Wednesday, February 3, 2010

How to Configure PIX Firewall

Part 2

Please find below a step by step process to configure the PIX Firewall from scratch. A simple scenario is given here where you have a corporate network with a PIX Firewall connected to the Internet through the Outside interface, the internal network through the Inside interface and the DMZ through the DMZ interface. This paper assists you in a simple, step by step, near complete configuration for a PIX Firewall running a midsized corporate network.

This is part II of the How to Configure Pix Firewall, a step by step approach.
This is in continuation of the Part I of the series.

The Simple Network Diagram:

[Figure: A Simple Network Diagram]




Network Address Translation:

Let us take a simple scenario to explain this section. Let us say that all the computers in the inside network want internet access. NAT also allows you to keep your internal IP addresses hidden from the outside network. To achieve this you need to implement address translation. You do this using the "nat" and "global" commands.

The NAT command:

Pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0

In this example, the nat (inside) 1 10.0.0.0 255.255.255.0 command means that all outbound connections from a host within the specified network, 10.1.1.0, can pass through the PIX Firewall (with address translation).

Global command:

Pixfirewall(config)# global (outside) 1 192.168.1.10-192.168.1.50

This tells the PIX to use the addresses 192.168.1.10 through 192.168.1.50 (the global pool with the same NAT ID, 1, as the nat statement) for translating traffic coming from the inside interface.

There is also another simple way of allowing internet/outside access to the inside network, using PAT or port address translation. This hides all the internal networks behind the outside interface of the PIX firewall and transmits traffic using Port Address Translation. One limitation of this approach is that at any one time it can handle fewer than 64000 client computers. But in most cases this is more than enough.

PAT using Global:

Pixfirewall(config)# global (outside) 1 interface

Now, let us configure the two servers in the DMZ network, the webserver and the mailserver. The wish list is to allow traffic from anywhere to reach the webserver on http, https and ftp, and traffic from anywhere to reach the mail server on the smtp port.

To do this we need to setup statics and access-lists.

Setting up Statics:

Pixfirewall(config)# static (dmz,outside) 192.168.1.2 172.16.16.2 netmask 255.255.255.255 0 0

Pixfirewall(config)# static (dmz,outside) 192.168.1.4 172.16.16.4 netmask 255.255.255.255 0 0

Having configured the statics, let us now move on to configure the object-groups that will be used in the access-lists.

Configuring object-groups:

Pixfirewall(config)# object-group service webservices tcp
Pixfirewall(config-service)# port-object eq http
Pixfirewall(config-service)# port-object eq https
Pixfirewall(config-service)# port-object eq ftp
Pixfirewall(config-service)# exit

Now let us configure the access-lists to allow access to the dmz networks from outside and also to the other interfaces:

Configuring Access-list:

Pixfirewall(config)# access-list external permit tcp any host 192.168.1.2 object-group webservices

Pixfirewall(config)# access-list external permit tcp any host 192.168.1.4 eq smtp

Pixfirewall(config)# access-list external deny ip any any

(This is an any-any drop rule. Place it at the end of the access-list. This ACL entry blocks any traffic that is not explicitly allowed from getting into the firewall. It is also useful for checking the number of hits on this entry from outside, for troubleshooting or analysis purposes.)

Pixfirewall(config)# access-list internal permit ip 172.16.16.0 255.255.255.0 10.1.1.0 255.255.255.0

Pixfirewall(config)# access-list internal deny ip any any

Pixfirewall(config)# access-list dmz permit ip 10.1.1.0 255.255.255.0 172.16.16.0 255.255.255.0

Pixfirewall(config)# access-list dmz deny ip any any

Now map these access-lists to access-groups for these access-lists to work properly:

Configuring Access Groups:

Pixfirewall(config)# access-group external in interface outside
Pixfirewall(config)# access-group internal in interface inside
Pixfirewall(config)# access-group dmz in interface dmz

With this we have configured the PIX firewall for a normal office setup.
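As an added example that is not part of the article, here is a small Python checker (the sample config and the checks are my own construction) that reads static, access-list and access-group lines in the form used above and flags three mistakes that commonly leave a PIX either more open than intended or silently broken: an ACL that is never applied with access-group, an ACL without the closing deny, and an inbound permit on outside for an address that has no static mapping it.

```python
import re
from collections import defaultdict

# Constructed sample: the static, access-list and access-group lines from this
# article, plus two deliberate slips to report: a permit for 192.168.1.9 (no
# static exists for it) and the dmz list left without its closing deny.
SAMPLE_CONFIG = """
static (dmz,outside) 192.168.1.2 172.16.16.2 netmask 255.255.255.255 0 0
static (dmz,outside) 192.168.1.4 172.16.16.4 netmask 255.255.255.255 0 0
access-list external permit tcp any host 192.168.1.2 object-group webservices
access-list external permit tcp any host 192.168.1.4 eq smtp
access-list external permit tcp any host 192.168.1.9 eq 3389
access-list external deny ip any any
access-list internal permit ip 172.16.16.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list internal deny ip any any
access-list dmz permit ip 10.1.1.0 255.255.255.0 172.16.16.0 255.255.255.0
access-group external in interface outside
access-group internal in interface inside
access-group dmz in interface dmz
"""

def audit_pix_config(config):
    """Return a list of findings; an empty list means every check passed."""
    acls = defaultdict(list)   # ACL name -> rules in the order they appear
    bound = {}                 # ACL name -> interface it is applied to
    statics = set()            # global (outside) addresses that have a static
    for line in config.splitlines():
        parts = line.split()
        if parts and parts[0] == "access-list":
            acls[parts[1]].append(" ".join(parts[2:]))
        elif parts and parts[0] == "access-group":
            bound[parts[1]] = parts[4]       # "access-group NAME in interface IF"
        elif parts and parts[0] == "static":
            statics.add(parts[2])            # "static (hi,lo) GLOBAL LOCAL ..."
    findings = []
    for name, rules in acls.items():
        if name not in bound:
            findings.append(f"{name}: defined but never applied with access-group")
        if rules[-1] != "deny ip any any":
            findings.append(f"{name}: does not end with an explicit 'deny ip any any'")
    # Anything permitted inbound on outside must have a static, or nothing answers
    for name, iface in bound.items():
        for rule in (acls.get(name, []) if iface == "outside" else []):
            m = re.match(r"permit \S+ any host (\S+)", rule)
            if m and m.group(1) not in statics:
                findings.append(f"{name}: permits {m.group(1)} but no static maps it")
    return findings
```

Run it against the output of `show running-config` saved to a file; the checks only look at the three command types, so other lines are ignored.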

These commands will be helpful in checking the configuration of the PIX firewall and also in troubleshooting, analysis and fine tuning.

Useful Commands:

show config

show blocks

show checksum

show conn

show cpu usage

show history

show memory

show processes

show routing

show running-config

show startup-config

show tech-support

show tcpstat

show traffic

show uauth/clear uauth

show version

show xlate/clear xlate

Note: There is a lot more that you can do with the PIX firewall. This document is just a simple guide for an easy setup and covers the most popular setups. In case you need any further information, please refer to the Cisco website at http://www.cisco.com

Further reference:

You can also refer to the Getting Started document for more detailed information from the Cisco Website:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html

Cisco PIX Firewall Command Reference, version 6.3

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a008017284e.html

A Final Note:

Feel free to ask questions and if it is in my ability I will answer them. If you like this article, then do leave your suggestions and feedback.



If you find any typos or errors in this document, do bring them to the author's attention through the COMMENT column. It will be in the best interest of the readers of this document.
