pixfirewall#show run7 w$ [9 H8 \: H) e. ]: ]+ N
: Saved2 I) U- p4 V" W& h6 }
:
7 S; s, q' D4 q8 O3 y UPIX Version 6.3(3)& y# W0 k* K9 Q: Z
interface ethernet0 100full
5 o* f6 B) ^% ?, l; s0 Kinterface ethernet1 100full
! s8 `# \7 |+ K% ^/ Xnameif ethernet0 outside security0
2 H7 @! Q7 N* f. jnameif ethernet1 inside security100
Q) |8 t% c0 fenable password 8Ry2YjIyt7RRXU24 encrypted( A9 U5 K, s- S2 t
passwd 2KFQnbNIdI.2KYOU encrypted
) _3 V' I2 n9 ^) P( `& g5 G+ Whostname pixfirewall
! d* y( [4 F0 t3 J- I, N2 jfixup protocol dns maximum-length 512; Y2 N- `/ Y3 {) _6 ]0 D v9 ~: I+ X
fixup protocol ftp 21
0 S1 j6 r* m: F+ I* T; efixup protocol h323 h225 17208 Q* _6 E6 w. Z# B# w/ c7 G ^5 Q! T
fixup protocol h323 ras 1718-1719
+ {8 n: b5 C. R6 ~$ Bfixup protocol http 80/ X* `' q. ]3 O, e6 W
fixup protocol rsh 514
, V. d; w( B8 s: b! Ffixup protocol rtsp 554 K# ^9 p* Z4 F- o/ C
fixup protocol sip 5060
/ ]" r P) |9 ?, H9 P( p+ Zfixup protocol sip udp 5060
0 h F* K/ W+ }3 ~6 K3 l7 jfixup protocol skinny 2000% |! l& E k% j: w8 d
fixup protocol smtp 25
; ^! T6 G! R, w5 @fixup protocol sqlnet 1521/ B! M, I8 A: N- I) M. N
fixup protocol tftp 699 m- y5 r `; F
names. Y: K% ?* x4 J- a1 O
$ i4 V/ B) n* e$ L7 J N
!--- Do not use Network Address Translation (NAT) for inside-to-pool( W2 i- g9 Y) t& h0 x
!--- traffic. This should not go through NAT.
, U4 M$ Y' g$ |1 u5 Y$ J6 ^; c
9 e8 |* ~2 {. Raccess-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240* K5 K' K* K4 y, t( X4 D
9 X/ t$ {) s) Y+ E5 w: M3 j) z" [6 Q- ~
!--- Permits Internet Control Message Protocol (ICMP)
' N4 G" m6 f& y1 [/ u; M) R!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)& c( l6 |- U& ^4 q( C
!--- traffic from any host on the Internet (non-VPN) to the web server.
: ~ Q) f, W+ t' @
6 J6 I" a0 C" Q: f) Faccess-list 120 permit icmp any host 10.89.129.1311 H' f, C2 T4 Q# U4 ~1 n0 }
access-list 120 permit tcp any host 10.89.129.131
6 d+ @% U; \ j4 ?' H3 T0 ]access-list 120 permit udp any host 10.89.129.131- }$ k. `; F. w. ?3 D" W. Q
3 d/ j7 L. o/ I) H5 k. B5 S
pager lines 24; a, n# d: B( H) X$ @( n$ N/ A7 d8 @: O, R
mtu outside 1500
. X8 N, u6 A% |0 s& ~mtu inside 1500
0 _1 ]9 d6 b. w7 Aip address outside 192.168.1.1 255.255.255.0
, d \- p* z' [2 \4 f0 Sip address inside 10.89.129.194 255.255.255.240
4 u+ x0 O0 c, w7 nip audit info action alarm
$ G3 \. M; F# ]ip audit attack action alarm/ j8 L) d+ g) B: I$ {7 a
5 V5 h4 {/ h( q) m$ ~!--- Specifies the inside IP address range to be assigned, [' V; a4 Y1 Y- a3 K
!--- to the VPN Clients.
8 @" O3 a; u* a' ^% _5 r
. R$ d3 r+ H3 ^& m6 Gip local pool VPNpool 10.89.129.200-10.89.129.204
" Q8 I8 C m, w! y. Bno failover
) p& x, ?5 z$ V( o4 i% k* Cfailover timeout 0:00:00
! S5 p; U- d- L u- Nfailover poll 15) M G! H0 d8 ?; Y0 K/ g g
no failover ip address outside
$ _7 a1 x7 @% j# Gno failover ip address inside1 x1 U, y' u$ \' p0 V4 N: b. R
pdm history enable" ^+ v, n8 c, {+ R( S K
arp timeout 14400
& ~1 S: @" }9 W" E. u+ n) J5 q ?+ w! O6 B: x2 I, ^
!--- Defines a pool of global addresses to be used by NAT.
