© 2000, Cisco Systems, Inc. CSPFF

Chapter 5: Cisco Secure PIX Firewall Configuration
Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Describe the security levels.
- Describe the six basic commands used to configure the PIX Firewall.
- Configure the PIX Firewall with six commands.
Security Levels
ASA Security Levels

[Figure: PIX Firewall with three interfaces between the Internet and the protected networks]
  e0: Outside Network (toward the Internet), security level 0, interface name = outside
  e2: Perimeter Network, security level 50, interface name = pix/intf2
  e1: Inside Network, security level 100, interface name = inside
The Six Basic Commands
PIX Firewall Basic Commands

There are six basic configuration commands for the PIX Firewall:
  nameif
  interface
  ip address
  nat
  global
  route
Command 1: nameif

The nameif command assigns a name to each perimeter interface on the PIX Firewall and specifies its security level.

  pixfirewall(config)# nameif hardware_id if_name security_level

  pixfirewall(config)# nameif ethernet2 dmz sec50
Command 2: interface

The interface command configures the type and capability of each perimeter interface.

  pixfirewall(config)# interface hardware_id hardware_speed

  pixfirewall(config)# interface ethernet0 auto
  pixfirewall(config)# interface token-ring0 16mbps
  pixfirewall(config)# interface fddi1 auto
Command 3: ip address

The ip address command assigns an IP address to each interface.

  pixfirewall(config)# ip address if_name ip_address [netmask]

  pixfirewall(config)# ip address dmz
Command 4: nat

The nat command shields IP addresses on the inside network from the outside network.

  pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]

  pixfirewall(config)# nat (inside)
NAT Example

[Figure: an inside host's local IP address is translated to an address from the global IP pool as its traffic passes from Inside to Outside toward the Internet. The translation table records Source Addr, Source Port, Destination Addr and Destination Port for the inside (local) and outside (global) sides of each connection.]
Command 5: global

The global command shields IP addresses on the inside network from the outside network using a pool of IP addresses.

  pixfirewall(config)# global [(if_name)] nat_id global_ip[-global_ip] [netmask global_mask]

  pixfirewall(config)# nat (inside)
  pixfirewall(config)# global (outside)
Command 6: route

The route command defines a static or default route for an interface.

  pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]

  pixfirewall(config)# route outside
Lab Exercise
Lab Visual Objective

[Figure: lab topology]
  Internet -- Pod Perimeter Router -- PIX Firewall
  PIX Firewall interfaces: e0 outside (.2), e1 inside (.1), e2 dmz (.1); each attached network is P.0/24
  Inside host: Web and FTP server
  Bastion host: Web and FTP server
  Backbone server: Web, FTP, and TFTP server
Summary
Summary

Interfaces with higher security levels are more secure than interfaces with lower security levels. Interfaces with a higher security level can access interfaces with a lower security level, while interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.

The six basic commands necessary to configure the PIX Firewall are nameif, interface, ip address, nat, global, and route.
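As an added example (not part of the Cisco course material), the Python script below parses the nameif and ip address steps of the six-command configuration into an interface table and applies the security-level rule summarised above: by default a connection may originate only from a higher security level toward a strictly lower one. The sample configuration, its interface names and its addresses are constructed for the example; it accepts the sec50 spelling shown on the nameif slide as well as the longer security50 form.

```python
"""Interface table and security-level check for a six-command PIX config (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample config: names and addresses are illustrative, not the lab's P.0/24.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz sec50
interface ethernet0 auto
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
"""

# PIX accepts the level as security50 or abbreviated as sec50 (as on the nameif slide).
_LEVEL = re.compile(r"^(?:security|sec)?(\d+)$")


@dataclass
class PixInterface:
    hardware_id: str
    name: str
    security_level: int
    ip_address: Optional[str] = None
    netmask: Optional[str] = None


def parse_interfaces(config: str) -> Dict[str, PixInterface]:
    """Build the interface table (keyed by if_name) from nameif and ip address lines."""
    table: Dict[str, PixInterface] = {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["nameif"] and len(parts) == 4:
            match = _LEVEL.match(parts[3])
            if not match:
                raise ValueError(f"bad security level in: {line!r}")
            table[parts[2]] = PixInterface(parts[1], parts[2], int(match.group(1)))
        elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
            iface = table[parts[2]]  # KeyError if ip address precedes its nameif
            iface.ip_address = parts[3]
            iface.netmask = parts[4] if len(parts) > 4 else None
    return table


def default_access_allowed(table: Dict[str, PixInterface], src: str, dst: str) -> bool:
    """ASA default: connections may originate only from a higher security level toward
    a strictly lower one; lower-to-higher (and equal levels) need explicit permission."""
    return table[src].security_level > table[dst].security_level
```

Lines for the other four commands (interface, nat, global, route) are skipped by the parser, so the model covers only the naming, security-level and addressing steps.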
Review Questions
Review Questions

Q1) What function does the nameif command provide?
Q2) Explain the function of the nat command.
Q3) How do you activate an interface?
Q4) What function does the route command serve?
Q5) How do you delete a global entry?