Cisco PIX 520


  1. Connect a console terminal to the firewall and press Enter: the PIX should display the default "pixfirewall>" prompt.
  2. Switch to privileged mode: enable <Enter>, then the password (MIS: see field below).
  3. Switch to configuration mode: configure terminal <Enter>.
  4. Check the default NIC names and security levels with show nameif; use the nameif command to change them.
  5. Assign IP addresses to the outside NIC (by default ethernet0) and the inside NIC (by default ethernet1) with e.g. ip address inside and ip address outside. Use show ip to check your settings.
  6. nat (inside) 1 0 0 enables NAT and allows any inside host to use it.
  7. To set up a pool of public addresses to be used for NAT, plus one address that is used last, in case the pool is exhausted (the 1 following (outside) is the NAT ID and must match the one used in the nat (inside) command above):
  8. global (outside) 1 netmask
  9. global (outside) 1 netmask
  10. To force a mapping between a specific private address and a specific public address, use the static and conduit commands:
  11. static (inside,outside) netmask
  12. conduit deny tcp host any any
  13. Create a default route: route outside 0 0 1, where the gateway argument is the address of the router that connects the whole LAN to the Internet.
  14. Permit PING access with conduit permit icmp any any.
  15. Store the image in Flash memory and reboot: write memory <Enter>, reload <Enter>, y <Enter>.

Sample configuration

# wr t
Building configuration...
: Saved
PIX Version 5.0(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password oKroi3K/PjdKC0cb encrypted
passwd Qsk.IjEXMTnDdvO0 encrypted
hostname mypix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
pager lines 24
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 100.100.100..253
ip address inside
no failover
failover timeout 0:00:00
failover ip address outside
failover ip address inside
arp timeout 14
global (outside) 1 100.100.100..20-100.100.100..250 netmask
nat (inside) 0 0 0
nat (inside) 1 0 0
static (inside,outside) 100.100.100..3 netmask 0 0
static (inside,outside) 100.100.100..4 netmask 0 0
conduit permit icmp any any
conduit permit tcp host 100.100.100..3 eq domain any
conduit permit udp host 100.100.100..3 eq domain any
conduit permit tcp host 100.100.100..3 gt 1023 any
conduit permit udp host 100.100.100..3 gt 1023 any
conduit permit tcp host 100.100.100..4 eq 6101 host 100.100.100..1
conduit permit tcp host 100.100.100..4 eq 6101 host 100.100.100..2
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 100.100.100..254 1
route inside 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet inside
telnet timeout 5
terminal width 80
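
As an added example (not part of the original page and not Cisco's own tooling), the following Python script audits a "write terminal" dump like the one above for the settings a reviewer would flag: a default SNMP community, an unchanged factory passwd hash, logging that is neither buffered nor sent to a syslog host, the blanket ICMP conduit from step 14, high-port conduits open to any source, nat 0 covering every inside address, and cleartext Telnet management. The embedded SAMPLE_CONFIG is constructed (documentation address ranges) and modelled on the sample configuration rather than copied from it; the rule names and severities are this example's own choices, and DEFAULT_PASSWD_HASH is the widely documented PIX hash of the factory Telnet password "cisco".

```python
import re
from collections import Counter

# Constructed sample 'write terminal' dump, modelled on (not copied from) the
# page's sample configuration; addresses come from documentation ranges.
SAMPLE_CONFIG = """\
: Saved
PIX Version 5.0(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password oKroi3K/PjdKC0cb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
no logging console
no logging buffered
no logging trap
logging facility 20
ip address outside 192.0.2.253 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
global (outside) 1 192.0.2.20-192.0.2.250 netmask 255.255.255.0
nat (inside) 0 0 0
nat (inside) 1 0 0
static (inside,outside) 192.0.2.3 10.0.0.3 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 192.0.2.3 eq domain any
conduit permit tcp host 192.0.2.3 gt 1023 any
conduit permit tcp host 192.0.2.4 eq 6101 host 198.51.100.1
snmp-server community public
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
"""

# Hash the PIX ships with for the factory Telnet password "cisco".
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"


def parse_config(text):
    """Return the configuration statements of a dump, skipping blank lines
    and the ': Saved' / 'Building configuration...' chatter."""
    statements = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((":", "!", "Building configuration")):
            continue
        statements.append(line)
    return statements


def audit_config(text):
    """Run each hardening rule over the dump and return a list of
    (severity, rule_id, message) findings in configuration order."""
    lines = parse_config(text)
    findings = []

    for line in lines:
        # Well-known default SNMP read community.
        m = re.match(r"snmp-server community (\S+)$", line)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("high", "snmp-default-community",
                             f"SNMP community '{m.group(1)}' is a well-known default"))

        # Factory Telnet password never changed.
        if line == f"passwd {DEFAULT_PASSWD_HASH} encrypted":
            findings.append(("high", "default-passwd",
                             "passwd is still the factory default ('cisco')"))

        # Blanket ICMP conduit: every ICMP type, any source, any inside host.
        if line == "conduit permit icmp any any":
            findings.append(("medium", "icmp-any-any",
                             "conduit permits all ICMP types from any source; "
                             "restrict to the types and hosts actually needed"))

        # Whole high-port range on a host reachable from any source.
        m = re.match(r"conduit permit (tcp|udp) host (\S+) gt 1023 any$", line)
        if m:
            findings.append(("medium", "high-ports-open",
                             f"{m.group(1)} ports >1023 on {m.group(2)} are reachable from any"))

        # nat 0 with address 0 0 exempts every inside address from translation.
        if re.match(r"nat \(inside\) 0 0(\.0\.0\.0)? 0(\.0\.0\.0)?$", line):
            findings.append(("medium", "nat0-all-inside",
                             "nat (inside) 0 covers all inside addresses; "
                             "verify the translation bypass is intended"))

        # Cleartext Telnet management; worst when allowed from any address.
        m = re.match(r"telnet (\S+) (\S+) (\S+)$", line)
        if m and m.group(1) != "timeout":
            addr, mask, ifname = m.groups()
            sev = "high" if addr in ("0.0.0.0", "0") else "low"
            findings.append((sev, "telnet-enabled",
                             f"cleartext Telnet allowed from {addr} {mask} on {ifname}"))

    # Logging: nothing kept in the local buffer and nothing sent to syslog.
    disabled = {l.split()[2] for l in lines if re.match(r"no logging \w+$", l)}
    if {"buffered", "trap"} <= disabled:
        findings.append(("medium", "no-logging",
                         "logging is neither buffered nor sent to a syslog host"))

    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 4}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, rule, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{sev:6}] {rule:22} {msg}")
    print(summarize(audit_config(SAMPLE_CONFIG)))
```

Paste a real dump into SAMPLE_CONFIG (or read it from a file) to audit a live box; the rules are deliberately line-oriented because PIX 5.x output has no nesting, so each check is a single regular expression that is easy to extend with the site's own policy.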

Upgrading the PIX firmware

When you get the firmware file, normally named pixX.bin, use the DOS-based application RAWRITE.EXE to copy the new firmware onto a floppy, insert the floppy in the PIX, connect a serial cable between the PIX and a PC acting as console, reboot the PIX, and follow the instructions.