Configuring the PIX Firewall

You can configure the PIX Firewall by entering commands similar to those of Cisco IOS technology.

When shipped from Cisco, each PIX Firewall comes with a basic configuration that lets the unit boot up, but does not let network traffic pass through until you configure it to do so.

This chapter describes how to start a configuration and build on it. lists the sections in this chapter. The material is presented as a series of steps that you can follow completely if you are creating a new configuration, or as needed with an existing configuration.

Table 2-1 Chapter Topics
Before Configuring PIX Firewall	Initial Configuration	Continuing
Step 1 - Get a Console Terminal	Step 5 - Identify Each Interface	Step 12 - Add Telnet Console Access
Step 2 - Get the Most Current Software	Step 6 - Let Users Start Connections	Step 13 - Add Server Access
Step 3 - Configure Network Routing	Step 7 - Create a Default Route	Step 14 - Add Static Routes
Step 4 - Start Configuring PIX Firewall	Step 8 - Permit Ping Access	Step 15 - Enable Syslog
	Step 9 - Store the Image in Flash Memory and Reboot	Step 16 - Create Access Lists
	Step 10 - Check the Configuration	Step 17 - Add AAA User Authentication
	Step 11 - Test Network Connectivity	Step 18 - Recheck the Configuration

Information in Steps 2 and 4 overlap with the initial configuration information in the Installation Guide for the Cisco Secure PIX Firewall Version 5.0, but are shown here to provide continuity.

Upgrading from a Previous Version

Before upgrading from a previous version, save your configuration and write down your activation key. Information for upgrading the failover feature is described in the " Failover" section in Chapter 3, "Advanced Configurations."

Step 1 - Get a Console Terminal

If the computer you are connecting to runs either Windows 95 or Windows NT, the Windows HyperTerminal accessory provides easy-to-use software for communicating with the firewall. If you are using UNIX, refer to your system documentation for a terminal program.

HyperTerminal also lets you cut and paste configuration information from your computer to the firewall console.

Step 1

Connect the serial port of your PC to the console port of the PIX Firewall with the serial cable supplied in the PIX Firewall accessory kit.

Step 2

Locate HyperTerminal by opening the Windows 95 or Windows NT Start menu and clicking Programs>Accessories>HyperTerminal.

Step 3

Double-click the Hypertrm accessory. The New Connection window opens with the smaller Connection Description dialog box in the center.

Step 4

Enter the name of the connection. You can use any name such as PIX Console. Click OK when you are ready to continue.

Step 5

At the Phone Number dialog box, ignore all the fields except "Connect using." In this field, click the arrow at the right to view the choices. Click "Direct to Com 1," unless you are using another serial port. Click OK to continue.

Step 8

The HyperTerminal window is now ready to receive information from the PIX Firewall console. If the serial cable is connected to the firewall, power on the firewall and you should be able to view the console startup display.

If nothing happens, wait 60 seconds first. The firewall does not send information for about 30 seconds. If messages do not appear after 60 seconds, press the Enter key. If still nothing appears, ensure that the serial cable is attached to COM1 and not to COM2 if your computer is so equipped. If garbage characters appear, ensure that the bits per second setting is 9600.

Step 10

On the File menu, click Exit to exit HyperTerminal. HyperTerminal prompts you to be sure you want to disconnect. Click Yes.

HyperTerminal saves a log of your console session that you can access the next time you use it.

To restart HyperTerminal, double-click the connection name you chose in the HyperTerminal folder. When HyperTerminal starts, drag the scroll bar up to view the previous session.

Step 2 - Get the Most Current Software

Latest Software

If desired, you can obtain the most current version of the PIX Firewall software by downloading it from Cisco's online web or FTP site. If you are using FTP, refer to the section " Download with FTP." If you are using the Web, refer to the section " Download over the Web." The sections that follow describe how to download the software and prepare a PIX Firewall bootable diskette. When the diskette is ready, you can insert it in the PIX Firewall's diskette drive and restart the firewall. This will give you access to the most current software on your PIX Firewall.

•

.bin—For UNIX, or for Windows and Windows NT if you already have the rawrite.exe program. Refer to " Creating a Bootable Diskette from UNIX" for installation information. If you have a PIX 515, you can put the .bin image on a TFTP server and download it to the PIX 515—refer to Chapter 7, " PIX 515 Configuration" for information on how to download the image to the PIX 515.

•

.exe—For Windows and Windows NT. Except for the rawrite.exe program for creating bootable diskettes, the rest of the .exe files are self-extracting archives. Refer to the Installation Guide for the Cisco Secure PIX Firewall Version 5.0 for information on installing the PFSS, and PFM. Refer to " Creating a Bootable Diskette from Windows" for installation information about the pix50n.exe and rawrite.exe files.

•

pix50n.exe—Contains the PIX Firewall image, instructions, and the rawrite.exe program.

