Task 1: Basic Configuration for the Cisco PIX Firewall
Figure 20-2.Table 20-1. PIX Interface Information for HQ | Interface Name | Hardware ID | Interface IP Address | Interface Speed |
|---|
| Outside | Ethernet0 | 192.168.1.2 | 100full | | Inside | Ethernet1 | 10.10.10.1 | 100full | | DMZ | Ethernet2 | 172.16.31.1 | 100full | | Failover | Ethernet3 | 1.1.1.1 | 100full |
Basic Configuration Information for HQ-PIX
Table 20-1 lists the physical interfaces of the Cisco PIX Firewall that is installed in the Reston headquarters. This table includes the interface name, physical interface ID, assigned address, and speed/duplex.Table 20-2 shows what routing information needs to be configured on the PIX. Note that the only route required is the default route. No specific routes are defined on the firewall.Table 20-2. PIX Routing Information for HQ | Interface Name | Destination Network IP Address | Network Mask | Gateway (Router) IP Address |
|---|
| Outside | 0.0.0.0 | 0.0.0.0 | 192.168.1.1 |
Table 20-3 shows which outside addresses or address ranges are available for the global address pool. Remember that the global addresses are used in conjunction with the nat command to assign the addresses to which the PIX is translating (this is not the original source but the translated source).Table 20-3. Recording Global IP Information for HQ | Interface Name | NAT ID Number | Bringing of IP Address Range | End of IP Address Range |
|---|
| Outside | 1 | 192.168.1.12 | 192.168.1.150 | | Outside | 1 | 192.168.1.152 | | | DMZ | 1 | 172.16.31.12 | 172.16.31.100 |
Table 20-4 shows which Internet Protocol (IP) addresses or network segments are to be translated (into the global addresses) as they pass through the firewall.Table 20-4. NAT IP Information for HQ | Interface Name | NAT ID Number | Network Address | Network Mask for This Address |
|---|
| Inside | 1 | 10.10.10.0 | 255.255.255.0 | | DMZ | 1 | 172.16.31.0 | 255.255.255.0 |
Table 20-5 shows static IP address mapping for resources that are accessed from the outside (public) network. The static IP address is the address that is configured on the individual server, and the host IP address is the IP address that the PIX uses when answering for the server.Table 20-5. Static IP Address Mapping Information for HQ | Interface on Which the Host Resides | Interface Name Where the Global Address Resides | Static IP Address | Host IP Address | Description |
|---|
| DMZ | Outside | 192.168.1.4 | 172.16.31.4 | Mail server | | DMZ | Outside | 192.168.1.5 | 172.16.31.5 | Web server | | DMZ | Outside | 192.168.1.6 | 172.16.31.6 | FTP server |
Example 20-1 shows the individual configuration commands for all the items documented in Tables 20-1 through 20-5.Example 20-1. Firewall Configuration for the Reston Headquarters
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security80
nameif ethernet3 failover security90
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
ip address inside 10.10.10.1 255.255.255.0
ip address outside 192.168.1.2 255.255.255.0
ip address DMZ 172.16.31.1 255.255.255.0
ip address failover 1.1.1.1 255.255.255.0
hostname HQ-PIX
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 192.168.1.12-192.168.1.150 netmask 255.255.255.0
global (outside) 1 192.168.1.152 netmask 255.255.255.0
global (DMZ) 1 172.16.31.12-172.16.31.100 netmask 255.255.255.0
static (DMZ,outside) 192.168.1.4 172.16.31.4 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.5 172.16.31.5 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.6 172.16.31.6 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1
Basic Configuration Information for MN-PIX
Tables 20-6 through 20-9 provide the information needed to configure the PIX Firewall at the Minneapolis office.Table 20-6. PIX Interface Information for Minneapolis | Interface Name | Hardware ID | Interface IP Address | Interface Speed |
|---|
| Outside | Ethernet0 | 192.168.2.2 | 100full | | Inside | Ethernet1 | 10.20.10.1 | 100full |
Table 20-6 shows information about the physical interfaces on the PIX Firewall.Table 20-7 depicts which routes need to be configured on the PIX Firewall in the Minneapolis office.Table 20-7. Routing Information for the Minneapolis PIX | Interface Name | Destination Network IP Address | Network Mask | Gateway (Router) IP Address |
|---|
| Outside | 0.0.0.0 | 0.0.0.0 | 192.168.2.1 |
Table 20-8 lists the global IP addresses or address ranges that are used in conjunction with Network Address Translation (NAT) for translation purposes.Table 20-8. Global IP Address Information for the Minneapolis PIX | Interface Name | NAT ID Number | Beginning of IP Address Range | End of IP Address Range |
|---|
| Outside | 1 | 192.168.2.12 | 192.168.2.250 | | Outside | 1 | 192.168.2.252 | |
Table 20-9 lists which addresses are dynamically translated on the PIX Firewall.Table 20-9. NAT IP Address Information for the Minneapolis PIX | Interface Name | NAT ID Number | Network Address | Network Mask for This Address |
|---|
| Inside | 1 | 10.20.10.0 | 255.255.255.0 |
Example 20-2 depicts the individual configuration commands for each of the items listed in Tables 20-6 through 20-9.Example 20-2. Firewall Configuration for the Minneapolis Office
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
ip address inside 10.20.10.1 255.255.255.0
ip address outside 192.168.2.2 255.255.255.0
hostname MN-PIX
nat (inside) 1 10.20.10.0 255.255.255.0
global (outside) 1 192.168.2.12-192.168.2.250 netmask 255.255.255.0
global (outside) 1 192.168.2.252 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.2.1
Basic Configuration Information for HOU-PIX
Tables 20-10 through 20-13 provide the information needed to configure the PIX Firewall in the Houston office.Table 20-10. Interface Information for the Houston PIX | Interface Name | Hardware ID | Interface IP Address | Interface Speed |
|---|
| Outside | Ethernet0 | 192.168.3.2 | 100full | | Inside | Ethernet1 | 10.30.10.1 | 100full |
Table 20-10 shows information about the physical interfaces of the Cisco PIX Firewall.Table 20-11 depicts which routes need to be configured on the PIX Firewall in the Houston office.Table 20-11. Routing Information for the Houston PIX | Interface Name | Destination Network IP Address | Network Mask | Gateway (Router) IP Address |
|---|
| Outside | 0.0.0.0 | 0.0.0.0 | 192.168.3.1 |
Table 20-12 lists the global IP addresses or address ranges that are used in conjunction with NAT for translation purposes.Table 20-12. Global IP Address Information for the Houston PIX | Interface Name | NAT ID Number | Beginning of IP Address Range | End of IP Address Range |
|---|
| Outside | 1 | 192.168.3.12 | 192.168.3.250 | | Outside | 1 | 192.168.3.252 | |
Table 20-13 lists which addresses are dynamically translated on the PIX Firewall.Table 20-13. NAT IP Address Information for the Houston PIX | Interface Name | NAT ID Number | Network Address | Network Mask for This Address |
|---|
| Inside | 1 | 10.30.10.0 | 255.255.255.0 |
Example 20-3 depicts the individual configuration commands for each of the items listed in Tables 20-10 through 20-13.Example 20-3. Firewall Configuration for the Houston Office
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
ip address inside 10.30.10.1 255.255.255.0
ip address outside 192.168.3.2 255.255.255.0
hostname HOU-PIX
nat (inside) 1 10.30.10.0 255.255.255.0
global (outside) 1 192.168.3.12-192.168.3.250 netmask 255.255.255.0
global (outside) 1 192.168.3.252 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.3.1
 |
لطفا منتظر باشید ...
