Monday, September 04, 2006

PIX 501 install the easy way

Having found an old NFR PIX 501 from a previous employer in my basement, I decided the WPA-PSK encrypted WLAN I had based out of my home office just wasn't secure enough to hide my daughter's Barbie video games and my surfing history from the rest of the world. Of course I could spend $50.00 on a Linksys jobby running WPA2-AES, but that costs $50.00. I was going to make my measly little Netgear WGR614 responsible for my new DMZ, serving my work laptop on my couch. Everything else would sit behind the PIX, behind the Netgear.

Cisco was kind enough to include a browser based GUI in their PIX 501 firewalls, and you can typically reach it at https://192.168.1.1. I figured it would be helpful for a quick config, given my few demands. Wrong. Stay away.

Here's the network:

Cable based ISP DHCPing me one address ---> Netgear WGR614 at 10.10.10.1 broadcasting "SuperCrapNet" on b/g channel 1 ---> PIX501 at 10.10.10.2 (outside) and 192.168.1.1 (inside) ---> Me.

Here are the major changes I made via console, courtesy of Cisco.com, with my site-specific additions and changes:

!--- Enable error and more severe syslog messages
!--- to be saved to the local buffer.

logging buffered errors

!--- Send syslog messages to a syslog server
!--- on the inside interface if you want.

logging host inside 192.168.1.220

!--- Define the interface addresses.

ip address outside 10.10.10.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

!--- PIX version 5.2 or higher allows the single
!--- outside interface address to be used for PAT.

global (outside) 1 interface

!--- IF USING OLDER SOFTWARE:
!--- Define a Network Address Translation (NAT) pool that
!--- internal hosts use when going out to the Internet.

global (outside) 1 10.10.10.3-10.10.10.9

!--- Define a Port Address Translation (PAT) address that
!--- is used once the NAT pool is exhausted.

global (outside) 1 10.10.10.10
!--- END IF

!--- Allow all internal hosts to use
!--- the NAT or PAT addresses specified above.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Apply access list 100 to the outside interface.
!--- The access-list 100 entries themselves are not part of
!--- this listing; they must exist for this to take effect.

access-group 100 in interface outside

!--- Define a default route to the ISP's router,
!--- or in my case, the next router in line.

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

!--- Allow the hosts on the 192.168.1.0 network
!--- to Telnet to the inside interface of the PIX.

telnet 192.168.1.0 255.255.255.0 inside

!--- Set the DNS server handed out by DHCP, since the
!--- outside interface is static and gets none from the ISP.

dhcpd dns 10.10.10.1

!--- Write the configuration to the terminal for review.

write term

!--- Write the configuration to memory.

write mem
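Typing a config like this in at the console is where the small mistakes creep in: an access-group that points at an access list you never got around to defining, a nat id with no matching global, a telnet line that opens management to the wrong side, or a default gateway that is not on the outside subnet. As an added example (not from the original post or from Cisco), the following Python script reads a PIX 6.x style config, drops the `!---` comments, and reports those four problems. The embedded SAMPLE_CONFIG is constructed from the listing above, including its access-group 100 with no access-list 100 defined.

```python
"""Sanity-check a PIX 6.x style configuration snippet.

Added example (not from the original post). Reads a PIX config, strips the
!--- comment lines, and reports the consistency problems an administrator
most often trips over when typing a config at the console:

  * an access-group that applies an access-list which is never defined
  * a nat (inside) N statement with no global (outside) N to pair with
  * telnet permitted from any address, or on the outside interface
  * a default route whose gateway is not on the outside interface's subnet
"""
import ipaddress

# Constructed sample: the post's config, which applies access list 100
# but never defines it, so the linter should report exactly that.
SAMPLE_CONFIG = """\
!--- Enable error and more severe syslog messages
logging buffered errors
logging host inside 192.168.1.220
ip address outside 10.10.10.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
telnet 192.168.1.0 255.255.255.0 inside
dhcpd dns 10.10.10.1
"""


def parse_config(text):
    """Return the config's non-comment, non-blank lines as token lists."""
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        cmds.append(line.split())
    return cmds


def lint_pix_config(text):
    """Return a list of human-readable findings for the config text."""
    cmds = parse_config(text)
    findings = []

    # access-list <id> ... must exist for every access-group <id> ...
    defined_acls = {c[1] for c in cmds if c[0] == "access-list" and len(c) > 1}
    applied_acls = {c[1] for c in cmds if c[0] == "access-group" and len(c) > 1}
    for acl in sorted(applied_acls - defined_acls):
        findings.append(f"access-group applies access-list {acl}, which is never defined")

    # nat (inside) N ... and global (outside) N ... pair by the shared id N.
    nat_ids = {c[2] for c in cmds if c[0] == "nat" and len(c) > 2}
    global_ids = {c[2] for c in cmds if c[0] == "global" and len(c) > 2}
    for nat_id in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nat_id} has no matching global statement")

    # ip address <if> <addr> <mask> gives us each interface's subnet.
    ifaces = {}
    for c in cmds:
        if c[:2] == ["ip", "address"] and len(c) >= 5:
            ifaces[c[2]] = ipaddress.ip_interface(f"{c[3]}/{c[4]}")

    # telnet <addr> <mask> <if>: management should stay inside and scoped.
    for c in cmds:
        if c[0] == "telnet" and len(c) >= 4:
            addr, mask, iface = c[1], c[2], c[3]
            if iface == "outside":
                findings.append(f"telnet management is permitted on the outside interface from {addr}")
            if mask == "0.0.0.0":
                findings.append(f"telnet is permitted from any address on {iface}")

    # route <if> 0.0.0.0 0.0.0.0 <gateway> <metric>: gateway must be on-link.
    for c in cmds:
        if c[0] == "route" and len(c) >= 5 and c[2] == "0.0.0.0":
            iface, gw = c[1], ipaddress.ip_address(c[4])
            if iface in ifaces and gw not in ifaces[iface].network:
                findings.append(
                    f"default gateway {gw} is not on the {iface} subnet {ifaces[iface].network}"
                )
    return findings


if __name__ == "__main__":
    for finding in lint_pix_config(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

Run against the sample it prints a single warning about access-list 100; paste your own `write term` output into SAMPLE_CONFIG (or read it from a file) before committing with `write mem`, and a clean run means the four checks above all passed.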
