Cisco PIX Firewall Basic Command Configuration and explanation

Source: Internet
Author: User
Tags failover snmp connection reset domain name server ftp access ftp protocol

A major part of enterprise security policy is to implement and maintain firewalls, so firewalls play an important role in the implementation of network security. Firewalls are typically located on the edge of the corporate network, which isolates the internal network from the Internet, or with other external networks, and restricts network visits to protect the internal network of the enterprise. The purpose of setting up a firewall is to establish a unique channel between the intranet and the extranet, simplifying the security management of the network.

The Cisco PIX Firewall is one of the best performance for all of the same products in many enterprise-class mainstream firewalls. CISCO PIX Series Firewalls currently have 5 models of pix506,515,520,525,535. PIX535 is the newest and most powerful feature in the PIX 500 series. It provides operator-level processing power for large ISPs, etc.

Service providers. But the PIX-specific OS operating system makes most of the management through the command line, not like other firewalls through the Web management interface for network management, which will cause inconvenience to beginners.


This article will show you how to configure the Cisco PIX Firewall through an example.


Before configuring the PIX firewall, let's introduce the physical characteristics of the firewall. Firewalls typically have at least 3 interfaces, but many of the earlier firewalls have only 2 interfaces; when using a


With a 3-interface firewall, at least 3 networks are generated, as described below:

Internal area (intranet). An internal area is usually an internal network or part of an enterprise's internal network. It is the trusted area of the interconnected network, which is a firewall


of protection.

External area (outside network). An external area usually refers to an Internet or a non-enterprise internal network. It is an untrusted zone in an interconnected network when the external zone wants to access the inner zone


The domain hosts and services, through the firewall, can achieve limited access.

Ceasefire zone (DMZ). The ceasefire zone is an isolated network, or several networks. Hosts or servers located in the ceasefire zone are known as bastion hosts. It can be placed in a ceasefire zone normally.


Web servers, mail servers, and so on. The ceasefire zone is usually accessible to external users, which allows external users to access publicly available information about the enterprise, but does not allow them to access the enterprise


Internal network. Note: The 2-interface firewall is not a ceasefire zone.


Since PIX535 is not universal at the enterprise level, the following is a description of the PIX525 application in the Enterprise network.


The PIX Firewall provides 4 administrative access modes:

2 non-privileged mode. The PIX firewall is in this mode after it has been post. The system is displayed as Pixfirewall>

2 privileged mode. Enter enable to enter privileged mode to change the current configuration. Display as pixfirewall#

2 configuration mode. Input configure terminal into this mode, most of the system configuration is done here. Display as Pixfirewall (config) #

2 monitoring mode. The PIX firewall enters monitoring mode by holding the escape key or sending a "break" character during power-on or restart. Here you can update the operating system image and


Password recovery. Display as Monitor>


The configuration of the PIX firewall has 6 basic commands: Nameif,interface,ip Address,nat,global,route.

These commands are required to configure the PIX. Here are the basic steps to configure:

1. Configure the name of the firewall interface and specify the security level (Nameif).

Pix525 (config) #nameif ethernet0 outside Security0

Pix525 (config) #nameif ethernet1 inside security100

Pix525 (config) #nameif DMZ security50

Tip: In the default configuration, Ethernet 0 is named external interface (outside), security level is 0, Ethernet 1 is named internal interface (inside), and security level is 100. Security level


Do not take a value range of 1~99, the higher the number, the higher the security level. If you add a new interface, the statement can be written like this:

Pix525 (config) #nameif pix/intf3 security40 (Security level)


2. Configuring the Ethernet port parameters (interface)

Pix525 (config) #interface ethernet0 auto (auto option indicates system adaptive NIC type)

Pix525 (config) #interface ethernet1 100full (100full option represents 100mbit/s Ethernet full-duplex communication)

Pix525 (config) #interface ethernet1 100full shutdown (shutdown option indicates that the interface is turned off, if the interface is removed shutdown)


3. Configure the IP address of the internal and external network adapter

Pix525 (config) #ip address outside 61.144.51.42 255.255.255.248

Pix525 (config) #ip address inside 192.168.0.1 255.255.255.0

It is obvious that the IP address of the Pix525 firewall in the external network is 61.144.51.42, the intranet IP address is 192.168.0.1


4. Specify the internal address (NAT) to be converted

The function of network address translation (NAT) is to convert the private IP of the intranet into the public IP of the extranet. The NAT command is always used with the global command because the NAT command can specify a host or a range of hosts to access the extranet, and access to the extranet requires external access using the address pool specified by global.


