NOTE: it is important to note that Cisco no longer provides a vulnerability scanning product/service (though many have suggested we should re-enter this mkt segment) Make point that all these security aspects relate to networking function. Without the network, most security breaches could not happen. For that reason the network security is clearly a major component of any security system.
nat (inside) 1 0.0.0.0 0.0.0.0 nat (inside) 2 192.168.3.0 255.255.255.0 Permit all inside users to start outbound connections using the translated IP addresses from the global pool. global (outside) 1 184.108.40.206-220.127.116.11 netmask 255.255.255.224 global (outside) 2 18.104.22.168-22.214.171.124 netmask 255.255.255.224 Create pools of global addresses to let the nat command statements use the address pools for translating internal IP addresses to external addresses. Each pool is designated by the number from the nat command statement, in this case, 1 and 2.
The Cut-Through feature of the PIX firewall allows authentication with a AAA server of users that traverse the firewall to access internal servers. This check does not require special software on either client nor server side. The PIX terminates the incoming session, sends an authentication request to the user, and forwards the user’s username and password to the AAA server. This server checks the credentials of the user and tells the PIX whether the user is authorised or not. All subsequent connections from this users can then be let through without further authentication (until a defined timeout). User authentication and authorization starts with your security policy and the respective inside RADIUS or TACACS+ server that you have. Authentication verifies that a user is who they say they are. Authorization determines what services a user can use to access a host. From the configuration on this server you need to determine which users can access the network, which services they can use, and what hosts they can access. Once you have this information, you can configure the PIX Firewall to either enable or disable authentication or authorization. In addition, you can also configure the firewall to permit users access to specific hosts or services. However, if you configure the firewall to this degree, you risk the information being different between the authentication server and the firewall. After you enable authentication and authorization, the PIX Firewall provides credential prompts to inbound or outbound users for FTP, Telnet, or HTTP (Web) access. The actual decision about who can access the system and with what services is handled by the authentication and authorization servers.
As opposed to a router, the PIX does not by default forward packets. In fact there is only a small number of defined ways packets can traverse the PIX. Other ways are by default denied. These ways are: 1. Inside to Outside: If a user from the inside starts a connection to the outside (or to be more precise, to an interface with a lower security level), this connection will by default be permitted, and the return packets of this connection too. This can be limited with the “outbound” and “apply” commands. 2. User Authentication: This is the cut-through proxy feature that will be treated in more detail later in the presentation. Typically used from a lower security level to a higher one. Interaction with a AAA server is used for authentication. 3. Conduit: This is a kind of tunnel to allow outside users to access inside resources without defining the outside. Typical application is giving access to a web server to the Internet. Since version 5.0 there is an additional way through the PIX, namely access lists. The functionality is similar to conduits. The reason that this command has been added is IPSec, it does on this level strictly speaking not add functionality, but only in conjunction with IPSec, where access lists are used to define traffic to be secured by IPSec.
The alias command translates one address into another. Use this command to prevent conflicts when you have IP addresses on a network that are the same as those on the Internet or another intranet. You can also use this command to do address translation on a destination address. For example, if a host sends a packet to 126.96.36.199, you can use alias to redirect traffic to another address, such as, 188.8.131.52. Note: You can use the sysopt nodnsalias command to disable inbound embedded DNS A record fixups according to aliases that apply to the A record address and outbound replies. After changing or removing an alias command statement, use the clear xlate command. There must be an A (address) record in the DNS zone file for the &quot;dnat&quot; address in the alias command. The alias command has two uses which can be summarized in the following ways of reading an alias command statement: If the PIX Firewall gets a packet destined for the dnat_IP_address, send it to the foreign_IP_address. If' the PIX Firewall gets a DNS packet returned to the PIX Firewall destined for foreign_network_address, alter the DNS packet to change the foreign network address to dnat_network_address.
The main use of the alias feature is dual NAT, in situations where for example two offices with overlapping address ranges need to communicate over the Internet. In this case the overlapping address range of the remote office can be mapped to a different, free, address range by the PIX. The content of the DNS queries will be changed as well by the PIX, but not the content of the zone transfers. For this reason DNS queries for this address range must be resolved outside the PIX. This feature can also be used for re-routing. In this case, the internal DNS server must point to an external address, so that traffic will be sent to the PIX instead of the internal network.
