Inherited this mess...please help 1

[DrLagos]

Inherited this mess and would like to clean up the config, allow ping, etc. I have also noticed that it seems to make certain websites timeout? (ie, wikipedia) and not sure why. I really just want to clean up the config and make the simplest config to allow users out and support one internal web server. Thanks in advance.
:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxx encrypted
passwdxxx encrypted
hostname my-pix
domain-name pix.me.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list indmz permit ip any any
access-list inbound permit tcp any any eq www
access-list inbound permit udp any any eq 80
access-list inbound permit tcp any any eq 8181
access-list inbound permit udp any any eq 8181
access-list inbound permit tcp any any eq 8383
access-list inbound permit udp any any eq 8383
access-list inbound permit tcp any any eq 1774
access-list inbound permit udp any any eq 1774
access-list inbound permit tcp any any eq 2646
access-list inbound permit udp any any eq 2646
access-list inbound permit tcp any any eq 3679
access-list inbound permit udp any any eq 3679
access-list inbound permit tcp any any eq 3678
access-list inbound permit udp any any eq 3678
access-list inbound permit tcp any any eq 3677
access-list inbound permit udp any any eq 3677
access-list inbound permit tcp any any eq 3673
access-list inbound permit udp any any eq 3673
access-list inbound permit tcp any any eq 3096
access-list inbound permit udp any any eq 3096
access-list inbound permit tcp any any eq 5050
access-list inbound permit udp any any eq 5050
access-list inbound permit tcp any any eq 77
access-list inbound permit udp any any eq 77
access-list inbound permit udp any any eq 6881
access-list inbound permit tcp any any eq 6881
access-list inbound permit tcp any any eq 6969
access-list inbound permit udp any any eq 6969
access-list inbound permit tcp any any eq 55535
access-list inbound permit tcp any any eq 1723
access-list inbound permit tcp any any eq 9675
access-list inbound permit tcp any any eq 9676
access-list inbound permit udp any any eq 9675
access-list inbound permit udp any any eq 9676
access-list inbound permit udp any any eq 1723
access-list inbound permit udp any any eq 443
access-list inbound permit tcp any any eq 443
access-list inbound permit tcp any any eq 100
access-list inbound permit udp any any eq 100
access-list 101 permit tcp any host 69.x.x.9 eq www
access-list 101 permit tcp any host 69.x.x.9 eq 3389
access-list 101 permit tcp any host 69.x.x.9 eq 443
access-list 101 permit tcp any host 69.x.x.8 eq www
pager lines 24
logging on
logging buffered warnings
logging facility 19
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 69.x.x.0 255.255.255.248
ip address inside 172.16.1.254 255.255.0.0
ip address dmz 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 69.x.x.7
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 69.x.x.9 172.16.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 69.x.x.8 172.16.1.252 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group indmz in interface dmz
route outside 0.0.0.0 0.0.0.0 69.x.x.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
telnet 172.16.1.1 255.255.255.255 inside
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:98587fa4aaf03a0d532bf7413c6f9722

 

[ADB100]

Based on that configuration you have three interfaces - inside, dmz and outside. The security levels are inside=100, dmz=50 and outside=0. The PIX has only four IPv4 routes - the inside network 172.16.0.0/16, the dmz 10.1.1.0/24, the outside subnet 69.x.x.0/29 and then a default with the next-hop set to you SP (69.x.x.5). You don't NAT between the inside and the dmz. You have static translations for two internal hosts (69.x.x.8 -> 172.16.1.252 & 69.x.x.9 -> 172.16.1.4). You NAT (PAT) outbound traffic from the inside interface within the range 172.16.0.0/16 to IP address 69.x.x.7 on the outside interface. There is no ACL on the inside interface so inside hosts can do anything, you have a 'permit ip any any' ACL on the DMZ so the dmz hosts can do anything and you have an ACL (101) allowing www, ssl and rdp to the hosts you have static NAT. The long ACL in the configuration (inbound) isn't attached to anything so isn't doing anything - I presume this used to be attached to your inside interface to restrict what inside hosts can access?
You have also hard-coded all your LAN interfaces to 100Mbps Full-Duplex so make sure your attached switches are hard-coded the same.

What you said you want is more or less how its configured? I suspect you don't need the DMZ as you say your webserver is 'internal' so you could probably get rid of the dmz interface and any configuration related to it but its not causing any issues.

Its running PIX OS 6.1(3) - this needs upgrading regardless... You haven't said what the hardware is (PIX 501, 515, 525)? so what version you can go to depends - 501 last release (all them years ago...) was 6.3(5), 515 depending on memory installed can go to 8.0(4), 525 I am not sure?

Andy

 

[DrLagos]

ADB100 Sorry...missed the hardware, it's a 515E. I removed all the inbound ACLs, any ideas on why i can't ping to the outside world?

 

[ADB100]

By default ICMP isn't inspected so any return ICMP packets will get dropped as they are not part of any existing connection (ICMP isn't being inspected). You can either explicitly enable ICMP on the outside interface ACL or enable ICMP inspection with the 'fixup icmp' global command (if its even there with this code?).

http://www.cisco.com/en/US/products...oducts_tech_note09186a0080094e8a.shtml#topic3

Andy

 

[DrLagos]

ADB100...thanks again. Found the right commands and works like a charm.

 

[ADB100]

If you have a 515E then either make sure it has enough DRAM installed (or get some its cheap). You need 128MB to run 8.0(4), its standard DDR RAM but needs to be low profile to fit in the case - there are two DIMM slots and you can either put in 2 * 64MB or 1 * 128MB. You might even find some in an old PII/PIII PC (that's where I got mine from), I think 256MB will also work?

PIX 8.0 code is old - PIX 6.x code is ancient. Why not get an ASA-5505 and step into the 21st centaury?

Andy