
help with config of 515UR


trenchard (MIS), Feb 14, 2003
My first time setting up a PIX, so I'd appreciate people shooting as many holes in my config as possible, as well as pointing out any logic flaws I might have. This PIX will replace our current FW and I'd like to make this as painless as possible. I used the PDM utility as I'm not yet comfortable with the CLI.

Our current setup consists of Inside/Outside/DMZ. There are various web servers on the DMZ as well as a mail server and a VPN concentrator. The DMZ needs to be accessible to both the inside network and the outside network. By accessible from the outside I mean I need to have certain ports open from the outside to the DMZ, like 80, 25, etc. From inside to the DMZ will be fairly unrestricted. The web servers (in the DMZ) make SQL calls to internal database servers, so specific machines in the DMZ will need access to specific machines internally. Everyone will need access to the mail server, and the VPN clients will need access to the DMZ and the internal network. That's fairly murky, but I hope it's enough for everyone. I'll try to clarify any questions about the setup. Thanks!

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password -removed
passwd -removed
hostname fwname
domain-name domain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 172.x.x.x gray
name 172.x.x.x blue
name 208.x.x.x server1
name 172.x.x.x wendy
name 172.x.x.x casper
name x.x.x.x otherNetwork
name 208.x.x.x server11
name 208.x.x.x server2
name 208.x.x.x server3
name 208.x.x.x VPN
name 172.x.x.x server4
name x.x.x.x vpnclients
name 172.x.x.x switch
name 172.x.x.x server5
name 172.x.x.x server10
name 208.x.x.x ids
name 208.x.x.x pvpn
name x.x.x.0 subnetwork
name 172.x.x.x server6
name 172.x.x.x server7
name 172.x.x.x server8
name 172.x.x.x server9
name 172.x.x.x tftp
object-group service group tcp
description outside to dmz
port-object eq smtp
port-object eq domain
object-group service printers tcp
port-object range 9100 9100
object-group service server2 tcp
description 9ias access
port-object range 9001 9001
port-object range 7778 7778
access-list DMZ_access_in permit tcp otherNetwork x.x.x.x host blue object-group printers
access-list DMZ_access_in permit tcp otherNetwork x.x.x.x host casper object-group printers
access-list DMZ_access_in permit tcp otherNetwork x.x.x.x host gray object-group printers
access-list DMZ_access_in permit tcp otherNetwork x.x.x.x host wendy object-group printers
access-list DMZ_access_in permit tcp host server2 host server4 eq sqlnet
access-list DMZ_access_in permit tcp vpnclients 255.255.255.0 host server4 eq sqlnet
access-list DMZ_access_in permit tcp vpnclients 255.255.255.0 host server10 eq sqlnet
access-list DMZ_access_in permit tcp host server2 host server10
access-list DMZ_access_in permit tcp host server11 host server4 eq sqlnet
access-list DMZ_access_in permit tcp host server11 host server10 eq sqlnet
access-list DMZ_access_in permit udp otherNetwork x.x.x.x host server6 eq snmp
access-list DMZ_access_in permit udp otherNetwork x.x.x.x host switch eq snmp
access-list outside_access_in permit tcp host ext.ip.add.xxx host server11 eq domain
access-list outside_access_in permit tcp host ext.ip.add.xxx host server11 eq www
access-list outside_access_in permit tcp host ext.ip.add.xxx host server1 eq www
access-list outside_access_in permit tcp host ext.ip.add.xxx host server3 eq smtp
access-list outside_access_in permit tcp host ext.ip.add.xxx host server2 object-group server2
access-list outside_access_in permit tcp host ext.ip.add.xxx host server3 eq pop3
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside ext.ip.add.xxx 255.255.255.248
ip address inside ins.ip.add.xxx 255.255.0.0
ip address DMZ dmz.ip.add.xxx 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ 0.0.0.0
pdm location 172.x.x.x 255.255.255.255 inside
pdm location blue 255.255.255.255 inside
pdm location casper 255.255.255.255 inside
pdm location wendy 255.255.255.255 inside
pdm location gray 255.255.255.255 inside
pdm location otherNetwork x.x.x.x DMZ
pdm location server11 255.255.255.255 DMZ
pdm location server3 255.255.255.255 DMZ
pdm location server1 255.255.255.255 DMZ
pdm location server2 255.255.255.255 DMZ
pdm location VPN 255.255.255.255 DMZ
pdm location barney 255.255.255.255 inside
pdm location switch 255.255.255.255 inside
pdm location server5 255.255.255.255 inside
pdm location server7 255.255.255.255 inside
pdm location server6 255.255.255.255 inside
pdm location server10 255.255.255.255 inside
pdm location server9 255.255.255.255 inside
pdm location server8 255.255.255.255 inside
pdm location tftp 255.255.255.255 inside
pdm location vpnclients 255.255.255.0 DMZ
pdm location subnetwork 255.255.255.0 DMZ
pdm location pvpn 255.255.255.255 outside
pdm location ids 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) server11 server11 netmask 255.255.255.255 0 0
static (DMZ,outside) server1 server1 netmask 255.255.255.255 0 0
static (DMZ,outside) otherNetwork otherNetwork netmask x.x.x.x 0 0
static (inside,DMZ) blue blue netmask 255.255.255.255 0 0
static (inside,DMZ) casper casper netmask 255.255.255.255 0 0
static (inside,DMZ) gray gray netmask 255.255.255.255 0 0
static (inside,DMZ) wendy wendy netmask 255.255.255.255 0 0
static (DMZ,outside) server3 server3 netmask 255.255.255.255 0 0
static (DMZ,outside) server2 server2 netmask 255.255.255.255 0 0
static (DMZ,outside) VPN VPN netmask 255.255.255.255 0 0
static (inside,DMZ) server4 server4 netmask 255.255.255.255 0 0
static (inside,DMZ) server9 server9 netmask 255.255.255.255 0 0
static (inside,DMZ) server6 server6 netmask 255.255.255.255 0 0
static (inside,DMZ) server8 server8 netmask 255.255.255.255 0 0
static (inside,DMZ) server10 server10 netmask 255.255.255.255 0 0
static (inside,DMZ) tftp tftp netmask 255.255.255.255 0 0
static (inside,DMZ) server5 server5 netmask 255.255.255.255 0 0
static (inside,DMZ) switch switch netmask 255.255.255.255 0 0
static (inside,DMZ) server7 server7 netmask 255.255.255.255 0 0
static (DMZ,outside) subnetwork subnetwork netmask 255.255.255.0 0 0
static (DMZ,outside) vpnclients vpnclients netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
route DMZ otherNetwork 255.xxx.xxx.xxx pvpn 1
route DMZ vpnclients 255.255.255.0 pvpn 1
route DMZ subnetwork 255.255.255.0 pvpn 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet xxx.xxx.xxx.xxx 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum-removed
: end
 
Hi.

I think that you should restructure your network using more interfaces at the PIX.
Place the VPN server on a dedicated PIX interface, not in the DMZ, as this is one of the most sensitive devices, and also it is difficult to configure and manage the network, as you can see from your complex configuration. Using a separate interface will make things simpler, more secure, and easier to manage.

You should also consider connecting "Other Network" to a dedicated interface, and also think about placing the SQL servers on a dedicated interface.

So if you follow my advice, you need to purchase the 4-port PIX card to get the maximum of 6 interfaces (you will need to remove the current 1-port DMZ card), and have the following interfaces:
inside
outside
dmz
vpn
othernetwork
sql
Or a similar design.

That way you will have the following basic rules:
vpn can access other networks as required.
dmz can only access outside and sql
inside can access other networks
outside can only access dmz
othernetwork can access the networks you need.

In addition to these suggestions, you can implement a print server that will forward print jobs to "blue", "casper", "gray" and "wendy", and then you can limit print traffic only to the print server and not directly to the workstations.

Other notes:

> port-object range 9100 9100
Don't use range for specific ports.
In PDM when you define the ports, use only the top edit box, and leave the second (high port) empty - it will understand this as specific port.

> access-list DMZ_access_in permit tcp otherNetwork x.x.x.x host blue object-group printers
> access-list DMZ_access_in permit tcp otherNetwork x.x.x.x host casper object-group printers
> ...
You can also group hosts in a similar way to how you grouped the ports.

Your DMZ access-list does not have an entry for DNS traffic from DMZ servers to outside DNS servers. The DMZ servers also have no access to the web so they cannot download OS or anti virus updates.
But beware not to allow DMZ server access to the internal network by mistake.

Bye
Yizhar Hurwitz
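As an added example of the two "Other notes" above (this is not config from the original post or from the reply, but the poster's own rules rewritten), here are the four printer rules and the four DMZ-to-inside SQL*Net rules expressed with PIX 6.2 network object-groups and `eq` instead of a one-port `range`. The host names are the ones in the posted config, `otherNetwork x.x.x.x` keeps the poster's placeholder mask, the group names `print_hosts`, `dmz_web` and `inside_db` are invented here, and lines beginning with `:` are PIX configuration comments.

```cisco
: A single port is "eq", not "range 9100 9100"
object-group service printers tcp
  port-object eq 9100
: The four inside hosts that receive print jobs from otherNetwork
object-group network print_hosts
  network-object host blue
  network-object host casper
  network-object host gray
  network-object host wendy
: The DMZ web servers that talk SQL*Net to the inside database servers
object-group network dmz_web
  network-object host server2
  network-object host server11
object-group network inside_db
  network-object host server4
  network-object host server10
: One entry replaces the four per-host printer entries:
: source network, destination host group, destination port group
access-list DMZ_access_in permit tcp otherNetwork x.x.x.x object-group print_hosts object-group printers
: One entry replaces the server2/server11 -> server4/server10 entries
access-list DMZ_access_in permit tcp object-group dmz_web object-group inside_db eq sqlnet
```

Two things to check before pasting this in. First, PIX 6.2 appends every new `access-list` line to the end of the list, so after the grouped entries are in, remove the old per-host lines with `no access-list DMZ_access_in ...` (or clear the list and re-enter it in order), and verify the expansion with `show access-list DMZ_access_in`, which prints one line per group member. Second, the posted `access-list DMZ_access_in permit tcp host server2 host server10` has no port at all, so it currently allows every TCP port from a DMZ web server to an inside host; the grouped version above narrows it to `sqlnet` like the server11 entries, so if server2 really needs something else on server10, add that port explicitly rather than re-opening all of TCP.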
 
Thanks for the suggestions. A couple of follow up questions. You mentioned that I can group hosts similar to how I grouped ports. I've not been able to find out how to accomplish this task and I hope you can point me in the right direction in PDM.

I also had a question about the DMZ access list and the lack of a DNS entry in it and the access to the web from the DMZ. I thought that higher level interfaces(DMZ is 50) could travel to lower level interfaces(outside is 0) without restriction. So shouldn't my DMZ have the ability to access the web and shouldn't my DMZ have the ability to access outside DNS server? Thanks again to any who reply.
-Trenchard

>> access-list DMZ_access_in permit tcp otherNetwork x.x.x.x host blue object-group printers
>> access-list DMZ_access_in permit tcp otherNetwork x.x.x.x host casper object-group printers
>> ...
> You can also group hosts in a similar way to how you grouped the ports.

> Your DMZ access-list does not have an entry for DNS traffic from DMZ servers to outside DNS servers. The DMZ servers also have no access to the web so they cannot download OS or anti virus updates.
> But beware not to allow DMZ server access to the internal network by mistake.
 
Hi.

> I hope you can point me in the right direction in PDM
Simply go to the Hosts/Networks tab in PDM.

> I thought that higher level interfaces(DMZ is 50) could travel to lower level interfaces(outside is 0) ...
Once you apply an access-list to an interface, that overrides the ASA security levels regarding that issue.

Bye
Yizhar Hurwitz
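An added example (not from either reply) of what the two answers above amount to in the posted config: because `DMZ_access_in` is applied to the DMZ interface, the security-level default (DMZ 50 may initiate to outside 0) no longer applies, and the DMZ hosts only get out through entries that are written down, so the DNS and update traffic from the earlier reply needs explicit permits, and the "beware" caveat is handled by denying the inside network before any `any` destination appears. Assumptions: `ins.net.add.0 255.255.0.0` stands for the inside network behind the poster's `ip address inside ... 255.255.0.0` line, `dns1`/`dns2` are placeholders for the outside resolvers the DMZ hosts actually use, the group names are invented here, and `:` lines are config comments.

```cisco
: Placeholders for the outside resolvers the DMZ servers query
name x.x.x.x dns1
name x.x.x.x dns2
object-group network outside_dns
  network-object host dns1
  network-object host dns2
: The DMZ servers that need to reach the Internet
object-group network dmz_servers
  network-object host server1
  network-object host server2
  network-object host server3
  network-object host server11
: The posted DMZ -> inside permits (printers, sqlnet, snmp) stay ABOVE this
: point. PIX 6.2 appends new entries, so enter the deny next, before any
: outbound "any" entry: it also covers the inside hosts that the
: static (inside,DMZ) lines publish into the DMZ with their real addresses.
access-list DMZ_access_in deny ip any ins.net.add.0 255.255.0.0
: Outbound from the DMZ. Without these nothing leaves for the Internet once
: the ACL is on the interface, whatever the security levels say.
access-list DMZ_access_in permit udp object-group dmz_servers object-group outside_dns eq domain
access-list DMZ_access_in permit tcp object-group dmz_servers any eq www
access-list DMZ_access_in permit tcp object-group dmz_servers any eq 443
: The mail server must also be able to deliver outbound mail
access-list DMZ_access_in permit tcp host server3 any eq smtp
: Everything not listed is dropped by the implicit deny at the end
access-group DMZ_access_in in interface DMZ
```

Order is what makes this safe: the list is evaluated top down and the first match wins, so the specific inside permits come first, the inside-network deny second, and only then the entries whose destination is `any`. Put the deny after the `any` entries instead and `permit tcp ... any eq www` would let a DMZ web server open port 80 on every inside host the statics expose. After pasting, `show access-list DMZ_access_in` shows the hit count per expanded entry, which is the quickest way to confirm that DNS and web traffic from the DMZ is matching the new permits and that the deny is catching anything aimed at the inside.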
 