General questions about PIX 525 (long post)

Chris Mickle
Level 1

Hey,

Sorry about the long post.

I have multiple questions about the PIX 525, software version 8.0(2), ASDM 6.0(2).

I am a Windows network admin who is new to Cisco and routing in general. I have read through the forums and the Cisco documentation, but have not been able to fully understand the topics discussed within.

Thanks for your time in advance.

The questions I have are about the following topics...


1. Anti-Spoofing Attack Protection
2. Scanning Threat Detection - Auto Shun
3. NTP Sync Verification
4. QoS implementation
5. IOS and ASDM Backup


First, here is the result of the sh ver command (hardware mac addresses removed)...

Cisco PIX Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)

Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "flash:/pix802.bin"
Config file at boot was "startup-config"

pixfirewall up 1 hour 24 mins

Hardware:   PIX-525, 384 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash E28F400B5T @ 0xfffd8000, 32KB

Encryption hardware device : VAC (IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5)
  0: Ext: Ethernet0           : address is ****.****.****, irq 10
  1: Ext: Ethernet1           : address is ****.****.****, irq 11
  2: Ext: Ethernet2           : address is ****.****.****, irq 11
  3: Ext: Ethernet3           : address is ****.****.****, irq 10
  4: Ext: Ethernet4           : address is ****.****.****, irq 9
  5: Ext: Ethernet5           : address is ****.****.****, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : 10
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Cut-through Proxy            : Enabled
Guards                       : Enabled
URL Filtering                : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : Unlimited


And here is my current config (IP address info removed)...


PIX Version 8.0(2)
!
hostname ***********
enable password *********** encrypted
names
!
interface Ethernet0
  nameif outside
  security-level 0
  ip address xxx.xxx.xxx.153 255.255.255.248
  ospf cost 10
!
interface Ethernet1
  nameif inside1
  security-level 100
  ip address 192.168.0.1 255.255.255.0
  ospf cost 10
!
interface Ethernet2
  nameif inside2
  security-level 90
  ip address 192.168.1.1 255.255.255.0
  ospf cost 10
!
interface Ethernet3
  nameif inside3
  security-level 80
  ip address 192.168.2.1 255.255.255.0
  ospf cost 10
!
interface Ethernet4
  nameif inside4
  security-level 70
  ip address 192.168.3.1 255.255.255.0
  ospf cost 10
!
interface Ethernet5
  nameif inside5
  security-level 50
  ip address 192.168.4.1 255.255.255.0
!
passwd ********** encrypted
!
time-range IPBlocked
absolute end 01:12 28 October 2010
periodic daily 0:00 to 23:59
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq 4100 log
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 3389
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq smtp
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq www
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq https
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq pop3
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq ftp
access-list 101 extended permit ip any host xxx.xxx.xxx.155
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq 5000
access-list 101 extended permit gre any host xxx.xxx.xxx.153
access-list 101 extended permit tcp any host xxx.xxx.xxx.153 eq pptp
access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 7707
access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 7708
access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 7717
access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 28852
access-list 101 extended permit udp any host xxx.xxx.xxx.154 eq 20560
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 20560
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 8075
access-list 101 extended permit tcp any host xxx.xxx.xxx.154 eq 28852
access-list 301 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 301 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside1 1500
mtu inside2 1500
mtu inside3 1500
mtu inside4 1500
mtu inside5 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 xxx.xxx.xxx.154
global (outside) 3 xxx.xxx.xxx.155
global (outside) 4 xxx.xxx.xxx.156
global (outside) 5 xxx.xxx.xxx.157
nat (inside1) 0 access-list 301
nat (inside1) 1 192.168.0.0 255.255.255.0
nat (inside2) 2 192.168.1.0 255.255.255.0
nat (inside3) 3 192.168.2.0 255.255.255.0
nat (inside4) 4 192.168.3.0 255.255.255.0
nat (inside5) 5 192.168.4.0 255.255.255.0
static (inside2,outside) tcp xxx.xxx.xxx.154 ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside1,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255
static (inside2,outside) tcp xxx.xxx.xxx.154 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside1,outside) tcp interface 5000 192.168.0.22 5000 netmask 255.255.255.255
static (inside1,outside) tcp interface www 192.168.0.2 www netmask 255.255.255.255
static (inside1,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255
static (inside1,outside) tcp interface pop3 192.168.0.2 pop3 netmask 255.255.255.255
static (inside1,outside) tcp interface pptp 192.168.0.2 pptp netmask 255.255.255.255
static (inside1,outside) tcp interface 4100 192.168.0.2 4100 netmask 255.255.255.255
static (inside2,outside) udp xxx.xxx.xxx.154 7708 192.168.1.2 7708 netmask 255.255.255.255
static (inside2,outside) udp xxx.xxx.xxx.154 7707 192.168.1.2 7707 netmask 255.255.255.255
static (inside2,outside) udp xxx.xxx.xxx.154 7717 192.168.1.2 7717 netmask 255.255.255.255
static (inside2,outside) udp xxx.xxx.xxx.154 28852 192.168.1.2 28852 netmask 255.255.255.255
static (inside2,outside) udp xxx.xxx.xxx.154 20560 192.168.1.2 20560 netmask 255.255.255.255
static (inside2,outside) tcp xxx.xxx.xxx.154 20560 192.168.1.2 20560 netmask 255.255.255.255
static (inside2,outside) tcp xxx.xxx.xxx.154 8075 192.168.1.2 8075 netmask 255.255.255.255
static (inside2,outside) tcp xxx.xxx.xxx.154 28852 192.168.1.2 28852 netmask 255.255.255.255
static (inside3,outside) xxx.xxx.xxx.155 192.168.2.2 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.158 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside1
ssh timeout 30
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx
!
dhcpd address 192.168.3.10-192.168.3.254 inside4
dhcpd enable inside4
!
dhcpd address 192.168.4.10-192.168.4.20 inside5
dhcpd enable inside5
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
!
class-map inspection_default
  match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
  parameters
   message-length maximum 512
policy-map global_policy
  class inspection_default
   inspect dns preset_dns_map
   inspect ftp
   inspect h323 h225
   inspect h323 ras
   inspect rsh
   inspect rtsp
   inspect sqlnet
   inspect skinny 
   inspect sunrpc
   inspect xdmcp
   inspect sip 
   inspect netbios
   inspect tftp
   inspect pptp
!
service-policy global_policy global
ntp server 207.46.197.32 source outside prefer
prompt hostname context
Cryptochecksum:15ea9cfe061ea55d7123b408e07a017e
: end
asdm image flash:/asdm-602.bin
no asdm history enable

First Question: Anti-Spoofing Attack Protection

I saw this option in ASDM under: Configuration --> Firewall --> Advanced --> Anti-Spoofing

This option is currently DISABLED for all interfaces.

I know what IP address spoofing is, but what is the functionality of these options specifically? How does it work, and should I enable it, and for which interfaces?

Second Question: Scanning Threat Detection - Auto Shun

I found this option in ASDM under: Configuration --> Firewall --> Threat Detection

Enable Basic Threat Detection and Enable Scanning Threat Detection are both currently ENABLED, but Shun Hosts detected by scanning threat is currently DISABLED. Also, the Networks Excluded from Shun field is empty.

I know what the shun command does. I have used it many times when I have been fortunate enough to catch some piece of crap trying to spam my mail server or gain access to it.

What I am asking specifically is: how does the Auto Shun work? Should I enable it, and what are the potential consequences? Also, what exactly is a scanning attack?

I posted a question a few days ago about automating the shun command to try to curb some of the attempts to compromise my systems. If you are interested and/or have something to add, you can view it here...

https://supportforums.cisco.com/message/3309568#3309568

Third Question: NTP Sync Verification


How can I verify that the PIX is properly synced with the NTP server?

The NTP server currently configured is as follows...

ntp server 207.46.197.32 source outside prefer

This IP is for time.windows.com which I have had problems with in the past.

Is there another NTP server I should use instead?

Fourth Question: QoS Implementation

One of the problems I currently have is that the users on interface inside5 are routinely using the maximum internet bandwidth available. This obviously causes problems with applications like the mail server on inside1 and the game server on inside2.

I have read the following documentation ad nauseam...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

I am not familiar enough with the PIX and with the topics discussed in the document to successfully apply the info within. Plus, I'm not sure it covers the kind of basic, all-inclusive bandwidth cap I would like to put in place.

The goal is to cap the maximum internet (outside) bandwidth that inside5 can use to a reasonable percentage while allowing the other interfaces to have the remainder.

Questions...

1. How would I go about this implementation?
2. Is there a way to allow inside1 - inside4 to use max bandwidth when there is no traffic on inside5?

I apologize for my ignorance and lack of full understanding. I have attempted to be as specific as I can given my lack of expertise in this area.

Last Question (thanks for staying with me this long): IOS and ASDM Backup

I am probably, at least, the third owner of this device and I do not have an account with Cisco, nor can my tiny (perhaps non-existent given the current economic state) IT budget afford any form of support or software licensing with them.

My goal is to backup the IOS and ASDM data in the event that I have to replace the device due to a hardware failure.

I found a file transfer function within ASDM which allowed me to copy the files pix802.bin, asdm-602.bin and tfp from flash to my desktop computer. I also have a copy of the activation key info and my current configuration.

My questions are...

1. Have I backed up all the data/info I would need to restore this software and ASDM to another unit?
2. The activation key screen also has a serial number field. Is this the hardware serial number or is it for the software? And is it tied to this device specifically, or can I use it to restore another unit if necessary?
3. Is there anything else I should do or be aware of regarding backup and restore for the PIX?
4. What is the tfp file?


Again, I apologize for the length of this post and would greatly appreciate any information you guys have regarding my questions.

Thanks,

Chris

1 Reply

Shrikant Sundaresh
Cisco Employee

Hi Chris,

Following are the answers to your questions, to the best of my knowledge:

1. Anti-spoofing basically works by checking that the route to the source IP of a unicast packet is off the same interface where the packet is seen.

You can enable it for interfaces which are not trusted. (ex: outside)

2. A scanning attack is when an external ip is trying to scan all ports for available services, or all ip addresses for active devices, or something of that sort.

Once such an external ip is detected, it can be automatically shunned for a specified period of time.

3. You can manually change the clock time on PIX to something else, and see if it synchronizes soon or not. That should verify that NTP is working.

Though I don't have any NTP server recommendations for you.

4. Following is a link to configure traffic shaping:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/qos.html#wp1065257

This should help in configuring a bandwidth cap on inside5.

Alternately, you could just prioritize traffic for inside1-4, and thus inside5 will have lesser priority than the others.

5. To backup you would need the images and the config file, which you have done.

Unfortunately, the license/activation-key is mapped to the serial number, which is a h/w serial number. Thus the replacement device would need a different license/activation-key.

I am not sure as to what the "tfp" file is though.

Hope this helps.
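The following config fragment is added here as an illustration; it is not part of Shrikant's reply or of Cisco's documentation. It puts answers 1, 2 and 4 into PIX 8.0 CLI form against the interfaces and subnets in Chris's posted config, and lists the show commands for checking answers 1 through 4 afterwards. The class-map/policy-map names and the policing rates are assumed placeholders, and it uses policing (a hard per-interface cap) rather than the traffic shaping the linked document describes.

```text
! --- 1. Anti-spoofing (unicast reverse path check) on the untrusted interface.
! A packet arriving on "outside" is dropped if the route back to its source
! address points out a different interface. With this config, that catches
! packets arriving from the internet with a 192.168.x.x source, since those
! networks are routed via inside1-inside5. Enable it only where routing is
! symmetric, which is why it is applied to "outside" alone here.
ip verify reverse-path interface outside
!
! --- 2. Scanning-threat auto shun, building on the two threat-detection
! lines already in the running config. The "except" clause keeps the
! management subnet (the one permitted for ssh/http) from ever being shunned
! if a host on it misbehaves or is misclassified.
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.255.0
!
! --- 4. Hard bandwidth cap for inside5, policed on inside5's own interface so
! NAT on the outside interface does not affect the match. "input" is traffic
! entering from inside5 hosts (uploads); "output" is traffic leaving toward
! them (downloads). Rates are bits/s, bursts are bytes. The numbers below are
! assumed placeholders; size them as a fraction of the real uplink.
class-map inside5_all
 match any
policy-map inside5_policy
 class inside5_all
  police input 512000 16000 conform-action transmit exceed-action drop
  police output 1024000 32000 conform-action transmit exceed-action drop
service-policy inside5_policy interface inside5
!
! --- Checks after applying (privileged exec mode, not config mode):
! show asp drop                          rpf-violated counter rises as step 1 drops spoofed sources
! show threat-detection shun             hosts currently auto-shunned by step 2
! show ntp status                        expect "Clock is synchronized"
! show ntp associations                  a '*' marks the peer actually used (answer 3)
! show service-policy interface inside5  conformed/exceeded byte counters for step 4
```

A policer stays a fixed cap even when inside1-inside4 are idle, so it does not give the "use the spare bandwidth when inside5 is quiet" behaviour asked about in the fourth question; that needs shaping with priority queuing on the outside interface, which is what the linked QoS document covers.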
