How to configure the Cisco PIX Firewall

See http://www.cnblogs.com/shengshuai/category/81478.html for the procedure of Configuration

 

 

A major part of any enterprise's security policy is to implement and maintain the firewall. Therefore, the firewall plays an important role in the implementation of network security. Firewalls are usually located at the edge of an enterprise network, which isolates the internal network from the Internet or other external networks and limits mutual access between networks to protect the enterprise's internal network. The purpose of setting up a firewall is to set up a unique channel between the Intranet and the external network to simplify network security management.
Among the many mainstream enterprise firewalls, Cisco PIX firewalls provide the best performance for all similar products. Cisco PIX series firewalls currently have five models, pix506 and 515,520,525,535. The pix535 is the latest in the PIX 500 series and has the most powerful functions. It provides carrier-level processing capabilities and is suitable for large ISP and other service providers. However, the OS Operating System unique to the PIX makes most of the management implemented through the command line. Unlike other similar firewalls that use the web management interface for network management, this will cause inconvenience for beginners. This document describes how to configure the Cisco PIX Firewall through an instance.

Before configuring the PIX Firewall, let's first introduce the physical features of the firewall. A firewall usually has at least three interfaces, but many early firewalls only have two interfaces. When a firewall with three interfaces is used, at least three networks are generated, as described below:
Local Area (Intranet ). An internal area is usually a part of an enterprise's internal network or an enterprise's internal network. It is a trusted area of the interconnected network, which is protected by the firewall.
Local Area (Internet ). An external region usually refers to the Internet or a non-enterprise internal network. It is a trusted area in the interconnected network. When the external area wants to access hosts and services in the internal area, it can implement restricted access through the firewall.
Zone (DMZ ). A ceasefire zone is an isolated network or several networks. Hosts or servers in the ceasefire zone are called bastion hosts. Generally, web servers and mail servers can be placed in the ceasefire zone. The ceasefire zone is generally accessible to external users, which allows external users to access the public information of the enterprise, but does not allow them to access the internal network of the enterprise. Note: firewalls with two interfaces do not have a ceasefire zone.

Since pix535 is not universal at the enterprise level, the following describes the application of pix525 in the enterprise network.

The PIX Firewall provides four access management modes:
& Sup2; non-Permission mode. It is in this mode after the PIX Firewall starts self-check. The system displays pixfirewall>
& Sup2; privileged mode. Enter enable to enter the privileged mode to change the current configuration. Displayed as pixfirewall #
& Sup2; configuration mode. Enter configure terminal to enter this mode. Most system configurations are performed here. Displayed as pixfirewall (config )#
& Sup2; monitoring mode. When a PIX Firewall is started or restarted, press and hold the Escape key or send a "break" character to enter the monitoring mode. Update the operating system image and password recovery. Show as monitor>

There are six basic commands for configuring the PIX Firewall:Nameif, interface, IP address, Nat, global, route.
These commands are required in the configuration of the PIX. Follow these steps:
1. Configure the name of the firewall interface and specify the security level (nameif ).
Pix525 (config) # nameif ethernet0 outside security0
Pix525 (config) # nameif ethernet1 inside security100
Pix525 (config) # nameif DMZ security50
Tip: in the default configuration, Ethernet 0 is named as an external interface (outside), the security level is 0, Ethernet 1 is named as an internal interface (inside), and the security level is 100. security level value range: 1 ~ 99. The larger the number, the higher the security level. If a new interface is added, the statement can be written as follows:
Pix525 (config) # nameif pix/intf3 security40 (Security Level)

2. Configure Ethernet Interface Parameters)
Pix525 (config) # interface ethernet0 auto (Auto option indicates the System Adaptive Nic type)
Pix525 (config) # interface ethernet1 100 full (100full indicates 100 Mbit/s Ethernet Full Duplex Communication)
Pix525 (config) # interface ethernet1 100 full shutdown (shutdown indicates that this interface is disabled. If the interface is enabled, shutdown is removed)

3. Configure the IP address of the internal and external network adapter (IP address)
Pix525 (config) # IP Address outside 61.144.51.42 255.255.255.255.248
Pix525 (config) # IP address inside 192.168.0.1 255.255.255.0
Obviously, the IP address of the pix525 firewall on the internet is 61.144.51.42, and the Intranet IP address is 192.168.0.1.

