Can any body help me to understand the Cisco Pix Firewall 515?

[Samengr]

We are using the Cisco Pix Firewall 515 in our live setup. I am new with Pix Firewall. dont have any documentation that which rules were configured. I have only its config file. Can any body tell me how can i understand this? Can any body let me know the format so that i can understand this config file and know which rules have been configured?

Thanks

 

[nnnnnnnnnn]

Post a sanitized copy of your config, if its not huge it shouldn't be to hard.

cheers

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/config.html

 

[Samengr]

please see the config file below.

*************
object-group network client-trusted
network-object IP
network-object host IP
network-object Live-IP 255.255.255.240
object-group service client-trusted-tcp tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq 8090
port-object eq telnet
object-group network lom-ports
network-object host Live-IP -C
network-object host Live-IP -D
network-object host Live-IP -E
access-list outside-in remark ----- Client Public Access Rules - start -----
access-list outside-in permit tcp any host Live-IP eq www
access-list outside-in permit tcp host IP host Live-IP eq https
access-list outside-in permit tcp any Live-IP eq https
access-list outside-in permit tcp any host Live-IP eq 8090
access-list outside-in permit tcp any host Live-IP eq 8080
access-list outside-in permit tcp any Live-IP 255.255.255.240 eq 8080
access-list outside-in remark ----- Client Public Access Rules - end -----
access-list outside-in remark ----- Client Access Rules - start -----
access-list outside-in permit tcp object-group client-trusted Live-IP 255.255.255.224 eq ssh
access-list outside-in permit tcp Live-IP 255.255.255.240 host Live-IP eq 2393
access-list outside-in permit tcp Live-IP 255.255.255.240 host Live-IP eq 2394
access-list outside-in permit tcp Live-IP 255.255.255.240 object-group lom-ports eq www
access-list outside-in permit tcp Live-IP 255.255.255.240 object-group lom-ports eq https
access-list outside-in permit tcp object-group client-trusted Live-IP 255.255.255.224 object-group client-trusted-tcp
access-list outside-in remark ----- Client Access Rules - end -----
access-list inside-out remark ----- Client Access Rules - WEB - start -----
access-list inside-out permit icmp Internal-IP-Network-1 255.255.255.0 Internal-IP 255.255.255.0 echo
access-list inside-out permit udp Internal-IP-Network-1 255.255.255.0 Internal-IP 255.255.255.0 eq netbios-ns
access-list inside-out permit tcp Internal-IP-network-1 255.255.255.0 any eq www
access-list inside-out permit tcp Internal-IP-network-1 255.255.255.0 any eq https
access-list inside-out permit tcp Internal-IP-network-1 255.255.255.0 any eq smtp
access-list inside-out remark ----- Client Access Rules - WEB - end -----
access-list db-out remark ----- Client Access Rules - DB - start -----
access-list db-out permit udp Internal-IP-network-2 255.255.255.0 192.168.1.0 255.255.255.0 eq ntp
access-list db-out permit tcp Internal-IP-network-2 255.255.255.0 Live-IP 255.255.255.240 eq 2393
access-list db-out permit tcp Internal-IP-network-2 255.255.255.0 host Live-IP eq 3690
access-list db-out permit udp Internal-IP-network-2 255.255.255.0 Live-IP 255.255.255.240 eq 3690
access-list db-out permit udp Internal-IP-network-2 255.255.255.0 host Live-IP eq 3690
access-list db-out permit icmp Internal-IP-network-2 255.255.255.0 Internal-IP-network-1 255.255.255.0 echo
access-list db-out permit icmp Internal-IP-network-2 255.255.255.0 Internal-IP-network-1 255.255.255.0 echo-reply
access-list db-out permit udp Internal-IP-network-2 255.255.255.0 Internal-IP-network-1 255.255.255.0 eq netbios-dgm
access-list db-out permit tcp Internal-IP-network-2 255.255.255.0 any eq www
access-list db-out permit tcp Internal-IP-network-2 255.255.255.0 any eq https
access-list db-out permit tcp Internal-IP-network-2 255.255.255.0 192.168.1.0 255.255.255.0 eq smtp
access-list db-out permit tcp Internal-IP-network-2 255.255.255.0 any eq 8090
access-list db-out remark ----- Client Access Rules - DB - end -----
access-list nonat-inside remark ----- No NAT from WEB to DB - start -----
access-list nonat-inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat-inside remark ----- No NAT from WEB to DB - end -----
access-list nonat-db remark ----- No NAT from DB to WEB - start -----
access-list nonat-db permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat-db remark ----- No NAT from DB to WEB - end -----
ip address outside 213.52.224.194 255.255.255.224
ip address inside 192.168.101.1 255.255.255.0
ip address db 192.168.2.1 255.255.255.0
static (inside,outside) Live-IP Internal-IP-network-3 netmask 255.255.255.255 0 0
static (inside,outside) Live-IP Internal-IP-network-1 netmask 255.255.255.255 0 0
static (db,outside) Live-IP Internal-IP-network-2 netmask 255.255.255.255 0 0
****************

I have changes the Live IPs with "Live-IP" and internal entwork IPs with "Internal-Network-1/2/3".

