• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 390
  • Last Modified:

Help understanding PiX 506 running config - 500 points for quick anwser

Good Morning experts

The company I work are changing their ISP which means I need to reconfigure our PIX 506 firewall I am complete novice with firewalls but I have knowledge of network, Cisco router and switches.

I need help understanding the running config of our Pix the print out is listed below.

I take it that when we change ISP our external IP address will change and this will need to be reflexed in the firewall configuration ?

1.) ip address outside "This is our ISP IP number"
     ip address inside "This is our internal network number"

2.) "What does this line mean" -  ip local pool pool2

3.) "What does this line mean" - global (outside) 1

4.) "What does this line mean" - - nat (inside) 1 0 0
 and why would it have asub net mask  of when our internal address range has a subnet mask of

5.) What does this line mean is our smtp\spam filter - - static (inside,outside) netmask 0 0
6.) What do these line mean - and are satalite office connected via a WAN
access-group mail in interface outside
route outside 1
route inside 1
route inside 1

7.) What does "access-list mail permit tcp any host eq smtp" mean

8.) any info on the rest of the config I know part of it is for VPN but we don't use that anymore..

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password lDQ1e86P2tr0BHxt encrypted
passwd B0xTh6IPomovnN3d encrypted
hostname manorpark
domain-name wisemanlee.co.uk
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
no fixup protocol h323 1720
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol skinny 2000
access-list mail permit tcp any host eq smtp
pager lines 24
logging on
logging buffered errors
logging trap notifications
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool pool2
no pdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
access-group mail in interface outside
route outside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 50400
vpngroup wisevpn address-pool pool2
vpngroup wisevpn dns-server
vpngroup wisevpn wins-server
vpngroup wisevpn default-domain wisemanlee.co.uk
vpngroup wisevpn idle-time 1800
vpngroup wisevpn password ********
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80
1 Solution
1. you just need to replace existing IP's with new IP's. take backup of config and replace.
2. This is you local LAN IP range pool used for vpn
3.  Any LAN IP will be translated to this IP while going outside (to internet)
4. Translate internal LAN IP address. you can change it to that, just someone has allowed as it in class A
5. Internet SMTP server IP translated (NAT) to public IP. static nat.
6. Router to outside and branch offices to inside while connecting to LAN.
7. Rule to allow SMTP port 25 to that IP.
8. if not using then just disable isakmp, later can again be enabled if reuqired. keep configs.
ise438Author Commented:
Fantastic reply
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now