This sample configuration demonstrates how to configure the Cisco Security Appliances (PIX/ASA) with three internal networks. Static routes are used on the routers for simplicity.
There are no specific requirements for this document.
The information in this document is based on the PIX 515 with PIX Software version 6.x and above.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This configuration can also be used with the Cisco 5500 Series Adaptive Security Appliance that runs version 7.x and above.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool ( registered customers only) to find more information on the commands used in this document.
This document uses this network setup.
Note: The default gateway of the hosts on the 10.1.1.0 network points to RouterA. A default route on RouterB is added that points to RouterA. RouterA has a default route that points to the PIX inside interface.
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses that have been used in a lab environment.
This document uses these configurations.
If you have the output of a write terminal command from your Cisco device, you can use Output Interpreter ( registered customers only) to display potential issues and fixes.
| RouterA Configuration |
RouterA#show running-config
Building configuration...
Current configuration : 1151 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterA
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
memory-size iomem 25
no network-clock-participate slot 1
no network-clock-participate wic 0
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
no crypto isakmp enable
!
!
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.2.1.1 255.255.255.0
duplex auto
speed auto
!
interface IDS-Sensor1/0
no ip address
shutdown
hold-queue 60 out
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 10.3.1.0 255.255.255.0 10.1.1.3
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
line con 0
line 33
no activation-character
no exec
transport preferred none
transport input all
transport output all
line aux 0
line vty 0 4
password ww
login
!
!
end
RouterA# |
| RouterB Configuration |
RouterB#show running-config
Building configuration...
Current configuration : 1132 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterB
!
boot-start-marker
boot-end-marker
!
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!
!
!
!
no crypto isakmp enable
!
!
!
interface FastEthernet0/0
ip address 10.1.1.3 255.255.255.0
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 10.3.1.1 255.255.255.0
duplex auto
speed auto
!
interface IDS-Sensor1/0
no ip address
shutdown
hold-queue 60 out
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
line con 0
stopbits 1
line 33
no activation-character
no exec
transport preferred none
transport input all
transport output all
line aux 0
line vty 0 4
password cisco
login
!
!
end
RouterB# |
| PIX 6.3 Configuration |
pixfirewall(config)#write terminal
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
!--- Output Suppressed
!--- Enable logging.
logging on
!--- Output Suppressed
!--- All interfaces are shutdown by default.
mtu outside 1500
mtu inside 1500
mtu pix/intf2 1500
ip address outside 10.165.200.225 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
!--- Output Suppressed
!--- Define a Network Address Translation (NAT) pool that
!--- internal hosts use when going out to the Internet.
global (outside) 1 10.165.200.228-10.165.200.254 netmask 255.255.255.224
global (outside) 1 10.165.200.227
!--- Allow all internal hosts to use
!--- the NAT or PAT addresses specified previously.
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
!--- Output Suppressed
!--- Define a default route to the ISP router.
route outside 0.0.0.0 0.0.0.0 10.165.200.226 1
!--- Define a route to the ISP router with network 10.2.1.0.
route inside 10.2.1.0 255.255.255.0 10.1.1.2 1
!--- Define a route to the ISP router with network 10.3.1.0.
route inside 10.3.1.0 255.255.255.0 10.1.1.3 1
!--- Output Suppressed
: end
[OK]
!--- Output Suppressed
|
Note: Nondefault commands are shown in bold.
| PIX/ASA |
pixfirewall#show run
: Saved
:
PIX Version 8.0(2)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.165.200.225 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
!--- Output Suppressed
!--- Enable logging.
logging enable
!--- Define a Network Address Translation (NAT) pool that
!--- internal hosts use when going out to the Internet.
global (outside) 1 10.165.200.228-10.165.200.254 netmask 255.255.255.224
global (outside) 1 10.165.200.227
!--- Allow all internal hosts to use
!--- the NAT or PAT addresses specified previously.
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
!--- Output Suppressed
!--- Define a default route to the ISP router.
route outside 0.0.0.0 0.0.0.0 10.165.200.226 1
!--- Define a route to the ISP router with network 10.2.1.0.
route inside 10.2.1.0 255.255.255.0 10.1.1.2 1
!--- Define a route to the ISP router with network 10.3.1.0.
route inside 10.3.1.0 255.255.255.0 10.1.1.3 1
: end |
Note: For more information on how to configure NAT and PAT on PIX/ASA, refer to PIX/ASA 7.x NAT and PAT Statements.
For more information on how to configure access lists on PIX/ASA, refer to PIX/ASA 7.x : Port Redirection (Forwarding) with nat, global, static and access-list Commands.
There is currently no verification procedure available for this configuration.