I finally got myself a PIX 501 to play with (the price was right – $20 🙂 ). Here are some useful commands I used to configure it. Special thanks to Juniperr on DevShed for posting some of the most accessible information on this topic:
To reset the password on your PIX
Follow the instructions here. Make sure you note that the version of the PIX software on your PIX is NOT the version of the PIX BIOS (my BIOS is 4.2 and my PIX runs PIX OS 6.3).
Reset the configuration of a PIX 501
Basic PIX 501 home setup behind a cable modem
First, the wiring setup:
- [Cable modem] – The net connection from the cable modem is connected to the outside port on the PIX. Because my ISP gives me a WAN address via DHCP, the PIX will need to be setup to acquire the outside address via DHCP.
- [PIX 501] The PIX’s outside port is connected to the cable modem, one of the inside port is connected to the WAN port on the Linksys wireless router. As we will see below the PIX will be setup as a NAT (a router) and I will keep the inside IPs on the PIX to 10.0.0.0/24
- [Linksys wireless router (WRT)] The WAN port on the WRT is connected to one of the PIX’s inside port. Because the WRT is also a NAT, I will keep its inside IP range to 192.168.1.0/24
Now for the configuration of the PIX:
config terminal to get into configuration mode.
ip address outside dhcp setroute this is to set the outside interface to get its info from a dhcp request to the cable modem.
ip address inside 10.0.0.1 255.255.255.0 this is to set the IP address for the inside interface of the PIX
global (outside) 1 interface to NAT/PAT all inside addresses to the outside address
nat (inside) 1 10.0.0.0 255.255.255.0 to restrict what IPs can NAT through the inside interface
dhcpd auto_config outside the easy way to setup the PIX’s dhcpd to use the info from the dhcp request on the outside interface
hostname <a host name> to give your PIX a hostname
domain-name <a domain name> to give your PIX a domain name (e.g. mydomain.com)
ca gene rsa key 1024 this will create RSA keys based on the above parameters. If keys exist from a previous configuration it will let you know and confirm that you want to replace them.
ca save all to save the keys. *warning* this operation can take some time to complete
ssh 0 0 outside to allow ssh access to your PIX from the outside (any IP)
ssh 0 0 inside to allow ssh access to your PIX from the inside (any IP)
username <a username> password <a password> priv 15 this will create a LOCAL user with top level access (level 15) to the PIX
The following is to set the authentication source (all using LOCAL, and therefore the user you just setup):
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
write mem to save the configuration
reload to reboot the PIX with the new configuration (you may also need to reboot your cable modem in case the PIX does not get an IP from its dhcp request outside).
Voila! it should work. Machines connected to the WRT should be able to see the Internet. Your PIX in the middle allows you to do all sorts of fun things (firewall, VPN, monitoring traffic, etc.)
Other useful commands
en password <new password> to change the ‘enable’ password
config factory-default 10.0.0.1 255.255.255.0 to reset the PIX to factory defaults and use the provided IP as inside IP. Be sure to do a
write mem following this to make sure it is saved in the flash.
show ca mypubkey rsa this will give you the detail of your RSA key is any exist
ca zeroize rsa this will clear the RSA key
show tech to see a whole slew of detailed info on the PIX
show proc to see what processes are running on the PIX
debug dhcpc detail to get debug info for the dhcp client (in my case what I use to get an IP on the outside interface). And you use
no debug dhcpc detail to stop the debugging.