Foundation and Supplemental Topics

General Routing Principles

Although your PIX Firewall is not a router, it does need to provide certain routing and switching functionality. Whenever your PIX Firewall processes valid traffic, it must determine which interface provides the correct path to the destination network. It may also have to tag the traffic for the appropriate VLAN. Not only can your PIX Firewall route valid traffic, you can also configure it to forward multicast traffic. Sending multicast traffic to a multicast group address enables multiple systems to receive a data stream that otherwise would have to be sent to each individual system. This chapter focuses on the following three features that enable your PIX Firewall to effectively route and switch traffic:
Ethernet VLAN Tagging

To pass traffic between the different virtual LANs (VLANs) on your switched network, Ethernet packets can be tagged with a VLAN identifier that indicates the VLAN to which the traffic belongs. Ethernet tagging enables you to pass traffic for different VLANs across the same Layer 2 interface. The following sections explain how to use Ethernet VLAN tagging with your PIX Firewall.

Understanding VLANs

At the Ethernet layer, you can partition your network using VLANs. These VLANs limit the scope of broadcast traffic on your network because each VLAN represents an individual broadcast domain. By dividing your switched network using VLANs, you improve the security of your network by limiting the scope of broadcast traffic that is vital for the operation of your network, such as Address Resolution Protocol (ARP) traffic and Dynamic Host Configuration Protocol (DHCP) traffic.

Understanding Trunk Ports

Usually, you configure a switch port as a member of a specific VLAN. This automatically associates all of the regular Ethernet traffic received on that port with that VLAN. Sometimes, however, you may want a single port to receive traffic from multiple VLANs. A switch port that accepts traffic from multiple VLANs is known as a trunk port. To differentiate between the different VLANs, each packet is tagged with a specific VLAN identifier. This identifier tells the switch to which VLAN the traffic needs to be forwarded. By using trunk lines on your switch, your PIX Firewall can send and receive traffic from multiple VLANs using only a single physical interface.

Understanding Logical Interfaces

Your PIX Firewall has a limited number of physical interfaces. This limits the number of Layer 3 networks to which the PIX Firewall can be directly connected. If you use VLANs to segment your network into smaller broadcast domains, each of these VLANs represents a different Layer 3 network.
By using logical interfaces, you can accommodate multiple VLANs by using trunk lines on your switch ports and configuring multiple logical interfaces on a single physical interface on your PIX Firewall. Logical interfaces overcome the physical interface limitation by enabling a single physical interface to handle multiple logical interfaces. Table 9-2 shows the maximum number of interfaces allowed using a restricted license, while Table 9-3 shows the maximum number of interfaces allowed for an unrestricted license.
Note VLANs are not supported on the PIX 501 and PIX 506/506E.

Note The maximum number of logical interfaces that you can use is equal to the total number of interfaces available minus the total number of physical interfaces that you currently have configured on your PIX Firewall.

Unique VLAN tags differentiate the traffic to each logical interface. Currently, the PIX Firewall supports configuring multiple 802.1Q VLANs on a physical port and the ability to send and receive 802.1Q tagged packets. The PIX Firewall does not perform any trunk negotiations or participate in bridging protocols. To create a logical interface on the PIX Firewall, you use the interface command, the syntax for which is as follows:

interface hardware-id vlan-id [ physical | logical ] [ shutdown ]

The parameters for the interface command are shown in Table 9-4.
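To make the tagging mechanism concrete, the following is an added example (not code from the book or from the PIX itself) that builds and parses 802.1Q-tagged Ethernet frames and then maps each frame to the logical interface it would belong to. The sample configuration (native VLAN 30 on the physical interface, logical interfaces for VLANs 40 through 42) and the rule that an untagged frame, or a frame tagged with the native VLAN, belongs to the physical interface are constructed assumptions of this model, as is the decision to drop frames carrying a VLAN ID that has no configured interface.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that announces an 802.1Q tag

# Constructed sample configuration: physical interface carries native VLAN 30,
# three logical interfaces are bound to VLAN IDs 40, 41 and 42.
SAMPLE_CONFIG = {
    "native_vlan": 30,
    "native_name": "Ethernet0 (physical, vlan30)",
    "logical": {40: "vlan40", 41: "vlan41", 42: "vlan42"},
}


def _mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; when vlan_id is given, insert an 802.1Q tag
    between the source MAC and the EtherType."""
    header = _mac(dst_mac) + _mac(src_mac)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        # TCI = 3-bit priority (PCP), 1-bit DEI (left clear), 12-bit VLAN ID
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the addressing, VLAN ID (None if untagged), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0xFFF, 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan": vlan_id,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def classify(frame, config=SAMPLE_CONFIG):
    """Map a received frame to the configured (physical or logical) interface.
    Returns None when the VLAN ID has no interface, i.e. the frame is dropped."""
    vid = parse_frame(frame)["vlan"]
    if vid is None or vid == config["native_vlan"]:
        return config["native_name"]
    return config["logical"].get(vid)


if __name__ == "__main__":
    # Constructed sample traffic: an IPv4 EtherType with a stub payload.
    tagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, b"\x45\x00", vlan_id=41, pcp=5)
    untagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, b"\x45\x00")
    print(parse_frame(tagged)["vlan"], classify(tagged))      # 41 vlan41
    print(parse_frame(untagged)["vlan"], classify(untagged))  # None Ethernet0 (physical, vlan30)
```

The classifier is the security-relevant part: a VLAN ID that was never bound to an interface gets no interface and is discarded, so a trunk carrying more VLANs than the firewall was configured for cannot silently deliver that traffic into a security level.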
Suppose that interface Ethernet0 on your PIX Firewall is connected to VLAN 30 and that you want to configure three logical interfaces on that same physical interface for VLAN 40 through VLAN 42. The commands to accomplish this are as follows:

pix515a(config)# interface Ethernet0 vlan30 physical
pix515a(config)# interface Ethernet0 vlan40 logical
pix515a(config)# interface Ethernet0 vlan41 logical
pix515a(config)# interface Ethernet0 vlan42 logical

Note The VLAN assigned to the physical interface represents the native VLAN. You do not need to assign a VLAN to the physical interface to assign logical interfaces to an interface.

Managing VLANs

After you create your logical interfaces, you also need to assign the following parameters to each logical interface:
Using the nameif command, you can assign an interface name and a security level to a logical interface. The syntax for the nameif command is as follows:

nameif { hardware-id | vlan-id } interface-name security-level

Table 9-5 shows the parameters for the nameif command.
Finally, you complete your logical interface configuration by assigning an IP address to the logical interface. To assign an IP address to an interface, you use the ip address command. The syntax for this command is as follows:

ip address interface-name ip-address

Note The interface-name corresponds to the name that you assigned with the nameif command.

IP Routing

At the IP layer, your PIX Firewall routes traffic based on the IP addresses in the network traffic. It does not provide all the functionality of a router, but it does enable you to define the following two types of routes:
Static Routes

Static routes are manually configured routes that do not frequently change. They essentially direct your PIX Firewall to send traffic destined for a specific network to a specific router that has connectivity to the destination network. Static routes are perhaps best explained by using a network example. Figure 9-1 illustrates a simple network configuration with hosts on both the 10.10.10.0 and 10.10.20.0 networks.

Figure 9-1. Static Routes

When you configure the inside interface on the PIX Firewall with a Class C address of 10.10.10.1, the PIX Firewall automatically creates a route that enables it to send traffic for the 10.10.10.0 network to the inside interface (identified by the keyword CONNECT when viewing the routes). The PIX Firewall may also receive traffic for the host whose IP address is 10.10.20.10. By default, if the PIX Firewall receives traffic for 10.10.20.10, it will not know where to send it. To enable the PIX Firewall to know where to send traffic for 10.10.20.10, you can configure a static route using the route command. The syntax for the route command is as follows:

route interface-name destination-ip netmask gateway [ metric ]

The parameters for the route command are explained in Table 9-6. Using the network in Figure 9-1, you can define a static route for the 10.10.20.0 network using the following command:

pix515a(config)# route inside 10.
Instead of using the address of a gateway router when you are configuring a static route, you can specify the IP address of one of the PIX Firewall's own interfaces. When you create a route in this manner, the PIX Firewall does not have a destination IP address to which to send the traffic. Therefore, the PIX Firewall broadcasts an ARP request on the specified interface to determine the address to which to send the traffic. Any router that has a route to the destination address can generate a proxy ARP (using its own interface's Ethernet address), enabling the PIX Firewall to update its ARP cache with an entry for the IP address of the traffic. The PIX Firewall uses this proxy ARP to then send the traffic to the router that has a route to the destination IP address.

Note Although you can configure the PIX Firewall to generate an ARP request to determine the destination address to which to send traffic, this configuration is not recommended. ARP is an unauthenticated protocol, and this configuration can pose a security risk.

Static routes are stored in your PIX Firewall configuration and restored when your PIX Firewall is reloaded. To view the routes on your PIX Firewall, you use the show route command. This command displays all the routes in the PIX Firewall's routing table, as shown in Example 9-1.

Example 9-1. Output of the show route Command

pix515a# show route
intf5 0.

The static routes with the keyword CONNECT indicate routes that are automatically created when you define the IP address for an interface. The routes with the OTHER keyword indicate static routes that have been manually entered. Sometimes you may want to remove the static routes that you have already configured. You can do this using the clear route command.

Note You can also remove individual routes by placing the no keyword in front of the original command used to create the static route.
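The following is an added example (not code from the book or from the PIX) that models the routing table described above: interface addresses produce CONNECT routes, the route command produces OTHER routes, the no form removes one route, and lookups use the longest matching prefix. The gateway 10.10.10.2 for the 10.10.20.0 network, the outside address 192.0.2.2/24 and the default gateway 192.0.2.1 are constructed sample values, because the book's own route command is truncated here. The model also flags the case the Note warns about, where the configured gateway is one of the firewall's own interface addresses and the next hop would have to be resolved with an unauthenticated ARP exchange.

```python
import ipaddress


class RouteTable:
    """Minimal model of a PIX-style routing table with CONNECT and OTHER routes."""

    def __init__(self):
        self.routes = []       # list of route dicts
        self.interfaces = {}   # interface name -> ip_interface

    def add_interface(self, name, ip_with_prefix):
        """'ip address' on an interface: creates the CONNECT route for its subnet."""
        iface = ipaddress.ip_interface(ip_with_prefix)
        self.interfaces[name] = iface
        self.routes.append({"network": iface.network, "interface": name,
                            "gateway": iface.ip, "metric": 1, "kind": "CONNECT"})

    def add_static(self, interface, dest, mask, gateway, metric=1):
        """'route interface dest mask gateway [metric]': creates an OTHER route."""
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        self.routes.append({"network": network, "interface": interface,
                            "gateway": ipaddress.ip_address(gateway),
                            "metric": metric, "kind": "OTHER"})

    def remove_static(self, interface, dest, mask, gateway):
        """'no route interface dest mask gateway': removes one OTHER route."""
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gw = ipaddress.ip_address(gateway)
        before = len(self.routes)
        self.routes = [r for r in self.routes if not (
            r["kind"] == "OTHER" and r["network"] == network
            and r["interface"] == interface and r["gateway"] == gw)]
        return before - len(self.routes)

    def clear_routes(self):
        """'clear route': drops all manually entered (OTHER) routes."""
        self.routes = [r for r in self.routes if r["kind"] == "CONNECT"]

    def lookup(self, destination):
        """Longest-prefix match; lower metric wins among equal prefixes."""
        addr = ipaddress.ip_address(destination)
        candidates = [r for r in self.routes if addr in r["network"]]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))

    def next_hop(self, destination):
        """Return (interface, gateway, needs_proxy_arp) or None when unroutable.
        needs_proxy_arp is True when the gateway is the firewall's own interface
        address, i.e. the next hop would be learned from an unauthenticated ARP reply."""
        route = self.lookup(destination)
        if route is None:
            return None
        own = self.interfaces.get(route["interface"])
        needs_arp = own is not None and route["gateway"] == own.ip and route["kind"] == "OTHER"
        return route["interface"], str(route["gateway"]), needs_arp

    def show_route(self):
        """Text listing in the spirit of 'show route'."""
        lines = []
        for r in self.routes:
            lines.append(f"{r['interface']} {r['network'].network_address} "
                         f"{r['network'].netmask} {r['gateway']} {r['metric']} {r['kind']}")
        return "\n".join(lines)


def sample_table():
    """Constructed scenario based on Figure 9-1 plus a constructed outside/default route."""
    rt = RouteTable()
    rt.add_interface("inside", "10.10.10.1/24")
    rt.add_interface("outside", "192.0.2.2/24")
    rt.add_static("inside", "10.10.20.0", "255.255.255.0", "10.10.10.2")
    rt.add_static("outside", "0.0.0.0", "0.0.0.0", "192.0.2.1")
    return rt


if __name__ == "__main__":
    rt = sample_table()
    print(rt.show_route())
    print(rt.next_hop("10.10.20.10"))   # ('inside', '10.10.10.2', False)
```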
Dynamic Routes

Besides creating static routes manually, the PIX Firewall also supports some dynamic routing functionality. Dynamic routes are created based on routing protocols that automatically add entries into the PIX Firewall's routing table. The PIX Firewall supports the following two different routing protocols, but only one can be active on a single PIX Firewall:

The PIX Firewall can learn new routes based on the RIP routing broadcasts, but the PIX Firewall does not have the functionality to propagate these learned routes to other devices. With OSPF, the PIX Firewall learns new routes, and it can also propagate that information to other devices.

Note Authentication should be used with all routing protocols whenever possible. Route redistribution between OSPF and other protocols (such as RIP) is a prime target for attackers. By subverting the routing information, an attacker can potentially bypass your defined security configuration.

Configuring RIP

To enable the PIX Firewall to learn new routes based on RIP routing updates, you use the rip command. The syntax for the rip command is as follows:

rip if-name default | passive [ version { 1 | 2 }] [ authentication { text | md5 } key key_id ]

Table 9-7 describes the various parameters for the rip command.
By configuring RIP on a specific PIX Firewall interface, your firewall watches for RIP routing updates. It then uses this information to update its routing table. The information cannot be distributed by the PIX Firewall to other devices. The PIX Firewall can, however, broadcast the address of one of its interfaces as a default route. To turn off RIP on a specific interface, you use the no keyword in front of the original RIP configuration command. You can also remove all the RIP configuration commands from your configuration by using the clear rip command. Suppose that you want to enable RIP on the outside interface by using MD5 authentication, using MYKEY as the key and a key_id of 2. The command to accomplish this is as follows:

pix515a(config)# rip outside passive version 2 authentication md5 MYKEY 2

Note Because authentication is supported only with RIP version 2, you must specify version 2 in the command. The default is RIP version 1.

OSPF Overview

Route propagation and greatly reduced route convergence times are two of the many benefits of using OSPF. OSPF is widely deployed in large internetworks because of its efficient use of network bandwidth and its rapid convergence after changes in topology. The PIX Firewall implementation supports intra-area, interarea, and external routes. The distribution of static routes to OSPF processes and route redistribution between OSPF processes are also included.

Note The PIX 501 does not support OSPF functionality.

An OSPF router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that redistributes traffic or imports external routes (Type 1 or Type 2) between routing domains is called an Autonomous System Boundary Router (ASBR). An ABR uses link-state advertisements (LSAs) to send information about available routes to other OSPF routers. Using ABR Type 3 LSA filtering, you can have separate private and public areas, with the PIX Firewall acting as an ABR.
Type 3 LSAs (interarea routes) can be filtered from one area to another. This lets you use NAT and OSPF together without advertising private networks. The PIX Firewall OSPF supported features are as follows:
Note Your PIX Firewall can filter only Type 3 LSAs. If you configure your PIX Firewall to function as an ASBR in a private network, then information about your private networks will be sent to the public interfaces, because Type 5 LSAs describing private networks will be flooded to the entire autonomous system (including the public areas) unless you configure two separate OSPF processes.

OSPF Commands

To configure OSPF on your PIX Firewall, you use various commands. To enable OSPF on your PIX Firewall, you use the router ospf command. The syntax is as follows:

router ospf pid

The pid represents a unique identification for the OSPF routing process in the range from 1 to 65535. Each OSPF routing process on a single PIX Firewall must be unique, and PIX Firewall Version 6.3 supports a maximum of two different OSPF routing processes. After you issue the router ospf command, the PIX command prompt enters a subcommand mode indicated by a command prompt similar to the following:

pix515a(config-router)#

In subcommand mode, you can configure various OSPF parameters (see Table 9-8).
Using the network command, you can define which interfaces will be running OSPF. Using the network command also enables you to add networks to or remove networks from the OSPF routing process and define OSPF area information for each network. The syntax for the network command is as follows:

network prefix-ip-address netmask area area-id

The parameters for the network command are shown in Table 9-9.
OSPF advertises routes to networks. To prevent information about your private network from being advertised, you need to filter LSAs. The prefix-list and area commands enable you to filter Type 3 LSA advertisements. This filtering is based on the prefix list defined by the prefix-list command. Once configured, only the specified prefixes are sent from one area to another, and all other prefixes are restricted to their OSPF area. The syntax for the prefix-list command is as follows:

prefix-list list-name [ seq seq-number ] { permit | deny prefix/len }

Note Unlike the other OSPF configuration commands, the prefix-list command is executed from normal configuration mode instead of the OSPF subcommand mode.

Table 9-10 shows the parameters for the prefix-list command.
After configuring a prefix list, you apply that prefix list to an area by using the area command. Filtering can be applied to traffic going into or coming out of an OSPF area or to both the incoming and outgoing traffic for an area. The syntax for the area command is as follows:

area area-id filter-list prefix { prefix-list-name in | out }

The parameters for the area command are shown in Table 9-11.
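The following is an added example (not code from the book or from the PIX) that models the prefix-list and area filter-list commands above: it parses prefix-list lines, orders entries by sequence number, evaluates each Type 3 summary prefix against the list with an implicit deny at the end, and applies the result per area and direction. The list name, its entries, the set of interarea prefixes and the rule that an entry without an explicit seq gets the next multiple of 5 are constructed assumptions of this model. The example also shows the caveat a practitioner runs into: an entry such as deny 10.0.0.0/8 matches only that exact prefix, so the private /24 networks are withheld here by the implicit deny rather than by that entry.

```python
import ipaddress
import re

PREFIX_LINE = re.compile(
    r"^prefix-list\s+(\S+)(?:\s+seq\s+(\d+))?\s+(permit|deny)\s+(\S+)$")


def parse_prefix_lists(config_lines):
    """Return {list_name: [(seq, action, network), ...]} sorted by seq.
    Assumption of this model: a line without 'seq' gets the next multiple of 5."""
    lists = {}
    for line in config_lines:
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = PREFIX_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised prefix-list line: {line}")
        name, seq, action, prefix = m.groups()
        entries = lists.setdefault(name, [])
        if seq is None:
            seq = (max((s for s, _, _ in entries), default=0) // 5 + 1) * 5
        entries.append((int(seq), action, ipaddress.ip_network(prefix, strict=True)))
        entries.sort(key=lambda e: e[0])
    return lists


def evaluate(entries, network):
    """First entry whose prefix equals the network decides; no match means deny."""
    network = ipaddress.ip_network(network)
    for _seq, action, entry_net in entries:
        if entry_net == network:
            return action == "permit"
    return False


def apply_area_filter(prefix_lists, filter_cfg, area_id, direction, summaries):
    """Apply 'area <id> filter-list prefix <name> in|out' to a set of Type 3 prefixes.
    filter_cfg maps (area_id, direction) -> prefix-list name. Returns the prefixes
    that are still advertised; an area with no filter passes everything."""
    list_name = filter_cfg.get((area_id, direction))
    if list_name is None:
        return [str(ipaddress.ip_network(s)) for s in summaries]
    entries = prefix_lists[list_name]
    return [str(ipaddress.ip_network(s)) for s in summaries if evaluate(entries, s)]


# Constructed sample configuration (not from the book).
SAMPLE_CONFIG = [
    "prefix-list pubonly seq 10 permit 192.0.2.0/24",
    "prefix-list pubonly seq 20 deny 10.0.0.0/8",
    "prefix-list pubonly permit 198.51.100.0/24",   # gets seq 25 in this model
]
SAMPLE_FILTERS = {("0", "in"): "pubonly"}          # area 0 filter-list prefix pubonly in

# Constructed interarea prefixes the ABR would otherwise summarise into area 0.
SAMPLE_SUMMARIES = ["10.10.10.0/24", "10.10.20.0/24", "172.16.1.0/24",
                    "192.0.2.0/24", "198.51.100.0/24"]


def advertised_into_area0():
    lists = parse_prefix_lists(SAMPLE_CONFIG)
    return apply_area_filter(lists, SAMPLE_FILTERS, "0", "in", SAMPLE_SUMMARIES)


if __name__ == "__main__":
    print(advertised_into_area0())   # ['192.0.2.0/24', '198.51.100.0/24']
```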
Running two separate OSPF processes on your PIX Firewall enables you to perform address filtering when your PIX Firewall is configured as an ASBR. LSA Type 5 advertisements pass between areas on the same OSPF process (and cannot be filtered like LSA Type 3 advertisements), but they do not pass between separate OSPF processes. Using two OSPF processes can be advantageous in various situations, such as the following:
When using two OSPF processes, one process is usually configured for the external interface while the other process handles the private interfaces. Each OSPF process is configured by using a separate router ospf command with a different process identification (PID) number for each process. In some situations, it may be advantageous to distribute route advertisements between separate OSPF processes, such as to enable routes received on the public interface to pass to the OSPF process running on the private interfaces. To redistribute routes between different OSPF processes or domains, you use the redistribute ospf subcommand, the syntax for which is as follows:

redistribute ospf pid

Because the redistribute ospf command is executed from the OSPF subcommand mode, pid identifies the OSPF process identification (PID) whose LSA Type 3 advertisements you want forwarded to the current OSPF process.

Configuring OSPF

Figure 9-2 shows a typical OSPF deployment configuration. In this configuration the PIX Firewall is operating as an ABR. Because you do not want the information about private networks sent out on the public interface, LSA filtering is applied to the Internet interface. NAT is applied only to the inside interface (for the private networks).

Figure 9-2. PIX OSPF Network

In this configuration, the inside interface learns routes from both the DMZ and the outside interface, but you do not want private routes to be propagated to either the DMZ or the public interfaces. Configuring OSPF on your PIX Firewall requires you to perform the following steps:
Using the configuration shown in Figure 9-2, the following commands configure OSPF based on the scenario described:

pix515a(config)# router ospf 1
pix515a(config-router)# area 0 filter-list prefix ten in
pix515a(config-router)# network 192.

Note If you configure your PIX Firewall as an ASBR, then you need to configure multiple OSPF processes on the firewall if you want to perform address filtering.

When configuring OSPF, you should also enable one of the following authentication mechanisms:

You enable authentication for each area individually by using the following command:

area area-id authentication [ message-digest ]

Next, you need to define the authentication to be used for communication with the specific routers with which each area will be communicating. You do so by defining a virtual link using the area command. Continuing with the example shown in Figure 9-2, to enable MD5 authentication with a key ID of 4 and a key of Ab1&05K! for area 172.16.1.0 when communicating with router 172.16.1.250, you would use the following commands:

pix515a(config)# router ospf 1
pix515a(config-router)# area 172.

Note To enable password authentication (using a password of R5!s4&Px*) for the same router (instead of using MD5), you would use the following commands:

pix515a(config)# router ospf 1
pix515a(config-router)# area 172.

Viewing the OSPF Configuration

After setting up OSPF on your PIX Firewall, it is helpful to be able to view the configuration. Using the show ospf command, you can view your entire OSPF configuration. When you enter this command, you see output similar to Example 9-2, depending on the OSPF features that you have configured.

Example 9-2. Output from the show ospf Command

pix515a# show ospf
Routing Process "ospf 1" with ID 192.

Multicast Routing

IP multicasting is a mechanism that conserves network bandwidth by delivering a stream of information simultaneously to multiple recipients.
Some common applications that take advantage of IP multicasting include the following:
IP multicasting actually involves sending an IP packet to a single multicast IP address. Routers send Internet Group Management Protocol (IGMP) query messages to locate hosts that belong to any multicast groups (wishing to receive specific multicast traffic). Any host that wishes to receive multicast traffic must join the multicast group by using an IGMP report message that indicates all the multicast groups to which it belongs. When a host no longer wishes to receive a multicast data stream, it sends an IGMP Leave message to the multicast router. You can configure your PIX Firewall to act as a Stub Multicast Router (SMR) because it forwards requests only between end hosts and multicast routers. Instead of supporting the functionality of a fully operational multicast router, the PIX Firewall functions only as an IGMP proxy agent. To illustrate the configuration tasks associated with configuring your PIX Firewall as an SMR, you need to understand the following topics:
Multicast Commands

Configuring multicast functionality on your PIX Firewall requires you to understand various multicast configuration commands. The major multicast configuration commands are as follows:
multicast interface Command

The multicast interface command identifies the interface that will pass multicast traffic. It also enables the multicast subcommand mode in which the other multicast commands must be entered. The syntax for this command is as follows:

multicast interface interface-name [ max-groups number ]

The parameters for this command are shown in Table 9-12.
mroute Command

To configure your PIX Firewall to forward multicast traffic when the multicast router is on the inside interface, you need to use the mroute command. The syntax for this command is as follows:

mroute source source-mask in-interface dest dest-mask out-interface

The parameters for the mroute command are shown in Table 9-13.
Note To clear static multicast routes created with the mroute command, you use the clear mroute command. To actually stop the PIX Firewall from forwarding multicast traffic, you use the no keyword in front of your original mroute command.

igmp forward Command

To join a multicast group, the host IGMP message must reach the multicast router. The igmp forward command enables you to cause one PIX Firewall interface to pass IGMP messages to another interface. The syntax for this command is as follows:

igmp forward interface interface-name

The parameters for the igmp forward command are shown in Table 9-14.
igmp join-group Command

To statically configure the PIX Firewall to join a multicast group, you can use the igmp join-group command. This command is useful if you have clients that are unable to send the IGMP messages on their own. The syntax for this command is as follows:

igmp join-group group

The only parameter for the igmp join-group command is the multicast group (multicast address) that is statically being joined. Multicast addresses use the entire range of 224.0.0.0 through 239.255.255.255 (Class D addresses); however, you can configure a value only in the range of 224.0.0.2 through 239.255.255.255 for the igmp join-group command.

Note The multicast address 224.0.0.0 is the base address for IP multicasting, and 224.0.0.1 is permanently assigned to a group that includes all IP hosts.

igmp access-group Command

To limit which multicast groups (addresses) are allowed on a specific interface, you use the igmp access-group command. To use this command, you must first create an access list (using the access-list command) that defines the allowed multicast addresses. The syntax for this command is as follows:

igmp access-group access-list-id

igmp version Command

To define the IGMP version, you use the igmp version command. The syntax for this command is as follows:

igmp version 1|2

Note The default version for IP multicasting is 2.

igmp query-interval Command

To configure the frequency, in seconds, at which IGMP query messages are sent by an interface, you use the igmp query-interval command. The default value is 60, but you can specify a value from 1 to 65535. The syntax for this command is as follows:

igmp query-interval seconds

Note To set the query interval back to the default value, you use the no igmp query-interval command.

igmp query-max-response-time Command

When using IGMP version 2, you can specify the maximum query response time, in seconds, using the igmp query-max-response-time command. The default value is 10, but you can configure a value in the range from 1 to 65535.

Note To set the maximum query response time back to the default value, you use the no igmp query-max-response-time command.

Inbound Multicast Traffic

Allowing inbound multicast traffic involves the configuration shown in Figure 9-3. In this configuration, the multicast router is located outside the PIX Firewall and the hosts that want to receive multicast traffic are being protected by the PIX Firewall.

Figure 9-3. Inbound Multicast Configuration

Because the hosts that need to receive the multicast traffic are separated from the multicast router by your PIX Firewall, you need to configure the PIX Firewall to forward IGMP reports from the hosts protected by the firewall to the multicast router. You also need to forward multicast transmissions from the multicast router. The following configuration steps enable this multicast configuration:
Assume that you want to allow protected hosts to join the multicast group 224.0.1.100 from a multicast router that is located outside the protected network. To accomplish this, you would use the following commands:

pix515a(config)# access-list 120 permit udp any host 224.

Outbound Multicast Traffic

Allowing outbound multicast traffic involves the configuration shown in Figure 9-4. In this configuration, the multicast transmission source is located inside the PIX Firewall and the hosts that want to receive multicast traffic are not protected by the PIX Firewall.

Figure 9-4. Outbound Multicast Configuration

When the multicast transmission source is on the protected or secure interface of the PIX Firewall, you must specifically configure the PIX Firewall to forward the multicast transmissions. The following configuration steps enable this multicast configuration:
Suppose that your multicast router is located at 10.10.10.100 and broadcasting to the multicast group 230.0.1.100. To get the PIX Firewall to forward multicast transmissions from this multicast router to the outside interface, you would use the following commands:

pix515a(config)# multicast interface outside
pix515a(config-multicast)# exit
pix515a(config)# multicast interface inside
pix515a(config-multicast)# mroute 10.

Debugging Multicast

Not only can you configure IP multicasting, you can also debug the operation of your IP multicasting configuration. The commands that you use to do so fall into the following two categories:
Commands to View the Multicast Configuration

You can use the following commands to view your multicast configuration:
The show multicast command displays the multicast settings for either a specific interface or all the interfaces. The syntax for this command is as follows:

show multicast [ interface interface-name ]

If you do not specify an interface, then the information for all the PIX Firewall interfaces is displayed. The show igmp command displays information about either a specific IGMP group or all the IGMP groups for a specific interface. The syntax for this command is as follows:

show igmp [ group | interface interface-name ] [ detail ]

The final command that you can use to view your multicast configuration is show mroute, which displays the current multicast routes. Its syntax is as follows:

show mroute [ destination [ source ] ]

Commands to Debug Multicast Traffic

After you configure IP multicasting on your PIX Firewall, you may need to debug multicast traffic to identify configuration problems. Two commands that are useful for debugging multicast traffic are as follows:

Note To disable either of these debugging commands, simply place a no in front of the command (for instance, no debug igmp).
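As an added example for the IGMP proxy behaviour and the igmp join-group and igmp access-group commands described in this chapter (this is not code from the book or from the PIX), the following builds and parses IGMPv2 membership reports and leave messages with a verified checksum, checks a group against the range the igmp join-group command accepts, and decides whether a host's report would be forwarded by the igmp forward path under an access-group style allow list. The allow list entries, the sample reports and the corrupted report are constructed inputs.

```python
import ipaddress
import struct

# IGMPv2 message types (RFC 2236)
IGMP_QUERY = 0x11
IGMP_V2_REPORT = 0x16
IGMP_LEAVE = 0x17

JOIN_GROUP_LOW = ipaddress.ip_address("224.0.0.2")
JOIN_GROUP_HIGH = ipaddress.ip_address("239.255.255.255")


def inet_checksum(data):
    """Standard 16-bit ones'-complement checksum used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type, group, max_resp_tenths=0):
    """Build an 8-byte IGMPv2 message: type, max response time, checksum, group."""
    body = struct.pack("!BBH4s", msg_type, max_resp_tenths, 0,
                       ipaddress.ip_address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmpv2(data):
    """Parse and verify an IGMPv2 message; raises ValueError on a bad checksum."""
    if len(data) < 8:
        raise ValueError("IGMP message too short")
    if inet_checksum(data[:8]) != 0:
        raise ValueError("IGMP checksum mismatch")
    msg_type, max_resp, _csum, group = struct.unpack("!BBH4s", data[:8])
    return {"type": msg_type, "max_resp_tenths": max_resp,
            "group": str(ipaddress.ip_address(group))}


def valid_join_group(group):
    """True if the address is configurable with igmp join-group (224.0.0.2-239.255.255.255)."""
    addr = ipaddress.ip_address(group)
    return JOIN_GROUP_LOW <= addr <= JOIN_GROUP_HIGH


def forward_decision(data, allowed_groups):
    """Model of the igmp forward path with an igmp access-group applied.
    allowed_groups is a list of networks standing in for the access list.
    Returns (forward, reason); only membership reports for allowed groups pass."""
    try:
        msg = parse_igmpv2(data)
    except ValueError as exc:
        return False, f"dropped: {exc}"
    if msg["type"] not in (IGMP_V2_REPORT, IGMP_LEAVE):
        return False, "dropped: not a host report or leave"
    group = ipaddress.ip_address(msg["group"])
    if not group.is_multicast:
        return False, "dropped: group is not a multicast address"
    if any(group in ipaddress.ip_network(n) for n in allowed_groups):
        return True, f"forwarded: {msg['group']}"
    return False, f"dropped: {msg['group']} not permitted by access-group"


# Constructed allow list: the group from the inbound example plus one /24 of groups.
SAMPLE_ALLOWED = ["224.0.1.100/32", "239.10.0.0/24"]


if __name__ == "__main__":
    report = build_igmpv2(IGMP_V2_REPORT, "224.0.1.100")
    print(report.hex(), parse_igmpv2(report))
    print(forward_decision(report, SAMPLE_ALLOWED))   # (True, 'forwarded: 224.0.1.100')
    print(forward_decision(build_igmpv2(IGMP_V2_REPORT, "230.0.1.100"), SAMPLE_ALLOWED))
```

Verifying the checksum before acting on the report matters in a proxy role: the firewall relays the join toward the multicast router, so a report that fails to parse is dropped rather than forwarded on a best-effort basis.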