
Anyone got any suggestions?


IronCityMan

Technical User
Jan 10, 2002
3
US
Hello everyone!

I have just about configured my new PIX firewall 515, and am wondering if I am missing anything. I left my NAT info out because we are still in meetings trying to decide on the schema. Anyway, any ideas?

Thanks in advance!

ICM


PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *************** encrypted
passwd ************** encrypted
hostname Fnablah
domain-name Fnablah.COM
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
pager lines 24
logging on
logging buffered errors
logging host inside 192.168.0.0 <- Fake
interface ethernet0 auto
interface ethernet1 auto
icmp permit any traceroute inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.140.28 255.255.255.0
ip address inside 192.168.15.75 255.255.248.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.16.1 Fnablah timeout 10
http server enable
http 192.168.14.127 255.255.255.255 inside
http 192.168.15.76 255.255.255.255 inside
snmp-server location Fnablah
snmp-server contact Fnablah
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt radius ignore-secret
no sysopt route dnat
auth-prompt reject Please try again. Access denied.
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
 
HI.

For a new pix, I think it is better to install the latest version 6.1(1).
Ask your CISCO dealer to send it to you along with the latest PDM.

Have you checked that your configuration is working?
The "route" default gateway command is missing here.

Bye
Yizhar Hurwitz
 
Good point. This machine isn't in production yet.

Thanks!
 
Unless I'm going blind, you've written an access-list but not applied it to an interface. You might want to do that!!

The other thing is have you got any internal services like web or ftp that might require outside access?

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Something else I've just noticed! You've entered a nat (inside) command but you haven't entered the corresponding global (outside) command. Your users won't be able to connect to the outside without having an outside IP address to go out on!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Chris,

The NAT global hasn't been decided on, at least which range of our license that we are going to use.

Apply the access list... how do you mean? I know about the route to the router, but apply the access? I am not sure I understand. Which is probably why I haven't done it. Ohhh... to the outside interface. Right! That is kind of silly of me.

We have no web servers or even a DMZ. I am lucky that way, I think.

Anyway, thanks!

I.C.M.
 
Okay, so you've written an access list ..

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable

Now you need to apply that access list to an interface ..

access-group 100 in interface outside (I think this is right!!)

This would apply access-list 100 inbound on the outside interface.

Easy!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
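The three gaps the replies above point out (an access-list that is never bound with access-group, a nat statement with no matching global, and no default route) are the kind of thing that is easy to miss by eye in a long running-config. The script below is an added example, not code from anyone in this thread: it lints a PIX 6.x configuration dump for those three gaps plus two management-plane settings visible in the posted config (telnet permitted from 0.0.0.0 0.0.0.0 on the inside, and the SNMP community left at "public"). The sample config embedded in it is a constructed, abridged copy of the one posted above. The suggested commands use PIX 6.x syntax; "global (outside) 1 interface" (PAT on the outside address) and the next-hop placeholder are assumptions, since the poster had not yet chosen a public range.

```python
"""Lint a PIX 6.x running-config for the gaps discussed in the thread.

Added example (not from the original posters). Findings:
  * an access-list defined but never applied with access-group
  * a nat (inside) id with no matching global (outside) id
  * no default route on the outside interface
  * telnet allowed from 0.0.0.0 0.0.0.0 (any inside address)
  * SNMP community left at a well-known default
"""
import re

# Constructed sample: an abridged copy of the configuration posted above.
SAMPLE_CONFIG = """\
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside 192.168.140.28 255.255.255.0
ip address inside 192.168.15.75 255.255.248.0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
snmp-server community public
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.0.0 255.255.0.0 inside
"""


def parse(config):
    """Split a running-config dump into stripped, non-empty lines."""
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def lint(config):
    """Return a list of (severity, message, suggested_command) findings."""
    lines = parse(config)
    findings = []

    # 1. access-lists that are written but never bound to an interface.
    defined = {m.group(1) for ln in lines
               if (m := re.match(r"access-list (\S+) ", ln))}
    applied = {m.group(1) for ln in lines
               if (m := re.match(r"access-group (\S+) in interface", ln))}
    for acl in sorted(defined - applied):
        findings.append(("error",
                         f"access-list {acl} is defined but not applied to any interface",
                         f"access-group {acl} in interface outside"))

    # 2. nat ids with no matching global id: inside hosts have no address to
    #    leave on. nat 0 (exemption) needs no global and is skipped. The
    #    'interface' keyword (PAT on the outside address) is a placeholder
    #    until a public range is chosen.
    nat_ids = {m.group(1) for ln in lines
               if (m := re.match(r"nat \(\w+\) (\d+) ", ln))}
    global_ids = {m.group(1) for ln in lines
                  if (m := re.match(r"global \(\w+\) (\d+) ", ln))}
    for nid in sorted(nat_ids - global_ids - {"0"}):
        findings.append(("error",
                         f"nat id {nid} has no matching global (outside) {nid}",
                         f"global (outside) {nid} interface"))

    # 3. Default route toward the outside router (0.0.0.0 0.0.0.0 or 0 0).
    if not any(re.match(r"route outside (0\.0\.0\.0|0) (0\.0\.0\.0|0) ", ln)
               for ln in lines):
        findings.append(("error",
                         "no default route on the outside interface",
                         "route outside 0.0.0.0 0.0.0.0 <next-hop-router> 1"))

    # 4. Management plane: any-host telnet and a guessable SNMP community.
    if "telnet 0.0.0.0 0.0.0.0 inside" in lines:
        findings.append(("warning",
                         "telnet is allowed from any inside address; restrict to admin hosts",
                         "no telnet 0.0.0.0 0.0.0.0 inside"))
    if any(re.match(r"snmp-server community (public|private)$", ln) for ln in lines):
        findings.append(("warning",
                         "SNMP community is a well-known default",
                         "snmp-server community <long-random-string>"))
    return findings


def error_count(config):
    """Number of 'error' severity findings (the three gaps from the thread)."""
    return sum(1 for sev, _, _ in lint(config) if sev == "error")


if __name__ == "__main__":
    for sev, msg, fix in lint(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}\n    suggested: {fix}")
```

Run it against a full "write terminal" dump; once the missing access-group, global and route lines are appended the error count drops to zero and only the two management-plane warnings remain.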
 