
Firewall Wizards mailing list archives
RE: Extreme Problem with PIX Config
From: "Brian Loe" <knobdy () stjoelive com>
Date: Fri, 13 May 2005 13:12:05 -0500
I appreciate the help from all of you - and for the record, the one to be kicked is me. I've never logged into a PIX until this one and everything I had in that config are things I've gotten out of other configs I've found on the Net and what I've gleaned from Cisco documentation... And then a LOT of fiddling to try and get things to work. This PIX has not been put in production as yet, only for testing. It will, however, go in tonight as we got everything working last night. Here is the current config which I would like to garner some comments on, as I'm not confident I've got everything right - or as secure as it ought to be. There are a few lines my boss added on his own as well and I want to make sure we're not going to be doing anything..."dangerous".

: Saved
: Written by enable_15 at 11:42:46.569 UTC Thu May 12 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
nameif ethernet3 intf3 security6
enable password R5JqnA.7FP.h3CNW encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name nationalmoney.com
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 443
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.100.1.82 phoneM2
name 10.100.1.81 phoneM1
name 10.100.1.86 phoneM6
name 10.100.1.84 phoneM4
name 10.100.1.83 phoneM3
name 192.168.1.12 phone_Gateway
name 192.168.1.39 mail
name 192.168.1.101 ftp
name 192.168.1.104 clkdmz1
name 192.168.1.108 NTXWEB
name 192.168.1.115 KCIT07
object-group network Sister_Company
  description Sister Company range.
  network-object ip.nt.pub.33 255.255.255.255
  network-object ip.nt.pub.34 255.255.255.255
  network-object ip.nt.pub.35 255.255.255.255
  network-object ip.nt.pub.36 255.255.255.255
  network-object ip.nt.pub.37 255.255.255.255
  network-object ip.nt.pub.38 255.255.255.255
  network-object ip.nt.pub.39 255.255.255.255
  network-object ip.nt.pub.40 255.255.255.255
  network-object ip.nt.pub.41 255.255.255.255
  network-object ip.nt.pub.42 255.255.255.255
  network-object ip.nt.pub.43 255.255.255.255
  network-object ip.nt.pub.44 255.255.255.255
  network-object ip.nt.pub.45 255.255.255.255
  network-object ip.nt.pub.46 255.255.255.255
  network-object ip.nt.pub.47 255.255.255.255
  network-object ip.nt.pub.48 255.255.255.255
  network-object ip.nt.pub.49 255.255.255.255
  network-object ip.nt.pub.50 255.255.255.255
  network-object ip.nt.pub.51 255.255.255.255
  network-object ip.nt.pub.52 255.255.255.255
  network-object ip.nt.pub.53 255.255.255.255
  network-object ip.nt.pub.54 255.255.255.255
  network-object ip.nt.pub.55 255.255.255.255
  network-object ip.nt.pub.56 255.255.255.255
  network-object ip.nt.pub.57 255.255.255.255
  network-object ip.nt.pub.58 255.255.255.255
  network-object ip.nt.pub.59 255.255.255.255
  network-object ip.nt.pub.60 255.255.255.255
  network-object ip.nt.pub.61 255.255.255.255
  network-object ip.nt.pub.62 255.255.255.255
  network-object ip.nt.pub.63 255.255.255.255
object-group network IBM
  description IBM range.
  network-object pub.net.ip.197 255.255.255.255
  network-object pub.net.ip.198 255.255.255.255
  network-object pub.net.ip.199 255.255.255.255
  network-object pub.net.ip.200 255.255.255.255
  network-object pub.net.ip.201 255.255.255.255
object-group network Internal_Net
  description All internal networks.
  network-object 10.100.0.0 255.255.254.0
  network-object 10.100.2.0 255.255.254.0
  network-object 10.100.4.0 255.255.254.0
  network-object 10.100.6.0 255.255.254.0
  network-object 10.101.0.0 255.255.254.0
  network-object 10.101.2.0 255.255.254.0
object-group network phone_Group
  network-object phoneM1 255.255.255.255
  network-object phoneM2 255.255.255.255
  network-object phoneM3 255.255.255.255
  network-object phoneM4 255.255.255.255
  network-object phoneM6 255.255.255.255
object-group service WEB_PORTS tcp
  port-object eq www
  port-object eq https
  port-object eq echo
object-group service FTP_PORTS tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq echo
object-group service WebX tcp
  group-object FTP_PORTS
  group-object WEB_PORTS
  port-object eq 1935
object-group service Tranlink_TCP tcp
  group-object WEB_PORTS
  port-object range 3306 3307
  port-object eq ssh
object-group service KCIT07 tcp
  port-object range 1433 19628
object-group service DB2_TCP tcp
  port-object eq 523
  port-object eq ssh
  port-object range 50000 50100
  port-object eq 1415
object-group service Mail_Ports tcp
  group-object WEB_PORTS
  port-object range 1000 1028
  port-object eq 2000
  port-object eq 3000
  port-object eq pop3
  port-object eq smtp
object-group service KCIT01 tcp
  port-object eq pptp
object-group service EQA_TCP tcp
  port-object eq 3389
object-group service Tranlink_UDP udp
  port-object eq 22
object-group service DB2_UDP udp
  port-object range 50000 50100
object-group service EQA_UDP udp
  port-object eq 3389
object-group network DMZ
  network-object 192.168.1.0 255.255.255.0
access-list compiled
access-list acl_inbound permit tcp any host ip.pub.nt.114 object-group WebX
access-list acl_inbound permit tcp any host ip.pub.nt.108 object-group WebX
access-list acl_inbound permit tcp any host ip.pub.nt.111 object-group WEB_PORTS
access-list acl_inbound permit tcp any host ip.pub.nt.107 object-group Tranlink_TCP
access-list acl_inbound permit udp any host ip.pub.nt.107 object-group Tranlink_UDP
access-list acl_inbound permit tcp any host ip.pub.nt.115 object-group KCIT07
access-list acl_inbound permit tcp any host ip.pub.nt.106 object-group DB2_TCP
access-list acl_inbound permit udp any host ip.pub.nt.106 object-group DB2_UDP
access-list acl_inbound permit tcp any host ip.pub.nt.100 object-group KCIT01
access-list acl_inbound permit tcp any host ip.pub.nt.102 object-group FTP_PORTS
access-list acl_inbound permit icmp any host ip.pub.nt.102
access-list acl_inbound permit tcp any host ip.pub.nt.104 eq domain
access-list acl_inbound permit udp any host ip.pub.nt.104 eq domain
access-list acl_inbound permit tcp any host ip.pub.nt.99 object-group Mail_Ports
access-list acl_inbound permit tcp any host ip.pub.nt.101 object-group WEB_PORTS
access-list acl_inbound permit icmp any host ip.pub.nt.116 unreachable
access-list acl_inbound permit icmp any host ip.pub.nt.116 time-exceeded
access-list acl_inbound permit icmp any host ip.pub.nt.116 echo-reply
access-list acl_inbound permit icmp any host ip.pub.nt.116 echo
access-list acl_inbound permit icmp any any
access-list acl_inbound permit gre any host ip.pub.nt.100
access-list in_dmz permit ip any any
pager lines 24
logging on
logging buffered debugging
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu intf3 1500
ip address outside ip.pub.nt.126 255.255.255.224
ip address inside 10.100.0.3 255.255.254.0
ip address DMZ 192.168.1.1 255.255.255.0
ip address intf3 10.255.255.253 255.255.255.252
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
no failover ip address intf3
pdm location 10.100.1.10 255.255.255.255 inside
pdm location 10.100.1.20 255.255.255.255 inside
pdm location 10.100.1.49 255.255.255.255 inside
pdm location 10.100.1.57 255.255.255.255 inside
pdm location 10.100.1.190 255.255.255.255 inside
pdm location 10.100.2.0 255.255.254.0 inside
pdm location 10.100.4.100 255.255.255.255 inside
pdm location 10.100.4.0 255.255.254.0 inside
pdm location 10.100.6.0 255.255.254.0 inside
pdm location mail 255.255.255.255 DMZ
pdm location 192.168.1.102 255.255.255.255 DMZ
pdm location sommz1 255.255.255.255 DMZ
pdm location NTSWEB 255.255.255.255 DMZ
pdm location 192.168.1.114 255.255.255.255 DMZ
pdm location KCIT07 255.255.255.255 DMZ
pdm location 10.100.0.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 ip.pub.nt.117-ip.pub.nt.119 netmask 255.255.255.224
global (outside) 1 ip.pub.nt.116 netmask 255.255.255.224
global (DMZ) 1 192.168.1.240-192.168.1.250
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) ip.pub.nt.111 10.100.1.57 netmask 255.255.255.255 0 0
static (DMZ,outside) ip.pub.nt.114 192.168.1.114 netmask 255.255.255.255 0 0
static (DMZ,outside) ip.pub.nt.108 NTXWEB netmask 255.255.255.255 0 0
static (inside,outside) ip.pub.nt.107 10.100.1.190 netmask 255.255.255.255 0 0
static (DMZ,outside) ip.pub.nt.115 KCIT07 netmask 255.255.255.255 0 0
static (inside,outside) ip.pub.nt.106 10.100.1.49 netmask 255.255.255.255 0 0
static (inside,outside) ip.pub.nt.100 10.100.4.100 netmask 255.255.255.255 0 0
static (DMZ,outside) ip.pub.nt.102 192.168.1.102 netmask 255.255.255.255 0 0
static (DMZ,outside) ip.pub.nt.104 clkdmz1 netmask 255.255.255.255 0 0
static (DMZ,outside) ip.pub.nt.99 mail netmask 255.255.255.255 0 0
static (inside,outside) ip.pub.nt.101 10.100.1.20 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
access-group acl_inbound in interface outside
access-group in_dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 ip.pub.nt.97 1
route inside 10.100.2.0 255.255.254.0 10.100.0.1 1
route inside 10.100.4.0 255.255.254.0 10.100.0.1 1
route inside 10.100.6.0 255.255.254.0 10.100.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 1:00:00 mgcp 1:00:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 10.100.1.10 sec.ret timeout 5
aaa-server LOCAL protocol local
aaa authentication http console RADIUS
aaa authentication serial console RADIUS
aaa authentication ssh console RADIUS
aaa authentication telnet console RADIUS
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server location Lowell
snmp-server contact Brian Loe
snmp-server community R3@d04!y
no snmp-server enable traps
tftp-server inside 10.100.0.169 PIX_DATE
floodguard enable
fragment size 2000 DMZ
fragment timeout 30 DMZ
telnet 10.100.0.1 255.255.255.255 inside
telnet 10.100.0.1 255.255.255.255 DMZ
telnet 10.100.0.1 255.255.255.255 intf3
telnet timeout 5
ssh 10.100.0.0 255.255.254.0 inside
ssh timeout 15
management-access inside
console timeout 15
terminal width 80
banner motd ******************************************
banner motd *                                        *
banner motd *            !!!WARNING !!!              *
banner motd *  All attempts at unauthorized access   *
banner motd *    will be aggressively pursued and    *
banner motd *      prosecuted to the full extent     *
banner motd *     of local and international law.    *
banner motd *                                        *
banner motd ******************************************
Cryptochecksum:19c0e4355e47f84a2e9110284a00ce57
: end
-----Original Message-----
From: John Dorsey [mailto:dorsey () colquitt org]
Sent: Friday, May 13, 2005 10:14 AM
To: Brian Loe
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Extreme Problem with PIX Config

Brian,

> I've been fighting this problem for two weeks now. What follows is the
> current config (edited to protect the innocent). If format is maintained,
> the trouble lines will be bolded. These trouble lines are:
> access-list nonat permit ip any any; nat (inside) 0 access-list nonat;
> access-group nonat in interface dmz.

[lots of deletia]

Here's a couple of ideas and recommendations that may help. First, I don't recommend using the same acl for the "access-group" and "nat (interface) 0 ..." purposes; keep those acl's separate and things are cleaner.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
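John's point about not reusing one ACL for both the "nat (interface) 0" exemption and the interface "access-group", shown as an added PIX 6.3 configuration sketch. This is an editor's illustration, not configuration from either message in the thread. The problem pattern is the one Brian quoted; the separated version borrows the addressing from his posted config (inside 10.100.0.0/23, DMZ 192.168.1.0/24, and the existing object-group Internal_Net) and the ACL name dmz_in is an assumption, not something the PIX or the thread provides.

```text
: --- Problem pattern, as quoted in the thread: one catch-all ACL is
: --- wired into two unrelated jobs (NAT exemption and the DMZ access-group).
access-list nonat permit ip any any
nat (inside) 0 access-list nonat
access-group nonat in interface DMZ

: --- Separated version (added example; addresses from Brian's posted
: --- config, "dmz_in" is an assumed ACL name).
:
: Job 1: NAT exemption. Match only the inside -> DMZ pair that should
: cross without translation. A "permit ip any any" here exempts every
: inside host toward every destination, outside included.
no access-list nonat permit ip any any
access-list nonat permit ip 10.100.0.0 255.255.254.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

: Job 2: what the DMZ may initiate. Deny the internal networks first,
: then let DMZ hosts reach the Internet; add explicit permits above the
: deny for any DMZ -> inside service that is actually required.
access-list dmz_in deny ip 192.168.1.0 255.255.255.0 object-group Internal_Net
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 any
no access-group nonat in interface DMZ
access-group dmz_in in interface DMZ
```

Two things worth checking after a split like this. First, in PIX 6.x a "nat 0 access-list" exemption takes priority over the numbered nat statements, so a catch-all exemption list silently defeats "nat (inside) 1" for Internet-bound traffic as well; scoping it to the inside/DMZ pair is what keeps the outside PAT working. Second, the ACL applied inbound on a lower-security interface is the only thing standing between that interface and inside once a translation exists toward it. Brian's posted config creates exactly such a translation with "static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0" and then applies "access-list in_dmz permit ip any any" to the DMZ, so any DMZ host can open a session to any inside address; the deny line above is the kind of entry that closes that, and "show access-list dmz_in" will show hit counts on the deny if something in the DMZ is trying.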
Current thread:
- Extreme Problem with PIX Config Brian Loe (May 13)
- Re: Extreme Problem with PIX Config John Dorsey (May 15)
- RE: Extreme Problem with PIX Config Brian Loe (May 15)
- RE: Extreme Problem with PIX Config Ben Nagy (May 15)
- Re: Extreme Problem with PIX Config Devdas Bhagat (May 19)
- Re: Extreme Problem with PIX Config John Dorsey (May 15)