Cisco makes for some of the most difficult configuration and setup of equipment on the market. Over time I’ve worked to streamline the setup of the PIX device, given the number of clients who have had to purchase them, either by force due to a software vendor they are working with or because they were “smooth talked” into the purchase, with no help after the fact.
First, connect your firewall to your PC with the blue console cable.
Next, open HyperTerminal (or Putty), and create a new connection to your COM port (9600,8,0,1).
Now, fire up the PIX firewall.
NOTE: From here on out, you will need to follow each command in bold by pressing Enter to commit the command.
Once it brings you to the pixfirewall prompt, type en, then conf t
Type clear dhcpd (to disable the DHCP server)
Save these changes to memory – type wri m
Now, type setup. Step through the prompts to run the quick setup wizard.
Once complete, type enable httpd to allow administration via the web.
Type http followed by your subnet address. For example, if your firewall IP is 10.0.0.1, then type:
http 10.0.0.0 255.255.255.0 inside
This will allow any PC on your network access to PIX Device Manager (PDM)
To fine tune this to a few specific PCs, for example a server with the IP of 10.0.0.2, type:
http 10.0.0.2 255.255.255.255 inside
Now, lets setup the internet connection!
Type ip address outside x.x.x.x y.y.y.y
x.x.x.x represents your external IP address, y.y.y.y represents your subnet mask.
With your public IP set, now you need to specify your default gateway. Type:
route outside 0.0.0.0 0.0.0.0 z.z.z.z 1
where z.z.z.z is your default gateway.
Additionally, by default the quick setup wizard creates the internal NAT rules, so at this point you should be able to perform a wri m, then reload to reboot the device. You should now have internet access!
So what good is an internet connection without being able to allow traffic inbound!
Lets create some basic port forwarding rules.
First, create an access group. Type:
access-group outside_access_in in interface outside
Second, lets create a static translations to open ports in the firewall. Type:
access-list outside_access_in permit tcp any host x.x.x.x eq aaaa
Where x.x.x.x is your external IP address, and aaaa is the port number.
Third, you need to specify how to route traffic to the right internal IP. Type:
static (inside,outside) tcp x.x.x.x aaaa y.y.y.y aaaa netmask 255.255.255.255 0 0
where x.x.x.x is your external IP address, aaaa is the port number, and y.y.y.y is the internal IP address of the device you wish to route traffic to.
Once you’ve completed this, repeat steps 2 and 3 for each additional port you wish to allow traffic on.
When you’re all done, type wri m to save the configuration, and you’re done!