Cisco PIX config check

tdg

Cisco gurus, tell me if this config is OK, terrible, will blow up my PIX 501, etc. It's a config hacked from pieces of a PAT config that was working, some added port forwarding, and the default config. If anything's wrong tell me what and why and how to fix it, I'm trying to learn this stuff :D I don't have access to my PIX right now so I can't go ahead and test it unfortunately.

EDIT: Updated config.

Code:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname toaster
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8080-8081
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.100.101 workstation1
name 192.168.100.102 workstation2
name 168.168.100.113 netprinter1
object-group icmp-type friendly_icmp
icmp-object echo
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
object-group network rfc1918
network-object 192.168.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
network-object 10.0.0.0 255.0.0.0
object-group protocol tcp_udp
protocol-object tcp
protocol-object udp
object-group network inside
network-object 192.168.100.0 255.255.255.0
object-group service http8080 tcp
port-object range 8080 8080
access-list outside permit icmp any any object-group friendly_icmp log 
access-list inside permit ip object-group inside any 
access-list inside deny ip object-group rfc1918 any log 
access-list outside permit tcp any host workstation1 eq 400
access-list outside permit tcp any host workstation1 eq 1400
access-group outside in interface outside
access-group inside in interface inside
static (inside,outside) tcp interface 400 workstation1 400 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1400 workstation1 1400 netmask 255.255.255.255 0 0
pager lines 24
logging on
logging standby
logging monitor notifications
logging buffered notifications
logging trap notifications
logging history notifications
logging queue 2048
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 16
ip address inside 192.168.100.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm logging debugging 100
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 172.16.0.0 255.240.0.0 inside
pdm location workstation1 255.255.255.255 inside
pdm location workstation2 255.255.255.255 inside
pdm location netprinter1 255.255.255.255 inside
pdm location 192.168.100.100 255.255.255.255 inside
pdm location 192.168.100.200 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm group inside inside
pdm group rfc1918 inside
pdm history enable
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.120-192.168.100.129 inside
dhcpd domain ks.ok.cox.net
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
 
For the most part, that looks good.

The rfc1918 filtering that you're doing outbound can also be accomplished by just limiting your nat pool to 192.168.100.0 instead of 0.0.0.0. Anything that the PIX doesn't have a nat pool for won't be translated and thus won't make it out of your network.

Also, I don't think you need that route statement. For a typical config, the only route statement you need is an outside route pointing to your next hop, but you're taking care of that with the setroute option.

Also is this line an error?
static (inside,outside) file_server2 file_server2 netmask 255.255.255.255 0 0

You're mapping a private IP on the outside interface to a private IP internally...unless I'm missing something.

You also might want to change your fixup dns to a max length of 1024 or disable it completely. I've noticed some problems on Windows 2003 DNS servers and that command when it's set to 512. Just FYI.
 
Boscoh said:
For the most part, that looks good.

The rfc1918 filtering that you're doing outbound can also be accomplished by just limiting your nat pool to 192.168.100.0 instead of 0.0.0.0. Anything that the PIX doesn't have a nat pool for won't be translated and thus won't make it out of your network.

Which line would fix that? The "nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0" ?
Boscoh said:

Also is this line an error?
static (inside,outside) file_server2 file_server2 netmask 255.255.255.255 0 0

You're mapping a private IP on the outside interface to a private IP internally...unless I'm missing something.

Yep, that's an error, it was another port forwarded to file_server2, but I seem to have written the name twice instead of the port.

Boscoh said:
You also might want to change your fixup dns to a max length of 1024 or disable it completely. I've noticed some problems on Windows 2003 DNS servers and that command when it's set to 512. Just FYI.

Which would be better, disabling or setting to 1024.. and what exactly does this setting do?
 
tdg said:
Which line would fix that? The "nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0" ?
Yep.


tdg said:
Which would be better, disabling or setting to 1024.. and what exactly does this setting do?
Set it to 1024 and if you have any DNS related problems, just remember to disable that line as one of your first troubleshooting steps. I've never seen a problem since I changed it in our network to 1024, but I still see the PIX dropping some packets that are larger than 1024 (which, when sniffed, look like bogus packets).

This setting controls the maximum size in bytes of a DNS packet passing through the PIX.
 
So the NAT command should become "nat (inside) 1 192.168.100.0 255.255.255.0 dns 0 0" correct?
 
Yep.

Any reason why you're using the 'dns' flag in that statement? I've never used it, so I'm just curious....
 
Boscoh said:
Also is this line an error?
static (inside,outside) file_server2 file_server2 netmask 255.255.255.255 0 0

FYI, that'll work fine in an Identity NAT setup. Other than that the main points have already been covered. However, I too am interested in why you have the DNS flag in the NAT statement.

Oh, you may want to adjust the max connections and max embryonic connections flags to help mitigate DoS (SYN flood) attacks.
 
Good point about limiting the conns and embryonic conns. You can do that in the nat statement as well as in your static statements.
 
BobSutan said:
FYI, that'll work fine in an Identity NAT setup. Other than that the main points have already been covered. However, I too am interested in why you have the DNS flag in the NAT statement.

Oh, you may want to adjust the max connections and max embryonic connections flags to help mitigate DoS (SYN flood) attacks.

The dns flag was from the config the guy I bought it from did for me, no idea what it does. Is it wrong, need to be moved, or ?

As for max and embryonic connections, what's a good number to start with?
 
Boscoh said:
Good point about limiting the conns and embryonic conns. You can do that in the nat statement as well as in your static statements.

I'd be more concerned with the static than the nat, as the static option is where your ingress protection is enabled and gives you your DoS protection.

Setting the variable in the NAT statement only protects others from a potential attack coming from inside your network.

For more information, check out the Flood Defender attack guard feature.


tdg said:
As for max and embryonic connections, what's a good number to start with?

I suggest you let the PIX run for about a week without any limits. At the end of the week do a show conn and you'll see how many concurrent connections were established through the device. That's a good starting point. However, out of the max connections, I don't know how many were inbound and how many were outbound. I'll flip through my books at the house and see what I can come up with.
 
I've updated the config posted, I ripped out some of the extra port forwarding and basics that are irrelevant for now to make it easier to check.

Anything else that should be added or changed, I'm going for a secure setup with only a few ports forwarded I need (400&1400) for now.

And a big thanks to you guys so far, you've been 10x more helpful than my Cisco PIX Firewalls book and google :D
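An added config check written for this thread (not code from any poster and not Cisco tooling); it assumes the PIX 6.x syntax shown in the posted config and tests the points the replies raised: every inbound static has a permitting outside access-list entry, statics carry max-conn/embryonic limits, the nat pool is narrowed to the inside subnet, and every `name` entry is an RFC 1918 address (which catches the 168.168.100.113 line above).

```python
import ipaddress
import re

# Constructed linter for the PIX 6.x config in this thread (not Cisco tooling).
# It checks the reviewers' points: each inbound static has a permitting outside
# ACL entry, statics carry max-conn/embryonic limits, the nat pool is narrowed
# to the inside subnet, and 'name' entries are RFC 1918 addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list outside permit tcp any host (\S+) eq (\d+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\d+) (\S+) (\d+) "
                       r"netmask \S+ (\d+) (\d+)$")
NAT_RE = re.compile(r"^nat \(inside\) 1 (\S+) (\S+)")

# Constructed sample: the relevant lines from the posted config.
SAMPLE_CONFIG = """\
name 192.168.100.101 workstation1
name 168.168.100.113 netprinter1
access-list outside permit tcp any host workstation1 eq 400
access-list outside permit tcp any host workstation1 eq 1400
static (inside,outside) tcp interface 400 workstation1 400 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1400 workstation1 1400 netmask 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
"""


def lint_pix_config(text):
    """Return a list of findings; an empty list means every check passed."""
    findings, acl, statics, nat = [], set(), [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := NAME_RE.match(line):
            if not any(ipaddress.ip_address(m.group(1)) in n for n in RFC1918):
                findings.append(f"name {m.group(2)} = {m.group(1)} is not RFC 1918 (typo?)")
        elif m := ACL_RE.match(line):
            acl.add((m.group(1), int(m.group(2))))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := NAT_RE.match(line):
            nat = m.group(1)
    for out_port, host, in_port, max_conns, emb in statics:
        if (host, int(in_port)) not in acl:
            findings.append(f"static for {host}:{in_port} has no matching outside access-list entry")
        if max_conns == "0" or emb == "0":  # 0 means unlimited on the PIX
            findings.append(f"static port {out_port} has unlimited conns/embryonic conns (DoS exposure)")
    if nat == "0.0.0.0":
        findings.append("nat (inside) 1 pool is 0.0.0.0 - narrow it to the inside subnet")
    return findings
```

Run `lint_pix_config(SAMPLE_CONFIG)` to see the four findings for the posted lines; the same function returns an empty list once the nat pool, the name typo and the static limits are corrected.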
 