I inherited a Cisco Pix 501 firewall recently and have to say I’m not nearly as educated on Cisco equipment yet as I feel I should be. After a good amount of searching along the way I started getting the hang of things. I had worked in Cisco’s Pix Device Manager (PDM) and found it more of a pain to navigate than setting up through the command line. So, for this tutorial I will focus only on the CLI for setup of the device.
Here is how I was able to get things set up. Note that this is just a basic setup using the CLI with the following:
LAN: Enable NAT, and enable DHCP
After configuration the firewall will be accessible at 192.168.3.1 (netmask 255.255.255.0) and DHCP leases will be handed out from the range 192.168.3.50 – 192.168.3.80. You can change these values accordingly while going through the commands.
First of all, you need to connect to the device using your Cisco console cable, which is an RJ45 to DB9. Connect the RJ45 end to the 501 and the DB9 end to a machine with a serial port. In my case this was a Linux machine running Ubuntu. If you are on a Windows machine you can simply use HyperTerminal to connect. I issued the following commands to get connected to the 501:
sudo apt-get install cu
cu -l /dev/ttyS0 -s 9600
ttyS0 was what worked for me, but yours may need to be changed to ttyS1, etc. depending on your setup.
Once things are connected I issued the following commands:
First, answer no when prompted to run the interactive (guided) setup, if you plan to follow the tutorial below.
You will then be prompted for a password. The default password is blank, so just press Enter.
This gives you access to the configuration prompt. Type ? to list all available commands.
username USER password ***** privilege 15
enable password ******
passwd ******
Replace USER with the username you wish to create. This creates an administrator account (privilege level 15) on the device.
interface ethernet0 auto
interface ethernet1 100full
ip address outside dhcp
Make sure your WAN connection is live when issuing the last command above. The outside interface will try to obtain a DHCP address as soon as it is issued.
ip address inside 192.168.3.1 255.255.255.0
show ip address
The show ip address command only displays the current address configuration; it changes nothing. I used it to double-check that I had entered everything properly.
ip address outside dhcp setroute
nat (inside) 1 192.168.3.1 255.255.255.0
global (outside) 1 interface
telnet 192.168.3.50
The telnet line is optional. It permits telnet access to the firewall only from the client at 192.168.3.50. I added it so I didn’t need the console cable connected after the initial setup and could simply telnet in from that client as needed.
no banner exec
no banner login
no banner motd
The banner commands are also optional. I wanted to cut out any extra information at logins. You can leave these, or change them as you desire.
Replace YOURHOST with the hostname you wish to give the 501.
domain local
dhcpd address 192.168.3.50-192.168.3.80 inside
dhcpd dns 184.108.40.206 220.127.116.11
These were test DNS servers I used during setup. I believe they are Level3’s, and they are rather stable. You can change to your local ISP’s DNS servers or others as desired.
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
The above commands set the lease time and enable the 501 as the DHCP server for the inside interface (LAN). If you wish to use a different DHCP server or don’t care to enable DHCP, simply skip these commands.
access-list ping_acl permit icmp any any
access-group ping_acl in interface outside
These two commands allow ping requests. Ping is blocked by default on the 501, which annoyed me when trying to run diagnostics. They are optional.
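As an added sanity check (my own Python, not from this tutorial or from Cisco), the script below reads a constructed config in the shape of the commands above and flags the things worth verifying before the box goes live: that the DHCP pool sits inside the inside subnet and does not hand out the firewall’s own address, that telnet is limited to hosts on the inside network, and that the optional ping ACL admits ICMP from any outside source. The SAMPLE_CONFIG text and the check names are my assumptions.

```python
import ipaddress
import re

# Constructed sample in the shape of this tutorial's resulting config
# (not captured from a real PIX 501); one command per line.
SAMPLE_CONFIG = """\
ip address inside 192.168.3.1 255.255.255.0
nat (inside) 1 192.168.3.1 255.255.255.0
global (outside) 1 interface
telnet 192.168.3.50
dhcpd address 192.168.3.50-192.168.3.80 inside
dhcpd enable inside
access-list ping_acl permit icmp any any
access-group ping_acl in interface outside
"""

def check_config(text):
    """Return findings about the inside address, DHCP pool, telnet and ICMP lines."""
    findings = []
    m = re.search(r"^ip address inside (\S+) (\S+)", text, re.M)
    if not m:
        return ["no inside address configured"]
    fw_ip = ipaddress.IPv4Address(m[1])
    net = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
    # The DHCP pool must sit inside the LAN subnet and must not include the firewall's own IP
    pool = re.search(r"^dhcpd address (\S+)-(\S+) inside", text, re.M)
    if pool:
        lo, hi = ipaddress.IPv4Address(pool[1]), ipaddress.IPv4Address(pool[2])
        if lo not in net or hi not in net:
            findings.append("dhcp pool lies outside the inside subnet")
        if lo <= fw_ip <= hi:
            findings.append("dhcp pool includes the firewall's own address")
    # telnet should be limited to named management hosts on the inside network
    for host, mask in re.findall(r"^telnet (\S+)(?: (\S+))?", text, re.M):
        try:
            allowed = ipaddress.IPv4Network(f"{host}/{mask or '255.255.255.255'}", strict=False)
        except ValueError:  # e.g. "telnet timeout 5", not a host entry
            continue
        if allowed.prefixlen == 0:
            findings.append("telnet permitted from any address")
        elif not allowed.subnet_of(net):
            findings.append(f"telnet permitted from {allowed}, outside the inside subnet")
    # The optional ping ACL admits ICMP from any source once bound to the outside interface
    icmp_acls = dict(re.findall(r"^access-list (\S+) permit (icmp any any)$", text, re.M))
    for name in re.findall(r"^access-group (\S+) in interface outside", text, re.M):
        if name in icmp_acls:
            findings.append(f"acl {name} permits icmp from any outside host")
    return findings
```

Running check_config(SAMPLE_CONFIG) on the tutorial’s own values reports only the broad ping ACL; the other checks trip on variants such as a telnet 0.0.0.0 0.0.0.0 entry or a pool that crosses into another subnet.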
This finalizes your setup by writing all changes to memory.
These are the commands I found to work for me – and I don’t have this in production. I don’t claim this method of setup is secure for your environment and highly recommend you study up on the device more before placing it in a production environment. If anyone has modifications or additions to this guide, please feel free to contact me. Hopefully this tutorial can serve as a first step in becoming familiar with setting up the Pix 501. Thanks for reading.