
Configure a Cisco PIX Firewall with this template

Configuring a new Cisco PIX Firewall can be challenging and time-consuming. Why not automate the process with an Excel template? We've done most of the work for you by creating a downloadable template. David Davis has the details in this edition of Cisco Routers and Switches.

We've created an Excel template that will help you automate the configuration of a new Cisco PIX 501 Firewall.

What this template does

This template will generate the configuration for a Cisco PIX 501 Firewall according to the information you supply. The template contains two worksheets.

The first worksheet is a reference, which offers a sample configuration that lists the various commands and their purposes. This sample configuration performs the following actions for the firewall:

  • Configures a hostname for the PIX.
  • Creates a password to control who can log in to the PIX.
  • Creates an enable password to control who can administer the PIX.
  • Enables the HTTP Web server for remote administration using the PIX Device Manager (PDM).
  • Configures the proper time zone, and points the PIX to a local NTP time server for date and time synchronization.
  • Configures IP addresses on the inside and outside interfaces, and enables both of them.
  • Creates a default gateway on the PIX.
  • Configures NAT Overload (Port Address Translation, or PAT) so all inside network devices can access the outside network (usually the Internet).
  • Creates an access control list on the PIX so inside clients can only use the Internet for Web browsing and FTP.
  • Saves the new configuration, which preserves the configuration during rebooting.

You can input your configuration information for your network on the second worksheet. If there's a setting you don't need, you can remove it.

What you need to know

Here's a list of things you need to know before you download the template:

  • Click the Enable Macros button when you open the Excel workbook.
  • This template performs basic setup commands. You can add your custom PIX configurations to create a fast configuration template that does much more.
  • This template assumes you want to use the firewall to allow all inside devices to access the Internet through the firewall. If you prefer, you can disable this and instead set up individual NAT entries for specific servers.
  • This template assumes you have a local NTP server on your internal LAN. If this is not the case, you can use the clock command to set the time manually or point the PIX to retrieve its NTP updates from the Internet.
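The list of actions above and the assumptions just stated can be expressed as a small generator that does the same job as the Excel template: fill in variables, emit the PIX 6.3 commands, and check the inputs before they are pasted into the console. The following is an added example written for this page; it is not the article's Excel template or Cisco code. The hostname, addresses and passwords are constructed sample values, the `PixVars`, `validate` and `generate_config` names are this example's own, and the outbound access list is widened beyond the article's Web-and-FTP sample to include DNS and HTTPS, which the discussion below points out are needed for browsing and Windows Update to work.

```python
"""
Generate a Cisco PIX 501 (software 6.3) configuration from a set of variables,
the job the article's Excel template performs. Added example, not the article's
template or Cisco code; all sample values below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Outbound services the ACL permits, as PIX 6.3 "access-list" port keywords.
# The article's sample allows only www and ftp; domain (UDP/53) and https are
# added here because the comments note that browsing fails without them.
DEFAULT_SERVICES = (
    ("tcp", "www"),
    ("tcp", "https"),
    ("tcp", "ftp"),
    ("udp", "domain"),
)


@dataclass
class PixVars:
    """The yellow cells of the template's Variables worksheet, as fields (hypothetical layout)."""
    hostname: str
    login_password: str       # "passwd": controls who can log in
    enable_password: str      # "enable password": controls who can administer
    outside_ip: str
    outside_mask: str
    inside_ip: str
    inside_mask: str
    default_gateway: str      # next hop on the outside network
    ntp_server: str           # the template assumes an NTP server on the inside LAN
    timezone: str = "CST"
    utc_offset: int = -6
    services: tuple = DEFAULT_SERVICES


def _network_address(ip: str, mask: str) -> str:
    """Network address (dotted quad) of the subnet an interface address lies in."""
    return str(ipaddress.IPv4Interface(f"{ip}/{mask}").network.network_address)


def validate(v: PixVars) -> list:
    """Return input problems worth catching before anything is pasted into the PIX."""
    problems = []
    outside_net = ipaddress.IPv4Interface(f"{v.outside_ip}/{v.outside_mask}").network
    inside_net = ipaddress.IPv4Interface(f"{v.inside_ip}/{v.inside_mask}").network
    gateway = ipaddress.IPv4Address(v.default_gateway)
    if gateway not in outside_net:
        problems.append("default gateway is not on the outside interface subnet")
    if gateway == ipaddress.IPv4Address(v.outside_ip):
        problems.append("default gateway equals the outside interface address")
    if outside_net.overlaps(inside_net):
        problems.append("inside and outside subnets overlap")
    if ipaddress.IPv4Address(v.ntp_server) not in inside_net:
        problems.append("NTP server is not on the inside LAN (template assumes a local NTP server)")
    if ("udp", "domain") not in v.services:
        problems.append("outbound ACL does not permit DNS (UDP/53); name resolution will fail")
    if v.login_password == v.enable_password:
        problems.append("login and enable passwords are identical")
    return problems


def generate_config(v: PixVars) -> str:
    """Emit the PIX 6.3 command lines in the order the article's sample applies them."""
    inside_net = _network_address(v.inside_ip, v.inside_mask)
    lines = [
        f"hostname {v.hostname}",
        f"passwd {v.login_password}",
        f"enable password {v.enable_password}",
        "interface ethernet0 10baset",             # PIX 501 outside port
        "interface ethernet1 100full",             # PIX 501 inside switch ports
        "nameif ethernet0 outside security0",
        "nameif ethernet1 inside security100",
        f"ip address outside {v.outside_ip} {v.outside_mask}",
        f"ip address inside {v.inside_ip} {v.inside_mask}",
        f"route outside 0.0.0.0 0.0.0.0 {v.default_gateway} 1",  # default gateway
        f"clock timezone {v.timezone} {v.utc_offset}",
        f"ntp server {v.ntp_server} source inside",
        "logging on",                              # keep the local log buffer, as the comments advise
        "logging buffered notifications",
        "http server enable",                      # PDM, reachable from the inside LAN only
        f"http {inside_net} {v.inside_mask} inside",
        "global (outside) 1 interface",            # PAT on the outside address
        "nat (inside) 1 0.0.0.0 0.0.0.0 0 0",
    ]
    # Outbound ACL restricted to the inside subnet as source, one line per service.
    for proto, port in v.services:
        lines.append(f"access-list outbound permit {proto} {inside_net} {v.inside_mask} any eq {port}")
    lines += [
        "access-group outbound in interface inside",
        "write memory",                            # preserve the configuration across reboots
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sample = PixVars("pix501", "login-pw-example", "enable-pw-example",
                     "203.0.113.2", "255.255.255.224", "192.168.1.1", "255.255.255.0",
                     "203.0.113.1", "192.168.1.10")
    for p in validate(sample):
        print("WARNING:", p)
    print(generate_config(sample))
```

Run the script and paste its output into the console session, as step 4 of the article describes. The `validate` step is the part the Excel template cannot do for you: it refuses silently inconsistent inputs such as a gateway outside the outside subnet, and it reminds you when the outbound list has been narrowed back to the article's Web-and-FTP sample, which leaves DNS blocked.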

Get the template

Now that you know what the template can do for you and how to use it, you can get started. Follow these steps:

  1. Download the template.
  2. Open the Excel file, and fill in the yellow sections on the Variables worksheet.
  3. Click the Replace button; it will generate the appropriate configuration on a new worksheet called PIX - 1.
  4. Copy the configuration from the Excel file, and paste it into the Cisco CLI when connected to the PIX's console port.

For more information, see Cisco's documentation for Cisco PIX Firewall, Version 6.3.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

10 comments
slothbrain

Hello, I am wondering if anyone can help me out? I have set up my PIX with NATed internal IP addresses and I am able to access my servers from the outside. I cannot browse out to the Internet when on the inside machines. For the sake of an example, my gateway is 8.8.8.1 with a subnet 255.255.224.0 and my PIX is given 8.8.8.2. My servers have internal IPs of 192.168.1.3 on up and are NATed to 8.8.8.3 on up. I am able to ping the PIX using the internal 192.168.1.1 address, but not the public 8.8.8.2 address. I cannot ping the gateway, but I believe my ISP has ping response disabled. Any ideas what I can try? Some examples of config entries already include:

ip address outside 8.8.8.2 255.255.224.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 8.8.8.1
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 8.8.8.3 192.168.1.3 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 8.8.8.1 1

Thanks in advance for any help you can provide.

cpga

I want to configure a new PIX.

djdawson

I've been working with PIX devices since they came out, and one thing I *always* do is enable the local logging buffer, since the PIX is pretty good about letting you know if it's not happy about something. The two commands I use are "logging enable" and "logging buffered notifications" (you can also use the "warnings" level if you want fewer messages). If you have the new 7.x software in a PIX or ASA, you can also set the size of the buffer, just like in IOS routers: "logging buffer-size 50000". HTH

lrmoore

By not allowing UDP/53 DNS outbound, the result is that nobody can browse the Internet. By not allowing https/443, Windows Update will fail.

glenn22

I've set up my PIX using the template and have added the ACLs for the DNS as well... still can't get outside to the Internet with internal LAN devices... any ideas?

ddavis

Hi, thanks for your post! Adding DNS would have been logical; thanks for pointing that out. The ACL was really just meant as an example. Adding DNS and HTTPS are logical additions to the ACL. By using the Excel template, you can copy one of the existing ACL lines and just replace the port number at the end with 53 (for DNS), or whatever Internet applications you would like to add. Thanks for taking the time to comment! David

rob

I'd think you should change your default route statement. Now you are using the public IP from the outside interface and not the next hop from your provider. Did the ISP give you a fixed public IP? If not, you should use DHCP on your outside interface and set the add route option so that the PIX automatically makes a default route. Rob

ddavis

Hi glenn22, I am sorry you are having trouble getting your PIX configuration working. As these configurations are a bit complex when you mix in your internal LAN, your ISP, and potentially a router, let me ask a few questions.

  1. Are you still having this issue?
  2. How is the PC configured (IPCONFIG /ALL)? Is the PC's default gateway pointing to the PIX? Can you ping the PIX? Can you ping your ISP's default gateway?
  3. Can you ping by IP but not by name?
  4. What is the PIX connected to on the Internet side?

Let me know and I am sure we can get it worked out. Thanks, David