I have this configuration on the PIX at work and want to remove all the unnecessary configuration, but I have to be careful because it is a production device, not a lab one.


: PIX 6.3(5) is an end-of-life software train with no further security fixes; treat this
: cleanup as preparation for replacing the platform, not as long-term hardening.
PIX Version 6.3(5)


: Physical interfaces: only ethernet0-2 are in use. ethernet3-7 are shutdown and (below)
: unaddressed, so every later line that mentions intf3-intf7 (mtu, failover, ssh) is inert
: and can go together with their nameif lines if the ports will never be used.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
interface ethernet6 auto shutdown
interface ethernet7 auto shutdown


: Security levels: outside 0, inside 100, dmz 50 -- the standard three-legged layout.
: Higher-to-lower traffic (inside->dmz->outside) is allowed unless an access-group restricts
: it; lower-to-higher needs a static plus an explicit permit in the inbound ACL.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
nameif ethernet6 intf6 security12
nameif ethernet7 intf7 security14

: Local credentials. Both hashes -- and the SNMP community further down -- have now been
: posted publicly. PIX 6.x "encrypted" passwords are short hashes that do not resist offline
: cracking for long, so rotate both immediately and redact them in any future post.
: "passwd" is also the shared login secret for telnet/ssh/PDM, because no "aaa authentication"
: lines appear anywhere in this config (unless they were trimmed from the paste).
enable password S3MRnV/GTGf60fAH encrypted
passwd lHDYStuqSBB41oZj encrypted
hostname PIX
domain-name mycompany.net






: Application inspection ("fixup"). Each protocol parser is also attack surface inside the
: firewall, so keep only what the traffic actually needs.
: maximum-length 512 also drops legitimate EDNS/DNSSEC answers above 512 bytes -- relevant
: because Dns_Outside/Dns_Dmz is published below; watch for truncation problems.
fixup protocol dns maximum-length 512
: presumably needed for outbound FTP from inside (permitted by the inside catch-all)
fixup protocol ftp 21
: None of h323/ils/rsh/rtsp/sip/skinny/tftp is permitted inbound by any ACL in this config;
: they only matter if inside users initiate those protocols outbound. Confirm that, then
: "no fixup protocol ..." whatever is unused.
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
: Mail Guard: limits the relay to a minimal SMTP verb set and is known to interfere with
: ESMTP features (AUTH, STARTTLS). Verify it is not silently degrading mail_relay.
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
: Symbolic names, grouped by the segment the address lives on. A name carries no policy by
: itself, so an unreferenced name is only clutter -- but grep for references before deleting.
names
: -- Internet-facing globals (10.1.1.0/24, outside) --
name 10.1.1.132 mail_relay
name 10.1.1.133 web_outlook
name 10.1.1.134 webserver
name 10.1.1.136 blackboard
name 10.1.1.137 Dns_Outside
name 10.1.1.138 intranet_web
name 10.1.1.145 rees_out
name 10.1.1.147 cv_outside
: -- DMZ (192.168.101.0/24) --
name 192.168.101.3 mail_relay_pvt
name 192.168.101.4 web_outlook_pvt
name 192.168.101.6 webserver_dmz
name 192.168.101.7 webredline
name 192.168.101.8 redlineOWA
: blackboard_vip is not referenced anywhere else in this config -- delete if confirmed unused
name 192.168.101.9 blackboard_vip
name 192.168.101.13 rees_redline
name 192.168.101.21 intranet_vip
name 192.168.101.99 Dns_Dmz
name 192.168.101.100 blackboard_dmz
: ISADMZ appears only in a pdm location line -- delete with it if PDM is dropped
name 192.168.101.249 ISADMZ
name 192.168.101.253 exchange
: -- inside --
name 192.168.2.23 exchange_pvt
: gatin is not referenced anywhere else in this config -- delete if confirmed unused
name 192.168.5.100 gatin
name 192.168.55.250 cv_inside




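: Inbound policy on the Internet-facing interface.
: PIX 6.x evaluates this list BEFORE NAT, so every destination must be the global
: (10.1.1.x) address from the matching static -- never the 192.168.101.x DMZ address.
access-list outside permit tcp any host mail_relay eq smtp
access-list outside permit tcp any host webserver eq www
access-list outside permit tcp any host webserver eq https
: removed: "permit tcp any host 10.1.1.135 eq www" -- no static maps 10.1.1.135, so traffic
: crossing the PIX can never match it (pdm location places .135 on the outside wire itself).
access-list outside permit tcp any host blackboard eq www
access-list outside permit tcp any host blackboard eq 81
access-list outside permit tcp any host blackboard eq 7001
access-list outside permit tcp any host blackboard eq 7755
access-list outside permit tcp any host blackboard eq 8007
access-list outside permit tcp any host blackboard eq 8008
access-list outside permit tcp any host blackboard eq 8014
access-list outside permit tcp any host blackboard eq 8015
access-list outside permit tcp any host Dns_Outside eq domain
access-list outside permit udp any host Dns_Outside eq domain
access-list outside permit tcp any host 10.1.1.141 eq www
access-list outside permit tcp any host 10.1.1.141 eq https
access-list outside permit tcp any host 10.1.1.142 eq www
access-list outside permit tcp any host 10.1.1.142 eq https
access-list outside permit tcp any host 10.1.1.143 eq www
: removed: five ACEs whose destination was 192.168.101.250 (www, tcp/udp 9443, and tcp/udp
: https from 22x.x.29.221). That is the DMZ address behind "static 10.1.1.146 192.168.101.250"
: and is unreachable as a destination on this interface; www and https are already permitted
: against 10.1.1.146 below. If 9443 really is needed from the Internet it has to be written
: against host 10.1.1.146 -- confirm with the application owner before adding it.
access-list outside permit tcp any host 10.1.1.146 eq www
access-list outside permit tcp host 22x.x.29.221 host 10.1.1.146 eq https
: NOTE(review): udp/443 is unusual -- confirm this partner actually sends UDP, else drop it.
access-list outside permit udp host 22x.x.29.221 host 10.1.1.146 eq 443
access-list outside permit tcp any host cv_outside eq www
access-list outside permit tcp any host cv_outside eq https
access-list outside permit tcp any host cv_outside eq 1301
access-list outside permit tcp any host cv_outside eq 4050
access-list outside permit udp any host cv_outside eq 4050
access-list outside permit tcp any host cv_outside eq 4060
access-list outside permit tcp any host cv_outside eq 5055
access-list outside permit udp any host cv_outside eq 5055
: sixteen single-port ACEs (udp 4101..4116) collapsed into one equivalent range
access-list outside permit udp any host cv_outside range 4101 4116
access-list outside permit tcp any host rees_out eq www
access-list outside permit tcp any host intranet_web eq www
access-list outside permit tcp any host web_outlook eq www
access-list outside permit tcp any host web_outlook eq https
: Partner-sourced rules with "any" as destination. They can only ever match a host that has a
: static, but pin each to its specific global address once the service owner confirms it.
access-list outside permit tcp host 22x.x.48.62 any eq 8050
access-list outside permit udp host 22x.x.48.62 any eq 8050
access-list outside permit tcp host 22x.x.48.62 any eq 15000
access-list outside permit udp host 22x.x.48.62 any eq 15000
access-list outside permit tcp host 22x.x.48.60 any eq 9050
access-list outside permit udp host 22x.x.48.60 any eq 9050
access-list outside permit tcp host 22x.x.48.57 any eq 1571
access-list outside permit udp host 22x.x.48.57 any eq 1571
access-list outside permit tcp host 22x.x.48.57 any eq 1676
access-list outside permit udp host 22x.x.48.57 any eq 1676
access-list outside permit tcp host 22x.x.54.214 any eq https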
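: Inbound policy on the DMZ interface (what DMZ hosts may initiate toward inside/Internet).
: As posted, "permit ip 192.168.101.0 255.255.255.0 any" sat in the middle of the list. Every
: DMZ source matches it, so all the specific ACEs were documentation only and the DMZ could
: reach the whole inside network. It is KEPT here (deleting it would cut off whatever
: DMZ->inside/Internet flows silently rely on it) but moved to the end together with the icmp
: catch-all. Functionally nothing changes -- the list is all permits -- but
: "show access-list dmz" hit counts now reveal which specific ACEs are really used. Once the
: counts confirm coverage, replace the catch-all with an explicit deny toward the inside
: networks. Stage this as a new list name and swap it in with access-group rather than
: editing the live list.
: PIX 6.x matches destinations BEFORE un-translation: an inside host must be named here by its
: static (inside,dmz) address (192.168.101.2xx / 192.168.101.33), not its real 192.168.2.x
: address, and a DMZ address as destination never transits the PIX. ACEs of either kind are
: flagged "likely dead" below and should show zero hits -- verify before deleting them.
access-list dmz permit tcp host mail_relay_pvt host exchange eq smtp
access-list dmz permit ip host web_outlook_pvt host exchange
access-list dmz permit tcp host web_outlook_pvt host 192.168.101.210 eq domain
access-list dmz permit udp host web_outlook_pvt host 192.168.101.210 eq domain
access-list dmz permit tcp host web_outlook_pvt host 192.168.101.211 eq domain
access-list dmz permit udp host web_outlook_pvt host 192.168.101.211 eq domain
access-list dmz permit tcp host web_outlook_pvt host 192.168.101.210 eq ldap
access-list dmz permit udp host web_outlook_pvt host 192.168.101.210 eq 389
access-list dmz permit tcp host web_outlook_pvt host 192.168.101.211 eq ldap
access-list dmz permit udp host web_outlook_pvt host 192.168.101.211 eq 389
: removed: "permit udp host web_outlook_pvt host 192.168.101.211 eq 3" -- a truncated "389"
: typo; port 3 has no use here and udp/389 to .211 is permitted on the line above.
access-list dmz permit tcp host web_outlook_pvt host 192.168.101.210 eq 3268
access-list dmz permit tcp host web_outlook_pvt host 192.168.101.211 eq 3268
access-list dmz permit tcp host web_outlook_pvt host 192.168.101.210 eq 88
access-list dmz permit udp host web_outlook_pvt host 192.168.101.210 eq 88
access-list dmz permit tcp host web_outlook_pvt host 192.168.101.211 eq 88
access-list dmz permit udp host web_outlook_pvt host 192.168.101.211 eq 88
access-list dmz permit tcp host webserver_dmz host 192.168.101.33 eq imap4
access-list dmz permit tcp host webserver_dmz host 192.168.101.33 eq 152
access-list dmz permit tcp host webserver_dmz host 192.168.101.33 eq 1433
access-list dmz permit tcp host webserver_dmz host 192.168.101.33 eq sqlnet
access-list dmz permit tcp host webserver_dmz host 192.168.101.33 eq 1523
: "any" as source on this interface is effectively the whole DMZ; these three already cover
: the webserver_dmz -> 192.168.101.33 1433/sqlnet lines above.
access-list dmz permit tcp any host 192.168.101.33 eq 1433
access-list dmz permit tcp any host 192.168.101.33 eq 1434
access-list dmz permit tcp any host 192.168.101.33 eq sqlnet
: likely dead: from the DMZ, 192.168.2.12 is reached as 192.168.101.212 (its static).
access-list dmz permit tcp any host 192.168.2.12 eq netbios-ssn
access-list dmz permit tcp any host 192.168.2.12 range 2967 2968
access-list dmz permit tcp any host 192.168.2.12 range 1024 4999
: likely dead: 192.168.101.30 is itself a DMZ host; DMZ-to-DMZ traffic never reaches the PIX.
access-list dmz permit ip any host 192.168.101.30
: likely dead: from the DMZ, 192.168.2.34 is reached as 192.168.101.33 (covered above).
access-list dmz permit ip host 192.168.101.11 host 192.168.2.34
: Domain-controller style traffic (445/88/389/53) from two DMZ hosts to "any". Tie these to
: the DC statics (192.168.101.210/.211) once hit counts confirm that is where they go.
access-list dmz permit tcp host 192.168.101.20 any eq 445
access-list dmz permit udp host 192.168.101.20 any eq 445
access-list dmz permit tcp host 192.168.101.20 any eq 88
access-list dmz permit udp host 192.168.101.20 any eq 88
access-list dmz permit udp host 192.168.101.20 any eq 389
access-list dmz permit tcp host 192.168.101.20 any eq domain
access-list dmz permit udp host 192.168.101.20 any eq domain
access-list dmz permit tcp host intranet_vip any eq 445
access-list dmz permit udp host intranet_vip any eq 445
access-list dmz permit tcp host intranet_vip any eq 88
access-list dmz permit udp host intranet_vip any eq 88
access-list dmz permit udp host intranet_vip any eq 389
access-list dmz permit tcp host intranet_vip any eq domain
access-list dmz permit udp host intranet_vip any eq domain
: removed: "host Dns_Dmz host 192.168.2.21 range 8400 840" and "... range 8600 862" -- typo'd
: duplicates of the two correct Dns_Dmz lines below. Had the parser normalised the reversed
: ranges they would have permitted far more than intended, a second reason to drop them.
: likely dead: no static exposes 192.168.2.21 on the DMZ, so none of the ten ACEs below can
: match. If the 8400-8403/8600-8620 service is needed it requires a static (inside,dmz) and
: these ACEs rewritten against that mapped address.
access-list dmz permit tcp host Dns_Dmz host 192.168.2.21 range 8400 8403
access-list dmz permit tcp host Dns_Dmz host 192.168.2.21 range 8600 8620
access-list dmz permit tcp host intranet_vip host 192.168.2.21 range 8400 8403
access-list dmz permit tcp host intranet_vip host 192.168.2.21 range 8600 8620
access-list dmz permit tcp host 192.168.101.30 host 192.168.2.21 range 8400 8403
access-list dmz permit tcp host 192.168.101.30 host 192.168.2.21 range 8600 8620
access-list dmz permit tcp host 192.168.101.11 host 192.168.2.21 range 8400 8403
access-list dmz permit tcp host 192.168.101.11 host 192.168.2.21 range 8600 8620
access-list dmz permit tcp host 192.168.101.250 host 192.168.2.21 range 8400 8403
access-list dmz permit tcp host 192.168.101.250 host 192.168.2.21 range 8600 8620
: Catch-alls, moved here from the middle of the list (see header). The second line is the
: effective policy today: the DMZ may initiate anything toward the inside and the Internet.
access-list dmz permit icmp any any
access-list dmz permit ip 192.168.101.0 255.255.255.0 any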

: Outbound policy from the inside interface. Reading it top to bottom:
:  - 192.168.1.0/24 and 192.168.4.0/24 may reach the DMZ, and 192.168.1.0/24 may use
:    tcp/2186-2187 anywhere; then both subnets are denied everything else (lines 5-6).
:  - The five "host 192.168.1.x any" permits come AFTER that deny and are therefore
:    unreachable. If those admin hosts are meant to bypass the restriction they must move
:    above the deny; if not, they are dead lines. "show access-list inside" hit counts decide.
:  - 192.168.100.1 is this PIX's own inside address and .2 the failover standby address;
:    traffic the firewall originates is not filtered by an interface ACL, so those two permits
:    match nothing legitimate. 192.168.100.3 is the inside next-hop router (see routes).
:  - The final "permit ip any any" makes the www/8080/domain/DMZ permits above it redundant and
:    leaves every other inside source unrestricted outbound. Either that is the intended
:    policy (then the four lines above it can go) or the catch-all should be replaced by
:    explicit permits -- do not simply delete it on a production box without that list.
access-list inside permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list inside permit ip 192.168.4.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq 2186
access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq 2187
access-list inside deny ip 192.168.1.0 255.255.255.0 any
access-list inside deny ip 192.168.4.0 255.255.255.0 any
: shadowed by the deny above -- never matched as ordered
access-list inside permit tcp host 192.168.1.1 any
access-list inside permit tcp host 192.168.1.2 any
access-list inside permit tcp host 192.168.1.3 any
access-list inside permit tcp host 192.168.1.15 any
access-list inside permit tcp host 192.168.1.100 any
: firewall's own / standby address -- not filtered by this list
access-list inside permit tcp host 192.168.100.1 any
access-list inside permit tcp host 192.168.100.2 any
access-list inside permit tcp host 192.168.100.3 any
access-list inside permit tcp host 192.168.2.11 any
access-list inside permit tcp host 192.168.2.10 any
: redundant while the catch-all below exists
access-list inside permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list inside permit tcp 192.168.0.0 255.255.0.0 any eq 8080
access-list inside permit tcp 192.168.0.0 255.255.0.0 any eq domain
access-list inside permit tcp any 192.168.101.0 255.255.255.0
access-list inside permit ip any any

pager lines 24
: Logging. NOTE(review): no "logging on" line appears in this paste. On PIX 6.x nothing goes to
: the syslog host or the buffer until logging is enabled, so if this is the complete config the
: ip audit alarms and the trap level below are currently going nowhere -- check "show logging".
: If the line was merely trimmed from the post, ignore this.
logging timestamp
logging monitor notifications
logging buffered notifications
: debugging is the most verbose level; for a permanent syslog feed informational is the usual
: choice -- debugging floods the collector and costs CPU on the firewall.
logging trap debugging
logging host inside 192.168.1.201
: 1500 is the default everywhere; the intf3-7 entries are inert (interfaces shutdown, no address).
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
mtu intf6 1500
mtu intf7 1500




: Interface addressing. The "outside" segment is itself 10.1.1.0/24, so an upstream device
: must be translating the 10.1.1.x globals used by the statics to real public space.
ip address outside 10.1.1.130 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip address dmz 192.168.101.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
no ip address intf6
no ip address intf7
: Built-in IDS signatures, alarm-only (no drop/reset). Alarms are syslog messages, so they
: are only useful if logging is actually enabled and reaching the collector.
ip audit info action alarm
ip audit attack action alarm




: Failover. No "failover link"/"failover lan" lines are visible, so this appears to be the
: serial-cable variant with the standby unit taking the addresses below.
: BUG(review): 192.168.105.2 is not on the outside subnet 10.1.1.0/24. The standby address
: must share the active unit's subnet (the inside and dmz entries do), so as written the
: standby cannot monitor or take over the outside interface. Check "show failover" before
: deciding whether this is a typo for a 10.1.1.x address or failover has never really worked.
failover
: timeout 0 and poll 15 are the default values
failover timeout 0:00:00
failover poll 15
failover ip address outside 192.168.105.2
failover ip address inside 192.168.100.2
failover ip address dmz 192.168.101.2
: inert -- the interfaces are shutdown
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
no failover ip address intf6
no failover ip address intf7


: "pdm location" lines are metadata written by the PDM GUI so it can draw hosts on the right
: interface; they have no effect on forwarding or filtering. If PDM is not used (see "http
: server enable" below) the whole block can be removed. Two entries are worth a second look:
: 10.1.1.135 is placed on the outside wire (so the outside ACE for it cannot match anything
: crossing the PIX), and 172.168.1.0/24 is public, not RFC 1918, address space.
pdm location 10.1.1.135 255.255.255.255 outside
pdm location 192.168.2.12 255.255.255.255 inside
pdm location 192.168.2.21 255.255.255.255 inside
pdm location 192.168.2.34 255.255.255.255 inside
pdm location 192.168.101.30 255.255.255.255 dmz
pdm location 192.168.101.250 255.255.255.255 dmz
pdm location 10.2.2.0 255.255.255.0 inside
pdm location 172.168.1.0 255.255.255.0 inside
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.15 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 192.168.1.201 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.2.10 255.255.255.255 inside
pdm location 192.168.2.11 255.255.255.255 inside
pdm location exchange_pvt 255.255.255.255 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location cv_inside 255.255.255.255 inside
pdm location 192.168.100.2 255.255.255.255 inside
pdm location 192.168.100.3 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location mail_relay_pvt 255.255.255.255 dmz
pdm location web_outlook_pvt 255.255.255.255 dmz
pdm location webserver_dmz 255.255.255.255 dmz
pdm location webredline 255.255.255.255 dmz
pdm location redlineOWA 255.255.255.255 dmz
pdm location 192.168.101.11 255.255.255.255 dmz
pdm location rees_redline 255.255.255.255 dmz
pdm location 192.168.101.14 255.255.255.255 dmz
pdm location 192.168.101.15 255.255.255.255 dmz
pdm location 192.168.101.16 255.255.255.255 dmz
pdm location 192.168.101.20 255.255.255.255 dmz
pdm location intranet_vip 255.255.255.255 dmz
pdm location Dns_Dmz 255.255.255.255 dmz
pdm location blackboard_dmz 255.255.255.255 dmz
pdm location 192.168.101.210 255.255.255.255 dmz
pdm location 192.168.101.211 255.255.255.255 dmz
pdm location 22x.x.29.221 255.255.255.255 outside
pdm location 22x.x.48.57 255.255.255.255 outside
pdm location 22x.42.48.60 255.255.255.255 outside
pdm location 22x.x.48.62 255.255.255.255 outside
pdm location 22x.x.54.214 255.255.255.255 outside
pdm location ISADMZ 255.255.255.255 dmz
pdm history enable
: default ARP cache lifetime
arp timeout 14400


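: Outbound translation. Inside and DMZ sources share pool 1: dynamic NAT from
: 10.1.1.150-155, then PAT on 10.1.1.156 when the pool is exhausted.
: removed: a stray "10.1.1.150-10.1.1.155 ." fragment that preceded these lines -- not a valid
: command, only a paste artefact that would error if re-applied.
global (outside) 1 10.1.1.150-10.1.1.155
global (outside) 1 10.1.1.156
: Inside -> DMZ traffic is PAT'd to the DMZ interface address (192.168.101.1), so DMZ hosts
: never see real inside addresses except for hosts published with static (inside,dmz).
global (dmz) 1 interface

nat (inside) 1 10.2.2.0 255.255.255.0 0 0
: 172.168.1.0/24 is NOT private address space (RFC 1918 is 172.16.0.0-172.31.255.255); it is
: a publicly routed prefix. Renumber that segment, or remove this nat together with the
: matching route and pdm location entries if the segment no longer exists. (The original line
: carried this remark as trailing text on the command itself, which is a syntax error.)
nat (inside) 1 172.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (dmz) 1 192.168.101.0 255.255.255.0 0 0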


: Translations. Syntax reminder (PIX 6.x): static (real_ifc,mapped_ifc) mapped_ip real_ip.
: "alias" is the pre-6.2 DNS-doctoring mechanism. The same pair 192.168.2.10 <-> 192.168.101.210
: is ALSO covered by a static (inside,dmz) and a reverse static (dmz,inside) ... dns below:
: three overlapping mechanisms for one host. Cleanup target, but test which one the DMZ
: resolver and its clients actually depend on before removing any of them.
alias (dmz) 192.168.101.210 192.168.2.10 255.255.255.255
: inside servers published into the DMZ under 192.168.101.x addresses
static (inside,dmz) exchange exchange_pvt netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.101.211 192.168.2.11 netmask 255.255.255.255 0 0
: DMZ servers published to the Internet under 10.1.1.x globals
static (dmz,outside) mail_relay mail_relay_pvt netmask 255.255.255.255 0 0
static (dmz,outside) webserver webredline netmask 255.255.255.255 0 0
static (dmz,outside) blackboard blackboard_dmz netmask 255.255.255.255 0 0
static (dmz,outside) Dns_Outside Dns_Dmz netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.101.33 192.168.2.34 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.141 192.168.101.16 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.142 192.168.101.15 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.143 192.168.101.14 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.146 192.168.101.250 netmask 255.255.255.255 0 0
static (dmz,outside) intranet_web intranet_vip netmask 255.255.255.255 0 0
static (dmz,outside) rees_out rees_redline netmask 255.255.255.255 0 0
: NOTE(review): cv_inside (192.168.55.250) is an INSIDE host exposed straight to the Internet
: on roughly twenty ports (see the outside ACL). A compromise there lands on the inside
: network, bypassing the DMZ entirely. It belongs in the DMZ like the other published servers.
static (inside,outside) cv_outside cv_inside netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.101.212 192.168.2.12 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.101.210 192.168.2.10 netmask 255.255.255.255 0 0

: Reverse statics with "dns": presumably intended so DNS answers crossing dmz->inside that
: carry 192.168.101.210/.211 are rewritten to the 192.168.2.x addresses -- confirm, as they
: mirror the two static (inside,dmz) entries above and overlap the alias (see header).
static (dmz,inside) 192.168.2.10 192.168.101.210 dns netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.2.11 192.168.101.211 dns netmask 255.255.255.255 0 0

static (dmz,outside) web_outlook redlineOWA netmask 255.255.255.255 0 0



: Apply the three lists inbound on their interfaces.
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz



route outside 0.0.0.0 0.0.0.0 10.1.1.129 1
: NOTE(review): next hop 192.168.55.254 is not on the inside subnet (192.168.100.0/24). A PIX
: static route needs a directly connected gateway, and 192.168.55.x is itself only reachable
: through 192.168.100.3 via the 192.168.0.0/16 route below -- so this route most likely
: forwards nothing (check "show route" and test reachability to 10.2.2.0/24). If the segment
: still exists the gateway should be 192.168.100.3 like the others; if not, remove this route
: together with its nat and pdm location entries.
route inside 10.2.2.0 255.255.255.0 192.168.55.254 1
: 172.168.1.0/24 is public address space, not RFC 1918 -- see the nat section.
route inside 172.168.1.0 255.255.255.0 192.168.100.3 1
route inside 192.168.0.0 255.255.0.0 192.168.100.3 1

: Connection/translation idle timers -- these all appear to be the 6.3 defaults
: (xlate 3h, conn 1h, udp 2m, uauth 5m) and can stay.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
: AAA server groups are declared but no "aaa-server ... host" and no "aaa authentication"
: lines are present, so none of this is in effect: telnet/ssh/PDM logins use the single
: shared passwd/enable password with no per-admin identity and no audit trail. Either
: populate a group and add "aaa authentication ssh console <group>" (and telnet/http), or use
: the LOCAL group with "username" entries -- then delete the two unused protocol groups.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local



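: Device management plane. Restricted to the 192.168.1.0/24 admin subnet that the http (PDM)
: line already trusts and that hosts the syslog collector (192.168.1.201).
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
: TODO(review): the community is predictable and has been posted publicly -- change it. With
: no "snmp-server host" configured the PIX answers no poller anyway (unless that line was
: trimmed from the paste), so if SNMP is unused delete the community outright.
snmp-server community mycompany2004pub
no snmp-server enable traps
floodguard enable
: telnet is cleartext; kept only for the admin subnet (was 0.0.0.0 0.0.0.0 = every inside
: host). Prefer removing it entirely once all administrators are on ssh.
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 20
: removed: "ssh 0.0.0.0 0.0.0.0 outside" -- ssh to the firewall from the entire Internet,
: guarded only by the shared passwd since no aaa authentication is configured. If remote
: administration is genuinely required, re-add it for the specific admin /32 only.
: removed: "ssh 0.0.0.0 0.0.0.0 dmz" -- Internet-exposed DMZ hosts should have no management
: path to the firewall; re-add for a single jump host if one truly needs it.
: removed: ssh on intf3/intf4/intf5 -- those interfaces are shutdown with no address; inert.
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
: console sessions now expire after 10 idle minutes (0 meant never).
console timeout 10
terminal width 80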