Setting up a PIX 501 from scratch

Discussion in 'Cisco' started by Dave, Feb 10, 2006.

  1. Dave

    Dave Guest

    Hi all,

    I'm setting up a shiny new (to me) PIX 501, and I need it set up as

    1. I have 64 usable public IP's

    2. I'll need one internal NAT subnet,, with the router
    using one of the public IP's

    3. Outbound traffic from NAT LAN clients will be PAT'd through the
    router's WAN address (I'm used to calling this NAT, but it seems PAT is
    the correct term in the cisco lexicon)

    4. DHCP pool on the LAN, starting at

    5. Two servers computers on the LAN, for which I'd like to set up a few
    one-to-one mappings, using two of my 64 public IP's. I want to deny all
    trafiic except that necessary for server processes (mail, web, etc).
    So, for example, maps to, but only allows
    inbound traffic on ports 25, 110, and 143. And maps to, but only allows inbound traffic on ports 80 and 443.

    6. I'd also like to have some commands at the ready to set up and
    remove future one-to-one mappings and rules for allowing/denying
    network traffic.

    I grabbed a sample config file from the cisco support website, modified
    it, as shown below. Can anyone tell me if I've got this right? I'm not
    sure of the syntax for the inbound server services (not the '?'s, nor
    do I know how to create the DHCP pool.

    Any help appreciated!!

    My Config file:


    Building configuration...
    : Saved
    PIX Version 5.3(1)
    nameif gb-ethernet0 outside security0
    nameif gb-ethernet1 inside security100
    nameif ethernet0 intf2 security10
    nameif ethernet1 intf3 security15
    enable password <myPassword_here> encrypted
    passwd <myPassword_here> encrypted
    hostname firewall
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060

    !--- Create an access list to allow pings out
    !--- and return packets back in.
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded
    access-list 100 permit icmp any any unreachable

    !--- Allows anyone on the Internet to connect to
    !--- servers for listed services only.
    access-list 100 permit tcp any host eq smtp, pop3, imap,
    access-list 100 permit tcp any host eq www, ???
    pager lines 24

    !--- Enable logging.
    logging on
    no logging timestamp
    no logging standby
    no logging console
    no logging monitor

    !--- Enable error and more severe syslog messages
    !--- to be saved to the local buffer.
    logging buffered errors

    !--- Send notification and more severe syslog messages
    !--- to the syslog server.
    logging trap notifications
    no logging history
    logging facility 20
    logging queue 512

    !--- Send syslog messages to a syslog server
    !--- on the inside interface.
    logging host inside

    !--- All interfaces are shutdown by default.
    interface gb-ethernet0 1000auto
    interface gb-ethernet1 1000auto
    interface ethernet0 auto shutdown
    interface ethernet1 auto shutdown
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    mtu intf3 1500

    !--- set up PIX interfaces:
    ip address outside
    ip address inside
    ip address intf2
    ip address intf3
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside
    failover ip address inside
    failover ip address intf2
    failover ip address intf3
    arp timeout 14400

    !--- Define a Network Address Translation (NAT) pool that
    !--- internal hosts use when going out to the Internet.
    !--- commented out for now, using PAT only, below:
    !--- global (outside) 1

    !--- Define a Port Address Translation (PAT) address:
    global (outside) 1

    !--- Allow all internal hosts to use
    !--- the NAT or PAT addresses specified above.
    nat (inside) 1 0 0

    !--- Define a static translation for the mailserver
    !--- to be accessible from the Internet.
    static (inside,outside)
    netmask 0 0

    !--- Define a static translation for the
    !--- webserver to be accessible from the Internet.
    static (inside,outside)
    netmask 0 0

    !--- Apply access list 100 to the outside interface.
    access-group 100 in interface outside

    !--- Define a default route to the ISP's router.
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00
    h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    isakmp identity hostname

    !--- Allow the host to be able to
    !--- Telnet to the inside of the PIX.
    telnet inside
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    : end
    Dave, Feb 10, 2006
    1. Advertisements

  2. Dave

    Peter Guest

    Why not use the GUI??
    Peter, Feb 10, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.