Basic PIX Firewall Configuration

In working with the PIX Firewall device, using the CLI is common because of its similarities to the CLI in Cisco routers and switches. The alternatives include two graphical interface tools: the PIX Firewall Manager (PFM) and the PIX Device Manager (PDM). PFM is the older of the two and is being retired.

The CLI commands are introduced and used in this section.

PIX Command-Line Interface

While similar to the IOS command set, the PIX commands are somewhat different. You might assume these differences will become less noticeable over time as Cisco moves toward an IOS interface for more and more devices. As with the IOS, it’s necessary to be in the correct mode. The four PIX modes are the following:

Unprivileged mode

Like the User mode on the router, this is the first level in accessing a PIX Firewall. This is also called the User EXEC mode and offers a limited set of commands, none of which can change the configuration. The > symbol at the end of the prompt indicates Unprivileged mode. Prompt: Pixfirewall>

Privileged mode

Allows the user to change settings and access the Configuration mode. Use the enable command to get to this mode, and use disable, exit, or quit to return to the Unprivileged mode. All Unprivileged mode commands have a counterpart in this mode. The # symbol at the end of the prompt indicates Privileged mode. Prompt: Pixfirewall#

Configuration mode

Allows configuration changes. All Unprivileged and Privileged mode commands have a counterpart in this mode. Unlike the routers, returning to Privileged mode to see the results of configuration changes is unnecessary. The (config)# at the end of the prompt indicates Configuration mode. Prompt: Pixfirewall(config)#

Monitor mode

PIX devices that don’t have an internal floppy drive come with a ROM boot monitor program, which is used for upgrading the PIX Firewall’s image. Prompt: Monitor>

PIX commands can be abbreviated, much like the IOS counterparts; but because of the command differences, the abbreviation might be different. For example, most routers require config t to change to Configuration mode, while co t will work on the firewall.

The following basic commands are important to know when you start to work with the PIX CLI. While many should be familiar, always be on the lookout for differences.

configure memory

Merges the current configuration with that in Flash memory (startup config). Note, this doesn’t replace the copy in Flash, but merges with it.

configure net

Merges a configuration from a TFTP server and the path you specify into the current configuration.

enable password

Changes the Privileged (enable) Mode password. This password is encrypted by default. If no Privileged Mode password is set, press ENTER at the Password prompt. To restore the enable password (press ENTER at the prompt), type the following:

Pixfirewall#enable password

passwd

Sets the password for Telnet access to the PIX Firewall console (Privileged mode). The default is cisco. Passwords can be up to 16 characters. The clear passwd command resets the password back to cisco.

show configure

Displays Flash (startup) configuration on the terminal.

show history

Displays the previously entered commands, same as with routers.

show ip address

Displays the IP addresses that are assigned to interfaces.

show xlate

Displays current translations and connection slot information. Similar in concept to displaying the NAT translations.

write erase

Erases the configuration stored in Flash (startup config).

write floppy

Stores the current configuration on diskette for models with floppy. Not supported by current models. Floppy disk must be in DOS format.

write memory

Stores the current configuration in Flash memory, along with the activation key value and timestamp for when the configuration was last modified. Replaces the existing saved configuration.

write server_ip

Specifies the IP address of the TFTP server. If you specify the full path and filename in the tftp-server command, then use a “:” in the write command.

write standby

Writes the current configuration to the failover standby PIX unit from RAM to RAM. This occurs automatically when the Active PIX boots up.

write terminal

Displays current configuration on the terminal.

Commands that are close enough to their IOS counterparts not to present serious problems include the following. If you have trouble with abbreviations or optional parameters, the ? help feature works the same as in the IOS.

  • hostname

  • ping

  • reload

  • show interface

  • show version

The next sections look at the basic commands required to configure a PIX Firewall device.

The nameif Command

The nameif command can be used to assign a name to an interface if more than two network interfaces are in the PIX Firewall. The first two interfaces are named inside and outside by default. The inside interface has a default security level of 100, while the outside interface has a default security level of 0. The clear nameif command restores default interface names and security levels. The syntax is

nameif hardware_id if_name security_level
clear nameif

hardware_id

Specifies the interface type and location on the PIX device. Like the interface designations on routers, the names can be spelled out or abbreviated, such as Ethernet 0 or e0.

if_name

Interface names can be up to 48 characters long, but then they must be used for all configuration references, so keep them short and easy to remember. Defaults: e1 is named inside, e0 is named outside, and any perimeter interface is named intfn, where n is 2 through 5.



The following example shows the use of the nameif command:

Pixfirewall(config)#nameif ethernet2 dmz1 sec50
Pixfirewall(config)#nameif ethernet3 dmz2 sec25

The inside interface can’t be renamed or given a different security level. You can rename the outside interface, but you can’t change the security level. After changing an interface name, use the clear xlate command.

The show nameif Command

To display interface names, use the show nameif command. The syntax is

show nameif

The interface Command

Use the interface command to define the speed and duplex settings of the network interface boards. After changing an interface command, use the clear xlate command. The syntax is

interface hardware_id [hardware_speed] [shutdown]

hardware_id

Specifies the interface type and location on the PIX device. Names can be spelled out or abbreviated, such as Ethernet 0 or e0.

hardware_speed

Network interface speed (optional). Possible Ethernet values include the following:

  • 10baset—10 Mbps Ethernet half-duplex

  • 10full—10 Mbps Ethernet full-duplex

  • 100basetx—100 Mbps Ethernet half-duplex

  • 100full—100 Mbps Ethernet full-duplex

  • 1000sxfull—1000 Mbps Gigabit Ethernet full-duplex

  • 1000basesx—1000 Mbps Gigabit Ethernet half-duplex

  • 1000auto—1000 Mbps Gigabit Ethernet to autonegotiate full- or half-duplex

  • aui—10 Mbps Ethernet half-duplex with an AUI cable interface

  • auto—Set Ethernet speed automatically

  • bnc—10 Mbps Ethernet half-duplex with a BNC cable interface

shutdown

Disables an interface.


The auto keyword options listed above aren’t recommended because of a lack of standards among vendors. Even though the default is the interface hardware_id auto command, explicitly specifying the speed of the network interfaces lets the PIX Firewall operate in network environments that include switches or other devices that don’t handle autosensing correctly.

The shutdown Option

The shutdown option disables the interface. When installing a PIX Firewall, all interfaces are shut down by default. Interfaces must be explicitly enabled by using the command without the shutdown option.

The show interface Command

To display detailed interface information, including the packet-drop count of Unicast RPF for each interface and buffer counters for Ethernet interfaces, use the show interface command. The clear interface command clears all interface statistics except the number of input bytes; it works with all interface types except Gigabit Ethernet, and it no longer shuts down all system interfaces. The syntax for both commands is

show interface hardware_id [hardware_speed] [shutdown]
clear interface

Pixfirewall#show interface
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 00aa.0000.003b
IP address, subnet mask
MTU 1500 bytes, BW 100000 Kbit half duplex
    1184342 packets input, 1222298001 bytes, 0 no buffer
    Received 26 broadcasts, 27 runts, 0 giants
    4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
    1310091 packets output, 547097270 bytes, 0 underruns, 0 unicast rpf drops
    0 output errors, 28075 collisions, 0 interface resets
    0 babbles, 0 late collisions, 117573 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (0/1)
    output queue (curr/max blocks): hardware (0/2) software (0/1)
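The counters in that output are what an administrator checks when a PIX interface misbehaves or drops traffic. As an added example (not from the book), the following Python parses show interface text in the format shown above and flags the counters worth a second look, such as Unicast RPF drops and input errors; the sample output is constructed, and the addresses in it are made up.

```python
# Added example, not from the book: parse "show interface" text (format as shown
# above) and flag counters a firewall administrator watches during a health check.
import re

# Constructed sample output; addresses and counters are made-up values.
SAMPLE_SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 00aa.0000.003b
  IP address 192.0.2.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit half duplex
        1184342 packets input, 1222298001 bytes, 0 no buffer
        4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
        1310091 packets output, 547097270 bytes, 0 underruns, 12 unicast rpf drops
interface ethernet1 "inside" is up, line protocol is down
  IP address 10.0.0.1, subnet mask 255.255.255.0
        10 packets input, 640 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns, 0 unicast rpf drops
"""

HEADER_RE = re.compile(r'^interface (\S+) "([^"]+)" is (\w+), line protocol is (\w+)')
# "<number> <lower-case counter name>" fields separated by commas; the lookbehind
# keeps MAC-address digits and values such as "i82559" from being read as counters.
COUNTER_RE = re.compile(r"(?<![\w.])(\d+) ([a-z][a-z ]*?)(?:,|$)")

def parse_show_interface(text):
    """Return {if_name: {"hardware", "status", "protocol", <counter name>: int, ...}}."""
    interfaces, current = {}, None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            hw, name, status, proto = h.groups()
            current = interfaces[name] = {"hardware": hw, "status": status, "protocol": proto}
            continue
        if current is None or not line.startswith(" "):
            continue  # not a detail line of a known interface
        for value, key in COUNTER_RE.findall(line.strip()):
            current[key.strip()] = int(value)
    return interfaces

def findings(interfaces):
    """List warnings worth a look: link down, Unicast RPF drops, input errors."""
    out = []
    for name, d in interfaces.items():
        if d["protocol"] != "up":
            out.append(f"{name}: line protocol is {d['protocol']}")
        if d.get("unicast rpf drops", 0):
            out.append(f"{name}: {d['unicast rpf drops']} unicast RPF drops (check for spoofed sources)")
        if d.get("input errors", 0):
            out.append(f"{name}: {d['input errors']} input errors (cabling or duplex mismatch?)")
    return out
```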

The ip address Command

The default address for an interface is Use the ip address command to assign an IP address to each interface. If you make a mistake, reenter the command with the correct information. After changing an ip address command, use the clear xlate command. The syntax is

ip address if_name ip_address [netmask]

if_name

The internal or external interface name designated by the nameif command

ip_address

PIX Firewall unit’s network interface IP address

netmask

Network mask of ip_address

If a netmask isn’t specified, PIX Firewall assigns one of the following default classful network masks based on the IP address.

  • Class A—

  • Class B—

  • Class C—


If you’re using subnets, the best policy is to specify a network mask with this command. Otherwise, it’s possible that PIX using the classful mask could see another address you want to use as being a part of a previously defined network and prevent you from using it.

The show ip Command

To display the IP addresses on each interface, use the show ip command. The following is sample output from the show ip command:

Pixfirewall#show ip
System IP Addresses:
    ip address outside
    ip address inside
    ip address perimeter
Current IP Addresses:
    ip address outside
    ip address inside
    ip address perimeter

The nat Command

NAT allows the network to have any IP addressing scheme, including private addresses, and the PIX Firewall hides these addresses from visibility on the external network. While the implementation is different, the purpose and result are much the same as NAT covered in Chapter 6. With address translation, when a host starts an outbound connection, the IP addresses of the internal network are translated into global addresses, which will be seen by the outside world. The syntax is

nat (if_name) nat_id local_ip [netmask]

if_name

The internal network interface name.

nat_id

The ID number to match with the global address pool.

local_ip

Internal network IP address to be translated. You can use to allow all hosts to start outbound connections. The local_ip can be abbreviated as 0.

netmask

Network mask for local_ip. You can use to allow all outbound connections to translate with IP addresses from the global pool. The netmask can be abbreviated as 0.

In the following example, the nat command statement allows all the hosts on the network to start outbound connections. The default netmask is being used. The nat_id 1 refers to a pool of global addresses created by the global command, covered in the next section.

Pixfirewall(config)#nat (inside) 1

In the next example, all internal users can use the 1 global address pool to start outbound connections.

Pixfirewall(config)#nat (inside) 1 0 0

The show nat and show xlate Commands

The show nat command displays the nat command statements in the current configuration. Use the show xlate command to view translation slot information. The clear xlate command clears the translation table.

The following is sample output from the show xlate command with three active PATs:

Pixfirewall(config)#show xlate
3 in use, 3 most used
PAT Global Local ICMP id 340
PAT Global Local
PAT Global Local

The global Command

Use the configuration mode global command to define a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection and for those inbound connections resulting from outbound connections. To use the global pool of addresses, the nat and global command statements must use the same nat_id. The PIX Firewall assigns the addresses from the beginning of the range (smallest address) to the largest.

The global command can’t use names with a dash (-) in them because the dash is used by the command to indicate a range of IP addresses. After changing or removing a global command statement, use the clear xlate command. The syntax is

global (if_name) nat_id interface | global_ip [-global_ip] [netmask global_mask]

if_name

The external network where you use these global addresses.

nat_id

A positive integer shared with the nat command that links the nat and global command statements together. Valid ID numbers are 1 to 2,147,483,647.

interface

Specifies PAT using the IP address of the interface.

global_ip

Single global IP address or the first in a range.

-global_ip

A range ending with global_ip.

netmask

(Optional) Reserved word that prefaces the network global_mask variable.

global_mask

(Optional) The network mask for global_ip.

If subnetting is used, specify a subnet mask; for example, will specify one half of a class C network. If a specified address range in the global_ip global_ip overlaps subnets defined by the netmask global_mask statement, the global pool won’t use any broadcast or network addresses included in the pool of global addresses.

For example, using the and the network would normally be used to define either the first half or the second half of the address pool to or to The following command seems correct.

global (outside) 1 - netmask 

The pool contains the network address and the broadcast address Both will be ignored by the pool. A better implementation of the command might be the following:

global (outside) 1 - netmask 

Using nat and global Commands Together

The following example specifies with nat command statements, which all the hosts on the and inside networks can use to start outbound connections. The global command statements create a pool of global addresses as follows:

nat (inside) 1
global (outside) 1 netmask
global (outside) 1

nat (inside) 3
global (outside) 3 netmask
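Two things in the global and nat discussion above are easy to get wrong when writing a configuration by hand: a global range that silently loses its network and broadcast addresses, and a nat statement whose nat_id has no matching global statement. The following Python is an added example (not from the book) that models both checks; the configuration it parses is constructed, and its addresses are made-up values, not those of the book’s examples.

```python
# Added example, not from the book: models the PIX rule that a "global" pool never
# hands out a network or broadcast address of the subnets its range overlaps, and
# checks that every nat_id used by a nat statement has a matching global statement.
import ipaddress
import re

# Constructed sample configuration; the addresses are example values, not the book's.
SAMPLE_CONFIG = """
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 192.168.1.1-192.168.1.254 netmask 255.255.255.0
nat (inside) 3 10.2.0.0 255.255.0.0
global (outside) 3 192.168.2.128-192.168.2.255 netmask 255.255.255.128
nat (inside) 5 10.3.0.0 255.255.0.0
global (outside) 7 interface
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+?)(?:-(\S+))?(?: netmask (\S+))?$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")

def usable_pool(first, last=None, mask=None):
    """Addresses a global range will actually use (network/broadcast skipped when a mask is given)."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last) if last else start
    pool = []
    for n in range(int(start), int(end) + 1):
        addr = ipaddress.IPv4Address(n)
        if mask:
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            if addr in (net.network_address, net.broadcast_address):
                continue  # the PIX ignores these, as the book's example describes
        pool.append(str(addr))
    return pool

def check_config(text):
    """Return ({nat_id: usable addresses}, [nat_ids with no global statement])."""
    pools, nat_ids = {}, set()
    for line in text.strip().splitlines():
        g = GLOBAL_RE.match(line)
        if g:
            _, nat_id, first, last, mask = g.groups()
            if first == "interface":  # PAT using the interface's own address
                pools.setdefault(int(nat_id), []).append("interface (PAT)")
            else:
                pools.setdefault(int(nat_id), []).extend(usable_pool(first, last, mask))
            continue
        n = NAT_RE.match(line)
        if n:
            nat_ids.add(int(n.group(2)))
    return pools, sorted(nat_ids - set(pools))
```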

The show global Command

To display the range of global addresses, use the show global command.

The route Command

Use the configuration mode route command to define a default or a static route for an interface. To define a default route, set ip_address and netmask both to, or the shortened form of 0. All routes entered using the route command are stored in the configuration when it’s saved. The clear route command removes route command statements that don’t contain the CONNECT keyword from the configuration. The syntax is

route if_name ip_address netmask gateway_ip [metric]

if_name

The internal or external network interface name.

ip_address

The internal or external network IP address. Use to specify a default route, which can be abbreviated as 0.

netmask

Specify a network mask to apply to ip_address. Use to specify a default route, which can be abbreviated as 0.

gateway_ip

Specify the IP address of the gateway router (the next hop address for this route).

metric

Specify the number of hops to gateway_ip. The default is 1.

Static routes are conceptually the same as with the routers. Because PIX devices aren’t routers per se, static and default routes are used to direct packets to their destination. In this example, the PIX Firewall will send all packets destined to the network to the router with this static route statement.

Pixfirewall(config)#route dmz1 1

To define a default route for the outside interface, use the following command to direct all traffic to the interface on the perimeter router.

Pixfirewall(config)#route outside 0 0 1

The show route Command

Use the show route command to confirm static and default route configuration.
