configuring pix for public ip address internal and external

par13
Level 1

Hello,

Just received new subnet(s) for the network(s) behind the firewall. The addresses are public addresses.

Therefore, after entering the information for each respective internal interface, the internal network stopped communicating with the internet.

Because of network privacy, this time I will not be able to reveal network addresses. Can you take a look at why the internal network is not able to go out to the internet? Again, these are public addresses; they do not need to be NATed.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password DAyT8Zy5o1YlaDcM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lvfw
domain-name lv.psu.edu
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network administrative-servers
  network-object host X.X.X.X
  network-object host X.X.X.X
  network-object host X.X.X.X
 
access-list extended permit ip any any
access-list extended permit icmp any any
access-list extended permit ip any object-group administrative-servers
access-list extended permit ip object-group administrative-servers any
access-list outside permit icmp any any
access-list outside permit tcp any any eq domain
access-list inside permit tcp any any eq www
access-list outside permit udp any any eq domain
access-list outside permit tcp any any eq 3389
access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.128
pager lines 24
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside C.D.E.F 255.255.255.248
ip address inside H.I.J.M 255.255.255.192
ip address intf2 A.B.C.D 255.255.255.128
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) A.B.C.D A.B.C.D netmask 255.255.255.128 0 0

static (inside,outside) H.I.J.M H.I.J.M netmask 255.255.255.192 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 T.O.P.Q 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http A.B.C.D 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
lvfw#

Accepted Solution

If I remove this line, does it affect internet navigation? there are no webservers behind the firewall.

fixup protocol http 80

[KS]No removing that line does not affect internet access. That will flow fine. fixup protocol http does extra checks on http traffic.

If we do not have a webserver behind the firewall, do I need this line?
1) access-list outside permit tcp any any eq www ----> instead of any as the destination you can specify which ever host is your webserver.

[KS]If you don't have a web server on the inside, you can remove this line.

access-list outside permit tcp any any eq domain  ----> you can remove this as DNS uses udp 53

[KS]If you have active directory servers that are running DNS and doing zone transfers then you may need the above line.

-KS


17 Replies

par13
Level 1

Great News!

I got it to work by using static (in,out)

Now, how do I block internet users from getting into my network. I want to limit access just to corporate network.

In other words, going out should not have any blocks. But, access to internal network should be limited to corporate network

Thanks

Traffic from outside to your internal network should have been blocked by default, unless you configure an access-list to allow the inbound traffic. Traffic from a low to a high security level is not allowed by default.

In your case, access-list "outside" is applied on the outside interface, and if you would need specific access to the internal network, you would have to configure the access-list to allow those traffic in.

Hope that helps.

Do you think any of these rules are allowing traffic to pass through?

I'm not sure if these rules are allowing traffic other than corporate traffic to pass:

1) access-list extended permit ip any any
2) access-list extended permit icmp any any

3) access-list outside permit icmp any any

These rules were created to access internet, and remote desktop connectivity:

1) access-list outside permit tcp any any eq domain
2) access-list inside permit tcp any any eq www
3) access-list outside permit udp any any eq domain
4) access-list outside permit tcp any any eq 3389

These rules were created to allow corporate network access:

1) access-list extended permit ip any object-group administrative-servers
2) access-list extended permit ip object-group administrative-servers any

3) access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.128

The only acl that is applied to the interface is called outside and it is applied to the outside interface.

access-list outside permit icmp any any
access-list outside permit tcp any any eq domain
access-list outside permit udp any any eq domain
access-list outside permit tcp any any eq 3389
access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.128

access-group outside in interface outside

Whatever this ACL is allowing is being allowed to come from the outside towards the inside.

-KS

ok,

Can you help me limit some traffic between the firewall and the rest of the corporate network?

And, as far as internet traffic goes, I believe the firewall is doing a good job.

My concern is that something is allowing too many non-corporate networks to get inside the firewall-protected area.

Could you illustrate how to accomplish this goal?

Thanks

This one ACL is pretty wide open:

access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.128

You are allowing all the hosts in the administrative-servers group to access the entire A.B.C.D/25 network

Try to restrict that by only allowing what you need. Maybe just certain TCP ports and not all IP traffic like you have.

-KS

ok,

How do I stop non-corporate networks from being able to ping the internal subnets?

And, is there a way to stop non-corporate networks from trying to scan the internal subnets?

Do you have like an access-list example?

Remove this line

access-list outside permit icmp any any

conf t

no access-list outside permit icmp any any

Then no one from the outside can ping devices on the inside. Enable "fixup protocol icmp" so that when the inside hosts ping, the replies will be allowed to come back in.

Here is how to add fixup icmp:

conf t

fixup protocol icmp

-KS
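To make concrete what KS describes (inside-to-outside is permitted by security level; outside-to-inside is permitted only by the outside ACL or by a session that ICMP inspection opened for an inside host's echo request), here is a toy Python model. It is an added illustration, not PIX code and not from the thread; the host addresses, ICMP identifiers and the `ToyPix` class are constructed for the demo, and it ignores everything real ICMP inspection also tracks (sequence numbers, timeouts, ICMP error messages).

```python
"""Toy model of PIX ICMP handling with and without 'fixup protocol icmp'.

Added illustration only: the ToyPix class, hosts and ICMP ids below are
constructed for the demo and are not PIX code or the poster's configuration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: str   # "echo" or "echo-reply"
    icmp_id: int     # identifier that a reply must echo back unchanged


@dataclass
class ToyPix:
    # ACEs applied inbound on the outside interface: (proto, icmp_type or None for any type)
    outside_acl: list
    icmp_fixup: bool
    # (inside host, outside host, id) for echo requests still awaiting their reply
    pending: set = field(default_factory=set)

    def inside_to_outside(self, pkt):
        """security100 -> security0: permitted by default, no ACL needed."""
        if self.icmp_fixup and pkt.icmp_type == "echo":
            self.pending.add((pkt.src, pkt.dst, pkt.icmp_id))   # inspection opens a return slot
        return "forwarded"

    def outside_to_inside(self, pkt):
        """security0 -> security100: denied unless an ACE or an inspected session matches."""
        key = (pkt.dst, pkt.src, pkt.icmp_id)
        if pkt.icmp_type == "echo-reply" and key in self.pending:
            self.pending.discard(key)          # one reply per request, then the slot closes
            return "forwarded (matched inspected echo request)"
        for proto, icmp_type in self.outside_acl:
            if proto == "icmp" and icmp_type in (None, pkt.icmp_type):
                return "forwarded (outside ACL permit)"
        return "dropped (no ACL match, no session)"


INSIDE_HOST = "203.0.113.10"    # constructed: a host behind the PIX
INTERNET_HOST = "198.51.100.1"  # constructed: the host the inside user pings
ATTACKER = "198.51.100.99"      # constructed: an unsolicited scanner on the internet


def run_scenario(outside_acl, icmp_fixup):
    """Replay the events the thread is about and return what happened to each inbound packet."""
    pix = ToyPix(outside_acl=list(outside_acl), icmp_fixup=icmp_fixup)
    pix.inside_to_outside(IcmpPacket(INSIDE_HOST, INTERNET_HOST, "echo", 0x1234))
    return {
        # the legitimate reply to the inside host's own ping
        "reply_in": pix.outside_to_inside(IcmpPacket(INTERNET_HOST, INSIDE_HOST, "echo-reply", 0x1234)),
        # a scanner probing the inside host from the internet
        "unsolicited_echo_in": pix.outside_to_inside(IcmpPacket(ATTACKER, INSIDE_HOST, "echo", 0x0001)),
        # a second copy of the same reply, after the slot has been consumed
        "stale_reply_in": pix.outside_to_inside(IcmpPacket(INTERNET_HOST, INSIDE_HOST, "echo-reply", 0x1234)),
    }


if __name__ == "__main__":
    print("permit icmp any any  :", run_scenario([("icmp", None)], icmp_fixup=False))
    print("ACE removed, no fixup:", run_scenario([], icmp_fixup=False))
    print("ACE removed + fixup  :", run_scenario([], icmp_fixup=True))
```

Running it shows the three states the thread moves through: with `permit icmp any any` inbound, replies get in but so does any outside host's echo; with the ACE removed and no inspection, the inside host's own replies are dropped; with `fixup protocol icmp`, only the reply matching an outstanding request is let in, once. One caveat when comparing with the second config dump in this thread: it shows `fixup protocol icmp error`, which is a separate 6.3 option (inspection of ICMP error messages so they can be translated), not `fixup protocol icmp`, the echo/echo-reply inspection KS recommends.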

This last message did the job. However, can you give me an example of how to prevent someone from scanning internal computer(s) by hostnames and/or similar tactics?

Thanks for all your help. As you can see, PIX firewall is a new game for me.

No problem. We are here to help. Please rate the posts that helped you understand/learn/solve.

There is no way you can stop people from sending malicious traffic towards your firewall. All you can do is protect your firewall by restricting access-lists like you have already done and restrict management access like telnet/ssh/pdm to the firewall.

These kind of attacks can be mitigated by IDS/IPS devices.

-KS

Hi,

1) access-list and access-list extended serve different purposes.

2) Fixup protocol benefits the internal network more than the external network.

Correct.

Fixup protocol will automatically allow (without having to grant permission on the outside ACL) permission and translation for responses coming from the outside via a brand new connection relating to the connection that was initiated from the inside.

-KS

Could you take one final look at the config file? I still have to fix the open ports from external corporate networks. But, other than that, can you critique anything that looks wrong?


lvfw(config)# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password DAyT8Zy5o1YlaDcM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lvfw
domain-name lv.psu.edu
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network administrative-servers
  network-object host X.X.X.X
  network-object host X.X.X.X
  network-object host X.X.X.X

access-list extended permit ip any any
access-list extended permit ip any object-group administrative-servers
access-list extended permit ip object-group administrative-servers any
access-list outside permit tcp any any eq domain
access-list outside permit tcp any any eq www
access-list outside permit udp any any eq domain
access-list outside permit tcp any any eq 3389
access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.192
access-list outside permit ip object-group administrative-servers E.F.G.H 255.255.255.128
access-list outside permit icmp object-group administrative-servers any
pager lines 24
icmp permit any echo-reply outside
icmp permit any echo-reply inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside X.X.X.X 255.255.255.248
ip address inside A.B.C.D 255.255.255.192
ip address intf2 E.F.G.H 255.255.255.128
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) A.B.C.D A.B.C.D netmask 255.255.255.192 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http A.B.C.D 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Looks good from what I can tell. Maybe you can restrict it a little further.

fixup protocol http 80

You may want to remove that. Internet access might get a little faster.

to remove you can do

conf t

no fixup protocol http 80

When you issue "sh access-l outside", do you see hit counts on these ACLs? If you do not see any hit counts, you can remove them.

access-list outside permit tcp any any eq domain  ----> you can remove this as DNS uses udp 53
access-list outside permit tcp any any eq www ----> instead of any as the destination you can specify which ever host is your webserver.
access-list outside permit udp any any eq domain
access-list outside permit tcp any any eq 3389  ----> instead of any as the destination you can specify which ever host is your RDC server
access-list outside permit ip object-group administrative-servers A.B.C.D 255.255.255.192 ---> if you want to allow IP traffic to one host you can change the mask to 255.255.255.255 instead of the entire network.
access-list outside permit ip object-group administrative-servers E.F.G.H 255.255.255.128  ---> if you want to allow IP traffic to one host you can change the mask to 255.255.255.255 instead of the entire network.
access-list outside permit icmp object-group administrative-servers any

-KS
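As an added example, not from the thread, here is a small Python audit that automates two checks KS applies by eye above: which named access-lists are actually bound to an interface with `access-group` (earlier in the thread he points out that only `outside` is applied, so the `extended` list never takes effect), and which permits in the applied inbound list are broader than a host-and-port rule (any-to-any, a whole network as destination, or `ip` instead of a specific protocol). It parses only the PIX 6.3 syntax used in the thread, and the sample config is constructed: RFC 5737 documentation addresses stand in for the redacted A.B.C.D / E.F.G.H values.

```python
"""Audit PIX 6.3-style access-lists: which are applied, and how broad each permit is.

Added example, not from the thread. SAMPLE_CONFIG is constructed to mirror the
final config posted above, with documentation addresses in place of the
redacted ones; only the 6.3 syntax seen in the thread is parsed.
"""
import ipaddress

SAMPLE_CONFIG = """
object-group network administrative-servers
  network-object host 198.51.100.10
  network-object host 198.51.100.11
  network-object host 198.51.100.12
access-list extended permit ip any any
access-list extended permit ip any object-group administrative-servers
access-list extended permit ip object-group administrative-servers any
access-list outside permit tcp any any eq domain
access-list outside permit tcp any any eq www
access-list outside permit udp any any eq domain
access-list outside permit tcp any any eq 3389
access-list outside permit ip object-group administrative-servers 203.0.113.0 255.255.255.192
access-list outside permit ip object-group administrative-servers 203.0.113.128 255.255.255.128
access-list outside permit icmp object-group administrative-servers any
access-group outside in interface outside
"""


def _take_addr(toks):
    """Consume one address spec (any | host X | object-group G | NET MASK); return (spec, rest)."""
    if not toks:
        raise ValueError("truncated access-list entry")
    if toks[0] == "any":
        return ("any", None), toks[1:]
    if toks[0] == "host":
        return ("host", toks[1]), toks[2:]
    if toks[0] == "object-group":
        return ("group", toks[1]), toks[2:]
    # ipaddress accepts the dotted-mask form PIX prints
    return ("net", ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False)), toks[2:]


def parse_config(text):
    """Return (acls, groups, bindings) from the config lines we care about."""
    acls, groups, bindings = {}, {}, {}
    current_group = None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "object-group" and toks[1] == "network":
            current_group = toks[2]
            groups[current_group] = []
            continue
        if toks[0] == "network-object" and current_group and toks[1] == "host":
            groups[current_group].append(toks[2])   # only 'host' members in this sample
            continue
        current_group = None
        if toks[0] == "access-list":
            # PIX 6.3: the second token is the ACL *name*, even when it is literally "extended"
            name, action, proto = toks[1], toks[2], toks[3]
            src, rest = _take_addr(toks[4:])
            dst, rest = _take_addr(rest)
            port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
            acls.setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst, "port": port, "text": raw.strip()})
        elif toks[0] == "access-group":
            bindings[toks[1]] = (toks[2], toks[4])   # access-group NAME in interface IFACE
    return acls, groups, bindings


def audit(text):
    """Report ACLs that are never applied, and permits in applied ACLs that are wider than host+port."""
    acls, _groups, bindings = parse_config(text)
    report = {"unapplied": sorted(set(acls) - set(bindings)), "findings": []}
    for name, (direction, iface) in bindings.items():
        for ace in acls.get(name, []):
            if ace["action"] != "permit":
                continue
            reasons = []
            if ace["src"][0] == "any" and ace["dst"][0] == "any":
                reasons.append("any-to-any: open from the whole internet to every inside host")
            elif ace["dst"][0] == "any":
                reasons.append("destination any: reaches every inside host")
            elif ace["dst"][0] == "net" and ace["dst"][1].prefixlen < 32:
                reasons.append(f"destination is a /{ace['dst'][1].prefixlen} network, not a single host")
            if ace["proto"] == "ip":
                reasons.append("protocol ip: every protocol and port, not just what is needed")
            if ace["proto"] == "tcp" and ace["port"] in ("domain", "53"):
                reasons.append("tcp/53 inbound: only needed if an inside DNS server answers zone transfers")
            for reason in reasons:
                report["findings"].append((f"{name} {direction} {iface}", ace["text"], reason))
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("defined but never applied:", result["unapplied"])
    for where, ace, reason in result["findings"]:
        print(f"[{where}] {ace}\n    -> {reason}")
```

`show access-list outside` hit counts remain the way to decide whether an entry is actually used; the script only tells you how wide each one is, and which lists are dead weight because no `access-group` references them.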
