HQ PIX Firewall Configuration (Continued)
interface Ethernet 0
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
speed 100
duplex full
interface Ethernet 1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
speed 100
duplex full
interface Ethernet 2
nameif DMZ
security-level 80
ip address 172.16.31.1 255.255.255.0
speed 100
duplex full
interface Ethernet 3
nameif failover
security-level 90
ip address 1.1.1.1 255.255.255.0
speed 100
duplex full
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KPPU encrypted
hostname HQ-PIX
access-list IPS permit ip any any
access-list acl-out permit tcp any host 192.168.1.4 eq smtp
access-list acl-out permit tcp any host 192.168.1.5 eq www
access-list acl-out permit tcp any host 192.168.1.6 eq ftp
!--- Traffic to HOU-PIX:
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 130 permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
!--- Traffic to MN-PIX:
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
!--- Do not Network Address Translate (NAT) traffic to other branches:
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap
no logging history
logging facility 20
logging queue 512
logging host DMZ 172.16.31.7
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
class-map ips_class
match access-list IPS
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect sunrpc
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect tftp
inspect xdmcp
inspect icmp
class ips_class
ips promiscuous fail-close
service-policy global_policy global
failover ip address outside 192.168.1.3
failover ip address inside 10.10.10.2
failover ip address DMZ 172.16.31.2
arp timeout 14400
global (outside) 1 192.168.1.12-192.168.1.150 netmask 255.255.255.0
global (outside) 1 192.168.1.152 netmask 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0
!--- Do not NAT traffic to other PIXes:
nat (inside) 0 access-list VPN
static (DMZ,outside) 192.168.1.4 172.16.31.4 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.5 172.16.31.5 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.6 172.16.31.6 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server TACACS+ (inside) host 10.10.10.7 tacpass
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 TACACS+
aaa authentication include telnet inside 0.0.0.0 0.0.0.0 TACACS+
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Traffic to HOU-PIX (access-list 130 selects the 10.30.10.0/24 networks):
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 130
crypto map Dukem-Map 20 set peer 192.168.3.2
crypto map Dukem-Map 20 set transform-set myset
!--- Traffic to MN-PIX (access-list 120 selects the 10.20.10.0/24 networks):
crypto map Dukem-Map 30 ipsec-isakmp
crypto map Dukem-Map 30 match address 120
crypto map Dukem-Map 30 set peer 192.168.2.2
crypto map Dukem-Map 30 set transform-set myset
crypto map Dukem-Map interface outside
isakmp enable outside
isakmp key ******** address 192.168.3.2 netmask 255.255.255.255
isakmp key ******** address 192.168.2.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:fb446986bcad922ec40de6346e9e2729
: end
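Two things a reviewer checks in a hub configuration like the one above are that every network pair selected by a crypto map ACL is also covered by the `nat 0` exemption ACL (otherwise the traffic is translated before it reaches the tunnel and never matches the crypto ACL), and that the IKE/IPsec algorithms and SNMP community are not defaults. The following script is an added example, not part of the Cisco document: it parses a trimmed, constructed copy of the hub configuration (one VPN exemption entry is deliberately left out so the check has something to find), and reports exemption gaps and weak settings. The weak-algorithm lists are this example's own choices.

```python
"""Offline audit of a PIX-style configuration text (added example, not Cisco's tooling).

It parses access-lists, the nat 0 exemption ACL, crypto map entries, transform
sets, isakmp policies and snmp communities, then reports:
  * crypto-map ACL entries that are not covered by the NAT-exemption ACL
  * weak IKE/IPsec algorithm choices and well-known SNMP community strings
"""
import re
from ipaddress import ip_network

# Constructed sample: a trimmed copy of the HQ configuration. The VPN entry for
# 172.16.31.0/24 -> 10.20.10.0/24 is intentionally omitted to show a detected gap.
SAMPLE_CONFIG = """
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 130 permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
nat (inside) 0 access-list VPN
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 130
crypto map Dukem-Map 20 set peer 192.168.3.2
crypto map Dukem-Map 20 set transform-set myset
crypto map Dukem-Map 30 ipsec-isakmp
crypto map Dukem-Map 30 match address 120
crypto map Dukem-Map 30 set peer 192.168.2.2
crypto map Dukem-Map 30 set transform-set myset
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
# Algorithm choices this example treats as weak (the example's own lists).
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_TRANSFORM = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
DEFAULT_COMMUNITIES = {"public", "private"}


def _addr(tokens):
    """Consume one PIX address specifier (any | host X | net mask); return (network, rest)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (acls, crypto_maps, facts) extracted from the configuration text."""
    acls, crypto = {}, {}
    facts = {"nat0_acl": None, "snmp_communities": [], "transform_sets": {}, "isakmp": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := ACL_RE.match(line):
            src, rest = _addr(m.group(2).split())
            dst, _ = _addr(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := re.match(r"^nat \(\S+\) 0 access-list (\S+)", line):
            facts["nat0_acl"] = m.group(1)
        elif m := re.match(r"^snmp-server community (\S+)", line):
            facts["snmp_communities"].append(m.group(1))
        elif m := re.match(r"^crypto ipsec transform-set (\S+) (.+)$", line):
            facts["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"^crypto map \S+ (\d+) (match address|set peer|set transform-set) (\S+)", line):
            entry = crypto.setdefault(int(m.group(1)), {})
            entry[m.group(2).split()[-1]] = m.group(3)  # keys: address / peer / transform-set
        elif m := re.match(r"^isakmp policy (\d+) (encryption|hash|group) (\S+)", line):
            facts["isakmp"].setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return acls, crypto, facts


def covered(pair, exempt):
    """True if the (src, dst) pair lies inside some NAT-exemption entry."""
    src, dst = pair
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)


def nat_exemption_gaps(acls, crypto, facts):
    """Crypto-map ACL entries not covered by the nat 0 ACL, as (seq, src, dst)."""
    exempt = acls.get(facts["nat0_acl"], [])
    return [(seq, str(s), str(d))
            for seq, entry in sorted(crypto.items())
            for s, d in acls.get(entry.get("address"), [])
            if not covered((s, d), exempt)]


def weak_settings(facts):
    """Human-readable findings for weak IKE/IPsec algorithms and default SNMP communities."""
    findings = []
    for seq, pol in sorted(facts["isakmp"].items()):
        findings += [f"isakmp policy {seq}: {k} {v}" for k, v in pol.items() if v in WEAK_IKE.get(k, ())]
    for name, algs in facts["transform_sets"].items():
        findings += [f"transform-set {name}: {a}" for a in algs if a in WEAK_TRANSFORM]
    findings += [f"snmp community '{c}' is a well-known default"
                 for c in facts["snmp_communities"] if c.lower() in DEFAULT_COMMUNITIES]
    return findings


def audit(text):
    acls, crypto, facts = parse_config(text)
    return {"nat_gaps": nat_exemption_gaps(acls, crypto, facts), "weak": weak_settings(facts)}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for seq, s, d in report["nat_gaps"]:
        print(f"crypto map seq {seq}: {s} -> {d} is not NAT-exempt")
    for finding in report["weak"]:
        print("weak:", finding)
```

Run against the sample it reports the missing DMZ-to-MN exemption for crypto map sequence 30, the DES/MD5/group 1 isakmp policy, the esp-des/esp-md5-hmac transform set, and the `public` community; pointing it at a full `show running-config` works the same way since lines it does not recognise are ignored.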