Thursday, August 14, 2008

Cisco PIX Firewall Config 1 - GNS3 LAB

New to the PIX Firewall, so these are elementary labs.

LAB 1.001

I have made a LAB using GNS3 and PIX 8.02

My setup is below:

LAN ---- ETHERNET ---- PIX ------------- OUTSIDE NETWORK

and here's my config, in case I need it.


pixfirewall# sh run
: Saved
:
PIX Version 8.0(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif inside
security-level 100
ip address 192.168.254.254 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 192.200.200.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list in_nameif_outside remark "This is acl going in to outside interface"
access-list in_nameif_outside extended permit icmp any any echo
access-list in_nameif_outside extended permit icmp any any echo-reply
access-list in_nameif_outside extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging buffered informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.254.0 255.255.255.0 tcp 4000 0
access-group in_nameif_outside in interface outside
route outside 192.100.100.0 255.255.255.0 192.200.200.2 1
route outside 192.168.100.0 255.255.255.0 192.200.200.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
ssl encryption rc4-sha1
prompt hostname context
Cryptochecksum:162b16acec82534b3fab51c345340f06
: end
pixfirewall#



My PC's loopback adapter address is 192.168.254.1 (on the PIX inside subnet).

On the outside network there is a router with the address 192.100.100.1.

On my PC I added static routes for the two outside networks, pointing at the PIX inside address:


route add 192.100.100.0 mask 255.255.255.0 192.168.254.254

and

route add 192.200.200.0 mask 255.255.255.0 192.168.254.254


With those routes in place I can ping the outside addresses in the GNS3 lab:


Pinging 192.200.200.2 with 32 bytes of data:

Reply from 192.200.200.2: bytes=32 time=11ms TTL=255
Reply from 192.200.200.2: bytes=32 time=10ms TTL=255
Reply from 192.200.200.2: bytes=32 time=10ms TTL=255
Reply from 192.200.200.2: bytes=32 time=10ms TTL=255

Ping statistics for 192.200.200.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 11ms, Average = 10ms

and

Pinging 192.100.100.1 with 32 bytes of data:

Reply from 192.100.100.1: bytes=32 time=13ms TTL=255
Reply from 192.100.100.1: bytes=32 time=12ms TTL=255
Reply from 192.100.100.1: bytes=32 time=12ms TTL=255
Reply from 192.100.100.1: bytes=32 time=12ms TTL=255

Ping statistics for 192.100.100.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 12ms, Maximum = 13ms, Average = 12ms


and I can even telnet to the lab router behind the PIX at 192.100.100.1.
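Two things in the config above are fine for a lab but worth a second look before anything like it goes near a real network: the enable password and the login password are still the factory-default hashes (an empty enable password and the login password "cisco"), the outside ACL permits ICMP echo from any source inbound, and `icmp permit any outside` lets the PIX itself answer pings from the outside. The script below is an added example, not part of the post and not Cisco tooling: it parses the relevant lines of a `show run` with plain line matching and reports those points, so the same check can be rerun after the config is tightened. The config lines embedded in it are copied from the post (trimmed to what the audit looks at); the parser only covers the command forms seen there.

```python
import re

# Factory-default hashes found in a blank PIX/ASA config: an empty enable
# password and the default login (passwd) password "cisco".
DEFAULT_ENABLE_HASH = "8Ry2YjIyt7RRXU24"
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"

# Sample input: lines taken from the running-config in the post.
SAMPLE_CONFIG = """\
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.254.254 255.255.255.0
interface Ethernet1
 nameif outside
 security-level 0
 ip address 192.200.200.1 255.255.255.0
interface Ethernet2
 shutdown
 no nameif
passwd 2KFQnbNIdI.2KYOU encrypted
access-list in_nameif_outside extended permit icmp any any echo
access-list in_nameif_outside extended permit icmp any any echo-reply
access-list in_nameif_outside extended permit icmp any any time-exceeded
icmp permit any inside
icmp permit any outside
access-group in_nameif_outside in interface outside
ssl encryption rc4-sha1
"""

# Sub-commands that belong to an "interface" block.
IF_SUBCMDS = ("nameif ", "security-level ", "ip address ", "shutdown",
              "no nameif", "no security-level", "no ip address")


def _addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (text, tokens used)."""
    if tokens[0] == "any":
        return "any", 1
    if tokens[0] == "host":
        return tokens[1], 2
    return f"{tokens[0]}/{tokens[1]}", 2


def parse_pix_config(text):
    """Extract interfaces, ACLs, access-groups, icmp-to-box rules and password hashes."""
    cfg = {"interfaces": {}, "acls": {}, "access_groups": {}, "icmp_rules": [],
           "enable_hash": None, "passwd_hash": None, "ssl_encryption": []}
    cur = None  # interface block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        if line.startswith("interface "):
            cur = cfg["interfaces"].setdefault(
                line.split()[1],
                {"nameif": None, "security_level": None, "ip": None, "shutdown": False})
            continue
        if cur is not None and line.startswith(IF_SUBCMDS):
            t = line.split()
            if t[0] == "nameif":
                cur["nameif"] = t[1]
            elif t[0] == "security-level":
                cur["security_level"] = int(t[1])
            elif t[0] == "ip":
                cur["ip"] = (t[2], t[3])
            elif t[0] == "shutdown":
                cur["shutdown"] = True
            continue
        cur = None  # any other command ends the interface block
        t = line.split()
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)$", line)
        if m:
            rest = m.group(4).split()
            src, n = _addr(rest)
            dst, k = _addr(rest[n:])
            cfg["acls"].setdefault(m.group(1), []).append(
                {"action": m.group(2), "proto": m.group(3), "src": src,
                 "dst": dst, "extra": rest[n + k:]})
        elif t[0] == "access-group":        # access-group NAME in|out interface IF
            cfg["access_groups"][(t[4], t[2])] = t[1]
        elif t[0] == "icmp" and t[1] in ("permit", "deny"):  # icmp permit SRC [MASK] [TYPE] IF
            src, _ = _addr(t[2:])
            cfg["icmp_rules"].append({"action": t[1], "src": src, "ifname": t[-1]})
        elif t[:2] == ["enable", "password"]:
            cfg["enable_hash"] = t[2]
        elif t[0] == "passwd":
            cfg["passwd_hash"] = t[1]
        elif t[:2] == ["ssl", "encryption"]:
            cfg["ssl_encryption"] = t[2:]
    return cfg


def audit(cfg):
    """Return human-readable findings for the exposure points discussed above."""
    findings = []
    if cfg["enable_hash"] == DEFAULT_ENABLE_HASH:
        findings.append("enable password is the factory default (empty)")
    if cfg["passwd_hash"] == DEFAULT_PASSWD_HASH:
        findings.append("login password (passwd) is the factory default 'cisco'")
    # security-level 0 marks the untrusted side; look at what it lets in.
    untrusted = [i["nameif"] for i in cfg["interfaces"].values()
                 if i["security_level"] == 0 and not i["shutdown"]]
    for ifname in untrusted:
        acl = cfg["access_groups"].get((ifname, "in"))
        for e in cfg["acls"].get(acl, []):
            if (e["action"] == "permit" and e["src"] == "any"
                    and e["proto"] == "icmp" and "echo" in e["extra"]):
                findings.append(f"{acl} on {ifname} permits ICMP echo from any source inbound")
        for r in cfg["icmp_rules"]:
            if r["action"] == "permit" and r["src"] == "any" and r["ifname"] == ifname:
                findings.append(f"PIX answers ICMP from any host on {ifname}")
    if cfg["ssl_encryption"] and all(s.startswith("rc4") for s in cfg["ssl_encryption"]):
        findings.append("ssl encryption limited to RC4 ciphers")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_pix_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run it against a pasted `show run` instead of the sample to get the findings for a live box; the echo-reply and time-exceeded permits are what let the PC's own pings come back through a PIX that is not inspecting ICMP, so they are left alone by the audit, while the inbound echo permit and the default hashes are the lines to change.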

more later...

Tuesday, August 12, 2008

Horde config on setting default identity mail domain

Horde Config not to forget

- I want my default email domain in place, so that when I log in and create an email, the From address of my identity is automatically user@mydomain.com.

File to edit:

{horde-root-dir}/imp/config/servers.php

Original entry in horde-webmail-1.1.1, assuming you only have a single domain:


$servers['_prompt'] = array(
    'name' => _("Choose a mail server:")
);

/* Example configurations: */

$servers['imap'] = array(
    'name' => 'IMAP Server',
    'server' => 'localhost',
    'hordeauth' => false,
    'protocol' => 'imap/notls',
    'port' => 143,
);



and here's the edited entry, with maildomain set and quota monitoring enabled. Note that 'imap/notls' sends the IMAP login in the clear; that is only acceptable here because the server is localhost.

$servers['imap'] = array(
    'name' => 'IMAP Server',
    'server' => 'localhost',
    'hordeauth' => false,
    'protocol' => 'imap/notls',
    'port' => 143,
    'folders' => '',
    'namespace' => '',
    'maildomain' => 'mydomain.com', // change this to whatever your domain is
    'smtphost' => 'localhost',
    'smtpport' => 25,
    'realm' => '',
    'preferred' => '',
    'quota' => array(
        'driver' => 'command',
        'params' => array(
            'host' => 'localhost',
            'port' => 12345
        )
    ),
    'dotfiles' => false,
    'hierarchies' => array()
);

Friday, August 8, 2008

Need to Edit the only Allowed programs via GP

I encountered a problem today: I needed to allow msimn.exe (the Outlook Express executable), as it is needed by the web applications we use in operations. (It's a call center, yeah.)

By default it was denied to a certain team or group. It took me an hour to search and find it in the Group Policy properties. Wow, so I'll leave a mark here for next time. The server is Windows 2003 and the clients are Windows XP.

Process is:

Open Active Directory Users and Computers from Administrative Tools

-> Right-click the particular OU and select Properties
-> Group Policy
-> Select the particular Group Policy and click Edit
-> User Configuration
-> Administrative Templates
-> System
-> Double-click "Don't run specified Windows applications"
-> If the specific exe file is listed there, remove it.
-> If "Run only allowed Windows applications" is enabled, make sure the exe has been added to its list of allowed applications.


And don't forget to run gpupdate and have the user log off and log back on (these are User Configuration settings, so they apply at logon).
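What the two settings actually write, and how Explorer evaluates them, can be checked from the workstation without opening the GPO editor. The script below is an added example, not from the post: it reads the DisallowRun and RestrictRun values and lists that the two settings store under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, decides whether a given executable would launch, and applies the post's two steps (drop the exe from the deny list, add it to the allow list if one is enforced) to a constructed snapshot of the policy. The snapshot, msimn.exe denied with an allow list that does not include it, is made up for illustration.

```python
import ntpath

# Where Explorer keeps both settings; the DWORDs DisallowRun / RestrictRun
# enable each policy and the subkeys of the same name hold the exe names
# as values "1", "2", ...
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def read_run_policy_from_registry():
    """Read the live per-user policy (Windows only; needs the winreg module)."""
    import winreg

    def enabled(name):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY) as k:
                return winreg.QueryValueEx(k, name)[0] == 1
        except OSError:           # key or value missing: policy not set
            return False

    def listing(name):
        names = []
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY + "\\" + name) as k:
                i = 0
                while True:       # EnumValue raises OSError when the values run out
                    names.append(winreg.EnumValue(k, i)[1])
                    i += 1
        except OSError:
            pass
        return names

    return {"disallow_enabled": enabled("DisallowRun"), "disallow": listing("DisallowRun"),
            "restrict_enabled": enabled("RestrictRun"), "restrict": listing("RestrictRun")}


# Constructed snapshot matching the situation in the post: Outlook Express
# blocked by name, and an allow list in force that does not include it.
BEFORE = {"disallow_enabled": True, "disallow": ["msimn.exe"],
          "restrict_enabled": True, "restrict": ["iexplore.exe", "notepad.exe"]}


def can_run(exe, policy):
    """Return (allowed, reason) for an executable, matched by file name, case-insensitively."""
    name = ntpath.basename(exe).lower()
    if policy["disallow_enabled"] and name in (e.lower() for e in policy["disallow"]):
        return False, "listed under 'Don't run specified Windows applications'"
    if policy["restrict_enabled"] and name not in (e.lower() for e in policy["restrict"]):
        return False, "not listed under 'Run only allowed Windows applications'"
    return True, "allowed"


def fix_policy(policy, exe):
    """Apply the post's two steps to a copy of the policy and return it."""
    fixed = {k: (list(v) if isinstance(v, list) else v) for k, v in policy.items()}
    fixed["disallow"] = [e for e in fixed["disallow"] if e.lower() != exe.lower()]
    if fixed["restrict_enabled"] and exe.lower() not in (e.lower() for e in fixed["restrict"]):
        fixed["restrict"].append(exe)
    return fixed


if __name__ == "__main__":
    print("before:", can_run("msimn.exe", BEFORE))
    print("after: ", can_run("msimn.exe", fix_policy(BEFORE, "msimn.exe")))
```

On a domain workstation, replace BEFORE with read_run_policy_from_registry() after gpupdate and a fresh logon to see what the user actually received. Both settings are enforced by Explorer at launch time only; a program started by another process (a command prompt, Task Manager, a script) is not stopped by them, so they are a desktop-control measure, not a security boundary.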


Wow, it's Microsoft Windows.