X-quisite asked on

Cisco PIX 501 configuration

I need help to configure a PIX 501 from scratch. The PIX is currently in factory default mode.

Static WAN IP
Ethernet modem in bridged mode with static IP 192.168.1.1 with DHCP
My internal network is 192.168.50.0 255.255.255.0

I have learned a lot from this forum and have managed to gain some understanding of PIX commands and what they do.

I have set out the configuration that I plan to carry out and require someone to verify/correct the config and also suggest any other commands that I may have omitted.

1) Configure interfaces
      interface ethernet0 10baset
      interface ethernet1 100full
      ip address inside 192.168.50.1 255.255.255.0
      ip address outside pppoe setroute

2) Connect to ISP
      vpdn group ADSL request dialout pppoe
      vpdn group ADSL localname user password password
      vpdn group ADSL ppp authentication chap

3) Configure NAT for inside and outside clients
      nat (inside) 1 0.0.0.0 0.0.0.0 0 0
      global (outside) 1 interface

4) Configure NTP server
      ntp server 130.88.202.49 source outside prefer

5) IP spoofing protection
      ip verify reverse-path interface outside
      ip audit info action alarm
      ip audit attack action alarm

6) Configure remote access to PDM via web browser from the inside interface
      http server enable
      http 0.0.0.0 0.0.0.0 inside

7) Configure telnet access to the PIX, so that I don't have to connect to the PIX with the console
      telnet 192.168.50.0 255.255.255.0 inside

8) Deny SNMP access
      no snmp-server location
      no snmp-server contact
      snmp-server community public
      no snmp-server enable traps

9) Other security commands
      icmp permit any unreachable outside
      flood guard

10) Open ports for inbound traffic
   Define rule
      access-list inbound permit tcp any interface outside eq smtp
      access-list inbound permit tcp any interface outside eq pptp
      access-list inbound permit tcp any interface outside eq 1433
      access-list inbound permit tcp any interface outside eq 3389
      access-list inbound permit tcp any interface outside eq 4122
      access-list inbound permit tcp any interface outside eq ftp
      access-list inbound permit tcp any interface outside eq https
      access-list inbound permit tcp any interface outside eq 444

   Bind to outside interface
      access-group inbound in interface outside

   Forward port traffic to the required server
      static (inside,outside) tcp interface smtp 192.168.50.220 smtp netmask 255.255.255.255
      static (inside,outside) tcp interface pptp 192.168.50.220 pptp netmask 255.255.255.255
      static (inside,outside) tcp interface 1433 192.168.50.220 1433 netmask 255.255.255.255
      static (inside,outside) tcp interface 3389 192.168.50.220 3389 netmask 255.255.255.255
      static (inside,outside) tcp interface 4122 192.168.50.220 4122 netmask 255.255.255.255
      static (inside,outside) tcp interface ftp 192.168.50.220 ftp netmask 255.255.255.255


Thanks
Nazmul
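As an added illustration, not part of the question or of the accepted answer and not a Cisco tool: a small Python script that reads the access-list, access-group, static and management-access lines of a PIX 6.x-style configuration and flags the consistency problems a reviewer of step 10 would look for. On the config in the question it reports that the permits for https and 444 have no matching static (so no inside host receives that traffic), and that the SNMP community is still the well-known default even though the section is titled "Deny SNMP access". The embedded config is a constructed sample copied from the question, and the regexes and finding texts are my own assumptions about the command syntax shown above.

```python
import re
from collections import defaultdict

# Constructed sample (assumption): the NAT, management-access and port-forwarding
# lines from the question, not a complete PIX configuration.
SAMPLE_CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
http server enable
http 0.0.0.0 0.0.0.0 inside
telnet 192.168.50.0 255.255.255.0 inside
snmp-server community public
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq pptp
access-list inbound permit tcp any interface outside eq 1433
access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit tcp any interface outside eq 4122
access-list inbound permit tcp any interface outside eq ftp
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq 444
access-group inbound in interface outside
static (inside,outside) tcp interface smtp 192.168.50.220 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.50.220 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.50.220 1433 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.50.220 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 4122 192.168.50.220 4122 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.50.220 ftp netmask 255.255.255.255
"""

# Patterns for the statement shapes used in the question (assumed PIX 6.x syntax).
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any interface (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask \S+$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
MGMT_RE = re.compile(r"^(http|telnet|ssh) (\S+) (\S+) (\S+)$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)$")


def parse(config_text):
    """Extract only the statement types the audit needs."""
    acls = defaultdict(list)   # acl name -> [(proto, interface, port)]
    statics = set()            # {(proto, outside interface, outside port)}
    bound = {}                 # interface -> acl name applied inbound on it
    mgmt = []                  # [(service, source ip, mask, interface)]
    communities = []           # SNMP community strings
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, proto, iface, port = m.groups()
            acls[name].append((proto, iface, port))
        elif m := STATIC_RE.match(line):
            _inside, outside, proto, oport, _host, _iport = m.groups()
            statics.add((proto, outside, oport))
        elif m := GROUP_RE.match(line):
            name, iface = m.groups()
            bound[iface] = name
        elif m := MGMT_RE.match(line):
            mgmt.append(m.groups())
        elif m := SNMP_RE.match(line):
            communities.append(m.group(1))
    return acls, statics, bound, mgmt, communities


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    acls, statics, bound, mgmt, communities = parse(config_text)
    findings = []
    for name, entries in acls.items():
        # An access-list that is never applied with access-group filters nothing.
        if name not in bound.values():
            findings.append(f"access-list {name} is never applied with access-group")
        # A permit to the outside interface without a static is dead: no inside
        # host is mapped to that port, so the traffic has nowhere to go.
        for proto, iface, port in entries:
            if (proto, iface, port) not in statics:
                findings.append(f"access-list {name}: permit {proto}/{port} to interface "
                                f"{iface} has no matching static")
    # The reverse: a static that the bound access-list never permits is blocked
    # by the default deny, which is usually a forgotten rule rather than intent.
    for proto, iface, port in statics:
        name = bound.get(iface)
        if name is None or (proto, iface, port) not in acls.get(name, []):
            findings.append(f"static {proto}/{port} on {iface} is not permitted by the "
                            f"access-list bound to that interface")
    # Management access should stay on the inside interface only.
    for service, _src, _mask, iface in mgmt:
        if iface != "inside":
            findings.append(f"{service} management access is allowed from interface {iface}")
    # Well-known SNMP community strings are equivalent to no authentication.
    for community in communities:
        if community.lower() in ("public", "private"):
            findings.append(f"snmp-server community '{community}' is a well-known default")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
```

The script only understands the `interface`-style statics and access-list entries used in the question; real configs with host-based statics, port ranges or object-groups would need more patterns, but the three checks (permit without static, static without permit, default SNMP community) are the same ones a reviewer applies by hand.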

Last comment by X-quisite, 8/22/2022 (Mon)
ASKER CERTIFIED SOLUTION
batry_boy

X-quisite (ASKER)
batry_boy,

Thank you for the verification.
I will try the config and post you with the update.
 
"Why are you issuing the command "icmp permit any unreachable outside"?"
I actually don't know what this does; I just copied it from someone else's config.
What does this do and what would be its use?

thanks

