cisco PIX 506e


newkid123 (Technical User, US)
Dec 18, 2006
Hello Everyone

I have a small network at home, which consists of a Linksys cable modem, a Linksys wireless router, 2 desktops connected directly to the wireless router and 2 other desktops which are connected through the wireless router. Now I would like to add a Cisco PIX 506e firewall to my network. I am very new to Cisco networking, and I would appreciate it if someone could let me know how to set this PIX back to the original factory default. I do not know any password.

Thanks
newkid123
 
Hi Brent

Thanks for your help, now I keep getting this error:

monitor> address 192.168.1.1
address 192.168.1.1
monitor> file np63.bin
file np63.bin
monitor> server 192.168.1.101
server 192.168.1.101
monitor> ping 192.168.1.101
Sending 5, 100-byte 0xac87 ICMP Echoes to 192.168.1.101, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp np63.bin@192.168.1.101
TFTP failed (return:-1 arg:0x0)
 
Make sure you have the correct file permissions on the tftp server.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent

Thanks again for your help

I managed to reinstall the factory default configuration on my PIX 506e. Now, if you have time, would you please tell me how I can add this to my network so I can use it. My network consists of the following hardware:

1. Linksys cable modem
2. Linksys wireless router, which also works as the DHCP server
3. PC1, which is connected directly to the wireless router; the OS is XP Home Edition.
4. PC2, also connected directly to the wireless router; the OS is XP Professional.
5. PC3, which is NOT connected directly; the OS is XP Professional.
6. PC4, which is NOT connected directly; the OS is XP Home Edition.

I have broadband internet service with Comcast.


Thanks for all your help
newkid123
 
Sorry, I missed this until now.

What exactly are you trying to achieve?

Just an idea (not sure if it's what you want)

Modem - PIX - switch - wireless
and then put the PCs off the switch and the wireless.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent

I just want to add the PIX to my network and use it, but I am not sure whether my connections from the PIX to the network are correct or not.
Where do I connect the ethernet1 and ethernet0 ports? I also need help with the configuration.

Thanks
newkid123
 
e0 is the outside interface and e1 is the inside interface (as seen from the pix.)

If it's just an addition that you want to play with:

modem - linksys router - pix
PCs off the router and one off the pix e1.

post the current config and we'll go from there.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
This PIX will be the primary firewall for my network.
So, per your advice, I do the following:

1. Connect PIX e0 to an empty port (WAN, uplink or any other port) on the router.
2. Connect PIX e1 to one of the PCs.
3. Connect the modem to the router.
4. Connect the other PC to another empty port on the router.

Questions:

1. Currently the router also runs the DHCP service for the entire network. Shall I leave this the way it is, or disable this service on the router and run the DHCP service off the PIX?

2. Would you advise assigning static or dynamic IP addresses to all devices?

Thanks
newkid123

 
If you want it as the primary firewall, you will need to set it up as:

1. Connect pix e0 to modem
2. Connect pix e1 to switch
3. Connect router to switch
4. Connect the other PCs to empty ports in router and/or switch.

You should use DHCP off the PIX but limit it to a small number of hosts, and then assign a static IP to the router that is NOT in that range. That way you can set up port forwarding and such for testing.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent

I do not have any switch, do I need to have one?


newkid123
 
You should be able to connect the router to your 506e. You may need to use a crossover cable if connecting from the WAN port on the router to e1 of the firewall, although I would get a switch to help in phasing out the router.

Free Firewall/Network/Systems Support-
 
For the setup you asked about, you will need a switch. Just something small like a 4-port or such; they aren't that expensive. The problem is that the 506e has only two interfaces, inside and outside, and you can't connect more devices. The 501 has a small switch built into it but is not as versatile as a 506.

This way the 506 handles the main firewall duties and (in effect) a mini DMZ, while the router handles the wireless and a more protected network. Now you can play with the full feature set of the PIX: VPNs and networking.

To really get all you can out of it, rather than a simple switch, get one that handles 802.1q VLAN tagging. Now you can add that into the mix with the PIX's inside interface to get a true DMZ.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent

I purchased a Linksys switch (8-port workgroup switch, 10/100) and connected it to my network the way you told me:
1. PIX e0 to modem
2. PIX e1 to switch
3. Router to switch (uplink port)
4. PCs to router

And the PIX has the factory default configuration:

pixfirewall# show run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-len
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 1
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:08ef62eb24b34ccd49d494e311a80d19
: end
pixfirewall#

I have not configured the PIX yet; I think that is why I do not have access to the Internet. I get a "server not found" error.

My ISP is comcast with the following WAN info:

IP : 68.48.50.237
Subnet Mask: 255.255.248.0
Default Gateway: 68.48.48.1
DNS: 68.87.73.242
68.87.71.226

I need help.
Thanks
newkid123
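Before putting a factory-default PIX on a public address, it helps to check the `show run` dump for the settings that are known to be weak out of the box. The script below is an added example and not part of the thread; it parses a constructed abridgement of the default config posted above and reports the default password hashes, the well-known SNMP community, management (`http`/`telnet`/`ssh`) permits that point at the outside interface or at a subnet that no longer matches the inside address, and logging that is not switched on. The `FACTORY_*` hash strings are copied from the posted config; the check logic is my own.

```python
"""Audit a PIX 6.3 'show run' dump for settings worth tightening.

Added example (not from the thread). SAMPLE_SHOW_RUN is a constructed
abridgement of the factory default configuration posted in the thread.
"""
import ipaddress
import re

SAMPLE_SHOW_RUN = """\
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server community public
no snmp-server enable traps
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
"""

# Hash strings exactly as they appear in the posted factory default config.
FACTORY_ENABLE = "8Ry2YjIyt7RRXU24"
FACTORY_PASSWD = "2KFQnbNIdI.2KYOU"

# "<svc> <address> <mask> <interface>" management permit lines.
PERMIT_RE = re.compile(r"^(http|telnet|ssh) (\S+) (\S+) (\S+)$")


def audit_pix_config(text):
    """Return a list of human-readable findings for a 'show run' dump."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []

    # The inside network is needed to judge whether management permits
    # still match it after a readdressing like the one suggested later.
    inside_net = None
    for line in lines:
        m = re.match(r"^ip address inside (\S+) (\S+)$", line)
        if m:
            inside_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}",
                                              strict=False)

    for line in lines:
        if line.startswith("enable password ") and FACTORY_ENABLE in line:
            findings.append("enable password is the factory default")
        elif line.startswith("passwd ") and FACTORY_PASSWD in line:
            findings.append("telnet/ssh password (passwd) is the factory default")
        elif line.startswith("snmp-server community "):
            community = line.split()[-1]
            if community in ("public", "private"):
                findings.append(f"well-known SNMP community string '{community}'")
        else:
            m = PERMIT_RE.match(line)
            if not m:
                continue
            svc, addr, mask, iface = m.groups()
            if iface == "outside":
                findings.append(f"{svc} management permitted from outside ({addr} {mask})")
            elif iface == "inside" and inside_net is not None:
                permitted = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                if not permitted.subnet_of(inside_net):
                    findings.append(
                        f"{svc} permit {addr} {mask} does not match inside network {inside_net}")

    if not any(ln == "logging on" for ln in lines):
        findings.append("logging is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_SHOW_RUN):
        print("-", finding)
```

On the posted default the script reports the two factory password hashes, the `public` community and the missing logging; the subnet check stays quiet because `http 192.168.1.0 255.255.255.0 inside` still matches the default inside address. Change the inside address to another subnet without removing that line and the stale permit is reported as well.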


 
Basics - (also to change the default internal networks to something else in case you ever enable a vpn.)

!!!!Make sure you go in through the console cable!!!!

no dhcpd enable inside
no dhcpd address 192.168.1.2-192.168.1.254 inside

ip address inside 192.168.233.1 255.255.255.0
ip address outside 68.48.50.237 255.255.248.0
dhcpd address 192.168.233.10-192.168.233.254 inside
dhcpd dns 68.87.73.242 68.87.71.226
dhcpd domain [example.com]
route outside 0.0.0.0 0.0.0.0 68.48.48.1
fixup prot icmp error
route inside 192.168.250.0 255.255.255.0 192.168.233.2
telnet 192.168.233.0 255.255.255.0 inside
telnet 192.168.250.0 255.255.255.0 inside
dhcpd enable inside
domain-name [example.com]
hostname [INSERT NAME]
no http 192.168.1.0 255.255.255.0 inside
http 192.168.233.0 255.255.255.0 inside
http 192.168.250.0 255.255.255.0 inside
logging on
logging timestamp
logging buffered notification

!!!!Change the password to something strong - make sure both are different from each other!!!!
enable password [XXXXXXXX]
passwd [XXXXXXXXX]
wri mem


Now give your router an IP of 192.168.233.2 and set the inside network of the router to 192.168.250.0 255.255.255.0 and the default route to 192.168.233.1.

The purpose of the switch was so that you could have PCs on both sides of your router so you could have a mini DMZ for testing.

That should get you going. If you post your config again, delete the lines about the passwords. They can be cracked and since you gave your real IP, some ass will definitely try.




Brent
Systems Engineer / Consultant
CCNP, CCSP
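The readdressing in the post above depends on a few relationships holding at once: the router's static address has to be on the PIX inside subnet but outside the DHCP pool, the inside route's next hop has to be that same router address, the router's LAN must not overlap the PIX inside subnet, and the ISP gateway has to sit on the outside subnet. The script below is an added example, not from the thread; it encodes the plan's values as given in the post and checks those relationships with Python's `ipaddress` module. The `PLAN` dictionary layout and the check names are my own.

```python
"""Sanity-check a two-subnet PIX / router addressing plan before typing it in.

Added example (not from the thread). The values in PLAN are the ones given in
the post above; the checks are my own.
"""
import ipaddress

PLAN = {
    "pix_inside": "192.168.233.1/255.255.255.0",
    "dhcp_pool": ("192.168.233.10", "192.168.233.254"),
    "router_wan": "192.168.233.2",
    "router_lan": "192.168.250.0/255.255.255.0",
    "inside_route": ("192.168.250.0/255.255.255.0", "192.168.233.2"),
    "pix_outside": "68.48.50.237/255.255.248.0",
    "isp_gateway": "68.48.48.1",
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    pix_inside = ipaddress.ip_interface(plan["pix_inside"])
    inside_net = pix_inside.network
    pool_lo = ipaddress.ip_address(plan["dhcp_pool"][0])
    pool_hi = ipaddress.ip_address(plan["dhcp_pool"][1])
    router_wan = ipaddress.ip_address(plan["router_wan"])
    router_lan = ipaddress.ip_network(plan["router_lan"], strict=False)
    route_net = ipaddress.ip_network(plan["inside_route"][0], strict=False)
    next_hop = ipaddress.ip_address(plan["inside_route"][1])
    pix_outside = ipaddress.ip_interface(plan["pix_outside"])
    gateway = ipaddress.ip_address(plan["isp_gateway"])

    # DHCP pool must live on the inside subnet and exclude the PIX itself.
    if pool_lo not in inside_net or pool_hi not in inside_net or pool_lo > pool_hi:
        problems.append("dhcp pool is not a valid range within the inside subnet")
    if pool_lo <= pix_inside.ip <= pool_hi:
        problems.append("pix inside address falls inside the dhcp pool")

    # Router's static WAN address: on the inside subnet, outside the pool.
    if router_wan not in inside_net:
        problems.append("router WAN address is not on the pix inside subnet")
    if pool_lo <= router_wan <= pool_hi:
        problems.append("router WAN static address collides with the dhcp pool")
    if router_wan == pix_inside.ip:
        problems.append("router WAN address duplicates the pix inside address")

    # The inside route must send the router's LAN to the router's WAN address.
    if route_net != router_lan:
        problems.append("inside route destination is not the router LAN")
    if next_hop != router_wan:
        problems.append("inside route next hop is not the router WAN address")
    if router_lan.overlaps(inside_net):
        problems.append("router LAN overlaps the pix inside subnet")

    # Outside side: gateway on the outside subnet, private space only inside.
    if gateway not in pix_outside.network:
        problems.append("ISP gateway is not on the outside subnet")
    if not inside_net.is_private or not router_lan.is_private:
        problems.append("internal networks should use private (RFC 1918) space")
    if pix_outside.ip.is_private:
        problems.append("outside address is private; check the ISP details")
    return problems


if __name__ == "__main__":
    result = check_plan(PLAN)
    print("plan OK" if not result else "\n".join(result))
```

Running it on the posted plan produces no problems. The point of the checks is the failure cases: picking a router address inside the pool, or reusing the PIX inside subnet for the router's LAN, are the mistakes that produce exactly the "PCs get addresses but cannot reach anything" symptom, and each is reported with a one-line reason.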
 
Brent

Thanks for all your help. I configured the PIX the way you asked me to; however, something is not right. As soon as I connect the modem to PIX e0, my PCs cannot connect to the Internet. It seems the PCs do not get their IPs from the PIX, because they are different. I cannot configure my Linksys wireless router quite the way you want me to. I assigned the static IP address 192.168.233.2 with a subnet of 255.255.255.255.0 and disabled DHCP. I do not see any place inside the router for the other configuration you asked me to do with my router.

 
Where are you attaching the pc - to the router or to the switch? Connect it to the switch first and check that. What ip are you getting on the pc? If you still cannot get out, get onto the pix and try and ping your pc and the internet.

For the Linksys, which one do you have? When you change the basic page to static IP, other boxes should appear that allow you to set the external IP, subnet mask, default gateway and DNS.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
PCs are now connected to the switch.
This is the IP address they get:
PC1: 192.168.233.100
PC2: 192.168.233.101
From the PIX I can ping the Internet at 68.48.50.237.
From PC to PIX, I cannot ping.
From PIX to PC, I cannot ping.

However, I have no access to the Internet from any PCs.

 
Post your config (without passwords.)
Can you ping 68.48.50.237 from the pc?
Is your real ip address dhcp or is it static?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 