Chapter 15

370 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

5How do you enable the Mail Guard feature on the PIX?

A mail guard on

B enable mail guard

C fixup protocol mailguard

D fixup protocol smtp Answer: D

6Which of the following describes how the Mail Guard works on the PIX Firewall?

A It lets all mail in except for mail described by an access list.

B It restricts SMTP requests to seven commands.

C It revokes mail messages that contain attacks.

D It performs virus checks on each mail message.

Answer: B

7Which of the following statements about DNS Guard are true?

AIt is disabled by default.

BIt allows only a single DNS response for outgoing requests.

CIt monitors the DNS servers for suspicious activities.

DIt is enabled by default.

Answer: B, D

8Which of the following are PIX Firewall attack mitigation features?

A DNS Guard

B Floodgate Guard

C Mail Guard

D Webguard

Answer: A, C

9What command enables the PIX Firewall IDS feature?

Aids enable

Bip audit

Cip ids audit

Daudit ip ids Answer: B

374 Appendix A: Answers to the “Do I Know This Already?” Quizzes and Q&A Questions

ISAKMP (0): SA not acceptable!

ISAKMP (0): sending NOTIFY message 14 protocol 0 return status is IKMP_ERR_NO_RETRANS

crypto_isakmp_process_block: src 172.16.172.40, dest 172.16.172.34 ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

What could be the cause of this problem?

Answer: This is a common mistake. The crypto map has not been applied to the correct interface. To fix the problem, apply the crypto map to the correct interface using the following command:

crypto map mymap interface outside

3Bruce is having problems establishing a VPN session to the Seattle office. He gets the following debug results:

IPSEC(crypto_map_check): crypto map mymap 10 incomplete. No peer or

access-list specified. Packet discarded

What is causing this problem, and how would you help Bruce successfully establish a VPN tunnel to the Seattle office?

Answer: To fix this problem, examine the crypto map statements on both peers. A match address statement is missing from the HQ PIX crypto map.

The configuration should contain the following statement:

crypto map map-name map-number match address access-list-number

4The web administrator in Los Angeles needs to maintain the web servers in the DMZ from the internal network using terminal services (TCP Port 3389). Is the firewall in Los Angeles configured to allow this access? Explain your answer.

Answer: Yes. The web administrator is coming from the inside interface, which has a security level of 100, and is going to the DMZ interface, which has a security level of 70. Traffic traveling from a higher security level to a lower security level does not require a specific access list to be allowed.

5The web administrator in Los Angeles also needs to administer the web servers in Boston and Atlanta. Are the three firewalls configured to allow this access? Explain your answer.

Answer: No. Although the VPNs are configured between Los Angeles and the other two locations, and the sysopt connection permit ipsec line is in the configuration, the VPNs are only between each location's internal network segments. To connect to the web servers, you need to configure a VPN connection from the internal network in Los Angeles and the DMZ segments of Boston and Atlanta.

Appendix B 375

6The web server 172.16.1.13 needs to access an Oracle database server that sits on a segment connected to the internal network at 10.10.11.221. The web server initiates the connection on TCP port 1521 and retrieves inventory data. Can this connection be completed? Explain your answer.

Answer: No. Although an access list allows access between the web server and the database server on port 1521, there is no route to the 10.10.11.X network segment. Therefore, the traffic is routed to 192.168.1.254 instead of going to the database server on the internal network.

7The web server 172.16.1.13 needs to access an Oracle database server on the DMZ in Boston using the address 172.16.2.11. The web server initiates the connection on TCP port 1521 to retrieve financial data. Can this connection be completed? Explain your answer.

Answer: Yes. An access list is not required to allow the web server in Los Angeles outbound to Boston. An access list on the Boston firewall allows the inbound connection, and static translations are in place on both ends.

8 Is the configuration solution to Question 7 a good idea? Explain your answer.

Answer: No. With this configuration, the financial data would be transmitted across the Internet in the clear, not through an encrypted connection.

9The company has installed an FTP server on the DMZ segment in Los Angeles that customers can access to download updates. The FTP server's address is 172.16.1.9. Can all external users access this FTP server? Explain your answer.

Answer: No. An access list is configured to allow this access, but it only allows traffic to 192.168.1.9, which is an external address. No static translation is configured for this FTP server.