To access an alias dnat_ip address with static and conduit command statements, specify the dnat_ip address in the conduit command statement as the address from which traffic is permitted from. The example above illustrates this note: Usage: Administer overlapping addresses with dual NAT. (Configuration mode.) alias [(if_name)] dnat_ip foreign_ip [netmask] no alias [[(if_name)] dnat_ip foreign_ip [netmask]] show alias Syntax Description if_name The internal network interface name in which the foreign_ip overlaps. dnat_ip An IP address on the internal network that provides an alternate IP address for the external address that is the same as an address on the internal network. foreign_ip IP address on the external network that has the same address as a host on the internal network. Netmask Network mask applied to both IP addresses. Use 255.255.255.255 for host masks.
A conduit command statement creates an exception to the PIX Firewall Adaptive Security mechanism by permitting connections from one firewall network interface to access hosts on another. The clear conduit command removes all conduit command statements from your configuration. The conduit command can permit or deny access to either the global or static commands; however, neither is required for the conduit command. You can associate a conduit command statement with a global or static command statement through the global address, either specifically to a single global address, a range of global addresses, or to all global addresses. When used with a static command statement, a conduit command statement permits users on a lower security interface to access a higher security interface. When not used with a static command statement, a conduit command statement permits both inbound and outbound access. If you associate a conduit command statement with a static command statement, only the interfaces specified on the static command statement have access to the conduit command statement. For example, if a static command statement lets users on the dmz interface access a server on the inside interface, only users on the dmz interface can access the server via the static command statement. Users on the outside do not have access. Note: The conduit command statements are processed in the order entered into the configuration. After changing or removing a conduit command statement, use the clear xlate command. You can remove a conduit command statement with the no conduit command. Use the show conduit command to view the conduit command statements in the configuration.
Failover lets you add a secondary PIX Firewall that takes control if the Primary unit fails. With version 5.0, you can choose the Stateful Failover option if you have100 Mbps LAN interfaces so that connection states are automatically relayed between the two units. Both units in a failover pair communicate through the failover cable, which is a modified RS-232 serial link cable that transfers data at 9600 baud. The data provides the unit identification of Primary or Secondary, the power status of the other unit, and serves as a communication link for various failover communications between the two units. The two units send special failover &quot;hello&quot; packets to each other over all network interfaces and the failover cable every 15 seconds. The failover feature in PIXFirewall monitors failover communication, the power status of the other unit, and hello packets received at each interface. If two consecutive hello packets are not received within a time determined by the failover feature, failover starts testing the interfaces to determine which unit has failed, and transfers active control to the Standby unit. When a failover occurs, each unit changes state. The newly Active unit assumes the IP and MAC addresses of the previously Active unit and begins accepting traffic. The new Standby unit assumes the failover IP and MAC addresses of the unit that was previously the Active unit. Because network devices see no change in these addresses, no ARP entries change or timeout anywhere on the network. If you are using Stateful Failover, connection states are relayed from the Primary unit to the Secondary unit. Without Stateful Failover, the Standby unit does not maintain the state information of each connection. This means that all active connections will be dropped when failover occurs and that client systems must reestablish connections.
The unit that has the cable end labeled &quot;primary&quot; becomes the default Primary unit. Configure a failover IP address for each interface on the Active unit using the ip address command. From the Active unit, configure a failover IP address for each interface on the Standby unit using the failover ip address command. Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall. The default is the failover off command. Use the failover link command to enable Stateful Failover. If you are not using the failover feature, enter the no failover command in the configuration file for the PIX Firewall if you will not be using the failover feature. Use the failover timeout command to specify the length of time during which if a failover occurs, the Standby unit lets certain traffic through without requiring a prior xlate to exist. Use the show failover command to verify the status of the connection and to determine which unit is active. PIX Firewall configurations using failover require a separate IP address for each network interface on the Standby unit. The system IP address is the address of the Active unit. When the show ip address command is executed on the Active unit, the current IP address is the same as the system IP address. When the show ip address command is executed on the Standby unit, the system IP address is the failover IP address configured for the Standby unit. Use the write standby command to manually save the configuration of the active failover unit to the standby failover unit from RAM to RAM.You can force an update by using the write standby command on the Active unit. If you make changes to the Standby unit, it displays a warning but does not update the Active unit. To save the configuration of the Active unit to Flash memory (permanent memory) on the Standby unit, use the write memory command on the Active unit. The write memory command results are replicated on the Standby unit.
