Cisco PIX 515E config

dklewe · 03-02-2009, 05:42 PM

I'm having some troubles setting up a new firewall. (I'm new to firewalls)I've got the unit up with configured IP addresses on inside and outside. Downloaded and installed ASDM software. I can't seem to get it to pass traffic.
The unit is being used to secure one network from the rest of our company network.
Inside interface is 10.50.241.1/24
The PIX will be the gateway on this network.
Outside interface is 10.48.16.2/20
Gateway on the outside network is a Cisco 6500 MSFC 10.48.16.10 which connects to the rest of the company.

Thanks, Dave

I have included a show run:

PIX Version 7.2(2)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 10.48.0.0 GAC
name 10.48.16.0 Plant
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.48.16.2 255.255.240.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.50.241.1 255.255.255.0
!
interface Ethernet2
shutdown
nameif intf2
security-level 4
no ip address
!
passwd 0aywtm/YUv1U3jNB encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list ping_acl extended permit icmp Plant 255.255.240.0 any
access-list outside_access_in extended permit icmp Plant 255.255.240.0 10.50.241.0 255.255.255.0
access-list outside_access_in extended permit icmp GAC 255.255.240.0 10.50.241.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 10.50.241.0 255.255.255.0
access-group ping_acl in interface outside
route outside 0.0.0.0 0.0.0.0 10.48.16.10 1
!
router rip
network 10.0.0.0
version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.50.241.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet Plant 255.255.240.0 outside
telnet GAC 255.255.240.0 outside
telnet 10.50.241.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
dhcpd dns 10.50.1.46 171.74.105.58
dhcpd wins 171.74.162.21 171.74.105.58
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 10.50.241.101-10.50.241.199 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d8ad1ad3a52aec150a71ccd959a2681a
: end
asdm image flash:/asdm-524.bin
asdm location GAC 255.255.240.0 inside
asdm history enable

03-02-2009, 05:42 PM	#1 (permalink)
dklewe Registered User Join Date: Mar 2009 Posts: 1 OS: xp	Cisco PIX 515E config I'm having some troubles setting up a new firewall. (I'm new to firewalls)I've got the unit up with configured IP addresses on inside and outside. Downloaded and installed ASDM software. I can't seem to get it to pass traffic. The unit is being used to secure one network from the rest of our company network. Inside interface is 10.50.241.1/24 The PIX will be the gateway on this network. Outside interface is 10.48.16.2/20 Gateway on the outside network is a Cisco 6500 MSFC 10.48.16.10 which connects to the rest of the company. Thanks, Dave I have included a show run: PIX Version 7.2(2) ! hostname pixfirewall domain-name default.domain.invalid enable password 8Ry2YjIyt7RRXU24 encrypted names name 10.48.0.0 GAC name 10.48.16.0 Plant dns-guard ! interface Ethernet0 nameif outside security-level 0 ip address 10.48.16.2 255.255.240.0 ! interface Ethernet1 nameif inside security-level 100 ip address 10.50.241.1 255.255.255.0 ! interface Ethernet2 shutdown nameif intf2 security-level 4 no ip address ! passwd 0aywtm/YUv1U3jNB encrypted ftp mode passive dns server-group DefaultDNS domain-name default.domain.invalid same-security-traffic permit intra-interface object-group protocol TCPUDP protocol-object udp protocol-object tcp access-list ping_acl extended permit icmp Plant 255.255.240.0 any access-list outside_access_in extended permit icmp Plant 255.255.240.0 10.50.241.0 255.255.255.0 access-list outside_access_in extended permit icmp GAC 255.255.240.0 10.50.241.0 255.255.255.0 pager lines 24 logging asdm informational mtu outside 1500 mtu inside 1500 mtu intf2 1500 icmp unreachable rate-limit 1 burst-size 1 icmp permit any outside icmp permit any inside asdm image flash:/asdm-524.bin asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 10.50.241.0 255.255.255.0 access-group ping_acl in interface outside route outside 0.0.0.0 0.0.0.0 10.48.16.10 1 ! router rip network 10.0.0.0 version 2 ! timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius http server enable http 10.50.241.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public snmp-server enable traps snmp authentication linkup linkdown coldstart no sysopt connection permit-vpn telnet Plant 255.255.240.0 outside telnet GAC 255.255.240.0 outside telnet 10.50.241.0 255.255.255.0 inside telnet timeout 5 ssh timeout 5 ssh version 1 console timeout 0 dhcpd dns 10.50.1.46 171.74.105.58 dhcpd wins 171.74.162.21 171.74.105.58 dhcpd ping_timeout 750 dhcpd auto_config outside ! dhcpd address 10.50.241.101-10.50.241.199 inside dhcpd enable inside ! ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns migrated_dns_map_1 inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global prompt hostname context Cryptochecksum:d8ad1ad3a52aec150a71ccd959a2681a : end asdm image flash:/asdm-524.bin asdm location GAC 255.255.240.0 inside asdm history enable