Sample Security Appliance Configuration

Examples 6-15 and 6-16 show sample show config output for a Security Appliance in routed mode and in transparent mode, respectively. They include some of the commands discussed in this chapter.
Example 6-15 Sample PIX Configuration in Routed Mode
pix# show config
: Saved
: Written by deguc at 11:29:39.859 EDT Fri Aug 8 2005
PIX Version 7.0(4)
interface Ethernet 0
nameif outside
security-level 0
speed 100
duplex full
ip address 192.168.1.1 255.255.255.224
interface Ethernet 1
nameif inside
security-level 100
speed 100
duplex full
interface Ethernet 2
nameif dmz
security-level 20
speed 100
duplex full
enable password GgtfiV2tiXAndr3w encrypted
passwd kP3Eex5gnkza7.lan encrypted
hostname pix
domain-name axum.com
clock timezone EST -5
clock summer-time EDT recurring
class-map ips_class
match access-list IPS
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect sunrpc
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect tftp
inspect xdmcp
inspect icmp
class ips_class
ips promiscuous fail-close
service-policy global_policy global
access-list IPS permit ip any any
pager lines 24
no logging on
ip audit info action alarm
ip audit attack action alarm
no failover
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.14 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public

Example 6-16 Sample PIX Configuration in Transparent Mode
pix# show config
: Saved
: Written by deguc at 11:49:39.859 EDT Fri Aug 8 2005
PIX Version 7.0(4)
interface Ethernet 0
nameif outside
security-level 0
speed 100
duplex full
interface Ethernet 1
nameif inside
security-level 100
speed 100
duplex full
interface Ethernet 2
speed 100
duplex full
shutdown
enable password GgtfiV2tiXAndr3w encrypted
passwd kP3Eex5gnkza7.lan encrypted
firewall transparent
hostname pix
domain-name axum.com
clock timezone EST -5
clock summer-time EDT recurring
ip address 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
telnet 10.10.10.14 255.255.255.255 inside
arp outside 198.168.1.1 0009.7cbe.2100
arp-inspection outside enable
access-list ACLIN permit icmp 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ETHER ethertype permit ipx
access-group ETHER in interface inside
access-group ETHER in interface outside
access-group ACLIN in interface inside
access-group ACLIN in interface outside
pager lines 24
no logging on
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
Cryptochecksum:62a73076955b1060644fdba1da64b15f
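The two listings above are the book's sample configurations. What follows is an added example, not code from the book or from Cisco: a small Python script that reads a PIX/ASA-style show config dump in exactly this format and reports two kinds of things a reviewer checks by eye in a listing like Example 6-15: whether every class and access-list that the policy-map, class-map and access-group commands refer to is actually defined, and whether a few settings visible in the samples (logging turned off, a well-known SNMP community string, cleartext telnet management access) are present. The two configurations embedded in the script are constructed, abbreviated excerpts modelled on Examples 6-15 and 6-16; the routed excerpt deliberately spells the IPS class one way in its class-map and another way under the policy-map so that the reference check has something to report.

```python
"""Consistency and weak-setting checks for a PIX/ASA-style 'show config' dump.

Added example, not code from the book or from Cisco. The two configurations
below are constructed, abbreviated excerpts modelled on Examples 6-15 and
6-16; the routed one deliberately contains a class-map/policy-map name
mismatch (ips_class vs ips-class) so the reference check has a finding.
"""

# Constructed excerpt in the style of Example 6-15 (routed mode).
ROUTED_CONFIG = """\
PIX Version 7.0(4)
hostname pix
class-map ips_class
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
 class ips-class
  ips promiscuous fail-close
service-policy global_policy global
access-list IPS permit ip any any
no logging on
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
http server enable
http 10.10.10.14 255.255.255.255 inside
snmp-server community public
"""

# Constructed excerpt in the style of Example 6-16 (transparent mode).
TRANSPARENT_CONFIG = """\
PIX Version 7.0(4)
firewall transparent
hostname pix
ip address 192.168.1.1 255.255.255.0
telnet 10.10.10.14 255.255.255.255 inside
arp-inspection outside enable
access-list ACLIN permit icmp 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ETHER ethertype permit ipx
access-group ETHER in interface inside
access-group ACLIN in interface outside
no logging on
snmp-server community public
no snmp-server enable traps
telnet timeout 5
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}


def firewall_mode(config: str) -> str:
    """Routed unless the global 'firewall transparent' command is present."""
    for raw in config.splitlines():
        if raw.strip() == "firewall transparent":
            return "transparent"
    return "routed"


def lint(config: str) -> list[str]:
    """Return human-readable findings for one configuration dump.

    The parser keys on the first word(s) of each command rather than on
    indentation, because indentation is usually lost when a dump is copied
    out of a terminal, a ticket or a printed page.
    """
    findings: list[str] = []
    defined_classes: set[str] = set()
    referenced_classes: list[str] = []
    defined_acls: set[str] = set()
    referenced_acls: list[str] = []

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith((":", "!")):
            continue  # ': Saved' / ': Written by' comment lines
        words = line.split()
        head = words[0]

        # Referential structure: definitions and the commands that use them.
        if head == "class-map" and len(words) >= 2:
            defined_classes.add(words[1])
        elif head == "class" and len(words) >= 2:
            referenced_classes.append(words[1])  # only valid inside policy-map
        elif head == "access-list" and len(words) >= 2:
            defined_acls.add(words[1])
        elif words[:2] == ["match", "access-list"] and len(words) >= 3:
            referenced_acls.append(words[2])
        elif head == "access-group" and len(words) >= 2:
            referenced_acls.append(words[1])

        # Settings a reviewer wants called out explicitly.
        elif line == "no logging on":
            findings.append("logging is disabled ('no logging on'); no syslog trail")
        elif words[:2] == ["snmp-server", "community"] and len(words) >= 3:
            if words[2] in WELL_KNOWN_COMMUNITIES:
                findings.append(f"SNMP community '{words[2]}' is a well-known default")
        elif head == "telnet" and len(words) == 4:  # 'telnet <ip> <mask> <ifname>'
            findings.append(
                f"cleartext telnet management allowed from {words[1]} on {words[3]}"
            )

    for name in referenced_classes:
        if name not in defined_classes:
            findings.append(f"policy-map uses class '{name}' but no class-map defines it")
    for name in sorted(set(referenced_acls)):
        if name not in defined_acls:
            findings.append(f"access-list '{name}' is referenced but never defined")
    return findings


if __name__ == "__main__":
    for label, cfg in (("routed", ROUTED_CONFIG), ("transparent", TRANSPARENT_CONFIG)):
        print(f"== {label} sample ({firewall_mode(cfg)} mode) ==")
        for finding in lint(cfg) or ["no findings"]:
            print(" -", finding)
```

Run as a script it prints the findings for both embedded samples; to check a captured dump from a real device, pass the file contents to `lint()`. The checks key on command keywords rather than indentation on purpose, so the same parser works on a listing pasted from a book page, where leading spaces are gone, as on a fresh terminal capture.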