Like most sysadmins, I have a boss who likes tight deadlines.
On Wednesday I had to put the servers into the co-location. The firewall would be delivered at the co-location, so I didn't have the time or opportunity to play around with it.
I just want to make some remarks and give some advice. For a complete initial setup, well, you're basically on your own. Nobody exposes his or her complete setup scenario, and neither do I.
I had never touched a PIX before, so I was a complete newbie on PIXes.
Do your homework.
The PIX configuration guide and the PIX 6.3 command reference are available from cisco.com. Download them.
Decide on your main configuration method. You basically have two options: PDM (the PIX Device Manager, the web GUI) or the CLI.
However, the PIX Device Manager is known to have some bugs and to produce buggy configurations. By entering the commands on the CLI you are forced to understand what you enter, instead of clicking around until something seems to work.
What I did was basically read through the config guide and look up every command I encountered in the command reference.
While reading I took notes and was basically writing up my initial configuration. I printed this out (hardcopy rules when going to an unknown location) and took it with me to the co-location.
At the location, unpack the PIX from the box.
Flip it over and write down the serial number.
Go over to cisco.com and apply for the free 3DES activation key (the license key); you need the serial number for the request.
Out of the box, only the inside interface is enabled. The DHCP server is also enabled, so if you hook up your laptop and send a DHCP request you'll get an IP from the PIX. Note however that with this IP you can't telnet or SSH to the PIX; the default configuration only allows PDM (HTTPS). So if you want to configure by CLI you should use the console port for the initial setup.
Figure out how to connect to your PIX by console. I used the console server of the co-lo provider.
When you connect to the PIX you will see the unprivileged prompt (it ends in ">").
At this prompt you can only run a limited set of commands. You gain more privileges by entering the command enable; the default enable password is empty, so just press Enter when asked.
This gives you the privileged prompt (it ends in "#").
Now you can enter configuration mode with configure terminal; the prompt then ends in "(config)#".
Here you will do all your hacking.
FIRST OF ALL: change the default passwords, both of them. The Telnet/SSH login password defaults to "cisco" and the enable password is empty.
passwd -password-   (for Telnet and SSH login)
enable password -password-   (for privileged mode)
Note that the privileged-mode password is set with "enable password", not with "passwd"; the console port itself does not ask for the passwd password unless you configure AAA for it.
I started by viewing the default configuration with write terminal and copied this to my iBook.
Give your PIX a hostname.
Configure the network interfaces.
Note that you can't give the inside interface another name, and you can't change the security level of the outside interface: "inside" is always security level 100 and "outside" is always security level 0.
Bring the Ethernet interfaces up, make an access list which allows ICMP, and try to ping. Keep in mind that PIX 6.3 does not track ICMP statefully, so echo replies coming back in on the outside interface have to be permitted explicitly by the access list bound to that interface.
It should work.
Now enter the new activation key which you should have received from Cisco by e-mail; this enables the 3DES license. Set the domain name, generate the RSA key pair (SSH needs a hostname and a domain name first), allow SSH from certain IPs only, and try to log in by SSH.
If this works, you are halfway through. Be very careful with static and global statements, and don't forget to log.
logging buffered debugging
logging on
show logging
These three commands will help you a lot.
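To tie the steps above together, here is a console session that walks through them in order. This is an added example and not the author's configuration (which the post deliberately does not publish); the hostname, domain, addresses (from the RFC 5737 documentation ranges), passwords, activation key and the SSH management host are all made-up placeholders, and the NAT and DHCP lines are my own assumptions about a typical first setup. Lines starting with "!" are annotations, not commands.

```cisco
pixfirewall> enable
Password:                                  ! default enable password is empty, just press Enter
pixfirewall# configure terminal
! 1. change both default passwords before anything else
pixfirewall(config)# passwd Telnet-SSH-pw-here
pixfirewall(config)# enable password Enable-pw-here
! 2. hostname and domain name (both are also needed for the SSH key pair)
pixfirewall(config)# hostname pix1
pix1(config)# domain-name example.com
! 3. interfaces: inside is fixed at security100, outside at security0
pix1(config)# interface ethernet0 auto
pix1(config)# interface ethernet1 auto
pix1(config)# nameif ethernet0 outside security0
pix1(config)# nameif ethernet1 inside security100
pix1(config)# ip address outside 203.0.113.2 255.255.255.248
pix1(config)# ip address inside 192.168.1.1 255.255.255.0
pix1(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! 4. assumed NAT for the inside network (PAT on the outside address);
!    watch your static and global statements here
pix1(config)# nat (inside) 1 192.168.1.0 255.255.255.0
pix1(config)# global (outside) 1 interface
! 5. ICMP for the ping test: PIX 6.3 has no stateful ICMP, so replies
!    coming back in on outside must be permitted explicitly
pix1(config)# access-list outside_in permit icmp any any echo-reply
pix1(config)# access-list outside_in permit icmp any any time-exceeded
pix1(config)# access-list outside_in permit icmp any any unreachable
pix1(config)# access-group outside_in in interface outside
! 6. the 3DES activation key from the Cisco e-mail (placeholder values)
pix1(config)# activation-key 0x00000000 0x00000000 0x00000000 0x00000000
! 7. RSA key pair, then SSH from the management host only (placeholder address)
pix1(config)# ca generate rsa key 1024
pix1(config)# ca save all
pix1(config)# ssh 198.51.100.10 255.255.255.255 outside
pix1(config)# ssh 192.168.1.0 255.255.255.0 inside
pix1(config)# ssh timeout 10
! 8. logging to the buffer so "show logging" has something to show
pix1(config)# logging timestamp
pix1(config)# logging buffered debugging
pix1(config)# logging on
! 9. optional: stop handing out DHCP leases once the laptop is no longer needed
pix1(config)# no dhcpd enable inside
! 10. save, then verify
pix1(config)# write memory
pix1(config)# show version
pix1(config)# show logging
```

The SSH login uses the username pix and the passwd password, so the very first command in this session is what protects the SSH port you open in step 7. The show version at the end should list VPN-3DES-AES as enabled once the activation key has been accepted; if the PIX tells you the flash and running images differ, a reload is needed before the new key is active.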