10The exchange server is installed on the DMZ segment in Los Angeles using the address 172.16.1.14. The firewall is configured to allow SMTP access for inbound mail and SSL access for users who want to connect using Outlook Web Access via an HTTPS connection. Will any users be able to receive their mail with this configuration? Explain your answer.

Answer: No. The access list allowing access to the mail server is using the name "Exchange." The access group "Exchange" is applied to the outside interface. Unfortunately, only one access group can be applied to an interface at a time, and the "Inbound" access group is already applied to that interface.

11What needs to be done in Los Angeles to allow access to the mail server?

Answer: Change the access list name from "Exchange" to "Inbound."

A P P E N D I X B

Case Study and Sample

Configuration

The DUKEM consulting firm is a medium-sized company with 700 employees. It has three offices across the continental U.S. Twenty percent of DUKEM’s employees are mobile or telecommute. Figure B-1 shows the current DUKEM network infrastructure.

Figure B-1 DUKEM Network Infrastructure

Task 1: Basic Configuration for the Cisco PIX Firewall 381

Table B-4 shows what IP addresses or network segments are to be translated (into the global addresses) as they pass through the firewall.

Table B-5 shows static IP address mapping for resources that are accessed from the outside (public) network. The static IP address is the address that is configured on the individual server, and the host IP address is the IP address that the PIX uses when answering for the server.

Example B-1 shows the individual configuration commands for all the items documented in Tables B-1 through B-5.

Example B-1 Firewall Configuration for the Reston Headquarters

nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 DMZ security80

interface ethernet0 100full interface ethernet1 100full interface ethernet2 100full

ip address inside 10.10.10.2 255.255.255.0 ip address outside 192.168.1.2 255.255.255.0 ip address outside 172.16.31.1 255.255.255.0

hostname HQ-PIX

nat (inside) 1 10.10.10.0 255.255.255.0

global (outside) 1 192.168.1.12-192.168.1.250 netmask 255.255.255.0 global (outside) 1 192.168.1.252 netmask 255.255.255.0

continues

384 Appendix B: Case Study and Sample Configuration

Table B-11 depicts what routes need to be configured on the PIX Firewall in the Houston office.

Table B-12 lists the global IP addresses or address ranges that are used in conjunction with NAT for translation purposes.

Table B-13 lists what addresses are dynamically translated on the PIX Firewall.

Example B-3 depicts the individual configuration commands for each of the items listed in Tables B-10 through B-13.

Example B-3 Firewall Configuration for the Houston Office

nameif ethernet0 outside security0 nameif ethernet1 inside security100

interface ethernet0 100full interface ethernet1 100full

ip address inside 10.30.10.1 255.255.255.0 ip address outside 192.168.3.2 255.255.255.0

hostname HOU_PIX

nat (inside) 1 10.30.10.0 255.255.255.0

global (outside) 1 192.168.3.12-192.168.3.250 netmask 255.255.255.0 global (outside) 1 192.168.3.252 netmask 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.3.1

Task 3: Configuring Authentication 385

Task 2: Configuring Access Rules on HQ

Step 1 To let users on the outside interface access the mail server on the DMZ interface, enter the following commands:

access-list acl_out permit tcp any host 192.168.1.4 eq smtp

access-group acl_out in interface outside

The access-group command binds the acl_out access list command statement group to the outside interface.

Step 2 To let users on the outside interface access the web server on the DMZ interface, use the following command:

access-list acl_out permit tcp any host 192.168.1.5 eq www

Step 3 To let users on the outside interface access the FTP server on the inside interface, use the following command:

access-list acl_out permit tcp any host 192.168.1.6 eq ftp

Step 4 Permit logging traffic to go to the logging server on the DMZ:

access-list acl_out permit tcp any host 192.168.1.8 eq 514

Example B-4 shows the access list configured on the HQ PIX.

Example B-4 Access List on the HQ PIX

access-list acl_out permit tcp any host 192.168.1.4 eq smtp access-list acl_out permit tcp any host 192.168.1.5 eq www access-list acl_out permit tcp any host 192.168.1.6 eq ftp access-list acl_out permit tcp any host 192.168.1.8 eq 514 access-group acl_out in interface outside

Task 3: Configuring Authentication

Step 1 Configure the TACACS+ server:

aaa-server TACACS+ (inside) host 10.10.10.7

Step 2 Configure AAA authentication for FTP access:

aaa authentication include ftp inside 0.0.0.0 0.0.0.0 TACACS+

Step 3 Configure AAA authentication for Telnet:

aaa authentication include telnet inside 0.0.0.0 0 0.0.0.0 TACACS+

Example B-5 shows the TACACS+ configuration.

