Basic PIX Firewall Configuration

In working with the PIX Firewall device, using the CLI is common because of its similarities to the CLI in Cisco routers and switches. The alternatives include two graphical interface tools: the PIX Firewall Manager (PFM) and the PIX Device Manager (PDM). PFM is the older of the two and is being retired.

The CLI commands are introduced and used in this section.

PIC Command-Line Interface

While similar to the IOS command set, the PIX are somewhat different. You might assume these differences will become less noticeable over time as Cisco moves toward an IOS interface for more and more devices. As with the IOS, it’s necessary to be in the correct mode. The four PIX modes are the following:

Unprivileged mode	Like the User mode on the router, this is the first level in accessing a PIX Firewall. This is also called the User EXEC mode and offers a limited set of commands, none of which can change the configuration. The > symbol at the end of the prompt indicates Unprivileged mode. Prompt: Pixfirewall>
Privileged mode	Allows the user to change settings and access the Configuration mode. Use the enable command to get to this mode, and use disable, exit, or quit to return to the Unprivileged mode. All Unprivileged mode commands have a counterpart in this mode. The # symbol at the end of the prompt indicates Privileged mode. Prompt: Pixfirewall#
Configuration mode	Allows configuration changes. All Unprivileged and Privileged mode commands have a counterpart in this mode. Unlike the routers, returning to Privilege mode to see the results of configuration changes is unnecessary. The (config)# at the end of the prompt indicates Configuration mode. Prompt: Pixfirewall(config)#
Monitor mode	PIX devices that don’t have an internal floppy drive come with a ROM boot monitor program, which is used for upgrading the PIX Firewall’s image. Prompt: Monitor>

PIX commands can be abbreviated, much like the IOS counterparts; but because of the command differences, the abbreviation might be different. For example, most routers require config t to change to Configuration mode, while co t will work on the firewall.

The following basic commands are important to know when you start to work with the PIX CLI. While many should be familiar, always be on the lookout for differences.

configure memory	Merges the current configuration with that in Flash memory (startup config). Note, this doesn’t replace the copy in Flash, but merges with it.
configure net	Merges a configuration from a TFTP server and the path you specify into the current configuration.
enable password	Changes the Privileged (enable) Mode password. This password is encrypted by default. If no Privileged Mode password is set, press ENTER at the Password prompt. To restore the enable password (press ENTER at prompt), type the following: Pixfirewall#enable password.
passwd	Sets password for Telnet access to the PIX Firewall console (Privileged mode). The default is cisco. Passwords can be up to 16 characters. The clear passwd command resets the password back to cisco.
show configure	Displays Flash (startup) configuration on the terminal.
show history	Displays the previously entered commands, same as with routers.
show ip address	Displays the IP addresses that are assigned to interfaces.
show xlate	Displays current translations and connection slot information. Similar in concept to displaying the NAT translations.
write erase	Erases the configuration stored in Flash (startup config).
write floppy	Stores the current configuration on diskette for models with floppy. Not supported by current models. Floppy disk must be in DOS format.
write memory	Stores the current configuration in Flash memory, along with the activation key value and timestamp for when the configuration was last modified. Replaces the existing saved configuration.
write *server_ip*	Specifies the IP address of the TFTP server. If you specify the full path and filename in the tftp-server command, then use a “:” in the write command.
write standby	Writes the current configuration to the failover standby PIX unit from RAM to RAM. This occurs automatically when the Active PIX boots up.
write terminal	Displays current configuration on the terminal.

Commands that are close enough to their IOS counterparts not to present serious problems include the following if you have trouble with abbreviations or optional parameters, the ? help feature works the same as in the IOS.

host name

ping

reload

show interface

show version

The next sections look at the basic commands required to configure a PIX Firewall device.

The nameif Command

The nameif command can be used to assign a name to an interface if more than two network interfaces are in the PIX Firewall. The first two interfaces are named inside and outside by default. The inside interface has a default security level of 100, while the outside interface has a default security level of 0. The clear nameif command restores default interface names and security levels. The syntax is

nameif hardware_id if_name security_level
clear nameif

hardware_id	Specifies the interface type and location on the PIX device. Like the interface designations on routers, the names can be spelled out or abbreviated, such as Ethernet 0 or e0.
if_name	Interface names can be up to 48 characters long, but then they must be used for all configuration references. So keep them short and easy to remember. Defaults: e1 is named inside, e0 is named outside, and any perimeter interface intfn where n is 2 through 5.
security_level

The following example shows the use of the nameif command:

Pixfirewall(config)#nameif ethernet2 dmz1 sec50
Pixfirewall(config)#nameif ethernet3 dmz2 sec25

The inside interface can’t be renamed or given a different security level. You can rename the outside interface, but you can’t change the security level. After changing an interface name, use the clear xlate command.