•

pfss422.exe—Contains the PIX Firewall Syslog Server (PFSS), which provides a Windows NT Server that receives syslog messages from the PIX Firewall and stores them in daily log files. The PIX Firewall sends messages to the PFSS via TCP or UDP and can receive syslog messages from up to 10 PIX Firewall units. The version 4.4(2) PFSS works with versions 4.4, 5.0, and later.

•

pfm432c.exe—Contains the PIX Firewall Manager (PFM) and its accompanying files. As an alternative to the PFSS, the PFM GUI (graphical user interface) lets you manage up to 10 PIX Firewall units. The PFM also contains a syslog server that must not be used with the PFSS. Version 4.3(2)c or later of the PFM accepts PIX Firewall versions 4.3, 4.4, 5.0, and later. The PFM has not been upgraded with version 5.0 changes. Refer to the Release Notes for the PIX Firewall Manager Version 4.3(2)c for more information on how to install and use this feature.

•

psw501.exe—Contains the PIX Firewall Setup Wizard, which simplifies the PIX Firewall installation. The Setup Wizard works with PIX Firewall versions 4.3, 4.4, 5.0 and later. Refer to the Installation Guide for the Cisco Secure PIX Firewall Version 5.0 for how to install the Setup Wizard.

•

rawrite.exe—A program you use to create a bootable diskette for the PIX Firewall.

Download over the Web

Step 1

Use a network browser, such as Netscape Navigator to access http://www.cisco.com.

Step 2

If you are a registered CCO user, click LOGIN in the upper area of the page. If you have not registered, click REGISTER and follow the steps to register.

Step 3

After you click LOGIN, a dialog box appears requesting your Username and Password. Enter these and click OK.

Step 4

When you are ready to continue, choose Software Center under the Service & Support heading.

Step 5

On the Service & Support page, click Internet Products from the center column.

Step 6

On the Internet Products page, scroll down to the Other Internet Software bullet item. Then scroll down further and click PIX Firewall Software.

Step 7

On the PIX Firewall Software page, click Download PIX Firewall Software.

Step 8

On the software download page, choose the software you need depending on the file suffix: .exe or .bin as described in the last section.

(a)

Choice 1—To copy the file directly to your hard drive, choose a regional site closest to your location. A dialog box appears requesting that you enter your CCO password again. Enter it and click OK. The Save As dialog box appears and lets you specify the directory and output filename of the file on your hard drive. You can store the executable file anywhere. When executed, it will extract three files into the same directory in which it is run.

Choose the directory and filename and click Save. A dialog box appears to show you the progress of the transfer.

(b)

Choice 2—If you want to receive the file by email, enter the destination email address and the file will be encoded with the UNIX uuencode command before being sent to the address you specify.

(c)

Choice 3—Cisco Support engineers can give you access to the file via FTP. You can also use FTP to access this site directly.

Download with FTP

Before using FTP, you need to have previously registered with Cisco, which you can do via the Web or by calling Cisco.

Set your FTP client for passive mode. If you are not running in passive mode, you can log in and view the Cisco presentation messages, but entering commands will cause your client to appear to suspend execution.

The Windows 95 and Windows NT command line FTP programs do not support passive mode.

Step 1

Start your FTP client and connect to cco.cisco.com. Use your CCO username and password.

Step 2

You can view the files in the main directory by entering the ls command.

Step 3

Enter the cd cisco command to move to the cisco directory. Then enter cd internet and cd pix to access the PIX Firewall software directory. Use the ls command to view the directory contents.

Step 4

Use the get command to copy the proper file to your workstation as described at the start of the current section. If you want documentation, use the cd documentation command from the pix directory and copy the files you need to your workstation. Files with the .pdf suffix can be viewed with Adobe Acrobat Reader, which you can download from:

Creating a Bootable Diskette from Windows

Step 1

Using Windows Explorer or My Computer, open a window to the directory containing the archive and double-click the filename of the .exe file. It will automatically execute and provide these files:

•

pix5nn.bin—The PIX Firewall binary file, where 5 is the version number and nn is the release number.

•

rawrite.exe—The conversion utility that creates a PIX Firewall bootable diskette.

•

readme.txt—Contains instructions about how to create the bootable diskette.

Step 2

Locate an IBM formatted diskette that does not contain useful files. Do not use the PIX Firewall boot diskette that came with your original PIX Firewall purchase—you will need this diskette for system recovery should you need to downgrade versions.

The rawrite program erases all the files on the diskette. If you format the diskette from Windows, choose the long version, not the quick format. The quick format does not adequately prepare the diskette for rawrite. The best way to format the diskette is from the MS-DOS command prompt.

Step 3

Enter rawrite at the MS-DOS command prompt and you are prompted for the name of the .bin binary file, the output device (a: or b: for a 3.5-inch diskette), and to insert a formatted diskette.

