Foundation Topics

Access Modes

The Cisco PIX Firewall contains a command set based on Cisco IOS® Software technologies that provides three administrative access modes:
Chapter 4, "System Management/Maintenance."

Configuring the PIX Firewall

Six important commands are used to produce a basic working configuration for the PIX Firewall: interface, nameif, ip address, nat, global, and route. Before you use these commands, it can prove very useful to draw a diagram of your Cisco PIX Firewall with the different security levels, interfaces, and Internet Protocol (IP) addresses. Figure 6-1 shows one such diagram that is used for the discussion in this chapter.

Figure 6-1. Documenting Cisco PIX Firewall Security Levels, Interfaces, and IP Addresses

interface Command

The interface command identifies the interface hardware card, sets the speed of the interface, and enables the interface, all in one command. All interfaces on a Cisco PIX Firewall are shut down by default and are explicitly enabled by the interface command. The basic syntax of the interface command is as follows: Table 6-2 describes the command parameters for the interface command. Example 6-1 shows some examples of the interface command:

Example 6-1. Sample Configuration for the interface Command
nameif Command

As the name intuitively indicates, the nameif command is used to name an interface and assign a security value from 1 to 99. The outside and inside interfaces are named by default and have default security values of 0 and 100, respectively. By default, the interfaces have their hardware ID: Ethernet 0 is the outside interface, and Ethernet 1 is the inside interface. The names that are configured by the nameif command are user-friendly and are easier to use for advanced configuration later.

Note: The nameif command can also be used to assign security values of 0 and 100. The names "inside" and "outside" are merely reserved for security levels 100 and 0, respectively, and are assigned by default, but they can be changed.

The syntax of the nameif command is as follows: Table 6-3 describes the command parameters for the nameif command.
Example 6-2. Sample Configuration for the nameif Command

The security-level value controls how hosts/devices on the different interfaces interact with each other. By default, hosts/devices connected to higher-security interfaces can access hosts/devices connected to lower-security interfaces. Hosts/devices connected to lower-security interfaces cannot access hosts/devices connected to higher-security interfaces without the assistance of access lists. You can verify your configuration by using the show nameif command.

ip address Command

All the interfaces on the Cisco PIX Firewall that will be used must be configured with an IP address. The IP address can be configured manually or through Dynamic Host Configuration Protocol (DHCP). The DHCP feature is usually used on Cisco PIX Firewall small office/home office (SOHO) models. DHCP is discussed later in this chapter.

The ip address command is used to configure IP addresses on the PIX interfaces. The ip address command binds a logical address (IP address) to the hardware ID. Table 6-4 describes the parameters for the ip address command, the syntax of which is as follows:
Example 6-3 shows configuration of the inside interface with an IP address of 10.10.10.14/24:

Example 6-3. Sample Configuration for the ip address Command

Use the show ip command to view the configured IP address on the PIX interface.

nat Command

The nat (Network Address Translation) command lets you dynamically translate a set of IP addresses (usually on the inside) to a global set of IP addresses.

Note: PIX Version 6.2 and later support bidirectional translation of inside network IP addresses to global IP addresses and translation of outside IP addresses to inside network IP addresses.

The nat command is always paired with a global command, with the exception of the nat 0 command. Table 6-5 describes the command parameters for the nat command, the syntax of which is as follows:
Example 6-4. Sample Configuration for the nat Command

Chapter 5, "Understanding Cisco PIX Firewall Translation and Connection," discusses NAT in greater detail.

Configuring Port Address Translation

Port Address Translation (PAT) can be configured using the same command as Network Address Translation (NAT). PAT maps a single global IP address to many local addresses. PAT extends the range of available outside addresses at your site by dynamically assigning unique port numbers to the outside address as a connection is requested. A single IP address has up to 65,535 ports available for making connections. For PAT, the port number uniquely identifies each connection.

PAT translates a group of local addresses to a single global IP address with a unique source port (above 1024). When a local host accesses the destination network, the Firewall services module assigns it the global IP address and then a unique port number. Each host receives the same IP address, but because the source port numbers are unique, the responding traffic, which includes the IP address and port number as the destination, can be assigned to the correct host. It is highly unlikely that you would run out of addresses in a PAT configuration because there are more than 64,000 ports available.

PAT enables you to use a single global address, thus conserving routable addresses. You can even use the actual IP address of the destination interface as the PAT IP address (this type of configuration is commonly used on, but not limited to, the outside interface).

In large enterprise environments, to use NAT you must have a large number of routable addresses in the global pool. If the destination network requires registered addresses, such as the Internet, you might encounter a shortage of usable addresses. This can be a disadvantage. PAT does not work with applications that have an inbound data stream on one port and the outgoing control path on another, such as multimedia applications. For those situations, it is more advantageous to use NAT. Example 6-5 shows a sample configuration for PAT.

Example 6-5. Sample Configuration for Configuring PAT on the Inside Interface
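The port-assignment behaviour described above (one global address, a unique source port per session, the original source port kept when it is free and otherwise the first free port from the start of the range, and entries aging out after the default 3-hour xlate timeout) is easier to reason about with a small model. The following Python translator is an added example, not code from the book or from Cisco; the global address 192.168.1.10, the host addresses and the clock values are constructed, and the port range 1025-65535 is my reading of "above 1024".

```python
"""Toy model of PIX-style PAT: one global IP, unique mapped port per session.

Added example; not the PIX implementation. Addresses and times are constructed.
"""
from dataclasses import dataclass

XLATE_TIMEOUT = 3 * 3600  # seconds; mirrors the default "timeout xlate 3:00:00"


@dataclass
class Xlate:
    local: tuple        # (local ip, local port)
    mapped_port: int    # source port seen on the global side
    last_used: float    # simulated clock value of the last packet


class PatTranslator:
    def __init__(self, global_ip, port_range=(1025, 65535), timeout=XLATE_TIMEOUT):
        self.global_ip = global_ip
        self.low, self.high = port_range      # assumption: "above 1024" means 1025 upward
        self.timeout = timeout
        self.by_local = {}    # (proto, local ip, local port) -> Xlate
        self.by_mapped = {}   # (proto, mapped port) -> Xlate

    def expire(self, now):
        """Drop translation slots idle for at least the xlate timeout."""
        for key, x in list(self.by_local.items()):
            if now - x.last_used >= self.timeout:
                del self.by_local[key]
                del self.by_mapped[(key[0], x.mapped_port)]

    def _pick_port(self, proto, wanted):
        # Keep the original source port when it is free ...
        if self.low <= wanted <= self.high and (proto, wanted) not in self.by_mapped:
            return wanted
        # ... otherwise scan from the beginning of the range for the first free port.
        for port in range(self.low, self.high + 1):
            if (proto, port) not in self.by_mapped:
                return port
        raise RuntimeError("PAT port range exhausted")

    def translate(self, proto, src_ip, src_port, now):
        """Outbound packet: return (global ip, mapped port), creating a slot if needed."""
        self.expire(now)
        key = (proto, src_ip, src_port)
        x = self.by_local.get(key)
        if x is None:
            port = self._pick_port(proto, src_port)
            x = Xlate((src_ip, src_port), port, now)
            self.by_local[key] = x
            self.by_mapped[(proto, port)] = x
        x.last_used = now
        return self.global_ip, x.mapped_port

    def untranslate(self, proto, mapped_port, now):
        """Returning packet: map the global-side port back to (local ip, local port)."""
        self.expire(now)
        x = self.by_mapped.get((proto, mapped_port))
        return None if x is None else x.local


if __name__ == "__main__":
    pat = PatTranslator("192.168.1.10")
    print(pat.translate("tcp", "10.10.10.5", 1025, 0.0))   # keeps port 1025
    print(pat.translate("tcp", "10.10.10.6", 1025, 1.0))   # 1025 taken, gets 1026
    print(pat.untranslate("tcp", 1026, 2.0))               # back to 10.10.10.6:1025
```

Because the reply is matched on the mapped port alone, two inside hosts can share the global address without ambiguity; the model also shows why a protocol that opens a second inbound stream on a port the firewall never allocated (the multimedia case above) has no slot to land in.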
global Command

The global command is used to define the address or range of addresses into which the addresses defined by the nat command are translated. It is important that the nat-id be identical to the nat-id used in the nat command. The nat-id pairs the IP address defined by the global and nat commands so that network translation can take place. The syntax of the global command is as follows: Table 6-6 describes the parameters and options for the global command.
PAT assigns a unique source port for each User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) session. It attempts to assign the same port value as the original request, but if the original source port has already been used, PAT starts scanning from the beginning of the particular port range to find the first available port and then assigns it to the conversation. PAT has some restrictions in its use. For example, it cannot support H.323. Example 6-6 shows a configuration using a range of global IP addresses and a single IP address for PAT.

Example 6-6. Sample Configuration for NAT and PAT

When a host or device tries to start a connection, the PIX Firewall checks the translation table to see whether there is an entry for that particular IP address. If there is no existing translation, a new translation slot is created. The default time that a translated IP address is kept in the translation table is 3 hours. You can change this with the timeout xlate hh:mm:ss command. To view the translated addresses, use the show xlate command.

route Command

The route command tells the Cisco PIX Firewall where to send information that is forwarded on a specific interface and that is destined for a particular network address. You add static routes to the PIX using the route command. Table 6-7 describes the route command parameters, the syntax of which is as follows: Example 6-7 shows a default route configuration on a Cisco PIX Firewall:

Example 6-7. Default Route of 192.168.1.3

Note: On the PIX Firewall, only one default route is permitted.

The 1 at the end of the route indicates that the gateway router is only one hop away. If a metric is not specified in the route command, the default is 1. You can configure only one default route on the PIX Firewall. It is good practice to use the clear arp command to clear the ARP cache of the PIX Firewall before testing your new route configuration.
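To tie the six basic commands together, here is an added Python example (not from the book and not Cisco code) that parses a constructed PIX-style configuration and checks the rules the sections above state: every named interface needs an ip address, every nat-id other than 0 must be paired with a global carrying the same nat-id, only one default route is permitted, and by default traffic passes only from a higher security level to a lower one. The inside address 10.10.10.14/24 and the gateway 192.168.1.3 come from this chapter; the outside and dmz addresses and the dmz security level are assumptions made for the sample.

```python
"""Hypothetical checker for a PIX 6.x basic configuration (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: inside 10.10.10.14/24 and gateway 192.168.1.3 are from the
# chapter; outside/dmz addresses and dmz security50 are assumed for illustration.
# The dmz nat-id 2 deliberately has no matching global line.
SAMPLE_CONFIG = """
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.10.10.14 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0
nat (dmz) 2 172.16.1.0 255.255.255.0
global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
"""


@dataclass
class PixConfig:
    interfaces: dict = field(default_factory=dict)      # if-name -> security level
    addresses: dict = field(default_factory=dict)       # if-name -> (ip, mask)
    nat_ids: dict = field(default_factory=dict)         # nat-id -> [if-names]
    global_ids: dict = field(default_factory=dict)      # nat-id -> [if-names]
    default_routes: list = field(default_factory=list)  # [(if-name, gateway)]


def parse_config(text):
    """Pick out nameif / ip address / nat / global / route lines; ignore the rest."""
    cfg = PixConfig()
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        cmd = parts[0]
        if cmd == "nameif":                       # nameif <hw-id> <if-name> security<level>
            level = re.fullmatch(r"security(\d+)", parts[3])
            cfg.interfaces[parts[2]] = int(level.group(1))
        elif cmd == "ip" and parts[1] == "address":
            if parts[3] == "dhcp":                # ip address <if-name> dhcp [setroute]
                cfg.addresses[parts[2]] = ("dhcp", None)
            else:                                 # ip address <if-name> <ip> <mask>
                cfg.addresses[parts[2]] = (parts[3], parts[4])
        elif cmd == "nat":                        # nat (<if-name>) <nat-id> <net> <mask>
            cfg.nat_ids.setdefault(int(parts[2]), []).append(parts[1].strip("()"))
        elif cmd == "global":                     # global (<if-name>) <nat-id> ...
            cfg.global_ids.setdefault(int(parts[2]), []).append(parts[1].strip("()"))
        elif cmd == "route" and parts[2] == "0.0.0.0" and parts[3] == "0.0.0.0":
            cfg.default_routes.append((parts[1], parts[4]))
    return cfg


def validate(cfg):
    """Return a list of problems; an empty list means the basic rules hold."""
    problems = []
    for name, level in cfg.interfaces.items():
        if not 0 <= level <= 100:
            problems.append(f"{name}: security level {level} out of range 0-100")
        if name not in cfg.addresses:
            problems.append(f"{name}: no ip address configured")
    for nat_id in cfg.nat_ids:
        if nat_id != 0 and nat_id not in cfg.global_ids:
            problems.append(f"nat id {nat_id} has no matching global command")
    if len(cfg.default_routes) > 1:
        problems.append("more than one default route configured")
    return problems


def allowed_by_default(cfg, src_if, dst_if):
    """Default policy: higher security level to lower passes; the reverse needs an access list."""
    return cfg.interfaces[src_if] > cfg.interfaces[dst_if]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(validate(cfg))                               # flags the unpaired nat id 2
    print(allowed_by_default(cfg, "inside", "dmz"))    # True
    print(allowed_by_default(cfg, "outside", "inside"))  # False
```

The checker is intentionally strict about nat/global pairing: a nat line whose nat-id has no global is the most common reason a freshly built PIX passes no traffic at all, and catching it before loading the configuration is cheaper than reading show xlate afterwards.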
Routing Information Protocol

The Routing Information Protocol (RIP) can be enabled to build the Cisco PIX Firewall routing table. RIP configuration specifies whether the PIX updates its routing tables by passively listening to RIP traffic and whether the interface broadcasts itself as a default route for network traffic on that interface. When using RIP version 2 with PIX software versions earlier than 5.3, it is important to configure the router providing the RIP updates with the network address of the PIX interface. The default version is 1 if not explicitly specified. The syntax to enable RIP is as follows: Table 6-8 describes the rip command parameters.
Testing Your Configuration

Making sure that the configuration you entered works is an important part of the configuration process. At this point you test basic connectivity from the inside interface out to the other interfaces. Use the ping and debug commands to test your connectivity.

The ping command sends an Internet Control Message Protocol (ICMP) echo request message to the target IP address and expects an ICMP echo reply. By default, the PIX denies all inbound traffic through the outside interface. Based on your network security policy, you should consider configuring the PIX to deny all ICMP traffic to the outside interface, or any other interface you deem necessary, by entering the icmp command. The icmp command controls ICMP traffic that terminates on the PIX. If no ICMP control list is configured, the PIX accepts all ICMP traffic that terminates at any interface (including the outside interface). For example, when you first configure the PIX, it is a good idea to be able to ping an interface and get a response. The following makes that possible for the outside interface:

The icmp permit any any outside command is used during the testing/debugging phase of your configuration process. Make sure that you change it so it does not respond to ping requests after you complete testing. It is a security risk to leave it set to accept and respond to ICMP packets.

After the icmp permit command has been configured, you can ping the outside interface on your Cisco PIX Firewall and ping from hosts on each firewall interface. For example: You also can monitor ping results by starting debug icmp trace.

Saving Your Configuration

Configuration changes that you have made stay in the random access memory (RAM) of the PIX Firewall unless you save them to Flash memory. If for any reason the PIX must be rebooted, the configuration changes you made are lost. So, when you finish entering commands in the configuration, save the changes to Flash memory by using the write memory command, as follows:

Note: There is one obvious advantage of not having configuration changes committed to Flash memory immediately. For example, if you make a configuration change that you cannot back out from, you simply reboot and return to the settings you had before you made the changes.

You are now finished configuring the Cisco PIX Firewall. This basic configuration lets protected network users start connections and prevents users on unprotected networks from accessing (or attacking) protected hosts. Use the write terminal or show running-config command to view your current configuration.

Support for Domain Name System Messages

PIX Firewall fully supports NAT and PAT of Domain Name System (DNS) messages originating from either a more secure interface or a less secure interface. This means that if a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A record is translated correctly. To illustrate this point, Figure 6-2 shows a user from inside obtaining DNS resolution from the outside (maybe from an Internet service provider) for a web server on the inside.

Figure 6-2. User Obtaining DNS Resolution from the Outside

Configuring Dynamic Host Configuration Protocol on the Cisco PIX Firewall

The Cisco PIX Firewall can be configured as either of the following:
Using the PIX Firewall Dynamic Host Configuration Protocol Server

The DHCP server is usually used in, but not limited to, SOHO environments. The address pool of a PIX Firewall DHCP server must be within the same subnet as the PIX Firewall interface that is enabled, and you must specify the associated PIX Firewall interface with if-name. In other words, the client must be physically connected to the subnet of a PIX Firewall interface. The size of the pool is limited to 32 addresses with a 10-user license and 128 addresses with a 50-user license on the PIX 501. The unlimited user license on the PIX 501 and all other PIX Firewall platforms supports 256 addresses. To configure DHCP on the PIX, use the dhcpd command. The following is the syntax for the dhcpd command: Table 6-9 describes the different dhcpd command parameters.
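The constraints just listed (pool inside the interface subnet, pool size capped by license: 32 for the PIX 501 10-user license, 128 for the 50-user license, 256 for unlimited and all other platforms) can be checked before the dhcpd address line is typed in. The following Python checker is an added example, not the book's or Cisco's code; the interface address 10.10.10.14/24 is the one used in this chapter, the pool ranges are constructed, and the license keys used to index the limit table are my own labels.

```python
"""Validate a 'dhcpd address <low>-<high> <if-name>' pool against the interface subnet
and the licensed pool size. Added example; license labels are assumptions."""
import ipaddress

# Pool limits stated in the chapter. Keys are my own labels, not PIX license names.
POOL_LIMITS = {"501-10user": 32, "501-50user": 128, "unlimited": 256}


def check_dhcpd_pool(if_ip, if_mask, pool_low, pool_high, license_key):
    """Return a list of problems for the proposed pool; empty means it is acceptable."""
    problems = []
    iface = ipaddress.ip_interface(f"{if_ip}/{if_mask}")
    net = iface.network
    low = ipaddress.ip_address(pool_low)
    high = ipaddress.ip_address(pool_high)

    if high < low:
        return ["pool end is before pool start"]

    # Clients must sit on the subnet of the interface the server is enabled on.
    if low not in net or high not in net:
        problems.append(f"pool {low}-{high} not within interface subnet {net}")

    # Handing out the firewall's own address or the network/broadcast address
    # produces duplicate-address faults rather than working clients.
    if low <= iface.ip <= high:
        problems.append(f"pool includes the interface address {iface.ip}")
    if low == net.network_address or high == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")

    size = int(high) - int(low) + 1
    limit = POOL_LIMITS[license_key]
    if size > limit:
        problems.append(f"pool size {size} exceeds license limit {limit}")
    return problems


if __name__ == "__main__":
    # Constructed: 32-address pool on the chapter's inside interface, 10-user license.
    print(check_dhcpd_pool("10.10.10.14", "255.255.255.0",
                           "10.10.10.20", "10.10.10.51", "501-10user"))   # []
    print(check_dhcpd_pool("10.10.10.14", "255.255.255.0",
                           "10.10.10.20", "10.10.10.52", "501-10user"))   # size 33 > 32
```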
Configuring the PIX Firewall Dynamic Host Configuration Protocol Client

DHCP client support on the Cisco PIX Firewall is designed for use in SOHO environments in which Digital Subscriber Line (DSL) and cable modems are used. The DHCP client can be enabled only on the outside interface of the PIX Firewall. When the DHCP client is enabled, DHCP servers on the outside provide the outside interface with an IP address.

Note: The DHCP client does not support failover configuration.

The DHCP client feature on the PIX Firewall is enabled by the ip address dhcp command: The setroute option tells the Cisco PIX Firewall to set its default route using the default gateway parameter that the DHCP server returns. Do not configure a default route when using the setroute option.

Note: ip address dhcp is used to release and renew the outside interface's IP address.

To view current information about the DHCP lease, enter the following command: The partial configuration in Example 6-8 demonstrates how to use three new features that are associated with each other: DHCP server, DHCP client, and PAT using the interface IP address, to configure a PIX Firewall in a SOHO environment with the inside interface as the DHCP server:

Example 6-8. Sample Configuration for the dhcpd Command
Configuring Time Settings on the Cisco PIX Firewall

The PIX obtains its time setting information in two ways:
Network Time Protocol

The Network Time Protocol (NTP) is used to implement a hierarchical system of servers that provide a source for a precise synchronized time among network systems. It is important to maintain a consistent time throughout all network devices, such as servers, routers, and switches. When analyzing network events, logs are an important source of information. Analyzing and troubleshooting network events can be difficult if there is a time inconsistency between network devices on the network. Furthermore, some time-sensitive operations, such as validating certificates and certificate revocation lists (CRLs), require precise time stamps.

Cisco PIX Firewall Version 6.2 and later enable you to obtain the system time from NTP version 3 servers. The syntax to enable an NTP client on the PIX Firewall is as follows: Table 6-10 describes the parameters of the ntp command.
Note: NTP uses port 123 for communication.

The ntp authenticate command enables NTP authentication and refuses synchronization with an NTP server unless the server is configured with one of the authentication keys specified using the ntp trusted-key command.

The ntp authentication-key command is used to define authentication keys for use with other NTP commands to provide a higher degree of security. The number parameter is the key number (1 to 4294967295). The md5 option is the encryption algorithm. The value parameter is the key value (an arbitrary string of up to 32 characters).

The ntp trusted-key command is used to define one or more key numbers that the NTP server is required to provide in its NTP packets for the PIX Firewall to accept synchronization with that NTP server. The Cisco PIX Firewall requires the NTP server to provide this key number in its NTP packets, which provides protection against synchronizing the PIX system clock with an NTP server that is not trusted.

NTP configuration on the PIX can be verified and viewed by using the following show commands:
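The interplay of ntp authenticate, ntp authentication-key and ntp trusted-key is clearer when the check is written out. NTP version 3 symmetric-key authentication appends a 4-byte key identifier and an MD5 digest of the shared key followed by the 48-byte NTP header to each packet; the receiver recomputes the digest with the key it holds under that identifier and accepts the packet only if the identifier is in its trusted list and the digests match. The following Python verifier is an added example, not PIX code; the header bytes and the key strings are constructed, and the header itself is a minimal NTPv3 server-mode stub rather than a real time sample.

```python
"""NTPv3 symmetric-key MD5 authentication check, modelled on the PIX commands:
ntp authentication-key (auth_keys), ntp trusted-key (trusted_keys), ntp authenticate.
Added example, not the firewall's implementation; keys and header are constructed."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTPv3 header
MAC_LEN = 4 + 16      # key identifier + MD5 digest


def ntp_mac(key_id, key, header):
    """Authenticator = key id (32-bit big-endian) || MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


def sign_packet(header, key_id, key):
    """What a server configured with the key would send: header plus authenticator."""
    return header + ntp_mac(key_id, key, header)


def verify_packet(packet, auth_keys, trusted_keys, authenticate=True):
    """Return True only if the packet passes the PIX-style acceptance rules.

    auth_keys:    {key id: key bytes}   (ntp authentication-key ... md5 ...)
    trusted_keys: set of key ids        (ntp trusted-key ...)
    authenticate: whether 'ntp authenticate' is enabled
    """
    if len(packet) == NTP_HEADER_LEN:
        # Unauthenticated packet: acceptable only when authentication is disabled.
        return not authenticate
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    # A key that is defined but not trusted, or not defined at all, is refused.
    if key_id not in trusted_keys or key_id not in auth_keys:
        return False
    expected = ntp_mac(key_id, auth_keys[key_id], header)
    return hmac.compare_digest(expected, mac)


# Constructed sample data: LI=0, VN=3, mode=4 (server) followed by zeroed fields.
SAMPLE_HEADER = bytes([0x1C]) + bytes(47)
SAMPLE_KEYS = {1: b"pix-ntp-key-1", 2: b"pix-ntp-key-2"}   # constructed, not real keys

if __name__ == "__main__":
    pkt = sign_packet(SAMPLE_HEADER, 1, SAMPLE_KEYS[1])
    print(verify_packet(pkt, SAMPLE_KEYS, {1}))   # True: key 1 defined and trusted
    print(verify_packet(pkt, SAMPLE_KEYS, {2}))   # False: key 1 defined but not trusted
```

Note that the trusted-key list, not the mere existence of the key, decides acceptance: defining a key with ntp authentication-key and forgetting ntp trusted-key leaves the firewall refusing every authenticated server, which shows up in show ntp associations as a peer that never reaches synchronization.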
To remove the NTP configuration, use the clear ntp command.

PIX Firewall System Clock

The second method of configuring the time setting on the PIX Firewall is by using the system clock. The system clock is usually set when you answer the initial setup interview question when you are configuring a new Cisco PIX Firewall. You can change it later using the clock set command: Three characters are used for the month parameter. The year is a four-digit number. For example, to set the time and date to 17:51 and 20 seconds on April 9, 2003, you would enter the following:

Note: The system clock, unlike NTP, is not synchronized with other network devices.

Cisco PIX Firewall Version 6.2 includes improvements to the clock command. The clock command now supports daylight saving (summer) time and time zones. To configure daylight saving time, enter the following command: Table 6-11 describes the parameters for the clock command.
The following clock summer-time command specifies that summer time starts on the first Sunday in April at 2 A.M. and ends on the last Sunday in October at 2 A.M.: You can check your clock configuration by simply entering the show clock command, as shown in Example 6-9:

Example 6-9. show clock Sample Output
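A recurring summer-time rule such as "first Sunday in April at 2:00 through last Sunday in October at 2:00" resolves to different calendar dates every year, and whether a given log timestamp fell inside summer time matters when events from the firewall are correlated with devices that use NTP. The following Python functions are an added example (not from the book or from Cisco) that resolve the rule above for a year and test a local timestamp against it; the rule tuple is my own representation of the week/day/month/time fields of the clock summer-time recurring form, and the 2003 dates used below are derived from the calendar, with the clock set example of April 9, 2003 from the previous section used as the sample timestamp.

```python
"""Resolve a recurring summer-time rule (first/last <weekday> of <month> at hh:mm)
to concrete dates. Added example; the rule tuple layout is an assumption."""
import calendar
from datetime import datetime

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
MONTHS = {abbr: i for i, abbr in enumerate(calendar.month_abbr) if abbr}

# Representation of "recurring 1 Sun Apr 2:00 last Sun Oct 2:00" used in this chapter:
# ((start week, start day, start month, start time), (end week, end day, end month, end time))
CHAPTER_RULE = (("1", "Sun", "Apr", "2:00"), ("last", "Sun", "Oct", "2:00"))


def nth_weekday(year, month_abbr, weekday_abbr, which):
    """Day of month for the 1st..4th ('1'..'4') or 'last' given weekday."""
    month = MONTHS[month_abbr]
    wanted = WEEKDAYS[weekday_abbr]
    days_in_month = calendar.monthrange(year, month)[1]
    matches = [d for d in range(1, days_in_month + 1)
               if datetime(year, month, d).weekday() == wanted]
    return matches[-1] if which == "last" else matches[int(which) - 1]


def summer_time_bounds(year, rule):
    """(start, end) local datetimes at which summer time begins and ends in 'year'."""
    (sw, sd, sm, st), (ew, ed, em, et) = rule
    start = datetime(year, MONTHS[sm], nth_weekday(year, sm, sd, sw), *map(int, st.split(":")))
    end = datetime(year, MONTHS[em], nth_weekday(year, em, ed, ew), *map(int, et.split(":")))
    return start, end


def in_summer_time(local_dt, rule):
    """True when the (standard-time) timestamp falls inside the summer-time window."""
    start, end = summer_time_bounds(local_dt.year, rule)
    return start <= local_dt < end


if __name__ == "__main__":
    print(summer_time_bounds(2003, CHAPTER_RULE))
    # The chapter's clock set example, 17:51:20 on April 9, 2003, is inside the window.
    print(in_summer_time(datetime(2003, 4, 9, 17, 51, 20), CHAPTER_RULE))   # True
```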
Configuring Login Banners on the PIX Firewall

PIX Firewall Version 6.3 introduces support for message-of-the-day (MOTD), EXEC, and login banners, similar to the feature included in Cisco IOS Software. Banner size is limited only by available system memory or Flash memory.

You can create a message as a warning for unauthorized use of the firewall. In some jurisdictions, civil and/or criminal prosecution of crackers who break into your system is made easier if you have incorporated a warning banner that informs unauthorized users that their attempts to access the system are in fact unauthorized. In other jurisdictions, you may be forbidden to monitor the activities of even unauthorized users unless you have taken steps to notify them of your intent to do so. One way of providing this notification is to put the information into a banner message configured with the PIX banner command.

Legal notification requirements are complex and vary in each jurisdiction and situation. Even within jurisdictions, legal opinions vary, and this issue should be discussed with your own legal counsel. In cooperation with counsel, you should consider which of the following information should be put into your banner:
From a security, rather than a legal, point of view, your login banner usually should not contain any specific information about your router, its name, its model, what software it is running, or who owns it; such information may be abused by crackers.

The banner messages can be displayed when a user enters privileged EXEC mode, upon line activation, on an incoming connection to a virtual terminal, or as a message of the day. To create a banner message, use the following command: Table 6-12 describes the parameters of the banner command.
Example 6-10. A Sample Configuration of the banner Command

To replace a banner, use the no banner command before adding the new lines. The no banner {exec | login | motd} command removes all the lines for the banner option specified; it does not selectively delete text strings. The clear banner command removes all the banners.

Sample PIX Configuration

Example 6-11 shows sample output for a PIX configuration. Included are some of the commands discussed in this chapter.

Example 6-11. Sample PIX Configuration