Sysadmin > CiscoFirewall > PIXConfigExample
Sample of Cisco PIX 515E Configuration
from http://www.howtonetworking.com/cisco/pixsample1.htmPIX Version 6.3(4) interface ethernet0 100full interface ethernet1 auto interface ethernet2 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 DMZ security50 hostname CHICAGOTECH domain-name ciscopix.com clock timezone CST -6 clock summer-time CDT recurring fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol pptp 1723 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 no fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name 172.254.0.4 OWA name 10.0.0.3 MAIL name 10.0.0.19 DATA name 10.0.0.29 DC name 10.0.0.28 001109 name 10.0.0.25 Bob name 10.0.0.7 Runit name 10.0.2.57 001288 object-group service TCP-DCs tcp port-object eq ldaps port-object eq 3268 port-object eq ldap port-object eq domain port-object eq 88 port-object eq 135 port-object range 137 netbios-ssn port-object range 1024 65535 port-object eq 445 object-group service TCP-Mail tcp port-object eq 691 port-object eq www port-object eq https port-object eq smtp port-object eq 135 port-object eq 445 port-object eq ftp object-group service UDP-DCs udp port-object eq 389 port-object eq domain port-object eq 88 port-object eq 135 port-object range netbios-ns 139 port-object range 1024 65535 object-group network DCs_ref network-object DATA 255.255.255.255 network-object DC 255.255.255.255 object-group network DCs network-object DATA 255.255.255.255 network-object DC 255.255.255.255 object-group network DCs_ref_1 network-object DATA 255.255.255.255 network-object DC 255.255.255.255 object-group service OWA_Ports tcp port-object eq www port-object eq https port-object eq smtp port-object eq pop3 object-group service TCP_OWA_DCs tcp port-object range 1024 65535 port-object eq domain port-object eq ldap port-object eq 135 port-object eq 88 port-object eq 3268 object-group service UDP_OWA_DCs udp port-object eq domain port-object eq 88 port-object eq 389 object-group service TCP_OWA_MAIL tcp port-object eq www port-object eq 691 port-object eq ftp port-object eq https port-object eq smtp object-group service TCP_OWA_INSIDE tcp port-object eq www port-object eq ftp port-object eq pop3 port-object eq https port-object eq 123 port-object eq smtp access-list outside_access_in permit icmp any any unreachable access-list outside_access_in permit icmp any any time-exceeded access-list outside_access_in permit icmp any any echo-reply access-list outside_access_in permit tcp any host x.x.x.195 object-group OWA_Ports access-list outside_access_in permit tcp any host x.x.x.202 eq pcanywhere-data access-list outside_access_in deny udp any host x.x.x.197 eq isakmp log access-list outside_access_in deny ah any host x.x.x.197 access-list outside_access_in deny esp any host x.x.x.197 access-list outside_access_in deny udp any host x.x.x.197 eq 4500 access-list outside_access_in deny udp any host x.x.x.202 eq isakmp access-list outside_access_in deny ah any host x.x.x.204 access-list outside_access_in deny esp any host x.x.x.202 access-list outside_access_in deny tcp any host x.x.x.204 eq 3389 access-list outside_access_in permit tcp any host x.x.x.205 eq pcanywhere-data access-list DMZ_access_in permit tcp host OWA object-group DCs_ref_1 object-group TCP_OWA_DCs access-list DMZ_access_in permit udp host OWA object-group DCs_ref_1 object-group UDP_OWA_DCs access-list DMZ_access_in permit icmp host OWA object-group DCs_ref_1 access-list DMZ_access_in permit tcp host OWA host MAIL object-group TCP_OWA_MAIL access-list DMZ_access_in permit tcp host OWA any object-group TCP_OWA_INSIDE access-list DMZ_access_in permit icmp host OWA any echo-reply access-list DMZ_access_in permit icmp host OWA any unreachable access-list DMZ_access_in permit icmp host OWA any time-exceeded access-list VPN_splitTunnelAcl permit ip 10.0.0.0 255.255.0.0 any access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.192 access-list outside_cryptomap_dyn_20 permit ip any 192.168.254.0 255.255.255.192 pager lines 24 logging on logging timestamp logging trap warnings logging host inside 10.0.1.29 logging host inside 10.0.0.11 logging host inside MAIL logging host outside 192.168.254.3 mtu outside 1500 mtu inside 1500 mtu DMZ 1500 ip address outside x.x.x.194 255.255.255.224 ip address inside 10.0.0.2 255.255.0.0 ip address DMZ 172.254.0.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool POOL 192.168.254.1-192.168.254.50 no failover failover timeout 0:00:00 failover poll 15 no failover ip address outside no failover ip address inside no failover ip address DMZ pdm location 172.16.100.0 255.255.255.0 inside pdm location OWA 255.255.255.255 DMZ pdm location 001109 255.255.255.255 inside pdm location 10.0.1.29 255.255.255.255 inside pdm location MAIL 255.255.255.255 inside pdm location DATA 255.255.255.255 inside pdm location DC 255.255.255.255 inside pdm location Bob 255.255.255.255 inside pdm location 10.0.0.11 255.255.255.255 inside pdm location apps 255.255.255.255 inside pdm location 192.168.254.3 255.255.255.255 outside pdm location x.x.x.111 255.255.255.255 outside pdm location 70.131.123.103 255.255.255.255 outside pdm location 001288 255.255.255.255 inside pdm group DCs inside pdm group DCs_ref_1 DMZ reference DCs pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 x.x.x.222 nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 nat (DMZ) 1 OWA 255.255.255.255 0 0 static (inside,DMZ) 001109 001109 netmask 255.255.255.255 0 0 static (inside,DMZ) 172.16.100.0 172.16.100.0 netmask 255.255.255.0 0 0 static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0 static (DMZ,outside) x.x.x.195 OWA netmask 255.255.255.255 0 0 static (inside,outside) x.x.x.197 Bob netmask 255.255.255.255 0 0 static (inside,outside) x.x.x.204 001109 netmask 255.255.255.255 0 0 static (inside,outside) x.x.x.202 001288 netmask 255.255.255.255 0 0 static (inside,outside) x.x.x.205 apps netmask 255.255.255.255 0 0 static (inside,outside) x.x.x.199 10.0.0.11 netmask 255.255.255.255 0 0 access-group outside_access_in in interface outside access-group DMZ_access_in in interface DMZ route outside 0.0.0.0 0.0.0.0 x.x.x.193 1 route inside 172.16.100.0 255.255.255.0 10.0.100.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local aaa authentication enable console LOCAL aaa authentication telnet console LOCAL http server enable http 10.0.0.0 255.255.0.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map client authentication LOCAL crypto map outside_map interface outside isakmp enable outside isakmp nat-traversal 20 isakmp policy 20 authentication pre-share isakmp policy 20 encryption des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 vpngroup VPN address-pool POOL vpngroup VPN dns-server DC DATA vpngroup VPN wins-server DC DATA vpngroup VPN default-domain chicgaobotanic.org vpngroup VPN split-tunnel VPN_splitTunnelAcl vpngroup VPN idle-time 1800 telnet x.x.x.103 255.255.255.255 outside telnet 10.0.0.0 255.255.0.0 inside telnet timeout 5 ssh timeout 5 console timeout 0