Note

Ensure that the binary filename is in the "8.3" character format (8 characters before the dot; 3 characters after the dot). Due to the size of the version 5.0 image, creating a diskette may take several minutes to complete.

Step 4

Remove the diskette from the drive, place it in the PIX Firewall diskette drive and power cycle the unit. Alternately, if your unit has a Reset switch, use it, or you can enter the reload command from the PIX Firewall console. The PIX Firewall then boots from the new diskette.

Creating a Bootable Diskette from UNIX

This command copies the binary file to the output device file with a block size of 18 blocks.

Step 4

Eject the diskette, insert it in the PIX Firewall diskette drive, and power cycle the unit. Alternately, if available, use your unit's Reset switch, or enter the reload command from the PIX Firewall console. The PIX Firewall then boots from the new diskette.

Step 3 - Configure Network Routing

Read this section before configuring the PIX Firewall to help you make decisions for configuring network routing.

Routing directs the flow of packets through a network. A default route specifies to which router packets are sent when the address is not known.

A host sends a message to another user. If the computer itself does not contain a login account for the user, the computer sends the message to its default gateway router. A router stores the paths through the network known as routes. If a router does not have the route to the user in its storage, it passes the message to its default router which knows routes from the larger network. The message is checked against the routes in this router. If it is not found, it is sent to another router with a still larger view of the network. This process repeats with the message sent from one router to another until the message is sent to the correct destination.

Preparing Routers to Work with the PIX Firewall

Once you have configured the PIX Firewall, you need to configure the other devices that will interact with the PIX Firewall. The most important element that works with the PIX Firewall are the routers, or switches, if they have routing capability. The instructions that follow assume that the routers are from Cisco.

Step 1

Connect a computer to the console port of the router that connects to the outside interface of the PIX Firewall. If you are using a Windows PC, you can use the HyperTerminal program with the router as well. You will need to know the username and password for the router.

Step 2

Access configuration mode by entering the configure terminal command.

Step 3

Clear the ARP cache. Use the clear arp command. Then enter Cntrl-Z to exit configuration mode.

Step 4

Connect to the router on the inside of the PIX Firewall and access configuration mode.

Step 5

Set the default route to the inside interface of the PIX Firewall with the following command:

Step 6

Enter the show ip route command and make sure that the PIX Firewall interface is listed as the "gateway of last resort."

Step 7

Clear the ARP cache with the clear arp command. Then enter Cntrl-Z to exit configuration mode.

Step 8

If you changed the default route, use the write memory command to store the configuration in Flash memory. The clear arp command will make the new default gateway usable by the router.

Step 9

Connect to the routers on each perimeter interface and repeat the commands in Steps 5 through 8 for each router.

Step 10

If you have routers on networks subordinate to the routers that connect to the PIX Firewall's interfaces, configure them so that their default routes point to the router connected to the PIX Firewall and then clear their ARP caches as well.

Because the PIX Firewall is not a router, you need to specifically tell it where to route packets. The PIX Firewall lets you specify one default route to the outside interface, with one exception: if your PIX Firewall has only two interface cards installed, you can specify two default routes, one for the outside and one for the inside.

Note For a PIX Firewall with 3 or more interfaces, only the outside default route is allowed.

In many networks, the interface connecting to the PIX Firewall connects to a router. Many times, a number of networks connect to the router. To ensure that the PIX Firewall can see these routes, you need to add static route command statements for each network.

Both default and static routes are set on the PIX Firewall with the route command.

Setting a Default Route for Each Host

Each host on the same subnet as the inside or perimeter interfaces must have its default route pointing to the PIX Firewall.

Setting a Solaris or SunOS Default Route

If the host is a Solaris or SunOS workstation, you can determine the default route with this command:

With root permissions, edit the /etc/defaultrouter file to point the default route at the PIX Firewall and then reboot the workstation so that the information is usable.

Setting a LINUX Default Route

On LINUX systems, use the netstat -r command to view the routing table including the default route.

Setting a Windows 95 and Windows 98 Default Route

If the host is a Windows workstation, you can view the default route by clicking Start>Run and entering this command:

To change the default route, click Start>Settings>Control Panel and double-click the Network item.

Select the TCP/IP entry from the list of installed network components and click Properties. The default route is on the Gateway tab.

Setting a Windows NT Default Route

You can view the default route from the Command Prompt by entering the ipconfig command. You can access the Command Prompt by clicking Start>Programs>Command Prompt.

Step 2

In the Network Protocols window, click TCP/IP Protocol, and click Properties.

Step 4

Click Advanced The default gateway IP address appears in the Gateways window. If the gateway is not the address of the PIX Firewall interface to which the server is connected, select the gateway address and click Remove.

Step 6

After you exit from the menus, Windows will prompt you to restart your computer. Click Yes.

