CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] - text version

Tebyan

  • Using the PIX Firewall in Medium-Sized Networks


    This section details the implementation and configuration of the PIX Firewall in the medium-sized network. The PIX Firewall in the medium-sized network model uses four interfaces: an inside interface, an outside interface, a remote-access segment interface, and a public services segment interface.

    The configuration shows only the ACLs and cryptographic parameters that are needed to achieve the required functionality.

    The primary features and configuration examples that are described in this chapter cover the following:

    • Outside interface filtering

    • Inside interface filtering

    • Public services segment filtering

    • Remote-access segment filtering

    • VPN configuration


    Outside Interface Filtering


    By using an ACL, you can filter traffic that is entering from the outside (public VLAN) interface. This filtering is applied to the outside interface by using the access-group command. You should consider using the following common ACL definitions.

    Allow access to the services that are available on the public services segment:


    access-list outside_access_in permit tcp any host public-NAT-IP eq ftp
    access-list outside_access_in permit tcp any host public-NAT-IP eq www
    access-list outside_access_in permit tcp any host public-NAT-IP eq smtp
    access-list outside_access_in permit tcp any host public-NAT-IP eq 443
    access-list outside_access_in permit udp any host public-NAT-IP eq domain

    If required, allow traffic from remote sites:


    access-list outside_access_in permit ip remote-site-A-network internal-network
    access-list outside_access_in permit ip remote-site-B-network internal-network

    Apply RFC 1918 filtering. If RFC 1918 addresses are used remotely, these rules require modification accordingly.


    access-list outside_access_in deny ip 10.0.0.0 255.0.0.0 any
    access-list outside_access_in deny ip 172.16.0.0 255.240.0.0 any
    access-list outside_access_in deny ip 192.168.0.0 255.255.0.0 any

    If required, allow management traffic from the remote sites. You can either make this statement global, as the following shows, or make it more specific by specifying particular services:


    access-list outside_access_in permit ip host remote-device-IP host management-server-IP

    Allow echo replies to internally generated traffic:


    access-list outside_access_in permit icmp any host public-NAT-IP echo-reply

    Allow traffic from the public VLAN devices to the management servers for syslog, TACACS+, and TFTP:


    access-list outside_access_in permit udp host public-VLAN-device-IP host management-server-IP eq syslog
    access-list outside_access_in permit udp host public-VLAN-device-IP host management-server-IP eq tftp
    access-list outside_access_in permit tcp host public-VLAN-device-IP host management-server-IP eq tacacs

    Inside Interface Filtering


    By using an ACL, you can filter traffic that is entering from the inside interface. This filtering is applied to the inside interface by using the access-group command. You should consider using the following common ACL definitions.

    Allow management access to the public services network devices:


    access-list inside_access_in permit tcp host management-host-IP host PS-device-IP eq 22

    Allow internal user access to public services such as web and FTP services:


    access-list inside_access_in permit tcp internal-network host public-server-IP eq service

    Allow the internal mail server to communicate with the public mail server:


    access-list inside_access_in permit tcp host internal-mail-server-IP host public-mail-server-IP eq smtp

    Allow the internal DNS server to communicate with the public DNS server:


    access-list inside_access_in permit udp host internal-DNS-IP host public-DNS-IP eq domain

    Allow outbound ICMP traffic:


    access-list inside_access_in permit icmp any any echo

    Deny all other access to the public services segment:


    access-list inside_access_in deny ip any public-services-network

    Permit all other traffic to the outside:


    access-list inside_access_in permit ip any any

    Public Services Segment Filtering


    By using an ACL, you can filter traffic that is entering from the public services interface. This filtering is applied to the public services interface by using the access-group command. You should consider using the following common ACL definitions.

    Allow mail services between the public and internal mail servers:


    access-list ps_access_in permit tcp host public-mail-server-IP host internal-mail-server-IP eq smtp

    Allow echo replies from the internal network:


    access-list ps_access_in permit icmp public-services-network internal-network echo-reply

    Allow host-based IPS traffic from the public server to the management server:


    access-list ps_access_in permit tcp host public-server-IP host management-server-IP eq 5000

    Allow management traffic to flow from the public services segment network devices:


    access-list ps_access_in permit ip host PS-network-device-IP host management-server-IP

    Deny all other connections to the internal network from the public services segment:


    access-list ps_access_in deny ip any internal-network

    Allow all mail and DNS traffic that originates from the public services server:


    access-list ps_access_in permit tcp host public-server-IP any eq smtp
    access-list ps_access_in permit udp host public-server-IP any eq domain

    Remote-Access Segment Filtering


    By using an ACL, you can filter traffic that is entering from the remote-access interface. This filtering is applied to the remote-access interface by using the access-group command. You should consider using the following common ACL definitions.

    Allow traffic from the remote-access segment devices to the management servers for syslog, TACACS+, and TFTP:


    access-list remote_access_in permit udp host ra-segment-device-IP host management-server-IP eq syslog
    access-list remote_access_in permit udp host ra-segment-device-IP host management-server-IP eq tftp
    access-list remote_access_in permit tcp host ra-segment-device-IP host management-server-IP eq tacacs

    Allow remote-access users to access the services that are available on the public services segment:


    access-list remote_access_in permit tcp ra-user-pool-network host public-server-IP eq ftp
    access-list remote_access_in permit tcp ra-user-pool-network host public-server-IP eq www
    access-list remote_access_in permit tcp ra-user-pool-network host public-server-IP eq smtp
    access-list remote_access_in permit tcp ra-user-pool-network host public-server-IP eq 443
    access-list remote_access_in permit udp ra-user-pool-network host public-server-IP eq domain

    Permit remote-access users' traffic to the Internet and internal network:


    access-list remote_access_in permit ip ra-user-pool-network any

    Allow remote-access segment devices to synchronize time with the internal time server:


    access-list remote_access_in permit udp host ra-segment-device-IP host time-server-IP eq ntp
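
    The four filtering sections above (outside, inside, public services and remote-access) all rely on the same PIX access-list semantics: entries are evaluated top to bottom, the first match decides, an ACL bound with access-group ends in an implicit deny, and the address masks are subnet masks rather than IOS-style wildcards. The following Python model is an added example, not code from the book or from Cisco. It substitutes constructed documentation-range addresses for the chapter's placeholders (public-NAT-IP, remote-site-A-network, internal-network, management-server-IP and public-VLAN-device-IP), parses a subset of the outside_access_in entries, and evaluates sample flows against them. It goes one step beyond the text by showing how the verdict for a packet with an RFC 1918 source changes depending on whether the RFC 1918 deny entries sit before or after the service permits.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values standing in for the chapter's placeholders; they are
# documentation-range addresses chosen for this example, not values from the book.
PUBLIC_NAT_IP = "203.0.113.10"
PUBLIC_VLAN_DEVICE = "203.0.113.2"
MGMT_SERVER = "10.1.5.5"
REMOTE_SITE_A = "198.51.100.0 255.255.255.0"   # PIX "address netmask" form
INTERNAL_NET = "10.1.0.0 255.255.0.0"

# PIX port keywords that appear on the page, resolved to port numbers.
PORT_NAMES = {"ftp": 21, "www": 80, "smtp": 25, "domain": 53,
              "syslog": 514, "tftp": 69, "tacacs": 49, "ntp": 123}


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # "eq PORT" on tcp/udp entries
    icmp_type: Optional[str] = None  # trailing icmp-type keyword on icmp entries


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def netmask_to_prefix(mask: str) -> int:
    """PIX ACLs take a subnet mask; reject IOS-style wildcards such as 0.255.255.255."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask (PIX expects netmasks, not wildcards)")
    return prefix


def parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    prefix = netmask_to_prefix(tokens.pop(0))
    return ipaddress.ip_network(f"{first}/{prefix}", strict=False)


def parse_rule(line: str) -> Rule:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = parse_addr(rest)
    dst = parse_addr(rest)
    dport = icmp_type = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    elif rest and proto == "icmp":
        icmp_type = rest[0]
    return Rule(action, proto, src, dst, dport, icmp_type)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet fits every field the entry constrains ('ip' matches any protocol)."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; an ACL bound with access-group ends in an implicit deny."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# A subset of the outside-interface entries, in the order the section lists them.
OUTSIDE_AS_LISTED = [parse_rule(line) for line in [
    f"access-list outside_access_in permit tcp any host {PUBLIC_NAT_IP} eq www",
    f"access-list outside_access_in permit tcp any host {PUBLIC_NAT_IP} eq 443",
    f"access-list outside_access_in permit udp any host {PUBLIC_NAT_IP} eq domain",
    f"access-list outside_access_in permit ip {REMOTE_SITE_A} {INTERNAL_NET}",
    "access-list outside_access_in deny ip 10.0.0.0 255.0.0.0 any",
    "access-list outside_access_in deny ip 172.16.0.0 255.240.0.0 any",
    "access-list outside_access_in deny ip 192.168.0.0 255.255.0.0 any",
    f"access-list outside_access_in permit icmp any host {PUBLIC_NAT_IP} echo-reply",
    f"access-list outside_access_in permit udp host {PUBLIC_VLAN_DEVICE} host {MGMT_SERVER} eq syslog",
]]

# The same entries with the three RFC 1918 denies moved ahead of every permit.
OUTSIDE_RFC1918_FIRST = OUTSIDE_AS_LISTED[4:7] + OUTSIDE_AS_LISTED[:4] + OUTSIDE_AS_LISTED[7:]

if __name__ == "__main__":
    spoofed = Packet("tcp", "10.9.9.9", PUBLIC_NAT_IP, 80)  # RFC 1918 source arriving on outside
    print("as listed:     ", evaluate(OUTSIDE_AS_LISTED, spoofed))     # ('permit', 0)
    print("RFC 1918 first:", evaluate(OUTSIDE_RFC1918_FIRST, spoofed))  # ('deny', 0)
```

    Run it directly to print the two verdicts. The point to take from it is that the RFC 1918 entries, in the order the section lists them, only catch traffic that no earlier permit has already matched; placing the anti-spoofing denies at the top of the list makes them apply to every inbound flow. The parser's netmask check also guards against the common habit of writing IOS wildcard masks on a PIX, where the mask field is a subnet mask.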

    VPN Configuration


    You can implement VPN services on a PIX Firewall by using the commands that are described next.

    To configure remote-site VPNs, use the following commands:


    no sysopt route dnat
    crypto ipsec transform-set REMOTESITES esp-3des esp-md5-hmac
    crypto map REMOTE 10 ipsec-isakmp
    crypto map REMOTE 10 match address remote-sites
    crypto map REMOTE 10 set peer peer-IP-A
    crypto map REMOTE 10 set transform-set REMOTESITES
    crypto map REMOTE interface outside
    isakmp enable outside
    isakmp key key address IP-address netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 28800
    access-list remote-sites permit ip internal-network remote-site-network
