This tutorial covers the basic configuration of a Cisco PIX firewall running version 7.x software. It assumes the ISP provides a static IP address and that the PIX starts from an empty configuration.

  • Get into config mode:
    Pixfirewall>enable
    Password:
    Pixfirewall#config t
    Pixfirewall(config)#
  • Configure Pix Hostname & domain name:
    hostname blindhog-pix
    domain-name blindhog.net
  • Configure Passwords (enable guards privileged mode; passwd is the login password for Telnet/SSH sessions; replace the example values with your own):
    enable password 3nableP4ssword
    passwd 55hP4ssword
  • Configure Interfaces:

    interface Ethernet0
    nameif outside
    security-level 0
    ip address 66.111.88.200 255.255.255.224

    interface Ethernet1
    nameif inside
    security-level 100
    ip address 192.168.0.254 255.255.255.0

    interface Ethernet2
    nameif dmz
    security-level 50
    ip address 10.1.0.254 255.255.255.0

  • Configure Access-Lists to control traffic:
    !-- Access-lists permit or deny traffic based on source, destination, protocol or port.
    !-- The hosts below are the public (mapped) addresses from the static statements further down, not inside addresses.
    access-list acl_outside extended permit udp any host 66.111.88.193 eq 53
    access-list acl_outside extended permit udp any host 66.111.88.194 eq 53
    access-list acl_outside extended permit tcp any host 66.111.88.193 eq 53
    access-list acl_outside extended permit tcp any host 66.111.88.194 eq 53
    access-list acl_outside extended permit tcp any host 66.111.88.195 eq 25
    access-list acl_outside extended permit tcp any host 66.111.88.195 eq 443

  • Apply Access-list to outside interface:
    !-- This activates the access-list created earlier on inbound traffic at the outside interface.
    access-group acl_outside in interface outside

  • Configure nat0 to disable translation for VPN tunnels:
    !-- The access-list named nat0 (not shown in this tutorial) must match the traffic that crosses the VPN tunnels;
    !-- anything it matches is passed without translation.
    nat (inside) 0 access-list nat0

  • Configure logging parameters:
    !-- Comments on their own lines: the PIX CLI does not accept trailing comments after a command.
    logging enable
    logging buffer-size 10000
    logging buffered debugging
    !-- Defines the severity level (debugging = 7, the most verbose) sent to the syslog host
    logging trap debugging
    !-- Defines the syslog host, reached via the inside interface
    logging host inside 192.168.0.12

  • Configure icmp parameters:
    !-- Permits or denies ICMP traffic addressed to the firewall's own interfaces
    !-- (ICMP passing through the firewall is governed by the access-lists instead)
    icmp permit any echo-reply outside
    icmp permit any echo outside
    icmp permit any echo inside
    icmp permit any echo-reply inside
    icmp permit any echo dmz
    icmp permit any echo-reply dmz

  • Configure outgoing nat / global combination for outgoing traffic:
    !-- The global statement translates outgoing traffic that matches the nat statements
    !-- with the same id (1) below to the IP address of the outside interface (PAT).
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0 255.255.255.0
    nat (dmz) 1 10.1.0.0 255.255.255.0

  • Configure static nat statements for incoming traffic:
    !-- Static statements map a public address on the outside interface to a private address on the inside.
    !-- The mapping can also be narrowed down to a single port if necessary (static PAT).
    static (inside,outside) 66.111.88.193 192.168.0.10 netmask 255.255.255.255
    static (inside,outside) 66.111.88.194 192.168.0.11 netmask 255.255.255.255
    static (inside,outside) 66.111.88.195 192.168.0.12 netmask 255.255.255.255

  • Configure routing:
    !-- This PIX only has a default route defined, pointing at the ISP gateway.
    route outside 0.0.0.0 0.0.0.0 66.111.88.254
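The access-list, static and route sections above only work together when every public host the ACL permits has a static translation and the default route's next hop is reachable from the outside interface. The following Python script is an added example, not part of the original tutorial and not Cisco code: it parses the configuration lines shown on this page (embedded as a constructed string with the same values) and reports unmapped ACL hosts, statics that no ACL references, the services each inside host exposes, and whether the next hop lies in the outside subnet. Note that with the addresses used in this tutorial the last check fails: 66.111.88.254 is outside 66.111.88.192/27, so use whatever gateway the ISP actually supplies.

```python
import ipaddress
import re

# Constructed excerpt of the tutorial's configuration (same values as on the page).
PIX_CONFIG = """
interface Ethernet0
nameif outside
security-level 0
ip address 66.111.88.200 255.255.255.224
access-list acl_outside extended permit udp any host 66.111.88.193 eq 53
access-list acl_outside extended permit udp any host 66.111.88.194 eq 53
access-list acl_outside extended permit tcp any host 66.111.88.193 eq 53
access-list acl_outside extended permit tcp any host 66.111.88.194 eq 53
access-list acl_outside extended permit tcp any host 66.111.88.195 eq 25
access-list acl_outside extended permit tcp any host 66.111.88.195 eq 443
static (inside,outside) 66.111.88.193 192.168.0.10 netmask 255.255.255.255
static (inside,outside) 66.111.88.194 192.168.0.11 netmask 255.255.255.255
static (inside,outside) 66.111.88.195 192.168.0.12 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 66.111.88.254
"""

# Only the command forms used in this tutorial are recognised.
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any host (\S+) eq (\d+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ROUTE_RE = re.compile(r"^route (\w+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$")


def parse_config(text):
    """Return (interfaces, acl_entries, statics, default_routes) from PIX-style lines."""
    interfaces = {}   # nameif -> IPv4Interface of that interface
    acl = []          # (acl_name, proto, mapped_ip, port)
    statics = {}      # mapped_ip -> (real_ifc, mapped_ifc, real_ip)
    routes = {}       # egress interface -> next hop of the default route
    current_ifc = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank line or comment
        if line.startswith("interface "):
            current_ifc = None            # new interface block, nameif not seen yet
        elif line.startswith("nameif "):
            current_ifc = line.split()[1]
        elif line.startswith("ip address ") and current_ifc:
            _, _, addr, mask = line.split()
            interfaces[current_ifc] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif (m := ACL_RE.match(line)):
            name, proto, host, port = m.groups()
            acl.append((name, proto, ipaddress.IPv4Address(host), int(port)))
        elif (m := STATIC_RE.match(line)):
            # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
            real_ifc, mapped_ifc, mapped_ip, real_ip, _mask = m.groups()
            statics[ipaddress.IPv4Address(mapped_ip)] = (
                real_ifc, mapped_ifc, ipaddress.IPv4Address(real_ip))
        elif (m := ROUTE_RE.match(line)):
            routes[m.group(1)] = ipaddress.IPv4Address(m.group(2))
    return interfaces, acl, statics, routes


def unmapped_acl_hosts(acl, statics):
    """Public hosts the ACL permits but no static translates: such entries admit nothing."""
    return sorted({host for _, _, host, _ in acl if host not in statics})


def unused_statics(acl, statics):
    """Static translations that no inbound ACL entry references: review before keeping them."""
    referenced = {host for _, _, host, _ in acl}
    return sorted(ip for ip in statics if ip not in referenced)


def exposed_services(acl, statics):
    """Map each inside host to the set of (proto, port) reachable from the Internet."""
    exposed = {}
    for _, proto, host, port in acl:
        if host in statics:
            real_ip = statics[host][2]
            exposed.setdefault(str(real_ip), set()).add((proto, port))
    return exposed


def next_hop_on_subnet(interfaces, routes, ifc="outside"):
    """True when the default route's next hop lies in the subnet of the egress interface."""
    return routes[ifc] in interfaces[ifc].network


if __name__ == "__main__":
    ifcs, acl, statics, routes = parse_config(PIX_CONFIG)
    print("unmapped ACL hosts:", unmapped_acl_hosts(acl, statics))
    print("statics without ACL reference:", unused_statics(acl, statics))
    for real_ip, services in sorted(exposed_services(acl, statics).items()):
        print(f"{real_ip} exposes {sorted(services)}")
    print("default route next hop on outside subnet:", next_hop_on_subnet(ifcs, routes))
```

Run it against a saved `show running-config` to get the same report for a real device; the regular expressions deliberately cover only the command forms this tutorial uses, so extend them before relying on the output for a larger configuration.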

  • Configure ssh access to pix firewall:
    !-- These are the networks allowed to reach the PIX over SSH
    !-- for configuration, per interface.
    ssh 12.34.56.224 255.255.255.224 outside
    ssh 192.168.0.0 255.255.255.0 inside
