
locking down a PIX 501

I'm a noob so keep it simple for me. I'm not good at the commands.

I want to lock down my PIX 501 (v.6.2) by doing the following:

Disable all incoming traffic except if initiated by someone on the inside and https access to one web server

Block all outgoing except http, https, IMAP, Lotus Notes, Ping, Traceroute, DNS, and the VPN to the other PIX.

What do I need to do?

Thanks!

2 REPLIES
Re: locking down a PIX 501

Ok, you need to get an access-list on both interfaces. The inbound one will have only one permit, that being the https access.

The outbound one will allow the mentioned traffic outbound.

Then apply it to the interface with the access-group command.

The VPN traffic to the other PIX is covered within the VPN config.

Re: locking down a PIX 501

Here is an example:

object-group service Outbound-TCP tcp
 port-object eq 80
 port-object eq 443
 port-object eq 143
 port-object eq 1352
object-group service Outbound-UDP udp
 port-object eq 53

# Create an access-list that allows inbound traffic to your web server
access-list outside permit tcp any host WebPublicIP eq 443
access-group outside in interface outside

# Address translation rule (static NAT)
static (inside,outside) WebPublicIP WebLocalIP netmask 255.255.255.255

# Create an access-list that restricts outbound protocols
access-list outbound permit tcp any any object-group Outbound-TCP
access-list outbound permit udp any any object-group Outbound-UDP
access-group outbound in interface inside

Ping and traceroute are another topic; here is some information about that:

First thing to know: without an access-list on the interface, a higher-level interface, e.g. inside, can access all lower interfaces such as outside.

Second thing to know: ping is not a stateful protocol. To allow pings from the inside to the outside interface you need to create an access-list. If you want to ping the same interface that you are physically connected to, you need to configure the "icmp" command.

example:

See: Handling ICMP Pings with the PIX Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

The PIX and the traceroute Command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml

examples:

Traceroute

Microsoft:

access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
access-list 101 permit icmp any host YourPublicIP echo-reply

UNIX:

access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded

ICMP command example

icmp deny any outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit host 192.168.1.30 echo inside
icmp permit host 192.168.1.31 echo inside
icmp permit host 192.168.1.20 echo inside
icmp permit host 192.168.1.40 echo inside
icmp permit host 192.168.1.100 echo inside

sincerely

Patrick
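As an added illustration, not code from this thread or from Cisco, here is a small Python model of how the PIX walks an access-list top-down with an implicit deny at the end: it reads object-groups and ACEs in the format of the reply above, resolves `object-group` service entries, and refuses an ACE whose protocol does not match the group it names (the tcp/udp mix-up that is easy to make when copying lines). It assumes only `any`/`host X` address specs and merges the https and traceroute entries into one inbound list, since a PIX interface takes a single inbound access-group; the IP addresses are constructed.

```python
# Added example, not the PIX's own code: a simplified first-match evaluator for
# PIX 6.x-style access-lists. Assumes "any"/"host X" addresses only; IPs are constructed.

CONFIG = """
object-group service Outbound-TCP tcp
 port-object eq 80
 port-object eq 443
 port-object eq 143
 port-object eq 1352
object-group service Outbound-UDP udp
 port-object eq 53
access-list outside permit tcp any host 203.0.113.10 eq 443
access-list outside permit icmp any host 203.0.113.1 time-exceeded
access-list outbound permit tcp any any object-group Outbound-TCP
access-list outbound permit udp any any object-group Outbound-UDP
"""

def _addr(tok, i):  # "any" -> ("any", i+1); "host X" -> ("X", i+2)
    return ("any", i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)

def parse(config):
    groups, acls, cur = {}, {}, None
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "service"]:
            cur = groups[tok[2]] = (tok[3], set())      # (protocol, port set)
        elif tok[0] == "port-object":
            cur[1].add(tok[2])
        elif tok[0] == "access-list":
            name, action, proto = tok[1], tok[2], tok[3]
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            rest = tok[i:]
            if rest and rest[0] == "object-group":
                gproto, ports = groups[rest[1]]
                if gproto != proto:                     # e.g. a tcp ACE naming a udp group
                    raise ValueError(f"{name}: {proto} ACE uses {gproto} group {rest[1]}")
                svc = ports
            else:                                       # "eq N", a bare icmp type, or nothing
                svc = {rest[-1]} if rest else None
            acls.setdefault(name, []).append((action, proto, src, dst, svc))
    return acls

def evaluate(acls, name, proto, src, dst, svc):
    """Top-down first match; no matching ACE means the PIX's implicit deny."""
    for action, p, s, d, services in acls.get(name, []):
        if p == proto and s in ("any", src) and d in ("any", dst) and (
                services is None or str(svc) in services):
            return action
    return "deny"
```

With this config, https to the web server and time-exceeded replies are permitted inbound while everything else is denied, and outbound DNS over UDP passes only because the udp ACE references the udp group.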
