Hello all. I am not a PIX user at all. I have two PIXes; one I just reset, and its config is below...
/// RELOADED PIX
crashpix# sh config
: Saved
: Written by enable_1 at 18:01:15.130 UTC Wed Aug 9 2006
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname crashpix
domain-name modifiedpix.foo
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto shutdown
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 127.0.0.1 255.255.255.255
ip address inside 10.10.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.174 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
// END RELOADED PIX
I need to add some of the former configuration lines from the old PIX below to the new one. Is there an easy way to do so? I'm unfamiliar with the syntax and have tried to do it as best I understood it, but it doesn't seem to be working properly, so I figure it's best to start from the beginning, including the ACLs. Is there any way to streamline the rules in the access list? Users should be allowed mail and HTTP — that's it, nothing more.
< Pix4# sh config
< : Written by enable_15 at 20:17:50.502 UTC Thu Jan 12 2006
< PIX Version 6.3(4)
< interface ethernet0 auto
< interface ethernet1 auto
< enable password xxxxxxxxxxxxxxxx encrypted
< passwd xxxxxxxxxxxxxxxx encrypted
< hostname Pix4
< domain-name modifieddomain.foo
< fixup protocol dns maximum-length 512
< fixup protocol http 80
< fixup protocol sip 5060
< fixup protocol sip udp 5060
< fixup protocol skinny 2000
< fixup protocol tftp 69
< access-list acl_out permit icmp any any
< access-list acl_out permit tcp any host xx.xxx.x.181 eq 3389
< access-list acl_out permit tcp xx.xx.0.0 255.255.240.0 host xx.xxx.x.179 eq smtp
< access-list acl_out permit tcp any host xx.xxx.x.179 eq smtp
< access-list Pix1 permit ip 192.168.162.0 255.255.255.0 192.168.10.0 255.255.255.0
< access-list Pix2 permit ip 192.168.162.0 255.255.255.0 192.168.20.0 255.255.255.0
< access-list Pix3 permit ip 192.168.162.0 255.255.255.0 192.168.30.0 255.255.255.0
< access-list 100 permit ip 192.168.162.0 255.255.255.0 192.168.10.0 255.255.255.0
< access-list 100 permit ip 192.168.162.0 255.255.255.0 192.168.20.0 255.255.255.0
< access-list 100 permit ip 192.168.162.0 255.255.255.0 192.168.30.0 255.255.255.0
< ip address outside xx.xxx.x.178 255.255.255.248
< ip address inside 192.168.162.50 255.255.255.0
< no failover
< failover timeout 0:00:00
< failover poll 15
< no failover ip address outside
< no failover ip address inside
< pdm logging informational 100
< global (outside) 1 interface
< nat (inside) 0 access-list 100
< nat (inside) 1 0.0.0.0 0.0.0.0 0 0
< static (inside,outside) xx.xxx.x.181 192.168.162.92 netmask 255.255.255.255 0 0
< static (inside,outside) xx.xxx.x.179 192.168.162.4 netmask 255.255.255.255 0 0
< access-group acl_out in interface outside
< route outside 0.0.0.0 0.0.0.0 xx.xxx.x.177 1
< timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
< timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
< aaa-server TACACS+ max-failed-attempts 3
< aaa-server TACACS+ deadtime 10
< aaa-server RADIUS max-failed-attempts 3
< aaa-server RADIUS deadtime 10
< http 192.168.1.0 255.255.255.0 inside
< sysopt connection permit-ipsec
< crypto ipsec transform-set md53des esp-3des esp-md5-hmac
< crypto map vpnmap 10 ipsec-isakmp
< crypto map vpnmap 10 match address Pix1