Example B-5 TACACS+ Configuration

aaa-server TACACS+ (inside) host 10.10.10.7

aaa authentication include ftp inside 0.0.0.0 0.0.0.0 TACACS+

aaa authentication include telnet inside 0.0.0.0 0 0.0.0.0 TACACS+

Task 5: Configuring VPN 387

Step 5 Define a crypto map for both Houston and Minneapolis:

crypto map Dukem-Map 20 ipsec-isakmp crypto map Dukem-Map 20 match address 120

crypto map Dukem-Map 20 set peer 192.168.3.2 crypto map Dukem-Map 20 set transform-set myset

crypto map Dukem-Map 30 ipsec-isakmp crypto map Dukem-Map 30 match address 130

crypto map Dukem-Map 30 set peer 192.168.2.2 crypto map Dukem-Map 30 set transform-set myset

Step 6 Apply the crypto map to the outside interface:

crypto map Dukem-Map interface outside

Step 7 Specify that IPSec traffic is implicitly trusted (permitted):

sysopt connection permit-ipsec

Step 8 Configure a NAT 0 policy so that traffic between the offices is excluded from NAT:

access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0

access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0

nat 0 access-list VPN

Example B-6 shows the complete configuration for the HQ PIX.

Example B-6 HQ PIX Firewall Configuration

nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 DMZ security50

enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname HQ_PIX

fixup protocol ftp 21 fixup protocol http 80 fixup protocol h323 1720 fixup protocol rsh 514 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sip 5060 names

access-list dmz permit tcp any host 192.168.1.4 eq smtp access-list dmz permit tcp any host 192.168.1.5 eq www access-list dmz permit tcp any host 192.168.1.6 eq ftp access-list dmz permit tcp any host 192.168.1.8 eq 514 !--- Traffic to HOU-PIX:

access-list 120 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0 !--- Traffic to MN-PIX:

continues

Task 5: Configuring VPN 391

Example B-7 Houston PIX Firewall Configuration (Continued)

access-list 110 permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0 !--- Do not NAT traffic to Reston HQ:

access-list VPN permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0 pager lines 24

logging on

no logging timestamp no logging standby no logging console no logging monitor no logging buffered logging trap 6

no logging history logging facility 20 logging queue 512

interface ethernet0 100full interface ethernet1 100full mtu outside 1500

mtu inside 1500

ip address outside 192.168.3.2 255.255.255.0 ip address inside 10.30.10.1 255.255.255.0 ip audit info action alarm

ip audit attack action alarm no failover

failover timeout 0:00:00 failover poll 15

failover ip address outside 0.0.0.0 failover ip address inside 0.0.0.0 arp timeout 14400

global (outside) 1 192.168.3.12-192.168.3.250 netmask 255.255.255.0 global (outside) 1 192.168.3.252 netmask 255.255.255.0

nat (inside) 1 10.30.10.0 255.255.255.0 !--- Do not NAT traffic to Reston HQ: nat (inside) 0 access-list VPN

route outside 0.0.0.0 0.0.0.0 192.168.3.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius no snmp-server location

no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable

sysopt connection permit-ipsec no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac !--- Traffic to Reston HQ:

crypto map Dukem-Map 10 ipsec-isakmp

continues

392 Appendix B: Case Study and Sample Configuration

Example B-7 Houston PIX Firewall Configuration (Continued)

crypto map Dukem-Map 10 match address 110 crypto map Dukem-Map 10 set peer 192.168.1.2 crypto map Dukem-Map 10 set transform-set myset crypto map Dukem-Map interface outside

isakmp enable outside

isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 10 authentication pre-share isakmp policy 10 encryption des

isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 1000 telnet timeout 5

ssh timeout 5 terminal width 80

Cryptochecksum:b23cc9772a79ea76d711ea747f182a5f

Configuring the Minneapolis PIX Firewall, MN_PIX, for VPN Tunneling

Step 1 Configure an ISAKMP policy:

isakmp enable outside

isakmp policy 10 authentication pre-share isakmp policy 10 encryption des

isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 1000

Step 2 Configure a preshared key and associate it with the peer (Houston and Minneapolis):

crypto isakmp key sept1302 address 192.168.1.2

Step 3 Configure the supported IPSec transforms:

crypto ipsec transform-set myset esp-des esp-md5-hmac

Step 4 Create an access list:

access-list 110 permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0

Step 5 Define a crypto map for both Houston and Minneapolis:

crypto map Dukem-Map 20 ipsec-isakmp crypto map Dukem-Map 20 match address 110

crypto map Dukem-Map 20 set peer 192.168.1.2 crypto map Dukem-Map 20 set transform-set myset

