Chapter 20: Case Study and Sample Configuration
What Is Wrong with This Picture?

Example 20-11 Los Angeles PIX Firewall Configuration

: Saved
:
PIX Version 7.0(2)
interface Ethernet 0
 nameif outside
 security-level 0
 speed 100
 duplex auto
 ip address 192.168.1.1 255.255.255.0
interface Ethernet 1
 nameif inside
 security-level 100
 speed 100
 duplex auto
 ip address 10.10.10.1 255.255.255.0
interface Ethernet 2
 nameif dmz
 security-level 70
 speed 100
 duplex auto
 ip address 172.16.1.1 255.255.255.0
enable password HtmvK15kjhtlyfvcl encrypted
passwd Kkjhlkf1568Hke encrypted
hostname LosAngeles
domain-name www.BranchVPN.com
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect sunrpc
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect tftp
  inspect xdmcp
  inspect icmp
service-policy global_policy global
access-list inbound permit tcp any host 192.168.1.9 eq ftp
access-list inbound permit icmp any host 192.168.1.10
access-list inbound permit tcp any host 192.168.1.10 eq www
access-list inbound permit tcp any host 192.168.1.10 eq 443
access-list inbound permit tcp any host 192.168.1.11 eq www
access-list inbound permit tcp any host 192.168.1.11 eq 443
access-list inbound permit tcp any host 192.168.1.12 eq www
access-list inbound permit tcp any host 192.168.1.12 eq 443
access-list inbound permit tcp any host 192.168.1.13 eq ftp
access-list Exchange permit tcp any host 192.168.1.14 eq 25
access-list Exchange permit tcp any host 192.168.1.14 eq 443
access-list DMZ permit tcp 172.16.1.13 255.255.255.255 10.10.11.221 eq 1521
access-list DMZ permit udp 172.16.1.0 255.255.255.0 host 10.10.10.240 eq ntp
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list Boston permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list Atlanta permit ip 10.10.10.0 255.255.255.0 10.10.3.0 255.255.255.0
pager lines 24
logging on
logging timestamp
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 192.168.1.2
failover ip address inside 10.10.10.2
failover ip address DMZ 172.16.1.2
arp timeout 14400
global (outside) 1 192.168.1.20-250
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list VPN
static (DMZ,outside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.11 172.16.1.11 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.12 172.16.1.12 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.13 172.16.1.13 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.14 172.16.1.14 netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group Exchange in interface outside
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set BranchVPN esp-3des esp-md5-hmac
crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
crypto map BranchVPN 10 ipsec-isakmp
crypto map BranchVPN 10 match address Boston
crypto map BranchVPN 10 set peer 192.168.2.1
crypto map BranchVPN 10 set transform-set BranchVPN
crypto map BranchVPN 20 ipsec-isakmp
crypto map BranchVPN 20 set peer 192.168.3.1
crypto map BranchVPN 20 set transform-set BranchVPN
crypto map BranchVPN interface outside
isakmp enable outside
isakmp key ******** address 192.168.2.1 netmask 255.255.255.255
isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
terminal width 80
Cryptochecksum:e0clmj3546549637cbsFds54132d5
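Reviewing a listing like this by eye is error-prone, so here is an added script (not from the book) that cross-references ACL names, access-group bindings, crypto map entries and transform-sets and reports dangling references; it runs on a constructed excerpt of the Los Angeles listing, trimmed to the lines the checks read. The one behavioural assumption is PIX's rule that an interface holds a single ACL per direction, so a second access-group on the same interface and direction replaces the first.

```python
from collections import defaultdict

# Constructed excerpt of the Los Angeles listing above, trimmed to the lines these checks read.
CONFIG = """\
access-list inbound permit tcp any host 192.168.1.9 eq ftp
access-list Exchange permit tcp any host 192.168.1.14 eq 25
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list Boston permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list Atlanta permit ip 10.10.10.0 255.255.255.0 10.10.3.0 255.255.255.0
nat (inside) 0 access-list VPN
access-group inbound in interface outside
access-group Exchange in interface outside
crypto ipsec transform-set BranchVPN esp-3des esp-md5-hmac
crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
crypto map BranchVPN 10 match address Boston
crypto map BranchVPN 10 set transform-set BranchVPN
crypto map BranchVPN 20 set transform-set BranchVPN
"""

def audit(config):
    acl_def, acl_used, ts_def, ts_used = set(), set(), set(), set()
    bound = defaultdict(list)   # (interface, direction) -> ACLs applied there, in order
    cmap = defaultdict(set)     # (crypto map name, seq) -> sub-commands seen for that entry
    for w in (ln.split() for ln in config.splitlines() if ln.strip()):
        if w[0] == "access-list":
            acl_def.add(w[1])
        elif w[0] == "access-group":                  # access-group NAME in interface IFNAME
            acl_used.add(w[1]); bound[(w[4].lower(), w[2])].append(w[1])
        elif w[0] == "nat" and "access-list" in w:    # nat (if) 0 access-list NAME
            acl_used.add(w[w.index("access-list") + 1])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            ts_def.add(w[3])
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit():
            cmap[(w[2], int(w[3]))].add(w[4])
            if w[4:6] == ["match", "address"]:
                acl_used.add(w[6])
            elif w[4:6] == ["set", "transform-set"]:
                ts_used.update(w[6:])
    out = [f"ACL {a} is defined but never applied" for a in sorted(acl_def - acl_used)]
    out += [f"ACL {a} is referenced but never defined" for a in sorted(acl_used - acl_def)]
    # PIX holds one ACL per interface and direction; a later access-group replaces the earlier one.
    out += [f"interface {i} {d}: {', '.join(a)} applied; only {a[-1]} is in effect"
            for (i, d), a in bound.items() if len(a) > 1]
    out += [f"crypto map {n} {s} has no match address"
            for (n, s), c in sorted(cmap.items()) if "match" not in c]
    out += [f"transform-set {t} is defined but never used" for t in sorted(ts_def - ts_used)]
    return out

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```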
After you have reviewed the configuration files for the three PIX Firewalls, answer the following questions. (The answers appear in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.”)