Cisco Config Cookbook
PIX Sample Config
Step 1: Download the most current PIX software from the Web. If you are using a DOS/Windows PC, choose the executable file (pixnnn.exe). This file has the rawrite.exe program compressed into it. The rawrite program creates a bootable floppy disk that has the latest firewall software installed. Follow the readme.txt instructions that you get once you run pixnnn.exe.
Step 2: Get a console session established to the PIX firewall.
Step 3: Configure Network Routers
- Set default routes
- Set access lists
- Set any filters
Step 4: Configure the PIX Firewall
pixfirewall> enable
Password:
pixfirewall# configure t - Enter configuration mode.
---- Identify each interface. The name and security level together define the trust relationship: ethernet0 must be named outside with security level 0 (least trusted) and ethernet1 must be named inside with security level 100 (most trusted). By default, connections may be started from a higher security level toward a lower one, but traffic from a lower level to a higher one is dropped unless you explicitly permit it (conduit or static).
pixfirewall(config)# nameif ethernet0 outside security0
pixfirewall(config)# nameif ethernet1 inside security100
---- Assign each interface an ip address.
pixfirewall(config)# ip address inside 192.168.100.1 255.255.255.0
pixfirewall(config)# ip address outside 200.100.100.50 255.255.255.0
---- Specify the network card speed and duplex. Auto uses automatic detection; the auto option exists only for Ethernet interfaces.
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 auto
---- This is a good place to save our work.
pixfirewall(config)# exit --- Exit config mode.
pixfirewall# wr mem --- Save our work.
----Show a little of what we have done.
pixfirewall# sh nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
---- Continue with the configuration
pixfirewall# config t ---- Enter configuration mode
---- Enable address translation for hosts on the inside interface (the translated addresses are taken from the global pool on the outside interface, below)
pixfirewall(config)# nat (inside) 1 0 0
- The number 1 is the local NAT ID (between 1 and about 2 billion); it links this nat statement to the global statements with the same ID. A NAT ID of 0 is special and means "do not translate" for the matching hosts.
- The 0 0 is the internal IP address and subnet mask to be translated; 0 0 stands for all inside addresses.
---- Specify the NAT and PAT parameters.
pixfirewall(config)# global (outside) 1 200.100.100.100 netmask 255.255.255.0
- The number 1 is the local NAT ID (see the nat statement above).
- A single address with a netmask is used for port address translation (PAT): many inside hosts share this one outside address, distinguished by source port. PAT does not work with multimedia applications, H.323 applications, or caching name servers.
pixfirewall(config)# global (outside) 1 200.100.100.110-200.100.100.150 netmask 255.255.255.0
- The number 1 is the local NAT ID (see the nat statement).
- An address range with a netmask is used for network address translation (NAT): each inside host is given its own address from the pool for as long as its translation slot is active, so the pool supports only as many concurrent hosts as it has addresses. When a pool and a PAT address share the same NAT ID, the PIX hands out pool addresses first and falls back to the PAT address once the pool is exhausted.
---- Create a default route to the outside router
pixfirewall(config)# route outside 0 0 200.100.100.1 1
- The 0 0 stands for all ip addresses.
- The ip address is the address of the router to the ISP
- The 1 is the metric, the number of hops to the next-hop router; 1 means the router is directly connected to the outside interface.
---- Permit ICMP traffic through the firewall
pixfirewall(config)# conduit permit icmp any any
- Check this against your security policy. A conduit opens a path from the lower-security (outside) interface to the higher-security (inside) interface, and "any any" allows every ICMP type, including inbound echo requests, to reach inside hosts. If you only need ping and traceroute from the inside to work, permit just the reply types (echo-reply, unreachable, time-exceeded) instead.
---- Set a host name for the firewall. This also sets the prompt.
pixfirewall(config)# hostname wally
---- Set the enable password for the firewall. The example below is a weak placeholder; use a long, hard-to-guess password, and note that the PIX stores it hashed in the configuration.
pixfirewall(config)# enable password snnug
---- Exit configuration mode and save our work
pixfirewall(config)# exit - Exit
pixfirewall# wr mem - Save
Building configuration...
Cryptochecksum: 975d086a f1df1506 86647656 021580bc
[OK]
--- Check out the configuration
pixfirewall# sh ip address
System IP Addresses:
ip address outside 200.100.100.50 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
Current IP Addresses:
ip address outside 200.100.100.50 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
pixfirewall# sh global
global (outside) 1 200.100.100.100 netmask 255.255.255.0
global (outside) 1 200.100.100.110-200.100.100.150 netmask 255.255.255.0
pixfirewall# sh nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfirewall# sh route
outside 0.0.0.0 0.0.0.0 200.100.100.1 1 OTHER static
pixfirewall# write t --- Display the complete running configuration; compare it with the steps above before putting the firewall into service.
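The steps above, collected into one configuration with the ICMP conduit tightened to return traffic only and management access limited to the inside network. This is an added example, not a configuration from the original cookbook; the logging host 192.168.100.10, the telnet-from-inside rule and the placeholder passwords are assumptions, and the addresses are the ones used above.

```cisco
! Added example: consolidated PIX configuration (addresses as used above;
! logging host, telnet rule and passwords are assumed placeholders)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 200.100.100.50 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
hostname wally
! Replace both placeholder passwords with strong values before use
enable password ChangeMe-Enable
passwd ChangeMe-Telnet
! Translate every inside host; pool first, PAT once the pool is exhausted
nat (inside) 1 0 0
global (outside) 1 200.100.100.110-200.100.100.150 netmask 255.255.255.0
global (outside) 1 200.100.100.100 netmask 255.255.255.0
route outside 0 0 200.100.100.1 1
! Weak setting from the cookbook, kept here only for comparison:
! conduit permit icmp any any
! Corrected: allow only the ICMP replies that inside ping/traceroute need,
! so outside hosts cannot echo-request inside hosts through the translation
conduit permit icmp any any echo-reply
conduit permit icmp any any unreachable
conduit permit icmp any any time-exceeded
! Send syslog to an inside host (assumed address) so conduit hits are recorded
logging on
logging trap informational
logging host inside 192.168.100.10
! Management only from the inside network, never from the outside interface
telnet 192.168.100.0 255.255.255.0 inside
```

After entering it, "write mem" saves it and "show conduit" lists the three ICMP conduits; an inbound echo request from the outside should now be dropped and logged rather than forwarded.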