From conduits to access lists

Zelandakh (MIS, joined Mar 12, 1999, 12,173 posts, GB)
Current running config (some addresses have been changed) shows I'm using conduits, which are not the best way of doing things. I'm also uncertain about the pdm location command.

And there are about 3 or 4 lines about inbound SMTP. I've got 2 aaa commands in there as I'm looking to start VPNs running shortly.

Does it show that I'm out of my depth here...?

PIX Version 6.0(1)104
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname myfw
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 35
logging on
logging timestamp
logging console debugging
logging trap warnings
logging history warnings
logging host inside 192.168.1.9
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.7 255.255.255.248
ip address inside 192.168.1.7 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.246 255.255.255.255 inside - what does this command do?
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.2 255.255.255.255 500 200
static (inside,outside) 1.2.3.8 192.168.1.2 netmask 255.255.255.255 1000 100
conduit permit tcp host 1.2.3.8 eq smtp any
conduit permit tcp host 1.2.3.8 eq www any
conduit permit tcp host 1.2.3.8 eq 5800 any
conduit permit tcp host 1.2.3.8 eq 5900 any
conduit permit icmp any any echo-reply
conduit permit icmp any any source-quench
conduit permit icmp any any unreachable
conduit permit icmp any any time-exceeded
conduit permit tcp any host 1.2.3.8 eq smtp
conduit deny tcp host 1.2.3.8 eq smtp any
route outside 0.0.0.0 0.0.0.0 1.2.3.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http myhomeIP 255.255.255.255 outside
http myInternalIP 255.255.255.255 inside
http MailServer 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet myInternalIP 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:****
: end
[OK]
 
"pdm location 192.168.1.246 255.255.255.255 inside" means you can configure the PIX via the web interface ONLY from IP address 192.168.1.246 on the inside network by browsing to it. You also need to have DES encryption enabled on the firewall. You can check this by doing a "show vers".

Your "nat (inside)" statement only allows 192.168.1.2 to surf the web. I recommend replacing it with
"nat (inside) 1 192.168.1.0 255.255.255.0"

For an access-list, replace your conduits with:
access-list fromout permit tcp any host 1.2.3.8 eq smtp
access-list fromout permit tcp any host 1.2.3.8 eq www
access-list fromout permit tcp any host 1.2.3.8 eq 5800
access-list fromout permit tcp any host 1.2.3.8 eq 5900
access-list fromout permit icmp any any
access-list fromout permit tcp any host 1.2.3.8 eq smtp
access-list fromout deny tcp host 1.2.3.8 eq smtp any
access-group fromout in interface outside

The last two smtp related conduits do not make sense to me, and are probably errors.

I am also unsure of the "http xxx 255.255.255.255 outside" lines. If they make no sense to you, you may wish to remove them.

hope this helps,
-gbiello
 
Hi -

As far as the access-lists that gbiello stated, you can get rid of the last two access-lists dealing with smtp to 1.2.3.8. Those ACLs will never be hit because your very first ACL already allows any host to connect to 1.2.3.8 for smtp: the second-to-last is just a duplicate of the very first, and the last will never come into effect because the very first allows all hosts. So delete the last two ACLs for smtp. I would also limit the ICMP traffic that you allow in; with this ACL anyone on the Internet can hit any of your servers/workstations inside. You will want an ACL that looks more like...

access-list fromout permit icmp any any echo-reply
access-list fromout permit icmp any any time-exceeded
etc...

Also, for more security you can set up the icmp command so that the outside interface of the PIX can't be pinged.

icmp deny any outside

As far as your nat statement goes, the way it currently is works fine: everyone going out is being PATed (Port Address Translated) instead of NATed.

The final statement, http myhomeIP 255.255.255.255 outside, would be set up so that you could use the PDM to configure the PIX. I would definitely get rid of this statement.

Hope this helps to answer your questions.
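A small rule auditor, added here as an example (not code from the thread or from Cisco), that parses the proposed "fromout" list and reports entries that can never be hit because an earlier entry already matches the same traffic (the duplicate smtp permit both replies point out), plus ICMP permits with no type restriction. It handles only the address and port forms this thread uses (any, host A, A MASK, eq PORT, a trailing ICMP type); the sample list is constructed from the replies above.

```python
"""Spot shadowed and over-broad entries in a PIX-style access-list (first-match semantics)."""
import re

# Constructed sample: the inbound list proposed in the thread, including the two
# trailing smtp entries the replies say are redundant.
SAMPLE_ACL = """\
access-list fromout permit tcp any host 1.2.3.8 eq smtp
access-list fromout permit tcp any host 1.2.3.8 eq www
access-list fromout permit tcp any host 1.2.3.8 eq 5800
access-list fromout permit tcp any host 1.2.3.8 eq 5900
access-list fromout permit icmp any any
access-list fromout permit tcp any host 1.2.3.8 eq smtp
access-list fromout deny tcp host 1.2.3.8 eq smtp any
"""

def _addr(toks):
    """Consume one address spec ('any', 'host A' or 'A MASK'); return (addr, rest)."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1] + "/255.255.255.255", toks[2:]
    return toks[0] + "/" + toks[1], toks[2:]

def _port(toks):
    """Consume an optional 'eq PORT'; 'any' when no port qualifier is present."""
    return (toks[1], toks[2:]) if toks[:1] == ["eq"] else ("any", toks)

def parse_ace(line):
    """Return (action, proto, src, sport, dst, dport) for one access-list line, else None."""
    m = re.match(r"access-list\s+\S+\s+(permit|deny)\s+(\S+)\s+(.*)", line.strip())
    if not m:
        return None
    action, proto, rest = m.groups()
    proto = "any" if proto == "ip" else proto      # 'ip' matches every protocol
    src, toks = _addr(rest.split())
    sport, toks = _addr.__class__ and _port(toks)
    dst, toks = _addr(toks)
    dport, toks = _port(toks)
    if proto == "icmp" and toks:
        dport = toks[0]                            # ICMP type (e.g. echo-reply) fills the port slot
    return (action, proto, src, sport, dst, dport)

def _covers(a, b):
    """True if ACE a matches every packet ACE b matches (action is irrelevant for shadowing)."""
    return all(x == "any" or x == y for x, y in zip(a[1:], b[1:]))

def audit(text):
    """Return ({shadowed_rule_no: shadowing_rule_no}, [over-broad ICMP rule numbers]), 1-based."""
    aces = [a for a in (parse_ace(l) for l in text.splitlines()) if a]
    shadowed, broad = {}, []
    for i, ace in enumerate(aces):
        for j in range(i):
            if _covers(aces[j], ace):              # an earlier cover wins under first-match
                shadowed[i + 1] = j + 1
                break
        if ace[1] == "icmp" and ace[4] == "any" and ace[5] == "any":
            broad.append(i + 1)                    # any ICMP type, to every inside host
    return shadowed, broad

if __name__ == "__main__":
    print(audit(SAMPLE_ACL))
```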
 
I deleted a line that does a nat inside for my proxy server which is how everyone goes out (I get to control them from there plus I log them).

The myhomeIP allows me to configure the Pix from home cos I'm modifying it today from home!!!

I'll get rid of the last 2 smtp commands cos I agree they are redundant. Will also work on the access lists.

Thanks guys...
 