Cisco PiX firewall 525 - steps and procedure

Hi, thanks to all of you who read this post. I would appreciate it if someone would help me out on this.
Recently, I was configuring the Cisco PIX 525 firewall for VPN and it did not turn out well. The thing is, I ACTUALLY left that piece of code that did not work well in the production firewall, and it caused the whole company not to function properly the next morning. I was mad at myself. I have to admit that I was careless. I have no experience and this is my first time configuring it. So I really hope someone comes up with a step-by-step procedure that I can follow. Something like:
1) show conf - to see the current startup config
2) write memory - to back up a copy of it first, just in case something goes wrong
...
and so on.
Thanks, I would give 250 points for it...
Asked by usanet21

1 Solution
 
grblades commented:
Hi usanet21,
A step-by-step procedure to do what?

Generally when configuring the PIX I always do the following:
1) Have a TFTP server somewhere (you can download a free Windows server from Cisco).
2) Type 'wri mem' to back up the running configuration to flash.
3) Type 'wri net' to save the configuration to the TFTP server.
4) Make the changes.
5) If it goes wrong, reboot the firewall to load back in the old configuration.
6) If it does work, then save the configuration (wri net).
7) Keep the old config on the TFTP server just in case.
0
 
usanet21 (Author) commented:
I need a step-by-step procedure for how to configure the firewall safely to minimise unnecessary risk.
OK, I want to ask: if I do a 'wri mem' at the beginning, the running config is backed up first, before any changes are made, right? Then when I start the actual configuration on the firewall, do I have to keep issuing the 'wri mem' command to save the configuration, or is it 'LIVE', where after you configure something the changes take effect without the 'wri mem' command? So the startup config is saved into NVRAM? Lastly, if I reboot the firewall, it will load from the startup config, won't it?
0
 
grblades commented:
When you 'wri mem' the configuration is saved to NVRAM (the startup-config). When you reboot, this is the configuration which is loaded into main memory. When you change the configuration it takes effect immediately. There is no need to change it.
Therefore it is a good idea to save the current config before you start changing anything and don't save it again until you are sure everything is working. That way if things go wrong you can always power cycle the firewall to get things back the way they were.

If you post your current configuration I will have a look at it for you.
If you let me know what type of VPN you want etc... then I can give you the commands you need to enter to enable the VPN.
0
 
usanet21 (Author) commented:
Alright, thanks a lot. Yes, I do need a VPN connection. I do know how to configure VPN in PIX, but there's a problem. Currently, there is already a VPN connection in my company and I need to add another VPN. The thing with VPN is, if there is a [nat (inside) 0 access-list no-nat] command issued, when you try to write the same command for another VPN access list, for example [nat (inside) 0 access-list ipsecnonat], it will overwrite the [nat (inside) 0 access-list no-nat] command. That's the first problem I have.

Second, the access list you specify with the nat 0 access-list command will not work with an access-list command statement that contains a port specification. The following sample command statements will not work:
access-list no-nat permit tcp host xx.xx.xx.xx host yy.yy.yy.yy
nat (inside) 0 access-list no-nat
I need to write an access list with a port specification for FTP and VPN integrated together. How do I achieve that?

Because of that, I caused the whole company not to function the next morning. Well, I hope you can think about this and get back to me by today, because I really have a headache over this. At least write a draft
configuration for me... help appreciated.
Thanks

 
0
 
usanet21 (Author) commented:
Forgot to add, I am using IPsec and the authentication is pre-shared keys,
so this would be easy.
0
 
grblades commented:
The 'nat (inside) 0' line normally just defines traffic which should not be NAT'd. This is generally all traffic between the internal network and the DMZ interface (if used) and the range of IP addresses allocated to VPN clients. There is no reason why you would ever want to define ports.
0
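An added example, not code from the thread: a small pre-change check in Python for a PIX 6.x configuration snippet that flags the two pitfalls discussed above (a second 'nat (inside) 0 access-list' line replacing the first, and a port match inside an ACL referenced by nat 0), and then builds the usual fix of one port-free 'ip' no-NAT ACL with a single nat 0 line. The sample config, addresses and ACL names are constructed for illustration; only 'permit' entries are considered.

```python
"""Pre-change lint for a PIX 6.x configuration snippet (added example)."""
import re
from collections import defaultdict

# Constructed sample reproducing the thread's mistake; not a real config.
SAMPLE_CONFIG = """\
access-list no-nat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list ipsecnonat permit tcp host 10.1.1.5 host 10.3.3.5 eq ftp
access-list outside_in permit tcp any host 203.0.113.10 eq ftp
nat (inside) 0 access-list no-nat
nat (inside) 0 access-list ipsecnonat
access-group outside_in in interface outside
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+)$")
PORT_WORDS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> argument count


def parse(text):
    """Collect nat 0 ACL names per interface and the permit entries of each ACL."""
    nat0, aces = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        if m := NAT0_RE.match(line.strip()):
            nat0[m.group(1)].append(m.group(2))
        elif m := ACL_RE.match(line.strip()):
            aces[m.group(1)].append((m.group(2), m.group(3).split()))
    return nat0, aces


def find_problems(text):
    """Return (kind, detail) pairs for the two pitfalls described in the thread."""
    nat0, aces = parse(text)
    problems = []
    for iface, names in nat0.items():
        if len(names) > 1:  # only the last 'nat (iface) 0 access-list' survives
            problems.append(("nat0_overwrite", f"{iface}: {names[:-1]} replaced by {names[-1]}"))
        for name in names:
            for proto, toks in aces[name]:
                if PORT_WORDS.keys() & set(toks):  # port match is not honoured by nat 0
                    problems.append(("nat0_port_spec", f"{name}: {proto} {' '.join(toks)}"))
    return problems


def consolidated_no_nat(text, iface="inside", name="no-nat"):
    """Merge every nat 0 ACL on `iface` into one port-free 'ip' ACL and one nat 0 line."""
    nat0, aces = parse(text)
    out = []
    for src in nat0[iface]:
        for _proto, toks in aces[src]:
            kept, i = [], 0
            while i < len(toks):
                if toks[i] in PORT_WORDS:  # drop 'eq ftp', 'range 20 21', ...
                    i += 1 + PORT_WORDS[toks[i]]
                    continue
                kept.append(toks[i])
                i += 1
            ace = f"access-list {name} permit ip {' '.join(kept)}"
            if ace not in out:
                out.append(ace)
    out.append(f"nat ({iface}) 0 access-list {name}")
    return out
```

The FTP restriction belongs in the interface ACL applied with access-group (as in the sample's outside_in), not in the no-NAT ACL.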
 
grblades commented:
I think the easiest way to continue would be for you to post your configuration (remove the passwords and your external IP address if you wish) and what you attempted to enter for the VPN configuration.
0
 
usanet21 (Author) commented:
I would love to, but I don't have that config with me now... do you have MSN or ICQ?
Maybe I add you first, then I will call my boss to send me the config... this is top priority in my company and I need to hand it in tomorrow.
0
 
grblades commented:
Sorry I don't have either on my work machine.
You can email it to me (address in my profile) but I will post a sanitised version here to make it fair on others wishing to participate in this question.
0
 
usanet21 (Author) commented:
Yeah... Can you post a draft configuration for me? I need only FTP and to close other services. Maybe you might want to show me how you do an integration of FTP and VPN. Thanks.
0
 
grblades commented:
I have a couple of examples on my website:-
http://www.gbnetwork.co.uk/networking

This Cisco page is also very good :-
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

My Radius example is basically what you want if you ignore the initial Radius authentication. There are lots of variables: whether you have a single external IP address or are allocated a range, and whether you want extended authentication or not.

With standard authentication all users share a group and group password and this is preconfigured in the client. With extended authentication you also have each user having their own username/password. This can be stored in the PIX itself or you can use an external Radius server as in my example. The benefit of Radius is that you can apply access lists to individual users and therefore limit what each of them is permitted to access over the VPN.
0
 
usanet21 (Author) commented:
Yo, thanks mate... will check it out and let you know tomorrow. It's real late here... gotta sleep, man.
Thanks
0
