Cisco PIX 520

Setup

  1. Connect a console terminal to the firewall and hit Enter: the PIX should display the default "pixfirewall>" prompt.
  2. Switch to privileged mode: enable <Enter>, and password = (MIS: See field below)
  3. Switch to configuration mode: configure terminal <Enter>
  4. Check the NICs' default names and security levels with show nameif. Use the nameif command to change them.
  5. Assign IP addresses to the outside NIC (by default, ethernet0) and the inside NIC (by default, ethernet1), e.g. ip address inside 172.20.1.1 255.255.0.0 and ip address outside 100.100.100.125 255.255.255.0. Use show ip to check your settings.
  6. nat (inside) 1 0 0 to enable NAT and allow any inside host to use it.
  7. Set up a pool of public addresses to be used for NAT, plus one address used last, in case the pool is empty. The 1 following (outside) is the NAT ID and must match the one used in the nat (inside) command above:
     global (outside) 1 100.100.100.126 netmask 255.255.255.0
     global (outside) 1 100.100.100.127-100.100.100.129 netmask 255.255.255.0
  8. To force a mapping between a specific private address and a specific public address, use the static and conduit commands:
     static (inside,outside) 100.100.100.129 172.20.1.2 netmask 255.255.255.255
     conduit deny tcp host 100.100.100.129 any any
  9. Create a default route: route outside 0 0 100.100.100.254 1, where 100.100.100.254 is the address of the router that connects the whole LAN to the Internet.
  10. Permit PING access with conduit permit icmp any any
  11. Store the configuration in Flash memory and reboot: write memory <Enter>, reload <Enter>, y <Enter>

Sample configuration

# wr t
 
Building configuration...
: Saved
:
PIX Version 5.0(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password oKroi3K/PjdKC0cb encrypted
passwd Qsk.IjEXMTnDdvO0 encrypted
hostname mypix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 100.100.100.253 255.255.255.0
ip address inside 172.20.1.253 255.255.0.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14
global (outside) 1 100.100.100.20-100.100.100.250 netmask 255.255.255.0
nat (inside) 0 200.200.200.0 255.255.255.0 0 0
nat (inside) 1 172.20.0.0 255.255.0.0 0 0
static (inside,outside) 100.100.100.3 172.20.1.125 netmask 255.255.255.255 0 0
static (inside,outside) 100.100.100.4 172.20.1.102 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 100.100.100.3 eq domain any
conduit permit udp host 100.100.100.3 eq domain any
conduit permit tcp host 100.100.100.3 gt 1023 any
conduit permit udp host 100.100.100.3 gt 1023 any
conduit permit tcp host 100.100.100.4 eq 6101 host 100.100.100.1
conduit permit tcp host 100.100.100.4 eq 6101 host 100.100.100.2
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
route inside 0.0.0.0 0.0.0.0 172.20.1.254 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 172.20.1.99 255.255.255.255 inside
telnet timeout 5
terminal width 80
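A small audit script, added here as an example (it is not from the page or from Cisco): it checks a PIX-style configuration text for the NAT-ID/global mismatch that the setup steps warn about, and flags the weak settings visible in the sample configuration above (well-known SNMP community, every logging destination disabled, ICMP permitted from any source, cleartext telnet management). The embedded configuration is constructed, modelled on the sample with the same documentation-style addresses, plus an extra nat ID that deliberately has no global pool.

```python
import re

# Constructed sample modelled on the page's configuration; 'nat (inside) 2' has no matching global pool on purpose.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
no logging buffered
no logging trap
global (outside) 1 100.100.100.20-100.100.100.250 netmask 255.255.255.0
nat (inside) 0 200.200.200.0 255.255.255.0 0 0
nat (inside) 1 172.20.0.0 255.255.0.0 0 0
nat (inside) 2 10.0.0.0 255.0.0.0 0 0
conduit permit icmp any any
snmp-server community public
telnet 172.20.1.99 255.255.255.255 inside
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
LOG_DESTS = ("buffered", "trap", "console", "monitor")


def audit_pix_config(config: str) -> list[str]:
    """Return human-readable findings for a PIX 5.x-style running configuration."""
    findings = []
    nat_ids = {}          # NAT ID -> interface; ID 0 means 'no translation', so it is skipped
    global_ids = set()    # NAT IDs that have at least one global pool or PAT address
    logging_enabled = False
    for ln in (l.strip() for l in config.splitlines()):
        if not ln or ln.startswith(":"):      # skip blanks and ': Saved' comment lines
            continue
        words = ln.split()
        if m := NAT_RE.match(ln):
            if m.group(2) != "0":
                nat_ids[m.group(2)] = m.group(1)
        elif m := GLOBAL_RE.match(ln):
            global_ids.add(m.group(2))
        elif words[0] == "logging" and len(words) > 1 and words[1] in LOG_DESTS:
            logging_enabled = True            # 'no logging ...' lines start with 'no' and never match here
        elif ln == "conduit permit icmp any any":
            findings.append("ICMP permitted from any outside source to any global address")
        elif ln.startswith("snmp-server community ") and words[2] in ("public", "private"):
            findings.append(f"well-known SNMP community string '{words[2]}'")
        elif words[0] == "telnet" and len(words) > 1 and words[1] != "timeout":
            findings.append(f"cleartext telnet management enabled: {ln}")
    for nat_id, ifname in sorted(nat_ids.items()):
        if nat_id not in global_ids:
            findings.append(f"nat ({ifname}) {nat_id} has no matching global pool, so its hosts cannot be translated")
    if not logging_enabled:
        findings.append("no logging destination enabled (buffered, trap, console or monitor)")
    return findings
```

Paste the output of wr t into a file and call audit_pix_config on its contents; the ': Saved' header lines are ignored.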

Upgrading the PIX firmware

When you get the firmware file, normally named in the form pixX.bin, use the DOS-based application RAWRITE.EXE to copy the new firmware onto a floppy, insert the floppy in the PIX, connect a serial cable between the PIX and a PC acting as console, reboot the PIX, and follow the on-screen instructions.