Book Excerpt: Cisco Secure Internet Security Solutions - part 4 - Page 3
You add a new interface, name it public, and assign a security level of 50 with the following line:

nameif ethernet2 public security 50

Because the security level of this interface is less than the inside and greater than the outside, some default behaviors come into play. By default, packets from the outside interface are not allowed into this network, because they would be moving from a lower security level to a higher one; such traffic needs an explicit conduit or access-list entry. Packets from the inside are, by default, allowed into this network, because they move from a higher security level to a lower one. The same rule applies in the other direction: hosts on the public network can reach the outside by default, but cannot reach the inside unless you explicitly permit it.
You also changed the speeds for all of the interfaces. You are now using the keyword auto with the interface command. This lets each interface negotiate the speed and duplex setting that is most appropriate for the equipment to which it is connected. You added an IP address for the new network card and a subnet mask for the network.
Several fixup commands were entered. Some fixup commands appear in the configuration by default; others are added as needed. The fixup protocol commands enable, disable, or change the ports on which the PIX Firewall applies application inspection for a service or protocol. The PIX watches the ports specified for each service, and adding a fixup protocol command for a non-default port causes the Adaptive Security Algorithm (ASA) to apply that service's inspection on that port as well. The following fixup protocol commands are enabled by default:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521

You added the following lines regarding the HTTP protocol:
fixup protocol http 10120
fixup protocol http 10121
fixup protocol http 10122
fixup protocol http 10123
fixup protocol http 10124
fixup protocol http 10125

These lines accomplish a very specific task. HTTP traffic seen by the PIX can now arrive on any of the previously listed ports and still be recognized and inspected as HTTP. Before these lines were entered, a connection to one of these ports looked like HTTP to the Web server but not to the PIX: because the destination port was set to something other than the default of 80, the PIX treated it as ordinary TCP traffic, and the connection was denied. For example, if an outside user tried to connect to the Web server with the following URL, the user would be denied:

http://www.ourcompany.com:10121

The reason for the denial is that the :10121 at the end of the URL specifies that the connection should be made on port 10121, rather than on the default port of 80. The Web developers have specific reasons for wanting to allow users to connect to these ports. The configuration allows the users to connect with these ports, and you still maintain the same safeguards regarding HTTP traffic that apply to port 80. Keep in mind that fixup protocol governs inspection, not permission: whatever conduit or access-list entries permit inbound connections to the Web server must also cover these ports, or the connections are still refused.
Similarly, the developers have specific reasons for wanting to change the defaults. The developers decided that users requiring FTP access should be able to gain access through the default port of 21 or ports 10126 and 10127. You have no idea why they want to do this, nor do you really care. What you care about is that you can have the PIX treat these ports as FTP traffic, and only as FTP traffic, without compromising the network security. This matters more for FTP than for HTTP, because the FTP fixup also watches the PORT and PASV exchanges on the control connection and permits the matching data connection dynamically; without it, FTP on a non-standard port would not work through the PIX unless the data ports were opened by hand. To accomplish this, you add the following lines:

fixup protocol ftp 21
fixup protocol ftp 10126
fixup protocol ftp 10127

It should be noted that the fixup protocol command is global in nature. For example, when you told the PIX that port 10121 was part of the HTTP protocol, this applied to all interfaces. You cannot selectively cause port 10121 to be regarded as HTTP traffic on one interface, but not on another interface.
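The following is an added example, not code from the book or from Cisco: a small Python model of the fixup table that the fixup protocol and no fixup protocol lines above build up. It assumes only what the excerpt states (the default fixups and the added HTTP and FTP ports); the sample configuration lines are constructed from the ones quoted on the page. It is useful in review for two checks the excerpt implies but does not spell out: whether a given URL's port is one the HTTP fixup inspects, and whether any port has been bound to more than one engine, which is a mistake precisely because the command is global rather than per interface.

```python
"""Model of the PIX 'fixup protocol' table.

Added illustration, not Cisco code. It tracks only which destination ports
each inspection engine is bound to, which is what 'fixup protocol' changes.
Whether traffic is permitted at all is still decided by conduit/access-list
entries, which this model deliberately does not cover.
"""
from urllib.parse import urlsplit

# Defaults as listed on the page (protocol -> ports).
DEFAULT_FIXUPS = {
    "ftp": {21}, "http": {80}, "smtp": {25},
    "h323": {1720}, "rsh": {514}, "sqlnet": {1521},
}


def apply_config(lines, table=None):
    """Apply 'fixup protocol <proto> <port>' and 'no fixup protocol <proto>
    <port>' lines to a copy of the table. Other commands are ignored.
    The table is global, i.e. not per interface, exactly like the command."""
    table = {p: set(ports) for p, ports in (table or DEFAULT_FIXUPS).items()}
    for raw in lines:
        words = raw.split()
        if words[:2] == ["fixup", "protocol"] and len(words) == 4:
            table.setdefault(words[2], set()).add(int(words[3]))
        elif words[:3] == ["no", "fixup", "protocol"] and len(words) == 5:
            table.get(words[3], set()).discard(int(words[4]))
    return table


def engine_for_port(table, port):
    """Inspection engine(s) bound to a destination port (normally 0 or 1)."""
    return sorted(p for p, ports in table.items() if port in ports)


def port_conflicts(table):
    """Ports bound to more than one engine. Because the fixup is global,
    a conflict here affects every interface at once."""
    seen = {}
    for proto, ports in table.items():
        for port in ports:
            seen.setdefault(port, []).append(proto)
    return {port: sorted(p) for port, p in seen.items() if len(p) > 1}


def url_is_http_inspected(table, url):
    """The page's example: does a URL's port receive HTTP inspection?"""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return "http" in engine_for_port(table, port)


# Constructed sample built from the configuration lines quoted on the page.
SAMPLE_CONFIG = """
nameif ethernet2 public security 50
fixup protocol http 10120
fixup protocol http 10121
fixup protocol http 10122
fixup protocol http 10123
fixup protocol http 10124
fixup protocol http 10125
fixup protocol ftp 21
fixup protocol ftp 10126
fixup protocol ftp 10127
""".strip().splitlines()

if __name__ == "__main__":
    table = apply_config(SAMPLE_CONFIG)
    print("HTTP ports:", sorted(table["http"]))
    print("Inspected as HTTP:",
          url_is_http_inspected(table, "http://www.ourcompany.com:10121"))
    print("Conflicts:", port_conflicts(table))
```

Running the script against the defaults alone reports the :10121 URL as not inspected; with the sample configuration applied it is. Feeding a line such as fixup protocol ftp 10121 on top of the sample produces a conflict entry for port 10121, which is the kind of error a per-interface mental model would miss.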
There might be times when it is necessary to disable one of the default fixup protocol commands. For example, if your company develops e-mail software and the PIX is used to separate the test network from the corporate network, you might want to allow more commands than HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT to travel through the PIX. In this case, using the no form of the fixup protocol command disables the feature. Bear in mind that this removes the SMTP command filtering for every interface, so the mail servers behind the PIX are then exposed to the full SMTP command set. An example of removing the Mailguard feature is as follows:
no fixup protocol smtp 25
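As an added example (not the book's text and not Cisco's implementation), the following Python models what the Mailguard feature enforces on the client side of an SMTP session: only the seven commands the excerpt lists (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) are passed; everything else is held back. The sample session is constructed for the example. The exact replies the real PIX sends for a rejected command, and its masking of the server banner, are not modelled; the point is to show which commands a test network loses while the fixup is on, and that turning it off (no fixup protocol smtp 25) forwards everything unchanged.

```python
"""Model of the Mailguard command filter (fixup protocol smtp 25).

Added illustration, not Cisco code. Reproduces only the command whitelist
the page lists; the PIX's reply text and banner handling are not modelled.
"""

# The commands the page says Mailguard lets through.
MAILGUARD_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def filter_smtp_session(client_lines, mailguard_enabled=True):
    """Split one client-to-server SMTP command stream into the lines that are
    forwarded and the lines that are rejected.

    With mailguard_enabled=False (the effect of 'no fixup protocol smtp 25')
    every line is forwarded untouched. While a message body is in progress
    (after DATA, up to the lone '.'), lines are data, not commands, so a body
    line that happens to start with a command word is not filtered.
    """
    forwarded, rejected = [], []
    in_data = False
    for line in client_lines:
        if in_data:
            forwarded.append(line)
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if mailguard_enabled and verb not in MAILGUARD_COMMANDS:
            rejected.append(line)      # e.g. EHLO, VRFY, EXPN, HELP
            continue
        forwarded.append(line)
        if verb == "DATA":
            in_data = True
    return forwarded, rejected


# Constructed sample session: an ESMTP client that probes with EHLO and VRFY
# before falling back to plain SMTP.
SAMPLE_SESSION = [
    "EHLO mail.example.com",
    "VRFY postmaster",
    "HELO mail.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "Subject: test",
    "",
    "VRFY not a command here, just body text",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    fwd, rej = filter_smtp_session(SAMPLE_SESSION)
    print("Rejected with Mailguard on:", rej)
    fwd, rej = filter_smtp_session(SAMPLE_SESSION, mailguard_enabled=False)
    print("Rejected with Mailguard off:", rej)
```

With Mailguard on, the EHLO and VRFY lines are the ones held back, which is why an ESMTP client behind a PIX with the SMTP fixup enabled ends up speaking plain HELO; with it off, the whole session, including VRFY, reaches the mail server under test.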