
DHCP config for Cisco Pix 506E Firewall

This is an extremely stripped-down example configuration for a Cisco Pix 506E. It is intended as a base setup for a DHCP environment, for instance at a site where internet access is provided by a DSL or cable modem. It implements the following:
- an inside network of x.y.z.0/24, with the inner gateway at x.y.z.1
- functioning ping & traceroute from the inside network
- both incoming and outgoing spoof prevention of the inside network range
- determines its outside address and necessary routing settings via DHCP from the upstream network

You will of course want to replace x.y.z.0 etc with the appropriate information for your local network.


: Saved
: Written by enable_15 at 13:58:11.256 UTC Thu Jan 19 2006
: PIX Version 6.3(1)

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

: If you expect "ping" and "traceroute" to work from behind the pix, these are the icmp types you need...
object-group icmp-type icmp-grp
 description ICMP Types allowed into the PIX
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded

: prevent packets which spoof our inside ip address from entering the outside interface.
: These deny entries must come before the icmp permit: the pix evaluates an access-list
: top down and stops at the first match, so a permit ahead of them would let spoofed
: echo-reply / unreachable / time-exceeded packets through.
access-list outside_in deny ip x.y.z.0 255.255.255.0 any
access-list outside_in deny icmp x.y.z.0 255.255.255.0 any
: allow ping, traceroute to work
access-list outside_in permit icmp any any object-group icmp-grp

: prevent any spoofed packets from leaving our network.
access-list inside_in permit ip x.y.z.0 255.255.255.0 any
access-list inside_in permit icmp x.y.z.0 255.255.255.0 any
access-list inside_in deny ip any any
access-list inside_in deny icmp any any

: This line instructs the pix to use DHCP to determine the ip address for this interface, and to add a
: corresponding 'route' entry once this has been determined.
ip address outside dhcp setroute

ip address inside x.y.z.1 255.255.255.0

: Use whatever the 'ip address outside' ends up being as the global address for this nat rule pair
global (outside) 1 interface
nat (inside) 1 x.y.z.0 255.255.255.0 0 0

access-group outside_in in interface outside
access-group inside_in in interface inside
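As an added illustration (not part of the original page or of the PIX software), the following Python model walks the two access-lists above with PIX-style first-match semantics, using 192.0.2.0/24 (an RFC 5737 documentation range) in place of x.y.z.0/24 and constructed sample packets. It shows that the anti-spoof deny entries only take effect if they are evaluated before the ICMP permit.

```python
import ipaddress

# Constructed model of the two access-lists in the config above; 192.0.2.0/24
# (an RFC 5737 documentation range) stands in for x.y.z.0/24.
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
ICMP_GRP = {"echo-reply", "unreachable", "time-exceeded"}  # object-group icmp-grp

# Each entry: (action, protocol, source network, allowed icmp types or None)
SPOOF_DENIES = [("deny", "ip", INSIDE_NET, None), ("deny", "icmp", INSIDE_NET, None)]
ICMP_PERMIT = ("permit", "icmp", ANY, ICMP_GRP)

# Deny entries first: a packet forged with an inside source never reaches the permit.
OUTSIDE_IN = SPOOF_DENIES + [ICMP_PERMIT]
# Permit first: the permit matches before the denies are ever consulted.
OUTSIDE_IN_PERMIT_FIRST = [ICMP_PERMIT] + SPOOF_DENIES

INSIDE_IN = [
    ("permit", "ip", INSIDE_NET, None),
    ("permit", "icmp", INSIDE_NET, None),
    ("deny", "ip", ANY, None),
    ("deny", "icmp", ANY, None),
]


def evaluate(acl, src, proto, icmp_type=None):
    """PIX-style first-match evaluation: walk the list top down and return the
    action of the first matching entry; fall through to the implicit deny."""
    src = ipaddress.ip_address(src)
    for action, aproto, net, types in acl:
        if src not in net:
            continue
        if aproto != "ip" and aproto != proto:  # 'ip' matches every protocol
            continue
        if types is not None and icmp_type not in types:
            continue
        return action
    return "deny"  # every PIX access-list ends with an implicit deny


if __name__ == "__main__":
    # A genuine echo-reply from an outside host, and an echo-reply forged with
    # an inside source address, under each ordering of outside_in.
    for name, acl in (("deny-first", OUTSIDE_IN), ("permit-first", OUTSIDE_IN_PERMIT_FIRST)):
        print(name, evaluate(acl, "203.0.113.9", "icmp", "echo-reply"),
              evaluate(acl, "192.0.2.5", "icmp", "echo-reply"))
```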