pixFirewall(config)# enable password techst0ck
Now we'll bring up those two interfaces, as out of the box, they're down.
pixFirewall(config)# interface ethernet0 auto
pixFirewall(config)# interface ethernet1 100full
You can see the status of these interfaces by typing:
pixFirewall(config)# show interfaces
Let's assume you assign your outside address dynamically (for instance, your ISP automatically assigns you an IP address). To let your ISP autoassign one, type:
pixfirewall(config)# ip address outside dhcp
If there is a DHCP server upstream from you that is properly configured to lease you an IP address, you'll get a message similar to this one:
Allocated IP address =12.110.110.91, netmask =255.255.252.0, gateway = 12.110.110.1
If this doesn't work, then you'll need to manually assign your IP address on ethernet0. If your ISP told you your IP address is, say, 12.110.110.91/24, then you'd type in this:
pixFirewall(config)# ip address
outside 12.110.110.91
255.255.255.0
Once you've finished, you'll need to set the IP addresses of the inside (ethernet1) interface as well.
pixFirewall(config)# ip address inside 10.1.1.1 255.255.255.0
The PIX 501 is the smallest model from Cisco, so we'll assume that your network isn't too large. In this example, we're only going to NAT your one public IP. Theoretically, you can NAT 254, although you're limited to 10 devices unless you buy an upgrade license.
If you use DHCP, then you'll need to configure the PIX to route outgoing traffic. Since it's DHCP, we don't really know where that is, as our ISP may very well decide to change our IP address without telling us. In this case, we'll need to type in the following line:
pixfirewall(config)# ip address
outside dhcp setroute
If all went well, you should see something like this:
Allocated IP address =
12.110.110.91, netmask =
255.255.252.0, gateway =
>12.110.110.1
If all didn't go as planned, you'll have to manually add your route:
pixFirewall(config)# route outside
0.0.0.0 0.0.0.0 12.110.110.1
To double-check that route, type:
pixFirewall(config)# sh route
Now that the PIX knows what to do with outgoing traffic (send it upstream to another router), we now need to give it specific instructions on how to translate traffic between the two interfaces. Use this command to make that happen:
pixfirewall(config)# nat (inside) 1
10.1.1.0 255.255.255.0
pixfirewall(config)# global
(outside) 1 interface
If you did this correctly, the second line will give the message:
outside interface address added to PAT pool
Now your PIX has been configured to translate traffic between your public (12.110.110.91) address and your private 10.1.1.0/24 network. The only thing left now is to configure the DHCP server on the internal interface. Doing so will allow the PIX to automatically assign IP addresses to those on your network; similar to the way an ISP automatically assigns IPs to its users. To do this, follow these instructions:
pixfirewall(config)# dhcpd address 10.1.1.32-10.1.1.63 inside
pixfirewall(config)# dhcpd dns 4.2.2.1 4.2.2.2
pixfirewall(config)# dhcpd lease 3600
pixfirewall(config)# dhcpd ping_timeout 750
pixfirewall(config)# dhcpd enable inside
No comments:
Post a Comment