Configuring Access Rules on HQ

After configuring the basic PIX Firewall parameters, you must create the access rules for the
PIX Firewall at the Reston site (HQ-PIX). The access rules are necessary to enable the remote
sites to connect to the Reston location while limiting access from unauthorized locations.
The following steps define the access rules needed on HQ-PIX:
Step 1 To allow users on the outside interface access to the mail server on the
demilitarized zone (DMZ) interface, enter the following commands:
access-list acl-out permit tcp any host 192.168.1.4 eq smtp
access-group acl-out in interface outside
The access-group command binds the acl-out access list to the outside interface; the
in keyword applies it to traffic entering that interface. Because an access list ends with
an implicit deny, only the services explicitly permitted in acl-out are reachable from
the outside.
Step 2 To allow users on the outside interface to access the web server on the
DMZ interface, use the following command:
access-list acl-out permit tcp any host 192.168.1.5 eq www
Step 3 To allow users on the outside interface to access the File Transfer
Protocol (FTP) server on the DMZ interface, use the following
command:
access-list acl-out permit tcp any host 192.168.1.6 eq ftp
Example 20-4 shows the access list configured on the HQ PIX.
Example 20-3 Firewall Configuration for the Houston Office
interface Ethernet 0
nameif outside
security-level 0
ip address 192.168.3.2 255.255.255.0
speed 100
duplex full
interface Ethernet 1
nameif inside
security-level 100
ip address 10.30.10.1 255.255.255.0
speed 100
duplex full
hostname HOU-PIX
nat (inside) 1 10.30.10.0 255.255.255.0
global (outside) 1 192.168.3.12-192.168.3.250 netmask 255.255.255.0
global (outside) 1 192.168.3.252 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.3.1
Task 3: Configuring Authentication
Incoming FTP connections to HQ-PIX are authenticated using the Terminal Access
Controller Access Control System Plus (TACACS+) server located on the internal network.
To use a TACACS+ server for authentication, you must first identify the IP address of the
TACACS+ server and then indicate which connections will use the TACACS+ server. This
configuration requires the following two steps:
Step 1 Configure the TACACS+ server:
aaa-server TACACS+ (inside) host 10.10.10.7 tacpass
Step 2 Configure authentication, authorization, and accounting (AAA)
authentication for FTP access:
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 TACACS+
Example 20-5 shows the TACACS+ configuration.
Task 4: Configuring Logging
To help protect your network, it is important to log the events that are happening on it.
This log information provides valuable insight into what is happening on the network,
especially when the network is being attacked or probed. The following steps outline the
commands necessary to enable logging at the three locations:
Step 1 Enable logging on HQ-PIX to the logging server:
logging on
logging trap informational
logging host DMZ 172.16.31.7
Step 2 Enable logging on HOU-PIX:
logging on
logging trap informational
logging host outside 172.16.31.7
Example 20-4 Access List on the HQ PIX
access-list acl-out permit tcp any host 192.168.1.4 eq smtp
access-list acl-out permit tcp any host 192.168.1.5 eq www
access-list acl-out permit tcp any host 192.168.1.6 eq ftp
access-list acl-out permit udp any host 192.168.1.8 eq 514
access-group acl-out in interface outside
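The access list above is short enough to check by eye, but on a production firewall it is
worth verifying two things mechanically: that every access-list is actually bound to an
interface with access-group (an unbound list has no effect), and that a given connection
is permitted or denied the way the operator expects, remembering the implicit deny at the
end of the list. The following Python script is an added example, not part of the book's
configuration. It parses the acl-out list and access-group binding from Example 20-4
(embedded as a constructed sample), evaluates connections with PIX first-match semantics,
and flags permit entries that open a management or logging port (the port set is an
assumed choice, as is the small table of service names the parser understands).

```python
"""Parse a PIX access list, check its binding, and evaluate connections against it."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the acl-out list and binding from Example 20-4,
# as pasted from the HQ-PIX running configuration.
SAMPLE_CONFIG = """\
access-list acl-out permit tcp any host 192.168.1.4 eq smtp
access-list acl-out permit tcp any host 192.168.1.5 eq www
access-list acl-out permit tcp any host 192.168.1.6 eq ftp
access-list acl-out permit udp any host 192.168.1.8 eq 514
access-group acl-out in interface outside
"""

# Service names the PIX accepts in place of port numbers (assumed subset).
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "ftp": 21, "syslog": 514,
              "ssh": 22, "telnet": 23, "domain": 53}


@dataclass
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # PIX access lists use real subnet masks, not wildcard masks.
    return ipaddress.IPv4Network((tok, tokens[i + 1])), i + 2


def parse_config(text):
    """Return (rules in configured order, {acl name: interface it is bound to})."""
    rules, bindings = [], {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":
                p = t[i + 1]
                dport = int(p) if p.isdigit() else PORT_NAMES[p]
            rules.append(Rule(name, action, proto, src, dst, dport))
        elif t[0] == "access-group":
            # access-group <name> in interface <ifname>
            bindings[t[1]] = t[4]
    return rules, bindings


def evaluate(rules, name, proto, src_ip, dst_ip, dport):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if r.name != name or r.proto not in (proto, "ip"):
            continue
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action == "permit"
    return False


def audit(rules, bindings, sensitive_ports=frozenset({514, 22, 23, 161})):
    """Report unbound lists and permits from any source to sensitive ports."""
    findings = []
    for n in sorted({r.name for r in rules}):
        if n not in bindings:
            findings.append(f"{n}: defined but never applied with access-group")
    for r in rules:
        if r.action == "permit" and r.src.prefixlen == 0 and r.dport in sensitive_ports:
            findings.append(f"{r.name}: {r.proto}/{r.dport} to {r.dst.network_address} "
                            f"is permitted from any source; restrict it to the remote "
                            f"firewall addresses that actually send to it")
    return findings


if __name__ == "__main__":
    rules, bindings = parse_config(SAMPLE_CONFIG)
    print("bindings:", bindings)
    print("smtp from outside permitted:",
          evaluate(rules, "acl-out", "tcp", "203.0.113.9", "192.168.1.4", 25))
    print("https from outside permitted:",
          evaluate(rules, "acl-out", "tcp", "203.0.113.9", "192.168.1.5", 443))
    for f in audit(rules, bindings):
        print("finding:", f)
```

Run against the sample, the script confirms acl-out is bound to the outside interface,
shows that SMTP to 192.168.1.4 is permitted while HTTPS to 192.168.1.5 falls through to
the implicit deny, and raises one finding: the UDP 514 entry accepts syslog from any
source, where only the remote PIX firewalls need to reach the logging host.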