Protect Your PIX - Page 2
By Cisco Press | Oct 3, 2001
The configuration of the primary PIX follows. The changes made to this configuration are discussed after the listing. The blank lines were added for clarity.
hostname pixfirewall
enable password enablepass encrypted
passwd password encrypted

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 public security50
nameif ethernet3 accounting security60
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
ip address outside 192.168.1.1 255.255.255.0
ip address inside 172.30.1.2 255.255.255.248
ip address public 192.168.2.1 255.255.255.0
ip address accounting 10.200.200.1 255.255.255.0

fixup protocol http 80
fixup protocol http 10120
fixup protocol http 10121
fixup protocol http 10122
fixup protocol http 10123
fixup protocol http 10124
fixup protocol http 10125
fixup protocol ftp 21
fixup protocol ftp 10126
fixup protocol ftp 10127

failover active
failover link failover

no rip inside passive
no rip outside passive
no rip public passive
no rip accounting passive
no rip inside default
no rip outside default
no rip public default
no rip accounting default

pager lines 24

aaa-server TACACS+ (inside) host 10.1.1.41 thekey timeout 20
aaa authentication include any outbound 0 0 0 0 TACACS+
aaa authorization include any outbound 0 0 0 0 TACACS+
aaa accounting include any outbound 0 0 0 0 TACACS+
aaa authentication serial console TACACS+

snmp-server community ourbigcompany
snmp-server location Seattle
snmp-server contact Mark Newcomb Andrew Mason
snmp-server host inside 10.1.1.74
snmp-server enable traps

logging on
logging host 10.1.1.50
logging trap 7
logging facility 20
no logging console

outbound limit_acctg deny 10.200.200.0 255.255.255.0
outbound limit_acctg except 10.10.1.51
outbound limit_acctg permit 10.200.200.66
outbound limit_acctg permit 10.200.200.67
apply (accounting) limit_acctg outgoing_dest

access-list acct_pub permit host 10.200.200.52
access-list acct_pub deny 10.200.200.0 255.255.255.0
access-group acct_pub in interface public

telnet 10.1.1.14 255.255.255.255
telnet 10.1.1.19 255.255.255.255
telnet 10.1.1.212 255.255.255.255

url-server (inside) host 10.1.1.51 timeout 30
url-server (inside) host 10.1.1.52
filter url http 0 0 0 0

global (outside) 1 192.168.1.50-192.168.1.253 netmask 255.255.255.0
global (outside) 1 192.168.1.254 netmask 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 10.2.1.0 255.255.255.0 0 0
nat (inside) 1 10.3.1.0 255.255.255.0 0 0
nat (public) 1 192.168.2.1 255.255.255.0 0 0
nat (accounting) 0 0 0

static (public, outside) 192.168.1.30 192.168.2.30
static (public, outside) 192.168.1.35 192.168.2.35
static (public, outside) 192.168.1.49 192.168.2.49
conduit permit tcp host 192.168.1.30 eq http any
conduit permit tcp host 192.168.1.35 eq ftp any
conduit permit tcp host 192.168.1.49 eq smtp any
conduit permit tcp any eq sqlnet host 192.168.1.30

route outside 0 0 192.168.1.2 1
route inside 10.1.1.0 255.255.255.0 172.30.1.1 1
route inside 10.2.1.0 255.255.255.0 172.30.1.1 1
route inside 10.3.1.0 255.255.255.0 172.30.1.1 1
route public 192.168.2.0 255.255.255.0 192.168.2.1
route accounting 10.200.200.0 255.255.255.0 10.200.200.1 1

arp timeout 7200
mtu inside 1500
mtu outside 1500
mtu public 1500
mtu accounting 1500

clear xlate
write mem
write standby
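The following is an added review helper, not part of the article or the book it excerpts. It parses the static and conduit lines from the listing above (copied here as a constructed sample) using the PIX conduit syntax (global address and port first, then the foreign address and port), maps each global address back to the real host behind its static, and flags every permit whose foreign side is "any", which is what a reviewer checks first when auditing what this PIX exposes toward the outside.

```python
"""Summarise what the 'static' and 'conduit' lines of a PIX listing expose."""
import re

# Constructed sample: the relevant lines from the configuration above.
CONFIG = """\
static (public, outside) 192.168.1.30 192.168.2.30
static (public, outside) 192.168.1.35 192.168.2.35
static (public, outside) 192.168.1.49 192.168.2.49
conduit permit tcp host 192.168.1.30 eq http any
conduit permit tcp host 192.168.1.35 eq ftp any
conduit permit tcp host 192.168.1.49 eq smtp any
conduit permit tcp any eq sqlnet host 192.168.1.30
"""

def parse_statics(text):
    """Map each static global address to the real host it translates to."""
    pat = re.compile(r"^static \((\w+),\s*(\w+)\) (\S+) (\S+)", re.M)
    return {glob: real for _hi, _lo, glob, real in pat.findall(text)}

def _addr(tok, i):
    """Read one conduit address spec: 'any', 'host X' or 'ip mask'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2

def _port(tok, i):
    """Read an optional port operator ('eq http', 'range 20 21', ...)."""
    if i < len(tok) and tok[i] in ("eq", "lt", "gt", "neq"):
        return f"{tok[i]} {tok[i + 1]}", i + 2
    if i < len(tok) and tok[i] == "range":
        return f"range {tok[i + 1]}-{tok[i + 2]}", i + 3
    return None, i

def parse_conduit(line):
    """conduit permit|deny proto global [port] foreign [port]"""
    tok = line.split()
    glob, i = _addr(tok, 3)
    gport, i = _port(tok, i)
    foreign, i = _addr(tok, i)
    fport, i = _port(tok, i)
    return {"action": tok[1], "proto": tok[2], "global_addr": glob,
            "global_port": gport, "foreign_addr": foreign, "foreign_port": fport}

def review(text):
    """Return one finding per conduit, joined to its static where one exists."""
    statics, findings = parse_statics(text), []
    for line in text.splitlines():
        if line.startswith("conduit "):
            c = parse_conduit(line)
            c["real_addr"] = statics.get(c["global_addr"])  # None if no static
            c["open_to_any_source"] = c["action"] == "permit" and c["foreign_addr"] == "any"
            findings.append(c)
    return findings
```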

