
#1

This PIX configuration resides on a PIX 501.

Highlights:
- One static IP
- PPTP VPN
- PIX is acting as a DHCP server
- Very straightforward configuration

To the best of my ability, this configuration is working fine on this PIX:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password yWu7BHEZZoMW/Dyb encrypted
passwd 2KFQnbNIdI.2ZZOU encrypted
hostname pixfirewall
domain-name xxxxxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside XXX.XX.XXX.169 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool KDLS_VPN 192.168.1.30-192.168.1.39
pdm location 192.168.1.0 255.255.255.192 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group KDLS_VPN accept dialin pptp
vpdn group KDLS_VPN ppp authentication mschap
vpdn group KDLS_VPN ppp encryption mppe 40
vpdn group KDLS_VPN client configuration address local KDLS_VPN
vpdn group KDLS_VPN pptp echo 30
vpdn group KDLS_VPN client authentication local
vpdn username bjones password *********
vpdn enable outside
dhcpd address 192.168.1.11-192.168.1.42 inside
dhcpd dns XXX.XXX.X.39 XXX.XX.XX.43
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:86246f4ccc475bd78xxxxxxx1a007399
: End

Two things to check before reusing this one. The next hop of the default route, 192.168.1.1, is the PIX's own inside address; with a static outside address the next hop has to be the ISP gateway on the outside subnet. The PPTP pool (192.168.1.30-192.168.1.39) also sits inside the range the PIX hands out by DHCP on the inside (192.168.1.11-192.168.1.42), so a dial-in client can be given an address a LAN host already holds; carve the pool out of the DHCP range.

#2
This PIX configuration resides on a PIX 501.

Highlights:
- Multiple static IPs
- IPSec VPN
- Split tunnel on the VPN
- Static NAT for one server

To the best of my ability, this configuration is working fine on this PIX:

PIX Version 6.3(2)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RXXU24 encrypted
passwd 2KFQnbNIdI.2XXOU encrypted
hostname XXXXXPIX
domain-name XXXXX.NET
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list xxxxxxx_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.3.0 255.255.255.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xx.x.226 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool xxpool 192.168.3.1-192.168.3.254
pdm location 192.168.1.30 255.255.255.255 inside
pdm location 192.168.2.69 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm location 192.168.2.236 255.255.255.255 inside
pdm location 192.168.3.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xx.x.227 192.168.2.236 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xx.x.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxxxxxx address-pool xxpool
vpngroup xxxxxxx dns-server 192.168.2.236
vpngroup xxxxxxx wins-server 192.168.2.236
vpngroup xxxxxxx default-domain xxxxxxx.net
vpngroup xxxxxxx split-tunnel xxxxxxx_splitTunnelAcl
vpngroup xxxxxxx idle-time 1800
vpngroup xxxxxxx password ********
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:b22bce4da837e90ac5XX4cc7bd967c7a
: end

How the VPN pieces fit together: outside_cryptomap_dyn_20 and the second inside_outbound_nat0_acl entry both cover traffic to the 192.168.3.0/24 client pool, so replies to VPN clients are exempted from PAT before the dynamic crypto map is consulted. The split-tunnel ACL names the network behind the PIX (192.168.2.0/24); that is the only destination the client routes through the tunnel, everything else leaves the client in the clear. The static publishes 192.168.2.236 on xxx.xx.x.227, but outside_access_in permits only ICMP echo-reply and unreachable inbound, so any service on that host still needs its own permit line in that ACL.

#3
This PIX configuration resides on a PIX 515.

Highlights:
- Multiple static IPs
- DMZ configuration
- ACLs/statics to allow media streaming from the DMZ
- Object groups for the media streaming services
- ACLs/statics to allow MS Exchange Outlook Web Access

To the best of my ability, this configuration is working fine on this PIX:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
enable password 0v5sXPZZVCZ41p9U encrypted
passwd 0v5sXPsoVCZ4ZZ9U encrypted
hostname PIX
domain-name xxxx.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service video-tcp tcp
  port-object eq 1755
  port-object eq www
  port-object eq 7070
  port-object eq 554
  port-object eq 8080
  port-object eq 9090
  port-object eq https
object-group service video-udp udp
  port-object eq 1755
  port-object range 34445 34459
access-list acl_out1 permit tcp any host xx.xx.xxx.126 eq smtp
access-list acl_out1 permit tcp any host xx.xx.xxx.126 eq pop3
access-list acl_out1 permit tcp any host xx.xx.xxx.126 eq https
access-list acl_out1 permit icmp any host xx.xx.xxx.126
access-list acl_out1 permit tcp any host xx.xx.xxx.126 eq www
access-list acl_out1 permit tcp any any eq domain
access-list acl_out1 permit udp any any eq domain
access-list acl_out1 permit icmp any xx.xx.xxx.64 255.255.255.192
access-list acl_out1 permit tcp any host xx.xx.xxx.121 object-group video-tcp
access-list acl_out1 permit tcp any host xx.xx.xxx.122 object-group video-tcp
access-list acl_out1 permit tcp any host xx.xx.xxx.123 object-group video-tcp
access-list acl_out1 permit tcp any host xx.xx.xxx.124 object-group video-tcp
access-list acl_out1 permit tcp any host xx.xx.xxx.125 object-group video-tcp
access-list acl_out1 permit udp any host xx.xx.xxx.121 object-group video-udp
access-list acl_out1 permit udp any host xx.xx.xxx.122 object-group video-udp
access-list acl_out1 permit udp any host xx.xx.xxx.123 object-group video-udp
access-list acl_out1 permit udp any host xx.xx.xxx.124 object-group video-udp
access-list acl_out1 permit udp any host xx.xx.xxx.125 object-group video-udp
pager lines 24
logging on
icmp permit any outside
icmp permit host 0.0.0.0 outside
icmp permit any inside
icmp permit host 0.0.0.0 inside
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
ip address outside xx.xx.xxx.66 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip address dmz1 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.8 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.192 inside
pdm location 172.16.1.21 255.255.255.255 dmz1
pdm location 172.16.1.22 255.255.255.255 dmz1
pdm location 172.16.1.23 255.255.255.255 dmz1
pdm location 172.16.1.24 255.255.255.255 dmz1
pdm location 172.16.1.25 255.255.255.255 dmz1
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xxx.68
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) xx.xx.xxx.126 192.168.1.8 netmask 255.255.255.255 0 0
static (dmz1,outside) xx.xx.xxx.121 172.16.1.21 netmask 255.255.255.255 0 0
static (dmz1,outside) xx.xx.xxx.122 172.16.1.22 netmask 255.255.255.255 0 0
static (dmz1,outside) xx.xx.xxx.123 172.16.1.23 netmask 255.255.255.255 0 0
static (dmz1,outside) xx.xx.xxx.124 172.16.1.24 netmask 255.255.255.255 0 0
static (dmz1,outside) xx.xx.xxx.125 172.16.1.25 netmask 255.255.255.255 0 0
access-group acl_out1 in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:00:00 udp 0:01:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 2:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.1 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:9ae8d95f5e27ddd07XX89bf3182cefc7
: end

Reading the policy: the five static (dmz1,outside) entries plus the per-host ACL lines expose exactly the object-group ports on each streaming server, but the two "permit ... any any eq domain" lines open port 53 to every published address rather than to the one host that serves DNS; narrow them. There is no global (dmz1), no nat for dmz1 and no static between inside and dmz1, so on 6.x (where every inside-to-lower-security flow needs a translation) inside hosts cannot reach the DMZ servers on their 172.16.1.x addresses until a static (inside,dmz1) or a global (dmz1) is added; the DMZ hosts themselves can still initiate outbound through their statics. "no fixup protocol smtp 25" turns Mailguard off, which is common in front of Exchange because Mailguard rewrites ESMTP commands.
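To see what config #3 actually publishes, here is an added Python script (written for this page, not taken from it) that expands the object groups, maps each public address back through its static, and lists the ports any Internet source can reach per real host. The page masks the public addresses as xx.xx.xxx.N; the excerpt below substitutes 192.0.2.N from the documentation range, keeps only two of the five streaming statics, and is otherwise the page's own lines. The output makes the "any any eq domain" effect visible: 53/tcp and 53/udp show up on every published host, not just the mail server.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of config #3. The page masks public addresses as
# xx.xx.xxx.N; 192.0.2.N (documentation range) stands in for them here.
CONFIG = """\
object-group service video-tcp tcp
 port-object eq 1755
 port-object eq www
 port-object eq 7070
 port-object eq 554
 port-object eq 8080
 port-object eq 9090
 port-object eq https
object-group service video-udp udp
 port-object eq 1755
 port-object range 34445 34459
access-list acl_out1 permit tcp any host 192.0.2.126 eq smtp
access-list acl_out1 permit tcp any host 192.0.2.126 eq pop3
access-list acl_out1 permit tcp any host 192.0.2.126 eq https
access-list acl_out1 permit icmp any host 192.0.2.126
access-list acl_out1 permit tcp any host 192.0.2.126 eq www
access-list acl_out1 permit tcp any any eq domain
access-list acl_out1 permit udp any any eq domain
access-list acl_out1 permit icmp any 192.0.2.64 255.255.255.192
access-list acl_out1 permit tcp any host 192.0.2.121 object-group video-tcp
access-list acl_out1 permit tcp any host 192.0.2.122 object-group video-tcp
access-list acl_out1 permit udp any host 192.0.2.121 object-group video-udp
access-list acl_out1 permit udp any host 192.0.2.122 object-group video-udp
static (inside,outside) 192.0.2.126 192.168.1.8 netmask 255.255.255.255 0 0
static (dmz1,outside) 192.0.2.121 172.16.1.21 netmask 255.255.255.255 0 0
static (dmz1,outside) 192.0.2.122 172.16.1.22 netmask 255.255.255.255 0 0
"""

# Service names the PIX substitutes for well-known ports in this listing.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "domain": 53}


def port_number(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def address_spec(tokens, i):
    """Consume one ACL address (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse(text):
    groups, statics, acl = {}, {}, []
    current = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object-group", "service"]:
            current = t[2]
            groups[current] = []
        elif t[0] == "port-object" and t[1] == "eq":
            groups[current].append(port_number(t[2]))
        elif t[0] == "port-object" and t[1] == "range":
            groups[current].extend(range(int(t[2]), int(t[3]) + 1))
        elif t[0] == "static":
            # static (real_if,mapped_if) mapped_ip real_ip ...
            real_if = t[1].strip("()").split(",")[0]
            statics[t[2]] = (real_if, t[3])
        elif t[0] == "access-list" and t[2] == "permit":
            acl.append(t[3:])
    return groups, statics, acl


def exposure(text):
    """Map each real host behind a static to the (proto, port) pairs the
    outside ACL lets any Internet source reach; returns a sorted dict."""
    groups, statics, acl = parse(text)
    reach = defaultdict(set)
    for entry in acl:
        proto = entry[0]
        if proto not in ("tcp", "udp"):
            continue  # icmp lines are not port exposure
        _, i = address_spec(entry, 1)  # source (always 'any' in this ACL)
        dst, i = address_spec(entry, i)
        rest = entry[i:]
        if not rest:
            ports = ["all"]
        elif rest[0] == "eq":
            ports = [port_number(rest[1])]
        elif rest[0] == "object-group":
            ports = groups[rest[1]]
        else:
            continue
        for public_ip, (real_if, real_ip) in statics.items():
            if ipaddress.ip_address(public_ip) in dst:
                reach[(real_if, real_ip)].update((proto, p) for p in ports)
    order = lambda pp: (pp[0], pp[1] if isinstance(pp[1], int) else -1)
    return {host: sorted(ports, key=order) for host, ports in sorted(reach.items())}


if __name__ == "__main__":
    for (iface, ip), ports in exposure(CONFIG).items():
        print(f"{iface}/{ip}: " + " ".join(f"{pr}/{po}" for pr, po in ports))
```

Run it as-is to get one line per published host; point CONFIG at a full "write terminal" dump to audit a real box, adding any other port names the PIX prints to PORT_NAMES.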

#4
This PIX configuration resides on a PIX 501.

Highlights:
- Multiple static IPs
- PPPoE configuration
- PPTP VPN configuration
- Configured for SSH access from inside and outside
- PIX is acting as a DHCP server

To the best of my ability, this configuration is working fine on this PIX:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NuLKvXXGg.x9HEKO encrypted
passwd 2AnflCWX92XXTLuo encrypted
hostname xxxxx
domain-name xxxxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 10.5.10.192 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.5.10.101 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remote-use-pool 10.5.10.200-10.5.10.220 mask 255.255.255.0
pdm location 10.5.5.0 255.255.255.0 inside
pdm location 10.5.10.8 255.255.255.255 inside
pdm location 10.5.10.192 255.255.255.224 outside
pdm history enable
arp timeout 14400
global (outside) 1 xx.xxx.xxx.188
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.5.10.0 255.255.255.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.5.5.0 255.255.255.0 inside
http 10.5.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group team request dialout pppoe
vpdn group team localname xxxxxxx@xxxxxxx.net
vpdn group team ppp authentication pap
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local remote-use-pool
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxxxxx@sxxxxx.net password *********
vpdn username joe password *********
dhcpd address 10.5.10.10-10.5.10.30 inside
dhcpd dns xx.xx.xx.25 xx.xx.xx.30
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:0ecbd0fddb9cf60ZZ5d9db345d3c7333
: end

Notes on this one: "ssh 0.0.0.0 0.0.0.0 outside" opens SSH to every Internet address on the PPPoE-assigned address; restrict it to the sources you manage from. "pppoe setroute" installs the default route learned over PPPoE, which is why there is no route outside line, and the PAT address in global (outside) 1 has to be one of the static addresses the ISP routes to you. The PPTP pool (10.5.10.200-10.5.10.220) is covered by the nat 0 ACL (10.5.10.192/27) and does not overlap the DHCP range (10.5.10.10-10.5.10.30).

#5
This PIX configuration resides on a PIX 501.

Highlights:
- Multiple static IPs
- IPSec site-to-site VPN
- PPTP VPN configuration
- Configured for SSH access from inside
- PIX is acting as a DHCP server

To the best of my ability, this configuration is working fine on this PIX:

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQXXNIdI.2KYOU encrypted
passwd SEAddXXKsVr9ozym encrypted
hostname PIX
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xx.xxx.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xx.xxx.2
nat (inside) 0 access-list 101
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xx.xxx.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set david esp-des esp-md5-hmac
crypto map xxxx 1 ipsec-isakmp
crypto map xxxx 1 match address 101
crypto map xxxx 1 set peer xxx.xx.xxx.21
crypto map xxxx 1 set transform-set david
crypto map xxxx interface outside
isakmp enable outside
isakmp key cisco123 address xxx.xx.xxx.21 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:da32a4eeb7fed5600b48c2577e26551d

Check these before reusing it: the PAT address in global (outside) 1 is xxx.xx.xxx.2, the same address as the default-route next hop, and a PAT address must be one of your own outside addresses (or the interface keyword), never the gateway's. The crypto map has to name the transform set exactly as it was defined (david). The isakmp key line is a demonstration pre-shared key shown in clear text, and DES with MD5 in both the ISAKMP policy and the transform set is the weakest combination 6.3 offers; replace the key per peer and move to at least 3DES/SHA before the tunnel goes live. The highlights mention PPTP, but this listing contains no vpdn lines.
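Several settings recur across these listings that a reviewer would flag on sight: PPTP with MS-CHAP and 40-bit MPPE in #1, SSH opened to 0.0.0.0 in #4, the clear-text pre-shared key and DES/MD5 in #5, the default SNMP community in all of them, and SSHv1 plus RDP-from-any in the 7.x listings further down. The script below is an added lint pass written for this page (not from the page or from Cisco) that runs those checks over config text; the sample is a constructed set of lines copied from the listings, with the masked peer address on the isakmp key line replaced by 203.0.113.21 from the documentation range.

```python
import re

# Constructed sample: lines copied from configs #1, #4, #5 and #6 on this
# page; the masked peer address is replaced by 203.0.113.21.
SAMPLE = """\
snmp-server community public
ssh version 1
ssh 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.1.3.0 255.255.255.0 inside
access-list outside_acl extended permit tcp any object-group rdp_srv eq 3389
isakmp policy 1 encryption des
isakmp policy 1 hash sha
crypto ipsec transform-set david esp-des esp-md5-hmac
isakmp key cisco123 address 203.0.113.21 netmask 255.255.255.255
vpdn group KDLS_VPN ppp authentication mschap
vpdn group KDLS_VPN ppp encryption mppe 40
ssh 192.168.1.0 255.255.255.0 inside
"""

# (rule id, pattern matched against a stripped config line, explanation)
RULES = [
    ("snmp-default-community", r"^snmp-server community (public|private)$",
     "well-known default community string; change it before adding an snmp-server host"),
    ("ssh-v1", r"^ssh version 1$",
     "SSH restricted to protocol 1; use 'ssh version 2'"),
    ("mgmt-from-any", r"^(ssh|http|telnet) 0\.0\.0\.0 0\.0\.0\.0 outside$",
     "management plane reachable from every Internet address"),
    ("rdp-from-any",
     r"^access-list \S+ (?:extended )?permit tcp any (?:host \S+|object-group \S+|any|\S+ \S+) eq 3389$",
     "RDP published to any source; restrict the sources or require the VPN"),
    ("ike-des", r"^isakmp policy \d+ encryption des$", "single DES for IKE"),
    ("ike-md5", r"^isakmp policy \d+ hash md5$", "MD5 for IKE integrity"),
    ("ipsec-des", r"^crypto ipsec transform-set \S+ .*\besp-des\b", "single DES for ESP"),
    ("ipsec-md5", r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b", "MD5 for ESP integrity"),
    ("psk-in-clear", r"^isakmp key (?!\*+\s)\S+ address ",
     "pre-shared key visible in clear text in the listing; rotate it"),
    ("pptp-weak-auth", r"^vpdn group \S+ ppp authentication (pap|chap|mschap)$",
     "PPTP with PAP/CHAP/MS-CHAP; prefer the IPsec configurations"),
    ("mppe-40", r"^vpdn group \S+ ppp encryption mppe 40$", "40-bit MPPE"),
]
COMPILED = [(rid, re.compile(pat), why) for rid, pat, why in RULES]


def lint(config_text):
    """Return (line number, rule id, line, explanation) for every hit;
    a single line can trigger more than one rule."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        for rid, pattern, why in COMPILED:
            if pattern.search(line):
                findings.append((n, rid, line, why))
    return findings


def finding_ids(config_text):
    """Distinct rule ids that fired, sorted; convenient for asserting on a listing."""
    return sorted({f[1] for f in lint(config_text)})


if __name__ == "__main__":
    for n, rid, line, why in lint(SAMPLE):
        print(f"line {n:2d} [{rid}] {line}\n         {why}")
```

Feed it a full "write terminal" capture instead of SAMPLE to get a line-numbered list; lines the PIX already masks (isakmp key ******** ...) are deliberately not reported by the psk-in-clear rule.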

#6
This PIX configuration resides on a PIX 515.

Highlights:
- Using 7.x code
- IPSec site-to-site VPN (remote peer is config #7)
- IPSec remote access VPN
- Remote access VPN users authenticated by a Windows domain controller
- Configured for SSH access from outside
- Remote Desktop Protocol (RDP) servers: object group and ACL allowing any incoming Internet traffic to connect to the RDP servers

To the best of my ability, this configuration is working fine on this PIX:

PIX Version 7.1(4)
!
hostname PIX515
domain-name yourdomain.com
enable password b72RFgPHFlcU/R12 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address xx.xx.xx.115 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.3.16 255.255.255.0
!
interface Ethernet2
 shutdown
 nameif intf2
 security-level 4
 no ip address
!
passwd b72RFgPHFlcU/css encrypted
ftp mode passive
object-group network rdp_srv
 network-object host x.x.x.116
 network-object host x.x.x.117
 network-object host x.x.x.118
access-list outside_acl extended permit tcp any object-group rdp_srv eq 3389
access-list l2l_list extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip any 10.2.3.0 255.255.255.0
access-list ra_crypto_acl extended permit ip any 10.2.3.0 255.255.255.0
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip local pool a_vpn 10.2.3.0-10.2.3.254 mask 255.255.255.0
asdm image flash:/asdm-502.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.116 10.1.3.3 netmask 255.255.255.255
static (inside,outside) x.x.x.117 10.1.3.2 netmask 255.255.255.255
static (inside,outside) x.x.x.118 10.1.3.44 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.114 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server Windows_NT protocol nt
aaa-server Windows_NT host 10.1.3.3
 nt-auth-domain-controller ITDC1
username eric password hpzN9tuFDiPoxxxx encrypted
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
http 10.1.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ASet esp-des esp-md5-hmac
crypto ipsec transform-set ra1_set esp-des esp-md5-hmac
crypto dynamic-map ra1_dyn 10 match address ra_crypto_acl
crypto dynamic-map ra1_dyn 10 set transform-set ra1_set
crypto map amap 1 match address l2l_list
crypto map amap 1 set peer x.x.x.243
crypto map amap 1 set transform-set ASet
crypto map amap 2 ipsec-isakmp dynamic ra1_dyn
crypto map amap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.243 type ipsec-l2l
tunnel-group x.x.x.243 ipsec-attributes
 pre-shared-key *
tunnel-group avpn type ipsec-ra
tunnel-group avpn general-attributes
 address-pool a_vpn
 authentication-server-group Windows_NT
tunnel-group avpn ipsec-attributes
 pre-shared-key *
telnet 10.1.3.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
ssh version 1
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:2530f0786afb8ab09d79ea2279ff714b
: end

Exposure and management notes: outside_acl lets any Internet source reach 3389 on the three published hosts, and "ssh 0.0.0.0 0.0.0.0 outside" together with "http 0.0.0.0 0.0.0.0 outside" opens SSH and ASDM to any source as well; "ssh version 1" then limits the PIX to SSHv1. The SNMP community is left at the default public; no snmp-server host is defined, so nothing can poll yet, but change it before one is added. The "http 192.168.1.0 255.255.255.0 inside" line refers to a network that is not the inside subnet (10.1.3.0/24) and does nothing here. The asdm image line names ASDM 5.0(2), which belongs to the 7.0 train; 7.1 pairs with ASDM 5.1, so check show version against the ASDM release notes before relying on the GUI.
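Config #6 and its peer, config #7 below, only work because three things line up: the two l2l_list ACLs mirror each other, the nonat ACL covers every crypto ACL entry, and the PIX's NAT order of operations (nat 0 exemption first, then static, then nat/global) hands the packet to the crypto map untranslated. The model below is an added Python check written for this page, not taken from it or from Cisco; the two excerpts are constructed from the listings with the masked outside addresses replaced by 192.0.2.115/.116 and 192.0.2.243 from the documentation range, and SITE_B_NO_EXEMPT shows what the checks report when the nat 0 line is missing.

```python
import ipaddress

# Constructed excerpts of config #6 (site A) and config #7 (site B).
# The page masks the outside addresses; 192.0.2.115/.116 and 192.0.2.243
# (documentation range) stand in for x.x.x.115/.116 and x.x.x.243.
SITE_A = """\
ip address outside 192.0.2.115 255.255.255.240
access-list l2l_list extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip any 10.2.3.0 255.255.255.0
access-list ra_crypto_acl extended permit ip any 10.2.3.0 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) 192.0.2.116 10.1.3.3 netmask 255.255.255.255
crypto dynamic-map ra1_dyn 10 match address ra_crypto_acl
crypto map amap 1 match address l2l_list
crypto map amap 2 ipsec-isakmp dynamic ra1_dyn
"""
SITE_B = """\
ip address outside 192.0.2.243 255.255.255.240
access-list l2l_list extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
crypto map bmap 1 match address l2l_list
"""
# Failure case: site B with the NAT exemption line dropped.
SITE_B_NO_EXEMPT = SITE_B.replace("nat (inside) 0 access-list nonat\n", "")


def network(addr, mask=None):
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def address_spec(tokens, i):
    """Consume one ACL address (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return network("any"), i + 1
    if tokens[i] == "host":
        return network(tokens[i + 1], "255.255.255.255"), i + 2
    return network(tokens[i], tokens[i + 1]), i + 2


def parse(text):
    cfg = {"acls": {}, "nat0": None, "nat_nets": [], "statics": {},
           "crypto_acls": [], "outside_ip": None}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "address", "outside"]:
            cfg["outside_ip"] = ipaddress.ip_address(t[3])
        elif t[0] == "access-list":
            body = t[3:] if t[2] == "extended" else t[2:]
            if body[:2] != ["permit", "ip"]:
                continue
            src, i = address_spec(body, 2)
            dst, _ = address_spec(body, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["nat", "(inside)"] and t[2] == "0":
            cfg["nat0"] = t[4]                      # nat (inside) 0 access-list NAME
        elif t[:2] == ["nat", "(inside)"]:
            cfg["nat_nets"].append(network(t[3], t[4]))
        elif t[0] == "static":
            cfg["statics"][t[3]] = t[2]             # real ip -> mapped ip
        elif t[0] == "crypto" and "match" in t:
            cfg["crypto_acls"].append(t[t.index("address") + 1])
    return cfg


def acl_permits(cfg, name, src, dst):
    return any(src in s and dst in d for s, d in cfg["acls"].get(name, []))


def nat_action(cfg, src, dst):
    """Inside-to-outside translation in PIX order of operations:
    NAT exemption (nat 0 access-list) first, then static, then nat/global."""
    if cfg["nat0"] and acl_permits(cfg, cfg["nat0"], src, dst):
        return "exempt", src
    if str(src) in cfg["statics"]:
        return "static", ipaddress.ip_address(cfg["statics"][str(src)])
    if any(src in n for n in cfg["nat_nets"]):
        return "pat", cfg["outside_ip"]             # global (outside) N interface
    return "none", src


def walk(cfg, src, dst):
    """Translate first, then match the crypto ACLs against what the crypto
    map actually sees: the translated source address."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    action, xsrc = nat_action(cfg, src, dst)
    tunnel = next((n for n in cfg["crypto_acls"] if acl_permits(cfg, n, xsrc, dst)), None)
    return action, str(xsrc), tunnel


def uncovered_by_exemption(cfg):
    """Crypto ACL entries no nat 0 entry covers: that traffic is translated
    before the crypto map sees it and never enters a tunnel."""
    nat0 = cfg["acls"].get(cfg["nat0"], [])
    return [(name, str(s), str(d))
            for name in cfg["crypto_acls"]
            for s, d in cfg["acls"][name]
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in nat0)]


def mirrored(a, b, acl="l2l_list"):
    """Site-to-site crypto ACLs on the two peers must be exact mirror images."""
    fwd = {(str(s), str(d)) for s, d in a["acls"][acl]}
    rev = {(str(d), str(s)) for s, d in b["acls"][acl]}
    return fwd == rev


if __name__ == "__main__":
    a, b = parse(SITE_A), parse(SITE_B)
    print("mirror:", mirrored(a, b), "gaps:", uncovered_by_exemption(a))
    for flow in [("10.1.3.5", "10.1.1.20"), ("10.1.3.3", "198.51.100.7"), ("10.1.3.5", "10.2.3.9")]:
        print(flow, "->", walk(a, *flow))
    print("B without nat 0:", walk(parse(SITE_B_NO_EXEMPT), "10.1.1.5", "10.1.3.3"))
```

The walk for 10.1.3.3 shows why exemption has to come first: that host has a static, and if the static won the packet would reach the crypto map with source 192.0.2.116, which l2l_list does not match. In SITE_B_NO_EXEMPT the same thing happens through interface PAT, and uncovered_by_exemption names the exact ACL entry to fix.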

#7
This PIX configuration resides on a PIX 515.

Highlights:
- Using 7.x code
- IPSec site-to-site VPN (remote peer is config #6)
- PIX is acting as a DHCP server
- Configured for ASDM from the inside network
- Configured for SSH access from outside

To the best of my ability, this configuration is working fine on this PIX:

PIX Version 7.2(2)
!
hostname tpix
domain-name yourdomain.com
enable password b72RFgPHFlcUxxxx encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address x.x.x.243 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.17 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd b72RFgPHFlcsxssxx encrypted
ftp mode passive
access-list l2l_list extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging monitor warnings
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
asdm image flash:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.242 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set BSet esp-des esp-md5-hmac
crypto map bmap 1 match address l2l_list
crypto map bmap 1 set peer x.x.x.115
crypto map bmap 1 set transform-set BSet
crypto map bmap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.115 type ipsec-l2l
tunnel-group x.x.x.115 ipsec-attributes
 pre-shared-key *
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
console timeout 0
management-access inside
dhcpd address 10.1.1.18-10.1.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:dd4754af74db04e5ca3834c3220dc06f
: end

Notes on this one: "logging console debugging" pushes every debug-level message to the console port, which Cisco warns can slow the box to a crawl; keep console logging at warnings or lower in production. "ssh 0.0.0.0 0.0.0.0 outside" opens SSH to any source, as in #6. The DHCP server needs dhcpd enable inside alongside the address range before it hands out leases, and the range starts right after the inside interface address (10.1.1.17). asdm-502.bin is a 7.0-train ASDM image; 7.2(2) pairs with ASDM 5.2.

-----------------------------------------------------------------------------------------------------

Be sure to also visit the following sites for other tutorials and products to add to your network tool belt:
PIX/ASA Firewall Keys - www.firewallkeys.com
Cisco Router Keys One - www.routerkeys.com
Subnetting Keys Ebook and Video Series - www.routerkeys.com/ip
Cisco Router NAT Tutorial - www.routerkeys.com/nat

And be sure to join the free mailing list by sending a blank email to fwkeysnews@firewallkeys.com
