Last Updated: Friday, 27 February 2009 By: Steve Warner

Example Configs

Cisco PIX Firewall Config Example 6.3(1)

PIX (520)

: Saved
:
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 auto
interface ethernet3 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 server security20
nameif ethernet3 lab security60
enable password PASSWD encrypted
passwd PASSWD encrypted
hostname pix
domain-name cdcentre.demon.co.uk
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.16.0.0 BDSLTD_LAN
name 172.16.0.10 BDSLTD
name 172.16.0.11 SONIC
name 194.42.224.0 NETCOM
name 194.42.224.130 NETCOM_DNS1
name 158.152.0.0 DEMON
name 158.152.1.65 DEMON_DNS1
name 172.16.0.54 DRAWBRIDGE
name 194.42.236.3 NETCOM_MAIL1
name 194.42.236.2 NETCOM_MAIL0
name 172.16.0.28 BACKUP
name 172.16.0.254 GATEWAY
name 172.18.0.40 RICHARD
name 198.108.1.26 MERIT_SMTP
name 172.18.0.21 SIMON1
name 172.16.0.27 GONZO
name 172.18.0.100 DARREN
name 172.18.0.110 TREV_LAPTOP
name 172.20.0.0 LAB_LAN
name 172.18.0.0 WIRELESS_LAN
name 172.17.0.0 SERVER_LAN
name 172.18.0.130 CHUMLEY
name 172.24.0.0 DARREN_LAN1
name 192.168.200.0 TREV_LAN
name 172.24.148.0 DARREN_LAN3
name 172.24.1.0 DARREN_LAN2
name 172.20.0.252 WIRELESS_AP
name 194.168.8.100 NTL_DNS2
name 194.168.4.100 NTL_DNS1
name 192.168.100.0 CABLEMODEM_LAN
name 213.162.97.77 JTN_SMTP1
name 213.162.97.76 JTN_SMTP2
name 213.162.97.75 JTN_SMTP3
name 10.152.62.210 CABLEMODEM
name 66.220.63.9 GROUPSTUDY_SMTP
name 216.91.57.132 ISPLISTS_SMTP
name 172.16.0.157 EDONKEY
name 172.16.0.33 ESP
name 172.17.0.20 WWW.MUSIC
object-group service EXTERNAL_ACCESS tcp
  description Access from external sites
  port-object eq ftp
  port-object eq ssh
  port-object eq ftp-data
  port-object eq pop3
  port-object eq nntp
  port-object eq www
object-group service TERMINAL_SERVICES tcp
  description Microsoft Terminal Services
  port-object eq 3389
object-group service NETBIOS udp
  port-object eq netbios-ns
  port-object eq netbios-dgm
  port-object eq 139
object-group service SMTP tcp
  description SMTP access
  port-object eq ident
  port-object eq smtp
object-group network DNS
  network-object host NETCOM_DNS1
  network-object host BDSLTD
  network-object host NTL_DNS1
  network-object host NTL_DNS2
object-group service MSN tcp
  port-object eq 1863
object-group network MAIL
  network-object host NETCOM_MAIL0
  network-object host NETCOM_MAIL1
  network-object host MERIT_SMTP
  network-object host JTN_SMTP1
  network-object host JTN_SMTP2
  network-object host JTN_SMTP3
  network-object host LARABEE
  network-object host GROUPSTUDY_SMTP
  network-object host ISPLISTS_SMTP
access-list outside_in permit tcp any any eq h323 
access-list outside_in permit tcp any any eq 7777 
access-list outside_in permit tcp any any eq 7778 
access-list outside_in permit udp any any eq 7777 
access-list outside_in permit tcp any any eq www 
access-list outside_in permit tcp host LARABEE any object-group EXTERNAL_ACCESS 
access-list outside_in permit udp any any eq 1718 
access-list outside_in permit udp any any eq 1719 
access-list outside_in permit tcp object-group MAIL any object-group SMTP 
access-list outside_in permit icmp any any echo-reply 
access-list outside_in permit icmp any any echo 
access-list outside_in permit icmp any any time-exceeded 
access-list outside_in permit icmp any any unreachable 
access-list inside_out deny udp any any eq netbios-ns 
access-list inside_out permit ip any any 
access-list NoNat permit ip BDSLTD_LAN 255.248.0.0 DARREN_LAN3 255.255.255.0 
access-list NoNat permit ip BDSLTD_LAN 255.248.0.0 DARREN_LAN1 255.255.255.240 
access-list NoNat permit ip BDSLTD_LAN 255.248.0.0 DARREN_LAN2 255.255.255.248 
access-list NoNat permit ip BDSLTD_LAN 255.248.0.0 TREV_LAN 255.255.254.0 
access-list NoNat permit ip BDSLTD_LAN 255.248.0.0 CABLEMODEM_LAN 255.255.255.0 
access-list NoNat permit ip BDSLTD_LAN 255.248.0.0 BDSLTD_LAN 255.248.0.0 
access-list 2 permit ip BDSLTD_LAN 255.248.0.0 TREV_LAN 255.255.254.0 
access-list 3 permit ip BDSLTD_LAN 255.248.0.0 DARREN_LAN3 255.255.255.0 
access-list 3 permit ip BDSLTD_LAN 255.248.0.0 DARREN_LAN1 255.255.255.240 
access-list 3 permit ip BDSLTD_LAN 255.248.0.0 DARREN_LAN2 255.255.255.248 
access-list oustside_in permit ip host CHUMLEY host SONIC 
access-list oustside_in permit tcp any host SONIC object-group TERMINAL_SERVICES 
access-list NoNatLab permit ip BDSLTD_LAN 255.248.0.0 BDSLTD_LAN 255.248.0.0 
access-list NoNatServer permit ip BDSLTD_LAN 255.248.0.0 BDSLTD_LAN 255.248.0.0 
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging host inside GONZO
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo-reply inside
icmp permit any echo inside
icmp permit any echo-reply server
icmp permit any echo server
icmp permit any echo lab
icmp permit any echo-reply lab
mtu outside 1500
mtu inside 1500
mtu server 1500
mtu lab 1500
ip address outside dhcp setroute
ip address inside GATEWAY 255.255.255.0
ip address server 172.17.0.254 255.255.255.0
ip address lab 172.20.0.253 255.255.255.0
ip audit name idsinfo info action alarm
ip audit name idsattack attack action alarm drop reset
ip audit interface outside idsinfo
ip audit interface outside idsattack
ip audit info action alarm
ip audit attack action alarm drop reset
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address server
no failover ip address lab
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNat
nat (inside) 1 BDSLTD_LAN 255.255.255.0 0 0
nat (server) 0 access-list NoNatServer
nat (server) 1 SERVER_LAN 255.255.255.0 0 0
nat (lab) 0 access-list NoNatLab
nat (lab) 1 WIRELESS_LAN 255.255.255.0 0 0
nat (lab) 1 LAB_LAN 255.255.0.0 0 0
alias (inside) 80.5.156.246 WWW.MUSIC 255.255.255.255
alias (lab) 80.5.156.246 WWW.MUSIC 255.255.255.255
static (inside,outside) tcp interface 7777 172.16.0.52 7777 netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface 7778 172.16.0.52 7778 netmask 255.255.255.255 0 0 
static (inside,outside) udp interface 7777 172.16.0.52 7777 netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface h323 172.16.0.253 h323 netmask 255.255.255.255 0 0 
static (inside,outside) udp interface 1718 172.16.0.253 1718 netmask 255.255.255.255 0 0 
static (inside,outside) udp interface 1719 172.16.0.253 1719 netmask 255.255.255.255 0 0 
static (server,outside) tcp interface ftp WWW.MUSIC ftp netmask 255.255.255.255 0 0 
static (server,outside) tcp interface pop3 172.17.0.10 pop3 netmask 255.255.255.255 0 0 
static (server,outside) tcp interface smtp 172.17.0.10 smtp netmask 255.255.255.255 0 0 
static (server,outside) tcp interface ident 172.17.0.10 ident netmask 255.255.255.255 0 0 
static (server,outside) tcp interface nntp 172.17.0.30 nntp netmask 255.255.255.255 0 0 
static (server,outside) udp interface 139 WWW.MUSIC 139 netmask 255.255.255.255 0 0 
static (server,outside) udp interface netbios-dgm WWW.MUSIC netbios-dgm netmask 255.255.255.255 0 0 
static (server,outside) udp interface netbios-ns WWW.MUSIC netbios-ns netmask 255.255.255.255 0 0 
static (server,outside) tcp interface 2000 172.17.0.200 www netmask 255.255.255.255 0 0 
static (server,outside) tcp interface ssh WWW.MUSIC ssh netmask 255.255.255.255 0 0 
static (server,outside) tcp interface www WWW.MUSIC www netmask 255.255.255.255 0 0 
access-group outside_in in interface outside
route outside CABLEMODEM 255.255.255.255 192.168.100.1 1
route lab BDSLTD_LAN 255.248.0.0 172.20.0.254 1
route lab WIRELESS_LAN 255.255.255.0 172.20.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ (inside) host BDSLTD r0ckwe11 timeout 5
aaa-server TACACS+ (server) host 172.17.0.10 r0ckwe11 timeout 5
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
aaa-server Auth protocol tacacs+ 
aaa authentication telnet console TACACS+
aaa authentication http console TACACS+
ntp server BDSLTD source inside
ntp server DRAWBRIDGE source inside
ntp server 195.40.0.250 source outside
ntp server GONZO source inside
ntp server 195.40.1.250 source outside
http server enable
http SONIC 255.255.255.255 inside
http ESP 255.255.255.255 inside
http CHUMLEY 255.255.255.255 lab
snmp-server host inside BDSLTD
snmp-server host inside GONZO poll
snmp-server host inside ESP poll
snmp-server host inside DRAWBRIDGE poll
snmp-server host server WWW.MUSIC poll
snmp-server location -STEVE WARNER- UK - 07966 425252
snmp-server contact Steve Warner
snmp-server community public
no snmp-server enable traps
tftp-server inside GONZO bdsltd.pix
floodguard enable
sysopt connection timewait
sysopt connection permit-ipsec
sysopt noproxyarp outside
sysopt noproxyarp inside
sysopt noproxyarp server
sysopt noproxyarp lab
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto map bdsltd 2 ipsec-isakmp
crypto map bdsltd 2 match address 2
crypto map bdsltd 2 set peer Trev_Pix
crypto map bdsltd 2 set transform-set ESP-DES-SHA
crypto map bdsltd 3 ipsec-isakmp
crypto map bdsltd 3 match address 3
crypto map bdsltd 3 set peer Darren_Pix
crypto map bdsltd 3 set transform-set ESP-DES-SHA
crypto map bdsltd client configuration address initiate
crypto map bdsltd client configuration address respond
crypto map bdsltd interface outside
isakmp enable outside
isakmp key ******** address Darren_Pix netmask 255.255.255.255 
isakmp key ******** address Trev_Pix netmask 255.255.255.255 
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 600
telnet SONIC 255.255.255.255 inside
telnet BDSLTD 255.255.255.255 inside
telnet GONZO 255.255.255.255 inside
telnet WWW.MUSIC 255.255.255.255 server
telnet 172.17.0.30 255.255.255.255 server
telnet CHUMLEY 255.255.255.255 lab
telnet timeout 15
ssh GONZO 255.255.255.255 inside
ssh BDSLTD 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 172.16.0.128-172.16.0.240 inside
dhcpd dns NTL_DNS1 NTL_DNS2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain cdcentre.demon.co.uk
terminal width 80
banner exec OK, I'll let you in. But I'm watching you
banner login *****************************************
banner login Unauthorised Access is Prohibited
banner login *****************************************
Cryptochecksum:
: end
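The listing above is a verbatim saved config, so it carries the kind of mistakes that a PIX silently accepts: an access-list name mistyped on the CLI (`oustside_in`) creates a second, never-applied ACL, and `inside_out` is also defined but never bound with `access-group`. What the Internet can actually reach is the intersection of the `outside_in` entries and the port `static` translations. The script below is an added example, not code from the original page or its author; it tokenises a PIX 6.x config and performs those checks. SAMPLE_CONFIG is a constructed, shortened excerpt of the config above (the host names, ports and the typo are the page's; the excerpt omits most lines).

```python
"""Audit a saved Cisco PIX 6.x config and list what it exposes on 'outside'.

Added example, not code from the original page. SAMPLE_CONFIG is a constructed,
shortened excerpt of the listing above; the checks mirror what a reviewer does by
hand: unbound ACLs, weak management/IKE settings, outside ACL joined to statics.
"""

SAMPLE_CONFIG = """\
name 172.17.0.20 WWW.MUSIC
object-group service EXTERNAL_ACCESS tcp
  port-object eq pop3
  port-object eq www
access-list outside_in permit tcp any any eq 7777
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp host LARABEE any object-group EXTERNAL_ACCESS
access-list outside_in permit tcp object-group MAIL any eq smtp
access-list inside_out deny udp any any eq netbios-ns
access-list NoNat permit ip 172.16.0.0 255.248.0.0 172.16.0.0 255.248.0.0
access-list oustside_in permit tcp any host SONIC eq 3389
nat (inside) 0 access-list NoNat
static (inside,outside) tcp interface 7777 172.16.0.52 7777 netmask 255.255.255.255 0 0
static (server,outside) tcp interface pop3 172.17.0.10 pop3 netmask 255.255.255.255 0 0
static (server,outside) tcp interface smtp 172.17.0.10 smtp netmask 255.255.255.255 0 0
static (server,outside) tcp interface www WWW.MUSIC www netmask 255.255.255.255 0 0
access-group outside_in in interface outside
snmp-server community public
telnet SONIC 255.255.255.255 inside
isakmp policy 1 encryption des
isakmp policy 1 hash md5
"""


def parse(text):
    """Tokenise non-empty lines; PIX comment lines start with ':'."""
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]

def port_groups(lines):
    """Map each 'object-group service' name to its port-object ports."""
    groups, cur = {}, None
    for tok in lines:
        if tok[:2] == ["object-group", "service"]:
            cur, groups[tok[2]] = tok[2], []
        elif tok[0] == "port-object" and cur:
            groups[cur].append(tok[-1])
        elif tok[0] != "description":
            cur = None
    return groups

def unbound_acls(lines):
    """ACLs defined but never referenced by access-group, 'nat 0 access-list' or a
    crypto map 'match address'; an ACL name mistyped on the CLI lands here."""
    defined = {tok[1] for tok in lines if tok[0] == "access-list"}
    refs = {tok[1] for tok in lines if tok[0] == "access-group"}
    for tok in lines:
        for i in range(1, len(tok) - 1):
            if tok[i] == "access-list" or tok[i - 1:i + 1] == ["match", "address"]:
                refs.add(tok[i + 1])
    return sorted(defined - refs)

def weak_settings(lines):
    """Management and IKE settings a hardening review would reject."""
    out = []
    for tok in lines:
        if tok[:2] == ["snmp-server", "community"] and tok[2] in ("public", "private"):
            out.append(f"default SNMP community '{tok[2]}'")
        elif tok[0] == "telnet" and tok[1] != "timeout":
            out.append(f"cleartext telnet management from {tok[1]} on {tok[3]}")
        elif tok[:2] == ["isakmp", "policy"] and tok[3:] in (["encryption", "des"], ["hash", "md5"]):
            out.append(f"IKE policy {tok[2]} uses {tok[4].upper()}")
    return out

def _addr(tok, i):
    """Consume 'any', 'host X', 'object-group G' or 'NET MASK' starting at tok[i]."""
    return ("any", i + 1) if tok[i] == "any" else (f"{tok[i]} {tok[i + 1]}", i + 2)

def exposed_services(lines):
    """Join the ACL bound to 'outside' with the port statics published on the
    outside interface; returns (proto, port, real_host, permitted_source)."""
    names = {tok[2]: tok[1] for tok in lines if tok[0] == "name"}
    groups = port_groups(lines)
    bound = {tok[1] for tok in lines if tok[0] == "access-group" and tok[-1] == "outside"}
    statics = {(tok[2], tok[4]): names.get(tok[5], tok[5]) for tok in lines if tok[0] == "static"
               and tok[1].endswith(",outside)") and tok[2] in ("tcp", "udp")}
    exposed = []
    for tok in lines:
        if tok[0] != "access-list" or tok[1] not in bound \
                or tok[2:4] not in (["permit", "tcp"], ["permit", "udp"]):
            continue
        proto, (src, i) = tok[3], _addr(tok, 4)
        _dst, i = _addr(tok, i)
        if i >= len(tok):                 # no port clause: every static of that proto
            ports = [p for pr, p in statics if pr == proto]
        else:                             # 'eq PORT' or 'object-group SERVICE_GROUP'
            ports = [tok[i + 1]] if tok[i] == "eq" else groups.get(tok[i + 1], [])
        exposed += [(proto, p, statics[proto, p], src) for p in ports if (proto, p) in statics]
    return exposed

if __name__ == "__main__":
    for fn in (unbound_acls, weak_settings, exposed_services):
        print(fn.__name__, fn(parse(SAMPLE_CONFIG)))
```

Run against the excerpt, `unbound_acls` reports `inside_out` and `oustside_in`, which is exactly the state of the full listing: the RDP (3389) and CHUMLEY-to-SONIC entries are never enforced because of the typo, and the `inside_out` netbios-ns deny does nothing because no `access-group ... in interface inside` exists. `weak_settings` flags the `public` SNMP community, every telnet source and the DES/MD5 IKE policy, all present verbatim above. `exposed_services` shows that from any Internet address the config publishes tcp/7777 to 172.16.0.52 and www to WWW.MUSIC, while pop3 and smtp to 172.17.0.10 are reachable only from the listed mail and LARABEE sources.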


Copyright © 2001 - 2017. All trademarks acknowledged.
Hosted by NETconf Limited