After clear all things in part I, now we have to continue setting for our network's safe, but surely before concerning about getting to work first. Well, basically PIX 501, which has only 2 interfaces: ethernet0 & ethernet1, can have only outside and inside network. Security level has been fixed as 0-minimum and 100-highest respectively. This is fixed value for PIX 501. What we have to know next is configuration on the network; assume that we place PIX 501 behind router and we have 1 web server inside the network. Actually we should place web server on outside network, but for learning, we do this way first.

Here is our step to get things done:-

  1. Set hostname, password
  2. Configure IP addresses on interfaces, then enable them
  3. Configure a route
  4. Set firewall rules
  5. Port forwarding to web server

For setting hostname & password, we need to get into config shell; one thing which is so cool about CISCO IOS shell is no fixed command as long as you can type unambiguous command. For example, 'configure terminal' command can be substitue with 'config t' or 'conf t' or 'conf ter' or even 'con t' but only 'con' will not work since there is not enough information.

pixfirewall# config t 
pixfirewall(config)# hostname 10PIX 
10PIX(config)# password qwerty 
10PIX(config)# enable password qwerty 

After setting basic stuffs, we need to go on next step; IP addresses on each interfaces. First we set link speed, name, and set security which is fixed in this case anyway on each interface:-

10PIX(config)# interface ethernet0 100full
10PIX(config)# interface ethernet1 100full
10PIX(config)# nameif ethernet0 outside 0 
10PIX(config)# nameif ethernet1 inside 100

Next we have to set IP on each interface and set the route to our gateway ( to be able to access the Internet.

10PIX(config)# ip address outside 
10PIX(config)# ip address inside 
10PIX(config)# route outside 0 0 1

What we need next is associating a network with a pool of global IP address.

nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]
global [(if_name)] nat_id global_ip[-global_ip] [netmask global_mask] 

From these 2 commands: nat & global, nat will identify nat_id and global will provide an IP address for each outbound connection for a particular nat_id.

10PIX(config)# nat (inside) 1 0 0 
10PIX(config)# global (outside) 1 

0 0 at the end of nat command indicates no maximum connection and limit; all outbound connections will be represented by IP on outside. [it can be represented in a range too] After having the route ready, it's time to set DHCP server for inside network; it's pretty straight forward here.

10PIX(config)# dhcpd address inside 
10PIX(config)# dhcpd dns 
10PIX(config)# dhcpd lease 604800 
10PIX(config)# dhcpd ping_timeout 500 
10PIX(config)# dhcpd enable inside 

Up to this point, we almost ready to leave console behind and never have to use it again. There are 2 choices here: telnet or ssh. Telnet is much faster, but ssh is more secure. It's up to your decision what to pick. What we should do really is allowing only inside network to do this job, not outside. So we can make sure of security up to particular level. However, in this case, for study, let's try to allow ssh connection from outside network [which is still private network anyway.]

10PIX(config)# telnet inside 
10PIX(config)# telnet timeout 5 
10PIX(config)# ssh inside 
10PIX(config)# ssh outside 
10PIX(config)# ssh timeout 5

By the fact that, we allowed telnet and ssh connection. It works just fine with telnet since there is no security concern. ssh, however, is another story. ssh required to have RSA key to use secure connection. What we need is to generate an RSA key and save into flash memory; it takes you a while--about half an hour for me

10PIX(config)# domain-name
10PIX(config)# ca generate rsa key 2048
10PIX(config)# ca save all 

PIX obtaining RSA key

You may view newly created RSA public key by:-

10PIX(config)# sh ca mypubkey rsa

Now we are able to connect ssh session; if you have any trouble, then 'debug ssh' might be your friend. Next thing we have to do is setting port forwarding; since PIX 501 doesn't have any extra interface, DMZ is not a solution here. Our web and ftp server is on

static [(high_if, low_if)] [tcp| udp] low_if_ip high_if_ip [netmask][max_conns [em_limit]] [norandomseq]

Just remember a bit that, this is for NAT enabled; high is indicated higher security. interface == firewall IP on that interface

10PIX(config)# static (inside,outside) tcp interface www www netmask 0 0 
10PIX(config)# static (inside,outside) tcp interface ftp ftp netmask 0 0
10PIX(config)# access-list acl_in permit tcp any interface outside eq www 
10PIX(config)# access-list acl_in permit tcp any host eq ssh 
10PIX(config)# access-list acl_in permit tcp any interface outside eq ftp
10PIX(config)# access-group acl_in in interface outside

Now we put access-list on as well, just for sake of security because we allow what we shouldn't already. However, that's what firewall for, right? Once we create access-list, we have to apply that on the interface by:-

access-group acl_name in interface interface-name

So far we set all neccessary settings; you may have to play around a bit to understand deeper of how PIX works. To be able to solve a problem, we have to know what is going:-

10PIX(config)# show xlate
10PIX(config)# show conn
10PIX(config)# show access-host
10PIX(config)# show running-config

This allows you to check what is wrong, then you will be able to start solving from that; one more thing you need to know is to disable our commands. It's damn easy by putting 'no' in front of command we put. You may check by 'show run' which will show every single command you put in.

Have fun with manipulate PIX configuration and have a safe network, of course. =)

If you have trouble with PIX, just ask.

Note: very good command resource reference at