ASA & PIX firewall transparent mode configuration

Source: Internet
Author: User

In transparent mode, the PIX behaves like a network cable: it bridges traffic between its interfaces instead of routing it.

Therefore, you do not need to assign the device a new network address. You only need to add a management IP address so that you can configure it later.

I. Upgrade the system

The PIX series firewall usually ships with IOS version 6.x, and only 7.0 and later support transparent mode.

So the first step is to upgrade the IOS.

Preparations:

Find a computer connected to the firewall (through a switch) and install the Cisco TFTP server software on it.

Go to www.skycn.com and you will find the Simplified Chinese version.

Then download a 7.0 .bin file (I downloaded pix701.bin) from the Cisco website and put it in the root directory of the TFTP server.

Now the actual procedure:

When the firewall powers on, press ESC to enter the monitor> prompt.

monitor> address 192.1.1.1 -- set the firewall's IP address

address 192.1.1.1

monitor> server 192.1.1.2 -- set the IP address of the TFTP server

server 192.1.1.2

monitor> ping 192.1.1.2 -- check that the TFTP server answers ping

Sending 5, 100-byte 0x7970 ICMP Echoes to 10.32.2.78, timeout is 4 seconds:

!!!!!

Success rate is 100 percent (5/5)

monitor> file pix701.bin -- give the full name of the .bin file you downloaded

file pix704.bin

monitor> tftp -- start loading the image

tftp ...........................

Wait patiently until the unprivileged ">" prompt appears. The image loaded over TFTP runs from memory only, so next copy the .bin file into flash so that the firewall can boot from it normally afterwards.

pixfirewall> en

Password:

pixfirewall# con t

pixfirewall(config)# interface ethernet1 -- enter interface configuration mode

pixfirewall(config-if)# ip address 192.1.1.1 255.255.255.0 -- configure the IP address of the e1 interface

pixfirewall(config-if)# nameif inside -- make the e1 interface the firewall's inside interface

INFO: Security level for "inside" set to 100 by default.

pixfirewall(config-if)# no shutdown -- activate the inside interface

pixfirewall(config-if)# ping 192.1.1.2 -- test connectivity to the TFTP server

Sending 5, 100-byte ICMP Echos to 192.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

pixfirewall(config-if)# exit -- leave interface configuration mode

pixfirewall(config)# copy tftp flash: -- copy the .bin file into flash

Address or name of remote host []? 192.1.1.2 -- IP address of the TFTP server

Source filename []? pix701.bin -- file name

Destination filename [pix701.bin]? pix701.bin -- confirm

Accessing t -- the copy starts; wait patiently

Writing file flash:pix701.bin ...!!!!!!!!!!!!!

5124096 bytes copied in 82.80 secs (62488 bytes/sec)

pixfirewall(config)# reload -- the upgrade is complete; restart. PS: the first boot takes a little longer than usual, don't worry.

II. Access control on the PIX is generally implemented with ACLs

1. Use access-list to create a list.

2. Use access-group <access-list name> in|out interface <interface name> to apply it to an interface.

III. Example

pixfirewall> en

Password:

pixfirewall# con t

pixfirewall(config)# interface ethernet0

pixfirewall(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

pixfirewall(config-if)# no shutdown

pixfirewall(config-if)# exit

pixfirewall(config)# interface ethernet1

pixfirewall(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

pixfirewall(config-if)# no shutdown

pixfirewall(config-if)# exit

Configure transparent mode:

pixfirewall(config)# firewall transparent -- set the firewall to transparent mode

pixfirewall(config)# access-list out-list extended permit icmp any any -- allow all ICMP

pixfirewall(config)# access-list out-list extended permit ip any any -- allow all IP traffic (every protocol, from and to any address)

pixfirewall(config)# access-group out-list in interface outside -- bind the access list inbound on the outside interface

pixfirewall(config)# access-group out-list out interface outside -- bind the access list outbound on the outside interface

pixfirewall(config)# ip address 192.168.11.1 255.255.255.0 -- management IP address for configuring the firewall later

access-list goout extended permit tcp any any eq 7411 -- port 7411 is allowed

access-list goout extended permit tcp any any eq 7412 -- port 7412 is allowed

...

Then add one more line:

access-list goout extended deny tcp any any -- block every TCP port except 7411 and 7412

access-group goout in interface outside -- apply the ACL inbound on the outside interface

access-group goout out interface outside -- apply the ACL outbound on the outside interface
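As an added illustration (not from the original post), the following Python model replays the post's access-list and access-group lines with PIX-style first-match semantics. It assumes top-down evaluation with an implicit deny after the last rule, and that binding a second access list to the same interface and direction replaces the first; under those assumptions, once goout is bound, out-list no longer applies and everything other than TCP 7411/7412, ICMP included, is dropped.

```python
import re

# Constructed patterns for the two PIX 7.x command forms used on this page.
ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) any any(?: eq (\d+))?$")
GROUP_RE = re.compile(r"access-group (\S+) (in|out) interface (\S+)$")


class PixAcl:
    """Minimal first-match model of PIX ACL handling (an assumption, not the real code path)."""

    def __init__(self, lines=()):
        self.acls = {}    # name -> [(action, proto, port or None)]
        self.bound = {}   # (interface, direction) -> acl name
        for line in lines:
            self.configure(line)

    def configure(self, line):
        if m := ACL_RE.match(line):
            name, action, proto, port = m.groups()
            self.acls.setdefault(name, []).append((action, proto, int(port) if port else None))
        elif m := GROUP_RE.match(line):
            name, direction, iface = m.groups()
            # One ACL per interface and direction: a later access-group replaces the earlier one.
            self.bound[(iface, direction)] = name
        else:
            raise ValueError("unsupported line: " + line)

    def permits(self, iface, direction, proto, dport=None):
        """Evaluate top-down; first match wins; implicit deny after the last rule."""
        name = self.bound.get((iface, direction))
        if name is None:
            raise LookupError("no ACL bound %s on %s" % (direction, iface))
        for action, acl_proto, acl_port in self.acls[name]:
            if acl_proto in (proto, "ip") and acl_port in (None, dport):
                return action == "permit"
        return False


# The post's two lists, in the order the post applies them (constructed from the page).
OUT_LIST = [
    "access-list out-list extended permit icmp any any",
    "access-list out-list extended permit ip any any",
    "access-group out-list in interface outside",
]
GOOUT = [
    "access-list goout extended permit tcp any any eq 7411",
    "access-list goout extended permit tcp any any eq 7412",
    "access-list goout extended deny tcp any any",
    "access-group goout in interface outside",  # silently replaces out-list inbound
]
```

PixAcl(OUT_LIST) permits everything inbound, while PixAcl(OUT_LIST + GOOUT) permits only TCP 7411 and 7412 and drops ICMP, so check which list is actually bound before trusting the earlier permit rules.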

Enable telnet:

telnet 192.168.11.0 255.255.255.0 inside

Add a user:

username cisco password cisco123456

IV. Differences between in and out in an ACL

In and out are relative terms. For example:

A (s0) ----- (s0) B (s1) -------- (s1) C

Suppose you want to deny A access to C, and you apply the ACL on B (C would also work). Replace the topology with an analogy:

B's s0 port is the front door and its s1 port is the back door; B is your living room; the front door leads to A and the back door leads to your vault (C).

If you want to keep thieves from A out, there are two ways to set up a gate in your living room:

1. Install an iron gate (ACL) at the front door of your living room (s0 of B) so that thieves cannot come in (in).

2. Install an iron gate at the back door (s1 of B). Thieves can enter your living room, but they still cannot go out (out) through the back door to your vault (C).

Both methods (in/out) achieve the effect, but they differ in performance.

Method 1 is the better choice: with method 2, although the thief does not reach the vault, he at least gets into your living room (B)

and dirties the carpet (B spends additional, unnecessary processing on traffic it will drop anyway).

Now suppose you want to put the iron gate (ACL) on C instead: should you use in or out there?

You can answer that question yourself.

Compared with a router, the incoming

An extended ACL should be placed close to the source; a standard ACL close to the destination.

In practice, the use of in and out is flexible.

Heiying kid's blog
