My first time setting up a PIX, so I'd appreciate people shooting as many holes in my config as possible, as well as pointing out any logic flaws I might have. This PIX will replace our current FW and I'd like to make this as painless as possible. I used the PDM utility as I'm not yet comfortable with the CLI.
Our current setup consists of Inside/Outside/DMZ. There are various web servers on the DMZ as well as a mail server and a VPN concentrator. The DMZ needs to be accessible to both the inside network and the outside network. By accessible from the outside I mean I need to have certain ports open from the outside to the DMZ like 80, 25, etc. From inside to the DMZ will be fairly unrestricted. The web servers (in the DMZ) make SQL calls to internal database servers, so specific machines in the DMZ will need access to specific machines internally. Everyone will need access to the mail server, and the VPN clients will need access to the DMZ and the internal network. That's fairly murky but I hope it's enough for everyone. I'll try to clarify any questions about the setup. Thanks!
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password -removed
passwd -removed
hostname fwname
domain-name domain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 172.x.x.x gray
name 172.x.x.x blue
name 208.x.x.x server1
name 172.x.x.x wendy
name 172.x.x.x casper
name x.x.x.x otherNetwork
name 208.x.x.x server11
name 208.x.x.x server2
name 208.x.x.x server3
name 208.x.x.x VPN
name 172.x.x.x server4
name x.x.x.x vpnclients
name 172.x.x.x switch
name 172.x.x.x server5
name 172.x.x.x server10
name 208.x.x.x ids
name 208.x.x.x pvpn
name x.x.x.0 subnetwork
name 172.x.x.x server6
name 172.x.x.x server7
name 172.x.x.x server8
name 172.x.x.x server9
name 172.x.x.x tftp
object-group service group tcp
description outside to dmz
port-object eq smtp
port-object eq domain
object-group service printers tcp
port-object range 9100 9100
object-group service server2 tcp
description 9ias access
port-object range 9001 9001
port-object range 7778 7778
access-list DMZ_access_in permit tcp otherNetwork x.x.x.x host blue object-group printers
access-list DMZ_access_in permit tcp otherNetwork x.x.x.x host casper object-group printers
access-list DMZ_access_in permit tcp otherNetwork x.x.x.x host gray object-group printers
access-list DMZ_access_in permit tcp otherNetwork x.x.x.x host wendy object-group printers
access-list DMZ_access_in permit tcp host server2 host server4 eq sqlnet
access-list DMZ_access_in permit tcp vpnclients 255.255.255.0 host server4 eq sqlnet
access-list DMZ_access_in permit tcp vpnclients 255.255.255.0 host server10 eq sqlnet
access-list DMZ_access_in permit tcp host server2 host server10
access-list DMZ_access_in permit tcp host server11 host server4 eq sqlnet
access-list DMZ_access_in permit tcp host server11 host server10 eq sqlnet
access-list DMZ_access_in permit udp otherNetwork x.x.x.x host server6 eq snmp
access-list DMZ_access_in permit udp otherNetwork x.x.x.x host switch eq snmp
access-list outside_access_in permit tcp host ext.ip.add.xxx host server11 eq domain
access-list outside_access_in permit tcp host ext.ip.add.xxx host server11 eq www
access-list outside_access_in permit tcp host ext.ip.add.xxx host server1 eq www
access-list outside_access_in permit tcp host ext.ip.add.xxx host server3 eq smtp
access-list outside_access_in permit tcp host ext.ip.add.xxx host server2 object-group server2
access-list outside_access_in permit tcp host ext.ip.add.xxx host server3 eq pop3
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside ext.ip.add.xxx 255.255.255.248
ip address inside ins.ip.add.xxx 255.255.0.0
ip address DMZ dmz.ip.add.xxx 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ 0.0.0.0
pdm location 172.x.x.x 255.255.255.255 inside
pdm location blue 255.255.255.255 inside
pdm location casper 255.255.255.255 inside
pdm location wendy 255.255.255.255 inside
pdm location gray 255.255.255.255 inside
pdm location otherNetwork x.x.x.x DMZ
pdm location server11 255.255.255.255 DMZ
pdm location server3 255.255.255.255 DMZ
pdm location server1 255.255.255.255 DMZ
pdm location server2 255.255.255.255 DMZ
pdm location VPN 255.255.255.255 DMZ
pdm location barney 255.255.255.255 inside
pdm location switch 255.255.255.255 inside
pdm location server5 255.255.255.255 inside
pdm location server7 255.255.255.255 inside
pdm location server6 255.255.255.255 inside
pdm location server10 255.255.255.255 inside
pdm location server9 255.255.255.255 inside
pdm location server8 255.255.255.255 inside
pdm location tftp 255.255.255.255 inside
pdm location vpnclients 255.255.255.0 DMZ
pdm location subnetwork 255.255.255.0 DMZ
pdm location pvpn 255.255.255.255 outside
pdm location ids 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) server11 server11 netmask 255.255.255.255 0 0
static (DMZ,outside) server1 server1 netmask 255.255.255.255 0 0
static (DMZ,outside) otherNetwork otherNetwork netmask x.x.x.x 0 0
static (inside,DMZ) blue blue netmask 255.255.255.255 0 0
static (inside,DMZ) casper casper netmask 255.255.255.255 0 0
static (inside,DMZ) gray gray netmask 255.255.255.255 0 0
static (inside,DMZ) wendy wendy netmask 255.255.255.255 0 0
static (DMZ,outside) server3 server3 netmask 255.255.255.255 0 0
static (DMZ,outside) server2 server2 netmask 255.255.255.255 0 0
static (DMZ,outside) VPN VPN netmask 255.255.255.255 0 0
static (inside,DMZ) server4 server4 netmask 255.255.255.255 0 0
static (inside,DMZ) server9 server9 netmask 255.255.255.255 0 0
static (inside,DMZ) server6 server6 netmask 255.255.255.255 0 0
static (inside,DMZ) server8 server8 netmask 255.255.255.255 0 0
static (inside,DMZ) server10 server10 netmask 255.255.255.255 0 0
static (inside,DMZ) tftp tftp netmask 255.255.255.255 0 0
static (inside,DMZ) server5 server5 netmask 255.255.255.255 0 0
static (inside,DMZ) switch switch netmask 255.255.255.255 0 0
static (inside,DMZ) server7 server7 netmask 255.255.255.255 0 0
static (DMZ,outside) subnetwork subnetwork netmask 255.255.255.0 0 0
static (DMZ,outside) vpnclients vpnclients netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
route DMZ otherNetwork 255.xxx.xxx.xxx pvpn 1
route DMZ vpnclients 255.255.255.0 pvpn 1
route DMZ subnetwork 255.255.255.0 pvpn 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet xxx.xxx.xxx.xxx 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum-removed
: end
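As an added example (not part of the original post, and not Cisco code), here is a small Python lint pass over a PIX 6.x running-config in the syntax posted above. It flags three things a reviewer would raise against this config as posted: the default `snmp-server community public` string, Telnet management access configured while no `ssh <host> <mask> <if>` entries exist, and `permit tcp`/`permit udp` entries with no port spec, which open every port of that protocol between the two addresses (the `server2 -> server10` line in `DMZ_access_in`). `SAMPLE_CONFIG` is a constructed excerpt that reuses the post's placeholder names; the function names are mine, and the parser only handles the ACL forms that appear in the post plus `any`, `range` and `object-group`.

```python
"""Lint pass over a PIX 6.x running-config (added example, not from the post).

Reports three things a reviewer would flag in the config above: the default
SNMP community string, Telnet (cleartext) management access configured while
no 'ssh <host>' lines exist, and 'permit tcp|udp' entries with no port so the
whole protocol is open between the two addresses. SAMPLE_CONFIG is a
constructed excerpt that reuses the post's placeholder names.
"""
from typing import List, Optional, Tuple

SAMPLE_CONFIG = """\
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
access-list DMZ_access_in permit tcp host server2 host server4 eq sqlnet
access-list DMZ_access_in permit tcp host server2 host server10
access-list outside_access_in permit tcp host ext.ip.add.xxx host server3 eq smtp
snmp-server community public
no snmp-server enable traps
telnet xxx.xxx.xxx.xxx 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
"""

Finding = Tuple[str, str]  # (severity, message)
PORT_OPS = ("eq", "gt", "lt", "neq")


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec: 'any', 'host X', 'object-group G' or 'NET MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] in ("host", "object-group"):
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def _take_port(tokens: List[str], i: int, allow_group: bool) -> Tuple[Optional[str], int]:
    """Consume an optional port spec ('eq 80', 'range 1 2', 'object-group S')."""
    if i >= len(tokens):
        return None, i
    if tokens[i] in PORT_OPS:
        return " ".join(tokens[i:i + 2]), i + 2
    if tokens[i] == "range":
        return " ".join(tokens[i:i + 3]), i + 3
    if allow_group and tokens[i] == "object-group":
        return " ".join(tokens[i:i + 2]), i + 2
    return None, i


def parse_permit(tokens: List[str]) -> Optional[Tuple[str, str, str, str, Optional[str]]]:
    """Parse 'access-list NAME permit PROTO SRC [sport] DST [dport]'; None if malformed."""
    try:
        name, proto = tokens[1], tokens[3]
        src, i = _take_addr(tokens, 4)
        _, i = _take_port(tokens, i, allow_group=False)  # source-port spec, rarely used
        dst, i = _take_addr(tokens, i)
        dport, _ = _take_port(tokens, i, allow_group=True)
        return name, proto, src, dst, dport
    except IndexError:
        return None


def lint(config: str) -> List[Finding]:
    findings: List[Finding] = []
    telnet_hosts: List[str] = []
    ssh_hosts: List[str] = []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith(":"):  # blank or ': end' style lines
            continue
        head = tokens[0]
        if head == "snmp-server" and tokens[1:2] == ["community"] and len(tokens) > 2:
            if tokens[2].lower() in ("public", "private"):
                findings.append(("high", f'default SNMP community "{tokens[2]}" configured'))
        elif head in ("telnet", "ssh") and len(tokens) >= 4 and tokens[1] != "timeout":
            # 'telnet|ssh <host> <mask> <interface>' grants management access
            (telnet_hosts if head == "telnet" else ssh_hosts).append(f"{tokens[1]} on {tokens[3]}")
        elif head == "access-list" and len(tokens) > 3 and tokens[2] == "permit":
            parsed = parse_permit(tokens)
            if parsed is None:
                findings.append(("info", f"{tokens[1]}: could not parse: {raw.strip()}"))
                continue
            name, proto, src, dst, dport = parsed
            if proto == "ip":
                findings.append(("medium", f"{name}: {src} -> {dst} permits all IP traffic"))
            elif proto in ("tcp", "udp") and dport is None:
                findings.append(("medium", f"{name}: {src} -> {dst} permits all {proto} ports"))
    for entry in telnet_hosts:
        findings.append(("medium", f"Telnet (cleartext) management allowed from {entry}"))
    if telnet_hosts and not ssh_hosts:
        findings.append(("medium", "Telnet enabled but no 'ssh <host> <mask> <if>' entries; use SSH or PDM over HTTPS"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against a `show run` capture saved to a file instead of `SAMPLE_CONFIG` to get the same four findings for the posted config; lines that were wrapped by the terminal (the `object-` / `group printers` splits above) need to be rejoined first, or the parser reports them as unparseable rather than silently passing them.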