Critique my PIX 501 config

jocooper (Limp Gawd; joined Mar 28, 2003; 367 messages)
Hey guys, I was hoping you could critique my PIX config. I am playing with this at home. Just basic internet and email. No games, file sharing, etc. Just basic home use.

Thanks!


Code:
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ??????? encrypted
passwd ??????? encrypted
hostname KPIX
domain-name kpix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap warnings
logging history warnings
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 144000
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
http server enable
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin password ???????? encrypted privilege 15
terminal width 80
Cryptochecksum:????????
: end
[OK]
 
DNS entry for outside or inside?

Everything appears to be working as far as I can tell. Correct me if I am wrong, but the outside interface obtains DNS info from my ISP. And clients connected inside have their DNS pointing at the PIX.
 
Yes, dhcpd auto_config should automatically get DNS/WINS from the outside interface.

What are you using for management? Don't use telnet (even though it's not allowed on an outside interface) and enable SSH. Generate an RSA key and set the inside/outside accessible networks.

ca gen rsa key 2048
ssh 192.168.1.1 255.255.255.255 inside
ssh timeout 60
ca save all
 
I was doing everything thru the console cable.

I will scope out the settings you recommended.
 
jocooper said:
I was doing everything thru the console cable.

I will scope out the settings you recommended.


Good, then kill the http enable for the GUI.

Any access lists?
 
jvlazzar said:
Yes, dhcpd auto_config should automatically get DNS/WINS from the outside interface.

What are you using for management? Don't use telnet (even though it's not allowed on an outside interface) and enable SSH. Generate an RSA key and set the inside/outside accessible networks.

ca gen rsa key 2048
ssh 192.168.1.1 255.255.255.255 inside
ssh timeout 60
ca save all


I don't think telnet is enabled; it just has the timeout setting.
When I do a "show telnet" it doesn't return anything. When I do "no telnet" it says the host is not configured.
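The points raised across these replies (telnet host entries versus the bare `telnet timeout` line the poster noticed, SSH with an RSA key in place of the PDM/HTTP server, whether any access lists are applied) can be checked mechanically. The script below is an added example and is not code from this thread or from Cisco: it parses a PIX 6.x `show run` dump and reports those findings with the PIX 6.3 commands that address them, and it also flags two items that are visible in the posted config but not raised in the replies: `snmp-server community public` is the default community string, and `logging trap warnings` is set with no `logging host`, so the syslog messages are sent nowhere. Both embedded configs are constructed: the first is a trimmed copy of the posted config with secrets masked, the second is what the relevant lines look like after the fixes, with a placeholder SNMP string, syslog address and `inside_out` access list that are my choices rather than anything from the thread. The suggested commands (`ca generate rsa key 2048`, `aaa authentication ssh console LOCAL` so that SSH uses the local `admin` account rather than the default `pix` user with the `passwd` password, and an `inside_out` list covering DNS and web, to which mail ports would be added the same way) are assumptions about the poster's environment. One caveat on the `ssh 192.168.1.1 255.255.255.255 inside` line suggested earlier: 192.168.1.1 is the firewall's own inside address in the posted config, so a /32 for it matches no client; the example opens SSH to the whole 192.168.1.0/24 instead and flags the existing `http 192.168.1.1` entry for the same reason.

```python
"""Management-plane audit of a PIX 6.x 'show run' dump.

Added example for this thread, not code from the post or from Cisco.  It
checks the replies' points (telnet host entries vs. a bare 'telnet timeout',
SSH with an RSA key instead of PDM/HTTP, access lists) plus two items visible
in the posted config.  Fix syntax is PIX 6.3 as I understand it; verify it.
"""
import re
from collections import namedtuple

# Constructed sample: the relevant lines of the posted config, secrets masked.
SAMPLE_CONFIG = """\
logging trap warnings
ip address inside 192.168.1.1 255.255.255.0
http server enable
http 192.168.1.1 255.255.255.255 inside
snmp-server community public
telnet timeout 5
ssh timeout 5
Cryptochecksum:????????
: end
"""
# Constructed: the same box after the fixes; the SNMP string, syslog address
# and inside_out list are placeholders chosen here, not values from the thread.
HARDENED_CONFIG = """\
logging trap warnings
logging host inside 192.168.1.10
ip address inside 192.168.1.1 255.255.255.0
snmp-server community Xk9-example-community
ssh 192.168.1.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-group inside_out in interface inside
"""
LAN = "192.168.1.0 255.255.255.0"   # assumed: the poster's inside subnet

Finding = namedtuple("Finding", "check severity message fix")  # fix: PIX commands

# 'telnet 10.0.0.5 255.255.255.255 inside' permits a host; 'telnet timeout 5'
# does not, which is why 'show telnet' on the posted config returns nothing.
HOST_LINE = re.compile(
    r"^(telnet|ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse_config(text):
    """Stripped command lines; ': ...' comments and the checksum trailer dropped."""
    lines = [l.strip() for l in text.splitlines()]
    return [l for l in lines if l and not l.startswith((":", "Cryptochecksum"))]


def audit(text):
    """Return the Findings for a config dump (an empty list means clean)."""
    lines = parse_config(text)

    def has(prefix):   # exact command, or the command followed by arguments
        return any(l == prefix or l.startswith(prefix + " ") for l in lines)

    hosts = [m.groups() for m in map(HOST_LINE.match, lines) if m]
    inside_ip = next((l.split()[3] for l in lines
                      if l.startswith("ip address inside ")), None)
    out = []
    telnet = [h for h in hosts if h[0] == "telnet"]
    if telnet:
        out.append(Finding("telnet-hosts", "high",
            "clear-text telnet management permitted by %d host entries" % len(telnet),
            ["no telnet %s %s %s" % h[1:] for h in telnet]))
    if not any(h[0] == "ssh" for h in hosts):
        out.append(Finding("no-ssh", "medium",
            "no ssh host entries, so there is no encrypted remote management path",
            ["ca generate rsa key 2048",              # needs hostname + domain-name
             "ssh %s inside" % LAN, "ssh timeout 60",
             "aaa authentication ssh console LOCAL",  # else login is 'pix' + passwd
             "ca save all"]))
    if has("http server enable"):
        out.append(Finding("http-enabled", "medium",
            "PDM/HTTP server enabled; not needed when managing by console or ssh",
            ["no http server enable"]))
    # A /32 entry for the firewall's own inside address matches no client.
    if any(h[1] == inside_ip and h[2] == "255.255.255.255" for h in hosts):
        out.append(Finding("mgmt-acl-self", "low",
            "a management host entry names the firewall's own inside address",
            ["ssh %s inside" % LAN]))
    if has("snmp-server community public"):
        out.append(Finding("snmp-default-community", "medium",
            "SNMP community string is the default 'public'",
            ["snmp-server community <long-random-string>"]))
    if has("logging trap") and not has("logging host"):
        out.append(Finding("syslog-no-host", "low",
            "a trap level is set but no logging host, so syslog goes nowhere",
            ["logging host inside <syslog-server-ip>"]))
    if not has("access-group"):   # PIX default: all outbound permitted, inbound denied
        out.append(Finding("no-acl", "info", "no access-group applied; egress is open",
            ["access-list inside_out permit udp %s any eq 53" % LAN,
             "access-list inside_out permit tcp %s any eq 80" % LAN,
             "access-list inside_out permit tcp %s any eq 443" % LAN,
             "access-group inside_out in interface inside"]))  # implicit deny follows
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("[%s] %s: %s" % (f.severity, f.check, f.message), *f.fix, sep="\n    ")
```

Run it as-is to see the findings for the posted config; feed it your own `show run` output to check another box. The `HOST_LINE` pattern is what separates a real `telnet`/`ssh`/`http` host entry from the `timeout` lines, which is exactly the distinction behind the "host is not configured" message the poster saw.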
 