
Sample Cisco PIX 515E configuration (PIX OS 6.3(4), three interfaces: outside / inside / DMZ, with a remote-access IPsec VPN). Public addresses are masked as x.x.x.N in the listing.

Source: http://www.howtonetworking.com/cisco/pixsample1.htm — reproduced as a reference example, not as a hardened baseline; see the review notes embedded below.

: Sample PIX 6.3(4) running configuration: outside (security0), inside (security100), DMZ (security50).
: PIX semantics: traffic from a higher security level to a lower one is allowed unless an ACL
: blocks it; traffic from a lower level to a higher one needs a static/global translation AND an
: access-group permit. Lines starting with ":" are comments; NOTE(review) marks reviewer caveats.
PIX Version 6.3(4)

: Physical ports and their security roles.
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
hostname CHICAGOTECH
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring

: Application inspection ("fixup") engines. Note smtp inspection (Mail Guard) is explicitly
: disabled below, while inbound smtp to the OWA host is permitted from any source in
: outside_access_in (OWA_Ports includes smtp) -- so inbound SMTP is passed uninspected.
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

: Symbolic host names used throughout the ACLs, statics and VPN settings.
: NOTE(review): "apps" is referenced later (pdm location apps, static ... apps) but has no
: "name" entry here -- either the listing is truncated or that line was dropped; a paste of
: this config as-is would fail on those lines.
names
name 172.254.0.4 OWA
name 10.0.0.3 MAIL
name 10.0.0.19 DATA
name 10.0.0.29 DC
name 10.0.0.28 001109
name 10.0.0.25 Bob
name 10.0.0.7 Runit
name 10.0.2.57 001288

: Service/network object groups. The "range 1024 65535" entries in the DC groups open the
: whole dynamic port range (presumably for MS-RPC/AD); NOTE(review): a practitioner would pin
: the DCs' RPC port range and narrow these groups accordingly.
object-group service TCP-DCs tcp
  port-object eq ldaps
  port-object eq 3268
  port-object eq ldap
  port-object eq domain
  port-object eq 88
  port-object eq 135
  port-object range 137 netbios-ssn
  port-object range 1024 65535
  port-object eq 445
object-group service TCP-Mail tcp
  port-object eq 691
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object eq 135
  port-object eq 445
  port-object eq ftp
object-group service UDP-DCs udp
  port-object eq 389
  port-object eq domain
  port-object eq 88
  port-object eq 135
  port-object range netbios-ns 139
  port-object range 1024 65535
: DCs, DCs_ref and DCs_ref_1 hold identical members; the _ref copies are PDM-generated
: interface-scoped references (see "pdm group ... reference DCs" below).
object-group network DCs_ref
  network-object DATA 255.255.255.255
  network-object DC 255.255.255.255
object-group network DCs
  network-object DATA 255.255.255.255
  network-object DC 255.255.255.255
object-group network DCs_ref_1
  network-object DATA 255.255.255.255
  network-object DC 255.255.255.255
: Ports exposed on the OWA host from the Internet. www and pop3 are cleartext protocols.
object-group service OWA_Ports tcp
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object eq pop3
object-group service TCP_OWA_DCs tcp
  port-object range 1024 65535
  port-object eq domain
  port-object eq ldap
  port-object eq 135
  port-object eq 88
  port-object eq 3268
object-group service UDP_OWA_DCs udp
  port-object eq domain
  port-object eq 88
  port-object eq 389
object-group service TCP_OWA_MAIL tcp
  port-object eq www
  port-object eq 691
  port-object eq ftp
  port-object eq https
  port-object eq smtp
: NOTE(review): tcp/123 here is probably meant to be NTP, which is udp/123 -- confirm intent.
object-group service TCP_OWA_INSIDE tcp
  port-object eq www
  port-object eq ftp
  port-object eq pop3
  port-object eq https
  port-object eq 123
  port-object eq smtp

: Inbound policy on the Internet-facing interface (applied by access-group below).
: Only ICMP replies/errors, the OWA host, and two pcAnywhere targets are permitted from "any".
: NOTE(review): pcAnywhere exposed to any source is a frequent brute-force target; restrict
: the source addresses or move it behind the VPN.
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host x.x.x.195 object-group OWA_Ports
access-list outside_access_in permit tcp any host x.x.x.202 eq pcanywhere-data
: The deny lines below are redundant with the implicit deny at the end of the ACL; the only
: one with an observable effect is the isakmp deny with "log", which records the attempts.
access-list outside_access_in deny udp any host x.x.x.197 eq isakmp log
access-list outside_access_in deny ah any host x.x.x.197
access-list outside_access_in deny esp any host x.x.x.197
access-list outside_access_in deny udp any host x.x.x.197 eq 4500
access-list outside_access_in deny udp any host x.x.x.202 eq isakmp
access-list outside_access_in deny ah any host x.x.x.204
access-list outside_access_in deny esp any host x.x.x.202
access-list outside_access_in deny tcp any host x.x.x.204 eq 3389
access-list outside_access_in permit tcp any host x.x.x.205 eq pcanywhere-data
: DMZ egress policy: the OWA host may talk to the DCs and the MAIL server on defined ports.
: The "permit tcp host OWA any ..." line also reaches every inside host on those ports, which
: is broad for a DMZ box; NOTE(review): consider limiting it to the hosts OWA actually needs.
access-list DMZ_access_in permit tcp host OWA object-group DCs_ref_1 object-group TCP_OWA_DCs
access-list DMZ_access_in permit udp host OWA object-group DCs_ref_1 object-group UDP_OWA_DCs
access-list DMZ_access_in permit icmp host OWA object-group DCs_ref_1
access-list DMZ_access_in permit tcp host OWA host MAIL object-group TCP_OWA_MAIL
access-list DMZ_access_in permit tcp host OWA any object-group TCP_OWA_INSIDE
access-list DMZ_access_in permit icmp host OWA any echo-reply
access-list DMZ_access_in permit icmp host OWA any unreachable
access-list DMZ_access_in permit icmp host OWA any time-exceeded
: VPN split tunnel: only 10.0.0.0/16 goes through the tunnel; all other client traffic uses the
: client's local Internet connection. NOTE(review): split tunneling lets a compromised remote
: client bridge the Internet and the inside network -- a known trade-off to weigh.
access-list VPN_splitTunnelAcl permit ip 10.0.0.0 255.255.0.0 any
: NAT exemption and crypto match for the VPN client pool (192.168.254.0/26).
access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.254.0 255.255.255.192
pager lines 24

