  1. #1

    PIX 506e installation


    Dear All Istoryans,

    Hope someone can help me with setting up a Cisco PIX firewall.

    ISP (202.124.141.19) DNS
    |
    RCST Router (202.124.141.73)
    |
    PIX Firewall (has 2 NIC)
    | |
    | ----- (202.124.141.74) - Outside
    __ (192.168.1.1) - Inside
    |
    |
    ISA2000 (with 3 NICs)
    | | |
    | | |
    | | ---- (192.168.1.2) Gateway: 192.168.1.1 DNS: 202.124.141.19
    | ---- (192.168.0.20) Gateway: Nil DNS: 192.168.0.1 (DC) -----
    ---- (10.10.1.100) WiFi Gateway: 202.124.141.74 |
    | DNS: 202.124.141.19 Switch
    |
    Switch

    From my ISA, I can't browse the internet or ping the DNS and the outside IP of my PIX. I don't know yet if there are any settings on the PIX that I need to set, like setting up rules to allow the port, etc., or whether I need to do NAT or routing. I also don't know if my configuration above is correct.

    Any idea? Thanks in advance...



  2. #2

    Re: PIX 506e installation

    mbvales, you need to specify rules on your PIX because by default everything is blocked on the less secured network (outside interface). Did you specify a default route on the PIX? You also need to do NAT on the PIX. If you can post your PIX configuration without the confidential information, maybe we could help you with this.

  3. #3

    Re: PIX 506e installation

    ACL?

  4. #4

    Re: PIX 506e installation

    Quote: Originally Posted by ridney
    mbvales, you need to specify rules on your PIX because by default everything is blocked on the less secured network (outside interface). Did you specify a default route on the PIX? You also need to do NAT on the PIX. If you can post your PIX configuration without the confidential information, maybe we could help you with this.

    No, I didn't specify any default route on the PIX; honestly, this is my first time setting up a PIX and I don't know where to start. I used PDM for easy GUI configuration, but I'm not sure if my diagram above is correct.

    Could you please tell me what I should do first on the PIX, considering the configuration given above, if there are no changes to it?

    For my PIX configuration, I didn't set anything; this is a new one with the default settings. Thanks a lot.

  5. #5

    Re: PIX 506e installation

    FYI - I use my ISA as proxy & firewall.
    I don't know what the basic steps are or which ports I need to open on the PIX. Help would be greatly appreciated.
    Many thanks.

  6. #6

    Re: PIX 506e installation

    Hi mbvales, here's what we are going to do. You need to console or telnet to the PIX from your terminal emulator, capture the configuration to a text file and post it here, and we'll start from there.

    Consoling the PIX:

    1. To console to the PIX, you need a console cable attached to your PC's COM port (DB-9) and the RJ-45 end to the console port of the PIX.

    2. From your PC, set the terminal emulator (hypertrm, teraterm or secureCRT) to 9600 bps, 8 data bits, None for parity, 1 stop bit.

    3. From the terminal, enter your username and password when prompted.

    4. Go to configuration mode:
    pix> enable
    password: (press enter if none)
    pix# config t
    pix(config)#

    5. Check your running configuration and the FOS version:
    pix(config)# sh run
    Press the space bar until all the configuration has been displayed.

    6. Copy the output and post it here so that we can start from where you are at.

    NOTE: You don't need to specify the public IP addresses on this message board, for security reasons; just modify the output with x.x.x.1, for example (modify your post and hide your public IP address).

    OR you can telnet to the inside interface (192.168.1.1) of your PIX and follow the same procedure as above.

    Since you already have a PIX firewall, you can off-load the ISA server from its firewall duties and use the PIX instead.

  7. #7

    Re: PIX 506e installation

    @mbvales:
    Maybe you can start with the running config as suggested by ridney.
    If this setup is related to your previous topic, will you still be channeling all traffic through the ISA for possible AV/malware protection? If not, then you can offload the ISA from the firewalling role as per ridney.

    @ridney, it seems the ISA server is still doing some NAT/PAT to the internal network. Can you confirm this, mbvales?

    192.168.1.x (ISA/PIX) <---> 192.168.0.x and 10.10.1.x (Internal)

  8. #8

    Re: PIX 506e installation

    Thanks Bro Ridney... Here's my PIX config, and don't worry about my public IP; that one is not my real one. Once this PIX is up, I will remove the firewall service on my ISA.

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password hbNy3ju8pQKZ0U57 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    clock timezone PKT 5
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 202.124.141.74 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.0.0 255.255.255.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username admin password *********
    vpdn enable outside
    vpdn enable inside
    dhcpd address 192.168.1.2-192.168.1.10 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username admin password AULMP2pyBpRZ4Zva encrypted privilege 15
    username mbvales password SHCeMeoGZJ.cTeqt encrypted privilege 15
    terminal width 80
    Cryptochecksum:2ba6dd89e3c363c0ffe9ee5a4da3c0a2
    : end

  9. #9

    Re: PIX 506e installation

    Bro Tamblot,

    Yeah, this is still related to my previous topic about designing my network diagram, and now I'm about to configure the PIX to integrate with my current setup. I use my ISA to do routing for my internal network. Thanks

  10. #10

    Re: PIX 506e installation

    mbvales, add a default route pointing to 202.124.141.73 (the RCST router) and static routes for return traffic to your local subnets.

    pix(config)# route outside 0.0.0.0 0.0.0.0 202.124.141.73
    pix(config)# route inside 192.168.0.0 255.255.255.0 192.168.1.2

    Don't you want your WiFi traffic to pass the firewall? If you do, just add a static route also pointing to the ISA server. Once you can access the internet, transfer all your policies to the PIX from the ISA server (opening/closing ports).

    Please also try to confirm Tamblot's suggestion on the ISA server doing PAT. The PIX is already doing this, based on your configuration output.

    Let me know if this helps.
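
Added example (not part of any post in this thread, and not Cisco tooling): a Python check that reads the addressing, NAT and route lines of the config posted in #8 and lists what is missing for inside hosts to reach the internet, before and after the two route commands from #10. The function names and the /24 mask for the 10.10.1.x WiFi network are assumptions.

```python
import ipaddress

# Constructed sample: routing/NAT lines copied from the config in post #8.
POSTED_CONFIG = """\
ip address outside 202.124.141.74 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
# The two route commands suggested in post #10.
SUGGESTED_ROUTES = """\
route outside 0.0.0.0 0.0.0.0 202.124.141.73
route inside 192.168.0.0 255.255.255.0 192.168.1.2
"""
# Subnets behind the ISA server per the diagram in post #1 (/24 masks assumed).
INTERNAL_SUBNETS = ["192.168.0.0/24", "10.10.1.0/24"]

def net(addr, mask):
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")  # dotted mask -> /n
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse(config):
    """Return ([(network, interface, next_hop)], {"nat": ids, "global": ids})."""
    table, ids = [], {"nat": set(), "global": set()}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) == 5:
            table.append((net(t[3], t[4]), t[2], "connected"))
        elif t[:1] == ["route"] and len(t) >= 5:
            table.append((net(t[2], t[3]), t[1], t[4]))
        elif t and t[0] in ids and len(t) >= 3:
            ids[t[0]].add(t[2])  # NAT id that ties nat (...) to global (...)
    return table, ids

def audit(config, internal=INTERNAL_SUBNETS):
    """List gaps: default route, inside routes for return traffic, nat/global pair."""
    table, ids = parse(config)
    findings = []
    if not any(n.prefixlen == 0 and ifc == "outside" for n, ifc, _ in table):
        findings.append("no default route on outside")
    for subnet in map(ipaddress.ip_network, internal):
        if not any(ifc == "inside" and subnet.subnet_of(n) for n, ifc, _ in table):
            findings.append(f"no inside route for {subnet}")
    if not ids["nat"] & ids["global"]:
        findings.append("no matching nat/global pair")
    return findings

if __name__ == "__main__":
    print(audit(POSTED_CONFIG), audit(POSTED_CONFIG + SUGGESTED_ROUTES), sep="\n")
```

The one finding left after the two routes are applied is the 10.10.1.x WiFi network, which post #10 says still needs a static route pointing to the ISA server.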
