The basics of Cisco PIX Firewalls
Cisco PIX firewalls come in models sized for every kind of network, from small home and branch-office networks up to campus and corporate networks. In this article we set up a PIX 501, the model intended for small home networks and small businesses.
A PIX firewall distinguishes between inside and outside interfaces. The inside interface connects to the private network you are protecting; the outside interface connects to an untrusted network, usually the public Internet. The goal is to protect the inside network from the outside network.
The PIX also uses the Adaptive Security Algorithm (ASA). ASA assigns a security level to each interface and enforces the rule that no traffic may flow from a lower-security interface (such as outside) to a higher-security interface (such as inside) unless an explicit rule permits it. Traffic from a higher-security interface to a lower one is allowed by default, and the PIX tracks those connections so that only their return traffic is let back in. The outside interface has security level 0 and the inside interface has security level 100.
The output of the "show nameif" command is shown below:
pixfirewall# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
pixfirewall#
Note that interface ethernet0 is named outside (its default name) and has security level 0, while interface ethernet1 is named inside (also the default) and has security level 100.
Guidelines
Before you start the configuration, your boss has given you some guidelines to follow:
· All passwords should be set to "cisco" (in practice you would choose a strong password, and certainly not "cisco"; note that PIX passwords are case-sensitive).
· The internal network is a 10.0.0.0, with a 255.0.0.0 subnet mask. The internal IP address of this PIX firewall should be 10.1.1.1.
· The outside network is 1.1.1.0 with a 255.255.255.0 subnet mask. The outside IP address of the PIX firewall should be 1.1.1.1.
· You want to create a rule that lets every client on the 10.0.0.0 network use Port Address Translation (PAT) to reach the outside network. They will all share the single global IP address 1.1.1.2.
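The following PIX 6.x configuration is an added example, not part of the original article, that implements the guidelines above together with the interface names and ASA security levels described earlier. The nameif, ip address, nat and global lines follow directly from the guidelines. The hostname, the port speed settings for the PIX 501, and the default route (next hop 1.1.1.254) are assumptions the page does not state, and the lines beginning with "!" are annotations for the reader rather than PIX commands.

```cisco
! Added example: PIX 6.x configuration for the guidelines above (not from the original article).
! Lines starting with "!" are annotations, not PIX commands; omit them when pasting.
hostname pixfirewall
! Interface names and ASA security levels: outside = 0 (untrusted), inside = 100 (trusted).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! Bring the physical ports up. Speeds are assumed for a PIX 501 (10BaseT outside port, 100 Mb/s switch ports).
interface ethernet0 10baset
interface ethernet1 100full
! Privileged-mode (enable) and login (Telnet/SSH) passwords per the guideline; use a strong password in practice.
enable password cisco
passwd cisco
! Addresses from the guidelines: inside 10.0.0.0/8, outside 1.1.1.0/24.
ip address inside 10.1.1.1 255.0.0.0
ip address outside 1.1.1.1 255.255.255.0
! PAT: the nat and global statements are paired by ID (1). A global pool of a single address means PAT,
! so every inside host shares 1.1.1.2 and the PIX rewrites source ports to keep connections distinct.
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 1.1.1.2 netmask 255.255.255.0
! Default route toward the Internet; the next hop 1.1.1.254 is an assumption (use your ISP's gateway).
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
```

Save with write memory and verify with show nameif, show ip address, show nat and show global; once an inside host has connected out, show xlate lists the PAT translations to 1.1.1.2. Because outside has security level 0 and no access-list permits inbound traffic, nothing on the Internet can initiate a connection to a 10.0.0.0 host; only return traffic for connections opened from the inside is allowed back through, which is exactly the policy the guidelines ask for.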