< crypto map vpnmap 10 set peer xx.xxx.x.194
< crypto map vpnmap 10 set transform-set md53des
< crypto map vpnmap 20 ipsec-isakmp
< crypto map vpnmap 20 match address Pix2
< crypto map vpnmap 20 set peer xx.xxx.x.186
< crypto map vpnmap 20 set transform-set md53des
< crypto map vpnmap 30 ipsec-isakmp
< crypto map vpnmap 30 match address Pix3
< crypto map vpnmap 30 set peer xx.xxx.x.202
< crypto map vpnmap 30 set transform-set md53des
< crypto map vpnmap interface outside
< isakmp enable outside
< isakmp key ******** address xx.xxx.x.194 netmask 255.255.255.255
< isakmp key ******** address xx.xxx.x.186 netmask 255.255.255.255
< isakmp key ******** address xx.xxx.x.202 netmask 255.255.255.255
< isakmp identity address
< isakmp policy 10 authentication pre-share
< isakmp policy 10 encryption 3des
< isakmp policy 10 hash md5
< isakmp policy 10 group 2
< isakmp policy 10 lifetime 86400
< telnet 192.168.162.0 255.255.255.0 inside
< ssh 0.0.0.0 0.0.0.0 outside
< management-access inside
< console timeout 0
< terminal width 80
< Cryptochecksum:c0b0c7786a724a9655ea13b654b8d10c
Pix4# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list acl_out; 9 elements
access-list acl_out line 1 permit icmp any any (hitcnt=171501)
access-list acl_out line 2 permit tcp any host xx.xxx.1.181 eq 3389 (hitcnt=59)
access-list acl_out line 3 permit tcp xx.xx.0.0 255.255.240.0 host xx.xxx.1.179 eq smtp (hitcnt=10261)
access-list acl_out line 4 permit tcp any host xx.xxx.1.179 eq smtp (hitcnt=16)
access-list acl_out line 5 deny tcp any any eq aol (hitcnt=0)
access-list acl_out line 6 deny tcp any 66.77.49.128 255.255.255.192 eq
access-list acl_out line 7 deny tcp any 66.77.49.0 255.255.255.0 eq
access-list acl_out line 8 deny tcp any 66.77.49.0 255.255.255.0 (hitcnt=0)
access-list acl_out line 9 deny ip any host 216.251.231.128 (hitcnt=0)
access-list Pix1; 1 elements
access-list Pix1 line 1 permit ip 192.168.162.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=285)
access-list Pix2; 1 elements
access-list Pix2 line 1 permit ip 192.168.162.0 255.255.255.0 192.168.20.0 255.255.255.0 (hitcnt=161)
access-list Pix3; 1 elements
access-list Pix3 line 1 permit ip 192.168.162.0 255.255.255.0 192.168.30.0 255.255.255.0 (hitcnt=87)
access-list 100; 3 elements
access-list 100 line 1 permit ip 192.168.162.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=228)
access-list 100 line 2 permit ip 192.168.162.0 255.255.255.0 192.168.20.0 255.255.255.0 (hitcnt=97)
access-list 100 line 3 permit ip 192.168.162.0 255.255.255.0 192.168.30.0 255.255.255.0 (hitcnt=42)
access-list 101; 8 elements
access-list 101 line 1 permit tcp any host xx.xxx.13.51 (hitcnt=0)
access-list 101 line 2 permit tcp any host xx.xxx.13.51 eq telnet (hitcnt=0)
access-list 101 line 3 deny tcp any host 66.77.49.161 eq
access-list 101 line 4 deny ip any host 66.77.49.161 (hitcnt=0)
access-list 101 line 5 deny ip any host 216.251.231.128 (hitcnt=0)
access-list 101 line 6 deny ip any 66.77.49.128 255.255.255.192 (hitcnt=0)
access-list 101 line 7 deny ip any host 63.236.98.168 (hitcnt=0)
access-list 101 line 8 deny tcp any any eq aol (hitcnt=0)
access-list inbound; 2 elements
access-list inbound line 1 permit tcp any host 64.201.13.51 eq
access-list inbound line 2 permit tcp any host 64.201.13.51 eq 1288 (hitcnt=0)
access-list acl_inside; 15 elements
