Example 20-9 Atlanta PIX Firewall Configuration (Chapter 20: Case Study and Sample Configuration, section "What Is Wrong with This Picture?")
1. : Saved
2. :
3. PIX Version 7.0(2)
4. interface Ethernet 0
5. nameif outside
6. security-level 0
7. speed 100
8. duplex auto
9. ip address 10.10.3.1 255.255.255.0
10. interface Ethernet 1
11. nameif outside
12. security-level 100
13. speed 100
14. duplex auto
15. ip address 192.168.3.1 255.255.255.0
16. interface Ethernet 2
17. nameif outside
18. security-level 70
19. speed 100
20. duplex auto
21. ip address 172.16.3.1 255.255.255.0
22. enable password ksjfglkasglc encrypted
23. passwd kjngczftglkacytiur encrypted
24. hostname Atlanta
25. domain-name www.BranchVPN.com
26. class-map inspection_default
27. match default-inspection-traffic
28. policy-map global_policy
29. class inspection_default
30. inspect dns maximum-length 512
31. inspect ftp
32. inspect h323 h225
33. inspect h323 ras
34. inspect netbios
35. inspect sunrpc
36. inspect rsh
37. inspect rtsp
38. inspect sip
39. inspect skinny
40. inspect esmtp
41. inspect sqlnet
42. inspect tftp
43. inspect xdmcp
44. inspect icmp
45. service-policy global_policy global
46. access-list inbound permit icmp any host 192.168.3.10
47. access-list inbound permit tcp any host 192.168.3.10 eq www
48. access-list inbound permit tcp any host 192.168.3.10 eq 443
49. access-list DMZ permit udp 172.16.3.0 255.255.255.0 host 10.10.3.240 eq ntp
50. access-list VPN permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
51. access-list VPN permit ip 10.10.3.0 255.255.255.0 10.10.10.0 255.255.255.0
52. access-list LosAngeles permit ip 10.10.3.0 255.255.255.0 10.10.10.0 255.255.255.0
53. access-list Boston permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
54. pager lines 24
55. logging on
56. logging timestamp
57. arp timeout 14400
58. global (outside) 1 192.168.3.20-200
59. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
60. nat (inside) 0 access-list VPN
61. static (DMZ,outside) 192.168.3.10 172.16.3.10 netmask 255.255.255.255 0 0
62. access-group inbound in interface outside
63. access-group DMZ in interface DMZ
64. route outside 0.0.0.0 0.0.0.0 192.168.3.254 1
65. timeout xlate 3:00:00
66. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
67. timeout uauth 0:05:00 absolute
68. aaa-server TACACS+ protocol tacacs+
69. aaa-server RADIUS protocol radius
70. no snmp-server location
71. no snmp-server contact
72. snmp-server community public
73. no snmp-server enable traps
74. sysopt connection permit-ipsec
75. crypto ipsec transform-set BranchVPN esp-3des esp-md5-hmac
76. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
77. crypto map BranchVPN 10 ipsec-isakmp
78. crypto map BranchVPN 10 match address LosAngeles
79. crypto map BranchVPN 10 set peer 192.168.1.1
80. crypto map BranchVPN 10 set transform-set BranchVPN
81. crypto map BranchVPN 20 ipsec-isakmp
82. crypto map BranchVPN 20 match address Boston
83. crypto map BranchVPN 20 set peer 192.168.2.1
84. crypto map BranchVPN 20 set transform-set BranchVPN
85. crypto map BranchVPN interface DMZ
86. isakmp enable outside
87. isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
88. isakmp key ******** address 192.168.2.1 netmask 255.255.255.255
89. isakmp identity address
90. isakmp policy 20 authentication pre-share
91. isakmp policy 20 encryption 3des
92. isakmp policy 20 hash md5
93. isakmp policy 20 group 2
94. isakmp policy 20 lifetime 86400
95. terminal width 80
96. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5
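The exercise asks the reader to find the mistakes in this listing by eye. As an added example, not part of the book's chapter and not a Cisco tool, the following Python script lints an excerpt of the Atlanta configuration (the book's line numbers stripped, only the commands the linter reads kept) for the inconsistencies that can be checked mechanically: the same nameif assigned to more than one interface, nat/global/static/access-group/route commands that refer to an interface name no nameif defines, a crypto map applied to a different interface than the one isakmp is enabled on, and a well-known default SNMP community string. The function names, the data layout and the wording of the findings are the example's own.

```python
# Constructed input: an excerpt of the Atlanta configuration from Example 20-9,
# with the book's line numbers stripped and only the commands this linter reads kept.
ATLANTA_EXCERPT = """
interface Ethernet 0
nameif outside
security-level 0
ip address 10.10.3.1 255.255.255.0
interface Ethernet 1
nameif outside
security-level 100
ip address 192.168.3.1 255.255.255.0
interface Ethernet 2
nameif outside
security-level 70
ip address 172.16.3.1 255.255.255.0
snmp-server community public
global (outside) 1 192.168.3.20-200
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list VPN
static (DMZ,outside) 192.168.3.10 172.16.3.10 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.3.254 1
crypto map BranchVPN interface DMZ
isakmp enable outside
"""


def parse_config(text):
    """Collect interface names, the commands that refer to them, and the
    crypto/isakmp/SNMP settings the checks below need (hypothetical layout)."""
    cfg = {"interfaces": [], "refs": set(), "crypto_if": None,
           "isakmp_if": None, "snmp": []}
    cur = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        cmd = tok[0]
        if cmd == "interface":
            cur = {"interface": " ".join(tok[1:]), "nameif": None, "level": None}
            cfg["interfaces"].append(cur)
        elif cmd == "nameif" and cur is not None:
            cur["nameif"] = tok[1]
        elif cmd == "security-level" and cur is not None:
            cur["level"] = int(tok[1])
        elif cmd in ("global", "nat"):          # global (name) / nat (name)
            cfg["refs"].add((cmd, tok[1].strip("()")))
        elif cmd == "static":                   # static (real,mapped)
            for name in tok[1].strip("()").split(","):
                cfg["refs"].add((cmd, name))
        elif cmd == "access-group":             # ... in interface <name>
            cfg["refs"].add((cmd, tok[-1]))
        elif cmd == "route":                    # route <name> ...
            cfg["refs"].add((cmd, tok[1]))
        elif tok[:2] == ["crypto", "map"] and "interface" in tok:
            cfg["crypto_if"] = tok[tok.index("interface") + 1]
        elif tok[:2] == ["isakmp", "enable"]:
            cfg["isakmp_if"] = tok[2]
        elif tok[:2] == ["snmp-server", "community"]:
            cfg["snmp"].append(tok[2])
    return cfg


def lint(text):
    """Return a list of human-readable findings, empty when nothing is wrong."""
    cfg = parse_config(text)
    findings = []
    by_name = {}
    for intf in cfg["interfaces"]:
        by_name.setdefault(intf["nameif"], []).append(
            f"{intf['interface']} (security-level {intf['level']})")
    # Every nameif must be unique; duplicates make the security levels meaningless.
    for name, members in by_name.items():
        if name and len(members) > 1:
            findings.append(f"nameif '{name}' is assigned to {len(members)} interfaces: "
                            + ", ".join(members))
    # Every interface name used by nat/global/static/access-group/route must exist.
    for cmd, name in sorted(cfg["refs"]):
        if name not in by_name:
            findings.append(f"{cmd} refers to interface name '{name}', which no nameif defines")
    # The crypto map must sit on the interface where ISAKMP is enabled.
    if cfg["crypto_if"] and cfg["isakmp_if"] and cfg["crypto_if"] != cfg["isakmp_if"]:
        findings.append(f"crypto map is applied to '{cfg['crypto_if']}' but isakmp is "
                        f"enabled on '{cfg['isakmp_if']}'")
    for community in cfg["snmp"]:
        if community.lower() in ("public", "private"):
            findings.append(f"snmp-server community '{community}' is a well-known default")
    return findings


if __name__ == "__main__":
    for finding in lint(ATLANTA_EXCERPT):
        print("-", finding)
```

Run as a script it prints one line per finding. It catches only references that cannot resolve and settings that contradict each other; it does not replace working through the exercise, since it says nothing about whether, for example, the crypto ACLs, the NAT exemption list or the isakmp policy parameters are the ones the design intended.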