Re: Cisco PIX 501 Firewall Config

harrisgirls · ‎07-22-2012

Hi,

I know this is an old firewall but its just a simple firewall I need, my question is this.

I am not getting any internet with my current config, see below:

show conf
: Saved
: Written by enable_15 at 00:52:17.182 UTC Fri Jul 20 2012
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password PVSASRJovmamnVkD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname bmi-501-fw-1
domain-name buildmeit.internal
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 78.XX.XXX.XXX 255.255.240.0
ip address inside 10.52.100.123 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 101 0.0.0.0 0.0.0.0 0 0
access-group allow_ping in interface outside
access-group allow_ping in interface inside
route inside 10.52.0.0 255.255.0.0 10.52.100.123 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.52.10.0 255.255.255.0 inside
http 10.52.66.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:f8f18bf2b944dddfaf3d83e6c1e1c57c
bmi-501-fw-1#

What am I missing, if I try and ping 8.8.8.8 it times out, any suggestions?

Karsten Iwen · ‎07-22-2012

There are a couple of things wrong with that setup:

1) I don't remember the old syntax exactly but I think your Ethernet0 is shutdown.

2) Your NAT is broken. Add the following line:

global (outside) 101 interface

3) Your ACL doesn't allow the needed traffic. Change it the following way:

access-list INSIDE-IN permit udp any any eq 53

access-list INSIDE-IN permit tcp any any eq 80

access-list INSIDE-IN permit tcp any any eq 21

access-list INSIDE-IN permit icmp any any echo

access-group INSIDE-IN in interface inside

With that ACL you can make DNS, HTTP, FTP and also ping to the outside. If you need more, just add more lines with the needed ports.

4) Source-quench is nothing that should be allowed anywhere:

no access-list allow_ping permit icmp any any source-quench

and last but not least:

5) The PIX 501 is unsupported since many years. Devices like that shouldn't be connected to the internet any more ...

harrisgirls · ‎07-22-2012

Hi, Thanks for the reply, I've managed to sort it now with the following config below:

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname bmi-501-fw-1

domain-name buildmeit.internal

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

access-list PERMIT_IN deny tcp any any

access-list PERMIT_IN deny ip any any

access-list PERMIT_IN deny udp any any

access-list PERMIT_OUT permit tcp any any

access-list PERMIT_OUT permit ip any any

access-list PERMIT_OUT permit udp any any

access-list PERMIT_OUT permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside XXX.XX.XXX.XXX 255.255.240.0

ip address inside 10.52.100.123 255.255.255.0

global (outside) 1 interface

outside interface address added to PAT pool

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group PERMIT_IN in interface outside

access-group PERMIT_OUT in interface inside

route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.1 1

route inside 10.52.0.0 255.255.0.0 10.52.100.123 1

wr mem

Regards to point 5 where you say devices like this shouldnt be used, I know its an unsupported device but what other reasons should I not be using it, its a good\simple firewall - i'd rather use this than say...........a horrible netgear!

Karsten Iwen · ‎07-23-2012

For the last point you just should keep in mind, that the software probably has a couple of security-related bugs that won't get fixed any more. For your very simplistic firewall they are perhaps not relevant, but just don't forget it when you try to do more with it.

For your PERMIT-OUT ACL, you don't need tcp, udp and icmp if you allow IP. IP includes all these protocols. The PERMIT-IN ACL is not really needed in your scenario as traffic from a lower security level to a higher level is denied by default.

Sent from Cisco Technical Support iPad App