access-list acl_inside line 1 deny tcp any any eq 554 (hitcnt=0)
access-list acl_inside line 2 deny udp any any eq 1755 (hitcnt=0)
access-list acl_inside line 3 deny udp any any eq 554 (hitcnt=0)
access-list acl_inside line 4 deny tcp any any eq 10000 (hitcnt=0)
access-list acl_inside line 5 deny udp any any eq 10000 (hitcnt=0)
access-list acl_inside line 6 deny tcp any any eq 7000 (hitcnt=0)
access-list acl_inside line 7 deny udp any any eq 7000 (hitcnt=0)
access-list acl_inside line 8 permit tcp any 192.168.162.0 255.255.255.0 eq 1288 (hitcnt=0)
access-list acl_inside line 9 deny tcp any any eq aol (hitcnt=0)
access-list acl_inside line 10 deny tcp any 66.77.49.0 255.255.255.0 eq
access-list acl_inside line 11 deny tcp any 66.77.49.0 255.255.255.0 (hitcnt=0)
access-list acl_inside line 12 deny ip any host 216.251.231.128 (hitcnt=0)
access-list acl_inside line 13 deny tcp any host 216.251.231.128 (hitcnt=0)
access-list acl_inside line 14 deny ip any 66.77.49.128 255.255.255.192 (hitcnt=0)
access-list acl_inside line 15 deny ip any host 63.236.98.168 (hitcnt=0)
access-list outbound; 1 elements
access-list outbound line 1 deny tcp any 128.121.4.0 255.255.255.0 eq
access-list acl_outside; 2 elements
access-list acl_outside line 1 deny tcp any host 216.251.231.128 (hitcnt=0)
access-list acl_outside line 2 deny tcp any any eq aol (hitcnt=0)
access-list acl_in; 2 elements
access-list acl_in line 1 deny ip any 66.77.49.128 255.255.255.192 (hitcnt=0)
access-list acl_in line 2 deny ip any host 63.236.98.168 (hitcnt=0)
access-list 104; 2 elements
access-list 104 line 1 deny tcp any 66.77.49.128 255.255.255.192 (hitcnt=0)
access-list 104 line 2 deny tcp any host 63.236.98.168 (hitcnt=0)
/// RELOADED PIX
crashpix# sh config
: Saved
: Written by enable_1 at 18:01:15.130 UTC Wed Aug 9 2006
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname crashpix
domain-name modifiedpix.foo
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto shutdown
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 127.0.0.1 255.255.255.255
ip address inside 10.10.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.174 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
// END RELOADED PIX
I need to add some of the former configuration lines from the old PIX below to the new one. Is there an easy way to do so? I'm unfamiliar with the syntax and have tried to do it as best I understood it, but it doesn't seem to be working properly, so I figure it's best to start from the beginning, including the ACLs. Is there any way to streamline the rules in the access list? Users should be allowed mail and HTTP — that's it, nothing more.
< Pix4# sh config
< : Written by enable_15 at 20:17:50.502 UTC Thu Jan 12 2006
< PIX Version 6.3(4)
< interface ethernet0 auto
< interface ethernet1 auto
< enable password xxxxxxxxxxxxxxxx encrypted
< passwd xxxxxxxxxxxxxxxx encrypted
< hostname Pix4
< domain-name modifieddomain.foo
< fixup protocol dns maximum-length 512
< fixup protocol http 80
< fixup protocol sip 5060
< fixup protocol sip udp 5060
< fixup protocol skinny 2000
< fixup protocol tftp 69
< access-list acl_out permit icmp any any
< access-list acl_out permit tcp any host xx.xxx.x.181 eq 3389
< access-list acl_out permit tcp xx.xx.0.0 255.255.240.0 host xx.xxx.x.179 eq smtp
