PIX to replace router

I have an aged Linksys router that connects to a DSL modem that I would like to replace with a PIX. I have 5 static IP addresses assigned from the ISP. What would the basic config look like? I can't seem to find anything Cisco. Maybe I'm looking in the wrong spot?

J1C

In article , J1C wrote:
:I have an aged Linksys router that connects to a DSL modem that I would
:like to replace with a PIX. I have 5 static IP addresses assigned from
:the ISP. What would the basic config look like? I can't seem to find
:anything Cisco. Maybe I'm looking in the wrong spot?

ip address -- one of these per interface

static (inside,outside) -- one of these per IP or port you want to act as a public server

access-list -- several lines if you want any device to act as a public server

access-group -- at most one of these per interface

nat (inside) -- at least one of these unless all inside systems will be named in a static command

global -- at least one of these unless all inside systems will be named in nat commands

Then you get your various overhead commands like controlling remote ssh access to the PIX, or controlling how authentication is done, or controlling timeouts.

There are a number of other configuration aspects that do not come into play until you get into Virtual Private Networks.

Walter Roberson
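A worked version of the building blocks Walter lists above, added here as an example and not part of the original thread. It assumes PIX 6.x syntax, an ISP-assigned /29 block with the ISP gateway on the first address (which leaves exactly five addresses for public use, as in the question), and one inside web server to publish; every address below is a constructed placeholder, as are the hostname and the interface speeds.

```cisco
! Added example (not from the thread): minimal PIX 6.x config for a DSL uplink.
! Assumed, constructed addresses: ISP block 203.0.113.0/29, ISP gateway 203.0.113.1,
! PIX outside address 203.0.113.2, leaving 203.0.113.3-6 for public servers.
hostname pixfw
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 100full
! ip address -- one per interface
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! nat + global -- inside hosts without a static share the outside interface address (PAT)
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
! static -- one public address mapped one-to-one onto the inside web server
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255
! access-list + access-group -- only web traffic to that server is accepted from
! outside; anything else arriving on outside is dropped by the ACL's implicit deny
access-list out2in permit tcp any host 203.0.113.3 eq www
access-list out2in permit tcp any host 203.0.113.3 eq https
access-group out2in in interface outside
! overhead -- management only from the inside network, with an idle timeout
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
```

Each remaining public address gets its own static (and ACL lines) only when something inside must be reachable on it; unused addresses need no configuration at all, which keeps the inbound exposure limited to what the ACL explicitly names.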

Thanks Walter. How could I set the pix up to block all outbound traffic but http, https, smtp, pop3?

J1C

In article , J1C wrote:
:How could I set the pix up to block all outbound traffic
:but http, https, smtp, pop3 ??

object-group service generic_traffic_tcp tcp
 description the TCP traffic allowed out to everywhere
 port-object eq www
 port-object eq 443
 port-object eq smtp
 port-object eq 110

access-list in2out remark traffic permitted from inside to outside
access-list in2out permit tcp any any object-group generic_traffic_tcp

access-group in2out in interface inside

The above is what you -asked- for, but chances are excellent that you really won't like the result. I would suggest that you consider allowing domain name resolution service (DNS) as well.

Walter Roberson

Ah, yes... that would be helpful too. port-object eq DNS?

J1C

In article , J1C wrote:
:Ah, yes .. that would be helpful too. port-object eq DNS ?

Please quote context. Articles expire, articles don't arrive or arrive out of order, people don't all use software that allows them to go back and see the context easily...

: port-object eq DNS

Not quite. It would be port-object eq domain. However, DNS service really runs over UDP instead of TCP for most purposes (except DNS Zone Transfers), so you would either code it directly

access-list inside2outside permit udp any any eq domain

or else you would create a 'service' object group of type 'udp' and port-object within that, and follow the tcp acl entry from before but with udp and the appropriate object name.

Walter Roberson
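The outbound policy from the two replies above, carried through as one complete example; it is added here and is not the thread's own configuration. It follows Walter's second option (a UDP service object-group rather than a bare ACL line) and goes slightly beyond the thread in two ways: DNS is limited to the resolvers the inside hosts actually use, and an explicit logged deny closes the list so blocked traffic is visible. PIX 6.3 or later is assumed for the log keyword; the resolver addresses are constructed placeholders.

```cisco
! Added example (not from the thread): outbound egress policy on the inside
! interface. Only the listed TCP ports and UDP DNS may leave; everything else
! from inside is denied and logged.
object-group service generic_traffic_tcp tcp
 description the TCP traffic allowed out to everywhere
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3
object-group service generic_traffic_udp udp
 description the UDP traffic allowed out to the resolvers
 port-object eq domain
! Assumed: the ISP resolvers configured on the inside hosts (placeholder addresses)
object-group network isp_resolvers
 network-object host 203.0.113.53
 network-object host 203.0.113.54
access-list in2out remark traffic permitted from inside to outside
access-list in2out permit tcp any any object-group generic_traffic_tcp
access-list in2out remark DNS lookups, UDP only, restricted to the ISP resolvers
access-list in2out permit udp any object-group isp_resolvers object-group generic_traffic_udp
access-list in2out remark explicit catch-all so denied attempts show up in the log
access-list in2out deny ip any any log
access-group in2out in interface inside
```

Applying an access-group on inside replaces the PIX default of letting all outbound traffic through, so anything not named here (zone transfers over TCP 53, IMAP, NTP, and so on) stops working the moment the list is applied; the logged deny is what tells you which of those you forgot. Return traffic for permitted connections needs no entry on outside, since the PIX tracks the sessions statefully.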

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.