PIX 501 help

Unanswered Question
May 22nd, 2008

Hello all,

All of my Cisco experience has been with switches and routers. I was recently given a PIX 501 to configure (obtained from an old client).

First wall to get by is logging in. No one seems to know login info. Ideas?

Next is configuration. PIX is new to me. Does anyone know of any bare-bones configurations I can start with? The client I'm giving it to just needs very basic/standard access: HTTP, FTP, telnet, etc.

Any tips or help would be greatly appreciated!

arturo.guzman Thu, 05/22/2008 - 06:42

ip address outside <ip> <mask> // this is the WAN in most cases (fill in your own address and mask)
ip address inside <ip> <mask> // this is the LAN in most cases
telnet <ip> <mask> inside // the IP permitted to reach the PIX by telnet; can be a single host or a segment
route outside 0.0.0.0 0.0.0.0 <next-hop> 1 // default route toward the ISP gateway
access-list inside_access_in permit icmp any any // permit ICMP arriving on the inside interface
access-list outside_access_in permit icmp any any // permit ICMP arriving on the outside interface from all IPs to all IPs; anything not listed hits the implicit deny at the end
access-group outside_access_in in interface outside // apply the access-list inbound on outside
access-group inside_access_in in interface inside // apply the access-list inbound on inside

// NAT
global (outside) 1 interface // NAT overload (PAT) onto the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0 // translate every inside host using global pool 1

This is the basic configuration.

If you need any LAN IP to get out to the outside, you only have to add an ACL like this:

access-list inside_access_in permit tcp any any eq www
access-list inside_access_in permit tcp any any eq ftp

Don't forget to rate me.

Armegeden Thu, 05/22/2008 - 06:46

Thanks arturo.

I'll have to go through your response line-by-line when I get the enable password reset. Just did some Googling and got the np60.bin to try to reset the password.

Once I get in, your post will be very helpful.

Thanks!

Armegeden Thu, 05/22/2008 - 09:08

Alright,

I managed to do the password recovery BIN thing and just reset the passwords without losing the config. Granted, all IP schemes and ACLs need to be changed, but it helps with insight, especially with your helpful post.

So I have a question on this:

----

access-list if_outside permit icmp any any

access-list if_outside permit tcp any host 216.254.109.67 eq smtp

access-list if_inside permit ip 192.168.4.0 255.255.255.0 any

access-group if_outside in interface outside

access-group if_inside in interface inside

----

I'm assuming this allows ICMP incoming from the outside interface to the inside.

And then allows traffic from any host outside with SNMP traffic to 216.254.109.67... ?

The clarification I need is with applying the access lists. Could someone clarify those last two lines?

jonesm111 Tue, 09/02/2008 - 11:04

The last 2 lines..

access-group if_outside in interface outside

access-group if_inside in interface inside

1- Apply the access list named "if_outside" in (inbound traffic only) interface outside (apply to the interface named "outside").

2- Same, except the ACL is named if_inside, inbound traffic again, applied to the interface named inside.

Please rate if this helps...

--Mike
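An added example, not part of the original thread: a small Python evaluator that reads the access-list / access-group lines from arturo.guzman's config and from the if_outside/if_inside block in the question (a constructed copy is embedded below) and checks sample packets the way the PIX does. It models exactly what Mike's answer describes: each ACL is bound inbound on the interface named in the access-group line, entries are tried first-match in order, and a packet with no matching entry falls through to the implicit deny. Service names are resolved as the PIX resolves them, so `eq smtp` is TCP/25; UDP/161 (SNMP) matches nothing in that list. The sample addresses, the PORT_NAMES table subset and the packet cases are constructed for the example.

```python
"""First-match evaluator for PIX 6.x style interface ACLs (added example)."""
import ipaddress

# Subset of the service names the PIX accepts after "eq" (constructed table).
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "smtp": 25, "telnet": 23,
              "snmp": 161, "ssh": 22, "domain": 53}

# Constructed copy of the config lines quoted in the question above.
CONFIG = """
access-list if_outside permit icmp any any
access-list if_outside permit tcp any host 216.254.109.67 eq smtp
access-list if_inside permit ip 192.168.4.0 255.255.255.0 any
access-group if_outside in interface outside
access-group if_inside in interface inside
"""


def _parse_addr(tokens, i):
    """Consume one PIX address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs take a normal subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <name|number>'; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_config(text):
    """Return (acls: name -> list of entries, bindings: interface -> acl name)."""
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _parse_addr(t, 4)
            sport, i = _parse_port(t, i)
            dst, i = _parse_addr(t, i)
            dport, i = _parse_port(t, i)
            acls.setdefault(name, []).append(
                dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport))
        elif t[0] == "access-group":
            # access-group <acl> in interface <ifname>: inbound on that interface only
            bindings[t[4]] = t[1]
    return acls, bindings


def evaluate(acls, bindings, iface, proto, src, dst, dport=None, sport=None):
    """Evaluate a packet arriving on iface: ('permit'|'deny', index of matching entry)."""
    name = bindings.get(iface)
    if name is None:
        return "unbound", None  # only interfaces with an ACL bound are modelled here
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(acls[name]):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], idx  # first match wins
    return "deny", None  # implicit deny at the end of every PIX ACL


def demo():
    """Run constructed sample packets through the posted ACLs."""
    acls, bindings = parse_config(CONFIG)
    cases = [  # (interface, proto, src, dst, dport)
        ("outside", "icmp", "8.8.8.8", "192.168.4.10", None),       # icmp any any
        ("outside", "tcp", "203.0.113.5", "216.254.109.67", 25),    # eq smtp -> TCP/25
        ("outside", "udp", "203.0.113.5", "216.254.109.67", 161),   # SNMP: no entry
        ("outside", "tcp", "203.0.113.5", "216.254.109.67", 23),    # telnet: implicit deny
        ("inside", "tcp", "192.168.4.20", "198.51.100.7", 80),      # permit ip 192.168.4.0/24 any
        ("inside", "tcp", "10.0.0.9", "198.51.100.7", 80),          # wrong source subnet
    ]
    return {c: evaluate(acls, bindings, *c) for c in cases}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict)
```

Run it as-is to see each sample packet's verdict. To check a different ruleset, paste your own access-list / access-group lines into CONFIG and add cases; the same first-match loop with the trailing implicit deny applies to every interface ACL on the PIX.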
