Posted in Uncategorized
CNN Podcast Widget
Submarine cables maps in 1901 and 2009!
http://gadgets.boingboing.net/2009/04/17/submarine-cable-maps.html
VT Advantage on Cisco CallManager Express Configuration Example
GNS3 – Use Pemu as your Personal Firewall
http://www.blindhog.net/gns3-use-pemu-as-your-personal-firewall/
GNS3 – How to communicate with Pemu
GNS3/Pemu- How to use an Unrestricted Pix License
Cisco PIX 7.x Basic Configuration
This tutorial provides a basic configuration for Cisco PIX firewalls running version 7.x software. It assumes the ISP is providing a static IP address and that this is a new PIX configuration.
:::::Get into config mode:::::
Pixfirewall>enable
Password:
Pixfirewall#config t
Pixfirewall(config)#
::::::::::Configure Pix Hostname & domain name:::::::::::
hostname blindhog-pix
domain-name blindhog.net
:::::Configure Passwords:::::
enable password 3nableP4ssword
passwd 55hP4ssword
:::::::::::Configure Interfaces::::::::::::
interface Ethernet0
nameif outside
security-level 0
ip address 66.111.88.200 255.255.255.224
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
interface Ethernet2
nameif dmz
security-level 50
ip address 10.1.0.254 255.255.255.0
:::::::::Configure Access-Lists to control traffic::::::::::::::
!-- Access-lists are defined to permit or deny traffic based on source, destination,
!-- protocol or port.
access-list acl_outside extended permit udp any host 66.111.88.193 eq 53
access-list acl_outside extended permit udp any host 66.111.88.194 eq 53
access-list acl_outside extended permit tcp any host 66.111.88.193 eq 53
access-list acl_outside extended permit tcp any host 66.111.88.194 eq 53
access-list acl_outside extended permit tcp any host 66.111.88.195 eq 25
access-list acl_outside extended permit tcp any host 66.111.88.195 eq 443
::::::::::Apply Access-list to outside interface:::::::::::::::
!-- This activates the access-lists created earlier on the outside interface.
access-group acl_outside in interface outside
::::::::::::Configure nat0 to disable translation for VPN tunnels::::::::
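!-- The access-list nat0 referenced here is not defined in this example; define it to
!-- match the VPN traffic that should bypass translation.
nat (inside) 0 access-list nat0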
::::::::::Configure logging parameters:::::::::::
logging enable
logging buffer-size 10000
logging buffered debugging
!-- Defines the severity level of messages sent to syslog
logging trap debugging
!-- Defines the syslog host
logging host inside 192.168.0.12
:::::::::Configure icmp parameters::::::::::
!-- Permits or denies ICMP traffic addressed to the PIX interfaces
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any echo dmz
icmp permit any echo-reply dmz
:::::::::Configure outgoing nat / global combination for outgoing traffic::::::::
!-- This global statement translates outgoing traffic that matches the nat statements
!-- below to the IP address of the outside interface.
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 10.1.0.0 255.255.255.0
::::::Configure static nat statements for incoming traffic:::::::::
!-- Static statements translate public addresses to private addresses.
!-- This can also be narrowed down to the port level if necessary.
static (inside,outside) 66.111.88.193 192.168.0.10 netmask 255.255.255.255
static (inside,outside) 66.111.88.194 192.168.0.11 netmask 255.255.255.255
static (inside,outside) 66.111.88.195 192.168.0.12 netmask 255.255.255.255
:::::::::Configure routing:::::::
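!-- This pix only has a default route defined.
!-- The next hop must sit on the outside interface's subnet. With the mask above that subnet is
!-- 66.111.88.192/27, which does not contain 66.111.88.254, so use the gateway and mask from your ISP.
route outside 0.0.0.0 0.0.0.0 66.111.88.254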
::::::::Configure ssh access to pix firewall:::::::::
!-- This is a list of networks that are allowed to use the
!-- SSH protocol to configure the pix
ssh 12.34.56.224 255.255.255.224 outside
ssh 192.168.0.0 255.255.255.0 inside
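A consistency check for the configuration above, written here as an added Python example (not part of the original tutorial): it confirms that every host permitted by acl_outside has a matching static translation and that the default route's next hop lies on the outside subnet. The function name `audit` and the trimmed `SAMPLE_CONFIG` are assumptions made for illustration.

```python
import ipaddress
import re

# Added example, not from the original post. Constructed sample: a trimmed copy
# of the tutorial's lines that the checks read. audit() is a hypothetical name.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 66.111.88.200 255.255.255.224
interface Ethernet1
 nameif inside
 ip address 192.168.0.254 255.255.255.0
access-list acl_outside extended permit udp any host 66.111.88.193 eq 53
access-list acl_outside extended permit tcp any host 66.111.88.194 eq 53
access-list acl_outside extended permit tcp any host 66.111.88.195 eq 25
static (inside,outside) 66.111.88.193 192.168.0.10 netmask 255.255.255.255
static (inside,outside) 66.111.88.194 192.168.0.11 netmask 255.255.255.255
static (inside,outside) 66.111.88.195 192.168.0.12 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 66.111.88.254
"""

def audit(config: str, acl: str = "acl_outside") -> list[str]:
    """Return findings where ACL, static NAT and routing lines disagree."""
    findings, nets, nameif = [], {}, None
    permitted, published, routes = set(), set(), []
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and nameif:
            nets[nameif] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := re.match(rf"access-list {re.escape(acl)} extended permit \S+ any host (\S+)", line):
            permitted.add(m.group(1))
        elif m := re.match(r"static \(\S+,\S+\) (\S+) \S+ netmask 255\.255\.255\.255", line):
            published.add(m.group(1))
        elif m := re.match(r"route (\S+) \S+ \S+ (\S+)", line):
            routes.append((m.group(1), m.group(2)))
    for host in sorted(permitted - published):
        findings.append(f"ACL permits {host} but no static publishes it")
    for host in sorted(published - permitted):
        findings.append(f"static publishes {host} but ACL never permits it")
    for ifname, hop in routes:
        net = nets.get(ifname)
        if net is None or ipaddress.ip_address(hop) not in net:
            findings.append(f"next hop {hop} is not on the {ifname} subnet {net}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```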
PEMU – PIX Emulator with GNS3
ACL on a Switch (ACL for a VLAN)
:::::::Question (Scenario)::::::
If VLAN 20 has an ‘Email Server’ and I want an ACL on VLAN 20 that accepts ‘POP3’ and ‘SMTP’ traffic from any VLAN and denies any other ports, what is the easiest way to do this?
::::::Answer::::::
You have to configure an inbound ACL on VLAN 20 to accept SMTP and POP3 traffic.
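conf t
! Matching on protocol and port needs an extended ACL (100-199); a standard ACL such as 20 cannot
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq pop3
access-list 120 deny ip any any
interface vlan 20
! "in" filters packets entering the SVI from VLAN 20; "out" filters packets routed toward VLAN 20
ip access-group 120 in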