Cisco PIX firewall Set up 3 security zones
***CS580***
John Trafecanty, Jules R. Nya Baweu
August 23, 2005
PIX with 3 interfaces - 3 security zones
Purpose
- This is the most common PIX configuration in enterprise networks today.
- It allows company servers sitting on the DMZ interface to be reached from the public network while the computers on the inside interface remain inaccessible to intruders.
Firewall policy rules
- Inside users can initiate connections to the outside and to the DMZ.
- Outside users can initiate connections only to the DMZ, and only to the services explicitly permitted there; they cannot reach the inside.
- DMZ servers can initiate connections only to the outside, not to the inside.
PIX with 3 interfaces - 3 security zones (diagram: Outside, Inside and DMZ interfaces)
Our environment of work
Our setup
Our setup - Simplified
Config. on Switch S2 - Vlan
Config. on Router R5
Config. on Router R6
Detailed config. commands on the Cisco PIX Firewall
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 100basetx
ip address outside 209.165.201.3 255.255.255.224
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
arp timeout 14400
names
name 192.168.0.2 webserver
pager lines 24
logging console 7
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 192.168.0.0 255.255.255.0
global (outside) 1 209.165.201.10-209.165.201.30
global (outside) 1 209.165.201.5
global (dmz) 1 192.168.0.10-192.168.0.20
static (dmz,outside) 209.165.201.6 webserver
Detailed config. commands on the Cisco PIX Firewall (continued)
access-list acl_out permit tcp any host 209.165.201.6 eq http
access-group acl_out in interface outside
rip outside passive version 2
rip outside default version 2
rip inside passive version 1
rip dmz passive version 2
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
mtu outside 1500
mtu inside 1500
mtu dmz 1500
telnet 10.0.0.199 inside
telnet timeout 5
terminal width 80
Config. on Pix firewall
Scenario of traffic from inside to the outside - Telnet to the router R4
"This traffic is allowed" (inside has security level 100, outside has 0, and the nat/global pair gives the inside hosts a translation)
Scenario of traffic from inside to the outside - ping to the router R4
"This traffic is allowed"
Scenario of traffic from outside to the inside - Telnet to Router R6
"Destination unreachable": R6 sits on the private (RFC 1918) inside network, which is not routable from the outside and has neither a static translation nor an access-list permit on the outside interface.
Scenario of traffic from outside to the DMZ - ping to Router R5
"Only HTTP traffic is allowed into the DMZ from outside": acl_out permits only TCP port 80 to the web server's static address 209.165.201.6, so ICMP is dropped.
Scenario of traffic from outside to the DMZ - status on the PIX firewall after the ping to Router R5
"Only HTTP traffic is allowed into the DMZ from outside"
Scenario of traffic from outside to the DMZ - Telnet to Router R5
"Telnet is not allowed into the DMZ from outside"
Scenario of traffic from outside to the DMZ - status on the PIX firewall after the Telnet to Router R5
"Telnet is not allowed into the DMZ from outside"
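The policy rules and the test scenarios above follow from two PIX mechanisms: traffic from a higher security level to a lower one is allowed once a nat/global pair exists for it, and traffic from a lower level to a higher one needs both a static translation and an inbound access-list permit on the ingress interface. The model below, added here as an illustration and not code from the lab or from Cisco, encodes the lab's nameif, ip address, nat/global, static and access-list commands as data and replays each scenario through those rules. The host addresses used in the checks (an inside host at 10.0.0.5, an outside host at 209.165.201.2, R4 at the default gateway 209.165.201.1) are constructed assumptions; only the network prefixes, the static and the ACL come from the config on the slides.

```python
"""Decision model for the lab's three-zone PIX policy (added example, not the lab's own code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# nameif ethernet0 outside security0 / ethernet1 inside security100 / ethernet2 dmz security50
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}

# ip address <interface> ... : the directly connected networks
SUBNETS = {
    "outside": ipaddress.ip_network("209.165.201.0/27"),
    "inside": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.168.0.0/24"),
}

# nat (inside) 1 and nat (dmz) 1 together with global (outside) 1 and global (dmz) 1
# give every higher-to-lower direction a translation.
NAT_PAIRS = {("inside", "outside"), ("inside", "dmz"), ("dmz", "outside")}

# static (dmz,outside) 209.165.201.6 webserver  (name 192.168.0.2 webserver)
STATICS = {ipaddress.ip_address("209.165.201.6"): ("dmz", ipaddress.ip_address("192.168.0.2"))}

# access-list acl_out permit tcp any host 209.165.201.6 eq http, applied inbound on outside.
# Entry layout: (protocol, source network or "any", destination host or "any", destination port or None)
ACLS = {"outside": [("tcp", "any", ipaddress.ip_address("209.165.201.6"), 80)]}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    ingress: str
    egress: Optional[str] = None
    real_dst: Optional[str] = None


def zone_of(ip):
    """Interface whose connected subnet holds ip; anything else follows the default route to outside."""
    ip = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return "outside"  # route outside 0.0.0.0 0.0.0.0 209.165.201.1 1


def _acl_permits(entries, proto, src, dst, dport):
    for e_proto, e_src, e_dst, e_port in entries:
        if e_proto != proto:
            continue
        if e_src != "any" and src not in e_src:
            continue
        if e_dst != "any" and dst != e_dst:
            continue
        if e_port is not None and dport != e_port:
            continue
        return True
    return False


def decide(src, dst, proto, dport=None):
    """Can a host at src open a proto/dport connection to dst through this PIX?"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = zone_of(src)
    # A static is consulted only for packets arriving on its global side (outside here).
    if ingress == "outside" and dst in STATICS:
        egress, real_dst = STATICS[dst]
    else:
        egress, real_dst = zone_of(dst), dst
    if ingress == egress:
        return Verdict(False, "same interface, the PIX does not hairpin traffic", ingress, egress)
    if SECURITY[ingress] > SECURITY[egress]:
        if (ingress, egress) not in NAT_PAIRS:
            return Verdict(False, "no nat/global pair for this direction", ingress, egress)
        return Verdict(True, "higher to lower security level with NAT", ingress, egress, str(real_dst))
    # Lower to higher: the inbound ACL on the ingress interface matches the global (pre-translation) address.
    if ingress not in ACLS or not _acl_permits(ACLS[ingress], proto, src, dst, dport):
        return Verdict(False, "no access-list permit on the ingress interface", ingress, egress)
    if dst not in STATICS:
        return Verdict(False, "permitted by the access-list but no static translation", ingress, egress)
    return Verdict(True, "access-list permit plus static translation", ingress, egress, str(real_dst))


if __name__ == "__main__":
    # Constructed scenarios mirroring the slides' tests (addresses assumed, see lead-in).
    checks = [
        ("10.0.0.5", "209.165.201.1", "tcp", 23),          # inside -> R4 on outside, Telnet
        ("10.0.0.5", "209.165.201.1", "icmp", None),       # inside -> R4, ping
        ("209.165.201.2", "10.0.0.5", "tcp", 23),          # outside -> inside (R6's zone), Telnet
        ("209.165.201.2", "209.165.201.6", "icmp", None),  # outside -> DMZ static, ping
        ("209.165.201.2", "209.165.201.6", "tcp", 23),     # outside -> DMZ static, Telnet
        ("209.165.201.2", "209.165.201.6", "tcp", 80),     # outside -> DMZ static, HTTP
        ("192.168.0.2", "10.0.0.5", "tcp", 80),            # DMZ -> inside
        ("192.168.0.2", "209.165.201.1", "tcp", 25),       # DMZ -> outside
    ]
    for c in checks:
        v = decide(*c)
        print(f"{c[0]:>15} -> {c[1]:<15} {c[2]}/{c[3]}: {'ALLOW' if v.allowed else 'DENY '} ({v.reason})")
```

Running the script prints one verdict per scenario; the HTTP case is the only lower-to-higher flow that passes, and it is reported with the egress interface dmz and the real destination 192.168.0.2 that the static supplies.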
Conclusion
This lab project has shown an example of how to configure a stateful packet filter, the Cisco PIX Firewall.
The three security zone scheme used to set up the Cisco PIX firewall is in use today in complex networks and provides effective protection for enterprise networks.