ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Securing Networks Using Firewalls with Cisco expert Nisha Chandy. Nisha is a Senior Engineer with the Cisco Technical Assistance Center. She has a Masters Degree in Electrical and Electronics Engineering and has been supporting security products and technologies (PIX, IDS, AAA) in Cisco since the year 2000. Feel free to post any questions relating to Securing Networks Using Firewalls. Remember to use the rating system to let Nisha know if you’ve received an adequate response.

Nisha might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 20. Visit this forum often to view responses to your questions and the questions of other community members.

122 REPLIES
New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi

In the Cisco PIX, how do I permit hosts on the inside to resolve DNS using a DNS server which is on the outside (the internet)? Do I need to add any configuration or is it handled by default in the PIX?

Thanks

Hilary Fernandes

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hello Hilary,

You need not configure anything else when DNS resolution is on the outside network. You need only configure a global NAT/PAT from inside to outside.

Regards,

tarun-gswan@gujarat.gov.in

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Thanks Tarun. That's what I thought. Just needed another confirmation.

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi Nisha,

What are some best practices regarding the use of the Cisco IOS firewall/IDS feature sets? I've noticed some issues with some of the inspections causing high CPU utilization, especially the HTTP inspection.

Thanks

Aaron

Cisco Employee

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi Aaron

Regarding the best practices, I would say: do not inspect protocols that are not being used.

Do not change the default timeout values unless you have a lot of regular traffic through the router.

As for the performance issues with inspecting HTTP:

Use HTTP inspection only if blocking Java.

With the 12.2(15)T and above code there have been enhancements to the performance of inspection as well as audits.

Please do let me know if you have any further questions

Thanks

Nisha

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi

What is the purpose of the fixup protocol command in the PIX?

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

The fixup protocol command maps a protocol port number to the name of that protocol, such as 80 to www. A lot of the most common ports are mapped to a name by default. Those ports may not show up as a fixup command when you show your configuration.

Cisco Employee

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hello Hilary

The fixup is mainly used when you want to negotiate the secondary channels, as in the case of H323, FTP, etc. An example: say you are FTPing from inside to outside; the command channel is port 21, but data is passed on a different port, depending on passive or active mode. The fixup takes care of this, so that for the return data traffic you don't have to punch another hole through the access-list.

For applications which use a single port, like HTTP, it is used to turn on HTTP application awareness for the port defined with fixup.

Hope this explains fixup.

Thanks

Nisha

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

This is not related to a PIX technical question, but please let me ask. I heard from a Cisco engineer that the middle-range and high-end PIX (PIX 515, 525, 535) will be phased out in the near future and replaced with the Catalyst FWS Module. Would you kindly confirm this rumour?

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

I'm not in Cisco sales, nor do I work for Cisco. But I seriously doubt it. If those models were to be phased out, I'm sure that they would be replaced by a different model. I know as a personal preference I like to keep my gateway firewall as a separate device. It gives you more flexibility, and a failure on one box (depending on the type of failure) doesn't affect the whole network.

Cisco Employee

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi

I would say that the middle end would be replaced by other models, but they will not be phased out in the near future.

Thanks

Nisha

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hello,

I want to ask if the PIX firewall 515E version 6.3 is compatible with Cisco IOS H323 version 2.

Note: I need to hide my gatekeeper (Cisco 7200 router) behind a PIX 515E.

The gatekeeper is running an IOS that supports the H323 V2 enhancement feature. Will the format of H323 V2 packets be recognized normally by a PIX running release 6.3?

I need this clarification before installing the PIX so as not to affect my real-time traffic.

any comments?

Thanks

Jacob.

Cisco Employee

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi Jacob

H323 support for version 2 was there before PIX 6.3; 6.3 now also supports version 3 and version 4. So the answer is yes, it supports version 2.

Thanks

Nisha

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

I have a minor problem with our PIX 515E 6.2.

We have an Inside network and a DMZ network, and are doing alias dnat for the inside network for hosts that reside on the DMZ.

I can ping any host on the DMZ successfully, and can http/telnet to most of them. The problem is 3 hosts that I can not telnet or http to, though I can ping them; if I SSH to a host on their network, I can telnet and http to them. There is only one other similar host like these three that I can ping, telnet, and http to. I have checked the PIX configuration for it against the PIX parameters for the 3: there are no significant differences I can see.

Any suggestions?

Cisco Employee

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi

Thanks for posting your question.

As I understand it, you are trying http, telnet and ping from inside to DMZ?

Does debug icmp trace show both the echo request and reply on the PIX for those hosts?

Also, what does the syslog say for the telnet and http connections (e.g. does it build the connection)?

Since it pertains to some specific hosts, this would need some debugging, like looking into the syslogs.

Thanks

Nisha

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

It's like this:

Insider ----- PIX ------DMZ

4 Hosts on that DMZ.

I can ping all of them.

I can telnet and HTTP to only one of them from inside.

I can telnet and HTTP to all of them if I do so from a host on the DMZ.

I am running alias dnat for inside to DMZ communications.

Connections are being built for the telnet and http sessions from inside to dmz that do not work.

Cisco Employee

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi

Can you run a debug packet on the inside and DMZ, filtered by the source and destination IPs, and see what is happening to those packets?

Thanks

Nisha

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hello,

I have three questions for you:

1- After configuring my PIX 515E (running IOS 6.3) for NATing and permitting the ICMP traffic on the outside interface, I have been facing a problem, which is:

I am not able to ping the outside interface of the PIX from an inside host, despite the ping being successful from the same inside host to any outside host (the problem is only with the outside interface). Further, I can ping the outside interface of the PIX from an outside host. Could you please explain?

2- My firewall is placed in front of a gatekeeper.

I suspect these two commands:

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

are causing me some troubles, such as timeout of the connection after some time.

If I remove these two commands, will it affect the registration of my remote gateways to my gatekeeper? If yes, what are the replacements for the fixup commands on the PIX firewall?

3- If I want to replace my PIX firewall temporarily with a Cisco 1721 router with IOS firewall, how can I make my router act as a firewall (guidance: URLs, sample known starting configs)?

Thanks In advance

Regards,

Jacob.

Cisco Employee

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi Jacob

Please look at the answers inline:

1) After configuring my PIX 515E (running IOS 6.3) for NATing and permitting the ICMP traffic on the outside interface, I have been facing a problem, which is:

I am not able to ping the outside interface of the PIX from an inside host, despite the ping being successful from the same inside host to any outside host (the problem is only with the outside interface). Further, I can ping the outside interface of the PIX from an outside host. Could you please explain?

A) It is by PIX design that you will not be able to ping the interfaces of the PIX from a host on another interface (by interfaces, I am not referring to the interface which connects to the host, but any other interface on the PIX).

But with defined nat/static and access-list, you can ping through the PIX.

Pinging an interface from a host connected to the same interface is fine and is allowed by default.

2) My firewall is placed in front of a gatekeeper.

I suspect these two commands:

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

are causing me some troubles, such as timeout of the connection after some time.

If I remove these two commands, will it affect the registration of my remote gateways to my gatekeeper? If yes, what are the replacements for the fixup commands on the PIX firewall?

A) Fixup is used to accommodate protocols which use multiple ports for their functioning, like H323.

So, if you remove fixup for H323, it will affect the registration of the gateways. You would then need to have an access-list which opens ports greater than 1024 between those hosts (gateway to gatekeeper), in addition to the existing access-list.

Here is the URL with the H323 fixup info:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html

3) If I want to replace my PIX firewall temporarily with a Cisco 1721 router with IOS firewall, how can I make my router act as a firewall (guidance: URLs, sample known starting configs)?

A) I would suggest going for CBAC (context based access-list).

Check the URL below under the topic "Basic CBAC configuration":

http://www.cisco.com/cgi-bin/Support/browse/psp_view.pl?p=Software:Cisco_IOS_Firewall&s=Implementation_and_Configuration

Hope the above helps.

Thanks

Nisha

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

I was wondering if I could use the Null 0 command with the PIX software?

Cisco Employee

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi

Are you referring to the null 0 interface command on the routers? If so, no, you cannot use that command with the PIX software.

Thanks

Nisha

Silver

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

I've following questions on PIX:

1. Is it possible to filter traffic based on URL instead of IP? E.g. I want to prevent the domain xyz.com from FTPing from my server. They have multiple IP prefixes, and new sites belonging to xyz.com emerge from time to time.

2. Is it possible for two PIXes to maintain the state of a connection? Suppose I have redundant connections to the Internet. If my traffic leaves from PIX A and enters through PIX B, can PIX B validate it based on state info from PIX A?

3. RIP is available on the PIX, but there is no way to limit the number of route prefixes received from the outside RIP-running box. Is there any way to do that?

Thanks.

Cisco Employee

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi

Please see answers inline:

1. Is it possible to filter traffic based on URL instead of IP? E.g. I want to prevent the domain xyz.com from FTPing from my server. They have multiple IP prefixes, and new sites belonging to xyz.com emerge from time to time.

A. The PIX can do URL (HTTP) filtering in conjunction with third-party software (N2H2 and Websense).

But according to your requirement (please correct me if I have it wrong), you would like the access-list to be defined with a domain name as either the source or destination instead of an IP address, which is not possible.

2. Is it possible for two PIXes to maintain the state of a connection? Suppose I have redundant connections to the Internet. If my traffic leaves from PIX A and enters through PIX B, can PIX B validate it based on state info from PIX A?

A. The PIX is a stateful firewall. Having said that, if the traffic leaves from PIX A and it does not see the corresponding return traffic, PIX A is going to drop that connection.

So, two PIXes cannot maintain the state of a connection.

3. RIP is available on the PIX, but there is no way to limit the number of route prefixes received from the outside RIP-running box. Is there any way to do that?

A. There is no way to limit the number of prefixes received from RIP. From version 6.3 of the PIX, where OSPF is supported, prefix-lists are supported for OSPF.

Thanks

Nisha
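
The following is an added example, written for this thread and not code from Cisco or from the posters, that models in Python what Nisha describes in her earlier fixup answer (a secondary data channel that would otherwise need "another hole through the access-list"), in the H323 answer above (removing fixup means opening ports greater than 1024 by access-list), and in the two-PIX answer above (a firewall that never saw the outbound packet holds no state for the reply). It is a toy: a stateful firewall that builds state for outbound connections, an FTP inspector that pre-opens the server's return data connection after an active-mode PORT command (the NAT rewriting a real fixup also does is omitted), the broad access-list alternative, and a second firewall instance that drops a reply it has no state for. All hosts, ports and the PORT command are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Regex for an FTP active-mode PORT command: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool        # True = inside -> outside, as seen by this firewall
    payload: bytes = b""


@dataclass
class Firewall:
    """Toy PIX: outbound connections are always built; an inbound packet needs
    matching state, a pinhole opened by inspection, or an explicit ACL hit."""
    inspect_ftp: bool = False           # stands in for 'fixup protocol ftp 21'
    acl_inbound_gt_1024: bool = False   # stands in for a broad 'permit tcp ... gt 1024'
    conns: set = field(default_factory=set)      # (in_ip, in_port, out_ip, out_port)
    pinholes: set = field(default_factory=set)   # (out_ip, in_ip, in_port)
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Canonical key with the inside host first, whichever way the packet flows.
        return (p.src, p.sport, p.dst, p.dport) if p.outbound else (p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> bool:
        key = self._key(p)
        if key in self.conns:
            verdict, ok = "existing connection", True
        elif p.outbound:
            self.conns.add(key)
            verdict, ok = "built outbound", True
        elif (p.src, p.dst, p.dport) in self.pinholes:
            self.pinholes.discard((p.src, p.dst, p.dport))  # one-shot, like a real pinhole
            self.conns.add(key)
            verdict, ok = "built inbound via inspection pinhole", True
        elif self.acl_inbound_gt_1024 and p.dport > 1024:
            self.conns.add(key)
            verdict, ok = "built inbound via broad access-list", True
        else:
            verdict, ok = "dropped: no matching state", False
        if ok and self.inspect_ftp and p.outbound and p.dport == 21 and p.payload:
            self._inspect_ftp(p)
        self.log.append(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {verdict}")
        return ok

    def _inspect_ftp(self, p: Packet) -> None:
        """Parse a PORT command on the control channel and pre-open the
        server's return data connection (the fixup behaviour)."""
        m = PORT_RE.match(p.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        announced_ip, data_port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        # Only open a hole back to the host that sent the command, so a client
        # cannot make the firewall expose some other inside host.
        if announced_ip != p.src:
            self.log.append(f"PORT to {announced_ip} ignored: does not match {p.src}")
            return
        self.pinholes.add((p.dst, p.src, data_port))


# Constructed addresses (RFC 5737 documentation ranges for the outside hosts).
CLIENT, FTP_SERVER, WEB_SERVER = "192.168.1.10", "203.0.113.5", "198.51.100.7"


def active_ftp(inspect_ftp: bool, acl_gt_1024: bool = False, announced_ip: str = CLIENT) -> bool:
    """Inside client does active-mode FTP; returns whether the server's
    inbound data connection (from port 20) gets through the firewall."""
    fw = Firewall(inspect_ftp=inspect_ftp, acl_inbound_gt_1024=acl_gt_1024)
    fw.process(Packet(CLIENT, 40000, FTP_SERVER, 21, True))              # control channel
    port_cmd = ("PORT " + announced_ip.replace(".", ",") + ",156,65\r\n").encode()  # 156*256+65 = 40001
    fw.process(Packet(CLIENT, 40000, FTP_SERVER, 21, True, port_cmd))
    return fw.process(Packet(FTP_SERVER, 20, announced_ip, 40001, False))  # server dials back in


def asymmetric_return() -> tuple:
    """Traffic leaves through PIX A; the reply arrives at PIX B, which has no state."""
    pix_a, pix_b = Firewall(), Firewall()
    pix_a.process(Packet(CLIENT, 50000, WEB_SERVER, 80, True))
    reply = Packet(WEB_SERVER, 80, CLIENT, 50000, False)
    return pix_a.process(reply), pix_b.process(reply)


if __name__ == "__main__":
    print("active FTP, no fixup:            ", active_ftp(False))
    print("active FTP, fixup:               ", active_ftp(True))
    print("active FTP, ACL gt 1024 instead: ", active_ftp(False, True))
    print("PORT naming another inside host: ", active_ftp(True, announced_ip="192.168.1.99"))
    print("reply seen by PIX A / PIX B:     ", asymmetric_return())
```

The access-list alternative works for the one data connection shown, but it admits any inbound connection to any port above 1024, which is the trade-off Nisha's H323 answer implies; inspection opens exactly one expected connection and only towards the host that asked for it.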

Cisco Employee

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi

If you are referring to the interface null 0 command as in routers, then the answer is no, we cannot use the null 0 command with the PIX.

Thanks

Nisha

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi Nisha,

I'm having a problem regarding a PIX 501. I want to use it as a gateway for my users to access the internet.

workstation---------------switch-----------firewall----------dslmodem----------------internet

Please check my current configuration:

: Saved
: Written by enable_15 at 11:50:14.727 UTC Tue May 27 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ZkoVzp83keh94NqN encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Kajima
domain-name kajima.com.ph
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 210.23.x.x 255.255.255.x
ip address inside 192.168.1.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (ouside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 210.23.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.x 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set xxxxxx esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 202.136.x.x
crypto map transam 1 set transform-set xxxxxx
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 202.136.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:edit

Any suggestion is highly appreciated.

thanks

Mhel

Cisco Employee

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi Mhel

Your config looks fine, except for one typo I see (maybe you have it right on the PIX itself):

global (ouside) 1 interface

Other than that, it looks fine for traffic initiating from inside to outside.

What is happening?

Thanks

Nisha
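
Nisha spotted the "ouside" typo by eye; the following is an added example, not code from the thread or from Cisco, of a small Python linter that finds the same class of mistake mechanically in a PIX 6.x configuration: it collects the interface names declared by nameif, checks every command that references an interface name (global, nat, ip address, mtu, route, http/telnet/ssh, crypto map, isakmp enable) against that list, suggests the closest declared name, and additionally flags the default SNMP community string that also appears in the posted config. The config excerpt embedded below is constructed after the one in the thread, with placeholder addresses.

```python
import difflib
import re

# Constructed excerpt modelled on the config posted above; addresses are placeholders.
SAMPLE_CONFIG = """\
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (ouside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
http 192.168.1.5 255.255.255.255 inside
snmp-server community public
crypto map transam interface outside
isakmp enable outside
"""

NAMEIF = re.compile(r"^nameif (\S+) (\w+) security(\d+)")
IP_ADDRESS = re.compile(r"^ip address (\w+) ")

# Places where an interface name appears in a PIX 6.x config; group 1 is the name.
IFACE_REFS = [
    re.compile(r"^global \((\w+)\)"),
    re.compile(r"^nat \((\w+)\)"),
    IP_ADDRESS,
    re.compile(r"^mtu (\w+) "),
    re.compile(r"^route (\w+) "),
    re.compile(r"^(?:http|telnet|ssh) \S+ \S+ (\w+)$"),  # 'http server enable' does not match
    re.compile(r"^crypto map \S+ interface (\w+)"),
    re.compile(r"^isakmp enable (\w+)"),
]


def interfaces(config: str) -> dict:
    """Map each nameif-declared interface name to its security level."""
    found = {}
    for line in config.splitlines():
        m = NAMEIF.match(line.strip())
        if m:
            found[m.group(2)] = int(m.group(3))
    return found


def lint(config: str) -> list:
    """Return findings as (line_no, severity, message); line_no 0 means config-wide."""
    names = interfaces(config)
    findings = []
    addressed = set()
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        for pat in IFACE_REFS:
            m = pat.match(line)
            if not m:
                continue
            if pat is IP_ADDRESS:
                addressed.add(m.group(1))
            if m.group(1) not in names:
                msg = f"unknown interface '{m.group(1)}'"
                hint = difflib.get_close_matches(m.group(1), list(names), n=1)
                if hint:
                    msg += f" (did you mean '{hint[0]}'?)"
                findings.append((no, "error", msg))
        if re.match(r"^snmp-server community (public|private)$", line):
            findings.append((no, "warn", "default SNMP community string"))
    for name in names:
        if name not in addressed:
            findings.append((0, "warn", f"interface '{name}' has no ip address"))
    return findings


if __name__ == "__main__":
    for line_no, severity, message in lint(SAMPLE_CONFIG):
        print(f"line {line_no}: {severity}: {message}")
```

Because the PIX accepts the mistyped name without complaint, a check like this belongs wherever configs are reviewed before they are pasted into a device; the same pattern extends to any other command that names an interface.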

New Member

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Hi Nisha,

Well actually, when I use 192.168.1.x as the gateway, all the workstations can't access the internet. Do I need to input the IP(s) (block) that the ISP issued to us?

Can i change the:

global (outside) 1 interface

to;

global (outside) 1 210.23.197.x 210.23.197.x

Thanks

Mhel

Cisco Employee

Re: ASK THE EXPERT- SECURING NETWORKS USING FIREWALLS

Mhel

Is the DSL modem doing any NATting (NATting to a public address), since your outside and inside IPs are private addresses?

If not, then the PIX has to NAT the inside IPs to a public address (which will be the address given to you by the ISP).

Also, say:

If the ISP has given you 3 IPs, then you can configure the PIX outside and the DSL modem's inside with two of those IPs and use the remaining IP for the global statement.

The above will hold if you have control of the DSL modem.

Let me know if you have additional questions on this.

Thanks

Nisha
