topic Re: creating rules on cisco pix in Network Security

creating rules on cisco pix

par13 — Mon, 11 Mar 2019 17:29:59 GMT

Could anyone help me to create a few basic rules that will allow this traffic to flow thru the cisco pix firewall?

internal networks:

192.168.1.0/24

192.168.2.0/24

both needs to be able to search internet websites, browse, and connect to other remote networks (ex. 10.5.1.0/24)

On the other hand, a remote network (ex. 10.5.1.0/24) needs to have access to internal network 192.168.1.0/24

Can you provide an example?

Thanks

Re: creating rules on cisco pix

Federico Coto Fajardo — Wed, 07 Apr 2010 20:34:00 GMT

Hi,

These are the basic Firewall rules:

The traffic flow through interfaces based on the security level.

Security level ranges from (0-100)

When communicating from a higher security interface to a lower security interface (inside to outside), you need a STATIC NAT and ACL permiting the traffic.

When communicating from a lower security interface to a higher security interface (outside to inside), you just need NAT.

In your example:

To allow

192.168.1.0/24

192.168.2.0/24

to get to the Internet, you should have:

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 2 192.168.2.0 255.255.255.0

global (outside) 1 interface

global (outside) 2 interface

To allow communication TO servers in the internal network 192.168.1.0/24 from the Internet, for example to 192.168.1.8

static (in,out) public_IP 192.168.1.8

access-list OUTSIDE permit ip any host public_IP

access-group OUTSIDE in interface outside

Federico.

Re: creating rules on cisco pix

par13 — Wed, 07 Apr 2010 21:00:19 GMT

hi federico,

I created the rules base on your instructions, but, the internal network can not access any outside websites.

The 192.168.1.0/24 and 192.168.2.0/24 do not have any servers to offer to the public. Instead, the internal networks are computers that needs to access resources outside of the firewall.

Re: creating rules on cisco pix

Federico Coto Fajardo — Wed, 07 Apr 2010 21:06:35 GMT

Ok,

What you're missing is the routing.

The internal networks should have a route to the Internet pointing to the ASA (or have the ASA as their default gateway).

The ASA as well should have a default gateway:

route outside 0 0 x.x.x.x

In this case x.x.x.x represents the IP of the next-hop (next device) in the path to the Internet from the ASA.

Check it out and let us know.

Federico.

Re: creating rules on cisco pix

par13 — Wed, 07 Apr 2010 21:36:26 GMT

ok, let me send you my temporary configuration.

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password DAyT8Zy5o1YlaDcM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname LVCLC-FW

domain-name lv.psu.edu

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service webservices tcp

port-object eq www

port-object eq https

port-object eq ftp

port-object eq telnet

port-object eq ssh

object-group icmp-type icmp-allowed

icmp-object echo

icmp-object time-exceeded

object-group protocol tcpudp

protocol-object udp

protocol-object tcp

protocol-object esp

pager lines 24

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 172.31.53.100 255.255.255.0

ip address inside 146.186.174.129 255.255.255.192

ip address intf2 128.118.6.129 255.255.255.128

no ip address intf3

no ip address intf4

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm history enable

arp timeout 14400

route inside 0.0.0.0 0.0.0.0 172.31.53.100 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 146.186.174.128 255.255.255.192 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Re: creating rules on cisco pix

Federico Coto Fajardo — Wed, 07 Apr 2010 21:42:08 GMT

I see some problems.

The PIX has no clue as to where networks 192.168.1.0/24 and 192.168.2.0/24 are (there are no routes)

Are those networks reachable via which interface on the ASA?

The default route on the PIX is set to the inside interface. Is this the interface connected to the Internet?

Federico.

Re: creating rules on cisco pix

par13 — Wed, 07 Apr 2010 22:19:05 GMT

on the configuration file, the two internal networks are:

146.186.174.128 255.255.255.192

128.118.6.128 255.255.255.128

The external (public address) is 172.31.53.0/24 or 172.31.53.100/24

Both internal networks needs to go out. These are just computers that will access resources (servers, webserservers, etc.) to public network.

Take a look at the attach file.|

Re: creating rules on cisco pix

Federico Coto Fajardo — Wed, 07 Apr 2010 22:25:58 GMT

nat (inside) 1 146.186.174.128 255.255.255.129
nat (intf2) 1 128.118.6.128 255.255.255.128
global (outside) 1 interface

access-list inside permit ip any any

Make sure that both internal networks have the ASA as the default gateway.

Federico.

Re: creating rules on cisco pix

par13 — Wed, 07 Apr 2010 22:37:46 GMT

what should I do with the other rules created? should I have them removed?

On my last submission, I uploaded a diagram for you to comment on.

Re: creating rules on cisco pix

Federico Coto Fajardo — Wed, 07 Apr 2010 22:40:14 GMT

Just remove the previous rules typing the same command again with the keyword ''no'' in front.

Try to get Internet access from the internal networks.

I saw the diagram, just out of curiosity, why do you have public IP addresses in your internal networks?

Federico.

