Cisco PIX Firewall Configuration Guide

Source: Internet
Author: User

Log in to the PIX 515E as the superuser (enable). The default password is empty; change it with the passwd command.
Firewall Configuration
The following describes the basic configuration steps that are used in general.
1. Create a user and change the password
It is basically the same as on a Cisco IOS router.
2. Activate the Ethernet port
Enter privileged mode with enable, then enter configuration mode.
Pix515e> enable
Password:
Pix515e# config t
Pix515e(config)# interface ethernet0 auto
Pix515e(config)# interface ethernet1 auto
By default, ethernet0 is the external network card (outside) and ethernet1 is the internal network card (inside). The inside interface is already active once the initial configuration succeeds, but the outside interface must be configured explicitly to activate it.
3. Name the ports and set security levels
Use the nameif command:
Pix515e(config)# nameif ethernet0 outside security0
Pix515e(config)# nameif ethernet1 inside security100
security0 is the security level of the external port outside (0 is the lowest security level).
security100 is the security level of the internal port inside. If there is a further Ethernet port in between, name it security10, security20, and so on. Multiple NICs form multiple networks; in general an extra Ethernet port is added as the dmz (demilitarized zone).
4. Configure the Ethernet port IP addresses
Command: ip address
For example, the intranet is 192.168.1.0 255.255.255.0 and the external network is 222.20.16.0 255.255.255.0:
Pix515e(config)# ip address inside 192.168.1.1 255.255.255.0
Pix515e(config)# ip address outside 222.20.16.1 255.255.255.0
5. Configure remote access (telnet)
By default the Ethernet ports of the PIX do not allow telnet, which differs from a router. The inside port can be opened for telnet directly; opening the outside port also depends on other security configuration.
Pix515e(config)# telnet 192.168.1.1 255.255.255.0 inside
Pix515e(config)# telnet 222.20.16.1 255.255.255.0 outside
Test telnet:
Go to [Start] -> [Run]
telnet 192.168.1.1
PIX passwd:
Enter password: cisco
6. Access lists (access-list)
This function is basically the same as on Cisco IOS and is also the main part of the firewall. It has two actions, permit and deny, and the protocol is generally ip, tcp, udp, icmp, and so on. For example, to allow only www (port 80) access to the host 222.20.16.254:
Pix515e(config)# access-list 100 permit tcp any host 222.20.16.254 eq www
Pix515e(config)# access-list 100 deny ip any any
Pix515e(config)# access-group 100 in interface outside
7. Address translation (nat) and port translation (pat)
NAT is basically the same as on a router.
First define the IP pool, which provides the address range that internal addresses are translated to, and then define the intranet segment:
Pix515e(config)# global (outside) 1 222.20.16.100-222.20.16.200 netmask 255.255.255.0
Pix515e(config)# nat (inside) 1 192.168.1.0 255.255.255.0
If all internal addresses may be translated:
Pix515e(config)# nat (inside) 1 0.0.0.0 0.0.0.0
In some cases the external addresses are very limited, and some hosts would each occupy an IP address on their own. To get around this, a public IP address (222.20.16.201) is used with one additional command; this is called PAT, and it lets many users share one IP address at the same time, a bit like a proxy server. The configuration is as follows:
Pix515e(config)# global (outside) 1 222.20.16.100-222.20.16.200 netmask 255.255.255.0
Pix515e(config)# global (outside) 1 222.20.16.201 netmask 255.255.255.0
Pix515e(config)# nat (inside) 1 0.0.0.0 0.0.0.0
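As an added illustration (not from the guide), the following Python model reads the global and nat lines above and shows how inside hosts are translated: one pool address per host until the pool is exhausted, after which the single address 222.20.16.201 is shared by port (PAT). The in-order pool allocation and the PAT port numbering starting at 1024 are constructed assumptions of the model, not PIX internals.

```python
# Constructed model of PIX dynamic NAT with a PAT address behind the pool.
# Assumptions (not PIX internals): pool addresses are handed out in order
# and PAT source ports start at 1024. One nat_id only.
from ipaddress import ip_address, ip_network


def parse_nat_config(config):
    """Collect the pool, the PAT address and the nat networks from config text."""
    pool, pat, nets = [], None, []
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "global":
            if "-" in t[3]:                       # global (outside) 1 first-last
                first, last = (int(ip_address(a)) for a in t[3].split("-"))
                pool += [str(ip_address(a)) for a in range(first, last + 1)]
            else:                                 # single address: PAT
                pat = t[3]
        elif t[0] == "nat":                       # nat (inside) 1 net mask
            nets.append(ip_network(t[3] + "/" + t[4], strict=False))
    return pool, pat, nets


class Translator:
    def __init__(self, config):
        self.free, self.pat, self.nets = parse_nat_config(config)
        self.nat = {}          # inside ip -> pool address (one-to-one)
        self.pat_map = {}      # (inside ip, port) -> (pat address, port)
        self.next_port = 1024

    def translate(self, inside_ip, inside_port):
        """Return the (global ip, global port) an outbound session gets, or None."""
        if not any(ip_address(inside_ip) in n for n in self.nets):
            return None                           # not covered by a nat statement
        if inside_ip in self.nat:
            return self.nat[inside_ip], inside_port
        if self.free:                             # dynamic NAT: whole address per host
            self.nat[inside_ip] = self.free.pop(0)
            return self.nat[inside_ip], inside_port
        if self.pat is None:
            return None                           # pool exhausted, no PAT address
        key = (inside_ip, inside_port)            # PAT: many hosts share one address
        if key not in self.pat_map:
            self.pat_map[key] = (self.pat, self.next_port)
            self.next_port += 1
        return self.pat_map[key]


# The guide's own global/nat lines, with the prompts stripped.
CONFIG = """
global (outside) 1 222.20.16.100-222.20.16.200 netmask 255.255.255.0
global (outside) 1 222.20.16.201 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
"""
```

The pool holds 101 addresses, so the 102nd inside host is the first one to land on the PAT address.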
8. DHCP server
On the internal network, a DHCP server (dynamic host IP address allocation) is enabled for centralized management and full use of the limited IP addresses. The Cisco PIX firewall has this function. The following is a simple DHCP server configuration; the address range is 192.168.1.100-192.168.1.200.
DNS: primary 202.96.128.68, secondary 202.96.144.47
The domain name is abc.com.cn.
DHCP client using the PIX firewall (the outside interface obtains its address by DHCP):
Pix515e(config)# ip address outside dhcp
DHCP server configuration:
Pix515e(config)# dhcpd address 192.168.1.100-192.168.1.200 inside
Pix515e(config)# dhcpd dns 202.96.128.68 202.96.144.47
Pix515e(config)# dhcpd domain abc.com.cn
Pix515e(config)# dhcpd enable inside
9. Static port redirection (port redirection with static)
Port redirection was added in PIX version 6.0 and later. It allows external users to reach a specified internal server through the PIX via a particular IP address and port, and can be used to publish internal www, ftp, mail, and other servers. Rather than exposing the server directly, port redirection protects the internal server.
Command format:
static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip
[netmask mask] [max_conns [emb_limit [norandomseq]]]
static [(internal_if_name, external_if_name)] {tcp | udp} {global_ip | interface} global_port local_ip local_port
[netmask mask] [max_conns [emb_limit [norandomseq]]]
! ---- External users connect to the telnet port of 222.20.16.99 and are redirected by the PIX to the telnet port (23) of the internal host 192.168.1.99.
Pix515e(config)# static (inside,outside) tcp 222.20.16.99 telnet 192.168.1.99 telnet netmask 255.255.255.255 0 0
! ---- External users connect to ftp on 222.20.16.99 and are redirected by the PIX to the internal ftp server 192.168.1.3.
Pix515e(config)# static (inside,outside) tcp 222.20.16.99 ftp 192.168.1.3 ftp netmask 255.255.255.255 0 0
! ---- External users connect to www (port 80) on 222.20.16.208 and are redirected by the PIX to www (port 80) on the internal host 192.168.1.2.
Pix515e(config)# static (inside,outside) tcp 222.20.16.208 www 192.168.1.2 www netmask 255.255.255.255 0 0
! ---- External users connect to http on port 8080 of 222.20.16.201 and are redirected by the PIX to www (port 80) on the internal host 192.168.1.4.
Pix515e(config)# static (inside,outside) tcp 222.20.16.201 8080 192.168.1.4 www netmask 255.255.255.255 0 0
! ---- External users connect to smtp (port 25) on 222.20.16.5 and are redirected by the PIX to smtp (port 25) on the internal mail host 192.168.1.5.
Pix515e(config)# static (inside,outside) tcp 222.20.16.5 smtp 192.168.1.5 smtp netmask 255.255.255.255 0 0
10. Display and save the configuration
Run the show config command to display it.
Save with write memory.
 
The PIX Firewall provides four access modes:
Unprivileged mode. The PIX Firewall is in this mode after its startup self-test. The prompt is pixfirewall>
Privileged mode. Enter enable to enter privileged mode, where the current configuration can be changed. The prompt is pixfirewall#
Configuration mode. Enter configure terminal to enter this mode; most system configuration is performed here. The prompt is pixfirewall(config)#
Monitor mode. While the PIX Firewall is starting or restarting, press and hold the Escape key or send a "Break" character to enter monitor mode, which is used to update the operating system image and for password recovery. The prompt is monitor>

There are six basic commands for configuring the PIX Firewall: nameif, interface, ip address, nat, global, and route.
These commands are required in any PIX configuration. Follow these steps:
1. Name the firewall interfaces and assign security levels (nameif)
Pix525(config)# nameif ethernet0 outside security0
Pix525(config)# nameif ethernet1 inside security100
Pix525(config)# nameif ethernet2 dmz security50
Tip: in the default configuration, ethernet0 is named the external interface (outside) with security level 0, and ethernet1 is named the internal interface (inside) with security level 100. Additional interfaces take a security level in the range 1 to 99; the larger the number, the higher the security level. When a new interface is added, the statement can be written as follows:
Pix525(config)# nameif pix/intf3 if_name security40 (if_name is the interface name, security40 its security level)

2. Configure the Ethernet interface parameters (interface)
Pix525(config)# interface ethernet0 auto (auto lets the system negotiate the NIC speed and duplex)
Pix525(config)# interface ethernet1 100full (100full means 100 Mbit/s full-duplex Ethernet)
Pix525(config)# interface ethernet1 100full shutdown (shutdown disables this interface; to enable it again, re-enter the command without shutdown)

3. Configure the IP addresses of the internal and external interfaces (ip address)
Pix525(config)# ip address outside 61.144.51.42 255.255.255.248
Pix525(config)# ip address inside 192.168.0.1 255.255.255.0
So the Internet-facing IP address of the Pix525 firewall is 61.144.51.42 and its intranet IP address is 192.168.0.1.

4. Specify the internal addresses to be translated (nat)
Network address translation (nat) converts the private IP addresses of the intranet into public IP addresses on the Internet. The nat command is always used together with the global command: nat specifies which host or range of hosts may access the Internet, and when they do, they use the address pool specified by global. nat command syntax: nat (if_name) nat_id local_ip [netmask]
(if_name) is the name of the intranet interface, for example inside. nat_id identifies the global address pool and matches the corresponding global command. local_ip is the intranet address range; for example, 0.0.0.0 means all hosts on the intranet may access the Internet. [netmask] is the subnet mask of the intranet IP range.
Example 1. Pix525(config)# nat (inside) 1 0 0
Enables nat for all hosts in the intranet; 0 stands for 0.0.0.0.
Example 2. Pix525(config)# nat (inside) 1 172.16.5.0 255.255.255.0
Only hosts in the network segment 172.16.5.0 may access the Internet.

5. Specify the external address range (global)
The global command translates an intranet IP address into an Internet IP address or an address range. global command syntax: global (if_name) nat_id ip_address-ip_address [netmask global_mask]
(if_name) is the name of the Internet interface, for example outside. nat_id identifies the global address pool so that it matches the corresponding nat command. ip_address-ip_address is a single translated IP address or a range of IP addresses. [netmask global_mask] is the network mask of the global IP addresses.
Example 1. Pix525(config)# global (outside) 1 61.144.51.42-61.144.51.48
When an intranet host accesses the Internet through the PIX firewall, the PIX assigns it a global IP address from the pool 61.144.51.42-61.144.51.48.
Example 2. Pix525(config)# global (outside) 1 61.144.51.42
When the intranet accesses the Internet, the PIX firewall uses the single IP address 61.144.51.42 for all hosts.
Example 3. Pix525(config)# no global (outside) 1 61.144.51.42
Deletes the global entry.

6. Set routes pointing to the intranet and the Internet (route)
Defines a static route. route command syntax: route (if_name) 0 0 gateway_ip [metric]
(if_name) is the interface name, such as inside or outside. gateway_ip is the IP address of the gateway router. [metric] is the number of hops to gateway_ip; the default is 1.
Example 1. Pix525(config)# route outside 0 0 61.144.51.168 1
A default route pointing to the router (IP address 61.144.51.168).
Example 2. Pix525(config)# route inside 10.1.1.0 255.255.255.0 172.16.0.1 1
Pix525(config)# route inside 10.2.0.0 255.255.0.0 172.16.0.1 1
If the internal network has only one network segment, set a default route as in Example 1. If there are several internal networks, configure more than one static route. The commands above create a static route to 10.1.1.0 (and one to 10.2.0.0) whose next-hop router is 172.16.0.1.

OK. Once you understand these six basic commands, you can move on to some advanced configuration of the PIX Firewall.

A. Configure static IP address translation (static)
When a session is initiated from the Internet whose destination is an intranet address, the static command translates the internal address into a specified global address so that the session can be established. static command syntax: static (internal_if_name, external_if_name) outside_ip_address inside_ip_address. internal_if_name is the internal network interface, which has the higher security level, such as inside.
external_if_name is the external network interface, which has the lower security level, such as outside. outside_ip_address is the IP address on the lower-security interface that is being accessed. inside_ip_address is the local IP address on the internal network.
Example 1. Pix525(config)# static (inside,outside) 61.144.51.62 192.168.0.8
The host with IP address 192.168.0.8 is translated to the global address 61.144.51.62 for every session created through the PIX firewall; the static command also creates a permanent mapping between the internal IP address 192.168.0.8 and the external IP address 61.144.51.62.
Example 2. Pix525(config)# static (inside,outside) 192.168.0.2 10.0.1.3
Example 3. Pix525(config)# static (dmz,outside) 211.48.16.2 172.16.10.8
As the examples show, the static command sets a permanent global IP address for a specific internal IP address. This creates an entry that lets sessions from a lower-security interface reach a host on a higher-security interface.


B. Conduit command (conduit)
As mentioned earlier, the static command creates a static mapping between a local IP address and a global IP address; however, connections from external interfaces to internal interfaces are still blocked by the Adaptive Security Algorithm (ASA) of the PIX Firewall. The conduit command allows traffic to flow from an interface with a lower security level to one with a higher security level, for example to allow inbound sessions from the outside to the DMZ or inside interfaces. For connections to internal interfaces, static and conduit are used together to permit the session.
conduit command syntax:
conduit permit | deny protocol {global_ip global_mask | host global_ip | any} [eq port] {foreign_ip foreign_mask | host foreign_ip | any} [eq port]
permit | deny: allow or deny access
global_ip is a global IP address previously defined by the global or static command. If global_ip is 0, use any instead of 0. If global_ip is a single host, use the host keyword.
port is the port used by the service, such as 80 for www or 25 for smtp; it may be given after eq as a service name or a port number.
protocol is the connection protocol, such as tcp, udp, or icmp.
foreign_ip is the external IP address allowed to access global_ip. Any host is written as any. If foreign_ip is a single host, use the host keyword.
Example 1. Pix525(config)# conduit permit tcp host 192.168.0.8 eq www any
Allows any external host to make http access to the host whose global address is 192.168.0.8. eq followed by a port allows or denies access to that port only; eq ftp, for example, allows or denies only ftp.
Example 2. Pix525(config)# conduit deny tcp any eq ftp host 61.144.51.89
The external host 61.144.51.89 is not allowed to access any global address through ftp.
Example 3. Pix525(config)# conduit permit icmp any any
Allows icmp messages to pass between internal and external hosts.
Example 4. Pix525(config)# static (inside,outside) 61.144.51.62 192.168.0.3
Pix525(config)# conduit permit tcp host 61.144.51.62 eq www any
This example shows the relationship between static and conduit. 192.168.0.3 is a web server on the intranet, and we want Internet users to reach it through the PIX Firewall. First create the static mapping 192.168.0.3 -> 61.144.51.62 (global), then use the conduit command to allow any external host http access to the global address 61.144.51.62.
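As an added example (not from the guide), the following Python model parses static lines in both the one-to-one form from section A and the port-redirect form from section 9, together with conduit lines from this section, and decides whether an inbound session is translated and permitted. First-match conduit evaluation and the "drop" (no static) versus "deny" (no permitting conduit) verdicts are the model's assumptions; the CONFIG lines are the guide's own commands with the prompts stripped.

```python
# Constructed model (not PIX code) of how static and conduit decide an inbound
# session; assumes conduits match first in entry order.
from ipaddress import ip_address, ip_network

SERVICES = {"www": 80, "http": 80, "ftp": 21, "telnet": 23, "smtp": 25}
port_of = lambda tok: SERVICES.get(tok) or int(tok)   # service name or number

def take_addr(toks, i):
    """Consume 'any', 'host A' or 'A MASK' at toks[i]; return (network, next i)."""
    if toks[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ip_network(toks[i + 1] + "/32"), i + 2
    return ip_network(toks[i] + "/" + toks[i + 1], strict=False), i + 2

def parse(config):
    statics, conduits = [], []
    for line in config.strip().splitlines():
        t = line.replace(", ", ",").split()
        if t[0] == "static":
            r = t[2:]                          # drop '(inside,outside)'
            if r[0] in ("tcp", "udp"):         # port-redirect form (section 9)
                statics.append((r[0], r[1], port_of(r[2]), r[3], port_of(r[4])))
            else:                              # one-to-one form (section A)
                statics.append((None, r[0], None, r[1], None))
        elif t[0] == "conduit":
            gnet, i = take_addr(t, 3)
            gport = None
            if t[i] == "eq":                   # optional 'eq PORT' on the global side
                gport, i = port_of(t[i + 1]), i + 2
            conduits.append((t[1], t[2], gnet, gport, take_addr(t, i)[0]))
    return statics, conduits

def inbound(rules, proto, src, dst, dport):
    """Return (verdict, local_ip, local_port) for a session arriving on outside."""
    statics, conduits = rules
    local = None
    for p, g, gp, l, lp in sorted(statics, key=lambda s: s[0] is None):
        if g == dst and (p is None or (p == proto and gp == dport)):
            local = (l, dport) if p is None else (l, lp)   # port-redirect wins
            break
    if local is None:
        return "drop", None, None              # no static translates this global IP
    for action, cproto, gnet, gport, fnet in conduits:
        if (cproto == proto and ip_address(dst) in gnet
                and gport in (None, dport) and ip_address(src) in fnet):
            return action, local[0], local[1]
    return "deny", local[0], local[1]          # ASA default: inbound is blocked

CONFIG = """
static (inside, outside) 61.144.51.62 192.168.0.3
static (inside, outside) tcp 222.20.16.201 8080 192.168.1.4 www
conduit permit tcp host 61.144.51.62 eq www any
conduit deny tcp any eq ftp host 61.144.51.89
conduit permit tcp host 222.20.16.201 eq 8080 any
"""
RULES = parse(CONFIG)
```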

C. Configure the fixup protocol
The fixup command enables or disables inspection of a service or protocol. The port given in the fixup command is the port on which the PIX Firewall listens for that service. See the following examples:
Example 1. Pix525(config)# fixup protocol ftp 21
Enables the ftp protocol and sets its port number to 21.
Example 2. Pix525(config)# fixup protocol http 80
Pix525(config)# fixup protocol http 1080
Specifies ports 80 and 1080 for the http protocol.
Example 3. Pix525(config)# no fixup protocol smtp 25
Disables the smtp protocol.

D. Set up telnet
Telnet access changed between versions. Before PIX OS 5.0 (PIX OS is the PIX operating system), the PIX could only be reached by telnet from hosts on the internal network. In PIX OS 5.0 and later, telnet to the PIX can be enabled on all interfaces. When telnet from an external interface to the PIX Firewall is needed, the telnet traffic must be protected by IPsec; that is, the PIX must be configured to establish an IPsec tunnel to another PIX, a router, or a VPN client. Alternatively, SSH can be configured on the PIX and an SSH client used to reach the PIX Firewall from the outside. The PIX supports SSH1 and SSH2; SSH1 is free of charge while SSH2 is commercial software. By contrast, telnet on a Cisco router is not as good.
telnet command syntax: telnet local_ip [netmask]
local_ip is the IP address authorized to access the PIX through telnet. If this is not set, the PIX can only be configured from the console.
