I. Overview of the PIX Firewall
The PIX is a Cisco hardware firewall; it is fast and straightforward to configure.
The PIX comes in many models, and the number of concurrent connections a model supports is one of its key parameters. The PIX 525 is a typical model and is the one used in the examples below.
Common interfaces on a PIX include the console port, the failover port, Ethernet ports, and USB.
Network regions:
Internal network: inside
External network: outside
Intermediate region: DMZ (demilitarized zone), where publicly reachable servers are placed.
II. Firewall Traffic Rules
The PIX is a stateful firewall: a packet is forwarded only if it belongs to a connection the PIX already tracks or legitimately opens a new one. Packets with no matching connection state, a missing or failed TCP handshake, or invalid headers are dropped.
(Return traffic for connections opened from the inside is allowed back through automatically. Servers published with a static translation plus an ACL may accept connections from outside.)
Inside can access any host on outside and in the DMZ.
DMZ can access outside.
Inside reaching the DMZ requires a translation, normally a static (static address translation); with no nat or static entry for the source there is no path and the packet is dropped.
Outside reaching the DMZ requires a static for the server's global address plus an ACL (access control list) permitting the traffic on the outside interface.
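The rules above are easier to reason about as code. The following is an added example, not Cisco code and not part of the original page: a toy model of the PIX decision for a single flow, with the security levels, translation table, ACL and connection table as plain Python data. Interface names, addresses, ports and the rule table are constructed for illustration; the ACL and statics mirror the worked example later on the page, with one constructed identity static for an inside host toward the DMZ.

```python
"""Toy model of the PIX traffic rules (security levels, translations,
ACLs and the connection table).  Added example, not Cisco code; interface
names, addresses and rules are constructed for illustration."""
from dataclasses import dataclass, field

# Security levels as set with `nameif ... securityN`.
LEVELS = {"inside": 100, "DMZ": 50, "outside": 0}


@dataclass(frozen=True)
class Flow:
    in_if: str      # interface the packet arrives on
    out_if: str     # interface it would leave on
    src: str
    dst: str        # for low->high flows this is the global (translated) address
    proto: str
    sport: int
    dport: int

    def reply(self):
        """The packet a responder would send back for this flow."""
        return Flow(self.out_if, self.in_if, self.dst, self.src,
                    self.proto, self.dport, self.sport)


@dataclass
class Pix:
    # nat (high_if) id + global (low_if) id   ->  {high_if: {low_if, ...}}
    nat: dict = field(default_factory=dict)
    # static (high_if,low_if) global_ip local_ip -> {(low_if, global_ip): (high_if, local_ip)}
    statics: dict = field(default_factory=dict)
    # access-group NAME in interface IF -> {IF: [(action, proto, dst, dport|None), ...]}
    acls: dict = field(default_factory=dict)
    conns: set = field(default_factory=set)   # connection table

    def acl_permits(self, if_name, f):
        """First matching entry wins; every ACL ends with an implicit deny."""
        for action, proto, dst, dport in self.acls.get(if_name, []):
            if proto in ("ip", f.proto) and dst in ("any", f.dst) and dport in (None, f.dport):
                return action == "permit"
        return False

    def has_translation(self, f):
        """High->low traffic needs a nat/global pair or a static for its source."""
        if f.out_if in self.nat.get(f.in_if, set()):
            return True
        return any(hi == f.in_if and lo == f.out_if and local == f.src
                   for (lo, _g), (hi, local) in self.statics.items())

    def check(self, f):
        """Return (verdict, reason) and record permitted flows in the connection table."""
        if f.reply() in self.conns:                 # return traffic of a known connection
            return "permit", "matches connection table"
        if LEVELS[f.in_if] > LEVELS[f.out_if]:      # high -> low (outbound)
            if not self.has_translation(f):
                return "deny", "no nat/global or static for source"
            self.conns.add(f)
            return "permit", "outbound with translation"
        # low -> high (inbound): needs a static for the global address and an ACL permit
        target = self.statics.get((f.in_if, f.dst))
        if target is None or target[0] != f.out_if:
            return "deny", "no static for global address"
        if not self.acl_permits(f.in_if, f):
            return "deny", "no ACL permit on inbound interface"
        self.conns.add(f)
        return "permit", "inbound via static and ACL"


def example_pix():
    """Translations and ACL in the spirit of the section V example (constructed)."""
    pix = Pix()
    pix.nat = {"inside": {"outside"}}          # nat (inside) 1 0 0 + global (outside) 1 ...
    pix.statics = {("outside", "133.1.0.1"): ("DMZ", "10.65.1.101"),
                   ("outside", "133.1.0.2"): ("DMZ", "10.65.1.102"),
                   ("DMZ", "10.66.1.10"): ("inside", "10.66.1.10")}   # identity static, inside -> DMZ
    pix.acls = {"outside": [("permit", "tcp", "133.1.0.1", 80),
                            ("permit", "tcp", "133.1.0.2", 21),
                            ("deny", "ip", "any", None)]}
    return pix
```

Running flows through `example_pix().check(...)` shows each rule in turn: an inside host reaches outside and its reply comes back via the connection table; an outside host reaches the DMZ web server only on port 80 and only at the global address; a DMZ host cannot open a connection to inside even though a static exists, because nothing on the DMZ interface permits it; and an inside host with no nat or static toward the DMZ is dropped.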
III. Configuration Modes of the PIX Firewall:
The configuration modes of the PIX are similar to those of a router. There are four management modes:
Pixfirewall>: user mode
Pixfirewall #: privileged mode
Pixfirewall (config) #: configuration mode
Monitor>: ROM monitor mode. Press the [ESC] key or send a break character during boot to enter it.
IV. Basic configuration commands of the PIX
Common commands include nameif, interface, ip address, nat, global, route, and static.
1. nameif
Sets the interface name and its security level. The security level ranges from 0 to 100; the higher the number, the more trusted the interface. Traffic from a higher level to a lower level is allowed by default once a translation exists; traffic from a lower level to a higher one is denied unless explicitly permitted.
For example:
Ethernet0 is named outside (the external interface) with security level 0.
Ethernet1 is named inside (the internal interface) with security level 100.
Ethernet2 is named DMZ (the intermediate interface) with security level 50.
Run the following command:
Pix525 (config) # nameif ethernet0 outside security0
Pix525 (config) # nameif ethernet1 inside security100
Pix525 (config) # nameif ethernet2 DMZ security50
2. interface
Configures the Ethernet port speed/duplex and administrative state. Common settings are auto, 100full, and shutdown (on PIX 6.x the speed and duplex form one keyword, 100full, not two words).
auto: the port negotiates speed and duplex automatically.
100full: the port runs at 100 Mbit/s, full duplex.
shutdown: administratively disables the port; without it the port is active.
Commands:
Pix525 (config) # interface ethernet0 auto
Pix525 (config) # interface ethernet1 100full
Pix525 (config) # interface ethernet1 100full shutdown
3. ip address
Configures the IP address of a named interface, for example:
Pix525 (config) # ip address outside 133.0.0.1 255.255.255.252
Pix525 (config) # ip address inside 192.168.0.1 255.255.255.0
The inside interface uses the private address 192.168.0.1; the outside interface uses the public address 133.0.0.1.
4. global
Specifies the range of public addresses (the address pool) that dynamic translation draws from.
Syntax of the global command:
global (if_name) nat_id global_ip[-global_ip] [netmask global_mask]
Where:
(if_name): the interface the pool sits on, usually outside.
nat_id: the pool ID, referenced by the nat command with the same ID.
global_ip[-global_ip]: a single address or a range of addresses.
[netmask global_mask]: the network mask of the global addresses.
For example:
Pix525 (config) # global (outside) 1 133.0.0.1-133.0.0.15
Address pool 1 contains 133.0.0.1-133.0.0.15.
Pix525 (config) # global (outside) 1 133.0.0.1
Address pool 1 contains the single address 133.0.0.1; with one address the PIX performs PAT (port address translation), so many inside hosts can share it.
Pix525 (config) # no global (outside) 1 133.0.0.1
Deletes the global entry.
5. nat
The address translation command: translates private inside addresses into the public addresses of a pool.
Syntax of the nat command: nat (if_name) nat_id local_ip [netmask]
Where:
(if_name): the interface the local addresses live on, usually inside.
nat_id: the address pool ID, as defined by the global command.
local_ip: the inside address or network to translate; 0.0.0.0 (abbreviated 0) means all inside hosts.
[netmask]: the subnet mask of the inside addresses.
In practice the nat command is always paired with a global command; the two are linked by the shared nat_id, which ties an inside network to a pool on an outer interface.
For example:
Pix525 (config) # nat (inside) 1 0 0
All hosts on the inside (0 0 = 0.0.0.0 0.0.0.0) may reach the outside using pool 1 defined by global.
Pix525 (config) # nat (inside) 1 172.16.5.0 255.255.255.0
Only hosts in 172.16.5.0/24 may reach the outside using pool 1.
6. route
The route command defines static routes.
Syntax:
route if_name ip_address netmask gateway_ip [metric]
Where:
if_name: the interface the route points out of (no parentheses here, unlike nat and global).
ip_address netmask: the destination network; 0 0 is shorthand for 0.0.0.0 0.0.0.0, i.e. any destination (the default route).
gateway_ip: the next-hop router address.
[metric]: the route cost; the default is 1.
For example:
Pix525 (config) # route outside 0 0 133.0.0.1 1
Sets the default route out of the outside interface with next hop 133.0.0.1.
0 0 stands for 0.0.0.0 0.0.0.0, meaning any network.
Pix525 (config) # route inside 10.1.0.0 255.255.0.0 10.8.0.1 1
Routes 10.1.0.0/16 via next hop 10.8.0.1 on the inside interface; the trailing "1" is the metric.
7. static
Configures static address translation: a fixed one-to-one mapping between an internal address and an external (global) address.
Syntax:
static (internal_if_name,external_if_name) global_ip local_ip [netmask mask]
Where:
internal_if_name: the higher-security interface, such as inside.
external_if_name: the lower-security interface, such as outside.
global_ip: the public address as seen on the external interface.
local_ip: the real address of the host on the internal interface.
(Note the order: inside the parentheses the higher-security interface comes first, then the lower one; outside the parentheses the global address comes first, then the local one.)
For example:
Pix525 (config) # static (inside,outside) 133.0.0.1 192.168.0.8
The inside host 192.168.0.8 appears as 133.0.0.1 on the outside, and outside traffic to 133.0.0.1 is delivered to 192.168.0.8 (the mapping is bidirectional).
Pix525 (config) # static (DMZ,outside) 133.0.0.1 172.16.0.2
The DMZ host 172.16.0.2 appears as 133.0.0.1 on the outside.
8. conduit
The conduit command opens a path for traffic from a lower-security interface to a higher-security interface,
for example sessions from outside to the DMZ or inside. (On PIX 6.x it has been superseded by access-list / access-group and it is removed in PIX 7.0; new configurations should use ACLs.)
Syntax:
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
Where:
global_ip is the translated (global) address of the server; a single host is written as host global_ip, and any matches all hosts.
foreign_ip is the external address allowed to connect; a single host is written as host foreign_ip, and any matches all.
The mask distinguishes a single host from a network.
For example:
Pix525 (config) # static (inside,outside) 133.0.0.1 192.168.0.3
Pix525 (config) # conduit permit tcp host 133.0.0.1 eq www any
This example shows how static and conduit work together. 192.168.0.3 is a web server on the inside,
and we want Internet users to reach it through the PIX.
First create the static mapping: 192.168.0.3 -> 133.0.0.1.
Then use the conduit command to allow any external host HTTP access to the global address 133.0.0.1.
9. Access control list (ACL)
The access-list command does the same job as conduit and is the preferred form. Entries are evaluated top to bottom, the first match wins, and every ACL ends with an implicit deny, so the explicit deny below only makes the policy visible. On PIX 6.x the destination in an inbound ACL is the global (translated) address, not the server's real address. A port match (eq www) is only valid with tcp or udp, not with ip.
Example:
Pix525 (config) # access-list 100 permit tcp any host 133.0.0.1 eq www
Pix525 (config) # access-list 100 deny ip any any
Pix525 (config) # access-group 100 in interface outside
10. The fixup command (application inspection)
Enables or disables protocol inspection for a service and sets the port(s) on which the PIX looks for that protocol. Inspection lets the PIX track secondary connections (for example FTP data channels) and sanity-check the protocol.
Example:
Pix525 (config) # fixup protocol ftp 21
Enables FTP inspection on port 21.
Pix525 (config) # fixup protocol http 8080
Pix525 (config) # no fixup protocol http 80
Enables HTTP inspection on port 8080 and disables it on port 80.
11. telnet
Telnet sends credentials in clear text, so telnet to the PIX from the outside interface is only allowed when the session is protected by an IPsec VPN tunnel; otherwise
configure SSH on the PIX and connect from outside with an SSH client.
Example:
telnet local_ip [netmask] [if_name]
local_ip is the address (or network, with netmask) authorised to telnet to the PIX on the given interface.
If no telnet entry is configured, management is only possible through the console port (a serial terminal such as HyperTerminal).
12. Display commands:
show interface; shows port status and counters.
show static; shows static address mappings.
show ip; shows interface IP addresses.
show config; shows the saved (startup) configuration.
show run; shows the running configuration.
write terminal; writes the running configuration to the terminal (same output as show run).
show cpu usage; shows CPU utilisation, often used in troubleshooting.
show traffic; shows per-interface traffic counters.
show conn count; shows the number of active connections (compare against the model's connection limit).
show blocks; shows the system buffer (block) pools; a pool that runs dry points to buffer exhaustion, not to intercepted packets.
show memory; shows memory usage.
13. DHCP service
The PIX can act as a DHCP server (on the inside) and as a DHCP client (on the outside).
Example:
Pix525 (config) # ip address outside dhcp
The outside interface obtains its address via DHCP (DHCP client).
Pix525 (config) # dhcpd address 192.168.1.100-192.168.1.200 inside
Pix525 (config) # dhcpd dns 202.96.128.68 202.96.144.47
Pix525 (config) # dhcpd domain abc.com.cn
Pix525 (config) # dhcpd enable inside
The last four lines define the lease pool, DNS servers and domain handed to inside clients and turn the server on; without dhcpd enable no leases are handed out.
V. PIX Firewall example
Settings:
Ethernet0 is named as the external interface outside, and the security level is 0.
Ethernet1 is named as the internal interface inside, with a security level of 100.
Ethernet2 is named as the intermediate interface DMZ and has a security level of 50.
Pix525 # conf t
Pix525 (config) # nameif ethernet0 outside security0
Pix525 (config) # nameif ethernet1 inside security100
Pix525 (config) # nameif ethernet2 DMZ security50
Pix525 (config) # interface ethernet0 auto
Pix525 (config) # interface ethernet1 100full
Pix525 (config) # interface ethernet2 100full
Pix525 (config) # ip address outside 133.0.0.1 255.255.255.252; set the interface IP address
Pix525 (config) # ip address inside 10.66.1.200 255.255.255.0; set the interface IP address
Pix525 (config) # ip address DMZ 10.65.1.200 255.255.255.0; set the interface IP address
Pix525 (config) # global (outside) 1 133.1.0.3-133.1.0.14; address pool, kept clear of the static addresses below
Pix525 (config) # nat (inside) 1 0 0; 0 0 means all inside hosts
Pix525 (config) # route outside 0 0 133.0.0.2; default route
Pix525 (config) # static (DMZ,outside) 133.1.0.1 10.65.1.101; static NAT for the web server
Pix525 (config) # static (DMZ,outside) 133.1.0.2 10.65.1.102; static NAT for the FTP server
Pix525 (config) # static (inside,DMZ) 10.66.1.0 10.66.1.0 netmask 255.255.255.0; identity static so inside hosts reach the DMZ with their own addresses
Pix525 (config) # access-list 101 permit tcp any host 133.1.0.1 eq www; allow HTTP to the web server's global address
Pix525 (config) # access-list 101 permit tcp any host 133.1.0.2 eq ftp; allow FTP to the FTP server's global address
Pix525 (config) # access-list 101 deny ip any any; explicit deny (the implicit deny would do the same)
Pix525 (config) # access-group 101 in interface outside; apply the ACL inbound on the outside interface
When an inside host reaches outside, its address is translated to one from the pool by nat/global and it goes out to the Internet.
When an inside host reaches the DMZ, the static (inside,DMZ) entry is an identity mapping, so the host keeps its own address; it must cover the inside hosts (the 10.66.1.0/24 network), not the PIX's own interface address. Without such an entry the inside host has no translation toward the DMZ and the packet is dropped, because the pool defined by global applies only to the outside interface.
When an outside host reaches the DMZ, the static maps 133.1.0.1 to 10.65.1.101 (and 133.1.0.2 to 10.65.1.102); static is bidirectional, so the DMZ servers also appear as those global addresses when they initiate connections outward.
By default nothing may enter from outside; only traffic matched by a permit entry of the ACL applied to the outside interface passes, and it must also match a static. The ACL therefore names the global addresses 133.1.0.1 and 133.1.0.2, not the servers' real 10.65.1.x addresses.
The global pool should not overlap the addresses used by the statics (133.1.0.1 and 133.1.0.2 here); give dynamic translation its own part of the range.
The default route sends packets from both inside and DMZ hosts with unknown destinations out of the outside interface to the next hop 133.0.0.2.
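The mistakes that creep into a configuration like the one above (a pool overlapping a static, a port match on protocol ip, an ACL permit for a global address with no static behind it, an access-group pointing at a missing list) are all visible from the text of the configuration. The following is an added example, not Cisco code and not part of the original page: a small checker that parses the nameif, global, static, access-list and access-group lines of a PIX 6.x configuration and reports those problems. SAMPLE_CONFIG is a constructed config in the style of the section V example: its global pool overlaps two statics, one ACL entry uses protocol ip with a port, and one permit targets 133.1.0.3, which has no static, so the checks have something to report.

```python
"""Offline sanity checks for a PIX 6.x configuration.  Added example, not
Cisco code.  SAMPLE_CONFIG is a constructed config in the style of the
section V example, deliberately containing the problems the checks detect."""
import ipaddress

SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address outside 133.0.0.1 255.255.255.252
global (outside) 1 133.1.0.1-133.1.0.14
nat (inside) 1 0 0
static (DMZ,outside) 133.1.0.1 10.65.1.101
static (DMZ,outside) 133.1.0.2 10.65.1.102
access-list 101 permit ip any host 133.1.0.1 eq www
access-list 101 permit tcp any host 133.1.0.2 eq ftp
access-list 101 permit tcp any host 133.1.0.3 eq www
access-list 101 deny ip any any
access-group 101 in interface outside
"""


def _addr(t, i):
    """Parse `any` | `host A` | `A MASK` starting at t[i]; return (address, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return t[i], i + 2


def parse(text):
    """Pull out the commands the checks need; every other line is ignored."""
    cfg = {"ifaces": {}, "globals": [], "statics": [], "acls": {}, "groups": []}
    for line in text.splitlines():
        t = line.replace(", ", ",").split()          # tolerate "(DMZ, outside)"
        if not t:
            continue
        if t[0] == "nameif":                          # nameif hw name securityN
            cfg["ifaces"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "global":                        # global (if) id first[-last]
            first, _, last = t[3].partition("-")
            cfg["globals"].append((t[1].strip("()"), first, last or first))
        elif t[0] == "static":                        # static (hi,lo) global local
            hi, lo = t[1].strip("()").split(",")
            cfg["statics"].append((hi, lo, t[2], t[3]))
        elif t[0] == "access-list":                   # access-list id action proto src dst [eq port]
            action, proto = t[2], t[3]
            _src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = t[i + 1] if i < len(t) and t[i] == "eq" else None
            cfg["acls"].setdefault(t[1], []).append((action, proto, dst, port))
        elif t[0] == "access-group":                  # access-group id in interface if
            cfg["groups"].append((t[1], t[4]))
    return cfg


def audit(cfg):
    """Return a list of findings (an empty list means nothing suspicious)."""
    findings = []
    pools = [(ifn, ipaddress.ip_address(a), ipaddress.ip_address(b)) for ifn, a, b in cfg["globals"]]
    static_globals = {(lo, g) for _hi, lo, g, _l in cfg["statics"]}
    # 1. a static global address must not sit inside a dynamic pool on the same interface
    for _hi, lo, g, _l in cfg["statics"]:
        for ifn, a, b in pools:
            if ifn == lo and a <= ipaddress.ip_address(g) <= b:
                findings.append(f"static {g} overlaps global pool {a}-{b} on {ifn}")
    for name, ifn in cfg["groups"]:
        # 2. access-group must reference an existing ACL and a named interface
        if name not in cfg["acls"]:
            findings.append(f"access-group {name}: no such access-list")
        if ifn not in cfg["ifaces"]:
            findings.append(f"access-group {name}: unknown interface {ifn}")
        for action, proto, dst, port in cfg["acls"].get(name, []):
            # 3. a port match is only meaningful for tcp/udp
            if port and proto not in ("tcp", "udp"):
                findings.append(f"ACL {name}: port match with protocol '{proto}' (use tcp or udp)")
            # 4. on PIX 6.x an inbound permit names the global address, which needs a static
            if action == "permit" and dst != "any" and (ifn, dst) not in static_globals:
                findings.append(f"ACL {name}: permit to {dst} on {ifn} has no matching static")
    return findings


if __name__ == "__main__":
    for finding in audit(parse(SAMPLE_CONFIG)):
        print(finding)
```

The parser accepts the command forms shown on this page, which are the same forms `show run` prints, so the output of that command can be pasted in place of SAMPLE_CONFIG. The checks stop at the points the page covers; they do not model conduit, the fixup table or routing.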