
altoHiway Knowledge Base / Security / Firewalls ID=61

Cisco - PIX Configuration basics

Example PIX firewall configuration

Important

This configuration is not designed to be used as-is. It is designed as a reference to some of the commands which can be used. Please do NOT configure a firewall unless you are sure of what you are doing; a misconfigured firewall can often be more dangerous than no firewall at all.

This configuration is designed to be used as a reference to command usage.

Explanation

Servers connected behind the firewall use private address space and the public services are punched through the firewall to the servers sitting behind the firewall.

Please note that there is no external access to the servers to perform admin tasks, as this is done via remote modem connections to the servers. You can configure SSL access; however, this is not included in this document.

Also note that the firewall will not allow incoming connections to itself for admin, which means that the system has to be configured via the console port.

;

; The following two lines define a name and the level of trust placed on the physical interfaces.
; The number following the word security defines how secure that network is, 0 being the lowest
; and 100 being a secure trusted network. This is important, as this affects the flow of data from
; and to the various interfaces. Data can always flow from an interface that has a higher security
; level than the interface it's going to pass through. Or in other words the inside network can pass
; data to the outside network due to the trust level of the internal network being higher than the
; external network.
;

nameif ethernet0 outside security0
nameif ethernet1 inside security100
;

; The PIX like other Cisco products has two levels of password security, much the same as a Cisco
; router.

enable password BGogFIdB6jmwTyg7 encrypted
passwd BGogFIdB6jmwTyg7 encrypted

;

; The hostname of the PIX, not that important, but should be set to something which makes sense.
;

hostname

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060

names

;

; Access list to allow incoming connections to the secured servers
;

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host eq 443
access-list 100 permit tcp any host eq 443
access-list 100 permit tcp any host eq www
access-list 100 permit tcp any host eq www
;

; The number of lines that the console can display without the need for paging.
;

pager lines 24

;

; The logging configuration, not that different to other Cisco products.
;

logging on

no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered errors
logging trap notifications
no logging history
logging facility 20
logging queue 512

;

; Note: the interfaces are shut down by default, even after configuration; this can
; be a gotcha. This can be checked with a show interface command.

; Also define the MTU of each interface, normally set to 1500 for Ethernet.
;

interface ethernet0 auto
interface ethernet1 auto

mtu outside 1500
mtu inside 1500

;

; IP Address of the outside of the firewall
;

ip address outside

;

; IP Address of the inside of the firewall, the servers' default gateway
;

ip address inside

ip audit info action alarm
ip audit attack action alarm

arp timeout 14400

;

; The firewall's global outside address, used for outgoing nat communications. This means
; that the firewall needs two public addresses.
;

global (outside) 1

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

;

; Published address space, pseudo addresses of the servers, used to punch through the
; firewall. Note however that this does not grant global access to these addresses, but
; merely sets the connection between the ip addresses up.
;

static (inside,outside) netmask 255.255.255.255 255 0

static (inside,outside) netmask 255.255.255.255 255 0

access-group 100 in interface outside

;

; The default route for the firewall, should be pointed to the next hop router
;

route outside 0.0.0.0 0.0.0.0 1

;

; Timeouts for nat translation and connections through the PIX, all defaults.

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

;

; Standard configuration of various aspects of the PIX, mostly unused.
;

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

no snmp-server location
no snmp-server contact

snmp-server community public
no snmp-server enable traps

floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet timeout 5
ssh timeout 5
terminal width 80
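The security levels, the static translations and the access-list bound with access-group, explained in the comments of the configuration above, are three rules that together decide whether a connection passes. The following Python is an added example written for this page (not the article's own material and not a Cisco tool); it models those rules over a constructed configuration that uses RFC 5737 documentation addresses, and the interface names, addresses and ports are assumptions. It also shows the point made in the comment on published address space: a static alone opens nothing until the access-list permits the port.

```python
"""Model of the three PIX rules explained in the article's comments: interface
security levels, static translations and an access-list bound with access-group.
Added example, not the article's or Cisco's own code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample config modelled on the article's first example; addresses are
# RFC 5737 documentation ranges, not real hosts. 203.0.113.11 is published with a
# static but no access-list entry opens a port to it.
SAMPLE_CONFIG = """
; public web server published on 203.0.113.10, a second server published but not opened
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 203.0.113.10 eq www
access-list 100 permit tcp any host 203.0.113.10 eq 443
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 255 0
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255 255 0
access-group 100 in interface outside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22, "telnet": 23}


@dataclass
class AclEntry:
    action: str            # permit / deny
    proto: str             # ip, tcp, udp, icmp
    src: str               # "any", a single host, or "net/mask"
    dst: str
    port: Optional[int]    # set only when the entry ends in "eq <port>"


def parse_addr(tokens):
    """Consume one address spec ('any', 'host <ip>' or '<net> <mask>')."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def addr_matches(spec, ip):
    if spec == "any":
        return True
    if "/" in spec:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return spec == ip


def parse_config(text):
    cfg = {"levels": {}, "acls": {}, "statics": {}, "groups": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith(";"):       # the article marks comments with ';'
            continue
        if t[0] == "nameif":                     # nameif ethernet0 outside security0
            cfg["levels"][t[2]] = int(t[3].replace("security", ""))
        elif t[0] == "access-list":
            acl_id, action, proto = t[1], t[2], t[3]
            src, rest = parse_addr(t[4:])
            dst, rest = parse_addr(rest)
            port = None
            if len(rest) >= 2 and rest[0] == "eq":
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
            cfg["acls"].setdefault(acl_id, []).append(AclEntry(action, proto, src, dst, port))
        elif t[0] == "static":                   # static (inside,outside) <global> <local> ...
            cfg["statics"][t[2]] = t[3]
        elif t[0] == "access-group":             # access-group 100 in interface outside
            cfg["groups"][t[4]] = t[1]
    return cfg


def evaluate(cfg, src_if, dst_if, proto, src_ip, dst_ip, dst_port=None) -> Tuple[bool, str]:
    """Decide whether a new connection from src_if to dst_if may pass, and why."""
    levels = cfg["levels"]
    if levels[src_if] > levels[dst_if]:
        # Higher to lower security: allowed by default, translated by nat/global.
        return True, f"{src_if} is more trusted than {dst_if}: allowed by default"
    # Lower to higher security: the destination must be published with a static ...
    local = cfg["statics"].get(dst_ip)
    if local is None:
        return False, f"no static translation publishes {dst_ip}"
    # ... and an access-list bound to the arriving interface must permit it.
    acl_id = cfg["groups"].get(src_if)
    if acl_id is None:
        return False, f"no access-group on {src_if}: implicit deny"
    for e in cfg["acls"].get(acl_id, []):      # first match wins
        if e.proto not in ("ip", proto):
            continue
        if not (addr_matches(e.src, src_ip) and addr_matches(e.dst, dst_ip)):
            continue
        if e.port is not None and e.port != dst_port:
            continue
        if e.action == "permit":
            return True, f"access-list {acl_id} permits, translated to {local}"
        return False, f"access-list {acl_id} denies"
    return False, f"no match in access-list {acl_id}: implicit deny"


CFG = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    for flow in [("inside", "outside", "tcp", "192.168.1.10", "198.51.100.5", 80),
                 ("outside", "inside", "tcp", "198.51.100.5", "203.0.113.10", 443),
                 ("outside", "inside", "tcp", "198.51.100.5", "203.0.113.10", 22),
                 ("outside", "inside", "tcp", "198.51.100.5", "203.0.113.11", 80)]:
        print(flow, "->", evaluate(CFG, *flow))
```

The access-list here is evaluated first-match with an implicit deny at the end, which is how the PIX treats an access-group; the model deliberately ignores the nat and global statements because, as the comments say, outbound traffic from the higher security interface is allowed by default once a translation exists.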

PIX Configuration With VPN Support

PIX Version 5.3(1)

nameif ethernet0 outside security0
nameif ethernet1 inside security100

enable password BGogFIdB6jmwTyg7 encrypted
passwd BGogFIdB6jmwTyg7 encrypted

hostname hostname-pix
domain-name hostname.co.uk

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060

names

access-list incoming-outside permit tcp any host 195.12.20.155 eq smtp

access-list incoming-outside permit icmp any any echo-reply

access-list vpn-nonat permit ip 192.9.200.0 255.255.255.0 192.10.200.0 255.255.255.0

pager lines 24

logging on

no logging timestamp
no logging standby

logging console debugging
logging monitor debugging

no logging buffered
no logging trap
no logging history

logging facility 20
logging queue 512

interface ethernet0 auto
interface ethernet1 auto

mtu outside 1500
mtu inside 1500

ip address outside [OUTSIDE_IP] 255.255.255.248
ip address inside [INSIDE_IP] 255.255.255.0

ip audit info action alarm
ip audit attack action alarm

ip local pool remote-vpn 192.10.200.1-192.10.200.100

arp timeout 14400

global (outside) 1 [OUTSIDE_IP]

nat (inside) 0 access-list vpn-nonat
nat (inside) 1 192.1.1.0 255.255.255.0 255 2024

static (inside,outside) [OUTSIDE_IP] [INSIDE_IP] netmask 255.255.255.255 0 0

access-group incoming-outside in interface outside

route outside 0.0.0.0 0.0.0.0 [DEFAULT_GATEWAY] 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

no snmp-server location
no snmp-server contact

snmp-server community public
no snmp-server enable traps
floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set transset1 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set transset1
crypto map remotemap 10 ipsec-isakmp dynamic dynmap
crypto map remotemap client configuration address initiate
crypto map remotemap client configuration address respond
crypto map remotemap interface outside

isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local remote-vpn outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

telnet timeout 5

ssh [ADMIN_IP] 255.255.255.255 outside
ssh timeout 10
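Several settings in the VPN configuration above deserve a second look before anything like it is deployed: the SNMP community is the default public, the ISAKMP pre-shared key is accepted from address 0.0.0.0 netmask 0.0.0.0 (any peer), the IKE policy and the transform set use DES, MD5 and Diffie-Hellman group 1, and console logging runs at debugging level with timestamps turned off. The Python below is an added example written for this page (not from the article and not a Cisco tool): it audits a saved PIX configuration line by line for those patterns and reports what to change. The rule names, the sample configurations and the addresses in them are constructed; the hardened sample uses 3DES, SHA and group 2 simply so that the audit comes back clean.

```python
"""Audit of a saved PIX configuration for the weak settings visible in the VPN
example. Added example, not the article's or Cisco's own tool."""
import re
from dataclasses import dataclass
from typing import List

# (rule id, anchored regex, why it matters / what to change) - rule ids are made up here
RULES = [
    ("no-log-timestamps", r"^no logging timestamp\b",
     "syslog entries without timestamps are hard to correlate; use 'logging timestamp'"),
    ("console-debug-logging", r"^logging console debugging\b",
     "debug-level console logging can swamp the console; send logs to a syslog host instead"),
    ("snmp-default-community", r"^snmp-server community (public|private)\b",
     "well-known SNMP community exposes device state; set a unique community or disable SNMP"),
    ("weak-ipsec-transform", r"^crypto ipsec transform-set \S+ .*\besp-des\b",
     "single DES for ESP; prefer esp-3des (or stronger) with esp-sha-hmac"),
    ("wildcard-psk", r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0",
     "one pre-shared key accepted from any peer address; scope the key to known peers"),
    ("weak-ike-cipher", r"^isakmp policy \d+ encryption des\b",
     "IKE policy uses DES; use 3des or stronger"),
    ("weak-ike-hash", r"^isakmp policy \d+ hash md5\b",
     "IKE policy uses MD5; use sha"),
    ("weak-ike-group", r"^isakmp policy \d+ group 1\b",
     "768-bit Diffie-Hellman group 1; use group 2 or higher"),
    ("open-ssh-source", r"^ssh 0\.0\.0\.0 0\.0\.0\.0\b",
     "SSH management open to any source; restrict it to the admin host as the article does"),
    ("telnet-from-outside", r"^telnet \S+ \S+ outside\b",
     "clear-text telnet management on the outside interface; use ssh only"),
]


@dataclass
class Finding:
    rule: str
    line_no: int
    text: str
    advice: str


def audit(config_text: str) -> List[Finding]:
    """Return one Finding per matching rule, in configuration line order."""
    findings = []
    for line_no, raw in enumerate(config_text.strip().splitlines(), start=1):
        line = raw.strip()
        for rule, pattern, advice in RULES:
            if re.match(pattern, line):
                findings.append(Finding(rule, line_no, line, advice))
    return findings


# Constructed sample based on the article's VPN config; the admin host is an
# RFC 5737 documentation address, not a real system.
SAMPLE_VPN_CONFIG = """
no logging timestamp
logging console debugging
snmp-server community public
crypto ipsec transform-set transset1 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set transset1
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
telnet timeout 5
ssh 203.0.113.50 255.255.255.255 outside
"""

# The same settings after hardening (also constructed): the pre-shared key is tied
# to one peer, and 3DES, SHA and group 2 replace DES, MD5 and group 1.
HARDENED_CONFIG = """
logging timestamp
no logging console
snmp-server community Kb61-Constructed-Community
crypto ipsec transform-set transset1 esp-3des esp-sha-hmac
isakmp enable outside
isakmp key ******** address 198.51.100.7 netmask 255.255.255.255
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
ssh 203.0.113.50 255.255.255.255 outside
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_VPN_CONFIG):
        print(f"line {f.line_no}: [{f.rule}] {f.text}\n    -> {f.advice}")
    print("hardened findings:", len(audit(HARDENED_CONFIG)))
```

Each regex is anchored at the start of the line, so `encryption des` does not fire on `encryption 3des` and `group 1` does not fire on a two-digit group number; the ssh line from the article, restricted to one management address, produces no finding, which is the behaviour to keep.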

Last Updated: Wed 05 Jun 02
Copyright altoHiway ©2006