Cisco SMB Support Assistant
Set Up Your PIX Security Appliance using PIX Device Manager
 

Set Up Internet Security on the PIX Security Appliance



    Step 1:   SMB Support Assistant Site Survey
    Step 2:   Set Up Your PIX Security Appliance Hardware
    Step 3:   Prepare to Configure Your PIX Security Appliance
    Step 4:   Configure Your PIX Security Appliance with PIX Device Manager
    Step 5:   Configure the PIX Security Appliance with Adaptive Security Device Manager
    Step 6:   Set Up Internet Security on the PIX Security Appliance
                      Introduction
                      Requirements
                      Connect to the PIX
                      Configure Fixup Protocol Rules
                      Configure Access Control Lists
                           Create an ACL to Control Incoming Traffic
                           Create Additional Security Rules
                           Create Optional ACL Rules on the Inside Interface
                           Create ACL Rules for the Outside Interface
                      Configure Network Address Translation
                           Set Up NAT with a Dynamic IP Address
                           Set Up NAT with a Static IP Address
                      Set Up Port Address Translation
                      Next Step
                      Troubleshoot the Procedure
                      Related Information



Introduction

This document describes how to configure a firewall on your PIX Security Appliance. A firewall is a protective barrier made up of rules that regulate the Internet and network traffic flowing in and out of your network. This document shows you how to set up rules that protect your network while allowing necessary traffic to flow in and out.


Requirements

To perform the steps described in this document, you need to have these items:

  • Ensure that all steps in Configure the PIX Security Appliance have been completed successfully.

  • One of these web browsers, with JavaScript and Java enabled:

    • Netscape version 7.1 or later

    • Internet Explorer version 5.5 or later

  • Completed worksheets as instructed in the Site Survey:

    • Completed Remote Networking Assignments worksheet

    • Completed Internet Worksheet

    • Completed Firewall Worksheet

    • Completed LAN Addressing Worksheet


Connect to the PIX

Complete these steps to access the PIX:

  1. Open a browser and type https://pix_interface_ip_address into the Address field. Refer to field R12 of the Remote Networking Assignments worksheet.

    Note: Ensure that you add the "s" to "https" or the web browser cannot connect. HTTPS (HTTP over SSL) provides a secure connection between your browser and the PIX Security Appliance.

  2. Leave the user name blank and enter the enable password found on line B12 of the Internet Worksheet, then press Enter.

  3. Accept the security certificates (if they appear).

  4. When the next logon screen appears, enter the enable password again and click OK to continue.

  5. When the security warning screen appears, click Always to accept the certificates and launch PIX Device Manager (PDM).


Configure Fixup Protocol Rules

To configure fixup protocol rules on the firewall, follow these steps:

  1. Go to PDM > Configuration > System Properties.

  2. From the PDM home page, click Configuration, and then click the System Properties tab.

  3. From the Categories menu on the left side of the window, click Advanced > Fixup.

    pix-firewall15.gif

  4. To configure the fixup protocol rule, follow these steps:

    1. The list of fixup protocols is displayed on the right side of the panel under Fixup Summary. Click Advanced > Fixup > ICMP Error.

    2. Fixup Summary will be replaced with ICMP Error. Check the Enable NAT for ICMP error messages box.

    3. Click Apply.

    4. Click MGCP. The MGCP information appears in the right side of the PDM Configuration panel.

      pix-firewall16.gif

    5. Enter 2427 in the Low Port box under Port(s) To Be Added.

    6. Click Add.

    7. Click Apply.

    8. Click PPTP in the tree view.

    9. Enter 1723 in the Low Port box under Port(s) To Be Added.

    10. Click Add.

    11. On the same panel, enter 47 in the Low Port box under Port(s) To Be Added.

    12. Click Add.

    13. Click Apply.

    14. Click SMTP in the tree view.

    15. Enter 465 in the Low Port box under Port(s) To Be Added.

    16. Click Add.

    17. Click Apply.

      Note: In the Fixup Summary panel, the protocols that you changed now show the port number or Enabled instead of Disabled.

  5. Click the Save icon at the top of the panel.

  6. When prompted to save the running configuration to flash memory, click Apply.


Configure Access Control Lists

An access control list (ACL) lets you specify what type of traffic to allow into an interface. By default, traffic that is not explicitly permitted is denied.

Create an ACL to Control Incoming Traffic

Complete these steps to create ACLs on your device:

  1. Go to PDM > Configuration.

    pix-firewall01.gif

  2. On the PDM home page, click Configuration.

  3. On the Configuration page, ensure that the Access Rules tab is displayed and that the Access Rules radio button is selected.

    pix-firewall02.gif

  4. Create an ACL rule to block all incoming traffic that is not sent to the PIX.

    1. The Rules menu is accessible from the Configuration view. Click Rules > Add.

      pix-firewall03.gif

    2. When the Add Rule panel appears, select permit from the drop-down list under Action.

      pix-firewall04.gif

    3. Under Source Host/Network, select IP Address.

    4. For the Interface, select outside.

    5. Leave the IP address and Mask set to 0.0.0.0.

    6. Under Protocol and Service, select IP.

    7. Under IP protocol, select any.

    8. For Syslog leave the box unchecked.

    9. Under Destination Host/Network, select IP Address.

    10. For IP address, enter the IP address of the PIX found on line R12 of the Remote Network Addressing worksheet.

    11. For the Mask, select 255.255.255.255 from the drop-down list.

    12. In the text box at the bottom of the Add Rule panel, enter a descriptive name for this rule.

    13. Click OK to save the rule.

  5. Create an ACL rule to allow incoming web traffic:

    1. Click Rules > Insert After.

    2. Select permit from the drop-down list under Action.

    3. Under Source Host/Network, select IP Address.

    4. For the Interface, select outside.

    5. Leave the IP address and Mask set to 0.0.0.0.

    6. Under Protocol and Service, select TCP.

    7. Under Service, select any.

    8. For Syslog, leave the box unchecked.

    9. Under Destination Host/Network, select IP Address.

    10. For IP address, enter the IP address of the PIX found on line R12 of the Remote Network Addressing worksheet.

    11. For the Mask, select 255.255.255.255 from the drop-down list.

    12. In the text box at the bottom of the Add Rule panel, enter a descriptive name for this rule.

    13. Under Destination Port, select Service. Click the details button (...) and select www.

      pix-firewall05.gif

    14. Click OK.

    15. At the bottom of the Insert After Rule panel, enter a descriptive name for this rule.

    16. Click OK to save this rule.

  6. Create an ACL rule to allow incoming secure web traffic.

    1. Click Rules > Insert After.

    2. Select permit from the drop-down list under Action.

    3. Under Source Host/Network, select IP Address.

    4. For the Interface, select outside.

    5. Leave the IP address and Mask set to 0.0.0.0.

    6. Under Protocol and Service, select TCP.

    7. Under Source Port, select www.

    8. Under Destination Host/Network, select IP Address.

    9. For the Interface, select inside.

    10. Leave IP address and Mask set to 0.0.0.0.

    11. Under Destination Port, select https.

    12. At the bottom of the Insert Rule After panel, enter a descriptive name for this rule.

    13. Click OK to save this rule.

  7. Create an ACL rule to block incoming network broadcast traffic from the Internet.

    1. Click Rules > Insert After.

    2. Select deny from the drop-down list under Action.

    3. Under Source Host/Network, select IP Address.

    4. For the Interface, select outside.

    5. Leave the IP address and Mask set to 0.0.0.0.

    6. Under Protocol and Service, select IP.

    7. Under IP protocol, select any.

    8. Under Destination Host/Network, select IP Address.

    9. For the Interface, select inside.

    10. Leave IP address and Mask set to 255.255.255.255.

    11. At the bottom of the Insert Rule After panel, enter a descriptive name for this rule.

    12. Click OK to save this rule.

  8. Create an ACL rule to allow incoming Secure Shell (SSH) traffic on TCP.

    1. Click Rules > Insert After.

    2. Select permit from the drop-down list under Action.

    3. Under Source Host/Network, select IP Address.

    4. For the Interface, select outside.

    5. Leave the IP address and Mask set to 0.0.0.0.

    6. Under Protocol and Service, select TCP.

    7. Under Source Port select Service. Click the details button (...) and select ssh.

    8. Under Destination Host/Network, select IP Address.

    9. For the Interface, select inside.

    10. For IP address enter the IP address of the PIX found on line R12 of the Remote Network Addressing worksheet.

    11. For the Mask, select 255.255.255.255 from the drop-down list.

    12. Under Destination Port, select Service. Click the details button (...) and select ssh.

    13. At the bottom of the Insert Rule After panel, enter a descriptive name for this rule.

    14. Click OK to save this rule.

  9. Click the Save icon at the top of the panel.

  10. When prompted to save the running configuration to flash memory, click Apply.

  11. Create an ACL rule to allow incoming Network Time Protocol traffic on UDP port 123.

    1. Click Rules > Insert After.

    2. Select permit from the drop-down list under Action.

    3. Under Source Host/Network, select IP Address.

    4. For the Interface, select outside.

    5. Leave the IP address and Mask set to 0.0.0.0.

    6. Under Protocol and Service, select UDP.

    7. Under Source Port select Service. Click the details button (...) and select ntp.

    8. Under Destination Host/Network, select IP Address.

    9. For the Interface, select inside.

    10. For IP address enter the IP address of the PIX found on line R12 of the Remote Network Addressing worksheet.

    11. For the Mask, select 255.255.255.255 from the drop-down list.

    12. Under Destination Port, select Service. Click the details button (...) and select ntp.

    13. At the bottom of the Insert Rule After panel, enter a descriptive name for this rule.

    14. Click OK to save this rule.

  12. Click the Save icon at the top of the panel.

  13. When prompted to save the running configuration to flash memory, click Apply.

  14. Create a rule to allow incoming ICMP messages of type time-exceeded.

    1. Click the System Properties tab. From the tree view on the left, select Administration.

    2. Select ICMP.

    3. When the ICMP information appears in the right side of the panel, click Add.

    4. When the Add ICMP Rule panel appears, select time-exceeded from the ICMP Type drop-down list.

      pix-firewall06.gif

    5. For the Interface, select inside.

    6. For IP Address, enter 0.0.0.255.

    7. For the Mask, select 255.255.255.255 from the drop-down list.

    8. Select permit from the drop-down list under Action.

    9. Click OK.

  15. Create a rule to allow incoming ICMP messages of type traceroute.

    1. Click Add.

    2. For ICMP Type, choose traceroute.

    3. For the Interface, select inside.

    4. For IP Address, enter 0.0.0.255.

    5. For the Mask, select 255.255.255.255 from the drop-down list.

    6. Select permit from the drop-down list under Action.

    7. Click OK.

    8. Click Apply.

  16. Click the Save icon at the top of the panel.

  17. When prompted to save the running configuration to flash memory, click Apply.
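
The outside-interface rules built above, modelled as an added example (not code from the Cisco page) with the first-match, implicit-deny semantics the page describes. The PIX address is a constructed placeholder for worksheet line R12, and the broadcast rule is read as destination host 255.255.255.255 (an assumption). The shadow check shows that the first rule, which permits all IP traffic to the PIX, already matches the later www, SSH and NTP rules to the PIX, so those rules never become the first match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder for the PIX address on worksheet line R12 (not a real value).
PIX_IP = "203.0.113.10"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; otherwise "tcp" or "udp"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


# The outside-interface rules from the procedure above, in the order they are inserted.
# The broadcast rule is read as destination host 255.255.255.255 (an assumption).
OUTSIDE_ACL = [
    Rule("permit-to-pix",  "permit", "ip",  ANY, f"{PIX_IP}/32"),
    Rule("permit-www",     "permit", "tcp", ANY, f"{PIX_IP}/32", 80),
    Rule("permit-https",   "permit", "tcp", ANY, ANY, 443),
    Rule("deny-broadcast", "deny",   "ip",  ANY, "255.255.255.255/32"),
    Rule("permit-ssh",     "permit", "tcp", ANY, f"{PIX_IP}/32", 22),
    Rule("permit-ntp",     "permit", "udp", ANY, f"{PIX_IP}/32", 123),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet falls inside every field the rule constrains."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: list, pkt: Packet):
    """First matching rule decides; no match falls through to the implicit deny."""
    for idx, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, idx, rule.name
    return "deny", None, "implicit-deny"


def covers(wide: Rule, narrow: Rule) -> bool:
    """True when every packet matching `narrow` would already match `wide`."""
    proto_ok = wide.proto == "ip" or wide.proto == narrow.proto
    src_ok = ip_network(narrow.src).subnet_of(ip_network(wide.src))
    dst_ok = ip_network(narrow.dst).subnet_of(ip_network(wide.dst))
    port_ok = wide.dport is None or wide.dport == narrow.dport
    return proto_ok and src_ok and dst_ok and port_ok


def shadowed_rules(acl: list) -> dict:
    """Map each rule that can never be the first match to the earlier rule covering it."""
    shadowed = {}
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if covers(earlier, later):
                shadowed[later.name] = earlier.name
                break
    return shadowed
```

Running shadowed_rules(OUTSIDE_ACL) is a quick review step after any rule change: a permitted port that shows up as shadowed is being allowed by a broader rule above it, not by the rule you think.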

Create Additional Security Rules

Now that you have created the rules for SSH, you need to create rules for the PIX to recognize the sessions. To create the additional security rules, follow these steps:

  1. Create a rule for Telnet.

    1. Click the System Properties tab. From the tree view on the left, select Administration > Password.

      pix-firewall07.gif

    2. Under Telnet Password, enter cisco for the Old Password.

    3. Enter a strong password in the New Password field. For information on how to create strong passwords, refer to Password Security.

    4. Enter the password again to confirm.

    5. Click Apply.

    6. From the tree view, click Telnet.

    7. In the right side of the panel, click Add.

    8. When the Add Telnet Configuration window appears, select inside from the Interface Name drop-down list.

      pix-firewall08.gif

    9. For the IP Address, enter 192.168.0.0.

    10. For the Mask, select 255.255.0.0 from the drop-down list.

    11. Click OK.

    12. Click Apply.

  2. Create a rule for SSH.

    1. In the tree view, click Secure Shell.

    2. For the IP Address, enter 192.168.0.0.

    3. For the Mask, select 255.255.0.0 from the drop-down list.

    4. Click OK.

    5. Click Apply.

  3. Create a rule to allow NTP Authentication.

    1. In the tree view, click NTP.

    2. On the right side of the panel, check Enable NTP Authentication.

    3. Click Add.

      pix-firewall09.gif

    4. When the NTP Server Detail window appears, enter 129.6.15.28 for the IP Address.

    5. For the Interface select outside.

    6. Check the Preferred box.

    7. Click OK.

    8. Click Add.

    9. For the IP Address enter 129.6.15.28.

    10. Select outside from the Interface drop-down list.

    11. Check the Preferred check box.

    12. Click OK.

    13. Click Apply.

  4. Click the Save icon at the top of the panel.

  5. When prompted to save the running configuration to flash memory, click Apply.

Create Optional ACL Rules on the Inside Interface

If you need to allow certain types of VPN and email traffic through the firewall, you can create additional ACL rules. Each ACL rule in this section is optional. If you do not use VPN or have SMTP email traffic, you can skip this section.

Note: The firewall denies all network traffic by default unless an ACL rule explicitly permits traffic on a certain IP address or port.

  1. If you use an SMTP email server, follow these steps to create an ACL rule to allow email traffic:

    1. On the Configuration page, click the Access Rules tab, and then click the Access Rules radio button.

    2. Click Rules > Insert After.

    3. Select permit from the drop-down list under Action.

    4. Under Source Host/Network, select IP Address.

    5. For the Interface, select inside.

    6. Leave IP address and Mask set to 0.0.0.0.

    7. Under Protocol and Service, select TCP.

    8. Under Source Port, click the details button (...) and select smtp.

    9. Under Destination Host/Network, select IP Address.

    10. For the Interface, select outside.

    11. For IP address, enter the IP address of the PIX found on line R12 of the Remote Network Addressing worksheet.

    12. For the Mask, select 255.255.255.255 from the drop-down list.

    13. Under Destination Port, select Service, click the details button (...), and then select smtp.

    14. In the text box at the bottom of the panel, enter a descriptive name for this rule.

    15. Click OK to save the rule.

  2. Check line F5 of the Firewall Worksheet. If you have a PPTP VPN, create two rules to allow PPTP VPN traffic. Follow these steps for the first rule:

    1. On the Configuration page, click the Access Rules tab, and then click the Access Rules radio button.

    2. Click Rules > Insert After.

    3. Select permit from the drop-down list under Action.

    4. Under Source Host/Network, select IP Address.

    5. For the Interface, select inside.

    6. Leave IP address and Mask set to 0.0.0.0.

    7. Under Protocol and Service, select TCP.

    8. Under Source Port, click the details button (...) and select pptp.

    9. Under Destination Host/Network, select IP Address.

    10. For the Interface, select outside.

    11. For IP address, enter the IP address of the PIX found on line R12 of the Remote Network Addressing worksheet.

    12. For the Mask, select 255.255.255.255 from the drop-down list.

    13. Under Destination Port, select Service, click the details button (...), and then select pptp.

    14. In the text box at the bottom of the panel, enter a descriptive name for this rule.

    15. Click OK to save the rule.

  3. Follow these steps to create the second PPTP rule:

    1. On the Configuration page, click the Access Rules tab, and then click the Access Rules radio button.

    2. Click Rules > Insert After.

    3. Select permit from the drop-down list under Action.

    4. Under Source Host/Network, select IP Address.

    5. For the Interface, select inside.

    6. Leave IP address and Mask set to 0.0.0.0.

    7. Under Protocol and Service, select IP.

    8. Under Source Port, click the details button (...) and select pptp.

    9. Under Destination Host/Network, select IP Address.

    10. For the Interface, select outside.

    11. For IP address, enter the IP address of the PIX found on line R12 of the Remote Network Addressing worksheet.

    12. For the Mask, select 255.255.255.255 from the drop-down list.

    13. Under Destination Port, select Service, click the details button (...), and select pptp.

    14. In the text box at the bottom of the panel, enter a descriptive name for this rule.

    15. Click OK to save the rule.

  4. Click Apply.

  5. Click the Save icon at the top of the panel.

  6. When prompted to save the running configuration to flash memory, click Apply.

Create ACL Rules for the Outside Interface

To create an ACL on the outside interface to limit unsolicited Internet traffic, follow these steps:

  1. Click the System Properties tab.

  2. From the tree view on the left, click Administration.

  3. Click Anti-Spoofing.

  4. In the Anti-Spoofing area, select the inside interface.

    pix-firewall10.gif

  5. Click Enable.

  6. Select the outside interface, and then click Enable.

  7. Click Apply.

  8. Click the Save icon at the top of the panel.

  9. When prompted to save the running configuration to flash memory, click Apply.


Configure Network Address Translation

Network Address Translation (NAT) uses an internal address scheme to provide additional security for your network. In order to set up NAT, you need to know whether your connection uses a static or dynamic IP address. Refer to the Internet Worksheet (B45, B46) for this information.

Set Up NAT with a Dynamic IP Address

If your connection uses a dynamic address, follow these steps to set up NAT with a dynamic IP address:

  1. Click the Translation Rules tab.

  2. Click the Translation Rules button.

    pix-firewall11.gif

  3. Click Rules > Add.

  4. Under Original Host/Network, select inside from the Interface drop-down list.

    pix-firewall12.gif

  5. For the IP Address, enter 0.0.0.0.

  6. For the Mask, select 0.0.0.0 from the drop-down list.

  7. For Translate address on interface, select outside.

  8. In the Translate Address To section, click Dynamic.

  9. In the Address Pool box, select the address pool you created on your worksheet.

  10. Click OK.

  11. Click Apply.

  12. Click the Save icon at the top of the panel.

  13. When prompted to save the running configuration to flash memory, click Apply.

Set Up NAT with a Static IP Address

To set up NAT with a static IP address, follow these steps:

  1. Click Rules > Add.

  2. Under Original Host/Network, select inside from the Interface drop-down list.

    pix-firewall13.gif

  3. For IP address, enter the IP address of the PIX found on line R12 of the Remote Network Addressing worksheet.

  4. For the Mask, select 255.255.255.255 from the drop-down list.

  5. For Translate address on interface, select outside.

  6. In the Translate Address To section, click Static.

  7. For IP address, enter the IP address of the PIX found on line R12 of the Remote Network Addressing worksheet.

  8. Click OK.

  9. Click Apply.

  10. Click the Save icon at the top of the panel.

  11. When prompted to save the running configuration to flash memory, click Apply.


Set Up Port Address Translation

If you have servers in your network that users outside of your network need to access, you must set up Port Address Translation (PAT).

You can set up PAT for a variety of internal servers. Remember that PAT is only needed if the server is physically located inside your network. Use the table to find the worksheet reference you need to verify if you have each type of server.

  Server Type                 Worksheet Reference
  Internal email server       Firewall Worksheet line F1
  Internal web server         Firewall Worksheet line F4
  Microsoft PPTP VPN server   Firewall Worksheet line F5

You need to create one PAT rule for each server that you want to make available outside of your network.

You also need to ensure that you have set up the appropriate access rules to allow traffic from the server to leave the network. See Create Optional ACL Rules on the Inside Interface for more information.

To set up a new PAT rule, follow these steps:

  1. From the Translation Rules tab, click Rules > Add.

    pix-firewall14.gif

  2. Under Original Host/Network, select inside from the Interface drop-down list.

  3. For the IP address, enter the IP Address for the server. See the appropriate line on the Firewall Worksheet indicated in the table of server types.

  4. For the Mask, select 255.255.255.255 from the drop-down list.

  5. For Translate address on interface, select outside.

  6. In the Translate Address To section, click Static.

  7. For IP address, enter the IP address of the PIX found on line R12 of the Remote Network Addressing worksheet.

  8. Check the Redirect Port check box.

  9. Choose TCP or UDP and enter the port number in the Original Port and Translated Port fields. Refer to the table for a listing of common ports.

    Service           Port Type   Port Number(s)
    HTTP (Internet)   TCP         80
    HTTPS             TCP         443
    SMTP              TCP         25, 465
    PPTP VPN          TCP         1723
    PPTP VPN          IP          47

  10. Click OK.

  11. Click Apply.

  12. Repeat these steps for each internal server that needs to be accessed from the outside.

  13. Click the Save icon at the top of the panel.

  14. When prompted to save the running configuration to flash memory, click Apply.


Next Step

You have completed the setup of the firewall on your PIX.

To configure a VPN on the PIX, proceed to Configure VPN on the PIX Security Appliance.

To make further changes to your PIX, refer to the PIX Support Page.

To configure other devices in your network, refer to the Configuration Overview Page.


Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

  Problem                                                      Cause(s) and Suggested Solution(s)
  I added a new rule to the firewall, and now I cannot         Contact the SMB TAC for assistance.
  access the PIX Security Appliance.


Related Information

Service Requests

  Open a service request
  Update a service request


© 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.