Pix 501 config for vendor access to web 1

[itisme]

Have a PIX 501 that I want to config so that vendors who visit our company can access the web without having to plug into our network.

I have a free static IP address available on my Cayman ADSL router -

Is there a way I can config PIX so vendors or any guest in our lobby can access net the same way hotels grant access, (e.g., DHCP ,etc.) Not interested in a wireless access point yet.

I was curious how the user would setup the ISP DNS settings to resolve the

http://www URLS

like the way I have mine set up in TCP/IP properties in Windows. I know there is a setting on the Cayman router for DNS, but since I am not using PPOE I am not clear on where this should be set up for a user.

 

[ixleplix]

I have a similar setup.

You can set the PIX to give out DHCP accresses and other info, DNS server, etc--see this link

http://www.cisco.com/en/US/customer..._4container_ccmigration_09186a00801e8934.html

I only allow web-based traffic out of their network by using an ACL applied to the inside interface

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq https
access-list 100 permit tcp any any eq 8080
access-list 100 deny ip any any
'the deny statement isn't necessary, but it lets me see the hit count of what was blocked.

access-group 100 in interface inside


then if you set up ssh management from the outside, you can still login without having to plug into the inside network.

the design would look like this
--------------
| Internet |
--------------
|
|
|
-----------------
| Your Firewall |
-----------------
|
|
|
-----------------
| Your Network |
-----------------
|
|
|
-------------
| Lobby PIX |
-------------
|
|
|
-------------------
| Untrusted Users |
-------------------

I have a tendency to ramble, so I'll shut up now.

Roland


1) A robot may not injure a human being or, through inaction, allow a human being to come to harm.

2) A robot must obey orders given it by human beings except where such orders would conflict with the First Law.

3) A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

 

[lgarner]

It sounds like you want the vendors to access the web, not your internal network. I'd put the Pix in parallel with your company firewall.

Also, change the first three lines of the acl to "permit icmp any any echo". If ping is allowed, I'd suggest allowing them outbound only. Another ACL containing the first 3 lines will allow inbound replies.

Vendors can still access the public parts of your network, but nothing behind your firewall.

 

[ixleplix]

lgarner

Good point on the parallel issue.

I didn't have that freedom since the group behind the firewall are at another site and have to come through my network to reach the Internet. It was one of those "by the way, this is what we've done, make it work" things.

Roland

1) A robot may not injure a human being or, through inaction, allow a human being to come to harm.

2) A robot must obey orders given it by human beings except where such orders would conflict with the First Law.

3) A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

 

[itisme]

I was not considering our private network in this PIX configuration because I want this PIX to be dedicated.
Maybe something like this model where our lobby/vendors have their own "private" network:

| Internet |
--------------
|
|
|
-------------
| Lobby PIX |
-------------
|
|
|
-------------------
| Untrusted Users |
-------------------

I am "giving up" one of my 5 usable fixed public addresses on my ADSL router so this network will have its own public IP address.

Since DHCP will assign 192.168.1.2 - 192.168.1.10 - can I NAT the 10 maximum connections with the following commands:

nat(inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.168.1.25-192.168.1.35 netmask 255.255.255.0

route inside 0.0.0.0 0.0.0.0 66.140.43.137

The ADSL router network is 66.140.43.136/29
outside interface on PIX will be 66.140.43.142

Yes - I would like websense on this network soon!

 

[ixleplix]

itisme
If I understand correctly, you will have this address scheme:

| Internet |
--------------
|
|
---------------
| ADSL Router |
---------------
| IP : 66.140.43.137 (this will be the
| PIX's default gateway)
|
| outside IP: 66.140.43.142/29
-------------
| Lobby PIX |
-------------
| inside IP: 192.168.1.?/24
|
|
-------------------
| Untrusted Users |
-------------------


use
nat(inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

and it will PAT all of the traffic for you using the outside interface.

change
route inside 0.0.0.0 0.0.0.0 66.140.43.137
to
route outside 0.0.0.0 0.0.0.0 66.140.43.137

why dont you create a basic config and post it. Just remember to remove all password(s) and other sensitive data first.

Roland


1) A robot may not injure a human being or, through inaction, allow a human being to come to harm.

2) A robot must obey orders given it by human beings except where such orders would conflict with the First Law.

3) A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

 

[itisme]

Please see attached config below. Current config allows me to access a website ONLY when I enter the ip address and not a domain name. I looked at the alias command but there is not one in this config as you will see. You will also see a dhcp dns entry for the DNS servers provided by the ISP - but this is not helping.

Thank you for helping me with this. I am learning great stuff here.

vendor# wr t
Building configuration...
: Saved
:
PIX Version 6.3(1
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname vendor
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.0 vend
access-list inside_access_in permit tcp any any
pager lines 24
logging on
logging buffered informational
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside 66.140.43.141 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location vend 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.248 inside
pdm location 0.0.0.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 192.168.1.2 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 66.140.43.137 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http vend 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 151.164.1.8 151.164.11.201
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:28e7578ca3813dd58593e9d
: end
[OK]

 

[ixleplix]

Your welcome. It helps me stay sharp too.

I only see a few things that need to be changed.

The reason your not resolving DNS is because you are only allowing TCP out of the network. DNS is UDP port 53.

access-list inside_access_in permit tcp any any

there are a couple of options.

1) add access-list inside_access_in permit udp any any eq 53 only allows udp port 53 out
2) add access-list inside_access_in permit udp any any
3)Remove the access-list---this is what I'd do since the traffic from the lobby isn't traveling through and doesn't touch the rest of your network.

To remove the access-list use the order below. The PIX won't let you remove an access-list that is applied to an interface, so you take it off of the interface first and then remove it.

no access-group inside_access_in in interface inside
no access-list inside_access_in permit tcp any any



Also, this NAT statement can be removed:
nat (outside) 0 192.168.1.2 255.255.255.255 0 0


Let me know how that works.

Roland



1) A robot may not injure a human being or, through inaction, allow a human being to come to harm.

2) A robot must obey orders given it by human beings except where such orders would conflict with the First Law.

3) A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

 

[itisme]

Thank you Roland. Config is now working.
Cannot understand though how firewall tester at

http://www.auditmypc.com

is able to report my internal ip address.

show xlate results show PAT Global 66.140.43.141 (xxxx)

Odd.

 

[ixleplix]

I asked TAC, this is what they said:

Notice the following:
When you go this page it is required for you to download a cookie, that is install on your computer, if you don?t do this process, the application will not be able to check/test your system.
Now the reason why they can see your internal IP address is this file. If you block all downloads/pup-ups and delete all cookies, you will see that you wont be able to even open the page.

This is not a leak in your firewall, I will say that is just a nice application that, when you allow it to install on your computer, it is able to read and upload part of your network information.
Moreover, in this process the firewall has nothing to do since you are accepting the file.


***********************************************
So I don't know how much I'd rely on this testing site since they try to trick you into buying their software.



What's ADD again?