RouterGod Celebrity Interview Series

Denise Richards on the PIX Firewall
(Very Basic Configuration. Part 1)

Many of our readers are now pursuing the Cisco Security Specialist 1 certificate, and still others are simply wondering how to configure the mighty PIX Firewall.  The PIX Firewall is without a doubt the way to secure enterprise networks.  Used in conjunction with the IOS Firewall Feature Set (now known as Cisco Secure Integrated Software) running on a Cisco router, Cisco's security solution is far superior to weak software applications that run on Unix or NT.  RouterGod Online Magazine reporter John Riehl sought out beautiful Denise Richards to help us learn how to configure the PIX Firewall.  John is a Cisco instructor and holds the CCSP and CISSP certificates.  When not teaching Cisco, John likes to tell wild stories about his days in the circus where he was known as the Polish Invisible Man.  When not being beautiful, Denise practices kickboxing and enjoys watching American Chopper on TV.  Let's join JR as he interviews Denise about the PIX Firewall.
RFC 1918 Addresses are used to protect the innocent.



With her hair up, Denise now meets the
business casual dress code at
most workplaces.

JR

Well hello Denise, thanks for agreeing to help us learn how to configure the PIX Firewall.

Denise

It's my pleasure Yuriy, let's cut right to the chase and talk about the PIX.  The PIX is not a router, it cannot participate in dynamic routing protocols.  The PIX in its most basic form is simply a box with 2 Ethernet interfaces.  One interface is "inside" and one interface is "outside".  Traffic cannot flow from the outside interface to the inside interface unless you specifically allow it.  Traffic cannot flow from the inside interface to the outside interface unless you configure Network Address Translation.  Traffic initiated from the inside may return through the outside interface.

JR

So the PIX is really just a couple of NIC cards?

Denise

Not so fast Comrade!  The PIX uses the Adaptive Security Algorithm to perform Stateful Packet Inspection on traffic leaving the Firewall.  The PIX uses a real time, embedded operating system to track the propriety of thousands of simultaneous connections.

JR

Oh My God!  This sounds too complicated!  Let's forget about it, maybe you should tell us how a console cable works or maybe which end of a power cord plugs into the wall...

Denise

Ha Ha!  Don't be such a baby!  The PIX is easy!  It uses a Command Line Interface, not one of those complicated GUIs like Checkpoint!  The PIX has 3 command modes: User Mode, Privileged Mode and "Global" Config Mode.  There is no concept of Interface Config Mode and the cool thing is that SHOW commands can be used at Global Config!  By default the PIX interfaces are shutdown.  To do a "no shut" on the outside interface you would use the following command:
interface ethernet0 auto

To give it an IP address you would use a command like this:
ip address outside 192.168.1.1 255.255.255.0

JR

Wow!  You really know your PIX Firewalls!

Denise

What do you think, I'm just a hot babe?  Now let's configure Network Address Translation.  It consists of 2 steps: defining the inside users eligible for outbound connections and defining the pool of global IP addresses to be translated into.  If you wanted all your users to use NAT the command would be:
nat (inside) 1 0.0.0.0 0.0.0.0

The "1" in this command is the "NAT ID", it must match the NAT ID in the global command, which I'll show you in a minute.  The fields 0.0.0.0 and 0.0.0.0 are IP Address and Netmask respectively.  The PIX will let you abbreviate a default field with a single zero.  Here is an example:
nat (inside) 1 0 0

The next step is to define the pool of global IP addresses.  Let's say that you have the range 192.168.1.2 through 192.168.1.6/24.  The command would be:
global (outside) 1 192.168.1.2-192.168.1.6 netmask 255.255.255.0

Don't forget that the IP address of the PIX's outside interface cannot be in the pool of global addresses.

JR

So now the users on the inside can get out.  In a small network, how does the inside traffic that is destined for the outside world know about the PIX?

Denise

If it's a small network, like one subnet and no internal router, just configure all the workstations Default Gateway with the IP address of the PIX's inside interface.  If there is an internal router between the PIX and your users, the workstations will naturally have the router as the Default Gateway and the router will have a default static route pointing to the PIX.  If there are internal networks on the other side of your internal router (from the PIX's perspective), you have to tell the PIX about them.

JR

How do you do that?  How does the PIX know where to forward packets for those networks that are not directly connected?

Denise

It's easy, you do it with a static route statement.  Say the PIX is directly connected to the 10.1.1.0/24 network.  The 10.1.2.0/24 network is on the other side of a router with an IP address of 10.1.1.3.  You would add the following command:
route inside 10.1.2.0 255.255.255.0 10.1.1.3


PIX Facts

PIX 535 - 500,000 Connections
PIX 525 - 280,000 Connections
PIX 515 - 125,000 Connections

JR

OK, I see how inside traffic makes it to the PIX, but how does the PIX know what to do with the outbound traffic?

Denise

You would configure a static default route.  Say the next hop router is at 192.168.1.254; the command would be:
route outside 0.0.0.0 0.0.0.0 192.168.1.254

JR

What if I have a web server inside at 10.1.1.7 but it is known globally with the legal address of 192.168.3.22?

Denise

You would use a "static" to allow this translation from the outside to the inside, here's how:
static (inside,outside) 192.168.3.22 10.1.1.7

Just writing the static is not enough though, you have to expressly grant permission for traffic to flow inward, you do it with a "conduit".  A conduit is like an extended access-list except the source and destination fields are reversed.  Here's the conduit that corresponds with the above static:
conduit permit tcp host 192.168.3.22 eq 80 any

Notice that conduits use the Global address and not the local (inside) address from the static command.
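Editor's note: the following is an added example, not part of the interview and not Cisco's code.  It is a small Python checker that reads a PIX 6.x-style configuration built from the commands above and flags the mistakes Denise warns about: a nat ID with no matching global (and the reverse; nat ID 0 is exempt because it means "no translation"), an outside interface address that lies inside the global pool, a route whose next hop is not on the named interface's subnet, and a conduit that names the static's inside address instead of its global address.  Both sample configs are constructed here; the nameif lines are assumed PIX 6.x syntax that the interview does not cover.

```python
"""Sanity checks for a very basic PIX 6.x-style configuration (added example)."""
import ipaddress
import re

# Constructed sample: the interview's commands assembled into one config.
# The nameif lines are an assumption (not covered in the interview).
GOOD_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
nat (inside) 1 0 0
global (outside) 1 192.168.1.2-192.168.1.6 netmask 255.255.255.0
route inside 10.1.2.0 255.255.255.0 10.1.1.3
route outside 0.0.0.0 0.0.0.0 192.168.1.254
static (inside,outside) 192.168.3.22 10.1.1.7
conduit permit tcp host 192.168.3.22 eq 80 any
"""

# Constructed sample with one instance of each mistake the checks catch.
BAD_CONFIG = """\
ip address outside 192.168.1.3 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
nat (inside) 2 0 0
global (outside) 1 192.168.1.2-192.168.1.6 netmask 255.255.255.0
route inside 10.1.2.0 255.255.255.0 10.1.5.3
route outside 0.0.0.0 0.0.0.0 192.168.1.254
static (inside,outside) 192.168.3.22 10.1.1.7
conduit permit tcp host 10.1.1.7 eq 80 any
"""

IPADDR_RE = re.compile(r"^ip address (\w+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
ROUTE_RE = re.compile(r"^route (\w+) (\S+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\) (\S+) (\S+)")
CONDUIT_RE = re.compile(r"^conduit permit \S+ host (\S+)")


def parse(config):
    """Pull the commands the checks need out of a text config; ignore the rest."""
    cfg = {"ip": {}, "nat": set(), "global": {}, "route": [], "static": [], "conduit": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := IPADDR_RE.match(line):
            cfg["ip"][m[1]] = ipaddress.IPv4Interface(f"{m[2]}/{m[3]}")
        elif m := NAT_RE.match(line):
            cfg["nat"].add(int(m[2]))
        elif m := GLOBAL_RE.match(line):
            lo, _, hi = m[3].partition("-")  # "a-b" pool, or a single PAT address
            cfg["global"].setdefault(int(m[2]), []).append(
                (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi or lo)))
        elif m := ROUTE_RE.match(line):
            cfg["route"].append((m[1], ipaddress.IPv4Address(m[4])))
        elif m := STATIC_RE.match(line):
            # static (inside,outside) GLOBAL LOCAL
            cfg["static"].append((ipaddress.IPv4Address(m[3]), ipaddress.IPv4Address(m[4])))
        elif m := CONDUIT_RE.match(line):
            cfg["conduit"].append(ipaddress.IPv4Address(m[1]))
    return cfg


def lint(config):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    cfg = parse(config)
    problems = []
    # 1. Every nat ID needs a global with the same ID, and vice versa (nat 0 = no translation).
    for nat_id in sorted(cfg["nat"] - set(cfg["global"])):
        if nat_id != 0:
            problems.append(f"nat ID {nat_id} has no matching global")
    for gid in sorted(set(cfg["global"]) - cfg["nat"]):
        problems.append(f"global ID {gid} has no matching nat")
    # 2. The outside interface's own address must not be in the global pool.
    outside = cfg["ip"].get("outside")
    if outside is not None:
        for pools in cfg["global"].values():
            for lo, hi in pools:
                if lo <= outside.ip <= hi:
                    problems.append(f"outside interface {outside.ip} lies inside global pool {lo}-{hi}")
    # 3. A static route's next hop must be on the subnet of the interface it is bound to.
    for iface, gw in cfg["route"]:
        addr = cfg["ip"].get(iface)
        if addr is not None and gw not in addr.network:
            problems.append(f"route {iface}: next hop {gw} is not on {addr.network}")
    # 4. Conduits must name the static's global address, not its local (inside) address.
    global_addrs = {g for g, _ in cfg["static"]}
    local_addrs = {l for _, l in cfg["static"]}
    for host in cfg["conduit"]:
        if host in global_addrs:
            continue
        if host in local_addrs:
            problems.append(f"conduit uses inside address {host}; use the static's global address")
        else:
            problems.append(f"conduit host {host} has no matching static")
    return problems


if __name__ == "__main__":
    for name, text in (("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        print(name, lint(text) or "OK")
```

Run it as a script and the good config prints OK while the bad one lists five problems.  The parser only looks at the six command types the interview covers and skips everything else, so it is a pre-paste sanity check, not a substitute for the PIX's own parser.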


Believe it or not, that skirt retails for $1200!


Copyright 2000 - 2005 RouterGod Online Magazine