PIX Configuration Advice

Dear All,

I am new to PIX firewalls, but I did some basic configuration on small Cisco routers a long time ago.

I have configured my PIX 515 firewall, but I am wondering whether the configuration is correct or not and whether I misconfigured anything.

== Config Start ==

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password MHsdfdssb/9W67Gz encrypted
passwd su/ssdsfdfdfdjA.b encrypted
hostname RRR-PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
object-group icmp-type ICMP-INBOUND
  description Permit necessary inbound ICMP traffic
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside dhcp setroute
ip address inside
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group INBOUND in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside TFTP-Root
floodguard enable
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80

== Config End ==

Thanks in advance.

Hi Ahmad,

Oho 6.3, you might take into consideration upgrading this image.

Yes, it's correct, but for what?

You have

- outside set to get its ip via DHCP

- inside static ip

- PAT all the inside-sourced packets to the outside interface

The only issue that I can see is the INBOUND access-list applied on the inside interface, in direction, that is permitting only ICMP. So you will only be able to ping from inside -> outside.

access-list INBOUND permit icmp any any object-group ICMP-INBOUND
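An added example, not code from either poster: a small Python checker that reads the access-control and NAT lines of the config above, resolves the icmp-type object-group, and reports which interface the INBOUND list is bound to and what it permits. It assumes the PIX 6.3 command syntax shown in the thread; the sample text is constructed from Ahmad's lines.

```python
import re
from collections import defaultdict

# Constructed sample: the access-control and NAT lines from Ahmad's config above.
SAMPLE_CONFIG = """\
object-group icmp-type ICMP-INBOUND
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
global (outside) 1 interface
nat (inside) 1 0 0
access-group INBOUND in interface outside
"""

def parse_pix_config(text):
    """Collect icmp-type groups, ACL entries, access-group bindings, nat/global."""
    cfg = {"icmp_groups": defaultdict(list), "acls": defaultdict(list),
           "bindings": {}, "globals": {}, "nats": []}
    group = None
    for line in (l.strip() for l in text.splitlines()):
        parts = line.split()
        if line.startswith("object-group icmp-type "):
            group = parts[2]
        elif line.startswith("icmp-object ") and group:
            cfg["icmp_groups"][group].append(parts[1])
        elif line.startswith("access-list "):   # access-list NAME ACTION PROTO ...
            m = re.search(r"object-group (\S+)$", line)
            types = tuple(cfg["icmp_groups"][m.group(1)]) if m else ("any",)
            cfg["acls"][parts[1]].append((parts[2], parts[3], types))
        elif line.startswith("access-group "):  # access-group NAME in interface IFACE
            cfg["bindings"][parts[4]] = (parts[1], parts[2])
        elif line.startswith("global "):        # global (IFACE) ID interface|pool
            cfg["globals"][parts[2]] = (parts[1].strip("()"), parts[3])
        elif line.startswith("nat "):           # nat (IFACE) ID LOCAL MASK
            cfg["nats"].append((parts[1].strip("()"), parts[2]))
    return cfg

def inbound_permits(cfg, iface):
    """Permit entries on the ACL bound 'in' on IFACE; None if no ACL is bound."""
    bound = cfg["bindings"].get(iface)
    if not bound or bound[1] != "in":
        return None   # no ACL: interface security levels alone decide
    return [(proto, types) for action, proto, types in cfg["acls"][bound[0]]
            if action == "permit"]

def pat_pairs(cfg):
    """(nat iface, global iface, pool) for each nat id matched by a global."""
    return [(ni, *cfg["globals"][nid]) for ni, nid in cfg["nats"] if nid in cfg["globals"]]
```

For the sample, `inbound_permits(cfg, "outside")` returns a single icmp entry with the three resolved types and `inbound_permits(cfg, "inside")` returns None, since no list is bound there; `pat_pairs` shows nat id 1 on inside paired with the outside interface address.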


Hi Dan,

I really appreciate your reply.

Upgrading the IOS requires 64 of RAM, which I don't have and am unable to provide, so I am stuck with 6.3.

Regarding your points:

1. Outside via DHCP: that's because I don't have a static IP for my internet; the IP keeps changing every time the DSL gets restarted.

2. The (inside) static IP address is for the PIX .. shouldn't it be this way?

3. For PAT .. what is the best config?

4. For ICMP .. I am allowing ping only inside -> outside; I don't see any point in accepting ping from outside -> inside, especially since my DSL provides a dynamic IP.

Kindly, give me your opinion


Hi Ahmad,

The only issue that I see with your config is the INBOUND access-list, which permits only ICMP. This means that nothing else is permitted. Is this the required behaviour?


Hi Dan,

Sorry for the late reply.

Yes, this is the required behaviour for the moment, because the LAN users are only utilizing the internet, and they have no services inside the network to be used by outside users: no web, SMTP, etc. servers.

