
Configure 506e PIX from scratch


ITidiot

IS-IT--Management
Aug 9, 2005
22
GB
Hi,

I have just got a Cisco PIX 506e... guess what, I can't configure it! I managed to configure it to allow inside (intranet) traffic to web browse, send email (SMTP) and ping outside. However, trying to set up inbound rules I have completely messed it up. So I need guidance, as I have reset the PIX to factory default in rage!!

Could you please help!!! With the config from scratch ;)

This is what I require; can you please send me the config if possible.

The PIX Details:

- The Cisco PIX is my LAN's default gateway. (Firewall between my LAN and Internet router)

- The Cisco PIX is sitting behind my Internet router (Cisco 2600). The Internet router's IP is 76.110.66.65 (public IP)

- My LAN's/intranet range is 89.0.0.0/24 (89.0.0.1 to 89.0.0.255), 255 devices on the LAN (255.255.255.0)

- The private IP of the Cisco PIX is 89.0.0.254 (inside address)

- The public IP of the Cisco PIX is 76.100.66.66 (outside address)


The Firewall Rules

- Allow my LAN/Intranet to web browse on port 80

- Allow my LAN/Intranet to use ANY FTP site on the internet

- Allow my LAN/Intranet to use MS Instant Messenger on port(s)??

- Allow my LAN/Intranet to ping, tracert, whois any devices on the internet

- Allow our sister company (Public IP - 223.253.45.146) to access our web server (Private IP - 89.0.0.220) on the following ports 10000, 22, 21, 80

- Allow the LAN's email server 89.0.0.200 (Lotus Domino) to send SMTP emails out of the intranet to the Internet (WAN) on port 25

- Allow EasyNet email relays to forward SMTP emails to our LAN email Server on port 25. Easy net email relays are 2 x 255 Server Clusters (subnets). 195.40.1.0/24 (255.255.255.0) and 212.135.6.0/24 (255.255.255.0)
 
Look at this FAQ for the basic config. faq35-6029

I'll look at the rest for you.

Roland

What's ADD again?
 
The PIX Details:

- The Cisco PIX is my LAN's default gateway. (Firewall between my LAN and Internet router)
- The Cisco PIX is sitting behind my Internet router (Cisco 2600). The Internet router's IP is 76.110.66.65 (public IP)
- My LAN's/intranet range is 89.0.0.0/24 (89.0.0.1 to 89.0.0.255), 255 devices on the LAN (255.255.255.0)
- The private IP of the Cisco PIX is 89.0.0.254/24 (inside address)
- The public IP of the Cisco PIX is 76.100.66.66 (outside address)

If you've followed the steps in the FAQ I listed, you'll have this part configured now


The Firewall Rules

- Allow my LAN/Intranet to web browse on port 80
- Allow my LAN/Intranet to use ANY FTP site on the internet
- Allow my LAN/Intranet to use MS Instant Messenger on port(s)??

These three will work with a basic configuration.

- Allow my LAN/Intranet to ping, tracert, whois any devices on the internet

access-list 100 permit icmp any host 76.100.66.66 echo-reply
access-list 100 permit icmp any any time-exceeded


- Allow our sister company (Public IP - 223.253.45.146) to access our web server (Private IP - 89.0.0.220) on the following ports 10000, 22, 21, 80
**You need to use another public IP for this to work; call it 76.100.66.X, where X is not the IP address of the outside interface**

access-list 100 permit tcp host 223.253.45.146 host 76.100.66.X range 21 22
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.X eq 80
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.X eq 10000
static (inside,outside) 76.100.66.X 89.0.0.220 netmask 255.255.255.255 1000 1000


- Allow the LAN's email server 89.0.0.200 (Lotus Domino) to send SMTP emails out of the intranet to the Internet (WAN) on port 25
- Allow EasyNet email relays to forward SMTP emails to our LAN email server on port 25.
EasyNet email relays are 2 x 255 server clusters (subnets): 195.40.1.0/24 (255.255.255.0) and 212.135.6.0/24 (255.255.255.0)

By creating the static mapping below, your SMTP traffic will be sent from address 76.100.66.Y on port 25, as long as your server is configured correctly.
**You need to use yet another public IP for this one; call it 76.100.66.Y, where Y is not the IP address of the outside interface**

access-list 100 permit tcp 195.40.1.0 255.255.255.0 host 76.100.66.Y eq 25
access-list 100 permit tcp 212.135.6.0 255.255.255.0 host 76.100.66.Y eq 25
static (inside,outside) 76.100.66.Y 89.0.0.200 netmask 255.255.255.255 1000 1000


You also have to add the command

access-group 100 in interface outside

The whole mess--that can be pasted in to the PIX once you've plugged in the missing info.
Here is good info on configuring an ACL. faq35-5861 Read it please.


access-list 100 permit icmp any host 76.100.66.66 echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.X range 21 22
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.X eq 80
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.X eq 10000
access-list 100 permit tcp 195.40.1.0 255.255.255.0 host 76.100.66.Y eq 25
access-list 100 permit tcp 212.135.6.0 255.255.255.0 host 76.100.66.Y eq 25
static (inside,outside) 76.100.66.X 89.0.0.220 netmask 255.255.255.255 1000 1000
static (inside,outside) 76.100.66.Y 89.0.0.200 netmask 255.255.255.255 1000 1000
access-group 100 in interface outside


What's ADD again?
 
Thanks ixleplix, you're really helpful!

So far I have followed your basic config....
and the following:
access-list 100 permit icmp any host 76.100.66.66 echo-reply
access-list 100 permit icmp any any time-exceeded


- But when I come to "Allow our sister company gateway (Public IP - 223.253.45.146) to access our web server (Private IP - 89.0.0.220) on the following ports 10000, 22, 21, 80", why do I need another public IP address??

My Internet router/gateway router (76.110.66.65) has port forwarding enabled to the public IP of the Cisco PIX, 76.100.66.66 (outside address).




 
Also, why do I need to create the static mapping below, and another IP address?? What does the public IP address do?

Your SMTP traffic will send from address 76.100.66.Y on port 25--as long as your server is configured correctly.
**You need to use yet another Public IP for this one call it 76.100.66.Y--where Y is not the IP address of the outside interface**


The only reason I ask is that we have a firewall in place already (really rubbish and cheap) and it only has one public IP.

Thank you so much, you are really helpful, and I apologise for being such an ITidiot!
 
You don't need an extra public IP address if you don't have one. You can change the ACLs and static statement to:

access-list 100 permit tcp host 223.253.45.146 interface range 21 22
access-list 100 permit tcp host 223.253.45.146 interface eq 80
access-list 100 permit tcp host 223.253.45.146 interface eq 10000
static (inside,outside) tcp interface 21 89.0.0.220 21 netmask 255.255.255.255
static (inside,outside) tcp interface 22 89.0.0.220 22 netmask 255.255.255.255
static (inside,outside) tcp interface 80 89.0.0.220 80 netmask 255.255.255.255
static (inside,outside) tcp interface 10000 89.0.0.220 10000 netmask 255.255.255.255

These will cause inbound TCP packets for the outside address (whatever that is) on ports 21, 22, 80 & 10000 to be directed to the inside address 89.0.0.220

 
Thanks for getting back.... that looks like what I needed!

However, when I try to input:

access-list 100 permit tcp host 223.253.45.146 interface range 21 22

It Returns:

interface <range> does not exist
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}

Can you help!
Thank you
 
Sorry, what does the abbreviation ADD mean?
cheers Rowland
P.S. I bet you're CCNA qual. or better
 
Well, I've never used "range" with this type of ACL. Probably the interface name needs to be there, "outside" or "eth1", perhaps.

You could also create two ACL entries since there are only two ports.
 
You should change interface to the actual IP address and either add the "host" keyword or use a 255.255.255.255 mask, or split it into two separate statements.

instead of:
access-list 100 permit tcp host 223.253.45.146 interface range 21 22
Use:
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.66 range 21 22

It's a preference thing. I just don't like using two lines when one will do.

Roland

ADD = Attention Deficit Disorder
Means a person who has trouble staying on task. ;)

What's ADD again?
 
"I bet you're CCNA qual. or better"

Thanks.
Actually CCSP & MCSE & a bunch of others that were the result of getting those...

And thanks lgarner for the additional input. It's always good to have different viewpoints; it's one of the things I love about this site.

Roland

What's ADD again?
 

Will try this over the weekend when all the staff have gone home, because they will only moan. So I will let you know on Monday if it is ok!

What about allowing port 25 (SMTP) from my EasyNet relays? Do you know how to allow this? Do I need another static route (hope not)?

EasyNet Email Relays

195.40.1.0/24 255.255.255.0
212.135.6.0/24 255.255.255.0

Lotus Domino server (Email)

89.0.0.200

 
And when this is sorted I will only have to set up my VPN connections. Another Cisco headache!!!

Oh CCSP - Canadian Centre for Studies in Publishing i see ;)
 
access-list 100 permit tcp 195.40.1.0 255.255.255.0 host 76.100.66.66 eq 25
'This allows all port 25 traffic from the 195.40.1.0/24 network in on the 76.100.66.66 IP.
access-list 100 permit tcp 212.135.6.0 255.255.255.0 host 76.100.66.66 eq 25
'This allows all port 25 traffic from the 212.135.6.0/24 network in on the 76.100.66.66 IP.

static (inside,outside) tcp 76.100.66.66 25 89.0.0.200 25 netmask 255.255.255.255 500 500
'This redirects port 25 traffic from the 76.100.66.66 IP to the 89.0.0.200 server and allows 500 max connections and 500 embryonic connections.


Any time you create an access-list statement that has to do with allowing traffic to reach a particular machine inside, you're going to have to create a static mapping.

Let me know how it goes.


"Oh CCSP - Canadian Centre for Studies in Publishing"--Yeah that's it! How'd you know?

What's ADD again?
 


Well, I tried the config and it didn't work! Maybe I will try it without the static route!

P.S. I will try it again... then I will paste my config. Got any thoughts?

P.P.S. Does your job get you angry when you can't do any changes in office hours? I hate working late!
 
Sometimes it gets frustrating. :)

Go ahead and paste the config and add a few notes on exactly what isn't working. Does some of it work...None of it?

Thanks
Roland

What's ADD again?
 
The config........

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password [something] encrypted
passwd [something] encrypted
hostname Firewall-Edge
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any host 76.100.66.66 echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.66 range ftp ssh
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.66 eq www
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.66 eq 1000
access-list 100 permit tcp 195.40.1.0 255.255.255.0 host 76.100.66.66 eq smtp
access-list 100 permit tcp 212.135.6.0 255.255.255.0 host 76.100.66.66 eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 76.100.66.66 255.255.255.240
ip address inside 89.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 89.0.0.200 255.255.255.255 inside
pdm location 89.0.0.220 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 89.0.0.220 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 89.0.0.220 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 89.0.0.220 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 89.0.0.220 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 76.100.66.66 smtp 89.0.0.200 smtp netmask 255.255.255.255 500 500
route outside 0.0.0.0 0.0.0.0 82.110.66.65 1

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 89.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 89.0.0.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:
 
cheers rowland

OK, I can't receive emails from external sources, but I can send them out of our network.

I cannot ping, tracert etc. devices outside my network.

I haven't checked whether our sister company can gain access but will be doing that tonight.

Apart from that everything else works ;)

cheers

 
Looks like we're missing this command:

access-group 100 in interface outside

Let me know.

Roland

What's ADD again?
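The two things Roland keeps coming back to in this thread are that every inbound permit to an inside host needs a matching `static`, and that an access-list does nothing until `access-group ... in interface outside` binds it, which is exactly what the pasted config was missing. The following is an added example, not code from the thread or from Cisco: a small Python cross-check that parses just those statement types (`access-list`, `static`, `access-group`, `ip address outside`) out of a PIX 6.3 config, reports access-lists that are never bound, reports permits to the outside address that no static translates (the requested port 10000 against a static that only redirects 1000 would show up here), and gives the verdict the PIX would give an inbound packet on `outside`. The embedded sample is the config pasted above, with the garbled `www` static restored and without the `access-group` line. The port keyword table, the treatment of `interface` as the outside address, and first-match-wins with implicit deny are PIX 6.3 behaviour as modelled here, not anything the thread states.

```python
"""PIX 6.3 config cross-check (added example, not from the thread or Cisco).
Parses only access-list / static / access-group / `ip address outside` and
models two rules the thread turns on: an ACL does nothing until access-group
binds it, and an inbound permit only reaches an inside host via a static."""
import ipaddress

# Constructed sample: the config pasted in the thread, minus the access-group.
SAMPLE_CONFIG = """
access-list 100 permit icmp any host 76.100.66.66 echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.66 range ftp ssh
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.66 eq www
access-list 100 permit tcp host 223.253.45.146 host 76.100.66.66 eq 1000
access-list 100 permit tcp 195.40.1.0 255.255.255.0 host 76.100.66.66 eq smtp
access-list 100 permit tcp 212.135.6.0 255.255.255.0 host 76.100.66.66 eq smtp
ip address outside 76.100.66.66 255.255.255.240
static (inside,outside) tcp interface ftp 89.0.0.220 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 89.0.0.220 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 89.0.0.220 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 89.0.0.220 1000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 76.100.66.66 smtp 89.0.0.200 smtp netmask 255.255.255.255 500 500
"""
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "www": 80, "http": 80}  # PIX keywords
ANY = ipaddress.ip_network("0.0.0.0/0")


def to_port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def take_addr(t, i):
    """Consume one address spec at t[i]: any | host A | A MASK | interface IF."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    if t[i] == "interface":
        return "interface", i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(t):
    """access-list <id> permit|deny <proto> <src> <dst> [eq P | range A B]"""
    src, i = take_addr(t, 4)
    dst, i = take_addr(t, i)
    ports = None
    if t[3] in ("tcp", "udp") and i < len(t):
        if t[i] == "eq":
            ports = (to_port(t[i + 1]),) * 2
        elif t[i] == "range":
            ports = (to_port(t[i + 1]), to_port(t[i + 2]))
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "ports": ports}

def parse_static(t):
    """static (in,out) [tcp|udp] <gaddr|interface> [gport] <laddr> [lport] ..."""
    if t[2] in ("tcp", "udp"):
        return {"proto": t[2], "gaddr": t[3], "gport": to_port(t[4]), "laddr": t[5]}
    return {"proto": None, "gaddr": t[2], "gport": None, "laddr": t[3]}

def parse(config):
    parsed = {"acls": {}, "statics": [], "bound": {}, "outside_ip": None}
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "address", "outside"]:
            parsed["outside_ip"] = t[3]
        elif t[:1] == ["access-list"] and len(t) > 4 and t[2] in ("permit", "deny"):
            parsed["acls"].setdefault(t[1], []).append(parse_ace(t))
        elif t[:1] == ["static"]:
            parsed["statics"].append(parse_static(t))
        elif t[:1] == ["access-group"]:  # access-group <id> in interface <if>
            parsed["bound"][t[4]] = t[1]
    return parsed

def unbound_acls(parsed):
    """ACL ids that are defined but never applied with access-group."""
    return sorted(a for a in parsed["acls"] if a not in parsed["bound"].values())

def uncovered_permits(parsed):
    """(proto, port) permitted inbound to the outside address but never translated by a static."""
    out_ip = parsed["outside_ip"]
    translated = {(s["proto"], s["gport"]) for s in parsed["statics"]
                  if s["gaddr"] in ("interface", out_ip)}  # (None, None) = whole-address static
    missing = set()
    for ace in (a for aces in parsed["acls"].values() for a in aces):
        if ace["action"] != "permit" or ace["ports"] is None:
            continue
        if ace["dst"] != "interface" and ipaddress.ip_address(out_ip) not in ace["dst"]:
            continue
        if (None, None) in translated:
            continue
        for p in range(ace["ports"][0], ace["ports"][1] + 1):
            if (ace["proto"], p) not in translated:
                missing.add((ace["proto"], p))
    return sorted(missing)

def inbound_verdict(parsed, src, dst, proto, dport=None):
    """First matching ACE on the ACL bound to outside wins; no ACL or no match is deny."""
    acl_id = parsed["bound"].get("outside")
    if acl_id is None:
        return "deny: no access-group on outside, inbound traffic is implicitly denied"
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in parsed["acls"][acl_id]:
        if ace["proto"] != proto or src_ip not in ace["src"]:
            continue
        dst_ok = dst == parsed["outside_ip"] if ace["dst"] == "interface" else dst_ip in ace["dst"]
        if not dst_ok or (ace["ports"] and not ace["ports"][0] <= dport <= ace["ports"][1]):
            continue
        return ace["action"]
    return "deny: implicit deny at the end of the access-list"
```

Running `parse(SAMPLE_CONFIG)` through `unbound_acls` returns `["100"]`, which is the whole story of the last few posts: the sister-company packet gets the "no access-group" deny until the line is added, after which the same packet is permitted and a random source still hits the implicit deny. `uncovered_permits` is the check to run after every `access-list` change to catch an ACL port (say 10000) that no `static` actually redirects.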
 