Abstract: This article describes the author's first hands-on contact with the Cisco PIX Firewall and summarizes ten basic configurations of the firewall.
A hardware firewall is a wall between networks that blocks illegal intrusion and filters traffic. Structurally it is simply a PC-type host (with flash memory) running a firewall operating system. Its hardware resembles an ordinary industrial control computer, built for 24-hour operation and similar in appearance. The flash memory is essentially the same as a router's (it is the EEPROM), and the operating system resembles Cisco IOS; both are driven from a command line.
The first firewall I worked with personally was the Cisco PIX 525, a rack-mountable standard unit (that is, it can be installed in a standard cabinet) 2U high. From the front it looks like a Cisco router, with only some indicator lights; from the back there are two Ethernet ports (RJ-45 NICs), a configuration port (console), two USB ports, a 15-pin failover port and three PCI expansion slots.
How do you start the Cisco PIX? I guessed it would be similar to a Cisco router, so I used a configuration cable to connect COM2 of the computer to the console port of the PIX 525 and used the Windows "HyperTerminal" to access the PIX operating system, with the communication parameters left at their defaults. There is an initialization process on first use, which mainly sets: date, time, hostname, the inside IP address (IP address of the internal NIC) and the domain (primary domain). If these settings are correct, you can save them and create an initial configuration.
Enter the PIX 525 as superuser (enable); the default password is empty, and the passwd command is used to change the password. In general, what does firewall configuration involve? When I first came into contact with the device I had no idea. The device came with the hardware installation and command user manuals. I started by reading up on command usage, spending a few hours going through hundreds of pages of English documentation, and learned a little about the commands, but I still did not know where to start with configuring the PIX. The only option was to go to Cisco, so I downloaded some documents from www.cisco.com and practiced on the PIX while reading them.
A firewall sits inside a network system, so it is closely tied to the network structure. Generally it involves routing and network IP addresses. The standard TCP [RFC 793] and UDP [RFC 768] ports must also be clearly understood.
The following describes the basic configurations used in general.
1. Create a user and change the password
It is basically the same as on a Cisco IOS router.
2. Activate the Ethernet ports
You must use enable to enter privileged mode, and then enter configure mode.
Pix525> enable
Password:
Pix525# config t
Pix525(config)# interface ethernet0 auto
Pix525(config)# interface ethernet1 auto
By default, ethernet0 is the external network card (outside) and ethernet1 is the internal network card (inside). The inside interface is already activated and takes effect once the initial configuration succeeds, but the outside interface must be configured explicitly to activate it.
3. Name the ports and set security levels
Use the nameif command:
Pix525(config)# nameif ethernet0 outside security0
Pix525(config)# nameif ethernet1 inside security100
security0 is the security level of the external port outside (0 is the highest security level).
security100 is the security level of the internal port inside. If there is an Ethernet port in between, name it security10, security20, and so on. Multiple NICs form multiple networks; generally an extra Ethernet port is added as the DMZ (demilitarized zone).
4. Configure the Ethernet port IP addresses
Command: ip address
For example, the intranet is 192.168.1.0 255.255.255.0 and the external network is 222.20.16.0 255.255.255.0:
Pix525(config)# ip address inside 192.168.1.1 255.255.255.0
Pix525(config)# ip address outside 222.20.16.1 255.255.255.0
5. Configure remote access (Telnet)
By default, the Ethernet ports of the PIX do not allow Telnet, unlike a router. Telnet can be enabled on the inside port; Telnet on the outside port additionally depends on other security configuration.
Pix525(config)# telnet 192.168.1.1 255.255.255.0 inside
Pix525(config)# telnet 222.20.16.1 255.255.255.0 outside
Test Telnet:
Go to [Start] -> [Run] and enter
telnet 192.168.1.1
PIX passwd:
Enter the password: Cisco
6. Access control lists (access-list)
This function is basically the same as in Cisco IOS and is also the main part of the firewall. It has two actions: permit and deny. The protocol is generally IP, TCP, UDP, ICMP, and so on. For example, to allow access only to the WWW service (port 80) of the host 222.20.16.254:
Pix525(config)# access-list 100 permit tcp any host 222.20.16.254 eq www
Pix525(config)# access-list 100 deny ip any any
Pix525(config)# access-group 100 in interface outside
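As an added example (not from the original article), here is a fuller outside ACL in PIX 6.x syntax that applies the same permit/deny idea to a small set of published services. Three points a practitioner should keep in mind: on PIX 6.x an ACL bound to the outside interface matches the global (translated) address of the server, which is why 222.20.16.254 rather than a private address appears in the list; an access-list only permits the packet, and the server behind it still needs a translation (a static, as in section 9) before any flow is built; and security levels run from 0 (least trusted, outside) to 100 (most trusted, inside), so traffic from a higher level to a lower one passes once a translation exists, while traffic from a lower level to a higher one is dropped unless an access-list permits it. The inside address 192.168.1.254, the software version (object-group needs 6.2 or later, the log keyword 6.3 or later) and the list name are assumptions.

```cisco
! Added example, not the article's configuration. Assumed: the inside web
! host is 192.168.1.254 and the PIX runs 6.3 (object-group needs 6.2+,
! the log keyword needs 6.3+).

! The ACL alone admits nothing: the server needs a translation first.
static (inside,outside) 222.20.16.254 192.168.1.254 netmask 255.255.255.255 0 0

! Group the published TCP ports so one ACL entry covers both.
object-group service web-ports tcp
  port-object eq www
  port-object eq https

! Entries are evaluated top to bottom and the first match wins. The
! destination is the global (translated) address on PIX 6.x, not the
! private one.
access-list outside_in permit tcp any host 222.20.16.254 object-group web-ports
! Replies to pings sent from inside hosts must be permitted explicitly
! on 6.x, which does not track ICMP state.
access-list outside_in permit icmp any any echo-reply
! Explicit final deny with logging so refused attempts reach syslog.
access-list outside_in deny ip any any log

! Bind the list to the outside interface for inbound traffic.
access-group outside_in in interface outside

! Verification: hit counts per entry, then the translation and
! connection tables.
show access-list outside_in
show xlate
show conn
```

The `show access-list` hit counters are the quickest way to confirm that a new entry is actually being matched; a permit entry with a zero count after a test connection usually means the static is missing or the ACL names the private address instead of the global one.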
7. Network Address Translation (NAT) and Port Address Translation (PAT)
NAT is basically the same as on a router.
First you must define the IP pool (the global command) that provides the address range used for translating internal addresses, and then define the internal network segment to be translated (the nat command).
Pix525(config)# global (outside) 1 222.20.16.100-222.20.16.200 netmask 255.255.255.0
Pix525(config)# nat (inside) 1 192.168.1.0 255.255.255.0
If all internal addresses may be translated:
Pix525(config)# nat (inside) 1 0.0.0.0 0.0.0.0
In some cases the external addresses are very limited and some hosts must occupy a public IP address exclusively. A single public IP address (222.20.16.201) can then be shared by configuring an additional global command, so that many users share one IP address at the same time, a bit like a proxy server. This is called PAT. The configuration is as follows:
Pix525(config)# global (outside) 1 222.20.16.100-222.20.16.200 netmask 255.255.255.0
Pix525(config)# global (outside) 1 222.20.16.201 netmask 255.255.255.0
Pix525(config)# nat (inside) 1 0.0.0.0 0.0.0.0
8. DHCP server
In the internal network, a Dynamic Host Configuration Protocol server (DHCP server) is enabled for centralized management and to make full use of limited IP addresses. The Cisco PIX firewall has this function. The following is a simple configuration of the DHCP server; the address range is 192.168.1.100-192.168.1.200.
DNS: primary 202.96.128.68, secondary 202.96.144.47
The primary domain name is abc.com.cn.
If the PIX itself is a DHCP client (obtaining its outside address dynamically):
Pix525(config)# ip address outside dhcp
DHCP server configuration:
Pix525(config)# dhcpd address 192.168.1.100-192.168.1.200 inside
Pix525(config)# dhcpd dns 202.96.128.68 202.96.144.47
Pix525(config)# dhcpd domain abc.com.cn
Pix525(config)# dhcpd enable inside
9. Static port redirection (port redirection with statics)
The port redirection function was added in PIX version 6.0 and later, allowing external users to send traffic through the PIX to a specified internal server via a particular IP address and port. This function can be used to publish internal WWW, FTP, mail and other servers. Instead of exposing the server directly, port redirection keeps the internal server's real address hidden.
Command format:
static [(internal_if_name, external_if_name)] {global_ip | interface} local_ip [netmask mask] [max_conns [emb_limit [norandomseq]]]
static [(internal_if_name, external_if_name)] {tcp | udp} {global_ip | interface} global_port local_ip local_port [netmask mask] [max_conns [emb_limit [norandomseq]]]
The trailing "0 0" in the examples below sets max_conns and emb_limit (the maximum number of connections and of embryonic, i.e. half-open, connections) to 0, meaning unlimited.
! ---- External users access the Telnet port of 222.20.16.99 directly; the PIX redirects it to the Telnet port (23) of the internal host 192.168.1.99.
Pix525(config)# static (inside,outside) tcp 222.20.16.99 telnet 192.168.1.99 telnet netmask 255.255.255.255 0 0
! ---- External users access FTP on the address 222.20.16.99 directly; the PIX redirects it to the internal FTP server 192.168.1.3.
Pix525(config)# static (inside,outside) tcp 222.20.16.99 ftp 192.168.1.3 ftp netmask 255.255.255.255 0 0
! ---- External users access WWW (port 80) on the address 222.20.16.208 directly; the PIX redirects it to WWW (port 80) of the internal host 192.168.1.2.
Pix525(config)# static (inside,outside) tcp 222.20.16.208 www 192.168.1.2 www netmask 255.255.255.255 0 0
! ---- External users access HTTP on port 8080 of the address 222.20.16.208 directly; the PIX redirects it to WWW (port 80) of the internal host 192.168.1.4.
Pix525(config)# static (inside,outside) tcp 222.20.16.208 8080 192.168.1.4 www netmask 255.255.255.255 0 0
! ---- External users access SMTP (port 25) on the address 222.20.16.208 directly; the PIX redirects it to SMTP (port 25) of the internal mail host 192.168.1.4.
Pix525(config)# static (inside,outside) tcp 222.20.16.208 smtp 192.168.1.4 smtp netmask 255.255.255.255 0 0
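The statics above only create translations; on PIX 6.x an outside user still cannot reach any of the redirected ports until an access-list bound to the outside interface permits them, addressed by the global IP and port. The following is an added example, not the article's own configuration: a complete PIX 6.x configuration that assembles sections 2 to 9 with the corrected syntax, adds the outside ACL the statics need, and adds a third interface as a DMZ. The ethernet2/dmz interface, the 172.16.1.0/24 segment, the default-route next hop 222.20.16.2, the syslog collector 192.168.1.10, the management prefix 203.0.113.0/24 and the password placeholders are all assumptions; the host and pool addresses come from the article.

```cisco
! Added example, not the article's configuration. Assumed values:
! ethernet2/dmz on 172.16.1.0/24, default route via 222.20.16.2,
! syslog collector 192.168.1.10, management prefix 203.0.113.0/24.

! --- Sections 1-2: passwords, host name, interfaces
enable password <set-a-strong-enable-password>
passwd <set-a-strong-telnet-password>
hostname Pix525
domain-name abc.com.cn
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

! --- Section 3: names and levels (0 least trusted, 100 most trusted)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! --- Section 4: addresses and the default route (next hop assumed)
ip address outside 222.20.16.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 222.20.16.2 1

! --- Section 5: management only from the inside segment
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5

! --- Section 7: NAT pool, PAT fall-back once the pool is exhausted
global (outside) 1 222.20.16.100-222.20.16.200 netmask 255.255.255.0
global (outside) 1 222.20.16.201 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 172.16.1.0 255.255.255.0

! --- Section 8: DHCP server for the inside segment
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 202.96.128.68 202.96.144.47
dhcpd domain abc.com.cn
dhcpd lease 3600
dhcpd enable inside

! --- Section 9: port redirection (global_port precedes local_ip)
static (inside,outside) tcp 222.20.16.99 telnet 192.168.1.99 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.20.16.99 ftp 192.168.1.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.20.16.208 www 192.168.1.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.20.16.208 8080 192.168.1.4 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.20.16.208 smtp 192.168.1.4 smtp netmask 255.255.255.255 0 0

! --- Section 6: the outside ACL the statics depend on. Each entry names
!     the global address and the global port of the redirected service.
access-list outside_in permit tcp any host 222.20.16.99 eq ftp
access-list outside_in permit tcp any host 222.20.16.208 eq www
access-list outside_in permit tcp any host 222.20.16.208 eq 8080
access-list outside_in permit tcp any host 222.20.16.208 eq smtp
! Telnet reachable from the internet is the weakest item here: limit the
! source to known management addresses instead of "any" (prefix assumed).
access-list outside_in permit tcp 203.0.113.0 255.255.255.0 host 222.20.16.99 eq telnet
access-list outside_in deny ip any any
access-group outside_in in interface outside

! Send denies and connection events to an inside syslog host (assumed).
logging on
logging trap informational
logging host inside 192.168.1.10

! --- Section 10: verify, then save to flash
show xlate
show access-list outside_in
write memory
```

The ordering matters in practice: `nameif` before `ip address`, `global`/`nat` and `static` before the access-list that references their global addresses, and `write memory` last, or the whole set is lost at the next reload.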
10. Display and save the configuration
Display it with the show config command.
Save it with write memory.
The above describes my first hands-on experience with the Cisco PIX 525 firewall and my basic understanding of it, summarized as ten basic configuration points. My understanding of the Cisco PIX firewall is still superficial, so errors and omissions are inevitable; corrections and advice are welcome.
(Contact: Email: hillriver@21cn.com QQ: 17355809) Author: hillriver