Hi all,
How do I go about setting it up so that the pix denies all traffic except http on both the inside interface and outside interface. I only want to allow the employess to surf the web. (no chatting, video streaming, etc) Also I'm not to familier with the VPN. It works but I don't know how secure it is. Is it only secured by a password or how that works. How can I make it more secure without purchasing anything else.
Here is my current config of my PIX 515.
internet----router-----pix-----W2K network
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password -- encrypted
passwd --- encrypted
hostname ---
domain-name ---
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonat permit ip 192.168.x.y 255.255.255.0 192.168.x.y 255.255.255.
0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 65.x.y.z 255.255.255.240
ip address inside 192.168.x.y 255.255.255.0
ip audit attack action alarm
ip local pool ---pool 192.168.x.y-192.168.x.y
pdm history enable
arp timeout 14400
global (outside) 1 65.x.y.z netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.x.y 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 65.x.y.z 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.x.y c:\test
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set steve esp-des esp-md5-hmac
crypto dynamic-map dyna-brett 10 set transform-set steve
crypto map larkin 99 ipsec-isakmp dynamic dyna-brett
crypto map larkin client configuration address initiate
crypto map larkin client configuration address respond
crypto map larkin interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup usi address-pool ---pool
vpngroup usi dns-server 192.168.x.y
vpngroup usi wins-server 192.168.x.y
vpngroup usi default-domain ---
vpngroup usi idle-time 1800
vpngroup usi password **
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:---
: end
[OK]
Also I'm in the process of setting up another PIX 515 with ver 6.2(2) on it and cannot reach the internet with the same config. Please help. Thanx
How do I go about setting it up so that the pix denies all traffic except http on both the inside interface and outside interface. I only want to allow the employess to surf the web. (no chatting, video streaming, etc) Also I'm not to familier with the VPN. It works but I don't know how secure it is. Is it only secured by a password or how that works. How can I make it more secure without purchasing anything else.
Here is my current config of my PIX 515.
internet----router-----pix-----W2K network
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password -- encrypted
passwd --- encrypted
hostname ---
domain-name ---
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonat permit ip 192.168.x.y 255.255.255.0 192.168.x.y 255.255.255.
0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 65.x.y.z 255.255.255.240
ip address inside 192.168.x.y 255.255.255.0
ip audit attack action alarm
ip local pool ---pool 192.168.x.y-192.168.x.y
pdm history enable
arp timeout 14400
global (outside) 1 65.x.y.z netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.x.y 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 65.x.y.z 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.x.y c:\test
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set steve esp-des esp-md5-hmac
crypto dynamic-map dyna-brett 10 set transform-set steve
crypto map larkin 99 ipsec-isakmp dynamic dyna-brett
crypto map larkin client configuration address initiate
crypto map larkin client configuration address respond
crypto map larkin interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup usi address-pool ---pool
vpngroup usi dns-server 192.168.x.y
vpngroup usi wins-server 192.168.x.y
vpngroup usi default-domain ---
vpngroup usi idle-time 1800
vpngroup usi password **
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:---
: end
[OK]
Also I'm in the process of setting up another PIX 515 with ver 6.2(2) on it and cannot reach the internet with the same config. Please help. Thanx