
Saturday, March 12, 2011

firewall-wizards Digest, Vol 56, Issue 1

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. PIX 515 7.1 vs: 8.0 (Brian Blater)


----------------------------------------------------------------------

Message: 1
Date: Tue, 8 Mar 2011 20:24:50 -0500
From: Brian Blater <brb.lists@gmail.com>
Subject: [fw-wiz] PIX 515 7.1 vs: 8.0
To: FW Wiz <firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AANLkTi=u3mYEXTO+2PzSheFvkofPL5yqbKZ6XZSYO9qK@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I was recently able to pick up another pix to play with. I currently
have a PIX 515e with 7.1, but this new one comes with 8.0. I'm
wondering if there is something new in the 8.0 version that is working
differently and has me stumped. One difference between the two PIXs I
have is that the new one has a 4 port card for a total of 6 ethernet
ports. I've set up DHCPD on two of the interfaces, but I can't get it
to assign an address to anything connected to those interfaces (dmz
and vonage). Also, if I manually assign an IP to a device on one of
those networks I can't even get out to the internet. So, either some ACL
or static mapping is interfering there, but I can't see what I've
messed up. The DMZ port on the PIX 515e with 7.1 just works both with
DHCPD and internet access, but even if I try the same ACLs and statics
on the 8.0 PIX I'm still not getting anything working. Basically I'm
stumped.

I've attached the 8.0 config below. If anyone can give me a hand and
let me know what I'm missing that would be great.

Thanks for your help.

Brian

PIX Version 8.0(4)32
!
hostname brb-pix
domain-name bfamily.org
enable password xxxxxx encrypted
passwd xxxxxxx encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 24.199.216.33 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.99.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.109.1 255.255.255.0
!
interface Ethernet3
nameif vonage
security-level 25
ip address 192.168.149.1 255.255.255.0
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.99.201
domain-name bfamily.org
access-list outside remark access list for outside
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any unreachable
access-list outside extended permit tcp any any eq https
access-list outside extended permit tcp any any eq 2525
access-list dmz remark access list for dmz
access-list dmz extended permit icmp 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0 echo-reply
access-list dmz extended permit icmp 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0 unreachable
access-list dmz extended permit udp 192.168.109.0 255.255.255.0 host 192.168.99.201 eq domain
access-list dmz extended permit ip 192.168.109.0 255.255.255.0 any
access-list nonat remark nonat for dmz and inside interfaces
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.109.0 255.255.255.0
access-list nonat extended permit ip 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list nonat extended permit ip 192.168.129.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list vonage remark access list for vonage network
access-list vonage_access_in extended permit ip 192.168.149.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu vonage 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.99.0 255.255.255.0
nat (dmz) 0 access-list nonat
nat (dmz) 1 192.168.109.0 255.255.255.0
nat (vonage) 0 access-list nonat
nat (vonage) 1 192.168.149.0 255.255.255.0
static (dmz,outside) tcp interface https 192.168.109.44 https netmask 255.255.255.255
static (inside,outside) tcp interface 2525 192.168.99.202 smtp netmask 255.255.255.255
static (inside,dmz) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
static (inside,vonage) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
access-group outside in interface outside
access-group dmz in interface dmz
access-group vonage_access_in in interface vonage
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.99.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.99.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.99.0 255.255.255.0 inside
ssh 192.168.109.0 255.255.255.0 dmz
ssh timeout 60
console timeout 0
dhcpd dns 4.2.2.1 8.8.8.8
dhcpd lease 259200
dhcpd ping_timeout 750
dhcpd domain bfamily.org
!
dhcpd address 192.168.109.101-192.168.109.110 dmz
dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
dhcpd lease 259200 interface dmz
dhcpd ping_timeout 750 interface dmz
dhcpd domain bfamily.org interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.149.101-192.168.149.110 vonage
dhcpd enable vonage
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username bblater password xxxxxxxxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
brb-pix#


------------------------------
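Editor's note on the configuration above. A PIX/ASA running-config of this size has several cross-references that must line up: every `access-group` and `nat (if) 0 access-list` must name a defined ACL, a NAT-exemption ACL only matches traffic on an interface if some permit entry's source falls inside that interface's subnet, and every `dhcpd address` pool must sit inside the subnet of the interface it is bound to. The script below is an added example (not part of the original digest, and not a Cisco tool) that parses the relevant commands and reports references that do not line up. `SAMPLE_CONFIG` is a constructed excerpt of Brian's posted config with the e-mail-wrapped lines re-joined and unrelated commands dropped; the check names and messages are mine. A static check like this cannot say whether any finding explains the DHCP symptom; it only shows where the config is inconsistent with itself.

```python
"""Consistency checks for a PIX/ASA 8.x running-config (added example, not Cisco tooling).

SAMPLE_CONFIG is a constructed excerpt of the configuration posted above, with the
e-mail-wrapped access-list lines re-joined and unrelated commands omitted.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 24.199.216.33 255.255.255.248
interface Ethernet1
 nameif inside
 ip address 192.168.99.1 255.255.255.0
interface Ethernet2
 nameif dmz
 ip address 192.168.109.1 255.255.255.0
interface Ethernet3
 nameif vonage
 ip address 192.168.149.1 255.255.255.0
access-list outside extended permit tcp any any eq https
access-list dmz extended permit icmp 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0 echo-reply
access-list dmz extended permit udp 192.168.109.0 255.255.255.0 host 192.168.99.201 eq domain
access-list dmz extended permit ip 192.168.109.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.109.0 255.255.255.0
access-list nonat extended permit ip 192.168.109.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list nonat extended permit ip 192.168.129.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list vonage remark access list for vonage network
access-list vonage_access_in extended permit ip 192.168.149.0 255.255.255.0 any
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat
nat (vonage) 0 access-list nonat
access-group outside in interface outside
access-group dmz in interface dmz
access-group vonage_access_in in interface vonage
dhcpd address 192.168.109.101-192.168.109.110 dmz
dhcpd address 192.168.149.101-192.168.149.110 vonage
"""

# Commands that end an "interface" block when the paste has lost its indentation.
TOP_LEVEL = ("access-list ", "access-group ", "nat ", "global ", "static ", "dhcpd ")


def _acl_addr(tok, i):
    """Parse an ACL address at tok[i]: 'any', 'host A', or 'A MASK'. Returns (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_config(text):
    """Extract interfaces, extended ACLs, nat 0 exemptions, access-groups and dhcpd pools."""
    cfg = {"ifaces": {}, "acls": {}, "nat0": [], "access_groups": [], "dhcpd": []}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if line.startswith("interface "):
            cur = {"net": None}
        elif line.startswith(TOP_LEVEL):
            cur = None
        if cur is not None and tok[0] == "nameif":
            cfg["ifaces"][tok[1]] = cur
        elif cur is not None and line.startswith("ip address "):
            cur["net"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "access-list":
            entries = cfg["acls"].setdefault(tok[1], [])  # remark-only ACLs are still registered
            if tok[2] == "extended":
                src, i = _acl_addr(tok, 5)
                dst, _ = _acl_addr(tok, i)
                entries.append({"action": tok[3], "proto": tok[4], "src": src, "dst": dst})
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            cfg["nat0"].append((m[1], m[2]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["access_groups"].append((m[1], m[2]))
        elif m := re.match(r"dhcpd address (\S+)-(\S+) (\S+)", line):
            cfg["dhcpd"].append((m[1], m[2], m[3]))
    return cfg


def lint(cfg):
    """Return a list of human-readable inconsistencies; an empty list means nothing was flagged."""
    findings, referenced = [], set()
    nets = {n: i["net"].network for n, i in cfg["ifaces"].items() if i["net"]}

    def add(msg):
        if msg not in findings:
            findings.append(msg)

    for acl, ifname in cfg["access_groups"]:
        referenced.add(acl)
        if ifname not in cfg["ifaces"]:
            add(f"access-group {acl}: interface {ifname} has no nameif")
        if acl not in cfg["acls"]:
            add(f"access-group {acl}: ACL is not defined")
        elif not cfg["acls"][acl]:
            add(f"access-group {acl}: ACL has no extended entries")
    for ifname, acl in cfg["nat0"]:
        referenced.add(acl)
        srcs = [e["src"] for e in cfg["acls"].get(acl, []) if e["action"] == "permit"]
        if acl not in cfg["acls"]:
            add(f"nat ({ifname}) 0: ACL {acl} is not defined")
        elif ifname in nets and not any(s.overlaps(nets[ifname]) for s in srcs):
            add(f"nat ({ifname}) 0 access-list {acl}: no permit entry has a source inside "
                f"{nets[ifname]}, so the exemption never matches traffic originating on {ifname}")
    for acl, entries in cfg["acls"].items():
        if acl not in referenced:
            add(f"access-list {acl}: defined but never applied by access-group or nat")
        for e in entries:
            for net in (e["src"], e["dst"]):
                if net.prefixlen and not any(net.overlaps(n) for n in nets.values()):
                    add(f"access-list {acl}: {net} matches no configured interface subnet")
    for start, end, ifname in cfg["dhcpd"]:
        iface = cfg["ifaces"].get(ifname)
        if not iface or not iface["net"]:
            add(f"dhcpd address on {ifname}: interface has no nameif or ip address")
            continue
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi or lo not in iface["net"].network or hi not in iface["net"].network:
            add(f"dhcpd address {start}-{end} {ifname}: pool is not inside {iface['net'].network}")
        if lo <= iface["net"].ip <= hi:
            add(f"dhcpd address {start}-{end} {ifname}: pool includes the interface address {iface['net'].ip}")
    return findings


def lint_text(text):
    return lint(parse_config(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the excerpt, the script flags three things: `nat (vonage) 0` points at `nonat`, but no `nonat` entry has a source in 192.168.149.0/24; two `nonat` entries reference 192.168.129.0/24, which is not the subnet of any interface; and the remark-only ACL `vonage` is never applied (the interface uses `vonage_access_in`). Whether any of these bears on the DHCP symptom is a question for `debug dhcpd` and `show xlate` on the box, not for a static check.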

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 56, Issue 1
***********************************************