4. Specify the internal address (NAT) to be converted)
Network Address Translation (NAT) is used to convert private IP addresses of the Intranet to public IP addresses of the Internet. the Nat command is always used with the global command because the NAT command can specify a host or a range of hosts to access the Internet. when accessing the internet, you need to use the address pool specified by global for external access. Nat command configuration Syntax: NAT (if_name) nat_id local_ip
(If_name) indicates the name of the Intranet interface. For example, inside. nat_id is used to identify the global address pool and match it with the corresponding global command. local_ip indicates the IP address allocated by the Intranet. For example, 0.0.0.0 indicates that all hosts on the Intranet can access the Internet. The subnet mask of the Intranet IP address.
Example 1. pix525 (config) # NAT (inside) 1 0 0
Enable Nat. All hosts in the Intranet can access the Internet, and 0 can represent 0.0.0.0.
Example 2. pix525 (config) # NAT (inside) 1 172.16.5.0 255.255.255.0.0
Indicates that only hosts in the network segment 172.16.5.0 can access the Internet.

5. Specify the external address range (global)
The Global Command translates an intranet IP address into an Internet IP address or an address range. Configuration syntax for the Global Command: Global (if_name) nat_id ip_address-ip_address
(If_name) indicates the name of the Internet interface, for example, outside .. Nat_id is used to identify the global address pool so that it matches the corresponding Nat command, the ip_address-ip_address represents a single translated IP address or a range of IP addresses. Indicates the network mask of the Global IP address.
Example 1. pix525 (config) # global (outside) 1 61.144.51.42-61.144.51.48
Indicates that when an intranet host accesses the Internet through the PIX Firewall, the PIX Firewall uses the IP address pool 61.144.51.42-61.144.51.48 to assign a Global IP address to the host to access the Internet.
Example 2. pix525 (config) # global (outside) 1 61.144.51.42
Indicates that when the Intranet accesses the Internet, the PIX Firewall uses the single IP address 61.144.51.42 for all hosts accessing the Internet.
Example 3. pix525 (config) # No global (outside) 1 61.144.51.42
Indicates that the global table item is deleted.

6. Set a route pointing to the Intranet and Internet)
Define a static route. Route command configuration Syntax: Route (if_name) 0 0 gateway_ip
(If_name) indicates the interface name, such as inside and outside. Gateway_ip indicates the IP address of the Gateway Router. The number of hops to gateway_ip. The default value is 1.
Example 1. pix525 (config) # route outside 0 0 61.144.51.168 1
A default route pointing to the VBR (IP address 61.144.51.168.
Example 2. pix525 (config) # route inside 10.1.1.0 255.255.255.0 172.16.0.1 1
Pix525 (config) # route inside 10.2.0.0 255.255.0.0 172.16.0.1 1
If the internal network has only one CIDR Block, set a default route as in Example 1. If there are multiple internal networks, configure more than one static route. The above command indicates that a static route is created to 10.1.1.0, And the IP address of the next router in the static route is 172.16.0.1.

If you understand these six basic commands, you can access some advanced configurations of the PIX Firewall.

A. Configure static IP address translation (static)
If a session is initiated from the Internet, the destination address of the session is an intranet IP address, and the static address translates the internal address into a specified Global Address, allowing the session to be established. Static command configuration Syntax: static (internal_if_name, external_if_name) outside_ip_address inside _ ip_address. internal_if_name indicates the internal network interface, which has a high security level. Such as inside.
External_if_name is an external network interface with a low security level. Such as outside. Outside_ip_address is the IP address of the interface with lower security level being accessed. Inside _ ip_address is the local IP address of the internal network.
Example 1. pix525 (config) # static (inside, outside) 61.144.51.62 192.168.0.8
Indicates the host whose IP address is 192.168.0.8. For each session created through the PIX firewall, it is translated into the global address 61.144.51.62, the static command also creates a static ing between the internal IP address 192.168.0.8 and the external IP address 61.144.51.62.
Example 2. pix525 (config) # static (inside, outside) 192.168.0.2 10.0.1.3
Example 3. pix525 (config) # static (DMZ, outside) 211.48.16.2 172.16.10.8
Note Example 1. The preceding examples show that the static command allows us to set a permanent Global IP address for a specific internal IP address. In this way, you can create an entry for a specified interface with a lower security level so that they can enter a specified interface with a higher security level.

