PIX 515E New install Help

bchyka
Level 1

Hello,

I am new to the Cisco IOS and PIX products, but a small company that I work for just purchased a Cisco PIX 515E to protect their network. I am a Microsoft person, so I am looking for a little help and insight. Right now, don't laugh, they have Microsoft Proxy 2.0 performing NAT and firewall functions on a dual-homed NT Server (1 NIC with inside address, 1 with address of ISP router). Proxy is going away and I would like the PIX to take over the NAT function so machines can get on the internet. This is what I have built so far and am looking for any tips, suggestions, etc. We do not have any internal DNS servers, only our ISP's. I want to keep our other NT server doing DHCP and we also have an Exchange 5.5 server. Thanks for any help!

wri t

Building configuration...
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password uLrj/00i9YKCypBQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name ourdomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xxx 255.255.255.248
ip address inside 192.168.1.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.250 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.250 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:25c8c7b0d6eb6a236ede484a23854251
: end

Bob C.

3 Replies

msitzman
Cisco Employee

If you are looking for basic outbound connectivity and no inbound services then you need one more statement. You need a 'nat (inside) 1 192.168.1.0 255.255.255.0 0 0' statement to allow the inside users through the PIX to the internet.

I would recommend that you limit the ICMP types that are allowed inbound through the PIX to echo-reply, administratively-prohibited, time-exceeded, or any other specific types you require.

For additional tips on configuring the PIX, I would point you to the product documents for technical tips unless you have a specific concern or question:

http://www.cisco.com/cgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration

Hope this helps...

Marcus
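As an added example (not from this thread or from Cisco), here is a small Python checker for the two points Marcus raises: every `global (outside) N` pool needs a matching `nat (inside) N` statement, and an `icmp any any` conduit or access-list should be narrowed to specific types. The sample config is a constructed excerpt of Bob's first posting; `unreachable` stands in for administratively-prohibited, which is a code under ICMP type 3 (unreachable) in PIX syntax.

```python
import re

# Constructed excerpt of the first config posted above: a global pool with no matching nat.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global (outside) 1 interface
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

# ICMP types to allow inbound instead of "any" (per Marcus's reply; unreachable covers admin-prohibited)
SUGGESTED_ICMP = ("echo-reply", "time-exceeded", "unreachable")


def check_pix_config(text):
    """Return a list of findings for a PIX 6.x style config (assumed checker, not a Cisco tool)."""
    findings = []
    global_ids, nat_ids = set(), set()
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"global \((\S+)\) (\d+)", line)
        if m:
            global_ids.add(m.group(2))
            continue
        m = re.match(r"nat \((\S+)\) (\d+)", line)
        if m:
            nat_ids.add(m.group(2))
            continue
        # a conduit or access-list permitting every ICMP type from anywhere
        if re.match(r"(conduit|access-list \S+) permit icmp any any$", line):
            findings.append(
                "'%s' allows all ICMP types inbound; restrict to %s"
                % (line, ", ".join(SUGGESTED_ICMP)))
    # a global pool id with no nat statement means inside hosts are never translated
    for gid in sorted(global_ids - nat_ids):
        findings.append(
            "global pool %s has no 'nat (inside) %s ...' statement; "
            "inside hosts will not be translated" % (gid, gid))
    return findings


def suggested_icmp_conduits():
    """Replacement lines for 'conduit permit icmp any any', one per allowed ICMP type."""
    return ["conduit permit icmp any any %s" % t for t in SUGGESTED_ICMP]


if __name__ == "__main__":
    for finding in check_pix_config(SAMPLE_CONFIG):
        print(finding)
```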

Marcus,

Thanks for the info. I am having trouble getting out onto the internet still. Here is my new config:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxencrypted
passwd xxxxxxxencrypted
hostname PIX
domain-name xxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xx.xx.xx.xx eq smtp
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.60 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.250 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 xx.xx.xx.61 netmask 255.255.255.248 (only free IP for outside access)
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xx.58 192.168.1.1 netmask 255.255.255.255 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.57 1 (gateway router from ISP)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.254 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:7xxxxx
: end

For my workstations I should be using the PIX for the gateway and my ISP's DNS servers for DNS, right? Thanks for the help.

Yup, that config should work, and you should use the PIX for the gw and their IPs for DNS servers.