Setting a MacOS Default Route

You can view the default route from the MacOS 7.5 and later from the Apple menu>Control Panels>TCP/IP window. You can also set the default route from this window.

Step 4 - Start Configuring PIX Firewall

When you start your PIX Firewall for the first time or load a new PIX Firewall boot disk, the configuration comes with many of the commands you need to get started. The configuration you first receive is known as the default configuration and is described in more detail in Chapter 1, "Introduction."

You can use the write terminal command to view your configuration at any time. Use the write memory command frequently to save your configuration to Flash memory.

Before you configure the PIX Firewall, sketch out a network diagram with IP addresses that you will assign to the PIX Firewall and those of routers on each interface. If you have more than two interfaces in the PIX Firewall, note the security level for each interface. Security levels are set with the nameif command described in " Step 5 - Identify Each Interface."

•

An IP address for each interface that will connect to a network segment. Each address must be unique so that it is not used in the pool of global addresses or with any other command statement in the configuration.

•

A pool of global addresses for each interface that each translated connection uses as it passes through the firewall. Use a global pool to let users start connections from a higher security level interface to access a lower security level interface.

Go to the PIX Firewall Configuration Mode

Step 2

Power on the PIX Firewall. On newer models, the switch is at the back, on older models, the front.

Step 3

If you are configuring a PIX 515 and your site downloads configuration images from a central source with TFTP, look for the following prompt in the startup messages:

PIX Firewall holds this prompt for 10 seconds. To download an image, press the Escape key to start boot mode. If you are not downloading an image, ignore the prompt or press the Space bar to start immediately and PIX Firewall starts normally. Refer now to Chapter 7, "PIX 515 Configuration" for information about how to download the configuration image.

Step 4

After the startup messages appear, you are prompted with the following unprivileged mode prompt:

Enter the configure terminal command and press Enter. You are now in configuration mode.

Step 5 - Identify Each Interface

On new installations, PIX Firewall provides names for each interface, which you can view with the show nameif command. If you want to provide alternative names, use the nameif command to do so.

For new installations, PIX Firewall requires that you enable the use of each interface you intend to use with the interface command.

You need to specify a unique IP address for each interface you want to use with the ip address command.

Refer to the Installation Guide for the Cisco Secure PIX Firewall Version 5.0 for a description of the various configurations that can occur depending on in which slot a 4-port card resides. Using a PIX 515 or PIX 520 changes how the unit determines how each network connects to the PIX Firewall.

The nameif Command

The PIX Firewall default configuration supplies nameif commands for the inside and outside interfaces. Use the show nameif command to view these commands. They will appear as follows:

The nameif commands you need to enter, if any, are determined by how many network interface cards are in your PIX Firewall. The sections that follow describe how to configure this command.

If you make a mistake or want to replace a command you entered, enter the new version of the command, instead of first removing the old version, as is required for other PIX Firewall commands. For example, if you accidentally enter:

Two-Interface PIX Firewall

If you have only two interfaces, you do not need to enter any further information for the nameif command and can now proceed to next command for your configuration.

Three or More Interfaces in the PIX Firewall

PIX Firewall provides nameif commands for all interfaces. The inside interface is named "inside" and the outside interface is named "outside." Any perimeter interfaces are named "intfn," such as "intf2" for the first perimeter interface, "intf3" for the second perimeter interface up to a maximum of "intf5" for the fourth perimeter interface (PIX Firewall supports up to 6 interfaces). The numbers correspond to the interface card's position in the PIX Firewall, such that for Ethernet interfaces, ethernet0 is the outside interface, ethernet1 is the inside interface, ethernet2 is the first perimeter interface, and so on up to ethernet5 as the fourth perimeter interface. You can use the default names or give each interface a more meaningful name.

•

hardware_id—The hardware name for the network interface card. If you have all Ethernet interfaces in the PIX Firewall, use ethernet2 and ethernet3 for the nameif commands you supply.

If you have both Ethernet and Token Ring cards, the third and fourth interfaces' hardware_id names differ depending on the interface type. For example, if you have an Ethernet interface on the outside, a Token Ring on the inside, and an Ethernet interface as the third interface, and another Token Ring as the fourth interface, the interfaces would be named ethernet0, token0, ethernet1, and token1.

If one of the Ethernet cards is a 4-port card, the Ethernet names change to correspond to in which slot the card resides. However the Token Ring card names stay the same. For example, if slot 0 has a single port Ethernet card, the slot 1 has a 4-port card, and slot 2 has a Token Ring card, the interfaces would be named as follows:

•

For the 4-port card in slot 1, ethernet1, ethernet2, ethernet3, and ethernet4.

You can abbreviate the hardware_id name with any significant letters, such as, e0 for ethernet0, or t0 for token0.