Internetworking With Pix Firewall
Firewall Basics & Internetworking with Cisco PIX -Firewall Presented by : Souvik Santra [Manager, 3i Infotech Consultancy Services Ltd]
Agenda <ul><li>Introduction to Firewalls </li></ul><ul><li>Types of Firewalls </li></ul><ul><li>Modes and Deployments </li></ul><ul><li>Internetworking with Cisco PIX </li></ul>
What Is a Firewall <ul><li>A firewall is an access control device that looks at the IP packet, compares with policy rules and decides whether to allow, deny or take some other action on the packet </li></ul>Outside Network DMZ Network Inside Network Internet
A Simple Analogy The Firewall as the Premise Guard
<ul><li>PIX Firewall topology options :- </li></ul><ul><li>Scenario-1, </li></ul><ul><li>Think of your network as an office building with security desks at each entry point. At the desks, security guards check identification and make sure visitors aren’t carrying anything unauthorised in or out of the building. They may also ask you what your purpose is in the building and log the time that you came in or went out. This is exactly what firewalls do at the entry points to your network. </li></ul><ul><li>The most common use of a firewall is restricting access to your private network from a public network , such as the Internet. Figure A shows an example of this type of topology. </li></ul><ul><li>Figure A </li></ul>
<ul><li>Scenario-2 , </li></ul><ul><li>You may also want to create a DMZ (demilitarised zone) between the Internet and your private network. You'd use this segment as the home for servers (like Web servers or external mail servers) that are accessed over the Internet, but still need some protection. Figure B shows an example of this topology. </li></ul>
<ul><li>Scenario-3, </li></ul><ul><li>A less common—but still very important—use for a firewall is to protect the borders between internal networks. Perhaps you share a network with a business partner, do e-commerce with a vendor through a leased line, or just want to control access between departments (like human resources or accounting and everyone else). A firewall can serve this purpose as well, as illustrated in Figure C. </li></ul>
Agenda <ul><li>Introduction to Firewalls </li></ul><ul><li>Types of Firewalls </li></ul><ul><li>Modes and Deployments </li></ul><ul><li>Internetworking with Cisco PIX Firewall </li></ul>
Packet Filtering Gateways <ul><li>In packet filtering, only the protocol and the address information of each packet is examined. Its contents and context (its relation to other packets and to the intended application) are ignored . The firewall pays no attention to applications on the host or local network and it "knows" nothing about the sources of incoming data. </li></ul><ul><li>Filtering consists of examining incoming or outgoing packets and allowing or disallowing their transmission or acceptance on the basis of a set of configurable rules, called policies . </li></ul><ul><li>Packet filtering policies may be based upon any of the following: </li></ul><ul><li>Allowing or disallowing packets on the basis of the source IP address </li></ul><ul><li>Allowing or disallowing packets on the basis of their destination port </li></ul><ul><li>Allowing or disallowing packets according to protocol . </li></ul>
Packet Filtering Gateways (cont.) <ul><li>Stateless—Two Separate ACLs Are Required </li></ul><ul><li>Permit HTTP traffic from 10.0.0.0 to www.yahoo.com </li></ul><ul><li>Permit HTTP traffic from www.yahoo.com to 10.0.0.0 </li></ul>Inside Outside 10.0.0.15 www.yahoo.com Get Sports Page (Request) Sports Page (Reply) Internet
Stateful Inspection Firewalls <ul><li>Also referred to as dynamic packet filtering . </li></ul><ul><li>A Stateful firewall may examine not just the header information but also the contents of the packet up through the application layer in order to determine more about the packet than just information about its source and destination. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. </li></ul><ul><li>With Stateful Packet Inspection (SPI), every time a packet is sent out of the computer, the firewall keeps track of it. When a packet comes back to the firewall, the firewall can tell whether or not the in-bound packet is a reply to the packet that was sent out. </li></ul><ul><li>This way, the firewall can handle most network traffic safely without a complex configuration of firewall rules. </li></ul><ul><li>As an added security measure against port scanning , stateful inspection firewalls close off ports until connection to the specific port is requested. </li></ul><ul><li>Packet filters operate at the network layer (layer-3) and function more efficiently because they only look at the header part of a packet . </li></ul>
