TheTAZZone - Internet Chaos

Cisco PIX – Basic PIX configuration

ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within it’s Network

[size=150][u][b]2: Basic PIX configuration[/b][/u][/size]

There are only 6 steps that need to be taken to enable the PIX to be able to send packets to the outside world, known by some as the PIX SIX, they are:

[b][i]Hostname
Interface
Nat-Control
Nat
Global
Route[/b][/i]

[b][u]Hostname:[/b][/u]

This assigns a host name to the PIX and should be called something that is meaningful for that particular PIX. The prompt will change to what you call the PIX when you set this and is set in the configuration mode with the command ‘hostname ’, like so:

[code]pixfirewall>en
password:
pixfirewall#conf t
pixfirewall(config)# hostname London
London(config)#
[/code]

Notice ‘pixfirewall’ now becomes ‘London’. Usually the firewall may be named after its geographic location, the service/project it is protecting etc. I look at it in such a way that if you have 3 different telnet sessions open to three different PIX’s you will always know exactly what you are configuring.

The hostname can be up to 63 alphanumeric characters in either uppercase of lowercase and defaults to ‘pixfirewall’ out of the box or when the ‘wr erase’ command is used followed by a reload.

[b][u]Interface:[/u][/b]

The interface command differs per PIX operating system, in version 7 it acts much like a Cisco router and drops you in to the ‘config-if’ sub context. On version 6.3 and earlier the prompt will not change and the command should be issued all on the one line. For this paper we are using version 7

The Interface or ‘int’ for short is the configuration command we use to allow us to alter the configuration of the PIX interfaces. We can assign it an IP address, subnet mask etc from this sub context.

[code]London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)#
[/code]

Notice with version 7 the prompt now changes to ‘config-if’ to let us know we are [b]config[/b]uring an [b]I[/b]nter[b]F[/b]ace.

We can now configure the interface with a name, IP address, speed settings and duplex settings amongst others.

[code]London (config-if)# nameif outside[/code]

Although it is already named outside by default the above example is to show the relevant command. ‘nameif’ as is fairly obvious, is used to assign a name to the interface.

Next we need to assign an IP address and subnet mask:

[code]London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address 80.80.80.80 255.255.0.0
[/code]

If you make a mistake whilst entering this command, simply re-enter the correct information. The ‘clear configure ip’ command will clear ALL interfaces IP addresses to no IP address.

Interfaces can also be configured to pick up a DCHP assigned IP address, by using the ‘dhcp’ command.

[code]London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address dhcp
[/code]

The PIX will now pick up a DCHP IP address on the OUTSIDE interface.

There are various DHCP commands we can use to view information about the DHCP IP address, such as the lease time etc

[code]London# sh ip address outside dhcp lease[/code]

And

[code]London# sh ip address outside dhcp server[/code]

The above will both provide you with information about the DHCP server and details about the IP address that the interface has been assigned.

To stop the interface from getting a DHCP IP address we use the ‘no’ command before the dhcp command. So:

[code] London (config-if)# no ip address dhcp[/code]

*Most of the commands you issue via the CLI can be disabled by re-entering them with the word ‘no’ in front of them.*

Next we need to assign a security level to the interfaces (the INSIDE and OUTSIDE interfaces have a precompiled security level, but for this example we will set them anyway).
A security level can be between 0 and 100, with 100 being the highest and most trusted. See part one if you want to read more about security levels.

To set it we use the ‘security-level’ command:

[code]London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address 80.80.80.80 255.255.0.0
London (config-if)# security-level 0
[/code]

By default interfaces with the same security level can not communicate, to enable it use the ‘same-security-traffic’ command. This may be handy when you have a DMZ and you want it to be able to communicate with the INSIDE network without NAT being preformed.

[code]
London (config-if)# same-security-traffic
[/code]

Next we need to tell the interface what speed and duplex settings we want it to operate at. By default all interfaces are set to automatic detection and will try to detect the best speed and duplex settings to work at. However sometimes you may need to configure them manually.

The speeds for an Ethernet cable you can choose from are 10, 100, auto or nonegotiate.

