Tuesday, March 15, 2011

firewall-wizards Digest, Vol 56, Issue 2

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: PIX 515 7.1 vs: 8.0 (John Morrison)
2. Re: PIX 515 7.1 vs: 8.0 (Christopher J. Wargaski)


----------------------------------------------------------------------

Message: 1
Date: Mon, 14 Mar 2011 20:32:56 +0000
From: John Morrison <john.morrison101@gmail.com>
Subject: Re: [fw-wiz] PIX 515 7.1 vs: 8.0
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AANLkTi=P8ZDLz0HB2n_UVKQ0Y5FdYyiXfy6=oyn1sWMD@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Brian,

I don't see an address range defined for the inside. For example:
dhcpd address 192.168.99.10-192.168.99.250 inside

Or the dhcpd enable:
dhcpd enable inside


On 9 March 2011 01:24, Brian Blater <brb.lists@gmail.com> wrote:
> I was recently able to pick up another pix to play with. I currently
> have a PIX 515e with 7.1, but this new one comes with 8.0. I'm
> wondering if there is something new in the 8.0 version that is working
> differently and has me stumped. One difference between the two PIXs I
> have is that the new one has a 4 port card for a total of 6 ethernet
> ports. I've setup DHCPD on two of the interfaces, but I can't get it
> to assign an address to anything connected to those interfaces (dmz
> and vonage). Also, if I manually assign an IP to a device on one of
> those networks I can't even get out the internet. So, either some ACL
> or static mapping is interfering there, but I can't see what I've
> messed up. The DMZ port on the PIX 515e with 7.1 just works both with
> DHCPD and internet access, but even if I try the same ACLs and statics
> on the 8.0 PIX I'm still not getting anything working. Basically I'm
> stumped.
>
> I've attached the 8.0 config below. If anyone can give me a hand and
> let me know what I'm missing that would be great.
>
> Thanks for your help.
>
> Brian
>
>
>
> PIX Version 8.0(4)32
> !
> hostname brb-pix
> domain-name bfamily.org
> enable password xxxxxx encrypted
> passwd xxxxxxx encrypted
> names
> !
> interface Ethernet0
>  nameif outside
>  security-level 0
>  ip address 24.199.216.33 255.255.255.248
> !
> interface Ethernet1
>  nameif inside
>  security-level 100
>  ip address 192.168.99.1 255.255.255.0
> !
> interface Ethernet2
>  nameif dmz
>  security-level 50
>  ip address 192.168.109.1 255.255.255.0
> !
> interface Ethernet3
>  nameif vonage
>  security-level 25
>  ip address 192.168.149.1 255.255.255.0
> !
> interface Ethernet4
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> interface Ethernet5
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> ftp mode passive
> clock timezone EST -5
> clock summer-time EDT recurring
> dns domain-lookup inside
> dns server-group DefaultDNS
>  name-server 192.168.99.201
>  domain-name bfamily.org
> access-list outside remark access list for outside
> access-list outside extended permit icmp any any echo-reply
> access-list outside extended permit icmp any any unreachable
> access-list outside extended permit tcp any any eq https
> access-list outside extended permit tcp any any eq 2525
> access-list dmz remark access list for dmz
> access-list dmz extended permit icmp 192.168.109.0 255.255.255.0
> 192.168.99.0 255.255.255.0 echo-reply
> access-list dmz extended permit icmp 192.168.109.0 255.255.255.0
> 192.168.99.0 255.255.255.0 unreachable
> access-list dmz extended permit udp 192.168.109.0 255.255.255.0 host
> 192.168.99.201 eq domain
> access-list dmz extended permit ip 192.168.109.0 255.255.255.0 any
> access-list nonat remark nonat for dmz and inside interfaces
> access-list nonat extended permit ip 192.168.99.0 255.255.255.0
> 192.168.109.0 255.255.255.0
> access-list nonat extended permit ip 192.168.109.0 255.255.255.0
> 192.168.99.0 255.255.255.0
> access-list nonat extended permit ip 192.168.99.0 255.255.255.0
> 192.168.129.0 255.255.255.0
> access-list nonat extended permit ip 192.168.129.0 255.255.255.0
> 192.168.99.0 255.255.255.0
> access-list vonage remark access list for vonage network
> access-list vonage_access_in extended permit ip 192.168.149.0 255.255.255.0 any
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> mtu vonage 1500
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list nonat
> nat (inside) 1 192.168.99.0 255.255.255.0
> nat (dmz) 0 access-list nonat
> nat (dmz) 1 192.168.109.0 255.255.255.0
> nat (vonage) 0 access-list nonat
> nat (vonage) 1 192.168.149.0 255.255.255.0
> static (dmz,outside) tcp interface https 192.168.109.44 https netmask
> 255.255.255.255
> static (inside,outside) tcp interface 2525 192.168.99.202 smtp netmask
> 255.255.255.255
> static (inside,dmz) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
> static (inside,vonage) 192.168.99.0 192.168.99.0 netmask 255.255.255.0
> access-group outside in interface outside
> access-group dmz in interface dmz
> access-group vonage_access_in in interface vonage
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> timeout tcp-proxy-reassembly 0:01:00
> dynamic-access-policy-record DfltAccessPolicy
> http server enable
> http 192.168.99.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
> telnet 192.168.99.0 255.255.255.0 inside
> telnet timeout 5
> ssh 192.168.99.0 255.255.255.0 inside
> ssh 192.168.109.0 255.255.255.0 dmz
> ssh timeout 60
> console timeout 0
> dhcpd dns 4.2.2.1 8.8.8.8
> dhcpd lease 259200
> dhcpd ping_timeout 750
> dhcpd domain bfamily.org
> !
> dhcpd address 192.168.109.101-192.168.109.110 dmz
> dhcpd dns 208.67.222.222 208.67.220.220 interface dmz
> dhcpd lease 259200 interface dmz
> dhcpd ping_timeout 750 interface dmz
> dhcpd domain bfamily.org interface dmz
> dhcpd enable dmz
> !
> dhcpd address 192.168.149.101-192.168.149.110 vonage
> dhcpd enable vonage
> !
> threat-detection basic-threat
> threat-detection statistics host
> threat-detection statistics port
> threat-detection statistics protocol
> threat-detection statistics access-list
> no threat-detection statistics tcp-intercept
> username bblater password xxxxxxxxx encrypted privilege 15
> !
> class-map inspection_default
>  match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
>  parameters
>   message-length maximum 512
> policy-map global_policy
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect netbios
>   inspect rsh
>   inspect rtsp
>   inspect skinny
>   inspect esmtp
>   inspect sqlnet
>   inspect sunrpc
>   inspect tftp
>   inspect sip
>   inspect xdmcp
> !
> service-policy global_policy global
> prompt hostname context
> Cryptochecksum:
> brb-pix#
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

Message: 2
Date: Fri, 11 Mar 2011 23:54:35 -0600
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: Re: [fw-wiz] PIX 515 7.1 vs: 8.0
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AANLkTik6RfDiEgFt3tkgEUPUc+qyLNXhMG3zd+bo498o@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hey Brian--

Configuration-wise you should have no problems with 8.0 if you know 7.1.

You appear to have NAT configured correctly. Your ACLs look good too. What
I do not see are any route statements--do you have a default route set?

Also, you should increase the message-length maximum to 4096 given the
rollout of DNSSEC.

cjw
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20110311/2a0ae045/attachment-0001.html>
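
As an added example that is not part of the thread (and not Cisco tooling), the checks the two replies make by eye, mechanised as a small linter over a constructed excerpt modelled on the posted config: a DHCP pool without a matching `dhcpd enable`, no default route, a DNS inspection `message-length maximum` below 4096, and a nonat ACL entry naming a subnet that no interface carries (the posted nonat list refers to 192.168.129.0 while the vonage interface is 192.168.149.0). Parsing the running-config text with regular expressions is this example's own approach, and the sample config and finding strings are constructed.

```python
import ipaddress, re

# Constructed, trimmed excerpt modelled on the config posted in the thread (not Brian's full config).
SAMPLE_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 192.168.99.1 255.255.255.0
interface Ethernet3
 nameif vonage
 ip address 192.168.149.1 255.255.255.0
access-list nonat extended permit ip 192.168.99.0 255.255.255.0 192.168.129.0 255.255.255.0
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
dhcpd address 192.168.149.101-192.168.149.110 vonage
dhcpd enable vonage
dhcpd address 192.168.99.10-192.168.99.250 inside
"""

def interface_subnets(cfg):
    # Map each nameif to its connected network, taken from the "ip address <addr> <mask>" line that follows it.
    subnets, name = {}, None
    for line in cfg.splitlines():
        if m := re.match(r" +nameif (\S+)$", line):
            name = m.group(1)
        elif (m := re.match(r" +ip address (\S+) (\S+)$", line)) and name:
            subnets[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return subnets

def lint(cfg):
    findings, subnets, lines = [], interface_subnets(cfg), cfg.splitlines()
    # 1. A DHCP pool is inert without "dhcpd enable <if>", and must lie inside that interface's subnet.
    for lo, hi, ifc in re.findall(r"^dhcpd address (\S+)-(\S+) (\S+)$", cfg, re.M):
        if f"dhcpd enable {ifc}" not in lines:
            findings.append(f"dhcp: pool on {ifc} but no 'dhcpd enable {ifc}'")
        if (net := subnets.get(ifc)) and not all(ipaddress.ip_address(x) in net for x in (lo, hi)):
            findings.append(f"dhcp: pool {lo}-{hi} is outside the {ifc} subnet {net}")
    # 2. Without a default route, NAT and ACLs can be perfect and nothing reaches the internet.
    if not re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", cfg, re.M):
        findings.append("route: no default route (route <if> 0.0.0.0 0.0.0.0 <gateway>)")
    # 3. DNSSEC responses exceed the classic 512-byte limit; the dns inspect policy should allow 4096.
    for length in re.findall(r"^ +message-length maximum (\d+)$", cfg, re.M):
        if int(length) < 4096:
            findings.append(f"dns: message-length maximum {length} is below 4096")
    # 4. A nonat entry naming a subnet that no interface carries exempts nothing and is usually a typo.
    for src, dst in re.findall(r"^access-list nonat .*permit ip (\S+) \S+ (\S+) \S+$", cfg, re.M):
        for addr in (src, dst):
            if not any(ipaddress.ip_address(addr) in net for net in subnets.values()):
                findings.append(f"nonat: {addr} is not on any interface subnet")
    return findings
```

Running `lint(SAMPLE_CONFIG)` on the excerpt reports all four gaps; point it at the output of `show running-config` to check a real box.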

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 56, Issue 2
***********************************************