Thread: opening ports on 515e
View Single Post
Old 12-13-2007, 10:05 AM   #3 (permalink)
NoReason
HJT Trainee
 
NoReason's Avatar
 
Join Date: Nov 2004
Location: South Carolina
Posts: 514
OS: XP Home


Send a message via Yahoo to NoReason
Re: opening ports on 515e
Here's the nitty Gritty of it, with changes to the IP's...

______________________________________________________________

PIX Version 7.2(1)24
!
hostname myFW
domain-name mydomain.com
enable password XXXXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.255
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.19.3 255.255.255.0
!
interface Ethernet2
shutdown
nameif intf2
security-level 10
no ip address
!
passwd xxxxxxxxx encrypted
boot system flash:/pix721-24.bin
ftp mode passive
clock timezone est -5
dns server-group DefaultDNS
domain-name mydomain.com
same-security-traffic permit intra-interface
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host xxx.xxx.xxx.xxx eq https
access-list acl_out extended permit udp any host xxx.xxx.xxx.xxx eq 443
access-list acl_out extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list acl_out extended permit udp any host xxx.xxx.xxx.xxx eq www
access-list acl_out extended permit tcp any host xxx.xxx.xxx.xxx eq imap4
access-list acl_out extended permit udp any host xxx.xxx.xxx.xxx eq 143
access-list acl_out extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list acl_out extended permit udp any host xxx.xxx.xxx.xxx eq 25
access-list acl_out extended permit tcp any any eq 7800
access-list 100 remark access-list for nonat
access-list 100 extended permit ip 192.168.19.0 255.255.255.0 192.168.24.0 255.255.255.0
access-list 100 remark access-list entries for VPN client to not be NATED
access-list 100 extended permit ip 172.16.100.0 255.255.255.0 192.168.19.0 255.255.255.0
access-list 100 extended permit ip 192.168.19.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list 120 extended permit ip 192.168.24.0 255.255.255.0 192.168.19.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 1000000
logging monitor debugging
logging buffered debugging
logging trap debugging
logging host inside 192.168.19.40
no logging message 713906
no logging message 305012
no logging message 305011
no logging message 710005
no logging message 710003
no logging message 715075
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 715036
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip local pool dealer 172.16.100.1-172.16.100.254
icmp permit any outside
asdm image flash:/asdm-501.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.xxx 192.168.19.33 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx 192.168.19.39 netmask 255.255.255.255
access-group acl_out in interface outside
access-group test in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 172.16.100.0 255.255.255.0 192.168.19.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy password internal
group-policy password attributes
vpn-idle-timeout 30
group-policy default-domain internal
group-policy default-domain attributes
vpn-idle-timeout 30
group-policy 1company internal
group-policy 1company attributes
wins-server value 192.168.19.31
vpn-idle-timeout 30
group-policy remote internal
group-policy remote attributes
wins-server value 192.168.19.31
vpn-idle-timeout 30
group-policy company internal
group-policy company attributes
wins-server value 192.168.19.31
vpn-idle-timeout 30
username myusername password xxxxxxxxxxxxxxxx encrypted
url-server (inside) vendor smartfilter host 192.168.19.40 port 4005 timeout 30 protocol TCP connections 5
filter url except 192.168.19.73 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 192.168.0.0 255.255.0.0 0.0.0.0 0.0.0.0 longurl-truncate
http server enable
snmp-server host inside 192.168.19.49 poll community WOMROSTRING
snmp-server host inside 192.168.19.217 poll community umtyfrat78
snmp-server host inside 192.168.19.38 poll community umtyfrat78
no snmp-server location
no snmp-server contact
snmp-server community umtyfrat78
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto dynamic-map cisco 4 match address outside_cryptomap_dyn_30
crypto dynamic-map cisco 4 set transform-set 3des
crypto map partner-map 20 match address 120
crypto map partner-map 20 set peer xxx.xxx.xxx.xxx
crypto map partner-map 20 set transform-set 3des
crypto map partner-map 65535 ipsec-isakmp dynamic cisco
crypto map partner-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
tunnel-group DefaultRAGroup general-attributes
address-pool (outside) dealer
authentication-server-group (outside) LOCAL
tunnel-group default-domain type ipsec-ra
tunnel-group default-domain general-attributes
authentication-server-group (outside) LOCAL
default-group-policy default-domain
tunnel-group password type ipsec-ra
tunnel-group password general-attributes
authentication-server-group (outside) LOCAL
default-group-policy password
tunnel-group remote type ipsec-ra
tunnel-group remote general-attributes
address-pool dealer
authentication-server-group (outside) LOCAL
default-group-policy remote
tunnel-group remote ipsec-attributes
pre-shared-key X
tunnel-group company type ipsec-ra
tunnel-group company general-attributes
address-pool dealer
authentication-server-group (outside) LOCAL
default-group-policy company
tunnel-group company ipsec-attributes
pre-shared-key X
tunnel-group 1company type ipsec-ra
tunnel-group 1company general-attributes
address-pool dealer
authentication-server-group (outside) LOCAL
default-group-policy 1company
tunnel-group 1company ipsec-attributes
pre-shared-key X
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key X
telnet 192.168.19.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 1
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
url-block block 40
ntp server 192.5.41.40 source outside prefer
ntp server 18.26.4.105 source outside
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
__________________
"Four freedoms: The first is freedom of speech and expression - everywhere in the world. The second is freedom of everyone to worship God in his own way, everywhere in the world. The third is freedom from want . . . everywhere in the world. The fourth is freedom from fear . . . anywhere in the world."
--Franklin D. Roosevelt U.S. President
NoReason is offline   Reply With Quote