
Pix 515e

Status
Not open for further replies.

upfront75

IS-IT--Management
Feb 12, 2009
18
US
Can someone out there please give me a sample config for the PIX 515e? I have tried and tried, but I cannot figure this thing out. I have version 8.0.4 on it. I did read about ASDM and tried to use it, but it will not connect. Thanks for any help.
 
It would be very difficult to post a full config because we don't know anything about your environment. Connect to the PIX with a rollover cable and terminal emulation software such as HyperTerminal or TeraTerm (preferred). Go into whatever emulator you are using and set it to log, then go into the CLI of the PIX and issue a show run command. The emulation software will capture the output of the command. Post a scrubbed config here (x out the second and third octets of the public IPs and remove any passwords).

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 

When I say I have nothing, I have nothing yet. I have played with this thing and played with it. The first thing I want to do is replace my 501, and believe me, the commands are nothing alike. I tried the setup thing and it seemed to work getting ether1 set up, and I was able to enable ether0, but I still had no internet traffic. I read about routed and transparent; to use this as my firewall, do I need to set it to transparent? My config as it is follows. Please, if you can help, I would appreciate it a lot. I want my inside IP range to be 192.168.100.1 and outside to be DHCP. I have a DHCP server that all my workgroup computers get DHCP from, so I don't need the PIX to do this.


!
PIX Version 8.0(4)
!
hostname pixfirewall
enable password encrypted
passwd encrypted
names
!
interface Ethernet0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e4c16f16577e51d5f7a2636fdbfed85
 
Code:
pix(config)# no dhcpd address 192.168.1.2-192.168.1.254 inside
pix(config)# no dhcpd enable inside
pix(config)# interface Ethernet0
pix(config-if)# nameif outside
pix(config-if)# security-level 0
pix(config-if)# ip address dhcp setroute
pix(config-if)# no shutdown
pix(config-if)# exit
pix(config)# global (outside) 1 interface
pix(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pix(config)# access-list outside_access_in extended permit icmp any any echo-reply
pix(config)# access-list outside_access_in extended permit icmp any any time-exceeded
pix(config)# access-list outside_access_in extended permit icmp any any source-quench
pix(config)# access-list outside_access_in extended permit icmp any any unreachable
pix(config)# access-group outside_access_in in interface outside
If you want to be able to use the ASDM you'll need to download it, preferably asdm-61551.bin, from Cisco's site and upload it to the PIX. Once you do that, execute the following:
Code:
pix(config)# asdm image disk0:/asdm-61551.bin
Once you get that set up you can navigate to to run the ASDM software.

If you want to be able to ssh to the device you'll need to generate the crypto keys and enable access:
Code:
pix(config)# domain-name <your_dns_domain_name>
pix(config)# crypto key generate rsa mod 1024
pix(config)# ssh ver 2
pix(config)# ssh 192.168.1.0 255.255.255.0 inside
Download PuTTY or TeraTerm to access the CLI via SSH. Security best practice would limit the use of not only the web interface (ASDM) but also the SSH access to only a management workstation.

You SHOULD be set with this, but it's been a long day and I want to go home :)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks so much. I have had this thing for 3 days and have been wanting to use it. I will do this tonight and check back tomorrow. Thanks again for all the help.
 
Sorry, I did not get it to work. I did what you said, but it did not allow internet traffic to flow. I checked the IPs and they were both populated. The only thing I was wondering was, when I ran setup, one of the prompts said routed; should this be routed or transparent? Maybe that is the problem.
 
Post a sh run of what you have so far.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Sorry for the late reply, I have had a lot on my plate. Here is the new show run. It did have an IP address on the outside, but it would still not hit the internet. Thanks for any help.

PIX Version 8.0(4)
!
hostname pixfirewall
enable password encrypted
passwd encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
!
service-policy global_policy global
prompt hostname context

 
Doh, I forgot this part (perhaps the most important!!!):
Code:
route outside 0.0.0.0 0.0.0.0 interface
Try adding that and you should be good to go.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
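Pulling the checks from this thread together in one place (an active outside interface at security-level 0, a nat/global pair, the inbound ACL actually bound with access-group, the default route the last reply adds, and ASDM/SSH access limited to a single management workstation as the earlier reply recommends), here is an added Python script that audits a scrubbed `show run` text for those points. It is not from this thread or from Cisco; the sample config embedded in it is constructed for the example, and the parsing assumption that an interface block ends at a `!` line or at the next `interface` line is mine.

```python
"""Audit a scrubbed PIX "show run" for the gaps discussed in this thread."""
import re
from typing import Dict, List

# Constructed sample, not the thread's own dump: the outside interface takes a
# DHCP address without "setroute", there is no static default route, and HTTP
# and SSH management access is open to the whole inside subnet.
SAMPLE_RUN = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
access-list outside_access_in extended permit icmp any any echo-reply
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
http server enable
http 192.168.100.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside
"""


def parse_interfaces(config: str) -> List[Dict[str, object]]:
    """One dict per interface block; a block ends at "!" or the next "interface"."""
    blocks: List[Dict[str, object]] = []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"shutdown": False, "nameif": None, "security_level": None,
                       "ip": None, "setroute": False}
            blocks.append(current)
        elif current is None or line == "!":
            current = None
        elif line == "shutdown":
            current["shutdown"] = True
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            current["security_level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            current["ip"] = line[len("ip address "):]
            current["setroute"] = line.endswith(" setroute")
    return blocks


def audit(config: str) -> List[str]:
    """Return findings; an empty list means every check passed."""
    findings: List[str] = []
    lines = [l.strip() for l in config.splitlines()]
    active = [i for i in parse_interfaces(config) if i["nameif"] and not i["shutdown"]]
    by_name = {i["nameif"]: i for i in active}

    outside = by_name.get("outside")
    if outside is None:
        findings.append("no active 'outside' interface (needs nameif outside and no shutdown)")
    elif outside["security_level"] != 0 or not outside["ip"]:
        findings.append("outside interface needs security-level 0 and an ip address")

    # A default route comes either from DHCP ("setroute") or from a static route line.
    static_default = any(re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0( |$)", l) for l in lines)
    if not static_default and not any(i["setroute"] for i in active):
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <gateway>' "
                        "or use 'ip address dhcp setroute' on the outside interface")

    # Each nat (inside) N (other than identity id 0) needs a matching global (outside) N.
    nat_ids = {m.group(1) for l in lines if (m := re.match(r"nat \(\S+\) (\d+) ", l))} - {"0"}
    global_ids = {m.group(1) for l in lines if (m := re.match(r"global \(\S+\) (\d+) ", l))}
    if not nat_ids:
        findings.append("no nat statement: inside hosts will not be translated")
    for nat_id in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nat_id} has no matching 'global (outside) {nat_id}'")

    # An ACL never bound with access-group filters nothing (ACLs used only by
    # crypto maps or nat 0 would be reported here too).
    acl_names = {l.split()[1] for l in lines if l.startswith("access-list ")}
    bound = {l.split()[1] for l in lines if l.startswith("access-group ")}
    for name in sorted(acl_names - bound):
        findings.append(f"access-list {name} is defined but never applied with access-group")

    # Management plane: http/ssh/telnet should be limited to one workstation, never to outside.
    for l in lines:
        m = re.match(r"(http|ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$", l)
        if not m:
            continue
        proto, net, mask, ifname = m.groups()
        if ifname == "outside":
            findings.append(f"{proto} management access permitted on the outside interface")
        elif mask != "255.255.255.255":
            findings.append(f"{proto} access open to {net} {mask} on {ifname}; "
                            "restrict it to a single management workstation (mask 255.255.255.255)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUN) or ["no findings"]:
        print("-", finding)
```

Run it against the constructed sample and it reports the missing default route plus the two over-broad management entries; paste your own scrubbed output into `SAMPLE_RUN` (or read it from a file) to check a real box. The script only reads text, so it is safe to run on a dump with passwords already removed.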
 