View Full Version : Need some Assistance with my firewall


zoomy942
02-24-09, 01:10 PM
So, Cox decided it would be cute to force me to change my IPs for my company (I only use 1 of 3) and while calling my Start of Authority for the A records is no big deal, I don't know for sure how to change my firewall to reflect those changes. I am looking at it with telnet and there are tons of 68.105.222.74 entries, and I assume I have to change them to say the new address. Is this a manual thing I have to do? I have until Thursday night to figure this part out. Any help the gurus out there could offer would be excellent.

Bman212121
02-24-09, 05:06 PM
First question would be what type of device are we talking about? Secondly get rid of telnet and use SSH. ;)

zoomy942
02-24-09, 05:32 PM
It's a Cisco PIX 501 and ...um... I don't know how to use SSH :(

Bman212121
02-24-09, 10:59 PM
To SSH do this:

http://www.informit.com/articles/article.aspx?p=25342&seqNum=3

If you're in configure terminal mode, show the running config, as they might already have SSH set up for a certain address.

I would say that you will need to change that IP each time it comes up in your config, as everything is going to be manual. The easiest way is to copy/paste the running config into Notepad, change them, then copy/paste it back. Just make sure you do a "copy run start" or "write mem" to save the changes. (Not sure if both work on that model or not)

The two obvious things that will need to be changed are:

ip address outside

route outside

It will probably list a 2nd entry if you copy paste, so you will probably need to do a "no ip address outside 68.105.222.74 255.255.X.X"

Not really sure what all of the other entries would be unless it's port forwarding for devices. Do a bunch of lines look like this?

access-list 102 permit icmp host 10.1.1.1 host 68.105.222.74 timestamp-reply

Other than that it should work, but it isn't always that simple when it comes to Cisco equipment. I only have a little experience with their stuff, so there might be a few other things that I don't know about that you would have to do.

zoomy942
02-25-09, 10:01 AM
So this copy to Notepad thing...

How does that work? I can copy and paste everything over and then change it and apply it?

Bman212121
02-25-09, 10:40 AM
So this copy to Notepad thing...

How does that work? I can copy and paste everything over and then change it and apply it?

Yes. If you type "show run" it will give you a big ol' output of every setting that is configured on the device. Just copy all of that text into Notepad. Then you can make the changes there, making it much easier to work with the device. Then just copy and paste the document back onto the PIX and it will apply all of the changes. (When you're in configure terminal mode it will take each line as a separate command.) One note is that if it's a long config you might need to break it up into a couple of pieces, as the device can only buffer so much information. The nice thing about doing it this way is that you can save your Notepad document for future reference. If someone accidentally breaks the device, just copy/paste the backup config to it. Make sure you back up the running config before you make changes as well, just in case you screw something up. ;)

zoomy942
02-25-09, 11:18 AM
Let me ask you this..

I understand that I have to run the NO command to remove the old stuff and then apply the new stuff...

Would my copy and paste look like..

no ip route...yadada
ip route...yadadda

Bman212121
02-25-09, 10:56 PM
Actually I would just copy and paste everything as normal first, and then run the "NO IP route" commands on whatever you needed to remove. A lot of the commands aren't going to duplicate, but for commands like IP addresses you're allowed to have multiple of them, so that is why you'll end up with more than one. If you're in via telnet/SSH and you run a no IP address before you assign the new one, you might be able to lock yourself out of the PIX. :)

I'm not sure if I made that clear or not. You won't need to have any "no" commands in your config. The only time where you might need to use it is to remove something that didn't overwrite the old value, but instead made another one. IE:

ip address 192.168.1.2
ip address 192.168.2.2

If I were changing the IP to 192.168.2.2, that is most likely what would happen when I type the command. To fix this I'll type "no ip address 192.168.1.2" and it will remove the old IP. Another common use for "no" is when you have a port that is disabled. You can type "no shut" and it will enable the port.

zoomy942
02-26-09, 10:03 AM
I looked at that article and one thing it doesn't explain is why SSH is better than telnet

Bman212121
02-26-09, 10:40 AM
I looked at that article and one thing it doesn't explain is why SSH is better than telnet

SSH uses encryption, telnet is just plain text for everything. Telnet is considered very insecure because anyone with a packet sniffer could easily get your login and enable passwords.

http://articles.techrepublic.com.com/5100-10878_11-5875046.html


Takeaway: Most IT pros know that using Telnet to manage routers, switches, and firewalls is not exactly a security best practice. Instead, the accepted alternative to Telnet's lack of security is Secure Shell (SSH). Learn how to configure SSH on your Cisco router. David Davis has the details.
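The copy-to-Notepad procedure and the "no" explanation above (rewrite every line carrying the old address, paste the new lines in first, then remove the stale duplicate entries that "ip address outside" and "route outside" leave behind, and never remove the old address before the new one is in place) can be done with a script over the saved "show run" dump instead of by hand, and the same pass can list the cleartext telnet management lines the SSH discussion says should go. The following is an added example for this thread, not the poster's config and not a Cisco tool. It generalizes slightly: it rewrites a map of several addresses (interface address and default gateway) rather than one. The old address 68.105.222.74 is the one quoted in the thread; the old gateway, both new addresses (RFC 5737 documentation range), the subnet mask and the telnet/ssh line syntax are assumptions, and the sample config is constructed.

```python
"""Rewrite a saved PIX-style running config for a new outside address.

Added example for this thread; not the poster's config or any Cisco tool.
"""
import re
from typing import Dict, List, Tuple

# Old outside address quoted in the thread. The old gateway and both new
# addresses are placeholders (RFC 5737 documentation range), not real values.
ADDRESS_MAP: Dict[str, str] = {
    "68.105.222.74": "203.0.113.10",   # outside interface address
    "68.105.222.73": "203.0.113.9",    # assumed old -> new default gateway
}

# Commands that, as the thread describes, leave a second entry behind when
# re-entered with a new value instead of overwriting the old one.
DUPLICATING_PREFIXES = ("ip address outside", "route outside")

# Constructed sample "show run" output in PIX 6.x style. The access-list line is
# the one quoted in the thread; the other lines use assumed syntax.
SAMPLE_RUNNING_CONFIG = """\
nameif ethernet0 outside security0
ip address outside 68.105.222.74 255.255.255.248
route outside 0.0.0.0 0.0.0.0 68.105.222.73 1
access-list 102 permit icmp host 10.1.1.1 host 68.105.222.74 timestamp-reply
telnet 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
"""


def _ip_pattern(ip: str):
    # Whole-address match only: 68.105.222.74 must not match inside
    # 68.105.222.740, and no address may match inside a mask or longer address.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def rewrite_config(config: str, address_map: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (lines to paste into configure terminal, 'no ...' lines to run afterwards).

    Rewritten lines come first and removals last: issuing "no ip address outside"
    before the new address exists is exactly how the thread says a remote
    session gets locked out.
    """
    patterns = [(_ip_pattern(old), new) for old, new in address_map.items()]
    paste_lines: List[str] = []
    removals: List[str] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        changed = line
        for pat, new in patterns:
            changed = pat.sub(new, changed)
        if changed != line and line.startswith(DUPLICATING_PREFIXES):
            # This command duplicates rather than overwrites, so the old
            # entry has to be removed explicitly once the new one is in.
            removals.append("no " + line)
        paste_lines.append(changed)
    return paste_lines, removals


def leftover_old_addresses(lines: List[str], address_map: Dict[str, str]) -> List[str]:
    """Lines still carrying an old address after the rewrite (should be empty)."""
    patterns = [_ip_pattern(old) for old in address_map]
    return [l for l in lines if any(p.search(l) for p in patterns)]


def telnet_management_lines(lines: List[str]) -> List[str]:
    """Lines allowing cleartext telnet management, the thread's reason to move to SSH."""
    return [l for l in lines if l.startswith("telnet ")]


if __name__ == "__main__":
    paste, removals = rewrite_config(SAMPLE_RUNNING_CONFIG, ADDRESS_MAP)
    print("# paste into configure terminal first:")
    print("\n".join(paste))
    print("# then remove the stale duplicate entries:")
    print("\n".join(removals))
    print("# old addresses still present:", leftover_old_addresses(paste, ADDRESS_MAP))
    print("# cleartext management lines to replace with ssh:", telnet_management_lines(paste))
```

Run it against a real dump saved from "show run" and diff the pasted block against a second "show run" afterwards; the leftover check is the quick way to confirm no access-list or other line was missed before doing "write mem".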

zoomy942
02-26-09, 10:48 AM
Um. Stupid thing won't let me highlight the big long thing in command prompt

EDIT : got it