01-23-2004 11:11 AM - edited 02-20-2020 11:12 PM
So I am configuring my PIX 506E through PDM and am having problems getting the rules to work properly.
What I really need is an example config of how it should look, blocking inbound ports and some outbound ports. I have tried many variations and have yet to nail the config. RTFM, done it, and it seems that the manual and the actual way it works are different.
Chances are that I am just missing something.
Any help on this is much appreciated.
01-23-2004 05:18 PM
Hi,
You need to be specific about what you are looking for. There is a lot of stuff, in fact the entire config, that can be done with PDM. Basically the online guide is the only one available.
Let us know what rules you are saying you are having problems with.
Thanks
Nadeem
01-26-2004 09:24 AM
Okay, sorry for not being more specific. I am setting the PIX up in a test lab, for the time being. Eventually it will be deployed to the Corp. network but we have testing to do first.
The test: set up the firewall to allow normal connections out (HTTP, FTP, PC-Anywhere, etc.) and restrict access back in. After that I have to start blocking streaming media in; my web guys are going to try to hack it so they can get the media past most firewalls (our company lives off streaming media purchased by other companies, and we have problems every now and then with their firewalls, thus the test).
After these tests, the PIX will serve as our company firewall with normal access to mail and what not (web-etc...)
I read through the manual and it seems I have everything set up right, but it fails my tests (i.e., I tested blocking outbound HTTP port 80), yet the web traffic still gets through.
192.168.2.0 (inside PIX) --> 10.0.2.0 (corporate net) --> I-net.
01-26-2004 11:46 AM
Hi,
Could you please post the config of the PIX and specify what is not working? Please remove the passwords and public IP addresses.
Please specify the protocols (tcp/udp/ports) that you need to allow.
Thanks!!
01-26-2004 12:21 PM
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname xxxxxx
domain-name xxxx.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.0.2.13 xxxxx
name 10.0.2.1 ExternalGateway
object-group service allftp tcp
description this covers ftp and ftp-data ports.
port-object eq ftp
port-object eq ftp-data
access-list outside_access_in remark ICMP Allow.
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
access-list inside_access_in deny tcp 192.168.2.0 255.255.255.0 eq www any eq www
access-list inside_access_in permit ip any any
access-list inside_access_in remark AOL IM Allow
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.0.2.42 255.255.255.0
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.2.42 255.255.255.255 inside
pdm location 10.0.2.113 255.255.255.255 outside
pdm location 10.0.2.105 255.255.255.255 outside
pdm location 10.0.2.5 255.255.255.255 outside
pdm location xxxxxxxxxx 255.255.255.255 outside
pdm location ExternalGateway 255.255.255.255 outside
pdm location 192.168.2.34 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 99 192.168.2.2-192.168.2.254 netmask 255.255.255.0
global (inside) 1 10.0.2.42
nat (inside) 0 192.168.2.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 ExternalGateway 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.2.5 255.255.255.255 outside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside 10.0.2.5 /tftp/ppgc-nh
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxx
: end
[OK]
Okay, so this is weird. I looked through this config and I have rules there that are long gone... PDM doesn't show the AOL IM rule anymore...
See attached screen shot of PDM.
Note that I am simply trying to test how rules are set up so I can make my final config. I have tried several different variations of this but my interpretations of the manual say it is supposed to look like this:
01-26-2004 12:26 PM
Attached screen.
01-27-2004 12:00 AM
Hi,
If something is in the config that is no longer visible in the PDM, then I would recommend resetting the config. If you make changes to the configuration, I would strongly recommend that you use only the PDM or only the command line interface. Do not mix the PDM and the CLI. Some things you enter using the CLI may not be interpreted correctly by the PDM.
To reset the config:
write erase
reload
Please connect a console cable after doing this. The pix will start the configuration wizard after the commands above.
Kind Regards,
Tom
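The posted config explains why the outbound HTTP test passes traffic. The line `access-list inside_access_in deny tcp 192.168.2.0 255.255.255.0 eq www any eq www` carries two `eq www` operators: in PIX 6.3 ACL syntax the first one follows the source address and therefore matches the *source* port, so the entry only fires when an inside host connects *from* port 80 *to* port 80. A browser uses an ephemeral source port, falls through to `permit ip any any`, and gets out. The entry that blocks outbound web traffic is `deny tcp 192.168.2.0 255.255.255.0 any eq www`, with the port operator only on the destination side. The script below is an added example written for this thread, not code from the original posts or from Cisco; it parses the subset of PIX 6.3 `access-list` syntax used in the posted config, evaluates a flow against an ACL with first-match semantics and the implicit deny at the end, and shows the posted rule beside the corrected one. The inside host 192.168.2.34 and the server 10.0.2.13 are addresses that appear in the posted config; the source port 3201 is a constructed sample value.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known service names that PIX 6.3 accepts in place of port numbers (subset).
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "ftp-data": 20,
              "smtp": 25, "telnet": 23, "ssh": 22, "domain": 53}


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[int]             # source-port restriction, None if absent
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # destination-port restriction, None if absent


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one 'access-list <name> permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]'
    line. Returns None for 'remark' lines. Source and destination are 'any',
    'host <ip>' or '<ip> <netmask>' (PIX uses netmasks, not wildcard masks)."""
    toks = line.split()
    if toks[:1] != ["access-list"] or toks[2] == "remark":
        return None
    action, proto = toks[2], toks[3]
    rest = toks[4:]

    def take_addr() -> ipaddress.IPv4Network:
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ipaddress.IPv4Network("0.0.0.0/0")
        if rest[0] == "host":
            net = ipaddress.IPv4Network(rest[1] + "/32")
            rest = rest[2:]
            return net
        net = ipaddress.IPv4Network(rest[0] + "/" + rest[1], strict=False)
        rest = rest[2:]
        return net

    def take_port() -> Optional[int]:
        nonlocal rest
        if rest and rest[0] == "eq":
            port = _port(rest[1])
            rest = rest[2:]
            return port
        return None

    src = take_addr()
    sport = take_port()        # an 'eq' right after the SOURCE matches the source port
    dst = take_addr()
    dport = take_port()        # an 'eq' right after the DESTINATION matches the destination port
    return Ace(action, proto, src, sport, dst, dport)


def matches(ace: Ace, proto: str, src_ip: str, sport: int, dst_ip: str, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.IPv4Address(src_ip) not in ace.src:
        return False
    if ipaddress.IPv4Address(dst_ip) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != sport:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True


def evaluate(acl: List[str], proto: str, src_ip: str, sport: int, dst_ip: str, dport: int) -> str:
    """First matching entry wins; an ACL that matches nothing denies (implicit deny)."""
    for line in acl:
        ace = parse_ace(line)
        if ace is not None and matches(ace, proto, src_ip, sport, dst_ip, dport):
            return ace.action
    return "deny"


# The inside ACL exactly as posted: 'eq www' on the source side too.
POSTED_INSIDE_ACL = [
    "access-list inside_access_in deny tcp 192.168.2.0 255.255.255.0 eq www any eq www",
    "access-list inside_access_in permit ip any any",
    "access-list inside_access_in remark AOL IM Allow",
]

# Corrected entry: the port operator only on the destination side.
FIXED_INSIDE_ACL = [
    "access-list inside_access_in deny tcp 192.168.2.0 255.255.255.0 any eq www",
    "access-list inside_access_in permit ip any any",
]


def browser_flow(acl: List[str]) -> str:
    # Constructed sample: inside host 192.168.2.34 browsing to 10.0.2.13:80 from ephemeral port 3201.
    return evaluate(acl, "tcp", "192.168.2.34", 3201, "10.0.2.13", 80)


if __name__ == "__main__":
    print("posted ACL, browser to port 80:", browser_flow(POSTED_INSIDE_ACL))
    print("fixed ACL,  browser to port 80:", browser_flow(FIXED_INSIDE_ACL))
```

Whichever form is used, enter the rule through either PDM or the CLI and stay with that one tool, as the reply above recommends. The example only addresses the ACL syntax; it says nothing about the other points a reviewer would raise on the posted config, such as `snmp-server community public`, or `http` and `tftp-server` access configured on the outside interface.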