< access-list acl_out permit tcp any host xx.xxx.x.179 eq smtp
< access-list Pix1 permit ip 192.168.162.0 255.255.255.0 192.168.10.0 255.255.255.0
< access-list Pix2 permit ip 192.168.162.0 255.255.255.0 192.168.20.0 255.255.255.0
< access-list Pix3 permit ip 192.168.162.0 255.255.255.0 192.168.30.0 255.255.255.0
< access-list 100 permit ip 192.168.162.0 255.255.255.0 192.168.10.0 255.255.255.0
< access-list 100 permit ip 192.168.162.0 255.255.255.0 192.168.20.0 255.255.255.0
< access-list 100 permit ip 192.168.162.0 255.255.255.0 192.168.30.0 255.255.255.0
< ip address outside xx.xxx.x.178 255.255.255.248
< ip address inside 192.168.162.50 255.255.255.0
< no failover
< failover timeout 0:00:00
< failover poll 15
< no failover ip address outside
< no failover ip address inside
< pdm logging informational 100
< global (outside) 1 interface
< nat (inside) 0 access-list 100
< nat (inside) 1 0.0.0.0 0.0.0.0 0 0
< static (inside,outside) xx.xxx.x.181 192.168.162.92 netmask 255.255.255.255 0 0
< static (inside,outside) xx.xxx.x.179 192.168.162.4 netmask 255.255.255.255 0 0
< access-group acl_out in interface outside
< route outside 0.0.0.0 0.0.0.0 xx.xxx.x.177 1
< timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
< timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
< aaa-server TACACS+ max-failed-attempts 3
< aaa-server TACACS+ deadtime 10
< aaa-server RADIUS max-failed-attempts 3
< aaa-server RADIUS deadtime 10
< http 192.168.1.0 255.255.255.0 inside
< sysopt connection permit-ipsec
< crypto ipsec transform-set md53des esp-3des esp-md5-hmac
< crypto map vpnmap 10 ipsec-isakmp
< crypto map vpnmap 10 match address Pix1
< crypto map vpnmap 10 set peer xx.xxx.x.194
< crypto map vpnmap 10 set transform-set md53des
< crypto map vpnmap 20 ipsec-isakmp
< crypto map vpnmap 20 match address Pix2
< crypto map vpnmap 20 set peer xx.xxx.x.186
< crypto map vpnmap 20 set transform-set md53des
< crypto map vpnmap 30 ipsec-isakmp
< crypto map vpnmap 30 match address Pix3
< crypto map vpnmap 30 set peer xx.xxx.x.202
< crypto map vpnmap 30 set transform-set md53des
< crypto map vpnmap interface outside
< isakmp enable outside
< isakmp key ******** address xx.xxx.x.194 netmask 255.255.255.255
< isakmp key ******** address xx.xxx.x.186 netmask 255.255.255.255
< isakmp key ******** address xx.xxx.x.202 netmask 255.255.255.255
< isakmp identity address
< isakmp policy 10 authentication pre-share
< isakmp policy 10 encryption 3des
< isakmp policy 10 hash md5
< isakmp policy 10 group 2
< isakmp policy 10 lifetime 86400
< telnet 192.168.162.0 255.255.255.0 inside
< ssh 0.0.0.0 0.0.0.0 outside
< management-access inside
< console timeout 0
< terminal width 80
< Cryptochecksum:c0b0c7786a724a9655ea13b654b8d10c
Pix4# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list acl_out; 9 elements
access-list acl_out line 1 permit icmp any any (hitcnt=171501)
access-list acl_out line 2 permit tcp any host xx.xxx.1.181 eq 3389 (hitcnt=59)
access-list acl_out line 3 permit tcp xx.xx.0.0 255.255.240.0 host xx.xxx.1.179 eq smtp (hitcnt=10261)
access-list acl_out line 4 permit tcp any host xx.xxx.1.179 eq smtp (hitcnt=16)
access-list acl_out line 5 deny tcp any any eq aol (hitcnt=0)
access-list acl_out line 6 deny tcp any 66.77.49.128 255.255.255.192 eq
access-list acl_out line 7 deny tcp any 66.77.49.0 255.255.255.0 eq
