Protect Your PIX - Page 2

By Cisco Press | Posted Oct 3, 2001
Page 2 of 5   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

The configuration of the primary PIX follows. This section discusses the changes made to this configuration after the listing. The blank lines were added for clarity.

 hostname pixfirewall

 enable password enablepass encrypted
 passwd password encrypted

 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 nameif ethernet2 public security 50
 nameif ethernet3 accounting security 60

 interface ethernet0 auto
 interface ethernet1 auto
 interface ethernet2 auto
 interface ethernet3 auto

 ip address outside
 ip address inside
 ip address public
 ip address accounting

 fixup protocol http 80
 fixup protocol http 10120
 fixup protocol http 10121
 fixup protocol http 10122
 fixup protocol http 10123
 fixup protocol http 10124
 fixup protocol http 10125
 fixup protocol ftp 21
 fixup protocol ftp 10126
 fixup protocol ftp 10127

 failover active
 failover link failover

 no rip inside passive
 no rip outside passive
 no rip public passive
 no rip accounting passive
 no rip inside default
 no rip outside default
 no rip public default
 no rip accounting default

 pager lines 24

 aaa-server TACACS+ (inside) host thekey timeout 20
 aaa authentication include any outbound 0 0 0 0 TACACS+
 aaa authorization include any outbound 0 0 0 0 TACACS+
 aaa accounting include any outbound 0 0 0 0 TACACS+
 aaa authentication serial console TACACS+

 snmp-server community ourbigcompany
 snmp-server location Seattle
 snmp-server contact Mark Newcomb Andrew Mason
 snmp-server host inside
 snmp-server enable traps

 logging on
 logging host
 logging trap 7
 logging facility 20
 no logging console

 outbound limit_acctg deny
 outbound limit_acctg except
 outbound limit_acctg permit
 outbound limit_acctg permit
 apply (accounting) limit_acctg outgoing_dest

 access-list acct_pub permit host
 access-list acct_pub deny
 access-group acct_pub in interface public


 url-server (inside) host timeout 30
 url-server (inside) host
 filter url http 0 0 0 0

 global (outside) 1
 global (outside) 1
 nat (inside) 1 0 0
 nat (inside) 1 0 0
 nat (inside) 1 0 0
 nat (public) 1 0 0
 nat (accounting) 0 0 0

 static (public, outside)
 static (public, outside)
 static (public, outside)

 conduit permit tcp host eq http any
 conduit permit tcp host eq ftp any
 conduit permit tcp host eq smtp any
 conduit permit tcp any eq sqlnet host

 route outside 0 0 1
 route inside 1
 route inside 1
 route inside 1
 route public
 route accounting 1

 arp timeout 7200

 mtu inside 1500
 mtu outside 1500
 mtu public 1500
 mtu accounting 1500

 clear xlate
 write mem
 write standby

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter