The basics of a Cisco PIX firewall
A Cisco PIX firewall is meant to protect one network from another. There are PIX firewalls for small home networks and PIX firewalls for huge campus or corporate networks. In this example, we will be configuring a PIX 501 firewall. The 501 model is meant for a small home network or a small business.
PIX firewalls have the concept of inside and outside interfaces. The inside interface is the internal, usually private, network. The outside interface is the external, usually public, network. You are trying to protect the inside network from the outside network.
PIX firewalls also use the adaptive security algorithm (ASA). This algorithm assigns security levels to interfaces and says that no traffic can flow from a lower-level interface (like the outside interface) to a higher-level interface (like the inside interface) without a rule allowing it. The outside interface has a security level of zero and the inside interface has a security level of 100.
Here is what the output of the show nameif command looks like:
pixfirewall# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
pixfirewall#
Notice the ethernet0 interface is the outside interface (its default name) and the security level is 0. On the other hand, the ethernet1 interface is named inside (the default) and has a security level of 100.
Guidelines
Before beginning the configuration, your boss has given you some guidelines that you need to follow. Here they are:
- All passwords should be set to “cisco” (in reality, you make these whatever you want, but not “cisco”).
- The inside network is 10.0.0.0 with a 255.0.0.0 subnet mask. The inside IP address for this PIX should be 10.1.1.1.
- The outside network is 1.1.1.0 with a 255.255.255.0 subnet mask. The outside IP address for this PIX should be 1.1.1.1.
- You want to create a rule to allow all inside clients on the 10.0.0.0 network to do port address translation and connect to the outside network. They will all share the global IP address 1.1.1.2.
- However, clients should only have access to port 80 (Web browsing).
- The default route for the outside (Internet) network will be 1.1.1.254.
The configuration
You will be prompted to answer YES or NO as to whether or not you want to configure the PIX through interactive prompts. Answer NO to this question because you want to learn how to really configure the PIX firewall, not just answer a series of questions. After that, you will be sent to a prompt that looks like this:
pixfirewall>
With the “greater than” symbol at the end of the prompt, you are in the PIX user mode. Change to privileged mode with the en or enable command. Press “enter” at the Password prompt. Here is an example:
pixfirewall> en
Password:
pixfirewall#
You now have administrative mode to show things but would have to go into global configuration mode to configure the PIX.
Now, let’s move on to basic configuration of the PIX:
Basic PIX configuration
What I am calling basic configuration is made up of three things:
- Set the hostname
- Set passwords (login and enable)
- Configure IP addresses on interfaces
- Enable interfaces
- Configure a default route
Before you can do any of these things, you need to go into global configuration mode. To do this, type:
pixfirewall# config t
pixfirewall(config)#
To set the hostname, use the hostname command, like this:
pixfirewall(config)# hostname PIX1
PIX1(config)#
Notice that the prompt changed to the name that you set.
Next, set the login password to cisco, like this:
PIX1(config)# password cisco
PIX1(config)#
This is the password required to gain any access to the PIX except administrative access.
Now, configure the enable mode password, used to gain administrative mode access.
PIX1(config)# enable password cisco
PIX1(config)#
Now we need to configure IP addresses on interfaces and enable those interfaces. The PIX, unlike a router, has no concept of interface configuration mode. To configure the IP address on the inside interface, use this command:
PIX1(config)# ip address inside 10.1.1.1 255.0.0.0
PIX1(config)#
Now, configure the outside interface IP address:
PIX1(config)# ip address outside 1.1.1.1 255.255.255.0
PIX1(config)#
Next, enable both the inside and outside interfaces. Make sure that the Ethernet cable, on each interface, is connected to a switch. Note that the ethernet0 interface is the outside interface, and it is only a 10base-T interface on a PIX 501. The ethernet1 interface is the inside interface, and it is a 100Base-T interface. Here is how you enable these interfaces:
PIX1(config)# interface ethernet0 10baset
PIX1(config)# interface ethernet1 100full
PIX1(config)#
Note that you can do a show interfaces command, right from the global configuration prompt line.
Finally, let’s configure a default route so that all traffic sent to the PIX will flow to the next upstream router (the 1.1.1.254 IP address that we were given). Here is how you do this:
PIX1(config)# route outside 0 0 1.1.1.254
PIX1(config)#
The PIX firewall can, of course, support dynamic routing protocols as well (such as RIP and OSPF).
Now, let’s move on to some more advanced configuration.
Network Address Translation
Now that we have IP address connectivity, we need to use Network Address Translation (NAT) to allow inside users to connect to the outside. We will use a type of NAT, called PAT or NAT Overload, so that all inside devices can share one public IP address (the outside IP address of the PIX firewall). To do this, enter these commands:
PIX1(config)# nat (inside) 1 10.0.0.0 255.0.0.0
PIX1(config)# global (outside) 1 1.1.1.2
Global 1.1.1.2 will be Port Address Translated
PIX1(config)#
With this, all inside clients are able to connect to devices on the public network and share IP address 1.1.1.2. However, clients don’t yet have any rule allowing them to do this.
Firewall rules
These clients on the inside network have a NAT translation, but that doesn’t necessarily mean that they are allowed access. They now need a rule to allow them to access the outside network (the Internet). That rule will also allow the return traffic to come back in.
To make a rule to allow these clients port 80 (Web browsing), you would type this:
PIX1(config)# access-list outbound permit tcp 10.0.0.0 255.0.0.0 any eq 80
PIX1(config)# access-group outbound in interface inside
PIX1(config)#
Note that PIX access lists, unlike router access lists, use a normal subnet mask, not a wildcard mask.
With this access list, you have restricted the inside hosts to accessing Web servers only on the outside network (routers).
Showing and saving the configuration
Now that you have configured the PIX firewall, you can show your configuration with the show run command.
Make sure that you save your configuration with the write memory or wr m command. If you don’t, your configuration will be lost when the PIX is powered off.
What Does a PIX Do?
The PIX is a firewall appliance based on a hardened, specially built operating system, PIX OS, minimizing possible OS-specific security holes. The PIX has received ICSA Firewall and IPsec certification as well as Common Criteria EAL4 evaluation status.PIX firewalls provide a wide range of security and networking services including:
- Network Address Translation (NAT) or Port Address Translation (PAT)
- content filtering (Java/ActiveX)
- URL filtering
- IPsec VPN
- support for leading X.509 PKI solutions
- DHCP client/server
- PPPoE support
- advanced security services for multimedia applications and protocols including Voice over IP (VoIP), H.323, SIP, Skinny and Microsoft NetMeeting
- AAA (RADIUS/TACACS+) integration
PIX can be graphically managed using the integrated Web-based management interface known as the PIX Device Manager (PDM) or by the Cisco Secure Policy Manager 2.3f and 3.0f (not to be confused with CSPM 2.3.3i which is for intrusion detection system management). The PDM is a PIX-specific device configuration and management tool whereas CSPM is generally used as part of a larger security management infrastructure and allows one to correlate organizational security policies with a PIX configuration. Management interfaces include command-line interface (CLI), telnet, Secure Shell (SSH 1.5), console port, SNMP, and syslog.
Cisco PIX Models
| Cisco PIX Model |
Rated Throughput |
Concurrent Connections |
Description |
| PIX 535 | 1 Gbps +Up to 95 Mbps 3DES VPN, 2000 IPsec tunnels | 500,000 | Some models include stateful high-availability capabilities, as well as integrated hardware acceleration for VPN. Modular chassis, up to 10 10/100 Fast Ethernet interfaces or 9 Gigabit Ethernet interfaces. |
| PIX 525 | 360 Mbps +Up to 70 Mbps 3DES VPN, 2000 IPsec tunnels | 280,000 | Some models include stateful high-availability capabilities, as well as integrated hardware acceleration for VPN. Modular chassis, up to 8 10/100 Fast Ethernet interfaces or 3 Gigabit Ethernet interfaces. |
| PIX 515E | 188 Mbps + | 125,000 | Some models include stateful high-availability capabilities and integrate support for 2,000 IPsec tunnels. Modular chassis, up to six 10/100 Fast Ethernet interfaces. |
| PIX 506E | 20 Mbps +, 16 Mbps 3DES VPN |
Compact desktop chassis, two auto-sensing 10Base-T interfaces. | |
| PIX 501 | 10 Mbps +, 3 Mbps 3DES VPN |
Compact plug-n-play security appliance, integrated 4-port Fast Ethernet (10/100) switch and one 10Base-T interface. |
See http://www.cisco.com/warp/customer/cc/pd/fw/sqfw500/ for information about the PIX product line in general, or for more details or the latest models added to this product line.
PIX Terminology and Background Information
The following diagram shows a multi-port PIX connected to various networks. We will use this diagram as we build up a PIX configuration in this and any subsequent PIX articles.
PIX terminology: we generally refer to the user segment as the Inside subnet. The interface connected to the Internet router is the outside subnet. As shown, we probably have DMZ (De-Militarized Zone) subnet, the subnet where we quarantine all servers that are accessible from the outside. We might also have a separate management subnet and a subnet tying to a redundant PIX for failover (if supported/licensed).
The PIX Command-Line Interface (CLI) is somewhat like the Cisco IOS interface, but different. Use colon (“:”) for comments (which, as usual, are not retained). Newer PIX OS uses ACL’s, replacing the former conduits (which were arguably more confusing to experienced Cisco router administrators).
PIX interfaces are normally shutdown until the administrator activates them.
PIX interfaces have an associated security level. Two interfaces at same level can’t send packets to each other. We’ll shortly see that you set levels with nameif command. Connections and traffic are normally permitted from higher to lower security level interfaces, although you do have to put in some basic configuration to allow traffic to flow. Connections the other way (from low to high security) are disallowed unless the configuration explicitly permits them.
You actually do not have to put any ACL if going from a higher security level to a lower. Everything will be allowed. Best practice is to put an ACL on all interfaces even if the ACL permits everything to flow using “ip any any”. An ACL put inbound (PIX only does inbound ACLs) to the inside interface can control traffic destined going outbound. If an admin wants to only have www and dns traffic outbound he would allow only tcp on 80 and udp on 53 then everything else like real audio would be denied as it goes out.)
To let traffic flow from a high security level to a lower level, use the nat and global commands. For the opposite direction, from lower to higher, use the static and access-list commands. We suggest using nat and global when going from any non-outside interface to the outside interface (Internet usually unless the PIX is used as a border between business units) which is a little different than the first sentence above. We also suggest using statics from any non-outside interface to any other non-outside interface (like inside to management or ethernet3 to ethernet4, below.)
The PIX normally uses stateful NAT connections and stateful security, referred to as the Adaptive Security Algorithm (ASA). The PIX does not pass multicast traffic. (Can you say “DVMRP tunnel”?)
Cisco and we recommend you do not dynamic routing to or through the PIX. The PIX does support RIP, but the authors both loathe RIP. And static routing is more secure, cannot be as easily fooled.
PIX Configuration
We’ll start off with good housekeeping. Enter configuration mode with “config t”. You’ll want to assign a hostname / prompt name so you can tell which device you’re on. You’ll also want to set up passwords.
|
Command
|
Command Explanation
|
|
enable password myEnableSecret encrypted
|
Set the enable password (displays encrypted). Displays in encrypted form, with the word “encrypted” at the end. Note that when entering the command leave off “encrypted” keyword or the PIX will assume that the string you are putting in is the encryption of the actual password.
|
|
passwd myLoginSecret encrypted
|
Set the user mode password, the first password challenge when using Telnet. Note that when executing the command leave off the “encrypted” keyword or the PIX will assume that the string you are putting in is the encryption of the actual password.
|
|
hostname UNIT1
|
Set the name of the host. It is best to make this name innocuous so that it does not give away the type of device this is.
|
|
Command
|
Command Explanation
|
|
name 10.3.3.22 DMZWEBSERVER
|
Map address to name |
|
name 10.1.1.82 INTERNALDNSHOST
|
|
|
name 10.1.1.79 INTERNALORACLEHOST
|
|
|
name 10.1.1.71 INTERNALNTPHOST
|
|
|
name 1.1.1.5 EXTERNALSMTPHOST
|
|
|
name 1.1.1.22 EXTERNALWWWHOSTNAME
|
We also need to assign IP addresses to the interfaces that will be carrying IP traffic. One trick you can use on a shutdown interface is to assign it the loopback address, 127.0.0.1. This prevents accidental forwarding of traffic through that interface.
|
Command
|
Command Explanation
|
| nameif ethernet0 outside security0 | Define the name of ethernet 0 and security level. |
|
nameif ethernet1 inside security100
|
|
|
nameif ethernet2 management security90
|
|
|
nameif ethernet3 dmz security30
|
|
|
nameif ethernet4 pix_failover security40
|
We’ve connected ethernet4 to another failover-capable PIX. The name reflects this.
|
|
nameif ethernet5 not_in_use security20
|
Not currently in use.
|
|
interface ethernet0 100full
|
Identify network interface speed and duplex. Activate the interface.
|
|
interface ethernet1 100full
|
|
|
interface ethernet2 100full
|
|
|
interface ethernet3 100full
|
|
|
interface ethernet4 100full
|
Identify network interface speed and duplex. Note that this interface must be set to 100 and full duplex for proper operation of failover, which may be explained in another article.
|
|
interface ethernet5 100full shutdown
|
Note that this interface is shutdown.
|
|
ip address outside 1.1.1.1 255.255.255.0
|
Assign IP address and subnet mask for the interface
|
|
ip address inside 10.1.1.1 255.255.255.0
|
|
|
ip address management 10.2.2.1 255.255.255.0
|
|
|
ip address dmz 10.3.3.1 255.255.255.0
|
|
|
ip address pix_failover 10.4.4.1 255.255.255.0
|
We generally put a global command on each lower security interface we want our internal users to have access to, although statics can be preferable for internal-internal access (see below). The main decision (other than addressing design) is whether to use one or multiple NAT ID’s. Using unique NAT ID’s limits access to specific interfaces. Using one NAT ID is simpler and assumes the PIX will sort out which nat command (below) pairs up with which global command on which interface.
We put nat commands on the higher security interfaces, allowing users to start connections to lower security level interfaces with global commands on them. The NAT ID ties the inside addresses in the nat command to the pool of addresses in one or more global commands with the same NAT ID.
Port Address Translation is where all inside addresses appear as one outside address, with shifted ports. PAT has some restrictions, for example it cannot support H.323 or caching nameserver use, so you may want to use it to augment a range of global addresses rather than using it as your sole global address.
Let’s see what that looks like:
|
global (outside) 1 1.1.1.51-1.1.1.100 netmask 255.255.255.0
|
Defines the routable addresses to be used for outbound connections. This pool defines 1.1.1.51 through .100 as being available on a first come first served basis. As connections are torn down the addresses become available again for use. These addresses are used before the PAT address specified below is used. The number “1” is the NAT ID for this pool.
|
|
global (outside) 1 1.1.1.50 netmask 255.255.255.0
|
Defines the port address translation (PAT) address to be used by outbound connections after all one-to-one translation address (defined above) are exhausted. This continues NAT ID (pool) 1.
|
|
nat (inside) 0 access-list 101
|
A “NAT 0” means no NAT-ing is happening. This entry is used for the IPsec connection defined in the configuration. The nat command with access list lets you exempt traffic that is matched by the access-list command statements from the NAT services. Access list 101 (not shown) specifies IPsec traffic. This row may confuse users and if we are not going to touch IPsec now, I would leave it out. We’ll cover IPsec on the PIX in a future article.
|
|
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
|
This command connects the global pool 1 to the networks allowed to tap into that pool. Subnet 10.1.1.0 on the inside interface will be allowed to use global pool 1 for its outbound connections.The nat command lets you enable or disable address translation for one or more internal addresses. The nat command will disable nat for an inside network if that net is not explicitly defined to use the pool. Address translation means that when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses.
|
|
nat (management) 1 10.2.2.0 255.255.255.0 0 0
|
Subnet 10.2.2.0 on the management interface will be allowed to use global pool 1 for its outbound connections.
|
If you’ve used NAT before, you’ll recognize that servers on the inside that need to be connected to from the outside will need static mappings. The static command creates a permanent mapping (called a static translation slot or “xlate”) between a local IP address and a global IP address. Use the static and access-list commands when you are accessing an interface of a higher security level from an interface of a lower security level. When NAT exists between two interfaces the command takes the form of “static (high,low) low high” . Without address translation, the format of the static command becomes different: “static (high,low) high high“.
|
static (dmz,outside) 1.1.1.22 10.3.3.22 netmask 255.255.255.255 0 0
|
You need to specify the IP address users on the lower security interface’s network will use to access the server on the higher security level interface’s network. In this case, we make a DMZ web server at 10.3.3.22 accessible as outside address 1.1.1.22.
|
|
static (inside,management) 10.1.1.13 10.1.1.13 netmask 255.255.255.255 0 0
|
This static command allows traffic from inside interface (address 10.1.1.13) to management subnet, or vice versa if an appropriate ACL exists for traffic coming from the lower security interface. There is no NAT change to the address.
|
|
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
|
Specifies a default route out the outside interface to a router at 1.1.1.254 which is 1 hop away.
|
|
route management 10.117.220.0 255.255.255.0 10.2.2.254
|
Specifies a route to the 10.117.220.0 network via the management interface with the next hop address set to 10.2.2.254 (assuming 10.117.220.0 is behind a router on the management subnet).
|
TIP: If you use statics you will also be able to go from higher to lower without having to use nat and global. Example: suppose management station 10.2.2.2 (NMS) needs to talk to serv1 at 10.1.1.15 on the inside. Configure:
static (inside,management) 10.1.1.15 10.1.1.15 netmask 255.255.255.255
access-list from-management-coming-in permit tcp host 10.2.2.2 host 10.1.1.15 eq 8888
access-group from-management-coming-in in interface management
Because the static exists, 10.1.1.15 can also inititate connections to 10.2.2.2 but cannot talk to 10.2.2.50 (NMS2) because no method of translation exists.Another example:
static (inside,management) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
This allows each network to address the other. The inside can then talk to everything on the management net and reply packets are let back through by virtue of stateful inspection but an ACL must exist for the management net to initiate anything to the inside.There are some other variations one can do, but statics are more clear and you can predict behaviour because no timeouts for the connections exist and you still retain ultimate control via the ACL.
==========================================
Network Address Translation (NAT)
Network address translation is a method used to help conserve the limited number of IP addresses available for internet purposes. We will return to the NAT discussion, specifically how to configure it, later on this page, but first a very basic introduction on how to configure and use the PIX.
Accessing the PIX command line
Via The Console Port
Your Cisco PIX will come with a console cable that will allow you to configure your PIX using terminal emulation software such as Hyperterm. Once you’ve set up your PIX with an IP address you’ll be able to access it via Telnet.
Via Telnet
o One easy way to get access to any device on your network is using the /etc/hosts file. Here you list all the IP addresses of important devices that you may want to access with a corresponding nickname. Here is a sample in which the PIX firewall “pixfw” has the default IP address of 192.168.1.1 on its inside protected interface:
#
# Do not remove the following line, or various programs
# that require network functionality will fail.
#
127.0.0.1 localhost.localdomain localhost
192.168.1.1 pixfw
192.168.1.100 bigboy mail.my-site.com
o Once connected to the network you can access the PIX via telnet
[root@bigboy tmp]# telnet pixfw
Trying 192.168.1.1…
Connected to pixfw.
Escape character is ‘^]’.
o You’ll be prompted for a password and will need another password to get into the privileged “enable” mode. If you are directly connected to the console, you should get a similar prompt too. There is no password in a fresh out of the box PIX and simply hitting the “Enter” key will be enough.
User Access Verification
Password:
Type help or ‘?’ for a list of available commands.
pixfw> enable
Password: ********
pixfw#
o Use the “write terminal” command to see the current configuration. You will want to change your “password” and “enable password” right after completing your initial configuration, this will be covered later.
# wr term
Building configuration…
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password dsjf5sdfgsjrgjwk encrypted
passwd sdffg8324dgrggjd encrypted
hostname pixfw
fixup protocol ftp 21
…
…
o ALL PIX configuration commands need to be done in configuration mode, by issuing the “configure terminal” command from enable mode prompt.
pixfw# conf t
pixfw(config)# “Enter commands here”
pixfw(config)# exit
pixfw#
o You can usually delete commands in the configuration by adding the word “no” to the beginning of the command you want to delete. Some commands that can only have a single value won’t accept a “no” to change them and will just be over-written when you issue the new command.
In the example below, we change the PIX’s name and then delete one of many access control list (ACL) entries attached to the outside (Internet) interface.
pixfw# conf t
pixfw(config)# no access-list inbound permit tcp any any eq www
pixfw(config)# hostname firewall
firewall(config)# exit
firewall#
o One of the first things you should do is change the default passwords for the PIX.
pixfw# conf t
pixfw(config)# enable password enable-password-here
pixfw(config)# passwd telnet-password-here
pixfw(config)# exit
pixfw#
Note: The console password is the one used to gain access from the console or through telnet.
o When you’ve finished configuring, you can permanently save your changes by using the “write memory” command:
pixfw# wr mem
Building configuration…
Cryptochecksum: 3af43873 d35d6f06 51f8c999 180c2342
[OK]
pixfw#
Sample PIX Configuration: DHCP
Configuring DSL PPPoE DHCP
o DHCP and DSL require you to get a pppoe password and username from your ISP. Most ISPs have a homepage where you can register to get the username and password, ask customer service for the URL. You should substitute this username and password for “dsl-username” and “dsl-password” below. The VPDN group statements just assign a username, password, authentication type to a profile, in this case “ISP”. The configuration steps are relatively straight forward. (Remember to be in config mode)
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
vpdn group ISP request dialout pppoe
vpdn group ISP localname dsl-username
vpdn group ISP ppp authentication pap
vpdn username dsl-username password dsl-password
In this example, the IP address of the PIX is 192.168.1.1. As the PIX will be acting as your default gateway to the internet, you will have to set the default gateway on all your servers to be 192.168.1.1 You must be using PIX IOS version 6.2 or greater for this to work.
Configuring Cable Modem DHCP
o DHCP configuration for cable modems is much simpler, there is no password requirement like with regular DSL. The command to let your PIX get a DHCP IP address from your ISP is as follows:
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
In this example, the IP address of the PIX is 192.168.1.1. As the PIX will be acting as your default gateway to the internet, you will have to set the default gateway on all your servers to be 192.168.1.1
NAT Configuration with DHCP
Here we allow any traffic coming in on the inside (private/protected) interface to be NAT-ted to the IP address of the outside (Public/unprotected) interface of the firewall. If DSL – DHCP has assigned an address of 97.158.253.12 to your firewall then the traffic passing through the firewall, from your protected PCs, will appear to be coming from address 97.158.253.12. This is frequently called many-to-one NAT.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Dynamic DNS Port Forwarding Entries
It is possible to host your own website on a DHCP DSL / cable modem connection using dynamic DNS. There are many providers to choose from.
Once you have registered with a dynamic DNS provider, you will need to configure your firewall. Here we allow all incoming www traffic (on TCP port 80) destined for the firewall’s interface to be forwarded to the web server at 192.168.1.100 on port 80 (www).
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-group inbound in interface outside
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255
Once configured, you will be able to hit your webserver using the firewall’s outside interface’s IP address as the destination. eg: http://firewall-outside-ip-address. Remember, it’s not possible to hit your firewall’s public NAT IP address from servers on your home network. You’ll have to ask a friend to check it out.
How To Get Static IPs For DSL Cheaply
Many ISP DSL providers offer cheap DHCP (dynamic IP) service. Due to competition they’ll even throw in a DSL modem and even a router for free. This service frequently isn’t available for users with static IPs which the ISPs frequently feel are businesses. If you really want static IP addresses and are willing to pay the higher monthly fee, then you can reduce your installation costs by:
> Ordering DHCP DSL first with the free modem and/or router
> Upgrade to static IPs a week later. They probably won’t ask about the modem and/or router, and it becomes bundled in free.
Sample PIX configuration: DSL – Static IPs
PPPOE authentication is only required for DSL DHCP. Once you go for static IPs, the vpdn statements won’t be required. In this example, the ISP has assigned the Internet subnet 97.158.253.24 with a mask of 255.255.255.248 (/29). The IP address selected for the PIX is 97.158.253.25, the default gateway is 97.158.253.30
If you are converting from dynamic to static IP addresses, you do not need the vpdn PIX command statements for static IPs
ip address outside 97.158.253.25 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 97.158.253.30
In this example, the IP address of the PIX is 192.168.1.1. As the PIX will be acting as your default gateway to the internet, you will have to set the default gateway on all your servers to be 192.168.1.1
Note: When you receive your own /29 allocation all the IPs are exclusively yours whether you use them or not. This can be viewed as being wasteful in the eyes of some ISPs. Some service providers now use PPPoE with DHCP IP address reservations based on your MAC address. It appears to be an attempt to conserve on IP addresses by placing many customers on a large shared network that allows the ISP to add and subtract allocated IPs at will. This means that the ISP, and not its customers, are in possession of all unused IP addresses.
Outgoing Connections NAT Configuration
Here we allow connections originating from servers connected to the inside (private/protected) interface with an IP address in the range 192.168.1.0 to 192.168.1.255 to be NAT-ted to the IP address of the outside (Public/unprotected) interface of the firewall which is 97.158.253.25 :
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
This is another application of many-to-one NAT.
Incoming Connections NAT Configuration
It is possible to dedicate a single public IP address to a single server on your home network. This is called one-to-one NAT.
Here we allow the firewall to handle traffic to a second IP address, namely 97.158.253.26. We then allow all incoming traffic to be forwarded to the protected web server which has an IP address of 192.168.1.100. Only www and DNS (Port 53) traffic is allowed to access it via an access control list applied to the outside interface.
access-list inbound permit icmp any any
access-list inbound permit tcp any host 97.158.253.26 eq www
access-list inbound permit tcp any host 97.158.253.26 eq 53
access-list inbound permit udp any host 97.158.253.26 eq 53
access-group inbound in interface outside
static (inside,outside) 97.158.253.26 192.168.1.100 netmask 255.255.255.255 0 0
Once configured, you will be able to hit your webserver using the firewall’s outside interface’s IP address as the destination. eg: http://one-to-one-NAT-ip-address. Remember, it’s not possible to hit your firewall’s public NAT IP address from servers on your home network. You’ll have to ask a friend to check it out.
Here are some additional TCP ports you may be interested in:
|
Protocol |
Port |
|
FTP |
20, 21 |
|
SMTP Mail |
25 |
|
POP3 Mail |
110 |
|
HTTPS / SSL |
443 |
How To Configure Your PIX To Accept Telnet
The telnet command can be used to configure your PIX to accept telnet sessions. By default, it allows connections on the inside interface from the 192.168.1.0 network, as seen below:
telnet 192.168.2.0 255.255.255.0 inside
Of course, if you change the IP address of the inside interface, you may have to change the statement above.
You can also allow access to the outside interface with a similar command. In the case below we’re allowing access from the network 64.251.19.0. I generally wouldn’t recommended this, but in some cases the need to do it is unavoidable.
telnet 64.251.19.0 255.255.255.0 outside
As an added precaution, you can set the PIX to automatically log out telnet sessions that have been inactive for a period of time. Here is an example of a 15 minute timeout period.
telnet timeout 15
How To Make Your PIX A DHCP Server
Enabling your PIX to be a DHCP server for your home network requires very few statements. First you have to enable the feature on the desired interface, which is usually the “inside” interface. The next step is to set the range of IP addresses the PIX’s “inside” interface will manage, and finally, you need to state the IP address of the DNS server the DHCP clients will use.
The default DNS address the PIX provides its DHCP clients is the IP address of the “inside” protected interface. If the PIX is configured to get it’s Internet IP address from your ISP, then the PIX will automatically become a caching DNS server for your home network. This means that in this case you don’t have to use the DNS statement.
dhcpd enable inside
dhcpd address 192.168.1.20-192.168.1.30 inside
dhcpd dns 192.168.1.100
Basic PIX Troubleshooting
The “show interfaces” Command
The show interfaces command will show you the basic status of the PIX’s interfaces. I’ve included some sample output below:
pixfw# show interface
interface ethernet0 “outside” is up, line protocol is up
Hardware is i82559 ethernet, address is 0009.e89c.fdaa
IP address 97.158.253.25, subnet mask 255.255.255.248
MTU 1500 bytes, BW 10000 Kbit half duplex
5776596 packets input, 569192486 bytes, 0 no buffer
Received 5315835 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
435752 packets output, 74618166 bytes, 0 underruns
0 output errors, 3988 collisions, 0 interface resets
0 babbles, 0 late collisions, 6978 deferred
2 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) (0/77)
output queue (curr/max blocks): hardware (0/53) software (0/1)
…
…
pixfw#
Your basic physical connectivity should be OK if the interfaces are seen as being in an “up” state with line protocol being “up”. If line protocol is down, you probably have your PIX incorrectly cabled to the Internet or your home network.
If the interfaces are seen as “administratively down”, then the PIX configuration will most likely have the interfaces configured as being “shutdown” like this:
interface ethernet0 10baset shutdown
This can be easily corrected. First use the “write terminal” command to confirm the shutdown state. Then you should enter “config” mode and reenter the “interface” command without the word “shutdown” at the end.
pixfw(config)# interface ethernet0 10baset
The “show interfaces” is also important as it shows you whether you have the correct IP addresses assigned to your interfaces and also the amount of traffic and errors associated with each.
The “show xlate” Command
This command will show whether the PIX is doing NAT translations correctly. Double check your configuration if there are no translations immediately after trying to access the Internet. NAT failure could also be due to bad cabling which will prevent Internet bound traffic from reaching the PIX at all.
aquapix# sh xlate
3 in use, 463 most used
PAT Global 97.158.253.25(38448) Local 192.168.1.105(3367)
PAT Global 97.158.253.25(25838) Local 192.168.1.105(2971)
PAT Global 97.158.253.25(26306) Local 192.168.1.105(3610)
aquapix#
Using syslog
A really good method for troubleshooting access control lists (ACLs) and also to view the types of methods people are using to access your site is to use
Other Things To Check
Always make sure your PIX has a:
o correct default route. The default is the one with the lots of zeros.
aquapix# show route
outside 0.0.0.0 0.0.0.0 97.158.253.30 1 DHCP static
outside 12.210.24.0 255.255.252.0 12.210.27.161 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
aquapix#
o default gateway that you can “ping”. In the case above the gateway is 97.158.253.30.