, v4 g9 S6 |. Q9 G" s" q
0 ] O( s) j1 Rglobal (outside) 1 192.168.1.6-192.168.1.109 t! T; E, m* |8 B g
7 G& W# a* ^. K2 W# e) _& X
nat (inside) 0 access-list 101
. w7 x6 Q/ D; x3 Ynat (inside) 1 0.0.0.0 0.0.0.0 0 0' V. x7 o) I6 u1 G. @
6 r O% o/ p+ ^) `6 g$ g
!--- Specifies which outside IP address to apply to the web server.9 v! ^' r# Q/ q {$ C
0 z: } d {6 T1 [) ustatic (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0
2 ]4 I& E7 G4 e$ i2 b
7 I6 S, ]8 u5 }# \# H1 h! X# ^!--- Apply ACL 120 to the outside interface in the inbound direction.! d- L# F* s5 ~% y7 ]) M# [- Y- S
" _2 [$ z( f E, S( o0 D' g6 P$ Iaccess-group 120 in interface outside: v o+ y- }0 b* o% \ H! L3 a
: u" n! P% m9 H5 m+ E& a!--- Defines a default route for the PIX.
, ~6 n( ?: N! v7 B4 V
. A# t2 A3 |# L2 broute outside 0.0.0.0 0.0.0.0 192.168.1.3 1
& t9 r* \0 G% l t* `0 e$ \/ e5 P0 A$ r% P9 ?5 _& X" u
!--- Defines a route for traffic within the PIX's$ J/ O4 K9 r3 s& Q# r
!--- subnet to reach other inside hosts.
: e. l7 K' Z$ u, @2 u3 O
" F ?+ s/ ]6 t- c3 Lroute inside 10.89.129.128 255.255.255.128 10.89.129.193 1
5 c' @6 t/ `, h) E+ d9 x, G4 J8 C% D6 W" D+ q5 m+ I
timeout xlate 3:00:003 V9 }4 A4 I2 p; M. H" y6 \
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
0 ~9 O% Z, m5 q# K2 n+ z* `# w( ]1 |6 ntimeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
* v4 O* h; N7 z j3 btimeout uauth 0:05:00 absolute
2 J; ~! x- t( g( daaa-server TACACS+ protocol tacacs+
/ h, M' W3 T( |: |7 L" \5 k% ?! ?aaa-server RADIUS protocol radius- s$ Q! V7 ?4 P8 C* L# A ?
aaa-server LOCAL protocol local3 Z2 v N- Y5 w. p- y! ]
( m. h7 A/ L% [0 h. m8 m5 }, W! k
!--- Authentication, authorization, and accounting (AAA)
* |: K1 q6 ^" n!--- statements for authentication. Method AuthInbound uses TACACS+.5 R1 B9 k* q# ~) e R) u
. R2 a3 V5 H6 R; i" jaaa-server AuthInbound protocol tacacs+
7 k5 E, N/ w* _5 x
, A1 m( m b2 H!--- Specify the TACACS+ server and key." C/ Z& u/ [7 n* h# _$ b3 d, f
; [0 b& Q( l% N* g' s
aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10! H8 A3 @8 |9 e
9 c! d; C4 |1 ^& P" J0 C
!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.5 p% P4 W6 Q; D$ G0 g+ a
1 x$ u) [& p* O: @( J4 ?
aaa authentication include http outside
# F. }: H( |& z! t10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound2 ?! ?5 L0 Q- ]3 }1 m; o/ q- x
& i$ S3 Z/ p6 Zaaa authentication include ftp outside
$ y7 ?/ x& n: T N 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound; W( X9 {/ C3 G* g$ P' x( P
: J: H* W1 ~$ \aaa authentication include telnet outside
. C7 S6 L6 M6 Z3 j10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
7 \0 k7 p t3 s( R6 Z
6 m# d- ^8 y% x! e4 o5 V" z( eno snmp-server location
4 T M7 [$ @# `; l8 Z& V1 Bno snmp-server contact
$ g7 {% ?+ E8 S0 ^4 Z0 i: w1 |snmp-server community public
; B0 k- r$ H k5 zno snmp-server enable traps
% m; W" d& n m! f8 K' G9 \# m+ Vfloodguard enable+ ^4 N4 V3 X: x
{* y t1 q( [9 y: G1 Q!--- Trust IPSec traffic and avoid going through ACLs/NAT.
