basic PIX plan/help

Armegeden · ‎05-24-2008

Ok, so I posted before about the basic syntax. I'm trying to get the basic principle of what to do:

I have two WAN statics. One I've assigned to the outside interface of the firewall. The other I assume I don't actually assign to the LAN server, but instead I forward traffic en-route to this second WAN address *to* the LAN server? Is this correct?

So I assigned the outside interface of the PIX the first WAN address (I'll refer to it as 12.12.12.12)

My LAN server is 10.1.1.5.

So: Would a static entry look like this?

static (inside,outside) tcp 12.12.12.13 pop3 10.1.1.5 pop3 netmask 255.255.255.255 0 0

And would my access list look like this?

access-list if_outside permit tcp any host 12.12.12.13 eq pop3

Then I would apply it like this?

access-group if_outside in interface outside

If someone could please point me in the right direction or correct any misconceptions I have about the syntax.

Also, could someone elaborate on that "access-group" syntax?

access-group <pre-defined ACL> ?in? interface ?outside?

How should I think of the "in" and the "outside" ?

Thanks for any help

andrew.prince · ‎05-25-2008

Scott,

That is correct - the syntax looks 100%

as far as the access-group is concerend...

In - coming in to the interface

Out - going out of the interface

so you could have

access-group in interface inside - traffic coming into the inside interface from the LAN or

access-group in interface outside - traffic coming in to the outside interface from the internet or

access-group out interface outside - traffic going out of the outside interface onto the internet or

access-group out interface inside - traffic leaving the inside interface going out onto the LAN.

HTH.

Armegeden · ‎05-26-2008

Thanx Andrew,

This part particularly helped *tons*:

"access-group in interface inside - traffic coming into the inside interface from the LAN or

access-group in interface outside - traffic coming in to the outside interface from the internet or

access-group out interface outside - traffic going out of the outside interface onto the internet or

access-group out interface inside - traffic leaving the inside interface going out onto the LAN. "

Thinking of it like that makes it seem so much more clear.

If you, or anyone, has a free moment, please take a look at the attached config file. It is what I have done so far and I'm going to take it to the office and try it out. Right now my goal is to be able to plug in the WAN interface "0" so all workstations on the LAN can get out to the internet and do whatever (email, www, etc).

The VPN stuff is me playing around and learning. I've never set up VPN on a PIX and am just doing trial & errors. For right now, my main goal is to just implement the firewall, I'll worry about the VPN stuff later.

So if I plug this in, will it work?

Thanks!

andrew.prince · ‎05-27-2008

Scott,

I would double check your IP addressing:-

ip address outside 16.39.45.62 255.255.255.248

but you have an acl:-

access-list if_outside permit tcp any host 216.139.145.163 eq smtp

access-list if_outside permit tcp any host 216.139.145.163 eq www

access-list if_outside permit tcp any host 216.139.145.163 eq https

access-list if_outside permit tcp any host 216.139.145.163 eq pop3

access-list if_outside permit tcp any host 216.139.145.163 eq ssh

access-list if_outside permit tcp any host 216.139.145.163 eq 993

access-list if_outside permit udp any host 216.139.145.163 eq 993

access-list if_outside permit tcp any host 216.139.145.163 eq 3283

access-list if_outside permit tcp any host 216.139.145.163 eq 5900

access-list if_outside permit udp any host 216.139.145.163 eq 3283

access-list if_outside permit udp any host 216.139.145.163 eq 5900

and a static translation:-

static (inside,outside) 16.39.45.63 10.1.1.5 netmask 255.255.255.255 0 0

The IP's don't match. Other than that it's good to go - should work right off the bat.

Just to give you a little more info - your acl:-

access-list if_inside permit ip 10.1.1.0 255.255.255.0 any

is already covered - in the PIX another little nugget is traffic from a higher interface to a lower interface is automatically permittted - not need for an ACL! But it still helps to have the acl for troubleshooting!

HTH.

Armegeden · ‎05-27-2008

Hmm, all those IP changes were just me messing around. I didn't mean to post that version of the text. The real config had it set correctly.

So mission success. Successfully implemented the firewall today. Didn't work initially, but after checking, rechecking, and double rechecking my end, I called the ISP and it was an issue with them. A quick setting change and boom, all is well.

Thanks for your help, Andrew. Much appreciated. That "PIX nuggett" is interesting. I've never heard of the higher/lower interface rule. Care to elaborate what constitutes a higher or lower? Is that the "security0" vs "security100"?

Anyhow, I have two goals now:

Setting up VPN accounts.

And being able to telnet into the PIX from home, lol.

I'll make separate posts for these. Thanks again, Andrew.

andrew.prince · ‎05-27-2008

Yes - it's the security interface number - the higher the number the more trusted. So the inside has 100 as default - the outside has 0 as default. Anything on the inside will be allowed out - without any configuration. As the outside is 0 - you have to write a permit acl to allow traffic to the inside as it's higher.

Setting up VPN is quite easy - for a newbie like you I would suggest you do it thu the PDM.

Telnet access from home is dangerous - I suggest you use SSH for that if you must. create a crypto key and then allow access:-

give the device a domain name:- domain-name blah.com

Generate your key:- crypto key generate rsa modulus 1024

wait until your key is generated then allow access:- ssh 0.0.0.0 outside

HTH.

andrew.prince · ‎05-28-2008

Have a look here for some really good config guides:-

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

HTH.