access-list acl_out line 8 deny tcp any 66.77.49.0 255.255.255.0 (hitcnt=0)
access-list acl_out line 9 deny ip any host 216.251.231.128 (hitcnt=0)
access-list Pix1; 1 elements
access-list Pix1 line 1 permit ip 192.168.162.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=285)
access-list Pix2; 1 elements
access-list Pix2 line 1 permit ip 192.168.162.0 255.255.255.0 192.168.20.0 255.255.255.0 (hitcnt=161)
access-list Pix3; 1 elements
access-list Pix3 line 1 permit ip 192.168.162.0 255.255.255.0 192.168.30.0 255.255.255.0 (hitcnt=87)
access-list 100; 3 elements
access-list 100 line 1 permit ip 192.168.162.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=228)
access-list 100 line 2 permit ip 192.168.162.0 255.255.255.0 192.168.20.0 255.255.255.0 (hitcnt=97)
access-list 100 line 3 permit ip 192.168.162.0 255.255.255.0 192.168.30.0 255.255.255.0 (hitcnt=42)
access-list 101; 8 elements
access-list 101 line 1 permit tcp any host xx.xxx.13.51 (hitcnt=0)
access-list 101 line 2 permit tcp any host xx.xxx.13.51 eq telnet (hitcnt=0)
access-list 101 line 3 deny tcp any host 66.77.49.161 eq
access-list 101 line 4 deny ip any host 66.77.49.161 (hitcnt=0)
access-list 101 line 5 deny ip any host 216.251.231.128 (hitcnt=0)
access-list 101 line 6 deny ip any 66.77.49.128 255.255.255.192 (hitcnt=0)
access-list 101 line 7 deny ip any host 63.236.98.168 (hitcnt=0)
access-list 101 line 8 deny tcp any any eq aol (hitcnt=0)
access-list inbound; 2 elements
access-list inbound line 1 permit tcp any host 64.201.13.51 eq
access-list inbound line 2 permit tcp any host 64.201.13.51 eq 1288 (hitcnt=0)
access-list acl_inside; 15 elements
access-list acl_inside line 1 deny tcp any any eq 554 (hitcnt=0)
access-list acl_inside line 2 deny udp any any eq 1755 (hitcnt=0)
access-list acl_inside line 3 deny udp any any eq 554 (hitcnt=0)
access-list acl_inside line 4 deny tcp any any eq 10000 (hitcnt=0)
access-list acl_inside line 5 deny udp any any eq 10000 (hitcnt=0)
access-list acl_inside line 6 deny tcp any any eq 7000 (hitcnt=0)
access-list acl_inside line 7 deny udp any any eq 7000 (hitcnt=0)
access-list acl_inside line 8 permit tcp any 192.168.162.0 255.255.255.0 eq 1288 (hitcnt=0)
access-list acl_inside line 9 deny tcp any any eq aol (hitcnt=0)
access-list acl_inside line 10 deny tcp any 66.77.49.0 255.255.255.0 eq
access-list acl_inside line 11 deny tcp any 66.77.49.0 255.255.255.0 (hitcnt=0)
access-list acl_inside line 12 deny ip any host 216.251.231.128 (hitcnt=0)
access-list acl_inside line 13 deny tcp any host 216.251.231.128 (hitcnt=0)
access-list acl_inside line 14 deny ip any 66.77.49.128 255.255.255.192 (hitcnt=0)
access-list acl_inside line 15 deny ip any host 63.236.98.168 (hitcnt=0)
access-list outbound; 1 elements
access-list outbound line 1 deny tcp any 128.121.4.0 255.255.255.0 eq
access-list acl_outside; 2 elements
access-list acl_outside line 1 deny tcp any host 216.251.231.128 (hitcnt=0)
access-list acl_outside line 2 deny tcp any any eq aol (hitcnt=0)
access-list acl_in; 2 elements
access-list acl_in line 1 deny ip any 66.77.49.128 255.255.255.192 (hitcnt=0)
access-list acl_in line 2 deny ip any host 63.236.98.168 (hitcnt=0)
access-list 104; 2 elements
access-list 104 line 1 deny tcp any 66.77.49.128 255.255.255.192 (hitcnt=0)
access-list 104 line 2 deny tcp any host 63.236.98.168 (hitcnt=0)