03-13-2004 10:15 AM - edited 02-20-2020 11:17 PM
I'm currently doing a school project that involves the use of a PIX firewall between the ISP and the edge router of the network. The purpose is to make the network as secure as possible using only the PIX. Ideally, I'd like it if an attacker could not even see the PIX was there. This got me thinking about whether the PIX can act as a transparent firewall, that is, not have any IP addresses assigned to the interfaces nor do any routing, simply inspect/forward traffic between the inside/outside interface. Otherwise I am going to have to create a small /30 between the ISP and the PIX's outside, and the edge router and the PIX's inside and route between them.
If I have to do the latter, can you give me any advice on how to make the PIX more secure? Here is my config:
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x encrypted
passwd x encrypted
hostname pixfirewall
domain-name pix.local
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.255.255.252
ip address inside 10.0.0.5 255.255.255.252
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name AttackPolicy attack action alarm drop reset
ip audit name InfoPolicy info action alarm drop reset
ip audit interface outside InfoPolicy
ip audit interface outside AttackPolicy
ip audit interface inside InfoPolicy
ip audit interface inside AttackPolicy
ip audit signature 2000 disable
ip audit signature 2004 disable
no pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 5
terminal width 80
Any help is appreciated! Thanks!
Chris
Solved! Go to Solution.
03-14-2004 12:12 PM
The PIX can't currently act as a Layer 2 firewall, this functionality will be in the next major release of code due out later this year. For the moment you'll need a small subnet in between the ISP and the PIX.
If you don't want people to see the PIX then first thing is to make sure it doesn't respond to pings. Use the "icmp" command for that (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1026574). Make sure you allow ICMP unreachables to the outside interface though so Path MTU Discovery can work properly (http://www.cisco.com/warp/public/105/38.shtml#pmtud_fail).
Other than that it looks fine, pretty standard.
03-14-2004 12:12 PM
The PIX can't currently act as a Layer 2 firewall, this functionality will be in the next major release of code due out later this year. For the moment you'll need a small subnet in between the ISP and the PIX.
If you don't want people to see the PIX then first thing is to make sure it doesn't respond to pings. Use the "icmp" command for that (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1026574). Make sure you allow ICMP unreachables to the outside interface though so Path MTU Discovery can work properly (http://www.cisco.com/warp/public/105/38.shtml#pmtud_fail).
Other than that it looks fine, pretty standard.
03-29-2004 11:35 PM
Will the PIX NG software :) Require Vlan configuration for both ends or is it going to be a drop in transparent bridging type L2 ??
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide