Configuring the Cisco Secure PIX Firewall with a Single Internal Network
Introduction
This sample configuration demonstrates how to set up the Cisco Secure PIX Firewall for use on a single internal network.
Before You Begin
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Prerequisites
There are no specific prerequisites for this document.
Components Used
The information in this document is based on the software and hardware versions below.
• Cisco IOS® Software Release 12.0
• Cisco PIX Firewall Software Release 5.1.2
• Cisco 3640 router
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).
Network Diagram
This document uses the network setup shown in the diagram below.
Configurations
This document uses the configurations shown below.
If you have the output of a write terminal command from your Cisco device, you can use Output Interpreter to display potential issues and fixes. To use Output Interpreter, you must be a registered customer, be logged in, and have JavaScript enabled.
• PIX Firewall Configuration
• Router Configuration
PIX Firewall Configuration

PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 209.165.200.226 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
arp timeout 14400
global (outside) 1 209.165.200.227-209.165.200.254 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet timeout 5
terminal width 80
Cryptochecksum:adffa2c4ed9043ce3e54e959acacd8d8
: end
[OK]

Router Configuration

Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R3640_out
!
username cisco password 0 cisco
!
ip subnet-zero
ip domain-name cisco.com
!
isdn voice-call-failure 0
!
interface Ethernet0/1
 ip address 209.165.200.225 255.255.255.224
 no ip directed-broadcast
!
ip classless
no ip http server
!
line con 0
 exec-timeout 0 0
 length 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
!
end
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Troubleshooting Commands
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
Note: Before issuing debug commands, please see Important Information on Debug Commands.
debug icmp trace - Shows whether ICMP requests from the hosts reach the PIX. To run this debug, you need to add the conduit permit icmp any any command to your configuration. However, when you have finished debugging, remove the conduit permit icmp any any command again: it leaves ICMP from any source permitted through the firewall, which is a security risk.
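The two points above that are easy to get wrong when adapting this configuration are the global pool (it must sit inside the outside subnet and must not include the PIX's own outside address or the router at 209.165.200.225) and the temporary conduit, which must not survive the debugging session. The script below is an added example, not Cisco code: it parses the address, nat, global and route lines of this document's PIX configuration (embedded as a constructed sample, with the debugging conduit deliberately left in) and reports those problems plus the default SNMP community string. The command syntax it understands is only the subset shown on this page.

```python
"""Audit a PIX 5.x configuration for the NAT-pool and clean-up points this document raises."""
import ipaddress
import re

# Constructed sample: the address, NAT and routing lines of this document's PIX configuration,
# with the temporary debugging conduit from the Troubleshoot section deliberately left in.
SAMPLE_PIX_CONFIG = """\
ip address outside 209.165.200.226 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 209.165.200.227-209.165.200.254 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
snmp-server community public
conduit permit icmp any any
"""

# global (<iface>) <id> <first>[-<last>] [netmask <mask>]  (only the form used on this page)
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+?)(?:-(\S+))?(?: netmask \S+)?$")


def audit_pix(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    ifaces, gateways, pools, nat_ids, global_ids, findings = {}, {}, [], set(), set(), []
    for line in text.splitlines():
        w = line.split()
        if line.startswith("ip address "):            # ip address <iface> <addr> <mask>
            ifaces[w[2]] = ipaddress.ip_interface(f"{w[3]}/{w[4]}")
        elif line.startswith("route "):               # route <iface> <net> <mask> <gateway> [metric]
            gateways[w[1]] = ipaddress.ip_address(w[4])
        elif line.startswith("nat ("):                # nat (<iface>) <id> <net> <mask> ...
            nat_ids.add(w[2])
        elif (m := GLOBAL_RE.match(line)):
            global_ids.add(m[2])
            pools.append((m[1], m[3], m[4] or m[3]))  # single address: first == last
        elif line.startswith("conduit permit icmp any any"):
            findings.append("debugging conduit 'conduit permit icmp any any' is still present")
        elif line.startswith("snmp-server community public"):
            findings.append("SNMP community string is the default 'public'")
    for nat_id in sorted(nat_ids - global_ids):       # nat without a global of the same id
        findings.append(f"nat id {nat_id} has no matching global pool; inside hosts cannot translate")
    for iface, first, last in pools:
        if iface not in ifaces:
            findings.append(f"global pool on unknown interface {iface}")
            continue
        net = ifaces[iface].network                   # e.g. 209.165.200.224/27 for the outside
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo not in net or hi not in net:
            findings.append(f"global pool {first}-{last} lies outside the {iface} subnet {net}")
        for what, addr in (("interface", ifaces[iface].ip), ("gateway", gateways.get(iface))):
            if addr is not None and lo <= addr <= hi:
                findings.append(f"global pool {first}-{last} overlaps the {iface} {what} address {addr}")
    return findings
```

Running audit_pix on the embedded sample flags only the SNMP community and the leftover conduit; the pool .227-.254 passes because it lies in 209.165.200.224/27 and excludes both .225 and .226.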
Related Information
Documentation for PIX Firewall
• PIX Command Reference
• PIX Product Support Page
• Requests for Comments (RFCs)
• Technical Support - Cisco Systems
All contents are Copyright © 1992-2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Updated: Jan 06, 2003 Document ID: 10136