Basic PIX Firewall Configuration

Basic PIX Firewall Configuration

In this section, you will implement the commands introduced in Chapter 17, and add those commands that will be useful and/or necessary. The commands from Chapter 17 are used without further explanation because they were covered earlier. These commands make up the six basic commands for initial PIX Firewall configuration.

• The nameif command

• The interface command

• The ip address command

• The nat command

• The global command

• The route command

These commands are approached as if they were a series of steps to be followed each time a firewall needs configuration. This method ensures that you won’t overlook a basic step and have trouble implementing an advanced feature because of it.

Step 1: Name the PIX Firewall, assign a privilege-level password, assign a Telnet password, and specify the IP addresses of a host that can Telnet to the PIX.

pixfirewall#config t
pixfirewall(config)#hostname Pix
Pix(config)# 
Pix(config)#enable password cisco ?????(privilege mode password)
Pix(config)#passwd letmein ?????????(Telnet password)
Pix(config)#telnet 192.168.1.10

Step 2: Name and define the DMZ interface. We’ll use the default settings for inside (e1 security100) and outside (e0 security0).

Pix(config)#nameif ethernet2 dmz sec50

Step 3: Assign IP addresses to the interfaces.

Pix(config)#ip address outside 1.1.1.1 255.255.255.0
Pix(config)#ip address inside 192.168.1.1 255.255.255.0
Pix(config)#ip address dmz 192.168.2.1 255.255.255.0

Step 4: By default, the interfaces on the PIX are administratively shut down. Use the interface command to enable the physical interfaces and set the interface speed and duplex mode. The following example sets the inside and outside to Autodetect mode and the DMZ to 100MB / full-duplex.

Pix(config)#interface e0 auto
Pix(config)#interface e1 auto
Pix(config)#interface e2 100full

Step 5: Now that you’ve configured IP addresses for the inside and outside interfaces, you need to specify a default route using the route command. The route outside command tells the PIX Firewall to send all outbound traffic to the next hop router. The numeral 1 specifies the router is one hop count away. The command could be abbreviated as route outside 0 0 2.1.1.2 1.

Pix(config)#route outside 0.0.0.0 0.0.0.0 1.1.1.2 1

Step 6: To allow all inside hosts to initiate outbound connections using NAT, use the nat command, as shown here:

Pix(config)#nat (inside) 1 0 0
Pix(config)#nat (dmz) 1 0 0

Next, configure a global pool of addresses to be used by inside hosts. You must configure a pool for use when communicating with hosts on the outside and hosts on the DMZ.

Pix(config)#global (outside) 1 1.1.1.20-1.1.1.254 netmask 255.255.255.0

Step 7: To allow public access to the DMZ web server, create a static mapping between the web server address on the DMZ and the address to be used by outside hosts when they send connection requests to the PIX outside interface. This static command specifies the inside interface (dmz) and the outside interface (outside) used for this translation. The first IP specifies the address outside hosts will use, while the second IP address specifies the address to translate to.

Pix(config)#static (dmz,outside) 1.1.1.19 192.168.2.2

Step 8: Even with the static mapping, the PIX’s ASA won’t permit outside hosts to connect to the web server on the DMZ. This is because the DMZ’s security level (50) is higher than the outside interface’s security level (0). Also, ASA won’t permit ICMP by default.

IOS versions prior to v5.0.1 used the conduit command to get around this. The following conduit command permits any outside host to initiate a connection with the web server.

Pix(config)#conduit permit tcp host 1.1.1.19 eq www any

In PIX software versions 5.0.1 and later, ACLs with access groups can be used instead of conduits. Combining ACLs and conduits on the same configuration isn’t good practice. If both are configured, ACLs take preference over the conduits.

The following example shows an ACL entry that permits any outside host to initiate a connection with the web server. The second line applies the ACL to the outside interface.

Pix(config)#access-list 101 permit tcp any host 1.1.1.19 eq www
Pix(config)#access-group 101 in interface outside 

If any time changes are made to the PIX NAT configuration or conduits, a clear xlate command must be issued for ASA to apply this change (writing the configuration also applies the new settings).

Step 9: The final steps are to save the configuration by issuing the write memory command, checking the configuration by using the write terminal command, and then testing the network connectivity.