Usually contributors on mailing lists shouldn't answer questions that are TOO
obvious. It's YOUR job to get the firewall running and not ours. If you're
not able to create a basic installation then you'll have trouble
understanding what's running and how INsecure it is. However, here you've got a
couple of pointers.
You'll find everything here:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/
Basic steps:
- Attach network cables
- Attach serial cable
- Open the terminal emulation with 9600 baud, 8 data bits, no parity, 1 stop
bit. Usually this is the default
- set interfaces, set ip's, tftp etc. to update software
- ...
And then... you'll have to put in something similar to this:
-----------------------------------------------------------------
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SomePassword
passwd Somepassword2
hostname PIX
interface ethernet0 auto
interface ethernet1 auto
ip address outside 200.200.200.2 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
global (outside) 1 200.200.200.3 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
rip outside passive version 1
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
timeout xlate 0:05:00
floodguard enable
telnet 192.168.100.0 255.255.255.0 inside
-----------------------------------------------------------------
At the end type
WRITE MEM
RELOAD
Y
Certainly every config is different. By default all internal clients can get
onto the internet (unless you use access-group to bind an access-list to a
net interface). No external hosts can get into the LAN. In this example I
used:
external router: 200.200.200.1
external interface of firewall 200.200.200.2
global PAT address for internal clients going onto the internet:
200.200.200.3
internal network-id: 192.168.100.0
internal default gateway: 192.168.100.1
Later if you want to have some more control you could put in commands such
as these:
access-list ACL_IN permit icmp any any
access-list ACL_OUT permit icmp any any
access-list ACL_OUT permit tcp 192.168.100.0 255.255.255.0 any
access-list ACL_OUT permit udp 192.168.100.0 255.255.255.0 any
access-group ACL_IN in interface outside
access-group ACL_OUT in interface inside
You always need to bind an access-list to an interface using the
access-group command.
The ruleset above allows all LAN hosts on 192.168.100.0 to send TCP and UDP
traffic to the internet.
Cheers
--------------------------------------
Boris Pavalec
Managing Director (Geschäftsführer), VRP
Network / System Engineer MCSE & MCT
HCS - Highend Computing Systems AG
Hohlstrasse 216
CH-8004 Zürich
Phone: + 41-1 240 29 50
Fax: + 41-1 240 29 59
eMail: [EMAIL PROTECTED]
--------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Neil H.
Sent: Thursday, September 20, 2001 2:41 AM
To: [EMAIL PROTECTED]
Subject: Passing Traffic through a Pix
Could someone please help me to put a PIX on my network and pass normal
traffic through it. I want to use no filters at this point. I also want
all the addresses on the server to be available on the other side (outside)
of the pix.
Thanks,
Neil
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
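The behaviour Boris describes (interfaces at security0/security100, everything from inside allowed out and nothing from outside allowed in until an access-list is bound with access-group, after which the first matching entry wins and the list ends in an implicit deny) can be checked offline with a small policy simulator. The following Python is an added example, not code from the post or from Cisco: it parses only the subset of PIX 6.x syntax the post actually uses (nameif, access-list with any / host / address-plus-netmask, access-group ... in interface), ignores NAT, xlates and port operators, and the sample config and the flow addresses (198.51.100.10 from the documentation range) are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample built from the lines in the post; not a dump of a real device.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list ACL_IN permit icmp any any
access-list ACL_OUT permit icmp any any
access-list ACL_OUT permit tcp 192.168.100.0 255.255.255.0 any
access-list ACL_OUT permit udp 192.168.100.0 255.255.255.0 any
access-group ACL_IN in interface outside
access-group ACL_OUT in interface inside
"""


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _addr(tok, i):
    """Parse one address spec at tok[i]: any | host A.B.C.D | A.B.C.D NETMASK."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # PIX access-lists take a normal netmask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


class PixPolicy:
    """Minimal model of PIX 6.x interface filtering (assumption: no NAT/xlate logic)."""

    def __init__(self, config_text):
        self.security = {}   # interface name -> security level
        self.acls = {}       # acl name -> [Ace] in configuration order
        self.bound = {}      # interface name -> acl name bound with access-group
        for line in config_text.splitlines():
            t = line.split()
            if not t:
                continue
            if t[0] == "nameif" and len(t) == 4 and t[3].startswith("security"):
                self.security[t[2]] = int(t[3][len("security"):])
            elif t[0] == "access-list" and len(t) >= 6:
                name, action, proto = t[1], t[2], t[3]
                if action not in ("permit", "deny"):
                    raise ValueError(f"unsupported action: {line}")
                src, i = _addr(t, 4)
                dst, _ = _addr(t, i)
                self.acls.setdefault(name, []).append(Ace(action, proto, src, dst))
            elif t[0] == "access-group" and len(t) == 5 and t[2:4] == ["in", "interface"]:
                self.bound[t[4]] = t[1]

    def decide(self, ingress, egress, proto, src_ip, dst_ip):
        """Return "permit" or "deny" for a flow entering `ingress` and leaving `egress`.

        With an access-group bound on the ingress interface the first matching
        entry decides and the list ends in an implicit deny. Without one, the
        PIX only lets traffic flow from a higher security level to a lower one.
        """
        if ingress in self.bound:
            s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
            for ace in self.acls.get(self.bound[ingress], []):
                if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
                    return ace.action
            return "deny"
        return "permit" if self.security[ingress] > self.security[egress] else "deny"


if __name__ == "__main__":
    policy = PixPolicy(SAMPLE_CONFIG)
    flows = [
        ("inside", "outside", "tcp", "192.168.100.5", "198.51.100.10"),   # LAN host to web
        ("inside", "outside", "tcp", "10.0.0.5", "198.51.100.10"),        # not in ACL_OUT
        ("outside", "inside", "icmp", "198.51.100.10", "192.168.100.5"),  # ACL_IN permits icmp
        ("outside", "inside", "tcp", "198.51.100.10", "192.168.100.5"),   # implicit deny
    ]
    for f in flows:
        print(f, "->", policy.decide(*f))
```

Two things the run makes visible that the post only states: once ACL_OUT is bound, an inside host outside 192.168.100.0/24 is dropped by the implicit deny at the end of the list, and the `permit icmp any any` entry in ACL_IN is the one line that opens something from the outside, so it deserves a second look before it goes on a production box.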