State Table <ul><li>Stateful firewalls maintain a state table showing the current connections </li></ul>
Stateful Inspection Firewalls (cont.) <ul><li>Stateful—Only One ACL Is Required </li></ul><ul><li>Permit HTTP traffic from 10.0.0.0 to www.yahoo.com </li></ul>Inside Outside 10.0.0.15 www.yahoo.com Get Sports Page (Request) Sports Page (Reply) Internet
Proxy Firewalls <ul><li>All requests and replies pass though a proxy server; no direct connection between a client and the server; everything is proxied—thus the name </li></ul>Inside Network Outside Network Internet Proxy Server
Proxy Firewalls (Cont.) <ul><li>Two Separate TCP Connections </li></ul><ul><li>Client to proxy firewall </li></ul><ul><li>Proxy firewall to www.yahoo.com </li></ul>Inside Network Internet Proxy Server 1 4 3 2 Get Sports Page (Request) Sports Page (Reply) www.yahoo.com
Personal Firewalls <ul><li>A version of network firewalls for laptops and desktops </li></ul><ul><li>Disallow inbound connections unless explicitly allowed </li></ul><ul><li>Watches inbound/outbound traffic </li></ul><ul><li>Protect laptops and desktops from attacks. </li></ul><ul><li>Example : Trend Micro, Symantec, AVG, McAfee… </li></ul>
NAT Firewalls <ul><li>NAT Firewalls hide all internal addresses—thus protect small networks from external attacks as internal addresses are not exposed. </li></ul><ul><li>Network Address Translation (NAT) is simply that – it takes a network address, and “translates” it to another network address. It is a simple lookup table, where each row is created by a router command with the two addresses. The user address is behind the router on the LAN interface, and the Internet address is sent out across the serial interface. </li></ul><ul><li>The NAT table (lookup table) in the router can be configured in two ways. </li></ul><ul><li>Static NAT - for security - requires n Internet IP addresses - assign unique, unregistered local IP addresses to all users, and use unique Internet addresses as well. Users can all use the same port !!! </li></ul><ul><li>Dynamic NAT (NAT & PAT) - for overloading - requires 1 outside Internet IP address - assign unique, unregistered local IP addresses to all users. Must use unique ports for each user !!! </li></ul><ul><li>Dynamic NAT allows overloading - multiple users access the Internet via one IP address. This is used by Microsoft ICS (Internet Connection Sharing) and by DSL routers that have several home user PC’s connected. In fact, every Cable/DSL Broadband Router on the market accomplishes its job with NAT. </li></ul><ul><li>PAT is a subset of NAT, and is closely related to the concept of Network Address Translation. PAT is also known as NAT Overload. In PAT there is generally only one publicly exposed IP address and multiple private hosts connecting through the exposed address. Incoming packets from the public network are routed to their destinations on the private network by reference to a table held within the PAT device which keeps track of public and private port pairs. </li></ul>
NAT/PAT Firewalls (Cont.) 10.2.0.0 /24 192.168.0.0 10.0.0.0/24 Global pool 192.168.0.17-30 Global pool 192.168.0.3-14 10.0.0.11 10.0.0.4 10.0.0.11 192.168.0.20 Port 2000 10.0.0.4 192.168.0.20 Port 2001 NAT PAT Internet Internet
Cisco PIX ( Private Internet eXchange ) is a popular IP firewall and network address translation (NAT) appliance <ul><li>On January 28, 2008, Cisco announced the end-of-sale and end-of-life dates for all Cisco PIX Security Appliances, software, accessories, and licenses. The last day for purchasing Cisco PIX Security Appliance platforms and bundles was July 28, 2008 . The last day to purchase accessories and licenses was January 27, 2009. It is important to note that Cisco will continue to support Cisco PIX Security Appliance customers through July 27, 2013 . </li></ul><ul><li>In May 2005, Cisco introduced the Adaptive Security Appliance (ASA) which combines functionality from the PIX, VPN 3000 series and IPS product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and PIX continuing to use the traditional Finesse/PIX OS combination. </li></ul>
PIX Firewall Licensing Cisco PIX Firewall licenses are available in Unrestricted, Restricted, and Fail-Over configurations. Unrestricted —PIX Firewall platforms in an Unrestricted ( UR ) license mode allow installation and use of the maximum number of interfaces and RAM supported by the platform. The Unrestricted license supports a redundant 'hot standby' system for Fail-over operation to minimize network downtime .
