CISCO PIX Firewall Configuration Instance

Source: Internet
Author: User
Tags config domain firewall

Abstract: This article describes the author's first encounter with a Cisco PIX firewall and summarizes ten aspects of basic firewall configuration.

A hardware firewall is the wall between networks: it blocks unauthorized intrusion, filters traffic, and so on. Structurally it is little more than a PC-class host plus flash memory and a firewall operating system. Its hardware resembles an ordinary industrial control computer, built for 24-hour operation, and the chassis looks much the same. The flash is essentially the same as a router's (EEPROM), and the operating system is similar to Cisco IOS: command-line driven.

The first unit I got my hands on was a Cisco PIX 525. It is a standard rack-mount chassis (it fits a standard cabinet), 2U high, and like a Cisco router it has only a few LEDs. Looking at the back panel there are two Ethernet ports (RJ-45), one configuration port (console), two USB ports, one 15-pin failover port, and three PCI expansion slots.

How do you start up a Cisco PIX firewall? I assumed it would be similar to a Cisco router: connect a console cable from the computer's COM2 port to the PIX 525 console port and enter the PIX operating system with Windows HyperTerminal, leaving the communication parameters at their defaults (the PIX console runs at 9600 bps, 8 data bits, no parity, 1 stop bit). On first use there is an initialization (setup) dialog; the main settings are the date, time, hostname, inside IP address (the internal interface's address), domain name, and so on. If these are entered correctly you can save them, and an initial configuration is established.

Access the PIX 525 as the superuser with enable; the default enable password is blank. Change it with the enable password command; the passwd command sets the separate password used for Telnet logins. What needs to be done in a normal firewall configuration? I had no idea on first contact, only the hardware installation guide and the command reference. I first studied how the commands are used, spending several hours reading the several-hundred-page English manual; I learned a little about the commands, but still had no clear idea how to start configuring the PIX. I decided the only option was to go to Cisco, so I downloaded some material from www.cisco.com and studied PIX practice alongside it.

A firewall is first and foremost a network device, so its configuration is closely tied to the structure of the network; it generally involves routing (the router) and network IP addressing. You must also be clear about the standard TCP [RFC 793] and UDP [RFC 768] port definitions.

Let me go through the most basic configuration.

1. Creating users and changing passwords

Basically the same as on Cisco IOS routers.

2. Activating the Ethernet interfaces

You must enter privileged mode with enable and then enter configuration mode:

PIX525> enable

Password:

PIX525# configure terminal

PIX525(config)# interface ethernet0 auto

PIX525(config)# interface ethernet1 auto

Here ethernet0 is the external interface (outside) and ethernet1 the internal interface (inside). The inside interface is already activated by a successful initial setup, but the outside interface must be activated explicitly with this command. The auto keyword negotiates speed and duplex; a fixed setting such as 100full can be given instead.

3. Naming the interfaces and assigning security levels

Use the nameif command:

PIX525(config)# nameif ethernet0 outside security0

PIX525(config)# nameif ethernet1 inside security100

security0 is the security level of the external interface, outside (0 is the lowest security level).

security100 is the security level of the internal interface, inside (100 is the highest). If there are additional Ethernet interfaces in between, they take intermediate levels such as security10, security20, and so on; several interfaces form several networks, and one is usually added as a DMZ (demilitarized zone). The levels drive the default policy: traffic from a higher-security interface to a lower one is allowed (once a translation exists), while traffic from a lower-security interface to a higher one is denied unless an access list explicitly permits it.

4. Configuring the interface IP addresses

Use the ip address command.

For example, the internal network is 192.168.1.0 255.255.255.0

and the external network is 222.20.16.0 255.255.255.0:

PIX525(config)# ip address inside 192.168.1.1 255.255.255.0

PIX525(config)# ip address outside 222.20.16.1 255.255.255.0

5. Configuring remote access (Telnet)

By default the PIX does not permit Telnet on any of its interfaces, which differs from a router. Telnet to the inside interface can be enabled directly; Telnet to the outside interface is additionally tied to other security configuration (on PIX 5.0 and later it is only accepted inside an IPsec tunnel). The command takes a network address and mask; use a host mask (255.255.255.255) to restrict access to a single management station rather than a whole subnet.

PIX525(config)# telnet 192.168.1.0 255.255.255.0 inside

PIX525(config)# telnet 222.20.16.0 255.255.255.0 outside

Testing Telnet

From [Start] -> [Run]:

telnet 192.168.1.1

PIX passwd:

Enter the Telnet password; the factory default is cisco (lowercase). Change it with the passwd command before the firewall goes into service.

6. Access lists (access-list)

This feature is basically the same as Cisco IOS access lists and is the core of the firewall. An entry either permits or denies, and the protocol is generally ip, tcp, udp, icmp, etc. Each list needs an identifier (a number or name), a port operator such as eq www applies only to tcp or udp entries, and every list ends with an implicit deny. For example, to allow outside hosts to reach only host 222.20.16.254 on the www port (TCP 80):

PIX525(config)# access-list 101 permit tcp any host 222.20.16.254 eq www

PIX525(config)# access-list 101 deny ip any any

PIX525(config)# access-group 101 in interface outside

7. Address translation (NAT) and port address translation (PAT)

NAT works basically as it does on a router.

First define a global pool (an address range on the outside interface that inside addresses are translated to), then define the inside network segment that may use it; the two are tied together by the NAT ID (1 below). The global statement names the interface where the public addresses live (outside); the nat statement names the interface whose hosts are translated (inside).

PIX525(config)# global (outside) 1 222.20.16.100-222.20.16.200 netmask 255.255.255.0

PIX525(config)# nat (inside) 1 192.168.1.0 255.255.255.0

To let every inside address be translated:

PIX525(config)# nat (inside) 1 0.0.0.0 0.0.0.0

In some cases external addresses are scarce: a few hosts must keep a dedicated public IP of their own, and everyone else has to go out through a single shared public address (222.20.16.201). A single-address global provides this; it is called PAT and lets many users share one IP, a bit like a proxy server. The configuration is as follows:
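The article's own PAT configuration is cut off at this point. As an added example, not code from the original article, here is a complete PIX 6.x configuration that ties steps 2 through 7 together using the article's addressing (inside 192.168.1.0/24, outside 222.20.16.0/24, PAT address 222.20.16.201, public web address 222.20.16.254). Everything not in the article is an assumption and is marked as such in the comments: the web server's real inside address 192.168.1.254, the upstream router 222.20.16.2, the single management workstation 192.168.1.10, and the domain name; the two passwords are placeholders to be replaced.

```cisco
! Added example (not from the original article): PIX 6.x configuration
! combining steps 2-7. Addresses follow the article except where marked
! ASSUMED.
hostname PIX525
domain-name example.local          ! ASSUMED domain name
enable password <replace-with-strong-secret>
passwd <replace-with-strong-telnet-secret>

! Step 2: bring both interfaces up (auto-negotiate speed and duplex)
interface ethernet0 auto
interface ethernet1 auto

! Step 3: names and security levels; 0 = least trusted, 100 = most trusted
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! Step 4: interface addresses
ip address outside 222.20.16.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! Default route toward the ISP router (ASSUMED address)
route outside 0.0.0.0 0.0.0.0 222.20.16.2 1

! Step 5: management access from one inside workstation only (ASSUMED
! address, host mask), never from the outside interface
telnet 192.168.1.10 255.255.255.255 inside
telnet timeout 5

! Step 7, outbound: dynamic NAT pool, then PAT on 222.20.16.201 once the
! pool is exhausted (a range and a single address under the same NAT ID
! are used in that order)
global (outside) 1 222.20.16.100-222.20.16.200 netmask 255.255.255.0
global (outside) 1 222.20.16.201 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0

! Step 7, inbound: fixed one-to-one translation for the web server, which
! must exist before any outside host can reach it (ASSUMED inside address)
static (inside,outside) 222.20.16.254 192.168.1.254 netmask 255.255.255.255 0 0

! Step 6: permit only TCP/80 to the translated web address; everything
! else arriving on outside is dropped. The final deny is redundant with
! the implicit deny but gives a visible hit counter.
access-list 101 permit tcp any host 222.20.16.254 eq www
access-list 101 deny ip any any
access-group 101 in interface outside

write memory
```

Check the result with show nameif, show xlate (active translations) and show access-list 101 (per-entry hit counts). An inside host browsing out should appear in show xlate with an address from the pool, or with 222.20.16.201 and a translated source port once the pool is used up; an outside scan of anything other than TCP/80 on 222.20.16.254 should only increment the deny entry.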
