20101122

PIX Firewalls Do Not Eat Large Amounts of Copypasta.

One of the appliances we use frequently here is the Cisco PIX firewall. These devices are excellent in that they help keep your network secure without you having to dedicate a computer to firewalling. They are not-so-excellent in that they're not user-friendly if you don't have much experience with the Cisco IOS, and the PDM doesn't always play nicely with commands entered from the console.

I've not had to worry about messing with these much since we have a Cisco guru in Switzerland, but since I needed to send a PIX to one of our new locations and he is unable to assist me remotely with this currently, I decided to get my hands dirty. Nothing major; just need to copy a config from one PIX to another. Easy, right?

Well, hrm. Doing a write net doesn't guarantee a good "image"; you can't just copy tftp://server/imagefile flash:image back over. The PIX tells you it's invalid.

Okay, no problem. I'll just do a config net to load the config.

Or not. Turns out the PIX config doesn't save in the same order as the commands must be entered.

So I spent today learning about the order in which the commands must be entered into the PIX firewall, and here's what it appears to be (after a write erase and reload):

  1. Interface- and IP-related commands

  2. Protocols

  3. Names

  4. Services (object-group and port-object commands)

  5. VPDN commands

  6. Sysopt commands to permit IPSec &/or PPTP

  7. Crypto commands (except match) and ISAKMP commands & keys

  8. ACLs

  9. Crypto match commands (to link the crypto maps with the ACLs)

  10. DHCPd commands

  11. Everything else (ICMP, PDM, NAT, AAA server, SNMP, etc.).

I would suggest taking an existing config file and rearranging it for this purpose. Use Notepad++, since the config files use LFs only (as opposed to CR+LF).
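As an added example (not from the original post), here is a small Python script that applies the ordering above to a saved config file. The command prefixes it uses to recognise each category are my assumptions about how those commands appear in a saved PIX 6.x config, and the sample config is constructed.

```python
from __future__ import annotations
import re

# Patterns for the categories listed above. The prefixes are my assumptions about
# how each category shows up in a saved PIX 6.x config; extend them as needed.
ORDER = [
    (1, r"^(interface |ip |nameif |mtu )"), (2, r"^fixup protocol "),
    (3, r"^names?\b"), (4, r"^(object-group |port-object )"),
    (5, r"^vpdn "), (6, r"^sysopt "), (7, r"^(crypto |isakmp )"),
    (8, r"^access-list "), (10, r"^dhcpd "),
]
CRYPTO_MATCH, EVERYTHING_ELSE = 9, 11

def category(line: str) -> int:
    """Load-order category (1-11) for one top-level config command."""
    if line.startswith("crypto map ") and " match address " in line:
        return CRYPTO_MATCH        # the exception to rule 7: linked after the ACLs
    for number, pattern in ORDER:
        if re.match(pattern, line):
            return number
    return EVERYTHING_ELSE

def reorder(config_text: str) -> list[str]:
    """Keep each command with its indented sub-commands (port-object lines under an
    object-group), then stable-sort the groups so order within a category survives."""
    blocks = []
    for line in config_text.splitlines():
        if not line.strip() or line.startswith(":"):   # blank or ':' comment line
            continue
        if line[0].isspace() and blocks:                # sub-command: stays with parent
            blocks[-1].append(line)
        else:
            blocks.append([line])
    blocks.sort(key=lambda block: category(block[0]))  # list.sort is stable
    return [line for block in blocks for line in block]

# Constructed sample of a saved config, deliberately out of load order.
SAMPLE = """: Saved
crypto map sitemap 10 match address vpn_acl
crypto map sitemap 10 ipsec-isakmp
access-list vpn_acl permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
object-group service web tcp
  port-object eq www
interface ethernet0 auto
ip address outside 192.0.2.2 255.255.255.0
fixup protocol http 80
hostname pixtest
"""
```

Run reorder() over your saved config and write the result with LF-only line endings (for example open(path, "w", newline="\n")) before putting it on the TFTP server.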

A colleague suggested that you can then copy/paste the config into the PIX, but, as the title of this post suggests, that doesn't work out so well. The PIX seems to take only the first 10-15 lines, skip several, take another 10-15 lines, skip several more, etc., until you're left with a fragmented, wonky configuration. This doesn't work too well, and copy/pasting 10 lines at a time can be tedious, depending on how long your configuration is and how many VPNs you have to different sites. Instead, you may want to do it via the config net command.

BEFORE DOING SO: Have a TFTP server ready that you can connect directly to the PIX (more info below). Don't try to hack this remotely.

Aaand once more, for the cheap seats:
CAUTION! Don't do this remotely or on a live system unless your connectivity is already botched and you know you have a good working config file!

With that said, here's how you load your newly-rearranged PIX configuration file:

  1. write erase

  2. reload

  3. no (when it asks whether you want the managed setup)

  4. enable

  5. configure terminal

  6. interface eth0 auto

  7. interface eth1 100full

  8. ip address inside [ip] [netmask]

  9. config net [TFTPserver]:[reorderedfile]

For [ip] above, set it to the same IP range and subnet as your TFTP server. For mine, I loaded Solarwinds Free TFTP Server on a laptop and connected directly to the PIX via patch cable (port 1-4) for the TFTP connection, and used a console cable for the actual terminal connection. The [TFTPserver] above was my laptop's IP.

I keep seeing updated questions from people online regarding PIX firewalls, so I know I can't be the only person who works with them from time to time, despite the newer ASAs out there. Hopefully this information helps someone. Until next time!

Rob

20101104

Setting up HylaFAX: Complete!

No, I didn't just finish the project I started two years ago. I did have to shelve it for several months as something else came up, but I completed it in Q3 of 2009. I thought it would be a good idea to finally update this blog with additional details to help others who attempt the same thing!

First off, the Rocketport card works flawlessly. If you can obtain one, I highly recommend it. They're standard analogue loop-start ports; if you're looking for a T1 solution, you'll need to drop some extra money on either a Brooktrout or an Eicon Diva board. But for standard fax lines, the Rocketport card is perfect.

For the mail solution, I ended up going with qmail on the HylaFAX box. Here's what is required to get qmail talking to Exchange:

  1. HylaFAX needs fax addresses formatted as Name@Number.fax (e.g. Rob@7701234567.fax). Go to Exchange, navigate to your Connectors under the local Routing Group, and create a new SMTP Connector.

    • On the [General] tab, set it to forward all mail for that connector to the HylaFAX server. You can use the FQDN here as well as the IP address.

    • On the [Address Space] tab, create an SMTP Address Space for a *.fax address. Set your cost & scope as needed. If you only have one, a cost of 1 and a scope of Entire organization should be good. Just make sure you aren't utilizing another fax solution which requires an address of *.fax. If you're using Rightfax, Faxination or GFI Faxmaker, there should be no conflict. They actually use the FAX address space native in Exchange (used for the "Business Fax" listing in your Contacts).

  2. Back on the HylaFAX server (or whichever server you have hosting qmail), configure the following:

    • /var/qmail/control/virtualdomains: Add the line .fax:fax

    • /var/qmail/alias/.qmail-fax-default: Add the line /local/etc/mailfax

Bounce your services, and you're good to go. I used Ubuntu 9.04 for Hylamonster, so /etc/init.d/hylafax restart does the trick.