PIX 515 Config check

I'm implementing my first PIX this weekend, and I wanted to post my config for you experts to look at before I start. If anybody notices something that may cause some problems, or if you have any suggestions, I would greatly appreciate it. Thanks.

PIX Version 6.3(2)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
hostname PIX
domain-name xxxxxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host xxx.xx.xxx.93 eq www
access-list outside_access_in permit tcp host xxx.xx.xxx.82 host 216.27.224.89 eq smtp
access-list outside_access_in permit tcp any host xxx.xx.xxx.92 eq cmd
access-list outside_access_in permit tcp any host xxx.xx.xxx.93 eq https
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered errors
logging trap debugging
logging history errors
logging host DMZ 192.168.0.5
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside xxx.xx.xxx.94 255.255.255.240
ip address inside 10.0.0.1 255.255.255.0
ip address DMZ 192.168.0.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) xxx.xx.xxx.93 192.168.0.100 netmask 255.255.255.255 0 0
static (DMZ,outside) xxx.xx.xxx.92 192.168.0.5 netmask 255.255.255.255 0 0
static (DMZ,outside) xxx.xx.xxx.89 192.168.0.25 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xx.xxx.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
ip verify reverse-path interface outside
ip local pool VPN-POOL 10.0.0.175-10.0.0.250
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout uauth 0:05:00 absolute
sysopt connection tcpmss 0
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128
vpdn group PPTP-VPDN-GROUP client configuration address local VPN-POOL
vpdn group PPTP-VPDN-GROUP client configuration dns 10.0.0.6
vpdn group PPTP-VPDN-GROUP client configuration wins 10.0.0.6
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxxxxx password <put password here>
vpdn username xxxxxx password <put password here>
vpdn enable outside
vpdn enable inside
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
terminal width 80

1 REPLY

Re: PIX 515 Config check

Why telnet and ssh on the inside?

Logging "debugging" is a lot of messages.
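A small config checker, added here as an example and not something posted in the thread, that flags the two points the reply raises (telnet on the inside, debugging-level logging) plus a few other things visible in the posted config: the default SNMP community, management access permitted from a range wider than the interface subnet, an ACL permit whose destination has no matching static, and duplicated lines. The sample is a constructed excerpt of the config above, with the same masked addresses.

```python
import re
from collections import Counter
# Constructed excerpt of the PIX 6.3 config posted above (addresses masked as in the post).
SAMPLE_CONFIG = """
access-list outside_access_in permit tcp any host xxx.xx.xxx.93 eq www
access-list outside_access_in permit tcp host xxx.xx.xxx.82 host 216.27.224.89 eq smtp
logging monitor debugging
logging trap debugging
ip address inside 10.0.0.1 255.255.255.0
ip verify reverse-path interface outside
static (DMZ,outside) xxx.xx.xxx.93 192.168.0.100 netmask 255.255.255.255 0 0
http 10.0.0.0 255.0.0.0 inside
snmp-server community public
ip verify reverse-path interface outside
telnet 10.0.0.0 255.255.0.0 inside
ssh 10.0.0.0 255.0.0.0 inside
"""

def mask_bits(mask):
    """Set bits in a dotted-decimal netmask: 255.255.0.0 -> 16."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))

def audit_pix_config(text):
    """Return (severity, message) findings a reviewer would raise on a PIX 6.x config."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings, statics, if_mask = [], set(), {}
    for l in lines:  # pass 1: outside addresses that have a static, and each interface's mask
        if m := re.match(r"static \(\S+,\S+\) (\S+) \S+ netmask", l):
            statics.add(m.group(1))
        elif m := re.match(r"ip address (\S+) \S+ (\S+)$", l):
            if_mask[m.group(1)] = mask_bits(m.group(2))
    for l in lines:  # pass 2: per-line checks
        if m := re.match(r"(telnet|ssh|http) \S+ (\S+) (\S+)$", l):
            proto, mask, ifname = m.groups()
            if proto == "telnet":
                findings.append(("high", f"cleartext management enabled: '{l}'"))
            if ifname in if_mask and mask_bits(mask) < if_mask[ifname]:
                findings.append(("medium", f"{proto} allowed from a range wider than the {ifname} subnet: '{l}'"))
        elif l == "snmp-server community public":
            findings.append(("high", "SNMP community is the well-known default 'public'"))
        elif re.match(r"logging (trap|monitor) debugging$", l):
            findings.append(("low", f"debugging-level logging is very noisy: '{l}'"))
        elif m := re.match(r"access-list \S+ permit \S+ .*host (\S+) eq \S+$", l):
            if m.group(1) not in statics:
                findings.append(("medium", f"ACL permits traffic to {m.group(1)} but no static maps it to a host"))
    for cmd, n in Counter(lines).items():  # exact duplicates are harmless on the box but signal copy/paste slips
        if n > 1:
            findings.append(("info", f"duplicated line: '{cmd}'"))
    return findings
```

Run against the full posted config the same checks fire, plus the second `timeout conn` and `timeout uauth` lines show up as duplicates; the SMTP entry is flagged because its destination does not match any `static` in the listing.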
