RouterGod Celebrity Interview Series
Denise Richards on the PIX Firewall
(Very Basic Configuration. Part 1)
Many of our readers are now pursuing the Cisco Security
Specialist 1 certificate, and still others are simply wondering how to
configure the mighty PIX Firewall. The PIX Firewall is without a doubt the
way to secure enterprise networks. Used in conjunction with the IOS
Firewall Feature Set (now known as Cisco Secure Integrated Software) running on
a Cisco router, Cisco's security solution is far superior to weak software
applications that run on Unix or NT. RouterGod Online Magazine reporter
John Riehl sought out beautiful Denise Richards to help us learn how to
configure the PIX Firewall. John is a Cisco instructor and holds the CCSP
and CISSP certificates. When not teaching Cisco, John likes to tell wild
stories about his days in the circus where he was known as the Polish Invisible Man.
When not being beautiful, Denise practices
kickboxing and enjoys watching American Chopper on TV. Let's join JR as he interviews
Denise about the PIX Firewall.
RFC 1918 Addresses are used to protect the innocent.
Meet Sexy Singles
Well hello Denise, thanks for agreeing to help us learn how to configure the PIX Firewall.
It's my pleasure Yuriy, let's cut right to the chase and talk about the PIX. The PIX is not a router, it can not participate in dynamic routing protocols. The PIX in it's most basic form is simply a box with 2 Ethernet interfaces. One interface is "inside" and one interface is "outside". Traffic can not flow from the outside interface to the inside interface unless you specifically allow it. Traffic can not flow from the inside interface to the outside interface unless you configure Network Address Translation. Traffic initiated from the inside may return through the outside interface.
So the PIX is really just a couple of NIC cards?
Not so fast Comrade! The PIX uses the Adaptive Security Algorithm to perform Stateful Packet Inspection on traffic leaving the Firewall. The PIX uses a real time, embedded operating system to track the propriety of thousands of simultaneous connections.
Oh My God! This sounds too complicated! Let's forget about it, maybe you should tell us how a console cable works or maybe which end of a power cord plugs into the wall...
Ha Ha! Don't be such a baby! The PIX is easy! It uses a Command Line Interface, not one of those complicated GUI's like Checkpoint! The PIX has 3 command modes: User Mode, Privileged Mode and "Global" Config Mode. There is no concept of Interface Config Mode and the cool thing is that SHOW commands can be used at Global Config! By default the PIX interfaces are shutdown. To do a "no shut" on the outside interface you would use the following command: interface ethernet0 auto. To give it an IP address you would use a command like this: ip address outside 192.168.1.1 255.255.255.0
Wow! You really know your PIX Firewalls!
What do you think, I'm just a hot babe? Now lets configure Network
Address Translation. It consists of 2 steps, defining the inside
users eligible for outbound connections and defining the pool of global
IP addresses to be translated into. If you wanted all your users
to use NAT the command would be: nat (inside) 1 0.0.0.0 0.0.0.0
The "1" in this command is the "NAT ID", it must
match the NAT ID in the global command, which I'll show you in a
minute. The fields 0.0.0.0 and 0.0.0.0 are IP Address and Netmask
respectively. The PIX will let you abbreviate a default field with
a single zero Here is an example:
The next step is to define the pool of global IP addresses.
Let's say that you have the range 192.168.1.2 through
192.168.1.6/24 The command would be:
Don't forget that the IP address of the PIX's outside interface cannot be in the pool of global addresses.
So now the users on the inside can get out. In a small network, how does the inside traffic that is destined for the outside world know about the PIX?
If it's a small network, like one subnet and no internal router, just configure all the workstations Default Gateway with the IP address of the PIX's inside interface. If there is an internal router between the PIX and your users, the workstations will naturally have the router as the Default Gateway and the router will have a default static route pointing to the PIX. If there are internal networks on the other side of your internal router (from the PIX's perspective), you have to tell the PIX about them.
How do you do that? How does the PIX know where to forward packets for those networks that are not directly connected?
It's easy, you do it with a static route statement. Say the PIX
is directly connected to the 10.1.1.0/24 network. The 10.1.2.0/24
network is on the other side of a router with an IP address of
10.1.1.3 You would add the following command:
PIX 535 - 500,000
OK, I see how inside traffic makes it to the PIX, but how does the PIX know what to do with the outbound traffic?
configure a static default route, say the next hop router is at
192.168.1.254, the command would be:
What if I have a web server inside at 10.1.1.7 but it is known globally with the legal address of 192.168.3.22?
would use a "static" to allow this translation from the
outside to the inside, here's how:
Back to RouterGod Online Magazine
Copyright 2000 - 2005 RouterGod Online Magazine