Generated on Wed Mar 17 22:12:55 2004
| Summary | |
| Configuration File | c:\pixconfig-2004-03-17-220752.txt |
| Firmware version | 6.1(3) |
| FQDN | fwpix525.acme.com |
| System settings | |
| Interfaces | 2 |
| Access lists | 2 |
| NAT settings | |
| Redirections | 7 |
| Routes | 1 |
| HTTP Settings | |
| SNMP Settings | |
| Aliases | 1 |
| Logging settings | |
| Telnet settings | |
| SSH settings | |
| PDM settings | |
| Authentication settings | |
| Protocol fixups | |
| Comments in config file | |
Interfaces:
| Number | Name | Security | Speed | MTU | IP Address | Subnet mask | Default Gateway | ISAKMP Enabled | Spoof Protection |
| ethernet0 | outside | 0 | auto-negotiated | 1500 | 208.72.200.226 | 255.255.255.240 | 208.72.200.225 (priority 1) | No | No (default) |
| ethernet1 | inside | 100 | auto-negotiated | 1500 | 172.17.3.15 | 255.255.255.0 | | No | No (default) |
Access lists:
| Access list | Source | Destination | Operation | Protocol | Comments |
| acl_out | any ip address | any ip address | allowed | Any icmp | Applied on the outside interface using an "access-group" command |
| acl_out | any ip address | host 208.72.200.227 | allowed | tcp/25 (smtp) | |
| acl_out | any ip address | host 208.72.200.227 | allowed | tcp/80 (www) | |
| acl_out | any ip address | host 208.72.200.227 | allowed | tcp/143 (imap) | |
| acl_out | any ip address | host 208.72.200.228 | allowed | tcp/25 (smtp) | |
| acl_out | any ip address | host 208.72.200.227 | allowed | tcp/110 (pop3) | |
| acl_out | host 69.19.34.66 | host 208.72.200.227 | allowed | tcp/23 (telnet) | |
| acl_out | host 69.19.34.66 | host 208.72.200.228 | allowed | tcp/23 (telnet) | |
| acl_in | any ip address | any ip address | allowed | Any icmp | Applied on the inside interface using an "access-group" command |
| acl_in | any ip address | any ip address | denied | udp/139 (netbios) | |
| acl_in | any ip address | any ip address | denied | tcp/139 (netbios) | |
| acl_in | any ip address | any ip address | allowed | any udp | |
| acl_in | any ip address | 69.6.0.0/16 | denied | any tcp | |
| acl_in | any ip address | any ip address | allowed | any tcp | |
NAT settings (connections coming through the interface from source are translated using the NAT ip address):
| Source Interface | Source IP Address | NAT IP Address(es) |
| inside | 172.17.3.0/24 | IP address of the "outside" interface (208.72.200.226) |
Redirections ("static" statements):
| Original IP Address | Original Protocol | Original Interface | Redirected IP Address | Redirected Protocol | Redirected Interface | Access | Access Protocol | Access Source | Access list |
| 208.72.200.227 | tcp/143 | outside | 172.17.3.40 | tcp/143 | inside | allowed | tcp/143 (imap) | Any ip address | acl_out |
| 208.72.200.227 | tcp/23 | outside | 172.17.3.40 | tcp/23 | inside | allowed | tcp/23 (telnet) | Host 69.19.34.66 | acl_out |
| 208.72.200.227 | tcp/110 | outside | 172.17.3.40 | tcp/110 | inside | allowed | tcp/110 (pop3) | Any ip address | acl_out |
| 208.72.200.227 | tcp/25 | outside | 172.17.3.40 | tcp/25 | inside | allowed | tcp/25 (smtp) | Any ip address | acl_out |
| 208.72.200.227 | tcp/80 | outside | 172.17.3.40 | tcp/80 | inside | allowed | tcp/80 (www) | Any ip address | acl_out |
| 208.72.200.228 | tcp/23 | outside | 172.17.3.70 | tcp/23 | inside | allowed | tcp/23 (telnet) | Host 69.19.34.66 | acl_out |
| 208.72.200.228 | tcp/25 | outside | 172.17.3.20 | tcp/25 | inside | allowed | tcp/25 (smtp) | Any ip address | acl_out |
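The Redirections table above is the join of the "static" translations with the access-list applied on the outside interface. The Python script below, added here as an example and not part of the report or of any Cisco tool, reproduces that join from the configuration listed at the end of this report (the excerpt is copied from there, trimmed to the commands the script reads) and flags the points a reviewer would raise from the other tables: the default SNMP community, cleartext telnet management, cleartext services exposed through the statics, and the syslog host being one of the translated, internet-reachable servers. The service-name table, the cleartext-port list and all function names are this example's own.

```python
"""Correlate a Cisco PIX 6.x access-list with its static translations and
flag weak settings. Added example; not part of the original report."""

# Constructed excerpt: copied from the analyzed configuration on this page,
# trimmed to the commands this example parses.
PIX_CONFIG = """\
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 208.72.200.227 eq smtp
access-list acl_out permit tcp any host 208.72.200.227 eq www
access-list acl_out permit tcp any host 208.72.200.227 eq 143
access-list acl_out permit tcp any host 208.72.200.228 eq smtp
access-list acl_out permit tcp any host 208.72.200.227 eq pop3
access-list acl_out permit tcp host 69.19.34.66 host 208.72.200.227 eq 23
access-list acl_out permit tcp host 69.19.34.66 host 208.72.200.228 eq 23
static (inside,outside) tcp 208.72.200.227 smtp 172.17.3.40 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.72.200.227 www 172.17.3.40 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.72.200.227 143 172.17.3.40 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.72.200.227 23 172.17.3.40 23 netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.72.200.228 23 172.17.3.70 23 netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.72.200.227 pop3 172.17.3.40 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.72.200.228 smtp 172.17.3.20 smtp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
snmp-server community public
telnet 172.17.3.0 255.255.255.0 inside
ssh 172.17.3.0 255.255.255.0 inside
logging host inside 172.17.3.40
"""

# PIX accepts service names or numbers after "eq"; these are the names this config uses (assumption: table kept minimal).
PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "telnet": 23}
# Services that carry credentials in cleartext; worth calling out when exposed through a static.
CLEARTEXT = {23: "telnet", 110: "pop3", 143: "imap"}


def port_number(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_address(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK'); return (text, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]


def parse_acl(line):
    """access-list NAME ACTION PROTO SRC DST [eq PORT]"""
    t = line.split()
    src, rest = parse_address(t[4:])
    dst, rest = parse_address(rest)
    port = port_number(rest[1]) if rest[:1] == ["eq"] else None
    return {"acl": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}


def parse_static(line):
    """static (IN,OUT) PROTO GLOBAL_IP GPORT LOCAL_IP LPORT netmask ..."""
    t = line.split()
    return {"proto": t[2], "global_ip": t[3], "global_port": port_number(t[4]),
            "local_ip": t[5], "local_port": port_number(t[6])}


def analyze(config):
    """Return (exposures, findings): exposures are (global_ip, port, local_ip, permitted_source)
    tuples, one per static that the outside access-list actually lets traffic reach."""
    acls, statics, groups, findings, log_hosts = [], [], {}, [], []
    for line in config.splitlines():
        t = line.split()
        if line.startswith("access-list "):
            acls.append(parse_acl(line))
        elif line.startswith("static "):
            statics.append(parse_static(line))
        elif line.startswith("access-group "):
            groups[t[-1]] = t[1]  # interface name -> access-list name
        elif line.startswith("snmp-server community ") and t[-1] in ("public", "private"):
            findings.append(f"SNMP community is the well-known default '{t[-1]}'")
        elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
            findings.append(f"cleartext telnet management allowed from {t[1]}/{t[2]} on {t[3]}")
        elif line.startswith("logging host "):
            log_hosts.append(t[-1])
    outside_acl = groups.get("outside")
    exposures = []
    for s in statics:  # a static alone opens nothing; it needs a matching permit on the outside ACL
        for a in acls:
            if (a["acl"] == outside_acl and a["action"] == "permit" and a["proto"] == s["proto"]
                    and a["dst"] == s["global_ip"] and a["port"] == s["global_port"]):
                exposures.append((s["global_ip"], s["global_port"], s["local_ip"], a["src"]))
                if s["global_port"] in CLEARTEXT:
                    findings.append(f"{CLEARTEXT[s['global_port']]} on {s['global_ip']} "
                                    f"(-> {s['local_ip']}) reachable from {a['src']}")
    for h in log_hosts:  # the syslog collector should not itself be an internet-facing server
        if any(s["local_ip"] == h for s in statics):
            findings.append(f"syslog host {h} is itself reachable from the outside via a static")
    return exposures, findings


if __name__ == "__main__":
    exposures, findings = analyze(PIX_CONFIG)
    for e in exposures:
        print("%s:%d -> %s, source %s" % e)
    for f in findings:
        print("FINDING:", f)
```

The script matches each static against the outside access-list rather than trusting the static alone, which is why the two telnet redirections come back with the single permitted source 69.19.34.66 while the mail and web entries come back as open to any source. The syslog check is the one a config tool does not make for you: 172.17.3.40 here is both the log collector and the host behind 208.72.200.227, so a compromise of the exposed mail/web/telnet services also gives the attacker the firewall's logs.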
Routes:
| Destination | Gateway | Priority | Interface |
| 0.0.0.0 (default) | 208.72.200.225 | 1 | outside |
HTTP settings:
| Setting | Comment |
| HTTP Server Enabled | Yes |
| HTTP access allowed from | Subnet 172.17.3.0/24 via the "inside" interface; Host 172.17.3.16 via the "inside" interface |
SNMP settings:
| Setting | Value |
| community | public |
System settings:
| Setting | Value | Comment |
| Permit PPTP | Default | An access-list is required for inbound IPSEC sessions |
| Permit IPSec | Default | An access-list is required for inbound IPSEC sessions |
| Permit L2TP | Default | An access-list is required for inbound IPSEC sessions |
| ISAKMP Identity | hostname (default) | When participating in the IKE protocol, the PIX Firewall will use "hostname (default)" to identify the remote host. |
| TCP MSS | Default | 1380 bytes |
| Connection timewait | Default | Not used |
| IPSec PL Compatible | Default | Disabled |
| DNS Alias (inbound) | Default | Enabled |
| DNS Alias (outbound) | Default | Enabled |
| No proxy arp | Default | Responses for arp requests for the addresses in the static, global, and nat 0 are disabled |
| Radius ignore-secret | Default | Do not ignore the key |
| Uauth allow http cache | Default | Allows the web browser to supply a username and password from its cache for AAA authentication. |
| Route dnat | Disabled | |
| Floodguard | Yes | Protection against flood attacks. |
| IPSec Lifetime | Not defined | |
| Setting | Value | Comment |
| Xlate timeout | 3:00:00 hours | IP address translation slots (xlates) will be kept for 3:00:00 hours |
| Uauth timeout | 0:05:00 hours | Duration before authentication and authorization cache times out. |
| Console timeout | Not defined | |
| TCP connection timeout | 1:00:00 hours | |
| TCP half-close connection timeout | 0:10:00 hours | |
| UDP slot timeout | 0:02:00 hours | |
| RPC slot timeout | 0:10:00 hours | |
| H.323 media connection timeout | 0:05:00 hours | |
| SIP timer timeout | 0:30:00 hours | |
| SIP RTP/RTCP media timer timeout | 0:02:00 hours | |
| Media Gateway Control Protocol inactivity timer | Default - 0:05:00 hours | |
| Address Resolution Protocol (ARP) timeout | 14400 seconds | |
Telnet settings:
| Source | Interface |
| 172.17.3.0/24 | inside |
| Telnet timeout: 5 minutes | |
SSH settings:
| Source | Interface |
| 172.17.3.0/24 | inside |
| SSH timeout: 5 minutes | |
PDM settings:
| Source | Interface |
| No IP address is allowed to connect to the firewall via PDM. | |
| Setting | Value |
| PDM history | Enabled |
| PDM logging level | Not defined |
| PDM logging messages | Not defined |
Logging settings:
| Setting | Value |
| Logging status | Enabled |
| Logging level | Debugging |
| Logging timestamp | Applied |
| Console logging level | Not set |
| Logging buffered | Not set |
| Logging queue size | 512 messages (default) |
| Logging facility | 20 |
| Logging history level | Debugging |
| Logging host(s) | 172.17.3.40 (through the inside interface), using UDP/514 (standard syslog) |
Aliases:
| Interface | External IP Address | Internal IP Address | Comment |
| inside | 208.72.200.227 | 172.17.3.40 | |
Protocol fixups:
| Protocol | Option | Status |
| sqlnet | port 1521 | Enabled |
| sip | port 5060 | Enabled |
| smtp | port 25 | Disabled |
| h323 | port 1720 | Enabled |
| skinny | port 2000 | Enabled |
| http | port 80 | Enabled |
| rsh | port 514 | Enabled |
| ftp | port 21 | Enabled |
| rtsp | port 554 | Enabled |
Authentication settings:
| Setting | Value |
| RADIUS | radius |
| TACACS+ | tacacs+ |
Comments found in the configuration file:
| Comment |
| : Saved : |
The analyzed configuration:

: Saved
: PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************
passwd ************
hostname fwpix525
domain-name acme.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 208.72.200.227 eq smtp
access-list acl_out permit tcp any host 208.72.200.227 eq www
access-list acl_out permit tcp any host 208.72.200.227 eq 143
access-list acl_out permit tcp any host 208.72.200.228 eq smtp
access-list acl_out permit tcp any host 208.72.200.227 eq pop3
access-list acl_out permit tcp host 69.19.34.66 host 208.72.200.227 eq 23
access-list acl_out permit tcp host 69.19.34.66 host 208.72.200.228 eq 23
access-list acl_in permit icmp any any
access-list acl_in deny udp any any eq 139
access-list acl_in deny tcp any any eq 139
access-list acl_in permit udp any any
access-list acl_in deny tcp any 69.6.0.0 255.255.0.0
access-list acl_in permit tcp any any
pager lines 100
logging on
logging timestamp
logging trap debugging
logging history debugging
logging host inside 172.17.3.40
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 208.72.200.226 255.255.255.240
ip address inside 172.17.3.15 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.17.3.0 255.255.255.0 0 0
alias (inside) 172.17.3.40 208.72.200.227 255.255.255.255
static (inside,outside) tcp 208.72.200.227 smtp 172.17.3.40 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.72.200.227 www 172.17.3.40 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.72.200.227 143 172.17.3.40 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.72.200.227 23 172.17.3.40 23 netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.72.200.228 23 172.17.3.70 23 netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.72.200.227 pop3 172.17.3.40 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 208.72.200.228 smtp 172.17.3.20 smtp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 208.72.200.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.17.3.16 255.255.255.255 inside
http 172.17.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 172.17.3.0 255.255.255.0 inside
telnet timeout 5
ssh 172.17.3.0 255.255.255.0 inside
ssh timeout 5
terminal width 50