10 = 10BASE-T
100 = 100BASE-T
Auto = automatically sets the speed
Nonegotiate = for small form factor pluggable media types (SFP) and sets the speed to 1000Mbps.

[code]London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address 80.80.80.80 255.255.0.0
London (config-if)# security-level 0
London (config-if)# speed 100
London (config-if)# duplex full
[/code]

[b][u]Network Address Translation (NAT)[/b][/u]

As this paper is about configuring a PIX and not explaining how network protocols work I will very briefly explain about NAT.

Network Address Translation enables you to prevent external hosts from learning your internal IP addresses.
It accomplishes this by translating internal IP address, which is not routable over the internet, in to a globally unique IP address, which is routable over the internet. If you assigned your PC an IP address of 192.168.2.2 and tried to put it directly on the internet you would neither be able to receive or send traffic as the first router would drop your packets as soon as it saw your IP address.

This poses a problem for anyone with more than one computer behind a single connection, as if the above is true we would need an external IP address for every single computer on our network – which is obviously not possible as all the valid IP addresses would be used up very quickly.

Enter NAT.

Providing certain criteria are met the PIX will translate internal addresses to an external address as per your configuration. To anyone looking from the internet it will look like you have an external IP assigned to you and in most cases will never find out your internal address.

When an outbound IP packet that is sent from a device on the INSIDE network reaches your PIX which has NAT configured the source address is extracted and then compared with a table of existing translations. If the source address is not already in this table, it is now translated to an address taken from our external pool of addresses called a Global Pool. The table is now updated and the packet is forwarded on with our new external IP address in the source address part of the frames header.

This entry will stay in the translation table for three hours by default (this can be changed manually) if no activity is detected for this translation after the three hours it is removed and the external IP is free to be used for another host.

[b][u]Configuring NAT[/b][/u]

To configure NAT we first need to tell the PIX which hosts/networks on our INSIDE interface are allowed to be translated and them we tell it what we would like them to be translated to.

We can configure NAT on a global level with the command ‘nat-control’. If we enter the nat-control command we are telling the PIX that all addresses need to be translated before packets can be sent out of another interface.

The opposite is ‘no nat-control’ which means that all hosts can send packets and only where a specific NAT rule has been entered will a translation take place. No nat-control is the default.

There are two types of NAT policies on a PIX; Inside NAT Policy and Outside NAT Policy.

As their names suggest if Inside NAT Policy is enabled all INSIDE hosts need to have an inside NAT rule configured, likewise it Outside NAT is enabled all OUTSIDE addresses must have an outside rule configured

We configure NAT by telling the PIX, which interface the hosts/network is on that we want to translate:

[code]London (config)# nat (inside) 1 0.0.0.0 0.0.0.0[/code]

The above tells the PIX that we want to perform [b]nat[/b] on the [b](inside)[/b] interface, the [b]1[/b] is the ‘nat group’ we have assigned it, this will be come apparent later, the [b]0.0.0.0 0.0.0.0[/b] tells the PIX that we want to perform NAT on everything that is attached to the INSIDE interface. We could substitute this with 192.168.2.2 255.255.255.255 which would say that the host with that exact IP address needs to be NAT’ed or we could use 192.168.1.0 255.255.255.0 which would say that everything between192.168.0.1 and 192.168.0.255 needs to be translated.

*The 0.0.0.0 0.0.0.0 can be abbreviated to 0 0 however this can look a bit confusing to anyone not comfortable configuring a PIX so you may want to use 0.0.0.0 0.0.0.0.*

So now we have told it what IP addresses that require translating we need to tell the PIX what we want them translated to.
To do this we use the ‘global’ command.

