
Inherited PIX506 config. Mucho questions 1


Speaker (MIS, US), Sep 5, 2001
I haven't administered a PIX for over a year, and am pretty rusty. I just changed companies and inherited this config from "some certified Cisco guy". I've inserted questions throughout, for anyone who feels like tackling them.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname companyname-pix
domain-name ciscopix.com

!!
1) Why this domain? I'm sure deleting it won't hurt, since it's not connected to the company in any way, but is it harming (mis-routing?) anything being there? Internet and email seem to crawl for the user-to-bandwidth ratio here.
!!

fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
no fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no names

!!
2) Why the no names command followed by a bunch of names? Is it just making sure it's cleared?
!!

name 10.10.10.19 Vipmux_Inside
name 1.2.3.139 Vipmux_Outside
name 1.2.3.129 Internet_Router
name 10.10.10.20 Webserver1A_Inside
name 10.10.10.21 Webserver1B_Inside
name 10.10.10.22 Webserver1C_Inside
name 10.10.10.23 Webserver1D_Inside
name 10.10.10.24 Webserver1E_Inside
name 10.10.10.25 Webserver1F_Inside
name 10.10.10.26 Webserver2A_Inside
name 10.10.10.27 Webserver2B_Inside
name 10.10.10.28 Webserver2C_Inside
name 10.10.10.29 Webserver2D_Inside
name 10.10.10.30 Webserver2E_Inside
name 10.10.10.31 Webserver2F_Inside
name 1.2.3.140 Webserver1A_Outside
name 1.2.3.141 Webserver1B_Outside
name 1.2.3.142 Webserver1C_Outside
name 1.2.3.143 Webserver1D_Outside
name 1.2.3.144 Webserver1E_Outside
name 1.2.3.145 Webserver1F_Outside
name 1.2.3.146 Webserver2A_Outside
name 1.2.3.147 Webserver2B_Outside
name 1.2.3.148 Webserver2C_Outside
name 1.2.3.149 Webserver2D_Outside
name 1.2.3.150 Webserver2E_Outside
name 1.2.3.151 Webserver2F_Outside

!!
3) This is for two web servers. I have no idea why they wanted/thought they needed to bind six external and internal IP addresses to the adapter. I suspect they were thinking about hosting multiple web sites and didn’t know you could do it with one address.
!!

name 10.10.10.38 MailserverA_Inside
name 10.10.10.39 MailserverB_Inside
name 10.10.10.40 MailserverC_Inside
name 10.10.10.41 MailserverD_Inside
name 10.10.10.42 MailserverE_Inside
name 10.10.10.43 MailserverF_Inside
name 1.2.3.158 MailserverA_Outside
name 1.2.3.159 MailserverB_Outside
name 1.2.3.160 MailserverC_Outside
name 1.2.3.161 MailserverD_Outside
name 1.2.3.162 MailserverE_Outside
name 1.2.3.163 MailserverF_Outside

!!
4) Again, the mail server has six private IP addresses bound to the NIC, and each of them is named. I have no idea why. Am I missing something?
!!

access-list Outside_In permit tcp any host 1.2.3.140 eq www
access-list Outside_In permit tcp any host 1.2.3.141 eq www
access-list Outside_In permit tcp any host 1.2.3.142 eq www
access-list Outside_In permit tcp any host 1.2.3.143 eq www
access-list Outside_In permit tcp any host 1.2.3.144 eq www
access-list Outside_In permit tcp any host 1.2.3.145 eq www
access-list Outside_In permit tcp any host 1.2.3.146 eq www
access-list Outside_In permit tcp any host 1.2.3.147 eq www
access-list Outside_In permit tcp any host 1.2.3.148 eq www
access-list Outside_In permit tcp any host 1.2.3.149 eq www
access-list Outside_In permit tcp any host 1.2.3.150 eq www
access-list Outside_In permit tcp any host 1.2.3.151 eq www
access-list Outside_In permit tcp any host 1.2.3.160 eq pop3
access-list Outside_In permit tcp any host 1.2.3.161 eq pop3
access-list Outside_In permit tcp any host 1.2.3.162 eq pop3
access-list Outside_In permit tcp any host 1.2.3.163 eq pop3
access-list Outside_In permit tcp any host 1.2.3.158 eq smtp
access-list Outside_In permit tcp any host 1.2.3.159 eq smtp
access-list Outside_In permit tcp any host 1.2.3.160 eq smtp
access-list Outside_In permit tcp any host 1.2.3.161 eq smtp
access-list Outside_In permit tcp any host 1.2.3.162 eq smtp
access-list Outside_In permit tcp any host 1.2.3.163 eq smtp
access-list Outside_In permit tcp any host 1.2.3.158 eq www
access-list Outside_In permit tcp any host 1.2.3.159 eq www
access-list Outside_In permit tcp any host 1.2.3.160 eq www
access-list Outside_In permit tcp any host 1.2.3.161 eq www
access-list Outside_In permit tcp any host 1.2.3.162 eq www
access-list Outside_In permit tcp any host 1.2.3.163 eq www
access-list Outside_In permit tcp any host 1.2.3.158 eq imap4
access-list Outside_In permit tcp any host 1.2.3.159 eq imap4
access-list Outside_In permit tcp any host 1.2.3.160 eq imap4
access-list Outside_In permit tcp any host 1.2.3.161 eq imap4
access-list Outside_In permit tcp any host 1.2.3.162 eq imap4
access-list Outside_In permit tcp any host 1.2.3.163 eq imap4
access-list Outside_In permit tcp any host 1.2.3.158 eq 3000
access-list Outside_In permit tcp any host 1.2.3.159 eq 3000
access-list Outside_In permit tcp any host 1.2.3.160 eq 3000
access-list Outside_In permit tcp any host 1.2.3.161 eq 3000
access-list Outside_In permit tcp any host 1.2.3.162 eq 3000
access-list Outside_In permit tcp any host 1.2.3.163 eq 3000
access-list Outside_In permit tcp any host 1.2.3.158 eq 220
access-list Outside_In permit tcp any host 1.2.3.159 eq 220
access-list Outside_In permit tcp any host 1.2.3.160 eq 220
access-list Outside_In permit tcp any host 1.2.3.161 eq 220
access-list Outside_In permit tcp any host 1.2.3.162 eq 220
access-list Outside_In permit tcp any host 1.2.3.158 eq pop3
access-list Outside_In permit tcp any host 1.2.3.159 eq pop3
access-list Outside_In permit tcp any host 1.2.3.163 eq 220
access-list Outside_In permit icmp any any
access-list Outside_In permit ip any host 1.2.3.139
access-list Outside_In permit tcp any host 1.2.3.140 eq ftp
access-list Outside_In permit tcp any host 1.2.3.141 eq ftp
access-list Outside_In permit tcp any host 1.2.3.142 eq ftp
access-list Outside_In permit tcp any host 1.2.3.143 eq ftp
access-list Outside_In permit tcp any host 1.2.3.144 eq ftp
access-list Outside_In permit tcp any host 1.2.3.145 eq ftp
access-list Outside_In permit tcp any host 1.2.3.146 eq ftp
access-list Outside_In permit tcp any host 1.2.3.147 eq ftp
access-list Outside_In permit tcp any host 1.2.3.148 eq ftp
access-list Outside_In permit tcp any host 1.2.3.149 eq ftp
access-list Outside_In permit tcp any host 1.2.3.150 eq ftp
access-list Outside_In permit tcp any host 1.2.3.151 eq ftp
access-list Outside_In permit tcp any any eq 5800
access-list Outside_In permit ip host 1.2.3.159 any
access-list Outside_In permit tcp any host 1.2.3.141 eq https
access-list Outside_In permit tcp any host 1.2.3.141 eq 8080
access-list Outside_In permit tcp any host 1.2.3.141 eq 1755
access-list Outside_In permit tcp any host 1.2.3.141 eq 5005
access-list Outside_In permit udp any host 1.2.3.141 eq 5005
access-list Outside_In permit udp any host 1.2.3.141 eq 5004
access-list Outside_In permit tcp any host 1.2.3.141 eq 554
access-list Outside_In permit udp any host 1.2.3.141 eq 1755
access-list Outside_In permit tcp any host 1.2.3.140 eq https
access-list Outside_In permit tcp any host 1.2.3.140 eq 8080
access-list Outside_In permit tcp any host 1.2.3.140 eq 1755
access-list Outside_In permit tcp any host 1.2.3.140 eq 5005
access-list Outside_In permit udp any host 1.2.3.140 eq 5005
access-list Outside_In permit udp any host 1.2.3.140 eq 5004
access-list Outside_In permit tcp any host 1.2.3.140 eq 554
access-list Outside_In permit udp any host 1.2.3.140 eq 1755

!!
5) Ignoring that they used no ranges for consecutive addresses, and allow icmp, why are www, ftp, smtp, etc… being specifically allowed for these workstation addresses? As far as I know, none of these are doing anything that requires this.
!!

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.130 255.255.255.192
ip address inside 10.10.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.190
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.10.10.20 1.2.3.140 255.255.255.255
alias (inside) 10.10.10.21 1.2.3.141 255.255.255.255
alias (inside) 10.10.10.25 1.2.3.145 255.255.255.255
alias (inside) 10.10.10.19 1.2.3.139 255.255.255.255
alias (inside) 10.10.10.22 1.2.3.142 255.255.255.255
alias (inside) 10.10.10.23 1.2.3.143 255.255.255.255
alias (inside) 10.10.10.24 1.2.3.144 255.255.255.255
alias (inside) 10.10.10.26 1.2.3.146 255.255.255.255
alias (inside) 10.10.10.27 1.2.3.147 255.255.255.255
alias (inside) 10.10.10.28 1.2.3.148 255.255.255.255
alias (inside) 10.10.10.29 1.2.3.149 255.255.255.255
alias (inside) 10.10.10.30 1.2.3.150 255.255.255.255
alias (inside) 10.10.10.31 1.2.3.151 255.255.255.255
alias (inside) 10.10.10.38 1.2.3.158 255.255.255.255
alias (inside) 10.10.10.39 1.2.3.159 255.255.255.255
alias (inside) 10.10.10.40 1.2.3.160 255.255.255.255
alias (inside) 10.10.10.41 1.2.3.161 255.255.255.255
alias (inside) 10.10.10.42 1.2.3.162 255.255.255.255
alias (inside) 10.10.10.43 1.2.3.163 255.255.255.255

!!
6) What is the purpose of all these alias statements? The IP addresses belong to workstations.
!!

static (inside,outside) 1.2.3.139 10.10.10.19 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.140 10.10.10.20 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.141 10.10.10.21 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.142 10.10.10.22 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.143 10.10.10.23 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.144 10.10.10.24 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.145 10.10.10.25 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.146 10.10.10.26 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.147 10.10.10.27 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.148 10.10.10.28 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.149 10.10.10.29 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.150 10.10.10.30 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.151 10.10.10.31 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.158 10.10.10.38 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.159 10.10.10.39 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.160 10.10.10.40 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.161 10.10.10.41 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.162 10.10.10.42 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.163 10.10.10.43 netmask 255.255.255.255 0 0

!!
7) All the servers (including the ones with six addresses bound to a single NIC) have static mappings to external IP addresses.
!!

access-group Outside_In in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd address 10.10.10.100-10.10.10.254 inside
dhcpd dns a.b.c.d w.x.y.z
dhcpd wins 10.10.10.49
dhcpd lease 259200
dhcpd ping_timeout 750
dhcpd enable inside

!!
8) No question here, really. The firewall is handling DHCP, and pointing to the domain controller for WINS which, of course, is not running WINS.
!!

Some of these are obviously useless commands, but I wanted to supply the entire config. Maybe some of these things make sense and I'm just not aware of it.
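The questions above amount to a manual audit of the inbound ACL and the management plane. As an added example (not from the thread and not Cisco's code), here is a small Python script that does the same checks mechanically over a PIX 6.x config: it flags `permit ip` entries, ports opened to `any` destination, unrestricted ICMP, an inbound entry whose source is one of the firewall's own static outside addresses (which can only arrive on the outside interface spoofed), and management lines such as SSH open to the whole Internet or the default SNMP community. It also groups destination hosts by the exact service set opened to them, which is the first step toward collapsing the per-host lines into an object-group. The sample config is a constructed excerpt of the one posted above (1.2.3.x are the poster's placeholder public addresses); the severity labels and rule names are my own.

```python
"""Flag over-broad inbound ACL entries and weak management settings in a
PIX 6.x configuration.  Added example, not the poster's or Cisco's code;
severity labels and rule names are my own."""
import re
from collections import defaultdict

# Constructed excerpt of the posted config (1.2.3.x are the thread's
# placeholder public addresses); enough to exercise every rule below.
SAMPLE_CONFIG = """\
access-list Outside_In permit tcp any host 1.2.3.140 eq www
access-list Outside_In permit tcp any host 1.2.3.141 eq www
access-list Outside_In permit tcp any host 1.2.3.158 eq smtp
access-list Outside_In permit icmp any any
access-list Outside_In permit ip any host 1.2.3.139
access-list Outside_In permit tcp any any eq 5800
access-list Outside_In permit ip host 1.2.3.159 any
static (inside,outside) 1.2.3.159 10.10.10.39 netmask 255.255.255.255 0 0
snmp-server community public
telnet 10.10.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

# access-list NAME permit|deny PROTO SRC DST [eq PORT]; SRC/DST is "any",
# "host A.B.C.D" or "NET MASK".
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$")
STATIC_RE = re.compile(r"^static\s+\(inside,outside\)\s+(?P<outside>\S+)\s+(?P<inside>\S+)")

# Management-plane lines that should never appear on an Internet-facing PIX.
MGMT_RULES = [
    (re.compile(r"^ssh\s+0\.0\.0\.0\s+0\.0\.0\.0\s+outside$"), "HIGH",
     "SSH management reachable from every Internet address"),
    (re.compile(r"^telnet\s+\S+\s+\S+\s+outside$"), "HIGH",
     "clear-text telnet management on the outside interface"),
    (re.compile(r"^http\s+\S+\s+\S+\s+outside$"), "HIGH",
     "PDM/HTTP management on the outside interface"),
    (re.compile(r"^snmp-server community (public|private)$"), "HIGH",
     "default SNMP community string"),
]


def parse_statics(lines):
    """Map each static's outside address to its inside address."""
    return {m["outside"]: m["inside"] for m in map(STATIC_RE.match, lines) if m}


def audit_acl_line(line, statics):
    """Return (severity, line, reason) for a risky permit, else None."""
    m = ACL_RE.match(line)
    if not m or m["action"] != "permit":
        return None
    proto, src, dst, port = m["proto"], m["src"], m["dst"], m["port"]
    if src.startswith("host") and src.split()[1] in statics:
        return ("HIGH", line, "source is one of our own static outside addresses; "
                "on the outside interface only a spoofed packet carries it")
    if proto == "ip":
        return ("HIGH", line, f"every IP protocol and port permitted from {src} to {dst}")
    if dst == "any" and port:
        return ("HIGH", line, f"{proto}/{port} opened to every static-mapped host at once")
    if proto == "icmp" and src == "any" and dst == "any":
        return ("MEDIUM", line, "unrestricted ICMP; limit to echo-reply, unreachable "
                "and time-exceeded")
    return None


def audit(config_text):
    """Run the ACL and management checks over a whole config."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    statics = parse_statics(lines)
    findings = []
    for line in lines:
        hit = audit_acl_line(line, statics)
        if hit:
            findings.append(hit)
            continue
        for pattern, severity, reason in MGMT_RULES:
            if pattern.match(line):
                findings.append((severity, line, reason))
    return findings


def consolidation_candidates(config_text):
    """Group destination hosts by the exact set of services opened to them;
    hosts sharing a set can become one object-group and one ACL line."""
    services = defaultdict(set)
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m["action"] == "permit" and m["port"] and m["dst"].startswith("host"):
            services[m["dst"].split()[1]].add((m["proto"], m["port"]))
    groups = defaultdict(list)
    for host, svc in services.items():
        groups[frozenset(svc)].append(host)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for severity, line, reason in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {line}\n         {reason}")
    for svc, hosts in consolidation_candidates(SAMPLE_CONFIG).items():
        if len(hosts) > 1:
            print("same services", sorted(svc), "->", hosts)
```

Run it against the full posted config (paste it in place of `SAMPLE_CONFIG`) and the spoofed-source rule lands on `permit ip host 1.2.3.159 any`, the `permit ip any host 1.2.3.139` and `permit tcp any any eq 5800` lines come out HIGH, and the twelve web-server hosts fall into one group, which is exactly the "no ranges" observation in question 5 expressed as data. The `telnet ... inside` line is deliberately not flagged; only management exposed on the outside interface is.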
 
Phew, that's a lot of questions... I'll start off the answers.

1) No, it does not in any way impact traffic through the PIX; it's needed to do SSH though, which might be why it's in there.

2) no names only applies to the CLI of the PIX, i.e. you can't do a ping <name>.

3,4,7) Clueless admin, that's why it's in there.

5) I thought you said they were server addresses?

6) Alias is used to do DNS doctoring of the returned DNS reply and to forward traffic to another address.

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Looks like 1) and 2) were entered for possible future need.

5) My bad. It's my second day on the job and I haven't mapped out the network yet. The documentation consists of a chart of the internal IP addresses. x.x.x.20-50 are reserved for servers, and 100-254 are for DHCP assignments for the workstations. It looks like the admin put some of these lines in for web and mail servers with addresses of x.x.x.40... but entered them as x.x.x.140...

I think I'm just going to chuck the entire config and build a new one.

6) Do you mean when PIX is handling DNS? I'm going to configure the Domain Controller to handle DNS sometime soon. Can I lose the alias statements?

Thanks for confirming that I haven't forgotten EVERYTHING while I was on my hiatus... but still a lot.
 
6) Well, the deal is that the PIX can track DNS queries that traverse the firewall, and if any response includes records for public addresses that the PIX has a static NAT for, it will change the packet to reflect this (i.e. include the local address) so that people without internal DNS can use public DNS names and still reach their servers on the inside.

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
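To make Jan's description concrete, here is an added Python example (not the PIX's own implementation and not from the thread) that performs the same rewrite on a DNS response: it walks the answer section and, for every A record whose address is the outside side of a static, substitutes the inside address, leaving everything else in the message untouched. The static map is constructed from two of the `static` statements in the posted config and the sample response is built in the script; the domain name is a placeholder.

```python
"""Model the DNS rewrite Jan describes: an A record answering with the
public (outside) address of a static is rewritten to the inside address
before the reply reaches the inside client.  Added example in plain
Python, not the PIX's implementation; static map and message constructed."""
import ipaddress
import struct

# Constructed from the thread's static statements (outside -> inside).
STATIC_MAP = {"1.2.3.140": "10.10.10.20", "1.2.3.158": "10.10.10.38"}


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Build a minimal DNS response: one question, one A record per address,
    answer names as a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                    + ipaddress.IPv4Address(ip).packed for ip in answers)
    return header + question + body


def _skip_name(msg, off):
    """Offset just past a label sequence, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # pointer occupies 2 bytes and ends the name
            return off + 2
        off += 1 + length


def _answer_records(msg):
    """Yield (rdata_offset, type, class, rdlength) for each answer RR."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4     # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(msg):
    """Dotted addresses of all A/IN answers, in wire order."""
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4])))
            for o, t, c, n in _answer_records(msg) if (t, c, n) == (1, 1, 4)]


def doctor_response(msg, static_map):
    """Rewrite A-record RDATA in place; return (new_message, [(outside, inside)])."""
    out = bytearray(msg)
    rewritten = []
    for off, rtype, rclass, rdlen in _answer_records(out):
        if (rtype, rclass, rdlen) != (1, 1, 4):
            continue
        public = str(ipaddress.IPv4Address(bytes(out[off:off + 4])))
        if public in static_map:
            out[off:off + 4] = ipaddress.IPv4Address(static_map[public]).packed
            rewritten.append((public, static_map[public]))
    return bytes(out), rewritten


if __name__ == "__main__":
    reply = build_response("www.example.com", ["1.2.3.140", "198.51.100.7"])
    doctored, changes = doctor_response(reply, STATIC_MAP)
    print("before:", a_records(reply))
    print("after: ", a_records(doctored), changes)
```

Only the four RDATA bytes change, so the message length, the compression pointers and the TTL are unaffected; an answer that is not covered by a static (198.51.100.7 here) passes through untouched. That is also why the alias entries only matter for inside clients that resolve through an external resolver: once the domain controller serves internal names with the 10.10.10.x addresses directly, there is nothing left for the firewall to rewrite.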
 