Configuring PIX Firewall

Table Of Contents

Configuring the PIX Firewall

Step 1 - Get the Most Current Software

Download Over the Web

Download with FTP

If You Are Using Windows or MS-DOS

If You Are Using UNIX

Step 2 - Get a Console Terminal

Step 3 - Configure Network Routing

Preparing Routers to Work with the PIX Firewall

Setting a Default Route for Each Host

Setting a Solaris or SunOS Default Route

Setting a LINUX Default Route

Setting a Windows 95 and Windows 98 Default Route

Setting a Windows NT Default Route

Setting a MacOS Default Route

Step 4 - Start Configuring PIX Firewall

Go to the PIX Firewall Configuration Mode

Step 5 - Identify Each Interface

The nameif command

Two Interface PIX Firewall

Three Interface PIX Firewall

Four Interface PIX Firewall

The ip address Command

The interface Command

Step 6 - Let Users Start Connections

Step 7 - Create a Default Route

Step 8 - Permit Ping Access

Step 9 - Store the Image in Flash Memory and Reboot

Step 10 - Check the Configuration

Step 11 - Test Network Connectivity

Step 12 - Add Telnet Console Access

Trace Channel Feature

Step 13 - Add Server Access

Step 14 - Add Static Routes

Step 15 - Enable Syslog

More on the logging Command

Syslog Facility and Level

Configuring PIX Firewall to Send Syslog Messages

Configuring a UNIX System for Syslog

Step 16 - Create Access Lists

Step 17 - Add User Authentication

Step 18 - Recheck the Configuration


Configuring the PIX Firewall


You can configure the PIX Firewall by entering commands similar to those of Cisco IOS technology.

When shipped from Cisco, each PIX Firewall comes with a basic configuration that lets the unit boot up, but does not let network traffic pass through until you configure it to do so.

This chapter describes how to start a configuration and build on it. lists the topics in this chapter. The material is presented as a series of steps that you can follow completely if you are creating a new configuration, or as needed with an existing configuration.


Acronyms in this chapter are defined in Appendix B, "." All commands shown in this chapter are explained fully in Chapter 5, "."

If you are new to the PIX Firewall and have a Windows NT system, you can use the PIX Firewall Setup Wizard to simplify your initial configuration. Refer to Appendix C, "" for more information.

If you are upgrading, read the Release Notes for the PIX Firewall, which you can view online at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/pixrn420.htm

Then save your configuration on diskette with the write floppy command. Additional upgrading information for the failover feature is described in the "Failover" section in Chapter 3, "."

Step 1 - Get the Most Current Software

If desired, you can obtain the most current version of the PIX Firewall software by downloading it from Cisco's online web or FTP site. If you are using FTP, refer to the section "Download with FTP." If you are using the Web, refer to the section "Download Over the Web." The sections that follow describe how to download the software and prepare a PIX Firewall bootable diskette. When the diskette is ready, you can insert it in the PIX Firewall's diskette drive and restart the firewall. This will give you access to the most current software on your PIX Firewall.

Download Over the Web

To download PIX Firewall software from the CCO web site:


Step 1 Use a network browser, such as Netscape Navigator, to access http://www.cisco.com.

Step 2 If you are a registered CCO user, click LOGIN in the upper area of the page. If you have not registered, click REGISTER and follow the steps to register.

Step 3 After you click LOGIN, a dialog box appears requesting your Username and Password. Enter these and click OK.

Step 4 When you are ready to continue, choose Software & Support.

Step 5 On the Software & Support page, click Software Center.

Step 6 On the Software Center page, click Internet Products from the Cisco Software Products list.

Step 7 On the Internet Products page, scroll down to the Other Internet Software heading, then scroll down further, and choose PIX Firewall Software.

Step 8 On the PIX Firewall Software page, click Download PIX Firewall Software.

Step 9 On the software download page, choose the software you need. If you are downloading software for the first time and you use a Windows or MS-DOS system, choose the executable file (pixnnn.exe). This file is a self-extracting archive that provides the rawrite.exe program you use to create a bootable diskette, the readme.txt file listing instructions about how to create the diskette, and the PIX Firewall binary image file.

If you already have the rawrite program or are using a UNIX system, you can just copy the binary image file. The binary image filename ends with the .bin suffix. If you are using a Windows NT system, you can also download software for the PIX Firewall Manager GUI (graphical user interface) and the PIX Firewall Setup Wizard. The PIX Firewall Manager lets you manage from one to ten PIX Firewall units. The PIX Firewall Setup Wizard makes initial configuration of the PIX Firewall faster through a series of dialog screens that lead you through the configuration process.

Step 10 The Software Download page appears and provides these choices:

(a) Choice 1—To copy the file directly to your hard drive, choose a site closest to your location. A dialog box appears requesting that you enter your CCO password again. Enter it and click OK. The Save As... dialog box appears and lets you specify the directory and output file name of the file on your hard drive. You can store the executable file anywhere. When executed, it will extract three files into the same directory in which it is run.

Choose the directory and file name and click Save. A dialog box appears to show you the progress of the transfer.

(b) Choice 2—If you want to receive the file by email, enter the destination email address and the file will be encoded with the UNIX uuencode command before being sent to the address you specify.

(c) Choice 3—Cisco Support engineers can give you access to the file via FTP. You can also use FTP to access this site directly.

If you are using UNIX, proceed to the section "If You Are Using UNIX"; if you are using Windows or MS-DOS, proceed to the section "If You Are Using Windows or MS-DOS."

Download with FTP

Before using FTP, you need to have previously registered with Cisco, which you can do via the Web or by calling Cisco.

Set your FTP client for passive mode. If you are not running in passive mode, you can log in and view the Cisco presentation messages, but entering commands will cause your client to appear to suspend execution.

The Windows 95 and Windows NT command line FTP programs do not support passive mode.

To get the most current software with FTP:


Step 1 Start your FTP client and connect to cco.cisco.com. Use your CCO username and password.

Step 2 You can view the files in the main directory by entering the ls command.

Step 3 Enter the cd cisco command to move to the cisco directory. Then enter cd internet and cd pix to access the PIX Firewall software directory. Use the ls command to view the directory contents.

Step 4 Use the get command to copy the file to your workstation. If you want documentation, use the cd documentation command from the pix directory and copy the files you need to your workstation. Files with the .pdf suffix can be viewed with Adobe Acrobat Reader, which you can download from:

http://www.adobe.com/prodindex/acrobat/readstep.html

Step 5 When you are done, use quit to exit.

If You Are Using Windows or MS-DOS


Step 1 Using Windows Explorer or My Computer, open a window to the directory containing the archive and double-click the file name of the .exe file. It will automatically execute and provide these files:

pix4nn.bin—The PIX Firewall binary file, where 4 is the version number and nn is the release number.

rawrite.exe—The conversion utility that creates a PIX Firewall bootable diskette.

readme.txt—Contains instructions about how to create the bootable diskette.

A sample archive extraction follows:

...extraction utility messages...
Searching EXE: C:/PIX/PIX4nn.EXE
            Inflating: README.TXT
            Inflating: PIX4nn.BIN
            Inflating:         RAWRITE.EXE

Step 2 Locate an IBM formatted diskette that does not contain useful files. Do not use the PIX Firewall boot diskette that came with your original PIX Firewall purchase—you will need this diskette for system recovery should you need to downgrade versions.

The rawrite program erases all the files on the diskette. If you format the diskette from Windows, choose the long version, not the quick format. The quick format does not adequately prepare the diskette for rawrite. The best way to format the diskette is from the MS-DOS command prompt.

Step 3 Enter rawrite at the MS-DOS command prompt and you are prompted for the name of the .bin binary file, the output device (a: or b: for a 3.5-inch diskette), and to insert a formatted diskette.

The utility then creates a PIX Firewall boot diskette.

A sample rawrite session follows:

C:\pix>rawrite
RaWrite 1.2 - Write disk file to raw floppy diskette

Enter source file name: pix4nn.bin
Enter destination drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :
Number of sectors per track for this disk is 18
Writing image to drive A:. Press ^C to abort.
Track: 31 Head: 1 Sector: 16
Done.
C:\pix>

Step 4 Remove the diskette from the drive, place it in the PIX Firewall diskette drive and power cycle the unit. Alternately, if your unit has a Reset switch, use it, or you can enter the reload command from the PIX Firewall console. The PIX Firewall then boots from the new diskette.

To continue configuration, proceed to the "Step 2 - Get a Console Terminal" section.

If You Are Using UNIX


Step 1 Download the .bin binary file to your local directory.

Step 2 Insert a diskette in your workstation's diskette drive.

Step 3 Enter the following command to copy the binary file to the diskette:

# dd bs=18b if=./pix4nn.bin of=/dev/rfd0

This command copies the binary file to the output device file with a block size of 18 blocks.


Note   The diskette may have a name other than rfd0 on some UNIX systems.


Step 4 Eject the diskette, insert it in the PIX Firewall diskette drive, and power cycle the unit. Alternately, if available, use your unit's Reset switch, or enter the reload command from the PIX Firewall console. The PIX Firewall then boots from the new diskette.

When done, continue your configuration with the "Step 3 - Configure Network Routing" section.

Step 2 - Get a Console Terminal

If the computer you are connecting to runs either Windows 95 or Windows NT, the Windows HyperTerminal accessory provides easy-to-use software for communicating with the firewall. If you are using UNIX, refer to your system documentation for a terminal program.

HyperTerminal also lets you cut and paste configuration information from your computer to the firewall console.

To configure HyperTerminal:


Step 1 Connect the serial port of your PC to the console port of the PIX Firewall with the serial cable supplied in the PIX Firewall accessory kit.

Step 2 Locate HyperTerminal by opening the Windows 95 or Windows NT Start menu and choosing Programs, then Accessories, and then the HyperTerminal folder.

Step 3 Double-click the Hypertrm accessory. The New Connection window opens with the smaller Connection Description dialog box in the center.

Step 4 Enter the name of the connection. You can use any name such as PIX Console. Click OK when you are ready to continue.

Step 5 At the Phone Number dialog box, ignore all the fields except "Connect using." In this field, click the arrow at the right to view the choices. Choose "Direct to Com 1," unless you are using another serial port. Click OK to continue.

Step 6 At the COM1 Properties dialog box, set the following fields:

Bits per second to 9600.

Data bits to 8.

Parity to None.

Stop bits to 1.

Flow control to Hardware.

Step 7 Click OK to continue.

Step 8 The HyperTerminal window is now ready to receive information from the PIX Firewall console. If the serial cable is connected to the firewall, power on the firewall and you should be able to view the console startup display.

If nothing happens, wait 60 seconds first. The firewall does not send information for about 30 seconds. If messages do not appear after 60 seconds, press the Enter key. If still nothing appears, ensure that the serial cable is attached to COM1 and not to COM2 if your computer is so equipped. If garbage characters appear, ensure that the bits per second setting is 9600.

Step 9 To save your settings, click Save on the File menu.

Step 10 To exit, click Exit on the File menu. HyperTerminal prompts you to be sure you want to disconnect. Click Yes.

HyperTerminal saves a log of your console session that you can access the next time you use it.

To restart HyperTerminal, double-click the connection name you chose in the HyperTerminal folder. When HyperTerminal starts, drag the scroll bar up to view the previous session.

Step 3 - Configure Network Routing

Read this section before configuring the PIX Firewall to help you make decisions for configuring network routing.

Routing directs the flow of packets through a network. A default route specifies to which router packets are sent when the address is not known.

A host sends a message to another user. If the computer itself does not contain a login account for the user, the computer sends the message to its default gateway router. A router stores the paths through the network known as routes. If a router does not have the route to the user in its storage, it passes the message to its default router which knows routes from the larger network. The message is checked against the routes in this router. If it is not found, it is sent to another router with a still larger view of the network. This process repeats with the message sent from one router to another until the message is sent to the correct destination.

Preparing Routers to Work with the PIX Firewall

Once you have configured the PIX Firewall, you need to configure the other devices that will interact with the PIX Firewall. The most important devices that work with the PIX Firewall are the routers, or switches, if they have routing capability. The instructions that follow assume that the routers are from Cisco.

To prepare the routers to work with the PIX Firewall:


Step 1 Connect a computer to the console port of the router that connects to the outside interface of the PIX Firewall. If you are using a Windows PC, you can use the HyperTerminal program with the router as well. You will need to know the username and password for the router.

Step 2 Access configuration mode by entering the configure terminal command.

Step 3 Clear the ARP cache. Use the clear arp command. Then enter Ctrl-Z to exit configuration mode.

Step 4 Connect to the router on the inside of the PIX Firewall and access configuration mode.

Step 5 Set the default route to the inside interface of the PIX Firewall with the following command:

ip route 0.0.0.0 0.0.0.0 pix_inside_interface_ip_address

Step 6 Enter the show ip route command and make sure that the PIX Firewall interface is listed as the "gateway of last resort."

Step 7 Clear the ARP cache with the clear arp command. Then enter Ctrl-Z to exit configuration mode.

Step 8 If you changed the default route, use the write memory command to store the configuration in Flash memory. The clear arp command will make the new default gateway usable by the router.

Step 9 Connect to the routers on each perimeter interface and repeat the commands in Steps 5 through 8 for each router.

Step 10 If you have routers on networks subordinate to the routers that connect to the PIX Firewall's interfaces, configure them so that their default routes point to the router connected to the PIX Firewall and then clear their ARP caches as well.

Because the PIX Firewall is not a router, you need to specifically tell it where to route packets. The PIX Firewall lets you specify one default route to the outside interface, with one exception: if your PIX Firewall has only two interface cards installed (as opposed to three or four cards installed with some left uncabled), you can specify two default routes, one for the outside and one for the inside. For a PIX Firewall with 3 or more interfaces, only the outside default route is allowed.

In many networks, the interface connecting to the PIX Firewall connects to a router. Many times, a number of networks connect to the router. To ensure that the PIX Firewall can see these routes, you need to add static route statements for each network.

Both default and static routes are set on the PIX Firewall with the route command.

Setting a Default Route for Each Host

Each host on the same subnet as the inside or perimeter interfaces must have its default route pointing to the PIX Firewall.

Setting a Solaris or SunOS Default Route

If the host is a Solaris or SunOS workstation, you can determine the default route with this command:

netstat -nr

With root permissions, edit the /etc/defaultrouter file to point the default route at the PIX Firewall and then reboot the workstation so that the information is usable.

Setting a LINUX Default Route

On LINUX systems, use the netstat -r command to view the routing table including the default route.

With root permissions, use the following command to set the default route:

route add default gw IP_address_of_next_host

Replace IP_address_of_next_host with the IP address of the next host.

Setting a Windows 95 and Windows 98 Default Route

If the host is a Windows workstation, you can view the default route by selecting Start>Run and entering this command:

winipcfg

To change the default route, select Start>Settings>Control Panel and double-click the Network item.

Select the TCP/IP entry from the list of installed network components and click Properties. The default route is on the Gateway tab.

Setting a Windows NT Default Route

You can view the default route from the Command Prompt by entering the ipconfig command. You can access the Command Prompt by selecting Start>Programs>Command Prompt.

To change the default gateway in Windows NT:


Step 1 Click the Protocols tab.

Step 2 Select TCP/IP Protocol in the Network Protocols window and click Properties.

Step 3 In the Microsoft TCP/IP Properties window, click the IP Address tab.

Step 4 Click Advanced.... The default gateway IP address appears in the Gateways window. If the gateway is not the address of the PIX Firewall interface to which the server is connected, select the gateway address and click Remove.

Step 5 Then click Add... and enter the IP address for the PIX Firewall interface.

Step 6 After you exit from the menus, Windows will prompt you to restart your computer. Click Yes.

Setting a MacOS Default Route

In MacOS 7.5 and later, you can view the default route from the Apple menu>Control Panels>TCP/IP window. You can also set the default route from this window.

Step 4 - Start Configuring PIX Firewall

Before continuing, view "Command Line Guidelines" in Chapter 1, "" for information on how to specify ports and protocols, terminology, and other useful PIX Firewall facts.

When you start your PIX Firewall for the first time or load a new PIX Firewall boot disk, the configuration comes with many of the commands you need to get started. Use the write terminal command to view your configuration at any time. Use the write memory command frequently to save your configuration to Flash memory.

Before you configure the PIX Firewall, sketch out a network diagram with IP addresses that you will assign to the PIX Firewall and those of routers on each interface. If you have more than two interfaces in the PIX Firewall, note the security level for each interface. Security levels are set with the nameif command described in "Step 5 - Identify Each Interface."

Locate the following IP addresses:

An IP address for each interface that will connect to a network segment. Each address must be unique so that it is not used in the pool of global addresses or with any other statement in the configuration.

A pool of global addresses for each interface that each translated connection uses as it passes through the firewall. Use a global pool to let users start connections from a higher security level interface to access a lower security level interface.

The IP address of the outside default router.

Go to the PIX Firewall Configuration Mode

To initially configure the PIX Firewall:


Step 1 Start your terminal emulation program.

Step 2 Power on the PIX Firewall. On newer models, the switch is at the back; on older models, it is at the front.

Step 3 After the startup messages appear, you are prompted with the following unprivileged mode prompt:

pixfirewall>

Enter enable and press the Enter key.

Step 4 The following prompt appears:

Password:

Press the Enter key.

Step 5 You are now in privileged mode. The following prompt appears:

pixfirewall#

Enter the configure terminal command and press Enter. You are now in configuration mode.

Step 5 - Identify Each Interface

PIX Firewall requires that you enter the nameif and ip address commands to identify each interface in your PIX Firewall that will connect to a network segment. You will need unique IP addresses for the ip address command to assign to each interface you will use.

If the PIX Firewall has Ethernet cards, upon startup, PIX Firewall adds an interface command to the configuration for each interface. The interface command specifies the line speed and duplex for an interface.

PIX Firewall assumes that the outside network is connected to slot 0 on the unit, which is the leftmost slot that can accept cards. For Ethernet, this is known as ethernet0; for Token Ring, it is called token0.

The nameif command

The PIX Firewall default configuration supplies nameif commands for the inside and outside interfaces. Use the show nameif command to view these commands. They will appear as:

nameif ethernet0 outside security0
nameif ethernet1 inside security100

The nameif commands you need to enter, if any, are determined by how many network interface cards are in your PIX Firewall. The sections that follow describe how to configure this command.

An example nameif command is:

nameif ethernet2 perimeter security50

If you make a mistake or want to replace a command you entered, enter the new version of the command, instead of first removing the old version, as is required for other PIX Firewall commands. For example, if you accidentally enter:

nameif ethernot2 permetter security50

Reenter the command as:

nameif ethernet2 perimeter security50

Two Interface PIX Firewall

If you have only two interfaces, you do not need to enter any further information for the nameif command and can now proceed to the next command for your configuration.

Three Interface PIX Firewall

If the PIX Firewall has three interfaces, enter the nameif command for the perimeter interface, which you can name:

nameif ethernet2 interface security_level

If you have Token Ring, replace ethernetn in the nameif command with token0, token1, token2, and so on for Token Ring. If you have a mixed Token Ring and Ethernet environment, start with ethernet0 or token0 and number the Ethernet or Token Ring interfaces sequentially thereafter.

Replace interface with a name such as dmz or perim for each perimeter interface. Whichever name you pick, you will need to enter it repeatedly as you create your configuration, so a short name, such as dmz, will be easier to enter.

Replace security_level with a value such as security40 or security60. You can choose any security level between 1 and 99 for a perimeter interface as long as they are not the same value. If you have four interfaces, it will be easier to code your configuration if you use the higher security level for the perimeter interface with the most hosts. When you access a higher security level interface from a lower security level interface, you use the static command. When you access a lower security interface from a higher security level interface, you use the nat command. By using the higher security level, hosts on that interface can access the other perimeter interface and the outside interface using the nat command.

You may also want to consider which interface should be your inside interface. While you cannot assign a perimeter interface to have a security level of 100, you can change the cabling of your networks as they connect to the PIX Firewall. Again, the network with the most hosts should plug into the network interface card in the second slot (ethernet1 for Ethernet, token1 for Token Ring), which is used for the inside network.

If you have three interfaces, and the interface that was supposed to be the perimeter has more hosts than the inside, it will be easier to configure the PIX Firewall if you switch connections on the PIX Firewall network interface cards so that the inside has the most hosts.

Four Interface PIX Firewall

If the PIX Firewall has four interfaces, enter two nameif commands, one for each perimeter interface. Pick a unique interface name and security level for each:

nameif hardware_id interface security_level
nameif hardware_id interface security_level

Replace hardware_id with the hardware name for the network interface card. For Ethernet cards, use ethernet0, ethernet1, ethernet2, or ethernet3 depending on which interface you want to reference. The number after the name corresponds to the position of the cards in the slots on the PIX Firewall. If you are looking at the slots, the ethernet1 card must be in the second slot from the left that can contain a network interface card. The ethernet1 card must be connected to the inside interface.

You can abbreviate this name with any significant letters, such as, e0 for ethernet0, or t0 for token0.

Replace interface and security_level as described in the section "Three Interface PIX Firewall."

The ip address Command

Assign an ip address command to each interface in your PIX Firewall that connects to the network. In version 4.2(3), for unused interfaces, PIX Firewall assigns 127.0.0.1 to each interface with a subnet mask of 255.255.255.255 that does not permit traffic to flow through the interface. For version 4.2(2), you must assign an IP address to each interface, whether or not they connect to the network.

The format for the ip address command is:

ip address inside ip_address netmask
ip address outside ip_address netmask

Replace ip_address with the IP address you specify for the interface. The IP addresses that you assign must be unique for each interface—do not use an address you previously used for routers, hosts, or with any other PIX Firewall command, such as an IP address in the global pool or for a static.

Replace netmask with the network mask for the IP address; for example, 255.255.255.0 for a Class C address. Enter a mask appropriate for the network class, which is determined by the first octet of the IP address. Use a netmask of 255.0.0.0 for IP addresses 1.x.x.x to 127.x.x.x, use 255.255.0.0 for IP addresses 128.x.x.x to 191.x.x.x, and 255.255.255.0 for addresses 192.x.x.x and higher. Do not use 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.

If subnetting is in use, use the subnet in the mask; for example, 255.255.255.228.

Use the show ip command to view the commands you entered. If you make a mistake while entering a command, reenter the same command with new information.

An example ip address command is:

ip address inside 192.168.1.1 255.255.255.0

If you are using subnetting, enter a network mask applicable to the subnet. Refer to Appendix E, "" to ensure that the IP address you pick for each interface is correct for the subnet.
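The address and mask rules in this section can be checked before the commands are entered. The following Python sketch is an added example, not part of the original Cisco documentation; its function names and the sample configuration are constructed for illustration. It flags masks whose 1 bits are not contiguous (255.255.255.224 passes, 255.255.255.228 does not), 255.255.255.255 on an interface in use, and interface addresses that are reused or fall inside a global pool.

```python
import ipaddress
import re

# Constructed sample input (not from a real unit).
SAMPLE = """\
ip address outside 204.31.17.1 255.255.255.0
ip address inside 192.168.3.1 255.255.255.224
ip address dmz1 192.168.1.1 255.255.255.228
ip address dmz2 192.168.1.50 255.255.255.255
ip address spare 127.0.0.1 255.255.255.255
global (dmz1) 1 192.168.1.10-192.168.1.100 netmask 255.255.255.0
"""

IP_ADDRESS = re.compile(r"^ip address\s+(\S+)\s+([\d.]+)\s+([\d.]+)$")
GLOBAL = re.compile(r"^global\s+\(\S+\)\s+\d+\s+([\d.]+)(?:-([\d.]+))?")
UNUSED = ipaddress.IPv4Address("127.0.0.1")  # placeholder for unused interfaces


def classful_mask(address):
    """Default mask chosen by first octet, using the ranges given above."""
    first = int(str(address).split(".")[0])
    if first <= 127:
        return "255.0.0.0"
    if first <= 191:
        return "255.255.0.0"
    return "255.255.255.0"


def mask_is_contiguous(mask):
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def check_interfaces(config):
    """Return (interface, code, detail) tuples for each rule violation."""
    lines = [line.strip() for line in config.splitlines()]
    pools = []
    for line in lines:
        m = GLOBAL.match(line)
        if m:
            low = ipaddress.IPv4Address(m.group(1))
            high = ipaddress.IPv4Address(m.group(2) or m.group(1))
            pools.append((low, high))
    seen, problems = {}, []
    for line in lines:
        m = IP_ADDRESS.match(line)
        if not m:
            continue
        name, mask = m.group(1), m.group(3)
        addr = ipaddress.IPv4Address(m.group(2))
        if addr == UNUSED:
            continue  # unused interface, host mask is expected here
        if not mask_is_contiguous(mask):
            detail = f"{mask} is not contiguous; classful default is {classful_mask(addr)}"
            problems.append((name, "noncontiguous-mask", detail))
        elif mask == "255.255.255.255":
            problems.append((name, "host-mask", "this mask stops traffic on the interface"))
        if addr in seen:
            problems.append((name, "duplicate-address", f"{addr} already on {seen[addr]}"))
        seen.setdefault(addr, name)
        if any(low <= addr <= high for low, high in pools):
            problems.append((name, "in-global-pool", f"{addr} is inside a global pool"))
    return problems


if __name__ == "__main__":
    for name, code, detail in check_interfaces(SAMPLE):
        print(f"{name}: {code}: {detail}")
```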

The interface Command

If you have Ethernet interfaces on the PIX Firewall, the default configuration provides interface commands for all interfaces. If you have Token Ring interfaces, you will need to create interface commands in this format:

interface token speed

Replace token with token0, token1, and so on. Replace speed with either 4mbps or 16mbps depending on the line speed of the card.

Use the write terminal command to view the configuration and locate the interface command information. If you make a mistake while entering a command, reenter the same command with new information.

Examples of the interface command are:

interface ethernet0 auto
interface token0 16mbps

Step 6 - Let Users Start Connections

As described in the section, "Step 5 - Identify Each Interface," the nameif command assigns a security level to each interface. For interfaces with a higher security level such as the inside interface, or a perimeter interface relative to the outside interface, use the nat and global commands to let users on the higher security interface access a lower security interface. For the opposite direction, from lower to higher, you use the static and conduit commands described in the section "Step 13 - Add Server Access."

As you enter commands, you can use the show nat or show global commands to list the existing commands. If you make a mistake, remove the old command with the no form of the command, specifying all the options of the first command. This is where a terminal with cut and paste capability is useful. After you use show global, you can cut the old command, enter no and a space on the command line, paste the old line in, and press the Enter key to remove it.

PIX Firewall favors the use of NAT (Network Address Translation) for addressing of your network. When a PIX Firewall is first inserted in a network, keeping existing addressing may appear desirable, but imposes an extra layer of complexity in working with the PIX Firewall. Almost all of the PIX Firewall commands that work with IP addresses are affected by the use of NAT.

As you enter each command and debug it, you have to work with how your network addressing affects server access, creating global pools, authentication, routing, and starting connections. When you add in multiple interfaces, the complexity rises more. For this reason, Cisco recommends that you use PIX Firewall with NAT if possible. If you must disable NAT, use the nat 0 command. Refer to the nat and static command pages for a discussion of the implications of disabling NAT.

To let users on a higher security level interface start connections:


Step 1 Use the show nameif command to view the security level of each interface.

Step 2 Sketch a diagram with each interface and its security level. For example:

   

PIX Firewall interfaces:

outside: 204.31.17.1, security 0
dmz1: 192.168.1.1, security 40
dmz2: 192.168.2.1, security 60
inside: 192.168.3.1, security 100

 

Step 3 Add a nat command statement for each higher security level interface from which you want users to start connections to interfaces with lower security levels; for example between the inside and outside, between dmz1 and the outside, between dmz2 and the outside and between dmz2 and dmz1. The nat command statements would appear as in this example:

nat (inside) 1 0 0
nat (dmz2) 1 0 0
nat (dmz1) 1 0 0 

Each nat command statement lets users start connections from the higher security level interface, shown in parentheses, to any lower security level interface. Therefore, the nat (inside) 1 0 0 command statement lets inside users start connections on the dmz1, dmz2, and outside interfaces. Similarly, the dmz2 nat command statement lets dmz2 users start connections on the dmz1 interface and the outside interface. Lastly, the dmz1 nat command statement lets dmz1 users start connections on the outside.

Step 4 Add a global command statement for each lower security interface to which you want users to have access; for example, on the outside, dmz1, and dmz2. The global command creates a pool of addresses that translated connections pass through. There need to be enough global addresses to handle the number of users each interface may have trying to access the lower security interface. The global commands are:

global (outside) 1 204.31.17.2 netmask 255.255.255.0
global (dmz1) 1 192.168.1.10-192.168.1.100 netmask 255.255.255.0
global (dmz2) 1 192.168.2.10-192.168.2.100 netmask 255.255.255.0

These statements create a pool of global addresses on the outside interface so that users on the inside, dmz1, and dmz2 can access the outside interface. Because this is a registered address, a PAT (Port Address Translation) global is used, which lets up to 65,000 users pass through to the outside. PIX Firewall only permits one PAT global in the configuration, so using it on the interface with the most traffic across a registered address is the best use of it. However, using a PAT global has a few caveats, such as limits on multimedia applications like H.323. Refer to the global command page for more information.

The next global statement for dmz1 lets users on the inside and dmz2 start connections on the dmz1 interface.

The last global statement for dmz2 lets users on the inside start connections on the dmz2 interface.

If you use network subnetting, specify the subnet mask with the netmask option. Refer to Appendix E for more information on subnetting.

Step 5 If you have a limited number of IP addresses, such as when you are working with an ISP (Internet service provider), then you use two global commands for the interface, one to specify a limited range of available IP addresses, another to augment the range with a PAT global. PIX Firewall translates IP addresses in the global pool from the highest number IP address to the lowest, so to augment the range with a PAT, code it as the lowest number address; for example:

global (outside) 1 204.31.17.10 netmask 255.255.255.0
global (outside) 1 204.31.17.11-204.31.17.100 netmask 255.255.255.0

In this example, if the addresses in the second global statement are used up, then the PAT address is used. This helps offset the PAT global's restrictions, such as with multimedia applications, so that users will only hit the PAT when the first range is unavailable—if a user cannot start a connection because of an application conflict, another should appear momentarily to let the user try again. Global addresses are freed up as soon as the session ends.

Step 7 - Create a Default Route

Use the route command to set a default route to the outside router. Use the show route command to view the command you entered. If needed, use the no route command to remove a route command. If the outside router is at address 204.31.17.3, you would use this command:

route outside 0 0 204.31.17.2 1

This command states that the default router is on the outside interface. The 0 0 information is an IP address of 0.0.0.0 and mask of 0.0.0.0, which the PIX Firewall associates with the default route. The route command could be read as "if I have a packet intended for IP address 0.0.0.0, send it to 204.31.17.2 instead." The 1 at the end is the number of hops that the router is from the PIX Firewall. Hops are routers, so 1 hop is the router nearest the PIX Firewall.

If the PIX Firewall has only two interfaces, you can specify a default route for the inside. Note that this exception only applies when the PIX Firewall has physically two interfaces. If a third interface is present in the firewall without a cable connection, you have to physically remove the card before you can use this exception. If there are only two interfaces, the default route command for the inside will eliminate having to add static route statements for the networks connected to the inside router (if any).


Note   If you are not sure how many interfaces are in the PIX Firewall, examine the configuration with the write terminal command and count the number of interface commands that appear. If there are 3 or 4, you must only have one default route statement to the outside interface; otherwise, the PIX Firewall will experience routing problems that are difficult to diagnose.


Step 8 - Permit Ping Access

Enter the conduit permit icmp any any command in your configuration. This lets hosts on the inside ping outside hosts and hosts on the outside ping global addresses configured with the conduit command.

Step 9 - Store the Image in Flash Memory and Reboot

When you complete entering commands in the configuration, save it to Flash memory with the write memory command.

Then use the reload command to restart the configuration. After you enter the reload command, PIX Firewall prompts you to confirm that you want to continue. Enter y and the reboot occurs.

You are now done configuring the PIX Firewall. This configuration lets protected network users start connections, but prevents users on unprotected networks from attacking protected hosts.

Step 10 - Check the Configuration

Use the write terminal command to view your current configuration. Check the following before proceeding to ensure that your configuration is correct:


Step 1 Make sure that the IP addresses you use in the ip address, global, nat, and route commands are unique. In addition, the ip address command IP address cannot be the same as a router or any hosts. Use the following commands to examine this information:

show ip address
show global
show nat
show route

Step 2 Use the show route command to make sure you have a default route statement pointing to the outside router. A default route command appears as:

route outside 0 0 ip_address_of_outside_router 1

Replace ip_address_of_outside_router with the IP address of the nearest router on the outside interface.

If you do not see this command in your configuration, add it now. A default route command is crucial to get other commands to work correctly. If you are testing the network before putting it into production, get a router and add it to the test network so that the PIX Firewall has a default route.

Step 3 Make sure that the nat and global statements have the same NAT ID, as shown in the following example:

nat (dmz) 1 0 0
global (outside) 1 204.31.17.2 netmask 255.255.255.0

The number 1 after the interface name is the NAT ID.

Also, it is best to keep all the nat statements and globals in the same NAT ID even if the global statements refer to different interfaces, for example:

nat (inside) 1 0 0
nat (dmz1) 1 0 0
nat (dmz2) 1 0 0
global (outside) 1 204.31.17.2 netmask 255.255.255.0
global (outside) 1 204.31.17.10-204.31.17.200 netmask 255.255.255.0
global (dmz1) 1 192.168.1.20-192.168.1.200 netmask 255.255.255.0

The nat statements let users on the inside, dmz1, and dmz2 interfaces start outside connections. The first global statement creates a PAT address on the outside interface at the end of the range of globals. (PIX Firewall reads through the global IP addresses starting from the highest and going to the smallest.)

The second global statement creates a pool of IP addresses in the range of 204.31.17.30 to 204.31.17.200 on the outside interface.

The third global statement creates a pool of IP addresses on the dmz1 interface.

Step 4 Use the show global command to make sure that a range of global addresses starts from a low number and goes to a high number. In addition, it is good to leave a few addresses before the range for static statements, hosts, or additional routers. In other words, instead of starting the global pool at an address such as 204.31.17.2, use 204.31.17.10 (assuming you have a full Class C address to use).

Step 5 If your ISP (Internet service provider) has only provided a few registered addresses, always have a PAT address at the end of the range. This expands your pool of addresses, if needed. Remember to give the PAT an address lower than the pool of global addresses. PIX Firewall uses global addresses starting from the highest numbered IP address and works down.

Step 6 If you are using subnetting, examine Appendix E for more information on subnetting. Use the show global command to make sure that all addresses in the global pool are in the same subnet. For example, if you have a 255.255.255.192 subnet mask, the pool of global addresses could not contain addresses 204.31.17.60-204.31.17.100 because this would cross subnet boundaries. Also make sure that the global pool does not contain subnetted network addresses or broadcast addresses as explained in Appendix E. For example, with the 255.255.255.224 mask, specifying a global pool of 204.31.17.64-204.31.17.95 would not work because 204.31.17.64 is a network address and 204.31.17.95 is a broadcast address.

(a) Use the show ip address command to ensure that addresses on each interface are in the correct subnet for that interface. Each interface needs its own subnet. For example, if the outside interface has registered addresses 204.31.17.0 through 204.31.17.31 with a 255.255.255.224 subnet mask, the outside interface, outside router, any hosts on this interface, the global pool, and any addresses set aside for static statements (explained in the "Step 13 - Add Server Access" section) must all reside on addresses 204.31.17.1 through 204.31.17.30.

(b) If you are using subnetting, put the subnet value in the ip address and global statements masks. For example, if you are using a .192 subnet mask, the ip address command would appear as:

ip address outside 204.31.17.1 255.255.255.192

The global command would appear as:

global (outside) 1 204.31.17.75-204.31.17.126 netmask 255.255.255.192

Step 7 Use the show nat command. If you need to restrict IP addresses in nat statements, do not overlap the groups. An example is:

nat (dmz1) 1 10.0.0.0 255.0.0.0

If you want only users on the 10.0.0.0 network to start connections, do not specify a second nat group with address 10.1.1.0 because this network would be included in 10.0.0.0.

Step 8 Use the show ip address command to check all IP addresses to be sure you have the correct address values for the devices.

Make sure all inside interface or perimeter interface hosts and routers have their default routes set to the respective PIX Firewall interface IP address. Refer to section "Step 3 - Configure Network Routing" for more information.
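The Step 10 checks can also be run mechanically over the output of write terminal. The following Python script is an added example, not Cisco code; the sample configuration is constructed, and the parser assumes each statement is written in the forms shown in this chapter.

```python
import ipaddress

# Constructed sample (not from a real device): the page's addressing with
# three planted mistakes that the Step 10 checklist is meant to catch.
SAMPLE_CONFIG = """\
ip address outside 204.31.17.1 255.255.255.224
ip address dmz1 192.168.1.1 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
nat (inside) 1 0 0
nat (dmz1) 2 0 0
global (outside) 1 204.31.17.5 netmask 255.255.255.224
global (outside) 1 204.31.17.10-204.31.17.40 netmask 255.255.255.224
route outside 0 0 204.31.17.2 1
route inside 0 0 192.168.3.5 1
"""

ZERO = ("0", "0.0.0.0")


def parse(config):
    """Collect the ip address, nat, global and route statements."""
    cfg = {"ifaces": {}, "nat": [], "global": [], "route": []}
    for line in config.splitlines():
        t = line.split()
        if len(t) == 5 and t[:2] == ["ip", "address"]:
            cfg["ifaces"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif len(t) >= 3 and t[0] == "nat":
            cfg["nat"].append((t[1].strip("()"), int(t[2])))
        elif len(t) == 6 and t[0] == "global" and t[4] == "netmask":
            low, _, high = t[3].partition("-")
            cfg["global"].append((t[1].strip("()"), int(t[2]),
                                  ipaddress.ip_address(low),
                                  ipaddress.ip_address(high or low), t[5]))
        elif len(t) >= 5 and t[0] == "route":
            cfg["route"].append((t[1], t[2], t[3], t[4]))
    return cfg


def check(config):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse(config), []

    # Step 3: every nat group needs a global with the same NAT ID.
    nat_ids = {nid for _, nid in cfg["nat"] if nid != 0}  # nat 0 disables NAT
    global_ids = {g[1] for g in cfg["global"]}
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"NAT ID {nid}: nat statement without a matching global")
    for nid in sorted(global_ids - nat_ids):
        findings.append(f"NAT ID {nid}: global statement without a matching nat")

    # Steps 4 and 6: the pool runs low to high, stays in one subnet, and
    # avoids that subnet's network and broadcast addresses.
    for iface, nid, low, high, mask in cfg["global"]:
        name = f"global ({iface}) {nid} {low}" + (f"-{high}" if high != low else "")
        subnet = ipaddress.ip_network(f"{low}/{mask}", strict=False)
        if low > high:
            findings.append(f"{name}: range must run from low to high")
        elif high not in subnet:
            findings.append(f"{name}: pool crosses the {subnet} subnet boundary")
        elif low == subnet.network_address or high == subnet.broadcast_address:
            findings.append(f"{name}: pool contains a network or broadcast address")
        if iface in cfg["ifaces"] and low not in cfg["ifaces"][iface].network:
            findings.append(f"{name}: pool is outside the {iface} interface subnet")

    # Step 5: a PAT (single-address) global must sit below the pool it backs up.
    for iface, nid, low, high, _ in cfg["global"]:
        if low != high:
            continue
        for i2, n2, low2, high2, _ in cfg["global"]:
            if (i2, n2) == (iface, nid) and low2 != high2 and low > low2:
                findings.append(
                    f"PAT {low} on {iface}: must be lower than pool {low2}-{high2}")

    # Step 2 and the Step 7 note: one default route, on the outside interface,
    # unless the unit has only two interfaces.
    defaults = [r[0] for r in cfg["route"] if r[1] in ZERO and r[2] in ZERO]
    if "outside" not in defaults:
        findings.append("no default route on the outside interface")
    if len(cfg["ifaces"]) >= 3 and len(defaults) > 1:
        findings.append("more than one default route with three or more "
                        "interfaces: " + ", ".join(defaults))
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print("FINDING:", finding)
```
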

Step 11 - Test Network Connectivity

For the steps that follow, you will need access to the PIX Firewall console and to at least one host on both the internal and external networks.

Use the steps that follow to determine whether or not the firewall is functioning correctly in the network:


Step 1 Sketch a diagram of your network. With a sketch, it is much easier to methodically test the network with the PIX Firewall and be sure that everything works as expected. For example:

PIX Firewall interfaces and the router on each:

outside: 204.31.17.1, router: 204.31.17.2
dmz1: 192.168.1.1, router: 192.168.1.2
dmz2: 192.168.2.1, router: 192.168.2.2
inside: 192.168.3.1, router: 192.168.3.2


Step 1 Start debugging commands—Enter configuration mode and start the debug icmp trace command to monitor ping results through the PIX Firewall. In addition, start syslog logging with the logging buffered debugging command to check for denied connections or ping results. The debug messages display directly on the console session. You can view syslog messages with the show logging command.

If you are using version 4.2(3), before using the debug command, use the who command to see if there are any Telnet sessions to the console. If the debug command finds a Telnet session, it automatically sends the debug output to the Telnet session instead of the console. This will cause the serial console session to seem as though no output is appearing when it is really going to the Telnet session.

Step 2 Ping around the PIX Firewall—Ping from the PIX Firewall to a host or router on each interface. Then go to a host or router on each interface and ping the PIX Firewall's interface. For the example, you would use these commands from the PIX Firewall:

ping inside 192.168.3.2
ping dmz1 192.168.1.2
ping dmz2 192.168.2.2
ping outside 204.31.17.2

Then ping the PIX Firewall interfaces from the hosts or routers with commands such as:

ping 192.168.3.1
ping 192.168.1.1
ping 192.168.2.1
ping 204.31.17.1

If the pings from the hosts or routers to the PIX Firewall interfaces are not successful, check the debug messages which should have displayed on the console. Successful ping debug messages appear as in this example:

ICMP echo request (len 32 id 1 seq 512) 204.31.17.42 > 204.31.17.1
ICMP echo reply (len 32 id 1 seq 256) 204.31.17.1 > 204.31.17.42

Both the request and reply statements should appear to show that the PIX Firewall received the request and responded. If none of these messages appeared while pinging the interfaces, then there is a routing problem between the host or router and the PIX Firewall that caused the ping (ICMP) packets to never arrive at the PIX Firewall.

Also try the following to fix unsuccessful pings:

(a) Make sure you have a default route statement for the outside interface. For example,

route outside 0 0 204.31.17.2 1

(b) Use the show conduit command to ensure that the conduit permit icmp any any command is in the configuration. Add this command if it is not present.

(c) Except for the outside interface, make sure that the host or router on each interface has the PIX Firewall as its default gateway. If so, set the host's default gateway to the router and set the router's default route to the PIX Firewall. Setting default routes in routers and hosts is explained in the section "Step 3 - Configure Network Routing."

(d) Check to see if there is a router between the host and the PIX Firewall. If so, make sure the default route on the router points to the PIX Firewall interface. If there is a hub between the host and the PIX Firewall, make sure that the hub does not have a routing module. If there is a routing module, configure its default route to point to the PIX Firewall.

(e) Go to the PIX Firewall and use the show interface command to ensure that the interface is functioning and that the cables are connected correctly. If the display contains "line protocol is up," then the cable type used is correct and connected to the firewall. If the display states that each interface "is up," then the interface is ready for use. If both of these are true, check "packets input" and "packets output." If packets are being received and transmitted, the firewall is correctly configured and a cable is attached.

(f) Check that network cables are attached.

Ping through the PIX Firewall—Once you can ping the PIX Firewall's inside interface, try pinging through the PIX Firewall to a host on another interface, such as the outside. If there is not a host on the interface, ping the router. If the ping is not successful, check the debug messages on the PIX Firewall console to be sure both inbound and outbound pings were received. If you see the Inbound message without the Outbound, then the host or router is not responding. Check that the nat and global statements are correct and that the host or router is on the same subnet as the outside interface. Successful ping debug messages appear as in this example:

Inbound ICMP echo reply (len 32 id 1 seq 256) 204.31.17.1 > 204.31.17.42 
Outbound ICMP echo request (len 32 id 1 seq 512) 204.31.17.42 > 204.31.17.1

Step 3 Once you can ping successfully across interfaces of higher security levels to lower security levels, such as inside to outside, inside to dmz, or dmz2 to dmz1, add static and conduit statements as described in the section "Step 13 - Add Server Access" so that you can ping from the lower security level interfaces to the higher security level interfaces.

Step 12 - Add Telnet Console Access

The serial console lets a single user configure the PIX Firewall, but many times this is not convenient for a site with more than one administrator. PIX Firewall lets you access the serial console via Telnet from hosts on the inside interface.

To configure Telnet console access:


Step 1 Use the PIX Firewall telnet command. For example, to let host 192.168.1.2 access the PIX Firewall, enter:

telnet 192.168.1.2 255.255.255.255

Step 2 If required, set the duration for how long a Telnet session can be idle before PIX Firewall disconnects the session. The default duration, 5 minutes, is too short in most cases and should be increased until all pre-production testing and troubleshooting has been completed. Set a longer idle time duration as shown in the following example:

telnet timeout 15

Step 3 Save the commands in the configuration using the write memory command.

To test Telnet access:


Step 1 Start a Telnet session to the PIX Firewall's inside interface IP address. If you are using Windows 95 or Windows NT, click the Start>Run command prompt to start a Telnet session. For example, if the inside interface IP address is 192.168.1.1, enter the following command:

telnet 192.168.1.1

Step 2 The PIX Firewall prompts you for a password:

PIX passwd: 

Enter cisco and press the Enter key. You are then logged into the PIX Firewall.

The default password is cisco, which you can change with the passwd command.

You can enter any command on the Telnet console that you can set from the serial console, but if you reboot the PIX Firewall, you will need to log back into the PIX Firewall after it restarts.

Some Telnet applications such as the Windows 95 or Windows NT Telnet sessions may not support access to the PIX Firewall's command history feature used with the arrow keys. However, you can access the last entered commands by pressing Ctrl-P.

Step 3 Once you have Telnet access available, you may want to view ping information while debugging. Starting with version 4.2(3), you can view ping information from Telnet sessions with the debug icmp trace command. Version 4.2(3) also implements the trace channel feature, which affects debug displays and is explained in the section "Trace Channel Feature."

In versions prior to 4.2(3), you can only view the ICMP traces from the serial console and not from a Telnet session. If you are using version 4.2(3), messages for a successful ping appear as:

Inbound ICMP echo reply (len 32 id 1 seq 256) 204.31.17.1 > 204.31.17.42
Outbound ICMP echo request (len 32 id 1 seq 512) 204.31.17.42 > 204.31.17.1

Step 4 In addition, you can use the Telnet console session to view syslog messages:

(a) Start message displays with the logging monitor 7 command. The "7" will display all syslog messages.

If you are using the PIX Firewall in production mode, you may wish to use the logging buffered 7 command to store messages in a buffer that you can view with the show logging command, and clear the buffer for easier viewing with the clear logging command. To stop buffering messages, use the no logging buffered command.

You can also lower the number from 7 to a lesser value, such as 3, to limit the number of messages that appear.

(b) If you entered the logging monitor command, then enter the terminal monitor command to cause the messages to display in your Telnet session. To disable message displays, use the terminal no monitor command.

Trace Channel Feature

In version 4.2(3), the debug command has changed so that the debug icmp trace and debug sqlnet commands now send their output to the Trace Channel. The location of the Trace Channel depends on whether you have a Telnet console session running at the same time as the serial console session, or are using only the PIX Firewall serial console:

If you are only using the PIX Firewall serial console, all debug commands display on the serial console.

If you have both a serial console session and a Telnet console session accessing the console, then no matter where you enter the debug icmp trace or the debug sqlnet commands, the output displays on the Telnet console session.

If you have two or more Telnet console sessions, the first session is the Trace Channel. If that session closes, the serial console session becomes the Trace Channel. The next Telnet console session that accesses the console will then become the Trace Channel.

The debug packet command only displays on the serial console. However, you can enable or disable this command from either the serial console or a Telnet console session.

The debug commands are shared between all Telnet and serial console sessions.


Note   The downside of the Trace Channel feature is that if one administrator is using the serial console and another administrator starts a Telnet console session, the serial console debug icmp trace and debug sqlnet output will suddenly stop without warning. In addition, the administrator on the Telnet console session will suddenly be viewing debug output, which may be unexpected. If you are using the serial console and debug output is not appearing, use the who command to see if a Telnet console session is running.


Step 13 - Add Server Access

By default, the PIX Firewall prevents all outside connections from accessing "inside" hosts or servers. Any server on a network that has a higher security level than the current interface requires a static and conduit statement.


Note   If you are using nat 0, refer to the static command page for information about how to handle server access in this environment.


For example, to let outside users access a dmz1 web server, you could have static and conduit statements as follows:

static (dmz1,outside) 204.31.17.5 192.168.1.5 netmask 255.255.255.255
conduit permit tcp host 204.31.17.5 eq www any

In this example, the static command maps access to the dmz1 host 192.168.1.5 through a global address on the outside interface of 204.31.17.5. The conduit command lets any users on the outside access IP address 204.31.17.5 using a web browser on port 80 (www). In this example, the higher security level interface is dmz1 and the lower is the outside interface. On the outside interface, through the use of DNS, a company can map 204.31.17.5 to their web site address of www.caguana.com.

To help you code server access, use this rule for creating static statements:

static (high,low) low high

The idea is to present an IP address to users on one interface that gives them access to a host on another. You use the static command to let users on a lower security level interface access a server on a higher security level interface. You use the nat command to let users on a higher security level interface access a lower security level interface.

To create server access:


Step 1 View the security levels with the show nameif command.

Step 2 Sketch out a diagram of your network and label each interface with its security level and the IP addresses of the hosts you want to provide access to.

For example:

   

PIX Firewall interfaces and servers:

outside: 204.31.17.1, security 0
dmz1: 192.168.1.1, security 40
dmz2: 192.168.2.1, security 60, web server 192.168.2.3
inside: 192.168.3.1, security 100, mail server 192.168.3.4

From this scenario, you will need static statements to let outside users access the dmz2 web server and for dmz1 users to access dmz2. You will need a nat statement to let inside users access the dmz2 web server. For the mail server, you will need static statements for access from the outside, dmz1, and dmz2.

Step 3 Provide access from the outside to the inside mail server with these commands:

static (inside,outside) 204.31.17.4 192.168.3.4 netmask 255.255.255.255
conduit permit tcp host 204.31.17.4 eq smtp any

These commands create a global address of 204.31.17.4 that PIX Firewall maps to the 192.168.3.4 mail server on the dmz2 interface. The conduit statement permits any outside users to access the mail server at the SMTP port (25).

You will need to inform your DNS administrator to create an MX record for the global address (such as 204.31.17.4) so that mail is directed to the correct address.

The "any" in the conduit statement means that any host on the outside interface can access the conduit because the static associates an inside server to an outside address. PIX Firewall makes this distinction to protect access to the conduits. This is very important when there are multiple interfaces. If you set up a conduit for the dmz2 interface to access the dmz1 interface, you would not want outside users to be able to access the conduit. PIX Firewall handles this for you. It automatically determines which interfaces are mapped together with the static statement.

Two conduit statements are required for establishing access to the following services: discard, dns, echo, ident, pptp, rpc, sunrpc, syslog, tacacs-ds, talk, and time. Each service, except for pptp, requires one conduit for TCP and one for UDP. For DNS, if you are only receiving zone updates, you only need a single conduit statement for TCP.

The two conduit statements for the PPTP transport protocol, which is a subset of the GRE protocol, are as shown in this example:

static (dmz2,outside) 204.31.17.5 192.168.1.5 netmask 255.255.255.255
conduit permit tcp host 204.31.17.5 eq 1723 any
conduit permit gre host 204.31.17.5 any

In this example, PPTP is being used to handle access to host 192.168.1.5 on the dmz2 interface from users on the outside. Outside users access the dmz2 host using global address 204.31.17.5. The first conduit statement opens access for the PPTP protocol and gives access to any outside users. The second conduit permits access to GRE. If PPTP was not involved and GRE was, you could omit the first conduit statement.

Step 4 Add the remaining static and conduit statements to let the dmz1 and dmz2 interfaces access the mail server on the inside interface:

static (inside,dmz1) 192.168.1.4 192.168.3.4 netmask 255.255.255.255
conduit permit tcp host 192.168.1.4 eq smtp any
static (inside,dmz2) 192.168.2.4 192.168.3.4 netmask 255.255.255.255
conduit permit tcp host 192.168.2.4 eq smtp any

These statements create a global address on each interface to map to the inside mail server and then create a conduit so that users on each interface can access the mail server via the SMTP port (25).

Step 5 Let users know how to access the server. Users on the inside access the server at 192.168.3.4, users on the dmz1 interface access it at 192.168.1.4, and users on the dmz2 interface access it at 192.168.2.4.

To let users access the web server:


Step 1 Add statements to let users on the various interfaces access the web server on dmz2:

static (dmz2,outside) 204.31.17.3 192.168.2.3 netmask 255.255.255.255
conduit permit tcp host 204.31.17.3 eq www any
static (dmz2,dmz1) 192.168.1.3 192.168.2.3 netmask 255.255.255.255
conduit permit tcp host 192.168.1.3 eq www any
nat (inside) 1 0 0
global (dmz2) 1 192.168.2.10-192.168.2.100 netmask 255.255.255.0

The static and conduit statements work the same way as described before for the mail server, creating a global address through which users on the interface can access the web server. The global command adds a new dimension to server access. Because the inside interface is at a higher security level than the dmz2 interface, instead of using the static and conduit commands to permit access, you use the nat and global commands. (The nat statement is probably a redundancy because your configuration should already have this command as described in the section "Step 6 - Let Users Start Connections"—do not enter this command twice in the configuration.)

The nat statement lets inside users start connections on any interface of a lower security level; therefore, they can access the dmz2 interface. The global command lets the inside users translate their connections to access the address of the web server on the dmz2 interface.

Step 2 Let users know which IP address to use to access the server. Users on the inside interface would access the web server at address 192.168.2.3, as would users on the same interface, dmz2. Users on dmz1 would access it at 192.168.1.3, and users on the outside would access it at 204.31.17.3.
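The static (high,low) low high rule can be checked against the security levels reported by show nameif. The following Python script is an added example, not Cisco code; the configuration is constructed from this section's diagram with three mistakes planted, and the nameif lines assume the form nameif ethernet0 outside security0.

```python
import ipaddress

# Constructed sample (not from a real device). The second static has its two
# addresses swapped, so the www conduit that follows it has nothing to open;
# the third static names the lower security interface first.
SAMPLE_SERVER_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security40
nameif ethernet3 dmz2 security60
ip address outside 204.31.17.1 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
ip address dmz1 192.168.1.1 255.255.255.0
ip address dmz2 192.168.2.1 255.255.255.0
static (inside,outside) 204.31.17.4 192.168.3.4 netmask 255.255.255.255
conduit permit tcp host 204.31.17.4 eq smtp any
static (dmz2,outside) 192.168.2.3 204.31.17.3 netmask 255.255.255.255
conduit permit tcp host 204.31.17.3 eq www any
static (dmz1,dmz2) 192.168.2.4 192.168.1.4 netmask 255.255.255.255
conduit permit icmp any any
"""


def parse_server_config(config):
    """Return security levels, interface subnets, statics and host conduits."""
    levels, nets, statics, conduits = {}, {}, [], []
    for line in config.splitlines():
        t = line.split()
        if len(t) == 4 and t[0] == "nameif" and t[3].startswith("security"):
            levels[t[2]] = int(t[3][len("security"):])
        elif len(t) == 5 and t[:2] == ["ip", "address"]:
            nets[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}").network
        elif len(t) >= 4 and t[0] == "static":
            high, _, low = t[1].strip("()").partition(",")
            statics.append((high, low, ipaddress.ip_address(t[2]),
                            ipaddress.ip_address(t[3])))
        elif len(t) >= 5 and t[:2] == ["conduit", "permit"] and t[3] == "host":
            conduits.append((line.strip(), ipaddress.ip_address(t[4])))
    return levels, nets, statics, conduits


def check_server_access(config):
    """Return findings for static/conduit statements; empty list means clean."""
    levels, nets, statics, conduits = parse_server_config(config)
    known = levels.keys() & nets.keys()
    findings, published = [], set()

    for high, low, global_ip, local_ip in statics:
        name = f"static ({high},{low}) {global_ip} {local_ip}"
        if high not in known or low not in known:
            findings.append(f"{name}: unknown interface name")
        elif levels[high] <= levels[low]:
            # The first interface must be the one the server sits behind.
            findings.append(f"{name}: {high} (security {levels[high]}) is not "
                            f"higher than {low} (security {levels[low]})")
        elif global_ip in nets[low]:
            published.add(global_ip)  # address that users on `low` connect to
        elif global_ip in nets[high] and local_ip in nets[low]:
            findings.append(f"{name}: addresses are swapped, the {low} address "
                            "comes first")
        else:
            findings.append(f"{name}: global address is not in the {low} subnet")

    # A conduit only opens access to an address that a static presents.
    for text, host in conduits:
        if host not in published:
            findings.append(f"{text}: no valid static publishes {host}")
    return findings


if __name__ == "__main__":
    for finding in check_server_access(SAMPLE_SERVER_CONFIG):
        print("FINDING:", finding)
```
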

Step 14 - Add Static Routes

Specify a static route for each network connected to any router. Refer to the section "Step 7 - Create a Default Route" for information on default routes, and to the section "Step 3 - Configure Network Routing" for information on configuring routers and hosts for default routes.

To add static routes:


Step 1 Sketch out a diagram of your network, for example:

   

PIX Firewall interfaces and connected routers:

outside: 204.31.17.1, router: 204.31.17.2
dmz1: 192.168.1.1
dmz2: 192.168.2.1, router 192.168.2.5 connects to 192.168.6.0 and 192.168.7.0
inside: 192.168.3.1, router: 192.168.3.5 connects to 192.168.4.0 and 192.168.5.0

Step 2 When you have three or more interfaces as shown in the diagram, only one default route is permitted:

route outside 0 0 204.31.17.2 1

This statement sends all packets destined for the default route, IP address 0.0.0.0 (abbreviated as 0, and 0 for the netmask), to the router 204.31.17.2. The "1" at the end indicates that the router is the router closest to the PIX Firewall; that is, one hop away.

In addition, you must add static routes for the networks that connect to the inside router as follows:

route inside 192.168.4.0 255.255.255.0 192.168.3.5 1
route inside 192.168.5.0 255.255.255.0 192.168.3.5 1

These static route statements can be read as "for packets intended for either network 192.168.4.0 or 192.168.5.0, ship them to the router at 192.168.3.5." The router decides which packet goes to which network. The PIX Firewall is not a router and cannot make these decisions.

The "1" at the end of the statement specifies how many hops (routers) the router is from the PIX Firewall. Because it is the first router, you use 1.

Step 3 Add the static routes for the dmz2 interface:

route dmz2 192.168.6.0 255.255.255.0 192.168.2.5 1
route dmz2 192.168.7.0 255.255.255.0 192.168.2.5 1

These statements direct packets intended for the 192.168.6.0 and 192.168.7.0 networks back through the router at 192.168.3.5.

Step 15 - Enable Syslog

The syslog message facility in the PIX Firewall is a useful means to view troubleshooting messages and to watch for network events such as attacks and service denials. You can view syslog messages either from the PIX Firewall console or from a syslog server that the PIX Firewall sends syslog messages to.

To view messages from the PIX Firewall console:


Step 1 Use the enable command followed by the configure terminal command to get to configuration mode.

Step 2 Start storing messages in the PIX Firewall message buffer with the logging command:

logging buffered debugging

This command opens syslog up for all possible messages. The debugging setting is very useful for troubleshooting, but on a PIX Firewall in production, will generate too many messages to make troubleshooting viable. If you are testing a production mode PIX Firewall, substitute the errors keyword for the debugging keyword. This will reduce the messages to only those generated by logging levels 0, 1, 2, and 3. Refer to the System Log Messages for the PIX Firewall guide for information about which messages display at each syslog level. You can view this guide online at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/syslog/index.htm

Step 3 Trigger some event in the PIX Firewall; for example, ping a host through the PIX Firewall. If your security policy permits pings, ensure that the ICMP conduit is in your configuration by using the show conduit command and checking for this statement:

conduit permit icmp any any

If this command is not present, then add it.

Step 4 View the syslog messages with the show logging command. New messages append to the end of the display.

Step 5 To clear the messages in the buffer, use the clear logging command.

Step 6 When done, set the logging buffered command back to a minimal setting such as:

logging buffered alerts

This command will only store messages of levels 0 and 1.

To view syslog messages on a Telnet console session:


Step 1 Start Telnet and specify the inside interface of the PIX Firewall. Enter the Telnet password, which is cisco by default.

Step 2 Use the enable command followed by the configure terminal command to get to configuration mode.

Step 3 Start message logging with the logging monitor command.

Step 4 Display messages directly to the Telnet session by entering the terminal monitor command.

Step 5 Trigger some events by pinging a host or starting a web browser. The syslog messages then appear in the Telnet session window.

Step 6 When done, disable this feature with these commands:

terminal no monitor
no logging monitor

The remainder of this section provides additional information on the logging command and describes how to configure PIX Firewall to send messages to a syslog server.

More on the logging Command

The logging facility and logging level commands configure the facility and level of syslog messages. Because network devices share the eight facilities, logging facility lets you set the facility marked on all messages. Messages are sent to the syslog host over UDP. The logging on command starts sending messages onto the network. Use the logging host command to specify which systems receive the messages.

You can use show logging to view previously sent messages.

The PIX Firewall generates syslog messages for system events, such as security alerts and resource depletion. Syslog messages may be used to create email alerts and log files, or displayed on the console of a designated host using UNIX syslog conventions.

A PC WinSock version of syslogd will also work.

The PIX Firewall sends syslog messages to document the following events:

Security—Dropped UDP packets and denied TCP connections.

Resources—Notification of connection and translation slot depletion.

System—Console and Telnet logins and logouts, and when the PIX Firewall reboots.

Accounting—Bytes transferred per connection.

Logging is enabled by configuring the PIX Firewall with the IP address of the log host.

Syslog Facility and Level

The logging facility and logging trap commands let you specify the syslog facility and level for how messages are sent to the syslog host.

There are eight facilities, LOCAL0(16) through LOCAL7(23); the default is LOCAL4(20). Hosts file the messages based on the facility number in the message.

The level specifies the types of messages sent to the syslog host. For example, setting the level to 3, the default value, allows messages with levels 0, 1, 2, and 3 to display. The level values are:

Table 2-2 Syslog Message Levels

Use Level:   Or Use this Name:   For This Type of Message:
0            emergencies         System unusable messages
1            alerts              Take immediate action
2            critical            Critical condition
3            errors              Error message
4            warnings            Warning message
5            notification        Normal but significant condition
6            informational       Information message
7            debugging           Debug messages and log FTP commands and WWW URLs. For more information about logging FTP commands and URLs, refer to "FTP and URL Logging" in Chapter 3, "."


Configuring PIX Firewall to Send Syslog Messages

To configure the PIX Firewall to send syslog messages to the UNIX host:


Step 1 Enable the syslog facility with the logging on command. The PIX Firewall will start storing syslog messages in its internal storage buffer.

Step 2 Specify the IP address of the host that will receive the syslog messages with the following command:

logging host interface ip_address

Replace interface with the name of the interface on which the syslog server resides. Replace ip_address with the IP address of the syslog server.

For example, if the syslog server is on the dmz interface at 192.168.1.2, the command would be:

logging host dmz 192.168.1.2 

Step 3 Set the syslog message facility to 20 (the standard for UNIX and many other syslog servers) as follows:

logging facility 20

Facility 20 sends messages to the UNIX local4 message receiving mechanism, which is described in the section Configuring a UNIX System for Syslog.

Step 4 Instruct the PIX Firewall to send messages to the syslog server with the following command:

logging trap warnings

This same command starts sending syslog events to an SNMP server as well.

Step 5 You can test that the PIX Firewall is generating messages by using the show logging command. If the messages do not seem to arrive at the UNIX server after you have configured it as described in the next section, testing whether the packets are sent requires a network sniffer or some other way to view packets on the network.

Configuring a UNIX System for Syslog

After you have configured PIX Firewall to send syslog messages, configure either a PC or UNIX host to receive the messages. This section describes how to configure a UNIX host to receive syslog messages.

To configure a UNIX system to accept syslog messages:


Step 1 Use the PIX Firewall logging host command to configure the PIX Firewall to send syslog messages to the UNIX host's IP address.

Step 2 Log into the UNIX system as root (superuser) and execute the following commands; change name to the log file in which you want syslog messages to appear:

# mkdir /var/log/pix
# touch /var/log/pix/pixfirewall

Step 3 While still logged in as root, edit the /etc/syslog.conf file with a UNIX editor and add a single selector and action pair for local4.error which will receive all the PIX Firewall syslog messages:

# PIX Firewall syslog messages
local4.error     /var/log/pix/pixfirewall

This configuration directs the PIX Firewall syslog message to the specified file. Alternatively, if you want the message sent to the logging host console or emailed to a system administrator, refer to the UNIX syslog.conf(4) manual page.


Note   The UNIX log file can grow to several megabytes per day when monitoring a busy PIX Firewall.


Entries in /etc/syslog.conf must follow these rules:

(a) Comments, which start with the pound (#) character, are only allowed on separate lines.

(b) Separate the selector and action pairs with a tab character. Blanks are not acceptable.

(c) Ensure that there are no trailing spaces after the file names.

Step 4 Inform the syslog server program on the UNIX system to reread the syslog.conf file by sending it a HUP (hang up) signal with the following command:

# kill -1 `cat /etc/syslog.pid`

The cat command inside the backquotes lists the syslog process ID. This number may vary by system. The kill -1 command then sends syslog the HUP signal to cause it to restart.
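The facility and level settings from "Syslog Facility and Level" and the syslog.conf entry rules (a) through (c) can be checked together before syslogd is sent the HUP signal. The following Python sketch is an added example, not part of the original Cisco procedure; the function names, the sample file contents and the set of priority keywords are assumptions, and it relies on the usual syslogd behaviour that a facility.priority selector files messages of that priority and all more severe ones.

```python
import re

# PIX level keywords from Table 2-2, mapped to their numeric levels.
PIX_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
              "warnings": 4, "notification": 5, "informational": 6, "debugging": 7}
# Priority keywords of a typical UNIX syslogd (assumed set; see syslog.conf(4)).
CONF_PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
                   "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7, "*": 7}

# Constructed sample: line 2 is the entry from Step 3, line 3 breaks rules (b) and (c).
SAMPLE = ("# PIX Firewall syslog messages\n"
          "local4.error\t/var/log/pix/pixfirewall\n"
          "local4.warning    /var/log/pix/warnings \n")


def pri(facility, level):
    """PRI number at the front of each syslog datagram: facility * 8 + level."""
    return facility * 8 + level


def lint_syslog_conf(text):
    """Apply rules (a)-(c); return (problems, rules), rules being (facility, level)."""
    problems, rules = [], []
    for n, line in enumerate(text.split("\n"), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line, or a comment on its own line
        found, body = [], line
        if "#" in line:
            found.append("rule (a): comment shares a line with an entry")
            body = line.split("#", 1)[0].rstrip()
        m = re.fullmatch(r"(\S+)([ \t]+)(\S+)([ \t]*)", body)
        if not m:
            found.append("not a selector and action pair")
        else:
            if set(m.group(2)) != {"\t"}:
                found.append("rule (b): selector and action not separated by tabs only")
            if m.group(4):
                found.append("rule (c): trailing blanks after the file name")
        if found:                         # a faulty entry is reported, not trusted
            problems += [(n, p) for p in found]
            continue
        for selector in m.group(1).split(";"):
            facility, _, prio = selector.partition(".")
            if prio in CONF_PRIORITIES:
                rules.append((facility, CONF_PRIORITIES[prio]))
            else:
                problems.append((n, "unknown priority %r" % prio))
    return problems, rules


def unfiled_levels(rules, facility, trap):
    """PIX levels sent under 'logging trap <trap>' that no selector would file."""
    name = "local%d" % (facility - 16)    # LOCAL0(16) through LOCAL7(23)
    filed = max([lvl for fac, lvl in rules if fac in (name, "*")], default=-1)
    return [kw for kw, lvl in PIX_LEVELS.items() if filed < lvl <= PIX_LEVELS[trap]]


if __name__ == "__main__":
    problems, rules = lint_syslog_conf(SAMPLE)
    for n, problem in problems:
        print("line %d: %s" % (n, problem))
    print("PRI of a local4 warning:", pri(20, 4))
    print("sent but not filed:", unfiled_levels(rules, 20, "warnings"))
```

With logging facility 20 and logging trap warnings on the firewall, the check reports level 4 as sent but not filed by a local4.error selector, which is worth knowing before relying on the log file for warning-level events.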

Step 16 - Create Access Lists

PIX Firewall provides the outbound and apply commands, which you can use to limit internal users' access to services on external interfaces. Use these commands to limit access by users on a higher security level interface to a lower security level interface; for example, from the inside to the outside, from the inside to a perimeter interface, or between perimeter interfaces. These commands follow the direction of the nat command, which also runs from a higher security level interface to a lower security level interface.

The outbound and apply commands are closely interwoven. Depending on how you set the apply command, you use the outbound command to specify the details. The apply command lets you specify the interface you want to protect and how you are using the access list: to limit service access to your internal users (with the outgoing_src option), or to limit internal users' access to a specific site (with the outgoing_dest option).

The outbound command specifies whether you are permitting or denying access, the affected IP addresses, and the port number or numbers. To coordinate the outbound and apply statements, there is an identification number on both commands called the "list ID." The list ID is also used to order groups of commands so as to determine which group is processed first. This number is independent of the nat and global identification numbers; you can use the same number or another. Cisco recommends coding list IDs with gaps to permit future additions, such as 10, 20, 30, or 100, 200, 300. Just be sure to use the same list ID on the apply statement as on the outbound command for the same group. For example:

outbound 10 deny 0 0 www tcp
outbound 10 permit 192.168.1.2 255.255.255.255 www tcp
apply (dmz1) 10 outgoing_src

In addition, the order in which you specify the outbound commands determines how PIX Firewall evaluates them. The outbound command statements are ordered first by denies, then permits, and then by the list ID. The except option to this command has its own set of rules, which are best viewed on the outbound / apply command page in Chapter 5, "."

There are a few caveats with the outbound command. With the outgoing_src option to apply, you can only specify the internal hosts that are affected, not where you want them to go. Use outgoing_src to regulate access to services (ports) and protocols.

With the outgoing_dest option, you can only specify which host you do not want users to access; you cannot limit specific users' access to the host. Use outgoing_dest to regulate access to a host.

Before creating an access list:


Step 1 Use the show nameif command to view the security levels of each interface.

Step 2 Use a nat statement to let the users on the higher security level interface start connections on lower security level interfaces. For example, use nat (inside) 1 0 0 to let inside users start connections, use nat (dmz1) 1 0 0 for dmz1 users, or nat (dmz2) 1 0 0 to let dmz2 users start connections.

To limit users' access to a service:


Step 1 Create a blanket deny to limit higher security level users from accessing whatever service you are limiting. For example, to limit users on the 192.168.1.0 network on the dmz1 interface from using chat services on the outside, use:

outbound 10 deny 192.168.1.0 255.255.255.0 irc tcp

Step 2 If required, permit access to those users who require access to this service; for example, to researchers studying social rituals who need to use chat in their work:

outbound 10 permit 192.168.1.42 255.255.255.255 irc tcp

Step 3 Then add the apply statement to determine how you want to use the outbound list. In this example, because you are blocking every user at the source, use the outgoing_src option of the apply command:

apply (dmz1) 10 outgoing_src

To limit users' access to a host:


Step 1 In this example, you want to keep dmz1 users from accessing a specific web site at 204.31.17.42 with objectionable material:

outbound 20 deny 204.31.17.42 255.255.255.255 www tcp

Step 2 Add the apply statement:

apply (dmz1) 20 outgoing_dest

Step 17 - Add User Authentication

User authentication and authorization starts with your security policy and the respective inside RADIUS or TACACS+ server that you have.

Authentication verifies that a user is who they say they are. Authorization determines what services a user can use to access a host.

From the configuration on this server you need to determine which users can access the network, which services they can use, and what hosts they can access. Once you have this information, you can configure the PIX Firewall to either enable or disable authentication or authorization.

In addition, you can also configure the firewall to permit users access to specific hosts or services. However, if you configure the firewall to this degree, you risk the information being different between the authentication server and the firewall. After you enable authentication and authorization, the PIX Firewall provides credential prompts to inbound or outbound users for FTP, Telnet, or HTTP (Web) access. The actual decision about who can access the system and with what services is handled by the authentication and authorization servers.

To provide user authentication and authorization:


Step 1 For inbound authentication, create the static and conduit statements required to permit outside hosts to access servers on the inside network. This is described in "Step 13 - Add Server Access."

Step 2 Use the global command to create a global address pool: a pool of registered IP addresses if the external network connects to the Internet, or a pool of intranet addresses if the network connects to an intranet. Then specify which inside hosts can start outbound connections with the nat command and with the access control list features found in the outbound and apply commands.

Step 3 Specify which server handles authentication or authorization with the radius-server or the tacacs-server commands. RADIUS can provide authentication but not authorization.

Step 4 Enable authentication with the aaa authentication command. It is best to use this command only to enable authentication with one or both of the following commands:

aaa authentication any outbound 0 0 0 0 tacacs+
aaa authentication any inbound 0 0 0 0 tacacs+

In these commands, if the server is RADIUS, use radius instead of tacacs+. Although the aaa authentication command lets you specify which hosts are authenticated, if you implement this level of management in the firewall, you run the risk that your authentication server and the firewall have different configurations. For example, if the authentication server is only accepting Telnet logins and you set the firewall for FTP, no users will be authenticated.

Step 5 Enable authorization with the aaa authorization command. Even though this command lets you specify which services and inside hosts an authorized user can access, it is best to not set it here and only use this command to enable authorization. The authorization server should make the decision. Use one or both of the following commands:

aaa authorization any outbound 0 0 0 0
aaa authorization any inbound 0 0 0 0

Step 18 - Recheck the Configuration

When you have completed your configuration, check it carefully as described in the following steps and tips:


Step 1 Check that the interface addresses, global and NAT addresses, and route addresses are unique. All interfaces must be defined, have valid addresses, and appropriate masks.

Step 2 If you have more than two interfaces, check the nameif command for the security level.

Step 3 If you are establishing access from a higher security level interface to a lower security interface, use the nat and global commands:

(a) Make sure that the NAT ID used in the nat command is the same as used in the global command.

(b) For the global statement, ensure that you have enough global addresses for users in the network.

(c) Check the IP addresses to be sure they are correctly entered.

(d) If you use subnetting, be sure to specify a subnet mask with the global command and be sure that the addresses you specify are correct for the subnet mask range. Refer to Appendix E, "" for more information about subnet mask ranges.

Step 4 If you are establishing access from a lower security interface to a higher security interface, use the static and conduit commands:

(a) For server access, make sure that you have a conduit command for every static command you specify.

(b) Code conduit commands as tightly as possible. For example, specify which network can access the conduit and specify the exact port for which you permit access.

(c) Make sure that the global address in the static command is the same in the conduit command. For example, if users on the dmz1 interface need to access a server on the dmz2 interface (dmz2 has a higher security level than dmz1), use commands similar to this example:

static (dmz2,dmz1) 10.1.1.2 192.168.1.2 netmask 255.255.255.255
conduit permit tcp host 10.1.1.2 eq smtp 10.1.1.0 255.255.255.0

In this example, the static statement maps the 192.168.1.2 mail server on the dmz2 interface so that users on the dmz1 interface can access the server as 10.1.1.2. The conduit statement specifies that only users on the 10.1.1.0 network can access the server via the SMTP port (25).

(d) Check that each static and conduit statement pair has the correct addresses.

(e) Check that two conduit statements are entered for establishing access to the following services: discard, dns, echo, ident, pptp, rpc, sunrpc, syslog, tacacs-ds, talk, and time. Each service, except for pptp, requires one conduit for TCP and one for UDP. For DNS, if you are only receiving zone updates, you only need a single conduit statement for TCP. Refer to the section "Step 13 - Add Server Access" for an example of two conduit statements for the PPTP protocol.

Step 5 If an outbound list exists, ensure that the apply statement is correct and that the list ID matches between the outbound and apply statements.

Step 6 Ensure that the route statements point to routers on appropriate interfaces. Ping these routers from the PIX Firewall to make sure they exist.

Step 7 Ensure that there is only one default route statement to the outside interface.

Step 8 Ensure that the global pool contains enough addresses for the number of clients on the interface to which it applies. If PAT is in use, ensure that it is configured with the same nat statement identifier as the main pool of global addresses.

Step 9 When you ping from an internal or external host during testing, use the debug icmp trace command to ensure that traffic is moving through the firewall correctly. If you are using version 4.2(3), before using the debug command, use the who command to see if there are any Telnet sessions to the console. If the debug command finds a Telnet session, it automatically sends the debug output to the Telnet session instead of the console. This will cause the serial console session to seem as though no output is appearing when it is really going to the Telnet session.

Step 10 Consult with your ISP (Internet service provider) to make sure that all addresses used in globals are routed to your outside router before configuring the PIX Firewall with global addresses.

Step 11 If you use the same IP address range on all interfaces, IP addresses on the inside and outside (and perimeter) interfaces must be on different subnets.
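The pairing checks in Steps 3(a), 4(a), 4(c) and 5 above, which include the list ID rule from "Step 16 - Create Access Lists", can be run mechanically over a saved configuration. The following Python sketch is an added example, not a Cisco tool; the function name and sample configuration are assumptions, it parses only the statement forms shown in this chapter, and it treats NAT ID 0 as exempt on the assumption that it marks untranslated traffic.

```python
# Constructed sample: statements from this chapter plus deliberately broken ones.
# The 192.0.2.x and 10.0.0.5 addresses are placeholders, not from the chapter.
SAMPLE_CONFIG = """\
nat (inside) 1 0 0
nat (dmz1) 2 0 0
global (outside) 1 192.0.2.10-192.0.2.20
static (dmz2,dmz1) 10.1.1.2 192.168.1.2 netmask 255.255.255.255
conduit permit tcp host 10.1.1.2 eq smtp 10.1.1.0 255.255.255.0
conduit permit icmp any any
static (inside,outside) 192.0.2.30 10.0.0.5 netmask 255.255.255.255
outbound 10 deny 192.168.1.0 255.255.255.0 irc tcp
outbound 10 permit 192.168.1.42 255.255.255.255 irc tcp
outbound 20 deny 204.31.17.42 255.255.255.255 www tcp
apply (dmz1) 10 outgoing_src
apply (dmz1) 30 outgoing_dest
"""


def recheck(config):
    """Run the pairing checks of Step 18 (3a, 4a, 4c and 5); return sorted findings."""
    seen = {key: set() for key in
            ("nat", "global", "static", "conduit", "outbound", "apply")}
    for line in config.splitlines():
        # Drop the "(interface)" token so the ID or address is always field 1.
        fields = [f for f in line.split() if not f.startswith("(")]
        if len(fields) < 2 or fields[0] not in seen:
            continue
        if fields[0] == "conduit":
            # After "conduit permit|deny protocol" comes "host A", "any" or "A mask".
            target = fields[3:5]
            if target[:1] == ["host"] and len(target) == 2:
                seen["conduit"].add(target[1])
            elif target and target[0] not in ("any", "host"):
                seen["conduit"].add(target[0])
        else:
            seen[fields[0]].add(fields[1])
    findings = []
    # Step 3(a): the NAT ID must match between nat and global.
    # ID 0 is skipped (assumption: it marks traffic that is not translated).
    findings += ["nat id %s has no global" % i
                 for i in seen["nat"] - seen["global"] - {"0"}]
    findings += ["global id %s has no nat" % i for i in seen["global"] - seen["nat"]]
    # Step 4(a) and 4(c): each static needs a conduit naming the same global address.
    # A conduit for "any" is not counted as covering a particular static.
    findings += ["static %s has no conduit" % a
                 for a in seen["static"] - seen["conduit"]]
    # Step 5: list IDs must match between outbound and apply.
    findings += ["outbound list %s has no apply" % i
                 for i in seen["outbound"] - seen["apply"]]
    findings += ["apply %s has no outbound list" % i
                 for i in seen["apply"] - seen["outbound"]]
    return sorted(findings)


if __name__ == "__main__":
    for finding in recheck(SAMPLE_CONFIG):
        print(finding)
```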

Additional tips to consider are as follows:

Ethernet network interface cards support both half and full duplex transmissions. However, the 3Com 10/100 card on earlier PIX Firewalls does not support 100 Mbps full duplex or the 100full option to the interface command. These interfaces also report "line protocol down" with the show interface command.

Use the timeout command to decrease the xlate and conn timer, if you see these syslog messages:

%PIX-3-305005: No translation group found for packet
%PIX-3-305006: xlate_type translation creation failed for packet

When the messages display, the contents of the packet display as text. The xlate_type can be static, portmapped, or regular. Portmapped refers to a PAT global.

If you have a router on the inside, the hosts inside need a default gateway pointing to the inside router and the inside router needs a default gateway pointing to the PIX Firewall's inside interface. Only specify one default gateway.

If you have a global pool and if it is not on the same subnet as the router outside, the outside router MUST have a static route pointing back towards the outside interface of the PIX Firewall.

Use the write memory command often to save your configuration to Flash memory.

Use the write memory and reload commands after changing alias, conduit, global, nat, or static commands.

Use the no failover command to disable failover if it is not in use.

Evaluate your connections allowed through the PIX Firewall by using the show conn command. Add the "in use" and "remain" values to see how many connections your license permits. If your security policy allows HTTP access, use a 1:4 user/connection ratio for Netscape Navigator and a 20:4 ratio for Microsoft Internet Explorer. Remember that all outbound connections through the PIX Firewall are counted, even outbound from a perimeter interface to the outside.