Here is a basic PIX configuration, which achieves the following:<\/p>\n
–\u00a0 NAT overload from an inside network to an outside network
\n–\u00a0 Accept incoming PPTP VPN connections from ouside clients
\n–\u00a0 Turns on the web-based GUI on the PIX<\/p>\n
\n: Saved
\n:
\nPIX Version 6.3(4)
\ninterface ethernet0 auto
\ninterface ethernet1 100full
\n:These two lines activate the outside (Ethernet0) and inside (Ethernet1) interfaces
\nnameif ethernet0 outside security0
\nnameif ethernet1 inside security100
\n:These two lines assign names to the interfaces
\nenable password —— encrypted
\n:Sets the password for privileged mode
\npasswd ——– encrypted
\n:Sets the telnet password
\nhostname pixfirewall
\ndomain-name ciscopix.com
\nfixup protocol dns maximum-length 512
\nfixup protocol ftp 21
\nfixup protocol h323 h225 1720
\nfixup protocol h323 ras 1718-1719
\nfixup protocol http 80
\nfixup protocol rsh 514
\nfixup protocol rtsp 554
\nfixup protocol sip 5060
\nfixup protocol sip udp 5060
\nfixup protocol skinny 2000
\nno fixup protocol smtp 25
\nfixup protocol sqlnet 1521
\nfixup protocol tftp 69
\n:Fixup protocols allow advanced applications to work through NAT. All the above fixup protocol configuration is in the PIX by default.
\nnames
\naccess-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
\naccess-list 102 permit icmp any any
\naccess-list 102 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
\naccess-list 103 permit ip any any
\n:Same access-list syntax as a router. These are used below.
\npager lines 24
\nmtu outside 1500
\nmtu inside 1500
\nip address outside x.x.x.x 255.255.255.248
\n:Sets the outside interface IP address
\nip address inside 192.168.1.1 255.255.255.0
\n:Sets the inside interface IP address
\nip audit info action alarm
\nip audit attack action alarm
\nip local pool pptp-pool 192.168.2.10-192.168.2.50
\n:Defines a local DHCP pool of addresses for the PIX to give to incoming PPTP VPN clients
\npdm logging informational 100
\npdm history enable
\n:This tracks access to the PDM (the web-based GUI) built-in to the PIX
\narp timeout 14400
\nglobal (outside) 1 interface
\n:This is a HUGE command. It turns on NAT translation for all addresses matching NAT rule 1 (shown below) to be translated through the outside interface (to the Internet, in this case)
\nnat (inside) 0 access-list 101
\n:This creates NAT rule 0 which tells NAT not to translate addresses that are defined in access list 101 (shown above). This keeps NAT from translating any communication between internal clients (192.168.1.0\/24) and VPN clients (192.168.2.0\/24).
\nnat (inside) 1 0.0.0.0 0.0.0.0 0 0
\n:This creates NAT rule 1 which matches ALL addresses coming from the inside interface
\nconduit permit icmp any any
\n:Conduits are the old form of access-lists. This one permits all ICMP messages to the PIX
\nroute outside 0.0.0.0 0.0.0.0 x.x.x.x
\n:Sets a default route to the ISP router (represented with x.x.x.x)
\ntimeout xlate 0:05:00
\ntimeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
\ntimeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
\ntimeout uauth 0:05:00 absolute
\naaa-server TACACS+ protocol tacacs+
\naaa-server TACACS+ max-failed-attempts 3
\naaa-server TACACS+ deadtime 10
\naaa-server RADIUS protocol radius
\naaa-server RADIUS max-failed-attempts 3
\naaa-server RADIUS deadtime 10
\naaa-server LOCAL protocol local
\nhttp server enable
\nhttp 192.168.1.0 255.255.255.0 inside
\n:Turns on the HTTP interface to the PIX, but only allows internal users (192.168.1.0\/24) to access it. This enables the PDM (the web-based GUI) on the PIX
\nno snmp-server location
\nno snmp-server contact
\nsnmp-server community public
\nno snmp-server enable traps
\nfloodguard enable
\nsysopt connection permit-pptp
\n:Also a very huge command. This allows PPTP connections to the PIX firewall without the need for an access-list permitting PPTP. You can also use commands like sysopt connection permit-ipsec to permit IPSEC VPN connections
\ntelnet 192.168.1.0 255.255.255.0 inside
\n:Allows telnet access to the PIX only from the internal subnet
\ntelnet timeout 5
\nssh timeout 5
\nconsole timeout 0
\nvpdn group 1 accept dialin pptp
\n:Allows PIX to accept PPTP connections
\nvpdn group 1 ppp authentication pap
\nvpdn group 1 ppp authentication chap
\nvpdn group 1 ppp authentication mschap
\n:Allows PPTP users to authenticate using any of the above methods (listed from weakest to strongest)
\nvpdn group 1 ppp encryption mppe auto
\nvpdn group 1 client configuration address local pptp-pool
\n:Points the PIX to hand out IP addresses to incoming VPN clients from the DHCP pool called “pptp-pool” (shown above in the config)
\nvpdn group 1 client configuration dns 192.168.1.252
\nvpdn group 1 client configuration wins 192.168.1.251
\n:Points the VPN clients to the right DNS and WINS server addresses
\nvpdn group 1 pptp echo 60
\n:Sends an “echo” (kinda like a keepalive) once every 60 seconds. If a response is not heard, VPN is torn down
\nvpdn group 1 client authentication local
\n:Authenticates VPN users using a local user database (shown below)
\nvpdn username jonesr password *********
\nvpdn username cepa password *********
\nvpdn username bob password *********
\n:Three VPN users allowed to connect
\nvpdn enable outside
\n:Turns on VPN connectivity on the outside interface
\ndhcpd lease 3600
\ndhcpd ping_timeout 750
\nusername cisco password ——– encrypted privilege 15
\n:If I telnet with this username\/password, I go straight to privileged mode
\nterminal width 80
\n: end<\/p><\/blockquote>\n