please help me understand

I'm at a new job and one of my new duties is the network. I am beginning to understand the network here as currently installed. I seek understanding of a better, more robust, more secure, more stable method of configuring the network.

As an 'edge router' (between the internet and the company) there is a Netopia router, then a PIX 506 (not E), then a single (to me, normal) switch and a bunch of mini-switches/mini-hubs.

I've been doing a lot of reading, though as you know it is difficult to condense into two weeks the equivalent of many years of experience. It seems that I need to implement 'security zones' and re-arrange a few things.

So, what I have right now is:

internet : netopia : pix 506 : inside
              ^
              |
I think the DMZ is here, somehow routed inside for updating an external web site, email, ftp, etc., from a different interface off the netopia.

What I think I need is something like:

internet : netopia : pix 506 : layer 3 switch : layer 2 switches

In reading the configuration below, please tell me what you see that may/should be fixed or is odd. I see the current PIX version is 6.3(3). This should be upgraded to (5), yes? What else?

I currently have four VPN users. Is there an easier way to set up VPNs? I prefer having ssh (22) access to my work from home. Is ssh not a good way anymore? Should I create a VPN for myself or an ssh connection for myself? How do I create that connection?

I have changed a few things in the configuration below to try and protect some privacy. (Jack Webb).

I know, I have lots of questions.

Mike

-------------------- PIX 506
pix# show version

Cisco PIX Firewall Version 6.3(3)132
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 14-Apr-04 20:48 by morlee

pix up 6 days 20 hours

Hardware:   PIX-506, 32 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 8MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0005.328f.e9d6, irq 11
1: ethernet1: address is 0005.328f.e9d7, irq 10

Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Limited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 405122448 (0x1825ad90)
Running Activation Key: 0x247870f8 0xad413df1 0x2a0b7b8e 0xea754f15
Configuration last modified by enable_15 at 08:57:12.426 UTC Tue Jul 18 2006

pix# show config
: Saved
: Written by enable_15 at 09:47:02.484 UTC Sat Dec 17 2005
PIX Version 6.3(3)132
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 99A2kzdTZd93B/I8 encrypted
passwd 99A2kzdTZd93B/I8 encrypted
hostname pix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 64.105.97.148 basis2-outside
name 10.1.2.54 basis2-inside
object-group network basis
  network-object basis2-inside 255.255.255.255
  network-object 10.1.2.49 255.255.255.255
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any host 152.24.83.52 eq ssh
access-list 101 permit tcp any host 152.24.83.52 eq 28022
access-list 100 permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list user3group_splitTunnelAcl permit ip 10.1.2.0 255.255.255.0 any
pager lines 24
logging on
logging buffered errors
mtu outside 1500
mtu inside 1500
ip address outside 152.24.83.50 255.255.255.248
ip address inside 10.1.2.50 255.255.255.0
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ipsecpool 10.1.3.1-10.1.3.100
ip local pool user1 10.1.3.110
ip local pool user2 10.1.3.120
ip local pool user3 10.1.3.130
pdm location 10.1.2.31 255.255.255.255 inside
pdm location 10.1.2.49 255.255.255.255 inside
pdm location 10.1.3.0 255.255.255.0 outside
pdm location 10.1.2.0 255.255.255.0 inside
pdm location 10.1.3.0 255.255.255.0 inside
pdm location basis2-inside 255.255.255.255 inside
pdm location basis2-outside 255.255.255.255 outside
pdm group basis inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.1.2.0 255.255.255.0 0 0
static (inside,outside) tcp 152.24.83.52 ssh 10.1.2.49 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 152.24.83.52 28022 basis2-inside 28022 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 152.24.83.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.3.0 255.255.255.0 outside
http 10.1.2.0 255.255.255.0 inside
http 10.1.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpngrp address-pool ipsecpool
vpngroup vpngrp split-tunnel 100
vpngroup vpngrp idle-time 28800
vpngroup vpngrp password ********
vpngroup user1group address-pool user1
vpngroup user1group split-tunnel 100
vpngroup user1group idle-time 28800
vpngroup user1group password ********
vpngroup user2group address-pool user2
vpngroup user2group split-tunnel 100
vpngroup user2group idle-time 28800
vpngroup user2group password ********
vpngroup user3group address-pool user3
vpngroup user3group split-tunnel user3group_splitTunnelAcl
vpngroup user3group idle-time 3600
vpngroup user3group password ********
vpngroup user4group address-pool ipsecpool
vpngroup user4group dns-server 10.1.2.37
vpngroup user4group idle-time 7200
vpngroup user4group password ********
telnet 10.1.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:87e86739b4b7103b105888bb863304ab

-------------------- PIX 506
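Mike asks what in the configuration "may/should be fixed or is odd". As an added example (not part of Mike's post and not a Cisco or forum tool), the script below walks a PIX 6.x configuration one command per line and flags the management and VPN settings a reviewer would raise first: the default `public` SNMP community, single-DES and MD5 in the IKE policy and IPsec transform set, cleartext Telnet management, PDM/HTTP management reachable through the outside interface, SSH forwarded to an inside host from any source, split tunnelling, and error-level-only buffered logging with no syslog host. The `SAMPLE_CONFIG` is an excerpt of the configuration posted above; the rule set and severities are the author's own judgement, not a Cisco baseline.

```python
"""Audit a Cisco PIX 6.x configuration for weak management and VPN settings (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" or "medium" (reviewer's judgement, not a vendor rating)
    command: str    # the offending configuration line
    issue: str      # why it matters and what to change


# Excerpt of the PIX 6.3 configuration posted above, one command per line.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit tcp any host 152.24.83.52 eq ssh
access-list 101 permit tcp any host 152.24.83.52 eq 28022
logging on
logging buffered errors
http server enable
http 10.1.3.0 255.255.255.0 outside
http 10.1.2.0 255.255.255.0 inside
snmp-server community public
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup vpngrp split-tunnel 100
telnet 10.1.2.0 255.255.255.0 inside
ssh timeout 5
"""

# Each rule: (regex matched against one command, severity, explanation).
RULES = [
    (re.compile(r"^snmp-server community (public|private)$"), "high",
     "default SNMP community string; set a unique string or disable SNMP"),
    (re.compile(r"^isakmp policy \d+ encryption des$"), "high",
     "single DES for IKE; use 3DES/AES (needs the VPN-3DES-AES licence)"),
    (re.compile(r"^isakmp policy \d+ hash md5$"), "medium",
     "MD5 for IKE integrity; prefer SHA"),
    (re.compile(r"^crypto ipsec transform-set \S+ .*esp-des\b"), "high",
     "single DES for IPsec data protection"),
    (re.compile(r"^telnet \S+ \S+ \S+$"), "medium",
     "cleartext Telnet management enabled; use SSH only"),
    (re.compile(r"^http \S+ \S+ outside$"), "medium",
     "PDM/HTTP management reachable via the outside interface"),
    (re.compile(r"^access-list \S+ permit tcp any host \S+ eq (ssh|22)$"), "medium",
     "SSH forwarded to an inside host from any source; restrict sources or move it behind the VPN"),
    (re.compile(r"^vpngroup \S+ split-tunnel \S+$"), "medium",
     "split tunnelling lets the VPN client reach the Internet and the LAN at once"),
    (re.compile(r"^logging buffered (errors|critical|alerts|emergencies)$"), "medium",
     "only error-level events are buffered; log at informational level to a syslog host"),
]


def parse_config(text: str) -> list[str]:
    """Return stripped, non-empty commands, dropping ': Saved'-style header lines."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith(":")]


def audit(commands: list[str]) -> list[Finding]:
    """Apply every rule to every command; a command can trigger several rules."""
    findings: list[Finding] = []
    for cmd in commands:
        for pattern, severity, issue in RULES:
            if pattern.search(cmd):
                findings.append(Finding(severity, cmd, issue))
    return findings


def has_syslog_host(commands: list[str]) -> bool:
    """True if a 'logging host <if> <ip>' line sends events off the box."""
    return any(c.startswith("logging host ") for c in commands)


if __name__ == "__main__":
    cmds = parse_config(SAMPLE_CONFIG)
    for f in sorted(audit(cmds), key=lambda f: f.severity):   # "high" sorts before "medium"
        print(f"[{f.severity:6}] {f.command}\n         {f.issue}")
    if not has_syslog_host(cmds):
        print("[medium] no 'logging host' configured: buffered events are lost on reboot")
```

Run it against the full `show config` output (saved one command per line) to get the same report for the whole box; add a rule to `RULES` for anything else you decide the site should never carry.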
