How to configure a new PIX firewall? You will need to will configure passwords, IP addresses, network address translation (NAT) and basic firewall rules.
If you have a new PIX firewall that has never been configured, it will need to be configured with some basic IP addresses, security and a couple of basic firewall rules. You also have never used a PIX firewall before. How will you be able to perform this configuration? After reading the following tips, you will be clearer about it.
Cisco PIX firewall Basics
A Cisco PIX firewall is meant to protect one network from another. There are PIX firewalls for small home networks and PIX firewalls for huge campus or corporate networks. In this example, we will be configuring a PIX 501 firewall. The 501 model is meant for a small home network or a small business.
PIX firewalls have the concept of inside and outside interfaces. The inside interface is the internal, usually private, network. The outside interface is the external, usually public, network. You are trying to protect the inside network from the outside network.
PIX firewalls also use the adaptive security algorithm (ASA). This algorithm assigns security levels to interfaces and says that no traffic can flow from a lower-level interface (like the outside interface) to a higher-level interface (like the inside interface) without a rule allowing it. The outside interface has a security level of zero and the inside interface has a security level of 100.
Here is what the output of the show nameif command looks like:
pixfirewall# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
Notice the ethernet0 interface is the outside interface (its default name) and the security level is 0. On the other hand, the ethernet1 interface is named inside (the default) and has a security level of 100.
NOTE: More info of Cisco PIX Firewall Basics, such as Cisco PIX Models, PIX Terminology and Background Information, PIX Configuration, etc. you can read at http://blog.router-switch.com/2012/05/cisco-pix-firewall-basics/
Configuring a Cisco PIX Firewall
Before beginning the configuration, your boss has given you some guidelines that you need to follow. Here they are:
- All passwords should be set to “cisco” (in reality, you make these whatever you want, but not “cisco”).
- The inside network is 10.0.0.0 with a 255.0.0.0 subnet mask. The inside IP address for this PIX should be 10.1.1.1.
- The outside network is 184.108.40.206 with a 255.255.255.0 subnet mask. The outside IP address for this PIX should be 220.127.116.11.
- You want to create a rule to allow all inside clients on the 10.0.0.0 network to do port address translation and connect to the outside network. They will all share the global IP address 18.104.22.168.
- However, clients should only have access to port 80 (Web browsing).
- The default route for the outside (Internet) network will be 22.214.171.124.
Initial PIX Firewall Configuration
When you boot up your PIX firewall for the first time, you should see a screen like this:
You will be prompted to answer YES or NO as to whether or not you want to configure the PIX through interactive prompts. Answer NO to this question because you want to learn how to really configure the PIX firewall, not just answer a series of questions.
After that, you will be sent to a prompt that looks like this:
With the “greater than” symbol at the end of the prompt, you are in the PIX user mode. Change to privileged mode with the en or enable command. Press “enter” at the Password prompt. Here is an example:
You now have administrative mode to show things but would have to go into global configuration mode to configure the PIX.
Basic PIX configuration
What I am calling basic configuration is made up of three things:
- Set the hostname
- Set passwords (login and enable)
- Configure IP addresses on interfaces
- Enable interfaces
- Configure a default route
Before you can do any of these things, you need to go into global configuration mode. To do this, type:
pixfirewall# config t
To set the hostname, use the hostname command, like this:
pixfirewall(config)# hostname PIX1
Notice that the prompt changed to the name that you set.
Next, set the login password to cisco, like this:
PIX1(config)# password cisco
This is the password required to gain any access to the PIX except administrative access.
Now, configure the enable mode password, used to gain administrative mode access.
PIX1(config)# enable password cisco
Now we need to configure IP addresses on interfaces and enable those interfaces. The PIX, unlike a router, has no concept of interface configuration mode. To configure the IP address on the inside interface, use this command:
PIX1(config)# ip address inside 10.1.1.1 255.0.0.0
Now, configure the outside interface IP address:
PIX1(config)# ip address outside 126.96.36.199 255.255.255.0
Next, enable both the inside and outside interfaces. Make sure that the Ethernet cable, on each interface, is connected to a switch. Note that the ethernet0 interface is the outside interface, and it is only a 10base-T interface on a PIX 501. The ethernet1 interface is the inside interface, and it is a 100Base-T interface. Here is how you enable these interfaces:
PIX1(config)# interface ethernet0 10baset
PIX1(config)# interface ethernet1 100full
Note that you can do a show interfaces command, right from the global configuration prompt line.
Finally, let’s configure a default route so that all traffic sent to the PIX will flow to the next upstream router (the 188.8.131.52 IP address that we were given). Here is how you do this:
PIX1(config)# route outside 0 0 184.108.40.206
The PIX firewall can, of course, support dynamic routing protocols as well (such as RIP and OSPF).
Network Address Translation
Now that we have IP address connectivity, we need to use Network Address Translation (NAT) to allow inside users to connect to the outside. We will use a type of NAT, called PAT or NAT
Overload, so that all inside devices can share one public IP address (the outside IP address of the PIX firewall). To do this, enter these commands:
PIX1(config)# nat (inside) 1 10.0.0.0 255.0.0.0
PIX1(config)# global (outside) 1 220.127.116.11
Global 18.104.22.168 will be Port Address Translated
With this, all inside clients are able to connect to devices on the public network and share IP address 22.214.171.124. However, clients don’t yet have any rule allowing them to do this.
Note: Network Address Translation (NAT)
NAT (Network Address Translation or Network Address Translator) is the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps it’s local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves on the number of global IP addresses that a company needs and it lets the company use a single IP address in its communication with the world.
NAT is included as part of a router and is often part of a corporate firewall. Network administrators create a NAT table that does the global-to-local and local-to-global IP address mapping. NAT can also be used in conjunction with policy routing. NAT can be statically defined or it can be set up to dynamically translate from and to a pool of IP addresses. Cisco’s version of NAT lets an administrator create tables that map:
- A local IP address to one global IP address statically
- A local IP address to any of a rotating pool of global IP addresses that a company may have
- A local IP address plus a particular TCP port to a global IP address or one in a pool of them
- A global IP address to any of a pool of local IP addresses on a round-robin basis
NAT is described in general terms in RFC 1631, which discusses NAT’s relationship to Classless Inter domain Routing (CIDR) as a way to reduce the IP address depletion problem. NAT reduces the need for a large amount of publicly known IP addresses by creating a separation between publicly known and privately known IP addresses. CIDR aggregates publicly known IP addresses into blocks so that fewer IP addresses are wasted. In the end, both extend the use of IPv4 IP addresses for a few more years before IPv6 is generally supported.
These clients on the inside network have a NAT translation, but that doesn’t necessarily mean that they are allowed access. They now need a rule to allow them to access the outside network (the Internet). That rule will also allow the return traffic to come back in.
To make a rule to allow these clients port 80 (Web browsing), you would type this:
PIX1(config)# access-list outbound permit tcp 10.0.0.0 255.0.0.0 any eq 80
PIX1(config)# access-group outbound in interface inside
Note that PIX access lists, unlike router access lists, use a normal subnet mask, not a wildcard mask.
With this access list, you have restricted the inside hosts to accessing Web servers only on the outside network (routers).
Showing and saving the configuration
Now that you have configured the PIX firewall, you can show your configuration with the show run command.
Make sure that you save your configuration with the write memory or wr m command. If you don’t, your configuration will be lost when the PIX is powered off.
—Original tip reading appeared at SearchNetworking.com