Cisco PIX Firewall

c1sc0m4n

ISP
Sep 11, 2003
Hi,

I am new to PIX firewalls and wanted to know if there is any particular way of installing a 10/100 card in a 515. I also wanted to know (or get some example configs for) how to create another interface (DMZ). We currently have an INSIDE interface and an OUTSIDE interface with the following config:

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password JEI67SM4xLYoV4sm encrypted
passwd JEI67SM4xLYoV4sm encrypted
hostname CiscoPIX1
domain-name XXXXXXXXX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit ip host 172.16.2.1 host X.X.X.X
access-list 200 permit ip host 172.16.2.1 host X.X.X.X
access-list 200 permit ip host 172.16.2.1 host X.X.X.X
access-list 200 permit ip host 172.16.2.1 host X.X.X.X
access-list 101 permit ip host 172.16.2.1 host X.X.X.X
access-list 101 permit ip host 172.16.2.1 host X.X.X.X
pager lines 25
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.192
ip address inside 172.16.1.107 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 172.16.8.95 255.255.255.255 inside
pdm location 172.16.8.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location X.X.X.X 255.255.255.0 outside
pdm location 172.16.2.1 255.255.255.255 inside
pdm location X.X.X.X 255.255.255.255 outside
pdm location X.X.X.X 255.255.255.255 outside
pdm location X.X.X.X 255.255.255.255 outside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 200
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside 192.168.0.0 255.255.0.0 172.161.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.16.8.95 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
http 172.16.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set VPN esp-des esp-sha-hmac
crypto map VpnSyan 21 ipsec-isakmp
crypto map VpnSyan 21 match address 100
crypto map VpnSyan 21 set peer X.X.X.X
crypto map VpnSyan 21 set transform-set VPN
crypto map VpnSyan 21 set security-association lifetime seconds 86400 kilobytes 8192
crypto map VpnSyan 22 ipsec-isakmp
crypto map VpnSyan 22 match address 101
crypto map VpnSyan 22 set peer X.X.X.X
crypto map VpnSyan 22 set transform-set VPN
crypto map VpnSyan 22 set security-association lifetime seconds 86400 kilobytes 8192
crypto map VpnSyan interface outside
crypto map vpnsyan 22 ipsec-isakmp
crypto map Vpnsyan 22 ipsec-isakmp
isakmp enable outside
isakmp key ******** address X.X.X.X netmask 255.255.255.255
isakmp key ******** address X.X.X.X netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash sha
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:776a166c28f0592a044a59fc0704e9d2
: end

How do I create another interface (DMZ), create another network, say 10.1.1.0/24, route all 443 (SSL) traffic to a server (10.1.1.1) and deny all other traffic? The traffic will be coming in from the inside interface, not the outside interface. Any ideas?

Thanks
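A PIX 6.2 configuration fragment for the DMZ layout asked about above, added here as an illustration and not taken from the thread or from any reply in it. Assumptions: the new card shows up as ethernet2, the PIX takes 10.1.1.254 on the DMZ side, the interface is named dmz at security level 50, and the ACL is named inside_acl; the server address 10.1.1.1 and the 172.16.0.0/16 inside network come from the question and the posted config.

```cisco
! Added example, not from the original thread. PIX 6.2 syntax.
! Assumed: third NIC is ethernet2; PIX DMZ address 10.1.1.254; ACL name inside_acl.
nameif ethernet2 dmz security50
interface ethernet2 auto
ip address dmz 10.1.1.254 255.255.255.0
!
! PIX 6.x requires a translation for traffic crossing interfaces, even
! between private networks. This identity static keeps inside addresses
! unchanged toward the DMZ. The 192.168.0.0/16 network routed via the
! inside interface would need its own static line to reach the DMZ.
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0 0 0
!
! Filter applied to traffic arriving on the inside interface.
! Only TCP/443 to the server may enter the DMZ; everything else bound for
! 10.1.1.0/24 is dropped. The final permit matters: an ACL on inside
! replaces the default higher-to-lower permit, so without it the implicit
! deny would also block inside-to-outside and the existing VPN traffic.
access-list inside_acl permit tcp 172.16.0.0 255.255.0.0 host 10.1.1.1 eq 443
access-list inside_acl deny ip any 10.1.1.0 255.255.255.0
access-list inside_acl permit ip any any
access-group inside_acl in interface inside
!
! No access-group is applied to dmz, so by default nothing initiated from
! the DMZ can reach the higher-security inside interface.
```

Apply with a `write memory` afterwards and confirm with `show access-list inside_acl` that the hit counters on the permit and deny lines move as expected.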