Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How do you Secure the PIX 506E?

Status
Not open for further replies.
tsap

tsap

IS-IT--Management
Apr 19, 2005
69
0
0
CA
I’m not to familiar with configuring cisco products. It appears by default that all traffic can pass thought this box. My question is, what do I type in to lock it down properly?

I want my users just to have access to the following….

Internet, email, pcanywhere, cisco vpn

What do I type in the command line interface to block all traffic but the above accesses?
 
Sort by date Sort by votes
By virtue of the ASA security model of the PIX all traffic outbound is allowed since it goes from a higher security interface to a lower security.

Inbound everything is blocked unless explicitly allowed.

When you say Cisco VPN is this allowing internal users to access cisco vpns or inbound allowing them to connect back to your lan?


access-list 102 permit tcp lan-ip lan-sub any eq http
access-list 102 permit tcp lan-ip lan-sub any eq https
access-list 102 permit tcp lan-ip lan-sub any eq pop3
access-list 102 permit tcp lan-ip lan-sub any eq 5631
access-list 102 permit udp lan-ip lan-sub any eq 5632
access-list 102 deny ip any any log

access-group 102 in interface inside



This is basically how you would perform the above asked questions. This would only allow outbound web traffic , pop3 and pcanywhere.
 
Upvote 0 Downvote
thanks for the info.

My vpn users are connecting from any outside public addresses, to use the LAN on the inside.
 
Upvote 0 Downvote
I tried using your above commands...., My PIX said it does not recognize them. I used the command like this....


access-list 102 permit tcp 192.168.111.101 255.255.255.255 any eq 5631
 
Upvote 0 Downvote
I assume you want to restrict access from the inside to outside.


access-list 102 permit tcp 192.168.111.101 any host eq 5631
This make host 192.168.111.101 on the inside to have access to port 5631 thru the pix.

If you want everyone have access to port 5631 thru the pix
access-list 102 permit tcp any any eq 5631

access-list 102 permit tcp "source" "destination" eq "port number"

After you typed all permitlines end with.
access-list 102 deny ip any any
access-group 102 in interface inside

If you are using a internal dns you dont have to open ports associated with dns. Otherwise you need to open those ports aswell.

Is it ciscos native client or a pptp client for vpn?
 
Upvote 0 Downvote
You did go into config mode before typing those commands, right?

config t
 
Upvote 0 Downvote
How do I check the PIX firewall version, we're planning to upgrade PDM 2.0?
 
Upvote 0 Downvote
show version

The ACL should work as entered, if you're in config mode. Using the "host" keyword, the correct syntax is

config# access-list 102 permit tcp host 192.168.111.101 any eq 5631

The final "deny ip any any" is optional, unless you want to enable logging.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
116
nnaarrnn
nnaarrnn
GeorgeAlba
  • Locked
  • Question
What do you think about this proxy
Replies
0
Views
53
GeorgeAlba
GeorgeAlba
DivemasterBill
  • Locked
  • Question
Cannot connect via the SonicWall Login webpage
Replies
0
Views
40
DivemasterBill
DivemasterBill
xwray
  • Locked
  • Question
PIX 501 DHCP Server function
Replies
0
Views
35
xwray
xwray
texwiz
  • Locked
  • Question
need some help to properly set up, segregate and secure a network with an ASA 5505
Replies
2
Views
56
texwiz
texwiz

Part and Inventory Search

Sponsor

Back
Top