Pasal Firewall Lagik

[mds 0]

salam untuk sume...

aku budak baru kat sini..sori ar klu kuar topik firewall ni lagik..

act nak mintak tolong pasal firewall tuh..

sebenarnye aku tau config..tapi bile dah buat tak jadi plak..

klu bleh ajar la aku melalui example config..

sbb aku dah ikut command kat cisco nye website..tak jadi2 gak..

basically..

network diagram aku camnie..

router(yg tmnet punye..) nak sambung ke firewall cisco(pix506e) tu...firewall sambung kat switch..switch nie distribut kat sume pc..camtu je..klu bleh..tolong la aku..

klu bleh mail [email protected] bbyk mende aku nak tanye..

smoga bleh blaja dari korang

[crypto.md5 1]

Hi, welcome tu putera.com

Public ip ko static ke dynamic?

Kalau static, katakan public ip ko 200.200.200.200 mask 255.255.255.252

ikut step ni,

firewall(config)#ip address outside 200.200.200.201 255.255.255.252
firewall(config)#ip address inside 192.168.1.1 255.255.255.0
firewall(config)#route outside 0.0.0.0 0.0.0.0 200.200.200.200 1
firewall(config)#nat (inside) 10 0.0.0.0 0.0.0.0 0 0
firewall(config)#global (outside) 10 interface

_________________________________________________________ Kalau dynamic ip? Katakan router ko ip 10.1.1.1 (dhcp enable)

firewall(config)#ip address outside dhcp setroute

!kalau dhcp tak enable?

firewall(config)#ip address outside 10.1.1.2 255.0.0.0

!

firewall(config)#ip address inside 192.168.1.1 255.255.255.0
firewall(config)#route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
firewall(config)#nat (inside) 10 0.0.0.0 0.0.0.0 0 0
firewall(config)#global (outside) 10 interface

step ini adalah untuk basic connectivity supaya pc2 dibelakang firewall dapat access internet

[mds 0]

wah..

jap..sblom aku wat ape yg ko bitau tu..

wat masa skang nie, firewall aku tu attach kat switch..switch tu plak attach direct ke router..sbb tanak kaco lan yg ade intenet dulu..bleh ke wat camtu?

kire nye outside aku ke faE router tu ar..

bleh ke?

[crypto.md5 1]

Yes boleh, kalau ko ragu2, ko boleh test begini

router/modem---->switch---->outside interface PIX

inside interface PIX---->switch---->pc ko..

yg penting outside interface pix IP mesti sama subnet ngan modem/router tu.

[mds 0]

k..sori ar klu nyusah kan ko..

aku suspect ouside nye port rosak..

camne nak check ar?

aku just set ip untuk outside..

outside tu attach kat switch..pc aku pon attach kat switch..

pc ngan outside nye ip aku dah wat same network..

bile aku ping outside nye ip gune hyper terminal(console tu) bleh..

aku try ping pc nye ip..takleh

led kat switch ngan firewall tu nyala..sh inteface pon sume up

aku ping outside nye ip dari pc..takleh..

or cara aku salah..

suggest cara len..

[crypto.md5 1]

paste sini output untuk

firewall(config)#write terminal

senang aku nak tolong

[mds 0]

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

access-list acl_out permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 192.168.1.2 255.255.255.0

ip address inside 202.185.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

[OK]

ni..sbb aku asik write erase je..pastu config balik..

yg faEthernet router aku 192.168.1.1/18,kat outside /24..still dalam network kan

harap dapat tlg aku..

[crypto.md5 1]

Untuk testing, network ko sepatutnya seperti di atas

Cuba tukar ip address 202.185.1.1 tu jadi 10.0.0.1 , macam public ip jer

outside tu attach kat switch..pc aku pon attach kat switch..

yang ni aku kurang paham, adakah pc ko ialah PC 1 di atas? dan ping outside firewall 192.168.1.2? ko ping outside firewall memang boleh, tapi ko tak dapat ping 'pc engkau' 10.0.0.2 tu. satu lagi, PC yg dibelakang firewall gateway mesti point ke PIX inside ip, 10.0.0.1. Cuba check gateway kat pc ko dulu & tukar inside ip ke 10.0.0.1 . Cuba ping router 192.168.1.1

let me know the result

Edited April 24, 2007 by crypto.md5

[mds 0]

aku dah wat cam ko suruh

ni write terminal nye output..yg ni je cukup kan?

ip address outside 192.168.1.2 255.255.0.0

ip address inside 10.0.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

act inside nye port aku pasang direct ke pc aku gune cross cable..aku dah set sume ip ngan gateway yg 10..../24..ping sume bleh,gateway pc aku=pix inside nye ip

outside (192.168.1.2) nye port tu aku sambung kat switch..pastu,aku ping outside nye ip dari pc 1(dalam gambarajah ko tu)..time out..

so.. ko agak2

[mds 0]

lagik satu..

mengikut diagram ko..

spatut nye pc1 bleh ping pix outside nye ip kan?

