In working with the PIX Firewall device, using the CLI is common because of its similarities to the CLI in Cisco routers and switches. The alternatives include two graphical interface tools: the PIX Firewall Manager (PFM) and the PIX Device Manager (PDM). PFM is the older of the two and is being retired.
The CLI commands are introduced and used in this section.
While similar to the IOS command set, the PIX commands are somewhat different. You might assume these differences will become less noticeable over time as Cisco moves toward an IOS interface for more and more devices. As with the IOS, it’s necessary to be in the correct mode. The four PIX modes are the following:
Unprivileged mode |
Like the User mode on the router, this is the first level in accessing a PIX Firewall. This is also called the User EXEC mode and offers a limited set of commands, none of which can change the configuration. The > symbol at the end of the prompt indicates Unprivileged mode. Prompt: Pixfirewall> |
Privileged mode |
Allows the user to change settings and access the Configuration mode. Use the enable command to get to this mode, and use disable, exit, or quit to return to the Unprivileged mode. All Unprivileged mode commands have a counterpart in this mode. The # symbol at the end of the prompt indicates Privileged mode. Prompt: Pixfirewall# |
Configuration mode |
Allows configuration changes. All Unprivileged and Privileged mode commands have a counterpart in this mode. Unlike the routers, returning to Privileged mode to see the results of configuration changes is unnecessary. The (config)# at the end of the prompt indicates Configuration mode. Prompt: Pixfirewall(config)# |
Monitor mode |
PIX devices that don’t have an internal floppy drive come with a ROM boot monitor program, which is used for upgrading the PIX Firewall’s image. Prompt: Monitor> |
PIX commands can be abbreviated, much like the IOS counterparts; but because of the command differences, the abbreviation might be different. For example, most routers require config t to change to Configuration mode, while co t will work on the firewall.
The following basic commands are important to know when you start to work with the PIX CLI. While many should be familiar, always be on the lookout for differences.
configure memory |
Merges the current configuration with that in Flash memory (startup config). Note, this doesn’t replace the copy in Flash, but merges with it. |
configure net |
Merges a configuration from a TFTP server and the path you specify into the current configuration. |
enable password |
Changes the Privileged (enable) Mode password. This password is encrypted by default. If no Privileged Mode password is set, press ENTER at the Password prompt. To restore the enable password (press ENTER at prompt), type the following: Pixfirewall#enable password. |
passwd |
Sets password for Telnet access to the PIX Firewall console (Privileged mode). The default is cisco. Passwords can be up to 16 characters. The clear passwd command resets the password back to cisco. |
show configure |
Displays Flash (startup) configuration on the terminal. |
show history |
Displays the previously entered commands, same as with routers. |
show ip address |
Displays the IP addresses that are assigned to interfaces. |
show xlate |
Displays current translations and connection slot information. Similar in concept to displaying the NAT translations. |
write erase |
Erases the configuration stored in Flash (startup config). |
write floppy |
Stores the current configuration on diskette for models with floppy. Not supported by current models. Floppy disk must be in DOS format. |
write memory |
Stores the current configuration in Flash memory, along with the activation key value and timestamp for when the configuration was last modified. Replaces the existing saved configuration. |
write server_ip |
Specifies the IP address of the TFTP server. If you specify the full path and filename in the tftp-server command, then use a “:” in the write command. |
write standby |
Writes the current configuration to the failover standby PIX unit from RAM to RAM. This occurs automatically when the Active PIX boots up. |
write terminal |
Displays current configuration on the terminal. |
Commands that are close enough to their IOS counterparts not to present serious problems include the following. If you have trouble with abbreviations or optional parameters, the ? help feature works the same as in the IOS.
hostname
ping
reload
show interface
show version
The next sections look at the basic commands required to configure a PIX Firewall device.
The nameif command can be used to assign a name to an interface if more than two network interfaces are in the PIX Firewall. The first two interfaces are named inside and outside by default. The inside interface has a default security level of 100, while the outside interface has a default security level of 0. The clear nameif command restores default interface names and security levels. The syntax is
nameif hardware_id if_name security_level
clear nameif
hardware_id |
Specifies the interface type and location on the PIX device. Like the interface designations on routers, the names can be spelled out or abbreviated, such as Ethernet 0 or e0. |
if_name |
Interface names can be up to 48 characters long, but then they must be used for all configuration references. So keep them short and easy to remember. Defaults: e1 is named inside, e0 is named outside, and any perimeter interface intfn where n is 2 through 5. |
security_level |
The security level of the interface, from 0 to 100, entered as secN (for example, sec50); inside defaults to 100 and outside to 0. |
The following example shows the use of the nameif command:
Pixfirewall(config)#nameif ethernet2 dmz1 sec50
Pixfirewall(config)#nameif ethernet3 dmz2 sec25
The inside interface can’t be renamed or given a different security level. You can rename the outside interface, but you can’t change the security level. After changing an interface name, use the clear xlate command.
To display interface names, use the show nameif command. The syntax is
show nameif
Use the interface command to define the speed and duplex settings of the network interface boards. After changing an interface command, use the clear xlate command. The syntax is
interface hardware_id [hardware_speed] [shutdown]
hardware_id |
Specifies the interface type and location on the PIX device. Names can be spelled out or abbreviated, such as Ethernet 0 or e0. |
hardware_speed |
Network interface speed (optional). Possible Ethernet values include |
shutdown |
Disable an interface. |
Note |
The previous auto keyword options aren’t recommended because of a lack of standards among vendors. Even though the default is the interface hardware_id auto command, specifying the speed of the network interfaces lets the PIX Firewall operate in network environments, which might include switches or other devices that don’t handle autosensing correctly. |
The shutdown option disables the interface. When installing a PIX Firewall, all interfaces are shut down by default. Interfaces must be explicitly enabled by using the command without the shutdown option.
To display detailed interface information, including the packet-drop count of Unicast RPF for each interface and buffer counters for Ethernet interfaces, use the show interface command. The clear interface command clears all interface statistics, except the number of input bytes. The command works with all interface types, except Gigabit Ethernet. This command no longer shuts down all system interfaces. The syntax for both commands is
show interface hardware_id [hardware_speed] [shutdown]
clear interface
Pixfirewall#show interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 00aa.0000.003b
  IP address 209.165.201.7, subnet mask 255.255.255.224
  MTU 1500 bytes, BW 100000 Kbit half duplex
        1184342 packets input, 1222298001 bytes, 0 no buffer
        Received 26 broadcasts, 27 runts, 0 giants
        4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
        1310091 packets output, 547097270 bytes, 0 underruns, 0 unicast rpf drops
        0 output errors, 28075 collisions, 0 interface resets
        0 babbles, 0 late collisions, 117573 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/2) software (0/1)
The default address for an interface is 127.0.0.1. Use the ip address command to assign an IP address to each interface. If you make a mistake, reenter the command with the correct information. After changing an ip address command, use the clear xlate command. The syntax is
ip address if_name ip_address [netmask]
if_name |
The internal or external interface name designated by the nameif command |
ip_address |
PIX Firewall unit’s network interface IP address |
netmask |
Network mask of ip_address |
If a netmask isn’t specified, PIX Firewall assigns one of the following default classful network masks based on the IP address.
Class A—255.0.0.0
Class B—255.255.0.0
Class C—255.255.255.0
Note |
If you’re using subnets, the best policy is to specify a network mask with this command. Otherwise, it’s possible that PIX using the classful mask could see another address you want to use as being a part of a previously defined network and prevent you from using it. |
To display the IP addresses on each interface, use the show ip command. The following is sample output from the show ip command:
Pixfirewall#show ip
System IP Addresses:
        ip address outside 209.165.201.2 255.255.255.224
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.168.70.3 255.255.255.0
Current IP Addresses:
        ip address outside 209.165.201.2 255.255.255.224
        ip address inside 192.168.2.1 255.255.255.0
        ip address perimeter 192.168.70.3 255.255.255.0
NAT allows the network to have any IP addressing scheme, including private addresses, and the PIX Firewall hides these addresses from visibility on the external network. While the implementation is different, the purpose and result are much the same as NAT covered in Chapter 6. With address translation, when a host starts an outbound connection, the IP addresses of the internal network are translated into global addresses, which will be seen by the outside world. The syntax is
nat (if_name) nat_id local_ip [netmask]
if_name |
The internal network interface name. |
nat_id |
The ID number to match with the global address pool. |
local_ip |
Internal network IP address to be translated. You can use 0.0.0.0 to allow all hosts to start outbound connections. The 0.0.0.0 local_ip can be abbreviated as 0. |
netmask |
Network mask for local_ip. You can use 0.0.0.0 to allow all outbound connections to translate with IP addresses from the global pool. The netmask 0.0.0.0 can be abbreviated as 0. |
In the following example, the nat command statement allows all the hosts on the 192.168.1.0 network to start outbound connections. The default netmask is being used. The nat_id 1 refers to a pool of global addresses created by the global command, covered in the next section.
Pixfirewall(config)#nat (inside) 1 192.168.1.0
In the next example, all internal hosts can use global address pool 1 to start outbound connections.
Pixfirewall(config)#nat (inside) 1 0 0
The show nat command displays the nat command statements in the current configuration. Use the show xlate command to view translation slot information. The clear xlate command clears the translation table.
The following is sample output from the show xlate command with three active PATs:
Pixfirewall(config)#show xlate
3 in use, 3 most used
PAT Global 192.168.1.97(0) Local 172.16.205.49 ICMP id 340
PAT Global 192.168.1.97(1024) Local 172.16.205.49(1028)
PAT Global 192.168.1.97(1024) Local 172.16.205.49(516)
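As an added example that is not part of the original text and not Cisco's software, the following Python parses show xlate output of the form just shown into records and counts translation slots per internal host, which is how an operator notices one internal machine holding an unusual share of the PAT table. The sample text is constructed from the output above; the one plain (non-PAT) record and the threshold value are assumptions, as are the function names.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the show xlate output quoted on the page, one record
# per line as the firewall prints it (prompt line included on purpose).
SAMPLE_XLATE = """\
Pixfirewall(config)#show xlate
3 in use, 3 most used
PAT Global 192.168.1.97(0) Local 172.16.205.49 ICMP id 340
PAT Global 192.168.1.97(1024) Local 172.16.205.49(1028)
PAT Global 192.168.1.97(1024) Local 172.16.205.49(516)
"""
# Constructed one-to-one record (assumed format, not taken from the page).
SAMPLE_NAT_LINE = "Global 209.165.201.10 Local 192.168.2.5"

HEADER_RE = re.compile(r"^(?P<in_use>\d+) in use, (?P<most_used>\d+) most used")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ENTRY_RE = re.compile(
    rf"^(?P<pat>PAT )?Global (?P<gip>{IP})(?:\((?P<gport>\d+)\))?"
    rf" Local (?P<lip>{IP})(?:\((?P<lport>\d+)\))?"
    r"(?: ICMP id (?P<icmp>\d+))?$"
)


@dataclass(frozen=True)
class Xlate:
    kind: str                  # "PAT" (port overloaded) or "NAT" (one-to-one slot)
    global_ip: str
    global_port: Optional[int]
    local_ip: str
    local_port: Optional[int]
    icmp_id: Optional[int]


def parse_xlate(text: str) -> tuple[dict[str, int], list[Xlate]]:
    """Parse show xlate output into a header dict and a list of Xlate records.
    Lines that are neither the header nor a translation (e.g. the prompt) are skipped."""
    header: dict[str, int] = {}
    entries: list[Xlate] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header = {k: int(v) for k, v in m.groupdict().items()}
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        entries.append(Xlate(
            kind="PAT" if g["pat"] else "NAT",
            global_ip=g["gip"],
            global_port=int(g["gport"]) if g["gport"] is not None else None,
            local_ip=g["lip"],
            local_port=int(g["lport"]) if g["lport"] is not None else None,
            icmp_id=int(g["icmp"]) if g["icmp"] is not None else None,
        ))
    return header, entries


def slots_per_local_host(entries: list[Xlate]) -> dict[str, int]:
    """Count translation slots held by each internal address."""
    counts: dict[str, int] = {}
    for e in entries:
        counts[e.local_ip] = counts.get(e.local_ip, 0) + 1
    return counts


def hosts_over_threshold(entries: list[Xlate], threshold: int) -> list[str]:
    """Internal hosts holding at least `threshold` slots, sorted. The threshold
    is an operator-chosen assumption, not a PIX setting."""
    return sorted(h for h, n in slots_per_local_host(entries).items() if n >= threshold)


if __name__ == "__main__":
    hdr, recs = parse_xlate(SAMPLE_XLATE)
    print(hdr, len(recs), "records;", slots_per_local_host(recs))
```

Feed it the captured text of a show xlate session (for example, saved from a console log) rather than the sample, and compare slots_per_local_host against the "in use" figure in the header; a single local address that accounts for most of the slots is worth a closer look.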
Use the configuration mode global command to define a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection and for those inbound connections resulting from outbound connections. To use the global pool of addresses, the nat and global command statements must use the same nat_id. The PIX Firewall assigns the addresses from the beginning of the range (smallest address) to the largest.
The global command can’t use names with a dash (-) in them because the dash is used by the command to indicate a range of IP addresses. After changing or removing a global command statement, use the clear xlate command. The syntax is
global (if_name) nat_id interface | global_ip [-global_ip] [netmask global_mask]
if_name |
The external network where you use these global addresses. |
nat_id |
A positive integer shared with the nat command that links the nat and global command statements together. Valid ID numbers are 1 to 2,147,483,647. |
interface |
Specifies PAT using the IP address of the interface. |
global_ip |
Single global IP address or the first in a range. |
-global_ip |
A range ending with global_ip. |
netmask |
(Optional) Reserved word that prefaces the network global_mask variable. |
global_mask |
(Optional) The network mask for global_ip. |
If subnetting is used, specify a subnet mask; for example, 255.255.255.128 specifies one half of a class C network. If the address range given by global_ip -global_ip overlaps subnet boundaries defined by the netmask global_mask statement, the global pool won’t use any broadcast or network addresses included in the pool of global addresses.
For example, the mask 255.255.255.128 applied to the 192.168.1.0 network would normally define either the first half (192.168.1.0 to 192.168.1.127) or the second half (192.168.1.128 to 192.168.1.255) of the address space. The following command seems correct.
global (outside) 1 192.168.1.0 - 192.168.1.127 netmask 255.255.255.128
The pool contains the network address 192.168.1.0 and the broadcast address 192.168.1.127. Both will be ignored by the pool. A better implementation of the command might be the following:
global (outside) 1 192.168.1.1 - 192.168.1.126 netmask 255.255.255.128
The following example uses nat command statements to specify that all the hosts on the 192.168.1.0 and 192.168.100.0 inside networks can start outbound connections. The global command statements create the pools of global addresses as follows:
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 1.1.1.1-1.1.1.30 netmask 255.255.255.224
global (outside) 1 215.4.61.0
nat (inside) 3 192.168.100.0 255.255.255.0
global (outside) 3 1.1.11.15-1.1.11.27 netmask 255.255.255.224
To display the range of global addresses, use the show global command.
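The classful-default rule from the ip address section and the pool-boundary rule for global are both easy to get wrong by hand, so here is an added Python example (not from the original text and not Cisco's code) that works them out with the standard ipaddress module: classful_mask applies the default-mask table, overlapping_interfaces shows the collision the note in that section warns about when netmask is left off, and global_pool expands a global range and separates the addresses the pool hands out from the network and broadcast addresses it ignores. The function names, the rejection of class D/E addresses and the treatment of /31 and /32 masks are assumptions.

```python
from __future__ import annotations
import ipaddress
from typing import Optional


def classful_mask(ip: str) -> str:
    """Default mask the page says PIX applies when ip address omits netmask.
    Assumption: class D/E addresses are rejected rather than guessed."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "255.0.0.0"        # class A
    if first_octet < 192:
        return "255.255.0.0"      # class B
    if first_octet < 224:
        return "255.255.255.0"    # class C
    raise ValueError(f"{ip} has no classful default mask")


def interface_network(ip: str, mask: Optional[str] = None) -> ipaddress.IPv4Network:
    """The network an ip address statement claims, falling back to the classful default."""
    return ipaddress.IPv4Network(f"{ip}/{mask or classful_mask(ip)}", strict=False)


def overlapping_interfaces(
    assignments: dict[str, tuple[str, Optional[str]]],
) -> list[tuple[str, str]]:
    """Pairs of interfaces whose networks overlap: the collision that occurs when
    subnets are in use but netmask is left off and the classful default is applied."""
    names = list(assignments)
    clashes: list[tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if interface_network(*assignments[a]).overlaps(interface_network(*assignments[b])):
                clashes.append((a, b))
    return clashes


def global_pool(first_ip: str, last_ip: str, global_mask: str) -> tuple[list[str], list[str]]:
    """Expand a global range and split it into the addresses the pool will hand out
    and the network/broadcast addresses it silently ignores."""
    start, end = ipaddress.IPv4Address(first_ip), ipaddress.IPv4Address(last_ip)
    if end < start:
        raise ValueError("range end precedes range start")
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{global_mask}").prefixlen
    usable: list[str] = []
    ignored: list[str] = []
    for n in range(int(start), int(end) + 1):
        addr = ipaddress.IPv4Address(n)
        subnet = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
        # Assumption: with a /31 or /32 mask there is no network/broadcast pair to skip.
        if prefix < 31 and addr in (subnet.network_address, subnet.broadcast_address):
            ignored.append(str(addr))
        else:
            usable.append(str(addr))
    return usable, ignored


def valid_global_name(name: str) -> bool:
    """global cannot use a name containing a dash, because '-' denotes a range."""
    return "-" not in name


if __name__ == "__main__":
    usable, ignored = global_pool("192.168.1.0", "192.168.1.127", "255.255.255.128")
    print(len(usable), "usable; ignored:", ignored)
    print(overlapping_interfaces({"inside": ("172.16.1.1", None), "dmz1": ("172.16.2.1", None)}))
```

Run global_pool over each global statement before committing it: an empty ignored list means the range wastes nothing, and the usable count is the real number of concurrent outbound translations the pool can support.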
Use the configuration mode route command to define a default or a static route for an interface. To define a default route, set ip_address and netmask both to 0.0.0.0, or the shortened form of 0. All routes entered using the route command are stored in the configuration when it’s saved. The clear route command removes route command statements that don’t contain the CONNECT keyword from the configuration. The syntax is
route if_name ip_address netmask gateway_ip [metric]
if_name |
The internal or external network interface name. |
ip_address |
The internal or external network IP address. Use 0.0.0.0 to specify a default route, which can be abbreviated as 0. |
netmask |
Specify a network mask to apply to ip_address. Use 0.0.0.0 to specify a default route, which can be abbreviated as 0. |
gateway_ip |
Specify the IP address of the gateway router (the next hop address for this route). |
metric |
Specify the number of hops to gateway_ip. The default is 1. |
Static routes are conceptually the same as with the routers. Because PIX devices aren’t routers per se, static and default static routes are used to direct packets to their destination. In this example, the PIX Firewall will send all packets destined to the 192.168.12.0 network to the 192.168.0.2 router with this static route statement.
Pixfirewall(config)#route dmz1 192.168.12.0 255.255.255.0 192.168.0.2 1
To define a default route for the outside interface, use the following command to direct all traffic to the 192.168.44.1 interface on the perimeter router.
Pixfirewall(config)#route outside 0 0 192.168.44.1 1
Use the show route command to confirm static and default route configuration.