In this section, you will implement the commands introduced in Chapter 17, and add those commands that will be useful and/or necessary. The commands from Chapter 17 are used without further explanation because they were covered earlier. These commands make up the six basic commands for initial PIX Firewall configuration.
The nameif command
The interface command
The ip address command
The nat command
The global command
The route command
These commands are approached as if they were a series of steps to be followed each time a firewall needs configuration. This method ensures that you won’t overlook a basic step and have trouble implementing an advanced feature because of it.
Tip:
When I first started with routers, I developed a similar list that has since become a habit. And I have a similar list for switches and servers. The key is to identify those basic commands and to have an efficient order that’s required to get up and running (period). Once operating, you can take the time to add additional features. I learned this from my own mistakes, as well as watching the repeated and predictable mistakes of many others.
Step 1: Name the PIX Firewall, assign a privilege-level password, assign a Telnet password, and specify the IP addresses of a host that can Telnet to the PIX.
pixfirewall#config t
pixfirewall(config)#hostname Pix
Pix(config)#
Pix(config)#enable password cisco      (privilege mode password)
Pix(config)#passwd letmein             (Telnet password)
Pix(config)#telnet 192.168.1.10
Step 2: Name and define the DMZ interface. We’ll use the default settings for inside (e1 security100) and outside (e0 security0).
Pix(config)#nameif ethernet2 dmz sec50
Step 3: Assign IP addresses to the interfaces.
Pix(config)#ip address outside 1.1.1.1 255.255.255.0
Pix(config)#ip address inside 192.168.1.1 255.255.255.0
Pix(config)#ip address dmz 192.168.2.1 255.255.255.0
Step 4: By default, the interfaces on the PIX are administratively shut down. Use the interface command to enable the physical interfaces and set the interface speed and duplex mode. The following example sets the inside and outside to Autodetect mode and the DMZ to 100MB / full-duplex.
Pix(config)#interface e0 auto
Pix(config)#interface e1 auto
Pix(config)#interface e2 100full
Step 5: Now that you’ve configured IP addresses for the inside and outside interfaces, you need to specify a default route using the route command. The route outside command tells the PIX Firewall to send all outbound traffic to the next-hop router. The trailing numeral 1 is the metric, specifying that the router is one hop away. The command could be abbreviated as route outside 0 0 1.1.1.2 1.
Pix(config)#route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
Step 6: To allow all inside hosts to initiate outbound connections using NAT, use the nat command, as shown here:
Pix(config)#nat (inside) 1 0 0
Pix(config)#nat (dmz) 1 0 0
Next, configure a global pool of addresses to be used by inside hosts. You must configure a pool for use when communicating with hosts on the outside and hosts on the DMZ.
Pix(config)#global (outside) 1 1.1.1.20-1.1.1.254 netmask 255.255.255.0
Step 7: To allow public access to the DMZ web server, create a static mapping between the web server address on the DMZ and the address to be used by outside hosts when they send connection requests to the PIX outside interface. This static command specifies the inside interface (dmz) and the outside interface (outside) used for this translation. The first IP specifies the address outside hosts will use, while the second IP address specifies the address to translate to.
Pix(config)#static (dmz,outside) 1.1.1.19 192.168.2.2
Step 8: Even with the static mapping, the PIX’s ASA won’t permit outside hosts to connect to the web server on the DMZ. This is because the DMZ’s security level (50) is higher than the outside interface’s security level (0). Also, ASA won’t permit ICMP by default.
IOS versions prior to v5.0.1 used the conduit command to get around this. The following conduit command permits any outside host to initiate a connection with the web server.
Pix(config)#conduit permit tcp host 1.1.1.19 eq www any
In PIX software versions 5.0.1 and later, ACLs with access groups can be used instead of conduits. Combining ACLs and conduits on the same configuration isn’t good practice. If both are configured, ACLs take preference over the conduits.
The following example shows an ACL entry that permits any outside host to initiate a connection with the web server. The second line applies the ACL to the outside interface.
Pix(config)#access-list 101 permit tcp any host 1.1.1.19 eq www
Pix(config)#access-group 101 in interface outside
Whenever changes are made to the PIX NAT configuration or to conduits, a clear xlate command must be issued for the ASA to apply the change (writing the configuration also applies the new settings).
Note:
Care must be taken when implementing commands that allow outside traffic into the firewall. It’s important not to allow more access than intended. The conduit permit ip any any or access-list 101 permit ip any any command would allow any host on the untrusted outside network to access any host on the trusted network using IP as long as an active translation exists.
Step 9: The final steps are to save the configuration by issuing the write memory command, checking the configuration by using the write terminal command, and then testing the network connectivity.
Pinging the different interfaces of the firewall and getting a response would be a good start in verifying network connectivity. The first four of the following commands check the configuration of the PIX firewall, while the last four confirm activity.
show ip address     Verify the IP address of each interface.
show nat            Verify network address translation.
show route          Verify the default route.
show global         Show the range of global addresses.
show xlate          Show the current translations built through the PIX.
show interface      Show interface statistics.
show conn           Show the current connections through the PIX.
show traffic        Show how much traffic is passing through the PIX.
debug icmp trace    Show all ICMP echo requests and replies to or through the PIX.
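As an added example (not from the book or from Cisco), the following script reads the text of a saved PIX configuration and checks the consistency that Steps 1 through 9 rely on: every interface named with nameif has an ip address, the default route’s next hop lies on the outside subnet, every nat id has a matching global pool, and any permit ip any any rule of the kind the Note warns about is flagged. The sample configuration is constructed from the steps above plus one deliberately over-permissive ACL line.

```python
import ipaddress

# Constructed sample (not from the book): the configuration built up in Steps 1-8,
# using the short "sec50" form from Step 2, plus one deliberately over-permissive
# ACL line of the kind the Note warns about, so the audit has something to flag.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz sec50
ip address outside 1.1.1.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 1.1.1.20-1.1.1.254 netmask 255.255.255.0
static (dmz,outside) 1.1.1.19 192.168.2.2
access-list 101 permit tcp any host 1.1.1.19 eq www
access-list 101 permit ip any any
access-group 101 in interface outside
"""

def audit_pix_config(text):
    """Check a PIX config against the basic steps; return a list of finding strings."""
    findings, names, addrs, nat_ids, global_ids = [], set(), {}, set(), set()
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "nameif":                    # nameif <hw> <name> security<N> (or sec<N>)
            names.add(p[2])
        elif p[:2] == ["ip", "address"]:        # ip address <name> <ip> <mask>
            addrs[p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "nat":                     # nat (<name>) <id> <net> <mask>
            nat_ids.add(p[2])
        elif p[0] == "global":                  # global (<name>) <id> <pool> ...
            global_ids.add(p[2])
        elif p[0] == "route":                   # route <name> <net> <mask> <gw> <metric>
            gw = ipaddress.ip_address(p[4])
            if p[1] in addrs and gw not in addrs[p[1]].network:
                findings.append(f"route: next hop {gw} is not on the {p[1]} subnet")
        elif p[0] in ("access-list", "conduit") and "permit ip any any" in line:
            findings.append(f"over-permissive rule: {line}")
    for name in sorted(names):                  # every named interface needs Step 3
        if name not in addrs:
            findings.append(f"interface {name} has no ip address")
    for nid in sorted(nat_ids - global_ids):    # every nat id needs a global pool (Step 6)
        findings.append(f"nat id {nid} has no matching global pool")
    return findings
```

Run it over the output of write terminal before saving with write memory; an empty list means the basic checklist is complete and nothing wider than intended is permitted inbound.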