Cisco PIX 501 Sample Configuration

[dreysh]

I recently purchased PIX 501 to use as a firewall behind my cable modem. My problem is no matter what I do I can't seem to be able to ping any outside ip.

I absolutely don't mind reseting the entire PIX configuration and starting from the scratch. Is there a place where I can find sample step by step instructions on configuring PIX 501, such as which commands to type in step by step. Or maybe there is a sample configuration which I can just copy on my PIX 501?

Thank you much in advance,
-- Andrey

 

[br0ck]

do you have an ACL that will allow icmp

access-list 101 permit icmp any any
access-group 101 in interface outside

post your current config and maybe some of us can help with out a reconfig

here is a basic config to get the pix up and running
(barrowed from dopehead) thx...

interface ethernet0 auto
interface ethernet1 100full
ip address inside insideIP insideMASK
ip address outside dhcp set
global (outside) 1 interface outside
nat (inside) 1 0.0.0.0 0.0.0.0

*will be set by the command DHCP Set above
>route outside 0.0.0.0 0.0.0.0 <isp gateway ip>

i would suggest setting up a dhcp server on the pix
1)dhcpd address xxx.xxx.xxx.100-xxx.xxx.xxx.130 <- must be the same as inside interface address
2)dhcpd auto_config <-this will pass the DNS and domain name from the pix to your clients


if you want ping responce add
1)access-list 101 permit icmp any any
2)access-group 101 in interface outside

 

[dreysh]

>> if you want ping responce add
>> 1)access-list 101 permit icmp any any
>> 2)access-group 101 in interface outside


Thank you, that did the trick!

-- Andrey

 

[dreysh]

Ok, so everything is working via DHCP.

My next step is to setup the same configuration, but with static IP instead. I'm not exactly sure what's wrong, but I'm back to square one with nothing working. Here is my current configuration:

================================
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxx encrypted
hostname pix501
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list out permit ip any any
access-list out permit icmp any any
access-list out permit udp any any
access-list out permit tcp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 64.xxx.xxx.xxx 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group out in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 0
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd dns 64.xxx.xxx.x 64.xxx.xxx.x
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain arecont.com
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxxxxx
: end
[OK]

================================

What can be wrong here and am I missing anything?

Thanks,
-- Andrey

 

[br0ck]

you have no route in the pix
add
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

xxx.xxx.xxx.xxx = the pix's gateway your routers ip address

correct me if i'm wrong but
i don't think the dhcpd auto_config is going to work without the pix being a dhcp client

remove that

you have the dns, and domain
if needed add wins

you do not have the dhcp server enabled
add
dhcpd server enable inside

my advice is to remove this
<access-list out permit ip any any
<access-list out permit icmp any any
<access-list out permit udp any any
<access-list out permit tcp any any
<access-group out in interface inside
with this you are allowing everything out

the pix does this by default (inside to outside traffic)
**less clutter in the config**

read the FAQ on creating an outbound access list to get a better idea how to use ACL in this manner

good luck

 

[dreysh]

>> route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

Thanks, that worked!

Also, while I'm almost 90% (if there is a such thing like that, hehe), I can't seem to be able to forward WWW, FTP and such to a specific server on the network. I tried to add the following, but that didn't seem to help:

====================================
access-list outside_access_in permit tcp any any eq www

static (inside, outside) tcp interface

http://www 192.168.1.15

http://www netmask

255.255.255.255 0 0

access-group outside_access_in in interface outside
====================================

I'm probably missing something very minor, but I'm not exactly sure what that is.

Thanks again for such a great help,
-- Andrey

 

[dreysh]

here is my latest configuration, and for some really strange reason I can't get any traffic through to

http://www and

ftp servers. Any idea of why that might be?

===========================================

Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname pix501
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list out permit ip any any
access-list out permit icmp any any
access-list out permit udp any any
access-list out permit tcp any any
access-list 101 permit icmp any any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq ftp
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 64.xxx.xxx.xxx 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface

http://www 192.168.1.16

http://www netmask

255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.16 ftp netmask 255.255.255.255 0 0
access-group 102 in interface outside
access-group out in interface inside
route outside 0.0.0.0 0.0.0.0 64.213.198.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 0
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.15-192.168.1.142 inside
dhcpd dns 64.xxx.xxx.xxx 64.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain arecont.com
dhcpd enable inside
terminal width 80
Cryptochecksum:
: end
[OK]

===========================================