06-02-2003 11:47 AM - edited 02-20-2020 10:46 PM
Hello,
I am new to the Cisco IOS and PIX products, but a small company that I work for just purchased a Cisco PIX 515E to protect their network. I am a Microsoft person, so I am looking for a little help and insight. Right now, don't laugh, they have Microsoft Proxy 2.0 performing NAT and firewall functions on a dual-homed NT Server (1 NIC with an inside address, 1 with the address of the ISP router). Proxy is going away and I would like the PIX to take over the NAT function so machines can get on the internet. This is what I have built so far and I am looking for any tips, suggestions, etc. We do not have any internal DNS servers, only our ISP's. I want to keep our other NT server doing DHCP, and we also have an Exchange 5.5 server. Thanks for any help!
wri t
Building configuration...
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password uLrj/00i9YKCypBQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name ourdomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xxx 255.255.255.248
ip address inside 192.168.1.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.250 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.250 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:25c8c7b0d6eb6a236ede484a23854251
: end
Bob C.
06-02-2003 01:24 PM
If you are looking for basic outbound connectivity and no inbound services then you need one more statement. You need a 'nat (inside) 1 192.168.1.0 255.255.255.0 0 0' statement to allow the inside users through the PIX to the internet.
I would recommend that you limit the ICMP types that are allowed inbound through the PIX to echo-reply, administratively-prohibited, time-exceeded, or any other specific types you require.
For additional tips on configuring the PIX, I would point you to the product documents for technical tips unless you have a specific concern or question:
http://www.cisco.com/cgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration
Hope this helps...
Marcus
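The reply above turns on one detail of PIX 6.x address translation: a `global (outside) N` pool only translates traffic for hosts matched by a `nat (inside) N` statement with the same ID, so the first config, which had the global pool but no nat statement, could not build any xlates for inside hosts. The script below is an added example (not Cisco's code and not from anyone in this thread) that reads a PIX-style config text, checks that every global pool ID has a matching nat ID, and also flags the settings a reviewer would raise on this config: telnet permitted from any outside address, an unrestricted ICMP conduit or access-list (Marcus's point about limiting ICMP types), and the default SNMP community. The two embedded configs are constructed excerpts modelled on the thread, and the command parsing is a deliberately simplified approximation of the real syntax, not a full PIX grammar.

```python
"""Audit a PIX 6.x-style configuration for nat/global pairing and a few
exposed-management settings.  Added example; the regexes approximate the
PIX command syntax for the handful of commands this thread discusses."""
import re

# Constructed excerpt modelled on the first config posted: global pool, no nat.
CONFIG_WITHOUT_NAT = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global (outside) 1 interface
conduit permit icmp any any
snmp-server community public
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
"""

# Constructed excerpt modelled on the corrected config: nat paired with global,
# ICMP limited to specific types, telnet only from the inside.
CONFIG_WITH_NAT = """
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
snmp-server community public
telnet 192.168.1.0 255.255.255.0 inside
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
TELNET_RE = re.compile(r"^telnet (\S+) (\S+) (\S+)$")
ICMP_ANY_RE = re.compile(r"^(?:conduit|access-list \S+) permit icmp any any(?:\s+(\S+))?$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)$")


def config_lines(text):
    """Non-empty, whitespace-trimmed config lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def nat_global_ids(text):
    """Return (global_pool_ids, nat_ids) as sets of ID strings."""
    global_ids, nat_ids = set(), set()
    for ln in config_lines(text):
        m = GLOBAL_RE.match(ln)
        if m:
            global_ids.add(m.group(2))
        m = NAT_RE.match(ln)
        if m:
            nat_ids.add(m.group(2))
    return global_ids, nat_ids


def has_outbound_nat(text):
    """True when at least one nat ID is paired with a global pool of the same ID."""
    global_ids, nat_ids = nat_global_ids(text)
    return bool(global_ids & nat_ids)


def audit_pix_config(text):
    """Return a list of (severity, message) findings for the config text."""
    findings = []
    for ln in config_lines(text):
        m = TELNET_RE.match(ln)
        if m and m.group(3) == "outside" and m.group(1) == "0.0.0.0":
            findings.append(("high", "telnet permitted from any address on the outside interface"))
            continue
        m = ICMP_ANY_RE.match(ln)
        if m:
            if m.group(1) is None:  # no ICMP type given: every type is allowed in
                findings.append(("medium", "inbound ICMP permitted for all types; "
                                 "restrict to echo-reply, time-exceeded, unreachable"))
            continue
        m = SNMP_RE.match(ln)
        if m and m.group(1) in ("public", "private"):
            findings.append(("medium", f"default SNMP community '{m.group(1)}' configured"))

    # A global pool whose ID has no nat statement translates nothing, so inside
    # hosts never get an xlate and cannot reach the internet (and vice versa).
    global_ids, nat_ids = nat_global_ids(text)
    for pool_id in sorted(global_ids - nat_ids):
        findings.append(("high", f"global pool id {pool_id} has no matching "
                         f"'nat (inside) {pool_id}' statement"))
    for nat_id in sorted(nat_ids - global_ids):
        findings.append(("high", f"nat id {nat_id} has no matching global pool"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("without nat", CONFIG_WITHOUT_NAT), ("with nat", CONFIG_WITH_NAT)):
        print(f"== {name} ==")
        for severity, message in audit_pix_config(cfg):
            print(f"[{severity}] {message}")
```

Run against a real `write terminal` dump, the nat/global check is the one that explains "I can't get out": the other findings do not stop traffic, but they are what to tighten once outbound access works.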
06-04-2003 11:37 AM
Marcus,
Thanks for the info. I am having trouble getting out onto the internet still. Here is my new config:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxencrypted
passwd xxxxxxxencrypted
hostname PIX
domain-name xxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xx.xx.xx.xx eq smtp
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.60 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.250 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 xx.xx.xx.61 netmask 255.255.255.248 (only free IP for outside access)
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xx.58 192.168.1.1 netmask 255.255.255.255 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.57 1 (gateway router from ISP)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.254 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:7xxxxx
: end
For my workstations I should be using the PIX for the gateway and my ISP's DNS servers for DNS, right? Thanks for the help.
06-04-2003 07:14 PM
Yup, that config should work, and you should use the PIX for the GW and their IPs for DNS servers.