Application Guide: Cisco PIX Firewall settings

Source: Internet
Author: User
Application Guide: Cisco PIX Firewall configuration details-Linux Enterprise Application-Linux server application information, the following is a detailed description. In this application guide, the administrator can learn how to set up a new PIX Firewall. You will set passwords, IP addresses, network address resolution, and basic firewall rules.

Assume that your boss gives you a new PIX Firewall. This firewall has never been set. He said that the firewall needs to set some basic IP addresses, security, and some basic firewall rules. You have never used the PIX Firewall before. How do you perform this setting? After reading this article, this setting is easy. Next, let's see how to set it.

   Foundation of Cisco PIX Firewall

The Cisco PIX Firewall can protect various networks. There is a PIX Firewall for small-sized home networks, or a PIX Firewall for large campus or enterprise networks. In this example, we will set a PIX 501 firewall. The PIX 501 is a firewall for small-sized home networks or small businesses.

The PIX Firewall has internal and external interfaces. Internal interfaces are internal, usually private networks. External interfaces are external, usually public networks. Try to protect the internal network from the influence of the external network.

The PIX Firewall also uses an adaptive security algorithm (ASA ). This algorithm assigns a security level to an interface and claims that no communication can flow from a low-level interface (such as an external interface) to a high-level interface (such as an internal interface) without rule permission ). The security level of this external interface is "0", and the security level of this internal interface is "100 ".

The following shows the output of the "nameif" command:

Pixfirewall # show nameif

Nameif ethernet0 outside security0

Nameif ethernet1 inside security100

Pixfirewall #

Note that the ethernet0 (Ethernet 0) interface is an external interface (its default name) and the security level is 0. On the other hand, the ethernet1 (Ethernet 1) interface is the internal Interface Name (default), and the security level is 100.

   Guide

Before getting started, your boss has given you some guidelines you need to follow. These guidelines are:

· All passwords should be set to "Cisco" (in fact, you can set any password except Cisco ).

· The internal network is 10.0.0.0 and has a subnet mask of 255.0.0.0. The internal IP address of this PIX Firewall should be 10.1.1.1.

· The external network is 1.1.1.0 and has a subnet mask of 255.0.0.0. The external IP address of this PIX Firewall should be 1.1.1.1.

· You need to create a rule to allow all customers on the 10.0.0.0 network to perform port address resolution and connect to the external network. They will all share the global IP address 1.1.1.2.

· However, the customer can only access port 80 (network browsing ).

· The default route used for external (Internet) networks is 1.1.1.254.

   Set

When you start the PIX firewall for the first time, you should see a screen like this:

You will answer "yes" or "no" as prompted to determine whether to set the PIX Firewall Based on the Interaction prompt. Answer "no" to this question, because you need to learn how to set up a firewall, not just to answer a series of questions.

Then, you will see a prompt: pixfirewall>

At the end of the prompt, there is a greater than ">". You are in the PIX user mode. Use the en or enable command to modify the permission mode. Press enter at the password prompt. The following is an example:

Pixfirewall> en

Password:

Pixfirewall #

You now have the Administrator mode to display the content. However, you must enter the General setting mode to set this PIX Firewall.

Now let's learn about the basic configuration of the PIX Firewall:

   Basic configuration of the PIX Firewall

The basic settings I mentioned include the following:

· Set the Host Name

· Set a password (logon and startup)

· Set the IP address of the interface

· Startup Interface

· Set a default route

Before you do anything above, you need to enter the General setting mode. To enter this mode, type:

Pixfirewall # config t

Pixfirewall (config )#

To set the host name, run the host name command, as shown in the following code:

Pixfirewall (config) # hostname PIX1

PIX1 (config )#

Note: The prompt is changed to the name you set.

Next, set the logon password to cisco, as shown in the following figure:

PIX1 (config) # password cisco

PIX1 (config )#

This is the password required to access the PIX Firewall in addition to the Administrator.

Now, set the start mode password for administrator access.

PIX1 (config) # enable password cisco

PIX1 (config )#

Now, we need to set the IP address of the interface and start these interfaces. Like a router, the PIX does not have the interface setting mode. To set the IP address of an internal interface, run the following command:

PIX1 (config) # ip address inside 10.1.1.1 255.0.0.0

PIX1 (config )#

Now, set the IP address of the external interface:

PIX1 (config) # ip address outside 1.1.1.1 255.255.0

PIX1 (config )#

Next, start the internal and external interfaces. Confirm that the ethernet cable for each interface is connected to a switch. Note that the ethernet0 interface is an external interface, which is only a 10base-T interface in the PIX 501 firewall. The ethernet1 interface is an internal interface and a 100Base-T interface. The following describes how to start these interfaces:

PIX1 (config) # interface ethernet0 10 baset

PIX1 (config) # interface ethernet1 100 full

PIX1 (config )#

Note: You can use a command to display the interface, and use this command in the general settings prompt command line.

Finally, let's set a default route. In this way, all communications sent to the PIX firewall will flow to the next uplink router (our allocated IP address is 1.1.1.254 ). You can do this:

PIX1 (config) # route outside 0 0 1.1.1.254

PIX1 (config )#

Of course, the PIX Firewall also supports dynamic routing protocols (such as RIP and OSPF ).

Now, we will introduce some more advanced settings.

   Network Address Resolution

Because we have an IP address connection, we need to use network address resolution to connect internal users to an external network. We will use a network address resolution called "PAT" or "NAT Overload. In this way, all internal devices can share a public IP address (the external IP address of the PIX Firewall ). To do this, enter these commands:

PIX1 (config) # nat (inside) 1 10.0.0.0 255.0.0.0

PIX1 (config) # global (outside) 1 1.1.1.2

Global 1.1.1.2 will be Port Address Translated

PIX1 (config )#

After using these commands, all internal clients can connect to devices in the public network and the shared IP address 1.1.1.2. However, the client has no rules so far to allow them to do so.

   Firewall Rules

These clients in the internal network have a network address resolution. However, this does not mean that they are allowed to access. They now need a rule that allows them to access external networks (Internet. This rule also allows the returned communication.

To create a rule that allows these clients to access port 80, enter the following command:

PIX1 (config) # access-list outbound permit tcp 10.0.0.0 255.0.0.0 any eq 80

PIX1 (config) # access-group outbound in interface inside

PIX1 (config )#

Note: Unlike the router access list, the PIX access list uses a normal subnet mask instead of a wildcard subnet mask.

By using this access list, you can restrict the access of internal hosts to Web servers (routers) that are only in the external network ).

   Display and storage setting results

Now you have completed the configuration of the PIX Firewall. You can use the display command to display your settings.

Make sure you use the write memory or "wr m" command to store your settings. If you do not use this command, your settings will be lost when you turn off the power of the PIX Firewall.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.