
Table of Contents

Configuring the PIX Firewall
Step 1—Get a Console Terminal
Step 2—Get the Most Current Software
Step 3—Configure Network Routing
Step 4—Start Configuring PIX Firewall
Step 5—Identify Each Interface
Step 6—Let Users Start Connections
Step 7—Create a Default Route
Step 8—Permit Ping Access
Step 9—Store the Image in Flash Memory and Reboot
Step 10—Check the Configuration
Step 11—Test Network Connectivity
Step 12—Add Telnet Console Access
Step 13—Add Inbound Server Access
Step 14—Add Outbound Access Lists
Step 15—Add Static Routes
Step 16—Enable Syslog
Step 17—Add AAA User Authentication
Step 18—Recheck the Configuration

Configuring the PIX Firewall


You can configure the PIX Firewall by entering commands similar to those of Cisco IOS technology.


Note   If you are using a PIX Firewall unit that contains a diskette drive, you must use a "Boothelper" diskette to download the PIX Firewall image with TFTP. If your site has a Cisco router, the use of TFTP is similar to the way you download Cisco IOS software to your router.

This chapter describes how to start a configuration and build on it. Table 2-1 lists the sections in this chapter. The material is presented as a series of steps that you can follow completely if you are creating a new configuration, or as needed with an existing configuration.

Table 2-1   Chapter Topics

Before Configuring PIX Firewall:
    Step 1—Get a Console Terminal
    Step 2—Get the Most Current Software
    Step 3—Configure Network Routing
    Step 4—Start Configuring PIX Firewall

Initial Configuration:
    Step 5—Identify Each Interface
    Step 6—Let Users Start Connections
    Step 7—Create a Default Route
    Step 8—Permit Ping Access
    Step 9—Store the Image in Flash Memory and Reboot
    Step 10—Check the Configuration
    Step 11—Test Network Connectivity

Continuing:
    Step 12—Add Telnet Console Access
    Step 13—Add Inbound Server Access
    Step 14—Add Outbound Access Lists
    Step 15—Add Static Routes
    Step 16—Enable Syslog
    Step 17—Add AAA User Authentication
    Step 18—Recheck the Configuration

Also view "Advanced Configurations," for information on configuring optional and advanced features.

For IPSec configuration information, refer to the IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2.

Acronyms in this chapter are defined in Appendix B, "Acronyms and Abbreviations." All commands shown in this chapter are explained fully in "Command Reference."

Upgrading from a Previous Version

Before upgrading from a previous version, save your configuration and write down your activation key.

Information for upgrading the failover feature is described in the "Failover" section in "Advanced Configurations."

PIX Firewall displays a warning message if the configuration file (stored in Flash memory) is newer than the PIX Firewall software version currently being loaded. This message warns you of the possibility of unrecognized commands in the configuration file. For example, if you install version 5.1 software when the current version is 5.2, the following message appears at startup:

Configuration Compatibility Warning:
The config is from version 5.2(1).
but the image is version 5.1(1).

In the message, "config" is the version in Flash memory and "image" is the version you are installing.

Step 1—Get a Console Terminal

If the computer you are connecting to runs Windows, the Windows HyperTerminal accessory provides easy-to-use software for communicating with the firewall. If you are using UNIX, refer to your system documentation for a terminal program.

HyperTerminal also lets you cut and paste configuration information from your computer to the firewall console.

Follow these steps to configure HyperTerminal:


Step 1   Connect the serial port of your PC to the console port of the PIX Firewall with the serial cable supplied in the PIX Firewall accessory kit.

Step 2   Locate HyperTerminal by opening the Windows 95 or Windows NT Start menu and clicking Programs>Accessories>HyperTerminal.

Step 3   Double-click the Hypertrm accessory. The New Connection window opens with the smaller Connection Description dialog box in the center.

Step 4   Enter the name of the connection. You can use any name such as PIX Console. Click OK when you are ready to continue.

Step 5   At the Phone Number dialog box, ignore all the fields except "Connect using." In this field, click the arrow at the right to view the choices. Click "Direct to Com 1," unless you are using another serial port. Click OK to continue.

Step 6   At the COM1 Properties dialog box, set the following fields:

Step 7   Click OK to continue.

Step 8   The HyperTerminal window is now ready to receive information from the PIX Firewall console. If the serial cable is connected to the firewall, power on the firewall and you should be able to view the console startup display.

If nothing happens, first wait 60 seconds. The firewall does not send information for about 30 seconds. If messages do not appear after 60 seconds, press the Enter key. If still nothing appears, ensure that the serial cable is attached to COM1 and not to COM2 if your computer is so equipped. If garbage characters appear, ensure that the bits per second setting is 9600.

Step 9   On the File menu, click Save to save your settings.

Step 10   On the File menu, click Exit to exit HyperTerminal. HyperTerminal prompts you to be sure you want to disconnect. Click Yes.



HyperTerminal saves a log of your console session that you can access the next time you use it.

To restart HyperTerminal, double-click the connection name you chose in the HyperTerminal folder. When HyperTerminal starts, drag the scroll bar up to view the previous session.

Step 2—Get the Most Current Software

This section includes the following topics:

If you have a Cisco Connection Online (CCO) login, you can obtain software from the following site:

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

The software available at this site includes the following items:

Get a TFTP Server

You must have a TFTP server to install the PIX Firewall software. If your computer runs the Windows operating system and you have a CCO login, you can download a TFTP server from Cisco from the Web or by FTP.

You can download the server from the Web at the following site:

http://www.cisco.com/cgi-bin/tablebuild.pl/tftp

Follow these steps to download the server by FTP:


Step 1   Start your FTP client and connect to cco.cisco.com. Use your CCO username and password.

Step 2   You can view the files in the main directory by entering the ls command.

Step 3   Enter the cd cisco command to move to the top level software directory. Then enter cd tftp to access the TFTP software directory. Use the ls command to view the directory contents.

Step 4   Use the get command to copy the TFTP executable file to your directory.



The file you download is a self-extracting archive that you can use with Windows 95, Windows 98, or Windows NT version 4.0. Once the file is stored on your Windows system, double-click it to start the setup program. Then follow the prompts that appear to install the server on your system.

The UNIX, Solaris, and LINUX operating systems contain a TFTP server.


Note   Never download a PIX Firewall image earlier than version 4.4 with TFTP. Doing so corrupts the PIX Firewall Flash memory unit and requires special recovery methods that must be obtained from customer support.

Use the following steps to download an image over TFTP using the monitor command:


Step 1   Immediately after you power on the PIX Firewall and the startup messages appear, send a BREAK character or press the Esc (Escape) key.

The monitor> prompt appears.

Step 2   If desired, enter a question mark (?) to list the available commands.

Step 3   Use the address command to specify the IP address of the PIX Firewall unit's interface on which the TFTP server resides.

Step 4   Use the server command to specify the IP address of the host running the TFTP server.

Step 5   Use the file command to specify the filename of the PIX Firewall image. In UNIX, the file needs to be world readable for the TFTP server to access it.

Step 6   If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible.

Step 7   If needed, use the ping command to verify accessibility. Use the interface command to specify which interface the ping traffic should use. If the PIX Firewall has only two interfaces, the monitor command defaults to the inside interface. If this command fails, fix access to the server before continuing.

Step 8   Use the tftp command to start the download.

An example follows:

Rebooting....
PIX BIOS (4.0) #47: Sat May 8 10:09:47 PDT 1999
Platform PIX-520
Flash=AT29C040A @ 0x300
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Flash boot interrupted.
0: i8255X @ PCI(bus:0 dev:13 irq:11)
1: i8255X @ PCI(bus:0 dev:14 irq:10)
Using 1: i82558 @ PCI(bus:0 dev:14 irq:10), MAC: 0090.2722.f0b1
Use ? for help.
monitor> addr 192.168.1.1
address 192.168.1.1
monitor> serv 192.168.1.2
server 192.168.1.2
monitor> file cdisk
file cdisk
monitor> ping 192.168.1.2
Sending 5, 100-byte 0x5b8d ICMP Echoes to 192.168.1.2, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp pix512.bin@192.168.1.2................................
Received 626688 bytes
PIX admin loader (3.0) #0: Mon Aug 7 10:43:02 PDT 1999
Flash=AT29C040A @ 0x300
Flash version 5.1.1, Install version 5.2.1
Installing to flash



TFTP Download Error Codes

During a TFTP download, if tracing is on, non-fatal errors appear in the midst of dots that display as the software downloads. The error code appears inside angle brackets. Table 2-2 lists the code values.

For example, random bad blocks appear as follows:

....<11>..<11>.<11>......<11>...

Also, tracing will show "A" and "T" for ARP and timeouts, respectively. Receipt of non-IP packets causes the protocol number to display inside parentheses.

Table 2-2 lists the TFTP error codes.

Table 2-2   Error Code Numeric Values

Error Code   Description
-1           Timeout between the PIX Firewall and TFTP server.
2            The packet length as received from the Ethernet device was not big enough to be a valid TFTP packet.
3            The received packet was not from the server specified in the server command.
4            The IP header length was not big enough to be a valid TFTP packet.
5            The IP protocol type on the received packet was not UDP, which is the underlying protocol used by TFTP.
6            The received IP packet's destination address did not match the address specified by the address command.
7            The UDP ports on either side of the connection did not match the expected values. This means either the local port was not the previously selected port, or the foreign port was not the TFTP port, or both.
8            The UDP checksum calculation on the packet failed.
9            An unexpected TFTP code occurred.
10           A TFTP transfer error occurred.
-10          The image file name you specified cannot be found. Check the spelling of the filename and that permissions permit the TFTP server to access the file. In UNIX, the file needs to be world readable.
11           A TFTP packet was received out of sequence.

Error codes 9 and 10 cause the download to stop.
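As an added example (not code from the Cisco guide), the following Python parser summarises a monitor TFTP trace of the kind quoted above: it counts the dots, classifies each <n> code against Table 2-2, counts the A/T markers and (n) non-IP protocol numbers, and flags the fatal codes 9 and 10. It assumes the trace is the dotted progress string printed after the tftp command; the second sample trace is constructed.

```python
import re
from collections import Counter

# Error codes and meanings from Table 2-2 (abridged); codes 9 and 10 stop
# the download, every other code is non-fatal and the transfer continues.
ERROR_CODES = {
    -1: "timeout between the PIX Firewall and the TFTP server",
    2: "Ethernet frame too short to be a valid TFTP packet",
    3: "packet not from the host given in the server command",
    4: "IP header length too short for a valid TFTP packet",
    5: "IP protocol was not UDP",
    6: "destination address did not match the address command",
    7: "UDP ports did not match the expected local/TFTP ports",
    8: "UDP checksum failed",
    9: "unexpected TFTP code",
    10: "TFTP transfer error",
    -10: "image file not found (check spelling and that it is world readable)",
    11: "TFTP packet received out of sequence",
}
FATAL_CODES = {9, 10}

# One token per trace element: '.' for a received block, <n> for an error
# code, 'A' for ARP, 'T' for a timeout, (n) for a non-IP packet's protocol.
TOKEN_RE = re.compile(r"\.|<(?P<code>-?\d+)>|\((?P<proto>\d+)\)|[AT]")


def parse_trace(trace):
    """Summarise one TFTP download trace as printed by the monitor.

    Returns a dict with the count of received blocks ('.'), a Counter of
    error codes, the number of ARP and timeout markers, a Counter of non-IP
    protocol numbers, the fatal codes in the order seen, and any codes that
    Table 2-2 does not list.
    """
    summary = {
        "blocks": 0,
        "errors": Counter(),
        "arp": 0,
        "timeouts": 0,
        "non_ip": Counter(),
        "fatal": [],
        "unknown": [],
    }
    for match in TOKEN_RE.finditer(trace):
        token = match.group(0)
        if token == ".":
            summary["blocks"] += 1
        elif token == "A":
            summary["arp"] += 1
        elif token == "T":
            summary["timeouts"] += 1
        elif match.group("proto") is not None:
            summary["non_ip"][int(match.group("proto"))] += 1
        else:
            code = int(match.group("code"))
            summary["errors"][code] += 1
            if code in FATAL_CODES:
                summary["fatal"].append(code)
            elif code not in ERROR_CODES:
                summary["unknown"].append(code)
    return summary


def download_stopped(summary):
    """True when the trace contains a code that aborts the download (9 or 10)."""
    return bool(summary["fatal"])


def report(summary):
    """Render the summary as one line per finding, most serious first."""
    lines = []
    for code in summary["fatal"]:
        lines.append(f"FATAL <{code}>: {ERROR_CODES[code]}; download stopped")
    for code, n in sorted(summary["errors"].items()):
        if code in FATAL_CODES:
            continue
        meaning = ERROR_CODES.get(code, "code not listed in Table 2-2")
        lines.append(f"non-fatal <{code}> x{n}: {meaning}")
    if summary["arp"] or summary["timeouts"]:
        lines.append(f"ARP markers: {summary['arp']}, timeouts: {summary['timeouts']}")
    for proto, n in sorted(summary["non_ip"].items()):
        lines.append(f"non-IP packets with protocol number {proto}: {n}")
    lines.append(f"blocks received: {summary['blocks']}")
    return lines


if __name__ == "__main__":
    # The "random bad blocks" trace quoted in the text, plus a constructed
    # trace that ends in a fatal <9> after an ARP, a timeout and a non-IP packet.
    for trace in ("....<11>..<11>.<11>......<11>...", "..A..T.(2054)..<9>"):
        print(trace)
        for line in report(parse_trace(trace)):
            print("  " + line)
```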

Download the Latest Software from the Web

You can obtain PIX Firewall software by downloading it from Cisco's online web or FTP site. If you are using FTP, refer to the section "Download the Latest Software with FTP."

Before downloading software, you need to have a CCO username and password. If you do not have these, register now at the following site:

http://www.cisco.com/register/

Follow these steps to install the latest PIX Firewall software:


Step 1   Use a network browser, such as Netscape Navigator, to access http://www.cisco.com.

Step 2   If you are a registered CCO user, click LOGIN in the upper area of the page. If you have not registered, click REGISTER and follow the steps to register.

Step 3   After you click LOGIN, a dialog box appears requesting your Username and Password. Enter these and click OK.

Step 4   Access CCO at http://www.cisco.com and log in. Then access the PIX Firewall software downloads at the following site:

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

Step 5   Obtain the software you need. If you have a PIX Firewall unit with a diskette drive, you must obtain the Boothelper binary image file bh512.bin so you can store a PIX Firewall image on a diskette. If you have a PIX 515, you can skip the discussion of the Boothelper diskette.



Download the Latest Software with FTP

Before using FTP, you need to have a CCO username and password. If you do not have these, register now at the following site:

http://www.cisco.com/register/

Once you have registered, set your FTP client for passive mode. If you are not running in passive mode, you can log in and view the Cisco presentation messages, but entering commands will cause your client to appear to suspend execution.

The Windows 95 and Windows NT command line FTP programs do not support passive mode.

Follow these steps to get the most current software with FTP:


Step 1   Start your FTP client and connect to cco.cisco.com. Use your CCO username and password.

Step 2   You can view the files in the main directory by entering the ls command.

Step 3   Enter the cd cisco command to move to the top level software directory. Then enter cd internet and cd pix to access the PIX Firewall software directory. Use the ls command to view the directory contents.

Step 4   Use the get command to copy the proper file to your workstation as described at the start of the current section.

Step 5   If you have not done so already, you can also download a TFTP server for use with Windows by using the cd .. command to return to the internet directory. Then use the cd tftp command to access the TFTP software directory. Use the get command to copy the TFTP executable file to your directory.

Step 6   If you want documentation, use the cd documentation command from the pix directory and copy the files you need to your workstation. Files with the .pdf suffix can be viewed with Adobe Acrobat Reader, which you can download from the following site:

http://www.adobe.com/prodindex/acrobat/readstep.html

Step 7   When you are done, enter quit to exit.



Obtain the Boothelper Binary Image

If your PIX Firewall unit has a diskette drive, you need to obtain the Boothelper binary image file bh521.bin and create a diskette.

This section contains the following topics:

Get the Boothelper Binary Image

Use the following steps to download the Boothelper binary image:


Step 1   Log in to CCO and continue to the PIX Firewall software directory, as described in the previous section, "Download the Latest Software from the Web" or "Download the Latest Software with FTP."

Step 2   Download the bh521.bin Boothelper image from CCO and prepare a diskette as described in the sections that follow.


Note    The Boothelper installation only supports PIX Firewall version 5.1, 5.2, and later. After Boothelper downloads the PIX Firewall image via TFTP, it verifies the checksum of the image. If it is not version 5.1 or later, it displays the message "Checksum verification on flash image failed" and reboots the PIX Firewall.

Step 3   Download the PIX Firewall software binary image file pix521.bin from CCO and store this file in a directory accessible by your TFTP server.



Preparing a Boothelper Diskette With UNIX, Solaris, or LINUX

Follow these steps to prepare a Boothelper diskette:


Step 1   To prepare a UNIX, Solaris, or LINUX TFTP server to provide an image to the PIX Firewall, edit the inetd.conf file to remove the # (comment character) from the start of the "tftp" statement.

Step 2   Use the ps aux | grep inetd command string to determine the process ID of the current inetd process.

Step 3   Use the kill -HUP process_id command to kill the process. The process will restart automatically.

Step 4   Use the dd command to create the Boothelper diskette for the PIX Firewall unit. For example, if the diskette device name is rd0, use the following command:

dd bs=18b if=./bh510.bin of=/dev/rd0

This command copies the binary file to the output device file with a block size of 18 blocks.


Note    The diskette may have a name other than rd0 on some UNIX systems.

Step 5   Eject the diskette, insert it in the PIX Firewall diskette drive, and power cycle the unit. Alternately, if available, use your unit's Reset switch, or enter the reload command from the PIX Firewall console. The PIX Firewall then boots from the new diskette.



Preparing a Boothelper Diskette on a Windows System

Follow these steps to create the Boothelper diskette from a Windows system:


Step 1   Locate an IBM formatted diskette that does not contain useful files. Do not use the PIX Firewall boot diskette that came with your original PIX Firewall purchase—you will need this diskette for system recovery should you need to downgrade versions.

Step 2   Enter rawrite at the MS-DOS command prompt and you are prompted for the name of the .bin binary file, the output device (a: or b: for a 3.5-inch diskette), and to insert a formatted diskette. A sample rawrite session follows:

C:\pix> rawrite
RaWrite 1.2 - Write disk file to raw floppy diskette
Enter source file name: bh512.bin
Enter destination drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :
Number of sectors per track for this disk is 18
Writing image to drive A:. Press ^C to abort.
Track: 78 Head: 1 Sector: 16
Done.
C:\pix>

Ensure that the binary filename is in the "8.3" character format (8 characters before the dot; 3 characters after the dot).

Step 3   When you are done, eject the diskette, insert it in the PIX Firewall diskette drive, and power cycle the unit. Alternately, if available, use your unit's Reset switch, or enter the reload command from the PIX Firewall console. The PIX Firewall then boots from the new diskette.



Use Boothelper to Download an Image


Note   When using Boothelper to upgrade the PIX Firewall image over a Token Ring interface, the interface must be in the same subnet as the TFTP server. If the Token Ring interface is on a different subnet (connected through a router), use the copy tftp flash command from the CLI prompt to perform the upgrade.

Follow these steps to use the Boothelper diskette to download an image from a TFTP server:


Step 1   Download a PIX Firewall image from CCO (Cisco Connection Online) and store it on the host running the TFTP server.

Step 2   Start the TFTP server on the remote host and point the TFTP server to the directory containing the PIX Firewall image. On the Cisco TFTP Server, access the View>Options menu and enter the name of the directory containing the image in the TFTP server root directory field.

Step 3   Connect a console to the PIX Firewall and ensure that it is ready.

Step 4   Put the Boothelper diskette you prepared in the PIX Firewall and reboot it. When the PIX Firewall starts, the pixboothelper> prompt appears.

Step 5   You can now enter commands to download the binary image from the TFTP server. In most cases, you need only specify the address, server, and file commands, and then enter the tftp command to start the download. The commands are as follows:

    a. If needed, use a question mark (?) or enter the help command to list the available commands.

    b. Use the address command to specify the IP address of the network interface on which the TFTP server resides.

    c. Use the server command to specify the IP address of the host running the TFTP server.

    d. Use the file command to specify the filename of the PIX Firewall image.

    e. If needed, use the gateway command to specify the IP address of a router gateway through which the server is accessible.

    f. If needed, use the ping command to verify accessibility. If this command fails, fix access to the server before continuing. You can use the interface command to specify which interface the ping traffic should use. The Boothelper defaults to interface 1.

    g. Use the tftp command to start the download.

Step 6   After the image downloads, you are prompted to install the new image. Enter y.

Step 7   When you are prompted, enter your activation key.

Step 8   After you enter your activation key, PIX Firewall prompts you to remove the Boothelper diskette. You have 30 seconds to remove the diskette. During this time you have three options:

    a. Remove the diskette and reboot the unit with the reboot switch.

    b. Use the reload command while the diskette is in the unit.

    c. After the interval, the PIX Firewall will automatically boot from the Boothelper diskette.

After Boothelper downloads the PIX Firewall image via TFTP, it verifies the checksum of the image. If it is not version 5.1 or later, it displays the message "Checksum verification on flash image failed" and reboots the PIX Firewall.

Keep the Boothelper diskette available for future upgrades. You will need to repeat these steps whenever you download an image to your PIX Firewall unit. Alternatively, you can use the copy tftp flash command to download an image directly from the PIX Firewall command line.



Step 3—Configure Network Routing

Read this section before configuring the PIX Firewall to help you make decisions for configuring network routing.

This section includes the following topics:

Routing directs the flow of packets through a network. A default route specifies the router to which packets are sent when the destination address is not known.

A router stores the paths through the network, known as routes. If a router does not have a route to the destination in its routing table, it passes the packet to its default router, which knows routes for the larger network. The packet is checked against the routes in that router. If no route is found, it is sent to another router with a still larger view of the network. This process repeats, with the packet passed from one router to the next, until it reaches the correct destination.

Preparing Routers to Work with the PIX Firewall

Once you have configured the PIX Firewall, you need to configure the other devices that interact with it. The most important of these are the routers, or switches if they have routing capability. The instructions that follow assume that the routers are from Cisco.

Follow these steps to prepare the routers to work with the PIX Firewall:


Step 1   Connect a computer to the console port of the router that connects to the outside interface of the PIX Firewall. If you are using a Windows PC, you can use the HyperTerminal program with the router as well. You will need to know the username and password for the router.

Step 2   At the PIX Firewall, access configuration mode by entering the configure terminal command.

Step 3   Also at the PIX Firewall, clear the ARP cache. Use the clear arp command. Then enter Ctrl-Z to exit configuration mode.

Step 4   Connect to the router on the inside of the PIX Firewall and access configuration mode.

Step 5   From the router, set the default route to the inside interface of the PIX Firewall with the following Cisco IOS software command:

ip route 0.0.0.0 0.0.0.0 pix_inside_interface_ip_address

Step 6   While still at the router, enter the show ip route command and make sure that the PIX Firewall interface is listed as the "gateway of last resort."

Step 7   From the router, clear the ARP cache with the clear arp command. Then enter Ctrl-Z to exit configuration mode.

Step 8   From the router, if you changed the default route, use the write memory command to store the configuration in Flash memory. The clear arp command will make the new default gateway usable by the router.

Step 9   Connect to other routers on each perimeter interface and repeat the commands in Steps 5 through 8 for each router.

Step 10   If you have routers on networks subordinate to the routers that connect to the PIX Firewall's interfaces, configure them so that their default routes point to the router connected to the PIX Firewall and then clear their ARP caches as well.



Setting a Default Route for Each Host

Each host on the same subnet as the inside or perimeter interfaces must have its default route pointing to the PIX Firewall.

This section includes the following topics:

Setting a Solaris or SunOS Default Route

If the host is a Solaris or SunOS workstation, you can determine the default route with this command:

netstat -nr

With root permissions, edit the /etc/defaultrouter file to point the default route at the PIX Firewall and then reboot the workstation so that the information is usable.

Setting a LINUX Default Route

On LINUX systems, use the netstat -r command to view the routing table including the default route.

With root permissions, use the following command to set the default route:

route add default gw IP_address_of_next_host

Replace IP_address_of_next_host with the IP address of the next host.

Setting a Windows 95 and Windows 98 Default Route

You can view the default route by clicking Start>Run and entering this command:

winipcfg

To change the default route, click Start>Settings>Control Panel and double-click the Network item.

Select the TCP/IP entry from the list of installed network components and click Properties. The default route is on the Gateway tab.

Setting a Windows NT Default Route

You can view the default route from the Command Prompt by entering the ipconfig command. You can access the Command Prompt by clicking Start>Programs>Command Prompt.

Follow these steps to change the default gateway in Windows NT:


Step 1   Click the Protocols tab.

Step 2   In the Network Protocols window, click TCP/IP Protocol, and click Properties.

Step 3   In the Microsoft TCP/IP Properties window, click the IP Address tab.

Step 4   Click Advanced. The default gateway IP address appears in the Gateways window. If the gateway is not the address of the PIX Firewall interface to which the server is connected, select the gateway address and click Remove.

Step 5   Click Add and enter the IP address for the PIX Firewall interface.

Step 6   After you exit from the menus, Windows will prompt you to restart your computer. Click Yes.



Setting a MacOS Default Route

On MacOS 7.5 and later, you can view the default route from the Apple menu>Control Panels>TCP/IP window. You can also set the default route from this window.

Step 4—Start Configuring PIX Firewall

Before continuing, view "Command Line Guidelines" in "Introduction," for information on how to specify ports and protocols, terminology, and other useful PIX Firewall facts.

When you start your PIX Firewall for the first time or load a new PIX Firewall boot disk, the configuration comes with many of the commands you need to get started. The configuration you first receive is known as the default configuration and is described in more detail in "Introduction."

You can use the write terminal command to view your configuration at any time. Use the write memory command frequently to save your configuration to Flash memory.

Before you configure the PIX Firewall, sketch out a network diagram with IP addresses that you will assign to the PIX Firewall and those of routers on each interface. If you have more than two interfaces in the PIX Firewall, note the security level for each interface. Security levels are set with the nameif command described in "Step 5—Identify Each Interface."

Locate the following IP addresses:

Go to the PIX Firewall Configuration Mode

Follow these steps to initially configure the PIX Firewall:


Step 1   Start your terminal emulation program.

Step 2   Power on the PIX Firewall. On newer models, the switch is at the back, on older models, at the front.

Step 3   If you are configuring a PIX 515 and your site downloads configuration images from a central source with TFTP, look for the following prompt in the startup messages:

Use BREAK or ESC to interrupt flash boot.

PIX Firewall holds this prompt for 10 seconds. To download an image, press the Escape key to start boot mode. If you are not downloading an image, ignore the prompt or press the Space bar to start immediately and PIX Firewall starts normally.

Step 4   After the startup messages appear, you are prompted with the following unprivileged mode prompt:

pixfirewall>

Enter enable and press the Enter key.

Step 5   The following prompt appears:

Password:

Press the Enter key.

Step 6   You are now in privileged mode. The following prompt appears:

pixfirewall#

Enter the configure terminal command and press Enter. You are now in configuration mode.



Step 5—Identify Each Interface

On new installations, PIX Firewall provides names for each interface, which you can view with the show nameif command. If you want to provide alternative names, use the nameif command to do so.

For new installations, PIX Firewall requires that you enable the use of each interface you intend to use with the interface command.

You need to specify a unique IP address for each interface you want to use with the ip address command.

Before deciding how to identify each interface, you should be sure you have the best network connected to meet your needs. Refer to the section "Deciding How to Use Multiple Interfaces" in "Introduction."

Refer to the Installation Guide for the Cisco Secure PIX Firewall Version 5.2 for a description of the various configurations that can occur depending on in which slot a 4-port card resides. Using a PIX 515 or PIX 520 changes how the unit determines how each network connects to the PIX Firewall.

This section includes the following topics:

The nameif Command

The PIX Firewall default configuration supplies nameif commands for the inside, outside and perimeter interfaces. Use the show nameif command to view these commands. An example nameif command follows:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 perimeter security50

Note   With the 5.2 software release, it is no longer necessary to use ethernet1 as the inside network port and ethernet2 as the outside network port. Any port, whether fixed or a PCI expansion port, and any interface type, FDDI, Token Ring, Fast Ethernet, or Gigabit Ethernet, can be assigned to be the inside or outside network port.

An example nameif command follows:

nameif ethernet2 perimeter security50

If you make a mistake or want to replace a command you entered, enter the new version of the command, instead of first removing the old version, as is required for other PIX Firewall commands. For example, if you accidentally enter the following command:

nameif ethernot2 permetter security50

Reenter the corrected command as follows:

nameif ethernet2 perimeter security50

The nameif commands that need to be entered, if any, are determined by how many network interface cards are in your PIX Firewall.

Use the sections that follow depending on the number of interface cards:

Two-Interface PIX Firewall

If you have only two interfaces, you do not need to enter any further information for the nameif command and can now proceed to the next command for your configuration.

Three or More Interfaces in the PIX Firewall

PIX Firewall provides nameif commands for all interfaces. The inside interface default name is "inside" and the outside interface default name is "outside." Any perimeter interface default names are "intfn," such as "intf2" for the first perimeter interface, "intf3" for the second perimeter interface, and so on to the last interface. The number in the intf string corresponds to the interface card's position in the PIX Firewall. You can use the default names or give each interface a more meaningful name.

The format for the nameif command is as follows:

nameif hardware_id interface security_level

where:

    hardware_id is the hardware name of the interface, such as ethernet0 or token0.

    interface is the name you assign to the interface, such as inside, outside, or a perimeter interface name such as intf2 or perimeter.

    security_level is the interface's security level, such as security0 for the outside interface and security100 for the inside interface; perimeter interfaces take a level between these two.

If you have both Ethernet and Token Ring cards, the third and fourth interfaces' hardware_id names differ depending on the interface type. For example, if you have an Ethernet interface on the outside, a Token Ring on the inside, and an Ethernet interface as the third interface, and another Token Ring as the fourth interface, the interfaces would be named ethernet0, token0, ethernet1, and token1.

If one of the Ethernet cards is a 4-port card, the Ethernet names change to correspond to the slot in which the card resides. However, the Token Ring card names stay the same. For example, if slot 0 has a single-port Ethernet card, slot 1 has a 4-port card, and slot 2 has a Token Ring card, the interfaces would be named as follows:

You can abbreviate the hardware_id name with any significant letters, such as e0 for ethernet0 or t0 for token0.

If you are configuring PIX Firewall for the first time, the default security levels for perimeter interfaces start with security10 for intf2 (the default name for the first perimeter interface), security15 for intf3, security20 for intf4, and security25 for intf5.

To let hosts on a higher security level interface access a lower security interface, you use the nat command. Because of its higher security level, hosts on that interface can access the other perimeter interfaces and the outside interface through the nat command.

The ip address Command

Assign an ip address command to each interface in your PIX Firewall that connects to the network. For unused interfaces, PIX Firewall assigns the address 127.0.0.1 (the local host address) and a subnet mask of 255.255.255.255, which does not permit traffic to flow through the interface. The 127.0.0.1 address is the Internet address for the local host and is not used by any Internet site.

The format for the ip address command is as follows:

ip address inside ip_address netmask
ip address outside ip_address netmask

Replace ip_address with the IP address you specify for the interface. The IP addresses that you assign must be unique for each interface—do not use an address you previously used for routers, hosts, or with any other PIX Firewall command, such as an IP address in the global pool or for a static.

Replace netmask with the network mask for the IP address; for example, use 255.0.0.0 for a Class A address (addresses that begin with 1 to 127), 255.255.0.0 for a Class B address (128 to 191), and 255.255.255.0 for a Class C address (192 and higher). Do not use 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.

If subnetting is in use, use the subnet in the mask; for example, 255.255.255.228.


Note   Always specify a network mask with the ip address command. If you let PIX Firewall assign a network mask based on the IP address, you may not be permitted to enter subsequent IP addresses if another interface's address is in the same range as the first address. For example, if you specify an inside interface address of 10.1.1.1 without specifying a network mask and then try to specify 10.1.2.2 for a perimeter interface, PIX Firewall displays the error message, "Sorry, not allowed to enter IP address on same network as interface n." To fix this problem, reenter the first command specifying the correct network mask.

Use the show ip command to view the commands you entered. If you make a mistake while entering a command, reenter the same command with new information.

An example ip address command follows:

ip address inside 192.168.1.1 255.255.255.0

If you are using subnetting, enter a network mask applicable to the subnet. Refer to Appendix D, "Subnet Masking and Addressing" to ensure that the IP address you pick for each interface is correct for the subnet.

The interface Command

If you have Ethernet interfaces in the PIX Firewall, the default configuration provides interface commands for all interfaces. If your PIX Firewall has Gigabit Ethernet, FDDI, or Token Ring interfaces, refer to the interface command page in "Command Reference" for configuration information.


Note   All interfaces in a new configuration are shut down by default and need to be explicitly enabled for use.

Upgraded configurations from a previous PIX Firewall version are not affected by this new feature.

The format for this command follows:

interface hardware_id hardware_speed [shutdown]

where:

    hardware_id is the hardware name of the interface, such as ethernet0 or token0.

    hardware_speed is the interface speed, such as auto or 10baset for Ethernet and 16mbps for Token Ring, as shown in the examples in this section.

    shutdown disables the interface.

In a new configuration, the default interface commands shut down every interface, for example:

interface ethernet0 auto shutdown
interface ethernet1 auto shutdown
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown

For each interface you intend to operate, reenter the command without the shutdown option. The following example enables the first three interfaces and leaves the last interface shut down:

interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset

Use the write terminal command to view the configuration and locate the interface command information. If you make a mistake while entering an interface command, reenter the same command with new information.

Examples of the interface command are as follows:

interface ethernet0 10baset
interface token0 16mbps

Step 6—Let Users Start Connections

As described in the section, "Step 5—Identify Each Interface," the nameif command assigns a security level to each interface. For interfaces with a higher security level, such as the inside interface or a perimeter interface relative to the outside interface, use the nat and global commands to let users on the higher security interface access a lower security interface. For the opposite direction, from lower to higher, you use the access-list command described in the section "Step 13—Add Inbound Server Access."

As you enter the nat and global commands to let users start connections, you can use the show nat or show global commands to list the existing commands. If you make a mistake, remove the old command with the no form of the command, specifying all the options of the first command. This is where a terminal with cut and paste capability is useful. After you use show global, you can cut the old command, enter no and a space on the command line, paste the old line in, and press the Enter key to remove it.

As you enter and debug each command, consider how your network addressing affects server access, global pools, authentication, routing, and starting connections. If you need to disable NAT, use the nat 0 command. Refer to the nat command page in "Command Reference" for how to disable NAT.

Follow these steps to let users on a higher security level interface start connections:


Step 1   Use the show nameif command to view the security level of each interface.

Step 2   Make a simple sketch of your network with each interface and its security level as shown in Figure 2-1.


Figure 2-1   Sketching Interfaces and Security Levels


Step 3   Add a nat command statement for each higher security level interface from which you want users to start connections to interfaces with lower security levels:

    a. To let inside users start connections on any lower security interface, use the nat (inside) 1 0 0 command.

    b. To let dmz4 users start connections on any lower security interface such as dmz3, dmz2, dmz1, or the outside, use the nat (dmz4) 1 0 0 command.

    c. To let dmz3 users start connections on any lower security interface such as dmz2, dmz1, or the outside, use the nat (dmz3) 1 0 0 command.

    d. To let dmz2 users start connections on any lower security interface, such as dmz1 or outside, use the nat (dmz2) 1 0 0 command.

    e. To let dmz1 users start connections to the outside, use the nat (dmz1) 1 0 0 command.

Instead of specifying "0 0," to let all hosts start connections, you can specify a host or a network address and mask.

For example, to let only host 192.168.2.42 start connections on the dmz2 interface, you could specify the following:

nat (dmz2) 1 192.168.2.42 255.255.255.255

The "1" after the interface specifier is the NAT ID. You can use one ID for all interfaces, and the PIX Firewall sorts out which nat command statement pertains to which global command statement on which interface, or you can specify a unique NAT ID to limit access to a specific interface. Remember that the nat command opens access to all lower security level interfaces, so if you want users on the inside to access the perimeter interfaces as well as the outside, use one NAT ID for all interfaces. If you only want inside users to access the dmz1 interface but not the outside interface, use unique NAT IDs for each interface.

The NAT ID in the nat command must be the same NAT ID you use for the corresponding global command.

NAT ID 0 means to disable Network Address Translation.

Step 4   Add a global command statement for each lower security interface to which you want users to have access; for example, on the outside, dmz1, and dmz2. The global command creates a pool of addresses that translated connections pass through.

There must be enough global addresses to handle the number of users on each interface that may try to access the lower security interface. You can specify a single PAT (Port Address Translation) address, which permits up to 65,535 hosts to use a single IP address. PAT has some restrictions in its use, for example it cannot support H.323 or caching nameserver use, so you may want to use it to augment a range of global addresses rather than as your sole global address.

For example:

global (outside) 1 209.165.201.5 netmask 255.255.255.224
global (outside) 1 209.165.201.10-209.165.201.20 netmask 255.255.255.224

The first global command statement specifies a single IP address, which the PIX Firewall interprets as a PAT. You can also specify PAT using the IP address of the interface itself with the interface keyword. The PAT lets up to 65,535 hosts start connections to the outside. PIX Firewall permits one PAT global command statement for each interface. The second global command statement augments the pool of global addresses on the outside interface. The PAT address is used only when all addresses in the second global command statement are in use. This minimizes the exposure of PAT in the event users need to use H.323 applications.

global (dmz1) 1 192.168.1.10-192.168.1.100 netmask 255.255.255.0
global (dmz2) 1 192.168.2.10-192.168.2.100 netmask 255.255.255.0

The global command statement for dmz1 lets users on the inside, dmz2, dmz3, and dmz4 start connections on the dmz1 interface.

The global command statement for dmz2 lets users on the inside, dmz3, and dmz4 start connections on the dmz2 interface.

If you use network subnetting, specify the subnet mask with the netmask option. Refer to Appendix D, "Subnet Masking and Addressing" for more information on subnetting.
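As an added example (not part of the Cisco documentation or the PIX software), the following Python script checks a PIX configuration fragment against the rules stated in Step 5 and Step 6: an omitted netmask falls back to the classful default and can put a later interface on the "same network as interface n", and every nat statement needs a global statement with the same NAT ID on an interface of lower security level. The sample configuration, the interface names and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample (not from the page): inside lacks a netmask, so the classful
# default 255.0.0.0 swallows dmz1's network, and NAT ID 2 pairs dmz1 with a global on inside.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
ip address outside 209.165.201.1 255.255.255.224
ip address inside 10.1.1.1
ip address dmz1 10.1.2.2 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
nat (inside) 1 0 0
nat (dmz1) 2 0 0
global (outside) 1 209.165.201.5 netmask 255.255.255.224
global (inside) 2 192.168.1.10-192.168.1.100 netmask 255.255.255.0
"""

def classful_mask(ip):
    first = int(ip.split(".")[0])  # Class A below 128, Class B below 192, else Class C
    return "255.0.0.0" if first < 128 else "255.255.0.0" if first < 192 else "255.255.255.0"

def lint_pix(config):
    """Return findings for the nameif, ip address, nat and global rules of Steps 5 and 6."""
    findings, levels, nets, nat_ids, global_ids = [], {}, {}, {}, {}
    for line in config.strip().splitlines():
        w = line.split()
        if w[0] == "nameif":
            levels[w[2]] = int(w[3].replace("security", ""))
        elif w[:2] == ["ip", "address"] and w[3] != "127.0.0.1":  # 127.0.0.1 = unused interface
            name, ip = w[2], w[3]
            mask = w[4] if len(w) > 4 else classful_mask(ip)
            if len(w) == 4:
                findings.append(f"{name}: no netmask given, PIX assumes {mask}")
            net = ipaddress.ip_interface(f"{ip}/{mask}").network
            for other, onet in nets.items():
                if onet.overlaps(net):  # the "same network as interface n" error
                    findings.append(f"{name}: {ip}/{mask} overlaps interface {other}")
            nets[name] = net
        elif w[0] in ("nat", "global"):
            table = nat_ids if w[0] == "nat" else global_ids
            table.setdefault(int(w[2]), set()).add(w[1].strip("()"))
    for nid, sources in nat_ids.items():
        if nid != 0 and nid not in global_ids:  # nat 0 disables NAT and needs no global
            findings.append(f"nat id {nid}: no global command uses this NAT ID")
        for s in sources:
            for d in global_ids.get(nid, ()):
                if levels.get(d, 0) >= levels.get(s, 0):
                    findings.append(f"nat id {nid}: global on {d} (security{levels[d]}) is not below {s} (security{levels[s]})")
    return findings
```

Running lint_pix(SAMPLE_CONFIG) reports the missing inside netmask, the resulting overlap with dmz1, and the NAT ID 2 global placed on a higher security interface than its nat statement.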

You can track usage among different subnets by mapping different internal subnets to different PAT addresses.

For example:

nat (inside) 1 10.1.0.0 255.255.0.0
nat (inside) 2 10.1.1.1 255.255.0.0