I need help to configure a PIX 501 from scratch. The PIX is currently in factory default mode.
Static WAN IP
Ethernet modem in bridged mode with static IP 192.168.1.1 with DHCP
My internal network is 192.168.50.0 255.255.255.0
I have learned a lot from this forum and have managed to gain some little understanding of pix commands and what it does.
I have set out the configuration that I plan to carry out and require someone to verify/correct the config and also suggest any other commands that I may have omitted.
1) Configure interfaces
interface ethernet0 10baset
interface ethernet1 100full
ip address inside 192.168.50.1 255.255.255.0
ip address outside pppoe setroute
2) Connect to ISP
vpdn group ADSL request dialout pppoe
vpdn group ADSL localname user password password
vpdn group ADSL ppp authentication chap
3) Configure NAT for inside and outside clients
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
4) Configure NTP server
ntp server 130.88.202.49 source outside prefer
5) IP spoofing protection
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
6) Configure Remote access to PDM via web browser from the inside interface
http server enable
http 0.0.0.0 0.0.0.0 inside
7) Configure telnet access to the PIX, so that I don't have to connect to the PIX with the console
telnet 192.168.50.0 255.255.255.0 inside
8) Deny SNMP access
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
9) Other security commands
icmp permit any unreachable outside
flood guard
10) Open ports for inbound traffic
Define rule
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq pptp
access-list inbound permit tcp any interface outside eq 1433
access-list inbound permit tcp any interface outside eq 3389
access-list inbound permit tcp any interface outside eq 4122
access-list inbound permit tcp any interface outside eq ftp
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq 444
Bind to outside interface
access-group inbound in interface outside
Forward Port traffic to Required server
static (inside,outside) tcp interface smtp 192.168.50.220 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.50.220 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.50.220 1433 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.50.220 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 4122 192.168.50.220 4122 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.50.220 ftp netmask 255.255.255.255
Thanks
Nazmul
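Added example (not from the original post or from Cisco): a small Python lint that reads PIX 6.x-style lines like the ones above and reports access-list permits that have no matching static translation (in the post, https and 444 are permitted but never translated), statics with no permit, and management settings worth a second look. The embedded config is a constructed subset of the post's config; PIX_CONFIG and audit are names chosen here.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a subset of the "inbound" rules, statics and
# management lines from the post above.
PIX_CONFIG = """
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq 1433
access-list inbound permit tcp any interface outside eq https
access-list inbound permit tcp any interface outside eq 444
access-group inbound in interface outside
static (inside,outside) tcp interface smtp 192.168.50.220 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.50.220 1433 netmask 255.255.255.255
snmp-server community public
telnet 192.168.50.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any interface outside eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")


def audit(config: str) -> Dict[str, List[str]]:
    """Return findings keyed by check name; an empty list means the check passed."""
    acl_ports: Set[Tuple[str, str]] = set()      # (proto, port) permitted inbound
    static_ports: Set[Tuple[str, str]] = set()   # (proto, port) with a port forward
    findings: Dict[str, List[str]] = {
        "acl_without_static": [], "static_without_acl": [], "weak_management": []}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acl_ports.add((m.group(2), m.group(3)))
            continue
        m = STATIC_RE.match(line)
        if m:
            static_ports.add((m.group(1), m.group(2)))
            continue
        # Default SNMP community string, or management access opened on outside.
        if line.startswith("snmp-server community public"):
            findings["weak_management"].append(line)
        if (line.startswith("telnet ") or line.startswith("http ")) and " outside" in line:
            findings["weak_management"].append(line)
    # A permit with no static means the rule does nothing: nothing is translated.
    for proto, port in sorted(acl_ports - static_ports):
        findings["acl_without_static"].append(f"{proto}/{port}")
    # A static with no permit is not reachable, but still reveals intent mismatch.
    for proto, port in sorted(static_ports - acl_ports):
        findings["static_without_acl"].append(f"{proto}/{port}")
    return findings
```

Run `audit(PIX_CONFIG)` against the full post's config to see the two permits (https, 444) that have no static behind them.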
Thank you for the verification.
I will try the config and post you with the update.
"why you are issuing the command 'icmp permit any unreachable outside'"
I actually don't know what this does; I just copied it from someone else's config.
What does this do and what would be its use?
thanks