PIX Firewall Licensing (cont..) Restricted — PIX Firewall platforms in a Restricted ( R ) license mode limit the number of interfaces supported and the amount of RAM available within the system. A restricted license provides a cost-optimized firewall solution for simplified network connectivity requirements, or where lower than the maximum number of user connections are acceptable. A Restricted licensed firewall does not support a redundant system for fail-over configurations. Fail-Over — The Fail-Over (FO) software licenses place the Cisco PIX Firewall in a 'hot-standby' mode for use along side another PIX Firewall with an Unrestricted license. Fail-Over software licensing provides stateful fail-over capabilities thus enabling high availability network architectures. The fail-over PIX firewall acts as a fully redundant system maintaining state with all active sessions on the primary PIX Firewall, thereby minimizing connection disruptions due to equipment or network failures.
Multiple Interfaces and Security Levels <ul><li>All PIX Firewalls provide at least two interfaces assigned a security level of 0 and 100, respectively </li></ul>
Cut-Through Proxy <ul><li>Unique feature of a PIX Firewall </li></ul><ul><li>Allows user-based authentication of inbound or outbound connections </li></ul><ul><li>A PIX Firewall uses cut-through proxy to authenticate a connection and then allow traffic to flow quickly and directly </li></ul>
User Authentication: Cut-Through-Proxy Private Network Public Network AAA out side in side Outside User www HTTP Request PIX Advanced Configuration 1. HTTP request packet intercepted by PIX 1 2. PIX asks user for credentials, he responds 2 3. PIX sends credentials to AAA server, AAA server ack’s 3 4. PIX forwards packets 4
Access Lists <ul><li>Uses standard and extend ACL’s </li></ul><ul><li>Implemented using access-list and access-group commands </li></ul>
<ul><li>Standard IP Access Lists Example : </li></ul><ul><li>The standard IP access lists filter the network by using the source IP address in an IP packet. You could create a standard IP access list by using the access list numbers 1-99. </li></ul><ul><li>Router # configure terminal Router (config) # access-list 10 deny 172.16.40.0 0.0.0.255 Router (config) # access-list 10 permit any Router (config) # interface e0 Router (config-if) # ip access-group 10 out </li></ul><ul><li>Extended IP Access Lists Example : </li></ul><ul><li>The extended IP access lists allow you to choose your source and destination IP address as well as the protocol and the logical port number, which identify the upper-layer protocol or application. By using extended IP access lists, you can effectively allow access to a physical LAN and stop them from using certain services. You'll use the extended IP access list range from 100 to 199. </li></ul><ul><li>Router # configure terminal Router (config) # access-list 110 deny tcp any host 172.16.10.5 eq 21 Router (config) # access-list 110 deny tcp any host 172.16.10.5 eq 23 Router (config) # access-list 110 permit ip any any </li></ul><ul><li>Monitoring IP Access Lists : </li></ul><ul><li>Show access-list: This command displays all access lists and their parameters configured on the router. This command does not show you that on which interface the list is set. </li></ul><ul><li>Show ip access-list: This command shows only the IP access lists configured on the router. </li></ul><ul><li>Show ip access-list access list no: This command displays the detail of the specific IP access list configured on the router. </li></ul><ul><li>Show ip interface interface no: This command shows that which interfaces have access lists set and in which direction. </li></ul><ul><li>Show running-config : This command shows the access lists configuration and the interfaces status </li></ul>
Only 4 Ways through the PIX Private Network Public Network out side in side PIX “Inside” 1: inside to outside; (Limit with ”outbound” and ”apply”) 2: user authentication AAA 3: conduit 4*: Access List * since PIX IOS 5.0
Destination Address Translation: Alias <ul><li>The PIX's alias feature is used to set up a mechanism whereby the destination IP addresses contained in packets going from one interface to another are NATed (translated). </li></ul><ul><li>This is necessary in various situations, especially where an external DNS server is used to resolve the names for servers on the inside or DMZ networks, where an IP address is being illegally used in the private network behind the PIX, or where two enterprise networks are marged to form one network across a PIX firewall. </li></ul><ul><li>The alias command not only translate the destination IP address, but can also doctor the DNS responses passing through the PIX to comply with the translation taking place on the destination IP address. </li></ul>PIX “Inside”
How “alias” Works PIX “Inside” Inside User www 184.108.40.206 Internet Company 220.127.116.11 www.x.com 1. Access www.x.com alias: 18.104.22.168 = 22.214.171.124 inside outside 2. DNS query 3. Reply: 126.96.36.199 4. Reply: 188.8.131.52 Conflict 5. Destination NAT alias: 184.108.40.206 = 220.127.116.11 inside outside
