Configuring a PIX 501

[Dunestar]

I was recently given a perfectly functional PIX 501 and wanted to connect it to my DHCP network. We only have one server that hosts exchange/DNS and 5 workstations, and I just need a simple, basic config. Honestly, I'm a bit of a PIX noob and wanted to see if there are any step-by-step instructions for configuring it, as I have no clue. I can access the device in HyperTerminal, but not sure which commands to use to reset the device to factory settings and unblock port 25. I checked the Cisco website and they have instructions for plugging the PIX in, however no config instructions that I can find.

Thanks!

 

[unclerico]

PIX(config)# clear config
<confirm when asked>

Where in your network will this PIX be placed? Will it be behind a router??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Dunestar]

Thanks for the fast reply.

Here's how I want it setup once I configure the PIX:

1.Netopia DSL Modem connects to PIX via crossover cable
2.PIX connects to 24-port switch
3.workstations connect to 24-port switch
4.Linksys Wireless Router connects to 24-port switch

Currently I am using the dinky built-in firewall on the Linksys Wireless broadband router. Right now it is connected to the DSL modem directly. The router is handing out 192.168.1.x DHCP addresses currently.

 

[North323]

very helpful tools and templates:

http://www.cisecurity.org/index.html

 

[Dunestar]

Interesting website North - Thanks

unclerico: thanks for the command to reset the PIX. After its reset, how would I go about unblocking port 25? also does the PIX automatically assign 192.168.x.x IP's to my workstations or do I have to set it to DHCP?

 

[unclerico]

I believe it is set up to provide dhcp by default

As for permitting smtp inbound you'll need an access list and a nat statement

Say you want to access smtp via public ip 1.1.1.1 and on the inside 192.168.1.1 is your smtp server

Access-list outside_access_in extended permit tcp any host 1.1.1.1 eq smtp

Static (inside,outside) tcp 1.1.1.1 smtp 192.168.1.1 smtp netmask 255.255.255.255



I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Dunestar]

Thank you very much, this should do it.

By default, the PIX does allow HTTP and FTP, correct? or is every port closed by default? All we use on our network is internet and exchange mail.

Thank you again.

 

[unclerico]

by default all traffic from a higher security interface (ie inside) to a lower security interface (outside or dmz) will be allowed by default. When you attempt to access a higher security interface from a lower security interface all traffic is denied by default.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[JRMS]

Dunestar, how did your project turn off. I have a similar setup in mind.