I will be greatful if you can tell what the each tag shows?

Thanks

Sam

 

[nnnnnnnnnn]

If I am understanding the question correctly you did not post that part. those tags are names that have been defined for referance through out the config. you can see those enries in the configuration, use this command.

show run names


hope that helps

cheers

 

[Supergrrover]

Translating every line will be tedious but this is how you read them

access-list [Name_of_ACL] [permit_or_deny] [tcp/udp] [Source] [destination] eq [Service]

The [Name_of_ACL] is anything you want - should tell you where it is applied or what it is intended to do.

The [permit_or_deny] tells you whether to allow the traffic or block it.

The [tcp/udp] says whether it is TCP or UDP traffic.

The [Source] is where the traffic originated. It could be a single IP with the "host" keyword in front. It could be a network with a subnet mask - 172.16.1.0 255.255.255.0. Or it could be "any" meaning that it doesn't care where the traffic originated - usually to the outside interface from the internet if you are providing services.

The [destination] is the same format as the source but it tells you where th traffic is destined. So internet traffic to the PIX would have this set as the PIX's IP. Traffic from the internal network may have this set to a specific web site's IP so that you could block ebay.com.

The [Service] tells you what service is the port number or service is -

http://www (80),

https (443), smtp (25), etc. So you could only allow

http://WWW and

HTTPS to an internal server and not allow SMTP from your internal network except for a trusted mail server.

Now in the ACL you can use object-groups. These group services, IPs, or networks together so you can limit what you need to type for the ACL. So you may have a cluster of mail servers that you want to allow SMTP out of but not let eny other computer send mail from your internal network. You would use an object-group to list those servers and then only have one line in the ACL.

ACL's are applied to interfaces and filter traffic coming into that interface only. There will be lines after the NAT statements that say "access-group [ACL_name} in interface [interface_name]" these tell you what ACL is controlling the traffic entering that interface.

Now lastly the statics. They map an external IP (and possibly service) to an internal IP (and possibly service.)
static (inside,outside) [external_IP] [internal_IP]

Adding the service is optional and without it all traffic sent to the external IP will be processed for the internal IP unless it is blocked by the ACL.

There are a more options and a lot more complicated ways to set things up but this is the basic. If this didn't really help, try loading the PDM. It is a GUI interface to the PIX that might make a little more sense. Just open a web browser to the PIX internal IP. You didn't post that part of the config but most people set it up. If it isn't up, it is any easy addition.

All config examples

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Samengr]

Thanks Brent for help. I really appreciate your time.
Can you please help me to understand these access lists?


access-list nonat-inside permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Here nonat-inside access list is permiting the IP(trafic) from (source)192.168.1.0/255.255.255.0 to (destination)192.168.2.0/255.255.255.0 but here the part is missing ( eq service/port) if this part is missing then how we will understand this?

*******

access-list nonat-inside remark ----- No NAT from WEB to DB - end -----
access-list nonat-db remark ----- No NAT from DB to WEB - start -----

Cant understand the above two lines...

********

access-list nonat-db permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat-db remark ----- No NAT from DB to WEB - end -----

ip address outside External-IP 255.255.255.224
ip address inside 192.168.101.1 255.255.255.0
ip address db 192.168.2.1 255.255.255.0

how we will understand the above statement start with ip?

*********


static (inside,outside) 192.168.101.20 netmask 255.255.255.255 0 0
static (inside,outside) External-IP 192.168.101.22 netmask 255.255.255.255 0 0

how we will understand the above statements start with static??


I have replaced the lives ips with External-IP.

hope to see the response soon.
Thanks.

 

[Supergrrover]

The non-nat lines are for VPNs or inter-interface conmmunication. They tell the pix not to nat traffic going onto the vpn or to the other interface. They also can be used to tell the pix to encrypt the same traffic over the vpn.
The remark lines are just that, they are added so you can tell what's going on but they don't actually do anything.

ACL's don't need to have a port number. The "ip" keyword tells it to do this to all traffic (TCP, UDP, ICMP, etc.) The service part just allows you to be more specific but isn't a necessary part.

The statics say that all traffic destined to the pix IP from the internet will go to 192.168.101.22. The line before that is wrong or a typo.

Hope that helps.



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Samengr]

Thanks Supergrrover for your time and help.
Sam