PIX Configuration Overview

Source: Internet
Author: User
Tags: snmp, connection reset, domain name server, ftp port number, ftp protocol

Before configuring the PIX Firewall, let's first look at its physical features. A firewall today usually has at least three interfaces, although many early firewalls had only two. With three interfaces the firewall separates at least three networks, described below:

Internal area (Intranet): the internal area usually refers to an enterprise's internal network, or a part of it. It is the trusted zone of the interconnected network and is the part the firewall protects.

External area (Internet): the external area usually refers to the Internet, or any network that is not the enterprise's own. It is the untrusted zone of the interconnected network. When hosts in the external area want to reach hosts and services in the internal area, the firewall allows only restricted access.

Demilitarized zone (DMZ): an isolated network, or several networks, placed between the other two. Hosts or servers in the DMZ are called bastion hosts; Web servers and mail servers are typically placed there. The DMZ is generally reachable by external users, so they can access the enterprise's public information, but it does not give them access to the internal network. That is the point of the separate zone: a compromised bastion host does not by itself hand over the internal area.

Note: firewalls with two interfaces have no DMZ.

The PIX 535 is uncommon at typical enterprise scale, so the following describes the PIX 525 in an enterprise network.

The PIX Firewall provides four access modes:

Unprivileged mode. The PIX Firewall is in this mode after it boots and completes its self-test. The prompt is pixfirewall>

Privileged mode. Enter enable to reach privileged mode, where the current configuration can be changed. The prompt is pixfirewall#

Configuration mode. Enter configure terminal to reach this mode; most system configuration is done here. The prompt is pixfirewall(config)#

Monitor mode. While the PIX Firewall boots or reboots, hold down the Escape key or send a Break character to enter monitor mode. Here you can update the system image or recover a lost password. The prompt is monitor> Since monitor mode is reached from the console during boot, password recovery needs physical access to the unit, which is one reason the console port and the rack deserve the same protection as the firewall rules.

There are six basic commands for configuring the PIX Firewall: nameif, interface, ip address, nat, global, and route.

All of them are needed for a basic PIX configuration. Follow these steps:

1. Name each firewall interface and assign its security level (nameif).

Pix525(config)# nameif ethernet0 outside security0
Pix525(config)# nameif ethernet1 inside security100
Pix525(config)# nameif ethernet2 dmz security50

Tip: in the default configuration, ethernet0 is named outside with security level 0 and ethernet1 is named inside with security level 100. Any further interface must be given a level in the range 1 to 99. The larger the number, the higher the security level: by default the PIX lets connections start from a higher-level interface towards a lower-level one and blocks the reverse, which is what the static and conduit commands described later are used to override. If a new interface is added, the statement is written the same way, for example:

Pix525(config)# nameif ethernet3 intf3 security40

2. Configure the Ethernet interface parameters (interface)

Pix525(config)# interface ethernet0 auto (auto: the PIX negotiates speed and duplex with the attached switch)
Pix525(config)# interface ethernet1 100full (100full: 100 Mbit/s full duplex)
Pix525(config)# interface ethernet1 100full shutdown (shutdown: administratively disables the interface; re-enter the command without shutdown to bring it back up)

3. Configure the IP addresses of the outside and inside interfaces (ip address)

Pix525(config)# ip address outside 61.144.51.42 255.255.255.248
Pix525(config)# ip address inside 192.168.0.1 255.255.255.0

So the PIX 525's address on the Internet side is 61.144.51.42 (in a /29 block) and its intranet address is 192.168.0.1.


Steps to implement a VPN on the PIX

Configuring IPsec encryption with a pre-shared key on the PIX Firewall involves four tasks:

1. Prepare for IPsec

Preparation means settling the encryption policy in detail: which hosts and networks to protect, which authentication method to use, the details of the IPsec peers, which IPsec features are needed, and whether the existing access lists let the IPsec traffic through;

Step 1: determine the IKE policy (IKE phase 1, main mode) between the IPsec peers, based on the number and location of the peers;

Step 2: determine the IPsec policy (IKE phase 2, quick mode), including the peer details such as IP address, the IPsec transform set and the mode;

Step 3: use write terminal, show isakmp, show isakmp policy, show crypto map and the other show commands to check the current configuration;

Step 4: make sure the network works before encryption is enabled: run ping and send test traffic unencrypted to rule out basic routing faults;

Step 5: confirm that the existing access lists on the router and on the PIX Firewall let the IPsec traffic pass (UDP port 500 for IKE and IP protocol 50 for ESP), or that the traffic you intend to filter really is filtered.

2. Configure IKE: enable IKE (IKE and ISAKMP are used as synonyms here), create the IKE policy, and verify the configuration;

Step 1: use the isakmp enable command to enable (or disable) IKE on an interface;

Step 2: use the isakmp policy command to create an IKE policy;

Step 3: use the isakmp key command and related commands to configure the pre-shared key;

Step 4: run show isakmp [policy] to verify the IKE configuration.

3. Configure IPsec

IPsec configuration means creating the crypto access list, defining a transform set, creating a crypto map entry, and applying the crypto map to an interface;

Step 1: use the access-list command to build the crypto access list, which selects the traffic to be encrypted. Syntax: access-list acl_name {permit | deny} protocol src_addr src_mask [operator port [port]] dest_addr dest_mask [operator port [port]]

Step 2: use the crypto ipsec transform-set command to configure the transform set. Syntax: crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

Step 3: (optional) use the crypto ipsec security-association lifetime command to set the global lifetime of IPsec security associations;

Step 4: use the crypto map commands to configure the crypto map (match address, set peer, set transform-set);

Step 5: bind the map to an interface with crypto map map-name interface interface-name;

Step 6: use the available show commands to verify the IPsec configuration.

4. Test and verify IPsec

This task uses show, debug and related commands to test whether IPsec encryption works as intended and to troubleshoot it when it does not.

Example:

Configuration of PIX 1:

! Configure the IP address of each PIX Firewall interface
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.3 255.255.255.0
ip address dmz 192.168.11.1 255.255.255.0
! Create a global pool on the outside interface and enable NAT
global (outside) 1 192.168.1.10-192.168.1.254 netmask 255.255.255.0
! Static translation for the Windows NT server
static (inside,outside) 192.168.1.10 10.1.1.4 netmask 255.255.255.255
! The crypto access list selects the traffic between the server behind this PIX
! and the server behind the remote PIX that is to be encrypted. Source and
! destination are the global addresses of the statics, not the inside addresses
access-list 101 permit ip host 192.168.1.10 host 192.168.2.10
! Conduits permit ICMP and web access for testing
conduit permit icmp any any
conduit permit tcp host 192.168.1.10 eq www any
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
! Let IPsec-protected traffic bypass access lists, conduits and other restrictions
sysopt connection permit-ipsec
! Define a transform set using esp-des and a crypto map entry that uses IKE
crypto ipsec transform-set pix2 esp-des
crypto map peer2 10 ipsec-isakmp

Two things to watch in this listing: the static address 192.168.1.10 lies inside the global pool 192.168.1.10-192.168.1.254, so in practice the pool should start above the addresses used by statics; and esp-des is single DES, which is no longer considered secure, so use 3DES or AES where the platform supports it.

Full configuration (the public addresses are those assigned by China Telecom in the original):

ip address outside 202.105.113.194 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 202.105.113.195-202.105.113.200
global (outside) 1 202.105.113.201
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 202.105.113.203 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 202.105.113.205 192.168.1.11 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 202.105.113.203 eq www any
conduit permit tcp host 202.105.113.203 eq ftp any
conduit permit tcp host 202.105.113.205 eq smtp any
conduit permit tcp host 202.105.113.205 eq pop3 any
route outside 0.0.0.0 0.0.0.0 202.105.113.193 1
route inside 0.0.0.0 0.0.0.0 192.168.1.1

The last line is wrong as written: a PIX accepts only one default route, and 192.168.1.1 is the PIX's own inside address. Internal networks beyond 192.168.1.0/24 need specific route inside statements pointing at the internal router, as shown under the route command below.

4. Specify the inside addresses to be translated (nat)

Network Address Translation (NAT) converts the private IP addresses of the intranet into public Internet addresses. The nat command is always used together with the global command: nat selects a host or range of hosts that may access the Internet, and global supplies the address pool those hosts are translated to when they do.

nat command syntax:

nat (if_name) nat_id local_ip [netmask]

(if_name) is the name of the intranet interface, for example inside. nat_id identifies the global address pool and matches the nat_id of the corresponding global command. local_ip is the intranet address or network to be translated; 0.0.0.0 means every intranet host may access the Internet. [netmask] is the subnet mask of the intranet address.

Example 1. Pix525(config)# nat (inside) 1 0 0

Enables NAT for all intranet hosts; 0 is shorthand for 0.0.0.0.

Example 2. Pix525(config)# nat (inside) 1 172.16.5.0 255.255.255.0

Only hosts in 172.16.5.0/24 can access the Internet.

5. Specify the outside address range (global)

The global command translates intranet addresses into an Internet address or a range of Internet addresses.

global command syntax: global (if_name) nat_id ip_address[-ip_address] [netmask global_mask]

(if_name) is the name of the Internet-facing interface, for example outside. nat_id identifies the global address pool so that it matches the corresponding nat command. ip_address[-ip_address] is a single translated address or a range of addresses. [netmask global_mask] is the network mask of the global addresses.

Example 1. pix525(config)# global (outside) 1 61.144.51.42-61.144.51.48

When an intranet host accesses the Internet through the PIX Firewall, the PIX assigns it a global address from the pool 61.144.51.42-61.144.51.48.

Example 2. pix525(config)# global (outside) 1 61.144.51.42

When the intranet accesses the Internet, the PIX Firewall uses the single address 61.144.51.42 for all hosts; with one address it performs port address translation (PAT), so many inside hosts share the address, distinguished by source port.

Example 3. pix525(config)# no global (outside) 1 61.144.51.42

Deletes this global entry.

6. Define static routes towards the intranet and the Internet (route)

route command syntax: route if_name ip_address netmask gateway_ip [metric]

if_name is the interface name, such as inside or outside. ip_address and netmask describe the destination network (0 0 is the default route). gateway_ip is the IP address of the next-hop router. [metric] is the number of hops to gateway_ip; the default is 1.

Example 1. pix525(config)# route outside 0 0 61.144.51.168 1

A default route pointing to the router at 61.144.51.168.

Example 2. pix525(config)# route inside 10.1.1.0 255.255.255.0 172.16.0.1 1

Pix525(config)# route inside 10.2.0.0 255.255.0.0 172.16.0.1 1

If the internal network is a single subnet directly attached to the inside interface, only the default route of Example 1 is needed. If there are several internal networks behind an internal router, configure one static route per network; the commands above create routes to 10.1.1.0/24 and 10.2.0.0/16 via the next-hop router 172.16.0.1.
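The six commands above describe a packet's fate together: the nameif security levels (step 1) decide whether a connection may start at all, the route table decides the exit interface, and nat, global and static decide which global address the packet carries. The following is an added example (not from the original article or from Cisco) that models those rules in Python so the outcome for a given inside host can be checked; the configuration lines and all addresses in it are constructed for the demo.

```python
# Added example (not from the original article): a small model of the six basic
# PIX commands, used to answer "what does the PIX do with a packet from this
# inside host?" Every config line and address below is constructed for the demo.
import ipaddress

SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 61.144.51.43-61.144.51.45 netmask 255.255.255.248
global (outside) 1 61.144.51.46
static (inside,outside) 61.144.51.62 192.168.0.3 netmask 255.255.255.255 0 0
route outside 0 0 61.144.51.41 1
route inside 10.1.1.0 255.255.255.0 192.168.0.254 1
"""


def _net(addr, mask):
    """Build a network from PIX 'address mask' notation ('0 0' means any)."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Collect nameif, nat, global, static and route lines into one dict."""
    cfg = {"security": {}, "nat": [], "global": [], "static": {}, "route": []}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "nameif":                    # nameif hw_id if_name securityN
            cfg["security"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "nat":                     # nat (if_name) id local_ip mask
            cfg["nat"].append((t[1].strip("()"), int(t[2]), _net(t[3], t[4])))
        elif t[0] == "global":                  # global (if_name) id ip[-ip]
            lo, _, hi = t[3].partition("-")
            cfg["global"].append((t[1].strip("()"), int(t[2]), lo, hi or lo))
        elif t[0] == "static":                  # static (in_if,out_if) global local
            in_if, out_if = t[1].strip("()").split(",")
            cfg["static"][(in_if, out_if, t[3])] = t[2]
        elif t[0] == "route":                   # route if_name dest mask gateway
            cfg["route"].append((t[1], _net(t[2], t[3]), t[4]))
    return cfg


def flow_allowed_by_default(cfg, src_if, dst_if):
    """ASA rule: a connection may start from a higher security level towards a
    lower one with no further configuration; the reverse needs static+conduit."""
    return cfg["security"][src_if] > cfg["security"][dst_if]


def egress(cfg, dst_ip):
    """Longest-prefix match over the route table -> (interface, gateway)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for if_name, net, gw in cfg["route"]:
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (if_name, net, gw)
    return None if best is None else (best[0], best[2])


def translate(cfg, src_if, src_ip, dst_ip):
    """Describe the global address a packet from src_ip carries when it leaves.
    Returns None when the PIX would not forward it: no route, a security-level
    violation, or no nat statement covering the source (the PIX drops
    untranslated traffic rather than leaking private addresses)."""
    route = egress(cfg, dst_ip)
    if route is None or not flow_allowed_by_default(cfg, src_if, route[0]):
        return None
    out_if = route[0]
    if (src_if, out_if, src_ip) in cfg["static"]:   # a static wins over nat/global
        return {"via": "static", "addresses": [cfg["static"][(src_if, out_if, src_ip)]]}
    ip = ipaddress.ip_address(src_ip)
    for nat_if, nat_id, net in cfg["nat"]:
        if nat_if == src_if and ip in net:
            pool = [g for g in cfg["global"] if g[0] == out_if and g[1] == nat_id]
            # The PIX hands out pool addresses (one per host) first and falls
            # back to the single PAT address once the pool is exhausted.
            return {"via": f"nat {nat_id}",
                    "pool": [(lo, hi) for _, _, lo, hi in pool if lo != hi],
                    "pat": [lo for _, _, lo, hi in pool if lo == hi]}
    return None
```

Note that a DMZ host gets None from translate even though dmz (50) may talk to outside (0): the sample has no nat (dmz) statement, which is the mistake behind many "the DMZ cannot reach the Internet" tickets.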

Once you understand these six basic commands, you can move on to the more advanced PIX Firewall configuration.

A. Configure static address translation (static)

When a session is initiated from the Internet, its destination is a host on the intranet. The static command translates a specific internal address to a fixed global address so that such a session can be established (a conduit is still needed to permit it; see B below).

static command syntax:

static (internal_if_name, external_if_name) global_ip local_ip [netmask mask]

internal_if_name is the higher-security interface, such as inside. external_if_name is the lower-security interface, such as outside. global_ip is the address on the lower-security side that outside hosts connect to. local_ip is the real address of the host on the internal network.

Example 1. pix525(config)# static (inside, outside) 61.144.51.62 192.168.0.8

Every session through the PIX Firewall from the host 192.168.0.8 is translated to the global address 61.144.51.62, and the static command also creates a fixed mapping from 61.144.51.62 back to 192.168.0.8, so outside hosts have a stable address to reach it on.

Example 2. pix525(config)# static (inside, outside) 192.168.0.2 10.0.1.3

Example 3. pix525(config)# static (DMZ, outside) 211.48.16.2 172.16.10.8

Read these as in Example 1: in Example 3 the DMZ host 172.16.10.8 is presented to the outside as 211.48.16.2.

The examples show that static assigns a permanent global address to a specific internal address. That gives hosts on a lower-security interface an entry point to a host on a higher-security interface; the static alone does not permit the traffic.

B. Conduit commands (conduit)

As mentioned above, the static command creates a fixed mapping between a local address and a global address, but connections from the outside interface to an inside interface are still blocked by the PIX Firewall's Adaptive Security Algorithm (ASA).

The conduit command permits traffic to flow from a lower-security interface to a higher-security one, for example inbound sessions from the outside to the DMZ or inside interfaces. For connections to internal hosts, static and conduit are used together: the static supplies the address, the conduit permits the session.

conduit command syntax:

conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]

permit | deny allows or denies the access. global_ip is a global address previously defined by a global or static command; write any for every address and host ip for a single host.

port is the port of the service, such as 80 for WWW or 25 for SMTP; it can be given as a name or a number and is preceded by an operator such as eq.

protocol is the connection protocol: tcp, udp or icmp.

foreign_ip is the external address allowed to reach global_ip; write any for any host and host ip for a single host.

Example 1. pix525(config)# conduit permit tcp host 192.168.0.8 eq www any

Any external host is allowed HTTP access to the host whose global address is 192.168.0.8 (this only makes sense where 192.168.0.8 is itself the translated address; normally the global address is a public one, as in Example 4). eq followed by a port permits or denies that port only; eq ftp would limit the rule to FTP.

Example 2. pix525(config)# conduit deny tcp any eq ftp host 61.144.51.89

The external host 61.144.51.89 is not allowed to reach any global address over FTP.

Example 3. pix525(config)# conduit permit icmp any any

Permits ICMP between any addresses in both directions. Because the ASA otherwise blocks inbound ICMP, this is convenient while testing, but it lets the whole global address range be ping-swept, so narrow it once testing is done.

Example 4. pix525(config)# static (inside, outside) 61.144.51.62 192.168.0.3

Pix525(config)# conduit permit tcp host 61.144.51.62 eq www any

This example shows how static and conduit work together. 192.168.0.3 is a web server on the intranet, and Internet users should reach it through the PIX Firewall. First create the static mapping 192.168.0.3 -> 61.144.51.62 (global), then use the conduit command to allow any external host HTTP access to the global address 61.144.51.62. Nothing else on 61.144.51.62 is reachable, because the conduit names only port 80.
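How the PIX combines the static (section A) and conduit rules (section B) for an inbound connection can be checked offline. The following is an added example (not from the original article or from Cisco) that parses static and conduit lines and decides an outside-to-inside connection the way the ASA does: a conduit must match (first match wins, default deny), and the global address must also have a static translation or the permitted packet has nowhere to go. The configuration lines and addresses are constructed for the demo; only the eq port operator is modelled.

```python
# Added example (not from the original article): evaluates an inbound connection
# from the outside against static and conduit lines. Conduits are checked in
# order, the first match wins, the default is deny, and a permitted global
# address must carry a static translation. Config lines and addresses are
# constructed for the demo.
import ipaddress

SAMPLE_CONFIG = """
static (inside,outside) 61.144.51.62 192.168.0.3 netmask 255.255.255.255 0 0
static (dmz,outside) 61.144.51.63 172.16.10.8 netmask 255.255.255.255 0 0
conduit deny tcp any eq ftp host 61.144.51.89
conduit permit tcp host 61.144.51.62 eq www any
conduit permit udp host 61.144.51.63 eq domain any
conduit permit icmp any any
"""

# Service names the PIX accepts in place of port numbers (a subset)
PORTS = {"www": 80, "http": 80, "ftp": 21, "smtp": 25, "pop3": 110,
         "domain": 53, "telnet": 23, "ssh": 22}


def _addr(t, i):
    """Parse 'any' | 'host A' | 'A MASK' starting at t[i] -> (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _port(t, i):
    """Parse an optional 'eq PORT' at t[i]; None means any port.
    Only the eq operator is modelled here, not lt/gt/range."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORTS[p]), i + 2
    return None, i


def parse(config):
    """statics: global_ip -> (inside_if, local_ip); conduits: ordered rule list."""
    statics, conduits = {}, []
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "static":
            inside_if = t[1].strip("()").split(",")[0]
            statics[t[2]] = (inside_if, t[3])
        elif t[0] == "conduit":
            g_net, i = _addr(t, 3)      # global side: address and service port
            g_port, i = _port(t, i)
            f_net, i = _addr(t, i)      # foreign side: who may connect
            # a trailing foreign-side port operator, if present, is ignored here
            conduits.append((t[1], t[2], g_net, g_port, f_net))
    return statics, conduits


def inbound(cfg, proto, foreign_ip, global_ip, port=None):
    """Decide an outside->inside connection attempt.
    Returns ("permit", inside_if, local_ip) or ("deny", reason)."""
    statics, conduits = cfg
    fip, gip = ipaddress.ip_address(foreign_ip), ipaddress.ip_address(global_ip)
    for action, p, g_net, g_port, f_net in conduits:
        if p != proto or gip not in g_net or fip not in f_net:
            continue
        if g_port is not None and g_port != port:
            continue
        if action == "deny":                        # first match wins
            return ("deny", "matched a deny conduit")
        if global_ip not in statics:                # conduit without a static is useless
            return ("deny", f"conduit matched but {global_ip} has no static translation")
        return ("permit",) + statics[global_ip]
    return ("deny", "no conduit matches (ASA default for lower->higher security)")
```

The ordering matters: because the deny for 61.144.51.89 comes first, that host cannot use FTP even if a later permit conduit would have matched, while the icmp any any line at the end matches ICMP to every global address, translated or not.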

C. Configure the fixup protocol

The fixup command enables or disables application inspection for a service or protocol; the port given is the port on which the PIX inspects that protocol. Inspection is what lets the PIX open the secondary connections some protocols need (FTP data, H.323 media) and apply protocol checks such as Mail Guard for SMTP, so disabling a fixup also removes that protection. See the following examples:

Example 1. Pix525(config)# fixup protocol ftp 21 (enable FTP inspection on port 21)

Example 2. Pix525(config)# fixup protocol http 80

Pix525(config)# fixup protocol http 1080 (inspect HTTP on both port 80 and port 1080)

Example 3. Pix525(config)# no fixup protocol smtp 25 (disable SMTP inspection on port 25)

D. Set up Telnet

Telnet handling changed between versions. Before PIX OS 5.0 (PIX OS being the PIX operating system), only hosts on the internal network could reach the PIX by Telnet. From PIX OS 5.0 on, Telnet to the PIX can be enabled on any interface, but Telnet from the outside interface must be protected by IPsec: you must configure the PIX to terminate an IPsec tunnel from another PIX, a router, or a VPN client, and the Telnet session runs inside that tunnel. Alternatively, configure SSH on the PIX and use an SSH client from the outside instead of Telnet. PIX OS 6.x supports only SSH version 1 (SSH version 2 arrived with PIX 7.0), and SSHv1 has known protocol weaknesses, so management access is still best restricted to the inside interface or to a VPN. By contrast, a Cisco IOS router of the same era accepts Telnet on any interface unless you restrict it yourself with an access-class.

telnet command syntax: telnet ip_address [netmask] [if_name]

ip_address is the address (or, with netmask, the network) permitted to reach the PIX by Telnet, and if_name is the interface it arrives on (inside if omitted). If no telnet command is set, the PIX can only be configured from the console.

With that covered, here is a configuration instance for reference.

Welcome to the PIX firewall
Type help or ? for a list of available commands.
PIX525> en
Password:
PIX525# sh config
: Saved
:
PIX Version 6.0(1) ------ the PIX operating system version is 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100 ------ only two interfaces are in use on this PIX
enable password 7Y051HhCcoiRTSQZ encrypted
passwd 7Y051HhCcoiRTSQZ encrypted ------ passwords are stored as hashes and never shown in clear in the configuration. The factory default Telnet password (passwd) is cisco and must be changed; note also that the identical hash on both lines means the enable and Telnet passwords are the same here, which is worth avoiding
hostname PIX525 ------ the host name is PIX525
domain-name 123.com ------ the firewall's own domain name (used to form its FQDN, for example when generating an SSH key); this is not a DNS server setting
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060 ------ the protocols currently inspected. Note that the rsh port cannot be changed
names ------ enables name-to-address mappings (the name command), so a name can replace an IP address in the configuration. The list is currently empty
pager lines 24 ------ 24 lines per page of output
interface ethernet0 auto
interface ethernet1 auto ------ both NICs negotiate speed and duplex
mtu outside 1500
mtu inside 1500 ------ the standard Ethernet MTU of 1500 bytes
ip address outside 61.144.51.42 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0 ------ Internet-side address 61.144.51.42, intranet address 192.168.0.1
ip audit info action alarm
ip audit attack action alarm ------ the two PIX intrusion-detection commands. When a packet matches an informational or attack signature the PIX takes the alarm action (the default), which sends a syslog message to the configured logging host; it can also be told to drop the packet or to reset the TCP connection
pdm history enable ------ history collection for the graphical PIX Device Manager
arp timeout 14400 ------ ARP table entry timeout in seconds (four hours)
global (outside) 1 61.144.51.46 ------ a single global address, so the PIX uses PAT: when an inside user visits an external forum or chats over QQ, the remote site sees 61.144.51.46
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 61.144.51.43 192.168.0.8 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 61.144.51.43 eq www any
conduit permit udp host 61.144.51.43 eq domain any ------ 192.168.0.8 is presented to the Internet as 61.144.51.43, and external users may reach it only on TCP port 80 (web) and UDP port 53 (DNS). The ICMP conduit, by contrast, is open to every global address and should be narrowed in production
route outside 0.0.0.0 0.0.0.0 61.144.51.61 1 ------ default route to the external gateway 61.144.51.61
timeout xlate 3:00:00 ------ once an inside host has sent translated (global) traffic outbound and the translation then stays idle for three hours (the default), its entry is removed from the translation table and the global address it occupied is released
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute ------ AAA user-authentication timeout. absolute means the uauth timer runs continuously from the moment of authentication; when it expires the user is forced to re-authenticate
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius ------ the two AAA server protocols. AAA stands for authentication, authorization and accounting; the PIX can use an AAA server to authenticate users and administrators
no snmp-server location
no snmp-server contact
snmp-server community public ------ no SNMP management station is configured, so no location or contact is set. The community string is still the default public; set a non-default community and restrict management stations with snmp-server host before enabling monitoring
no snmp-server enable traps ------ do not send SNMP traps
floodguard enable ------ protects the AAA user-authentication resources from being exhausted by a flood of forged authentication requests
no sysopt route dnat
telnet timeout 5
ssh timeout 5 ------ idle timeouts in minutes for Telnet and SSH sessions to the PIX
terminal width 80
Cryptochecksum:a9f03ba4ddb72e1ae6a543292dd4f5e7
PIX525#
PIX525# write memory ------ save the running configuration to flash

Note that in this instance the PIX Firewall sits directly on the Internet link, with a block of public addresses available. Some will ask what to do when public addresses are scarce: put a router in front of the PIX, or give global a single address (PAT) shared by all inside hosts; on PIX OS releases that support it, global (outside) 1 interface uses the outside interface's own address. A few maintenance commands are also useful: show interface shows interface status, show static shows the static mappings, show ip shows the interface addresses, show xlate shows the current translations, and ping [outside | inside] ip_address tests connectivity.
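A listing like the one above is what a reviewer is usually handed, and several of the points noted in its comments (default passwd, default SNMP community, ICMP conduit open to everything, Telnet on the outside interface, nowhere for the ip audit alarms to go) can be checked mechanically. The following is an added example (not from the original article or from Cisco): a small audit over show config output. The sample configuration is constructed for the demo and deliberately contains those weaknesses; the two hashes in DEFAULT_HASHES are the well-known PIX defaults for the passwd value cisco and for an empty enable password.

```python
# Added example (not from the original article): a quick audit of a saved PIX
# configuration ("show config" output) for weak management settings. The sample
# config is constructed for the demo; the two hashes are the well-known PIX
# defaults for passwd "cisco" and for an empty enable password.
DEFAULT_HASHES = {"2KFQnbNIdI.2KYOU", "8Ry2YjIyt7RRXU24"}

SAMPLE_CONFIG = """
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX525
snmp-server community public
no snmp-server enable traps
conduit permit icmp any any
conduit permit tcp host 61.144.51.43 eq www any
telnet 192.168.0.0 255.255.255.0 inside
telnet 61.144.51.50 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
"""


def audit(config):
    """Return a list of 'CODE: explanation' findings; empty means nothing flagged."""
    findings = []
    words = [l.split() for l in config.strip().splitlines() if l.strip()]
    for t in words:
        if t[0] == "passwd" and t[1] in DEFAULT_HASHES:
            findings.append("TELNET_DEFAULT_PASSWORD: passwd is the factory default (cisco)")
        if t[:2] == ["enable", "password"] and t[2] in DEFAULT_HASHES:
            findings.append("ENABLE_DEFAULT_PASSWORD: enable password is empty")
        if t[:2] == ["snmp-server", "community"] and t[2] in ("public", "private"):
            findings.append(f"SNMP_DEFAULT_COMMUNITY: community '{t[2]}' is guessable")
        if t[0] == "conduit" and t[1:3] == ["permit", "icmp"] and t[3:5] == ["any", "any"]:
            findings.append("ICMP_ANY_INBOUND: conduit permits ICMP from anywhere "
                            "to every global address")
        if t[0] == "telnet" and len(t) == 4 and t[3] == "outside":
            findings.append(f"TELNET_ON_OUTSIDE: cleartext telnet accepted from {t[1]} "
                            "on outside (must be inside an IPsec tunnel)")
    # ip audit alarms and syslog need a destination
    if not any(t[:2] == ["logging", "host"] for t in words):
        findings.append("NO_LOGGING_HOST: ip audit alarms and syslog have nowhere to go")
    # telnet access with only the shared passwd, no per-user AAA
    has_telnet = any(t[0] == "telnet" and len(t) == 4 for t in words)
    has_aaa = any(t[:3] == ["aaa", "authentication", "telnet"] for t in words)
    if has_telnet and not has_aaa:
        findings.append("NO_AAA_FOR_MGMT: telnet relies on the shared passwd, "
                        "not per-user AAA authentication")
    return findings


def codes(findings):
    """Just the finding codes, sorted, for comparing two audits."""
    return sorted(f.split(":")[0] for f in findings)
```

Run on the sample it returns seven findings; a configuration with a non-default community, a logging host and no telnet lines returns none. The hash comparison only catches the factory defaults, not other weak passwords, since the PIX hash is not reversible from the listing.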