The show nameif Command

To displays interface names, use the show nameif command. The syntax is

show nameif

The interface Command

Use the interface command to define the speed and duplex settings of the network interface boards. After changing an interface command, use the clear xlate command. The syntax is

interface hardware_id [hardware_speed] [shutdown]

hardware_id	Specifies the interface type and location on the PIX device. Names can be spelled out or abbreviated, such as Ethernet 0 or e0.
hardware_speed	Network interface speed (optional). Possible Ethernet values include 10baset—10 Mbps Ethernet half-duplex 10full—10 Mbps Ethernet full-duplex 100basetx—100 Mbps Ethernet half-duplex 100full—100 Mbps Ethernet full-duplex 1000sxfull—1000 Mbps Gigabit Ethernet full-duplex 1000basesx—1000 Mbps Gigabit Ethernet half-duplex 1000auto—1000 Mbps Gigabit Ethernet to autonegotiate full- or half-duplex aui—10 for Mbps Ethernet half-duplex with an AUI cable interface auto—Set Ethernet speed automatically bnc—10 Mbps Ethernet half-duplex with a BNC cable interface
shutdown	Disable an interface.

Note

The previous auto keyword options aren’t recommended because of a lack of standards among vendors. Even though the default is the interface hardware_id auto command, specifying the speed of the network interfaces lets the PIX Firewall operate in network environments, which might include switches or other devices that don’t handle autosensing correctly.

The shutdown Option

The shutdown option disables the interface. When installing a PIX Firewall, all interfaces are shut down by default. Interfaces must be explicitly enabled by using the command without the shutdown option.

The show interface Command

To display detailed interface information, including the packet-drop count of Unicast RPF for each interface and buffer counters for Ethernet interfaces, use the show interface command. The clear interface command clears all interface statistics, except the number of input bytes. The command works with all interface types, except Gigabit Ethernet. This command no longer shuts down all system interfaces. The syntax for both commands is

show interface hardware_id [hardware_speed] [shutdown]
clear interface

Pixfirewall#show interface
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 00aa.0000.003b
IP address 209.165.201.7, subnet mask 255.255.255.224
MTU 1500 bytes, BW 100000 Kbit half duplex
       1184342 packets input, 1222298001 bytes, 0 no buffer
       Received 26 broadcasts, 27 runts, 0 giants
       4 input errors, 0 CRC, 4 frame, 0 overrun, 0 ignored, 0 abort
       1310091 packets output, 547097270 bytes, 0 underruns, 0 unicast rpf drops
       0 output errors, 28075 collisions, 0 interface resets
       0 babbles, 0 late collisions, 117573 deferred
       0 lost carrier, 0 no carrier
       input queue (curr/max blocks): hardware (128/128) software (0/1)
       output queue (curr/max blocks): hardware (0/2) software (0/1)

The ip address Command

The default address for an interface is 127.0.0.1. Use the ip address command to assign an IP address to each interface. If you make a mistake, reenter the command with the correct information. After changing an ip address command, use the clear xlate command. The syntax is

ip address if_name ip_address [netmask]

if_name	The internal or external interface name designated by the nameif command
ip_address	PIX Firewall unit’s network interface IP address
netmask	Network mask of ip_address

If a netmask isn’t specified, PIX Firewall assigns one of the following default classful network masks based on the IP address.

Class A—255.0.0.0
Class B—255.255.0.0

Class C—255.255.255.0

Note

If you’re using subnets, the best policy is to specify a network mask with this command. Otherwise, it’s possible that PIX using the classful mask could see another address you want to use as being a part of a previously defined network and prevent you from using it.

The show ip Command

To IP addresses on each interface, use the show ip command. The following is sample output from the show ip command:

Pixfirewall#show ip
System IP Addresses:
       ip address outside 209.165.201.2 255.255.255.224
       ip address inside 192.168.2.1 255.255.255.0
       ip address perimeter 192.168.70.3 255.255.255.0
Current IP Addresses:
       ip address outside 209.165.201.2 255.255.255.224
       ip address inside 192.168.2.1 255.255.255.0
       ip address perimeter 192.168.70.3 255.255.255.0

The nat Command

NAT allows the network to have any IP addressing scheme, including private addresses, and the PIX Firewall hides these addresses from visibility on the external network. While the implementation is different, the purpose and result are much the same as NAT covered in Chapter 6. With address translation, when a host starts an outbound connection, the IP addresses of the internal network are translated into global addresses, which will be seen by the outside world. The syntax is

nat (if_name) nat_id local_ip [netmask]

if_name	The internal network interface name.
nat_id	The ID number to match with the global address pool.
local_ip	Internal network IP address to be translated. You can use 0.0.0.0 to allow all hosts to start outbound connections. The 0.0.0.0 local_ip can be abbreviated as 0.
netmask	Network mask for local_ip. You can use 0.0.0.0 to allow all outbound connections to translate with IP addresses from the global pool. The netmask 0.0.0.0 can be abbreviated as 0.