walaupon inside tak sambung ape2..

kan..

ke tak..uhuh

[crypto.md5 1]

Berapa kali ko dah write erase? kehkehkeh, aku tau ko dah pening (member ko bagitau aku ). Untuk establish basic connectivity memang ni jerrlah commandnya my prenn..

act inside nye port aku pasang direct ke pc aku gune cross cable..aku dah set sume ip ngan gateway yg 10..../24..ping sume bleh,gateway pc aku=pix inside nye ip

tak pakai switch? patutla..rekomen guna switch dari pix inside interface, sebab model ni tak macam PIX501 yg ada built in switch. Cuba pakai switch kejap, bukan apa, aku pernah try guna cross cable, langsung pc aku tak dapat communicate dengan router kat luar. Ko pakai cable yg disupply warna oren tu kan?

P/S: rileksss

[mds 0]

kene switch gak ke..

adeh..mana nak carik lagik..kene tanye member aku tu ar

act..die bos aku..hoho..

tapi kan,yg cross tu bukan cable yg die bg..aku wat sindri..huhu..

konpem ar cable tu elok..

tapi,bile aku gune direct cross tu..aku ping inside sume ok..

takpe..aku try carik switch...

k..nnt aku reply balik..

tunggu..heh..

thanks utk sume info

[crypto.md5 1]

oooo, ok arr tuh, bos ngan pekerja berkawan baik

pix inside memang ok, tapi traffic nak keluar tu masalahnya. router pun cisco router gak ker..

[mds 0]

haaa br0..

dah dapat switch dah..ni baek nye,bos aku cilok kat lab mana ntah...

ni tgh wat kajian ni..

router bukan cisco nye...billion..yg tmnet bg..

kene configure pape tak kat router tu?..

aku sebenarnye student lagik...baru praktikal ni..masih mentah

hoho..

aku bg network diagram kat sini secara taip (nak lukis lambat sket)..

router(brand billion yg tmnet nye) LAN = 192.168.1.1/18

router --> swith --> pc camtu la

sume pc dalam sini direct terus g router tu ar..gateway pc 192.168.1.1 gune subnet /18

buat masa nie aku nak bubuh firewall cam diagram ko tu..sbb nak maen2 menatang pix ni dulu..

patut kah aku bubuh ip pix outside 192.168.1.2/18....?

yg inside aku buat yg 10....cam yg diagram ko tu..

[mds 0]

lagik satu..

aku suspect port outside rosak...suspek je..hehe

camne kite nak tau ar?aku dah wat cam diagram ko sume tu..tapi takleh gak..

pokemon tol..

pastu..camne klu aku nak konpom yg port tu elok?

klu aku sambung port pix outside tu kat switch..pastu satu pc sambung kat switch yg sama..

klu try ping ip pix outside tu dari pc leh ark?

bleh ke ar?aku just set ip pix outside je jkat firewall tu..

[crypto.md5 1]

Cepatnya dapat switch, ehehe, ok, bagaimana? ok tak pc 10.0.0.2 tu? sepatutnya boleh access internet dah tu..

naper tak guna je subnet simple 192.168.1.0/24

Ok, gini, kalau masih tak dapat access internet gak, kat modem/router tu on DHCP

jadi kat firewall ko config begini

firewall(config)#ip address outside dhcp setroute

Biar firewall tu received ip automatically dari dhcp modem/router tu

dalam process tu, ko akan tengok dot dot dot.. .... ko tunggu jer sampai pix tu dapat ip

ooo yer, bagi output untuk

firewall(config)#show interface

klu aku sambung port pix outside tu kat switch..pastu satu pc sambung kat switch yg sama..

klu try ping ip pix outside tu dari pc leh ark?

By default, pix outside interface memang dapat ping, takpe, bagi aku output interface

bleh ke ar?aku just set ip pix outside je jkat firewall tu..

Apa? just set outside jer and inside tak config apa2? hoho.. cannot boy cannot.. buat semuanya

Edited April 24, 2007 by crypto.md5

[mds 0]

pasal dhcp nak enable tu aku takleh wat skg..

act tempat keje aku ni kolej..

byk pc yg tgh layan tenet ni..

kang kaco sume..

maybe aku try ari ahad ni...

wat masa nie aku bergantung kat ko je ar..

bos aku kata,outsource luar mau dekat ribu2 kena..

huh..

tapi nak blaja gak ngan ko mende laen..nnt aku tanye lagik erk..

yg firewall aku tunggu ahad..

k..nnt aku post lagik..hoho

[crypto.md5 1]

Memang kalau implement PIX ni RM beribu lebih, troubleshooting jer kekadang mencecah 4 angka, ehehe, kes ko ni troubleshooting dah tu sbb dengan beberapa step tu, pc ko memang boleh access ke internet dibelakang firewall..

