This presentation was published 10 years ago by user Федор Галимов.
© 2000, Cisco Systems, Inc. CSPFF
Chapter 8: Configuration of Multiple Interfaces

Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Configure multiple interfaces on the PIX Firewall.
- Test and verify that the PIX Firewall is operating correctly.

Additional Interface Support

- The PIX Firewall supports up to four additional interfaces
- Increases security of publicly available services
- Easily interconnect multiple extranet or partner networks
- Easily configured with standard PIX Firewall commands

[Figure: PIX Firewall with interfaces e0, e1, e2, e3, e4, e5]

Configure Three Interfaces

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside
pixfirewall(config)# ip address inside
pixfirewall(config)# ip address dmz
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (dmz) netmask
pixfirewall(config)# static (dmz,outside)
pixfirewall(config)# conduit permit tcp host eq http any

[Figure: PIX Firewall with interfaces e0, e1 and e2; Bastion Host; Internet]

Configure Four Interfaces

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec20
pixfirewall(config)# ip address outside
pixfirewall(config)# ip address inside
pixfirewall(config)# ip address dmz
pixfirewall(config)# ip address partnernet
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (dmz) netmask
pixfirewall(config)# static (dmz,outside)
pixfirewall(config)# conduit permit tcp host eq http any
pixfirewall(config)# static (dmz,partnernet)
pixfirewall(config)# conduit permit tcp host eq http any

[Figure: PIX Firewall with interfaces e0, e1 and e2; Partnernet; DMZ with Bastion Host]
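
Added example (not part of the original slides or of Cisco's material): a short Python audit of the nameif, nat/global and static/conduit commands used in the interface configurations above. It assumes the classic PIX rule that connections from a higher security level to a lower one need a matching nat/global pair, while connections toward a higher level need a static plus a conduit; the addresses in the sample are constructed placeholders and `audit` is a hypothetical helper name.

```python
import re

# Constructed sample: the four-interface layout with placeholder addresses
# (RFC 1918 / RFC 5737); these values are assumptions, not from the slides.
SAMPLE = """\
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
nameif ethernet3 partnernet sec20
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.0.2.20-192.0.2.254 netmask 255.255.255.0
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
static (dmz,outside) 192.0.2.11 172.16.0.2
conduit permit tcp host 192.0.2.11 eq http any
static (dmz,partnernet) 172.18.0.11 172.16.0.2
conduit permit tcp host 172.18.0.11 eq http any
"""

def audit(config):
    """Return outbound paths, inbound exposures and warnings for a PIX config."""
    levels, nats, pools, statics, conduits = {}, [], [], [], []
    for line in config.splitlines():
        t = line.split("# ")[-1].split()   # drop an optional CLI prompt
        if not t:
            continue
        if t[0] == "nameif":               # nameif <hw> <name> sec<level>
            levels[t[2]] = int(re.sub(r"\D", "", t[3]))
        elif t[0] in ("nat", "global"):    # nat|global (<if>) <id> ...
            (nats if t[0] == "nat" else pools).append((t[1].strip("()"), t[2]))
        elif t[0] == "static":             # static (<real>,<mapped>) <global ip> <local ip>
            statics.append((*t[1].strip("()").split(","), t[2], t[3]))
        elif t[:4] == ["conduit", "permit", "tcp", "host"]:
            conduits.append((t[4], t[6]))  # (global ip, port)
    # Outbound: nat id on a higher-level interface + same id pool on a lower one.
    outbound = [(s, d) for s, i in nats for d, j in pools
                if i == j and levels[s] > levels[d]]
    inbound, warnings = [], []
    for real_if, mapped_if, gip, lip in statics:
        ports = [p for ip, p in conduits if ip == gip]
        if levels[real_if] <= levels[mapped_if]:
            warnings.append(f"static ({real_if},{mapped_if}): real side is not the higher-security interface")
        elif not ports:
            warnings.append(f"static {gip}: no conduit, inbound connections stay blocked")
        else:
            inbound.append((mapped_if, gip, real_if, lip, ports))
    return {"outbound": outbound, "inbound": inbound, "warnings": warnings}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The `inbound` list is the exposure inventory to review: each entry names the lower-security interface, the published address, the real host behind it and the permitted ports.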

name Command

pixfirewall(config)# name bastionhost

The name command configures a list of name-to-IP mappings on the PIX Firewall.

[Figure: PIX Firewall with interfaces e0, e1 and e2; DMZ with Bastion Host]

Lab Exercise

Lab Visual Objective

[Figure: lab topology for one pod: Internet; backbone server (web, FTP, and TFTP server); perimeter router; PIX Firewall with e0 outside, e1 inside and e2 dmz; inside host (web and FTP server); bastion host (web and FTP server)]

Summary

- The PIX Firewall can be configured with up to four additional interfaces.
- The name command configures a list of name-to-IP mappings on the PIX Firewall.

Review Questions

Q1) What is the advantage of not using NAT?
Q2) What blocks of the IP address space are used for private internets?
Q3) Explain the name command.
Q4) What command clears the translation table?
Q5) How are the conduit command statements processed?
Q6) What is the name command used for?