PIX Configuration for Atlanta

1. : Saved
2. :
3. PIX Version 6.3(3)
4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password ksjfglkasglc encrypted
8. passwd kjngczftglkacytiur encrypted
9. hostname Atlanta
10. domain-name www.Chapter11.com
11. fixup protocol ftp 21
12. fixup protocol http 80
13. fixup protocol smtp 25
14. fixup protocol skinny 2000
15. names
16. access-list inbound permit icmp any host 192.168.3.10
17. access-list inbound permit tcp any host 192.168.3.10 eq www
18. access-list inbound permit tcp any host 192.168.3.10 eq 443
19. access-list DMZ permit udp 172.16.3.0 255.255.255.0 host 10.10.3.240 eq ntp
20. access-list________________________________________________________________
21. access-list________________________________________________________________
22. access-list________________________________________________________________
23. access-list________________________________________________________________
24. pager lines 24
25. logging on
26. logging timestamp
27. interface ethernet0 auto
28. interface ethernet1 auto
29. interface ethernet2 auto
30. mtu outside 1500
31. mtu inside 1500
32. ip address outside 192.168.3.1 255.255.255.0
33. ip address inside 10.10.3.1 255.255.255.0
34. ip address DMZ 172.16.3.1 255.255.255.0
35. arp timeout 14400
36. global (outside) 1 192.168.3.20-200
37. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
38. nat (inside) 0 access-list VPN
39. static (inside DMZ) 10.10.3.240 10.10.3.240 netmask 255.255.255.255 0 0
40. static (DMZ outside) 192.168.3.10 172.16.3.10 netmask 255.255.255.255 0 0
41. access-group inbound in interface outside
42. access-group DMZ in interface DMZ
43. route outside 0.0.0.0 0.0.0.0 192.168.3.254 1
44. timeout xlate 3:00:00
45. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
46. timeout uauth 0:05:00 absolute
47. aaa-server TACACS+ protocol tacacs+
48. aaa-server RADIUS protocol radius
49. no snmp-server location
50. no snmp-server contact
51. snmp-server community public
52. no snmp-server enable traps
53. floodguard enable
54. sysopt connection permit-ipsec
55. crypto ipsec transform-set_____________________________________________________
56. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
57. crypto map Chapter11 10 ipsec-isakmp
58. crypto map_____________________________________________________________________
59. crypto map_____________________________________________________________________
60. crypto map Chapter11 10 set transform-set Chapter11____________________________
61. crypto map_____________________________________________________________________
62. crypto map_____________________________________________________________________
63. crypto map_____________________________________________________________________
64. crypto map Chapter11 20 set transform-set Chapter11____________________________
65. crypto map_____________________________________________________________________
66. isakmp_________________________________________________________________________
67. isakmp key ********____________________________________________________________
68. isakmp key_____________________________________________________________________
69. isakmp identity address________________________________________________________
70. isakmp policy 20_______________________________________________________________
71. isakmp policy 20 encryption 3des
72. isakmp policy 20 hash md5
73. isakmp policy 20 group 2
74. isakmp policy 20 lifetime 86400
75. terminal width 80
76. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5

Each line of the configuration is numbered, and certain lines have not been completed. Your
job is to complete the lines and verify each configuration against the configuration of the
VPN peer. The following sections give the blank lines for each configuration. The completed
configurations are listed at the end of the chapter, along with a full description of each
element from the configuration in Los Angeles. You will not find all the information needed
to complete the configuration on a single firewall. Remember that the configurations must
match on each end of the VPN.
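
The peer-matching check described above can also be scripted. The following is an added example, not part of the book's text: it compares the IKE policy parameters and IPSec transforms of two PIX configurations. The function names are hypothetical, and the PEER fragment is constructed with deliberate mismatches; it is not the Los Angeles configuration.

```python
import re

# Constructed fragments. ATLANTA repeats lines visible in the listing above;
# PEER is invented for this example (it is not the book's Los Angeles config)
# and carries two deliberate mismatches.
ATLANTA = """\
56. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
70. isakmp policy 20_______________________________________________________________
71. isakmp policy 20 encryption 3des
72. isakmp policy 20 hash md5
73. isakmp policy 20 group 2
"""
PEER = """\
crypto ipsec transform-set NothingNew esp-3des esp-md5-hmac
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""

LINE_NO = re.compile(r"^\s*\d+\.\s+")  # the listing's "71. " style prefixes

def parse(config):
    """Return (isakmp policies, transform sets) from PIX 6.x config text."""
    policies, transforms = {}, {}
    for raw in config.splitlines():
        words = LINE_NO.sub("", raw).split()
        if words[:2] == ["isakmp", "policy"] and len(words) >= 5:
            policies.setdefault(words[2], {})[words[3]] = words[4]
        elif words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) >= 5:
            transforms[words[3]] = frozenset(words[4:])
        # Unfinished exercise lines ("isakmp policy 20____") fall through.
    return policies, transforms

def mismatches(local, peer):
    """List reasons the two ends cannot agree on IKE or IPSec settings."""
    (l_pol, l_ts), (p_pol, p_ts) = parse(local), parse(peer)
    # Policy numbers and transform-set names are local; only contents count.
    key = lambda pol: tuple(pol.get(f) for f in ("encryption", "hash", "group"))
    problems = []
    if not {key(p) for p in l_pol.values()} & {key(p) for p in p_pol.values()}:
        problems.append("no isakmp policy with the same encryption/hash/group")
    if not set(l_ts.values()) & set(p_ts.values()):
        problems.append("no transform-set with the same transforms")
    return problems

if __name__ == "__main__":
    for problem in mismatches(ATLANTA, PEER):
        print("MISMATCH:", problem)
```

Lines that are still blank in the exercise are skipped rather than guessed, so the check reports only on what each configuration actually states.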