•

interface—If you want to use names other than the default names, you can enter a name such as dmz or perim for each perimeter interface. Whichever name you pick, you will need to enter it repeatedly as you create your configuration, so a short name, such as dmz, will be easier to enter. However, if you want to, you can specify up to 48 characters in an interface name.

•

security_level—A value such as security40 or security60. You can choose any security level between 1 and 99 for a perimeter interface as long as it is not the same as the inside and outside interfaces. If you have four or more interfaces, it will be easier to code your configuration if you use the higher security level for the perimeter interface with the most hosts. When you access a higher security level interface from a lower security level interface, you use the static command.

If you are configuring PIX Firewall for the first time, the default security levels for perimeter interfaces start with security10 for intf2 (the default name for the first perimeter interface), security15 for intf3, security20 for intf4, and security25 for intf5.

When you access a lower security interface from a higher security level interface, you use the nat command. By using the higher security level, hosts on that interface can access the other perimeter interface and the outside interface using the nat command.

The ip address Command

Assign an ip address command to each interface in your PIX Firewall that connects to the network. For unused interfaces, PIX Firewall assigns 127.0.0.1 (the local host address) to each interface and a subnet mask of 255.255.255.255 that does not permit traffic to flow through the interface. The 127.0.0.1 address is the Internet address for the local host and is not used by any Internet site.

Replace ip_address with the IP address you specify for the interface. The IP addresses that you assign must be unique for each interface—do not use an address you previously used for routers, hosts, or with any other PIX Firewall command, such as an IP address in the global pool or for a static.

Replace netmask with the network mask for the IP address; for example, 255.0.0.0 for a Class A address (those that begin with 1 to 127), use 255.255.0.0 for Class B addresses (those that begin with 128 to 191), and 255.255.255.0 for Class C addresses (those that begin with 192 and higher). Do not use 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.

If subnetting is in use, use the subnet in the mask; for example, 255.255.255.228.

Use the show ip command to view the commands you entered. If you make a mistake while entering a command, reenter the same command with new information.

If you are using subnetting, enter a network mask applicable to the subnet. Refer to Appendix D, " Subnet Masking and Addressing" to ensure that the IP address you pick for each interface is correct for the subnet.

The interface Command

If you have Ethernet interfaces in the PIX Firewall, the default configuration provides interface commands for all interfaces.

Note Starting with version 5.0, all interfaces in a new configuration are shut down by default and need to be explicitly enabled for use.

Upgraded configurations from a previous PIX Firewall version are not affected by this new feature.

•

hardware_id—Either ethernetn for Ethernet or tokenx for Token Ring depending on how you specified the hardware_id in the nameif command.

•

hardware_speed—If the interface is Token Ring, either 4mbps or 16mbps depending on the line speed of the Token Ring card. If the interface is Ethernet, and the PIX Firewall uses the Intel 10/100 interface type, use auto. If you purchased your PIX Firewall before November 1996, the Ethernet interfaces do not auto sense the interface speed. Refer to the interface command page in Chapter 6, "Command Reference," for how to specify the hardware_speed.

•

shutdown—Disables use of the interface. When you first install PIX Firewall version 5.0, all interfaces have the shutdown option enabled. To enable use of the interface, recode the interface command without the shutdown option. For example, the starting configuration appears as follows for a four-interface PIX Firewall:

For each interface you intend to operate, you need to reenter each command without the shutdown option. The following example enables the first three interfaces and leaves the last interface shutdown:

Use the write terminal command to view the configuration and locate the interface command information. If you make a mistake while entering a command, reenter the same command with new information.

Step 6 - Let Users Start Connections

As described in the section, " Step 5 - Identify Each Interface," the nameif command assigns a security level to each interface. For interfaces with a higher security level such as the inside interface, or a perimeter interface relative to the outside interface, use the nat and global commands to let users on the higher security interface access a lower security interface. For the opposite direction, from lower to higher, you use the static and conduit commands described in the section " Step 13 - Add Server Access."

As you enter the nat and global commands to let users start connections, you can use the show nat or show global commands to list the existing commands. If you make a mistake, remove the old command with the no form of the command, specifying all the options of the first command. This is where a terminal with cut and paste capability is useful. After you use show global, you can cut the old command, enter no and a space on the command line, paste the old line in, and press the Enter key to remove it.

PIX Firewall favors the use of NAT (Network Address Translation) for addressing of your network. When a PIX Firewall is first inserted in a network, keeping existing addressing may appear desirable, but imposes an extra layer of complexity in working with the PIX Firewall. Almost all of the PIX Firewall commands that work with IP addresses are affected by the use of NAT.

As you enter each command and debug it, you have to work with how your network addressing affects server access, creating global pools, authentication, routing, and starting connections. When you add in multiple interfaces, the complexity rises more. For this reason, Cisco recommends that you use PIX Firewall with NAT if possible. If you must disable NAT, use the nat 0 command. Refer to the nat and static command pages, described in Chapter 6, "Command Reference," for a discussion of the implications of disabling NAT.

