Solved

How to configure a PIX 501

Posted on 2007-03-19
Last Modified: 2010-04-09
I have a PIX 501 that I was told was set back to default configuration. I want to set it up to use as my local firewall. It doesn't have the DHCP server enabled and I can't seem to get the syntax correct to set it up. I also am unable to log into it through IP even when I set the computer to the correct class C IP address to log into the PIX. I am freely able to get in through the console port. Here is the sho conf:

Home-firewall> en
Password:
Home-firewall# sho conf
: Saved
: Written by enable_15 at 11:09:52.754 UTC Thu Mar 15 2007
PIX Version 6.3(4)
interface ethernet0 auto shutdown
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Home-firewall
domain-name distmirr.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
ip address inside 192.168.200.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.200.106 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:3eb512d1fe8396aaa0895310893aa740
Question by:psd_steve
7 Comments
 

Expert Comment

by:batry_boy
ID: 18753525
You're going to have to submit more information in order for us to give you any meaningful input.  Describe your network topology, IP addressing scheme, what type of traffic you want to allow in/out, and please do this without giving away any sensitive info about your company or environment, i.e. don't post your REAL public IP addresses, pre-shared keys, passwords, etc.

Author Comment

by:psd_steve
ID: 18753536
Sorry I was having issues when I initially sent the question. I think that should help a bit?

Accepted Solution

by:
batry_boy earned 500 total points
ID: 18753581
To get in through telnet, add the following lines from the command line:

telnet 192.168.200.0 255.255.255.0 inside

This will allow you to telnet to it from any host on the 192.168.200.0/24 network.  You can do the same for ssh with:

ca generate rsa key 1024
ca save all
ssh 192.168.200.0 255.255.255.0 inside

The first two lines generate an RSA key needed for ssh to work and then the last line does the same thing as the telnet command above did.

When you telnet to it, you will use the "access" password configured on the PIX.  By default it is "cisco".  Then you can go to enable by typing "enable" and submitting the enable password.  I assume you already know this since you're able to make config changes.

For DHCP, here is a list of the commands you will need to set it up:

dhcpd address 192.168.200.50-192.168.200.70 inside
dhcpd dns 192.168.200.100
dhcpd wins 192.168.200.100
dhcpd domain whatever.com
dhcpd enable inside

This will set your DHCP scope to give out 192.168.200.50-70 for hosts on the inside interface and will set the DNS and WINS servers to 192.168.200.100.  The next command sets the client's DNS domain name.  The last command turns it on on the inside interface.

Hope this helps...
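Added example, not from the thread or from Cisco: a small Python audit of the kind of PIX 6.x config discussed above. It checks the management-access lines (telnet/ssh/http), the SNMP community string, and whether the dhcpd pool fits the inside subnet without handing out the firewall's own address. SAMPLE_CONFIG is a constructed subset of the posted show conf plus the lines the accepted answer adds; the severity labels are my own.

```python
import ipaddress

# Constructed sample: the management and DHCP lines of the posted "show conf"
# plus the lines the accepted answer adds (the rest of the config is omitted).
SAMPLE_CONFIG = """\
ip address inside 192.168.200.1 255.255.255.0
http server enable
http 192.168.200.106 255.255.255.255 inside
snmp-server community public
telnet 192.168.200.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 inside
dhcpd address 192.168.200.50-192.168.200.70 inside
dhcpd dns 192.168.200.100
dhcpd enable inside
"""

def audit_pix_config(text):
    """Return a list of (severity, message) findings for a PIX 6.x config."""
    findings, pools = [], []
    inside_ip = inside_net = None
    for line in text.splitlines():
        p = line.split()
        if p[:3] == ["ip", "address", "inside"] and len(p) == 5:
            inside_ip = ipaddress.ip_address(p[3])
            inside_net = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        # Management access lines look like "<telnet|ssh|http> <net> <mask> <ifname>"
        elif p[:1] and p[0] in ("telnet", "ssh", "http") and len(p) == 4:
            proto, net, mask, ifname = p
            if ifname == "outside":
                findings.append(("high", f"{proto} management open from {net} {mask} on outside"))
            if proto == "telnet":
                findings.append(("medium", f"telnet from {net} {mask} on {ifname} is cleartext; use ssh"))
        elif p[:2] == ["snmp-server", "community"] and len(p) == 3 and p[2].lower() in ("public", "private"):
            findings.append(("medium", f"well-known SNMP community string '{p[2]}' configured"))
        elif p[:2] == ["dhcpd", "address"] and len(p) == 4:
            low, high = (ipaddress.ip_address(a) for a in p[2].split("-"))
            pools.append((low, high, p[3]))
    # DHCP pool sanity: range must be ordered, lie inside the inside subnet,
    # and must not hand out the firewall's own interface address.
    for low, high, ifname in pools:
        if low > high:
            findings.append(("high", f"dhcpd range {low}-{high} is reversed"))
        elif ifname == "inside" and inside_net is not None:
            if low not in inside_net or high not in inside_net:
                findings.append(("high", f"dhcpd range {low}-{high} is outside the inside subnet {inside_net}"))
            elif low <= inside_ip <= high:
                findings.append(("high", f"dhcpd range {low}-{high} includes the inside interface address {inside_ip}"))
    return findings
```

Run it on the output of `sho conf` copied from the console; on the sample above it flags only the `public` community string and the cleartext telnet access, and accepts the 192.168.200.50-70 pool.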

Expert Comment

by:batry_boy
ID: 18753587
I forgot to add a link that will show you the entire syntax of the "dhcpd" command:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1025497


Author Comment

by:psd_steve
ID: 18753602
This looks like what I need. I am trying to get it up now; as soon as I do, the points and my gratitude are yours.

Author Comment

by:psd_steve
ID: 18753679
Excellent! Thank you very much. I greatly appreciate it.

Home-firewall(config)# sho dhcpd stat

Address pools        1
Automatic bindings   1
Expired bindings     0
Malformed messages   0

Message              Received
BOOTREQUEST          0
DHCPDISCOVER         3
DHCPREQUEST          1
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

Message              Sent
BOOTREPLY            0
DHCPOFFER            3
DHCPACK              1
DHCPNAK              0

Expert Comment

by:batry_boy
ID: 18753688
You're welcome...good luck with it!