Example 20-10 Boston PIX Firewall Configuration (Chapter 20, "Case Study and Sample Configuration": What Is Wrong with This Picture?)
1. : Saved
2. :
3. PIX Version 7.0(2)
4. interface Ethernet 0
5. nameif outside
6. security-level 0
7. speed 100
8. duplex auto
9. ip address 192.168.2.1 255.255.255.0
10. interface Ethernet 1
11. nameif inside
12. security-level 100
13. speed 100
14. duplex auto
15. ip address 10.10.2.1 255.255.255.0
16. interface Ethernet 2
17. nameif dmz
18. security-level 70
19. speed 100
20. duplex auto
21. ip address 172.16.2.1 255.255.255.0
22. enable password ksjfglkasglc encrypted
23. passwd kjngczftglkacytiur encrypted
24. hostname Boston
25. domain-name www.BranchVPN.com
26. class-map inspection_default
27. match default-inspection-traffic
28. policy-map global_policy
29. class inspection_default
30. inspect dns maximum length 512
31. inspect ftp
32. inspect h323 h225
33. inspect h323 ras
34. inspect netbios
35. inspect sunrpc
36. inspect rsh
37. inspect rtsp
38. inspect sip
39. inspect skinny
40. inspect esmtp
41. inspect sqlnet
42. inspect tftp
43. inspect xdmcp
44. inspect icmp
45. service-policy global_policy global
46. access-list inbound permit icmp any host 192.168.2.10
47. access-list inbound permit tcp any host 192.168.2.10 eq www
48. access-list inbound permit tcp any host 192.168.2.10 eq 443
access-list DMZ permit tcp 192.168.1.13 255.255.255.255 192.168.2.11 eq 1521
49. access-list DMZ permit udp 172.16.2.0 255.255.255.0 host 10.10.2.240 eq ntp
50. access-list VPN permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255.255.0
51. access-list VPN permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
52. access-list LosAngeles permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255.255.0
53. access-list Atlanta permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
54. pager lines 24
55. logging on
56. logging timestamp
57. arp timeout 14400
58. global (outside) 1 192.168.2.20-200
59. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
60. nat (inside) 0 access-list VPN
61. static (DMZ,outside) 192.168.2.10 172.16.2.10 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.2.11 172.16.2.11 netmask 255.255.255.255 0 0
62. access-group inbound in interface outside
63. access-group DMZ in interface DMZ
64. route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
65. timeout xlate 3:00:00
66. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
67. timeout uauth 0:05:00 absolute
68. aaa-server TACACS+ protocol tacacs+
69. aaa-server RADIUS protocol radius
70. no snmp-server location
71. no snmp-server contact
72. snmp-server community public
73. no snmp-server enable traps
74. crypto ipsec transform-set BranchVPN esp-3des esp-md5-hmac
75. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
76. crypto map BranchVPN 10 ipsec-isakmp
77. crypto map BranchVPN 10 match address LosAngeles
78. crypto map BranchVPN 10 set peer 192.168.1.1
79. crypto map BranchVPN 10 set transform-set BranchVPN
80. crypto map BranchVPN 20 ipsec-isakmp
81. crypto map BranchVPN 20 match address Atlanta
82. crypto map BranchVPN 20 set peer 192.168.3.1
83. crypto map BranchVPN 20 set transform-set BranchVPN
84. crypto map BranchVPN interface outside
85. isakmp enable outside
86. isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
87. isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
88. isakmp identity address
89. isakmp policy 20 authentication pre-share
90. isakmp policy 20 encryption 3des
91. isakmp policy 20 hash md5
92. isakmp policy 20 group 2
93. isakmp policy 20 lifetime 86400
94. terminal width 80
95. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5
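The listing above is the chapter's "What Is Wrong with This Picture?" exercise, so it is reproduced as printed. As an added example (not from the book), the following Python script does the mechanical part of that review: it cross-references what the listing defines (nameif, access-list, transform-set, isakmp key) against what it uses (access-group, nat 0, crypto map) and prints every mismatch it can establish from the text alone. The sample input is a constructed excerpt of the Boston lines above with the book's line numbers removed; the set of checks and the wording of the findings are this example's own, and the script does not emulate PIX command parsing, so each line it prints is a place to look rather than a verdict.

```python
"""Cross-reference checker for a PIX 7.0 configuration listing (added example).

Reports: references that do not resolve, objects that are never used, ACL
entries whose address/mask pair will not parse, crypto-map traffic that the
nat 0 (NAT-exemption) ACL does not cover, and a well-known SNMP community.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines from the Boston listing above, book line numbers
# removed and restricted to what this checker models.
SAMPLE = """\
nameif outside
nameif inside
nameif dmz
access-list DMZ permit tcp 192.168.1.13 255.255.255.255 192.168.2.11 eq 1521
access-list DMZ permit udp 172.16.2.0 255.255.255.0 host 10.10.2.240 eq ntp
access-list VPN permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list LosAngeles permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list VPN
access-group DMZ in interface DMZ
snmp-server community public
crypto ipsec transform-set BranchVPN esp-3des esp-md5-hmac
crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
crypto map BranchVPN 10 match address LosAngeles
crypto map BranchVPN 10 set peer 192.168.1.1
crypto map BranchVPN 10 set transform-set BranchVPN
isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
"""


def endpoints(words):
    """(src, dst) networks of an ACL rule body: 'any', 'host A' or 'A MASK',
    optionally followed by 'eq PORT'. None when an address/mask will not parse."""
    nets, i = [], 0
    try:
        while len(nets) < 2:
            if words[i] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
            elif words[i] == "host":
                nets.append(ipaddress.ip_network(words[i + 1])); i += 2
            else:
                nets.append(ipaddress.ip_network(f"{words[i]}/{words[i + 1]}", strict=False)); i += 2
        return nets[0], nets[1]
    except (ValueError, IndexError):
        return None


def parse(text):
    """Index definitions and references; every reference keeps its source line."""
    cfg = {"ifaces": set(), "acls": defaultdict(list), "tsets": set(), "keys": set(),
           "nat0": set(), "acl_refs": [], "iface_refs": [], "maps": {}, "snmp": []}
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            cfg["ifaces"].add(m[1])
        elif m := re.match(r"access-list (\S+) (?:permit|deny) \S+ (.*)$", line):
            cfg["acls"][m[1]].append(m[2].split())
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            cfg["acl_refs"].append((line, m[1])); cfg["iface_refs"].append((line, m[2]))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            cfg["iface_refs"].append((line, m[1])); cfg["acl_refs"].append((line, m[2]))
            cfg["nat0"].add(m[2])
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            cfg["tsets"].add(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$", line):
            cfg["maps"].setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
            if m[3] == "match address":
                cfg["acl_refs"].append((line, m[4]))
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            cfg["keys"].add(m[1])
        elif m := re.match(r"snmp-server community (\S+)$", line):
            cfg["snmp"].append(m[1])
    return cfg


def check(cfg):
    """Findings as strings; an empty list means every reference resolved."""
    out, used = [], {n for _, n in cfg["acl_refs"]}
    out += [f"undefined access-list {n} in: {w}" for w, n in cfg["acl_refs"] if n not in cfg["acls"]]
    out += [f"access-list {n} is defined but never applied" for n in cfg["acls"] if n not in used]
    out += [f"access-list {n}: cannot parse addresses in {' '.join(r)!r}"
            for n, rules in cfg["acls"].items() for r in rules if endpoints(r) is None]
    for where, iface in cfg["iface_refs"]:
        if iface not in cfg["ifaces"]:
            same = [i for i in cfg["ifaces"] if i.lower() == iface.lower()]
            hint = f"case differs from {same[0]!r}" if same else "no such nameif"
            out.append(f"interface {iface!r} matches no nameif exactly ({hint}) in: {where}")
    # A crypto-ACL entry must lie inside some nat 0 entry; otherwise the
    # traffic is translated before the crypto map can match it.
    exempt = [e for a in cfg["nat0"] for r in cfg["acls"].get(a, []) if (e := endpoints(r))]
    for (name, seq), entry in sorted(cfg["maps"].items()):
        for rule in cfg["acls"].get(entry.get("match address"), []):
            ep = endpoints(rule)
            if ep and not any(ep[0].subnet_of(s) and ep[1].subnet_of(d) for s, d in exempt):
                out.append(f"crypto map {name} {seq}: {ep[0]} -> {ep[1]} is not NAT-exempt")
        if (peer := entry.get("set peer")) and peer not in cfg["keys"]:
            out.append(f"crypto map {name} {seq}: no isakmp key for peer {peer}")
        if (ts := entry.get("set transform-set")) and ts not in cfg["tsets"]:
            out.append(f"crypto map {name} {seq}: undefined transform-set {ts}")
    used_ts = {e.get("set transform-set") for e in cfg["maps"].values()}
    out += [f"transform-set {t} is defined but never used" for t in sorted(cfg["tsets"] - used_ts)]
    out += [f"snmp-server community {c!r} is a well-known default"
            for c in cfg["snmp"] if c.lower() in ("public", "private")]
    return out


if __name__ == "__main__":
    for finding in check(parse(SAMPLE)):
        print(finding)
```

On the sample it reports the `access-list DMZ` line whose destination is followed by `eq` instead of a mask, the `access-group` line whose interface name differs in case from the `nameif` (PIX interface names are documented as not case-sensitive, so that one is an inconsistency to review, not a confirmed fault), the unused transform-set `NothingNew`, and the `public` community; the NAT-exemption check passes because the `VPN` ACL covers the `LosAngeles` crypto ACL. Feeding the whole listing in is the intended use; the script ignores lines it does not model.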