Step 1

Use the show nameif command to view the security level of each interface.

Step 2

Make a simple sketch of your network with each interface and its security level as shown in .

Step 3

Add a nat command statement for each higher security level interface from which you want users to start connections to interfaces with lower security levels:

•

To let inside users start connections on any lower security interface, use the nat (inside) 1 0 0 command.

•

To let dmz4 users start connections on any lower security interface such as dmz3, dmz2, dmz1, or the outside, use the nat (dmz4) 1 0 0 command.

•

To let dmz3 users start connections on any lower security interface such as dmz2, dmz1, or the outside, use the nat (dmz3) 1 0 0 command.

•

To let dmz2 users start connections on any lower security interface, such as dmz1 or outside, use the nat (dmz2) 1 0 0 command.

•

To let dmz1 users start connections to the outside, use the nat (dmz1) 1 0 0 command,

Instead of specifying "0 0," to let all hosts start connections, you can specify a host or a network address and mask.

For example, to let only host 192.168.2.42 start connections on the dmz2 interface, you could specify:

The "1" after the interface specifier is the NAT ID. You can use one ID for all interfaces and the PIX Firewall sorts out which nat command statement pertains to which global command statement on which interface, or you can specify a unique NAT ID to limit access to specific interface. Remember that the nat command opens access to all lower security level interfaces so that if you want users on the inside to access the perimeter interfaces as well as the outside, then use one NAT ID for all interfaces. If you only want inside users to access the dmz1 interface but not the outside interface, use unique NAT IDs for each interface.

The NAT ID in the nat command must be the same NAT ID you use for the corresponding global command.

Step 4

Add a global command statement for each lower security interface which you want users to have access to; for example, on the outside, dmz1, and dmz2. The global command creates a pool of addresses that translated connections pass through.

There must be enough global addresses to handle the number of users each interface may have trying to access the lower security interface. You can specify a single PAT (Port Address Translation) which permits up to 65,000 hosts to use a single IP address. PAT has some restrictions in its use such as it cannot support H.323 or caching nameserver use, so you may want to use it to augment a range of global addresses rather than using it as your sole global address.

The first global command statement specifies a single IP address, which the PIX Firewall interprets as a PAT. The PAT lets up to 65,535 hosts start connections to the outside. PIX Firewall permits one PAT global command statement for each interface The second global command statement augments the pool of global addresses on the outside interface. The PAT creates a pool of addresses used only when the addresses in the second global command statement are in use. This minimizes the exposure of the PAT in the event users need to use H.323 applications.

The global command statement for dmz1 lets users on the inside and dmz2 start connections on the dmz1 interface.

The global command statement for dmz2 lets users on the inside start connections on the dmz2 interface.

If you use network subnetting, specify the subnet mask with the netmask option. Refer to Appendix D, " Subnet Masking and Addressing" for more information on subnetting.

Step 7 - Create a Default Route

Use the route command to set a default route to the outside router. Use the show route command to view the command you entered. If needed, use the no route command to remove a route command. If the outside router is at address 192.150.50.3, you would use this command:

This command states that the default router is on the outside interface. The 0 0 information is an IP address of 0.0.0.0 and mask of 0.0.0.0, which the PIX Firewall associates with the default route. The route command could be read as "if I have a packet intended for IP address 0.0.0.0, send it to 192.150.50.2 instead." The "1" at the end is the number of hops that the router is from the PIX Firewall. Hops are routers, so 1 hop is the router nearest the PIX Firewall.

If the PIX Firewall has only two interfaces, you can specify a default route for the inside. Note that this exception only applies when the PIX Firewall has physically two interfaces. If a third interface is present in the firewall without a cable connection, you have to physically remove the card before you can use this exception. If there are only two interfaces, the default route command for the inside will eliminate having to add static route command statements for the networks connected to the inside router (if any).

Note If you are not sure how many interfaces are in the PIX Firewall, examine the configuration with the write terminal command and count the number of interface commands that appear. If there are 3 or 4, you must only have one default route command statement to the outside interface; otherwise, the PIX Firewall will experience routing problems that are difficult to diagnose.

Step 8 - Permit Ping Access

Enter the conduit permit icmp any any command in your configuration. This lets hosts on the inside ping outside hosts and hosts on the outside ping global addresses configured with the conduit command.

Step 9 - Store the Image in Flash Memory and Reboot

When you complete entering commands in the configuration, save it to Flash memory with the write memory command.

Then use the reload command to restart the configuration. After you enter the reload command, PIX Firewall prompts you to confirm that you want to continue. Enter y and the reboot occurs.

You are now done configuring the PIX Firewall. This configuration lets protected network users start connections, but prevents users on unprotected networks from attacking protected hosts.

