Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Using a PIX501 to Secure & Share a cable internet connection

Hello All,

I have bought a PIX501 to secure my home cable modem connection and share it around my house. The PIX will act as a DHCP client (my ISP uses dynamic IP addressing) and uses nat and DHCP sever with my small number of inside clients.

The default config (set using the PIX set-up) seems ok- however I have made a few "tweaks" following some negative PIX reviews I read here in the UK.

Specifically I have:-

- Denied incoming icmp requests (to make the PIX "invisible" to the outside world)

- Created an access list to allow responses to my outbound pings (something every network geek must be able to do)

- Set "fragment chain 1 outside" to drop incoming fragmented packets

- Limited the number of connections to 200 and embroyonic connections to 50

- Enabled floodguard (Although I don't believe this should be necessary on such a lightly loaded network)

- Enabled console logging so I have at least some history of any attacks

- Reduced some of the connection timeouts from their defaults

As I an fairly new to this sort of thing does anyone have any other specific tips or advice for a pix used in this way?

Thanks in advance,

Andrew.

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Using a PIX501 to Secure & Share a cable internet connection

When working with ICMP, remember that the [icmp] command is used to affect ICMP messages to the pix as a host while the [access-list] command is used to affect ICMP messages traversing the Pix.

If you're using IPSec tunnels throught the Pix, you may want to consider letting in fragment chain sizes of 2. IPSec creates enough overhead to cause a lot of packets to be fragmented. MTU path discovery would prevent this, but many networks prevent the inbound requests that allow the discovery to work. For this same reason, you may also want to consider allowing the Pix to receive unreachables on your inside hosts behalf if you the Pix will terminate VPN tunnels. [icmp permt any unreachables outside]

Floodguard is enabled by default and doesn't need to be enabled. It shouldn't be needed on a lightly loaded network, but it would be needed in times of a DoS attack if you're Pix does authentication "uauth" of traffic entering or leaving the network.

If you're interested, the Pix can authenticate users on the inside before allowing the traffic to leave using RADIUS. This is helpful in situations such as a web server on the inside is hacked from the outside. By enforcing authentication for other traffic to leave, the options to the offending hosts are severely limited. A timeout is used to trigger authentication again after a specified time. The [floodguard] is used to protect this "uauth" feature of the Pix.

The Pix has VERY BASIC IDS signatures built-in that you may want to enable using the [ ip audit ] command set.

Enable SSH for authentication and encryption by generating an RSA key and saving it to flash. [ca generate rsa key 1024] and [ca save all] Disable telnet by removing any [telnet] commands and replace them with [ssh]. [http] should also be restricted as much as possible for administration.

2 REPLIES
Silver

Re: Using a PIX501 to Secure & Share a cable internet connection

When working with ICMP, remember that the [icmp] command is used to affect ICMP messages to the pix as a host while the [access-list] command is used to affect ICMP messages traversing the Pix.

If you're using IPSec tunnels throught the Pix, you may want to consider letting in fragment chain sizes of 2. IPSec creates enough overhead to cause a lot of packets to be fragmented. MTU path discovery would prevent this, but many networks prevent the inbound requests that allow the discovery to work. For this same reason, you may also want to consider allowing the Pix to receive unreachables on your inside hosts behalf if you the Pix will terminate VPN tunnels. [icmp permt any unreachables outside]

Floodguard is enabled by default and doesn't need to be enabled. It shouldn't be needed on a lightly loaded network, but it would be needed in times of a DoS attack if you're Pix does authentication "uauth" of traffic entering or leaving the network.

If you're interested, the Pix can authenticate users on the inside before allowing the traffic to leave using RADIUS. This is helpful in situations such as a web server on the inside is hacked from the outside. By enforcing authentication for other traffic to leave, the options to the offending hosts are severely limited. A timeout is used to trigger authentication again after a specified time. The [floodguard] is used to protect this "uauth" feature of the Pix.

The Pix has VERY BASIC IDS signatures built-in that you may want to enable using the [ ip audit ] command set.

Enable SSH for authentication and encryption by generating an RSA key and saving it to flash. [ca generate rsa key 1024] and [ca save all] Disable telnet by removing any [telnet] commands and replace them with [ssh]. [http] should also be restricted as much as possible for administration.

Anonymous
N/A

Re: Using a PIX501 to Secure & Share a cable internet connection

Hmmmm... Thanks for that information. Some good points for me to think about there.

My intention in buying a PIX (rather than some cheap nasty firewall router) is to learn a bit more about Cisco kit and security in general. Looks like I've got some interesting reading and experimenting to try!

Regards,

Andrew.

97
Views
3
Helpful
2
Replies
CreatePlease login to create content