Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: UltraZero on February 27, 2011, 10:11:41 AM

Title: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on February 27, 2011, 10:11:41 AM
I have a question about firewalls.
I've been reading the Cisco website and I seem to see there are several places to put
the firewall when installing it.

I kinda don't see why to put the firewall behind a router unless there are some functions that
can't be done on the firewall.

Next, I was wondering, if the firewall is placed in front of the router (cable connection), can for example a Pix handle the DHCP and do its job for IPv4 (v6.33) or IPv4 and IPv6 (v7.x or 8.x)?

Now.. If I don't have a static IP address (IPv4), is it possible to put up a dual stack website? I would assume this would happen in the DMZ.

Also, can the tunnel occur on the firewall? If not, I would assume I would need to reverse the roles and put the router up front, then the firewall behind.

Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: cholzhauer on February 27, 2011, 01:30:50 PM
You cannot have a tunnel on an ASA or PIX.  You would want to have the tunnel on the router and set the firewall behind the router.  If your address is dynamic, you just need to update your DNS records and the IP address on the HE site so your tunnel keeps working.  There are scripts that you can use to make that easier.
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on February 27, 2011, 07:16:58 PM
Cool.  I actually am in the process of tearing my network apart.  I am putting a different router in front of this one.  Then I will put the Pix in behind it.   I guess that means I am running the NAT on the router, correct?

Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: antillie on February 27, 2011, 11:26:04 PM
Yes, it is easier to do all your NAT/PAT and tunneling on the router and just use the PIX or ASA as a straight firewall. It's what they are best at.
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on February 28, 2011, 07:04:54 AM
Is there any particular thing a hacker goes after?

Meaning, they wouldn't go after the tunnel, would they?   If a person could not get into the router, could someone figure out there is a tunnel?

Sounds to me like network access needs to be removed and physical access is the most secure way to work on the router.  Leaving SSH or telnet up is a potential risk.. (Not so much with SSH)
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: cholzhauer on February 28, 2011, 01:18:02 PM
They'll go after whatever they can.  Lock everything down unless you use it.  The ASA has an IPv6 firewall that works the same way as IPv4.

Deny everything unless you need it.  (Except ICMP)
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: antillie on February 28, 2011, 06:32:26 PM
As far as routers go the bad guys are probably looking for a place to relay traffic from. That way they can use your IP as a jumping off point to attack other people while hiding their true source IP. They would also probably be interested in using access to a router to set up packet captures and man in the middle attacks to try and steal passwords and the like that pass through the router. Or they could be jerks and just erase the router's startup config, change the enable password, disable password recovery, and reboot the thing. And of course they would probably try and use the router to gain access to other things on your LAN. Who knows, they are nasty people who like to kick over other people's sand castles for fun and profit.

I think that the IPv6 internet hasn't caught the attention of many black hats because it just isn't big enough for them to bother with yet. This will change very quickly of course. Once IPv6 deployment starts to take off I'm sure we'll see all the same nasty stuff start to show up on our IPv6 tunnels and networks that we see being flung all over the IPv4 internet today.

Telnet... yeah, turn it off. ;)

SSH is only really as secure as your user name and password combination. It can be brute forced by default on IOS and such an attack can spike the router's CPU and result in a denial of service condition. Personally I would use an access list to limit access to port 22 on the router to external IPs that you trust. If you're up for it, implementing a client VPN for remote management is also an excellent idea. Gotta love the security of IPsec.

Quote from: cholzhauer on February 28, 2011, 01:18:02 PM
Deny everything unless you need it.  (Except ICMP)

This.
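For anyone who wants to see what the management lockdown above looks like on an IOS router, here is an added example (it is not config from anyone in this thread). It restricts the VTY lines to a trusted source with access-class, turns telnet off by allowing only SSH, and throttles login failures so a brute-force attempt cannot chew the CPU. The address 203.0.113.10 / 2001:db8::10, the ACL names MGMT-HOSTS and MGMT-HOSTS-V6, and the admin user name are made-up values for the example; "login block-for" needs IOS 12.3(4)T or later, so check your image.

```cisco
! Added example (IOS 12.3T/12.4 syntax), not config posted in this thread.
! 203.0.113.10 and 2001:db8::10 are constructed "trusted admin" addresses.
hostname myohmy
ip domain name mymy.com
! An RSA key must exist before SSH comes up; 2048 bits is the sensible floor.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only these sources may reach the VTY lines at all (IPv4 and IPv6 forms).
ip access-list standard MGMT-HOSTS
 permit 203.0.113.10
 deny   any log
ipv6 access-list MGMT-HOSTS-V6
 permit ipv6 host 2001:db8::10 any
 deny ipv6 any any log
!
! Throttle dictionary attacks: after 3 failures within 60 s, refuse logins for 120 s.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Local account used by "login local" below; replace the placeholder secret.
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSPHRASE
!
line vty 0 15
 access-class MGMT-HOSTS in
 ipv6 access-class MGMT-HOSTS-V6 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Telnet stays off: "transport input ssh" removes it from the VTY lines.
```

After applying it, "show ip ssh" confirms SSH version 2 is active, "show login" shows the block-for quiet-mode settings, and "show access-lists" lets you watch the deny counters on MGMT-HOSTS climb when something outside the trusted address knocks on port 22.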
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 01, 2011, 04:36:20 PM
The change password/blow config part doesn't scare me, I have it all printed and backed up.  The scary part is being locked out of the equipment. That would suck.

BTW - I've got a little problem. I put the pix online with no functions.  Just for now, I just want to put it in place.  The problem I have is this.

internet net-------router------firewall------router---------internet

From the network, I can not get to the internet.  DNS seems to work but slowly and I can not get a ping reply.

From the router next to the internet, I can ping the internet normally and DNS works.  From the same router, I can ping back into the network.

Any Ideas as to why?  I've been beating this one all day and as usual, I think it's something simple.

NAT and the tunnel are on the edge router as well.  If it's possible to put the tunnel behind the firewall, I'd like to, but I hear it won't work.
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: cholzhauer on March 01, 2011, 04:41:58 PM
Quote
If It's possible to put the tunnel behind the firewall, I'd like to, but, I hear it won't work.

You can, but it's much easier if you have multiple IP addresses
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 01, 2011, 04:45:24 PM
Multiple Static IPs from the ISP??

Thanks
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: cholzhauer on March 01, 2011, 04:53:40 PM
yes
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 01, 2011, 05:00:07 PM
Hmm. I'll have to think about this one.   I think I will put it on the back burner.  I need to get my net back online.

I was in the middle of totally moving the entire net somewhere else when I ran into a distance issue.  175 feet, and I have no signal.  Tested, and tested and re-tested, and nothing.  Can't get the router to light up.
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 02, 2011, 12:03:39 PM
O.K.  Here is a new one.

I have removed the config from the pix. Base line of nothing.  Entered a domain name,  user name and that's it.  (ip address to outside and inside ports) 

What allows these two to pass data?? 

Found out my other problem earlier.  It was an access list for my PAT..
Woops...   ::) ::)     I forgot to put it in..  Stupid me...
I can't send any data through it, ping or internet traffic.

I guess it's really doing its job.   ??? ???  Blocking all traffic.
Security is set at 100 for both in and out ports.

Any suggestions, give me a shout..

Thanks
Anyway..  Trying to get the pix to pass data and I actually removed it in order to get the net back online.

Any suggestions.
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: cholzhauer on March 02, 2011, 12:09:59 PM
make the outside port 0 (untrusted) and the inside 100 (trusted)
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 02, 2011, 01:41:10 PM
Hmm.  o.k.  Where??    I'm lookin..
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 02, 2011, 01:55:58 PM
O.K.  I've changed the security levels of the ports.

I had both inside and outside set at 100, being I really trust everyone (Yeah Right). I did it that way so I could pass equal traffic to start out with.  I guess that didn't work.

Now, going for the trusted/untrusted part.  Hmm. Actually, I thought they were one in the same.  (security levels and trusted/untrusted)

Also, I am not running a NAT on the Firewall.

Thanks
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: cholzhauer on March 02, 2011, 06:16:51 PM

To set the security level, enter the following command:

hostname(config-if)# security-level number

Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 02, 2011, 08:22:44 PM
Hi.  I actually figured that out.  Thanks very much.  Sorry.  Been switching back and forth putting the firewall in, taking it out.  Bla Bla bla bla.  A lot of manual config changes.  Thank god it's only 2 lines of code and clearing of the routing tables.

Anyway.  Here is what I have found.   

When I put the firewall on the network, I can not ping through it. I can not get any data through it at all.

But.... If I take it, leave the config on it and put a PC on one end and a server on the other, I can ping till my heart's content.  I tried to block the ping, but I could not.   Hmm. I thought that was really funny..

Basically, I set up the two to ping each other through the firewall.  I set up 50,000 tries, 1024 in size. Then I could not stop the pings from either side.  Now I am really perplexed...

Any ideas on that one?
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 02, 2011, 08:34:47 PM
Sooo.  Am I missing something here in regards to the Pix/ASA firewalls?

Is the primary function of the firewall to create a NAT? So this has to happen, which is where IP addresses are hidden and its firewall check is done? If so, maybe this is what I am trying to avoid and the avoidance is my problem.

Is anyone running a router with a Pix or ASA where the router is performing the NAT and the tunnel, as opposed to the router performing the tunnel and the firewall performing the NAT?

I am trying to do the NAT and the tunnel on the router.  Is this a problem?


Thanks. 
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: antillie on March 03, 2011, 02:28:20 PM
That is almost exactly how my setup works.

Internet -> Router -> ASA -> LAN

There is no need to perform NAT on the PIX in IPv4. There is an old copy of the running config of my ASA and my 2621xm here (http://www.tunnelbroker.net/forums/index.php?topic=356.msg5520#msg5520). If you are running 7.x or 8.x code on your PIX the command syntax will be the same as my ASA. Just issue the command "no nat-control" on your PIX and it basically becomes a router with a kick ass firewall engine. (Although it does lack a number of features found on real IOS routers.)
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 03, 2011, 07:59:04 PM
Here is what I have run into.  I have totally been making so many changes, I can't connect anything I set up to the net.  But, funny enough, I plugged this PC into the firewall, gave it the IP address of my last config and here I am.  I don't believe it.

This to me is saying there is something wrong with maybe my routes.  I actually thought my connection was slower.  Much slower, till I connected to He.net.  Fired right in here.   I was just on speedtest and my speed was around 3 to 5 Mbps.  I wonder if that is because of how slow this machine is.  (P4 1.5)  Anyway.  I'll take a look at the config.  Maybe I can see something I am missing.

I need to get some protection before I go to the next step.   Boy.. That didn't sound right.. Hmmm.


Anyway....  I'll take a look.
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 03, 2011, 08:05:52 PM
Hi.  Did I not detect any IPv4 numbers in this configuration? (Yes, in the interfaces)

Only IPv6, correct?  I didn't see any routing statements on the 26xx for IPv4..
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: antillie on March 04, 2011, 03:01:53 PM
It gets its default gateway for IPv4 via DHCP from my ISP. The routes to the rest of the LAN are learned via EIGRP from the ASA 5505.

cerberus#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 70.114.32.1 to network 0.0.0.0

     70.0.0.0/19 is subnetted, 1 subnets
C       70.114.32.0 is directly connected, FastEthernet0/1
D    192.168.200.0/24 [90/30720] via 10.1.1.2, 4w2d, FastEthernet0/0
C       10.1.1.0/30 is directly connected, FastEthernet0/0
D    192.168.100.0/24 [90/30720] via 10.1.1.2, 4w2d, FastEthernet0/0
S*   0.0.0.0/0 [254/0] via 70.114.32.1

So the whole config is dual stack.
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 05, 2011, 07:55:04 AM
Sorry.  Been out of town.  

Here is my problem.  The pix is currently removed from the network.  When I put the pix on the network and plug a PC directly into it, I can get it to work.  When I connect a router behind it, I can not seem to get data to pass through.  I can't ping through it (I do have an access list enabled to allow ICMP).  With a PC directly connected, I can ping and access the internet.

When I connect my router, I can ping to that router, but not through the router.   I have not been able to figure out what the problem is.   I'd like to get this unit online before I proceed with the next steps in regards to the tunnel process.

The connection from the first router to the pix is a cross over cable.   Same Crossover cable works with the PC with no problem.  This is normal correct?

I could not get the unit to connect via straight through cables.

Here is my config for the pix.  It's pretty box stock.

Let me know what you think.  Thanks

# sho run

Heelee
: Saved
:
PIX Version 7.22
!
hostname blabla
domain-name meme.com
enable password x4go3523498oomurw2 encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 100
ip address 192.168.x.253 255.255.255.0
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.x.254 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd 9R38u3jIyI.2erAp encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.x.254
domain-name truckland.com
access-list acl_out extended permit icmp any any
pager lines 28
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 192.168.x.0 255.255.255.0
access-group acl_out in interface outside
!
router eigrp 5
network 192.168.x.0 255.255.255.0
network 192.168.x.0 255.255.255.0
!
router rip
network 192.168.x.0
network 192.168.x.0
version 2
!
route outside 0.0.0.0 0.0.0.0 192.168.x.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.x.253 255.255.255.255 inside
http 192.168.x.0 255.255.255.0 inside
http 192.168.x.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
 message-length maximum 512
policy-map global_policy
class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect netbios
 inspect rsh
 inspect rtsp
 inspect skinny
 inspect esmtp
 inspect sqlnet
 inspect sunrpc
 inspect tftp
 inspect sip
 inspect xdmcp
!
service-policy global_policy global
ntp server 192.5.41.41 prefer
ntp server 192.5.41.209
username blabla password Wxujocni35cRj5fA encrypted privilege 15
prompt hostname context
Cryptochecksum:4GdKR4z7zm9tn4l74ym7o9748796o3T91A
: end

Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: antillie on March 05, 2011, 09:06:08 AM
Well the first thing I see is you have the same security level set on both of your interfaces. This can cause the PIX to drop traffic. I would set the outside to "0".

What do the route tables look like on the PIX and both routers when you have them all connected? Do you get proper RIP and/or EIGRP adjacencies between peer devices? Also, how did you get EIGRP working on PIX 7.22? I was under the impression that EIGRP was only available in 8.0 and later.

If the router and the PIX can ping each other then a crossover cable is fine.
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 05, 2011, 10:49:32 AM
I thought by setting all ports to 100, there would not be any processing done on them.  (firewall will act neutral as far as running the firewall algorithm against the port)

I actually tried setting it up this way. The results were the same.

I'll try again since this is a fresh install.  

re: the cross over cable.

Funny. I thought so too.  When I connect the PC to the firewall, all seems well.  Although, ping response is cut down really slow.
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 05, 2011, 10:54:55 AM
Here is my router config


hostname myohmy
!
boot-start-marker
boot system flash:c2600-advipservicesk9-mz.123-8.bin
boot-end-marker
!
enable secret 5 $1$MZ68246$b/7/J7z6k9TB.
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip domain name mymy.com
ip name-server 209.57.222.252
ip name-server 209.57.222.242
!
ipv6 unicast-routing
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username woops password 7 34563R6DTW981e493BAGAGAFG
!
!
!
!
!
!
!
interface Loopback0
no ip address
ipv6 enable
!
!
interface FastEthernet0/0
ip dhcp client hostname goonie
ip address dhcp
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
ipv6 enable
!
interface BRI0/0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0/1
description Network Conection from Firewall to Home Network
ip address 192.168.X.254 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
ipv6 address
ipv6 enable
ipv6 rip ipv6 enable
ipv6 ospf 1 area 0
!
router eigrp 5
network 192.168.X.0
auto-summary
!
router rip
version 2
network 192.168.X.0
neighbor 192.168.X.254
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 192.168.x.0 255.255.255.0 192.168.x.253
!
ip dns server
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.0.0.0 0.255.255.255
access-list 104 permit tcp any any eq echo established
access-list 104 permit tcp any any eq
access-list 104 permit tcp any any eq
access-list 104 permit ip any any
access-list 104 permit 41 any any
access-list 104 deny   tcp any any eq  established log
access-list 104 deny   tcp any any eq  established log
access-list 104 deny   tcp any any eq  established log
access-list 104 deny   tcp any any eq  established log
access-list 104 deny   tcp any any eq  established log
access-list 104 deny   ip 172.16.0.0 0.0.255.255 any log
access-list 104 deny   ip 10.0.0.0 0.0.255.255 any log
access-list 104 deny   ip 224.0.0.0 0.31.255.255 any log
ipv6 route 2001:000:0001::/64 FastEthernet0/0
ipv6 route ::/0 Tunnel0
ipv6 router ospf 1
log-adjacency-changes
!
ipv6 router rip ipv6
!
ipv6 router rip process1
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
password you must be serious
login
line aux 0
line vty 0 15
login
transport input telnet
!
ntp clock-period 17180388
ntp server 192.5.41.41 prefer
ntp server 192.5.41.209
!
end
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: antillie on March 05, 2011, 12:11:56 PM
Well it looks like your EIGRP config is missing its net mask. It's also not redistributing the default route out. And running unauthenticated EIGRP on your internet facing interface really isn't a good idea. It should look something like this:

router eigrp 5
redistribute static
passive-interface FastEthernet0/0
network 192.168.100.0 0.0.0.255
auto-summary

My guess is that this is preventing your PIX from peering with the router and/or getting a default gateway from it. You can check by looking at the PIX's route table and its EIGRP neighbor table. Also is there a reason you are running both RIP and EIGRP in IPv4? You really only need one. Personally I would turn off RIP since it sucks. And unless you have another RIPv6 or OSPFv3 capable router I would also turn off RIP and OSPF for IPv6 as well.

Oh and make sure you have issued the command "no nat-control" on your PIX and set the security level of the outside interface to something less than 100. Like 0 for example. Setting two interfaces to the same level does not stop the PIX from processing packets sent through them through its stateful inspection engine. It just messes with how permit and deny decisions are made based on whether or not you have "same-security-traffic permit inter-interface" in your config.
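Pulling the advice in this reply together, here is an added example of the router and PIX sides of the "Internet -> Router -> PIX -> LAN" layout (it is not a config posted by anyone in the thread). The PIX runs as a plain routed firewall with the outside at security-level 0 and nat-control off, the edge router keeps NAT and hands its default route down over EIGRP, the internet-facing interface is passive so EIGRP is never spoken toward the ISP, and the router-to-PIX link is MD5 authenticated. The prefixes 192.168.100.0/24 (router-to-PIX link) and 192.168.200.0/24 (LAN), the key chain name and the shared secret are constructed values; EIGRP on the PIX side assumes 8.0 or later code, since it is not in 7.22.

```cisco
!==== Edge router (IOS), between the cable modem and the PIX ====
! Addresses are constructed for this example: 192.168.100.0/24 is the link
! to the PIX outside interface, 192.168.200.0/24 is the LAN behind the PIX.
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-SHARED-SECRET
!
interface FastEthernet0/0
 description Internet (DHCP from ISP)
 ip address dhcp
 ip nat outside
!
interface FastEthernet0/1
 description Link to PIX outside interface
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 ip authentication mode eigrp 5 md5
 ip authentication key-chain eigrp 5 EIGRP-KEYS
!
router eigrp 5
 network 192.168.100.0 0.0.0.255
 passive-interface FastEthernet0/0     ! never speak EIGRP toward the internet
 redistribute static                   ! the DHCP default (AD 254) goes down to the PIX
 no auto-summary
!
! PAT must cover the LAN behind the PIX as well as the link subnet.
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.200.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
!==== PIX/ASA (8.x code), between the edge router and the LAN ====
interface Ethernet0
 nameif outside
 security-level 0                      ! untrusted side
 ip address 192.168.100.253 255.255.255.0
 authentication mode eigrp 5 md5
 authentication key eigrp 5 REPLACE-WITH-SHARED-SECRET key-id 1
!
interface Ethernet1
 nameif inside
 security-level 100                    ! trusted side
 ip address 192.168.200.254 255.255.255.0
!
no nat-control                         ! routed firewall; NAT stays on the router
!
router eigrp 5
 network 192.168.100.0 255.255.255.0
 network 192.168.200.0 255.255.255.0
 passive-interface inside              ! only peer with the edge router
!
! Outside ACL: permit the ICMP that replies and path diagnostics need,
! everything else from the outside falls through to the implicit deny.
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-group OUTSIDE-IN in interface outside
```

With this in place, "show eigrp neighbors" on the PIX should list 192.168.100.254, "show route" should show a D* default learned from it, and "show ip route eigrp" on the router should show 192.168.200.0/24 via 192.168.100.253. If the neighbor never appears, a key mismatch between the two sides is the first thing to check.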
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 05, 2011, 01:17:23 PM
thanks for the reply.

I will give this a shot. I have made so many changes it's kinda gotten out of hand.  Test lab though.

Between the tunnel, switching routers around, adding multiple routers, adding multiple VLANs, adding new switches, dealing with a 200 foot cabling issue, and moving the equipment to a different location in the house, it has gotten kind of silly.   My config didn't look like this though and it seemed to work without a hitch.  Kind of like now.  I don't have the pix in place and it's not complaining.   RIP and EIGRP updates are happening.

Anyway.  I'm by no means a wiz at this, but I really enjoy working with it. I also appreciate yours and any help I receive.

Thank  You..

I've got to go out for a while. I'll be back and let you know what I find.

Thanks

Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 05, 2011, 08:12:37 PM
Hi there.  I tried the config changes and the results are the same. 

Hmm.  I wonder why the PC can connect via the firewall and the network can not.
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 06, 2011, 10:06:10 AM
Well, I am able to ping from the firewall and from the inside router.  I was missing a route command on the inside of the firewall. But, still can't access the network from the networks on the internal router.  Now, if I ping from the workstation, DNS works but no pings are going through. I guess it's time to pull out a mini hub and put it between the workstation and router and sniff the packets.

Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 09, 2011, 01:01:55 PM
I fixed it... ;D ;D ;D ;D ;D ;D

Pix is up and running 

Come to find out, after looking over and over and over the code, reading books, checking myself over and over,
I found there is something different about these two commands:

ip route 0.0.0.0 0.0.0.0 interface
ip route 0.0.0.0 0.0.0.0 next hop

what a pain in the  :o ??? ::)
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: cholzhauer on March 10, 2011, 09:46:34 AM
I assume "interface" is the one that worked?
Title: Re: Cisco Pix/ASA.. Where to place the firewall
Post by: UltraZero on March 13, 2011, 02:16:13 PM
Actually, it didn't.  That is what I have thought all this time.

The one that worked was the next hop..

I don't know why..

Simply one change and bang, up and running...