PIX-501 Summary
PIX: Private Internet Exchange
The CISCO PIX-501 was released in Sep 2001. It has a 133 MHz Am5x86 CPU and 16 MB RAM, and is designed for remote offices or the SOHO market; it has no DMZ port.
This box comes with a 10-user, 50-user, or unlimited-user license. My PIX box has the 10-user license, and I'd like to upgrade and configure it to see if I can use it for my test lab.
The configuration of the CISCO PIX firewall can be done using:
- The command line, accessed through the serial console port.
- The PIX Device Manager (PDM) GUI program.
- Telnet, accessed through the outside interface.
In this entry I prefer the first one, but I will mention the second one at the end of this entry.
Configuration
The main security rules Cisco uses:
- Once the firewall is configured, data may enter the firewall through an interface with a higher security level, pass through the firewall, and exit through an interface with a lower security level.
- Conversely, data that enters the firewall through an interface with a lower security level cannot pass through the firewall to an interface with a higher security level and exit through that interface.
- Security levels can range from 0 to 100 on a Cisco firewall.
- In Cisco devices, 100 is the default setting for an inside interface (this may or may not have anything to do with the physical location).
- For the physical inside interface - the one that connects the LAN to the firewall - the setting is 100 and cannot be changed.
- For the outside interface the default is 0.
- Again, for the actual physical interface - the one that connects to the WAN - the setting cannot be changed.
- Other interfaces, such as the DMZ interface, can be set anywhere in the range 1 to 99.
- As the configuration is planned, the following should be kept in mind:
  - For data to travel through the firewall from a more secure interface to a less secure interface, a translation, either static or dynamic, is required.
  - Traffic will then move from the higher-security interface to the lower-security interface.
  - Unless restricted by an access list or some outside authorization procedure, for data to travel through the firewall from a less secure interface to a more secure interface two things are required: either
    - a static translation and a conduit (this notion is obsolete now), or
    - an access list permitting it.
  - Data cannot travel between two interfaces at the same security level.
Cabling
- The cable from the DSL/cable router to the PIX is a crossover cable.
- The cable(s) to the devices are regular CAT-5 Ethernet cables.
- The console cable is the Cisco serial cable.
IP Addressing Plan
For the sake of simplicity, my inside network IPs will be 192.168.1.x, and the outside IP will be a dynamic one from my ISP.
With this plan we have no perimeter network (no DMZ) and no other router(s) on the inside, because we have only one subnet; as a result, we skip the routing configuration (the route command).
Preliminary Checking
Connect this box to my PC, which runs Windows, via the Cisco serial cable. Run HyperTerminal and check its previous status:
CISCO SYSTEMS PIX-501
Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
Compiled by morlee
16 MB RAM
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 1022 3000 Host Bridge
00 11 00 8086 1209 Ethernet 9
00 12 00 8086 1209 E
Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 1921536 bytes of image from flash.
################################################################################
##########################
16MB RAM
mcwa i82559 Ethernet at irq 9 MAC: 000a.b747.91e6
mcwa i82559 Ethernet at irq 10 MAC: 000a.b747.91e7
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0x
-----------------------------------------------------------------------
|| ||
|| ||
|||| ||||
..:||||||:..:||||||:..
c i s c o S y s t e m s
Private Internet eXchange
-----------------------------------------------------------------------
Cisco PIX Firewall
Cisco PIX Firewall Version 6.3(1)
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10
This PIX has a Restricted (R) license.
****************************** Warning *******************************
Compliance with U.S. Export Laws and Regulations - Encryption.
This product performs encryption and is regulated for export
by the U.S. Government.
This product is not authorized for use by persons located
outside the United States and Canada that do not have prior
approval from Cisco Systems, Inc. or the U.S. Government.
This product may not be exported outside the U.S. and Canada
either by physical or electronic means without PRIOR approval
of Cisco Systems, Inc. or the U.S. Government.
Persons outside the U.S. and Canada may not re-export, resell
or transfer this product by either physical or electronic means
without prior approval of Cisco Systems, Inc. or the U.S.
Government.
******************************* Warning *******************************
Copyright (c) 1996-2003 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
outside interface address added to PAT pool
.
Cryptochecksum(changed): 4367e8b9 b2c45171 7e990454 3cbde002
Type help or '?' for a list of available commands.
PIX-Sunrise>show ver
Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 19-Mar-03 11:49 by morlee
PIX-Sunrise up 4 hours 39 mins
Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
0: ethernet0: address is 000a.b747.91e6, irq 9
1: ethernet1: address is 000a.b747.91e7, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10
This PIX has a Restricted (R) license.
Serial Number: 8xxxxxxxx (0xxxxxxxxx)
Running Activation Key: 0x7e483418 0x22f4436c 0xdb9b6e74 0xc55ee380
Configuration last modified by at 06:28:16.000 UTC Thu Feb 7 2036
PIX-Sunrise>
This box has a 10-user license, PIX version 6.3(1) and PDM version 3.0(1).
Because this PIX box was configured by unknown people, I can't retrieve their passwords. I need to reset the passwords of the box and upgrade the firmware to the latest version(s).
First of all, I need to set up a TFTP server.
Prepare the TFTP server
The TFTP server is normally set up on your PC workstation. I have been using the TFTP server from Avocent DSView for a long time; it works well for upgrading the firmware of DSView appliances, but unfortunately it doesn't work at all for this Cisco box. I tried some other TFTP servers and finally got the free TFTP server from SolarWinds, which is very suitable for this CISCO PIX box.
You can also try the TFTP server from 3COM (file 3cdv2r10.zip).
Reset passwords
The first challenge is to reset the passwords set in this box. There are two passwords: telnet and console.
It wasn't as difficult as I thought. I Googled and found the Cisco doc "Password Recovery Procedure for the PIX". Just download the file np63.bin and follow it step by step to reset the passwords.
This is the capture of the password reset:
Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000
Use BREAK or ESC to interrupt flash boot. ---> Press ESC
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:17 irq:9 )
1: i8255X @ PCI(bus:0 dev:18 irq:10)
Using 1: i82557 @ PCI(bus:0 dev:18 irq:10), MAC: 000a.b747.91e7
Use ? for help.
monitor>
monitor> address 192.168.1.201
address 192.168.1.201
monitor> server 192.168.1.44
server 192.168.1.44
monitor> gateway 192.168.1.254
gateway 192.168.1.254
monitor> file np63.bin
file np63.bin
monitor> ping 192.168.1.44
Sending 5, 100-byte 0x1af2 ICMP Echoes to 192.168.1.44, timeout is 4 seconds
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp np63.bin@192.168.1.44 via 192.168.1.254....................................
................................................................................
.................................................................
Received 92160 bytes
Cisco Secure PIX Firewall password tool (3.0) #0: Thu Jul 17 08:01:09 PDT 2003
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000
Do you wish to erase the passwords? [yn] y
The following lines will be removed:
enable password ztjuWcGqS7lBLluM encrypted
passwd UhvRWfdVFwG/CZN7 encrypted
Do you want to remove the commands listed above from the configuration? [yn] y
Passwords and aaa commands have been erased.
Rebooting....
Now the two passwords are reset. Reboot the PIX and enter privileged mode (level 15) with the en or enable command to reconfigure this box.
pix-fw>ena
Password:
pix-fw#conf t
pix-fw(config)#
But first of all, I need to back up the old configuration to the TFTP server for further reference, from configuration mode:
pix-fw(config)# write net 192.168.1.44:pixconfig_old.txt
PIX Firewall Software Upgrade Procedure
- Log into the PIX Command Line Interface (CLI).
- Enter enable mode by typing enable, then configuration mode with conf t (configure terminal).
- Copy the updated operating system image from the TFTP server to the PIX:
pix-fw(config)# copy tftp flash
Address or name of remote host [0.0.0.0]? 192.168.1.201
Source file name [cdisk]? pix635.bin
copying tftp://192.168.1.201/pix635.bin to flash:image
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
Received 2101248 bytes
Erasing current image
Writing 1978424 bytes of image
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed
- Copy the latest PIX Device Manager (PDM) image from the TFTP server to the PIX:
pix-fw(config)# copy tftp flash:pdm
Address or name of remote host [0.0.0.0]? 192.168.1.201
Source file name [cdisk]? pdm-304.bin
copying tftp://192.168.1.201/pdm-304.bin to flash:pdm
[yes|no|again]? yes
Erasing current PDM file
Writing new PDM file
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!
- Reboot the PIX:
pix-fw(config)# reload
- Verify that the upgrade succeeded:
pix-fw# show version
Cisco Secure PIX Firewall System 6.3(5)
PIX Device Manager Version 3.0(4)
.
.
Enable password (from configuration mode):
pix-fw(config)# enable password whateverpasswordhere
Telnet password:
pix-fw(config)# passwd whateverpasswordhere
to be continued….
Configuring Dynamic Address Translation
Configuration of NAT/PAT is a two-step process:
- Identify the local addresses that will be translated (nat command).
- Define the global addresses to translate to (global command).
We permit all inside users to start outbound connections using the translated IP addresses from the global pool. The id (1 here) ties this nat statement to the global statement with the same id, and "0 0" is shorthand for address 0.0.0.0 mask 0.0.0.0, i.e. every inside address:
pix-fw(config)# nat (inside) 1 0 0
The syntax of the global command is:
global [(<if_name>)] <id> { {<global_ip> [-<global_ip>] [netmask <global_mask>]} | interface}
The if_name parameter defines the interface on which traffic will exit after being translated. If it is not specified, the outside interface is assumed.
Here the IP of the outside interface comes from our ISP's DHCP server, so the short form of the global command, which does PAT behind the interface address, is enough for our case:
pix-fw(config)# global (outside) 1 interface
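To make the two rules above concrete (a nat statement only works when a global statement shares its id, and outside-to-inside packets are dropped unless a translation already exists), here is a small simulation of PIX dynamic PAT on the outside interface address. It is an added example, not code from the post or from Cisco; the class name PixPat, its method names and the address 203.0.113.7 standing in for the dynamic outside address are all assumptions of this example.

```python
import ipaddress
import itertools

# Added example, not from the original post or from Cisco: a hypothetical, simplified
# model of PIX 6.3 dynamic PAT behind the outside interface address. It shows why
# 'nat (inside) 1 0 0' needs 'global (outside) 1 interface' with the same id, and why
# outside -> inside packets go nowhere unless an xlate (dynamic or static) exists.


class PixPat:
    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip      # address handed out by the ISP's DHCP
        self.nat_rules = []               # (nat_id, local network) from nat (inside) <id> ...
        self.global_ids = set()           # ids that have a global (outside) <id> interface
        self.xlate = {}                   # (local_ip, local_port) -> global port
        self.by_global = {}               # global port -> (local_ip, local_port)
        self._ports = itertools.count(first_port)

    def nat(self, nat_id, network):
        """nat (inside) <id> <net> <mask>; '0 0' on the PIX means 0.0.0.0/0."""
        self.nat_rules.append((nat_id, ipaddress.ip_network(network)))

    def global_interface(self, nat_id):
        """global (outside) <id> interface: PAT behind the outside address."""
        self.global_ids.add(nat_id)

    def static(self, local_ip, port):
        """Port-preserving static for a server, like the post's static for slx002."""
        self.by_global[port] = (local_ip, port)
        self.xlate[(local_ip, port)] = port

    def outbound(self, local_ip, local_port):
        """Inside (100) -> outside (0). Returns the translated (ip, port), or None
        when no nat/global pair with a matching id covers the source address."""
        key = (local_ip, local_port)
        if key in self.xlate:
            return self.outside_ip, self.xlate[key]
        addr = ipaddress.ip_address(local_ip)
        covered = any(addr in net and nid in self.global_ids
                      for nid, net in self.nat_rules)
        if not covered:
            return None
        gport = next(self._ports)
        while gport in self.by_global:     # never collide with a static's port
            gport = next(self._ports)
        self.xlate[key] = gport
        self.by_global[gport] = key
        return self.outside_ip, gport

    def inbound(self, global_port):
        """Outside (0) -> inside (100). Only packets that hit an existing xlate are
        handed on to the ACL check; everything else is dropped right here."""
        return self.by_global.get(global_port)


def demo():
    # Constructed values: 203.0.113.7 stands in for the dynamic outside address.
    pix = PixPat("203.0.113.7")
    pix.nat(1, "0.0.0.0/0")               # nat (inside) 1 0 0
    pix.global_interface(1)               # global (outside) 1 interface
    pix.static("192.168.1.10", 22)        # SSH to the internal server
    first = pix.outbound("192.168.1.201", 50404)
    again = pix.outbound("192.168.1.201", 50404)   # same flow reuses its xlate
    second = pix.outbound("192.168.1.201", 50383)
    return {
        "first": first, "again": again, "second": second,
        "reply_to_first": pix.inbound(first[1]),
        "ssh_to_server": pix.inbound(22),
        "unsolicited_rdp": pix.inbound(3389),
    }


def demo_mismatched_ids():
    # nat id 2 but global id 1: the nat statement has no pool to draw from.
    pix = PixPat("203.0.113.7")
    pix.nat(2, "0.0.0.0/0")
    pix.global_interface(1)
    return pix.outbound("192.168.1.201", 50404)


if __name__ == "__main__":
    print(demo())
    print(demo_mismatched_ids())
```

Note that a translation is necessary but not sufficient for inbound traffic: on the real box the packet that reaches the static for slx002 still has to be permitted by the access list applied to the outside interface (acl_out in the final configuration).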
Access List
ACL Syntax
We assume you can already read ACL syntax, since it is so much like Cisco IOS syntax. In general, you configure:
access-list aclname action protocol source_address port destination_address port
where action is permit or deny. I set up the ACLs for inbound and outbound traffic as follows:
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any unreachable
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any traceroute
access-list acl_out permit tcp any interface outside eq smtp
access-list acl_out permit tcp any interface outside eq pop3
access-list acl_out permit tcp any interface outside eq www
access-list acl_out permit tcp any interface outside eq https
access-list acl_out permit tcp any interface outside eq ftp
access-list acl_out permit tcp any interface outside eq pptp
access-list acl_out permit tcp any interface outside eq 4125
access-list acl_out permit tcp any interface outside eq 3389
access-list acl_out permit tcp any interface outside eq domain
access-list acl_out permit tcp any interface outside eq ssh
access-list acl_out permit udp any interface outside eq domain
access-list acl_out permit udp any interface outside eq ntp
access-list acl_out deny tcp any any eq 1863
access-list acl_out deny tcp any any eq 138
access-list acl_out deny tcp any any eq netbios-ssn
access-list acl_out deny udp any any eq netbios-ns
access-list acl_out deny udp any any eq netbios-dgm
access-list acl_out deny udp any any eq 139
access-list acl_out deny udp any any eq 445
access-list acl_out deny tcp any any eq 445
access-list acl_out deny tcp any any eq 135
access-list acl_out deny tcp any any eq 137
access-list acl_in permit icmp any any echo
access-list acl_in permit icmp any any echo-reply
access-list acl_in permit icmp any any unreachable
access-list acl_in permit icmp any any time-exceeded
access-list acl_in permit icmp any any traceroute
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq ftp
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq ssh
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq https
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq pop3
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq smtp
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq 8080
access-list acl_in permit udp 192.168.0.0 255.255.0.0 any eq domain
access-list acl_in permit udp 192.168.0.0 255.255.0.0 any eq ntp
Filter
Filter a group of internal host IP addresses from external WWW access. To block 192.168.1.100 from WWW while all other hosts keep Internet access (the deny must come before the permit, because the PIX evaluates an ACL top-down and stops at the first match):
access-list acl_in deny tcp host 192.168.1.100 any eq www
access-list acl_in permit tcp any any
access-group acl_in in interface inside
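Because ordering decides what an ACL does, it helps to have something that evaluates the entries the way the PIX does. The following evaluator is an added example, not code from the post or from Cisco: it parses the subset of access-list grammar used on this page (any, host, address/mask, interface outside, eq port, ICMP types), applies first-match semantics with the implicit deny, and reports entries shadowed by an earlier one. OUTSIDE_IP (203.0.113.7), the destination 198.51.100.10 used in the checks, and the function names are assumptions of this example; object-group entries are outside its grammar and skipped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not from the original post or from Cisco: a simplified evaluator
# for the access-list lines on this page, implementing PIX first-match semantics
# (top-down, first matching entry wins, implicit deny at the end).

PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25,
              "pop3": 110, "domain": 53, "ntp": 123, "pptp": 1723,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}
OUTSIDE_IP = "203.0.113.7"   # constructed stand-in for 'interface outside'


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[str]


def _addr(tok, i):
    """Consume one address spec: any | host A | A MASK | interface outside."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "interface":
        return ipaddress.ip_network(OUTSIDE_IP + "/32"), i + 2
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1]), i + 2


def _port(tok, i):
    """Consume an optional 'eq <name|number>'."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acls(text):
    """Return {acl_name: [Ace, ...]} in configuration order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or "object-group" in tok:
            continue
        name, action, proto = tok[1], tok[2], tok[3]
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport = icmp_type = None
        if proto == "icmp":
            icmp_type = tok[i] if i < len(tok) else None
        else:
            dport, i = _port(tok, i)
        acls.setdefault(name, []).append(Ace(action, proto, src, sport, dst, dport, icmp_type))
    return acls


def evaluate(aces, proto, src, dst, dport=None, sport=None, icmp_type=None):
    """First-match lookup: (action, index of the matching entry, or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, a in enumerate(aces):
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        if a.sport is not None and a.sport != sport:
            continue
        if a.icmp_type is not None and a.icmp_type != icmp_type:
            continue
        return a.action, idx
    return "deny", None   # implicit deny at the end of every PIX access list


def shadowed(aces):
    """Indexes of entries that can never match because an earlier entry covers them."""
    hits = []
    for j, b in enumerate(aces):
        for a in aces[:j]:
            if (a.proto in ("ip", b.proto) and b.src.subnet_of(a.src)
                    and b.dst.subnet_of(a.dst) and a.sport in (None, b.sport)
                    and a.dport in (None, b.dport) and a.icmp_type in (None, b.icmp_type)):
                hits.append(j)
                break
    return hits


# The post's filter example, in the stated order and reversed.
FILTER_OK = """
access-list acl_in deny tcp host 192.168.1.100 any eq www
access-list acl_in permit tcp any any
"""
FILTER_REVERSED = """
access-list acl_in permit tcp any any
access-list acl_in deny tcp host 192.168.1.100 any eq www
"""
# Tail of acl_in from the final configuration further down this page.
FINAL_TAIL = """
access-list acl_in deny tcp any any eq 1863
access-list acl_in permit ip any any
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq domain
"""
```

Run over FINAL_TAIL, shadowed() reports index 2: the permit for DNS placed after permit ip any any can never be reached, which is harmless here but is exactly the kind of entry that silently stops mattering when the broad permit is later tightened.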
AAA configuration
….
Final configuration
: Saved
: Written by enable_15 at 22:15:06.510 GMT/BST Sun Jan 13 2008
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname pix-fw
domain-name vcomtech.net
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 LAN
name 192.168.1.10 slx002.vcomtech.net
object-group service yahoo-messenger tcp-udp
description Yahoo Messenger
port-object range 5000 5050
port-object eq www
access-list acl_out permit tcp any interface outside eq smtp
access-list acl_out permit tcp any interface outside eq pop3
access-list acl_out permit tcp any interface outside eq https
access-list acl_out permit tcp any interface outside eq ftp
access-list acl_out permit tcp any interface outside eq pptp
access-list acl_out permit tcp any interface outside eq 4125
access-list acl_out permit tcp any interface outside eq 3389
access-list acl_out permit tcp any interface outside eq ssh
access-list acl_out deny tcp any any eq 1863
access-list acl_out deny tcp any any eq 138
access-list acl_out deny tcp any any eq netbios-ssn
access-list acl_out deny udp any any eq netbios-ns
access-list acl_out deny udp any any eq netbios-dgm
access-list acl_out deny udp any any eq 139
access-list acl_out deny udp any any eq 445
access-list acl_out deny tcp any any eq 445
access-list acl_out deny tcp any any eq 135
access-list acl_out deny tcp any any eq 137
access-list acl_out permit tcp any interface outside eq www
access-list acl_out permit tcp any object-group yahoo-messenger any object-group yahoo-messenger
access-list acl_in permit icmp any any echo
access-list acl_in permit icmp any any echo-reply
access-list acl_in permit icmp any any unreachable
access-list acl_in permit icmp any any time-exceeded
access-list acl_in permit icmp any any traceroute
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq ftp
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq ssh
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq https
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq pop3
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq smtp
access-list acl_in permit udp 192.168.0.0 255.255.0.0 any eq domain
access-list acl_in permit udp 192.168.0.0 255.255.0.0 any eq ntp
access-list acl_in deny tcp any any eq 1863
access-list acl_in permit ip any any
access-list acl_in permit tcp 192.168.0.0 255.255.0.0 any eq domain
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap warnings
logging history warnings
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 LAN 255.255.255.0 0 0
static (inside,outside) interface slx002.vcomtech.net netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp authenticate
ntp server 192.43.244.18 source outside prefer
http server enable
http LAN 255.255.255.0 inside
snmp-server location Canada
snmp-server contact Vinh Le, 123-456-7895
snmp-server community publicp
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set CBL1 esp-des esp-sha-hmac
crypto dynamic-map dyn1 100 set transform-set CBL1
crypto map map1 20 ipsec-isakmp dynamic dyn1
crypto map map1 interface outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet LAN 255.255.255.0 inside
telnet timeout 5
ssh LAN 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 192.168.1.211-192.168.1.242 inside
dhcpd dns slx002.vcomtech.net 64.59.135.133
dhcpd lease 604800
dhcpd ping_timeout 750
dhcpd domain vcomtech.net
dhcpd auto_config outside
username vinhle password xxxxxxxxxxx encrypted privilege 15
terminal width 80
banner login Welcome to VCOMTech!
Cryptochecksum:b5122c9dd7a6c0bb161e615c2fdf5d85
: end
Some useful commands
Output of the show xlate and show conn commands
pix-fw(config)# show xlate
20 in use, 125 most used
PAT Global xx.xx.xx.207(22) Local slx002.vcomtech.net(22)
PAT Global xx.xx.xx.207(10) Local slx002.vcomtech.net(53)
PAT Global xx.xx.xx.207(80) Local slx002.vcomtech.net(80)
PAT Global xx.xx.xx.207(1627) Local 192.168.1.201(50404)
PAT Global xx.xx.xx.207(1613) Local 192.168.1.201(50383)
PAT Global xx.xx.xx.207(1696) Local 192.168.1.201(50514)
PAT Global xx.xx.xx.207(1697) Local 192.168.1.201(50516)
PAT Global xx.xx.xx.207(1686) Local 192.168.1.201(50500)
PAT Global xx.xx.xx.207(1687) Local 192.168.1.201(50501)
PAT Global xx.xx.xx.207(1692) Local 192.168.1.201(50508)
PAT Global xx.xx.xx.207(1693) Local 192.168.1.201(50509)
....
PAT Global xx.xx.xx.207(1285) Local 192.168.1.201(4212)
pix-fw(config)# show conn
7 in use, 38 most used
TCP out 68.142.233.170:443 in 192.168.1.201:49491 idle 0:05:13 Bytes 5648 flags UIO
TCP out 192.139.27.18:53995 in slx002.vcomtech.net:22 idle 0:00:00 Bytes 31464 flags UIOB
TCP out 216.155.193.134:80 in 192.168.1.201:49484 idle 0:00:09 Bytes 9729 flags UIO
TCP out 69.63.184.11:80 in 192.168.1.201:50383 idle 0:00:28 Bytes 102702 flags UIO
TCP out 69.63.184.11:80 in 192.168.1.201:50404 idle 0:00:30 Bytes 42844 flags UIO
TCP out 209.191.106.109:80 in 192.168.1.201:50516 idle 0:00:13 Bytes 1350 flags UIO
TCP out 207.46.109.87:1863 in 192.168.1.201:49492 idle 0:00:27 Bytes 27091 flags UIO
pix-fw(config)#
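The conn table above is short enough to read by eye, but on a busier box it is worth parsing. This parser is an added example, not code from the post or from Cisco; it takes the seven connection lines from the capture above as sample input and summarises them, including the one connection whose initial SYN came from the outside (flag B). The flag meanings are those of PIX 6.3 (U = up, I = inbound data, O = outbound data, B = initial SYN from outside); the function names are assumptions of this example.

```python
import re

# Added example, not from the original post or from Cisco: parse 'show conn'
# lines from a PIX 6.3 so the table can be summarised and searched.

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_host>\S+):(?P<out_port>\d+) "
    r"in (?P<in_host>\S+):(?P<in_port>\d+) idle (?P<idle>\d+:\d\d:\d\d) "
    r"Bytes (?P<bytes>\d+)(?: flags (?P<flags>[A-Za-z]+))?$")

# The connection lines from the post's capture, embedded as sample input.
SAMPLE = """\
pix-fw(config)# show conn
7 in use, 38 most used
TCP out 68.142.233.170:443 in 192.168.1.201:49491 idle 0:05:13 Bytes 5648 flags UIO
TCP out 192.139.27.18:53995 in slx002.vcomtech.net:22 idle 0:00:00 Bytes 31464 flags UIOB
TCP out 216.155.193.134:80 in 192.168.1.201:49484 idle 0:00:09 Bytes 9729 flags UIO
TCP out 69.63.184.11:80 in 192.168.1.201:50383 idle 0:00:28 Bytes 102702 flags UIO
TCP out 69.63.184.11:80 in 192.168.1.201:50404 idle 0:00:30 Bytes 42844 flags UIO
TCP out 209.191.106.109:80 in 192.168.1.201:50516 idle 0:00:13 Bytes 1350 flags UIO
TCP out 207.46.109.87:1863 in 192.168.1.201:49492 idle 0:00:27 Bytes 27091 flags UIO
pix-fw(config)#
"""


def parse_conn(text):
    """One dict per connection line; the header and prompts are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        c = m.groupdict()
        c["out_port"], c["in_port"] = int(c["out_port"]), int(c["in_port"])
        c["bytes"] = int(c["bytes"])
        h, mnt, s = (int(x) for x in c["idle"].split(":"))
        c["idle_s"] = h * 3600 + mnt * 60 + s
        c["flags"] = c["flags"] or ""
        conns.append(c)
    return conns


def outside_initiated(conns):
    """Connections whose first SYN came from the outside (flag B). On this box the
    static for slx002 is the only translation that can accept such a connection,
    so any other inside host showing up here deserves a look."""
    return [c for c in conns if "B" in c["flags"]]


def bytes_by_inside_host(conns):
    """Total bytes per inside host, to spot the top talker quickly."""
    totals = {}
    for c in conns:
        totals[c["in_host"]] = totals.get(c["in_host"], 0) + c["bytes"]
    return totals


def to_outside_port(conns, port):
    """Connections to a given outside port, e.g. 1863, which the ACLs deny."""
    return [c for c in conns if c["out_port"] == port]


if __name__ == "__main__":
    conns = parse_conn(SAMPLE)
    print(len(conns), "connections")
    print("outside-initiated:", [c["in_host"] for c in outside_initiated(conns)])
    print("bytes by inside host:", bytes_by_inside_host(conns))
    print("to port 1863:", [c["out_host"] for c in to_outside_port(conns, 1863)])
```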
Troubleshooting
Problem: After an upgrade, the user receives the "Cannot select private key" error when the PIX reboots.
Workaround/Solution: Re-generate the RSA key for SSH:
ca zero rsa
ca generate rsa key 1024
ca save all
write mem
reload