How to Configure the Cisco PIX Firewall (reprinted from Infinite Matrix; author: verve)
Implementing and maintaining firewalls is one of the main parts of any corporate security policy, so the firewall plays an important role in putting network security into practice. A firewall usually sits at the edge of the corporate network, between the internal network and other, external networks, and restricts the traffic exchanged between them in order to protect the internal network. The point of deploying a firewall is to create a single, controlled channel between the internal and external networks, which simplifies the security management of the network. Among the mainstream enterprise firewalls, the Cisco PIX is one of the best of its class. The Cisco PIX 500 series currently has five models: PIX 506, 515, 520, 525 and 535. The PIX 535 is the newest and most powerful member of the series and offers carrier-class throughput for large ISPs. However, the PIX runs its own operating system (PIX OS), and most management is done from the command line rather than through the web management interface that other firewalls of this kind offer, which is inconvenient for beginners. This article introduces the configuration of a Cisco PIX firewall through a worked example.
Before configuring the PIX, a word on its physical layout. A firewall usually has at least three interfaces, although many early firewalls had only two. With three interfaces, the firewall separates at least three networks:
• Internal area (intranet). The internal area is the enterprise's internal network, or part of it. It is the trusted zone of the interconnected network and is the area the firewall protects.
• External area (external network). The external area is usually the Internet, or some other network that does not belong to the enterprise. It is the untrusted zone; when the external area wants to reach hosts and services in the internal area, that access is restricted.
• Demilitarized zone (DMZ). The DMZ is an isolated network, or several networks. Hosts or servers placed in the DMZ are called bastion hosts; web servers, mail servers and the like are normally placed here. The DMZ is reachable by external users, so they can access the company's public information, but they are not allowed into the enterprise's internal network.
Note: a firewall with only two interfaces has no DMZ.
Because the PIX 535 is not common at the enterprise level, the rest of this article uses the PIX 525 to illustrate a typical enterprise deployment.
The PIX firewall provides four management access modes:
1. Unprivileged mode. After the PIX boots it is in this mode; the prompt is pixfirewall>.
2. Privileged mode. Entering enable switches to privileged mode, in which the current configuration can be changed; the prompt is pixfirewall#.
3. Configuration mode. Entering configure terminal switches to this mode, where most of the system configuration is done; the prompt is pixfirewall(config)#.
4. Monitor mode. While the PIX is booting or restarting, hold the Escape key or send a BREAK character to enter monitor mode. Here the operating system image can be updated and the password recovered; the prompt is monitor>.
Configuring a PIX involves six basic commands: nameif, interface, ip address, nat, global and route. These are required in every PIX configuration. The basic configuration steps are as follows.
1. Name the firewall interfaces and assign their security levels (nameif).
pix525(config)# nameif ethernet0 outside security0
pix525(config)# nameif ethernet1 inside security100
pix525(config)# nameif ethernet2 dmz security50
Tip: in the default configuration ethernet0 is named outside with security level 0, and ethernet1 is named inside with security level 100. Additional interfaces are given a level from 1 to 99; the higher the number, the more trusted the interface. The security level decides the default direction of traffic: connections from a higher-security interface to a lower one are allowed once a translation exists, while connections from a lower-security interface to a higher one are denied unless they are explicitly permitted. A newly added interface is named the same way, nameif hardware_id if_name securityN, with a level chosen to fit its trust (for instance security40 for a fourth interface).
2. Configure the interface hardware (interface).
pix525(config)# interface ethernet0 auto   (auto: the system negotiates the NIC speed and duplex automatically)
pix525(config)# interface ethernet1 100full   (100full: 100 Mbit/s Ethernet, full duplex)
pix525(config)# interface ethernet1 100full shutdown   (shutdown disables the interface; to enable it again, enter the command without shutdown)
3. Configure the IP addresses (ip address).
pix525(config)# ip address outside 61.144.51.42 255.255.255.248
pix525(config)# ip address inside 192.168.0.1 255.255.255.0
So the PIX 525's address on the external network is 61.144.51.42 and its address on the intranet is 192.168.0.1.
4. Specify the internal addresses to be translated (nat). The nat command translates the private IP addresses of the intranet when they go out to the external network. It is always used together with global: nat selects which host or range of hosts may reach the external network, and global supplies the address pool those hosts use while doing so.
Syntax: nat (if_name) nat_id local_ip [netmask]
(if_name) is the internal interface name, such as inside. nat_id identifies the global address pool and must match the nat_id of the corresponding global command. local_ip is the intranet address (or range) to be translated; 0.0.0.0 means every intranet host. [netmask] is the subnet mask of local_ip.
Example 1: pix525(config)# nat (inside) 1 0 0
Every intranet host may reach the external network through NAT; 0 is shorthand for 0.0.0.0.
Example 2: pix525(config)# nat (inside) 1 172.16.5.0 255.255.255.0
Only hosts on the 172.16.5.0/24 network may reach the external network. Check the mask carefully: with 255.255.0.0 the entry would cover all of 172.16.0.0/16, not just 172.16.5.0.
5. Specify the external address range (global). The global command defines the external address, or range of addresses, that intranet addresses are translated to.
Syntax: global (if_name) nat_id ip_address-ip_address [netmask global_mask]
(if_name) is the external interface name, such as outside. nat_id identifies the pool and matches the nat_id of the corresponding nat command. ip_address-ip_address is the single address, or range of addresses, to translate to. [netmask global_mask] is the network mask of the global addresses.
Example 1: pix525(config)# global (outside) 1 61.144.51.42-61.144.51.48
When an intranet host goes through the PIX to the external network, the PIX assigns it a global address from the pool 61.144.51.42-61.144.51.48. Each active inside host takes one address from the pool, so a pool of this size serves seven hosts at a time; an address is returned to the pool when its translation times out.
Example 2: pix525(config)# global (outside) 1 61.144.51.42
With a single address, all intranet hosts share 61.144.51.42 (port address translation, PAT) when they reach the external network.
Example 3: pix525(config)# no global (outside) 1 61.144.51.42
Deletes this global entry.
6. Set static routes toward the intranet and the external network (route). The route command defines a static route.
Syntax: route if_name ip_address netmask gateway_ip [metric]
if_name is the interface name, such as inside or outside. ip_address and netmask describe the destination network (0 0 means the default route). gateway_ip is the address of the gateway router. [metric] is the hop count to gateway_ip; the default is 1.
Example 1: pix525(config)# route outside 0 0 61.144.51.168 1
A default route pointing at the border router (address 61.144.51.168).
Example 2:
pix525(config)# route inside 10.1.1.0 255.255.255.0 172.16.0.1 1
pix525(config)# route inside 10.2.0.0 255.255.0.0 172.16.0.1 1
If the internal network is a single segment, the default route of Example 1 is enough; if there are several internal networks, static routes toward them are needed. The first command above is a static route to the network 10.1.1.0/24 whose next-hop router is 172.16.0.1; the second does the same for 10.2.0.0/16.
If the above is clear, we can move on to some of the PIX's more advanced configuration.
A. Static address translation (static). When a session is initiated from the external network and its destination is an intranet address, static translates the internal address to a fixed global address so that the session can be established.
Syntax: static (internal_if_name, external_if_name) outside_ip_address inside_ip_address
internal_if_name is the interface with the higher security level, such as inside; external_if_name is the interface with the lower security level, such as outside. outside_ip_address is the address on the lower-security interface; inside_ip_address is the host's real address on the internal network.
Example 1: pix525(config)# static (inside,outside) 61.144.51.62 192.168.0.8
Every session the PIX builds for the host 192.168.0.8 is translated to 61.144.51.62; in other words, static creates a fixed mapping between the internal address 192.168.0.8 and the external address 61.144.51.62.
Example 2: pix525(config)# static (inside,outside) 192.168.0.2 10.0.1.3
Example 3: pix525(config)# static (dmz,outside) 211.48.16.2 172.16.10.8
These are read in the same way as Example 1. As the examples show, static gives a particular internal address a permanent global address. This creates a way in from a lower-security interface to a host on a higher-security interface; the static also takes precedence over nat/global for that host's own outbound traffic.
B. Conduit command (conduit). Although static creates a mapping between a local address and a global address, connections from the outside toward the internal interface are still blocked by the PIX's Adaptive Security Algorithm (ASA). The conduit command allows traffic to flow from a lower-security interface to a higher-security one, for example a session from the outside to the DMZ or to the inside interface. For connections into the inside interface, static and conduit are used together to allow the session to be built.
Syntax: conduit permit|deny protocol global_ip port[-port] foreign_ip [netmask]
permit|deny allows or refuses the access. global_ip is a global address defined by global or static; if global_ip is 0 (everything), write any instead, and if it is a single host, write host before the address. port is the port the service uses, such as 80 for www or 25 for smtp; ports can be given by service name or by number. protocol is the connection protocol, such as tcp, udp or icmp. foreign_ip is the external address allowed to reach global_ip; any stands for every host, and a single host is again written with host.
Example 1: pix525(config)# conduit permit tcp host 192.168.0.8 eq www any
Permits HTTP access from any host to the global address 192.168.0.8. eq followed by a port permits or denies just that port; eq ftp, for instance, matches FTP only. Note that the address in this position must be the global address: a private address such as 192.168.0.8 is only reachable from the outside through a static, as Example 4 shows.
Example 2: pix525(config)# conduit deny tcp any eq ftp host 61.144.51.89
The external host 61.144.51.89 may not make FTP connections to any global address.
Example 3: pix525(config)# conduit permit icmp any any
Permits ICMP between inside and outside. This is wider than most networks need, since it admits every ICMP type from any outside host; a tighter choice is to permit only the reply types that outbound ping and traceroute depend on (echo-reply, unreachable, time-exceeded), for example conduit permit icmp any any echo-reply.
Example 4:
pix525(config)# static (inside,outside) 61.144.51.62 192.168.0.3
pix525(config)# conduit permit tcp host 61.144.51.62 eq www any
This shows the relationship between static and conduit. 192.168.0.3 is a web server on the intranet, and Internet users should be able to reach it through the PIX. First the static mapping 192.168.0.3 -> 61.144.51.62 (global) is made; then conduit lets any external host make HTTP connections to the global address 61.144.51.62. One caveat: from PIX OS 5.0 onward, access-list together with access-group is the preferred replacement for conduit. Conduits still work in 6.x, but new configurations should use access lists.
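To make the interplay of the nameif security levels, nat/global, static and conduit concrete, here is a small Python model of the decision the PIX makes for each new connection, loaded with the addresses from the examples above. It is an added illustration, not code from the article or from Cisco. It assumes that conduits are evaluated in order with the first match deciding, models PAT simply as every host sharing the single global address (no port allocation), and ignores the xlate timeout.

```python
import ipaddress
from dataclasses import dataclass, field


def spec(text):
    """Parse a conduit address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    parts = text.split()
    if parts == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


@dataclass
class Pix:
    security: dict = field(default_factory=dict)   # if_name -> security level            (nameif)
    nat_rules: list = field(default_factory=list)  # (if_name, nat_id, network)           (nat)
    pools: dict = field(default_factory=dict)      # (if_name, nat_id) -> [global addrs]  (global)
    statics: list = field(default_factory=list)    # (int_if, ext_if, global_ip, local_ip) (static)
    conduits: list = field(default_factory=list)   # (action, proto, global_net, ports, foreign_net)
    xlate: dict = field(default_factory=dict)      # dynamic slots: (local_ip, out_if) -> global_ip

    def nameif(self, if_name, level):
        self.security[if_name] = level

    def nat(self, if_name, nat_id, ip, mask):
        ip, mask = [("0.0.0.0" if x == "0" else x) for x in (ip, mask)]  # "nat (inside) 1 0 0"
        self.nat_rules.append((if_name, nat_id, ipaddress.ip_network(f"{ip}/{mask}", strict=False)))

    def global_(self, if_name, nat_id, first, last=None):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last or first))
        self.pools[(if_name, nat_id)] = [ipaddress.ip_address(i) for i in range(lo, hi + 1)]

    def static(self, int_if, ext_if, global_ip, local_ip):
        self.statics.append((int_if, ext_if, ipaddress.ip_address(global_ip), ipaddress.ip_address(local_ip)))

    def conduit(self, action, proto, global_spec, foreign_spec, port=None):
        ports = None if port is None else (port, port) if isinstance(port, int) else tuple(port)
        self.conduits.append((action, proto, spec(global_spec), ports, spec(foreign_spec)))

    def forward(self, src_if, dst_if, proto, src_ip, dst_ip, dst_port=None):
        """Decide whether a new connection is built and which address it is translated to.
        Returns (allowed, reason, translated_ip)."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        src_sec, dst_sec = self.security[src_if], self.security[dst_if]
        if src_sec == dst_sec:
            return False, "same security level: not forwarded", None
        if src_sec > dst_sec:
            # Higher -> lower (outbound) is allowed as soon as a translation exists.
            # A static for the host takes precedence over the dynamic nat/global pool.
            for int_if, ext_if, glob, loc in self.statics:
                if (int_if, ext_if) == (src_if, dst_if) and loc == s:
                    return True, "static xlate", str(glob)
            key = (s, dst_if)
            if key not in self.xlate:
                for if_name, nat_id, net in self.nat_rules:
                    if if_name == src_if and s in net and (dst_if, nat_id) in self.pools:
                        pool = self.pools[(dst_if, nat_id)]
                        if len(pool) == 1:           # single global address: PAT, shared by all hosts
                            self.xlate[key] = pool[0]
                        else:                        # address pool: one global address per active host
                            free = [a for a in pool if a not in self.xlate.values()]
                            if not free:
                                return False, "global pool exhausted", None
                            self.xlate[key] = free[0]
                        break
                else:
                    return False, "no translation group found", None
            return True, "dynamic xlate", str(self.xlate[key])
        # Lower -> higher (inbound): the destination must be a static global address and a
        # conduit must permit it; with no matching conduit the ASA denies by default.
        local = next((loc for int_if, ext_if, glob, loc in self.statics
                      if (int_if, ext_if) == (dst_if, src_if) and glob == d), None)
        if local is None:
            return False, "no static for destination", None
        for action, c_proto, global_net, ports, foreign_net in self.conduits:  # assumption: first match decides
            port_ok = ports is None or (dst_port is not None and ports[0] <= dst_port <= ports[1])
            if c_proto == proto and d in global_net and s in foreign_net and port_ok:
                return (True, "conduit permit", str(local)) if action == "permit" else (False, "conduit deny", None)
        return False, "no conduit matches: ASA default deny", None


def build_example():
    """The article's pool, static and conduits (addresses taken from the text) loaded into the model."""
    pix = Pix()
    pix.nameif("outside", 0)
    pix.nameif("inside", 100)
    pix.nameif("dmz", 50)
    pix.nat("inside", 1, "0", "0")                                   # nat (inside) 1 0 0
    pix.global_("outside", 1, "61.144.51.42", "61.144.51.48")        # global (outside) 1 61.144.51.42-61.144.51.48
    pix.static("inside", "outside", "61.144.51.62", "192.168.0.3")   # static (inside,outside) 61.144.51.62 192.168.0.3
    pix.conduit("permit", "tcp", "host 61.144.51.62", "any", port=80)   # conduit permit tcp host 61.144.51.62 eq www any
    pix.conduit("deny", "tcp", "any", "host 61.144.51.89", port=21)     # conduit deny tcp any eq ftp host 61.144.51.89
    return pix
```

The cases worth trying: an outside host reaching 61.144.51.42 (an address from the dynamic pool) is dropped, because only a static creates a global address that is reachable from the lower-security side; the web server answers on port 80 but not on 22, because the conduit names a single port; and traffic from inside to the dmz fails with "no translation group found" until a global pool (or nat 0) is defined for that interface, which is the PIX 6.x behaviour the article's six basic commands set up.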
C. Configure the fixup protocols (fixup). The fixup command enables, disables or changes the port of a service or protocol passing through the PIX; the port given is the one on which the PIX listens for (inspects) that service. Examples:
Example 1: pix525(config)# fixup protocol ftp 21
Enables FTP inspection and sets the FTP port to 21.
Example 2:
pix525(config)# fixup protocol http 80
pix525(config)# fixup protocol http 1080
Inspects HTTP on both ports 80 and 1080.
Example 3: pix525(config)# no fixup protocol smtp 25
Disables SMTP inspection.
D. Set up Telnet. Telnet access has changed between versions. Before PIX OS 5.0 (the version number of the PIX operating system) the PIX could only be reached by Telnet from hosts on the internal network. From PIX OS 5.0 onward, Telnet access can be enabled on all interfaces, but Telnet from the outside interface must be protected by IPsec, which means the PIX has to be configured to build an IPsec tunnel to another PIX, a router or a VPN client. Alternatively, configure SSH on the PIX and use an SSH client from the outside instead of Telnet. PIX OS 6.x provides an SSH version 1 server (SSH version 2 arrived later, in PIX 7.0); among client software, SSH1 was free while SSH2 was commercial. By comparison, Telnet on Cisco routers is less secure. Whichever is used, restrict the permitted source addresses to the management hosts.
Syntax: telnet local_ip [netmask]
local_ip is the address (or network) authorized to reach the PIX by Telnet. If nothing is set, the PIX can only be configured from the console.
Having said all that, here is a configuration example for reference.
Welcome to the PIX firewall
pix525> en
Password:
pix525# sh config
: Saved
:
PIX Version 6.0(1)      ------ the PIX OS version currently running is 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100      ------ this PIX has only two interfaces
enable password 7y051hhccoirtsqz encrypted
passwd 7y051hhccoirtsqz encrypted      ------ PIX passwords are stored encrypted, never in clear text in the configuration file; the Telnet password (passwd) defaults to cisco and should be changed
hostname pix525      ------ the host name is pix525
domain-name 123.com      ------ the local domain name, 123.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sip 5060      ------ the services and protocols currently inspected; note that the rsh port number cannot be changed
names      ------ maps local host names to addresses so that a name can stand in for an address in the configuration; nothing is defined here, so the list is empty
pager lines 24      ------ pause output every 24 lines
interface ethernet0 auto
interface ethernet1 auto      ------ both NICs auto-negotiate speed and duplex
mtu outside 1500
mtu inside 1500      ------ the standard Ethernet MTU of 1500 bytes
ip address outside 61.144.51.42 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0      ------ external address 61.144.51.42, internal address 192.168.0.1
ip audit info action alarm
ip audit attack action alarm      ------ the PIX intrusion detection feature: when a packet matches an informational or attack signature, the PIX takes the alarm action (the default) and sends a syslog message to the configured log host; it can also be set to drop the packet and to send a TCP reset. Configure this to suit your needs
pdm history enable      ------ lets PIX Device Manager monitor the PIX graphically
arp timeout 14400      ------ ARP table timeout in seconds
global (outside) 1 61.144.51.46      ------ the address that external web forums, QQ chat and the like see for intranet users
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 61.144.51.43 192.168.0.8 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 61.144.51.43 eq www any
conduit permit udp host 61.144.51.43 eq domain any      ------ 61.144.51.43 provides web and domain name service; external users may reach only the www TCP port and the domain UDP port
route outside 0.0.0.0 0.0.0.0 61.144.51.61 1      ------ external gateway 61.144.51.61
timeout xlate 3:00:00      ------ after a translation slot (local to global address) has been idle for 3 hours (the default) it is removed from the translation table and its global address is released
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute      ------ the AAA authentication timeout; absolute means the uauth timer runs continuously, so the user must re-authenticate once it expires. AAA stands for authentication, authorization and accounting
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius      ------ the two protocols supported for AAA servers; AAA adds a further layer of security to the internal network
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps      ------ SNMP settings: no location or contact, traps not sent. The community string is still the factory default public, which anyone can guess; change it or disable SNMP
floodguard enable      ------ Flood Defender, reclaims resources under a SYN flood attack
no sysopt route dnat
telnet timeout 5      ------ an idle Telnet session to the PIX times out after 5 minutes
ssh timeout 5      ------ an idle SSH session to the PIX times out after 5 minutes
terminal width 80
Cryptochecksum:A9F03BA4DDB72E1AE6A543292DD4F5E7
pix525#
pix525# write memory      ------ saves the above configuration to flash
A few points about this example. Here the PIX faces the Internet directly, and the site has more than a dozen public addresses available. Readers with only a few public addresses can place a router in front of the PIX, or use a single address in global (PAT), even the address of the outside interface itself. Some useful maintenance commands: show interface shows the port status, show static shows the static address mappings, show ip shows the interface addresses, show xlate shows the current translations, and ping [outside|inside] ip_address tests connectivity.
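A practitioner reviewing a configuration like the listing above would check it for the weak points the annotations mention. The following Python script is an added example, not part of the article, that parses a constructed PIX-style configuration (built from the listing above, not a real device dump) and reports the factory-default SNMP community, conduits that permit all ICMP, Telnet permitted from the outside interface, conduits that name a host with no matching static (as in conduit Example 1 earlier, which uses a private address), and a map of which global addresses and ports are exposed to any foreign host. It assumes the sh config text layout shown above, including static lines written as (inside,outside) without a space.

```python
# Constructed sample, modelled on the article's "sh config" listing; not a real device dump.
SAMPLE_CONFIG = """\
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 7y051hhccoirtsqz encrypted
passwd 7y051hhccoirtsqz encrypted
hostname pix525
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
ip address outside 61.144.51.42 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 61.144.51.46
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 61.144.51.43 192.168.0.8 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 61.144.51.43 eq www any
conduit permit udp host 61.144.51.43 eq domain any
route outside 0.0.0.0 0.0.0.0 61.144.51.61 1
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
ssh timeout 5
"""


def parse(config_text):
    """Tokenize a PIX configuration, dropping blank lines and ':' comment lines."""
    return [line.split() for line in config_text.splitlines()
            if line.strip() and not line.lstrip().startswith(":")]


def _addr(tokens, i):
    """Read one address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def _port(tokens, i):
    """Read an optional port operator (eq/lt/gt/neq/range) at tokens[i]."""
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt", "neq"):
        return (tokens[i + 1] if tokens[i] == "eq" else f"{tokens[i]} {tokens[i + 1]}"), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f"{tokens[i + 1]}-{tokens[i + 2]}", i + 3
    return None, i


def conduits(rows):
    """Yield (action, proto, global_spec, port, foreign_spec) for every conduit line."""
    for r in rows:
        if r[0] == "conduit":
            g, i = _addr(r, 3)
            port, i = _port(r, i)
            f, _ = _addr(r, i)
            yield r[1], r[2], g, port, f


def exposure_map(rows):
    """Static global address -> set of (proto, port) pairs that any foreign host may reach."""
    statics = {r[2]: r[3] for r in rows if r[0] == "static"}   # global -> local
    exposed = {}
    for action, proto, g, port, f in conduits(rows):
        if action == "permit" and f == "any" and g in statics:
            exposed.setdefault(g, set()).add((proto, port))
    return exposed


def audit(config_text):
    """Return (severity, message) findings for the settings the article's example touches on."""
    rows = parse(config_text)
    lines = {" ".join(r) for r in rows}
    statics = {r[2]: r[3] for r in rows if r[0] == "static"}
    findings = []
    if "snmp-server community public" in lines:
        findings.append(("high", "SNMP community string is the factory default 'public': change it or disable SNMP"))
    if not any(r[:2] == ["enable", "password"] for r in rows):
        findings.append(("high", "no enable password configured"))
    remote = [r for r in rows if r[0] in ("telnet", "ssh") and r[1] != "timeout"]  # permit lines, not timeouts
    for r in remote:
        if r[0] == "telnet" and "outside" in r:
            findings.append(("high", f"telnet permitted from {r[1]} on outside: cleartext management exposed"))
    if not remote:
        findings.append(("info", "no telnet/ssh permit lines: the PIX is managed from the console only"))
    for action, proto, g, port, f in conduits(rows):
        if action == "permit" and proto == "icmp" and (g, f) == ("any", "any"):
            findings.append(("medium", "conduit permit icmp any any admits every ICMP type from any outside host"))
        elif action == "permit" and g != "any" and "/" not in g and g not in statics:
            findings.append(("medium", f"conduit for host {g} but no static maps {g}: inbound traffic never reaches an inside host"))
    for g, ports in sorted(exposure_map(rows).items()):
        opened = ", ".join(f"{p}/{port}" for p, port in sorted(ports, key=str))
        findings.append(("info", f"{g} -> {statics[g]} reachable from any host on {opened}"))
    return findings
```

Paste the output of sh config into SAMPLE_CONFIG (or read it from a file) and call audit(); the exposure map is the quickest way to confirm that only the web and domain ports of 61.144.51.43 are open to the Internet, which is what the listing's annotations claim.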
This article has covered only the basic configuration of the PIX firewall. Other PIX features, such as AAA servers and VPN, are beyond its scope and are not introduced here. I hope this modest contribution draws out better ones from others.