05-22-2008 06:05 AM - edited 03-05-2019 11:09 PM
Hello all,
All of my Cisco experience has been with switches and routers. I was recently given a PIX 501 to configure (obtained from old client).
First wall to get by is logging in. No one seems to know login info. Ideas?
Next is configuration. PIX is new to me. Does anyone know of any bare-bone configurations I can start with? The client I'm giving it to just needs very basic/standard access. HTTP, FTP, telnet, etc.
Any tips or help would be greatly appreciated!
05-22-2008 06:42 AM
ip address outside
ip address inside
telnet
route outside 0.0.0.0 0.0.0.0
access-list inside_access_in permit icmp any any // permit icmp to inside interface.
access-list outside_access_in permit icmp any any // permit icmp to outside interfaces from all IPs to all IPs
access-group outside_access_in in interface outside //apply the access-list
access-group inside_access_in in interface inside //apply the access-list.
//NAT.
global (outside) 1
nat (inside) 1
this is the basic configuration.
If you need any LAN IP to go outside, you only have to add an ACL like this.
access-list inside_access_in permit tcp
access-list inside_access_in permit tcp
Don't forget to rate me.
05-22-2008 06:46 AM
Thanks arturo.
I'll have to go through your response line-by-line when I get the enable password reset. Just did some googling and just got the np60.bin to try and reset the password.
Once I get in, your post will be very helpful.
Thanks!
05-22-2008 09:08 AM
Alright,
I managed to do the password recovering BIN thing and just reset the passwords without losing the config. Given, all IP schemes and ACLs need to be changed, but it helps with insight, especially since your helpful post.
So I have a question on this:
----
access-list if_outside permit icmp any any
access-list if_outside permit tcp any host 216.254.109.67 eq smtp
access-list if_inside permit ip 192.168.4.0 255.255.255.0 any
access-group if_outside in interface outside
access-group if_inside in interface inside
----
I'm assuming this allows ICMP incoming from the outside interface to the inside.
And then allows traffic from any host outside with SNMP traffic to 216.254.109.67... ?
The clarification I need is with applying the access lists. Could someone clarify those last two lines?
09-01-2008 08:12 PM
access-list if_outside permit tcp any host 216.254.109.67 eq smtp
The previous customer that was allowing incoming smtp traffic to an internal server
Do you still need a basic configuration to start out with? What will you be using the pix for? What kind of traffic are you going to be needing to allow?
09-02-2008 11:04 AM
The last 2 lines..
access-group if_outside in interface outside
access-group if_inside in interface inside
1- Apply access list named "if_outside" in (inbound traffic only) interface outside (apply to interface named "outside")
2- same except ACL named if_inside, inbound traffic again, applied to interface named inside
Please rate if this helps...
--Mike
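As an added illustration, not part of any reply in this thread: a small Python model of the ACL lines posted above, showing that access-group binds a named list to an interface for inbound packets and that the first matching entry decides, with an implicit deny at the end. It models ACL matching only (no NAT, statics or security levels); the function names and the sample packets are constructed for the example.

```python
import ipaddress

# ACL and access-group lines copied from the thread above.
CONFIG = """\
access-list if_outside permit icmp any any
access-list if_outside permit tcp any host 216.254.109.67 eq smtp
access-list if_inside permit ip 192.168.4.0 255.255.255.0 any
access-group if_outside in interface outside
access-group if_inside in interface inside
"""
PORTS = {"smtp": 25}  # only the port name this config uses


def take_addr(tok):
    """Consume one address spec; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]  # addr + mask


def parse(config):
    acls, bindings = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[0] == "access-list":
            src, rest = take_addr(tok[4:])
            dst, rest = take_addr(rest)
            port = PORTS[rest[1]] if rest[:1] == ["eq"] else None
            acls.setdefault(tok[1], []).append((tok[2], tok[3], src, dst, port))
        elif tok[0] == "access-group":  # access-group NAME in interface IFNAME
            bindings[tok[4]] = tok[1]
    return acls, bindings


def check(acls, bindings, ifname, proto, src, dst, dport=None):
    """Decision for a packet arriving inbound on ifname: first match wins."""
    for action, p, s, d, port in acls[bindings[ifname]]:
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d and port in (None, dport)):
            return action
    return "deny"  # implicit deny at the end of every ACL


ACLS, BINDINGS = parse(CONFIG)
# Constructed sample packets (203.0.113.9 is a documentation address).
print(check(ACLS, BINDINGS, "outside", "tcp", "203.0.113.9", "216.254.109.67", 25))
print(check(ACLS, BINDINGS, "outside", "tcp", "203.0.113.9", "216.254.109.67", 80))
```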