Cisco PIX - dual firewall setup


  • Cisco PIX - dual firewall setup

    I'm looking for some help to wrap my head around configuring dual PIX firewalls to protect a DMZ.
    Our current setup is a single PIX with internal, external and DMZ interfaces. My manager wants us to move to a dual firewall config:
    internet ---- |fw1| ----dmz---- |fw2| ---- internal

    I can't find any config examples like this on the Cisco site or even a discussion on the theory behind this or 'things to consider'. I'm planning on attacking each FW separately: internal can talk to DMZ but not internet. Internet can talk to DMZ but not internal.

    Part of the config that concerns me is our VPN server and site-to-site VPN. Right now the VPN server sits on the internal network - how would I configure rules to properly pass the VPN request from the internet to FW1 to DMZ to FW2 to internal server and back out? Where would I need to configure the site-to-site VPN and what settings would I need to configure?

    If anyone has any pointers or suggestions as to where to begin/things to consider, I'd appreciate it greatly, especially if someone can help me understand how VPN pieces would work.

    Thanks!
    Greg

  • #2
    Re: Cisco PIX - dual firewall setup

    Moved to Cisco security
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Cisco PIX - dual firewall setup

      What type of PIXs? PIXEN? PIXENS? or whatever it is!

      The rules could get quite complicated. What do you have set up on the current PIX for your internal VPN?
      The PIX itself can be a VPN endpoint.

      Like you say though, I agree it is easier to do one by one.
      cheers
      Andy

      Quis custodiet ipsos custodes?



      • #4
        Re: Cisco PIX - dual firewall setup

        Right now the PIX 515 is passing through all GRE and PPTP on the external IP to the internal IP of the VPN server. The theory behind the translations is messing with my head.



        • #5
          Re: Cisco PIX - dual firewall setup

          If you have the current config it should be fairly easy to set up the new PIX. Just would take a bit of time.

          Makes it easier to think of it in terms of external and internal. The first PIX has an internal network and external just happens to be another network. The second PIX's internal is just the same network.
          Well, now I read through that...

          Do you have the config you can post without personally identifiable material?
          cheers
          Andy

          Quis custodiet ipsos custodes?



          • #6
            Re: Cisco PIX - dual firewall setup

            : Saved
            :
            PIX Version 6.3(1)
            interface ethernet0 auto
            interface ethernet1 auto
            interface ethernet2 auto
            nameif ethernet0 outside security0
            nameif ethernet1 inside security100
            nameif ethernet2 dmz security4
            enable password encrypted
            passwd encrypted
            hostname Corp1
            domain-name corp1.com
            fixup protocol ftp 21
            fixup protocol h323 h225 1720
            fixup protocol h323 ras 1718-1719
            fixup protocol http 80
            fixup protocol ils 389
            fixup protocol pptp 1723
            fixup protocol rsh 514
            fixup protocol rtsp 554
            fixup protocol sip 5060
            fixup protocol sip udp 5060
            fixup protocol skinny 2000
            no fixup protocol smtp 25
            fixup protocol sqlnet 1521
            names
            access-list outside_access_in permit tcp any host x.x.x.27 eq smtp
            access-list outside_access_in permit tcp any host x.x.x.32 eq www
            access-list outside_access_in permit tcp any host x.x.x.28 eq www
            access-list outside_access_in permit tcp any host x.x.x.28 eq https
            access-list outside_access_in permit tcp any host x.x.x.31 eq www
            access-list outside_access_in permit tcp any host x.x.x.34 eq ftp
            access-list outside_access_in permit tcp any host x.x.x.34 eq ftp-data
            access-list outside_access_in permit tcp any host x.x.x.27 eq telnet
            access-list outside_access_in permit tcp any host x.x.x.26 eq pptp
            access-list outside_access_in permit gre any host x.x.x.26
            access-list outside_access_in permit tcp any host x.x.x.31 eq https
            access-list outside_access_in permit tcp any host x.x.x.44 eq www
            access-list outside_access_in permit tcp any host x.x.x.44 eq https
            access-list outside_access_in permit tcp any host x.x.x.34 eq ssh
            access-list outside_access_in permit tcp any host x.x.x.38 eq https
            access-list outside_access_in permit tcp any host x.x.x.38 eq www
            access-list outside_access_in permit tcp any host x.x.x.39 eq ssh
            access-list outside_access_in permit tcp any host x.x.x.39 eq www
            access-list outside_access_in permit tcp any host x.x.x.43 eq https
            access-list outside_access_in permit tcp any host x.x.x.43 eq www
            access-list outside_access_in permit tcp any host x.x.x.42 eq https
            access-list outside_access_in permit tcp any host x.x.x.42 eq www
            access-list DMZ_in permit ip any any
            pager lines 24
            logging buffered debugging
            mtu outside 1500
            mtu inside 1500
            mtu dmz 1500
            ip address outside x.x.x.37 255.255.255.0
            ip address inside z.z.z.1 255.255.255.0
            ip address dmz y.y.y.1 255.255.255.0
            ip audit info action alarm
            ip audit attack action alarm
            pdm location z.z.z.21 255.255.255.255 inside
            pdm history enable
            arp timeout 14400
            global (outside) 10 interface
            global (dmz) 10 interface
            nat (inside) 10 0.0.0.0 0.0.0.0 0 0
            nat (dmz) 10 0.0.0.0 0.0.0.0 0 0
            static (dmz,outside) x.x.x.27 y.y.y.77 netmask 255.255.255.255 0 0
            static (dmz,outside) x.x.x.32 y.y.y.18 netmask 255.255.255.255 0 0
            static (dmz,outside) x.x.x.28 y.y.y.65 netmask 255.255.255.255 0 0
            static (dmz,outside) x.x.x.34 y.y.y.36 netmask 255.255.255.255 0 0
            static (inside,outside) x.x.x.26 z.z.z.50 netmask 255.255.255.255 0 0
            static (dmz,outside) x.x.x.31 y.y.y.209 netmask 255.255.255.255 0 0
            static (inside,dmz) z.z.z.0 255.255.255.0 netmask 255.255.255.0 0 0
            static (dmz,outside) x.x.x.38 y.y.y.43 netmask 255.255.255.255 0 0
            static (dmz,outside) x.x.x.39 y.y.y.49 netmask 255.255.255.255 0 0
            static (dmz,outside) x.x.x.44 y.y.y.2 netmask 255.255.255.255 0 0
            static (dmz,outside) x.x.x.43 y.y.y.5 netmask 255.255.255.255 0 0
            static (dmz,outside) x.x.x.42 y.y.y.3 netmask 255.255.255.255 0 0
            access-group outside_access_in in interface outside
            access-group DMZ_in in interface dmz
            route outside 0.0.0.0 0.0.0.0 x.x.x.25 1
            timeout xlate 3:00:00
            timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
            timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
            timeout uauth 0:05:00 absolute
            aaa-server TACACS+ protocol tacacs+
            aaa-server TACACS+ (inside) host z.z.z.50 timeout 10
            aaa-server RADIUS protocol radius
            aaa-server RADIUS (inside) host z.z.z.50 timeout 10
            aaa-server LOCAL protocol local
            http server enable
            http z.z.z.21 255.255.255.255 inside
            no snmp-server location
            no snmp-server contact
            snmp-server community public
            no snmp-server enable traps
            floodguard enable
            telnet z.z.z.21 255.255.255.255 inside
            telnet timeout 5
            ssh timeout 5
            console timeout 0
            terminal width 80
            Cryptochecksum:
            : end


            x.x.x.x = external IPs
            z.z.z.z = internal IPs
            y.y.y.y = DMZ IPs

            Things I'm not sure about how to define:
            VPN (PPTP) traffic in the new dual-firewall setup so it goes from the internet to the internal VPN server.
            Which PIX the Site-to-Site VPN (currently sitting in the test lab and held up because of this new dual-firewall requirement) will go on.
            The other translations for services (http, ftp, etc.) in the new environment are fairly straightforward and I'm not too concerned about those. I will, as suggested, treat each of the PIXes as a firewall with an internal and external interface, even though the interface may actually be the DMZ.

            Thanks Andy! I appreciate your feedback/advice!

            Greg

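Before splitting a single three-interface PIX into the fw1/dmz/fw2 design discussed in this thread, it helps to enumerate exactly which flows in the current config terminate on the inside network, since those are the ones the new policy ("Internet can talk to DMZ but not internal") has to either relocate or re-plumb through both firewalls. The script below is an added example, not code from the thread or from Cisco: it parses the PIX 6.3 nameif, static, access-list and access-group lines and reports every permit entry that reaches an inside host or network via a static translation, plus any ACL bound to a lower-security interface that permits ip any any. The embedded sample is a constructed, trimmed copy of the config posted above, keeping the x/y/z placeholders and writing the (inside,dmz) identity static in the usual mapped/real form; only the address and port syntax forms that appear in that config are handled.

```python
"""Audit which flows in a PIX 6.3 config cross into the inside network.

Added example. Handles only the syntax forms seen in the posted config:
'any', 'host A', 'A MASK' addresses and an optional trailing 'eq PORT'.
The sample config is a constructed, trimmed copy of the one in the thread.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
access-list outside_access_in permit tcp any host x.x.x.27 eq smtp
access-list outside_access_in permit tcp any host x.x.x.26 eq pptp
access-list outside_access_in permit gre any host x.x.x.26
access-list outside_access_in permit tcp any host x.x.x.34 eq ssh
access-list DMZ_in permit ip any any
static (dmz,outside) x.x.x.27 y.y.y.77 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.26 z.z.z.50 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.34 y.y.y.36 netmask 255.255.255.255 0 0
static (inside,dmz) z.z.z.0 z.z.z.0 netmask 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group DMZ_in in interface dmz
"""

_NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
_STATIC = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")
_GROUP = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def _addr(tokens, i):
    """Consume one address spec ('any', 'host A', or 'A MASK') starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "255.255.255.255", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_config(text):
    """Collect interface security levels, statics, ACL entries and ACL bindings."""
    cfg = {"levels": {}, "acls": defaultdict(list), "statics": [], "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _NAMEIF.match(line):
            cfg["levels"][m.group(1)] = int(m.group(2))
        elif m := _STATIC.match(line):
            high, low, mapped, real, mask = m.groups()
            cfg["statics"].append({"high": high, "low": low, "mapped": mapped,
                                   "real": real, "mask": mask})
        elif m := _GROUP.match(line):
            cfg["groups"][m.group(2)] = m.group(1)   # interface -> ACL name
        elif line.startswith("access-list "):
            t = line.split()
            src, _src_mask, i = _addr(t, 4)
            dst, dst_mask, i = _addr(t, i)
            port = t[i + 1] if i < len(t) and t[i] == "eq" else None
            cfg["acls"][t[1]].append({"action": t[2], "proto": t[3], "src": src,
                                      "dst": dst, "dst_mask": dst_mask, "port": port})
    return cfg


def _dst_covers(ace, mapped):
    # The x/y/z placeholders are not real IPs, so a network destination is
    # matched by address equality rather than by prefix arithmetic.
    return ace["dst"] == "any" or ace["dst"] == mapped


def inside_exposures(text):
    """One finding per permit ACE that reaches an inside host/network through a static."""
    cfg = parse_config(text)
    findings = []
    for st in cfg["statics"]:
        if st["high"] != "inside":
            continue                      # statics that only expose the DMZ are out of scope
        acl = cfg["groups"].get(st["low"])
        for ace in cfg["acls"].get(acl, []):
            if ace["action"] == "permit" and _dst_covers(ace, st["mapped"]):
                findings.append({"iface": st["low"], "acl": acl, "mapped": st["mapped"],
                                 "mask": st["mask"], "real": st["real"],
                                 "proto": ace["proto"], "port": ace["port"]})
    return findings


def wide_open_acls(text):
    """ACLs bound below the inside security level that permit ip any -> any."""
    cfg = parse_config(text)
    inside_level = cfg["levels"].get("inside", 100)
    hits = []
    for iface, acl in cfg["groups"].items():
        if cfg["levels"].get(iface, 0) >= inside_level:
            continue
        if any(a["action"] == "permit" and a["proto"] == "ip"
               and a["src"] == "any" and a["dst"] == "any" for a in cfg["acls"][acl]):
            hits.append((iface, acl))
    return hits


if __name__ == "__main__":
    for f in inside_exposures(SAMPLE_CONFIG):
        print(f"{f['iface']:<8} {f['acl']:<18} {f['proto']:<4} {f['port'] or '-':<6} "
              f"{f['mapped']} -> {f['real']} (inside)")
    for iface, acl in wide_open_acls(SAMPLE_CONFIG):
        print(f"{iface}: {acl} permits ip any any toward the inside network")
```

On the sample it reports three inside-bound flows: PPTP and GRE from the outside to the VPN server behind x.x.x.26, and the DMZ_in any/any entry, which together with the (inside,dmz) identity static lets any DMZ host open connections to the whole inside network. The first two are the path Greg asks about, and in the two-firewall layout each of them needs a static and an ACL entry on both PIXes; the third is worth tightening to the specific DMZ-to-inside services actually required before the migration, since it would otherwise carry over unchanged onto fw2.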