Using the PIX Firewall in Small Networks
This section details the implementation and configuration of the PIX Firewall in the small network standalone model. WAN connectivity is provided by an ISP-supplied device. The configuration shows only the ACLs and cryptographic parameters that are required for the PIX Firewall to operate as a headend device. This section covers the following primary features and configuration examples:
- Outside interface filtering
- Inside interface filtering
- DMZ interface filtering
- IDS configuration
- VPN configuration
Outside Interface Filtering
By using an ACL, you can filter traffic that is entering from the outside (Internet) interface. This filtering is applied to the outside interface by using the access-group command. Two points of PIX syntax matter here: access-list entries take subnet masks (for example 255.0.0.0), not IOS-style wildcard masks, and the list is evaluated top-down until the first match, with anything unmatched dropped by the implicit deny at the end. You should consider the following common ACL definitions.

Allow access to the services that are available on the public services segment:

access-list outside_access_in permit tcp any host public-NAT-IP eq ftp
access-list outside_access_in permit tcp any host public-NAT-IP eq www
access-list outside_access_in permit tcp any host public-NAT-IP eq smtp
access-list outside_access_in permit tcp any host public-NAT-IP eq 443
access-list outside_access_in permit udp any host public-NAT-IP eq domain

If required, allow traffic from remote sites:

access-list outside_access_in permit ip remote-site-A-network internal-network
access-list outside_access_in permit ip remote-site-B-network internal-network

Apply RFC 1918 filtering. Because evaluation is first-match, these entries must come after any permit for a remote site that uses RFC 1918 addressing; if RFC 1918 addresses are used remotely, these rules require modification accordingly.

access-list outside_access_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_access_in deny ip 192.168.0.0 255.255.0.0 any

If required, allow management traffic from the remote sites. This can be either a global statement, as shown in the command that follows, or made more specific by electing to specify services. As with the remote-site entries, place it ahead of the RFC 1918 denies if the remote device has an RFC 1918 address.

access-list outside_access_in permit ip host remote-device-IP host management-server-IP

Allow echo replies to internally generated traffic:

access-list outside_access_in permit icmp any host public-NAT-IP echo-reply
Internal Traffic Filtering
By using an ACL, you can filter traffic that is entering from the inside interface. This filtering is applied to the inside interface by using the access-group command. Because evaluation is first-match, the entries that restrict access to the public services segment must precede the final permit for Internet-bound traffic. You should consider the following common ACL definitions.

Allow management access to the public services network devices:

access-list inside_access_in permit tcp host management-host-IP host PS-device-IP eq 22

Allow internal user access to the public services, such as web and FTP services:

access-list inside_access_in permit tcp internal-network host public-server-IP eq service

Allow the internal mail server to communicate with the public mail server:

access-list inside_access_in permit tcp host internal-mail-server-IP host public-mail-server-IP eq smtp

Allow the internal DNS server to communicate with the public DNS server:

access-list inside_access_in permit udp host internal-DNS-IP host public-DNS-IP eq domain

Allow outbound ICMP echo requests (the corresponding echo replies are permitted on the outside and DMZ interfaces):

access-list inside_access_in permit icmp any any echo

Deny all other access to the public services segment:

access-list inside_access_in deny ip any public-services-network

Permit all other traffic to the outside:

access-list inside_access_in permit ip any any
Public Services Traffic Filtering
By using an ACL, you can filter traffic that is entering from the DMZ interface. This filtering is applied to the DMZ interface by using the access-group command; only one list can be bound to an interface, so every entry below belongs to dmz_access_in. You should consider the following common ACL definitions.

Allow mail services between the public and internal mail servers:

access-list dmz_access_in permit tcp host public-mail-server-IP host internal-mail-server-IP eq smtp

Allow echo replies to echo requests that originated on the internal network (for ICMP the message type follows the destination directly; the eq keyword is not used):

access-list dmz_access_in permit icmp public-services-network internal-network echo-reply

Allow HIDS traffic from the public server to the management server:

access-list dmz_access_in permit tcp host public-server-IP host management-server-IP eq 5000

Allow management traffic to flow from public services segment network devices:

access-list dmz_access_in permit ip host PS-network-device-IP host management-server-IP

Deny all other connections to the internal network from the public services segment:

access-list dmz_access_in deny ip any internal-network

Allow all mail and DNS traffic originating from the public services server. These entries follow the deny above, so they apply only to destinations outside the internal network:

access-list dmz_access_in permit tcp host public-server-IP any eq smtp
access-list dmz_access_in permit udp host public-server-IP any eq domain
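The three interface lists above share the same two pitfalls: an entry is only reached if nothing earlier matched, and the second address operand is a subnet mask. The following evaluator is an added example (not Cisco code and not part of this guide) that applies those PIX semantics to lists written in the syntax shown in this section. It uses constructed addresses in place of the placeholders public-NAT-IP (203.0.113.10), remote-site-A-network (192.168.10.0/24), internal-network (10.1.0.0/16) and public-services-network (10.2.0.0/24); the function names and the shadowed() check are this example's own, not PIX commands.

```python
"""First-match evaluator for PIX interface ACLs (added example, not Cisco code).

PIX access-list entries take subnet masks such as 255.0.0.0, never IOS wildcard
masks, and a list is scanned top-down to the first match, with an implicit deny
at the end. All addresses below are constructed stand-ins for the placeholders
used in the outside, inside and DMZ lists of this section.
"""
import ipaddress

PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80, "https": 443}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


class Addr:
    """Network/mask pair matched the way the PIX does: (ip & mask) == (net & mask)."""

    def __init__(self, net, mask):
        self.net, self.mask = _ip(net), _ip(mask)

    def contains(self, ip):
        return (_ip(ip) & self.mask) == (self.net & self.mask)

    def covers(self, other):
        """True if every address that `other` matches is also matched by self."""
        return ((other.net & self.mask) == (self.net & self.mask)
                and (self.mask & other.mask) == self.mask)


def _parse_addr(tok, i):
    if tok[i] == "any":
        return Addr("0.0.0.0", "0.0.0.0"), i + 1
    if tok[i] == "host":
        return Addr(tok[i + 1], "255.255.255.255"), i + 2
    return Addr(tok[i], tok[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        port = icmp = None
        if i < len(tok) and tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        elif i < len(tok) and tok[3] == "icmp":
            icmp = tok[i]  # ICMP type follows the destination directly, without 'eq'
        rules.append({"action": tok[2], "proto": tok[3], "src": src, "dst": dst,
                      "port": port, "icmp": icmp, "line": line.strip()})
    return rules


def _matches(r, proto, src, dst, port, icmp):
    return (r["proto"] in ("ip", proto)
            and r["src"].contains(src) and r["dst"].contains(dst)
            and r["port"] in (None, port) and r["icmp"] in (None, icmp))


def evaluate(rules, proto, src, dst, port=None, icmp=None):
    """Return (action, matching entry); unmatched traffic falls to the implicit deny."""
    for r in rules:
        if _matches(r, proto, src, dst, port, icmp):
            return r["action"], r["line"]
    return "deny", "<implicit deny>"


def shadowed(rules):
    """Entries that can never match because an earlier entry already covers all their traffic."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier["proto"] in ("ip", later["proto"])
                    and earlier["src"].covers(later["src"]) and earlier["dst"].covers(later["dst"])
                    and earlier["port"] in (None, later["port"])
                    and earlier["icmp"] in (None, later["icmp"])):
                found.append((later["line"], earlier["line"]))
                break
    return found


# Constructed sample lists in the order this section recommends.
OUTSIDE_ACL = """
access-list outside_access_in permit tcp any host 203.0.113.10 eq www
access-list outside_access_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_access_in permit udp any host 203.0.113.10 eq domain
access-list outside_access_in permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list outside_access_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_access_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_access_in permit icmp any host 203.0.113.10 echo-reply
"""
INSIDE_ACL = """
access-list inside_access_in permit tcp host 10.1.0.5 host 10.2.0.1 eq 22
access-list inside_access_in permit tcp 10.1.0.0 255.255.0.0 host 10.2.0.10 eq www
access-list inside_access_in permit icmp any any echo
access-list inside_access_in deny ip any 10.2.0.0 255.255.255.0
access-list inside_access_in permit ip any any
"""


def misordered_outside():
    """The outside list with the remote-site permit moved below the RFC 1918 denies."""
    lines = OUTSIDE_ACL.strip().splitlines()
    lines.insert(6, lines.pop(3))
    return parse_acl("\n".join(lines))


if __name__ == "__main__":
    print(evaluate(parse_acl(OUTSIDE_ACL), "tcp", "192.168.10.5", "10.1.1.1", port=445))
    print(evaluate(misordered_outside(), "tcp", "192.168.10.5", "10.1.1.1", port=445))
    print(shadowed(misordered_outside()))
    # An IOS wildcard typed into a PIX entry is applied as a subnet mask, so 10.1.2.3 is not caught:
    print(Addr("10.0.0.0", "0.255.255.255").contains("10.1.2.3"))
```

Run it as a script: the remote-site flow is permitted with the list in the recommended order and denied once the permit sits below the RFC 1918 entries, and shadowed() reports exactly that entry as unreachable. The last line shows why the mask convention matters: with 0.255.255.255 applied as a subnet mask, the only addresses that match 10.0.0.0 are those whose last three octets are zero, so a deny written that way does not filter 10.1.2.3 at all.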
IDS Configuration
The implementation of IDS services on a PIX Firewall can be achieved by using the following commands:
ip audit name IDS info action alarm
ip audit name IDS attack action alarm drop reset
ip audit interface outside IDS
ip audit interface inside IDS
ip audit interface dmz IDS
VPN Configuration
The implementation of VPN services on a PIX Firewall can be achieved by using the following commands.

To configure remote-site VPNs, use the following commands:

no sysopt route dnat
crypto ipsec transform-set REMOTESITES esp-3des esp-md5-hmac
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address remote-sites
crypto map REMOTE 10 set peer peer-IP-A
crypto map REMOTE 10 set transform-set REMOTESITES
crypto map REMOTE interface outside
isakmp enable outside
isakmp key key address IP-address netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
access-list remote-sites permit ip internal-network remote-site-network

The crypto ACL remote-sites selects the traffic to be protected and must mirror the ACL configured on the remote peer. 3DES, MD5 and Diffie-Hellman group 2 were the strongest options available on the PIX when this configuration was written and are now considered weak; prefer AES, SHA and a larger DH group where the software supports them.

To configure remote-access VPN users, use the following commands. They define the attributes pushed to the clients; the IKE policy and crypto map for the clients are configured separately with the isakmp and crypto commands.

vpngroup RASVPN address-pool vpnpool
vpngroup RASVPN dns-server dns-address
vpngroup RASVPN default-domain domain-name
vpngroup RASVPN idle-time 1800
vpngroup RASVPN password password
ip local pool vpnpool first-IP-last-IP

The pool is given as the first and last address of the range separated by a hyphen, and the vpngroup password is the group pre-shared key that the clients present.