Address Translation: Alias Configuration alias (inside) 18.104.22.168 22.214.171.124 255.255.255.255 static (inside,outside) 126.96.36.199 188.8.131.52 netmask 255.255.255.255 Use this destination address on the inside... … for this destination address on the outside PIX “Inside” Map this source on outside... … to this one on inside Destination NAT Source NAT
Conduits <ul><li>When you have private addresses on your LAN and public addresses on the outside of the Pix, you can allow connectivity to the LAN on a port by port basis! </li></ul><ul><li>(1)Adding a Static Route </li></ul><ul><li>Type "conf t" to enter terminal-configuration mode. </li></ul><ul><li>Type "static ( high-security_if_name , low-security_if_name ) outside_ip inside_ip " Examples: </li></ul><ul><li>static (inside,outside) 100.100.100.130 10.1.1.130 </li></ul><ul><li>Type " wr mem " to save changes to flash memory (otherwise they will be lost if pix is restarted. </li></ul>PIX “Inside”
Conduits (Cont.) <ul><li>(2)Adding a Conduit: </li></ul><ul><li>Type "conf t" to enter terminal-configuration mode. </li></ul><ul><li>Type: "conduit permit | deny protocol outside_ip operator port any" </li></ul><ul><ul><li>"permit" allows access and "deny" blocks it. </li></ul></ul><ul><ul><li>"protocol" is either "tcp", "udp", or "ip". </li></ul></ul><ul><ul><li>"operator" is "eq" or "range". </li></ul></ul><ul><ul><li>"port" is either a port number, the common name of a service (www, telnet, pop3, etc.), or a range (Port 80 to 90 would be: 80 90). </li></ul></ul><ul><li>Type "wr mem" to save changes to flash memory (otherwise they will be lost if pix is restarted. </li></ul><ul><li>For example, if we have a web server at 10.1.1.27 internally, and we want it to be available externally at 100.100.100.27 on port 80 only, here are the exact commands: static (inside,outside) 100.100.100.27 10.1.1.27 conduit permit tcp host 100.100.100.27 eq www any That's it! </li></ul>
Fail-over <ul><li>The failover feature allows us to use a standby PIX Firewall to take over the functionality of a failed PIX Firewall. When the active unit fails, it changes to the standby state, while the standby unit changes to the active state. The unit that becomes active takes over the active unit's IP addresses and MAC addresses, and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network. (See the "Primary and Secondary Vs. Active and Standby" section for more information about MAC addresses). </li></ul><ul><li>The PIX Firewall supports two types of failover: </li></ul><ul><li>• Regular Failover—When a failover occurs, all active connections are dropped and clients need to reestablish connections when the new active unit takes over. </li></ul><ul><li>• Stateful Failover—During normal operation, the active unit continually passes per-connection stateful information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session. </li></ul>
PIX Failover Primary Secondary .1 10.0.1. x 192.168.236. x .2 .1 .2 Failover Cable PIX Advanced Configuration Failover Link default gateway 10.0.1.1 .1
Failover Configuration Primary Secondary 10.0.1. x .1 .2 Failover Cable PIX Advanced Configuration Failover Link failover [active] failover ip address inside 10.0.1.1 failover link ethernet2 Enable failover Address for Standby PIX (configured on primary) Enable statefulness (over link eth2)
<ul><li>Basic Configuration Commands </li></ul><ul><li>Some commands share the same syntax in PIX OS and IOS, but have different functionality. The six primary commands that you need to watch out for are: </li></ul><ul><li>nameif —assigns a name and security level to an interface </li></ul><ul><li>interface —used to assign hardware parameters (like full or half duplex) and to shutdown interfaces </li></ul><ul><li>ip address —assigns an IP address and other IP parameters to an interface </li></ul><ul><li>nat —does network address translation between the inside interfaces and outside interfaces </li></ul><ul><li>global —does network address translation between the outside and inside interfaces </li></ul><ul><li>route —configures an IP route </li></ul>
<ul><li>‘ interface’ Command </li></ul><ul><li>The interface command identifies the interface hardware card, sets the speed of the interface, and enables the interface all in one command. All interfaces on a Cisco PIX Firewall are shut down by default and are explicitly enabled by the interface command. The basic syntax of the interface command is as follows: </li></ul><ul><li>interface hardware_id hardware_speed [ shutdown ] </li></ul><ul><li>Table describes the command parameters for the interface command. </li></ul>The shutdown parameter administratively shuts down the interface. This parameter performs a very similar function in Cisco IOS Software. However, unlike with IOS, the command no shutdown cannot be used here. To place an interface in an administratively up mode, you reenter the interface command without the shutdown parameter. shutdown Sets the connection speed, depending on which medium is being used. 1000auto sets Ethernet speeds automatically. However, it is recommended that you configure the speed manually. 