This section details the implementation and configuration of the PIX Firewall in the small network standalone model. WAN connectivity is provided by an ISP-supplied device. The configuration shows only the ACLs and cryptographic parameters that are required for the PIX Firewall to operate as a headend device.
This section covers the following primary features and configuration examples:
Outside interface filtering
Inside interface filtering
DMZ interface filtering
IDS configuration
VPN configuration
By using an ACL, you can filter traffic that is entering from the outside (Internet) interface. This filtering is applied to the outside interface by using the access-group command. You should consider the following common ACL definitions.
Allow access to the services that are available on the public services segment:
access-list outside_access_in permit tcp any host public-NAT-IP eq ftp
access-list outside_access_in permit tcp any host public-NAT-IP eq www
access-list outside_access_in permit tcp any host public-NAT-IP eq smtp
access-list outside_access_in permit tcp any host public-NAT-IP eq 443
access-list outside_access_in permit udp any host public-NAT-IP eq domain
If required, allow traffic from the remote sites:
access-list outside_access_in permit ip remote-site-A-network internal-network
access-list outside_access_in permit ip remote-site-B-network internal-network
Apply RFC 1918 filtering. If RFC 1918 addresses are in use at the remote sites, modify these rules accordingly. Note that the PIX Firewall expresses address ranges with a subnet mask, not an IOS-style wildcard mask:
access-list outside_access_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_access_in deny ip 192.168.0.0 255.255.0.0 any
If required, allow management traffic from the remote sites. This can be either a broad statement, as in the command that follows, or a more specific one that names only the permitted services.
access-list outside_access_in permit ip host remote-device-IP host management-server-IP
Allow echo replies to internally generated traffic:
access-list outside_access_in permit icmp any host public-NAT-IP echo-reply
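The PIX evaluates an ACL top down and stops at the first matching entry, so the order of the outside_access_in entries above determines what the RFC 1918 denies actually block. The following added example (not from the original document) parses entries written in the PIX syntax shown above, evaluates sample packets in first-match order, and then re-evaluates them with the deny entries moved ahead of the permits; the addresses it uses are constructed sample values standing in for the placeholders public-NAT-IP, remote-site-A-network and internal-network. The same evaluator applies unchanged to the inside and DMZ lists.

```python
# Added example: first-match evaluation of a PIX ACL. Addresses are
# constructed samples, not values from the original document.
import ipaddress

PORTS = {"ftp": 21, "www": 80, "smtp": 25, "domain": 53}

# Constructed stand-in for the outside_access_in list, in the page's order.
OUTSIDE_ACL = """
access-list outside_access_in permit tcp any host 203.0.113.10 eq www
access-list outside_access_in permit ip 198.51.100.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list outside_access_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_access_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_access_in permit icmp any host 203.0.113.10 echo-reply
"""

def _parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A SUBNET-MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX takes a normal subnet mask here, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Return [(action, proto, src_net, dst_net, service)] in list order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()                     # access-list NAME ACTION PROTO ...
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        service = None                       # None: any port / any ICMP type
        if rest[:1] == ["eq"]:
            service = int(PORTS.get(rest[1], rest[1]))
        elif rest:
            service = rest[0]                # ICMP type keyword, e.g. echo-reply
        rules.append((action, proto, src, dst, service))
    return rules

def evaluate(rules, proto, src, dst, service=None):
    """First matching entry wins; a PIX ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, svc in rules:
        if p != "ip" and p != proto:
            continue
        if s in sn and d in dn and (svc is None or svc == service):
            return action
    return "deny"

def denies_first(rules):
    """Reorder so explicit denies precede permits (relative order kept)."""
    return [r for r in rules if r[0] == "deny"] + [r for r in rules if r[0] == "permit"]

PAGE_ORDER = parse_acl(OUTSIDE_ACL)
DENIES_FIRST = denies_first(PAGE_ORDER)
```

With the page's order, a packet from 10.9.9.9 to 203.0.113.10 port 80 is permitted by the first entry before the 10.0.0.0/8 deny is ever consulted; with the denies first, the same packet is dropped while legitimate web and remote-site traffic still passes.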
By using an ACL, you can filter traffic that is entering from the inside interface. This filtering is applied to the inside interface by using the access-group command. You should consider the following common ACL definitions.
Allow management access to the public services network devices:
access-list inside_access_in permit tcp host management-host-IP host PS-device-IP eq 22
Allow internal user access to the public services, such as web and FTP services:
access-list inside_access_in permit tcp internal-network host public-server-IP eq service
Allow the internal mail server to communicate with the public mail server:
access-list inside_access_in permit tcp host internal-mail-server-IP host public-mail-server-IP eq smtp
Allow the internal DNS server to communicate with the public DNS server:
access-list inside_access_in permit udp host internal-DNS-IP host public-DNS-IP eq domain
Allow outbound ICMP traffic:
access-list inside_access_in permit icmp any any echo
Deny all other access to the public services segment:
access-list inside_access_in deny ip any public-services-network
Permit all other traffic to the outside:
access-list inside_access_in permit ip any any
By using an ACL, you can filter traffic that is entering from the DMZ interface. This filtering is applied to the DMZ interface by using the access-group command. You should consider the following common ACL definitions.
Allow mail services between the public and internal mail servers:
access-list dmz_access_in permit tcp host public-mail-server-IP host internal-mail-server-IP eq smtp
Allow echo replies to the internal network (ICMP entries take the message type directly, without eq):
access-list dmz_access_in permit icmp public-services-network internal-network echo-reply
Allow HIDS traffic from the public server to the management server:
access-list dmz_access_in permit tcp host public-server-IP host management-server-IP eq 5000
Allow management traffic from the network devices on the public services segment to the management server:
access-list dmz_access_in permit ip host PS-network-device-IP host management-server-IP
Deny all other connections to the internal network from the public services segment. These entries belong to the same list that the access-group command binds to the DMZ interface, so they keep the dmz_access_in name:
access-list dmz_access_in deny ip any internal-network
Allow all mail and DNS traffic originating from the public services server:
access-list dmz_access_in permit tcp host public-server-IP any eq smtp
access-list dmz_access_in permit udp host public-server-IP any eq domain
IDS services on the PIX Firewall are enabled with the following commands, which define an informational signature set that alarms and an attack signature set that alarms, drops the packet and resets the connection, then bind both to every interface:
ip audit name IDS info action alarm
ip audit name IDS attack action alarm drop reset
ip audit interface outside IDS
ip audit interface inside IDS
ip audit interface dmz IDS
VPN services on the PIX Firewall are enabled with the following commands.
To configure remote-site VPNs, use the following commands:
no sysopt route dnat
crypto ipsec transform-set REMOTESITES esp-3des esp-md5-hmac
crypto map REMOTE 10 ipsec-isakmp
crypto map REMOTE 10 match address remote-sites
crypto map REMOTE 10 set peer peer-IP-A
crypto map REMOTE 10 set transform-set REMOTESITES
crypto map REMOTE interface outside
isakmp enable outside
isakmp key key address IP-address netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
access-list remote-sites permit ip internal-network remote-site-network
To configure remote-access VPN users, use the following commands:
vpngroup RASVPN address-pool vpnpool
vpngroup RASVPN dns-server dns-address
vpngroup RASVPN default-domain domain-name
vpngroup RASVPN idle-time 1800
vpngroup RASVPN password password
ip local pool vpnpool start-IP-range-end-IP-range