
Basic Pix Config for 3 ports

RavenFriend
IS-IT--Management
May 14, 2003
Hello, 1st post here.

I have read through a lot of the posts, but have not found what I need.

I have a Pix 515 with 3 ports.
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(0)148

I am looking for the bare-bones starting config to allow:

Inside Interface: (10.0.0.1)
IP Addresses: 10.0.0.x 255.255.255.0
Access: Outside(full access for now)
DMZ (Webserver port 80)
Admin workstation: 10.0.0.3
Ping, Traceroute
FTP to Webserver on DMZ
Access to PDM
Access to PIX Via Telnet

DMZ Interface: (172.16.2.1)
IP Addresses: 172.16.1.x 255.255.255.0
Webserver: 172.16.1.2
Access: Nothing

Outside Interface: DHCP Client w/setroute
Access: Webserver on DMZ (Port 80 Only)

--------------------------------------------
Config So far
--------------------------------------------
interface ethernet0 auto
nameif ethernet0 outside security0
ip address outside dhcp setroute

interface ethernet1 auto
nameif ethernet1 inside security100
ip address inside 10.0.0.1 255.255.255.0

interface ethernet2 auto
nameif ethernet2 dmz security50
ip address dmz 172.16.1.1 255.255.255.0

names
name 10.0.0.3 admin
name 172.16.1.2 webserver

no failover

global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

http server enable
http admin 255.255.255.255 inside
telnet admin 255.255.255.255 inside
telnet timeout 5

--------------------------------------------

My preference is to use CLI not PDM for the starting config.
No Conduits. Security is obviously the most important consideration, so I would like to avoid statics between DMZ and Inside.

Any Assistance would be greatly appreciated.

Thank you.
 
HI.

> Ping, Traceroute
For these to work, you should add an access-list entry to permit return ICMP traffic on the external interface (whether outside, dmz or both).
However since security is the main issue here, you can as administrator telnet to the external router, and issue ping/traceroute from the router only and not via the pix.

Add this:
global (dmz) 10 172.16.1.3

> Webserver: 172.16.1.2
> Access: Nothing
If the web server will need access to DNS or other services like automatic OS updates, you will need to let it go out by adding nat (dmz) statement and optionally access-list.

> I would like to avoid statics between DMZ and Inside.
That's Good.

> My preference is to use CLI not PDM for the starting
You can use my pixcript tool to get some sample commands:
And you'll find the pix command reference here:

However - PDM is good and has some useful features for monitoring and managing the pix, so even if you work with CLI, it is good to verify that PDM can load and parse your configuration.
BTW - in PDM you can use the "Preferences" menu option to see the CLI commands it generates.

Bye


Yizhar Hurwitz
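The pieces discussed in the thread, pulled together into one PIX 6.3 starting configuration. This is an added example, not the original poster's config and not Yizhar's, and it makes a few assumptions: the DMZ network is 172.16.1.0/24 as in the posted config (not the 172.16.2.1 in the requirements), 172.16.1.3 is a free DMZ address for PAT, the outside address comes from DHCP so the web server is published with port redirection on the interface address, and the access-list and static syntax is that of PIX 6.3 (earlier releases do not accept the interface keyword in an access-list). Lines beginning with "!" are annotations for the reader; drop them when pasting into the PIX.

```text
! Interfaces: security levels decide the default direction of traffic
! (higher -> lower allowed, lower -> higher denied unless an access-list permits).
interface ethernet0 auto
nameif ethernet0 outside security0
ip address outside dhcp setroute

interface ethernet1 auto
nameif ethernet1 inside security100
ip address inside 10.0.0.1 255.255.255.0

interface ethernet2 auto
nameif ethernet2 dmz security50
ip address dmz 172.16.1.1 255.255.255.0

! "names" must be on before "name"; the IP comes first, then the label.
names
name 10.0.0.3 admin
name 172.16.1.2 webserver

no failover

! Inside -> outside: PAT on the DHCP-assigned outside address.
! Inside -> dmz: PAT to a spare DMZ address (assumed free) so inside hosts can
! reach the web server (HTTP, FTP) without any static between inside and dmz.
global (outside) 10 interface
global (dmz) 10 172.16.1.3
nat (inside) 10 0.0.0.0 0.0.0.0 0 0

! Publish only TCP/80 of the web server on the outside interface address.
! Port redirection with "interface" works although the outside IP is from DHCP.
static (dmz,outside) tcp interface www webserver www netmask 255.255.255.255

! Outside -> in: the web server on 80, plus the ICMP replies that PIX 6.3 does
! not track statefully (needed for ping and traceroute from inside to the Internet).
! Everything else from outside is dropped by the implicit deny.
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside

! DMZ -> anywhere: nothing, except the ICMP replies that let the admin ping or
! traceroute to the web server. With no nat (dmz) statement the server cannot
! originate outbound sessions either; add "nat (dmz) 10 webserver 255.255.255.255"
! and a permit for UDP/53 here if it needs DNS or OS updates.
access-list dmz_in permit icmp any any echo-reply
access-list dmz_in permit icmp any any time-exceeded
access-list dmz_in permit icmp any any unreachable
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! Drop packets arriving on outside with a source address that routes elsewhere.
ip verify reverse-path interface outside

! Management from the admin workstation only: a host mask, not the /24.
http server enable
http admin 255.255.255.255 inside
telnet admin 255.255.255.255 inside
telnet timeout 5
```

After pasting, "show access-list" should show the hit counters on outside_in climbing only for the web server line and the ICMP lines when you browse or ping through; "show xlate" after an FTP from the admin workstation to the web server should show 10.0.0.3 translated to 172.16.1.3 on the dmz side, which is what lets inside reach the DMZ without a static. Telnet carries the enable password in cleartext; PIX 6.3 also supports SSH (generate a key with "ca generate rsa key 1024", save it with "ca save all", then "ssh admin 255.255.255.255 inside"), which is the better choice even on the inside network.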
 