Sample of Cisco PIX 515E Configuration
8/2/2019 Sample of Cisco PIX 515E Configuration
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
hostname CHICAGOTECH
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.254.0.4 OWA
name 10.0.0.3 MAIL
name 10.0.0.19 DATA
name 10.0.0.29 DC
name 10.0.0.28 001109
name 10.0.0.25 Bob
name 10.0.0.7 Runit
name 10.0.2.57 001288
object-group service TCP-DCs tcp
port-object eq ldaps
port-object eq 3268
port-object eq ldap
port-object eq domain
port-object eq 88
port-object eq 135
port-object range 137 netbios-ssn
port-object range 1024 65535
port-object eq 445
object-group service TCP-Mail tcp
port-object eq 691
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 135
port-object eq 445
port-object eq ftp
object-group service UDP-DCs udp
port-object eq 389
port-object eq domain
port-object eq 88
port-object eq 135
port-object range netbios-ns 139
port-object range 1024 65535
object-group network DCs_ref
network-object DATA 255.255.255.255
network-object DC 255.255.255.255
object-group network DCs
network-object DATA 255.255.255.255
network-object DC 255.255.255.255
object-group network DCs_ref_1
network-object DATA 255.255.255.255
network-object DC 255.255.255.255
object-group service OWA_Ports tcp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq pop3
object-group service TCP_OWA_DCs tcp
port-object range 1024 65535
port-object eq domain
port-object eq ldap
port-object eq 135
port-object eq 88
port-object eq 3268
object-group service UDP_OWA_DCs udp
port-object eq domain
port-object eq 88
port-object eq 389
object-group service TCP_OWA_MAIL tcp
port-object eq www
port-object eq 691
port-object eq ftp
port-object eq https
port-object eq smtp
object-group service TCP_OWA_INSIDE tcp
port-object eq www
port-object eq ftp
port-object eq pop3
port-object eq https
port-object eq 123
port-object eq smtp
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host x.x.x.195 object-group OWA_Ports
access-list outside_access_in permit tcp any host x.x.x.202 eq pcanywhere-data
access-list outside_access_in deny udp any host x.x.x.197 eq isakmp log
access-list outside_access_in deny ah any host x.x.x.197
access-list outside_access_in deny esp any host x.x.x.197
access-list outside_access_in deny udp any host x.x.x.197 eq 4500
access-list outside_access_in deny udp any host x.x.x.202 eq isakmp
access-list outside_access_in deny ah any host x.x.x.204
access-list outside_access_in deny esp any host x.x.x.202
access-list outside_access_in deny tcp any host x.x.x.204 eq 3389
access-list outside_access_in permit tcp any host x.x.x.205 eq pcanywhere-data
access-list DMZ_access_in permit tcp host OWA object-group DCs_ref_1 object-group TCP_OWA_DCs
access-list DMZ_access_in permit udp host OWA object-group DCs_ref_1 object-group UDP_OWA_DCs
access-list DMZ_access_in permit icmp host OWA object-group DCs_ref_1
access-list DMZ_access_in permit tcp host OWA host MAIL object-group TCP_OWA_MAIL
access-list DMZ_access_in permit tcp host OWA any object-group TCP_OWA_INSIDE
access-list DMZ_access_in permit icmp host OWA any echo-reply
access-list DMZ_access_in permit icmp host OWA any unreachable
access-list DMZ_access_in permit icmp host OWA any time-exceeded
access-list VPN_splitTunnelAcl permit ip 10.0.0.0 255.255.0.0 any
access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.254.0 255.255.255.192
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside 10.0.1.29
logging host inside 10.0.0.11
logging host inside MAIL
logging host outside 192.168.254.3
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside x.x.x.194 255.255.255.224
ip address inside 10.0.0.2 255.255.0.0
ip address DMZ 172.254.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool POOL 192.168.254.1-192.168.254.50
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
pdm location 172.16.100.0 255.255.255.0 inside
pdm location OWA 255.255.255.255 DMZ
pdm location 001109 255.255.255.255 inside
pdm location 10.0.1.29 255.255.255.255 inside
pdm location MAIL 255.255.255.255 inside
pdm location DATA 255.255.255.255 inside
pdm location DC 255.255.255.255 inside
pdm location Bob 255.255.255.255 inside
pdm location 10.0.0.11 255.255.255.255 inside
pdm location apps 255.255.255.255 inside
pdm location 192.168.254.3 255.255.255.255 outside
pdm location x.x.x.111 255.255.255.255 outside
pdm location 70.131.123.103 255.255.255.255 outside
pdm location 001288 255.255.255.255 inside
pdm group DCs inside
pdm group DCs_ref_1 DMZ reference DCs
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.222
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 OWA 255.255.255.255 0 0
static (inside,DMZ) 001109 001109 netmask 255.255.255.255 0 0
static (inside,DMZ) 172.16.100.0 172.16.100.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0
static (DMZ,outside) x.x.x.195 OWA netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.197 Bob netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.204 001109 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.202 001288 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.205 apps netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.199 10.0.0.11 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
route inside 172.16.100.0 255.255.255.0 10.0.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN address-pool POOL
vpngroup VPN dns-server DC DATA
vpngroup VPN wins-server DC DATA
vpngroup VPN default-domain chicgaobotanic.org
vpngroup VPN split-tunnel VPN_splitTunnelAcl
vpngroup VPN idle-time 1800
telnet x.x.x.103 255.255.255.255 outside
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0