& P: ?, M8 O$ R0 ~. p
' A# U" E9 `8 U# Jsysopt connection permit-ipsec" |7 b2 n2 K) r6 M1 U' c1 g
7 D, z. T3 h) q!--- IPSec and dynamic map configuration.' D' D* d4 k& K, K+ C& N' z
$ Z+ Q5 N7 }) W2 n9 C. lcrypto ipsec transform-set myset esp-des esp-md5-hmac
9 |- x+ b9 T, b$ i5 Y+ ecrypto dynamic-map dynmap 10 set transform-set myset; u% w# Q+ s7 O8 R
crypto map mymap 10 ipsec-isakmp dynamic dynmap
/ }' ~- r* l, N3 A) B0 t5 H
/ ^. `7 e6 p5 H5 w4 m7 x4 J!--- Assign IP address for VPN 1.1 Clients.
' U$ b1 W8 p' f0 `" {$ P7 s" R S8 f0 ]- V
crypto map mymap client configuration address initiate
7 ^, L! D7 c3 Z Dcrypto map mymap client configuration address respond4 g; V1 }& m- S1 @4 G
! a g' @" u- @!--- Use the AAA server for authentication (AuthInbound).
/ v E: s) p5 A5 b5 p, u, h/ J
- f, O& z' N& U! Ycrypto map mymap client authentication AuthInbound
" o( [6 _ j! X& t7 I; G( k5 J/ r- P5 q4 k6 K% @
!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.! m/ Q4 R! t, F4 F
( S- s, n8 {/ b# U2 Ncrypto map mymap interface outside
0 W% P* g: k8 H+ i, L" n9 n$ {! Qisakmp enable outside
2 i0 z! y) D4 P! z5 m
3 C/ ~$ N, @: S/ ?" r0 f!--- Pre-shared key for VPN 1.1 Clients.
! f% Z: p/ c b, v0 {3 W4 M- i6 N4 J- B; ?* `, {
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0! Y# J; ?6 b9 K7 j. g- q- {
isakmp identity address
: _# O: K/ K& |' L# G: T8 T
9 b" Y- B0 v6 j! h0 ]' h* |. j, h!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.
; [$ E& d' {% V2 q) {! {- m' C1 Z( ?" U" H( B2 D7 b6 [( G
isakmp client configuration address-pool local VPNpool outside. F1 J1 e# \& _7 S9 h+ B1 v( z: v) U
8 W3 P# K- @8 f7 S7 J
!--- ISAKMP configuration for VPN Client 3.x/4.x.; D, A% s; L4 j1 t9 x9 [9 }
) ]$ I7 ~( h8 Q1 Z, pisakmp policy 10 authentication pre-share7 a( i3 o' A& l8 |/ G
isakmp policy 10 encryption des
: Q* L% T* `/ w3 a0 D- ?7 }' n0 Nisakmp policy 10 hash md5
5 ?4 V7 g: _4 h* visakmp policy 10 group 2
! h# R5 \9 U* R2 Jisakmp policy 10 lifetime 864007 J5 S6 @" n9 `- Z
- b3 w4 A' P2 _
!--- ISAKMP configuration for VPN Client 1.x.. s% X; G: v V- l6 j# {& r
4 |. U6 ~4 _- A( X" `$ c1 D$ ]isakmp policy 20 authentication pre-share! R0 z# j- x3 b% [! N/ b
isakmp policy 20 encryption des2 [8 k) M* I, K" b) e, w4 V' a# b
isakmp policy 20 hash md5
2 D" x( {8 B3 Tisakmp policy 20 group 1
2 s: F# z3 \ n& D' B4 \isakmp policy 20 lifetime 86400+ l" S( W) q& z* Z- Q
, v# H% G4 ]# T# F!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.
0 D! J) j m" U/ L+ f1 u- R3 L t1 ?$ W
vpngroup vpn3000 address-pool VPNpool
% s- h, _& K4 P% _2 U; Q# h/ ~: P, S( q& D5 B" ]- i
vpngroup vpn3000 idle-time 1800
9 T4 t) z* [: P
# R4 W( Y2 [* ]8 `4 M. w
% E/ Y% D* Q# R3 E, @!--- Group password for VPN Client 3.x/4.x (not shown in configuration).+ _9 b; |* u5 _1 H$ R
; r0 R" R1 L% |; svpngroup vpn3000 password ********' \( K, l/ G: Y, Z" x
telnet timeout 5+ r1 \9 i8 W$ h: V; \' E
ssh timeout 5
; c5 `7 Q( E9 \1 gconsole timeout 0
2 {+ k: h) }+ I% L# ?( S/ Sterminal width 80+ C" u" i5 A4 D9 D1 ^9 H* b; E/ s
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
" h0 i( @( k0 m4 @3 |9 I: end# X* T8 ?4 E! ^) N
pixfirewall# |