Configuring PIX for public IP addresses, internal and external

Answered Question

Hello,


Just received new subnet(s) for the network(s) behind the firewall. The addresses are public addresses.


Therefore, after entering the information for each respective internal interface, the internal network stopped communicating with the internet.


Because of network privacy, this time I will not be able to reveal network addresses. Can you take a look at why the internal network is not able to go out to the internet? Again, these are public addresses; they do not need to be NATed.



PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password DAyT8Zy5o1YlaDcM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lvfw
domain-name lv.psu.edu
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network administrative-servers
  network-object host X.X.X.X
  network-object host X.X.X.X
  network-object host X.X.X.X
 
access-list extended permit ip any any
access-list extended permit icmp any any
access-list extended permit ip any object-group administrative-servers
access-list extended permit ip object-group administrative-servers any
access-list outside permit icmp any any
access-list outside permit tcp any any eq domain
access-list inside permit tcp any any eq www
access-list outside permit udp any any eq domain
access-list outside permit tcp any any eq 3389
access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.128
pager lines 24
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside C.D.E.F 255.255.255.248
ip address inside H.I.J.M 255.255.255.192
ip address intf2 A.B.C.D 255.255.255.128
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) A.B.C.D A.B.C.D netmask 255.255.255.128 0 0

static (inside,outside) H.I.J.M H.I.J.M netmask 255.255.255.192 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 T.O.P.Q 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http A.B.C.D 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
lvfw#

Jennifer Halim Mon, 04/12/2010 - 15:40

Traffic from outside to your internal network should have been blocked by default, unless you configure access-list to allow the inbound traffic. Traffic from low to high security level is not allowed by default.

In your case, access-list "outside" is applied on the outside interface, and if you need specific access to the internal network, you have to configure the access-list to allow that traffic in.


Hope that helps.

Do you think any of these rules are allowing traffic to pass through?


I'm not sure if these rules are allowing traffic other than corporate traffic to pass:


1) access-list extended permit ip any any
2) access-list extended permit icmp any any

3) access-list outside permit icmp any any

These rules were created to access internet, and remote desktop connectivity:


1) access-list outside permit tcp any any eq domain
2) access-list inside permit tcp any any eq www
3) access-list outside permit udp any any eq domain
4) access-list outside permit tcp any any eq 3389

These rules were created to allow corporate network access:


1) access-list extended permit ip any object-group administrative-servers
2) access-list extended permit ip object-group administrative-servers any

3) access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.128

Kureli Sankar Mon, 04/12/2010 - 18:16

The only acl that is applied to the interface is called outside and it is applied to the outside interface.


access-list outside permit icmp any any
access-list outside permit tcp any any eq domain
access-list outside permit udp any any eq domain
access-list outside permit tcp any any eq 3389
access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.128


access-group outside in interface outside


Whatever this acl is allowing is being allowed to come from the outside towards the inside.


-KS

OK,


Can you help me to limit some traffic between the firewall and the rest of the corporate network?

And, as far as internet traffic goes, I believe the firewall is doing a good job.


My concern is that something is allowing too many non-corporate networks to get inside the firewall-protected area.


Could you illustrate how to accomplish this goal?


Thanks

Kureli Sankar Mon, 04/12/2010 - 18:26

This one acl is pretty wide open:


access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.128


You are allowing all the hosts in the administrative-servers group to access the entire A.B.C.D/25 network.


Try to restrict that by only allowing what you need. Maybe just certain tcp ports and not all IP traffic like you have.


-KS

Correct Answer
Kureli Sankar Mon, 04/12/2010 - 18:41

Remove this line


access-list outside permit icmp any any


conf t

no access-list outside permit icmp any any


then no one from the outside can ping devices on the inside. Enable "fixup protocol icmp" so when the inside hosts ping, the replies will be allowed to come back in.


here is how to add fixup icmp

conf t

fixup protocol icmp


-KS

Correct Answer
Kureli Sankar Mon, 04/12/2010 - 19:06

No problem. We are here to help. Pls. rate the posts that helped you understand/learn/solve.


There is no way you can stop people from sending malicious traffic towards your firewall.  All you can do is protect your firewall by restricting access-list like you have already done and restrict management access like telnet/ssh/pdm to the firewall.


These kinds of attacks can be mitigated by IDS/IPS devices.


-KS

Correct Answer
Kureli Sankar Mon, 04/12/2010 - 19:28

Correct.


Fixup protocol will automatically allow (without having to allow permission on the outside acl) permission and translation for responses coming from the outside via a brand new connection relating to the connection that was initiated from the inside.


-KS

Could you take one final look at the config file? I still have to fix the open ports from external corporate networks. But, other than that, can you critique anything that looks wrong?



lvfw(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password DAyT8Zy5o1YlaDcM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lvfw
domain-name lv.psu.edu
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network administrative-servers
  network-object host X.X.X.X
  network-object host X.X.X.X
  network-object host X.X.X.X

access-list extended permit ip any any
access-list extended permit ip any object-group administrative-servers
access-list extended permit ip object-group administrative-servers any
access-list outside permit tcp any any eq domain
access-list outside permit tcp any any eq www
access-list outside permit udp any any eq domain
access-list outside permit tcp any any eq 3389
access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.192
access-list outside permit ip object-group administrative-servers E.F.G.H 255.255.255.128
access-list outside permit icmp object-group administrative-servers any
pager lines 24
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside X.X.X.X 255.255.255.248
ip address inside A.B.C.D 255.255.255.192
ip address intf2 E.F.G.H 255.255.255.128
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) A.B.C.D A.B.C.D netmask 255.255.255.192 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http A.B.C.D 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Correct Answer
Kureli Sankar Mon, 04/12/2010 - 19:45

Looks good from what I can tell. Maybe you can restrict it a little further.


fixup protocol http 80


You may want to remove that. Internet access might get a little faster.


To remove it you can do

conf t

no fixup protocol http 80


When you issue "sh access-l outside" do you show hit counts on these acls? If you do not show any hit counts you can remove them.


access-list outside permit tcp any any eq domain  ----> you can remove this as DNS uses udp 53
access-list outside permit tcp any any eq www ----> instead of any as the destination you can specify whichever host is your webserver.
access-list outside permit udp any any eq domain
access-list outside permit tcp any any eq 3389  ----> instead of any as the destination you can specify whichever host is your RDC server.
access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.192 ---> if you want to allow IP traffic to one host you can change the mask to 255.255.255.255 instead of the entire network.
access-list outside permit ip object-group administrative-servers E.F.G.H 255.255.255.128  ---> if you want to allow IP traffic to one host you can change the mask to 255.255.255.255 instead of the entire network.
access-list outside permit icmp object-group administrative-servers any



-KS

Hello,


We run an active directory network. Behind the firewall, we have a windows server currently replicating files to other corporate network servers.


If I remove this line, does it affect internet navigation? There are no webservers behind the firewall.

fixup protocol http 80




After running this command "sh access-l outside" there were a few hit counts in some of the networks (administrative-servers).


Does it affect Active Directory Replication and MIT Kerberos authentication?


1) access-list outside permit tcp any any eq domain  ----> you can remove this as DNS uses udp 53

2) access-list outside permit udp any any eq domain
3) access-list outside permit tcp any any eq 3389  ----> instead of any as the destination you can specify whichever host is your RDC server.
4) access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.192 ---> if you want to allow IP traffic to one host you can change the mask to 255.255.255.255 instead of the entire network.
5) access-list outside permit ip object-group administrative-servers E.F.G.H 255.255.255.128  ---> if you want to allow IP traffic to one host you can change the mask to 255.255.255.255 instead of the entire network.
6) access-list outside permit icmp object-group administrative-servers any


If we do not have a webserver behind the firewall, do I need this line?
1) access-list outside permit tcp any any eq www ----> instead of any as the destination you can specify whichever host is your webserver.

Correct Answer
Kureli Sankar Mon, 04/12/2010 - 20:13

If I remove this line, does it affect internet navigation? There are no webservers behind the firewall.

fixup protocol http 80


[KS] No, removing that line does not affect internet access. That will flow fine. fixup protocol http does extra checks on http traffic.


If we do not have a webserver behind the firewall, do I need this line?
1) access-list outside permit tcp any any eq www ----> instead of any as the destination you can specify whichever host is your webserver.


[KS] If you don't have a web server on the inside, you can remove this line.


access-list outside permit tcp any any eq domain  ----> you can remove this as DNS uses udp 53


[KS] If you have active directory servers that are running DNS and doing zone transfers then you may need the above line.


-KS

Standard Access-List:


In a standard ACL, filtering is based on source IP address, whereas in an extended ACL, filtering is based on source IP address, destination IP address, protocol type, source port number and destination port number.


Based on this information, after a standard ACL is created (access-list permit source destination), the communication will flow back and forth. Then, if I understand correctly, I don't have to create another access-list permit destination source.


Using one of my rules as an example: access-list outside permit icmp object-group administrative-servers any

This rule shows communication permitted from the outside (firewall interface) to the remote host.


But, this rule does not say if it trusts the other way around (remote host to outside (firewall interface)).


With some other firewall brands one needs to create an outgoing rule and an incoming rule.



Extended Access-List:


Extended ACL is basically used to block particular services like telnet, ftp, tftp, ICMP echo, etc.
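Added example (not from this thread or from Cisco): a small Python model of the PIX behaviour the replies describe, covering both the tightening advice in the 19:45 post and the "does the rule trust the other way around" question above. It shows the connection table letting replies to inside-initiated connections back in with no outside ACL entry (what fixup/inspection does for ICMP), the low-to-high default deny, and the effect of narrowing "permit tcp any any eq 3389" to one host. All hosts, the object-group members and the RDC server 203.0.113.5 are constructed stand-ins for the thread's placeholders; NAT and the interface-bound "icmp permit" lines are not modelled.

```python
import ipaddress
from collections import namedtuple

# Constructed stand-ins for the thread's X.X.X.X placeholders.
GROUPS = {"administrative-servers": ["198.51.100.10", "198.51.100.11"]}
Flow = namedtuple("Flow", "proto src dst dport sport", defaults=(0, 0))

def _addr(tok, i):
    """Consume one PIX address spec at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return [ipaddress.ip_network(h) for h in GROUPS[tok[i + 1]]], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2   # net + mask

def parse_acl(lines):
    """Parse 'access-list NAME permit PROTO SRC DST [eq PORT]' (PIX 6.3 syntax)."""
    rules = []
    for line in lines:
        tok = line.split()                      # tok[3] is the protocol
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = {"www": 80, "domain": 53}.get(tok[i + 1]) or int(tok[i + 1])
        rules.append((tok[3], src, dst, port))
    return rules

def _match(rule, f):
    proto, src, dst, port = rule
    a, b = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    return (proto in ("ip", f.proto) and any(a in n for n in src)
            and any(b in n for n in dst) and port in (None, f.dport))

class Pix:
    """inside->outside passes by security level; outside->inside needs a conn-table
    entry (reply to an inside-initiated connection) or a permit in the outside ACL."""
    def __init__(self, acl_lines, icmp_inspect=False):
        self.acl, self.icmp_inspect, self.conns = parse_acl(acl_lines), icmp_inspect, set()
    def packet(self, iface, f):
        if iface == "inside":
            self.conns.add((f.proto, f.src, f.dst, f.dport))
            return "permit:security-level"
        if (f.proto, f.dst, f.src, f.sport) in self.conns and (f.proto != "icmp" or self.icmp_inspect):
            return "permit:conn-table"          # no outside ACL entry needed
        return "permit:acl" if any(_match(r, f) for r in self.acl) else "deny"

def run(acl_lines, icmp_inspect):
    """Replay the thread's cases with constructed hosts: pc inside, web/remote outside."""
    fw, pc, web, remote = Pix(acl_lines, icmp_inspect), "203.0.113.9", "192.0.2.80", "198.51.100.200"
    fw.packet("inside", Flow("tcp", pc, web, 80, 40000))     # browse out
    fw.packet("inside", Flow("icmp", pc, web))               # ping out
    return {"http_reply": fw.packet("outside", Flow("tcp", web, pc, 40000, 80)),
            "ping_reply": fw.packet("outside", Flow("icmp", web, pc)),
            "rdp_to_pc": fw.packet("outside", Flow("tcp", remote, pc, 3389, 5000)),
            "rdp_to_rdc": fw.packet("outside", Flow("tcp", remote, "203.0.113.5", 3389, 5000)),
            "ping_in": fw.packet("outside", Flow("icmp", remote, pc))}

# The thread's wide-open outside ACL lines versus the tightened form it recommends.
BEFORE = ["access-list outside permit icmp any any",
          "access-list outside permit tcp any any eq 3389"]
AFTER = ["access-list outside permit tcp any host 203.0.113.5 eq 3389"]
```

Compare run(BEFORE, False) with run(AFTER, True): the HTTP reply passes in both via the connection table, while inbound RDP to an arbitrary inside host and inbound ping go from permitted to denied, and the ping reply is still let back in by ICMP inspection.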
