list mail_dmz_access_in permit tcp interface mail_dmz interface inside
access-list vpn_dmz_access_in remark VPN Concentrator traffic to the Inside Network (ESP) from the DMZ
access-list vpn_dmz_access_in permit esp host VPNCON interface inside
access-list vpn_dmz_access_in remark VPN Concentrator traffic to the Inside Network (AH) from the DMZ
access-list vpn_dmz_access_in permit ah host VPNCON interface inside
access-list vpn_dmz_access_in remark VPN Concentrator traffic to the Inside Network (IKE) from the DMZ
access-list vpn_dmz_access_in permit udp host VPNCON eq 10000 interface inside eq 10000
access-list vpn_dmz_access_in remark VPN DMZ traffic to inside network
pager lines 24
logging on
logging history warnings
icmp permit any outside
icmp permit any inside
icmp permit any mail_dmz
icmp permit any vpn_dmz
mtu outside 1500
mtu inside 1500
mtu mail_dmz 1500
mtu vpn_dmz 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 12.150.137.194 255.255.255.252
ip address inside 10.100.254.240 255.255.0.0
ip address mail_dmz 12.150.137.209 255.255.255.248
ip address vpn_dmz 12.150.137.217 255.255.255.248
no ip address intf4
no ip address intf5
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool CS_NewtonVPNUsers 10.100.125.40-10.100.125.120
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address mail_dmz
no failover ip address vpn_dmz
no failover ip address intf4
no failover ip address intf5
pdm location 12.150.137.209 255.255.255.255 outside
pdm location Mail_DMZ 255.255.255.240 outside
pdm location 12.150.137.198 255.255.255.255 outside
pdm location 12.150.137.212 255.255.255.254 outside
pdm location 12.150.137.198 255.255.255.254 outside
pdm location 12.150.137.213 255.255.255.255 outside
pdm location 12.150.137.205 255.255.255.255 outside
pdm location 12.150.137.206 255.255.255.255 outside
pdm location 12.150.137.214 255.255.255.255 outside
pdm location WebTrak 255.255.255.255 inside
pdm location WebDev 255.255.255.255 inside
pdm location WebMail 255.255.255.255 inside
pdm location WebSvr 255.255.255.255 inside
pdm location NS2 255.255.255.255 mail_dmz
pdm location NS1 255.255.255.255 mail_dmz
pdm location 10.100.0.0 255.255.0.0 inside
pdm location 10.100.140.0 255.255.255.0 inside
pdm location 10.0.0.0 255.255.0.0 inside
pdm location 10.200.0.0 255.255.0.0 inside
pdm location 10.150.0.0 255.255.0.0 inside
pdm location 10.10.0.0 255.255.0.0 inside
pdm location 10.11.0.0 255.255.0.0 inside
pdm location 10.60.0.0 255.255.0.0 inside
pdm location 10.70.0.0 255.255.0.0 inside
pdm location 10.80.0.0 255.255.0.0 inside
pdm location 10.90.0.0 255.255.0.0 inside
pdm location Belgium_Citrix 255.255.255.255 outside
pdm location 10.100.125.35 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location VPNCON 255.255.255.255 vpn_dmz
pdm location Proxy 255.255.255.255 vpn_dmz
pdm location Digex_VPN 255.255.255.255 vpn_dmz
pdm location VEXTRAHOME 255.255.255.255 vpn_dmz
pdm location 10.100.125.0 255.255.255.0 outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 12.150.137.203 netmask 255.255.255.255
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (mail_dmz) 0 0.0.0.0 0.0.0.0 0 0
nat (vpn_dmz) 0 0.0.0.0 0.0.0.0 0 0
static (outside,inside) tcp WebTrak 255.255.255.255 0 0
static (outside,inside) tcp WebDev 255.255.255.255 0 0
static (outside,inside) tcp WebSvr 255.255.255.255 0 0
static (outside,inside) tcp WebMail lotusnotes 12.150.137.206 lotusnotes netmask 255.255.255.255 0 0
static (outside,inside) tcp WebMail https 12.150.137.206 https netmask 255.255.255.255 0 0
static (outside,inside) tcp WebMail 255.255.255.255 0 0
static (inside,outside) WebDev WebDev netmask 255.255.255.255 0 0
static (inside,outside) WebTrak WebTrak netmask 255.255.255.255 0 0
static (inside,outside) WebMail WebMail netmask 255.255.255.255 0 0
static (inside,outside) WebSvr WebSvr netmask 255.255.255.255 0 0
static (mail_dmz,outside) NS2 NS2 netmask 255.255.255.255 0 0
static (mail_dmz,outside) NS1 NS1 netmask 255.255.255.255 0 0
static (vpn_dmz,mail_dmz) VPNCON VPNCON netmask 255.255.255.255 0 0
static (vpn_dmz,outside) VPNCON VPNCON netmask 255.255.255.255 0 0
static (vpn_dmz,mail_dmz) Proxy Proxy netmask 255.255.255.255 0 0
static (vpn_dmz,outside) Proxy Proxy netmask 255.255.255.255 0 0
static (vpn_dmz,mail_dmz) Digex_VPN Digex_VPN netmask 255.255.255.255 0 0
static (vpn_dmz,outside) Digex_VPN Digex_VPN netmask 255.255.255.255 0 0
static (vpn_dmz,mail_dmz) VEXTRAHOME VEXTRAHOME netmask 255.255.255.255 0 0
static (vpn_dmz,outside) VEXTRAHOME VEXTRAHOME netmask 255.255.255.255 0 0
static (vpn_dmz,mail_dmz) VPN_DMZ VPN_DMZ netmask 255.255.255.248 0 0
static (vpn_dmz,outside) VPN_DMZ VPN_DMZ netmask 255.255.255.248 0 0
static (mail_dmz,outside) Mail_DMZ Mail_DMZ netmask 255.255.255.248 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group mail_dmz_access_in in interface mail_dmz
access-group vpn_dmz_access_in in interface vpn_dmz
route outside 0.0.0.0 0.0.0.0 12.150.137.194 1
route inside 10.10.0.0 255.255.0.0 10.100.1.1 1
route inside 10.11.0.0 255.255.0.0 10.100.1.1 1
route inside 10.60.0.0 255.255.0.0 10.100.1.1 1
route inside 10.70.0.0 255.255.0.0 10.100.1.1 1
route inside 10.80.0.0 255.255.0.0 10.100.1.1 1
route inside 10.90.0.0 255.255.0.0 10.100.1.1 1
route inside 10.150.0.0 255.255.0.0 10.100.1.1 1
route inside 10.200.0.0 255.255.0.0 10.100.1.1 1
route mail_dmz NS1 255.255.255.255 12.150.137.209 1
route mail_dmz NS2 255.255.255.255 12.150.137.209 1
route vpn_dmz VPNCON 255.255.255.255 12.150.137.217 1
route vpn_dmz Proxy 255.255.255.255 12.150.137.217 1
route vpn_dmz Digex_VPN 255.255.255.255 12.150.137.217 1
route vpn_dmz VEXTRAHOME 255.255.255.255 12.150.137.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.100.125.35 saturn54 timeout 5
aaa-server LOCAL protocol local
ntp server 152.1.88.124 source inside prefer
ntp server 192.101.21.1 source outside
http server enable
http 10.100.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 inside
snmp-server location Newton, NC
snmp-server contact Rob Dufresne
snmp-server community cscommpub
snmp-server enable traps
tftp-server inside 192.168.1.2 C:\TFTP-Root
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNetwork3 address-pool CS_NewtonVPNUsers
vpngroup VPNetwork3 dns-server 10.100.254.32 10.10.254.30
vpngroup VPNetwork3 wins-server 10.100.254.32 10.10.254.30
vpngroup VPNetwork3 default-domain commscope.com
vpngroup VPNetwork3 split-tunnel VPNetwork3_splitTunnelAcl
vpngroup VPNetwork3 idle-time 3600
vpngroup VPNetwork3 authentication-server RADIUS
vpngroup VPNetwork3 user-authentication
vpngroup VPNetwork3 user-idle-timeout 3600
vpngroup VPNetwork3 password ********
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:b3e74c9c8126cf9cbd3cf29c993ffab0
: end
CSPIX1(config)#
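A small set of checks over lines quoted from the posted config, added here as an example (it is not part of the original post; the check names and the rules they encode are mine). It addresses the two questions raised: the DMZ host routes fall inside subnets the PIX is already connected to, the default route's next hop is the PIX's own outside address, and several ACL entries (the DNS one included) use `interface <ifc>` as the source or pin the client's source port, so they never match real client traffic.

```python
"""Checks over lines quoted from the posted PIX 6.3 config (added example,
not part of the original post). CONFIG quotes the posted lines verbatim;
the check names and the rules they encode are mine."""
import ipaddress

CONFIG = """\
name 12.150.137.210 NS1
name 12.150.137.218 VPNCON
ip address outside 12.150.137.194 255.255.255.252
ip address inside 10.100.254.240 255.255.0.0
ip address mail_dmz 12.150.137.209 255.255.255.248
ip address vpn_dmz 12.150.137.217 255.255.255.248
route outside 0.0.0.0 0.0.0.0 12.150.137.194 1
route inside 10.10.0.0 255.255.0.0 10.100.1.1 1
route mail_dmz NS1 255.255.255.255 12.150.137.209 1
route vpn_dmz VPNCON 255.255.255.255 12.150.137.217 1
access-list outside_access_in permit tcp interface outside eq telnet host NS1 eq telnet
access-list outside_access_in permit udp interface outside eq domain interface inside eq domain
access-list inside_access_in permit tcp any eq citrix-ica host 212.190.93.122 eq citrix-ica
access-list mail_dmz_access_in permit tcp interface mail_dmz interface inside
"""


def parse(config):
    """Return (interfaces, routes, permit ACL entries); 'name' aliases resolved."""
    names, ifaces, routes, acls = {}, {}, [], []
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "name":                          # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:            # ip address <ifc> <ip> <mask>
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "route":                       # route <ifc> <dest> <mask> <gw> [metric]
            dest = ipaddress.ip_network(f"{names.get(t[2], t[2])}/{t[3]}", strict=False)
            routes.append((t[1], dest, ipaddress.ip_address(names.get(t[4], t[4]))))
        elif t[0] == "access-list" and t[2] == "permit":
            acls.append(t)
    return ifaces, routes, acls


def redundant_routes(config):
    """Static routes whose destination already lies in the connected subnet of
    the interface they leave by; the PIX has a connected route for those."""
    ifaces, routes, _ = parse(config)
    return [f"{ifc} {dest}" for ifc, dest, _ in routes
            if dest.prefixlen and dest.subnet_of(ifaces[ifc].network)]


def self_gateway_routes(config):
    """Routes whose next hop is the PIX's own interface address. On PIX that
    makes the firewall ARP for each destination directly instead of for a
    router, so a default route written this way depends on upstream proxy ARP."""
    ifaces, routes, _ = parse(config)
    return [f"{ifc} {dest}" for ifc, dest, gw in routes if gw == ifaces[ifc].ip]


def _endpoint(t, i):
    """Consume one ACL address spec at t[i]: any | host X | interface X | A MASK."""
    spec, i = ("any", i + 1) if t[i] == "any" else (f"{t[i]} {t[i + 1]}", i + 2)
    port = None
    if i < len(t) and t[i] == "eq":                 # optional port after the address
        port, i = t[i + 1], i + 2
    return spec, port, i


def dead_acl_entries(config):
    """Entries that match no real client: 'interface <ifc>' as source is the PIX's
    own interface address, and 'eq <port>' after the source pins an ephemeral port."""
    _, _, acls = parse(config)
    out = []
    for t in acls:                        # access-list <name> permit <proto> SRC DST
        src, sport, _ = _endpoint(t, 4)
        why = []
        if src.startswith("interface "):
            why.append("source is the PIX interface address")
        if sport:
            why.append(f"source port pinned to {sport}")
        if why:
            out.append((t[1], " ".join(t[3:]), "; ".join(why)))
    return out
```

Run it against the full config and every `route mail_dmz`/`route vpn_dmz` line shows up as redundant with the connected /29s, while the ACL check lists the entries that should read `any` (or the DMZ subnet) as source with no source port.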