
How to configure PIX515 1


ericgls (MIS), Sep 26, 2001, SG
How do I configure the PIX firewall to safeguard 3 of my servers located at the hosting company? For example:

mailserver = 202.172.233.100
ftpserver = 202.172.233.101
webserver = 202.172.233.103
netmask = 255.255.255.4
reserved address 202.172.233.120-202.172.233.125

I would like all the servers to be able to go out to the Internet as well (able to surf the net).

After configuring the PIX firewall, how should I configure the server? (in terms of IP, Gateway, DNS)

Thanks
 
HI!

You need more info to complete the configuration.
Try to answer these questions:
What is the IP address of the router?
What IP address to give to PIX own interfaces?
Will the servers use a registered IP address or are you going to use private IP addresses and STATIC translation for the servers?
Are all servers going to be in the same internal network (or DMZ)?
You can buy a PIX with 6 interfaces, and then put each server in its own DMZ, therefore preventing the webserver from attacking the mailserver if it has been compromised.

For configuring the servers - the default gateway should be the IP of the PIX interface they sit behind.
The IP is dependent on whether you are using NAT or not.
For DNS, you can use the ISP DNS servers like before.
However, for better performance, you can implement an internal caching-only DNS server on one of them (recommended on the mail server, in my opinion).

Use the examples from CISCO site as a baseline.
You can also try out my free utility PIXCRIPT for assisting in configuration:

Bye
Yizhar

Yizhar Hurwitz
 
Yizhar,

The servers are hosted at a hosting company. So, I assume that the gateway is the router (202.172.233.129).
IP addresses given to the PIX's own interfaces are outside 202.172.233.110/netmask 255.255.25.192 (registered), inside 192.168.1.100.
Currently, all the servers have a registered IP. Should I use the registered IP or static translation for the servers?
All servers are going to be in the same network.

Thanks
 
Ericgls,

It sounds like you will have NAT running on the PIX to NAT the 192.168.1.x network. If each of the servers is on the 192.168.1.x network then they should be configured with the 192.168.1.x addresses. On the PIX you would use the STATIC command to create a static mapping between the registered public IP address of each server and the private IP address assigned to the server. The servers would have 192.168.1.100 as the default gateway and the PIX should have a route to the ISP's router, 202.172.233.129.

This all assumes you only have a two interface PIX. Also, once this is setup and working you can begin locking down the access to the servers using Access-lists.

Bluecrack
 
Let's say I configure the PIX as follows (for the web server only). What could be wrong? When I connect the inside port of the firewall to the hub there is no light.

Building configuration...
: Saved
:
PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 202.172.233.103 eq www
access-list 100 permit udp any host 202.172.233.103 eq 80
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 202.172.233.100 255.255.255.192
ip address inside 192.168.1.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 202.172.233.101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 202.172.233.103 192.168.1.103 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 202.172.23.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet 192.168.1.101 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end
[OK]
 
HI!

Now it is much easier...

***
If there is no light in the Link LED (on hub and PIX) you should first solve this problem.
Connect the PIX to the hub using a straight cable (not crossover) to a normal port on the hub (not to the uplink port). You may try the yellow cables that come with the PIX or any normal Ethernet cable.
If the connections are OK and there is still no link, maybe manual configuration of the interface can help. You can type

interface ethernet0 10baset
interface ethernet1 10baset

Instead of:

interface ethernet0 auto
interface ethernet1 auto

If it is the correct speed.

***
There is a typo in this line which will cause lots of problems:
route outside 0.0.0.0 0.0.0.0 202.172.23.129 1
It should be:
route outside 0.0.0.0 0.0.0.0 202.172.233.129 1

***
This important line is missing. Without it the access-list won't work:
access-group 100 in interface outside

***
You can remove this line as http does not use UDP/80 :
access-list 100 permit udp any host 202.172.233.103 eq 80


Good luck


Yizhar Hurwitz
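The three review points above (the mistyped next hop, the access-list that is never bound with access-group, and the useless UDP/80 entry) are exactly the kind of thing a small lint pass catches before a config goes live. The following is an added example, not from the thread and not a Cisco tool: it parses the relevant lines of the posted PIX 5.x config (POSTED_CONFIG is a constructed copy that keeps the original typo) and reports findings. It also flags a static translation that has no access-list entry permitting inbound traffic, since the rest of the thread shows that is the other way inbound connections silently fail.

```python
"""Lint the PIX 5.x configuration posted earlier in this thread.

Added example; not from the thread or from Cisco. It turns the reviewer's
points into checks: a route whose next hop is not on the subnet of the
interface it leaves by, an access-list that is defined but never applied
with access-group, a UDP port-80 entry that can never match HTTP, and a
static whose global address has no access-list entry permitting it.
"""
import ipaddress
import re

# Constructed copy of the relevant posted lines, typo in the route included.
POSTED_CONFIG = """\
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 202.172.233.103 eq www
access-list 100 permit udp any host 202.172.233.103 eq 80
ip address outside 202.172.233.100 255.255.255.192
ip address inside 192.168.1.100 255.255.255.0
global (outside) 1 202.172.233.101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 202.172.233.103 192.168.1.103 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 202.172.23.129 1
"""

# The same config with the three fixes from the reply applied.
FIXED_CONFIG = (
    POSTED_CONFIG.replace("access-list 100 permit udp any host 202.172.233.103 eq 80\n", "")
    .replace("202.172.23.129", "202.172.233.129")
    + "access-group 100 in interface outside\n"
)

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) \S+ \S+ (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:permit|deny) (\S+) (.*)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) (\S+)")


def parse_pix(text):
    """Collect the statements the checks need into plain dicts and lists."""
    cfg = {"interfaces": {}, "acls": {}, "bound": set(), "statics": [], "routes": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IP_ADDR_RE.match(line):
            name, addr, mask = m.groups()
            cfg["interfaces"][name] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := ACCESS_GROUP_RE.match(line):
            cfg["bound"].add(m.group(1))
        elif m := STATIC_RE.match(line):
            cfg["statics"].append(m.group(1))  # global (outside) address
        elif m := ROUTE_RE.match(line):
            cfg["routes"].append((m.group(1), m.group(2)))  # (interface, next hop)
    return cfg


def lint_pix_config(text):
    """Return a list of (severity, message) findings in a fixed check order."""
    cfg = parse_pix(text)
    findings = []

    # 1. An access-list only filters once access-group binds it to an interface.
    for name in sorted(cfg["acls"]):
        if name not in cfg["bound"]:
            findings.append(("error", f"access-list {name} is never applied with access-group; it has no effect"))

    # 2. HTTP runs over TCP; a UDP port-80 entry never matches and only widens exposure.
    for name, entries in sorted(cfg["acls"].items()):
        for proto, rest in entries:
            if proto == "udp" and re.search(r"\beq (80|www)\b", rest):
                findings.append(("warning", f"access-list {name}: udp port 80 entry does not match HTTP; remove it"))

    # 3. A route's next hop must lie on the subnet of the interface it leaves by.
    for iface, gateway in cfg["routes"]:
        net = cfg["interfaces"].get(iface)
        if net is not None and ipaddress.ip_address(gateway) not in net.network:
            findings.append(("error", f"route via {gateway} is not on the {iface} subnet {net.network}"))

    # 4. A static maps the address, but inbound sessions still need an ACL permit.
    permitted = " ".join(rest for entries in cfg["acls"].values() for _, rest in entries)
    for global_ip in cfg["statics"]:
        if f"host {global_ip}" not in permitted:
            findings.append(("warning", f"static for {global_ip} has no access-list entry permitting inbound traffic"))

    return findings


if __name__ == "__main__":
    for severity, message in lint_pix_config(POSTED_CONFIG):
        print(f"{severity}: {message}")
```

Running it on the posted config gives the three findings from the reply. Running it on FIXED_CONFIG still leaves one: with the posted outside mask 255.255.255.192, the outside interface at 202.172.233.100 sits in 202.172.233.64/26, which spans .64 to .127, so even the corrected next hop 202.172.233.129 is not on that subnet. Either the mask the hosting company really assigned is wider than /26 or the router address is wrong; that is worth confirming with them before the box goes in line.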
 
Thanks Yizhar, now I am able to ping among the local servers and I can even ping outside. I am also able to surf from the servers. However, I am not able to ping the servers from the public. I cannot view the webpages from outside either.

What could be wrong here?
 
When I added in this line, I can browse from the public to the web server already.

access-list 100 permit any any eq www

but i think this should not be the way.

Is there anything wrong with the line below:

Can I eliminate the global and nat if all 3 of my servers are already assigned 3 different public addresses?
global (outside) 1 202.172.233.101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Before I had this firewall, 202.172.233.103 was my IP address and 255.255.255.192 was my subnet mask. So, is the static command below correct? Why is it 255.255.255.255 0?
static (inside,outside) 202.172.233.103 192.168.1.103 netmask 255.255.255.255 0
 
Yizhar, just forget about the previous 2 messages that I replied. I can get it through already (I had forgotten to add in the access-group).

Till now, everything works fine except for the ping. I can ping from the servers to any public host, but I can't ping from the public to the servers. When I turn on logging console debug on the firewall and ping from outside to 202.172.233.103, I get this message in the firewall's message log:
***
106019: IP packet from 210.193.2.70 to 202.172.233.103, protocol icmp received from interface "outside" deny by access-group "100"
***

What should i do to allow the public to be able to ping my servers?

 
Assuming you mean how can I configure outside IP address to ping inside IP address, you need to add echo-request to your ACL via:
access-list 100 permit icmp any any echo-request

Point of Note: ICMP is becoming a very, very dangerous protocol to allow through firewalls. It allows hackers to map your networks very quickly, it is not handled in a stateful manner by many firewalls, and it has been subverted to carry covert and sometimes encrypted channels across echo-reply messages.

If you don't need it, don't use it ;)

 
gbromely is absolutely right. It is better NOT to allow ICMP traffic through the firewall.

Bluecrack
 
I've got it already, thank you Yizhar. You really helped a lot. Thank you. Have you heard of a syslog server called Kiwi Syslog Daemon? If you happen to know it, I have one question to ask you. I have been able to put all the logs in the syslog server. However, how can I see all the logs on the main screen of the syslog daemon? All the logs are written to the text file but I just can't get them on the screen. I'm using logging facility=20, which is local4 if I'm not mistaken.
 
HI!

Yes, I know Kiwi's SYSLOG but I don't have much experience with it.
I have done some testing on a Win9x host with Kiwi's and I could see the messages on screen.
I guess that you are running it as a service (which I have not tried yet), and this maybe has a different configuration.

You had better post a new thread here and/or contact Kiwi (read the help files first), and also add info like the OS which Kiwi's is running on, the type of installation and version, and the configuration of the Syslog Daemon.

Bye
Yizhar Hurwitz
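Two details from the last few posts are worth pinning down in code: the syslog facility number (PIX `logging facility 20` is local4, so a PIX warning such as 106019 arrives with PRI <164>, i.e. 20 * 8 + 4), and the shape of the 106019 deny message, which is the record you would actually hunt through once the logs land on the syslog server. The following is an added example, not part of the thread and not Kiwi Syslog Daemon code: it decodes the PRI header, parses 106019 into fields, and tallies denies per source so that a host mapping the three servers stands out. SAMPLE_RECORDS are constructed lines in the `%PIX-<severity>-<id>` wire format; the addresses are the ones from the thread plus one documentation-range address.

```python
"""Decode PIX syslog records like the 106019 deny message in this thread.

Added example; not from the thread or from Kiwi. It decodes the syslog PRI
into facility/severity, parses the 106019 access-group deny message into
fields, and counts denies per (source, protocol) so repeated probes of the
servers are easy to spot.
"""
import re
from collections import Counter

# RFC 3164 facility and severity numbering; PIX "logging facility 20" is local4.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")
PIX_RE = re.compile(r"^%PIX-(\d)-(\d{6}): (.*)$")
DENY_106019_RE = re.compile(
    r'IP packet from (\S+) to (\S+), protocol (\S+) received from interface "(\S+)" '
    r'deny by access-group "(\S+)"'
)

# Constructed records: three ICMP probes walking the servers' public addresses,
# one TCP deny from a documentation-range host, and one non-PIX daemon line.
SAMPLE_RECORDS = [
    '<164>%PIX-4-106019: IP packet from 210.193.2.70 to 202.172.233.100, protocol icmp received from interface "outside" deny by access-group "100"',
    '<164>%PIX-4-106019: IP packet from 210.193.2.70 to 202.172.233.101, protocol icmp received from interface "outside" deny by access-group "100"',
    '<164>%PIX-4-106019: IP packet from 210.193.2.70 to 202.172.233.103, protocol icmp received from interface "outside" deny by access-group "100"',
    '<164>%PIX-4-106019: IP packet from 203.0.113.9 to 202.172.233.103, protocol tcp received from interface "outside" deny by access-group "100"',
    "<30>sshd[100]: Accepted publickey for admin from 192.168.1.101",
]


def decode_pri(pri):
    """Split a syslog PRI value into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def parse_record(line):
    """Return a dict describing one syslog line, or None if it has no PRI header."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    rec = {"facility": facility, "severity": severity, "raw": m.group(2)}
    pm = PIX_RE.match(m.group(2))
    if not pm:
        return rec
    rec["msg_id"] = pm.group(2)
    if rec["msg_id"] == "106019":
        dm = DENY_106019_RE.search(pm.group(3))
        if dm:
            src, dst, proto, iface, acl = dm.groups()
            rec.update(src=src, dst=dst, proto=proto, iface=iface, acl=acl)
    return rec


def top_denied_sources(lines, min_count=2):
    """Count 106019 denies per (source, protocol); return those at or above min_count."""
    counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and rec.get("msg_id") == "106019" and "src" in rec:
            counter[(rec["src"], rec["proto"])] += 1
    return [(src, proto, n) for (src, proto), n in counter.most_common() if n >= min_count]


if __name__ == "__main__":
    for src, proto, n in top_denied_sources(SAMPLE_RECORDS):
        print(f"{src} {proto}: {n} denies")
```

On the constructed input the ICMP source that touched all three public addresses is the only one reported; that is the "mapping" pattern gbromely warns about, and it is the reason leaving echo-request out of access-list 100 is the right default.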
 
two thoughts:

why are you doing fixup h323 - you haven't mentioned a requirement that uses it?

also what is the access-list (think I can guess) and how does it work?
 