In the following example, the nat command statement allows all the hosts on the 192.168.1.0 network to start outbound connections. The default netmask is being used. The nat_id 1 is a pool of global addresses created by the global command, in the next section.

Pixfirewall(config)#nat (inside) 1 192.168.1.0

In the next example, all internal users can use the 1 global address pool to start outbound connections.

Pixfirewall(config)#nat (inside) 1 0 0

The show nat and show xlate Commands

The show nat command displays the nat command statements in the current configuration. Use the show xlate command to view translation slot information. The clear xlate command would clear the translation table.

The following is sample output from the show xlate command with three active PATs:

Pixfirewall(config)#show xlate
3 in use, 3 most used
PAT Global 192.168.1.97(0) Local 172.16.205.49 ICMP id 340
PAT Global 192.168.1.97(1024) Local 172.16.205.49(1028)
PAT Global 192.168.1.97(1024) Local 172.16.205.49(516)

The global Command

Use the configuration mode global command to define a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection and for those inbound connections resulting from outbound connections. To use the global pool of addresses, the nat and global command statements must use the same nat_id. The PIX Firewall assigns the addresses from the beginning of the range (smallest address) to the largest.

The global command can’t use names with a dash (-) in them because the dash is used by the command to indicate a range of IP addresses. After changing or removing a global command statement, use the clear xlate command. The syntax is

global (if_name) nat_id interface | global_ip [-global_ip] [netmask global_mask]

if_name	The external network where you use these global addresses.
nat_id	A positive integer shared with the nat command that links the nat and global command statements together. Valid ID numbers 1 to 2,147,483,647.
interface	Specifies PAT using the IP address of the interface.
global_ip	Single global IP address or the first in a range.
-global_ip	A range ending with global_ip.
netmask	(Optional) Reserved word that prefaces the network global_mask variable.
global_mask	(Optional) The network mask for global_ip.

If subnetting is used, specify a subnet mask; for example, 255.255.255.128 will specify one half of a class C network. If a specified address range in the global_ip global_ip overlaps subnets defined by the netmask global_mask statement, the global pool won’t use any broadcast or network addresses included in the pool of global addresses.

For example, using the 255.255.255.128 and the 192.168.1.0 network would normally be used to define either the first half or the second half of the address pool 192.168.1.0 to 192.168.1.127 or 192.168.1.128 to 192.168.1.255. The following command seems correct.

global (outside) 1 192.168.1.0 - 192.168.1.127 netmask 255.255.255.128

The pool contains the network address 192.168.1.0 and the broadcast address 192.168.1.127. Both will be ignored by the pool. A better implementation of the command might be the following:

global (outside) 1 192.168.1.1 - 192.168.1.126 netmask 255.255.255.128

Using nat and global Commands Together

The following example specifies with nat command statements, which all the hosts on the 192.168.1.0 and 192.168.100.0 inside networks can use to start outbound connections. The global command statements create a pool of global addresses as follows:

nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 1.1.1.1-1.1.1.30 netmask 255.255.255.224
global (outside) 1 215.4.61.0

nat (inside) 3 192.168.100.0 255.255.255.0
global (outside) 3 1.1.11.15-1.1.11.27 netmask 255.255.255.224

The show global Command

To display the range of global addresses, use the show global command.

The route Command

Use the configuration mode route command to define a default or a static route for an interface. To define a default route, set ip_address and netmask both to 0.0.0.0, or the shortened form of 0. All routes entered using the route command are stored in the configuration when it’s saved. The clear route command removes route command statements that don’t contain the CONNECT keyword from the configuration. The syntax is

route if_name ip_address netmask gateway_ip [metric]

if_name	The internal or external network interface name.
ip_address	The internal or external network IP address. Use 0.0.0.0 to specify a default route, which can be abbreviated as 0.
netmask	Specify a network mask to apply to ip_address. Use 0.0.0.0 to specify a default route, which can be abbreviated as 0.
gateway_ip	Specify the IP address of the gateway router (the next hop address for this route).
metric	Specify the number of hops to gateway_ip. The default is 1.

Static routes are conceptually the same as with the routers. Because PIX devices aren’t routers per se, static and default static routes are used to direct packets to their destination. In this example, the PIX Firewall will send all packets destined to the 192.168.12.0 network to the 192.168.0.2 router with this static route statement.

Pixfirewall(config)#route dmz1 192.168.12.0 255.255.255.0 192.168.0.2 1

To define a default route for the outside interface, use the following command to direct all traffic to the 192.168.44.1 interface on the perimeter router.

Pixfirewall(config)#route outside 0 0 192.168.44.1 1

The show route Command

Use the show route command to confirm static and default route configuration.