1000sxfull —Sets full-duplex Gigabit Ethernet. 1000basesx —Sets half-duplex Gigabit Ethernet. 1000auto —Automatically detects and negotiates full-/half-duplex Gigabit Ethernet. 10baset —Sets 10 Mbps half-duplex Ethernet (very rare these days). 10full —Sets 10 Mbps full-duplex Ethernet. 100full —Sets 100 Mbps full-duplex Ethernet. 100basetx —Sets 100 Mbps half-duplex Ethernet. Make sure that the hardware_speed setting matches the port speed on the Catalyst switch the interface is connected to. hardware_speed Indicates the interface's physical location on the Cisco PIX Firewall. hardware_id Description Command Parameter
<ul><li>Here are some examples of the interface command: </li></ul><ul><li>interface ethernet0 100full </li></ul><ul><li>interface ethernet1 100full </li></ul><ul><li>interface ethernet2 100full </li></ul><ul><li>‘ nameif’ Command </li></ul><ul><li>As the name intuitively indicates, the nameif command is used to name an interface and assign a security value from 1 to 99. The outside and inside interfaces are named by default and have default security values of 0 and 100, respectively. By default, the interfaces have their hardware ID. Ethernet 0 is the outside interface, and Ethernet 1 is the inside interface. The names that are configured by the nameif command are user-friendly and are easier to use for advanced configuration later. </li></ul><ul><li>The syntax of the nameif command is, </li></ul><ul><li>nameif hardware_id if_name security_level </li></ul><ul><li>Table describes the command parameters for the nameif command. </li></ul>A numerical value from 1 to 99 indicating the security level. security_level The name by which you refer to this interface. The name cannot have any spaces and must not exceed 48 characters. if_name Indicates the interface's physical location on the Cisco PIX Firewall. hardware_id Description Command Parameter
<ul><li>Here are some examples of the nameif command: </li></ul><ul><li>nameif ethernet0 outside security0 </li></ul><ul><li>nameif ethernet1 inside security100 </li></ul><ul><li>nameif ethernet2 dmz security20 </li></ul><ul><li>The security_level value controls how hosts/devices on the different interfaces interact with each other. By default, hosts/devices connected to interfaces with higher security levels can access hosts/devices connected to interfaces with lower-security interfaces. Hosts/devices connected to interfaces with lower-security interfaces cannot access hosts/devices connected to interfaces with higher-security interfaces without the assistance of access lists or conduits. </li></ul><ul><li>You can verify your configuration by using the show nameif command. </li></ul><ul><li>‘ ip address’ Command </li></ul><ul><li>All the interfaces on the Cisco PIX Firewall that will be used must be configured with an IP address. The IP address can be configured manually or through Dynamic Host Configuration Protocol (DHCP). The DHCP feature is usually used on Cisco PIX Firewall small office/home office (SOHO) models. DHCP is discussed later in this chapter. </li></ul><ul><li>The ip address command is used to configure IP addresses on the PIX interfaces. The ip address command binds a logical address (IP address) to the hardware ID. Table describes the parameters for the ip address command, the syntax of which is as follows: </li></ul><ul><li>ip address if_name ip_address [ netmask ] </li></ul>
<ul><li>Table ip address Command Parameters </li></ul>Here's an example of the ip address command: ip address inside 10.10.10.14 255.255.255.0 Use the show ip command to view the configured IP address on the PIX interface. ‘ nat’ Command The nat (Network Address Translation) command lets you translate a set of IP addresses to another set of IP addresses. NOTE PIX 6.2 supports bidirectional translation of inside network IP addresses to global IP addresses and translation of outside IP addresses to inside network IP addresses. The nat command is always paired with a global command, with the exception of the nat 0 command. Table describes the command parameters for the nat command, the syntax of which is as follows: nat ( if_name ) nat_id local_ip [ netmask ] The appropriate network mask. If the mask value is not entered, the PIX assigns a classful network mask. netmask The interface's IP address. ip_address The interface name that was configured using the nameif command. if_name Description Command Parameter
