...

  1. Define a host name:
    Code Block
    hostname NewYork
  2. Configure an ISAKMP policy:
    Code Block
    isakmp enable outside
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encrypt 3des
  3. Configure a pre-shared key and associate with the peer:
    Code Block
    crypto isakmp key cisco1234 address 209.165.200.229
  4. Configure the supported IPSec transforms:
    Code Block
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
  5. Create an access list:
    Code Block
    access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
    This access list defines traffic from network 192.168.12.0 to 10.0.0.0. Both networks use private (RFC 1918) addresses, so the same access list is used in step 6 to exempt this traffic from NAT and in step 9 to select it for encryption.
    Note Step 6 is not required if you want NAT applied to all traffic, including the traffic between the intranets. The access list from step 5 is still needed, because the crypto map in step 9 references it.
  6. Exclude traffic between the intranets from NAT:
    Code Block
    nat 0 access-list 90
    This exempts traffic matching access list 90 from NAT (identity NAT). The nat 0 command is always evaluated before any other nat command, so this exemption takes precedence over the nat (inside) 1 rule in step 7.
  7. Enable NAT for all other traffic:
    Code Block
    nat (inside) 1 0 0
  8. Assign a pool of global addresses for NAT and PAT:
    Code Block
    global (outside) 1 209.165.201.9-209.165.201.30
    global (outside) 1 209.165.201.8
    This pool of registered (public) addresses is used only for connections to the public Internet. The single address on the second line is used for PAT once the pool is exhausted.
  9. Define a crypto map:
    Code Block
    crypto map toSanJose 20 ipsec-isakmp
    crypto map toSanJose 20 match address 90
    crypto map toSanJose 20 set transform-set strong
    crypto map toSanJose 20 set peer 209.165.200.229
  10. Apply the crypto map to the outside interface:
    Code Block
    crypto map toSanJose interface outside
  11. Permit decrypted IPsec traffic to bypass the access lists on the outside interface:
    Code Block
    sysopt connection permit-ipsec
    With this sysopt, traffic that arrives inside an IPsec tunnel is not checked against the interface access lists, so the crypto access list (access list 90) becomes the only filter on what the peer can send into the inside network.
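The page shows only the NewYork side of the tunnel. The configuration below is an added example of the matching SanJose side, not configuration from the original page: the crypto access list is the mirror image of NewYork's access list 90, and the pre-shared key and crypto map point back at the NewYork peer. It assumes that NewYork's outside interface address is 209.165.201.1 (the page does not state it) and uses the outside interface address for PAT instead of a global pool; both are assumptions chosen for the example.

```cisco
! SanJose side of the tunnel (added example; the page shows only NewYork).
! Assumed: NewYork's outside interface is 209.165.201.1 (not stated on the page).
hostname SanJose

! ISAKMP policy must match NewYork's: pre-shared keys, 3DES
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des

! Same pre-shared key, bound to the NewYork peer address (assumed value)
crypto isakmp key cisco1234 address 209.165.201.1

! Same transform set as NewYork
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Crypto ACL is the mirror image of NewYork's access list 90:
! local 10.0.0.0/8 to remote 192.168.12.0/24
access-list 90 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0

! Identity NAT for intranet traffic, PAT on the outside address for everything else
nat 0 access-list 90
nat (inside) 1 0 0
global (outside) 1 interface

! Crypto map pointing back at NewYork (peer address assumed, see above)
crypto map toNewYork 20 ipsec-isakmp
crypto map toNewYork 20 match address 90
crypto map toNewYork 20 set transform-set strong
crypto map toNewYork 20 set peer 209.165.201.1
crypto map toNewYork interface outside

! Let decrypted tunnel traffic bypass the outside interface access lists
sysopt connection permit-ipsec
```

After both sides are configured, send traffic between 192.168.12.0/24 and 10.0.0.0/8 and check that a phase 1 and a phase 2 SA come up (show crypto isakmp sa and show crypto ipsec sa on 7.x software; show isakmp sa and show ipsec sa on older 6.x images). Note that 3DES and a short literal pre-shared key such as cisco1234 are shown only to match the page's example; in a production deployment use AES in the transform set and ISAKMP policy and a long random pre-shared key (or certificates).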

Password Recovery

Performing password recovery on the security appliance erases the login password, enable password, and aaa authentication console commands. To erase these commands so you can log in with the default passwords, perform the following steps:

...

Code Block
The following example shows the PIX password recovery with the TFTP server on the outside interface:

monitor> interface 0
0: i8255X @ PCI(bus:0 dev:13 irq:10)
1: i8255X @ PCI(bus:0 dev:14 irq:7 )
Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9
monitor> address 10.21.1.99
address 10.21.1.99
monitor> server 172.18.125.3
server 172.18.125.3
monitor> file np70.bin
file np70.bin
monitor> gateway 10.21.1.1
gateway 10.21.1.1
monitor> ping 172.18.125.3
Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.18.125.3, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp np70.bin@172.18.125.3 via 10.21.1.1...................................
Received 73728 bytes
Cisco PIX password tool (4.0) #0: Tue Aug 22 23:22:19 PDT 2005
Flash=i28F640J5 @ 0x300
BIOS Flash=AT29C257 @ 0xd8000
Do you wish to erase the passwords? [yn] y
Passwords have been erased.
Rebooting....

Disabling Password Recovery

You might want to disable password recovery to ensure that unauthorized users who gain console access cannot use the password recovery mechanism to compromise the security appliance. Be aware of the trade-off: once recovery is disabled, a lost enable password can no longer be cleared with the tool shown above, and regaining access requires erasing the configuration, so keep an offline copy of the configuration before disabling it. To disable password recovery, enter the following command:

...