Re: creating rules on cisco pix

par13 — Wed, 07 Apr 2010 22:46:59 GMT

these are testing ip address, until we get the firewall correctly working..

Re: creating rules on cisco pix

par13 — Wed, 07 Apr 2010 23:25:38 GMT

Before uploading the new config, is this sound much better?

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password DAyT8Zy5o1YlaDcM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname LVCLC-FW

domain-name lv.psu.edu

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service webservices tcp

port-object eq www

port-object eq https

port-object eq ftp

port-object eq telnet

port-object eq ssh

object-group icmp-type icmp-allowed

icmp-object echo

icmp-object time-exceeded

object-group protocol tcpudp

protocol-object udp

protocol-object tcp

protocol-object esp

pager lines 24

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 172.31.53.100 255.255.255.0

ip address inside 146.186.174.129 255.255.255.192

ip address intf2 128.118.6.129 255.255.255.128

no ip address intf3

no ip address intf4

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm history enable

arp timeout 14400

nat (inside) 1 146.186.174.128 255.255.255.129
nat (intf2) 1 128.118.6.128 255.255.255.128
global (outside) 1 interface

access-list inside permit ip any any
route inside 0.0.0.0 0.0.0.0 172.31.53.100 1
timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 146.186.174.128 255.255.255.192 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Re: creating rules on cisco pix

Jennifer Halim — Thu, 08 Apr 2010 00:34:57 GMT

This route is incorrect: route inside 0.0.0.0 0.0.0.0 172.31.53.100 1

172.31.53.100 is your outside interface ip address. You can't route the default gateway back to your inside.

The default route should say: route outside 0.0.0.0 0.0.0.0 172.31.53.x

172.31.53.x should the next hop router ip address connected to the PIX outside interface.

and please remove the "route inside" command.

Re: creating rules on cisco pix

par13 — Thu, 08 Apr 2010 02:16:16 GMT

ok, thanks for the suggestion..

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

enable password DAyT8Zy5o1YlaDcM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname LVCLC-FW

domain-name lv.psu.edu

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

object-group service webservices tcp

port-object eq www

port-object eq https

port-object eq ftp

port-object eq telnet

port-object eq ssh

object-group icmp-type icmp-allowed

icmp-object echo

icmp-object time-exceeded

object-group protocol tcpudp

protocol-object udp

protocol-object tcp

protocol-object esp

pager lines 24

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside 172.31.53.100 255.255.255.0

ip address inside 146.186.174.129 255.255.255.192

ip address intf2 128.118.6.129 255.255.255.128

no ip address intf3

no ip address intf4

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm history enable

arp timeout 14400

nat (inside) 1 146.186.174.128 255.255.255.129
nat (intf2) 1 128.118.6.128 255.255.255.128
global (outside) 1 interface

access-list inside permit ip any any
route outside 0.0.0.0 0.0.0.0 172.31.53.100 172.31.53.106

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 146.186.174.128 255.255.255.192 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Re: creating rules on cisco pix

Federico Coto Fajardo — Thu, 08 Apr 2010 02:37:54 GMT

Have you tried it already?

Federico.

Re: creating rules on cisco pix

par13 — Thu, 08 Apr 2010 02:42:19 GMT

I will have it tested tomorrow morning.

On the other hand, does these settings provide some protection to the internal network?

Re: creating rules on cisco pix

Federico Coto Fajardo — Thu, 08 Apr 2010 02:46:07 GMT

The internal hosts should access the web getting translated to the outside IP of the ASA.

There's protection in terms that no inbound access is permitted by the ASA (with the exception of the replies for the outbound connections).

It's in fact a very basic configuration and normally you would want to change your internal addressing scheme to a private range of IPs.

Federico.

Re: creating rules on cisco pix

par13 — Thu, 08 Apr 2010 03:08:09 GMT

Now, the host behind the firewall will need to access other services:

Telnet

Printing thru Print Server

FTP

https

Microsoft DFS

Check EMail

And, in both internal networks, these computers are join to an active directory server located remotely. Therefore, the remote servers will need to have access to these two networks. Can you provide a simple rule(s) that allow the servers to make sure authentication, active directory communication does not get interrupted?

And, in some communication instances, the internal clients will have a direct communication to other network(s). In other words, communication between the internal subnet(s) and other remote subnet(s) should be opened. This is most certain between trusted network(s).

Thanks

Re: creating rules on cisco pix

par13 — Thu, 08 Apr 2010 12:36:29 GMT

Fransisco,

I made the changes in accord to the new configuration file, and the internal network can't still see any host on the 172.31.53.0/24 network. The 172.31.53.0/24 would be oustide of the firewall.

Re: creating rules on cisco pix

Federico Coto Fajardo — Thu, 08 Apr 2010 13:47:13 GMT

The internal networks can go to the Internet?

If so, then the ASA is allowing the traffic out fine.

According to the diagram, the external network is outside the ASA (but is not directly connected is it?). Is this external network another office geographically located on a different site?

We need to check if the problem is with your ASA or with the external network not knowing how to reach your internal networks.

Federico.