© 2000, Cisco Systems, Inc. 7-1 Chapter 7 Access Configuration Through the Cisco Secure PIX Firewall
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
Describe how to use statics and conduits.
Configure inbound and outbound access through the PIX Firewall.
Test and verify correct PIX Firewall operation.
Access Through the PIX Firewall
Only Two Ways Through the PIX Firewall
Valid user request
– Inside to outside communications
Pre-defined static and conduit
– Outside to inside communications
– Defines addresses, ports, and applications
Understand Statics and Conduits
Statics and Conduits
(Figure: outside interface, security level 0; inside interface, security level 100)
The static and conduit commands allow connections from a lower security interface to a higher security interface. The static command is used to create a permanent mapping between an inside IP address and a global IP address. The conduit command is an exception in the ASA's (Adaptive Security Algorithm's) inbound security policy for a given host.
static Command
pixfirewall(config)# static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask]
Statically maps a local IP address to a global IP address
(Figure: PIX Firewall and perimeter router)
pixfirewall(config)# static (inside,outside)
A packet from the local host leaves with the source address of the global IP address
Permanently maps a single IP address
Recommended for internal service hosts
conduit Command
pixfirewall(config)# conduit permit|deny protocol global_ip global_mask [operator port[port]] foreign_ip foreign_mask [operator port[port]]
A conduit maps a specific IP address and TCP/UDP connection from an outside host to an inside host
(Figure: PIX Firewall and perimeter router)
pixfirewall(config)# conduit permit tcp host eq ftp any
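The "only two ways through" rule above (outbound from a higher to a lower security interface is permitted; inbound needs a static that maps the destination global address and a conduit that permits the connection) can be modelled in a few lines. The following Python is an added illustration, not Cisco's code or the PIX implementation: it parses static and conduit lines in the syntax shown on these slides and answers whether a new connection would be allowed. The security levels for dmz, the port-name table, the first-match conduit evaluation, and every address (RFC 5737 documentation ranges and RFC 1918 space) are constructed assumptions for the example.

```python
"""Added illustration (not Cisco's code): a model of the page's rule that there are
only two ways through the PIX Firewall. Higher-to-lower security traffic passes;
lower-to-higher traffic needs a static for the destination global address AND a
conduit that permits it. Security levels, port names and all addresses are
constructed for the example."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}     # constructed levels
PORT_NAMES = {"ftp": 21, "www": 80, "http": 80, "smtp": 25}   # subset, for the example


@dataclass
class Conduit:
    action: str                          # "permit" or "deny"
    protocol: str                        # "tcp", "udp" or "ip"
    global_net: ipaddress.IPv4Network    # global (outside-visible) address(es)
    port: Optional[int]                  # destination port from "eq <port>", if given
    foreign_net: ipaddress.IPv4Network   # foreign (outside) source address(es)


@dataclass
class Policy:
    statics: dict = field(default_factory=dict)   # global_ip -> (local_ip, internal_if, external_if)
    conduits: list = field(default_factory=list)


def _parse_addr(tokens, i):
    """Parse 'host A', 'any' or 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' operator; only 'eq' is modelled here."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_config(text):
    """Build a Policy from static and conduit lines written in the page's syntax."""
    policy = Policy()
    for line in text.strip().splitlines():
        m = re.match(r"static\s+\((\w+),\s*(\w+)\)\s+(\S+)\s+(\S+)", line)
        if m:
            internal_if, external_if, global_ip, local_ip = m.groups()
            policy.statics[global_ip] = (local_ip, internal_if, external_if)
            continue
        t = line.split()
        if t and t[0] == "conduit":
            gnet, i = _parse_addr(t, 3)
            gport, i = _parse_port(t, i)
            fnet, i = _parse_addr(t, i)
            _fport, i = _parse_port(t, i)   # foreign port parsed but not matched in this model
            policy.conduits.append(Conduit(t[1], t[2], gnet, gport, fnet))
    return policy


def allowed(policy, src_if, src_ip, dst_if, dst_ip, proto, dst_port):
    """Decide whether a new connection may cross the firewall; returns (bool, reason)."""
    if SECURITY_LEVEL[src_if] > SECURITY_LEVEL[dst_if]:
        return True, "outbound: higher to lower security, permitted by default"
    if dst_ip not in policy.statics:
        return False, "inbound: no static maps this global address"
    _local, internal_if, external_if = policy.statics[dst_ip]
    if (internal_if, external_if) != (dst_if, src_if):
        return False, "inbound: static belongs to a different interface pair"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for c in policy.conduits:            # first matching conduit decides (modelling assumption)
        if c.protocol not in (proto, "ip"):
            continue
        if dst not in c.global_net or src not in c.foreign_net:
            continue
        if c.port is not None and c.port != dst_port:
            continue
        return c.action == "permit", f"inbound: matched conduit {c.action} {c.protocol}"
    return False, "inbound: static exists but no conduit permits this connection"


# Constructed configuration in the page's command syntax (addresses are examples only).
EXAMPLE_CONFIG = """
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255
conduit permit tcp host 192.0.2.10 eq ftp any
conduit permit tcp host 192.0.2.10 eq www any
"""

if __name__ == "__main__":
    p = parse_config(EXAMPLE_CONFIG)
    print(allowed(p, "inside", "10.0.0.20", "outside", "203.0.113.5", "tcp", 80))   # outbound
    print(allowed(p, "outside", "203.0.113.5", "inside", "192.0.2.10", "tcp", 21))  # static + conduit
    print(allowed(p, "outside", "203.0.113.5", "inside", "192.0.2.10", "tcp", 23))  # no conduit
```

The reason string is what a practitioner wants when auditing a configuration: an inbound connection that fails because no static exists is a different finding from one that has a static but no conduit, since the first means the host is unreachable from outside while the second means an exposed mapping is waiting only on a conduit to open it.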
Other Ways Through the PIX Firewall
Port Address Translation (PAT)
(Figure: packet header fields Source Addr, Source Port, Destination Addr, and Destination Port, shown before and after translation to the global address)
Configure PAT
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# nat (inside)
Assign a single IP address to the global pool
IP address must be registered with InterNIC
Source addresses of hosts in the network are translated to the global address for outgoing access
Source port changed to a unique number greater than 1024
(Figure: Sales, Engineering, and Information Systems networks behind the PIX Firewall, with a bastion host and the perimeter router)
nat 0 Configuration Example
pixfirewall(config)# nat (inside)
pixfirewall(config)# show nat
nat will be non-translated
The nat 0 command ensures that the specified address is not translated
nat 0 still maintains firewall security for all connections
(Figure: PIX Firewall and perimeter router)
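The PAT and nat 0 slides above describe two different outcomes for an outbound packet: a host covered by a numbered nat rule with a single-address global pool leaves with that global address and a unique source port above 1024, while a host covered by nat 0 keeps its own address. The following Python is an added illustration, not Cisco's code or PIX behaviour in detail: it accepts nat and global lines in the page's syntax and computes the translated (address, port) pair. The sequential port allocator, the rule that nat 0 exemptions are checked before translating rules, the show_xlate output format, and all addresses (RFC 5737 and RFC 1918 ranges) are constructed assumptions.

```python
"""Added illustration (not Cisco's code): a model of PAT and nat 0 as described on
this page. Hosts matched by a numbered nat rule leave with the single global address
and a unique source port above 1024; hosts matched by nat 0 keep their own address.
Port allocation order, the output format and all addresses are constructed."""
import ipaddress
import itertools


class Translator:
    def __init__(self):
        self.nat_rules = []        # (nat_id, IPv4Network), in configuration order
        self.global_ip = {}        # nat_id -> single global address (a one-address pool => PAT)
        self.xlate = {}            # (src_ip, src_port) -> (global_ip, pat_port)
        self._ports = itertools.count(1025)  # assumption: sequential source ports > 1024

    def configure(self, line):
        """Accept 'nat (if) <id> <net> <mask>' and 'global (if) <id> <ip> netmask <mask>'."""
        t = line.split()
        if t[0] == "nat":
            self.nat_rules.append((int(t[2]), ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":
            self.global_ip[int(t[2])] = t[3]
        else:
            raise ValueError(f"unsupported command in this model: {line}")

    def translate(self, src_ip, src_port):
        """Return the (address, port) an outbound packet carries after the firewall, or None."""
        ip = ipaddress.ip_address(src_ip)
        # nat 0 exemptions are honoured before any translating rule (modelling assumption).
        for nat_id, net in self.nat_rules:
            if nat_id == 0 and ip in net:
                return src_ip, src_port           # address passes through untranslated
        for nat_id, net in self.nat_rules:
            if nat_id != 0 and ip in net:
                key = (src_ip, src_port)
                if key not in self.xlate:         # one translation slot per inside flow
                    self.xlate[key] = (self.global_ip[nat_id], next(self._ports))
                return self.xlate[key]
        return None                               # no nat rule covers the host

    def show_xlate(self):
        """Translation slots in a readable form (format is constructed, not PIX output)."""
        return [f"PAT {g}({p}) <- {s}({sp})" for (s, sp), (g, p) in self.xlate.items()]


def build_example():
    """Constructed configuration in the page's command syntax (addresses are examples only)."""
    fw = Translator()
    for line in (
        "nat (inside) 0 10.0.0.50 255.255.255.255",
        "nat (inside) 1 10.0.0.0 255.255.255.0",
        "global (outside) 1 192.0.2.1 netmask 255.255.255.255",
    ):
        fw.configure(line)
    return fw


if __name__ == "__main__":
    fw = build_example()
    print(fw.translate("10.0.0.5", 40000))    # PAT: 192.0.2.1 with a port above 1024
    print(fw.translate("10.0.0.50", 40000))   # nat 0 host passes untranslated
    print(fw.show_xlate())
```

Running the two translate calls shows the point of the slides side by side: the PAT host is visible outside only as the single global address and a firewall-chosen port, while the nat 0 host keeps its inside address, which is why nat 0 is normally reserved for hosts whose addresses are already routable outside.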
fixup Command
pixfirewall(config)# fixup protocol ftp [port]
pixfirewall(config)# fixup protocol http [port[-port]]
pixfirewall(config)# fixup protocol h323 [port[-port]]
pixfirewall(config)# fixup protocol rsh [514]
pixfirewall(config)# fixup protocol smtp [port[-port]]
pixfirewall(config)# fixup protocol sqlnet [port[-port]]
pixfirewall(config)# no fixup protocol protocol [port[-port]]
pixfirewall(config)# show fixup [protocol protocol]
Supported Multimedia Applications
Intel Internet Phone
Microsoft NetMeeting
Microsoft NetShow
CuSeeMe
VDOLive
RealAudio and RealVideo
VxStream StreamWorks 2.0
VocalTec InternetPhone
Lab Exercise
Lab Visual Objective
(Figure: lab topology. Inside host: web and FTP server. Bastion host: web and FTP server. Backbone server: web, FTP, and TFTP server on the Internet side of the pod perimeter router. PIX Firewall interfaces: e1 inside (.1), e0 outside (.2), e2 dmz (.1); each segment is addressed as P.0/24.)
Summary
Summary
Understand how the static and conduit commands are used to allow inbound communication through the PIX Firewall.
Understand how PAT, nat 0, fixup, and multimedia are supported through the PIX Firewall.
Review Questions
Review Questions
Q1) What are the two ways through the PIX Firewall?
Q2) What function does the nat 0 command serve?
Q3) What does the fixup command do?
Q4) What are the two commands used to enable NAT?
Q5) Which command has precedence: static, nat, or global?