After clear all things in part I, now we have to continue setting for our network's safe, but surely before concerning about getting to work first. Well, basically PIX 501, which has only 2 interfaces: ethernet0 & ethernet1, can have only outside and inside network. Security level has been fixed as 0-minimum and 100-highest respectively. This is fixed value for PIX 501. What we have to know next is configuration on the network; assume that we place PIX 501 behind router and we have 1 web server inside the network. Actually we should place web server on outside network, but for learning, we do this way first.
Here is our step to get things done:-
- Set hostname, password
- Configure IP addresses on interfaces, then enable them
- Configure a route
- Set firewall rules
- Port forwarding to web server
For setting hostname & password, we need to get into config shell; one thing which is so cool about CISCO IOS shell is no fixed command as long as you can type unambiguous command. For example, 'configure terminal' command can be substitue with 'config t' or 'conf t' or 'conf ter' or even 'con t' but only 'con' will not work since there is not enough information.
pixfirewall# config t pixfirewall(config)# pixfirewall(config)# hostname 10PIX 10PIX(config)# 10PIX(config)# password qwerty 10PIX(config)# 10PIX(config)# enable password qwerty 10PIX(config)#
After setting basic stuffs, we need to go on next step; IP addresses on each interfaces. First we set link speed, name, and set security which is fixed in this case anyway on each interface:-
10PIX(config)# interface ethernet0 100full 10PIX(config)# interface ethernet1 100full 10PIX(config)# nameif ethernet0 outside 0 10PIX(config)# nameif ethernet1 inside 100
Next we have to set IP on each interface and set the route to our gateway (192.168.10.10) to be able to access the Internet.
10PIX(config)# ip address outside 192.168.10.11 255.255.255.0 10PIX(config)# ip address inside 10.1.1.1 255.255.255.0 10PIX(config)# 10PIX(config)# route outside 0 0 192.168.10.10 1 10PIX(config)#
What we need next is associating a network with a pool of global IP address.
nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]
global [(if_name)] nat_id global_ip[-global_ip] [netmask global_mask]
From these 2 commands: nat & global, nat will identify nat_id and global will provide an IP address for each outbound connection for a particular nat_id.
10PIX(config)# nat (inside) 1 10.1.1.0 255.255.255.0 0 0 10PIX(config)# global (outside) 1 192.168.10.12 10PIX(config)#
0 0 at the end of nat command indicates no maximum connection and limit; all outbound connections will be represented by IP 192.168.10.12 on outside. [it can be represented in a range too] After having the route ready, it's time to set DHCP server for inside network; it's pretty straight forward here.
10PIX(config)# dhcpd address 10.1.1.10-10.1.1.31 inside 10PIX(config)# dhcpd dns 192.168.10.10 10PIX(config)# dhcpd lease 604800 10PIX(config)# dhcpd ping_timeout 500 10PIX(config)# dhcpd enable inside 10PIX(config)#
Up to this point, we almost ready to leave console behind and never have to use it again. There are 2 choices here: telnet or ssh. Telnet is much faster, but ssh is more secure. It's up to your decision what to pick. What we should do really is allowing only inside network to do this job, not outside. So we can make sure of security up to particular level. However, in this case, for study, let's try to allow ssh connection from outside network [which is still private network anyway.]
10PIX(config)# telnet 10.1.1.0 255.255.255.0 inside 10PIX(config)# telnet timeout 5 10PIX(config)# ssh 10.1.1.0 255.255.255.0 inside 10PIX(config)# ssh 192.168.10.0 255.255.255.0 outside 10PIX(config)# ssh timeout 5
By the fact that, we allowed telnet and ssh connection. It works just fine with telnet since there is no security concern. ssh, however, is another story. ssh required to have RSA key to use secure connection. What we need is to generate an RSA key and save into flash memory; it takes you a while--about half an hour for me
10PIX(config)# domain-name cisco.com 10PIX(config)# ca generate rsa key 2048 10PIX(config)# ca save all 10PIX(config)#
You may view newly created RSA public key by:-
10PIX(config)# sh ca mypubkey rsa
Now we are able to connect ssh session; if you have any trouble, then 'debug ssh' might be your friend. Next thing we have to do is setting port forwarding; since PIX 501 doesn't have any extra interface, DMZ is not a solution here. Our web and ftp server is on 10.1.1.14.
static [(high_if, low_if)] [tcp| udp] low_if_ip high_if_ip [netmask][max_conns [em_limit]] [norandomseq]
Just remember a bit that, this is for NAT enabled; high is indicated higher security. interface == firewall IP on that interface
10PIX(config)# static (inside,outside) tcp interface www 10.1.1.14 www netmask 255.255.255.255 0 0 10PIX(config)# static (inside,outside) tcp interface ftp 10.1.1.14 ftp netmask 255.255.255.255 0 0 10PIX(config)# access-list acl_in permit tcp any interface outside eq www 10PIX(config)# access-list acl_in permit tcp any host 192.168.10.101 eq ssh 10PIX(config)# access-list acl_in permit tcp any interface outside eq ftp 10PIX(config)# access-group acl_in in interface outside
Now we put access-list on as well, just for sake of security because we allow what we shouldn't already. However, that's what firewall for, right? Once we create access-list, we have to apply that on the interface by:-
access-group acl_name in interface interface-name
So far we set all neccessary settings; you may have to play around a bit to understand deeper of how PIX works. To be able to solve a problem, we have to know what is going:-
10PIX(config)# show xlate 10PIX(config)# show conn 10PIX(config)# show access-host 10PIX(config)# show running-config
This allows you to check what is wrong, then you will be able to start solving from that; one more thing you need to know is to disable our commands. It's damn easy by putting 'no' in front of command we put. You may check by 'show run' which will show every single command you put in.
Have fun with manipulate PIX configuration and have a safe network, of course. =)
If you have trouble with PIX, just ask.
Note: very good command resource reference at cisco.com