Table nat Command Parameters Here are some examples of the nat command: nat (inside) 1 10.10.10.0 255.255.255.0 nat (inside) 1 172.16.1.0 255.255.255.0 ‘ Global’ Command The global command is used to define the address or range of addresses that the addresses defined by the nat command are translated into. It is important that the nat_id be identical to the nat_id used in the nat command. The nat_id pairs the IP address defined by the global and nat commands so that network translation can take place. The syntax of the global command is global ( if_name ) nat_id global_ip | global_ip-global_ip [ netmask ] Network mask for the local IP address. netmask The IP address that is translated. This is usually the inside network IP address. It is possible to assign all the inside network for the local_ip through nat (inside) 1 0 0 . local_ip The ID number to match with the global address pool. nat_id The internal network interface name. (if_name) Description Command Parameter
Table global Command Parameters There should be enough global IP addresses to match the local IP addresses specified by the nat command. If there aren't, you can leverage the shortage of global addresses by PAT entry, which permits up to 64,000 hosts to use a single IP address. PAT divides the available ports per global IP address into three ranges: 0 to 511 512 to 1023 1024 to 65535 PAT assigns a unique source port for each UDP or TCP session. It attempts to assign the same port value of the original request, but if the original source port has already been used, PAT starts scanning from the beginning of the particular port range to find the first available port and assigns it to the conversation. PAT has some restrictions in its use. For example, it cannot support H.323 or caching name server use. The following example shows a configuration using a range of global IP and single IP for PAT: nat (inside) 1 10.0.0.0 255.0.0.0 global (outside) 1 192.168.10.15-192.168.1.62 netmask 255.255.255.0 global (outside) 1 192.168.10.65 netmask 255.255.255.0 When a host or device tries to start a connection, the PIX Firewall checks the translation table if there is an entry for that particular IP. If there is no existing translation, a new translation slot is created. The default time that a translated IP is kept in the translation table is 3 hours. You can change this with the timeout xlate hh:mm:ss command. To view the translated addresses, use the show xlate command. The network mask for the global IP address(es). netmask Defines a range of global IP addresses to be used by the PIX to NAT. global_ip-global_ip A single IP address. When a single IP address is specified, the PIX automatically performs Port Address Translation (PAT). A warning message indicating that the PIX will PAT all addresses is displayed on the console. global_ip Identifies the global address and matches it with the nat command it is pairing with. nat_id The external network where you use these global addresses. (if_name) Description Command Parameter
route Command The route command tells the Cisco PIX Firewall where to send information that is forwarded on a specific interface and that is destined for a particular network address. You add static routes to the PIX using the route command. Table 6-6 describes the route command parameters, the syntax of which is as follows: route if_name ip_address netmask gateway_ip [ metric ] Table : route Command Parameters The following example shows a default route configuration on a Cisco PIX Firewall: route outside 0.0.0.0 0.0.0.0 192.168.1.3 1 The 1 at the end indicates that the gateway router is only one hop away. If a metric is not specified in the route command, the default is 1. You can configure only one default route on the PIX Firewall. It is good practice to use the clear arp command to clear the PIX Firewall's ARP cache before testing your new route configuration. Specifies the number of hops to gateway_ip. metric The IP address of the next-hop address. Usually this is the IP address of the perimeter router. gateway_ip The network mask of the IP address to be routed. netmask The IP address to be routed. ip_address The name of the interface where the data leaves from. if_name Description Command Parameter
Summary Table provides a quick reference to the commands needed to configure the Cisco PIX Firewall, time server and NTP support, and the DNS server. Lets you specify the time, month, day, and year for use with time-stamped syslog messages. clock Synchronizes the PIX Firewall with the network time server that is specified and authenticates according to the authentication options that are set. ntp server Controls the DHCP server feature. dhcpd Enables IP routing table updates from received RIP broadcasts. rip Displays the current configuration on the terminal. write terminal Used to enter a default or static route for an interface. route Defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection and for inbound connections resulting from outbound connections. Ensure that associated nat and global command statements have the same nat_id . global Lets you associate a network with a pool of global IP addresses. nat Identifies addresses for network interfaces and lets you set how many times the PIX Firewall polls for DHCP information. ip address Lets you name interfaces and assign security levels. nameif Identifies the speed and duplex settings of the network interface boards. interface Specifies to activate a process, mode, or privilege level. enable Descriptions Commands