02-06-2001 10:03 AM - edited 02-20-2020 09:46 PM
We have just purchased a PIX 506 firewall. It will be connected to an ISP through a DSL connection. I am looking for any suggestions and "hind" sight that anyone might have in the configuration. There will be less than 20 users behind it.
02-12-2001 06:55 AM
Here are a few tips that should help you out:
Reserve some network addresses for statics. Don't put all your addresses in the global pool. It makes it easier to administer later.
Turn on Port Address Translation (PAT). Add another global one with just a single address for PAT. When you run out of addresses in your global pool, PAT will take over and allow basic web, ftp, mail, etc. functionality. Even if you think you have enough addresses now, just turn it on in case your company grows.
Keep it as tight as possible. Any time you open conduits through the firewall, you are opening up vulnerabilities to the network.
Hard set your interface speed. Auto detect can cause problems with some routers and switches.
Use the latest General Deployment PIX code. Avoid Early Deployment unless you have to have a feature in that particular code. On the download site, these are listed as GD and ED. I am a strong believer in if it's not broken, don't fix it. Don't just upgrade code without having a specific reason to do so.
Hope this helps. Did I miss any?
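The tips in the reply above, sketched as a PIX configuration fragment in the conduit-era command syntax. This is an added example, not configuration posted by anyone in the thread; every address, the interface speeds and the mail host are constructed placeholders (192.0.2.0/28 standing in for the ISP-assigned block, 10.1.1.0/24 for the inside network).

```cisco
: Constructed example values throughout; substitute the ISP-assigned block.

: Hard-set speed and duplex instead of "auto"; the values must match
: what the attached modem/router and switch ports are set to.
interface ethernet0 10baset
interface ethernet1 10full

nameif ethernet0 outside security0
nameif ethernet1 inside security100

ip address outside 192.0.2.2 255.255.255.240
ip address inside 10.1.1.1 255.255.255.0

: Translate all inside hosts using NAT ID 1.
nat (inside) 1 0.0.0.0 0.0.0.0

: Dynamic pool: only part of the public block, so addresses remain
: free for statics.
global (outside) 1 192.0.2.5-192.0.2.9

: Second global with a single address under the same NAT ID: PAT is
: used once the pool above is exhausted.
global (outside) 1 192.0.2.10

: One reserved address mapped to an inside server (hypothetical mail
: host 10.1.1.10), kept out of the pool and PAT ranges above.
static (inside,outside) 192.0.2.4 10.1.1.10 netmask 255.255.255.255

: Keep conduits tight: one host, one port, nothing broader.
conduit permit tcp host 192.0.2.4 eq smtp any
```

`show conduit`, `show static` and `show xlate` list what is currently opened and translated, which makes it easy to confirm that nothing wider than intended is exposed.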
02-12-2001 02:08 PM
Let me know if you get mail working through the DSL/506.
I have an implementation that is giving me fits.
We can send mail, but not receive. The other suggestions all make sense, especially the global pool config. Have fun.