
PIX 501 and Multiple IP's..


AM123
Jun 15, 2002
Please help me out..

I understand very little about the Pix Firewalls although I am trying to learn..

My situation is this, we have 5 External Static IP's. We use DHCP inside.

We have one machine inside which is our Web, FTP, and Mail server running Win2000 Server and Exchange 2000 Server.

We would like 4 external IP's to be mapped to the server for sites that can't use hostheaders (due to sites using SSL).

My question is, how do I go about mapping these IP's to this machine in the 501 PDM?!

Also, we have PDM 2.0(2) and 6.2(1). Is this protecting things the best it can with its default settings? Anything we should change?

Here is the config file, if this helps:

Result of PIX command: "show config"

: Saved
: Written by enable_15 at 01:02:17.334 UTC Tue Jul 30 2002
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****
passwd ****
hostname pixfirewall
domain-name ****
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 216.***.***.*** 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 216.126.84.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

THANKS IN ADVANCE!!

AM
 
HI.

* First of all, you should protect the server itself, especially IIS - did you install SP2 and SRP1 on the machine? You can verify with Start - Run - WINVER.
Following MS instructions like disabling HTR to harden the web server is important:

* At the server you need to configure the additional private ip addresses (one for each site) for example:
192.168.1.101
192.168.1.102
192.168.1.103
192.168.1.104

* At the pix, you need to "static" each address to a free registered address from the external subnet.
This can be done in the hosts/networks tab of PDM .
In the new PDM you can also group these hosts which helps with management.
Here is a sample config:
static (inside,outside) 216.126.84.3 192.168.1.101
static (inside,outside) 216.126.84.4 192.168.1.102
static (inside,outside) 216.126.84.5 192.168.1.103
static (inside,outside) 216.126.84.6 192.168.1.104

And you need to allow inbound SSL traffic for those addresses. You can do it in different ways. In PDM go to the first tab for Access Rules.
Here is a sample config:
access-list fromoutside permit tcp any 216.126.84.0 255.255.255.248 eq 443
You can be more specific and use the group instead of the whole subnet, but it won't make much difference and using a single line might be more efficient.
You can open inbound port 80 if needed the same way.

The mapping for the main ip address of the server should be chosen for mail also and be registered in DNS as the MX record.
An example for the pix configuration is simple:
access-list fromoutside permit tcp any host 216.126.84.3 eq smtp

Open FTP as needed also.

* You should remember that once you open a port at the pix, protection of the traffic is mainly the responsibility of the server - so open only what you must and make sure the server is protected. For example the server should not be configured as an open mail relay, etc...

* Do some reading:

* Add syslog messages support - buffer, PDM, external syslog server, or any combination of them.
You can configure this in PDM 5th tab.

* After you have verified that you have established the needed connectivity, you can enable the pix built-in (but limited) IDS features. You should note that this will also block ping to the pix interface and registered addresses:

ip audit name info1 info action alarm drop
ip audit name attack1 attack action alarm drop reset
ip audit interface outside info1
ip audit interface outside attack1

Bye
Yizhar Hurwitz
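The static and access-list steps above written out as one complete PIX 6.2 CLI fragment, as an added example that is not part of Yizhar's post. It assumes his sample addresses (216.126.84.3-.6 free in the external /29, 192.168.1.101-.104 added on the server) and includes the access-group line that the list needs before it takes effect:

```text
: Added example, not from the thread. Assumes the sample addresses used in the reply above.
: One-to-one static translation for each secondary address on the server
static (inside,outside) 216.126.84.3 192.168.1.101 netmask 255.255.255.255 0 0
static (inside,outside) 216.126.84.4 192.168.1.102 netmask 255.255.255.255 0 0
static (inside,outside) 216.126.84.5 192.168.1.103 netmask 255.255.255.255 0 0
static (inside,outside) 216.126.84.6 192.168.1.104 netmask 255.255.255.255 0 0
: Permit only the services each public address really serves.
: "host" entries instead of the whole /29 keep the PIX outside address and
: the ISP gateway address out of the rule.
access-list fromoutside permit tcp any host 216.126.84.3 eq 443
access-list fromoutside permit tcp any host 216.126.84.4 eq 443
access-list fromoutside permit tcp any host 216.126.84.5 eq 443
access-list fromoutside permit tcp any host 216.126.84.6 eq 443
: Mail (the MX address) and FTP only on the main address
access-list fromoutside permit tcp any host 216.126.84.3 eq smtp
access-list fromoutside permit tcp any host 216.126.84.3 eq ftp
: The list does nothing until it is applied to the outside interface;
: everything not listed is then dropped by the implicit deny at the end.
access-group fromoutside in interface outside
: Check the result
show static
show access-list fromoutside
```

Port 80 can be added per host the same way if a site needs it; the PIX still only protects what the list leaves closed, so the server itself remains the main line of defence for the open ports.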
 
Wow.. Thanks a lot..

1) Yes I am running all of the latest security updates for the W2K Server and Exchange 2000 Server along with Urlscan 2.5.

2) To add all of these IP's on the server, I just add them in TCP/IP - Advanced - IP Settings. Correct?

3) Sorry, but how exactly do I add these IP's under the hosts/network tab in PDM? I took a look, and I don't want to make a mistake..

4) When you say sample config, can I just enter what you typed in the command line interface? Or, how can I enter that config in that screen?

5) The mapping for the mail, you refer to a command line config, how do I enter this?

6) I have made sure that there is no open relay.

7) I have added syslog support, buffer. Great info. I will learn later how to set up an external syslog server so I can scan the logs.

8) The IDS feature, how do I enter those commands?

I really appreciate the links and info you provided. When I came here and saw your reply I thought, wow, nice.. Thanks again.

By the way, I checked out your site, I like your GUI PIX program. Hopefully soon I can install it and use it when I get past the initial configuration.

AM

 
HI.

2) To add all of these IP's on the server, I just add them in TCP/IP - Advanced - IP Settings. Correct?

Yes, correct.

===

3) Sorry, but how exactly do I add these IP's under the hosts/network tab in PDM? I took a look, and I don't want to make a mistake..

Well, the interface is supposed to guide you. There is also a Help button down there.
Tip: in the PDM preference, add the option to preview the CLI commands sent to the pix. This will help you.
You can also use command line and sample configs if you feel better that way:

===

4) When you say sample config, can I just enter what you typed in the command line interface? Or, how can I enter that config in that screen?

Yes, but you should substitute addresses and other parameters as needed.

===

5) The mapping for the mail, you refer to a command line config, how do I enter this?

It is one of the static commands that you have probably already created (for use by https), and maps to the main ip address of the server.

===

8) The IDS feature, how do I enter those commands?
You can use the commands I have posted, and/or samples from Cisco web site, and/or PDM.
In any case, this should be done only after everything is working and not in initial steps.

===

Have a nice weekend.
Yizhar Hurwitz
 
Hi friends,
I work as an assistant to the net.admin in a school in CA and my work is to develop a software which will get input from the syslog file of a PIX firewall and display it as a GUI or as chart information; the purpose is to make the information from the syslog easy to understand and to show it to non-technical people. My problem is that we don't have a firewall now and we are going to get it soon. I don't know where we can get the information about the syslog file and where I can get a sample syslog file with explanations. I tried to search the internet and the cisco website but I only got the general descriptions about syslog; there I also got a part of a syslog but it doesn't help a lot. I will be very grateful if any of you can tell me how to get a complete syslog file and where I can get to know about its explanations. I can be reached at amitranjan@as.sjsu.edu
thanks in advance...
amit
 