pixfirewall#show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP),
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool
vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#
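As an added example that is not part of the Cisco listing above (my own check, not a Cisco tool): a small Python audit that scans a PIX `show run` listing for the settings in this configuration that a reviewer would flag, namely single-DES and MD5 in the IKE policies and ESP transform, DH group 1, the default `public` SNMP community, a pre-shared key bound to 0.0.0.0, and ACL entries that admit every TCP/UDP port from any source. The sample excerpt is constructed from the directives above.

```python
import re

# Constructed excerpt of a PIX 6.3 running-config, using the same directives as the listing above.
SAMPLE_CONFIG = """\
access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131
snmp-server community public
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
crypto ipsec transform-set myset esp-des esp-md5-hmac
"""

# Each check: (finding id, regex applied to one stripped config line, description of the risk).
CHECKS = [
    ("acl-any-source-full-port", re.compile(r"^access-list \S+ permit (tcp|udp) any host \S+$"),
     "ACL admits every TCP/UDP port from any source to a host; restrict to the needed ports"),
    ("snmp-default-community", re.compile(r"^snmp-server community (public|private)$"),
     "default SNMP community string"),
    ("isakmp-wildcard-psk", re.compile(r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$"),
     "one pre-shared key accepted from any peer address"),
    ("isakmp-weak-encryption", re.compile(r"^isakmp policy \d+ encryption des$"), "single DES in IKE policy"),
    ("isakmp-weak-hash", re.compile(r"^isakmp policy \d+ hash md5$"), "MD5 in IKE policy"),
    ("isakmp-weak-dh-group", re.compile(r"^isakmp policy \d+ group 1$"), "768-bit DH group 1 in IKE policy"),
    ("ipsec-weak-transform", re.compile(r"^crypto ipsec transform-set \S+ .*\besp-des\b"), "single DES ESP transform"),
]

def audit_pix_config(text):
    """Return one (line_no, finding_id, line, description) tuple per matching config line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):   # skip blank lines and !--- comments
            continue
        for fid, pattern, desc in CHECKS:
            if pattern.search(line):
                findings.append((n, fid, line, desc))
    return findings

def finding_ids(text):
    """Sorted set of distinct finding ids, handy for a summary."""
    return sorted({f[1] for f in audit_pix_config(text)})
```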