Below is a sample config for 2 site to site vpns from a PIX running 8.0(4)16. One peer being 192.168.2.100, and the other 192.168.1.100. Please note : This isn’t a tutorial but merely just a sample config that can be used as a reference point. isakmp enable outside isakmp policy 10 encryption des … Read more
Below is a list of the main Instant Messenger applications (including ports and destinations) for the denial of use via policy based rules. Please note : With creating policy based rules the following rules will be required, Destination any with a service port of the below ports (excluding http and https) Destination of the below … Read more
Background PIX or ASA running 7.0 later introduce a security feature in which any packets containing an MSS larger then the announced size during the 3 way handshake will be dropped.During the 3 way hand shake both sides announce their MSS (Maximum Segment Size). The MSS is the largest TCP payload that the host can … Read more
Below you will find a bunch of commands that can be used to gain a clear picture of a PIX/ASA`s system health, sh resource usage system sh memory sh cpu sh service-policy sh asp drop sh logging | i -1- sh fail | i This
Below shows you how to upgrade your ASA to verson 8.04. 1. Enable scopy on your ASA firewall(config)#ssh scopy enable 2. Copy the image from your PC to the ASA, the command below is done on your PC via “Start / Run / CMD”. Download pscp here. pscp [image].bin [user]@[asa_ip]:[image].bin 3 .Change the boot order, … Read more
Below provides the nessecary steps required to create an a packet capture on an ASA/PIX, and the relevant download method. Note : You will requre pscp (putty pscp) installed onto your PC. Download pscp here. This is only available in the later versions of PIX & ASA. First of all start the capture. capture capturefile … Read more
Below will configure you interface with vlan50, ip address 1.1.1.1 with a name of outside. This will also bring up the interface. nameif ethernet0 outside security0ip address outside 1.1.1.1 255.255.255.0interface ethernet0 autointerface outside vlan50
To enable ssh on your PIX (6.3) run the following, hostname myfw domain-name home.net ca gen rsa key 1024 ssh 0 0 inside ssh timeout 60 passwd 123 ca save all When you go to log in your username will be pix and the password 123.
The following command will allow you to add a default route to your PIX device: route [interface name] 0 0 [default gw ip] Example route outside 0 0 1.1.1.1
Below provide sample configurations required for building a site to site VPN between a Cisco PIX and a Check Point Firewall. PIX Configuration (config)#isakmp enable outside (config)#isakmp policy 10 (config-isakmp-policy)# encryption aes-256 (config-isakmp-policy)# hash sha (config-isakmp-policy)# authentication pre-share (config-isakmp-policy)# group 1 (config-isakmp-policy)# lifetime 86400 (config)#isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth (config)#access-list ED … Read more
Heres a few PIX commands that may come in useful. Performance / Usage sh mem Shows memory used and amount free sh cpu Shows % of CPU used sh perfmon Show the performance of various connections sh traffic Show the traffic stats sh resource usage system Shows the system utilization sh service-policy Shows the amount … Read more
Introduction This is a guide on how to install a Free pix emulator / simulator onto a linux platform. You can also obtain the windows version, which you can find (along with other tutorials and forum) at the ariscahyadi blog. This software was written by mmm123, and is called PEMU, which is based on the … Read more
Below is an example of static NAT for FTP when using the outside interface with a DHCP address assigned to it. static (dmz,outside) tcp interface ftp 172.16.1.50 ftp netmask 255.255.255.255 static (dmz,outside) tcp interface ftp-data 172.16.1.50 ftp-data netmask 255.255.255.255
When using a “inspect policy map” you need to add it to a “standard policy-map” to allow you to add it to the service policy.For each policy map there would be a class map, the inspect would match the FTP command, and then use the classmap “inspection-default” in the standard policy map. Running Config policy-map … Read more
Below shows the configuration syntax for configuring a Site to Site VPN on a Cisco PIX firewall. Configuration (config)#isakmp enable outside(config)#isakmp policy 10(config-isakmp-policy)# encryption aes-256(config-isakmp-policy)# hash sha(config-isakmp-policy)# authentication pre-share(config-isakmp-policy)# group 1(config-isakmp-policy)# lifetime 86400(config)#isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth(config)#access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0(config)#access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0(config)#nat (inside) … Read more
Below are the steps involved in configuring protocol handling, Create the class-map – Tell the class-map which traffic to match Create Policy-map – Assign class-map to policy map. Tell the class-map what to do to the matched traffic Assign policy map globally or to interface Below will inspect http traffic on port 801 using, and … Read more
If you need to view the logs on your pix, as you haven’t got a syslog server, or you haven’t got access to it, you can access the logs on the pix itself and grep your way through, by using and enabling the logging buffer. Below shows you how to enable and disable the logging … Read more
Below shows you the commands for creating a read only account on a Cisco PIX firewall. hostname(config)# username client password 123 privilege 5hostname(config)# privilege show level 5 command running-confighostname(config)# privilege show level 5 command startup-confighostname(config)# privilege show level 5 command access-listhostname(config)#aaa authentication ssh console LOCAL
Static To send all traffic to 192.168.0.1 out the outside interface.To send any traffic in 10.0.1.0/24 to 10.0.0.1 out the inside interface (config)#Route outside 0 0 192.168.0.1(config)#Route inside 10.0.1.0 255.255.255.0 10.0.0.1 RIP Allow RIP updates to be received on the outside interface with a key of cisco and id of 2.Pass RIP updates out the … Read more
Below shows you how to enable ASDM upon your PIX. First of all you will need to copy the ASDM image to you PIX firewall. I find the easiest way to do this is to enable scopy (scp) on your pix using the command ssh scopy enable. And then using the putty tool pscp to … Read more
Below shows you how to configure stateful LAN based failover. Primary (config)#interface eth0(config-if)#nameif inside(config-if)#ip add 10.1.1.10 255.255.255.0 standby 10.1.1.20 (config)#interface eth1(config-if)#no nameif(config-if)#no shut (config)#interface eth2(config-if)#no nameif(config-if)#no shut (config)#failover(config)#failover lan unit primary(config)#failover lan interface failover eth1(config)#failover lan enable(config)#failover key <key>(config)#failover link state eth2(config)#failover interface ip failover 172.16.50.10 255.255.255.0 standby 172.16.50.20(config)#failover interface ip state 172.16.51.10 255.255.255.0 standby … Read more
Below shows you the commands to enable SNMP (polls or traps) on PIX/ASA v7.x or later….. pix(config)# snmp-server host [interface_name] [ip_address] trap community [community string] pix(config)# snmp-server host [interface_name] [ip_address] poll community [community string]