:
: $Id: pix-config-template,v 1.10 2002/04/24 19:17:37 lf Exp $
:
: Configuration template with hints for the Cisco PIX 501 with software
: version 6.1 and up.
:
: Author: Lars Fenneberg
:
: Set hostname and domain
: You need to regenerate the RSA keys below (with all consequences)
: after changing hostname and domain!
hostname
domain-name
: Set passwords
: I would advise against using AAA with a RADIUS or TACACS+
: server here.
passwd
enable password
: Time in *U*T*C*
clock set
: Generate RSA keys (used for IPSec and SSH)
: PDM setup generates a 768 bit key by default, but I'd recommend
: 1024.
: If your software version is <= 6.1(1), don't use special usage keys (see
: CSCdw73433 SSL fails with RSA special key and self-signed certificate)
ca generate rsa key 1024
ca save all
: ^-- Don't forget this or the keys won't be saved to flash.
: Configure addresses
ip address inside
ip address outside
: UP interfaces
interface ethernet0 auto
interface ethernet1 auto
: Default route
route outside 0 0 1
: Disable proxy ARP for inside interface
sysopt noproxyarp inside
: Anti-spoofing
ip verify reverse-path interface inside
ip verify reverse-path interface outside
: Allow HTTP/SSL access from specific addresses (for PIX Device Manager)
http
http server enable
: Allow SSH access from specific addresses
ssh
: Basic inbound access list
: Needs to be augmented when other inbound services are needed (inside
: mail-server, etc.)
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any source-quench
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-group inbound in interface outside
: Configure which ICMP types the outside interface reacts to
: See http://www.cisco.com/warp/customer/110/31.html.
icmp permit any echo outside
: ^-- Only add when ICMP replies are wanted (otherwise: "Stealth PIX")
icmp permit any source-quench outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
: NAT everything on the inside
nat (inside) 1 0 0
: NAT specific network
nat (inside) 1
: PAT to the interface address
global (outside) 1 interface
: PAT to extra address
global (outside) 1
: NAT to pool
global (outside) 1 - netmask
: Don't NAT at all
nat (inside) 0 0 0
: Don't NAT for specific network
nat (inside) 0
: Cisco recommends a translation timeout of 1 hour (default is 3 hours)
: for increased system performance
timeout xlate 1:00:00
: Enable floodguard feature (prevents DoS attacks on the uauth feature)
floodguard enable
: Allows ESMTP to work but makes your mail server more vulnerable
no fixup protocol smtp 25
: Add other fixups, for example:
fixup protocol http 81
fixup protocol http 8080
fixup protocol http 3128
: Send TCP resets (for denied TCP packets, instead of just dropping them)
: This can be a good idea when you want to terminate IDENT queries
: right away.
: For inbound connections going *through* the firewall
service resetinbound
: For connections terminating on the least secure firewall interface
: (for example when using PAT)
service resetoutside
: Logging
logging on
logging buffered debugging
logging trap debugging
: local0 (16) to local7 (23)
logging facility 23
logging host inside x.x.x.x
: Intrusion Detection (aka Auditing)
ip audit name inbound-a attack action alarm
ip audit name inbound-i info action alarm
: Apply to outside interface
ip audit interface outside inbound-i
ip audit interface outside inbound-a
:
: PPTP basic configuration
:
sysopt connection permit-pptp
:
ip local pool pptp-pool -
:
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
: ^-- For MPPE MSCHAP is required.
vpdn group 1 ppp encryption mppe 40 required
: ^-- 128bit encryption requires 3DES license
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn enable outside
: ^-- Bind to outside interface.
vpdn username password
: ^-- Local user database (AAA is possible, too, of course)
access-list no-nat permit ip
nat (inside) 0 access-list no-nat
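The "Basic inbound access list" section above says the list must be augmented for inside services such as a mail server. The fragment below is an added example, not part of Lars Fenneberg's template, showing that augmentation with a static translation and a matching access-list entry. The addresses 192.0.2.25 (outside) and 192.168.1.25 (inside) are constructed placeholders.

```cisco
: Added example: publish an inside mail server through the PIX.
: Addresses are constructed placeholders; replace them with your own.
:
: One-to-one static translation (outside 192.0.2.25 -> inside 192.168.1.25)
static (inside,outside) 192.0.2.25 192.168.1.25 netmask 255.255.255.255
:
: Open only SMTP to the translated address. The ICMP entries of the
: "inbound" list stay in place, and the list is already bound to the
: outside interface by "access-group inbound in interface outside".
access-list inbound permit tcp any host 192.0.2.25 eq smtp
:
: Keep the SMTP fixup (Mail Guard, which limits the session to the minimum
: RFC 821 command set) unless the server really needs ESMTP; the template's
: "no fixup protocol smtp 25" line trades that protection for ESMTP support.
fixup protocol smtp 25
:
: Verify the entry afterwards with: show access-list
```

Any denied connection attempts to the server show up on the syslog host configured in the "Logging" section, since logging trap is set to debugging.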