1>Connect the PIX515E to any PC’s com port using the supplied console cable.
2>Start Hyper terminal program using default settings for the selected com port. Ensure the status window as “connected” at the bottom left hand corner.
3>Boot the firewall by switching it off and on (incase it is on).
4>Allow the boot process to complete to bring the command prompt.
5>type “enable” to log into the firewall.
6>Enter the password previously set.(factory configuration is blank so pls press enter to proceed)
7>After entering the password, the password enters configuration mode(#).
8>As the firewall will be configured through hyper terminal, type “config t”
9>Enter the following commands as shown below in the configuration mode.
10>The commands shown below are space specific. Maintain exact syntax for the command to get applied without error.
11>Successful application of command returns no character on the succeeding line.
Inside PC to be accessed=172.16.0.51 1=Inside Port of Firewall=172.16.0.241 (Experion Server) 255.255.248.0 255.255.248.0 Outside PC access required=192.168.0.15 0=Outside Port of Firewall=192.168.0.11 (Third Party PC) 255.255.0.0 255.255.0.0
interface Command interface hardware_ id hardware_speed interface ethernet0 100full interface ethernet1 100full This command sets the speed for the interface. In the example speed has been set to 100Mbps Full Duplex.
nameif command
nameif hardware_id if_name security_level
nameif ethernet0 outside security0
nameif ethernet1 inside security100
This command configures the security levels for your pix. By default, the interfaces have their hardware ID. Ethernet 0 is the outside interface, and Ethernet 1 is the inside interface. The outside and inside interfaces are named by default and have default security values of 0 and 100.
0 means the least secured interface which is the outside WAN and 100 means the most secured interface which is LAN.
Ip address command
Ip address if_name ip_address [netmask]
Ip address inside 172.16.0.241 255.255.255.0
Ip address outside 192.168.0.11 255.255.0.0
This command specifies the ip addresses for the inside and the outside ports respectively. Inside port is on the LAN side which is the most secured interface and the outside port is the WAN side which is the least secured interface.
Static NAT(Network Address Translation) command.
static (inside,outside) 192.168.0.51 172.16.0.51 netmask 255.255.255.255 0 0
Outside Dumy IP Inside PC IP to be accessed
In Out
172.16.0.51 192.168.0.51
As the above syntax exemplifies, the ip address of the web server (172.16.0.51) is getting converted into 192.168.0.51.The netmask as specified 255.255.255.255 means we are pointing at a host, else if it is 255.255.255.0 means we are pointing at a network. With this the original IP address of the web server is hidden. For applying the command follow the same syntax with equal spaces.
Setting accesslists for data transfer
Access list for outside interface(outbound to inbound traffic direction)
access-list acl_out permit tcp any any access-list acl_out permit icmp any any access-list acl_out permit tcp any host 172.16.12.18 eq www (Outside Dumy IP)
Access list for inside interface(inbound to outbound traffic direction)
access-list acl_in permit tcp any any access-list acl_in permit icmp any any access-list acl_in permit tcp 172.16.0.51 255.255.255.255 any eq www (Inside PC IP) OR ( One of the command should run successfully ) access-list acl_in permit tcp 172.16.0.51 255.255.255.0 any eq www (Inside PC IP) The above command sets the permission for the data transfer from WAN port to LAN port which hosts the web server. “acl_out” is the identification given to the new access-list. Permit or deny can be one of the commands to permit data transfer. “tcp” is the protocol for data transfer. First “any” is any host on the inside interface (LAN) port and second “any” is any host on the outside interface. If data transfer has to be permitted from outside specific host to inside “any” network then see the third example in “access list for outside interface”. For web access tcp port (80) is enabled. For the ping command to operate “icmp” is enabled. In the similar fashion, for the setting access-list for the inside interface see the examples given in “access list for inside interface” .
Access groups
access-group acl_out in interface outside access-group acl_in in interface inside
For activating the access-lists created, one has to give access-group command which enables the access-lists on the specific interfaces. In the above example “acl_out” is enabled on the outside interface i.e WAN port and “acl_in” is enabled on the inside interface i.e LAN port.
Writing the configuration to flash
write memory
In the configuration mode itself type the following command which writes the configuration to the flash memory of firewall.
With this firewall is configured
Settings to be made at eserver ( Experion server )side:
From the network connections window open TCP/IP properties, in the default gatway pls enter firewall’s Inside port ip address-172.16.0.241
Update the host file with 192.168.0.15 TESTPC
Settings to be made at client PC/Third Party side: From the network connections window open TCP/IP properties, in the default gatway pls enter firewall’s Outside port ip address-192.168.0.11 Update the host file with 192.168.0.51 ESERVER (in this case 192.168.0.51 is the dummy ip address for eserver)
After this type http://172.16.12.18/eserver in URL of client computer for ESERVER
Erasing the flash
write erase
In the configuration mode type the following command to erase all the configuration stored in flash. Switch off the firewall and on again for the boot process to begin. After this erase, the firewall prompts for reconfiguration for the following: Host name,Domain name, password ,inside,outside interface ip addresses and ip address of the host which will be supporting PDM (PIX Device manager,a internet explorer based interface for programming firewall).
Removing the applied commands
With reference to all the commands shown in the procedure e.g access-list ,static a “no” before any of the commands removes the applied command from the firewall. For example
no static (inside,outside) 192.168.0.51 172.16.0.51 netmask 255.255.255.255 0 0
In the above example no is applied to remove the static NAT(Network Address Translation) applied. After any change is made in the command ensure at the end to type “write memory” to write the configuration to flash.
Viewing the configuration
Type sho run to view the running configuration Type sho xlate to view the translation tables.(These are generated by the firewall when any host on the WAN calls a web server’s(located on LAN) ip address in the URL. In the above example the ip address of web server 172.16.0.51 is translated to 172.16.12.18. After typing http://172.16.12.18/eserver in URL, run xlate in hyper terminal to view the following “domain 172.16.12.18 local 172.16.0.51” Type sho ip to view the addresses of the outside and inside interfaces. Type sho access-list to view the access-list configured
From external PC ------> Ping192.168.0.11 —ok (Third Part) Ping192.168.0.51 —ok From internal PC -------> Ping172.16.0.241 —ok (Experion) Ping192.168.0.15 —ok
Netstat –a To check which port are open Arp –a which nodes accessing.
Refer the practical running configuration below for reference
PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto shutdown nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 intf2 security4 enable password K2e34OFITEn5cvo9 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname Cisco.pix domain-name cisco.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 <— More —>fixup protocol tftp 69 names access-list acl_out permit icmp any any access-list acl_out permit tcp any any access-list acl_out permit udp any any access-list acl_out permit ip any any pager lines 24 mtu outside 1500 mtu inside 1500 mtu intf2 1500 ip address outside 192.168.0.11 255.255.0.0 ip address inside 172.16.0.241 255.255.248.0 no ip address intf2 ip audit info action alarm ip audit attack action alarm pdm location 200.0.0.50 255.255.255.255 inside pdm location 172.16.0.51 255.255.255.255 inside pdm history enable arp timeout 14400 static (inside,outside) 192.168.0.51 172.16.0.51 netmask 255.255.255.255 0 0 access-group acl_out in interface outside timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 200.0.0.50 255.255.255.255 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksum:a397a072a0aa6c111ee76c1079998def : end Cisco.pix(config)#