Step 10 - Check the Configuration

Use the write terminal command to view your current configuration. Check the following before proceeding to ensure that your configuration is correct:

Step 1

Make sure that the each interface you intend to operate has the shutdown option disabled. Refer to the section "The interface Command" for more information.

Step 2

Make sure that the IP addresses you use in the ip address, global, nat, and route commands are unique. In addition, the ip address command IP address cannot be the same as a router or any hosts. Use the following commands to examine this information:

Step 3

Use the show route command to make sure you have a default route command statement pointing to the outside router. A default route command follows:

Replace ip_address_of_outside_router with the IP address of the nearest router on the outside interface.

If you do not see this command in your configuration, add it now. A default route command is crucial to get other commands to work correctly. If you are testing the network before putting it into production, get a router and add it to the test network so that the PIX Firewall has a default route.

Step 4

Make sure that the nat and global command statements have the same NAT ID, as shown in the following example:

Also, it is best to keep all the nat command statements and global command statements in the same NAT ID even if the global command statements refer to different interfaces, for example:

The nat command statements let users on the inside, dmz1, and dmz2 interfaces start outside connections. The first global command statement creates a PAT address on the outside interface. The second global command statement creates a pool of IP addresses in the range of 192.150.50.30 to 192.150.50.200 on the outside interface.

The third global command statement creates a pool of IP addresses on the dmz1 interface. You can have one PAT global command statement per interface.

Step 5

Use the show global command to make sure that a range of global addresses starts from a low number and goes to a high number. In addition, it is good to leave a few addresses before the range for static command statements, hosts, or additional routers. In other words, instead of starting the global pool at an address such as 192.150.50.2, use 192.150.50.10 (assuming you have a full Class C address to use).

Step 6

If your ISP (Internet service provider) has only provided a few registered addresses, always have a PAT address at the end of the range. This expands your pool of addresses, if needed. Remember to give the PAT an address lower than the pool of global addresses. PIX Firewall uses global addresses starting from the highest numbered IP address and works down.

Step 7

If you are using subnetting, examine Appendix D, "Subnet Masking and Addressing," for more information on subnetting. Use the show global command to make sure that all addresses in the global pool are in the same subnet. For example, if you have a 255.255.255.192 subnet mask, the pool of global addresses could not contain addresses 192.150.50.60-192.150.50.100 because this would cross subnet boundaries.

Also make sure that the global pool contains correctly subnetted network addresses and broadcast addresses as explained in Appendix D, "Subnet Masking and Addressing." For example, with the 255.255.255.224 mask, specifying a global pool of 192.150.50.64-192.150.50.95 would not work because 192.150.50.64 is a network address and 192.150.50.95 is a broadcast address.

(a)

Use the show ip address command to ensure that addresses on each interface are in the correct subnet for that interface. Each interface needs its own subnet. For example, if the outside interface has registered addresses 192.150.50.0 through 192.150.50.31 with a 255.255.255.224 subnet mask, the outside interface, outside router, any hosts on this interface, the global pool, and any addresses set aside for static command statements (explained in " Step 13 - Add Server Access") must all reside on addresses 192.150.50.1 through 192.150.50.30.

(b)

If you are using subnetting, put the subnet value in the ip address and global command statements masks. For example, if you are using a .192 subnet mask, the ip address command would appear as:

Step 8

Use the show nat command If you need to restrict IP addresses in nat command statements, do not overlap the groups. An example follows

If you want only users on the 10.0.0.0 network to start connections, do not specify a second nat group with address 10.1.1.0 because this network would be included in 10.0.0.0.

Step 9

Use the show ip address command to check all IP addresses to be sure you have the correct addresses values for the devices.

Make sure all inside interface or perimeter interface hosts and routers have their default routes set to the respective PIX Firewall interface IP address. Refer to section "Step 3 - Configure Network Routing" for more information.

Step 11 - Test Network Connectivity

For the steps that follow, you will need access to the PIX Firewall console and to at least one host on both the internal and external networks.

Use the steps that follow to determine whether or not the firewall is functioning correctly in the network:

Step 1

Sketch a diagram of your network—With a sketch, it is much easier to methodically test the network with the PIX Firewall to be sure if everything works as expected as shown in .

Step 2

Start debugging commands—Enter configuration mode and start the debug icmp trace command to monitor ping results through the PIX Firewall. In addition, start syslog logging with the logging buffered debugging command to check for denied connections or ping results. The debug messages display directly on the console session. You can view syslog messages with the show logging command.

Before using the debug command, use the who command to see if there are any Telnet sessions to the console. If the debug command finds a Telnet session, it automatically sends the debug output to the Telnet session instead of the console. This will cause the serial console session to seem as though no output is appearing when it is really going to the Telnet session.

