Help understanding PiX 506 running config - 500 points for quick anwser

Posted on 2008-10-08
Last Modified: 2008-10-08
Good Morning experts

The company I work are changing their ISP which means I need to reconfigure our PIX 506 firewall I am complete novice with firewalls but I have knowledge of network, Cisco router and switches.

I need help understanding the running config of our Pix the print out is listed below.

I take it that when we change ISP our external IP address will change and this will need to be reflexed in the firewall configuration ?

1.) ip address outside "This is our ISP IP number"
     ip address inside "This is our internal network number"

2.) "What does this line mean" -  ip local pool pool2

3.) "What does this line mean" - global (outside) 1

4.) "What does this line mean" - - nat (inside) 1 0 0
 and why would it have asub net mask  of when our internal address range has a subnet mask of

5.) What does this line mean is our smtp\spam filter - - static (inside,outside) netmask 0 0
6.) What do these line mean - and are satalite office connected via a WAN
access-group mail in interface outside
route outside 1
route inside 1
route inside 1

7.) What does "access-list mail permit tcp any host eq smtp" mean

8.) any info on the rest of the config I know part of it is for VPN but we don't use that anymore..

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lDQ1e86P2tr0BHxt encrypted
passwd B0xTh6IPomovnN3d encrypted
hostname manorpark
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
no fixup protocol h323 1720
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol skinny 2000
access-list mail permit tcp any host eq smtp
pager lines 24
logging on
logging buffered errors
logging trap notifications
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool pool2
no pdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
access-group mail in interface outside
route outside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 50400
vpngroup wisevpn address-pool pool2
vpngroup wisevpn dns-server
vpngroup wisevpn wins-server
vpngroup wisevpn default-domain
vpngroup wisevpn idle-time 1800
vpngroup wisevpn password ********
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80
Question by:ise438

Accepted Solution

callyp earned 500 total points
ID: 22667519
1. you just need to replace existing IP's with new IP's. take backup of config and replace.
2. This is you local LAN IP range pool used for vpn
3.  Any LAN IP will be translated to this IP while going outside (to internet)
4. Translate internal LAN IP address. you can change it to that, just someone has allowed as it in class A
5. Internet SMTP server IP translated (NAT) to public IP. static nat.
6. Router to outside and branch offices to inside while connecting to LAN.
7. Rule to allow SMTP port 25 to that IP.
8. if not using then just disable isakmp, later can again be enabled if reuqired. keep configs.

Author Comment

ID: 22667756
Fantastic reply

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco 2960 PACL 9 93
Can Cisco resolve internet address internally 4 31
Cisco vlan question 12 63
DHCP on ASA 3 51
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now