pixfirewall# show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

!--- Do not use Network Address Translation (NAT) for inside-to-pool
!--- traffic. This should not go through NAT.

access-list 101 permit ip 10.89.129.128 255.255.255.240 10.89.129.192 255.255.255.240

!--- Permits Internet Control Message Protocol (ICMP),
!--- Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
!--- traffic from any host on the Internet (non-VPN) to the web server.

access-list 120 permit icmp any host 10.89.129.131
access-list 120 permit tcp any host 10.89.129.131
access-list 120 permit udp any host 10.89.129.131
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.89.129.194 255.255.255.240
ip audit info action alarm
ip audit attack action alarm

!--- Specifies the inside IP address range to be assigned
!--- to the VPN Clients.

ip local pool VPNpool 10.89.129.200-10.89.129.204
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400

!--- Defines a pool of global addresses to be used by NAT.

global (outside) 1 192.168.1.6-192.168.1.10

nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Specifies which outside IP address to apply to the web server.

static (inside,outside) 192.168.1.11 10.89.129.131 netmask 255.255.255.255 0 0

!--- Apply ACL 120 to the outside interface in the inbound direction.

access-group 120 in interface outside

!--- Defines a default route for the PIX.

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

!--- Defines a route for traffic within the PIX's
!--- subnet to reach other inside hosts.

route inside 10.89.129.128 255.255.255.128 10.89.129.193 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

!--- Authentication, authorization, and accounting (AAA)
!--- statements for authentication. Method AuthInbound uses TACACS+.

aaa-server AuthInbound protocol tacacs+

!--- Specify the TACACS+ server and key.

aaa-server AuthInbound (inside) host 10.89.129.134 <deleted> timeout 10

!--- Authenticate HTTP, FTP, and Telnet traffic to the web server.

aaa authentication include http outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include ftp outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound
aaa authentication include telnet outside 10.89.129.131 255.255.255.255 0.0.0.0 0.0.0.0 AuthInbound

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Trust IPSec traffic and avoid going through ACLs/NAT.

sysopt connection permit-ipsec

!--- IPSec and dynamic map configuration.

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Assign IP address for VPN 1.1 Clients.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

!--- Use the AAA server for authentication (AuthInbound).

crypto map mymap client authentication AuthInbound

!--- Apply the IPSec/AAA/ISAKMP configuration to the outside interface.

crypto map mymap interface outside
isakmp enable outside

!--- Pre-shared key for VPN 1.1 Clients.

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address

!--- Assign address from "VPNpool" pool for VPN 1.1 Clients.

isakmp client configuration address-pool local VPNpool outside

!--- ISAKMP configuration for VPN Client 3.x/4.x.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- ISAKMP configuration for VPN Client 1.x.

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Assign addresses from "VPNpool" for VPN Client 3.x/4.x.

vpngroup vpn3000 address-pool VPNpool
vpngroup vpn3000 idle-time 1800

!--- Group password for VPN Client 3.x/4.x (not shown in configuration).

vpngroup vpn3000 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:ba54c063d94989cbd79076955dbfeefc
: end
pixfirewall#