Protect Your PIX - Page 2

By Cisco Press | Posted Oct 3, 2001

The configuration of the primary PIX follows. The changes made to this configuration are discussed after the listing. The blank lines were added for clarity.

 hostname pixfirewall

 enable password enablepass encrypted
 passwd password encrypted

 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 nameif ethernet2 public security50
 nameif ethernet3 accounting security60

 interface ethernet0 auto
 interface ethernet1 auto
 interface ethernet2 auto
 interface ethernet3 auto

 ip address outside 192.168.1.1 255.255.255.0
 ip address inside 172.30.1.2 255.255.255.248
 ip address public 192.168.2.1 255.255.255.0
 ip address accounting 10.200.200.1 255.255.255.0

 fixup protocol http 80
 fixup protocol http 10120
 fixup protocol http 10121
 fixup protocol http 10122
 fixup protocol http 10123
 fixup protocol http 10124
 fixup protocol http 10125
 fixup protocol ftp 21
 fixup protocol ftp 10126
 fixup protocol ftp 10127

 failover active
 failover link failover

 no rip inside passive
 no rip outside passive
 no rip public passive
 no rip accounting passive
 no rip inside default
 no rip outside default
 no rip public default
 no rip accounting default

 pager lines 24

 aaa-server TACACS+ (inside) host 10.1.1.41 thekey timeout 20
 aaa authentication include any outbound 0 0 0 0 TACACS+
 aaa authorization include any outbound 0 0 0 0 TACACS+
 aaa accounting include any outbound 0 0 0 0 TACACS+
 aaa authentication serial console TACACS+

 snmp-server community ourbigcompany
 snmp-server location Seattle
 snmp-server contact Mark Newcomb Andrew Mason
 snmp-server host inside 10.1.1.74
 snmp-server enable traps

 logging on
 logging host 10.1.1.50
 logging trap 7
 logging facility 20
 no logging console

 outbound limit_acctg deny 10.200.200.0 255.255.255.0
 outbound limit_acctg except 10.10.1.51
 outbound limit_acctg permit 10.200.200.66
 outbound limit_acctg permit 10.200.200.67
 apply (accounting) limit_acctg outgoing_dest

 access-list acct_pub permit host 10.200.200.52
 access-list acct_pub deny 10.200.200.0 255.255.255.0
 access-group acct_pub in interface public

 telnet 10.1.1.14 255.255.255.255
 telnet 10.1.1.19 255.255.255.255
 telnet 10.1.1.212 255.255.255.255

 url-server (inside) host 10.1.1.51 timeout 30
 url-server (inside) host 10.1.1.52
 filter url http 0 0 0 0

 global (outside) 1 192.168.1.50-192.168.1.253 255.255.255.0
 global (outside) 1 192.168.1.254 255.255.255.0
 nat (inside) 1 10.1.1.0 255.255.255.0 0 0
 nat (inside) 1 10.2.1.0 255.255.255.0 0 0
 nat (inside) 1 10.3.1.0 255.255.255.0 0 0
 nat (public) 1 192.168.2.1 255.255.255.0 0 0
 nat (accounting) 0 0 0

 static (public, outside) 192.168.1.30 192.168.2.30
 static (public, outside) 192.168.1.35 192.168.2.35
 static (public, outside) 192.168.1.49 192.168.2.49

 conduit permit tcp host 192.168.1.30 eq http any
 conduit permit tcp host 192.168.1.35 eq ftp any
 conduit permit tcp host 192.168.1.49 eq smtp any
 conduit permit tcp any eq sqlnet host 192.168.1.30

 route outside 0 0 192.168.1.2 1
 route inside 10.1.1.0 255.255.255.0 172.30.1.1 1
 route inside 10.2.1.0 255.255.255.0 172.30.1.1 1
 route inside 10.3.1.0 255.255.255.0 172.30.1.1 1
 route public 192.168.2.0 255.255.255.0 192.168.2.1
 route accounting 10.200.200.0 255.255.255.0 10.200.200.1 1

 arp timeout 7200

 mtu inside 1500
 mtu outside 1500
 mtu public 1500
 mtu accounting 1500

 clear xlate
 write mem
 write standby
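A reviewer working through a listing like this one usually wants its exposure points pulled out mechanically rather than read line by line. The following is an added example, not code from the book or from Cisco: a small Python auditor that parses a PIX-style configuration (a constructed excerpt of the listing above is embedded as sample input) and reports the items checked first in a review: Telnet management hosts, the SNMP community string, interfaces with nat 0, and every permit conduit, cross-checked against the static translations so a conduit with no matching static is flagged. The parser, the severity labels and the set of checks are this example's own assumptions; the outbound, access-list and aaa parts of the listing are not examined.

```python
"""Audit a PIX 5.x/6.x-style configuration for the exposure points a reviewer checks first."""
import re
from collections import defaultdict

# Constructed excerpt of the primary PIX listing above, trimmed to the commands the checks
# below examine; names and addresses are the listing's own.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 public security50
nameif ethernet3 accounting security60
snmp-server community ourbigcompany
telnet 10.1.1.14 255.255.255.255
telnet 10.1.1.19 255.255.255.255
telnet 10.1.1.212 255.255.255.255
nat (accounting) 0 0 0
static (public, outside) 192.168.1.30 192.168.2.30
static (public, outside) 192.168.1.35 192.168.2.35
static (public, outside) 192.168.1.49 192.168.2.49
conduit permit tcp host 192.168.1.30 eq http any
conduit permit tcp host 192.168.1.35 eq ftp any
conduit permit tcp host 192.168.1.49 eq smtp any
conduit permit tcp any eq sqlnet host 192.168.1.30
"""

def parse_pix_config(text):
    """Group commands by first keyword; '(if)' and commas are stripped so token indices are stable."""
    cmds = defaultdict(list)
    for raw in text.splitlines():
        line = re.sub(r"[(),]", " ", raw).strip()
        if not line or line.startswith(":"):       # saved PIX configs carry ':' comment lines
            continue
        tokens = line.split()
        cmds[tokens[0]].append(tokens)
    return cmds

def interface_levels(cmds):
    """nameif <hw> <name> security<N> -> {name: N}; also accepts 'security N' with a space."""
    levels = {}
    for toks in cmds.get("nameif", []):
        m = re.fullmatch(r"security\s*(\d+)", " ".join(toks[3:]))
        if m:
            levels[toks[2]] = int(m.group(1))
    return levels

def _addr(toks, i):
    """Parse 'any' | 'host A' | 'A MASK' at toks[i]; return (spec, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    return f"{toks[i]}/{toks[i + 1]}", i + 2

def _port(toks, i):
    """Optional 'eq <port>' at toks[i]; return (port or None, next index)."""
    if i < len(toks) and toks[i] == "eq":
        return toks[i + 1], i + 2
    return None, i

def parse_conduit(toks):
    """conduit permit|deny <proto> <global> [eq port] <foreign> [eq port] -> dict."""
    glob, i = _addr(toks, 3)
    gport, i = _port(toks, i)
    foreign, i = _addr(toks, i)
    fport, _ = _port(toks, i)
    return {"action": toks[1], "proto": toks[2], "global": glob, "gport": gport,
            "foreign": foreign, "fport": fport}

def audit(cmds):
    """Return (severity, message) findings; the severity labels are this example's own."""
    out = []
    levels = interface_levels(cmds)
    if levels.get("outside") != 0 or levels.get("inside") != 100:
        out.append(("high", "outside/inside security levels are not 0/100"))
    for toks in cmds.get("snmp-server", []):
        if toks[1] == "community":
            out.append(("medium", f"SNMP community '{toks[2]}' travels in cleartext (v1/v2c)"))
    hosts = [t[1] for t in cmds.get("telnet", [])]
    if hosts:
        out.append(("medium", "unencrypted Telnet management allowed from " + ", ".join(hosts)))
    for toks in cmds.get("nat", []):
        if toks[2] == "0":
            out.append(("info", f"nat 0 on {toks[1]}: its addresses pass untranslated"))
    statics = {t[3] for t in cmds.get("static", [])}        # global (outside) addresses
    for toks in cmds.get("conduit", []):
        c = parse_conduit(toks)
        if c["action"] != "permit":
            continue
        port = c["gport"] or "all ports"
        if c["global"] == "any":
            out.append(("high", f"conduit opens {port}/{c['proto']} on every global address"))
        elif c["global"] not in statics:
            out.append(("medium", f"conduit for {c['global']} has no matching static"))
        if c["foreign"] == "any":
            out.append(("info", f"{port}/{c['proto']} on {c['global']} is reachable from any source"))
    return out

def audit_text(text=PIX_CONFIG):
    return audit(parse_pix_config(text))
```

Run against the embedded excerpt, `audit_text()` reports the cleartext SNMP community, the three Telnet management hosts, the untranslated accounting interface, the http, ftp and smtp services on the three public statics that are reachable from any source, and the sqlnet conduit whose global side is `any`. The static cross-check stays silent here because every conduit host has a matching static; feed it a conduit for an address with no static and it is reported. The security-level parser tolerates both `security50` and `security 50`, since listings in print and extracted text differ on that spacing.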
