Basic PIX Firewall Configuration

In this section, you will implement the commands introduced in Chapter 17, and add those commands that will be useful and/or necessary. The commands from Chapter 17 are used without further explanation because they were covered earlier. These commands make up the six basic commands for initial PIX Firewall configuration.

  • The nameif command

  • The interface command

  • The ip address command

  • The nat command

  • The global command

  • The route command

These commands are approached as if they were a series of steps to be followed each time a firewall needs configuration. This method ensures that you won’t overlook a basic step and have trouble implementing an advanced feature because of it.

Tip

When I first started with routers, I developed a similar list that has since become a habit. And I have a similar list for switches and servers. The key is to identify those basic commands and to have an efficient order that’s required to get up and running (period). Once operating, you can take the time to add additional features. I learned this from my own mistakes, as well as watching the repeated and predictable mistakes of many others.

Step 1: Name the PIX Firewall, assign a privilege-level password, assign a Telnet password, and specify the IP address of a host that is allowed to Telnet to the PIX.

pixfirewall#config t
pixfirewall(config)#hostname Pix
Pix(config)#
Pix(config)#enable password cisco      (privilege mode password)
Pix(config)#passwd letmein             (Telnet password)
Pix(config)#telnet 192.168.1.10

Step 2: Name and define the DMZ interface. We’ll use the default settings for inside (ethernet1, security level 100) and outside (ethernet0, security level 0).

Pix(config)#nameif ethernet2 dmz sec50

Step 3: Assign IP addresses to the interfaces.

Pix(config)#ip address outside 1.1.1.1 255.255.255.0
Pix(config)#ip address inside 192.168.1.1 255.255.255.0
Pix(config)#ip address dmz 192.168.2.1 255.255.255.0

Step 4: By default, the interfaces on the PIX are administratively shut down. Use the interface command to enable the physical interfaces and set the interface speed and duplex mode. The following example sets the inside and outside interfaces to autodetect and the DMZ interface to 100 Mbps, full duplex.

Pix(config)#interface e0 auto
Pix(config)#interface e1 auto
Pix(config)#interface e2 100full

Step 5: Now that you’ve configured IP addresses for the inside and outside interfaces, you need to specify a default route using the route command. The route outside command tells the PIX Firewall to send all outbound traffic to the next-hop router (1.1.1.2 here, on the outside interface’s subnet). The trailing 1 is the metric, indicating the router is one hop away. The command could be abbreviated as route outside 0 0 1.1.1.2 1.

Pix(config)#route outside 0.0.0.0 0.0.0.0 1.1.1.2 1

Step 6: To allow all inside hosts to initiate outbound connections using NAT, use the nat command, as shown here:

Pix(config)#nat (inside) 1 0 0
Pix(config)#nat (dmz) 1 0 0

Next, configure a global pool of addresses to be used by inside hosts. You must configure a pool for use when communicating with hosts on the outside and hosts on the DMZ.

Pix(config)#global (outside) 1 1.1.1.20-1.1.1.254 netmask 255.255.255.0

Step 7: To allow public access to the DMZ web server, create a static mapping between the web server’s address on the DMZ and the address outside hosts will use when they send connection requests to the PIX outside interface. The static command names the higher-security interface (dmz) first and the lower-security interface (outside) second. The first IP address is the global address that outside hosts will connect to; the second is the real address of the server on the DMZ that it translates to.

Pix(config)#static (dmz,outside) 1.1.1.19 192.168.2.2

Step 8: Even with the static mapping, the PIX’s Adaptive Security Algorithm (ASA) won’t permit outside hosts to connect to the web server on the DMZ, because the DMZ’s security level (50) is higher than the outside interface’s security level (0), and connections from a lower-security to a higher-security interface are denied by default. Also, the ASA won’t permit ICMP through the PIX by default.

PIX software versions prior to 5.0.1 used the conduit command to open this path. The following conduit command permits any outside host to initiate a connection to port 80 (www) on the web server’s global address.

Pix(config)#conduit permit tcp host 1.1.1.19 eq www any

In PIX software versions 5.0.1 and later, ACLs applied with access-group can be used instead of conduits. Combining ACLs and conduits in the same configuration isn’t good practice; if both are configured, the ACLs take precedence over the conduits.

The following example shows an ACL entry that permits any outside host to initiate a connection to the web server on port 80. The second line applies the ACL inbound on the outside interface.

Pix(config)#access-list 101 permit tcp any host 1.1.1.19 eq www
Pix(config)#access-group 101 in interface outside

Any time changes are made to the PIX NAT configuration or conduits, issue the clear xlate command so that the ASA applies the change (writing the configuration also applies the new settings).

Note

Take care when implementing commands that allow outside traffic through the firewall; it’s important not to allow more access than intended. A conduit permit ip any any or access-list 101 permit ip any any entry would allow any host on the untrusted outside network to reach any host on the trusted network over IP, as long as an active translation exists.

Step 9: Finally, save the configuration with the write memory command, check it with the write terminal command, and then test network connectivity.
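As an added example (not from the book or from Cisco), the following Python script audits a PIX-style configuration text for the pitfalls covered in Steps 6 through 8 and the Note: permit ip any any conduits or ACL entries, conduits mixed with ACLs, ACLs never applied with access-group, and a static whose global address is not on the destination interface’s subnet. The sample configuration, the audit_pix_config function and its severity labels are constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the chapter's configuration plus one risky conduit line
# and one ACL that is never applied, both inserted to exercise the checks.
SAMPLE_CONFIG = """\
nameif ethernet2 dmz sec50
ip address outside 1.1.1.1 255.255.255.0
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 1.1.1.20-1.1.1.254 netmask 255.255.255.0
static (dmz,outside) 1.1.1.19 192.168.2.2
conduit permit ip any any
access-list 101 permit tcp any host 1.1.1.19 eq www
access-list 102 permit tcp any host 1.1.1.19 eq ftp
access-group 101 in interface outside
"""

ANY_ANY = re.compile(r"^(conduit|access-list \S+) permit ip any any\b")
IP_ADDR = re.compile(r"^ip address (\w+) (\S+) (\S+)$")
STATIC = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")

def audit_pix_config(text):
    """Return a list of (severity, message) findings for a PIX configuration."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    conduits = [ln for ln in lines if ln.startswith("conduit ")]
    acl_ids = {ln.split()[1] for ln in lines if ln.startswith("access-list ")}
    applied = {ln.split()[1] for ln in lines if ln.startswith("access-group ")}
    # Interface name -> connected subnet, taken from the ip address commands.
    subnets = {m[1]: ip_network(f"{m[2]}/{m[3]}", strict=False)
               for m in map(IP_ADDR.match, lines) if m}

    for line in lines:
        if ANY_ANY.match(line):  # the "permit ip any any" case from the Note
            findings.append(("high", f"permits any host to any host: {line}"))
        m = STATIC.match(line)
        # A static's global address must lie on the destination interface's subnet.
        if m and m[2] in subnets and ip_address(m[3]) not in subnets[m[2]]:
            findings.append(("medium", f"static global {m[3]} is not on the {m[2]} interface subnet"))
    if conduits and acl_ids:
        findings.append(("medium", "conduits and access-lists are mixed; "
                                   "ACLs take precedence over the conduits"))
    for acl in sorted(acl_ids - applied):
        findings.append(("low", f"access-list {acl} is defined but never applied with access-group"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_pix_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```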

Verifying Configuration and Traffic

Pinging the different interfaces of the firewall and getting a response is a good start in verifying network connectivity. The first four of the following commands check the configuration of the PIX Firewall, while the remaining commands confirm activity.

show ip address      Verify the IP address of each interface.
show nat             Verify network address translation.
show route           Verify the default route.
show global          Show the range of global addresses.
show xlate           Show the current translations built through the PIX.
show interface       Show interface statistics.
show conn            Show the current connections through the PIX.
show traffic         Show how much traffic is passing through the PIX.
debug icmp trace     Show all ICMP echo requests and replies to or through the PIX.
