If you have any problems configuring your PIX based on this example or you
have any other technical problem then I recommend you post on
as it is an excellent resource. My username is 'grblades' so I might even be
the one answering your question :)
This document describes how to configure a Cisco PIX firewall for a home DSL connection which uses either DHCP or PPPoE. Port forwarding is used so that two webservers and a mail server on the internal network can be reached from the Internet.
Most home DSL connections use a dynamic IP address. Services such as DynDNS give you a fixed hostname that is updated whenever the address changes, so you do not have to remember the address. For this example I will assume you use DynDNS and your name is myname.dyndns.org. Two webservers are run on the internal network. The PIX has a single outside address, so port 80 on that address can only be redirected to one internal host; the second webserver therefore has to be made reachable on a different outside port. In this example webserver1 is accessible using http://myname.dyndns.org/ and webserver2 is accessible using http://myname.dyndns.org:81/ (the PIX translates outside port 81 to port 80 on webserver2, so webserver2 itself still listens on its standard port).
DHCP configuration
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************* encrypted
passwd ************* encrypted
hostname homepix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
!--- define the names and IP addresses of our webservers and email server
!--- which makes the following configuration a little easier to read
name 192.168.50.2 webserver1
name 192.168.50.3 webserver2
name 192.168.50.4 mailserver
!--- define an access list to permit incoming connections from the internet
!--- the destination is 'any' because the outside address is dynamic and cannot
!--- be written into the list; only connections that also match one of the
!--- static translations below are actually delivered, everything else is dropped
!--- permit incoming to port 80 for webserver1
access-list outside_in permit tcp any any eq www
!--- permit incoming to port 81 for webserver2
access-list outside_in permit tcp any any eq 81
!--- permit mail to be sent to internal mailserver
access-list outside_in permit tcp any any eq smtp
!--- permit people to download their email remotely via pop3
access-list outside_in permit tcp any any eq pop3
!--- permit people to download their email remotely via imap
access-list outside_in permit tcp any any eq imap4
pager lines 24
logging on
logging console errors
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
!--- get an IP address and default route from the ISP using DHCP
ip address outside dhcp setroute
!--- set the internal interface IP address
ip address inside 192.168.50.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
!--- translate outgoing connections to the outside interface address (PAT)
global (outside) 1 interface
!--- apply that translation to every internal address
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!--- redirect connections to outside port 80 to webserver1 standard web port
static (inside,outside) tcp interface www webserver1 www netmask 255.255.255.255 0 0
!--- redirect connections to outside port 81 to webserver2 standard web port
static (inside,outside) tcp interface 81 webserver2 www netmask 255.255.255.255 0 0
!--- redirect connections to smtp, pop3 and imap to mailserver
static (inside,outside) tcp interface smtp mailserver smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 mailserver pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 mailserver imap4 netmask 255.255.255.255 0 0
!--- apply the previously defined access list to the outside interface
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 60
!--- enable CLI access (SSH only) from all internal machines
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
!--- allocate the specified range of addresses to machines on the internal network via DHCP
dhcpd address 192.168.50.100-192.168.50.199 inside
dhcpd lease 3600
dhcpd ping_timeout 750
!--- hand out the DNS servers learned from the ISP's DHCP server
dhcpd auto_config outside
!--- enable DHCP server on internal interface
dhcpd enable inside
terminal width 100

A few things to check before putting this on the Internet. The snmp-server community public line is the PIX default; the PIX only answers SNMP hosts listed with snmp-server host and none are listed here, but change the community string (or leave SNMP unconfigured) rather than keep the default. POP3 and IMAP send passwords in cleartext; if your mail server supports them, forward the TLS ports (pop3s, 995, and imaps, 993) instead and remove the cleartext ports from both the access list and the statics. The fixup protocol smtp 25 line (Mailguard) limits the SMTP commands the PIX will pass to the mail server and is a common cause of ESMTP features such as authentication failing; if remote senders have problems, no fixup protocol smtp 25 is the first thing to try. SSH access also needs an RSA key, which is stored outside the configuration and has to be generated once (set a domain-name, then ca generate rsa key 1024 followed by ca save all); the default SSH login is the user pix with the passwd password.
PPPoE configuration
If you connect via PPPoE then use the above configuration, but in place of the line ip address outside dhcp setroute use the following lines. Replace dsl-username and dsl-password with the username and password your ISP gave you.
!--- get an IP address and default route from the ISP using PPPoE
ip address outside pppoe setroute
vpdn group ISP request dialout pppoe
vpdn group ISP localname dsl-username
vpdn group ISP ppp authentication pap
vpdn username dsl-username password dsl-password

This example authenticates with PAP; if your ISP requires CHAP or MS-CHAP, change the authentication line to vpdn group ISP ppp authentication chap (or mschap). The rest of the configuration, including the statics and the access list, is unchanged because they refer to the outside interface rather than to a fixed address.
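As an added example, not part of the original page or of Cisco's software: a short Python script that reads a PIX 6.x configuration and cross-checks the access list bound to the outside interface against the static port forwards. The two mistakes it catches are the ones that usually follow an edit to either half of this configuration: a port the access list permits but no static translates (the PIX drops it, so the rule is dead) and a static with no matching permit (the service is silently unreachable). The embedded sample configuration is constructed from the name, access-list, static and access-group lines above, with one deliberate extra permit (tcp/8080, no matching static) so the check has something to report; the warning about cleartext POP3 and IMAP is my addition and is not something the page states.

```python
"""Cross-check a PIX 6.x configuration: every inbound access-list permit should
have a matching static port-forward and vice versa.  Added example, not code
from the original page; the sample configuration below is constructed."""
import re

# PIX 6.x service keywords accepted in place of port numbers (subset used here).
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "pop3": 110, "imap4": 143,
              "ssh": 22, "telnet": 23, "ftp": 21, "domain": 53}

# TCP services that send credentials in cleartext; worth a warning when exposed.
CLEARTEXT_TCP = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap4"}

# Constructed sample: the page's name/access-list/static lines plus one deliberate
# mismatch (tcp/8080 permitted but never forwarded) so the audit has a finding.
SAMPLE_CONFIG = """
names
name 192.168.50.2 webserver1
name 192.168.50.3 webserver2
name 192.168.50.4 mailserver
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 81
access-list outside_in permit tcp any any eq smtp
access-list outside_in permit tcp any any eq pop3
access-list outside_in permit tcp any any eq imap4
access-list outside_in permit tcp any any eq 8080
static (inside,outside) tcp interface www webserver1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 81 webserver2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp mailserver smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 mailserver pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 mailserver imap4 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""


def port_number(tok):
    """Resolve a PIX service keyword or numeric string to an integer port."""
    return PORT_NAMES[tok.lower()] if tok.lower() in PORT_NAMES else int(tok)


def parse_pix_config(text):
    """Return (names, acls, statics, access_groups) parsed from config text."""
    names, acls, statics, access_groups = {}, {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):          # skip blanks and !--- comments
            continue
        t = line.split()
        if t[0] == "name" and len(t) == 3:
            names[t[2]] = t[1]                          # alias -> IP address
        elif t[0] == "access-list" and len(t) > 3 and t[2] == "permit" and "eq" in t:
            port = port_number(t[t.index("eq") + 1])
            acls.setdefault(t[1], []).append((t[3], port))   # (proto, dst port)
        elif t[0] == "static" and len(t) > 6 and t[2] in ("tcp", "udp"):
            # static (inside,outside) PROTO interface OUTPORT HOST INPORT netmask ...
            statics.append((t[2], port_number(t[4]), t[5], port_number(t[6])))
        elif t[0] == "access-group" and len(t) == 5:
            access_groups[t[4]] = t[1]                  # interface -> ACL name
    return names, acls, statics, access_groups


def audit(text):
    """Compare the ACL bound to the outside interface with the static forwards."""
    names, acls, statics, groups = parse_pix_config(text)
    inbound = set(acls.get(groups.get("outside", ""), []))
    forwarded = {(proto, oport): (host, iport) for proto, oport, host, iport in statics}
    is_ip = re.compile(r"\d{1,3}(\.\d{1,3}){3}").fullmatch
    return {
        # Permitted by the ACL but no static translates it: the PIX drops it (dead rule).
        "permit_without_static": sorted(inbound - set(forwarded)),
        # Static exists but the ACL never lets the traffic in: silently unreachable.
        "static_without_permit": sorted(set(forwarded) - inbound),
        # Static targets a host that is neither a defined name nor an IP literal.
        "unknown_hosts": sorted({h for h, _ in forwarded.values()
                                 if h not in names and not is_ip(h)}),
        # Cleartext-credential services that are both permitted and forwarded.
        "cleartext_exposed": sorted(CLEARTEXT_TCP[p] for proto, p in inbound
                                    if proto == "tcp" and p in CLEARTEXT_TCP
                                    and (proto, p) in forwarded),
        # Resolved outside port -> inside host:port map for review.
        "forward_map": {f"{proto}/{oport}": f"{names.get(host, host)}:{iport}"
                        for (proto, oport), (host, iport) in forwarded.items()},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a saved copy of your own write terminal output instead of SAMPLE_CONFIG after every change to the statics or the access list; an empty permit_without_static and static_without_permit is what you want to see, and forward_map gives you the resolved outside-port to inside-host mapping to compare with what the servers actually listen on.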