NAT command Configuration Syntax: Nat (if_name) nat_id local_ip

Where (If_name) represents the intranet interface name, such as inside. The nat_id is used to identify the global address pool so that it matches its corresponding global command, and LOCAL_IP represents the IP address assigned to the intranet. For example, 0.0.0.0 indicates that all hosts in the intranet can be accessed externally. Represents the subnet mask for the intranet IP address.


Example 1. Pix525 (config) #nat (inside) 1 0 0

means that NAT is enabled, and all hosts in the intranet can access the extranet, with 0 representing 0.0.0.0

Example 2. Pix525 (config) #nat (inside) 1 172.16.5.0 255.255.0.0

Indicates that only 172.16.5.0 in this network segment can access the extranet.


5. Specify an external address range (global)

The global command translates the IP address of the intranet into an external IP address or a range of addresses. Configuration syntax for the global command: Global (if_name) nat_id ip_address-ip_address

Where (If_name) represents the name of an extranet interface, such as outside. The nat_id is used to identify the global address pool so that it matches its corresponding NAT command, and Ip_address-ip_address represents a single translated IP address or a range of IP addresses. Represents the network mask for the global IP address.

Example 1. Pix525 (config) #global (outside) 1 61.144.51.42-61.144.51.48

Indicates that the PIX firewall will use the 61.144.51.42-61.144.51.48 IP address pool To assign a global IP address to the host that will access the extranet when the host on the intranet is going to access the extranet through the PIX firewall.


Example 2. Pix525 (config) #global (outside) 1 61.144.51.42

Indicates that when the intranet is going to access the extranet, the PIX firewall will use the 61.144.51.42 single IP address for all hosts accessing the extranet.


Example 3. Pix525 (config) #no Global (outside) 1 61.144.51.42

Represents the deletion of this global table entry.


6. Set up static routes (route) to intranet and extranet

Defines a static route. Route command configuration Syntax: Route (if_name) 0 0 gateway_ip

Where (If_name) represents the interface name, such as Inside,outside. The GATEWAY_IP represents the IP address of the gateway router. Represents the number of hops to gateway_ip. Usually the default is 1.

Example 1. Pix525 (config) #route outside 0 0 61.144.51.168 1

Represents a default route that points to a border router (IP address 61.144.51.168).

Example 2. Pix525 (config) #route inside 10.1.1.0 255.255.255.0 172.16.0.1 1

Pix525 (config) #route inside 10.2.0.0 255.255.0.0 172.16.0.1 1

If the internal network has only one network segment, set a default route as in Example 1, and if multiple networks exist internally, you need to configure more than one static route. The above command indicates


A static route to the network 10.1.1.0 is created, and the next router IP address for the static route is 172.16.0.1


These 6 basic commands, if understood, can go into some advanced configurations of the PIX firewall.


A. Configuring static IP address Translation (static)

If a session is initiated from the extranet, the destination address of the session is an intranet IP address, and static translates the internal address into a specified global address, allowing this session to be established.


Static command configuration syntax: Static (internal_if_name,external_if_name) outside_ip_address inside_ ip_address where internal_if_ The name represents an internal network interface with a high security level.

such as inside.

External_if_name is an external network interface with a low security level. such as outside and so on. Outside_ip_address is the IP address on the interface that is accessing the lower security level.


Inside_ IP_Address is the local IP address of the internal network.

Example 1. Pix525 (config) #static (inside, outside) 61.144.51.62 192.168.0.8

A host that represents an IP address of 192.168.0.8, for each session established through the PIX firewall, is translated into the global address of 61.144.51.62, and can also be understood as a static command to create an internal IP address 192.168.0.8 and an external IP address 61.144.51.62 between State mappings.

Example 2. Pix525 (config) #static (inside, outside) 192.168.0.2 10.0.1.3

Example 3. Pix525 (config) #static (DMZ, outside) 211.48.16.2 172.16.10.8

Note the same example 1. Using the static command allows us to set a permanent global IP address for a specific internal IP address, as illustrated by the above examples. This allows a portal to be created for the specified interface with a lower security level, allowing them to enter the specified interface with a higher security level.


