Thursday, February 4, 2010

How to Configure PIX Firewall, Part 1


Please find below a step-by-step process to configure a PIX Firewall from scratch. A simple scenario is used: a corporate network with a PIX Firewall connected to the Internet through the outside interface, to the internal network through the inside interface, and to the DMZ through the dmz interface. This paper walks you through a simple, near-complete configuration of a PIX Firewall for a mid-sized corporate network.

The outside network is connected to the Internet through an Internet router. The inside network is connected through a switch to the internal clients (inside hosts). The DMZ network consists of two servers, the web server and the mail server.

Note: An effort has been made to keep this paper as simple as possible for newcomers. Theory is mostly left out, since there are numerous sites on the Internet where you can read it. Reference links to more detailed configuration documents on the Cisco website are given from time to time.

A Simple Network Diagram




The first thing in configuration is getting connected to the pix firewall. You use the console cable to connect the cable to the console port of the pix firewall. The other end goes to the serial port of your computer. You can then use a terminal emulation software to get connected to the prompt. For Windows users, HyperTerminal is a good option.

The next step is booting the Firewall.

When a non-configured PIX Firewall boots up, it prompts to preconfigure it through interactive prompts. If you press Enter to accept the default answer of yes, you are presented with a series of prompts that lead you through the basic configuration steps:

Pre-configure PIX Firewall now through interactive prompts [yes]?
Enable Password [ ]: abc123
Clock (UTC)
Year [2002]:
Month [Aug]:
Day [2]: 12
Time [2:45:37]: 12:22:00
Inside IP address: 10.1.1.1
Inside network mask: 255.255.255.0
Host name: pixfirewall
Domain name: secmanager.com
IP address of host running PIX Device Manager: 101.1.111
Use this configuration and write to flash? Y

The same dialog can also be started by entering the setup command in privileged mode.

The PIX Firewall has four modes of operation:

• Unprivileged mode: provides a restricted, limited view of the PIX Firewall settings. Example: pixfirewall>
• Privileged mode: enables you to change the current firewall settings. Example: pixfirewall#
• Configuration mode: enables you to change the system configuration of the firewall. Example: pixfirewall(config)#
• Monitor mode: used to update the image over the network, perform password recovery, or back up the configuration to a TFTP server.

In case you don't want to use the setup command for the configuration, you can use the console connection and configure as follows:

Privileged mode

The first step is to enter the privileged mode:

Pixfirewall> en
Password: (Enter or Cisco, for more information refer to the configuration manuals that came with the firewall)
Pixfirewall#

Changing password

The next step is to change the enable password on the firewall:

Pixfirewall# enable password abc123

The next step is to enter the configuration mode for changing the system configurations. To enter the config mode, enter the following command:

Pixfirewall# configure terminal (commonly abbreviated to conf t)
Pixfirewall (config) #

Give a Hostname to the firewall.

You might want to give a hostname to the firewall. You can use the hostname command to do this.

Pixfirewall (config) #hostname CorpFW1
CorpFW1(config) #

To save the information, use the write memory command or simply wr mem.

CorpFW1(config) # write memory

For the purposes of this document, we keep calling the firewall "Pixfirewall", so let us change the name back to Pixfirewall:

CorpFW1(config) # hostname Pixfirewall
Pixfirewall (config) # wr mem

Setup the console timeout:

Next, you might want to set up a console timeout for security reasons. The default timeout is 0, which means unlimited.

Pixfirewall (config) # console timeout 5

This sets a console timeout of 5 minutes (the value can be set from 0 to 60 minutes): after 5 minutes of idle time, the console session is closed.

Setup a banner to your Pix firewall.

You can do this with the banner command:

Pixfirewall (config) # banner exec Unauthorized access will be prosecuted.

There are also two other commands available:

banner login
banner motd

To remove a banner, use the no banner or clear banner commands.

Naming an Interface:

The first two interfaces would have the default names of inside and outside. While inside interface has a security level of 100, the outside interface has a default security level of 0.

Let us configure the Ethernet 2 interface as the dmz.

Pixfirewall (config) # nameif ethernet2 dmz sec60

In this example, we are assigning a security level of 60 to the DMZ network, so it sits between the inside (100) and outside (0) interfaces.

Configure the Interface:

Now let us turn the interface on and configure the speeds for these interfaces:

Pixfirewall (config) # interface ethernet0 100full
Pixfirewall (config) #interface ethernet1 100full
Pixfirewall (config) #interface ethernet2 100full

Assign IP Address to the Interface:

Pixfirewall (config) # ip address outside 192.168.1.1 255.255.255.0
Pixfirewall (config) # ip address inside 10.1.1.1 255.255.255.0
Pixfirewall (config) # ip address dmz 172.16.16.1 255.255.255.0

You can use the "show ip" command to view the ip address information and "clear ip" command to remove all assigned IP addresses from all interfaces.

Route Commands:

Now let us setup the routing information on the pix firewall.

This is the default route; its next hop is the IP address of the Internet router, 192.168.1.100:

Pixfirewall (config) # route outside 0.0.0.0 0.0.0.0 192.168.1.100 1

Pixfirewall (config) # route inside 10.0.0.0 255.0.0.0 10.1.1.1 1

Pixfirewall (config) # route dmz 172.16.17.0 255.255.255.0 172.16.16.1 1

With these route commands you are telling the PIX to send traffic for the 10.0.0.0/8 network out the inside interface and traffic for the 172.16.17.0/24 network out the dmz interface. The default route points to the outside interface, which means traffic for all other networks leaves through the outside interface.
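As an added example (not code from the original article), the following Python models the route table the commands above build, from the three interface addresses plus the three route statements, and resolves a destination to an egress interface and next hop by longest-prefix match, the same rule the PIX applies. It also checks that each static next hop lies on the egress interface's connected network, which is worth verifying before typing a route in. Addresses are the ones used in this section; the sample destinations in the usage are constructed.

```python
import ipaddress

# Interface addresses from the "ip address" commands above.
INTERFACES = {
    "outside": "192.168.1.1/24",
    "inside": "10.1.1.1/24",
    "dmz": "172.16.16.1/24",
}

# route <iface> <network> <mask> <gateway> as typed on the PIX in this section.
STATIC_ROUTES = [
    ("outside", "0.0.0.0", "0.0.0.0", "192.168.1.100"),
    ("inside", "10.0.0.0", "255.0.0.0", "10.1.1.1"),
    ("dmz", "172.16.17.0", "255.255.255.0", "172.16.16.1"),
]


def build_table():
    """Return [(network, egress interface, next hop or None)], longest prefix first."""
    table = []
    for name, cidr in INTERFACES.items():
        # Each interface address implies a connected route with no next hop.
        table.append((ipaddress.ip_interface(cidr).network, name, None))
    for name, net, mask, gw in STATIC_ROUTES:
        table.append((ipaddress.ip_network(f"{net}/{mask}"), name, gw))
    # Longest prefix wins, so sort by prefix length descending and take the first hit.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, destination):
    """Resolve a destination address to (egress interface, next hop or None)."""
    addr = ipaddress.ip_address(destination)
    for network, iface, gateway in table:
        if addr in network:
            return iface, gateway
    return None  # unreachable only if there is no default route


def validate_next_hops(table):
    """Flag static routes whose gateway is not on the egress interface's own subnet."""
    connected = {iface: net for net, iface, gw in table if gw is None}
    problems = []
    for network, iface, gateway in table:
        if gateway is not None and ipaddress.ip_address(gateway) not in connected[iface]:
            problems.append(f"{network} via {gateway}: next hop not on {iface} subnet")
    return problems


if __name__ == "__main__":
    routes = build_table()
    for dst in ("10.5.5.5", "10.1.1.50", "172.16.17.9", "172.16.16.2", "8.8.8.8"):
        print(dst, "->", lookup(routes, dst))
    print("problems:", validate_next_hops(routes) or "none")
```

Note that 10.1.1.50 resolves to the connected inside /24 rather than the 10.0.0.0/8 static route, because the more specific prefix wins regardless of the order the routes were entered.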


How to Configure PIX Firewall, Part 2

Please find below a step-by-step process to configure a PIX Firewall from scratch. A simple scenario is used: a corporate network with a PIX Firewall connected to the Internet through the outside interface, to the internal network through the inside interface, and to the DMZ through the dmz interface. This paper walks you through a simple, near-complete configuration of a PIX Firewall for a mid-sized corporate network.

This is part II of the How to Configure Pix Firewall, a step by step approach.
This is in continuation of the Part I of the series.

A Simple Network Diagram




Network Address Translation:

Let us take a simple scenario to explain this section. Let us say that all the computers in the inside network want Internet access. NAT also allows you to keep your internal IP addresses hidden from the outside network. To achieve this you need to implement address translation. You do this using the "nat" and "global" commands.

The NAT command:

Pixfirewall (config) # nat (inside) 1 0.0.0.0 0.0.0.0

In this example, nat (inside) 1 0.0.0.0 0.0.0.0 means that outbound connections from any host behind the inside interface can pass through the PIX Firewall (with address translation). The number 1 is the nat id that ties this statement to the global pool below. To translate only the 10.1.1.0 network instead, you would write nat (inside) 1 10.1.1.0 255.255.255.0.

Global command:

Pixfirewall (config) #global (outside) 1 192.168.1.10-192.168.1.50

This tells the PIX to use the addresses 192.168.1.10 through 192.168.1.50 when translating traffic that arrives on the inside interface and matches nat id 1.

There is also another simple way to allow Internet (outside) access for the inside network: PAT, or port address translation. This hides all the internal networks behind the outside interface of the PIX firewall and distinguishes the connections by port number. One limitation of this approach is that a single address can serve fewer than 64000 client connections at a time. In most cases this is more than enough.

PAT using Global:

Pixfirewall (config) # global (outside) 1 interface
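As an added example (not code from the original article), the following Python simulates the translation slots the three commands above create: a global pool that gives each inside host its own outside address, and the interface PAT entry in the same nat id that takes over once the pool is empty, sharing the outside address and distinguishing hosts by port. It makes the pool size (41 addresses) and the fallback visible. The port range used for PAT and the inside hosts in the usage are constructed for the simulation.

```python
import ipaddress

# nat (inside) 1 0.0.0.0 0.0.0.0           -> every inside host may be translated
# global (outside) 1 192.168.1.10-192.168.1.50 -> dynamic NAT pool
# global (outside) 1 interface             -> PAT on the outside address (192.168.1.1)
NAT_NETWORK = ipaddress.ip_network("0.0.0.0/0")
POOL_START, POOL_END = "192.168.1.10", "192.168.1.50"
OUTSIDE_IP = "192.168.1.1"
PAT_FIRST_PORT, PAT_LAST_PORT = 1024, 65535  # assumed port range for the simulation


class Xlate:
    """Hands out translations for outbound connections, pool first, then PAT."""

    def __init__(self, pool_start, pool_end, pat_ip=None):
        first = int(ipaddress.ip_address(pool_start))
        last = int(ipaddress.ip_address(pool_end))
        self.free = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.pat_ip = pat_ip
        self.next_port = PAT_FIRST_PORT
        self.nat_table = {}  # inside ip -> global ip (one-to-one)
        self.pat_table = {}  # (inside ip, inside port) -> (global ip, global port)

    def translate(self, inside_ip, inside_port):
        """Return the (global ip, global port) seen on the outside, or None when the
        connection cannot be translated (not covered by nat, or all slots used)."""
        if ipaddress.ip_address(inside_ip) not in NAT_NETWORK:
            return None
        if inside_ip in self.nat_table:  # host already owns a pool address
            return (self.nat_table[inside_ip], inside_port)
        if self.free:  # take the next free pool address
            self.nat_table[inside_ip] = self.free.pop(0)
            return (self.nat_table[inside_ip], inside_port)
        if self.pat_ip is None:
            return None  # pool exhausted and no PAT fallback configured
        key = (inside_ip, inside_port)
        if key not in self.pat_table:
            if self.next_port > PAT_LAST_PORT:
                return None  # PAT port space exhausted
            self.pat_table[key] = (self.pat_ip, self.next_port)
            self.next_port += 1
        return self.pat_table[key]


def pool_size():
    """Number of one-to-one translations the 192.168.1.10-50 pool can hold."""
    return len(Xlate(POOL_START, POOL_END).free)


def demo(host_octets, pat=True):
    """Translate one connection from each inside host 10.1.1.<octet>; returns the
    outside (ip, port) per host, with None where the connection would fail."""
    xlate = Xlate(POOL_START, POOL_END, OUTSIDE_IP if pat else None)
    return [xlate.translate(f"10.1.1.{h}", 40000 + h) for h in host_octets]


if __name__ == "__main__":
    print("pool addresses:", pool_size())
    print("43 hosts, pool only:", demo(range(10, 53), pat=False)[-3:])
    print("43 hosts, pool + PAT:", demo(range(10, 53))[-3:])
```

Running it shows the 42nd and 43rd hosts failing with the pool alone and succeeding on 192.168.1.1 with distinct ports once the interface PAT entry is present, which is why the author's "interface" form is the usual choice for a network larger than the pool.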

Now, let us configure the two servers in the dmz network, the web server and the mail server. The wish list is to allow traffic from anywhere to reach the web server on http, https and ftp, and traffic from anywhere to reach the mail server on the smtp port.

To do this we need to setup statics and access-lists.

Setting up Statics:

Pixfirewall (config) #static (dmz,outside) 192.168.1.2 172.16.16.2 netmask 255.255.255.255 0 0

Pixfirewall (config) # static (dmz,outside) 192.168.1.4 172.16.16.4 netmask 255.255.255.255 0 0

Each static maps an outside (global) address to a DMZ server's real address. Having configured the statics, let us move on to the object-group that will be used in the access-list.

Configuring object-groups:

Pixfirewall (config) #object-group service webservices tcp
Pixfirewall (config-service) # port-object eq http
Pixfirewall (config-service) # port-object eq https
Pixfirewall (config-service) # port-object eq ftp
Pixfirewall (config-service) # exit

Pixfirewall (config) #

Now let us configure the access-lists to allow access to the dmz networks from outside and also to the other interfaces:

Configuring Access-list:

Pixfirewall (config) # access-list external permit tcp any host 192.168.1.2 object-group webservices

Pixfirewall (config) # access-list external permit tcp any host 192.168.1.4 eq smtp

Pixfirewall (config) #access-list external deny ip any any

(This is an explicit any-any drop rule. Place it at the end of the access-list. It blocks any traffic from outside that is not explicitly permitted above it. Although the PIX already denies unmatched traffic implicitly, the explicit line is useful because its hit count shows how much unwanted traffic arrives from outside, for troubleshooting or analysis.)

Pixfirewall (config) #access-list internal permit ip 10.1.1.0 255.255.255.0 172.16.16.0 255.255.255.0

Pixfirewall (config) # access-list internal deny ip any any

Pixfirewall (config) # access-list dmz permit ip 172.16.16.0 255.255.255.0 10.1.1.0 255.255.255.0

Pixfirewall (config) #access-list dmz deny ip any any

(An access-list bound inbound on an interface is matched against traffic arriving on that interface, so the first address pair is the source network behind that interface: 10.1.1.0/24 on the inside list and 172.16.16.0/24 on the dmz list. Keep in mind that once an access-group is bound to the inside interface, the default permit from a higher to a lower security level no longer applies, so inside hosts need an explicit permit line for any other destination they should reach, including the Internet, ahead of the deny.)

Now map these access-lists to access-groups for these access-lists to work properly:

Configuring Access Groups:

Pixfirewall (config) #access-group external in interface outside
Pixfirewall (config) # access-group internal in interface inside
Pixfirewall (config) #access-group dmz in interface dmz

The access-group command takes the interface name assigned with nameif (dmz), not the hardware id (ethernet2).

With this we have configured the PIX firewall for a normal office setup.
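As an added example (not code from the original article), the following Python parses the object-group and access-list lines from this section, binds them to interfaces as the access-group commands do, and evaluates sample flows with the PIX's first-match rule, counting hits per line the way "show access-list" does. The inside and dmz lists are embedded source-first, as they are matched inbound on their interfaces. The flows and the outside/Internet addresses are constructed; the last flow shows the practitioner's check from above, that inside hosts have no permit for Internet destinations once the inside list is bound.

```python
import ipaddress
from collections import Counter

# Constructed from the commands in this section (prompts stripped).
PIX_CONFIG = """
object-group service webservices tcp
 port-object eq http
 port-object eq https
 port-object eq ftp
access-list external permit tcp any host 192.168.1.2 object-group webservices
access-list external permit tcp any host 192.168.1.4 eq smtp
access-list external deny ip any any
access-list internal permit ip 10.1.1.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list internal deny ip any any
access-list dmz permit ip 172.16.16.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz deny ip any any
"""

# access-group <name> in interface <iface>, from the page.
ACCESS_GROUPS = {"external": "outside", "internal": "inside", "dmz": "dmz"}
PORT_NAMES = {"http": 80, "https": 443, "ftp": 21, "smtp": 25}


def _addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return {acl name: [(line, action, proto, src net, dst net, ports or None)]}."""
    groups, acls, current = {}, {}, None
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "object-group":
            current = groups.setdefault(tok[2], set())
        elif tok[0] == "port-object":  # port-object eq <name|number>
            current.add(PORT_NAMES.get(tok[2]) or int(tok[2]))
        elif tok[0] == "access-list":
            name, action, proto = tok[1], tok[2], tok[3]
            src, rest = _addr(tok[4:])
            dst, rest = _addr(rest)
            ports = None
            if rest[:1] == ["eq"]:
                ports = {PORT_NAMES.get(rest[1]) or int(rest[1])}
            elif rest[:1] == ["object-group"]:
                ports = groups[rest[1]]
            acls.setdefault(name, []).append((line, action, proto, src, dst, ports))
    return acls


class Pix:
    """First-match evaluation of bound access-lists with per-line hit counters."""

    def __init__(self, config_text, access_groups):
        self.acls = parse_config(config_text)
        self.by_iface = {iface: name for name, iface in access_groups.items()}
        self.hits = Counter()

    def check(self, ingress, src, dst, proto, dport):
        """Return 'permit' or 'deny' for a flow entering on interface `ingress`."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for line, action, p, src_net, dst_net, ports in self.acls[self.by_iface[ingress]]:
            if p != "ip" and p != proto:
                continue
            if s not in src_net or d not in dst_net:
                continue
            if ports is not None and dport not in ports:
                continue
            self.hits[line] += 1  # what the hit counter on that line would show
            return action
        return "deny"  # implicit deny at the end of every access-list


def run_sample_flows():
    """Evaluate constructed flows; returns ({(ingress, dst, port): decision}, hits)."""
    pix = Pix(PIX_CONFIG, ACCESS_GROUPS)
    flows = [
        ("outside", "203.0.113.5", "192.168.1.2", "tcp", 443),  # web server, https
        ("outside", "203.0.113.5", "192.168.1.2", "tcp", 25),   # web server, smtp
        ("outside", "203.0.113.5", "192.168.1.4", "tcp", 25),   # mail server, smtp
        ("inside", "10.1.1.20", "172.16.16.2", "tcp", 80),      # inside host to dmz
        ("inside", "10.1.1.20", "198.51.100.7", "tcp", 80),     # inside host to Internet
    ]
    results = {(i, d, port): pix.check(i, s, d, proto, port) for i, s, d, proto, port in flows}
    return results, pix.hits


if __name__ == "__main__":
    results, hits = run_sample_flows()
    for flow, decision in results.items():
        print(flow, decision)
    print("hits on external deny:", hits["access-list external deny ip any any"])
```

The outside list references the global addresses 192.168.1.2 and 192.168.1.4 from the statics, as the page does, so the evaluator sees the same addresses the outside interface sees before translation back to the DMZ servers.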

These commands are helpful in checking the configuration of the PIX firewall and also in troubleshooting, analysis and fine tuning.

Useful Commands:

show config
show blocks
show checksum
show conn
show cpu usage
show history
show memory
show processes
show routing
show running-config
show startup-config
show tech-support
show tcpstat
show traffic
show uauth / clear uauth
show version
show xlate / clear xlate

Note: There is a lot more that you can do with the PIX firewall. This document is just a simple guide for an easy setup and covers the most popular setups. If you need further information, please refer to the Cisco website at http://www.cisco.com

Further reference:

You can also refer to the Getting Started document for more detailed information from the Cisco Website:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html

Cisco PIX Firewall Command Reference, version 6.3

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a008017284e.html

A Final Note:

Feel free to ask questions and if it is in my ability I will answer them. If you like this article, then do leave your suggestions and feedback.



If you find any typos or errors in this document, do bring them to the author's attention through the COMMENT column. It will be in the best interest of the readers of this document.

Installing and Configuring a 2603 Router / Firewall in a network

DEAR MEMBERS,

Below you find a short description of how to install and configure a CISCO 2603 Router / Firewall. In the example, we have two LANs using the private IP addresses 192.168.102.0 and 192.168.101.0. Besides routing, the firewall translates all addresses from the internal LAN (192.168.102.0) to the external LAN (192.168.101.0) using NAT (Network Address Translation) and implements access lists between the two LANs.

The following steps have to be done:

* Connect Admin-Workstation with a serial cable to the firewall for the configuration
* Install TFTP server and terminal emulation software on Admin-Workstation
* Save current CISCO IOS from Router to the Admin-Workstation
* Download CISCO Firewall IOS to the Router using TFTP
* Save current configuration file from Router to the Admin-Workstation using TFTP
* Create configuration file and download it to the Router using TFTP

Connect Admin-Workstation with a serial cable to the firewall for the configuration

Connect the NT4 Admin-Workstation on COM1 or COM2 using the blue RS-232 cable delivered with the CONSOLE-Port on the CISCO Router. This connection is used as the Router Console, to enter commands and to verify the boot process. To down- and upload the IOS image and configuration file a crossover LAN cable is needed. After booting the router, you will see the following messages in TeraTermPro (Terminal Emulation Software).

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW: IOS:Specials for info
C2600 platform with 32768 Kbytes of main memory

Enter the basic parameters

Continue with configuration dialog? [yes/no]: yes
Would you like to enter basic management setup? [yes/no]: yes
Enter host name []: firebox
Enter enable secret []: eiger
Enter enable password []: moench
Enter virtual terminal password []: jungfrau
Configure SNMP Network Management? [no]: no
Enter interface name used to connect to the
management network from the above interface summary: FastEthernet0/0

Configuring interface FastEthernet0/0:
Use the 100 Base-TX (RJ-45) connector? [yes]: yes
Operate in full-duplex mode? [no]: no
Configure IP on this interface? [yes]: yes
IP address for this interface []: 192.168.102.200
Subnet mask for this interface [] : 255.255.255.0
Class C network is 192.168.102.0, 24 subnet bits; mask is /24

[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]: 2

Install TFTP server and terminal emulation software on Admin-Workstation

CISCO TFTP-Server

- Load CD-ROM
- Click on Tftpserv.exe, install it in C:\TFTP
- Start TFTP
- Menu: View/Options: TFTP server root directory: C:\TFTP\root

Save current CISCO IOS from Router to the Admin-Workstation

firebox# sh flash

System flash directory:
File  Length   Name/status
  1   4519168  C2600-IP_FW_MZ-120-7
[4519232 bytes used, 3869376 available, 8388608 total]
8192K bytes of processor board System flash (Read/Write)

firebox# copy flash tftp
Source filename []? C2600-IP_FW_MZ-120-7
Address or name of remote host []? 192.168.102.147
Destination filename []? C2600-IP_FW_MZ-120-7

The current IOS image is now saved to the Admin Workstation.

Download CISCO Firewall IOS to the Router using TFTP

- Insert CD-ROM
- Go to E:\Images\12.0
- Look at Info File using Notepad: RIL.idf for the correct OS
- We used aaa1314.bin Cisco 2600 IOS IP/FW Feature Set 12.0(7)XK1
- Copy aaa1314.bin to TFTP directory: C:\TFTP\root

Load Image to Router:

firebox> enable
firebox2# copy tftp flash
Address or name of remote host []? 192.168.102.147
Source filename []? aaa1314.bin
Destination filename [aaa1314.bin] ?
Accessing tftp://192.168.102.147/aaa1314.bin...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! [confirm]

Erasing device...erased
Erase of flash: complete
Loading aaa1314.bin from 192.168.102.147 (via FastEthernet0/0):
[OK - 4519168/9037824 bytes]

Verifying checksum... OK (0x37C6)
4519168 bytes copied in 56.244 secs (80699 bytes/sec)

firebox2# reload
Proceed with reload? [confirm]

Save current configuration file from Router to the Admin-Workstation using TFTP

firebox> enable
firebox# copy running-config tftp
Address or name of remote host []? 192.168.102.147
Destination filename [firebox2-confg] ?
738 bytes copied in 2.4 secs (369 bytes/sec)

Edit configuration file and download it to the Router using TFTP

firebox> enable
firebox# copy tftp running-config
Address or name of remote host []? 192.168.102.147
Source filename []? firebox2-confg
Destination filename [running-config] ?
Accessing tftp://192.168.102.17/firebox2-confg...
Loading firebox2-confg from 192.168.102.17 (via FastEthernet0/0): !
[OK - 2653/5120 bytes]
2653 bytes copied in 1.244 secs (2653 bytes/sec)

Configuration file with NAT, access lists and routing enabled

!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname firebox
!
logging buffered 4096 debugging
no logging console
enable secret 5 xxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxx
!
ip subnet-zero
no ip domain-lookup
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect udp idle-time 60
ip inspect dns-timeout 10
ip inspect name CBAC1 tcp timeout 3600
ip inspect name CBAC1 udp timeout 15
ip inspect name CBAC1 ftp timeout 3600
ip inspect name CBAC1 rcmd timeout 3600
ip inspect name CBAC1 smtp timeout 3600
ip inspect name CBAC1 sqlnet timeout 3600
ip inspect name CBAC1 tftp timeout 30
ip inspect name CBAC2 tcp timeout 3600
ip inspect name CBAC2 ftp timeout 3600
ip inspect name CBAC2 udp timeout 15
ip inspect name CBAC2 rcmd timeout 3600
ip inspect name CBAC2 smtp timeout 3600
ip inspect name CBAC2 sqlnet timeout 3600
ip inspect name CBAC2 tftp timeout 30
ip audit notify log
ip audit po max-events 100
!
interface FastEthernet0/0
 description HSZ
 ip address 192.168.102.200 255.255.255.0
 ip access-group 111 in
 ip access-group 112 out
 no ip directed-broadcast
 ip nat inside
 ip inspect CBAC1 in
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description SICAP
 ip address 192.168.101.200 255.255.255.0
 ip access-group 121 in
 ip access-group 122 out
 no ip directed-broadcast
 ip nat outside
 ip inspect CBAC2 in
 duplex auto
 speed auto
 no cdp enable
!
ip default-gateway 192.168.102.1
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
ip route 140.20.110.142 255.255.255.0 192.168.101.100
ip route 194.75.121.206 255.255.255.255 192.168.101.100
ip route 194.75.121.207 255.255.255.255 192.168.101.100
no ip http server
!
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 111 permit ip 192.168.102.0 0.0.0.255 any
access-list 111 deny ip any any
access-list 112 permit ip any any
access-list 121 permit icmp any any administratively-prohibited
access-list 121 permit icmp any any echo
access-list 121 permit icmp any any echo-reply
access-list 121 permit icmp any any packet-too-big
access-list 121 permit icmp any any time-exceeded
access-list 121 permit icmp any any unreachable
access-list 121 deny ip any any log
access-list 122 permit ip any any
no cdp run
banner motd ^C
Akadia AG
Information Technology
Arvenweg 4
CH-3604 Thun
^C
!
line con 0
 exec-timeout 0 0
 password 7 xxxxxxxxxxxxxxxxx
 login
 transport input none
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxx
 login
!
no scheduler allocate
end

Wednesday, February 3, 2010

How to Configure PIX Firewall
