RE: [fw-wiz] Extreme Problem with PIX Config

From: Brian Loe (knobdy_at_stjoelive.com)
Date: 05/13/05

    To: "'John Dorsey'" <dorsey@colquitt.org>
    Date: Fri, 13 May 2005 13:12:05 -0500

    I appreciate the help from all of you - and for the record, the one to be
    kicked is me. I've never logged into a PIX until this one and everything I
    had in that config are things I've gotten out of other configs I've found on
    the Net and what I've gleaned from Cisco documentation... And then a LOT of
    fiddling to try and get things to work. This PIX has not been put in
    production as yet, only for testing. It will, however, go in tonight as we
    got everything working last night. Here is the current config which I would
    like to garner some comments on, as I'm not confident I've got everything
    right - or as secure as it ought to be. There are a few lines my boss added
    on his own as well and I want to make sure we're not going to be doing
    anything..."dangerous".

    : Saved
    : Written by enable_15 at 11:42:46.569 UTC Thu May 12 2005
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security4
    nameif ethernet3 intf3 security6
    enable password R5JqnA.7FP.h3CNW encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pix
    domain-name nationalmoney.com
    no fixup protocol dns
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol http 443
    fixup protocol icmp error
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 10.100.1.82 phoneM2
    name 10.100.1.81 phoneM1
    name 10.100.1.86 phoneM6
    name 10.100.1.84 phoneM4
    name 10.100.1.83 phoneM3
    name 192.168.1.12 phone_Gateway
    name 192.168.1.39 mail
    name 192.168.1.101 ftp
    name 192.168.1.104 clkdmz1
    name 192.168.1.108 NTXWEB
    name 192.168.1.115 KCIT07
    object-group network Sister_Company
      description Sister Company range.
      network-object ip.nt.pub.33 255.255.255.255
      network-object ip.nt.pub.34 255.255.255.255
      network-object ip.nt.pub.35 255.255.255.255
      network-object ip.nt.pub.36 255.255.255.255
      network-object ip.nt.pub.37 255.255.255.255
      network-object ip.nt.pub.38 255.255.255.255
      network-object ip.nt.pub.39 255.255.255.255
      network-object ip.nt.pub.40 255.255.255.255
      network-object ip.nt.pub.41 255.255.255.255
      network-object ip.nt.pub.42 255.255.255.255
      network-object ip.nt.pub.43 255.255.255.255
      network-object ip.nt.pub.44 255.255.255.255
      network-object ip.nt.pub.45 255.255.255.255
      network-object ip.nt.pub.46 255.255.255.255
      network-object ip.nt.pub.47 255.255.255.255
      network-object ip.nt.pub.48 255.255.255.255
      network-object ip.nt.pub.49 255.255.255.255
      network-object ip.nt.pub.50 255.255.255.255
      network-object ip.nt.pub.51 255.255.255.255
      network-object ip.nt.pub.52 255.255.255.255
      network-object ip.nt.pub.53 255.255.255.255
      network-object ip.nt.pub.54 255.255.255.255
      network-object ip.nt.pub.55 255.255.255.255
      network-object ip.nt.pub.56 255.255.255.255
      network-object ip.nt.pub.57 255.255.255.255
      network-object ip.nt.pub.58 255.255.255.255
      network-object ip.nt.pub.59 255.255.255.255
      network-object ip.nt.pub.60 255.255.255.255
      network-object ip.nt.pub.61 255.255.255.255
      network-object ip.nt.pub.62 255.255.255.255
      network-object ip.nt.pub.63 255.255.255.255
    object-group network IBM
      description IBM range.
      network-object pub.net.ip.197 255.255.255.255
      network-object pub.net.ip.198 255.255.255.255
      network-object pub.net.ip.199 255.255.255.255
      network-object pub.net.ip.200 255.255.255.255
      network-object pub.net.ip.201 255.255.255.255
    object-group network Internal_Net
      description All internal networks.
      network-object 10.100.0.0 255.255.254.0
      network-object 10.100.2.0 255.255.254.0
      network-object 10.100.4.0 255.255.254.0
      network-object 10.100.6.0 255.255.254.0
      network-object 10.101.0.0 255.255.254.0
      network-object 10.101.2.0 255.255.254.0
    object-group network phone_Group
      network-object phoneM1 255.255.255.255
      network-object phoneM2 255.255.255.255
      network-object phoneM3 255.255.255.255
      network-object phoneM4 255.255.255.255
      network-object phoneM6 255.255.255.255
    object-group service WEB_PORTS tcp
      port-object eq www
      port-object eq https
      port-object eq echo
    object-group service FTP_PORTS tcp
      port-object eq ftp
      port-object eq ftp-data
      port-object eq echo
    object-group service WebX tcp
      group-object FTP_PORTS
      group-object WEB_PORTS
      port-object eq 1935
    object-group service Tranlink_TCP tcp
      group-object WEB_PORTS
      port-object range 3306 3307
      port-object eq ssh
    object-group service KCIT07 tcp
      port-object range 1433 19628
    object-group service DB2_TCP tcp
      port-object eq 523
      port-object eq ssh
      port-object range 50000 50100
      port-object eq 1415
    object-group service Mail_Ports tcp
      group-object WEB_PORTS
      port-object range 1000 1028
      port-object eq 2000
      port-object eq 3000
      port-object eq pop3
      port-object eq smtp
    object-group service KCIT01 tcp
      port-object eq pptp
    object-group service EQA_TCP tcp
      port-object eq 3389
    object-group service Tranlink_UDP udp
      port-object eq 22
    object-group service DB2_UDP udp
      port-object range 50000 50100
    object-group service EQA_UDP udp
      port-object eq 3389
    object-group network DMZ
      network-object 192.168.1.0 255.255.255.0
    access-list compiled
    access-list acl_inbound permit tcp any host ip.pub.nt.114 object-group WebX
    access-list acl_inbound permit tcp any host ip.pub.nt.108 object-group WebX
    access-list acl_inbound permit tcp any host ip.pub.nt.111 object-group WEB_PORTS
    access-list acl_inbound permit tcp any host ip.pub.nt.107 object-group Tranlink_TCP
    access-list acl_inbound permit udp any host ip.pub.nt.107 object-group Tranlink_UDP
    access-list acl_inbound permit tcp any host ip.pub.nt.115 object-group KCIT07
    access-list acl_inbound permit tcp any host ip.pub.nt.106 object-group DB2_TCP
    access-list acl_inbound permit udp any host ip.pub.nt.106 object-group DB2_UDP
    access-list acl_inbound permit tcp any host ip.pub.nt.100 object-group KCIT01
    access-list acl_inbound permit tcp any host ip.pub.nt.102 object-group FTP_PORTS
    access-list acl_inbound permit icmp any host ip.pub.nt.102
    access-list acl_inbound permit tcp any host ip.pub.nt.104 eq domain
    access-list acl_inbound permit udp any host ip.pub.nt.104 eq domain
    access-list acl_inbound permit tcp any host ip.pub.nt.99 object-group Mail_Ports
    access-list acl_inbound permit tcp any host ip.pub.nt.101 object-group WEB_PORTS
    access-list acl_inbound permit icmp any host ip.pub.nt.116 unreachable
    access-list acl_inbound permit icmp any host ip.pub.nt.116 time-exceeded
    access-list acl_inbound permit icmp any host ip.pub.nt.116 echo-reply
    access-list acl_inbound permit icmp any host ip.pub.nt.116 echo
    access-list acl_inbound permit icmp any any
    access-list acl_inbound permit gre any host ip.pub.nt.100
    access-list in_dmz permit ip any any
    pager lines 24
    logging on
    logging buffered debugging
    icmp permit any outside
    icmp permit any inside
    icmp permit any DMZ
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu intf3 1500
    ip address outside ip.pub.nt.126 255.255.255.224
    ip address inside 10.100.0.3 255.255.254.0
    ip address DMZ 192.168.1.1 255.255.255.0
    ip address intf3 10.255.255.253 255.255.255.252
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address DMZ
    no failover ip address intf3
    pdm location 10.100.1.10 255.255.255.255 inside
    pdm location 10.100.1.20 255.255.255.255 inside
    pdm location 10.100.1.49 255.255.255.255 inside
    pdm location 10.100.1.57 255.255.255.255 inside
    pdm location 10.100.1.190 255.255.255.255 inside
    pdm location 10.100.2.0 255.255.254.0 inside
    pdm location 10.100.4.100 255.255.255.255 inside
    pdm location 10.100.4.0 255.255.254.0 inside
    pdm location 10.100.6.0 255.255.254.0 inside
    pdm location mail 255.255.255.255 DMZ
    pdm location 192.168.1.102 255.255.255.255 DMZ
    pdm location sommz1 255.255.255.255 DMZ
    pdm location NTSWEB 255.255.255.255 DMZ
    pdm location 192.168.1.114 255.255.255.255 DMZ
    pdm location KCIT07 255.255.255.255 DMZ
    pdm location 10.100.0.0 255.255.255.0 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 ip.pub.nt.117-ip.pub.nt.119 netmask 255.255.255.224
    global (outside) 1 ip.pub.nt.116 netmask 255.255.255.224
    global (DMZ) 1 192.168.1.240-192.168.1.250
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (DMZ) 1 192.168.1.0 255.255.255.0 0 0
    static (inside,outside) ip.pub.nt.111 10.100.1.57 netmask 255.255.255.255 0 0
    static (DMZ,outside) ip.pub.nt.114 192.168.1.114 netmask 255.255.255.255 0 0
    static (DMZ,outside) ip.pub.nt.108 NTXWEB netmask 255.255.255.255 0 0
    static (inside,outside) ip.pub.nt.107 10.100.1.190 netmask 255.255.255.255 0 0
    static (DMZ,outside) ip.pub.nt.115 KCIT07 netmask 255.255.255.255 0 0
    static (inside,outside) ip.pub.nt.106 10.100.1.49 netmask 255.255.255.255 0 0
    static (inside,outside) ip.pub.nt.100 10.100.4.100 netmask 255.255.255.255 0 0
    static (DMZ,outside) ip.pub.nt.102 192.168.1.102 netmask 255.255.255.255 0 0
    static (DMZ,outside) ip.pub.nt.104 clkdmz1 netmask 255.255.255.255 0 0
    static (DMZ,outside) ip.pub.nt.99 mail netmask 255.255.255.255 0 0
    static (inside,outside) ip.pub.nt.101 10.100.1.20 netmask 255.255.255.255 0 0
    static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
    access-group acl_inbound in interface outside
    access-group in_dmz in interface DMZ
    route outside 0.0.0.0 0.0.0.0 ip.pub.nt.97 1
    route inside 10.100.2.0 255.255.254.0 10.100.0.1 1
    route inside 10.100.4.0 255.255.254.0 10.100.0.1 1
    route inside 10.100.6.0 255.255.254.0 10.100.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 1:00:00 mgcp 1:00:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1813
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server RADIUS (inside) host 10.100.1.10 sec.ret timeout 5
    aaa-server LOCAL protocol local
    aaa authentication http console RADIUS
    aaa authentication serial console RADIUS
    aaa authentication ssh console RADIUS
    aaa authentication telnet console RADIUS
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    snmp-server location Lowell
    snmp-server contact Brian Loe
    snmp-server community R3@d04!y
    no snmp-server enable traps
    tftp-server inside 10.100.0.169 PIX_DATE
    floodguard enable
    fragment size 2000 DMZ
    fragment timeout 30 DMZ
    telnet 10.100.0.1 255.255.255.255 inside
    telnet 10.100.0.1 255.255.255.255 DMZ
    telnet 10.100.0.1 255.255.255.255 intf3
    telnet timeout 5
    ssh 10.100.0.0 255.255.254.0 inside
    ssh timeout 15
    management-access inside
    console timeout 15
    terminal width 80
    banner motd ******************************************
    banner motd * *
    banner motd * !!!WARNING !!! *
    banner motd * All attempts at unauthorized access *
    banner motd * will be aggressively pursued and *
    banner motd * prosecuted to the full extent *
    banner motd * of local and international law. *
    banner motd * *
    banner motd ******************************************
    Cryptochecksum:19c0e4355e47f84a2e9110284a00ce57
    : end

    > -----Original Message-----
    > From: John Dorsey [mailto:dorsey@colquitt.org]
    > Sent: Friday, May 13, 2005 10:14 AM
    > To: Brian Loe
    > Cc: firewall-wizards@honor.icsalabs.com
    > Subject: Re: [fw-wiz] Extreme Problem with PIX Config
    >
    > Brian,
    >
    > > I've been fighting this problem for two weeks now. What
    > follows is the
    > > current config (edited to protect the innocent). If format is
    > > maintained, the trouble lines will be bolded. These trouble
    > lines are:
    > > access-list nonat permit ip any any; nat (inside) 0
    > access-list nonat;
    > > access-group nonat in interface dmz.
    > [lots of deletia]
    >
    > Here's a couple of ideas and recommendations that may help.
    > First, I don't recommend using the same acl for the
    > "access-group" and "nat (interface) 0 ..." purposes; keep
    > those acl's separate and things are cleaner.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
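The post above asks for a review of the config, and the quoted reply makes one
concrete recommendation: do not reuse the same access-list for "nat (interface) 0
access-list" and for "access-group". The following script is an added example
(not Brian's, John's or Cisco's code) that reads a PIX 6.x style running-config
and reports the handful of things a reviewer would question first: an interface
ACL that permits "ip any any" (the in_dmz list), "permit icmp any any" in the
inbound list, very wide port ranges in service object-groups (KCIT07 covers
1433-19628), management services opened to 0.0.0.0/0, and an ACL name bound both
to nat 0 and to an access-group. The function name lint_pix_config, the 1000-port
threshold and the embedded sample config are all assumptions; the sample is a
constructed excerpt modelled on the lines in this thread, including the nonat
lines from the original post, not the full config.

```python
"""Lint a Cisco PIX 6.x style config for common review findings.

Added example for the fw-wiz thread; not code from the post or from Cisco.
The SAMPLE_CONFIG below is a constructed excerpt modelled on the thread.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
object-group service KCIT07 tcp
  port-object range 1433 19628
object-group service DB2_TCP tcp
  port-object range 50000 50100
access-list compiled
access-list acl_inbound permit tcp any host ip.pub.nt.115 object-group KCIT07
access-list acl_inbound permit icmp any host ip.pub.nt.116 echo
access-list acl_inbound permit icmp any any
access-list in_dmz permit ip any any
access-list nonat permit ip any any
nat (inside) 0 access-list nonat
access-group acl_inbound in interface outside
access-group in_dmz in interface DMZ
access-group nonat in interface DMZ
http server enable
http 0.0.0.0 0.0.0.0 inside
ssh 10.100.0.0 255.255.254.0 inside
"""

WIDE_RANGE = 1000  # hypothetical threshold: flag service ranges wider than this


def lint_pix_config(text, wide_range=WIDE_RANGE):
    """Return a list of human-readable findings for a PIX 6.x config text."""
    findings = []
    acl_rules = defaultdict(list)   # acl name -> ["permit ip any any", ...]
    applied = {}                    # acl name -> interface it is bound to
    nat0_acls = set()               # acl names referenced by "nat (x) 0 access-list"
    ranges = []                     # (object-group name, low port, high port)
    current_group = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):
            continue
        if not raw.startswith(" "):       # unindented line ends an object-group body
            current_group = None
        if (m := re.match(r"object-group service (\S+)", line)):
            current_group = m.group(1)
        elif (m := re.match(r"port-object range (\d+) (\d+)", line)) and current_group:
            ranges.append((current_group, int(m.group(1)), int(m.group(2))))
        elif (m := re.match(r"access-list (\S+) (permit|deny) (.*)", line)):
            acl_rules[m.group(1)].append(f"{m.group(2)} {m.group(3)}")
        elif (m := re.match(r"access-group (\S+) in interface (\S+)", line)):
            applied[m.group(1)] = m.group(2)
        elif (m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line)):
            nat0_acls.add(m.group(1))
        elif (m := re.match(r"(http|telnet|ssh) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)):
            findings.append(f"{m.group(1)} management open to any source on {m.group(2)}")

    # Only ACLs actually bound to an interface filter traffic; check those.
    for name, iface in applied.items():
        for rule in acl_rules.get(name, []):
            if re.match(r"permit ip any any$", rule):
                findings.append(f"acl {name} on {iface}: permit ip any any (no filtering)")
            elif re.match(r"permit icmp any any$", rule):
                findings.append(f"acl {name} on {iface}: permit icmp any any (all ICMP types)")
        if name in nat0_acls:
            findings.append(f"acl {name} is used for both nat 0 and access-group on {iface}")

    for group, lo, hi in ranges:
        width = hi - lo + 1
        if width > wide_range:
            findings.append(f"object-group {group}: range {lo}-{hi} spans {width} ports")
    return findings


if __name__ == "__main__":
    for finding in lint_pix_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the full config from the post, the same rules would report the
in_dmz list, the "permit icmp any any" entry in acl_inbound, the KCIT07 port
range and the "http 0.0.0.0 0.0.0.0 inside" line; the nat 0 check only fires on
the earlier nonat setup that John's reply discusses.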