B. Pipeline command (CONDUIT)

As I said before, using the static command creates a static mapping between a local IP address and a global IP address, but connections from the outside to the internal interface are still blocked by the PIX firewall


Adaptive Security Algorithm (ASA) blocking, the conduit command is used to allow traffic to flow from an interface with a lower security level to an interface with a higher level of security, such as a session that allows incoming directions from outside to the DMZ or internal interface. For connections to internal interfaces, the static and conduit commands are used together to specify the establishment of the session.


Conduit command Configuration syntax:

Conduit Permit | Deny GLOBAL_IP port<-port> protocol Foreign_ip

Permit | Deny Allow | Access Denied

GLOBAL_IP refers to a global IP address that was previously defined by the global or static command, and if GLOBAL_IP is 0, use any instead of 0; if Global_ip is a host, use host


The parameter is made.

Port refers to the ports that the service acts on, such as www using 80,SMTP 25 and so on, and we can specify the port by service name or port number.

Protocol refers to the connection protocol, such as: TCP, UDP, ICMP, and so on.

The FOREIGN_IP represents an external IP that can access the GLOBAL_IP. For any host, it can be represented by any. If Foreign_ip is a host, use the host command parameter.

Example 1. Pix525 (config) #conduit permit tcp host 192.168.0.8 eq www any

This example indicates that any external host is allowed HTTP access to this host for the global address 192.168.0.8. where EQ and a port are used to allow or deny access to this port. Eq


FTP means allowing or denying access to FTP only.

Example 2. Pix525 (config) #conduit deny TCP any EQ FTP host 61.144.51.89

Indicates that an external host 61.144.51.89 is not allowed to FTP access to any global address.

Example 3. Pix525 (config) #conduit permit ICMP any any

Indicates that ICMP messages are allowed to pass internally and externally.

Example 4. Pix525 (config) #static (inside, outside) 61.144.51.62 192.168.0.3

Pix525 (config) #conduit permit tcp host 61.144.51.62 eq www any

This example illustrates the relationship between static and conduit. 192.168.0.3 is a Web server and now hopes that users of the extranet will be able to get web services through the PIX firewall. So do it first.


Static statically mapped: 192.168.0.3->61.144.51.62 (Global), and then use the Conduit command to allow any external host HTTP access to the global address 61.144.51.62.


C. Configuring the Fixup protocol

The fixup command function is to enable, disable, change a service or protocol through the PIX firewall, the port specified by the fixup command is the service that the PIX firewall is listening on. See the following example:

Example 1. Pix525 (config) #fixup protocol ftp 21

Enable the FTP protocol and specify that the port number for FTP is 21

Example 2. Pix525 (config) #fixup protocol HTTP 80

Pix525 (config) #fixup protocol HTTP 1080

Specify 80 and 10,802 ports for the HTTP protocol.

Example 3. Pix525 (config) #no fixup protocol SMTP 80

Disables the SMTP protocol.



D. Setting up Telnet

Telnet has a version of the change. Before the PIX OS 5.0 (the version number of the PIX OS), the PIX can only be accessed via Telnet from hosts on the internal network. In PIX OS 5.0 and later versions, Telnet to PIX Access can be enabled on all interfaces. When you want to telnet to the PIX firewall from the external interface, the Telnet traffic needs to be protected with IPSec, which means that the user must configure the PIX to establish an IPSec tunnel to another pix, router, or VPN client. The other is to configure SSH on the pix, then telnet to the PIX firewall with SSH client, the PIX supports SSH1 and SSH2, but SSH1 is freeware, SSH2 is commercial software. In contrast, the Cisco router's Telnet is not doing much good.


Telnet configuration syntax: Telnet local_ip

LOCAL_IP represents the IP address that is authorized to access the PIX via Telnet. If this item is not set, the PIX is configured only by the console.


Here is a configuration example for your reference, configuration examples are described below, the PIX firewall directly placed in the interface with the Internet, where the network environment has more than 10 public IP, may have a friend asked if my public IP is limited what to do? You can add router to the front of the PIX, or global uses a single IP address, and the IP address of the external interface is the same. Another maintenance command is also useful, show interface view port status, show static view static address mapping, show IP View interface IP address, ping outside | Inside


IP_Address determine connectivity.



Welcome to the PIX firewall


Type help or '? ' for a list of available commands.

