Configuring a Cisco PIX 515 Firewall


Marsh Posted on 17-03-2006 at 09:39:30

Hello,

I'm taking the liberty of posting here because I'm looking for help.

I recently took over a Cisco PIX 515E firewall, and I have to configure it to provide external access to a web server inside the network.

Here is its current configuration:
 

Quote:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
hostname CCLPIX
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.252 ccalproxy
name 192.168.1.40 ServeurMail
name 192.168.1.11 test
name 213.41.165.225 Superv_usine_distant
name 192.168.1.150 Superv_usine_local
name 192.168.1.248 Siaal
name 192.168.1.100 ServeurNT
name 192.168.1.159 Compta4
name 192.168.1.160 Compta2
name 192.168.1.27 Compta1
name 192.168.1.26 Compta3
object-group service Web tcp-udp
  port-object range 20 21
  port-object eq www
  port-object eq 443
  port-object eq domain
object-group service WebTCP tcp
  port-object eq www
  port-object eq ftp-data
  port-object eq domain
  port-object eq ftp
  port-object eq https
  port-object eq nntp
  port-object eq 8081
  port-object eq ssh
  port-object eq login
object-group service 8081 tcp
  port-object eq 8081
object-group service InTouch tcp
  port-object range 5413 5414
object-group service InTouch2 udp
  port-object range 135 135
  port-object range 5413 5413
  port-object range www www
object-group service Intouch3 tcp-udp
  port-object range 5413 5413
object-group service GED tcp
  port-object eq pcanywhere-data
object-group service GED-UDP udp
  port-object eq pcanywhere-status
object-group service Webadmin tcp
  port-object eq 1000
  port-object eq www
  port-object eq ssh
  port-object eq https
object-group service siaal tcp
  port-object eq pptp
object-group service MagnusUDP udp
  port-object eq isakmp
access-list out-entrant permit icmp any any echo-reply
access-list out-entrant permit udp any host 192.168.255.251 eq pcanywhere-status
access-list out-entrant permit tcp any host 192.168.255.251 eq pcanywhere-data
access-list out-entrant permit tcp any host Siaal
access-list out-entrant permit tcp any host 192.168.255.40 eq smtp
access-list out-entrant permit tcp any host 192.168.255.40 object-group Webadmin
access-list out-entrant permit tcp any host 192.168.255.40 eq https
access-list out-entrant permit tcp any host 192.168.1.249 object-group WebTCP
access-list out-entrant permit tcp any host 192.168.1.249 eq www
access-list out-entrant permit tcp any host 192.168.1.249 eq https
access-list out-entrant permit tcp any host 192.168.1.249 eq 8080
access-list out-entrant permit tcp any host 192.168.1.249 eq 8081
access-list out-sortant permit udp host 192.168.1.251 object-group GED-UDP any
access-list out-sortant permit tcp host 192.168.1.251 object-group GED any
access-list out-sortant permit tcp host Siaal any
access-list out-sortant permit tcp host ccalproxy any object-group WebTCP
access-list out-sortant permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list out-sortant permit udp any any eq domain
access-list out-sortant permit tcp host Superv_usine_local host Superv_usine_distant
access-list out-sortant permit tcp host 192.168.1.251 object-group GED any eq smtp
access-list out-sortant permit esp any any
access-list out-sortant permit udp any object-group MagnusUDP any object-group MagnusUDP
access-list out-sortant permit tcp host 192.168.1.250 any
access-list out-sortant permit udp host 192.168.1.250 any
access-list out-sortant permit tcp host ServeurMail any eq smtp
access-list out-sortant permit tcp host 192.168.1.249 any
access-list out-DMZ permit ip any any
access-list out-DMZ deny ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.252.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.252.0 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 192.168.255.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address DMZ 192.168.253.1 255.255.255.0
ip audit name IDS attack action alarm drop
ip audit name IDS1 info action alarm
ip audit interface outside IDS1
ip audit interface outside IDS
ip audit interface inside IDS1
ip audit interface inside IDS
ip audit interface DMZ IDS1
ip audit interface DMZ IDS
ip audit info action alarm
ip audit attack action alarm
ip local pool remote 192.168.252.1-192.168.252.50
pdm location ServeurMail 255.255.255.255 inside
pdm location 192.168.1.200 255.255.255.255 inside
pdm location ccalproxy 255.255.255.255 inside
pdm location 192.168.252.0 255.255.255.0 inside
pdm location test 255.255.255.255 inside
pdm location 192.168.1.250 255.255.255.255 inside
pdm location Superv_usine_local 255.255.255.255 inside
pdm location Superv_usine_distant 255.255.255.255 outside
pdm location 192.168.1.240 255.255.255.255 inside
pdm location 192.168.1.251 255.255.255.255 inside
pdm location Siaal 255.255.255.255 inside
pdm location ServeurNT 255.255.255.255 inside
pdm location Compta1 255.255.255.255 inside
pdm location Compta3 255.255.255.255 inside
pdm location Compta4 255.255.255.255 inside
pdm location Compta2 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.255.20
global (DMZ) 1 192.168.253.20
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 Compta3 255.255.255.255 0 0
nat (inside) 0 Compta1 255.255.255.255 0 0
nat (inside) 0 ServeurNT 255.255.255.255 0 0
nat (inside) 0 Compta4 255.255.255.255 0 0
nat (inside) 0 Compta2 255.255.255.255 0 0
nat (inside) 0 Siaal 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.249 www netmask 255.255.255.255 0 0
static (inside,outside) 192.168.255.251 192.168.1.251 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.255.40 ServeurMail netmask 255.255.255.255 0 0
access-group out-entrant in interface outside
access-group out-sortant in interface inside
access-group out-DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.255.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.252.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup FTMETZ address-pool remote
vpngroup FTMETZ idle-time 1800
vpngroup FTMETZ password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
management-access inside


 
The web server that must be reachable has the following IP address: 192.168.1.249.

This configuration is the one I found on the PIX.

Thanks in advance for any help you can give me.


Marsh Posted on 18-03-2006 at 20:49:52

First of all, access it through the PDM by typing https://adresse_ip_de_ton_pix/ from an authorized host (192.168.1.200, for example, according to your config); it should be much nicer :)


Marsh Posted on 24-04-2006 at 16:22:00

dreamer18 wrote:

First of all, access it through the PDM by typing https://adresse_ip_de_ton_pix/ from an authorized host (192.168.1.200, for example, according to your config); it should be much nicer :)



No kidding!!!  :D
All the more so since the PDM already tidies up your config a little along the way; it keeps you from making (overly) big blunders...


---------------
XBox? http://www.gamertagdatabase.com

Marsh Posted on 26-04-2006 at 17:21:56

Have a look at this for more info:
http://www.cisco.com/warp/public/707/28.html#acl

This part is right:
ip address outside 192.168.255.1 255.255.255.0
access-list out-entrant permit tcp any host 192.168.1.249 eq www  
static (inside,outside) tcp interface www 192.168.1.249 www netmask 255.255.255.255 0 0  
access-group out-entrant in interface outside
 
The elements in bold must be identical.

You're not far off; it should even work :d


Message edited by jolebarjo on 26-04-2006 at 17:24:11
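An added worked check, not code from anyone in this thread or from Cisco: the thread turns on whether the `access-list`, `static` and `access-group` lines for the web server agree with each other. On PIX 6.3 (and on ASA before 8.3) an ACL applied to the outside interface is evaluated against the translated (mapped) address, so an inbound rule written against the real inside address never matches traffic that the `static ... interface www` line redirects. The script below parses a constructed excerpt of the posted config, reports inbound rules aimed at a static's real address together with the corrected line (using the outside interface's own address from `ip address outside`), and flags two management-plane settings from the same config, the SSH rule open to any outside source and the well-known SNMP community, which a reviewer would want fixed before exposing the box further. Function and variable names are my own.

```python
"""Audit a PIX 6.3 config export (added example; the excerpt is constructed from the thread).
Inbound ACL entries must name the mapped (outside) address of a static translation,
because pre-8.3 PIX/ASA evaluate ACLs against translated addresses."""
import re

# Constructed excerpt of the config pasted in the thread (only the lines the audit needs).
SAMPLE_CONFIG = """\
ip address outside 192.168.255.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
name 192.168.1.40 ServeurMail
access-list out-entrant permit icmp any any echo-reply
access-list out-entrant permit tcp any host 192.168.255.40 eq smtp
access-list out-entrant permit tcp any host 192.168.1.249 eq www
access-list out-entrant permit tcp any host 192.168.1.249 eq https
static (inside,outside) tcp interface www 192.168.1.249 www netmask 255.255.255.255 0 0
static (inside,outside) 192.168.255.40 ServeurMail netmask 255.255.255.255 0 0
access-group out-entrant in interface outside
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
"""

def parse_config(text):
    """Return (names, interface_ips, statics, acls, bindings) for a PIX 6.3 config."""
    names, if_ips, static_lines, acls, bindings = {}, {}, [], {}, {}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name":                        # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:          # ip address <ifc> <ip> <mask>
            if_ips[t[2]] = t[3]
        elif t[0] == "static":
            static_lines.append(t)
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(raw)
        elif t[0] == "access-group":              # access-group <acl> in interface <ifc>
            bindings[t[4]] = t[1]
    # Resolve statics after the pass so name/interface lookups do not depend on line order.
    statics = [_parse_static(t, names, if_ips) for t in static_lines]
    return names, if_ips, statics, acls, bindings

def _parse_static(t, names, if_ips):
    """static (real_ifc,mapped_ifc) [tcp|udp] <mapped|interface> [port] <real> [port] ..."""
    _, mapped_ifc = t[1].strip("()").split(",")
    i, proto = 2, None
    if t[i] in ("tcp", "udp"):
        proto, i = t[i], i + 1
    mapped = t[i]
    if mapped == "interface":                     # PAT onto the mapped interface's own address
        mapped = if_ips.get(mapped_ifc, mapped)
    i += 1
    if proto:
        i += 1                                    # skip the mapped port
    return {"proto": proto, "mapped": mapped, "real": names.get(t[i], t[i])}

def _addr(t, i):
    """Consume one ACL address spec at t[i]; return (keyword, value, next index)."""
    if t[i] == "any":
        return "any", "any", i + 1
    if t[i] in ("host", "interface", "object-group"):
        return t[i], t[i + 1], i + 2
    return "net", t[i], i + 2                     # <addr> <mask>

def check_outside_acl(text):
    """Return (offending line, corrected line) for inbound rules aimed at a real address."""
    names, _, statics, acls, bindings = parse_config(text)
    real_to_mapped = {s["real"]: s["mapped"] for s in statics}
    findings = []
    for line in acls.get(bindings.get("outside", ""), []):
        t = line.split()
        if t[2] != "permit":
            continue
        _, _, i = _addr(t, 4)                     # source
        kind, dst, i = _addr(t, i)                # destination
        dst = names.get(dst, dst)
        if kind == "host" and dst in real_to_mapped:
            fixed = t[:i - 1] + [real_to_mapped[dst]] + t[i:]
            findings.append((line, " ".join(fixed)))
    return findings

def lint_management(text):
    """Flag management-plane lines an auditor would question."""
    issues = []
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["ssh"] and t[1:3] == ["0.0.0.0", "0.0.0.0"] and t[-1] == "outside":
            issues.append(("SSH management open to any source on outside", line))
        m = re.match(r"snmp-server community (\S+)$", line)
        if m and m.group(1).lower() in ("public", "private"):
            issues.append(("well-known SNMP community string", line))
    return issues

if __name__ == "__main__":
    for bad, good in check_outside_acl(SAMPLE_CONFIG):
        print(f"ACL names the real address:\n  {bad}\n  -> {good}")
    for why, line in lint_management(SAMPLE_CONFIG):
        print(f"{why}: {line}")
```

Run against the excerpt, the check reports both `host 192.168.1.249` rules and proposes `host 192.168.255.1` in their place; note that the `eq https` rule also has no matching `static` for port 443, so correcting its address alone is not enough to publish HTTPS. The parser covers the address forms used in this config (`any`, `host`, `interface`, `object-group`, `addr mask`) and does not handle source-port object groups, which appear only in the outbound ACL.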
