Basic PIX Firewall Configuration
In this section, you will implement the commands introduced in Chapter 17, and add those commands that will be useful and/or necessary. The commands from Chapter 17 are used without further explanation because they were covered earlier. These commands make up the six basic commands for initial PIX Firewall configuration.

- The nameif command
- The interface command
- The ip address command
- The nat command
- The global command
- The route command

These commands are approached as if they were a series of steps to be followed each time a firewall needs configuration. This method ensures that you won’t overlook a basic step and have trouble implementing an advanced feature because of it.
Tip: When I first started with routers, I developed a similar list that has since become a habit. And I have a similar list for switches and servers. The key is to identify those basic commands and to have an efficient order that’s required to get up and running (period). Once operating, you can take the time to add additional features. I learned this from my own mistakes, as well as watching the repeated and predictable mistakes of many others.
Step 1: Name the PIX Firewall, assign a privilege-level password, assign a Telnet password, and specify the IP address of a host that can Telnet to the PIX.

pixfirewall#config t
pixfirewall(config)#hostname Pix
Pix(config)#
Pix(config)#enable password cisco     (privilege mode password)
Pix(config)#passwd letmein            (Telnet password)
Pix(config)#telnet 192.168.1.10
Step 2: Name and define the DMZ interface. We’ll use the default settings for inside (e1, security100) and outside (e0, security0).

Pix(config)#nameif ethernet2 dmz sec50
Step 3: Assign IP addresses to the interfaces.

Pix(config)#ip address outside 1.1.1.1 255.255.255.0
Pix(config)#ip address inside 192.168.1.1 255.255.255.0
Pix(config)#ip address dmz 192.168.2.1 255.255.255.0
Step 4: By default, the interfaces on the PIX are administratively shut down. Use the interface command to enable the physical interfaces and set the interface speed and duplex mode. The following example sets the inside and outside interfaces to Autodetect mode and the DMZ to 100MB / full-duplex.

Pix(config)#interface e0 auto
Pix(config)#interface e1 auto
Pix(config)#interface e2 100full
Step 5: Now that you’ve configured IP addresses for the inside and outside interfaces, you need to specify a default route using the route command. The route outside command tells the PIX Firewall to send all outbound traffic to the next-hop router. The numeral 1 at the end specifies that the router is one hop away. The command could be abbreviated as route outside 0 0 1.1.1.2 1.

Pix(config)#route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
Step 6: To allow all inside hosts to initiate outbound connections using NAT, use the nat command, as shown here:

Pix(config)#nat (inside) 1 0 0
Pix(config)#nat (dmz) 1 0 0

Next, configure a global pool of addresses to be used by inside hosts. You must configure a pool for use when communicating with hosts on the outside and hosts on the DMZ.

Pix(config)#global (outside) 1 1.1.1.20-1.1.1.254 netmask 255.255.255.0
Step 7: To allow public access to the DMZ web server, create a static mapping between the web server address on the DMZ and the address to be used by outside hosts when they send connection requests to the PIX outside interface. This static command specifies the inside interface (dmz) and the outside interface (outside) used for this translation. The first IP address specifies the address outside hosts will use, while the second IP address specifies the address to translate to.

Pix(config)#static (dmz,outside) 1.1.1.19 192.168.2.2
Step 8: Even with the static mapping, the PIX’s ASA won’t permit outside hosts to connect to the web server on the DMZ. This is because the DMZ’s security level (50) is higher than the outside interface’s security level (0). Also, ASA won’t permit ICMP by default.

IOS versions prior to v5.0.1 used the conduit command to get around this. The following conduit command permits any outside host to initiate a connection with the web server.

Pix(config)#conduit permit tcp host 1.1.1.19 eq www any
In PIX software versions 5.0.1 and later, ACLs with access groups can be used instead of conduits. Combining ACLs and conduits in the same configuration isn’t good practice. If both are configured, ACLs take preference over the conduits.

The following example shows an ACL entry that permits any outside host to initiate a connection with the web server. The second line applies the ACL to the outside interface.

Pix(config)#access-list 101 permit tcp any host 1.1.1.19 eq www
Pix(config)#access-group 101 in interface outside
If at any time changes are made to the PIX NAT configuration or conduits, a clear xlate command must be issued for the ASA to apply the change (writing the configuration also applies the new settings).
Note: Care must be taken when implementing commands that allow outside traffic into the firewall. It’s important not to allow more access than intended. The conduit permit ip any any or access-list 101 permit ip any any command would allow any host on the untrusted outside network to access any host on the trusted network using IP, as long as an active translation exists.
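To make the rules in Steps 7 and 8 and the Note concrete, the following Python script is an added example (not from the book and not a Cisco tool) that models how an inbound connection is admitted: a static translation must exist for the global address, then the ACL bound to the arriving interface decides, failing that any conduit decides, and otherwise the ASA's lower-to-higher security-level default denies. It also audits the configuration for the permit ip any any entries the Note warns about and for ACLs mixed with conduits. The sample configuration is constructed from the commands above; the hypothetical outside source address 203.0.113.5 and the simplified parsing (only host/any/mask address forms and eq port operators) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample configuration, assembled from the commands in Steps 2-8.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 1.1.1.20-1.1.1.254 netmask 255.255.255.0
static (dmz,outside) 1.1.1.19 192.168.2.2
access-list 101 permit tcp any host 1.1.1.19 eq www
access-group 101 in interface outside
"""

# Minimal port-name table for the 'eq <name>' operator (subset, assumed for this example).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25, "telnet": 23}


def _take_addr(tok, i):
    """Consume an address spec at tok[i]: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network("%s/%s" % (tok[i], tok[i + 1]), strict=False), i + 2


def _take_port(tok, i):
    """Consume an optional 'eq <port>' at tok[i]; None means any port."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_rule(tok, conduit=False):
    """Normalise an access-list entry (source then destination) or a conduit
    (global/destination then foreign/source) into one rule dictionary."""
    action, proto = tok[0], tok[1]
    first, i = _take_addr(tok, 2)
    first_port, i = _take_port(tok, i)
    second, i = _take_addr(tok, i)
    second_port, i = _take_port(tok, i)
    if conduit:
        src, dst, port = second, first, first_port
    else:
        src, dst, port = first, second, second_port
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def parse_config(text):
    """Collect the parts of a PIX configuration that govern inbound access."""
    cfg = {"security": {}, "statics": [], "acls": {}, "access_groups": {}, "conduits": []}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nameif":                      # nameif <hw> <name> security<N>
            cfg["security"][tok[2]] = int(re.sub(r"\D", "", tok[3]))
        elif tok[0] == "static":                    # static (<high_if>,<low_if>) <global> <local>
            high, low = tok[1].strip("()").split(",")
            cfg["statics"].append({"high": high, "low": low, "global": tok[2], "local": tok[3]})
        elif tok[0] == "access-list":               # access-list <id> <rule>
            cfg["acls"].setdefault(tok[1], []).append(parse_rule(tok[2:]))
        elif tok[0] == "access-group":              # access-group <id> in interface <if>
            cfg["access_groups"][tok[4]] = tok[1]
        elif tok[0] == "conduit":                   # conduit <rule>
            cfg["conduits"].append(parse_rule(tok[1:], conduit=True))
    return cfg


def _matches(rule, proto, src, dst, port):
    return (rule["proto"] in ("ip", proto)
            and ipaddress.ip_address(src) in rule["src"]
            and ipaddress.ip_address(dst) in rule["dst"]
            and (rule["port"] is None or rule["port"] == port))


def check_inbound(cfg, in_if, proto, src, dst, port):
    """Return (allowed, reason) for a connection arriving on in_if for global address dst."""
    static = next((s for s in cfg["statics"] if s["low"] == in_if and s["global"] == dst), None)
    if static is None:
        return False, "no static translation for %s on %s" % (dst, in_if)
    acl_id = cfg["access_groups"].get(in_if)
    if acl_id is not None:                          # a bound ACL takes preference over conduits
        for rule in cfg["acls"].get(acl_id, []):
            if _matches(rule, proto, src, dst, port):
                return rule["action"] == "permit", "access-list %s %s" % (acl_id, rule["action"])
        return False, "access-list %s: implicit deny" % acl_id
    for rule in cfg["conduits"]:
        if _matches(rule, proto, src, dst, port):
            return rule["action"] == "permit", "conduit %s" % rule["action"]
    return False, "ASA default: %s (security%d) may not open connections to %s (security%d)" % (
        in_if, cfg["security"].get(in_if, 0), static["high"], cfg["security"].get(static["high"], 100))


def audit(cfg):
    """Flag the over-permissive and mixed configurations the Note warns about."""
    findings = []
    def wide_open(r):
        return r["action"] == "permit" and r["proto"] == "ip" and r["src"].prefixlen == 0 and r["dst"].prefixlen == 0
    for acl_id, rules in cfg["acls"].items():
        findings += ["access-list %s permit ip any any: any outside host reaches any translated host" % acl_id
                     for r in rules if wide_open(r)]
    findings += ["conduit permit ip any any: any outside host reaches any translated host"
                 for r in cfg["conduits"] if wide_open(r)]
    if cfg["acls"] and cfg["conduits"]:
        findings.append("ACLs and conduits are both configured; ACLs take preference, mixing them is discouraged")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(check_inbound(cfg, "outside", "tcp", "203.0.113.5", "1.1.1.19", 80))   # permitted by ACL 101
    print(check_inbound(cfg, "outside", "tcp", "203.0.113.5", "1.1.1.19", 443))  # implicit deny
    print(audit(cfg))
```

Running the script shows the web server reachable only on port 80 through the static plus ACL 101, anything else falling to the ACL's implicit deny, and a clean audit; appending an access-list 101 permit ip any any line to the sample produces the finding the Note describes.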
Step 9: The final steps are to save the configuration by issuing the write memory command, check the configuration by using the write terminal command, and then test the network connectivity.
Verifying Configuration and Traffic

Pinging the different interfaces of the firewall and getting a response would be a good start in verifying network connectivity. The first four of the following commands check the configuration of the PIX Firewall, while the last four confirm activity.