Where can I find a cram guide to configuring Cisco PIX firewalls, specifically the 515e?

Ok, here is the deal. I have never touched a PIX firewall before. I work for a small company (300-400 users approx.). We are changing ISPs in two weeks. This means our external IPs are changing, and those that point to the VPN, mail server, DNS servers etc. Anyhow, I need to find some cram material to help me understand the config file. It doesn't even need to be cram material, just clear descriptions of what does what. I've got two weeks to figure this out, and I want it to go as smoothly as possible.
I appreciate ANY help whatsoever!
Thanks,
-chipTM
corphealth Asked:

lrmoore Commented:
-- fairly old version. Most current for 515e is 7.21
-- Most recent 6.x is 6.3(5)
PIX Version 6.1(4)

-- name "inside | outside | dmz" used throughout to refer to the interfaces. Can be changed
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

-- default fixups that inspect specified traffic for layer 4+ protection (deep packet inspection)
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 5
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

-- access-list to define traffic to be encrypted (applied to crypto map below)
access-list ipsec permit ip <local subnet> mask <remote subnet> mask

-- access-list to permit unsolicited inbound traffic to internal/dmz hosts
access-list 101 permit tcp any host <public host> eq smtp
access-list 101 permit tcp any host <public host> eq www
access-list 101 permit tcp any host <public host> eq 443
access-list 101 permit tcp any host <public host> eq ftp
access-list 101 permit tcp any host <public host> eq www
access-list 101 permit tcp any host <public host> eq 443
access-list 101 permit tcp any host <public host> eq domain
access-list 101 permit udp any host <public host> eq domain
access-list 101 permit tcp any host <public host> eq 1723
access-list 101 permit gre any host <public host>
access-list 101 permit tcp any host <public host> eq 3389
access-list 101 permit tcp any host <public host> eq 3389
access-list 101 permit tcp any host <public host> eq 3389
access-list 101 permit tcp any host <public host> eq domain
access-list 101 permit udp any host <public host> eq domain

-- define traffic that will bypass nat (vpn traffic)
access-list nonat permit ip <local subnet> mask <remote subnet> mask
access-list nonat permit ip <local subnet> mask <remote subnet> mask

-- define traffic that is allowed from dmz
access-list dmz permit gre host any
access-list dmz permit tcp host any eq 1723
access-list dmz permit udp host any eq domain
access-list dmz permit tcp host any eq domain
access-list dmz permit udp host any eq domain
access-list dmz permit tcp host any eq domain
access-list dmz permit icmp
access-list dmz permit tcp eq 88
access-list dmz permit udp eq 88
access-list dmz permit udp eq ntp
access-list dmz permit tcp eq 135
access-list dmz permit tcp eq 389
access-list dmz permit udp 0 eq 389
access-list dmz permit tcp eq 445
access-list dmz permit tcp eq 3268
access-list dmz permit tcp eq 69

-- set the interfaces enabled | shutdown | auto neg speed/duplex
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

-- assign ip addresses to interfaces
ip address outside <public ip> <mask>
ip address inside 172.16.16.x <mask>
ip address dmz a.b.c.d <mask>

-- set up a global nat pool (public IPs to service internal NAT clients)
global (outside) 1 <ip address-ip address> netmask <mask>

-- apply the no-nat acl to the nat process "0" to bypass nat for the VPNs
nat (inside) 0 access-list nonat

-- define which inside hosts can use global group "1"
nat (inside) 1
nat (inside) 1

-- define which dmz hosts can use global nat group 1
nat (dmz) 1

-- individual 1-to-1 static public ip --> private IP NAT mappings
static (inside,outside) <public ip> <private ip> netmask 255.255.255.255 0 0
static (inside,outside) netmask
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
static (dmz,outside) netmask 0
static (dmz,outside) netmask 0 0

-- apply the acls to the interfaces
access-group 101 in interface outside
access-group dmz in int

-- set up static routing
route outside 0.0.0.0 0.0.0.0 a.b.c.d  <== default route
route inside
route inside

-- define inside tftp server where config will be written with "write net" command
tftp-server inside 172.16.18.6 pix.bin

-- default
floodguard enable

-- allow IPSEC vpn and PPTP traffic to bypass outside acls (acl 101)
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat

-- define VPN traffic and encryption algorithm to be used
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map rtpmap 10 ipsec-isakmp
crypto map rtpmap 10 match address ipsec <== defined above
crypto map rtpmap 10 set peer <peer IP>
crypto map rtpmap 10 set transform-set myset
crypto map rtpmap 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map rtpmap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

-- allow any host on this inside subnet to telnet to this PIX
telnet 172.16.16.0 255.255.240.0 inside

What else do you need to know?
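As an added example (not from lrmoore's answer, and not Cisco tooling), a small Python helper for the asker's ISP-change task: it walks a constructed PIX 6.x excerpt in the shape of the annotated config above, lists every line carrying an address from the old ISP block together with the section it belongs to (outside interface, NAT pool, statics, inbound ACL, default route), and rewrites only whole IPv4 tokens so masks, inside RFC 1918 addresses and the VPN peer are left alone. The sample addresses are RFC 5737 documentation ranges standing in for the real ones.

```python
import re
from typing import Dict, List, Tuple

# Constructed PIX 6.x excerpt mirroring the sections of the config above.
# 192.0.2.0/24 stands in for the old ISP block; 203.0.113.5 is a VPN peer.
OLD_CONFIG = """\
ip address outside 192.0.2.10 255.255.255.0
ip address inside 172.16.16.1 255.255.240.0
global (outside) 1 192.0.2.20-192.0.2.30 netmask 255.255.255.0
nat (inside) 1 172.16.16.0 255.255.240.0 0 0
static (inside,outside) 192.0.2.40 172.16.16.25 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 192.0.2.40 eq smtp
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
crypto map rtpmap 10 set peer 203.0.113.5
isakmp key ******** address 203.0.113.5 netmask 255.255.255.255
telnet 172.16.16.0 255.255.240.0 inside
"""

# Commands whose addresses come from the ISP-assigned block, keyed on the
# leading keyword(s) so each hit is reported with the section it sits in.
ISP_SECTIONS = {
    "ip address outside": "outside interface address",
    "global": "NAT pool",
    "static": "1-to-1 static mapping (public side)",
    "access-list": "inbound ACL target",
    "route outside": "default gateway",
}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def find_isp_references(config: str, old_prefix: str) -> List[Tuple[int, str, str]]:
    """Return (line number, section, line) for each line that names an
    address inside old_prefix, given as a dotted prefix such as '192.0.2.'."""
    hits = []
    for num, line in enumerate(config.splitlines(), start=1):
        if not any(a.startswith(old_prefix) for a in IPV4.findall(line)):
            continue
        section = next((s for k, s in ISP_SECTIONS.items() if line.startswith(k)), "other")
        hits.append((num, section, line))
    return hits


def rewrite_addresses(config: str, mapping: Dict[str, str]) -> str:
    """Replace whole IPv4 tokens according to mapping; every other token
    (masks, inside addresses, the VPN peer) passes through unchanged."""
    return IPV4.sub(lambda m: mapping.get(m.group(1), m.group(1)), config)
```

Run the finder before the cutover to get the checklist of lines to change, then the rewriter with the old-to-new map, and diff the result against the saved config before pasting it in.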
 
Pete Long (Technical Consultant) Commented:
Hello m8

Your best bet is to mask out the IP addresses (and anything identifiable) and post the config here; one of the Experts will explain what each line/section is doing.
 
lrmoore Commented:
Here's the best place to start:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63qsg/515quick.pdf

It really depends on what version of PIX OS you have, 6.x or 7.x.
There is a HUGE difference between the two.
 
corphealth (Author) Commented:
Here is the config with IPs and encrypted passwords removed.
http://chipthamac.onlinestoragesolution.com/PIX.Version.6.for.EE.doc
The password to open it is Experts@900
 
corphealth (Author) Commented:
Let me mull over that to see if I have any questions.  Thanks for all your help so far!
-chipTM
 
bilbus Commented:
Why not use the PDM GUI?
 
corphealth (Author) Commented:
bilbus, well I was going to ask what the PDM GUI was, but I called my good friend Google instead. I see that this is the PIX Device Manager, and of course GUI is 'what you look at'.
In any case, I will still need to understand the settings. This does look pretty good, but I always hear it's good to know the cmd line parameters as well.
Thanks, I will look into this GUI right now.
Oh, PS: I have like one week to figure this all out.
Wish me luck (and be on standby Friday night, ha, jp).
 
corphealth (Author) Commented:
Ok, so how do I get to this PDM? I go to https://pix_inside_ip and it says the page cannot be displayed. I have made sure it's enabled via the http server enable cmd, and still nothing.
On a show ver I have

Cisco PIX Device Manager Version 1.1(2)

That should be good enough to use the PDM, right?
It's a 515E btw.