© 2003, Cisco Systems, Inc. All rights reserved. CSPFA Chapter 5 Getting Started with the Cisco PIX Firewall
Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Describe the PIX Firewall access modes.
- Navigate the PIX Firewall's user interface and examine the PIX Firewall's status.
- Describe the ASA security levels.
- Describe and execute the basic configuration commands.
- Configure the PIX Firewall to send Syslog messages to a Syslog server.
- Configure the PIX Firewall as a DHCP client.
- Describe the PIX Firewall's DHCP server feature.
- Configure the PIX Firewall's PPPoE client.
User Interface

Access Modes
The PIX Firewall has four administrative access modes:
- Unprivileged mode
- Privileged mode
- Configuration mode
- Monitor mode
enable and enable password Commands
enable [priv_level]
pixfirewall> enable
password:
pixfirewall#
Enables you to enter other access modes.

enable password pw [level priv_level] [encrypted]
pixfirewall(config)# enable password password
Used to control access to the privileged mode. The enable password is empty on a new PIX Firewall (the setup dialog shows it as "[ ]"), so set one as part of the initial configuration, before the unit is reachable from any network you do not control.
configure terminal and exit Commands
configure terminal
pixfirewall# configure terminal
pixfirewall(config)#
Used to start configuration mode to enter configuration commands from a terminal.

exit
pixfirewall(config)# exit
pixfirewall# exit
pixfirewall>
Used to exit from an access mode.
hostname Command
hostname newname
pixfirewall(config)# hostname proteus
proteus(config)# hostname pixfirewall
pixfirewall(config)#
Changes the hostname in the PIX Firewall command line prompt.
Configuring the PIX Firewall

Setup Dialog
pixfirewall(config)# setup
Pre-configure PIX Firewall now through interactive prompts [yes]?
Enable Password [ ]: ciscopix
Clock (UTC)
  Year [2002]:
  Month [Aug]:
  Day [27]: 12
  Time [22:47:37]: 14:22:00
Inside IP address: 10.0.P.1
Inside network mask:
Host name: pixP
Domain name: cisco.com
IP address of host running PIX Device Manager: 10.0.P.11
Use this configuration and write to flash? Y
(P is the pod number used throughout the lab addressing.)
Viewing and Saving Your Configuration
The following commands enable you to view or save your configuration:
show running-config  Displays the configuration currently active in memory.
write memory  Saves the running configuration to Flash memory, where it becomes the startup configuration.
show startup-config  Displays the configuration saved in Flash memory.
Until write memory is run, changes exist only in the running configuration and are lost on reload.
write erase and tftp-server Commands
write erase
pixfirewall(config)# write erase
Erase PIX configuration in Flash memory? [confirm]
Clears the Flash memory configuration.

tftp-server [if_name] ip_address path
pixfirewall(config)# tftp-server pixfirewall/config/test_config
Specifies the IP address of a TFTP configuration server and the path of the configuration file.
write net and configure net Commands
write net [server_ip]:[filename]
pixfirewall(config)# tftp-server pixfirewall/config/test_config
pixfirewall(config)# write net:
Stores the current running configuration to a file on the TFTP server; when no server or filename is given, the values from the tftp-server command are used.

configure net [server_ip]:[filename]
Merges the current running configuration with the configuration file specified in the tftp-server command.
TFTP provides no authentication or encryption, and the configuration file carries password hashes and the address plan, so reach the TFTP server only over a trusted (inside or management) interface.
name Command
name ip_address name
pixfirewall(config)# name bastionhost
Configures a list of name-to-IP address mappings on the PIX Firewall, so that other commands can refer to a host by name. The names command must be enabled before name mappings can be entered.
(Diagram: the student PC, the PIX Firewall, and the Web/FTP bastion host referred to as bastionhost.)
reload Command
reload [noconfirm]
pixfirewall(config)# reload
Proceed with reload? [confirm] y
Rebooting...
PIX Bios V2.7..
Reboots the PIX Firewall and reloads the configuration from Flash memory; any running-configuration changes not saved with write memory are lost.
Examining the PIX Firewall Status

show memory Command
show memory
pixfirewall# show memory
 bytes total,  bytes free
Displays system memory usage information.
show version Command
show version
pixfirewall# show version
Cisco Secure PIX Firewall Version 6.2(1)...
Displays the PIX Firewall's software version, operating time since its last reboot, processor type, Flash memory type, interface boards, serial number (BIOS identification), and activation key value.
show ip address Command
pixfirewall# show ip address
Building configuration...
System IP Addresses:
  ip address outside
  ip address inside
  ip address dmz
Current IP Addresses:
  ip address outside
  ip address inside
  ip address dmz
Displays the configured (System) and the in-use (Current) address of each interface. The two differ when an interface obtains its address dynamically, for example through the DHCP or PPPoE client described later in this chapter.
show interface Command
pixfirewall# show interface
interface ethernet0 outside is up, line protocol is up
  hardware is i82557 ethernet, address is f16
  ip address , subnet mask
  MTU 1500 bytes, BW Kbit half duplex
  packets input, bytes, 0 no buffer
  received 26 broadcasts, 27 runts, 0 giants
  4 input errors, 0 crc, 4 frame, 0 overrun, 0 ignored, 0 abort
  packets output, bytes, 0 underruns
  0 unicast rpf drops
  0 output errors, collisions, 0 interface resets
  0 babbles, 0 late collisions, deferred
  0 lost carrier, 0 no carrier
  input queue (curr/max blocks): hardware (128/128) software (0/1)
  output queue (curr/max blocks): hardware (0/2) software (0/1)
Displays the state, addressing, speed and duplex, and traffic and error counters of each interface. Runts and frame errors on a half-duplex interface, as in this output, often indicate a duplex mismatch with the attached switch; the interface command later in this chapter sets speed and duplex explicitly.
show cpu usage Command
show cpu usage
pixfirewall# show cpu usage
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
Displays CPU use.
ping Command
ping [if_name] host
pixfirewall(config)# ping
  response received -- 0Ms
Determines if other IP addresses are visible from the PIX Firewall.
Time Setting and NTP Support

clock Command
clock set hh:mm:ss {day month | month day} year
pixfirewall(config)# clock set 21:0:0 apr
Sets the PIX Firewall clock.
Setting Daylight Saving Time and Time Zones
clock timezone zone hours [minutes]
Sets the clock display to the time zone specified.

clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]
pixfirewall(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
Displays summertime hours during the specified summertime date range. The example specifies that summertime starts on the first Sunday in April at 2 a.m. and ends on the last Sunday in October at 2 a.m.
ntp Command
ntp server ip_address [key number] source if_name [prefer]
pixfirewall(config)# ntp server key 1234 source inside prefer
Synchronizes the PIX Firewall with a network time server. The key number refers to an authentication key configured with ntp authentication-key, so that the PIX Firewall accepts time only from a server holding that key; reaching the server through a trusted interface (inside, in the example) limits exposure further. Accurate time matters because the timestamps on Syslog messages are only useful if they can be correlated with other hosts.
ASA Security Levels

Functions of the ASA
- Implements stateful connection control through the PIX Firewall.
- Allows outbound connections without an explicit configuration for each internal system and application (an outbound connection is a connection originating from a host on a more protected network and destined for a host on a less-protected network).
- Monitors return packets to ensure that they are valid.
- Randomizes the TCP sequence number to minimize the risk of TCP sequence number prediction attacks.
ASA Security Level Example
Outside network (Internet): interface e0, security level 0, interface name = outside
Perimeter network: interface e2, security level 50, interface name = pix/intf2
Inside network: interface e1, security level 100, interface name = inside
Connections from a higher security level to a lower one (inside to pix/intf2, inside to outside, pix/intf2 to outside) are permitted by default; connections from a lower level to a higher one are denied unless explicitly permitted.
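To make the security-level rule concrete, here is an added example (not part of the Cisco course material) that reads nameif lines from a constructed configuration fragment and classifies connections between interfaces the way the ASA treats them by default. The interface names and levels come from this chapter; the Interface class, the function names, the rejection of duplicate levels, and the treatment of equal levels as passing no traffic are this example's own assumptions.

```python
# Added example (not from the Cisco course): parse "nameif" lines into an
# interface table and apply the ASA default security-level rule.
import re
from dataclasses import dataclass

# Accepts the full keyword ("security50") and the abbreviation the slide uses ("sec50").
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s+(\S+)\s+sec(?:urity)?(\d{1,3})\s*$")


@dataclass(frozen=True)
class Interface:
    hardware_id: str      # e.g. "ethernet2"
    name: str             # nameif name, e.g. "dmz"
    security_level: int   # 0 = least trusted ... 100 = most trusted


def parse_nameif(config_text):
    """Build {if_name: Interface} from the nameif lines of a PIX config."""
    ifaces = {}
    for line in config_text.splitlines():
        m = NAMEIF_RE.match(line)
        if not m:
            continue  # not a nameif line; other commands are ignored here
        hw, name, level = m.group(1), m.group(2), int(m.group(3))
        if not 0 <= level <= 100:
            raise ValueError(f"{name}: security level {level} out of range 0-100")
        # Assumption of this model: each interface gets its own level, because
        # the chapter describes no path for traffic between equal levels.
        if any(i.security_level == level for i in ifaces.values()):
            raise ValueError(f"{name}: security level {level} already in use")
        ifaces[name] = Interface(hw, name, level)
    return ifaces


def direction(ifaces, src_if, dst_if):
    """Classify a new connection by comparing the two security levels.

    'outbound'   higher -> lower: permitted by the ASA by default
                 (the host still needs a nat/global translation to leave)
    'inbound'    lower -> higher: denied unless explicitly permitted
    'same-level' equal levels: this model passes nothing (assumption)
    """
    s = ifaces[src_if].security_level
    d = ifaces[dst_if].security_level
    if s > d:
        return "outbound"
    if s < d:
        return "inbound"
    return "same-level"


def permitted_by_default(ifaces, src_if, dst_if):
    """True only for the outbound (higher to lower) direction."""
    return direction(ifaces, src_if, dst_if) == "outbound"


def policy_matrix(ifaces):
    """Every ordered pair of interfaces with its default treatment,
    listed from the most trusted source interface downwards."""
    names = sorted(ifaces, key=lambda n: -ifaces[n].security_level)
    return {(a, b): direction(ifaces, a, b) for a in names for b in names if a != b}


# Constructed config fragment using the names and levels from this chapter.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz sec50
"""

if __name__ == "__main__":
    table = parse_nameif(SAMPLE_CONFIG)
    for (src, dst), verdict in policy_matrix(table).items():
        print(f"{src:>8} -> {dst:<8} {verdict}")
```

Running the module prints the six ordered interface pairs: the three pairs going down the levels are outbound, the three going up are inbound, which is the asymmetry the summary of this chapter states.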
Basic PIX Firewall Configuration

PIX Firewall Basic Commands
- nameif
- interface
- ip address
- nat
- global
- route
nameif Command
nameif hardware_id if_name security_level
pixfirewall(config)# nameif ethernet2 dmz sec50
Assigns a name to each perimeter interface on the PIX Firewall and specifies its security level.
interface Command
interface hardware_id [hardware_speed] [shutdown]
pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full
Enables an interface and configures its type and speed. In this example the outside and inside interfaces are set for 100 Mbps Ethernet full-duplex communication.
ip address Command
ip address if_name ip_address [netmask]
ip address outside dhcp [setroute] [retry retry_cnt]
pixfirewall(config)# ip address outside dhcp
pixfirewall(config)# ip address dmz
Assigns an IP address to each interface. The dhcp form enables the DHCP client feature on the outside interface; setroute also installs the default route learned from the DHCP server. In this example the outside interface obtains an IP address from a DHCP server, while the DMZ interface is assigned a static address.
Network Address Translation (diagram)
An inside host's packet, identified by its source port and destination port, is looked up in the translation table; its inside local IP address is replaced with an address from the global IP pool, and the packet is forwarded to the Internet through the outside interface.
nat Command
nat [(if_name)] nat_id address [netmask] [timeout hh:mm:ss]
pixfirewall(config)# nat (inside)
Enables IP address translation for the hosts matching address and netmask on the named interface.
global Command
global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside)
Works with the nat command to assign a registered or public IP address to an internal host when it accesses the outside network through the firewall. The nat_id ties a global statement to the nat statement with the same identifier; when internal hosts access the outside network through the firewall, they are assigned public addresses from the range given in the global command. A single global address, or the interface keyword (the outside interface's own address), gives port address translation (PAT) instead of a one-to-one pool.
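The translation table the nat and global commands build, as an added example that is not Cisco code. It models a global address pool being used first, PAT on a single (interface) address once the pool is exhausted, and idle-timeout expiry that returns pool addresses for reuse. The addresses, the Translator class, the three-hour default timeout (taken from the PIX default xlate timeout) and the sequential PAT port allocation starting at 1024 are assumptions of this example, not values from the page.

```python
# Added example (not Cisco code): a model of the translation table built by
# "nat (inside) 1 ..." together with "global (outside) 1 <pool>" and
# "global (outside) 1 interface". Addresses are constructed for the example.
from dataclasses import dataclass, field
from typing import Optional

XLATE_TIMEOUT = 3 * 3600   # assumption: PIX default "timeout xlate 3:00:00", in seconds
PAT_FIRST_PORT = 1024      # assumption: PAT ports handed out sequentially from 1024


@dataclass
class Translator:
    pool: list                        # global (outside) 1 a.b.c.d-a.b.c.e
    pat_address: Optional[str] = None # global (outside) 1 interface (or one address)
    timeout: int = XLATE_TIMEOUT
    free: list = field(init=False, default_factory=list)
    nat_xlate: dict = field(default_factory=dict)  # local_ip -> (global_ip, last_used)
    pat_xlate: dict = field(default_factory=dict)  # (local_ip, port) -> (global_port, last_used)
    next_port: int = PAT_FIRST_PORT

    def __post_init__(self):
        self.free = list(self.pool)   # addresses are handed out in pool order

    def translate(self, local_ip, local_port, now):
        """Return (global_ip, global_port) for an outbound packet, or None when
        no translation can be built (the PIX drops such a packet)."""
        if local_ip in self.nat_xlate:            # existing dynamic NAT entry
            gip, _ = self.nat_xlate[local_ip]
            self.nat_xlate[local_ip] = (gip, now)
            return gip, local_port                # one-to-one NAT keeps the source port
        key = (local_ip, local_port)
        if key in self.pat_xlate:                 # existing PAT entry
            gport, _ = self.pat_xlate[key]
            self.pat_xlate[key] = (gport, now)
            return self.pat_address, gport
        if self.free:                             # pool addresses are used first
            gip = self.free.pop(0)
            self.nat_xlate[local_ip] = (gip, now)
            return gip, local_port
        if self.pat_address and self.next_port <= 65535:   # then fall back to PAT
            gport = self.next_port
            self.next_port += 1
            self.pat_xlate[key] = (gport, now)
            return self.pat_address, gport
        return None

    def expire(self, now):
        """Drop entries idle for at least the timeout; pool addresses become free again."""
        for lip, (gip, last) in list(self.nat_xlate.items()):
            if now - last >= self.timeout:
                del self.nat_xlate[lip]
                self.free.append(gip)
        for key, (gport, last) in list(self.pat_xlate.items()):
            if now - last >= self.timeout:
                del self.pat_xlate[key]


def demo():
    """Walk through pool allocation, PAT fallback, entry reuse, and expiry."""
    t = Translator(pool=["192.0.2.10", "192.0.2.11"], pat_address="192.0.2.1")
    results = [
        t.translate("10.0.1.2", 1025, now=0),    # first pool address
        t.translate("10.0.1.3", 1026, now=0),    # second pool address
        t.translate("10.0.1.4", 1027, now=0),    # pool exhausted: PAT on 192.0.2.1
        t.translate("10.0.1.2", 2000, now=60),   # reuses the host's existing NAT entry
    ]
    t.expire(now=XLATE_TIMEOUT + 30)             # 10.0.1.3 and the PAT entry idle out
    return results, t


if __name__ == "__main__":
    res, t = demo()
    for r in res:
        print(r)
    print("free after expiry:", t.free)
```

The order of the checks is the point: an existing entry is reused before anything new is allocated, pool addresses are consumed before PAT is tried, and with neither a free pool address nor a PAT address the packet gets no translation at all. The expiry step is what a practitioner sees when a small pool appears "full": idle hosts keep their global address until the xlate timeout runs out.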
route Command
route if_name ip_address netmask gateway_ip [metric]
pixfirewall(config)# route outside
Defines a static or default route for an interface. A default route uses 0.0.0.0 0.0.0.0 (which the PIX Firewall accepts abbreviated as 0 0) for ip_address and netmask.
Syslog Configuration

Configure Syslog Output to a Syslog Server (diagram)
The student PC and the Syslog server are on the inside network (e1, inside), the backbone router is reached through the outside interface (e0, outside), and the bastion host running Web or FTP is on the DMZ (e2, dmz).

Syslog Messages
The PIX Firewall sends Syslog messages to document the following events:
- Security
- Resources
- System
- Accounting
Configure Message Output to the PIX Firewall Buffer
logging on
pixfirewall(config)# logging on
Enables logging.

logging buffered level
Sends Syslog messages at the given level, and at every more severe level, to an internal buffer.

logging message syslog_id
Enables a specific Syslog message (the no form disables it).

logging standby
Allows a standby unit to send Syslog messages.

show logging
Displays the logging settings and the messages held in the internal buffer.

clear logging
Clears the internal buffer.
Configure Message Output to a Syslog Server
logging on
pixfirewall(config)# logging on
Enables logging.

logging host [in_if_name] ip_address [protocol/port]
Designates the Syslog host server. The default transport is udp/514. If tcp is chosen and the Syslog server becomes unreachable, the PIX Firewall (6.x) stops permitting new connections until it can log again, so the server's availability must be monitored.

logging trap level
Sets the logging level: messages at this severity and at every more severe (lower-numbered) level are sent to the server. Severity levels run from 0 (emergencies) to 7 (debugging).
Configure Message Output to a Syslog Server (cont.)
logging facility facility
Sets the facility marked on all messages. The facility is a number from 16 to 23 (local0 through local7); the default is 20 (local4).

logging timestamp
Starts and stops sending timestamped messages (the no form stops them). Pair this with a correct clock or NTP setting so the timestamps can be correlated with other sources.
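Added example (not from the course): what a Syslog server receives from the PIX Firewall and how the logging trap level selects messages. It decodes the syslog PRI into facility and severity, extracts the %PIX-severity-id header, checks that the two agree, and filters a batch of lines by trap level. The sample lines, function names and addresses are constructed for this example; the message ids are real PIX ids but the message texts and the timestamp layout are illustrative.

```python
# Added example (not from the course): decode the PRI of a syslog line sent by
# the PIX, pull out the %PIX-severity-id header, and apply the "logging trap
# level" filter. Sample lines are constructed for this example.
import re

SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
DEFAULT_FACILITY = 20          # "logging facility" default, local4
PRI_RE = re.compile(r"^<(\d{1,3})>")
PIX_RE = re.compile(r"%PIX-(\d)-(\d{6}):\s*(.*)$")


def level_number(level):
    """Accept a trap level as a number or a keyword (e.g. 6 or 'informational')."""
    n = level if isinstance(level, int) else SEVERITIES.index(level)
    if not 0 <= n <= 7:
        raise ValueError("syslog level must be 0-7")
    return n


def should_send(message_severity, trap_level):
    """logging trap <level> sends messages at that severity and all
    more severe (numerically lower) ones."""
    return message_severity <= level_number(trap_level)


def parse_pix_syslog(raw):
    """Return a dict describing one raw line, or None if it is not a PIX message."""
    m_pri = PRI_RE.match(raw)
    if not m_pri:
        return None
    pri = int(m_pri.group(1))
    facility, severity = divmod(pri, 8)      # PRI = facility * 8 + severity
    m = PIX_RE.search(raw)
    if not m:
        return None
    hdr_sev, msg_id, text = int(m.group(1)), m.group(2), m.group(3)
    return {
        "facility": facility,
        "facility_name": f"local{facility - 16}" if 16 <= facility <= 23 else str(facility),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "msg_id": msg_id,
        "text": text,
        # A mismatch means something between the PIX and the collector rewrote the line.
        "pri_matches_header": hdr_sev == severity,
    }


def filter_by_trap_level(lines, trap_level):
    """Message ids the PIX would forward to the syslog server at this trap level."""
    out = []
    for raw in lines:
        rec = parse_pix_syslog(raw)
        if rec and should_send(rec["severity"], trap_level):
            out.append(rec["msg_id"])
    return out


# Constructed sample lines (documentation address ranges, not lab values).
SAMPLE = [
    "<166>Aug 27 2002 14:22:00: %PIX-6-302013: Built outbound TCP connection 42 "
    "for outside:203.0.113.5/80 (203.0.113.5/80) to inside:10.0.1.2/1025 (192.0.2.10/1025)",
    "<164>Aug 27 2002 14:22:01: %PIX-4-106023: Deny tcp src outside:198.51.100.7/4711 "
    "dst inside:10.0.1.2/23 by access-group \"acl_out\"",
    "<167>Aug 27 2002 14:22:02: %PIX-7-111009: User 'enable_15' executed cmd: show logging",
    "<13>Aug 27 14:22:03 otherhost sshd[1]: not a PIX message",
]

if __name__ == "__main__":
    for lvl in (4, "informational", 7):
        print(f"logging trap {lvl}: {filter_by_trap_level(SAMPLE, lvl)}")
```

With logging trap 4 only the warning-level deny message reaches the server; informational (6) adds the connection build record, and debugging (7) adds the command-audit message as well, which is the trade-off between log volume and visibility that the trap level controls.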
DHCP Server Configuration

DHCP
The PIX Firewall's DHCP server can be used to dynamically assign:
- An IP address and subnet mask.
- The IP address of a DNS server.
- The IP address of a WINS server.
- A domain name.
- The IP address of a TFTP server.
- A lease length.
DHCP Server
The PIX Firewall hands out addresses from its DHCP pool to clients on the inside using the standard four-message exchange:
1. DHCPDISCOVER: the client seeks an address.
2. DHCPOFFER: the server offers an address from the pool.
3. DHCPREQUEST: the client requests the offered address.
4. DHCPACK: the server acknowledges the assignment of the address.
Configuring the PIX Firewall as a DHCP Server
Step 1: Assign a static IP address to the inside interface.
Step 2: Specify a range of addresses for the DHCP server to distribute.
Step 3: Specify the IP address of the DNS server (optional).
Step 4: Specify the IP address of the WINS server (optional).
Step 5: Specify the IP address of the TFTP server (optional).
Step 6: Specify the lease length (default = 3,600 seconds).
Step 7: Specify the ping timeout value (optional).
Step 8: Configure the domain name (optional).
Step 9: Enable DHCP.
dhcpd address Command
dhcpd address ip1[-ip2] [if_name]
pixfirewall(config)# dhcpd address – inside
Specifies a range of addresses for DHCP to assign. In this example the DHCP server assigns the addresses in the range to DHCP clients on the inside. Addresses are assigned in numerical order beginning with the first address of the range.
dhcpd dns Command
dhcpd dns dns1 [dns2]
pixfirewall(config)# dhcpd dns
Specifies the IP address of the DNS server the client will use (optional). The DHCP server notifies the DHCP client of the address of the DNS server to use.

dhcpd wins Command
dhcpd wins wins1 [wins2]
pixfirewall(config)# dhcpd wins
Specifies the IP address of the WINS server that the client will use (optional). The DHCP server notifies the DHCP client of the address to use as its WINS server.
dhcpd option Commands
dhcpd option 150 ip server_ip1 [server_ip2]
pixfirewall(config)# dhcpd option 150 ip
Enables the PIX Firewall to distribute the IP addresses of a list of TFTP servers for IP Phone connections.

dhcpd option 66 ascii {server_name | server_ip_str}
Enables the PIX Firewall to distribute the IP address of a TFTP server for IP Phone connections.
dhcpd lease Command
dhcpd lease lease_length
pixfirewall(config)# dhcpd lease 3600
Specifies the lease length, in seconds, to grant the client. Default = 3,600 seconds. In this example the DHCP clients can use their allocated leases for 3600 seconds.
dhcpd ping_timeout Command
dhcpd ping_timeout timeout
pixfirewall(config)# dhcpd ping_timeout
Specifies the length of time, in milliseconds, the DHCP server waits before allocating an address to a client. Default = 750 milliseconds. Before offering an address the server pings it and waits this long for a reply; an address that answers is already in use and is skipped, which is how address conflicts are avoided. In this example the server waits 10 seconds before allocating an address.
dhcpd domain Command
dhcpd domain domain_name
pixfirewall(config)# dhcpd domain cisco.com
Specifies the domain name the client will use (optional). The DHCP server notifies the client that the domain name is cisco.com.

dhcpd enable Command
dhcpd enable [if_name]
pixfirewall(config)# dhcpd enable inside
Enables the DHCP daemon within the PIX Firewall to listen for DHCP client requests on the enabled interface. In this example the DHCP server feature is enabled on the inside interface.

debug dhcpd and clear dhcpd Commands
debug dhcpd event | packet
Displays information associated with the DHCP server.
clear dhcpd
Removes all dhcpd command statements from the configuration.
dhcpd auto_config Command
dhcpd auto_config [client_ifx_name]
pixfirewall(config)# ip address outside dhcp
pixfirewall(config)# dhcpd address inside
pixfirewall(config)# dhcpd enable inside
pixfirewall(config)# dhcpd auto_config
Enables the PIX Firewall to pass the DNS, WINS, and domain name values it received as a DHCP client on to the clients of its own DHCP server. In this example the PIX Firewall obtains its outside IP address and other configuration parameters from a DHCP server on its outside interface, distributes IP addresses from the configured range to its own DHCP clients (the hosts on its inside interface), and passes the other configuration parameters it obtained on the outside interface to those hosts.
PPPoE and the PIX Firewall

The PIX Firewall as a PPPoE Client (diagram)
A remote office network (/24) behind a PIX Firewall 501 acting as the PPPoE client connects through a DSL modem to the ISP's PPPoE access concentrator, and from there to the central site PIX Firewall.
Configure the PIX Firewall to Support PPPoE
Step 1: Define a VPDN group to be used for PPPoE.
vpdn group group_name request dialout pppoe
Step 2: Select an authentication method.
vpdn group group_name ppp authentication PAP | CHAP | MSCHAP
Step 3: Associate the username assigned by your ISP with the VPDN group.
vpdn group group_name localname username
Step 4: Create a username and password pair for the PPPoE connection.
vpdn username name password pass

Configure the PIX Firewall to Support PPPoE (cont.)
Step 5: Enable the PPPoE client feature within the PIX Firewall.
ip address if_name pppoe [setroute]
The complete configuration for the five steps:
pixfirewall(config)# vpdn group PPPOEGROUP request dialout pppoe
pixfirewall(config)# vpdn group PPPOEGROUP localname MYUSERNAME
pixfirewall(config)# vpdn group PPPOEGROUP ppp authentication pap
pixfirewall(config)# vpdn username MYUSERNAME password mypassword
pixfirewall(config)# ip address outside pppoe setroute
With PAP the password crosses the link in the clear; use CHAP or MSCHAP when the ISP supports it.
Monitoring the PPPoE Client
show vpdn
Displays tunnel and session information.
show vpdn session [l2tp | pptp | pppoe] [id session_id | packets | state | window]
Displays session information.
show vpdn tunnel [l2tp | pptp | pppoe] [id tunnel_id | packets | state | summary | transport]
Displays tunnel information.

Monitoring the PPPoE Client (cont.)
show ip address if_name pppoe
Displays detailed information about a PPPoE connection.
show vpdn pppinterface [id intf_id]
Displays the interface identification value.
show vpdn username [name]
Displays local usernames.
show vpdn group [groupname]
Displays configured groups.

Debugging the PPPoE Client
debug pppoe event | error | packet
Enables debugging for the PPPoE client.
Summary
- The PIX Firewall has four administrative access modes: unprivileged, privileged, configuration, and monitor.
- Interfaces with a higher security level can access interfaces with a lower security level, while interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.
- The PIX Firewall general maintenance commands help you manage the PIX Firewall. They include enable, write, show, and reload.

Summary (cont.)
- The basic commands necessary to configure the PIX Firewall are nameif, interface, ip address, nat, global, and route.
- The nat and global commands work together to translate IP addresses.
- The PIX Firewall can send Syslog messages to a Syslog server.
- The PIX Firewall can function as a DHCP client and DHCP server.
- Configuring the PIX Firewall as a PPPoE client enables it to secure broadband Internet connections such as DSL.
Lab Exercise

Lab Visual Objective (diagram)
Pods 1–5 (pod number P) and pods 6 onward (pod number Q) each contain a student PC (local address 10.0.P.11, remote address 10.1.P.11; the Q pods are addressed the same way with Q in place of P), a PIX Firewall, and a bastion host running Web or FTP; the student PC also runs Web or FTP, Cisco Secure ACS, and Syslog. The pods are joined through the backbone router (RBB) and RTS, which also provide Web, FTP, and DHCP.