Configuring PIX 501

ralph.staub
Level 1

Hello

I just bought an old PIX 501 running Cisco PIX Firewall Version 6.1(3)

Cisco PIX Device Manager Version 1.1(2)

on it.

Unfortunately I'm really new to this business. I tried to configure the PIX using the manual in order to establish just connectivity.

Somehow the PIX is "so secure" that everything is blocked between inside and outside (pings do not work!).

Could somebody help me please?

I want to use the PIX as an internet firewall allowing all inside users to access the internet (first step),

HTTP and e-mail servers should be accessible from outside (http, https, smtp, pop3).

Thanks

Ralph

7 Replies

bgleason
Level 1

You should probably also use version 7 and ASDM to configure your PIX. By default, ICMP is not allowed in on a PIX.

Have you set up your NAT pool or a PAT address for outbound traffic? The PIX will allow everything out and to return unless you prohibit it. You need to create a static translation for your web and mail traffic.

This statement tells the PIX to NAT all addresses on the inside interface using NAT pool 1:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Next you need a global statement to match the NAT pool; the 1 tells the PIX to use the range from 40 to 254 for outbound connections. There is no overflow here. Once you use the 214 available addresses then you are done. This leaves you with 38 addresses for static entries.

global (outside) 1 24.17.15.40-24.17.15.254 netmask 255.255.255.0

To allow SMTP and POP mail and web into a server:

access-list acl-out permit tcp any host 24.17.22.97 eq smtp

access-list acl-out permit tcp any host 24.17.22.97 eq pop3

access-list acl-out permit tcp any host 24.17.22.97 eq www

Apply the ACL to the outside interface:

access-group acl-out in interface outside

Translate the address on the firewall:

static (inside,outside) 24.17.22.97 172.30.25.114 netmask 255.255.255.255 0 0

To allow ICMP (ping, traceroute, etc.):

access-list acl-out permit icmp any any unreachable

access-list acl-out permit icmp any any time-exceeded

access-list acl-out permit icmp any any

access-list acl-out permit icmp any any echo-reply

Hope this helps get you going.

Hi bgleason,

Finally I managed to configure my PIX in such a way that at least a ping to an outside host succeeded.

But I still have some problems:

1. I am not able to access the internal web server from outside.

2. I am not able to access the internet

3. I do not get any pictures from outside web sites.

My topology for the pix configuration is as follows:

-pix inside ip: 192.168.50.1

-pix inside dhcp server enabled managing 10 local IPs

-at the pix inside interface are two machines

one is a dhcp client (windows xp)

one has a static ip (sun web server)

-the "internet gateway" is an adsl router that has a small built in firewall doing nat.

-the router's ip is 192.168.1.1

-the "local" IPs are translated using NAT.

Do you think the PIX with firmware 6.1 is able to manage that? What's wrong?

Do you think I should do an upgrade (Where to find the binaries)?

Best regards

jackko
Level 7

With PIX v6.x, a nat/global or static is a must before the PIX will forward packets between the interfaces.

Below is sample configuration for the scenario you posted:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 80 80 netmask 255.255.255.255

static (inside,outside) tcp interface 443 443 netmask 255.255.255.255

static (inside,outside) tcp interface 25 25 netmask 255.255.255.255

static (inside,outside) tcp interface 110 110 netmask 255.255.255.255

access-list 111 permit tcp any interface outside eq 80

access-list 111 permit tcp any interface outside eq 443

access-list 111 permit tcp any interface outside eq 25

access-list 111 permit tcp any interface outside eq 110

access-group 111 in interface outside

For ping to work from inside to outside only:

access-list 111 permit icmp any any echo-reply

access-list 111 permit icmp any any unreachable

access-list 111 permit icmp any any time-exceeded

For ping to work in both directions, i.e. from inside to outside and from outside to inside:

access-list 111 permit 111 permit icmp any any

Please note that I'm assuming that you've got only 1 public IP, and that's why the static statements above are with port forwarding. Alternatively, if you have more than 1 public IP, then the static statements should be:

static (inside,outside) netmask 255.255.255.255

access-list 111 permit tcp any eq 80

access-group 111 in interface outside

Finally, another quick comment is that PIX v7 doesn't support the PIX 501 and 506/506e.
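
Both replies above rest on the same two facts: an inbound connection needs a static translation plus a permit in the ACL bound to the outside interface, and PIX access lists are matched top-down, so a broad line placed early makes the narrower lines after it dead. The script below is added to this thread as an example; it is not Cisco code and not something either poster wrote. It parses the static / access-list / access-group statements in the forms used in both replies (bgleason's one-to-one static with a named ACL, jackko's port-forwarding statics on the outside interface) and reports what the outside world can actually reach. The sample configuration embedded in it is constructed for this example, and 192.168.50.10 is an assumed inside server address, which the thread never gives.

```python
"""PIX 6.x outside-exposure audit: added example for this thread, not Cisco code."""
import re
from collections import namedtuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110}
STATIC_PORT_RE = re.compile(r"static \(\w+,\w+\) (?:tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_ONE_RE = re.compile(r"static \(\w+,\w+\) (\S+) (\S+) netmask")
ACE_RE = re.compile(r"access-list (\S+) (permit|deny) (\S+) (?:any|host \S+) "
                    r"(any|host \S+|interface \S+)(?: eq (\S+))?(?: (\S+))?$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

# dst is 'any', an outside IP or 'interface'; port / icmp_type None = unrestricted
Ace = namedtuple("Ace", "acl action proto dst port icmp_type text")

def port_num(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def covers(a, b):
    """True if every packet ACE b would match is already matched by ACE a."""
    return (a.proto in ("ip", b.proto) and a.dst in ("any", b.dst)
            and (a.proto not in ("tcp", "udp") or a.port in (None, b.port))
            and (a.proto != "icmp" or a.icmp_type in (None, b.icmp_type)))

def parse_config(text):
    """statics: (global_addr, global_port, local_addr, local_port), ports None for a
    one-to-one static; aces in config order; bound: interface name -> ACL name."""
    statics, aces, bound = [], [], {}
    for line in (ln.strip() for ln in text.splitlines()):
        if m := STATIC_PORT_RE.match(line):
            g, gp, loc, lp = m.groups()
            statics.append((g, port_num(gp), loc, port_num(lp)))
        elif m := STATIC_ONE_RE.match(line):
            statics.append((m.group(1), None, m.group(2), None))
        elif m := ACE_RE.match(line):
            acl, action, proto, dst, port, extra = m.groups()
            # 'host 1.2.3.4' -> '1.2.3.4'; 'interface outside' -> 'interface'; 'any' -> 'any'
            dst = dst.split()[1] if dst.startswith("host ") else dst.split()[0]
            aces.append(Ace(acl, action, proto, dst, port_num(port) if port else None,
                            extra if proto == "icmp" else None, line))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)
    return statics, aces, bound

def inbound_exposure(statics, aces, bound):
    """(outside addr, port, inside addr, port) tuples a permit in the outside ACL opens."""
    rules = [a for a in aces if a.acl == bound.get("outside") and a.action == "permit"]
    exposed = []
    for g, gp, loc, lp in statics:
        for a in rules:
            if a.proto not in ("ip", "tcp", "udp") or a.dst not in ("any", g):
                continue
            if gp is not None and a.port not in (None, gp):
                continue
            port = gp if gp is not None else a.port   # one-to-one static: the ACL picks the port
            entry = (g, port, loc, lp if lp is not None else port)
            if entry not in exposed:
                exposed.append(entry)
    return exposed

def inbound_echo_allowed(aces, bound):
    """First match wins: does the outside ACL let ICMP echo reach the outside interface?"""
    for a in aces:
        if (a.acl == bound.get("outside") and a.proto in ("ip", "icmp")
                and a.dst in ("any", "interface") and a.icmp_type in (None, "echo")):
            return a.action == "permit"
    return False

def shadowed_entries(aces):
    """ACEs that can never match because an earlier entry of the same ACL covers them."""
    dead = []
    for i, a in enumerate(aces):
        for b in aces[:i]:
            if b.acl == a.acl and covers(b, a):
                dead.append((a.text, b.text))
                break
    return dead

def audit(text):
    statics, aces, bound = parse_config(text)
    return {"exposed": inbound_exposure(statics, aces, bound),
            "echo_in": inbound_echo_allowed(aces, bound),
            "dead": shadowed_entries(aces)}

# Constructed sample modelled on the thread; 192.168.50.10 is an assumed inside
# server address (the posts never give one). Note: no access-list line for port 110.
SAMPLE_CONFIG = """
static (inside,outside) tcp interface 80 192.168.50.10 80 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.50.10 25 netmask 255.255.255.255
static (inside,outside) tcp interface 110 192.168.50.10 110 netmask 255.255.255.255
access-list 111 permit tcp any interface outside eq 80
access-list 111 permit tcp any interface outside eq smtp
access-list 111 permit icmp any any
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any unreachable
access-group 111 in interface outside
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```

On the sample it reports two reachable services (80 and 25 on the outside interface, both landing on 192.168.50.10), nothing for the port-110 static because no access-list line permits it, inbound ping as open, and the echo-reply and unreachable lines as dead because the `permit icmp any any` above them already matches everything they would. That ordering is the difference between the two ICMP variants in the reply above: a firewall meant to be closed from outside wants only the echo-reply / unreachable / time-exceeded lines, not the blanket permit. The model is deliberately narrow; it ignores source restrictions, conduits and anything other than the ACL applied inbound on outside.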

Hi jackko

Many thanks, I finally managed to get some connectivity. But I still have problems making the PIX run as I want it to.

The command "access-list 111 permit 111 permit icmp any any" was not accepted by the PIX.

As I wrote in my posting to your colleague, I'd like to use the PIX as an "open firewall" from inside but a closed firewall from outside. Maybe you have some more hints on configuring that thing as it should be...

Best regards

Ralph

Please excuse me for the typo.

It should be:

access-list 111 permit icmp any any

Hi jackko

No problem. I thought you meant this.

But nevertheless I still have some troubles setting up my old PIX. Maybe you could give me some hints on how to enable the firewall to pass multimedia stuff like songs, TV, pictures or whatever. Maybe there should be an upgrade... where can I get the needed files?

Regards

Ralph
