topic Re: Cisco PIX 515E Configuration in Network Security

Cisco PIX 515E Configuration

sothearith.chanty — Fri, 21 Feb 2020 08:05:23 GMT

Dear All,

I got one problem with new Cisco PIX515E with 2 Fast Ethernet. Let me explain about my scenario:

LAN->Switch->PIX515E->Internet(DSL)

-LAN: Private IP (192.168.1.0/24)

-Switch: Private IP (192.168.1.253/24)

-PIX515E: (outside)registered ip address: xxx.xxx.xxx.xxx & (inside)private ip address: 192.168.1.254/24

With these above scenario, I've 500 users behind my PIX and all those 500 users need to access to internet, mail, and ftp.

I've already configured with the PDM v3.0 with IOS v.6.3(4) but it is not working.

So anybody can help me by explain me step-by-step about this above issue?

Thank you in advanced,

Sothearith Chanty.

Re: Cisco PIX 515E Configuration

jmia — Mon, 18 Apr 2005 10:15:56 GMT

Sothearith,

Can you post your current pix config please, make sure to take out any sensitive info.

Jay

Re: Cisco PIX 515E Configuration

sothearith.chanty — Tue, 19 Apr 2005 01:29:14 GMT

Hi Jay,

Thank you for your help, here is my pix config.

===============================================

PIX Version 6.3(4)

interface ethernet0 auto shutdown

interface ethernet1 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx encrypted

passwd xxxx

encrypted

hostname pixfirewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside x.x.x.yyy xxx.xxx.xxx.xxx

ip address inside 192.168.1.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

pdm history enable

arp timeout 14400

timeout xlate

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.5 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxxx

: end

===============================================

Actually, I got only one registerd ip address and now already assigned to the outside interface of my pix.

Thank you,

Sothearith Chanty.

Re: Cisco PIX 515E Configuration

mhussein — Tue, 19 Apr 2005 02:38:05 GMT

Hi,

What is missing here is the translation configuration. Use "nat" command to tell the pix what private ip addresses should be translated to access the internet; and the "global" command to specify the public ip address used for translation. In this case the pix outside ip address will be used for translation. Configure:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

# here, any inside ip address (0.0.0.0 0.0.0.0) is translated to the public ip address of the outside interface.

Also, you need a default route. Configure:

route outside 0.0.0.0 0.0.0.0 x.x.x.x

where x.x.x.x is the ip address of the dsl router.

Please let us know if that helped or if you have questions.

Regards,

Mustafa

Re: Cisco PIX 515E Configuration

jmia — Tue, 19 Apr 2005 06:35:55 GMT

Sothearith,

As per Mustafa's post, you need the 'nat' and 'global' statements plus the route outside command.

If you only have the one public IP address and need to allow SMTP or other service access to the inside interface you can do so as follows:

(in config mode)

> access-list smtp permit tcp any host eq smtp

> access-group smtp in interface outside

> static (inside,outside) tcp interface smtp smtp netmask 255.255.255.255 0 0

Save with : write mem and also issue command: clear xlate

NOTE: That public ip address for smtp should correspond to your mail MX record ip address!!

Hope this helps and please rate post if it does.

Jay

Re: Cisco PIX 515E Configuration

sothearith.chanty — Tue, 19 Apr 2005 08:13:11 GMT

Hi All,

Thanks all of you, but I'm thinking that you are confusing with my explaination, let me explain you again about my scenario:

-I got only one registered ip address which is provided by my local ISP.

-The connection from my office to my ISP is using ADSL (connected with line phone with ADSL modem, and from that ADSL modem there is one UTP port which I can connect cross-cable to my Fast Ethernet 0 (outside) of my Cisco PIX 515E)

-From the Fast Ethernet 1 (inside) of my Cisco PIX 515E is connected to my LAN's Switch and all my internal users are connected to this switch too.

-I have no routing device

-Here is my registered ip address configuration which have to assign to the outside interface of my current Cisco PIX (Fast Ethernet0):

IP: 203.144.66.144/26

Default Gateway: 203.144.66.129 (server of my ISP)

DNS1: 203.144.65.2

DNS2: 210.80.58.66

-The inside ip's address of Cisco PIX 515E (Fast Ethernet 1) will assign with the private network address:

IP: 192.168.0.1/24

With the above configuration I have to allow the internal clients access to internet, mail and ftp.

I'm new to manage this cisco pix, I've read some book only and then I start configure it. I'm very serious with this work, because I must get it done otherwise will be big problem for me.

Please help me if you can.

Thank you again.

Sothearith Chanty.

Re: Cisco PIX 515E Configuration

mhussein — Tue, 19 Apr 2005 10:07:38 GMT

Hi Sothearith,

The configs above should work with your requirements. Have you tried configuring:

pix(config)#nat (inside) 1 0.0.0.0 0.0.0.0

pix(config)#global (outside) 1 interface

pix(config)#route outside 0.0.0.0 0.0.0.0 x.x.66.129 <-- replace this ip with the ISP default gateway

This config allows internet access for all local hosts on 192.168.0.1/24, using a single public ip address.

Moreover, as per Jay's suggestion above, you can add smtp, web, and http servers all utilizing the same single public ip address.

Does that help at all?

Re: Cisco PIX 515E Configuration

matjing — Tue, 19 Apr 2005 11:07:17 GMT

Hey,

start by changing:

interface ethernet0 auto shutdown

interface ethernet1 auto shutdown

to:

interface ethernet0 auto

interface ethernet1 auto

By default the interfaces are shutdown.

Then do what every one else has been telling you to do namely:

global (outside) 1

netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 x.x.x.x <= IP of your dsl device.

The global outside can also be implemented like mhussein put it a while back.

---

pdm is fairly straight forward. To access it from your network, try the following commands:

http server enable

http 192.168.1.0 255.255.255.0 inside

pdm location 192.168.1.0 255.255.255.0 inside

then access https://192.168.1.254

That should work for the PDM. Infact its probably working but you're not using (ssl) https to access it.

Have fun.

**J.G