Re: [fw-wiz] PIX 515 7.1 vs: 8.0


I don't see an address range defined for the inside. For example:
dhcpd address inside

Or the dhcpd enable:
dhcpd enable inside

On 9 March 2011 01:24, Brian Blater <brb.lists@xxxxxxxxx> wrote:
I was recently able to pick up another pix to play with. I currently
have a PIX 515e with 7.1, but this new one comes with 8.0. I'm
wondering if there is something new in the 8.0 version that is working
differently and has me stumped. One difference between the two PIXs I
have is that the new one has a 4 port card for a total of 6 ethernet
ports. I've setup DHCPD on two of the interfaces, but I can't get it
to assign an address to anything connected to those interfaces (dmz
and vonage). Also, if I manually assign an IP to a device on one of
those networks I can't even get out the internet. So, either some ACL
or static mapping is interfering there, but I can't see what I've
messed up. The DMZ port on the PIX 515e with 7.1 just works both with
DHCPD and internet access, but even if I try the same ACLs and statics
on the 8.0 PIX I'm still not getting anything working. Basically I'm

I've attached the 8.0 config below. If anyone can give me a hand and
let me know what I'm missing that would be great.

Thanks for your help.


PIX Version 8.0(4)32
hostname brb-pix
enable password xxxxxx encrypted
passwd xxxxxxx encrypted
interface Ethernet0
 nameif outside
 security-level 0
 ip address .
interface Ethernet1
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 nameif dmz
 security-level 50
 ip address
interface Ethernet3
 nameif vonage
 security-level 25
 ip address
interface Ethernet4
 no nameif
 no security-level
 no ip address
interface Ethernet5
 no nameif
 no security-level
 no ip address
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
access-list outside remark access list for outside
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any unreachable
access-list outside extended permit tcp any any eq https
access-list outside extended permit tcp any any eq 2525
access-list dmz remark access list for dmz
access-list dmz extended permit icmp echo-reply
access-list dmz extended permit icmp unreachable
access-list dmz extended permit udp host eq domain
access-list dmz extended permit ip any
access-list nonat remark nonat for dmz and inside interfaces
access-list nonat extended permit ip
access-list nonat extended permit ip
access-list nonat extended permit ip
access-list nonat extended permit ip
access-list vonage remark access list for vonage network
access-list vonage_access_in extended permit ip any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu vonage 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1
nat (dmz) 0 access-list nonat
nat (dmz) 1
nat (vonage) 0 access-list nonat
nat (vonage) 1
static (dmz,outside) tcp interface https https netmask
static (inside,outside) tcp interface 2525 smtp netmask
static (inside,dmz) netmask
static (inside,vonage) netmask
access-group outside in interface outside
access-group dmz in interface dmz
access-group vonage_access_in in interface vonage
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 5
ssh inside
ssh dmz
ssh timeout 60
console timeout 0
dhcpd dns
dhcpd lease 259200
dhcpd ping_timeout 750
dhcpd domain
dhcpd address dmz
dhcpd dns interface dmz
dhcpd lease 259200 interface dmz
dhcpd ping_timeout 750 interface dmz
dhcpd domain interface dmz
dhcpd enable dmz
dhcpd address vonage
dhcpd enable vonage
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username bblater password xxxxxxxxx encrypted privilege 15
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 message-length maximum 512
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect netbios
 inspect rsh
 inspect rtsp
 inspect skinny
 inspect esmtp
 inspect sqlnet
 inspect sunrpc
 inspect tftp
 inspect sip
 inspect xdmcp
service-policy global_policy global
prompt hostname context
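An added check, not code from the thread, that reads a PIX-style config and reports interfaces where dhcpd is enabled without an address pool (the gap the reply above points at) or where the pool lies outside the interface's own subnet; the config lines and addresses are constructed, not the poster's.

```python
import ipaddress
import re

# Constructed sample in the PIX 8.0 style quoted above; addresses are made up.
SAMPLE_CONFIG = """interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Ethernet2
 nameif dmz
 ip address 192.168.2.1 255.255.255.0
dhcpd enable inside
dhcpd address 192.168.9.10-192.168.9.50 dmz
dhcpd enable dmz
"""

def parse_interfaces(config):
    """Map each nameif to its ip_network (None if the interface has no address)."""
    ifaces, name = {}, None
    for line in config.splitlines():
        m = re.match(r" nameif (\S+)", line)
        if m:
            name = m.group(1)
            ifaces[name] = None
        m = re.match(r" ip address (\S+) (\S+)", line)
        if m and name:
            ifaces[name] = ipaddress.ip_network(m.group(1) + "/" + m.group(2), strict=False)
    return ifaces

def dhcp_findings(config):
    """Return sorted (interface, problem) pairs derived from the dhcpd lines."""
    ifaces, pools, enabled = parse_interfaces(config), {}, set()
    for line in config.splitlines():
        m = re.match(r"dhcpd address (\S+)-(\S+) (\S+)", line)
        if m:  # pool is stored as (first address, last address)
            pools[m.group(3)] = (ipaddress.ip_address(m.group(1)),
                                 ipaddress.ip_address(m.group(2)))
        m = re.match(r"dhcpd enable (\S+)", line)
        if m:
            enabled.add(m.group(1))
    findings = []
    for name, net in ifaces.items():
        if name in enabled and name not in pools:
            findings.append((name, "dhcpd enable without a dhcpd address pool"))
        if name in pools and net is not None and any(a not in net for a in pools[name]):
            findings.append((name, "pool lies outside interface subnet %s" % net))
    return sorted(findings)
```

Run it against a real `show running-config` dump in place of SAMPLE_CONFIG; an empty list means every enabled dhcpd interface has a pool inside its own subnet.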
