imherson
asked on
Configuring PIX 501 in reverse?
Got a PIX 501. I was told to use it to prohibit potential intrusion from an inbound dialup connection to a PC on our network. Our company uses static IPs. Somehow I feel this isn't what we needed, or it is to be used differently than I would normally expect a firewall to be used. We don't want to prevent access to this PC from other PCs on our network, just from this PC to the rest of our network. How do I set this up?
ASKER
Which interface do I hook to the computer, which to the network? How do I make on our static network.
I'm sure if I did a lot more reading or took a course I would know what to do, but..
It does not really matter which interface you connect up as long as it matches your configuration.
I suggest you use Ethernet0 for the Internal network and Ethernet1 for the modem. You will see that on the configuration examples that the inside has a security level of 100 and the outside a level of 0.
This means that by default the internal network can talk to the modem but the modem cannot talk to the internal network.
You then just add an access-list to the Ethernet1 interface to permit in what you want.
ASKER
The first thing that throws me off is that this is a dialup modem and it connects to the PC via a phone line. I can't connect it directly to the firewall. The firewall has just RJ-45 ports.
In that case you would need to connect the modem to a PC and connect that PC to the PIX.
ASKER
The modem is used by an outside vendor to service the computer. Are you saying I have to connect the modem to a different PC than the one he needs to service?
ASKER
Our purpose is just to keep the outside vendor out of our network. Our PC has to use a specific static IP to function on our network.
In that case leave the modem attached to the computer they service but put this computer on the other side of the PIX. That way the default security will permit you and all your employees to access the server as they currently do, but if the vendor connects to the server they won't be able to connect to any of your other internal machines.
ASKER
If I understand you correctly I would attach the PC with modem to Ethernet 0 and patch our network to Ethernet 1, and our people could access the PC with the same static IP they have always been using (e.g. 207.22.0.7). I don't want to give it a private IP like 192.168.0.3.
You will have to give the server a different IP address since it has to be on a different logical network. However you can configure a feature called NAT on the PIX to translate requests to 207.22.0.7 into 192.168.0.3 on the other interface so internal users can still access it using the same address they have always used.
ASKER
I'm not going to be able to try this out until Monday. I will let you know how it goes
Here is a config to start you off.
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 pc security0
nameif ethernet1 inside security100
enable password ************* encrypted
passwd ************* encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address pc 192.168.0.1
ip address inside 207.22.0.6 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (inside) 1 interface
nat (pc) 1 0.0.0.0 0.0.0.0 0 0
static (pc,inside) 207.22.0.7 192.168.0.3 netmask 255.255.255.255 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
ASKER
Now I have figured out how to recover the password/ reset the password/ configuration with the TFTP server. I've done this each time I made a change and could not get back into the web interface. It seems like I need some sort of encryption client to interact with it because whenever I set a password and then get challenged for it, I can't get back in and I have to use TFTP to reset the configuration.
I want to try the script above but I cannot log in (I'm using Hyperterminal). I thought the default password for administrator was cisco.
I don't think the web interface is enabled in my example.
The two lines with all the ******'s in them are the passwords to log in and go into 'enable' mode. You need to pick a password and change the script before applying it.
Once applied, do a 'wri mem' to save the configuration.
ASKER
I've reset the pix to factory default, but when I try the first line of your example "interface ethernet0 auto", the feedback I get is " type help or '?' for a list of available commands"
Ignore the first 2 lines. The 501 does have 10Mbps interfaces and a hub at one end I believe.
When configuring the PIX you need to be in enable mode.
At the prompt type enable or en and press enter.
It may ask you for the enable password.
If you want to configure an interface as above you need to:
At the prompt type
interface ethernet0 (maybe fastethernet) enter
speed auto
exit
But as above this should be the default; I just wanted to show you how to configure the interface. If you are not sure of a command press ? and the pix will suggest the next statement.
Hope this helps.
Go into enable mode as Blackduke77 said, but you will also need to type 'conf t' to go into configuration mode as well.
The interface configuration example Blackduke77 gave above is for routers. The PIX has a different command language.
ASKER
I'm able to get through some of the script. Here's where I'm having trouble:
pixfirewall(config)# nameif ethernet pc security0
Usage: nameif <hardware_id> <if_name> <security_lvl>
nameif <vlan_id> <if_name> <security_lvl>
no nameif
pixfirewall(config)# hostname pix
%Key pair with hostname pixfirewall.ciscopix.com will be invalid
Use this configuration and write to flash? yes
Interface address is not on same subnet as DHCP pool
Error setting inside IP address and mask
pix(config)# ip address pc 192.168.0.1
Usage: [no] ip address <if_name> <ip_address> [<mask>]
[no] ip address <if_name> <ip_address> <mask> pppoe [setroute]
[no] ip address <if_name> dhcp [setroute] [retry <retry_cnt>]
[no] ip address <if_name> pppoe [setroute]
ip local pool <poolname> <ip1>[-<ip2>]
ip verify reverse-path interface <if_name>
ip audit {info|attack} action [alarm] [drop] [reset]
ip audit name <audit_name> {info|attack} [action [alarm] [drop] [reset]]
ip audit interface <if_name> <audit_name>
ip audit signature <sig_number> disable
show|clear ip audit count [global] [interface <interface>]
show ip [address [<if_name> [pppoe|dhcp [lease|server]]]]
pix(config)#
pix(config)# ?
At the end of show <command>, use the pipe character '|' followed by:
begin|includ
e|exclude|grep [-v] <regular_exp>, to filter sho
w output.
aaa Enable, disable, or view TACACS+, RADIUS or LOCAL
user authentication, authorization and accounting
aaa-server Define AAA Server group
access-group Bind an access-list to an interface to filter inbound traffic
access-list Add an access list
activation-key Modify activation-key.
age This command is deprecated. See ipsec, isakmp, map, ca commands
alias Administer overlapping addresses with dual NAT.
apply Apply outbound lists to source or destination IP addresses
arp Change or view arp table, set arp timeout value, view statistics
auth-prompt Customize authentication challenge, reject or acceptance prompt
auto-update Configure auto update support
banner Configure login/session banners
ca CEP (Certificate Enrollment Protocol)
Create and enroll RSA key pairs into a PKI
(Public Key Infrastructure).
capture Capture inbound and outbound packets on one or more interfaces
clock Show and set the date and time of PIX
conduit Add conduit access to higher security level network or ICMP
configure Configure from terminal, floppy, memory, network, or
factory-default. The configuration will be merged with the
active configuration except for factory-default in which case
the active configuration is cleared first.
copy Copy image or PDM file from TFTP server into flash.
console Set idle timeout for the serial console of the PIX
Crashinfo Read, write and configure crash write to flash. Force a crash.
crypto Configure IPsec, IKE, and CA
debug Debug packets or ICMP tracings through the PIX Firewall.
dhcpd Configure DHCP Server
dhcprelay Configure DHCP Relay Agent
disable Exit from privileged mode
domain-name Change domain name
dynamic-map Specify a dynamic crypto map template
eeprom show or reprogram the 525 onboard i82559 devices
enable Configure enable passwords
established Allow inbound connections based on established connections
failover Enable/disable PIX failover feature to a standby PIX
filter Enable, disable, or view URL, FTP, HTTPS, Java, and ActiveX filt
ering
fixup Add or delete PIX service and feature defaults
flashfs Show, destroy, or preserve filesystem information
fragment Configure the IP fragment database
global Specify, delete or view global address pools,
or designate a PAT(Port Address Translated) address
help Help list
hostname Change host name
http Configure HTTP server
icmp Configure access for ICMP traffic that terminates at an interfac
e
interface Set network interface paremeters and configure VLANs
ip Set the ip address and mask for an interface
Define a local address pool
Configure Unicast RPF on an interface
Configure the Intrusion Detection System
ipsec Configure IPSEC policy
isakmp Configure ISAKMP policy
kill Terminate a telnet session
logout Exit from current user profile, and to unprivileged mode
logging Enable logging facility
mac-list Add a list of mac addresses using first match search
map Configure IPsec crypto map
memory System memory utilization
mgcp Configure the Media Gateway Control Protocol fixup
management-access Enable access to internal management interface
mroute Configure a multicast route
mtu Specify MTU(Maximum Transmission Unit) for an interface
multicast Configure multicast on an interface
name Associate a name with an IP address
nameif Assign a name to an interface
names Enable, disable or display IP address to name conversion
nat Associate a network with a pool of global IP addresses
ntp Configure Network Time Protocol
object-group Create an object group for use in 'access-list', 'conduit', etc
outbound Create an outbound access list
pager Control page length for pagination
passwd Change Telnet console access password
pdm Configure PIX Device Manager
ping Test connectivity from specified interface to <ip>
prefix-list Configure a prefix-list
privilege Configure/Display privilege levels for commands
quit Quit from the current mode, end configuration or logout
reload Halt and reload system
rip Broadcast default route or passive RIP
route Enter a static route for an interface
route-map Create a route-map.
router Create/configure OSPF routing process
routing Configure interface specific unicast routing parameters.
service Enable system services
setup Pre-configure PIX
shun Manages the filtering of packets from undesired hosts
snmp-server Provide SNMP and event information
ssh Add SSH access to PIX console, set idle timeout, display
list of active SSH sessions & terminate a SSH session
static Configure one-to-one address translation rule
sysopt Set system functional option
telnet Add telnet access to PIX console and set idle timeout
terminal Set terminal line parameters
tftp-server Specify default TFTP server address and directory
timeout Set the maximum idle times
url-cache Enable URL caching
url-block Enable URL pending block buffer and long URL support
url-server Specify a URL filter server
username Configure user authentication local database
virtual Set address for authentication virtual servers
vpdn Configure VPDN (PPTP, L2TP, PPPoE) Policy
vpnclient Configure Easy VPN Remote
vpngroup Configure group settings for Cisco VPN Clients and
Cisco Easy VPN Remote products
who Show active administration sessions on PIX
write Write config to net, flash, floppy, or terminal, or erase flash
pix(config)#
> pixfirewall(config)# nameif ethernet pc security0
You just have 'ethernet' and not 'ethernet0' which is incomplete. This missing command is causing the other problems.
ASKER
Oops
ASKER
ip address inside 207.2.0.6 255.255.255.0
Interface address is not on same subnet as DHCP pool
We don't use DHCP
Oops, sorry about my slip-ups. Glad there are those out there who spot these things. How's it going?
It sounds as though there is some old configuration already present.
Make sure you are connected via the console (serial cable) and then erase and reload the router so you are starting with a blank configuration :-
enable
write erase
reload
ASKER
OK I'm past that:
pix(config)# nat (pc) 1 0.0.0.0 0.0.0.0 0 0
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
OK. Don't bother trying to rename the interfaces. Just use the standard interface names as in this configuration. Erase the config as before and paste in this one.
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************* encrypted
passwd ************* encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.1
ip address inside 207.22.0.6 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (inside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) 207.22.0.7 192.168.0.3 netmask 255.255.255.255 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
ASKER
I didn't set the password now [I'd rather do that later if it's OK] and I didn't set the speed to auto on ethernet1 [the reply was 100Full only option]. I did set ethernet 0 to auto. Here's the rest:
pixfirewall> enable
Password:
pixfirewall# conft
Type help or '?' for a list of available commands.
pixfirewall# conf t
pixfirewall(config)# nameif ethernet0 outside security0
pixfirewall(config)# nameif ethernet1 inside security100
pixfirewall(config)# hostname pix
pix(config)# fixup protocol dns maximum-length 512
pix(config)# fixup protocol ftp 21
pix(config)# fixup protocol h323 h225 1720
pix(config)# fixup protocol h323 ras 1718-1719
pix(config)# fixup protocol http 80
pix(config)# fixup protocol ils 389
pix(config)# fixup protocol rsh 514
pix(config)# fixup protocol rtsp 554
pix(config)# fixup protocol sip 5060
pix(config)# fixup protocol sip udp 5060
pix(config)# fixup protocol skinny 2000
pix(config)# fixup protocol smtp 25
pix(config)# fixup protocol sqlnet 1521
pix(config)# fixup protocol tftp 69
pix(config)# pager lines 24
pix(config)# logging on
pix(config)# logging console errors
pix(config)# logging monitor debugging
pix(config)# logging buffered debugging
pix(config)# mtu outside 1500
pix(config)# mtu inside 1500
pix(config)# ip address outside 192.168.0.1
pix(config)# ip address inside 207.22.0.6 255.255.255.0
pix(config)# ip audit info action alarm
pix(config)# ip audit attack action alarm
pix(config)# pdm history enable
pix(config)# arp timeout 14400
pix(config)# global (inside) 1 interface
inside interface address added to PAT pool
pix(config)# nat (outside) 1 0.0.0.0 0.0.0.0 0 0
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
pix(config)# static (outside,inside) 207.22.0.7 192.168.0.3 netmask 255.255.25$
pix(config)# timeout xlate 3:00:00
pix(config)# timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 $
pix(config)# timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
pix(config)# timeout uauth 0:05:00 absolute
pix(config)# aaa-server TACACS+ protocol tacacs+
pix(config)# aaa-server RADIUS protocol radius
pix(config)# aaa-server LOCAL protocol local
pix(config)# no snmp-server location
pix(config)# no snmp-server contact
pix(config)# snmp-server community public
pix(config)# no snmp-server enable traps
pix(config)# floodguard enable
pix(config)# telnet timeout 60
pix(config)# ssh timeout 60
pix(config)# console timeout 0
pix(config)# terminal width 100
ASKER
Is this a problem?
pix(config)# nat (outside) 1 0.0.0.0 0.0.0.0 0 0
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
Sorry. I changed the configuration and put the wrong keyword in.
The line should be:-
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
So you can just paste the following in :-
no nat (outside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
ASKER
The config took. I wrote it to memory (write mem) and reloaded. Now I was going to hook it up to the PC & the network.
I'm hooking a PC with IP 192.168.0.3 255.255.255.0 to the Ethernet0 (this only works with a crossover cable) and
Ethernet1 I'm plugging into our network (normal cable)
I've tried pinging 207.22.0.7 and 207.22.0.6 from another PC on the network but the hosts are unreachable.
From the PC connected to Ethernet0 I can ping the PIX (192.168.0.1, not 207.22.0.6) but I cannot telnet to the IP. Also I cannot open the browser interface anymore.
There are no access-lists applied yet, so the PC won't be able to be pinged as the replies will be blocked. You should be able to connect to the website running on it, for example.
From the PC you won't be able to contact anything on the other side of the PIX unless you specifically configure it. This is the point of the firewall: to stop people who have connected to the server for administration from being able to then connect to the rest of your network.
If you tell me what services you need this PC to connect to and on what machines I will give you an access-list you can apply.
In the meantime, if you apply the following two lines to the config you should be able to ping the PC from the rest of the network and the PC should be able to ping everything.
access-list outside_in permit icmp any any
access-group outside_in in interface outside
ASKER
symantec virus definitions from a parent server: 207.22.0.10
windows updates from a windows updates server 207.22.0.10
I will apply the last 2 lines now
ASKER
I applied the last 2 lines and entered the commands "write mem" and "reload" but I still cannot ping 207.22.0.6 or 207.22.0.7 from anywhere inside or outside. I can only ping the PIX (192.168.0.1) from the PC outside (Ethernet0, 192.168.0.3).
I'm not sure its relevant but I included the text I see when it boots up:
Cisco PIX Firewall Version 6.3(3)
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10
On the PC can you bring up a DOS window and type "ipconfig /all" and paste the output here.
ASKER
Grblades,
I'm obliged to conceal the actual IPs I'm using, but I can say that we are a class B network (not a class C network as I originally indicated) and I have substituted only equivalent class B network IDs and domain names below. Of course I have been substituting the IPs in the config.
My PC's Windows IP Configuration
Host Name . . . . . . . . . . . . : beachIIIVII
Primary Dns Suffix . . . . . . . : beach.ch
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : beach.ch
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : beach.ch
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0D-56-C3-AF-7A
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 138.187.32.7
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 138.187.1.1
DNS Servers . . . . . . . . . . . : 138.187.1.2
PC outside on Ethernet0
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : beachXXXIxcVII
Primary DNS Suffix . . . . . . . : beach.ch
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Outside:
Connection-specific DNS Suffix . : beach.ch
Description . . . . . . . . . . . : Intel(R) PRO/100+ Server Ad
LA8470B)
Physical Address. . . . . . . . . : 00-90-27-B6-B8-3C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :
> Default Gateway . . . . . . . . . :
> DNS Servers . . . . . . . . . . . :
The default gateway should be defined as 192.168.0.1.
The DNS server should also be configured with the standard DNS you use.
Add the following line to permit the PC to make DNS queries:-
access-list outside_in permit udp any any eq domain
ASKER
I added the gateway and the last line, but now it's stuck. Even after I powered it off and on:
305005: No translation group found for udp src outside:192.168.0.3/1243 dst inside:138.187.1.2/53
305005: No translation group found for udp src outside:192.168.0.3/1243 dst inside:138.187.1.2/53
305005: No translation group found for udp src outside:192.168.0.3/1243 dst inside:138.187.1.2/53
305005: No translation group found for udp src outside:192.168.0.3/1243 dst inside:138.187.1.2/53
305005: No translation group found for udp src outside:192.168.0.3/1243 dst
Can you do a 'show run' and paste the complete config here so I can check it again.
ASKER
pix> enable
Password:
pix# show config
: Saved
: Written by enable_15 at 13:35:28.903 UTC Wed Dec 1 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any
access-list outside_in permit udp any any eq domain
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.1 255.255.255.0
ip address inside 138.187.32.47 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) 138.187.31.97 192.168.0.3 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
Cryptochecksum:1ce40a5fd25 47ac5e578f 3ab6e9f749 1
Sorry about this. I was trying to be clever by calling the interface the 'PC' was on the outside interface but just ended up confusing myself and causing complications.
Here is another PIX configuration with the interfaces renamed (no need to move cables) that should hopefully work.
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 inside security0
nameif ethernet1 outside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip any host 138.187.31.97
access-list outside_in permit icmp any any
access-list inside_in permit udp any any eq domain
access-list inside_in permit icmp any any
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address inside 192.168.0.1 255.255.255.0
ip address outside 138.187.32.47 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 138.187.31.97 192.168.0.3 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group inside_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
ssh timeout 60
console timeout 0
terminal width 100
ASKER
I haven't tried this yet, but we've been at it for a while so I gave you points for this question and I posted the question again and pasted the show config there as well. You can pickup there if you like.
Here are a few links for you to have a look at.
PIX configuration examples - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
PIX configuration basics - http://www.netcraftsmen.net/welcher/papers/pix01.html
PIX ssh configuration - http://www.tech-recipes.com/modules.php?name=Recipes&rx_id=215
My Pages:-
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
PIX as a home DSL firewall - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html
In your situation you would connect one interface to the PC/hardware accepting dial-in connections and the other to your internal network. Then define an access-list to permit only the traffic you want between the modem and your internal network.
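A complete configuration for the set-up described in this thread, added here as an example; it is not taken from any post above. It keeps the PIX convention that the lowest-security interface is the one named outside (the PIX decides which direction is "inbound" from the security levels, not from the names), puts the vendor-serviced PC on that side, and permits only the traffic the asker listed. Assumptions: the addresses are the substituted ones from the thread (PC 192.168.0.3 behind outside 192.168.0.1, corporate side 138.187.32.47/16, DNS server 138.187.1.2, PC published to the LAN as 138.187.31.97); the update server is written as 207.22.0.10 exactly as the asker gave it before switching to class B substitutes, so it must be replaced with the real address; the update and Symantec traffic is assumed to be HTTP/HTTPS and must be adjusted to the ports those services really use. Comment lines start with a colon, which is the comment character the PIX 6.x configuration itself uses.

```text
: Vendor PC side = lowest security (outside); corporate LAN = highest (inside)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
ip address outside 192.168.0.1 255.255.255.0
ip address inside 138.187.32.47 255.255.0.0
: The PC (192.168.0.3) is reachable from the LAN as 138.187.31.97; the PIX
: answers ARP for that address on the inside interface
static (outside,inside) 138.187.31.97 192.168.0.3 netmask 255.255.255.255 0 0
: Corporate hosts keep their real addresses in both directions, so a session
: started from either side finds a translation (no 305005 messages)
static (inside,outside) 138.187.0.0 138.187.0.0 netmask 255.255.0.0 0 0
: What the PC may start toward the LAN: DNS, updates over HTTP/HTTPS
: (207.22.0.10 is a placeholder for the real update server) and ping.
: echo-reply is listed because PIX 6.3 does not track ICMP state, so
: without it LAN hosts cannot ping the PC. Everything else is dropped and logged
access-list outside_in permit udp host 192.168.0.3 host 138.187.1.2 eq domain
access-list outside_in permit tcp host 192.168.0.3 host 207.22.0.10 eq www
access-list outside_in permit tcp host 192.168.0.3 host 207.22.0.10 eq https
access-list outside_in permit icmp host 192.168.0.3 138.187.0.0 255.255.0.0 echo
access-list outside_in permit icmp host 192.168.0.3 138.187.0.0 255.255.0.0 echo-reply
access-list outside_in deny ip any any log
access-group outside_in in interface outside
: LAN -> PC is allowed by the security levels; TCP/UDP replies from the PC are
: matched by the connection table, so no inside access-list is needed unless
: that direction should also be narrowed
: Manage the PIX from the LAN side only
telnet 138.187.0.0 255.255.0.0 inside
```

Two checks before trusting it. First, `show interface` must report both interfaces as up: the asker's own `show config` carries `interface ethernet1 100full shutdown`, which on its own explains why nothing on the corporate side answered. Second, with the thread's `logging buffered debugging` still in place, `show logging` shows every flow the PC attempted that the final deny rejected, which is the quickest way to discover a port the vendor's tools need that is not yet on the list. Prefer SSH over telnet for management once an RSA key has been generated (the PIX SSH recipe linked above covers that); the telnet line is only restricted to the LAN side so that the dial-in PC can never reach the firewall's management plane.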