[code]London (config)# global (outside) 1 80.80.80.81 – 80.80.80.200 netmask 255.255.255.0[/code]

The above command tells the PIX that we are assigning [b]global[/b] IP addresses on the [b](outside)[/b] from NAT group [b]1[/b] and the range of address available are [b] 80.80.80.81 – 80.80.80.200 [/b]

Our configuration so far:

[code] London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address 80.80.80.80 255.255.0.0
London (config-if)# security-level 0
London (config-if)# speed 100
London (config-if)# duplex full
London (config-if)# end
London# conf t
London (config)# nat (inside) 1 0.0.0.0 0.0.0.0
London (config)# global (outside) 1 80.80.80.81 – 80.80.80.200 netmask 255.255.255.0[/code]

So now all hosts on the INSIDE interface will be translated to an address between 80.80.80.81 to 80.80.80.200 whenever the send traffic from the INSDIE interface to the OUTSIDE interface.

*If the NAT command is used there MUST be a GLOBAL command, otherwise NAT will not work*

We can use static NAT’s that NAT a specific IP address either on the INSIDE or OUTSIDE interface to another IP on a different interface but this will be covered later in the Advanced PIX Configuration papers.

[b][u]Route[/b][/u]

Just like a router we need to tell the PIX where to send traffic destined for unknown and known IP addresses. We do this by configuring Static and/or Default Routes.

A static route is basically saying ‘To send a packet to the specified network, send it to this router’

A default route tells the PIX where to send traffic destined for an IP address/network not in its routing table. We normally configure a default route to state where internet traffic should go. It is impossible to enter every IP address on the internet in to the PIX’s routing table but it is easy to enter out internal networks in to it. So we say that, if there is no entry in the routing table, then the traffic is destined for the internet so send it here. If when the packet gets to the gateway it is not destined for the internet and has an internal IP, it will be dropped for reasons mentioned earlier.

[code]London (config)# route outside 0.0.0.0. 0.0.0.0 192.168.2.1 1[/code]

The above is an example of a default route. It is saying to [b]route[/b] traffic out the [b]outside[/b] interface if the IP address is not in the routing table [b]0.0.0.0. 0.0.0.0[/b] to the router with the IP address of [b]192.168.2.1[/b] which is [b]1[/b] hop away.

[code]London (config)# route inside 10.10.10.0 255.255.255.0 10.10.10.1 1[/code]

The above is an example of a static route. This is telling the PIX that any traffic arriving on the [b]inside[/b] interface destined for the [b]10.10.10.0[/b] network should be sent to the router with the IP address of [b]10.10.10.1[/b] which is [b]1[/b] hop away.

[code] London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address 80.80.80.80 255.255.0.0
London (config-if)# security-level 0
London (config-if)# speed 100
London (config-if)# duplex full
London (config-if)# end
London# conf t
London (config)# nat (inside) 1 0.0.0.0 0.0.0.0
London (config)# global (outside) 1 80.80.80.81 – 80.80.80.200 netmask 255.255.255.0
London (config)# route outside 0.0.0.0. 0.0.0.0 192.168.2.1 1
London (config)# route inside 10.10.10.0 255.255.255.0 10.10.10.1 1
London (config)# end
London#wr mem[/code]

There we have our finished initial BASIC configuration. We have named an interface, assigned it an IP address and subnet mask, told it what speed to operate at, told it that we want to NAT all hosts on the INSIDE interface to the external IP addresses of 80.80.80.81-200, we have gave it a default route to tell it where to send unknown traffic and we have told it where to send traffic destined for the internal network of 10.10.10.0.

Obviously the IP addresses are just for demonstration purposes and all interfaces will need to be configured as above for the PIX to work.

Part three will be ‘slightly advanced PIX configuration’. :

One Response to Cisco PIX – Basic PIX configuration

  1. Sweetie Bracelet December 1, 2010 at 3:21 pm

    ehternet cables are still the ones that i use for my home networking applications ;;”

Leave a Reply

Your email address will not be published. Required fields are marked *

Advertise

If you'd like to advertise on The Mutt ( aka TheTAZZone.com ) feel free to contact us at: administration[at]thetazzone.com

TheTAZZone is a non-commercial entity. We do not sell any products or services ourselves. Our revenue comes from advertising and donations only.

We appreciate your support! Your advertising revenue ( or donations ) helps us to continue to upgrade, improve, and offset the costs of maintaining this site.

Donations can be made through the page ' Donate '.