Simple PIX Config

swilk
Level 1

I am trying to set up a PIX in a test environment and cannot get it to do what I am wanting. I have a PIX515E with 4 interfaces, outside, inside, Net1 and Net2. This is going to go in a branch location that has 2 VLANs, 199.8.108.0 and 199.8.109.0. I am wanting to assign an IP address of 199.8.108.254 to Net1 and 199.8.109.254 to Net2. The outside interface IP address will be assigned by the ISP. For right now I will not have anything connected to the inside interface (I will be using this for future server protection). I basically want the firewall in place for VPN connections with my PIX525 at the main location. I want the PIX515E completely open between Net1 and Net2 as well as the outside world. Sounds simple .... but I cannot get it to work for the life of me. Could someone post a simple config that should do what I want it to do?

2 Replies

tvanginneken
Level 4

Hi,

are you already using PIX v7?

If you are, assign the outside, net1 and net2 the same security level.

Then apply this command:

same-security-traffic permit inter-interface.

This should allow the traffic. Please be aware of the fact that this config opens your firewall completely between the 3 networks. Don't forget to assign the inside interface a higher security level.

Hope this helps.

Kind Regards,

Tom
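An added example, not part of Tom's reply or of the original thread, showing the PIX 7.x configuration he describes. The Net1/Net2 addresses are the ones the original poster gave; the hostname, the inside subnet, the choice of security level 50 for the three open interfaces, and DHCP on the outside interface are assumptions for illustration.

```text
! Added example (not from the thread): PIX 7.x, three interfaces at the
! same security level, opened to each other with one command.
hostname pixfirewall
!
interface Ethernet0
 nameif outside
 security-level 50
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
 nameif Net1
 security-level 50
 ip address 199.8.108.254 255.255.255.0
!
interface Ethernet3
 nameif Net2
 security-level 50
 ip address 199.8.109.254 255.255.255.0
!
! Interfaces that share a security level drop each other's traffic
! unless this is set. Only outside, Net1 and Net2 are at 50, so inside
! (100) stays protected: nothing reaches it from the other three until
! an access-list or a translation says so.
same-security-traffic permit inter-interface
!
! 7.x default: no translation is required for a packet to pass, so the
! routed 199.8.108.0/24 and 199.8.109.0/24 need no static or nat lines.
no nat-control
!
! Make ICMP stateful so pings through the box get their replies back.
! (Added to the default global_policy / inspection_default class.)
policy-map global_policy
 class inspection_default
  inspect icmp
```

Note that "completely open" here includes inbound from the ISP side: with outside at the same level as Net1 and Net2, any host on the Internet can reach both VLANs unless an access-list on outside limits it.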

swilk
Level 1

Here is what I have for a configuration file:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 Net1 security51
nameif ethernet3 Net2 security50
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list Net1 permit ip any any
access-list Net1 permit icmp any any
access-list Net2 permit ip any any
access-list Net2 permit icmp any any
access-list outside permit ip any any
access-list outside permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu Net1 1500
mtu Net2 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 159.x.x.x.255.255.0
ip address inside 159.x.x.x.255.255.0
ip address Net1 159.218.x.x 255.255.255.0
ip address Net2 159.218.x.x.255.255.0
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address Net1
no failover ip address Net2
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
static (Net1,outside) 159.x.x.0 159.218.42.0 netmask 255.255.255.0 0 0
static (Net2,outside) 159.x.x.x.218.44.0 netmask 255.255.255.0 0 0
access-group outside in interface outside
access-group Net1 in interface Net1
access-group Net2 in interface Net2
route outside 0.0.0.0 0.0.x.x.x.45.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxx
: end

If I ping from the outside interface I can ping the router (159.x.x.254) and internet addresses. But, I cannot ping the outside interface from Net1 or Net2, nor can I ping anything off of its network. I have 42.254 and 44.254 set up on my router and I cannot ping these from Net1 or Net2 either.
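An added example, not from the original poster or from any reply, of the same three-way open layout on the poster's own release, PIX 6.3(4), which has no same-security-traffic command. Net1 (51) and Net2 (50) keep distinct security levels and are joined with identity static translations plus the permit-any access lists the posted config already applies. The subnets are the 199.8.108.0/24 and 199.8.109.0/24 from the first post; the existing outside address and default route are kept as they are, and the replacement SNMP community string is an assumed placeholder.

```text
! Added example (not from the thread): PIX 6.3 equivalent of the open
! Net1 / Net2 / outside layout, using the poster's interface names.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 Net1 security51
nameif ethernet3 Net2 security50
ip address Net1 199.8.108.254 255.255.255.0
ip address Net2 199.8.109.254 255.255.255.0
!
! 6.3 always enforces NAT control: with no translation entry, no
! connection is built in either direction. Identity statics (mapped
! address == real address) rewrite nothing but give the PIX an xlate
! for each interface pair that must forward traffic.
static (Net1,outside) 199.8.108.0 199.8.108.0 netmask 255.255.255.0 0 0
static (Net2,outside) 199.8.109.0 199.8.109.0 netmask 255.255.255.0 0 0
! Net1 <-> Net2: one static on the higher-security side covers both
! Net1 hosts going to Net2 and Net2 hosts coming in to Net1.
static (Net1,Net2) 199.8.108.0 199.8.108.0 netmask 255.255.255.0 0 0
!
! Inbound access lists; lower-to-higher traffic (outside -> Net1/Net2,
! Net2 -> Net1) only passes because these permit it. The ip entry
! already covers icmp, so the separate icmp lines in the posted
! config are redundant.
access-list outside permit ip any any
access-list Net1 permit ip any any
access-list Net2 permit ip any any
access-group outside in interface outside
access-group Net1 in interface Net1
access-group Net2 in interface Net2
!
! The posted config still carries the well-known default community
! "public"; replace it (value below is an assumed placeholder).
snmp-server community Zr7kq2vLp
!
! Verification from enable mode while a host on Net1 pings a host on
! Net2 or on the Internet:
!   show xlate        -- identity entries appear for the source hosts
!   show conn         -- the ICMP/TCP connections being built
!   show access-list  -- hit counts climb on the permit lines
!   debug icmp trace  -- per-packet ICMP path through the PIX
```

Two checks worth doing before changing anything: a PIX will not answer a ping sent to one of its interfaces from a host behind a different interface, so "cannot ping the outside interface from Net1" is expected on 6.3 and does not by itself show that forwarding is broken; test against a host beyond the interface instead. And the hosts on Net1 and Net2 must use 199.8.108.254 and 199.8.109.254 as their default gateway, otherwise the PIX never sees the packets that `show xlate` and `show conn` would report.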
