topic Re: PIX Config problems. in Network Security

PIX Config problems.

jon.hamilton — Fri, 21 Feb 2020 07:12:43 GMT

So I am configuring my PIX 506E through PDM and am having problems getting the rules to work properly.

What I really need is an example config of how it should look, blocking in bound ports and some out bound ports. I have tried many variations and have yet to nail the config. RTFM, done it and it seems that the Manuel and the actual way it works is different.

Chances are that I am just missing something.

Any help on this is much appreciated.

Re: PIX Config problems.

nkhawaja — Sat, 24 Jan 2004 01:18:42 GMT

Hi,

You need to be specific for what you are looking for. There is alot of stuff, infact the entire configs that can be done with PDM. Basically the online guide is the only one available .

Let us know what rules you are saying you are having problems with.

Thanks

Nadeem

Re: PIX Config problems.

jon.hamilton — Mon, 26 Jan 2004 17:24:12 GMT

Okay, sorry for not being more specific. I am setting the PIX up in a test lab, for the time being. Eventually it will be deployed to the Corp. network but we have testing to do first.

The Test: Set up the Firewall to allow normal connections out (http, FTP, PC-anywhere, etc...) and restrict access back in. after that I have to start blocking streaming media in, my web guys are going to try to hack it so they can get the media past most firewalls (our company lives off streaming media purchised by other companies and we have problems every now and then with their firewalls, thus the test).

After these tests, the PIX will serve as our company firewall with normal access to mail and what not (web-etc...)

I read through the manual and it seems I have everything set up right but it fails my tests (i.e. tested a block out-bound http port 80) yet the web traffic still gets through.

192.168.2.0 (inside PIX) --> 10.0.2.0 (corporate net) --> I-net.

Re: PIX Config problems.

tvanginneken — Mon, 26 Jan 2004 19:46:43 GMT

Hi,

could you please post the config of the pix and specify what is no working? Please remove the passwords and public ip addresses.

Please specify the protocols (tcp/udp/ports) that you need to allow.

Thanks!!

Re: PIX Config problems.

jon.hamilton — Mon, 26 Jan 2004 20:21:29 GMT

Building configuration...

: Saved

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname xxxxxx

domain-name xxxx.com

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

name 10.0.2.13 xxxxx

name 10.0.2.1 ExternalGateway

object-group service allftp tcp

description this covers ftp and ftp-data ports.

port-object eq ftp

port-object eq ftp-data

access-list outside_access_in remark ICMP Allow.

access-list outside_access_in permit icmp any any

access-list outside_access_in deny ip any any

access-list inside_access_in deny tcp 192.168.2.0 255.255.255.0 eq www any eq www

access-list inside_access_in permit ip any any

access-list inside_access_in remark AOL IM Allow

pager lines 24

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 10.0.2.42 255.255.255.0

ip address inside 192.168.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.2.42 255.255.255.255 inside

pdm location 10.0.2.113 255.255.255.255 outside

pdm location 10.0.2.105 255.255.255.255 outside

pdm location 10.0.2.5 255.255.255.255 outside

pdm location xxxxxxxxxx255.255.255.255 outside

pdm location ExternalGateway 255.255.255.255 outside

pdm location 192.168.2.34 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

global (inside) 99 192.168.2.2-192.168.2.254 netmask 255.255.255.0

global (inside) 1 10.0.2.42

nat (inside) 0 192.168.2.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 ExternalGateway 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 10.0.2.5 255.255.255.255 outside

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server outside 10.0.2.5 /tftp/ppgc-nh

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

terminal width 80

Cryptochecksum:xxxx

: end

[OK]

Okay, so this is weird. I looked through this config and I have rules there that are long gone...PDM doesn't show the AOL IM rule anymore...

See attached screen shot of PDM.

Note that I am simply trying to test how rules are set up so I can make my final config. I have tried several different variations of this but my interpretations of the manual say it is supposed to look like this:

Re: PIX Config problems.

jon.hamilton — Mon, 26 Jan 2004 20:26:31 GMT

Attached screen.

Re: PIX Config problems.

tvanginneken — Tue, 27 Jan 2004 08:00:09 GMT

Hi,

if something is in the config that is no longer visible in the PDM then I would recommend to reset the config. If you make changes to the configuration I would strongly recommend that you use only the PDM or only the Command Line Interface. Do not mix the PDM and the CLI. Some things you enter using the CLI may not be interpreted correctly by the PDM.

To reset the config:

write erase

reload

Please connect a console cable after doing this. The pix will start the configuration wizard after the commands above.

Kind Regards,

Tom