Jadi, sementara ko masih practical ni, gunalah peluang yg ada, sambil tu mintak2 bos ko belanja minum

[mds 0]

bro...

sori ar..aku dah balik keje..

kat opis je la bleh men tenet..kat umah dah tak mampu..

tapi kan..

aku tak puas ati tol ngan firewall ni..

takkan la susah sangat nak config..

klu dah tak terer tu nak wat camne erk..

sbb biasanya aku maen2 pon ngan router cisco je..itupon sbb ccna nye course..tapi tak terer pon..hoho

firewall ni la 1st time..

ko keje ngan cisco ke br0..gempak je..

sori ar..bru lagik kat sini..femes gak ko kat sini erk..

[crypto.md5 1]

Sekadar nak bagi pass outbound traffic (traffic keluar) simple saja, seperti step yg aku dah tunjuk

1) Assign IP Address Kat Outside & Inside Interface

2) Route IP Address Outside ke router

3) NAT semua PC2 kat Inside Interface

Itu saja untuk outbound, untuk Inbound traffic ni yang banyak sikit tapi tu jangan difikirkan dulu. Apa yang aku dapat tahu dari Bos ko, PIX yang ko pegang sekarang ni, dulu beroperasi normal, tidak ada problem, lepas Modem/Router tu Ditukar, tu yg problem dia timbul kan?

Apa yg aku nak ko buat sekarang, ko set Outside Interface tu pegi DHCP

P/S: aku low profile, kuli jer

[mds 0]

tu la..

sekadar nak bagi pass outbound traffic (traffic keluar) simple saja, seperti step yg ko dah tunjuk..

tu la..

aku pon heran..

sbb byk gak aku usha exmple config dari cisco...dah dekat 2 minggu aku try..tak jadik2 gak..

tinggal yg dhcp tu je la erk..

aku klu bleh nak try skg gak..nak setel cepat2 mende ni..maklum ar. .praktikal,nnt lecturer aku datang..aku kene present..

aku tade wat mende laen selaen support it kat sini ngan firewall ni je..

kang firewall ni tak jadik..ape aku nak bohong kat lect aku..huhu..

nasib baek ko ade..wahaha..thanks bro..

klu ko nak tau..d line aku config ni dah lepas..

pastu..bos aku kenal ko..die suruh try lagik..

huhu..outsource mahal..hoho

lagi pon..bleh aku blaja mende ni..

thanks lagik skali bro

[mds 0]

aku lagik..

brO..

aku geram ngan port outside nie..

camni..bleh tak aku just configure ip pix outside je..

pastu aku sambung kat switch ni..

switch yg sama..aku sambung satu pc..

pastu..aku try ping dari pc ke ip pix outside..

tapi time out..

keadaan skg nie..

pc --> switch <--- pix outside(aku tak configure untk inside/pix inside aku tak sambung pape pon)

masa aku buat utk inside bleh je...buat kat outside takleh..

pixfirewall(config)# sh in e0

interface ethernet0 "outside" is up, line protocol is up

Hardware is i82559 ethernet, address is 000f.f79f.ab4e

IP address 192.168.1.2, subnet mask 255.255.255.0

MTU 1500 bytes, BW 100000 Kbit full duplex

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

46 packets output, 2760 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/0)

output queue (curr/max blocks): hardware (0/1) software (0/1)

pstu..kat switch, port yg sambung kat ke outside..led die kelip2..cam bz..

ko agak2?

ke...

[crypto.md5 1]

cun pulak output , hmmm

kena configure 2 interface sekali,

try

firewall(config)#icmp permit any outside

Makan dulu

[mds 0]

aku dah try code yg ko bg tu..

tak bleh gak..ntah2 firewall ni hardware prob

ko cuba tgk step aku..

1. int e1 100full/int e0 100full

2. int outside 192.168.1.2 255.255.255.0

int inside 10.1.1.1 255.255.255.0

3. nat (inside) 10 0.0.0.0 0.0.0.0 0 0 //yg ni aku folo ko nye

global (outside) 10 interface

4. route outside 0 0 192.168.1.1

5. icmp permit any outside

6. ade tambah yg access-list,aku ikut folo dari cisco nye wsite

ok ark?

pastu setel ark?ade pape lagik kene tambah..

pastu selalu ar aku wat ble tak jadik...command ni "write erase...reload"..heh

PIX Version 6.3(5)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list acl_out permit icmp any any echo-reply

access-list acl_out permit icmp any any time-exceeded

access-list acl_out permit icmp any any unreachable

pager lines 24

icmp permit any outside

mtu outside 1500

mtu inside 1500

ip address outside 192.168.1.2 255.255.255.0

ip address inside 10.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

[crypto.md5 1]

kejap, modem/router tu transmission mode dia full100 gak ker? bukan auto?

kalau auto, pix outside pun mesti auto,

firewall(config)#interface ethernet0 auto

tak payah write erase, tukar satu command tu jer,yg lain cun dah tu Tapi, tak patut jugak sebab interface outside takde collision, anyway, just give a try, dan ko dah cuba ke tak dhcp kat outside

firewall(config)#ip address outside dhcp setroute

Edited April 25, 2007 by crypto.md5