
Cisco Pix515E Thoughts and problems!

Posted: Sun Jun 28, 2015 11:33 am
by Donnarien
A while back I ran across some OLD Cisco PIX 515Es.. and rather than making them a pretty "shelf" or throwing them in the "trashcan".. I went about using them.

Personally.. I have never fiddled around with Cisco HW before, so it's hard for me to say if something isn't working correctly in them, or if it's only me
not being able to configure them correctly.

My setup is: ADSL --> ROUTER --> PIX515E --> LAN inside!

Now... the problem is, I can't manage to open ANY ports INBOUND on the damn thing.
Internet works through PAT OUTBOUND.

I'm hoping it's only me not being able to "get it".
So.. question: does someone have a "good" configuration sample for what I want to accomplish?

Cisco masters, reveal yourselves!!!!



I did finally manage to solve the issue, and I am glad to say it was my "thinking" that was the problem, not the HW.
I was thinking about ports as "static", not dynamic, so.. yeah, duuh!

Re: Cisco Pix515E Thoughts and problems!

Posted: Tue Jun 30, 2015 1:32 pm
by Moldew
Can you share how you resolved your issue in case others in the future may have a similar problem/question?

Re: Cisco Pix515E Thoughts and problems!

Posted: Wed Jul 01, 2015 11:25 am
by Donnarien
Cisco and firewalls!
------------------------

What is Cisco? = https://sv.wikipedia.org/wiki/Cisco_Systems

The Pix series! = https://en.wikipedia.org/wiki/Cisco_PIX

http://media.cablesandkits.com/p/PIX-515E-R-BUNf.jpg

As I have said earlier.. I ran across some old Cisco firewalls and went about using them.
This is my story of success and pain with the PIX 515E.


After a lot of research, it became clear that these firewalls have their own special way of managing traffic.
With that, I don't mean from my own experience but what others (the internet) say about them.
And moreover.. the commands change between series and EVEN upgrades!
Anyhow.. at the same time (strangely?) there is a lot of love for these old FWs.


Can I use them for anything other than a bookshelf?
-------------------------------------------------------------
In MY opinion, yes.. there are a lot of good features in them and they still do a lot of the job for you.
With that said, of course.. these are old firewalls, and with the latest PIXOS/ASDM/ASA code.. you get the best possible protection (FOR YEAR 2009 - 2010).
So.. if you are thinking these will give you watertight protection with lightning-speed performance, you can stop reading here!


CONSOLE/PDM/ASDM.
---------------------------
The PIX is accessible through either the console (SSH, telnet, failover) or PDM (PIX Device Manager) or ASDM (Adaptive Security Device Manager) depending
on what CPU/memory and what PIXOS version you have.


The way the Pix goes!
---------------------------

"Sure.. I can open the door to let you out, but you can never come back without me knowing you.. so start talking"

The firewall uses different options to achieve this depending on what you want.
For example: there are STATIC or DYNAMIC NATs (Network Address Translation) or PAT (Port Address Translation) in co-operation with the ROUTES defined.
To make things harder, the device is a bit "sensitive" about its translation table (or xlate), so you have to use the "clear xlate" command frequently
when messing around with the static/dynamic NATs!
After you have achieved a stable (the right way) translation.. you also have to set ACLs (access lists) for your defined translations.


Factory settings!
--------------------
By default (after you have followed the setup wizard) you have ONE implicit rule (allowing anyone/anything from the inside to the outside).
This is done through a dynamic PAT.
Anything from the OUTSIDE is dropped at the gate by the "evil PIX guard". .-)
Now.. this "guard" won't let you pass with anything UNTIL you have the right/correct pass to do so.
The PIX does this by assigning the INSIDE INTERFACE the number '100', which means fully secure interface; the other
side of the PIX is regarded as the "least" secure and therefore gets number '0'.

This is where the battle starts..


To use Console and PDM.
-----------------------

To follow this "somewhat" guide, you may need to be a little familiar with console mode and PDM mode.
Information on these is spread all over the net, duckduckgo????
ASDM won't be covered.



Trial and error.
-------------------
For me, it was a long struggle, because of the "Cisco way" and how "I" wanted to do it.
But by not giving up, success came.
So.. here is the way "I" did it.


To open up for incoming traffic!
--------------------------------

Fast explanation:
-----------------

OBS: I will not bring up port forwarding, because it may differ somewhat from brand to brand.. and maybe you (who reads this)
don't even use one on the OUTSIDE INTERFACE of the PIX.
This is how "I" did it; there are other ways, and.. of course this assumes you already have STATIC assigned hosts on the INSIDE.

Firstly, I removed the default dynamic PAT made by the setup wizard and made sure no DHCP was used on inside/outside.
Then I made sure the outside and the inside interface had a STATIC IP.
On the outside static IP, I then used a dynamic PAT for ALL hosts outgoing (Internet access).
I then gave the inside interface/networks a STATIC ROUTE to the outside (for me, this was a router).
Then I made a new STATIC NAT for one inside host (server) to a new outside host (new outside server) and cleared the xlate table.
The next step was adding access in the ACCESS LIST (ACL) for the required ports (outbound TO inbound) on the new outside host (server).


Wow, that was fast, I didn't get any of it!!!!
-----------------------------------------------
Neither did I in the beginning, so take it easy.

OBS: The TCP port 10102 (outgoing) is already fixed because of the STATIC PAT and the implicit access rule, so in
this example configuration, we won't have anything to do with it.

For ex:

Let's say you have a host "192.168.100.101" that resides on the inside network "192.168.100.0" of the PIX.
We can imagine this is the vgoemu server, and therefore it needs the "minimum" UDP ports 10100, 10194-10300
to be open for incoming packets.
The outside interface got the STATIC IP 192.168.4.5!
As you already have a STATIC inside and outside address assigned, let us now give the inside hosts internet access.

In more detail, step by step..
Let's start with a clear table.. so from the start:

-------------------------------------------------------------------
In console mode:


nat (inside) 1 0.0.0.0 0.0.0.0 "followed by 'enter key'"

global (outside) 1 interface "followed by 'enter key'"

route outside 0.0.0.0 0.0.0.0 x.x.x.x "followed by 'enter key'"

clear xlate "followed by 'enter key'"
-------------------------------------------------------------------

Explanation for the above:

The first line gives ALL NETWORKS AND HOSTS on the INSIDE.. NAT to the OUTSIDE.
The next row tells the PIX that the OUTSIDE INTERFACE is GLOBAL (next subnet/router/internet etc) and is where it should listen for established connections.
The third row gives the INSIDE NETWORK/HOSTS a GATEWAY to the next hop (next subnet/router/internet etc).
The last row clears the xlate table.


To now open the ports we need for our vgoemu server, we firstly need to tell the PIX (firewall) what hosts/networks to translate to the outside.
This is the "PIX way" of doing INBOUND traffic.
The host NEEDS to be put on the outside as a STATIC IP (dynamic PAT only works for OUTGOING); that's just the way it is.

So.. as follows:
------------------------------------------------------------------------------

In console mode:

static (inside,outside) 192.168.4.6 192.168.100.101 "followed by 'enter key'"

clear xlate "followed by 'enter key'"
------------------------------------------------------------------------------
Explanation for the above:
--------------------------

This creates a static NAT translation and puts the 192.168.100.101 IP on the outside interface, TRANSLATED to 192.168.4.6 (in this example).
The last row clears the xlate table.


Now we can move on to ACL's and start having some traffic in!
-------------------------------------------------------------
Now.. to use our STATIC NAT table, we're gonna open up the needed ports in the ACL!
To do this I prefer the PDM (GUI way).. though.. you can of course go the console way.
To MY best understanding, the "console way" would look something like this.
You may have to switch the "order" of things to get it right, but to my knowledge, this "should" work, but don't take it for granted.
If you can't make it work the "console way", do it through the PDM; it gives you a better perspective of things.
-------------------------------------------------------------------------------------

In Console mode:

access-list open_ports_vgsoh1 permit udp host 192.168.100.101 eq 10100 any
access-list open_ports_vgsoh2 permit udp host 192.168.100.101 range 10194 10300 any
-------------------------------------------------------------------------------------
Explanation for the above:
--------------------------

The first row makes a PERMIT rule with the name "open_ports_vgsoh1"; UDP is the selected protocol, after that follows the INSIDE IP, then
the OUTSIDE (in this case: "ANY"), eq 10100 = equal selected port on the INSIDE, eq any = equal selected port on the OUTSIDE (in this case: "ANY").
The second row is the same as the first BUT with the difference of a selection of RANGED ports.

What I have learned (the hard way) is that you can't think of ports as END PORTS!

For ex:

If you are gonna connect to an FTP server somewhere on the internet with an FTP client, port 21 will/must be open on your computer
and on the server side.
BUT.. in between, this port number is translated into "something (some other port/port range)" along the way, and is then translated
back to port 21 at the server side.
So in short, think "translated port number" for INBOUND packets instead of end-port number.
This caused me headaches for many hours, but as they say: "You learn as long as you live!!!!"

So... there it is; with any luck someone might find this useful.

Extra information!
------------------

I have managed to get the PDM to work under Xorg (Linux).
If there is any interest in information about how to do this, let me know.
This goes for both PDM/ASDM.



END!
---
OBS: This story/guide or whatever you want to call it is how "I" did it.
Of course there are better ways.. and with this configuration there are security issues.
This is just meant as a "starter".
My advice is that you learn as much as you can about it to get where you want to be.

With best regards, Donnarien!
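The following is an added example, not configuration from the post above: it pulls the steps of the thread (outbound PAT, default route, one static translation, an ACL) into a single minimal PIX 6.x-style configuration for the post's scenario. The addresses 192.168.4.5, 192.168.4.6 and 192.168.100.101 are the post's example values; the next-hop 192.168.4.1, the interface masks and the inside interface address are assumed placeholders, and the security levels shown are the defaults the wizard assigns. Note the direction of the ACL: the post's access-list is written with the inside host as the source, whereas a packet arriving from the internet hits the outside interface with the translated address 192.168.4.6 as its destination, so the inbound ACL below matches on that and is bound to the outside interface with access-group. Lines beginning with ! are comments.

```cisco
! Added example (not from the original post). PIX 6.x syntax.
! Interfaces and security levels: inside is most trusted (100), outside least (0).
! Higher-to-lower traffic is allowed by default; lower-to-higher is denied
! until a translation AND an access list permit it.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.4.5 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0

! Outbound: every inside host is PAT'd to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Default route towards the ADSL router (192.168.4.1 is an assumed placeholder).
route outside 0.0.0.0 0.0.0.0 192.168.4.1

! Inbound, step 1: a one-to-one static translation for the server only.
! On its own this admits no traffic; it only fixes the outside address.
static (inside,outside) 192.168.4.6 192.168.100.101 netmask 255.255.255.255

! Inbound, step 2: permit only the server's UDP ports, with the translated
! (outside) address as the destination. Everything else from outside to
! inside is still dropped by the implicit deny at the end of the list.
access-list outside_in permit udp any host 192.168.4.6 eq 10100
access-list outside_in permit udp any host 192.168.4.6 range 10194 10300
access-group outside_in in interface outside

! Make the new translation active and verify it is in place.
clear xlate
show xlate
show access-list outside_in
```

Two points worth checking after pasting this in. First, the ACL above names the translated address because PIX 6.x through ASA 8.2 evaluate interface ACLs against the mapped (NAT'd) address; from ASA 8.3 onward the ACL must name the real inside address instead, which is one of the "commands change between versions" traps the post mentions. Second, the hit counters in `show access-list outside_in` tell you whether inbound packets are actually matching the permit lines, and anything that is not listed there is being dropped, which is the behaviour you want: the static translation exposes exactly one host, and the access list exposes exactly the ports on it.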