(Very Basic Configuration. Part 1)
Many of our readers are now pursuing the Cisco Security Specialist 1 certificate, and still others are simply wondering how to configure the mighty PIX Firewall. The PIX Firewall is without a doubt the way to secure enterprise networks. Used in conjunction with the IOS Firewall Feature Set (now known as Cisco Secure Integrated Software) running on a Cisco router, Cisco’s security solution is far superior to weak software applications that run on Unix or NT. RouterGod Online Magazine reporter John Riehl sought out beautiful Denise Richards to help us learn how to configure the PIX Firewall. John is a Cisco instructor and holds the CCSP and CISSP certificates. When not teaching Cisco, John likes to tell wild stories about his days in the circus where he was known as the Polish Invisible Man. When not being beautiful, Denise practices kickboxing and enjoys watching American Chopper on TV. Let’s join JR as he interviews Denise about the PIX Firewall. RFC 1918 Addresses are used to protect the innocent.
JR
Well hello Denise, thanks for agreeing to help us learn how to configure the PIX Firewall.
Denise
It’s my pleasure Yuriy, let’s cut right to the chase and talk about the PIX. The PIX is not a router; it cannot participate in dynamic routing protocols. The PIX in its most basic form is simply a box with 2 Ethernet interfaces. One interface is “inside” and one interface is “outside”. Traffic cannot flow from the outside interface to the inside interface unless you specifically allow it. Traffic cannot flow from the inside interface to the outside interface unless you configure Network Address Translation. Traffic initiated from the inside may return through the outside interface.
JR
So the PIX is really just a couple of NIC cards?
Denise
Not so fast, Comrade! The PIX uses the Adaptive Security Algorithm to perform Stateful Packet Inspection on traffic leaving the Firewall. The PIX uses a real-time, embedded operating system to track the propriety of thousands of simultaneous connections.
JR
Oh My God! This sounds too complicated! Let’s forget about it, maybe you should tell us how a console cable works or maybe which end of a power cord plugs into the wall…
Denise
Ha Ha! Don’t be such a baby! The PIX is easy! It uses a Command Line Interface, not one of those complicated GUIs like Checkpoint! The PIX has 3 command modes: User Mode, Privileged Mode and “Global” Config Mode. There is no concept of Interface Config Mode, and the cool thing is that SHOW commands can be used at Global Config! By default the PIX interfaces are shut down. To do a “no shut” on the outside interface you would use the following command: interface ethernet0 auto. To give it an IP address you would use a command like this: ip address outside 192.168.1.1 255.255.255.0
PIX Facts
PIX 535 - 500,000 Connections
PIX 525 - 280,000 Connections
PIX 515 - 125,000 Connections

JR
Wow! You really know your PIX Firewalls!
Denise
What do you think, I’m just a hot babe? Now let’s configure Network Address Translation. It consists of 2 steps: defining the inside users eligible for outbound connections and defining the pool of global IP addresses to be translated into. If you wanted all your users to use NAT the command would be: nat (inside) 1 0.0.0.0 0.0.0.0 The “1” in this command is the “NAT ID”; it must match the NAT ID in the global command, which I’ll show you in a minute. The fields 0.0.0.0 and 0.0.0.0 are IP Address and Netmask respectively. The PIX will let you abbreviate a default field with a single zero. Here is an example: The next step is to define the pool of global IP addresses. Let’s say that you have the range 192.168.1.2 through 192.168.1.6/24. The command would be: Don’t forget that the IP address of the PIX’s outside interface cannot be in the pool of global addresses.
JR
So now the users on the inside can get out. In a small network, how does the inside traffic that is destined for the outside world know about the PIX?
Denise
If it’s a small network, like one subnet and no internal router, just configure all the workstations’ Default Gateway with the IP address of the PIX’s inside interface. If there is an internal router between the PIX and your users, the workstations will naturally have the router as the Default Gateway and the router will have a default static route pointing to the PIX. If there are internal networks on the other side of your internal router (from the PIX’s perspective), you have to tell the PIX about them.
JR
How do you do that? How does the PIX know where to forward packets for those networks that are not directly connected?
Denise
It’s easy, you do it with a static route statement. Say the PIX is directly connected to the 10.1.1.0/24 network. The 10.1.2.0/24 network is on the other side of a router with an IP address of 10.1.1.3. You would add the following command:
JR
OK, I see how inside traffic makes it to the PIX, but how does the PIX know what to do with the outbound traffic?
Denise
You would configure a static default route. Say the next hop router is at 192.168.1.254; the command would be:
JR
What if I have a web server inside at 10.1.1.7 but it is known globally with the address of 192.168.3.22?
Denise
You would use a “static” to allow this translation from the outside to the inside, here’s how:
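The steps Denise walks through in the interview (bring the interfaces up, address them, nat/global, an inside static route, the default route, and a static for the web server) collected into one PIX 6.x configuration. This is an added example, not part of the original interview. Assumed values that the interview does not give: the hostname, the nameif lines, the PIX inside address 10.1.1.1/24, and the access-list at the end, which goes beyond what the interview covers.

```text
! Added example, not from the original interview. Assumed: hostname,
! nameif lines and the inside interface address 10.1.1.1/24.
hostname pix
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! PIX interfaces are shut down by default; "auto" brings them up
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
! NAT ID 1: every inside host is eligible ("0 0" abbreviates 0.0.0.0 0.0.0.0)
nat (inside) 1 0 0
! global pool for NAT ID 1; 192.168.1.1 (the outside interface) is left out
global (outside) 1 192.168.1.2-192.168.1.6 netmask 255.255.255.0
! internal network 10.1.2.0/24 lives behind the inside router at 10.1.1.3
route inside 10.1.2.0 255.255.255.0 10.1.1.3 1
! default route toward the upstream router at 192.168.1.254
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
! one-to-one translation: global 192.168.3.22 <-> inside web server 10.1.1.7
static (inside,outside) 192.168.3.22 10.1.1.7 netmask 255.255.255.255
! Beyond the interview: the static only creates the translation. Inbound
! traffic is still dropped until an access-list applied to the outside
! interface permits it. Assumed policy: HTTP only, to the web server only.
access-list outside_in permit tcp any host 192.168.3.22 eq www
access-group outside_in in interface outside
```

Two checks worth making after entering this: show xlate should list the static translation for 192.168.3.22, and clear xlate should be run after changing a static so stale translations do not linger. Note also that 192.168.3.22 is not on the outside interface's subnet, so the upstream router has to route 192.168.3.0/24 (or that host) toward 192.168.1.1; the PIX answers ARP for a static only on the directly connected subnet, which is an assumption about the upstream side that the interview does not discuss.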