B. Pipeline commands)
As mentioned earlier, the static command can be used to create a static ing between a local IP address and a global IP address, however, connections from external interfaces to internal interfaces will still be blocked by the Adaptive Security Algorithm (ASA) of the PIX Firewall, the conductor command is used to allow data streams to flow from interfaces with lower security levels to interfaces with higher security levels, for example, to allow inbound sessions from the external to DMZ or internal interfaces. For connections to internal interfaces, the static and conductor commands are used together to specify session creation.
Conductor command configuration Syntax:
Conducting it permit | deny global_ip port <-port> protocol foreign_ip
Permit | deny allowed | Access Denied
Global_ip refers to the global IP address previously defined by the global or static command. If global_ip is 0, use any instead of 0. If global_ip is a host, use the host command parameter.
Port refers to the port used by the Service, such as WWW Using 80, SMTP using 25, etc. We can specify the port through the service name or port number.
Protocols refer to connection protocols, such as TCP, UDP, and ICMP.
Foreign_ip indicates the external IP address that can access global_ip. Any host can be expressed as any. If foreign_ip is a host, use the host command parameter.
Example 1. pix525 (config) # conducting it permit TCP host 192.168.0.8 eq www any
In this example, any external host is allowed to perform HTTP access to this host whose global address is 192.168.0.8. An EQ and a port are used to allow or deny access to this port. Eq ftp is to allow or deny access to ftp only.
Example 2. pix525 (config) # conducting it deny TCP any eq ftp host 61.144.51.89
The external host 61.144.51.89 is not allowed to access any global address through FTP.
Example 3. pix525 (config) # conducting it permit ICMP any
Allow ICMP messages to pass to internal and external sources.
Example 4. pix525 (config) # static (inside, outside) 61.144.51.62 192.168.0.3
Pix525 (config) # conducting it permit TCP host 61.144.51.62 eq www any
This example describes the relationship between static and conduit. 192.168.0.3 is a web server on the Intranet. We hope that users on the internet can obtain web services through the PIX Firewall. So do static ing: 192.168.0.3-> 61.144.51.62 (global) first, and then use the conductor command to allow any external host to perform HTTP access to the global address 61.144.51.62.

C. Configure the fixup Protocol
The fixup command is used to enable or disable a service or protocol. The port specified by the fixup command is the service that the PIX Firewall wants to listen. See the following example:
Example 1. pix525 (config) # fixup protocol FTP 21
Enable the FTP protocol and specify the ftp port number as 21.
Example 2. pix525 (config) # fixup protocol HTTP 80
Pix525 (config) # fixup protocol HTTP 1080
Specify port 80 and port 1080 for the HTTP protocol.
Example 3. pix525 (config) # No fixup protocol SMTP 80
Disable the SMTP protocol.

D. Set Telnet
Telnet has a version change. Before the pix OS 5.0 (the version number of the PIX operating system), you can only access the PIX from hosts on the internal network through Telnet. In pix OS 5.0 and later versions, you can enable telnet-to-pix access on all interfaces. When you need to telnet from an external interface to the PIX Firewall, the Telnet data stream must be protected by IPSec. That is to say, you must configure the PIX to establish an IPsec tunnel to another pix, router, or VPN Client. In addition, you can configure SSH on the PIX and then use the SSH client to telnet from the outside to the PIX Firewall. The pix supports SSH1 and SSH2, but SSH1 is free of charge, and SSH2 is commercial software. In contrast, Telnet on the Cisco Router does not work well.
Telnet configuration Syntax: Telnet local_ip
Local_ip indicates the IP address authorized to access the PIX through Telnet. If this option is not set, the configuration of the PIX can only be performed by the console.

The following is a configuration instance for your reference. The configuration instance description is as follows: the PIX Firewall is directly placed at the interface with the Internet, where there are more than a dozen public IP addresses in the network environment, some may ask what if my public IP address is very limited? You can add a router to the front of the PIX, or use a single IP address in global, which is the same as the IP address of the external interface. In addition, several maintenance commands are also useful. Show interface can view the port status, show static can view the static address ing, show IP can view the interface IP address, and Ping outside | inside ip_address to determine the connectivity.

