
Thread: PIX Configuration to be modified

  1. #1 Senior Member (Join Date: Dec 2004, Posts: 140)

    PIX Configuration to be modified

    I have this configuration on our PIX at work. I want to clear all the unnecessary configuration, but I have to be careful because it is a production device (not a lab one).


    PIX Version 6.3(5)


    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto shutdown
    interface ethernet4 auto shutdown
    interface ethernet5 auto shutdown
    interface ethernet6 auto shutdown
    interface ethernet7 auto shutdown


    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    nameif ethernet3 intf3 security6
    nameif ethernet4 intf4 security8
    nameif ethernet5 intf5 security10
    nameif ethernet6 intf6 security12
    nameif ethernet7 intf7 security14

    enable password S3MRnV/GTGf60fAH encrypted
    passwd lHDYStuqSBB41oZj encrypted
    hostname PIX
    domain-name mycompany.net

    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names

    name 192.168.101.253 exchange
    name 192.168.101.3 mail_relay_pvt
    name 192.168.101.4 web_outlook_pvt
    name 192.168.5.100 gatin
    name 192.168.2.23 exchange_pvt
    name 192.168.101.6 webserver_dmz
    name 192.168.101.8 redlineOWA
    name 192.168.101.7 webredline
    name 192.168.101.9 blackboard_vip
    name 192.168.101.100 blackboard_dmz
    name 192.168.101.99 Dns_Dmz
    name 10.1.1.132 mail_relay
    name 10.1.1.133 web_outlook
    name 10.1.1.134 webserver
    name 10.1.1.136 blackboard
    name 10.1.1.138 intranet_web
    name 10.1.1.137 Dns_Outside
    name 192.168.101.21 intranet_vip
    name 192.168.55.250 cv_inside
    name 10.1.1.147 cv_outside
    name 192.168.101.13 rees_redline
    name 10.1.1.145 rees_out
    name 192.168.101.249 ISADMZ

    access-list outside permit tcp any host mail_relay eq smtp
    access-list outside permit tcp any host webserver eq www
    access-list outside permit tcp any host 10.1.1.135 eq www
    access-list outside permit tcp any host webserver eq https
    access-list outside permit tcp any host blackboard eq www
    access-list outside permit tcp any host blackboard eq 8007
    access-list outside permit tcp any host blackboard eq 8008
    access-list outside permit tcp any host blackboard eq 7001
    access-list outside permit tcp any host blackboard eq 7755
    access-list outside permit tcp any host blackboard eq 8014
    access-list outside permit tcp any host blackboard eq 8015
    access-list outside permit tcp any host Dns_Outside eq domain
    access-list outside permit udp any host Dns_Outside eq domain
    access-list outside permit tcp any host 10.1.1.141 eq www
    access-list outside permit tcp any host 10.1.1.142 eq www
    access-list outside permit tcp any host 10.1.1.143 eq www
    access-list outside permit tcp any host 192.168.101.250 eq www
    access-list outside permit tcp any host blackboard eq 81
    access-list outside permit tcp any host 192.168.101.250 eq 9443
    access-list outside permit udp any host 192.168.101.250 eq 9443

    access-list outside permit tcp host 22x.x.29.221 host 10.1.1.146 eq https
    access-list outside permit udp host 22x.x.29.221 host 10.1.1.146 eq 443
    access-list outside permit tcp host 22x.x.29.221 host 192.168.101.250 eq https
    access-list outside permit udp host 22x.x.29.221 host 192.168.101.250 eq 443

    access-list outside permit tcp any host cv_outside eq www
    access-list outside permit tcp any host cv_outside eq https
    access-list outside permit tcp any host cv_outside eq 4060
    access-list outside permit tcp any host cv_outside eq 5055
    access-list outside permit tcp any host cv_outside eq 4050
    access-list outside permit udp any host cv_outside eq 4050
    access-list outside permit udp any host cv_outside eq 5055
    access-list outside permit udp any host cv_outside eq 4101
    access-list outside permit udp any host cv_outside eq 4102
    access-list outside permit udp any host cv_outside eq 4103
    access-list outside permit udp any host cv_outside eq 4104
    access-list outside permit udp any host cv_outside eq 4105
    access-list outside permit udp any host cv_outside eq 4106
    access-list outside permit udp any host cv_outside eq 4107
    access-list outside permit udp any host cv_outside eq 4108
    access-list outside permit udp any host cv_outside eq 4109
    access-list outside permit udp any host cv_outside eq 4110
    access-list outside permit udp any host cv_outside eq 4111
    access-list outside permit udp any host cv_outside eq 4112
    access-list outside permit udp any host cv_outside eq 4113
    access-list outside permit udp any host cv_outside eq 4114
    access-list outside permit udp any host cv_outside eq 4115
    access-list outside permit udp any host cv_outside eq 4116
    access-list outside permit tcp any host rees_out eq www
    access-list outside permit tcp any host cv_outside eq 1301
    access-list outside permit tcp host 22x.x.48.62 any eq 8050
    access-list outside permit udp host 22x.x.48.62 any eq 8050
    access-list outside permit udp host 22x.x.48.62 any eq 15000
    access-list outside permit tcp host 22x.x.48.62 any eq 15000
    access-list outside permit tcp host 22x.x.48.60 any eq 9050
    access-list outside permit udp host 22x.x.48.60 any eq 9050
    access-list outside permit udp host 22x.x.48.57 any eq 1571
    access-list outside permit tcp host 22x.x.48.57 any eq 1571
    access-list outside permit tcp host 22x.x.48.57 any eq 1676
    access-list outside permit udp host 22x.x.48.57 any eq 1676
    access-list outside permit tcp any host 10.1.1.146 eq www
    access-list outside permit tcp host 22x.x.54.214 any eq https
    access-list outside permit tcp any host 10.1.1.141 eq https
    access-list outside permit tcp any host 10.1.1.142 eq https
    access-list outside permit tcp any host intranet_web eq www
    access-list outside permit tcp any host web_outlook eq www
    access-list outside permit tcp any host web_outlook eq https
    access-list dmz permit tcp host mail_relay_pvt host exchange eq smtp
    access-list dmz permit ip host web_outlook_pvt host exchange
    access-list dmz permit tcp host web_outlook_pvt host 192.168.101.210 eq domain
    access-list dmz permit tcp host web_outlook_pvt host 192.168.101.211 eq domain
    access-list dmz permit udp host web_outlook_pvt host 192.168.101.211 eq domain
    access-list dmz permit udp host web_outlook_pvt host 192.168.101.210 eq domain
    access-list dmz permit tcp host web_outlook_pvt host 192.168.101.210 eq ldap
    access-list dmz permit tcp host web_outlook_pvt host 192.168.101.211 eq ldap
    access-list dmz permit udp host web_outlook_pvt host 192.168.101.211 eq 3
    access-list dmz permit udp host web_outlook_pvt host 192.168.101.211 eq 389
    access-list dmz permit udp host web_outlook_pvt host 192.168.101.210 eq 389
    access-list dmz permit tcp host web_outlook_pvt host 192.168.101.210 eq 3268
    access-list dmz permit tcp host web_outlook_pvt host 192.168.101.211 eq 3268
    access-list dmz permit tcp host web_outlook_pvt host 192.168.101.210 eq 88
    access-list dmz permit tcp host web_outlook_pvt host 192.168.101.211 eq 88
    access-list dmz permit udp host web_outlook_pvt host 192.168.101.211 eq 88
    access-list dmz permit tcp host webserver_dmz host 192.168.101.33 eq imap4
    access-list dmz permit udp host web_outlook_pvt host 192.168.101.210 eq 88
    access-list dmz permit tcp host webserver_dmz host 192.168.101.33 eq 152
    access-list dmz permit tcp host webserver_dmz host 192.168.101.33 eq 1433
    access-list dmz permit tcp host webserver_dmz host 192.168.101.33 eq sqlnet
    access-list dmz permit tcp host webserver_dmz host 192.168.101.33 eq 1523


    access-list dmz permit tcp any host 192.168.101.33 eq 1433
    access-list dmz permit tcp any host 192.168.101.33 eq 1434

    access-list dmz permit ip 192.168.101.0 255.255.255.0 any
    access-list dmz permit tcp any host 192.168.2.12 eq netbios-ssn
    access-list dmz permit tcp any host 192.168.2.12 range 2967 2968
    access-list dmz permit tcp any host 192.168.2.12 range 1024 4999
    access-list dmz permit ip any host 192.168.101.30
    access-list dmz permit ip host 192.168.101.11 host 192.168.2.34
    access-list dmz permit tcp any host 192.168.101.33 eq sqlnet
    access-list dmz permit icmp any any
    access-list dmz permit tcp host 192.168.101.20 any eq 445
    access-list dmz permit tcp host intranet_vip any eq 445
    access-list dmz permit udp host intranet_vip any eq 445
    access-list dmz permit udp host 192.168.101.20 any eq 445
    access-list dmz permit udp host 192.168.101.20 any eq 88
    access-list dmz permit udp host intranet_vip any eq 88
    access-list dmz permit tcp host intranet_vip any eq 88
    access-list dmz permit tcp host 192.168.101.20 any eq 88
    access-list dmz permit udp host 192.168.101.20 any eq 389
    access-list dmz permit udp host intranet_vip any eq 389
    access-list dmz permit udp host intranet_vip any eq domain
    access-list dmz permit udp host 192.168.101.20 any eq domain
    access-list dmz permit tcp host 192.168.101.20 any eq domain
    access-list dmz permit tcp host Dns_Dmz host 192.168.2.21 range 8400 840
    access-list dmz permit tcp host Dns_Dmz host 192.168.2.21 range 8600 862
    access-list dmz permit tcp host intranet_vip any eq domain
    access-list dmz permit tcp host intranet_vip host 192.168.2.21 range 8400 8403
    access-list dmz permit tcp host intranet_vip host 192.168.2.21 range 8600 8620
    access-list dmz permit tcp host Dns_Dmz host 192.168.2.21 range 8400 8403
    access-list dmz permit tcp host Dns_Dmz host 192.168.2.21 range 8600 8620
    access-list dmz permit tcp host 192.168.101.30 host 192.168.2.21 range 8400 8403
    access-list dmz permit tcp host 192.168.101.30 host 192.168.2.21 range 8600 8620
    access-list dmz permit tcp host 192.168.101.11 host 192.168.2.21 range 8400 8403
    access-list dmz permit tcp host 192.168.101.11 host 192.168.2.21 range 8600 8620
    access-list dmz permit tcp host 192.168.101.250 host 192.168.2.21 range 8400 8403
    access-list dmz permit tcp host 192.168.101.250 host 192.168.2.21 range 8600 8620

    access-list inside permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
    access-list inside permit ip 192.168.4.0 255.255.255.0 192.168.101.0 255.255.255.0
    access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq 2186
    access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq 2187
    access-list inside deny ip 192.168.1.0 255.255.255.0 any
    access-list inside deny ip 192.168.4.0 255.255.255.0 any
    access-list inside permit tcp host 192.168.1.1 any
    access-list inside permit tcp host 192.168.1.2 any
    access-list inside permit tcp host 192.168.1.3 any
    access-list inside permit tcp host 192.168.1.15 any
    access-list inside permit tcp host 192.168.1.100 any
    access-list inside permit tcp host 192.168.100.1 any
    access-list inside permit tcp host 192.168.100.2 any
    access-list inside permit tcp host 192.168.100.3 any
    access-list inside permit tcp host 192.168.2.11 any
    access-list inside permit tcp host 192.168.2.10 any
    access-list inside permit tcp 192.168.0.0 255.255.0.0 any eq www
    access-list inside permit tcp 192.168.0.0 255.255.0.0 any eq 8080
    access-list inside permit tcp 192.168.0.0 255.255.0.0 any eq domain
    access-list inside permit tcp any 192.168.101.0 255.255.255.0
    access-list inside permit ip any any

    pager lines 24
    logging timestamp
    logging monitor notifications
    logging buffered notifications
    logging trap debugging
    logging host inside 192.168.1.201
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu intf5 1500
    mtu intf6 1500
    mtu intf7 1500

    ip address outside 10.1.1.130 255.255.255.0
    ip address inside 192.168.100.1 255.255.255.0
    ip address dmz 192.168.101.1 255.255.255.0
    no ip address intf3
    no ip address intf4
    no ip address intf5
    no ip address intf6
    no ip address intf7
    ip audit info action alarm
    ip audit attack action alarm

    failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 192.168.105.2
    failover ip address inside 192.168.100.2
    failover ip address dmz 192.168.101.2
    no failover ip address intf3
    no failover ip address intf4
    no failover ip address intf5
    no failover ip address intf6
    no failover ip address intf7


    pdm location 10.1.1.135 255.255.255.255 outside
    pdm location 192.168.2.12 255.255.255.255 inside
    pdm location 192.168.2.21 255.255.255.255 inside
    pdm location 192.168.2.34 255.255.255.255 inside
    pdm location 192.168.101.30 255.255.255.255 dmz
    pdm location 192.168.101.250 255.255.255.255 dmz
    pdm location 10.2.2.0 255.255.255.0 inside
    pdm location 172.168.1.0 255.255.255.0 inside
    pdm location 192.168.1.1 255.255.255.255 inside
    pdm location 192.168.1.2 255.255.255.255 inside
    pdm location 192.168.1.3 255.255.255.255 inside
    pdm location 192.168.1.15 255.255.255.255 inside
    pdm location 192.168.1.100 255.255.255.255 inside
    pdm location 192.168.1.201 255.255.255.255 inside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location 192.168.2.10 255.255.255.255 inside
    pdm location 192.168.2.11 255.255.255.255 inside
    pdm location exchange_pvt 255.255.255.255 inside
    pdm location 192.168.4.0 255.255.255.0 inside
    pdm location cv_inside 255.255.255.255 inside
    pdm location 192.168.100.2 255.255.255.255 inside
    pdm location 192.168.100.3 255.255.255.255 inside
    pdm location 192.168.0.0 255.255.0.0 inside
    pdm location mail_relay_pvt 255.255.255.255 dmz
    pdm location web_outlook_pvt 255.255.255.255 dmz
    pdm location webserver_dmz 255.255.255.255 dmz
    pdm location webredline 255.255.255.255 dmz
    pdm location redlineOWA 255.255.255.255 dmz
    pdm location 192.168.101.11 255.255.255.255 dmz
    pdm location rees_redline 255.255.255.255 dmz
    pdm location 192.168.101.14 255.255.255.255 dmz
    pdm location 192.168.101.15 255.255.255.255 dmz
    pdm location 192.168.101.16 255.255.255.255 dmz
    pdm location 192.168.101.20 255.255.255.255 dmz
    pdm location intranet_vip 255.255.255.255 dmz
    pdm location Dns_Dmz 255.255.255.255 dmz
    pdm location blackboard_dmz 255.255.255.255 dmz
    pdm location 192.168.101.210 255.255.255.255 dmz
    pdm location 192.168.101.211 255.255.255.255 dmz
    pdm location 22x.x.29.221 255.255.255.255 outside
    pdm location 22x.x.48.57 255.255.255.255 outside
    pdm location 22x.42.48.60 255.255.255.255 outside
    pdm location 22x.x.48.62 255.255.255.255 outside
    pdm location 22x.x.54.214 255.255.255.255 outside
    pdm location ISADMZ 255.255.255.255 dmz
    pdm history enable
    arp timeout 14400

    global (outside) 1 10.1.1.150-10.1.1.155
    global (outside) 1 10.1.1.156

    global (dmz) 1 interface


    nat (inside) 1 10.2.2.0 255.255.255.0 0 0
    nat (inside) 1 172.168.1.0 255.255.255.0 0 0    (this is wrong because it is a public IP address)
    nat (inside) 1 192.168.0.0 255.255.0.0 0 0
    nat (dmz) 1 192.168.101.0 255.255.255.0 0 0


    alias (dmz) 192.168.101.210 192.168.2.10 255.255.255.255
    static (inside,dmz) exchange exchange_pvt netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.101.211 192.168.2.11 netmask 255.255.255.255 0 0
    static (dmz,outside) mail_relay mail_relay_pvt netmask 255.255.255.255 0 0
    static (dmz,outside) webserver webredline netmask 255.255.255.255 0 0
    static (dmz,outside) blackboard blackboard_dmz netmask 255.255.255.255 0 0
    static (dmz,outside) Dns_Outside Dns_Dmz netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.101.33 192.168.2.34 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.1.1.141 192.168.101.16 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.1.1.142 192.168.101.15 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.1.1.143 192.168.101.14 netmask 255.255.255.255 0 0
    static (dmz,outside) 10.1.1.146 192.168.101.250 netmask 255.255.255.255 0 0
    static (dmz,outside) intranet_web intranet_vip netmask 255.255.255.255 0 0
    static (dmz,outside) rees_out rees_redline netmask 255.255.255.255 0 0
    static (inside,outside) cv_outside cv_inside netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.101.212 192.168.2.12 netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.101.210 192.168.2.10 netmask 255.255.255.255 0 0

    static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
    static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0

    static (dmz,outside) web_outlook redlineOWA netmask 255.255.255.255 0 0

    access-group outside in interface outside
    access-group inside in interface inside
    access-group dmz in interface dmz

    route outside 0.0.0.0 0.0.0.0 10.1.1.129 1
    route inside 10.2.2.0 255.255.255.0 192.168.55.254 1
    route inside 172.168.1.0 255.255.255.0 192.168.100.3 1
    route inside 192.168.0.0 255.255.0.0 192.168.100.3 1

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local

    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community mycompany2004pub
    no snmp-server enable traps
    floodguard enable
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 20
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 dmz
    ssh 0.0.0.0 0.0.0.0 intf3
    ssh 0.0.0.0 0.0.0.0 intf4
    ssh 0.0.0.0 0.0.0.0 intf5
    ssh timeout 5
    console timeout 0
    terminal width 80

  2. #2 Senior Member (Join Date: Dec 2004, Posts: 140)
    access-list outside permit tcp host 22x.x.29.221 host 10.1.1.146 eq https
    access-list outside permit udp host 22x.x.29.221 host 10.1.1.146 eq 443
    access-list outside permit tcp host 22x.x.29.221 host 192.168.101.250 eq https
    access-list outside permit udp host 22x.x.29.221 host 192.168.101.250 eq 443
    Does it make sense to permit public IP addresses, given that our PIX is connected to another PIX via a 10.x.x.x address, and that other PIX is the one connected to a public IP address?


    access-list dmz permit tcp any host 192.168.101.33 eq 1433
    access-list dmz permit tcp any host 192.168.101.33 eq 1434
    This does not make sense to me. Why do I need to permit any host within the DMZ to access another specific host within the DMZ as well? (192.168.101.x IP addresses are within the DMZ area.)


    pdm location 22x.42.48.60 255.255.255.255 outside
    pdm location 22x.x.48.62 255.255.255.255 outside
    pdm location 22x.x.54.214 255.255.255.255 outside
    pdm location ISADMZ 255.255.255.255 dmz
    pdm history enable
    arp timeout 14400
    I accessed the PIX Device Manager (PDM) on the inside address from my desktop (192.168.1.104) on our LAN and from another desktop (192.168.1.56) on our LAN as well. Why can't I see the "pdm location" for both of those desktops?

  3. #3 thehorse13, Master-Jedi-Pimps0r & Moderator (Join Date: Dec 2002, Location: Washington D.C. area, Posts: 2,885)
    The issue here is that you need a real firewall audit. I happen to have *plenty* of experience with this. Here is how you do it on a production firewall:

    1) Approach the system owners, starting with the edge servers (closest to the internet) and ask for a system security plan that provides specific details on what the box does and what needs to be accessed. If they don't have one, ask them to create one. If they resist, be sure they understand that they own the risk should something go wrong.

    2) Once you have all the technical specifics, go through the ruleset and remove ACLs but place comments in there stating why you've done so. If there are no issues after a few months, you can remove the commented out ACLs and the explanations.

    3) When you wrap up the audit, a good idea would be to run a vulnerability assessment tool (like Nessus) to see what your security stance is. If you find it unacceptable, you'll have enough organizational knowledge to suggest changes to lower risk.

    This is an involved process that will take time. You certainly don't want to start removing ACLs from a production PIX without fully understanding the impact.

    Also note that this is a simplified view of the process. You'll need to consider regulatory compliance issues when doing this and for the operational end of the equation.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
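A mechanical check to support the step-2 ruleset review above, added here as an example and not code from the thread: a small Python script that parses PIX 6.3 `name` and `access-list` lines and flags rules that an earlier rule in the same access-list already covers. The sample is constructed from lines in the thread's configuration plus one added line (`host 10.1.1.134 eq 80`); the port keyword table and the tuple layout are my own choices.

```python
import ipaddress

# Port keywords used in the thread's ACLs, so that "eq www" and "eq 80" compare equal.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "smtp": 25, "ldap": 389,
              "sqlnet": 1521, "imap4": 143, "netbios-ssn": 139}
ANY_NET, ANY_PORT = ipaddress.ip_network("0.0.0.0/0"), (0, 65535)

# Constructed sample: lines from the thread's config plus one added line (10.1.1.134 eq 80).
SAMPLE = """\
name 10.1.1.134 webserver
access-list outside permit tcp any host webserver eq www
access-list outside permit tcp any host 10.1.1.134 eq 80
access-list inside deny ip 192.168.1.0 255.255.255.0 any
access-list inside permit tcp host 192.168.1.1 any
access-list inside permit ip any any
access-list dmz permit tcp any host 192.168.101.33 eq 1433
"""


def port(tok):
    return int(PORT_NAMES.get(tok, tok))


def parse_rules(text):
    """Turn 'name' and 'access-list' lines into tuples (acl, action, proto, src_net,
    src_ports, dst_net, dst_ports, line); 'name' lines must precede their use."""
    names, rules = {}, []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) >= 3 and toks[0] == "name":
            names[toks[2]] = toks[1]
        elif len(toks) >= 4 and toks[0] == "access-list":
            acl, action, proto, i, fields = toks[1], toks[2], toks[3], 4, []
            for _ in range(2):  # source endpoint, then destination endpoint
                if toks[i] == "any":
                    net, i = ANY_NET, i + 1
                elif toks[i] == "host":
                    net, i = ipaddress.ip_network(names.get(toks[i + 1], toks[i + 1])), i + 2
                else:  # network followed by a subnet mask
                    net, i = ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2
                ports = ANY_PORT
                if i < len(toks) and toks[i] == "eq":
                    ports, i = (port(toks[i + 1]),) * 2, i + 2
                elif i < len(toks) and toks[i] == "range":
                    ports, i = (port(toks[i + 1]), port(toks[i + 2])), i + 3
                fields += [net, ports]
            rules.append((acl, action, proto, *fields, line.strip()))
    return rules


def covers(a, b):
    """True when every packet matched by rule b is also matched by rule a."""
    _, _, pa, sa, spa, da, dpa, _ = a
    _, _, pb, sb, spb, db, dpb, _ = b
    return (pa in ("ip", pb) and sb.subnet_of(sa) and db.subnet_of(da)
            and spa[0] <= spb[0] <= spb[1] <= spa[1]
            and dpa[0] <= dpb[0] <= dpb[1] <= dpa[1])


def find_shadowed(rules):
    """Rules an earlier rule in the same ACL covers: 'redundant' (same action) or 'dead'."""
    hits = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier[0] == later[0] and covers(earlier, later):
                kind = "redundant" if earlier[1] == later[1] else "dead"
                hits.append((later[-1], earlier[-1], kind))
                break
    return hits
```

The test is purely syntactic: it does not know that a list applied with `access-group ... in` only sees traffic arriving on that interface, so `any` as the source in the dmz list effectively means the 192.168.101.0/24 hosts; treat hits as candidates for the review, not as automatic deletions.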
