Cisco – Pix 7.X Basic Configuration
Posted by Josh on Wed 20 Sep 2006. Categories: Cisco. [2] Comments
This tutorial provides the basic configuration for Cisco PIX firewalls running version 7.x software. The configuration assumes the ISP is providing a static IP address and that this is a new PIX configuration.
- Get into config mode:
Pixfirewall>enable
Password:
Pixfirewall#config t
Pixfirewall(config)#
- Configure Pix Hostname & domain name:
hostname blindhog-pix
domain-name blindhog.net
- Configure Passwords:
enable password 3nableP4ssword
passwd 55hP4ssword
- Configure Interfaces:
interface Ethernet0
nameif outside
security-level 0
ip address 66.111.88.200 255.255.255.224
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
interface Ethernet2
nameif dmz
security-level 50
ip address 10.1.0.254 255.255.255.0
- Configure Access-Lists to control traffic:
!-- Access-lists are defined to permit or deny traffic based on source, destination,
!-- protocol or port.
access-list acl_outside extended permit udp any host 66.111.88.193 eq 53
access-list acl_outside extended permit udp any host 66.111.88.194 eq 53
access-list acl_outside extended permit tcp any host 66.111.88.193 eq 53
access-list acl_outside extended permit tcp any host 66.111.88.194 eq 53
access-list acl_outside extended permit tcp any host 66.111.88.195 eq 25
access-list acl_outside extended permit tcp any host 66.111.88.195 eq 443
- Apply Access-list to outside interface:
!-- This activates the access-list created earlier on the outside interface.
access-group acl_outside in interface outside
- Configure nat0 to disable translation for VPN tunnels:
!-- Traffic matching access-list nat0 (not shown in this tutorial) is exempted from translation.
nat (inside) 0 access-list nat0
- Configure logging parameters:
logging enable
logging buffer-size 10000
logging buffered debugging
logging trap debugging !-- Defines the level of messages to be sent to syslog
logging host inside 192.168.0.12 !-- Defines the syslog host
- Configure icmp parameters:
!-- Permits or denies ICMP traffic terminating on each interface
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any echo dmz
icmp permit any echo-reply dmz
- Configure outgoing nat / global combination for outgoing traffic:
!-- This global configuration translates outgoing traffic matching the nat statements
!-- below to the ip address of the outside interface.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 10.1.0.0 255.255.255.0
- Configure static nat statements for incoming traffic:
!-- Static statements translate public addresses to private addresses.
!-- This can also be narrowed down to the port level if necessary.
static (inside,outside) 66.111.88.193 192.168.0.10 netmask 255.255.255.255
static (inside,outside) 66.111.88.194 192.168.0.11 netmask 255.255.255.255
static (inside,outside) 66.111.88.195 192.168.0.12 netmask 255.255.255.255
- Configure routing:
!-- This pix only has a default route defined.
route outside 0.0.0.0 0.0.0.0 66.111.88.254
- Configure ssh access to pix firewall:
!-- This is a list of networks that are allowed to use the
!-- SSH protocol to configure the pix
ssh 12.34.56.224 255.255.255.224 outside
ssh 192.168.0.0 255.255.255.0 inside
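As an added example (not part of the original post), a small Python lint that parses the access-list, access-group, nat 0 and static lines in the form used above and cross-references them: every access-list a command refers to must actually be defined, and every public address the outside ACL permits should have a static behind it, otherwise the permit is dead. The sample config is constructed from the tutorial's lines, with the static for 66.111.88.194 deliberately left out so the second check has something to report.

```python
import re

# Constructed sample, taken from the tutorial's lines above; the static for
# 66.111.88.194 is deliberately left out so the second check has something to find.
PIX_CONFIG = """\
access-list acl_outside extended permit udp any host 66.111.88.193 eq 53
access-list acl_outside extended permit tcp any host 66.111.88.194 eq 53
access-list acl_outside extended permit tcp any host 66.111.88.195 eq 443
access-group acl_outside in interface outside
nat (inside) 0 access-list nat0
static (inside,outside) 66.111.88.193 192.168.0.10 netmask 255.255.255.255
static (inside,outside) 66.111.88.195 192.168.0.12 netmask 255.255.255.255
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) \S+ host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask \S+$")
NAT0_RE = re.compile(r"^nat \(\w+\) 0 access-list (\S+)$")

def parse_pix(text):
    """Collect ACL names, ACEs, static public->private mappings and ACL references."""
    acls, aces, statics, refs = set(), [], {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ACE_RE.match(line):          # access-list NAME extended ACTION PROTO any host DST eq PORT
            acls.add(m.group(1))
            aces.append((m.group(1), m.group(2), m.group(3), m.group(4), m.group(5)))
        elif m := STATIC_RE.match(line):     # static (in,out) PUBLIC PRIVATE netmask MASK
            statics[m.group(1)] = m.group(2)
        elif line.startswith("access-group "):
            refs.append(line.split()[1])    # access-group NAME in interface IF
        elif m := NAT0_RE.match(line):       # nat (if) 0 access-list NAME
            refs.append(m.group(1))
    return acls, aces, statics, refs

def lint_pix_config(text):
    """Return (findings, exposed): dangling ACL references and permits without a static,
    plus the sorted proto/port -> private host pairs actually reachable from outside."""
    acls, aces, statics, refs = parse_pix(text)
    findings = [f"access-list '{n}' is referenced but never defined" for n in refs if n not in acls]
    exposed = []
    for acl, action, proto, dst, port in aces:
        if action != "permit":
            continue
        if dst in statics:
            exposed.append(f"{proto}/{port} -> {statics[dst]}")
        else:
            findings.append(f"{acl}: permits {proto}/{port} to {dst}, but no static translates that address")
    return findings, sorted(exposed)
```

Run against the full tutorial config, the only finding is the undefined nat0 access-list, and the exposed list is the inventory of services reachable from the Internet that a change review should sign off on.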

October 24th, 2009 at 12:03 am
Great tutorial Josh, can you post how to create failover pix?
November 7th, 2009 at 4:10 pm
hello josh,
gr8 stuff!
got one question for you.
Could you expand a little bit more on this..
Configure nat0 to disable translation for VPN tunnels
nat (inside) 0 access-list nat0
thanks again mate!
cheers
sam