Step 6 Apply the crypto map to the outside interface:

crypto map Dukem-Map interface outside

394 Appendix B: Case Study and Sample Configuration

Example B-8 Minneapolis PIX Firewall Configuration

failover ip address inside 0.0.0.0 arp timeout 14400

global (outside) 1 192.168.2.12-192.168.2.250 netmask 255.255.255.0 global (outside) 1 192.168.2.252 netmask 255.255.255.0

nat (inside) 1 10.20.10.0 255.255.255.0 !--- Do not NAT traffic to Reston HQ: nat (inside) 0 access-list VPN

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius no snmp-server location

no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable

sysopt connection permit-ipsec no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac !--- Traffic to Reston HQ:

crypto map Dukem-Map 10 ipsec-isakmp crypto map Dukem-Map 10 match address 110

crypto map Dukem-Map 10 set peer 192.168.1.2 crypto map Dukem-Map 10 set transform-set myset crypto map Dukem-Map interface outside

isakmp enable outside

isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 10 authentication pre-share isakmp policy 10 encryption des

isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 1000 telnet timeout 5

ssh timeout 5 terminal width 80

Cryptochecksum:d962d33d245ad89fb7c9b4f0db3c2dc0

Verifying and Troubleshooting

After you configure the PIX for VPN, the next step is to verify the configuration. The show, clear, and debug commands are used to verify and troubleshoot your configuration.

Task 6: Configuring Failover 395

show Commands

•show crypto ipsec sa—Displays the current status of the IPSec security associations. This is useful in determining if traffic is being encrypted.

•show crypto isakmp sa—Displays the current state of the IKE security associations.

debug Commands

If you have problems establishing any of the VPN tunnels, use the following commands for troubleshooting:

Step 1 If you are connected to the PIX via the console port, enable debugging on the console using this command:

logging console debugging

If you are connected to the PIX via Telnet, enable debugging using this command:

logging monitor debugging

Step 2 To view debug information related to the VPN configuration, use the following commands:

—debug crypto ipsec—Used to debug IPSec processing.

—debug crypto isakmp—Used to debug ISAKMP processing.

—debug crypto engine—Displays debug messages about crypto engines, which perform encryption and decryption.

Step 3 To clear security associations (SAs), use the following commands in the PIX’s configuration mode:

—clear [crypto] ipsec sa—Deletes the active IPSec security associations. The keyword crypto is optional.

—clear [crypto] isakmp sa—Deletes the active Internet Key Exchange (IKE) security associations. The keyword crypto is optional.

Task 6: Configuring Failover

Failover is configured on the PIX only at the Reston site.

Step 1 Make sure that failover is enabled:

failover on

Failover is enabled by default.

396 Appendix B: Case Study and Sample Configuration

Step 2 Configure failover ip address for all interfaces that have an IP address configured on them:

failover ip address inside 10.1.1.2 failover ip address outside 192.168.1.3 failover ip address dmz 172.16.31.2 failover ip address failover 1.1.1.2

Step 3 Check the status of your failover configuration:

show failover

Failover On

Cable status: Unknown

Reconnect timeout 0:00:00

Poll frequency 15 seconds

This host: primary - Active

Active time: 225 (sec)

Interface failover (1.1.1.1): Normal (Waiting)

Interface dmz (172.16.31.1): Normal (Waiting)

Interface outside (192.168.1.2): Normal (Waiting)

Interface inside (10.1.1.1): Normal (Waiting)

Other host: secondary - Standby

Active time: 0 (sec)

Interface failover (1.1.1.2: Unknown (Waiting)

Interface dmz (172.16.31.2): Unknown (Waiting)

Interface outside (192.168.1.3): Unknown (Waiting)

Interface inside (10.1.1.2): Unknown (Waiting)

Step 4 Enable stateful failover:

failover link failover

Step 5 Power on the secondary unit.