Newbie Assist 1

[jwilder]

I was wondering if there might be a wonderful person in the crowd that might be willing to steer me on the right path for implementing a PIX-506.

I don't want all the answers or for someone to configure it, but someone that can steer me away from making mistakes so that I can move a little faster in setup.

As I mentioned in a previous post, this is my first step into the world of Cisco products.

Thanks. Jason Wilder
IT/CAD Manager

 

[Reaper36]

Your firewall config will depend very much on what you have to protect. The 506 is a great little piece of kit albeit limited to 35K connections and only at 10Meg. The manual that comes with this pix has a very good intro explaining the concept of the firewall with good explanations on what each of the rules means and how to implement them. The trick (for me anyway) is to start with paper and pen, define what traffic you need, use the manual to see how to implement them. I always use forums, particularly security forums to see where the weaknesses are in any piece of kit and define rules to block up any holes/weaknesses.

Once your notes seem to make sense then set up a test environment and start writing them into the PIX. Then test 'em! From both sides if you can, put a PC on the outside of the firewall and test your rules to see if they work. Once you have what you think is a working config make sure you always keep a copy of it on a tftp server, (must be on the inside), makes recovery from any config errors real easy.

These might not be detailed ideas but it was a kind of wide open question, i hope they are a starting point for you. Drop me an email if you need more help, im not an expert but have 4 pix here that i have to manage so have some limited experience.

 

[8dstaicu]

1st: name you interfaces and give the a secutiry with command nameif.
2nd: give an ip to every interface.
3rd: define a nat with nat.... And a pat if you need with global ...
4th: make a static with static. Attach a conduit permit.
don't forget! for testing you'll need: conduit permit icmp any any . After testing finish you can refine.
5: setup an syslog server with logging host.... Then logging trap .... A syslog server for windows it's from

http://www.kiwisoftware.com

Whatch if everything it's normal.
That's the begining.

 

[jwilder]

I've already hit these points somewhat. Right now I'm trying to determine the arrangement of devices and where the PIX will sit. I've been working on writing the CONFIG commands I'll put in the PIX.

You both made good points and I'm starting there...

Here is where I could use an opinion... is it feasible to chain the equipment as such: Local Loop T-1 into a TSU & Cisco 1600* ; which then will go into the PIX and then to a switch to serve 3 servers that will require access to the outside world. One server operates my Exchange Server, one is my File Server and administers all Internet access for the internal network, the third is a server that will migrate into place as the File Server, but for the time being has it's own outside connection.

* The reason I'm not simply utilizing the 1600 is that it is leased equipment from our ISP provider and I'd rather not touch it. I know it may not make much sense, but this is the direction I'm headed. Jason Wilder
IT/CAD Manager

 

[abovebrd]

I have not used the 506 yet. I would however be happy to send you a copy of a 515 config that I did.

Of course without the IP addresses !



-Danny

 

[JasWild]

I'd appreciate it, but how do I get it? I've already been warned about trying to 'elicit' people's e-mail addresses through the forum, because of this thread.

 

[abovebrd]

send me a e-mail

dcd@pop.mainstreet.net

I would be happy to help.



-Danny