Cisco 515E Firewall V7 ---> Windows Server

  • Cisco 515E Firewall V7 ---> Windows Server

    Good Morning Gang,

    I have a windows server running from my location, and would like to put a firewall between the internet and windows server..

    I have acquired a Cisco 515E firewall with 6 ports running V7 software and unrestricted.

    I have set the Firewall back to default settings and have full access..

    Can anyone supply a configuration to get me started please, nothing fancy as I would like to learn at the same time and build on it.

    Thanks in advance from Alan

  • #2
    Re: Cisco 515E Firewall V7 ---> Windows Server

    Something like this:

    Management:

    en pass TypePasswordHere
    hostname Firewall
    domain-name joebloggs.com

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    interface ethernet0 100full
    interface ethernet1 100full
    ip address outside "Outside PIX IP" "Subnet"
    ip address inside "Inside PIX IP" "Subnet"
    route outside 0.0.0.0 0.0.0.0 "Router IP"

    Basic Internet Access: (change the 10.0.0.0 255.255.255.0 to your subnet)
    nat (inside) 1 10.0.0.0 255.255.255.0
    global (outside) 1 interface

    Inbound Access:

    static (inside,outside) tcp "External IP" "Port" "Internal IP" "Port" netmask "Subnet"

    access-list "Access List Name" permit tcp any host "External IP" eq "smtp / ftp / www etc"
    access-group "Access List Name" in interface outside


    EDIT:
    Plus
    "write mem" will save
    "write terminal" will show you the config

    EDIT2:
    This is from the wrong doc I think. One min,...
    Last edited by AndyJG247; 14th August 2008, 15:53.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: Cisco 515E Firewall V7 ---> Windows Server

      Hi Andy,

      A very big thank you for the information, and understandable. One question if I may: you have used an inside address 10.0.0.1; I presume I have to change the Windows server IP address from being the original outside IP address to the 10.0.0.X range. Is this correct?

      Thanks for the help.

      All the best from Alan (Who is off to play with new toy)



      • #4
        Re: Cisco 515E Firewall V7 ---> Windows Server

        Inside IP can be anything, just make sure the NAT works,
        i.e.

        ip address inside 10.0.0.2 255.255.255.0
        nat (inside) 1 10.0.0.0 255.255.255.0

        or

        ip address inside 192.168.0.2 255.255.255.0
        nat (inside) 1 192.168.0.0 255.255.255.0

        it doesn't matter as long as you use the same subnet for the NAT bit.

        I'm digging out my 7 docs though as I think some of this may be for 6.

        EDIT:
        http://www.cisco.com/en/US/docs/secu...e/cmd_ref.html CMD REF
        cheers
        Andy




        • #5
          Re: Cisco 515E Firewall V7 ---> Windows Server

          Hi Andy,

          Thank you for the command information, very helpful.

          This is what I have so far...

          hostname fw84
          domain-name askmema.com
          nameif ethernet0 outside security0
          nameif ethernet1 inside security100
          interface ethernet0 100full
          interface ethernet1 100full
          ip address outside 82.70.83.?? 255.255.255.248
          ip address inside 192.168.2.74 255.255.255.0
          route outside 0.0.0.0 0.0.0.0 82.70.83.86 1
          Basic Internet Access:
          nat (inside) 1 192.168.2.0 255.255.255.0 0 0
          global (outside) 1 interface

          Inbound Access:
          static (inside,outside) tcp interface www 192.168.2.84 www netmask 255.255.255.255 0 0
          static (inside,outside) tcp interface ftp 192.168.2.84 ftp netmask 255.255.255.255 0 0
          static (inside,outside) tcp interface smtp 192.168.2.84 smtp netmask 255.255.255.255 0 0
          static (inside,outside) tcp interface ssh 192.168.2.84 ssh netmask 255.255.255.255 0 0

          access-list servergrp permit tcp any host 82.70.83.?? eq ssh
          access-list servergrp permit tcp any host 82.70.83.?? eq ftp
          access-list servergrp permit tcp any host 82.70.83.?? eq smtp
          access-list servergrp permit tcp any host 82.70.83.?? eq http
          access-group servergrp in interface outside

          Now on the Windows server I used to use the 82.70.83.X and 82.70.83.Y IPs.
          I presume I replace them now with 192.168.2.85 and 86.

          Am I on the right track, Andy?

          All the best from Alan
          Last edited by stewartrose; 15th August 2008, 09:51.



          • #6
            Re: Cisco 515E Firewall V7 ---> Windows Server

            Couple of small bits

            The things like "Basic Internet Access:" were just for your info, so you can remove that line from the config.

            I have changed it slightly:

            Code:
            hostname fw84
            domain-name askmema.com
            nameif ethernet0 outside security0
            nameif ethernet1 inside security100
            interface ethernet0 100full
            interface ethernet1 100full
            ip address outside 82.70.83.?? 255.255.255.248
            ip address inside 192.168.2.74 255.255.255.0
            route outside 0.0.0.0 0.0.0.0 82.70.83.86 1
            nat (inside) 1 192.168.2.0 255.255.255.0 0 0
            global (outside) 1 interface
            static (inside,outside) tcp interface www 192.168.2.84 www netmask 255.255.255.255 0 0
            static (inside,outside) tcp interface ftp 192.168.2.84 ftp netmask 255.255.255.255 0 0
            static (inside,outside) tcp interface smtp 192.168.2.84 smtp netmask 255.255.255.255 0 0
            static (inside,outside) tcp interface ssh 192.168.2.84 ssh netmask 255.255.255.255 0 0
            access-list servergrp permit tcp any host 82.70.83.?? eq ssh
            access-list servergrp permit tcp any host 82.70.83.?? eq ftp
            access-list servergrp permit tcp any host 82.70.83.?? eq smtp
            access-list servergrp permit tcp any host 82.70.83.?? eq http
            access-group servergrp in interface outside
            ------------------------------------------------

            Changes were just:
            NAT - you had 192.168.0.0, not 192.168.2.0, which would match your internal IP range,
            plus the removal of the extra lines.


            Other than that looks good to me
            cheers
            Andy




            • #7
              Re: Cisco 515E Firewall V7 ---> Windows Server

              Good Morning Andy,

              I always work from a doc file; that way I don't miss anything I am told. All is loaded into the PIX, and yes, it should be 192.168.2.0. In fact the PIX put it right and I did not notice it.

              How do I enable ping through the firewall, just for diagnostic purposes?

              All the best from Alan [ Thanks I am learning a lot ]



              • #8
                Re: Cisco 515E Firewall V7 ---> Windows Server

                Moved to Cisco Security where it belongs.
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"



                • #9
                  Re: Cisco 515E Firewall V7 ---> Windows Server

                  Excellent.
                  Ping depends on what you want to achieve.
                  From what to what?
                  The inside interface should be pingable already.

                  Have a look at
                  http://www.cisco.com/en/US/products/...80094e8a.shtml

                  and

                  http://www.cisco.com/en/US/docs/secu...nce/i1_72.html
                  cheers
                  Andy




                  • #10
                    Re: Cisco 515E Firewall V7 ---> Windows Server

                    Hi Andy,

                    All good information now I can ping both ways showing at least there is a path both ways through the pix.

                    Now this is where my skills hit the floor.

                    I have as follows (internet) --- (82.70.83-x -->Ciscopix-->192.168.2.74) ---> Linux server ----> (plesk-hosting-package - ns1.askmema.com = 82.70.83.x)

                    I hope you can understand that. So what IP address do I use on the ethernet card of the server, and what IP address do I use in the Plesk hosting package?

                    I hope I am not taking too much of your time, Andy; sorry if I am.

                    All the best from Alan



                    • #11
                      Re: Cisco 515E Firewall V7 ---> Windows Server

                      No problem.
                      Not 100% sure what you want but you have
                      (internet) --- (82.70.83.1 -->Ciscopix-->192.168.2.74) ---> Linux server 192.168.2.73----> (plesk-hosting-package - ns1.askmema.com = 82.70.83.222)
                      which I take it means

                      There is a service on the linux server that is accessed from the internet.
                      So just like you setup your statics for SMTP etc you just create new ones for the linux box.

                      so (making assumptions as above)

                      static (inside,outside) tcp 82.70.83.222 1025 192.168.2.73 1025
                      then add in your access lists to the current one
                      access-list servergrp permit tcp any host 82.70.83.222 eq 1025

                      Do I have that right?
                      cheers
                      Andy




                      • #12
                        Re: Cisco 515E Firewall V7 ---> Windows Server

                        Hi Andy,

                        Let's throw some more information into the pot, and if the script kiddies want to hack me then have fun.

                        The askmema domain has 2 DNS IPs assigned:

                        ns1.askmema.com = 82.70.83.84
                        ns2.askmema.com = 82.70.83.85

                        Plesk is a domain hosting control panel, and it runs a DNS which points to the above.

                        Now let's take my diagram and put this information in:

                        (internet modem static ip's) ---> (82.70.83.84 outside-->Ciscopix--inside >192.168.2.74)
                        ---->(Linux server eth1 192.168.2.73)
                        ----> (plesk-hosting-package - ns1.askmema.com = 82.70.83.84 & ns2.askmema.com = 82.70.83.85)

                        And this is what I have so far with your help; saves looking back.

                        nameif ethernet0 outside security0
                        nameif ethernet1 inside security100
                        hostname fw84
                        domain-name askmema.com
                        fixup protocol ftp 21
                        fixup protocol http 80
                        fixup protocol h323 h225 1720
                        fixup protocol h323 ras 1718-1719
                        fixup protocol ils 389
                        fixup protocol rsh 514
                        fixup protocol rtsp 554
                        fixup protocol smtp 25
                        fixup protocol sqlnet 1521
                        fixup protocol sip 5060
                        fixup protocol skinny 2000
                        names
                        object-group service srvgrp_dns tcp-udp
                        port-object eq domain
                        object-group service srvgrp_tcp tcp
                        port-object eq www
                        port-object eq ftp
                        port-object eq pop3
                        port-object eq ssh
                        port-object eq https
                        port-object eq 1025
                        object-group icmp-type srvgrp_ping
                        icmp-object echo
                        icmp-object echo-reply
                        icmp-object time-exceeded
                        icmp-object unreachable
                        object-group service srvgrp_udp udp
                        port-object eq domain
                        access-list outside_in permit icmp any any object-group srvgrp_ping
                        access-list outside_in permit tcp any any object-group srvgrp_tcp
                        access-list outside_in permit udp any any object-group srvgrp_dns
                        access-list outside_in permit udp any any object-group srvgrp_udp
                        interface ethernet0 10full
                        interface ethernet1 10full
                        mtu outside 1500
                        mtu inside 1500
                        ip address outside 82.70.83.84 255.255.255.248
                        ip address inside 192.168.2.74 255.255.255.0
                        arp timeout 14400
                        global (outside) 1 interface
                        nat (inside) 1 192.168.2.0 255.255.255.0 0 0
                        static (inside,outside) tcp interface www 192.168.2.84 www netmask 255.255.255.255 0 0
                        static (inside,outside) tcp interface ftp 192.168.2.84 ftp netmask 255.255.255.255 0 0
                        static (inside,outside) tcp interface ssh 192.168.2.84 ssh netmask 255.255.255.255 0 0
                        static (inside,outside) tcp interface smtp 192.168.2.84 smtp netmask 255.255.255.255 0 0
                        static (inside,outside) tcp interface https 192.168.2.84 https netmask 255.255.255.255 0 0
                        static (inside,outside) tcp interface 1025 192.168.2.73 1025 netmask 255.255.255.255 0 0
                        access-group outside_in in interface outside
                        route outside 0.0.0.0 0.0.0.0 82.70.83.86 1

                        So the overall effect, Andy, is to run a website behind a firewall. It would be a lot simpler if I did not have to use NAT, but I'm not sure if that is possible.

                        Thanks again...

                        All the best from Alan
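                        The slips the thread runs into (a NAT subnet that does not match the inside interface, ACL permits with no static behind them, statics the outside ACL never permits) are easy to catch before a `write mem`. The checker below is an added example written for this thread, not code from the forum or from Cisco; it parses only the `ip address inside`, `nat (inside)`, `static ... tcp|udp` and `access-list ... eq <port>` forms used above, its port-name table is an assumed subset of the PIX literals, and the sample config is constructed from the posts with the pre-correction NAT line from post #5.

```python
import ipaddress

# Constructed sample modelled on the thread: inside interface, the NAT line as it stood
# before Andy's fix in #6 (192.168.0.0 instead of 192.168.2.0), two statics, and an ACL
# that permits ssh although nothing in this sample forwards ssh.
SAMPLE_CONFIG = """\
ip address inside 192.168.2.74 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface
static (inside,outside) tcp interface www 192.168.2.84 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.2.84 smtp netmask 255.255.255.255 0 0
access-list servergrp permit tcp any host 82.70.83.84 eq http
access-list servergrp permit tcp any host 82.70.83.84 eq ssh
access-group servergrp in interface outside
"""

# Port literals seen in the thread; "www" and "http" both mean 80 (assumed subset of PIX names).
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "www": 80, "http": 80,
              "pop3": 110, "https": 443}

def port_number(token):
    """Numeric ports pass through; known names are mapped; unknown names are kept as text."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token, token)

def check_pix_config(text):
    """Return findings for the three mistakes the thread runs into, in a fixed order."""
    inside_net, nat_nets, statics, permits = None, [], set(), set()
    for line in text.splitlines():
        p = line.split()
        if p[:3] == ["ip", "address", "inside"]:
            inside_net = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        elif p[:2] == ["nat", "(inside)"]:
            nat_nets.append(ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False))
        elif p[:1] == ["static"] and p[2] in ("tcp", "udp"):
            statics.add((p[2], port_number(p[4])))          # (proto, mapped port)
        elif p[:1] == ["access-list"] and p[2] == "permit" and "eq" in p:
            permits.add((p[3], port_number(p[p.index("eq") + 1])))
    findings = []
    # 1. The nat statement must cover the subnet the inside interface sits on.
    if inside_net and not any(inside_net.subnet_of(n) for n in nat_nets):
        findings.append(f"nat (inside) does not cover the inside subnet {inside_net}")
    # 2. A permit with no matching static is a dead rule: nothing translates, so tighten it.
    for proto, port in sorted(permits - statics, key=str):
        findings.append(f"access-list permits {proto}/{port} but no static forwards it")
    # 3. A static with no permit is a forward the outside ACL silently drops.
    for proto, port in sorted(statics - permits, key=str):
        findings.append(f"static forwards {proto}/{port} but the outside ACL never permits it")
    return findings
```

Call `check_pix_config(SAMPLE_CONFIG)` to see the three findings; paste in the output of `write terminal` instead of the sample to check a live box.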

