Setting up a PIX 501 from scratch

Hi all,

I'm setting up a shiny new (to me) PIX 501, and I need it set up as follows:

  1. I have 64 usable public IP's

  2. I'll need one internal NAT subnet, 192.168.1.0/24, with the router using one of the public IP's

  3. Outbound traffic from NAT LAN clients will be PAT'd through the router's WAN address (I'm used to calling this NAT, but it seems PAT is the correct term in the Cisco lexicon)

  4. DHCP pool on the LAN, starting at 192.168.1.100

  5. Two server computers on the LAN, for which I'd like to set up a few one-to-one mappings, using two of my 64 public IP's. I want to deny all traffic except that necessary for server processes (mail, web, etc). So, for example, 11.22.33.44 maps to 192.168.1.10, but only allows inbound traffic on ports 25, 110, and 143. And 11.22.33.45 maps to 192.168.1.11, but only allows inbound traffic on ports 80 and 443.

  6. I'd also like to have some commands at the ready to set up and remove future one-to-one mappings and rules for allowing/denying network traffic.

I grabbed a sample config file from the Cisco support website and modified it, as shown below. Can anyone tell me if I've got this right? I'm not sure of the syntax for the inbound server services (note the '?'s), nor do I know how to create the DHCP pool.

Any help appreciated!!

My Config file:

=====

Building configuration...
: Saved
:
PIX Version 5.3(1)
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif ethernet0 intf2 security10
nameif ethernet1 intf3 security15
enable password encrypted
passwd encrypted
hostname firewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names

!--- Create an access list to allow pings out
!--- and return packets back in.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable

!--- Allows anyone on the Internet to connect to
!--- servers for listed services only.
!--- One port per access-list line; the PIX does not accept a
!--- comma-separated port list. Mail host: 25, 110, 143.
access-list 100 permit tcp any host 11.22.33.44 eq smtp
access-list 100 permit tcp any host 11.22.33.44 eq pop3
access-list 100 permit tcp any host 11.22.33.44 eq imap4
!--- Web host: 80, 443.
access-list 100 permit tcp any host 11.22.33.45 eq www
access-list 100 permit tcp any host 11.22.33.45 eq https
pager lines 24

!--- Enable logging.
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor

!--- Enable error and more severe syslog messages
!--- to be saved to the local buffer.
logging buffered errors

!--- Send notification and more severe syslog messages
!--- to the syslog server.
logging trap notifications
no logging history
logging facility 20
logging queue 512

!--- Send syslog messages to a syslog server
!--- on the inside interface.
logging host inside 192.168.1.220

!--- All interfaces are shutdown by default.
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500

!--- set up PIX interfaces:
ip address outside 208.176.183.66 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
arp timeout 14400

!--- Define a Network Address Translation (NAT) pool that
!--- internal hosts use when going out to the Internet.
!--- commented out for now, using PAT only, below:
!--- global (outside) 1 204.69.198.15-204.69.198.253

!--- Define a Port Address Translation (PAT) address:
global (outside) 1 208.176.183.72

!--- Allow all internal hosts to use
!--- the NAT or PAT addresses specified above.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Define a static translation for the mailserver
!--- to be accessible from the Internet.
static (inside,outside) 11.22.33.44 192.168.1.10 netmask 255.255.255.255 0 0

!--- Define a static translation for the
!--- webserver to be accessible from the Internet.
static (inside,outside) 11.22.33.45 192.168.1.11 netmask 255.255.255.255 0 0

!--- Apply access list 100 to the outside interface.
access-group 100 in interface outside

!--- Define a default route to the ISP's router.
route outside 0.0.0.0 0.0.0.0 208.176.183.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname

!--- Allow the host 192.168.1.254 to be able to
!--- Telnet to the inside of the PIX.
telnet 192.168.1.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3e7ba2f76bf9a6b42ff656d31ebda5c5
: end
[OK]

Dave
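The two pieces the post says it is missing, the DHCP pool and the add/remove commands for future one-to-one mappings, as an added example in PIX 5.x/6.x syntax; it is not from the original post or from Cisco's sample config. The pool's upper bound (.199), the one-hour lease, the `<DNS-SERVER-IP>` placeholder, and the hypothetical third host 192.168.1.12 / 11.22.33.46 on TCP 22 are assumptions.

```text
!--- DHCP server on the inside interface. The pool starts at .100 as the
!--- post asks; the upper bound .199 is an assumption. It must not overlap
!--- the PIX itself (.1) or the statically mapped servers (.10, .11).
!--- Replace <DNS-SERVER-IP> with a real resolver address.
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns <DNS-SERVER-IP>
dhcpd lease 3600
dhcpd enable inside

!--- Adding a one-to-one mapping (hypothetical host 192.168.1.12 reachable
!--- as 11.22.33.46 on TCP 22 only). The static by itself exposes nothing:
!--- access-group 100 on the outside interface denies everything that list
!--- 100 does not explicitly permit, so each allowed port needs its own line.
static (inside,outside) 11.22.33.46 192.168.1.12 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host 11.22.33.46 eq ssh

!--- Removing it: negate the same lines with "no", then clear existing
!--- translations so connections through the old mapping are torn down.
no access-list 100 permit tcp any host 11.22.33.46 eq ssh
no static (inside,outside) 11.22.33.46 192.168.1.12 netmask 255.255.255.255 0 0
clear xlate

!--- Save to flash; check the result with "show static",
!--- "show access-list 100" and "show dhcpd binding".
write memory
```

Access-list changes take effect as soon as they are entered, so add the permit line only after the static is in place and remove it before taking the static out.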

Why not use the GUI?? ~Peter