Step 3

Ping around the PIX Firewall—Ping from the PIX Firewall to a host or router on each interface. Then go to a host or router on each interface and ping the PIX Firewall's interface. For the example, you would use these commands from the PIX Firewall:

Then ping the PIX Firewall interfaces from the hosts or routers with commands such as:

If the pings from the hosts or routers to the PIX Firewall interfaces are not successful, check the debug messages which should have displayed on the console. Successful ping debug messages appear as in this example:

Both the request and reply statements should appear to show that the PIX Firewall and the host responded. If none of these messages appeared while pinging the interfaces, then there is a routing problem between the host or router and the PIX Firewall that caused the ping (ICMP) packets to never arrive at the PIX Firewall.

(a)

Make sure you have a default route command statement for the outside interface. For example:

(b)

Use the show conduit command to ensure that the conduit permit icmp any any command is in the configuration. Add this command if it is not present.

(c)

Except for the outside interface, make sure that the host or router on each interface has the PIX Firewall as its default gateway. If so, set the host's default gateway to the router and set the router's default route to the PIX Firewall. Setting default routes in routers and hosts is explained in the section " Step 3 - Configure Network Routing."

(d)

Check to see if there is a router between the host and the PIX Firewall. If so, make sure the default route on the router points to the PIX Firewall interface. If there is a hub between the host and the PIX Firewall, make sure that the hub does not have a routing module. If there is a routing module, configure its default route to point to the PIX Firewall.

(e)

Go to the PIX Firewall and use the show interface command to ensure that the interface is functioning and that the cables are connected correctly. If the display contains "line protocol is up," then the cable type used is correct and connected to the firewall. If the display states that each interface "is up," then the interface is ready for use. If both of these are true, check "packets input" and "packets output." If packets are being received and transmitted, the firewall is correctly configured and a cable is attached.

Ping through the PIX Firewall—Once you can ping the PIX Firewall's inside interface, try pinging through the PIX Firewall to a host on another interface, such as the outside. If there is not a host on the interface, ping the router. If the ping is not successful, check the debug messages on the PIX Firewall console to be sure both inbound and outbound pings were received. If you see the Inbound message without the Outbound, then the host or router is not responding. Check that the nat and global command statements are correct and that the host or router is on the same subnet as the outside interface. Successful ping debug messages appear as in this example:

Inbound ICMP echo reply (len 32 id 1 seq 256) 192.150.50.1 > 192.150.50.42

Outbound ICMP echo request (len 32 id 1 seq 512) 192.150.50.42 > 192.150.50.1

Step 4

Once you can ping successfully across interfaces of higher security levels to lower security levels, such as inside to outside, inside to dmz, or dmz2 to dmz1, add static and conduit command statements as described in the section " Step 13 - Add Server Access" so that you can ping from the lower security level interfaces to the higher security level interfaces.

Step 12 - Add Telnet Console Access

The serial console lets a single user configure the PIX Firewall, but many times this is not convenient for a site with more than one administrator. PIX Firewall lets you access the serial console via Telnet from hosts on any internal interface.

With PIX Firewall version 5.0 and IPSec configured, you can use Telnet to remotely administer the console of a PIX Firewall from the outside interface.

Step 1

Use the PIX Firewall telnet command. For example, to let a host on the internal interface with an address of 192.168.1.2 access the PIX Firewall, enter:

If IPSec is in place, you can let a host on the outside interface access the PIX Firewall console. Use a command such as:

The telnet command does not have an interface identifier. The PIX Firewall compares the IP address you specify in the telnet command to those in the ip address command statements to ensure that the address you specify is on an internal interface (any interface except the outside interface).

Step 2

If required, set the duration for how long a Telnet session can be idle before PIX Firewall disconnects the session. The default duration, 5 minutes, is too short in most cases and should be increased until all pre-production testing and troubleshooting has been completed. Set a longer idle time duration as shown in the following example:

Step 3

If you want to protect access to the console with an authentication server, you can use the aaa authentication telnet console command, which requires that you have a username and password on the authentication server. When you access the console, PIX Firewall prompts you for these login credentials. If the authentication server is offline, you can still access the console by using the username pix and the password set with the enable password command.

Step 4

Save the commands in the configuration using the write memory command.

Step 1

From the host, start a Telnet session to a PIX Firewall interface IP address. If you are using Windows 95 or Windows NT, click Start>Run to start a Telnet session. For example, if the inside interface IP address is 192.168.1.1, enter the following command:

You can enter any command on the Telnet console that you can set from the serial console, but if you reboot the PIX Firewall, you will need to log back into the PIX Firewall after it restarts.

Some Telnet applications such as the Windows 95 or Windows NT Telnet sessions may not support access to the PIX Firewall's command history feature used with the arrow keys. However, you can access the last entered commands by pressing Ctrl-P.

Step 3

Once you have Telnet access available, you may want to view ping information while debugging. You can view ping information from Telnet sessions with the debug icmp trace command. The Trace Channel feature also affects

Table Of Contents

2