Pix525> en

Password:

Pix525#sh Config

: Saved

:

PIX version 6.0 (1)------PIX Current Operating system version is 6.0

Nameif Ethernet0 outside Security0

Nameif Ethernet1 inside security100------shows that the PIX currently has only 2 interfaces

Enable Password 7Y051HHCCOIRTSQZ Encrypted

Passed 7Y051HHCCOIRTSQZ encrypted------The PIX firewall password is encrypted by default and is not displayed in clear text in the configuration file, and the Telnet password defaults to


Cisco

Hostname PIX525------Host name is PIX525

Domain-name 123.com------A local domain name server 123.com, typically used as an external access

Fixup protocol FTP 21

Fixup protocol HTTP 80

Fixup protocol h323 1720

Fixup protocol Rsh 514

Fixup protocol SMTP 25

Fixup protocol sqlnet 1521

Fixup protocol SIP 5060------Some services or protocols that are currently enabled, note that the RSH service cannot change the port number

Names------resolve the local hostname to the IP address, in the configuration can use the name in place of the IP address, is not currently set, so the list is empty

Pager lines------per 24 lines of page

Interface Ethernet0 Auto

Interface Ethernet1 Auto------Set the two network card type as adaptive

MTU outside 1500

MTU inside------Ethernet Standard MTU length of 1500 bytes


IP address outside 61.144.51.42 255.255.255.248

IP address inside 192.168.0.1 255.255.255.0------The IP addresses of the PIX extranet 61.144.51.42, the IP address of the intranet 192.168.0.1

IP Audit Info Action Alarm

IP audit Attack Action alarm------2 commands for PIX intrusion detection. When a packet has an attack or report type signature, the PIX takes an alarm action (the default action),


Generates syslog messages to the specified logging host, as well as actions such as dropping packets and sending a TCP connection reset signal, which need to be configured separately.

PDM history enable------PIX Device Manager to monitor the PIX graphically

ARP Timeout 14400------ARP table time-out

Global (outside) 1 61.144.51.46------If you visit an external forum or chat with QQ, etc., the IP shown above is this

Nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Static (inside, outside) 61.144.51.43 192.168.0.8 netmask 255.255.255.255 0 0

Conduit permit ICMP any any

Conduit permit TCP host 61.144.51.43 eq www any

Conduit permit UDP host 61.144.51.43 eq domain any

------provide domain-name service with 61.144.51.43 This IP address, and only allow external users to access the UDP port of domain

Route outside 0.0.0.0 0.0.0.0 61.144.51.61 1------External Gateway 61.144.51.61

Timeout xlate------After an internal device has been translated (global) to an external IP packet, after the default of 3 hours, if the packet is not active, the previously created


The table entry is removed from the translation table, releasing the global address that the device occupies

Timeout conn half-closed 0:100 UDP 0:02:00 RPC 0:10:00 h323 0:05:00 sip 0:30:00 Sip_media 0:02:00

Timeout Uauth 0:05:00 Absolute------AAA authentication Time Out, absolute indicates continuous operation Uauth Timer, after user timeout, will force re-authentication

Aaa-server TACACS + protocol Tacacs +

Aaa-server RADIUS Protocol RADIUS------Two protocols for the AAA server. AAA means certification, authorization, audit. PIX Firewall can increase internal network through AAA server


The security

No snmp-server location

No Snmp-server Contact

Snmp-server Community public------There is no SNMP workstation, there is no location and contact

No snmp-server enable traps------Send SNMP Traps

Floodguard enable------Prevent someone from forging a large number of authentication requests, using up the PIX's AAA resources

No sysopt Route Dnat

Telnet Timeout 5

SSH Timeout 5------Time-out for using SSH to access the PIX

Terminal Width 80

Cryptochecksum:a9f03ba4ddb72e1ae6a543292dd4f5e7

pix525#

Pix525#write memory------Save the configuration


This article is just a description of the basic configuration of the PIX firewall, some other features of the PIX such as AAA server, VPN, etc. are limited to space, no longer introduced.


