Pix Firewall Configuration 360! WOW


by Jeremy Cioara CBT Nuggets Cisco Instructor – way cool Cisco blog! Make it your favorite! I have been looking all over for a pix config like Jeremy’s man is he cool! clear and concise! Check it out.

Everyone needs a good, basic PIX Firewall configuration on-hand from time to time. Here is one I set up for a client that does the following:

1. NAT overload from an inside network to an outside network
2. Accept incoming PPTP VPN connections from ouside clients
3. Turns on the web-based GUI on the PIX
: Saved
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
:These two lines activate the outside (Ethernet0) and inside (Ethernet1) interfaces
nameif ethernet0 outside security0
nameif ethernet1 inside security100
:These two lines assign names to the interfaces
enable password —— encrypted
:Sets the password for privileged mode
passwd ——– encrypted
:Sets the telnet password
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
:Fixup protocols allow advanced applications to work through NAT. All the above fixup protocol configuration is in the PIX by default.
access-list 101 permit ip
access-list 102 permit icmp any any
access-list 102 permit ip
access-list 103 permit ip any any
:Same access-list syntax as a router. These are used below.
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x
:Sets the outside interface IP address
ip address inside
:Sets the inside interface IP address
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool
:Defines a local DHCP pool of addresses for the PIX to give to incoming PPTP VPN clients
pdm logging informational 100
pdm history enable
:This tracks access to the PDM (the web-based GUI) built-in to the PIX
arp timeout 14400
global (outside) 1 interface
:This is a HUGE command. It turns on NAT translation for all addresses matching NAT rule 1 (shown below) to be translated through the outside interface (to the Internet, in this case)
nat (inside) 0 access-list 101
:This creates NAT rule 0 which tells NAT not to translate addresses that are defined in access list 101 (shown above). This keeps NAT from translating any communication between internal clients ( and VPN clients (
nat (inside) 1 0 0
:This creates NAT rule 1 which matches ALL addresses coming from the inside interface
conduit permit icmp any any
:Conduits are the old form of access-lists. This one permits all ICMP messages to the PIX
route outside x.x.x.x
:Sets a default route to the ISP router (represented with x.x.x.x)
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
:Turns on the HTTP interface to the PIX, but only allows internal users ( to access it. This enables the PDM (the web-based GUI) on the PIX
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
:Also a very huge command. This allows PPTP connections to the PIX firewall without the need for an access-list permitting PPTP. You can also use commands like sysopt connection permit-ipsec to permit IPSEC VPN connections
telnet inside
:Allows telnet access to the PIX only from the internal subnet
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
:Allows PIX to accept PPTP connections
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
:Allows PPTP users to authenticate using any of the above methods (listed from weakest to strongest)
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
:Points the PIX to hand out IP addresses to incoming VPN clients from the DHCP pool called “pptp-pool” (shown above in the config)
vpdn group 1 client configuration dns
vpdn group 1 client configuration wins
:Points the VPN clients to the right DNS and WINS server addresses
vpdn group 1 pptp echo 60
:Sends an “echo” (kinda like a keepalive) once every 60 seconds. If a response is not heard, VPN is torn down
vpdn group 1 client authentication local
:Authenticates VPN users using a local user database (shown below)
vpdn username jonesr password *********
vpdn username cepa password *********
vpdn username bob password *********
:Three VPN users allowed to connect
vpdn enable outside
:Turns on VPN connectivity on the outside interface
dhcpd lease 3600
dhcpd ping_timeout 750
username cisco password ——– encrypted privilege 15
:If I telnet with this username/password, I go straight to privileged mode
terminal width 80
: end





2 Responses to “Pix Firewall Configuration 360! WOW”

  1. Hi,

    Very informative post.firstly saying thanks…

    I have an issue with PIX 501,which is having only 50 outside (internet ) access.It is acting like ,if one system is inactive for some time its IP getting realeased from the PIX table and some other system able to access internet.

    Issue is with the production servers,those should have internet access always,but some time its IP getting released and internet access denied .

    So kindly give me a solution for this issue..

    waiting for your reply.,if it is mail that will be really great .thanks again.

    • dude make another DHCP server. dont use the pix as a DHCP server. make it a firewall only
      inspection and work the basics, saved you configs to a tftp server when you play with it.
      I have and ASA. I went to asa cause i thought pix ssucked hahaah i had a pix 501 7.0. it just sucked
      but what I have learned from firewalls. is that is all they are a firewall. use other devices as DHCP servers
      and tftp server and dns server ect…and look on net t here are many site with the configs but pix is old school sorry not much help . i love my asa ;)found it on ebay for 300.00 bucks a steel 😉 keep looking for and asa 5505 on ebay daily till you find one you wont be sorry ios is like the router ios nice..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: