
Configured PIX but still I see a lot of ports opened

Status
Not open for further replies.

banala1 (IS-IT--Management), Feb 25, 2003, US
This is my configuration of the PIX:

                      DMZ
            206.x.x.128-206.x.x.254
                       |
                       |
Inside (170.x.x.x and 10.0.0.0) --- Firewall (206.x.x.x) --- 206.x.x.126 --- router --- internet
                       |
                       |
                     ISP2
                   171.x.x.x

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet3 ISP2 security60
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
nameif ethernet6 intf6 security30
nameif ethernet7 failover security15
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-1
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host 206.X.X.X eq smtp
access-list outside_access_in permit tcp any host 206.X.X.X eq smtp
access-list outside_access_in permit udp any host 206.X.X.X eq domain
access-list outside_access_in permit udp any host 206.X.X.X eq domain
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
pager lines 24
logging on
logging monitor errors
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
interface ethernet6 auto shutdown
interface ethernet7 100full
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu ISP2 1500
mtu intf4 1500
mtu intf5 1500
mtu intf6 1500
mtu failover 1500
ip address outside 206.X.X.X 255.255.255.128
ip address inside 170.X.X.X 255.255.255.0
ip address DMZ 206.X.X.252 255.255.255.128
ip address ISP2 171.X.X.21 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip address intf6 127.0.0.1 255.255.255.255
ip address failover 7.7.7.7 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 206.X.X.X
failover ip address inside 170.X.X.3
failover ip address DMZ 206.X.X.253
failover ip address ISP2 171.X.X.21
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
failover ip address intf6 0.0.0.0
failover ip address failover 7.7.7.8
failover link failover

pdm location 170.X.X.X 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 206.X.X.90-206.X.X.120 netmask 255.255.255.128
global (outside) 1 206.X.X.X
global (DMZ) 1 206.X.X.X-206.X.X.X
nat (inside) 1 1 170.X.X.X 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0
static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 206.X.X.X
route inside 10.0.0.0 255.0.0.0 170.X.X.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (DMZ) vendor n2h2 host 206.X.X.X port 4005 timeout 5 protocol TCP
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3d41e9f201f32c7fbe9ac8dbafaf863e
: end
[OK]

But still I see a lot of these ports opened:
7 Echo
|___ 9 Discard
|___ 13 Daytime
|___ 17 Quote of the Day
|___ 19 Character Generator
|___ 21 File Transfer Protocol [Control]
|___ 22 SSH Remote Login Protocol
|___ 23 Telnet
|___ 25 Simple Mail Transfer
|___ 37 Time
|___ 43 Who Is
|___ 53 Domain Name Server
|___ 70 Gopher
|___ 79 Finger
|___ 80 World Wide Web HTTP
|___ 88 Kerberos
|___ 109 Post Office Protocol - Version 2
|___ 110 Post Office Protocol - Version 3
|___ 113 Authentication Service
|___ 119 Network News Transfer Protocol
|___ 139 NETBIOS Session Service
|___ 143 Internet Message Access Protocol
|___ 389 Lightweight Directory Access Protocol
|___ 443 https MCom
|___ 465 ssmtp
|___ 513 remote login a la telnet;
|___ 554 Real Time Stream Control Protocol
|___ 563 snews
|___ 569 microsoft rome
|___ 636 ssl-ldap
|___ 749 kerberos administration
|___ 995 SSL based POP3
|___ 1494 ica
|___ 1720 h323hostcall
|___ 1755 ms-streaming
|___ 5050 multimedia conference control tool
|___ 5190 America-Online


How do I secure this one? Is my config wrong?

Please advise me.
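An added check, not from the original post or from Cisco: it parses the `access-list outside_access_in` lines and the tree-style scanner listing quoted above, and reports which listed TCP ports the inbound access-list does not account for (only ports that the ACL explicitly permits should answer an inbound scan of the outside interface). The ACL and scan excerpts are constructed from the post, and the PIX service-name table is a small assumption covering the keywords the page uses.

```python
import re

# Constructed excerpt of the ACL from the post (addresses masked as on the page).
PIX_ACL = """
access-list outside_access_in permit tcp any host 206.X.X.X eq smtp
access-list outside_access_in permit udp any host 206.X.X.X eq domain
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
"""

# Constructed excerpt of the scanner output quoted in the post.
SCAN_OUTPUT = """
7 Echo
|___ 22 SSH Remote Login Protocol
|___ 23 Telnet
|___ 25 Simple Mail Transfer
|___ 53 Domain Name Server
|___ 1494 ica
"""

# Assumed mapping of the PIX service keywords seen on this page; numeric ports pass through.
SERVICE_PORTS = {"smtp": 25, "domain": 53, "www": 80, "https": 443, "ftp": 21, "telnet": 23, "ssh": 22}

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(tcp|udp)\s+.*?\beq\s+(\S+)\s*$")
SCAN_RE = re.compile(r"^(?:\|___\s*)?(\d+)\s+(.*)$")

def inbound_permits(acl_text):
    """Return the set of (proto, port) pairs permitted by TCP/UDP 'eq' entries."""
    permitted = set()
    for line in acl_text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(2) == "permit":
            svc = m.group(4)
            port = int(svc) if svc.isdigit() else SERVICE_PORTS.get(svc)
            if port is not None:
                permitted.add((m.group(3), port))
    return permitted

def scanned_ports(scan_text):
    """Return {port: description} from the tree-style scanner listing."""
    ports = {}
    for line in scan_text.strip().splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(2).strip()
    return ports

def unexplained_tcp_ports(acl_text, scan_text):
    """TCP ports the scan reports open that no inbound permit entry accounts for."""
    allowed_tcp = {port for proto, port in inbound_permits(acl_text) if proto == "tcp"}
    return sorted(p for p in scanned_ports(scan_text) if p not in allowed_tcp)
```

A long list of unexplained ports, as here, means the listing was not produced by an inbound scan against the outside interface (for example it is a generic well-known-port list, or a scan run from inside through the PIX's dynamic outbound translations), so the first step is to confirm how and from where the list was generated.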
 
How/where are you generating this list? Are any of your internal users using Citrix MetaFrame (port 1494)? Keep in mind the PIX will dynamically open and close ports as users from the inside go out.

-gbiello
 