: Syslog: severity warnings and above, to three inside collectors and one "outside" host.
: 192.168.254.3 is within the VPN address pool, i.e. a VPN client receives syslog when connected.
logging on
logging timestamp
logging trap warnings
logging host inside 10.0.1.29
logging host inside 10.0.0.11
logging host inside MAIL
logging host outside 192.168.254.3
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside x.x.x.194 255.255.255.224
ip address inside 10.0.0.2 255.255.0.0
ip address DMZ 172.254.0.1 255.255.255.0
: Built-in IDS signatures: alarm only, no drop/reset.
ip audit info action alarm
ip audit attack action alarm
: Address pool handed to VPN clients.
ip local pool POOL 192.168.254.1-192.168.254.50
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
: PDM (GUI) bookkeeping only; no effect on traffic.
pdm location 172.16.100.0 255.255.255.0 inside
pdm location OWA 255.255.255.255 DMZ
pdm location 001109 255.255.255.255 inside
pdm location 10.0.1.29 255.255.255.255 inside
pdm location MAIL 255.255.255.255 inside
pdm location DATA 255.255.255.255 inside
pdm location DC 255.255.255.255 inside
pdm location Bob 255.255.255.255 inside
pdm location 10.0.0.11 255.255.255.255 inside
pdm location apps 255.255.255.255 inside
pdm location 192.168.254.3 255.255.255.255 outside
pdm location x.x.x.111 255.255.255.255 outside
pdm location 70.131.123.103 255.255.255.255 outside
pdm location 001288 255.255.255.255 inside
pdm group DCs inside
pdm group DCs_ref_1 DMZ reference DCs
pdm logging informational 100
pdm history enable
arp timeout 14400

: Translation: all inside hosts PAT to x.x.x.222 outbound; nat 0 exempts VPN-bound traffic.
: The (inside,DMZ) identity statics expose inside hosts to the DMZ under their real addresses
: (the whole 10.0.0.0/16), which is what lets DMZ_access_in reference them directly.
global (outside) 1 x.x.x.222
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 OWA 255.255.255.255 0 0
static (inside,DMZ) 001109 001109 netmask 255.255.255.255 0 0
static (inside,DMZ) 172.16.100.0 172.16.100.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
: Public one-to-one mappings. Only x.x.x.195, .202 and .205 have a matching permit in
: outside_access_in; .197, .199 and .204 are therefore reachable from outside only via the
: implicit deny (i.e. not at all), and serve as fixed outbound addresses for those hosts.
static (DMZ,outside) x.x.x.195 OWA netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.197 Bob netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.204 001109 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.202 001288 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.205 apps netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.199 10.0.0.11 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
route inside 172.16.100.0 255.255.255.0 10.0.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

: AAA: TACACS+ and RADIUS groups are declared but no "aaa-server ... host" entries are visible,
: so both are empty; console/telnet/enable authentication actually uses the LOCAL user database
: (no "username" lines appear in this listing -- presumably stripped, or absent).
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
: PDM over HTTPS, reachable from the whole inside /16.
http server enable
http 10.0.0.0 255.255.0.0 inside
: NOTE(review): the SNMP community is the well-known default "public". No "snmp-server host"
: lines are shown and traps are off, which should leave nothing able to poll the agent, but
: the community string should still be changed (or SNMP left unconfigured) before deployment.
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
: Decrypted IPsec traffic bypasses the interface ACLs -- the VPN pool is not subject to
: outside_access_in. Any restriction on VPN users must therefore live elsewhere (e.g. a vpngroup
: or per-user policy), none of which is visible here.
sysopt connection permit-ipsec
: Remote-access IPsec. NOTE(review): single DES, MD5 and DH group 2 with a pre-shared key are
: all considered weak today; PIX 6.3 supports 3DES/AES and SHA-1 (AES/3DES subject to the
: unit's feature license -- verify with "show version"). Prefer esp-aes/esp-sha-hmac and
: a matching isakmp policy. XAUTH is performed against the LOCAL database (see "client
: authentication LOCAL"); the "vpngroup VPN password" line is not shown in this listing.
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN address-pool POOL
vpngroup VPN dns-server DC DATA
vpngroup VPN wins-server DC DATA
vpngroup VPN default-domain chicgaobotanic.org
vpngroup VPN split-tunnel VPN_splitTunnelAcl
vpngroup VPN idle-time 1800
: Management access. Telnet is allowed from one external host and from the entire inside /16.
: NOTE(review): PIX 6.x documents that telnet to the outside interface is only accepted inside
: an IPsec tunnel -- confirm that holds for this release; either way, telnet is cleartext and
: the SSH permit list is empty here ("ssh timeout" is set but there are no "ssh <addr> <mask>
: <if>" lines), so SSH is effectively not usable. Add ssh hosts and drop telnet. "console
: timeout 0" means the serial console never times out.
telnet x.x.x.103 255.255.255.255 outside
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0