If interested readers have access to the following resources:

Http://www.cisco.com/global/CN/products/sc/index.shtml

PIX Firewall Chinese Information

Http://www.cisco.com/en/US/products...ons_guides.html

PIX Firewall English official website, detailed technical information

Http://www.net130.com/ccnp-labs/index.htm

NET130 's PIX Online Experiment section


Configuration of the PIX525:

pixfirewall# Show config

: Saved

:

PIX Version 5.3 (2)

Nameif Ethernet0 outside Security0

Nameif Ethernet1 inside security100

Nameif Ethernet2 INTF2 Security10

Enable password 2kfqnbnidi.2kyou encrypted

passwd 2kfqnbnidi.2kyou Encrypted

Hostname Pixfirewall

Fixup protocol FTP 21

Fixup protocol HTTP 80

Fixup protocol h323 1720

Fixup protocol Rsh 514

Fixup protocol RTSP 554

Fixup protocol SMTP 25

Fixup protocol sqlnet 1521

Fixup protocol sip 5060

Names

Pager lines 24

Logging on

No logging timestamp

No logging Standby

No logging console

No logging monitor

No logging buffered

No logging trap

No logging history

Logging Facility 20

Logging Queue 512

Interface Ethernet0 Auto

Interface Ethernet1 Auto

Interface Ethernet2 Auto

MTU outside 1500

MTU Inside 1500

MTU INTF2 1500

IP address outside 218.91.154.195 255.255.255.0

IP address inside 172.16.10.253 255.255.255.0

IP address INTF2 192.168.20.1 255.255.255.0

IP Audit Info Action Alarm

IP Audit Attack Action Alarm

No failover

Failover Timeout 0:00:00

Failover Poll 15

Failover IP address outside 0.0.0.0

Failover IP address inside 0.0.0.0

Failover IP Address INTF2 0.0.0.0

ARP Timeout 14400

Global (Outside) 1 218.91.154.194 netmask 255.255.255.0

Nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Alias (inside) 10.77.137.8 218.91.154.196 255.255.255.255

Alias (inside) 10.77.137.9 218.91.154.206 255.255.255.255

Alias (inside) 10.77.137.12 218.91.154.198 255.255.255.255

Alias (inside) 10.77.137.6 218.91.154.197 255.255.255.255

Static (Inside,outside) 218.91.154.206 10.77.137.9 netmask 255.255.255.255 0 0

Static (Inside,outside) 218.91.154.197 10.77.137.6 netmask 255.255.255.255 0 0

Static (Inside,outside) 218.91.154.198 10.77.137.12 netmask 255.255.255.255 0 0

Static (Inside,outside) 218.91.154.196 10.77.137.8 netmask 255.255.255.255 0 0

Conduit permit ICMP any any

Conduit permit TCP host 218.91.154.196 eq www any

Conduit permit TCP host 218.91.154.197 eq SMTP any

Conduit permit TCP host 218.91.154.197 eq POP3 any

Conduit permit TCP host 218.91.154.198 eq FTP any

Conduit permit TCP host 218.91.154.206 eq www any

Conduit permit TCP host 218.91.154.206 eq POP3 any

Conduit permit TCP host 218.91.154.206 eq SMTP any

Conduit permit TCP host 218.91.154.197 eq www any

Conduit permit TCP host 218.91.154.198 eq www any

Conduit permit TCP host 218.91.154.198 any

Conduit permit UDP host 218.91.154.198 any

Route outside 0.0.0.0 0.0.0.0 218.91.154.193 1

Route inside 10.77.0.0 255.255.0.0 172.16.10.254 1

Route inside 10.77.140.0 255.255.255.0 172.16.10.254 1

Route inside 172.16.20.0 255.255.255.0 172.16.10.254 1

Route inside 192.168.0.0 255.255.0.0 172.16.10.254 1

Timeout Xlate 3:00:00

Timeout conn 1:00:00 half-closed 0:10:00 UDP 0:02:00 rpc 0:10:00 h323 0:05:00 si

P 0:30:00 Sip_media 0:02:00

Timeout Uauth 0:05:00 Absolute

Aaa-server TACACS + protocol Tacacs +

Aaa-server RADIUS Protocol Radius

No snmp-server location

No Snmp-server Contact

Snmp-server Community Public

No snmp-server enable traps

Floodguard Enable

No sysopt Route Dnat

ISAKMP identity hostname

Telnet Timeout 5

SSH Timeout 5

Terminal Width 80

Cryptochecksum:c437bcb92b40d21ef9d782db51da7f4d

return send Short Message



2009-05-13


This article is from the "Five Corners" blog, please be sure to keep this source http://hi289.blog.51cto.com/4513812/1757700

Cisco PIX Firewall Basic Command Configuration and explanation

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.