Re: Cisco PIX 515 configuration help

Posted by Scott Perry on July 25, 2008, 5:08 pm
You inherited a Cisco PIX 515 firewall at work and now you need to either do
a lot of research or have your company contract a consultant. Learning all
there is to know in order to manage your firewall yourself is what would
make us all proud.

First, get rid of those conduits and replace them with access-lists. Most
of what it is permitting is not mentioned in this e-mail.

no conduit permit tcp host 68.16.146.91 eq www any
no conduit permit tcp host 68.16.146.91 eq 444 any
no conduit permit tcp host 68.16.146.91 eq 81 any
no conduit permit tcp host 68.16.146.91 eq https any
no conduit permit tcp host 68.16.146.91 eq ssh any
no conduit permit tcp host 68.16.146.91 eq telnet any
no conduit permit tcp host 68.16.146.91 eq ftp any
no conduit permit tcp host 68.16.146.91 eq smtp any
no conduit permit tcp host 68.16.146.91 eq pop3 any
no conduit permit tcp host 68.16.146.91 eq 32000 any
!
access-list inbound remark *
access-list inbound remark * Outside Internet Inbound
access-list inbound remark *
access-list inbound extended permit tcp any host 68.16.146.91 eq ftp
access-list inbound extended permit tcp any host 68.16.146.91 eq ssh
access-list inbound extended permit tcp any host 68.16.146.91 eq telnet
access-list inbound extended permit tcp any host 68.16.146.91 eq smtp
access-list inbound extended permit tcp any host 68.16.146.91 eq www
access-list inbound extended permit tcp any host 68.16.146.91 eq 81
access-list inbound extended permit tcp any host 68.16.146.91 eq pop3
access-list inbound extended permit tcp any host 68.16.146.91 eq imap4
access-list inbound extended permit tcp any host 68.16.146.91 eq https
access-list inbound extended permit tcp any host 68.16.146.91 eq 444
access-list inbound extended permit tcp any host 68.16.146.91 eq 32000
!
access-list outbound remark *
access-list outbound remark * Inside LAN Outbound
access-list outbound remark *
access-list outbound extended permit ip any any
!
access-group inbound in interface outside
access-group outbound in interface inside

> 1. I've setup and FTP server on 10.6.18.10 and need to have all
> traffic on port 21 sent to that machine (internally and externally).
> The DNS server is already setup to resolve the name, so that shouldn't
> be an issue.
> 2. I'd like to get IMAP and POP support working outside the office
> (ports 143 and 110 I assume).

Each of these (except for the one being taken out) should correspond with
entries in the inbound access-list.

no static (inside,outside) 68.16.146.91 10.6.18.179 netmask 255.255.255.255
static (inside,outside) tcp 68.16.146.91 21 10.6.18.10 21 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.16.146.91 80 10.6.18.179 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.16.146.91 110 10.6.18.179 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.16.146.91 143 10.6.18.179 143 netmask 255.255.255.255 0 0

Hosts inside the firewall cannot access the FTP server by the global IP
address; they must use the 10.6.18.10 IP address. Hosts on one side of a
firewall cannot reach the firewall's own IP address on the other side.
Cisco firewalls will deny that action.

> 3. Very soon our website is going to be outsourced. I assume this will
> mean two changes on our part: change the DNS entry to point to the
> third party hosting server and remove the firewall entry that routes
> traffic to 10.6.18.179.

no static (inside,outside) tcp 68.16.146.91 80 10.6.18.179 80 netmask 255.255.255.255 0 0
!
no access-list inbound extended permit tcp any host 68.16.146.91 eq www
no access-list inbound extended permit tcp any host 68.16.146.91 eq https

-----
Scott Perry
Indianapolis, IN
-----
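Scott's point that each static "should correspond with entries in the inbound access-list" can be checked mechanically. The following Python is an added example, not code from the thread: it parses the statics and the inbound ACL of the configuration proposed above (embedded here as constructed text, written without the `extended` keyword, which older PIX software does not accept) and reports two things: permit entries that have no static behind them, and statics no entry permits. On the proposed config it shows that once the one-to-one static for 10.6.18.179 is gone, the permits for ssh, telnet, smtp, 81, https, 444 and 32000 have no translation behind them; they are dead today but become live exposure the moment someone re-adds a one-to-one static, so they should be removed rather than left in the list.

```python
"""Cross-check a PIX config: every permit in the inbound access-list should
be backed by a static for that global address and port, and every static
should be reachable through some permit.

Added example, not part of the original post. The embedded config is the
one proposed in the thread, written in the older syntax (no 'extended')."""

# PIX service-name keywords that appear in the thread, as TCP port numbers.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80,
              "pop3": 110, "imap4": 143, "https": 443}


def port_number(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_statics(config):
    """Return a set of (global_ip, port); port None means a one-to-one
    static that translates every port of that global address."""
    statics = set()
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "static":
            continue
        if t[2] in ("tcp", "udp"):   # static (in,out) tcp GLOBAL GPORT LOCAL LPORT ...
            statics.add((t[3], port_number(t[4])))
        else:                        # static (in,out) GLOBAL LOCAL netmask ...
            statics.add((t[2], None))
    return statics


def _addr(t, i):
    """Consume one address spec at t[i]: 'any', 'host X' or 'X MASK'."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return t[i], i + 2


def parse_aces(config, acl_name):
    """Return [(proto, dest_ip, port)] for the permit entries of acl_name;
    port None means no port qualifier. Accepts the 6.x form and the 7.x
    form with the 'extended' keyword."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", acl_name] or "permit" not in t:
            continue
        i = t.index("permit") + 1
        proto = t[i]
        _src, i = _addr(t, i + 1)
        if i < len(t) and t[i] in ("eq", "gt", "lt", "neq", "range"):  # source-port operator
            i += 3 if t[i] == "range" else 2
        dst, i = _addr(t, i)
        port = port_number(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        aces.append((proto, dst, port))
    return aces


def cross_check(config, acl_name="inbound"):
    """Return (permits with no static behind them, statics no permit reaches)."""
    statics = parse_statics(config)
    whole_hosts = {g for g, p in statics if p is None}
    uncovered, used = [], set()
    for proto, dst, port in parse_aces(config, acl_name):
        if dst in whole_hosts:
            used.add((dst, None))
        elif (dst, port) in statics:
            used.add((dst, port))
        else:
            uncovered.append((proto, dst, port))
    return uncovered, sorted(statics - used, key=str)


# Constructed from the thread: the inbound list Scott proposed.
INBOUND_ACL = "\n".join(
    f"access-list inbound permit tcp any host 68.16.146.91 eq {p}"
    for p in ["ftp", "ssh", "telnet", "smtp", "www", "81", "pop3", "imap4",
              "https", "444", "32000"]) + "\naccess-group inbound in interface outside\n"

# The old one-to-one static, which translates every port of 10.6.18.179 ...
OLD_STATIC = "static (inside,outside) 68.16.146.91 10.6.18.179 netmask 255.255.255.255\n"

# ... versus the per-port statics Scott replaces it with.
NEW_STATICS = """\
static (inside,outside) tcp 68.16.146.91 21 10.6.18.10 21 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.16.146.91 80 10.6.18.179 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.16.146.91 110 10.6.18.179 110 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.16.146.91 143 10.6.18.179 143 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for label, statics in (("one-to-one static", OLD_STATIC), ("per-port statics", NEW_STATICS)):
        dead, unused = cross_check(statics + INBOUND_ACL)
        print(label, "- permits with nothing behind them:", [p for _, _, p in dead],
              "- statics no permit reaches:", unused)
```

Run it against your own `write terminal` output instead of the embedded text; any permit it flags is either a leftover to delete or a static you forgot to add.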



Posted by Artie Lange on July 25, 2008, 5:24 pm
Scott Perry wrote:
> You inherited a Cisco PIX 515 firewall at work and now you need to either do
> a lot of research or have your company contract a consultant. Learning all
> there is to know in order to manage your firewall yourself is what would
> make us all proud.
>
> First, get rid of those conduits and replace them with access-lists. Most
> of what it is permitting is not mentioned in this e-mail.
>

Thanks Scott, great post, I was going to explain to him that the
conduits need to go, but I did not want to ruin his Friday!

Posted by sintral on July 25, 2008, 5:42 pm
> Scott Perry wrote:
> > You inherited a Cisco PIX 515 firewall at work and now you need to either do
> > a lot of research or have your company contract a consultant. Learning all
> > there is to know in order to manage your firewall yourself is what would
> > make us all proud.
>
> > First, get rid of those conduits and replace them with access-lists. Most
> > of what it is permitting is not mentioned in this e-mail.
>
> Thanks Scott, great post, I was going to explain to him that the
> conduits need to go, but I did not want to ruin his Friday!

Hey guys thanks a lot for the info and advice.

Scott, I get this error when I input the commands you posted:

FergCopePIX(config)# access-list inbound remark *
ERROR: missing command argument(s)
Usage: [no] access-list compiled
[no] access-list <id> compiled
[no] access-list <id> deny|permit <protocol>|object-group
<protocol_obj_grp_id>
<sip> <smask> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group
<service_obj_grp_id>]

<dip> <dmask> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group
<service_obj_grp_id>]

[no] access-list <id> deny|permit icmp
<sip> <smask> | object-group <network_obj_grp_id>
<dip> <dmask> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]

I've tried putting an <id> with it, such as this:
access-list 102 inbound remark *
but it tells me I'm missing command arguments.

I may be using an older version of software that doesn't accept this
syntax exactly or something. I'm sure you guys know better than me if
that is possible.

Adding a number to the access-list statement for FTP gives a slightly
different error:
FergCopePIX(config)# access-list 102 inbound extended permit tcp any
host 68.1$
ERROR:<inbound> not a valid permission
Usage: [no] access-list compiled
[no] access-list <id> compiled
[no] access-list <id> deny|permit <protocol>|object-group
<protocol_obj_grp_id>
<sip> <smask> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group
<service_obj_grp_id>]

<dip> <dmask> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group
<service_obj_grp_id>]

[no] access-list <id> deny|permit icmp
<sip> <smask> | object-group <network_obj_grp_id>
<dip> <dmask> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]

One other question, it appears that these attempted changes aren't
saved unless I enter a 'wr mem' command, correct? For example I ran
all of the 'no conduit...' commands but they still show up in 'show
config'. I'll need to make sure the access-list commands are accepted
before writing the changes for the conduit entries so that everyone
isn't cut off.

Thanks, Scott, for the complete config settings.

Posted by Artie Lange on July 25, 2008, 9:16 pm
sintral wrote:

>
> One other question, it appears that these attempted changes aren't
> saved unless I enter a 'wr mem' command, correct? For example I ran
> all of the 'no conduit...' commands but they still show up in 'show
> config'. I'll need to make sure the access-list commands are excepted
> before writing the changes for the conduit entries so that everyone
> isn't cutoff.
>

Yes, you must write memory to save the config, it is also wise to
perform a 'clear xlate'

Posted by Scott Perry on July 28, 2008, 11:47 am
I was using a different OS version. Although I like the remarks in
access-lists, you do not need to have them. From the help dialog which you
included in your post, I see that there is not an option for remarks in your
version of the PIX OS.

-----
Scott Perry
Indianapolis, IN
-----


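The conduit-to-access-list conversion Scott describes in his first post, done mechanically and emitted in the older syntax sintral's PIX accepts (no `extended`, no `remark`), in the order sintral was worried about: the new entries first, then the `access-group` binding, then the `no conduit` lines, and only then `clear xlate` and `write memory`, so the permits never lapse during the cutover. This is an added Python example, not code from the thread; the ten conduits embedded in it are the ones quoted in Scott's post, and the list name `inbound` and interface `outside` are his. A conduit names its global (translated) side first and its foreign side second, while an access-list entry reads source then destination, so the converter swaps the two halves.

```python
"""Convert PIX 6.x conduit statements into access-list entries and emit the
cutover in a safe order: new entries, then the access-group binding, then
the 'no conduit' lines, then clear xlate and write memory.

Added example, not part of the thread. The conduits below are the ten quoted
in Scott's post; the list name 'inbound' and interface 'outside' are his."""

OPERATORS = {"eq", "neq", "gt", "lt", "range"}


def _addr(t, i):
    """Consume one address spec at t[i]: 'any', 'host X' or 'X MASK'.
    Conduits and PIX access-lists use the same netmask notation, so the
    tokens pass through unchanged."""
    if t[i] == "any":
        return ["any"], i + 1
    return t[i:i + 2], i + 2          # 'host X' and 'X MASK' are both two tokens


def _ports(t, i):
    """Consume an optional port qualifier: 'eq P', 'range P1 P2', ..."""
    if i < len(t) and t[i] in OPERATORS:
        n = 3 if t[i] == "range" else 2
        return t[i:i + n], i + n
    return [], i


def conduit_to_ace(line, acl_name):
    """conduit ACTION PROTO GLOBAL [op port] FOREIGN [op port] [icmp-type]
    becomes
    access-list NAME ACTION PROTO FOREIGN [op port] GLOBAL [op port] [icmp-type]
    The conduit's global (translated) side is the entry's destination and
    its foreign (Internet) side the entry's source."""
    t = line.split()
    if t[:1] != ["conduit"] or len(t) < 5 or t[1] not in ("permit", "deny"):
        raise ValueError("not a conduit statement: " + line)
    action, proto = t[1], t[2]
    glob, i = _addr(t, 3)
    gport, i = _ports(t, i)
    foreign, i = _addr(t, i)
    fport, i = _ports(t, i)
    tail = t[i:]                      # ICMP type, if one was given
    return " ".join(["access-list", acl_name, action, proto]
                    + foreign + fport + glob + gport + tail)


def migration_plan(conduits, acl_name="inbound", interface="outside"):
    """Ordered commands: the permits exist before the conduits are removed."""
    lines = [l.strip() for l in conduits.splitlines()
             if l.strip().startswith("conduit ")]
    plan = [conduit_to_ace(l, acl_name) for l in lines]
    plan.append(f"access-group {acl_name} in interface {interface}")
    plan += ["no " + l for l in lines]
    plan += ["clear xlate", "write memory"]
    return plan


# The conduits quoted in the thread, in the order Scott listed them.
THREAD_CONDUITS = """\
conduit permit tcp host 68.16.146.91 eq www any
conduit permit tcp host 68.16.146.91 eq 444 any
conduit permit tcp host 68.16.146.91 eq 81 any
conduit permit tcp host 68.16.146.91 eq https any
conduit permit tcp host 68.16.146.91 eq ssh any
conduit permit tcp host 68.16.146.91 eq telnet any
conduit permit tcp host 68.16.146.91 eq ftp any
conduit permit tcp host 68.16.146.91 eq smtp any
conduit permit tcp host 68.16.146.91 eq pop3 any
conduit permit tcp host 68.16.146.91 eq 32000 any
"""

if __name__ == "__main__":
    print("\n".join(migration_plan(THREAD_CONDUITS)))
```

Two caveats when you paste the output in. First, conduits apply to every flow from a lower-security to a higher-security interface, while an access-list is bound to one interface; on a two-interface PIX binding it to `outside` is enough, but a box with a DMZ needs a list on each lower-security interface. Second, `show config` on the PIX displays the saved (flash) configuration, so the conduits stay visible there until `write memory`; `write terminal` shows the running configuration, which is where the `no conduit` lines take effect immediately.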