Welcome to the PIX Firewall

Type help or '? 'For a list of available commands.
Pix525> en
Password:
Pix525 # sh config
: Saved
:
PIX version 6.0 (1) ------ the current OS version of pix is 6.0
Nameif ethernet0 outside security0
Nameif ethernet1 inside security100 ------ currently, only two interfaces are available in the PIX.
Enable Password 7y051hhccoirtsqz encrypted
Passed 7y051hhccoirtsqz encrypted ------ the PIX firewall password is encrypted by default and is not displayed in plaintext in the configuration file. The default telnet password is Cisco
Hostname pix525 ------ the host name is pix525
Domain-Name 123.com ------ A Local Domain Name Server 123.com, usually used as an external access
Fixup protocol FTP 21
Fixup protocol HTTP 80
Fixup protocol h323 1720
Fixup protocol RSH 514
Fixup protocol SMTP 25
Fixup protocol sqlnet 1521
Fixup protocol sip 5060 ------ some services or protocols currently enabled. Note that the RSH service cannot change the port number.
Names ------ resolve the local host name to the IP address. In the configuration, you can replace the IP address with the name. Currently, the list is empty.
Pager lines 24 ------ one page per 24 rows
Interface ethernet0 auto
Interface ethernet1 auto ------ set the two NICs to adaptive
MTU outgoing side 1500
MTU inside 1500 ------ Ethernet standard MTU length is 1500 bytes

IP address outside 61.144.51.42 255.255.255.248
IP address inside 192.168.0.1 255.255.255.0 ------ IP address of the PIX Internet 61.144.51.42, IP address of the Intranet 192.168.0.1
IP audit info action alarm
IP audit attack action alarm ------ two commands for pix intrusion detection. When a data packet has an attack or report pattern, the PIX will take an alarm action (default action) to generate system log messages to the specified host; in addition, you can discard data packets and send TCP Connection Reset signals.
PDM history enable ------ the PIX Device Manager can monitor the PIX graphically.
ARP timeout 14400 ------ ARP table timeout
Global (outside) 1 61.144.51.46 ------ if you visit an external forum or chat via QQ, the IP shown above is
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Static (inside, outside) 61.144.51.43 192.168.0.8 netmask 255.255.255.255 0
Conducting it permit ICMP any
Conducting it permit TCP host 61.144.51.43 eq www any
Conducting it permit UDP host 61.144.51.43 EQ domain any
------ Use the 61.144.51.43 IP address to provide the domain-name service, and only allow external users to access the UDP port of the domain
Route outside 0.0.0.0 0.0.0.0 61.144.51.61 1 ------ external gateway 61.144.51.61
Timeout Xlate 3:00:00 ------ after an internal device sends an IP packet to an external device after translation (global), if the packet is not active three hours by default, previously created table items will be deleted from the translation table, releasing the global address occupied by the device
Timeout conn 1:00:00 half-closed 0:10:00 UDP 0:02:00 RPC 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
Timeout uauth 0:05:00 absolute ------ AAA authentication timeout time. Absolute indicates that the uauth timer is run continuously. After the user times out, the user will force re-Authentication
Aaa-server TACACS + protocol TACACS +
Aaa-Server Radius protocol radius ------ two Protocols of the AAA Server. AAA indicates authentication, authorization, and audit. The PIX Firewall can enhance the security of the internal network through the AAA Server.
No SNMP-server location
No SNMP-server contact
SNMP-server community public ------ because no snmp workstation is set, there is no snmp workstation location and contact
No SNMP-server enable traps ------ send SNMP traps
Floodguard enable ------ prevent someone from forging a large number of authentication requests and use up the AAA resources of the PIX
No sysopt route DNAT
Telnet timeout 5
SSH timeout 5 ------ timeout for accessing the PIX Using SSH
Terminal width 80
Cryptochecksum: a9f03ba4ddb72e1ae6a543292dd4f5e7
Pix525 #
Pix525 # write memory ------ Save the Configuration