
Cisco Secure Pix Firewall Administration

CSPFA
Lab Manual

Developed by:

Shaik Mohammad Rafi

Contact :- rafi.shaik4 @ gmail.com

PIX / FIREWALL LAB MANUAL BY SHAIK MOHAMMD RAFI


LABS OUTLINE

1- Basic PIX Firewall Commands …………………………………………2


2- Static NAT ……………………………………………………….……..11
3- Dynamic NAT…………………………………………………………..13
4- PAT ……………………………………………………………………..15
5- PAT with Outside Interface Address …………………………………...17
6- Port Redirection ………………………………………………………...19
7- NAT 0 …………………………………………………………………..21
8- DHCP Server and DHCP Client ………………………………………..23
9- Syslog Server …………………………………………………………...26
10- Outbound, ACL and ICMP ACL ………………………………………..29
11- Secure Shell …………………………………………………………….35
12- Filter Java, ActiveX, URL ……………………………………………...38
13- Fixup HTTP, FTP, H.323 ………………………………………………40
14- TCP Intercept Max Connections and Embryonic Connections ..……….42
15- Intrusion Detection System ……………………………………………..44
16- AAA Server …………………………………………………………….46
17- Virtual Http and Telnet………………………………………………….50
18- IPSec Implementation …………………………………………………..53
19- Certificate Authority Server …………………………………………….55
20- Password Recovery ………………….………………………………….56
21- IOS and PDM Upgrade……………………………………………………57
22- Object Grouping ………………………………………………………...58
23- Object Grouping on PIX Device Manager………………………………61

BASIC PIXFIREWALL COMMANDS

ESPpix > enable


Password:
ESPpix # config ter
ESPpix (config)# enable password esp
ESPpix (config)# exit
ESPpix # exit
Logoff

ESPpix> ena
Password: ****

ESPpix# show enable password


enable password 0YvvkDz2sdCxrJJB encrypted

Note: the enable password cannot be removed, but it can be cleared through the password recovery procedure, which loads a recovery image from a TFTP server (see PASSWORD RECOVERY).

The Telnet password can be set and cleared in both privileged and configuration mode.

Telnet is only allowed from the inside interface (E1).

ESPpix# config t
ESPpix(config)# passwd pix

ESPpix# sh passwd
passwd H8FagjK1gVCNRzBO encrypted

ESPpix# clear passwd

ESPpix# sh passwd (cisco is the default Telnet password)


passwd 2KFQnbNIdI.2KYOU encrypted

ESPpix# conf t
ESPpix(config)# telnet 10.0.0.1 [netmask]
Note: specifies which hosts may access the PIX firewall console via Telnet.

ESPpix(config)# kill [telnet-id]

Note: terminates a Telnet session.

ESPpix(config)# who

Note: shows which IP addresses are currently accessing the PIX.

ESPpix# conf t
ESPpix(config)# int e1 shutdown

ESPpix# sh int e1
interface ethernet1 "inside" is administratively down, line protocol is down
Hardware is i82559 ethernet, address is 0008.a34d.7499 (cable is attached)
IP address 10.1.3.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit full duplex

ESPpix(config)# interface e1 10full


ESPpix(config)# sh int e1
interface ethernet1 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 172.23.103.1, subnet mask 255.255.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer

ESPpix(config)# int e0 shut


ESPpix(config)# sh int e0
interface ethernet0 "outside" is administratively down, line protocol is down
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 172.23.103.1, subnet mask 255.255.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex
ESPpix(config)# int e0 10baset

ESPpix(config)# int e0 10baseT


ESPpix(config)#sh int e0
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 172.23.103.1, subnet mask 255.255.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex

ESPpix(config)# ip address inside 10.0.0.1 255.0.0.0

ESPpix(config)# sh int e1
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a34d.7499
IP address 10.0.0.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit full duplex

ESPpix(config)# ip address outside 20.0.0.1 255.0.0.0

ESPpix(config)# sh int e0
interface ethernet0 "outside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 20.0.0.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex

ESPpix# sh ip address
System IP Addresses:
ip address outside 20.0.0.1 255.0.0.0
ip address inside 10.0.0.1 255.0.0.0
Current IP Addresses:
ip address outside 20.0.0.1 255.0.0.0
ip address inside 10.0.0.1 255.0.0.0
ESPpix# sh route
outside 0.0.0.0 0.0.0.0 172.23.103.2 1 OTHER static
inside 10.0.0.0 255.0.0.0 10.0.0.1 1 CONNECT static
inside 10.1.3.0 255.255.255.0 10.1.3.1 1 OTHER static
outside 20.0.0.0 255.0.0.0 20.0.0.1 1 CONNECT static

ESPpix#
ESPpix# conf t
ESPpix(config)# hostname ESPpix
ESPpix(config)# exit

ESPpix# sh nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100

ESPpix # conf t
ESPpix(config)# nameif e0 remote 0
ESPpix (config)# nameif e1 local 100
Error!
security 100 is reserved for the "inside" interface
Type help or '?' for a list of available commands.

ESPpix(config)# nameif e1 local 99


ESPpix(config)# exit

ESPpix# sh nameif

nameif ethernet0 remote security0


nameif ethernet1 local security99

ESPpix# sh int e0

interface ethernet0 "remote" is up, line protocol is down


Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 20.0.0.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex

ESPpix# sh int e1

interface ethernet1 "local" is up, line protocol is up


Hardware is i82559 ethernet, address is 0008.a34d.7499
IP address 10.0.0.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit full duplex

ESPpix # conf t

ESPpix(config)# no nameif
ESPpix(config)# exit

ESPpix# show nameif

nameif ethernet0 outside security0


nameif ethernet1 inside security100

ESPpix# conf t
ESPpix(config)# clock set 14:15:05 aug 14 2002
ESPpix(config)# exit

ESPpix # sh clock
14:15:13 Aug 14 2002
ESPpix# ping 10.0.0.1

10.0.0.1 response received -- 0ms
10.0.0.1 response received -- 0ms
10.0.0.1 response received -- 0ms

ESPpix# ping 10.0.0.10

10.0.0.10 NO response received -- 1000ms
10.0.0.10 NO response received -- 1000ms
10.0.0.10 NO response received -- 1000ms

ESPpix# show running-config (like show running-config in router IOS)

OR

ESPpix#write terminal (Show Running Configuration In Router IOS)

Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0YvvkDz2sdCxrJJB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ESPpix
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 20.0.0.1 255.0.0.0
ip address inside 10.0.0.1 255.0.0.0
ip audit info action alarm
[OK]

ESPpix# sh config (like show startup-config in router IOS)


No Configuration

ESPpix# write memory (Copy Running To Startup Config)

Building configuration...
Cryptochecksum: 8b14435d fdfe0df4 7427e2a0 d180be47

[OK]

ESPpix(config)# sh config
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0YvvkDz2sdCxrJJB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ESPpix
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 20.0.0.1 255.0.0.0
ip address inside 10.0.0.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 172.23.103.3
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.23.103.3 10.1.3.103 netmask 255.255.255.255 0 0
conduit permit icmp any any
!
terminal width 80
Cryptochecksum:8b14435dfdfe0df47427e2a0d180be47

To return the interfaces to their default settings:

ESPpix(config)# clear config primary

ESPpix(config)# sh int e1

interface ethernet1 "inside" is up, line protocol is up


Hardware is i82559 ethernet, address is 0008.a34d.7499
IP address 127.0.0.1, subnet mask 255.255.255.255
MTU 1500 bytes, BW 10000 Kbit full duplex

ESPpix(config)# sh int e0

interface ethernet0 "outside" is up, line protocol is down


Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 127.0.0.1, subnet mask 255.255.255.255
MTU 1500 bytes, BW 10000 Kbit half duplex

ESPpix(config)# reload

Proceed with reload? [confirm]

Rebooting....

CISCO SYSTEMS PIX-501


Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
Compiled by morlee
16 MB RAM

PCI Device Table.


Bus Dev Func VendID DevID Class Irq
00 00 00 1022 3000 Host Bridge
00 11 00 8086 1209 Ethernet 9
00 12 00 8086 1209 Ethernet 10

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000

Use BREAK or ESC to interrupt flash boot.


Use SPACE to begin flash boot immediately.
Reading 2466304 bytes of image from flash.
16MB RAM
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000
mcwa i82559 Ethernet at irq 9 MAC: 0008.a34d.7497
mcwa i82559 Ethernet at irq 10 MAC: 0008.a34d.7499

-----------------------------------------------------------------------
|| ||
|| ||
|||| ||||
..:||||||:..:||||||:..
ciscoSystems
Private Internet eXchange
-----------------------------------------------------------------------
Cisco PIX Firewall

Cisco PIX Firewall Version 6.1(1)

Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled

Websense: Enabled
Inside Hosts: 10
Throughput: Limited
ISAKMP peers: 5

Global 172.23.103.3 will be Port Address Translated

Cryptochecksum(changed): 0d9f0939 c71dd298 c4f8f08b 9992ed30

Cannot select private key
Type help or '?' for a list of available commands.

ESPpix# write erase (Erase Startup Configuration)


Erase PIX configuration in flash memory? [confirm]
ESPpix#

ESPpix #write net

ESPpix #write floppy

ESPpix #write standby

ESPpix#show history

ESPpix#show memory

ESPpix#show version

ESPpix#show xlate

ESPpix#show cpu usage

ESPpix#name 172.16.2.1 Bastionhome (assigns a name to an IP address)

ESPpix(config)#route outside 0.0.0.0 0.0.0.0 192.168.0.1 (specifies the default or a static route)

NAT ON PIXFIREWALL
Static NAT

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server); outside host 20.0.0.4 (remote WWW server)]

REQUIREMENTS:

Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin

PIXFirewall Configuration:

ESPpix(config)# static (inside,outside) 20.0.0.51 10.0.0.1
ESPpix(config)# static (inside,outside) 20.0.0.52 10.0.0.2
ESPpix(config)# conduit permit icmp host 20.0.0.51 host 20.0.0.4
ESPpix(config)# conduit permit icmp host 20.0.0.52 host 20.0.0.4

At Machine 10.0.0.1:

Go to the command prompt and type “ping 20.0.0.4”, or open a web browser and type 20.0.0.4 to reach the remote web server.
Repeat the same procedure on machine 10.0.0.2 and verify the result.

Verification Commands:

ESPpix(config)# show static
ESPpix(config)# show xlate
ESPpix(config)# show conduit

NAT ON PIXFIREWALL
Dynamic NAT

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server); outside host 20.0.0.4 (remote WWW server)]

REQUIREMENTS:

Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin

PIXFirewall Configuration:

ESPpix(config)# nat (inside) 1 0 0
ESPpix(config)# global (outside) 1 20.0.0.51-20.0.0.60
ESPpix(config)# conduit permit icmp any any

At Machine 10.0.0.1:

Go to the command prompt and type “ping 20.0.0.4”, or open a web browser and type 20.0.0.4 to reach the remote web server.
Repeat the same procedure on machine 10.0.0.2 and verify the result.

Verification Commands:

ESPpix(config)# show global
ESPpix(config)# show nat
ESPpix(config)# show xlate
ESPpix(config)# show conduit

NAT ON PIXFIREWALL
Port Address Translation

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server); outside host 20.0.0.4 (remote WWW server)]

REQUIREMENTS:

Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin

PIXFirewall Configuration:

ESPpix(config)# nat (inside) 1 0 0
ESPpix(config)# global (outside) 1 20.0.0.50
ESPpix(config)# conduit permit icmp any any

At Machine 10.0.0.1:

Go to the command prompt and type “ping 20.0.0.4”, or open a web browser and type 20.0.0.4 to reach the remote web server.
Repeat the same procedure on machine 10.0.0.2 and verify the result.

Verification Commands:

ESPpix(config)# show global
ESPpix(config)# show nat
ESPpix(config)# show xlate
ESPpix(config)# show conduit

NAT ON PIXFIREWALL
PAT WITH OUTISDE INTERFACE ADDRESS

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server); outside host 20.0.0.4 (remote WWW server)]

REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin

PIXFirewall Configuration:
Esppix(config)# ip address inside 10.0.0.10 255.0.0.0
Esppix(config)# ip address outside 20.0.0.10 255.0.0.0
Esppix(config)# int e1 10full
Esppix(config)# int e0 10full
Esppix(config)# nat (inside) 1 10.0.0.0 255.0.0.0
Esppix(config)# global (outside) 1 interface
Esppix(config)# conduit permit icmp any any

At Machine 10.0.0.1:
Go to the command prompt and type “ping 20.0.0.4”, or open a web browser and type 20.0.0.4 to reach the remote web server.
Repeat the same procedure on machine 10.0.0.2 and verify the result.

Verification Commands:
Esppix(config)# debug icmp trace
Esppix(config)# show global
Esppix(config)# show nat
Esppix(config)# show xlate
Esppix(config)# show conduit

PORT REDIRECTION

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server), reachable from outside through the translated address 20.0.0.60; outside host 20.0.0.4 (temporary WWW server)]

REQUIREMENTS:

Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin

PIXFirewall Configuration:

ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# int e1 10full
ESPpix(config)# int e0 10full
ESPpix(config)# static (inside,outside) tcp 20.0.0.60 8080 10.0.0.1 80

At Machine 20.0.0.4:

Open Internet Explorer and browse to http://20.0.0.60; the PIX redirects the request to the temporary web server.

Verification Commands:

ESPpix(config)# show static
ESPpix(config)# show xlate

NAT ON PIXFIREWALL
NAT 0

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server); outside host 20.0.0.4 (remote WWW server)]

REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2
PIX IOS filename “pix622.bin”

PIXFirewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# int e1 10full
ESPpix(config)# int e0 10full
ESPpix(config)# nat (inside) 0 10.0.0.1 255.0.0.0
ESPpix(config)# conduit permit icmp any any

At Machine 10.0.0.1:
Go to the command prompt and type “ping 20.0.0.4”, or open a web browser and type 20.0.0.4 to reach the remote web server.
Repeat the same procedure on machine 10.0.0.2 and verify the result.

Verification Commands:
ESPpix(config)# debug icmp trace
ESPpix(config)# show nat
ESPpix(config)# show global
ESPpix(config)# show xlate
ESPpix(config)# show conduit
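The NAT labs above (static, dynamic, PAT, PAT with the interface address, port redirection and NAT 0) differ only in how the PIX chooses the global address and port. The model below is an added example, not code from the manual: it replays each lab's commands and returns the translations that show xlate would list; the class, method names and pool allocation order are ours.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PixNat:
    """Model of the PIX translation rules used in the NAT labs (constructed, not PIX code)."""
    outside_ip: str                                    # address of interface e0
    statics: dict = field(default_factory=dict)        # local ip -> global ip
    port_statics: dict = field(default_factory=dict)   # (global ip, proto, port) -> (local ip, port)
    nat0: list = field(default_factory=list)           # inside networks exempt from translation
    nat_rules: list = field(default_factory=list)      # (nat_id, inside network)
    global_cfg: dict = field(default_factory=dict)     # nat_id -> {"pool": [...]} or {"pat": ip}
    xlate: dict = field(default_factory=dict)          # local ip -> pool address in use
    pat_ports: dict = field(default_factory=dict)      # (local ip, local port) -> (global ip, port)
    next_pat_port: int = 1024

    # configuration: one method per lab command
    def static(self, global_ip, local_ip):             # static (inside,outside) G L
        self.statics[local_ip] = global_ip

    def static_port(self, proto, global_ip, gport, local_ip, lport):   # static ... tcp G gp L lp
        self.port_statics[(global_ip, proto, gport)] = (local_ip, lport)

    def nat(self, nat_id, net):                        # nat (inside) id net mask; '0 0' = any
        net = ipaddress.ip_network(net)
        if nat_id == 0:
            self.nat0.append(net)
        else:
            self.nat_rules.append((nat_id, net))

    def global_pool(self, nat_id, first, last):        # global (outside) id first-last
        a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.global_cfg[nat_id] = {"pool": [str(ipaddress.ip_address(i)) for i in range(a, b + 1)]}

    def global_pat(self, nat_id, ip=None):             # global (outside) id ip | interface
        self.global_cfg[nat_id] = {"pat": ip or self.outside_ip}

    # translation
    def translate_outbound(self, local_ip, local_port):
        """Source (ip, port) as the outside peer sees it, or None when no rule applies."""
        src = ipaddress.ip_address(local_ip)
        if local_ip in self.statics:                   # static NAT: fixed one-to-one mapping
            return self.statics[local_ip], local_port
        if any(src in n for n in self.nat0):           # nat 0: identity, address unchanged
            return local_ip, local_port
        for nat_id, net in self.nat_rules:
            if src not in net or nat_id not in self.global_cfg:
                continue
            g = self.global_cfg[nat_id]
            if "pool" in g:                            # dynamic NAT: one pool address per host
                if local_ip not in self.xlate:
                    free = [ip for ip in g["pool"] if ip not in self.xlate.values()]
                    if not free:
                        return None                    # pool exhausted: no xlate for new hosts
                    self.xlate[local_ip] = free[0]
                return self.xlate[local_ip], local_port
            key = (local_ip, local_port)               # PAT: shared address, unique global port
            if key not in self.pat_ports:
                self.pat_ports[key] = (g["pat"], self.next_pat_port)
                self.next_pat_port += 1
            return self.pat_ports[key]
        return None

    def translate_inbound(self, proto, global_ip, gport):
        """Port redirection: (inside ip, port) an outside request is sent to, or None."""
        return self.port_statics.get((global_ip, proto, gport))


def run_labs():
    """Run each lab's commands through the model; returns what 'show xlate' would reveal."""
    r = {}
    p = PixNat("20.0.0.10"); p.static("20.0.0.51", "10.0.0.1"); p.static("20.0.0.52", "10.0.0.2")
    r["static"] = (p.translate_outbound("10.0.0.1", 1025), p.translate_outbound("10.0.0.2", 1025))
    p = PixNat("20.0.0.10"); p.nat(1, "0.0.0.0/0"); p.global_pool(1, "20.0.0.51", "20.0.0.60")
    r["dynamic"] = (p.translate_outbound("10.0.0.1", 1025), p.translate_outbound("10.0.0.2", 1025))
    p = PixNat("20.0.0.10"); p.nat(1, "10.0.0.0/8"); p.global_pat(1)          # PAT with interface
    r["pat"] = (p.translate_outbound("10.0.0.1", 1025), p.translate_outbound("10.0.0.2", 1025))
    p = PixNat("20.0.0.10"); p.static_port("tcp", "20.0.0.60", 8080, "10.0.0.1", 80)
    r["redirect"] = (p.translate_inbound("tcp", "20.0.0.60", 8080), p.translate_inbound("tcp", "20.0.0.60", 80))
    p = PixNat("20.0.0.10"); p.nat(0, "10.0.0.0/8")
    r["nat0"] = p.translate_outbound("10.0.0.1", 1025)
    p = PixNat("20.0.0.10"); p.nat(1, "0.0.0.0/0"); p.global_pool(1, "20.0.0.51", "20.0.0.51")
    p.translate_outbound("10.0.0.1", 1025)                                     # takes the only address
    r["pool_exhausted"] = p.translate_outbound("10.0.0.2", 1025)
    return r
```

The port-redirection static answers only on 20.0.0.60 port 8080 on the global side, which is why the model returns None for a request to port 80; a dynamic pool that runs out of addresses likewise yields no translation for the next host.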

DYNAMIC HOST CONFIGURATION ON PIXFIREWALL

[Diagram: PC A and PC B on the inside segment of E1 (10.0.0.10), receiving addresses from the pool 10.0.0.51 to 10.0.0.60]

REQUIREMENTS:

Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin

PIXFirewall as DHCP Server (For Inside Interface Only)

PIXFirewall Configuration:

ESPpix(config)# dhcpd address 10.0.0.51-10.0.0.60
ESPpix(config)# dhcpd dns 10.0.0.30
ESPpix(config)# dhcpd wins 10.0.0.40
ESPpix(config)# dhcpd domain esp.com
ESPpix(config)# dhcpd lease 3000
ESPpix(config)# dhcpd enable inside

At Machine PCA:

Go to the command prompt and type “ipconfig /release” to release the current IP address, then “ipconfig /renew”, then “ipconfig” again to display the IP address obtained from the DHCP server.
Repeat the same procedure on machine PCB and verify the results.

Verification Commands:

ESPpix(config)# show dhcpd
ESPpix(config)# clear dhcpd
ESPpix(config)# debug dhcpd events
ESPpix(config)# debug dhcpd packet
ESPpix(config)# debug dhcpd detail
ESPpix(config)# debug dhcpd error

PIXFirewall as DHCP Client (For Outside Interface Only)

[Diagram: DHCP server 20.0.0.4 on the outside segment of E0, offering the pool 20.0.0.51 to 20.0.0.60]
PIXFirewall Configuration:

ESPpix(config)# ip address outside dhcp

Verification Commands:

ESPpix(config)# debug dhcpd events
ESPpix(config)# debug dhcpd packet
ESPpix(config)# debug dhcpd detail
ESPpix(config)# debug dhcpd error

SYSLOG SERVER

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 (syslog server) and 10.0.0.2 (local WWW server); outside host 20.0.0.4 (remote WWW server)]

REQUIREMENTS:

Windows 98 Operating System
PIX IOS V6.2
PIX IOS filename “pix622.bin”
Kiwi Syslog Software

PIXFirewall Configuration:

ESPpix(config)# logging host inside 10.0.0.1
ESPpix(config)# logging trap 7
ESPpix(config)# logging on

At PIXFirewall:

You can verify this lab by typing any command, OR
by entering an invalid privileged-mode password, OR
by telnetting from any inside machine.

Verification Commands:

ESPpix(config)# show logging

OUTBOUND ACL

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server); outside host 20.0.0.4 (remote WWW server)]

PIXFirewall Configuration:
Esppix(config)# ip address inside 10.0.0.10 255.0.0.0
Esppix(config)# ip address outside 20.0.0.10 255.0.0.0
Esppix(config)# int e0 10baset
Esppix(config)# int e1 10full
Esppix(config)# outbound 1 permit 10.0.0.1 255.255.255.255 http
Esppix(config)# outbound 1 deny 10.0.0.2 255.255.255.255 http
Esppix(config)# apply (inside) 1 outgoing_src
OR
Esppix(config)# outbound 1 permit 20.0.0.4 255.255.255.255 http
Esppix(config)# apply (inside) 1 outgoing_dest

At Machine 10.0.0.1:
Open Internet Explorer and type “20.0.0.4” in the address bar; repeat the same procedure on machine 10.0.0.2.

Verification Commands:
Esppix(config)# sh apply
Esppix(config)# sh outbound
Esppix(config)# clear outbound

ACCESS CONTROL LIST

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2; outside host 20.0.0.4 (WWW server)]

PIXFirewall Configuration:

ESPpix(config)# access-list esp permit tcp host 10.0.0.1 any eq www
ESPpix(config)# access-list esp deny tcp host 10.0.0.2 any eq www
ESPpix(config)# access-group esp in interface inside

At Machine 10.0.0.1:

Open Internet Explorer and type “20.0.0.4” in the address bar.
Repeat the same procedure on machine 10.0.0.2 and verify the result.

Verification Commands:

ESPpix(config)# show access-list
ESPpix(config)# show access-group
ESPpix(config)# clear access-list

ICMP ACCESS CONTROL LIST

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (AAA server shown on the inside); outside host 20.0.0.4]

REQUIREMENTS:

Windows 98 Operating System
PIX IOS V6.2, 500 Series PIX
IOS file name “pix622.bin”

PIXFirewall Configuration:

ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# int e0 10baset
ESPpix(config)# int e1 10full
ESPpix(config)# icmp deny 0 0 inside
ESPpix(config)# icmp deny 0 0 outside

At Machine 10.0.0.1:

Go to the command prompt and ping the inside interface: “ping 10.0.0.10”.
At machine 20.0.0.4 repeat the same procedure with “ping 20.0.0.10”.

Verification Commands:

ESPpix(config)# show icmp
ESPpix(config)# clear icmp

SECURE SHELL

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (AAA server); outside host 20.0.0.4]

REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2, 500 Series
IOS file name “pix622.bin”
PuTTY Software

PIXFirewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# int e1 10full
ESPpix(config)# int e0 10full
ESPpix(config)# domain-name esp.com
ESPpix(config)# ca generate rsa key 1024
ESPpix(config)# ssh 10.0.0.1 inside
ESPpix(config)# ssh 20.0.0.4 255.255.255.255 outside

ESPpix(config)# aaa-server esp protocol tacacs+
ESPpix(config)# aaa-server esp (inside) host 10.0.0.2 cisco
ESPpix(config)# aaa authentication ssh console esp

Verification Commands:

ESPpix(config)# show ssh
ESPpix(config)# show ssh session
ESPpix(config)# ssh disconnect session_id
ESPpix(config)# show ca mypubkey rsa

At Machine 10.0.0.1:

Or, to use secure shell through the outside interface, specify the outside interface address (20.0.0.10) in the Host Name field of PuTTY.

FILTER JAVA APPLETS & ACTIVEX

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server); outside host 20.0.0.4 (remote WWW server)]

Requirements:

Windows 98 Operating System
PIX IOS V6.2, 500 Series
IOS file name “pix622.bin”

PIXFirewall Configuration:

ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# int e1 10full
ESPpix(config)# int e0 10baset
ESPpix(config)# nat (inside) 1 0 0
ESPpix(config)# global (outside) 1 20.0.0.51-20.0.0.60

Filter Java
ESPpix(config)# filter java 80 0 0 0 0
Filter ActiveX
ESPpix(config)# filter activex 80 0 0 0 0

At Machine 10.0.0.1:

Open Internet Explorer and type “20.0.0.4” in the address bar.
Repeat the same procedure on machine 10.0.0.2 and verify the result.

FIXUP PROTOCOL

PROTOCOL   EFFECT (fixup removed)                                  CHANGING A PORT
HTTP       No change.                                              Works for both port 80 and the changed port.
FTP        The connection to the requested web server cannot       Works only for the changed port.
           be established.
H.323      No change.                                              The port cannot be changed.

(A fixup is used to mark up, or to fix drawbacks in, an existing protocol going from inside to outside.)

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside host 10.0.0.1; outside hosts 20.0.0.1 (HTTP server) and 20.0.0.2 (FTP server)]
HTTP FIXUP
ESPpix(config)# no fixup protocol http 80
You can still view the web site.
ESPpix(config)# fixup protocol http 8080
You can view a web site running on either port 80 or port 8080.

FTP FIXUP
ESPpix(config)# no fixup protocol ftp 21
Now you are unable to view the FTP site.
ESPpix(config)# fixup protocol ftp 2021
Now you are able to view the FTP site on port 2021.

H.323 FIXUP
ESPpix(config)# no fixup protocol h323 1720
You can still place a NetMeeting call.
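HTTP keeps working without its fixup because a plain web page needs no second connection, whereas FTP negotiates a separate data connection inside the control channel. The model below, added here and not part of the manual, shows what the FTP fixup does for an inside client behind PAT: it reads the PORT command, rewrites the private address to the global one and opens a pinhole for the server's return connection; the client address, global address and control-channel line are constructed.

```python
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(groups):
    """FTP writes an endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def _encode(ip, port):
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def inspect_ftp_command(line, local_ip, global_ip, server_port, fixup_ports):
    """Model the FTP fixup on one client->server control-channel line.

    Returns (line as forwarded to the server, pinhole or None); the pinhole is the
    (global ip, port) the server is temporarily allowed to connect back to.
    Only control connections to a port in fixup_ports are inspected, which is why
    'no fixup protocol ftp 21' breaks active FTP and 'fixup protocol ftp 2021'
    restores it only for a server listening on 2021. HTTP has no second
    connection, so 'no fixup protocol http 80' changes nothing for a plain page.
    """
    m = PORT_RE.match(line)
    if not m or server_port not in fixup_ports:
        return line, None          # not inspected: private address leaks out, no pinhole opened
    ip, port = _decode(m.groups())
    if ip == local_ip:             # rewrite the embedded private address to the NAT global address
        ip = global_ip
    return _encode(ip, port), (ip, port)


def data_connection_allowed(direction, pinhole, dst_ip, dst_port):
    """Adaptive security default: inside->outside data connections pass; an
    outside->inside one (the active-mode server callback) needs a matching pinhole."""
    if direction == "outbound":
        return True
    return pinhole == (dst_ip, dst_port)


# Constructed exchange: inside client 10.0.0.1, PAT'd to 20.0.0.10, offers 10.0.0.1:1025
# for an active-mode data connection (4*256 + 1 = 1025).
CLIENT_PORT_CMD = "PORT 10,0,0,1,4,1"


def lab_outcomes():
    """Reproduce the states of the FTP FIXUP lab; each value is (forwarded line, data ok?)."""
    def run(server_port, fixup_ports):
        fwd, hole = inspect_ftp_command(CLIENT_PORT_CMD, "10.0.0.1", "20.0.0.10", server_port, fixup_ports)
        return fwd, data_connection_allowed("inbound", hole, "20.0.0.10", 1025)
    return {
        "default_fixup_21": run(21, {21}),            # fixup protocol ftp 21 (default)
        "no_fixup_21": run(21, set()),                # no fixup protocol ftp 21
        "fixup_2021_server_2021": run(2021, {2021}),  # fixup protocol ftp 2021, server on 2021
        "fixup_2021_server_21": run(21, {2021}),      # same fixup, server still on 21
    }
```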

TCP Intercept Maximum Connection

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside FTP server 10.0.0.1, translated to 20.0.0.50; outside hosts 20.0.0.1 and 20.0.0.2]

REQUIREMENTS:

Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin

PIXFirewall Configuration:

ESPpix(config)# static (inside,outside) 20.0.0.50 10.0.0.1 1 0
ESPpix(config)# conduit permit ip any any

At Machine 20.0.0.1:

Open Internet Explorer, browse to “ftp://20.0.0.50” and copy the folder to the local hard disk; at the same time go to machine 20.0.0.2 and browse to “ftp://20.0.0.5”. After some interval of time it will be unable to retrieve the desired page.

Verification Commands:

ESPpix(config)# show static
ESPpix(config)# show xlate
ESPpix(config)# show conduit
ESPpix(config)# show conn
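In static (inside,outside) 20.0.0.50 10.0.0.1 1 0 the two trailing numbers are max_conns (1) and em_limit (0, meaning no embryonic limit), which is why the second client is refused while the first transfer is still open. The simulation below is an added example, not PIX code: it models both limits, including the embryonic (half-open) limit that turns on TCP Intercept; class and client addresses are ours.

```python
class ConnLimits:
    """Model of the per-static connection limits max_conns and em_limit
    (constructed example of the behaviour, not PIX code)."""

    def __init__(self, max_conns=0, em_limit=0):
        self.max_conns, self.em_limit = max_conns, em_limit   # 0 means unlimited
        self.conns = {}   # (client ip, client port) -> "embryonic" or "established"

    def _count(self, state=None):
        return sum(1 for s in self.conns.values() if state is None or s == state)

    def syn(self, client):
        """An outside client's SYN arrives for the translated server address."""
        if self.max_conns and self._count() >= self.max_conns:
            return "dropped"        # over max_conns: the SYN gets no connection slot
        if self.em_limit and self._count("embryonic") >= self.em_limit:
            return "intercepted"    # TCP Intercept: PIX answers the handshake on the server's behalf
        self.conns[client] = "embryonic"
        return "accepted"

    def handshake_done(self, client):
        """Client's final ACK: the half-open connection becomes established."""
        if self.conns.get(client) != "embryonic":
            return False
        self.conns[client] = "established"
        return True

    def close(self, client):
        self.conns.pop(client, None)


def lab_scenario():
    """static (inside,outside) 20.0.0.50 10.0.0.1 1 0: one connection, no embryonic cap."""
    t = ConnLimits(max_conns=1, em_limit=0)
    first = t.syn(("20.0.0.1", 1025))
    t.handshake_done(("20.0.0.1", 1025))        # 20.0.0.1 is copying the folder
    second = t.syn(("20.0.0.2", 1025))          # 20.0.0.2 browses at the same time
    t.close(("20.0.0.1", 1025))
    third = t.syn(("20.0.0.2", 1026))           # retry after the first transfer ends
    return first, second, third


def syn_flood_scenario(em_limit=5):
    """With an embryonic limit, the (em_limit + 1)th half-open connection is intercepted."""
    t = ConnLimits(max_conns=0, em_limit=em_limit)
    return [t.syn(("20.0.0.2", 2000 + i)) for i in range(em_limit + 1)]
```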

INTRUSION DETECTION SYSTEM

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside host 10.0.0.1; outside hosts 20.0.0.1 and 20.0.0.2]

REQUIREMENTS:

Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin

PIXFirewall Configuration:

Esppix(config)# logging host inside 10.0.0.1
Esppix(config)# logging trap 7
Esppix(config)# logging on

Esppix(config)# ip audit name outbound-info info action alarm drop reset
Esppix(config)# ip audit interface outside outbound-info

At Machine 20.0.0.4:

Go to the command prompt and type “ping 20.0.0.10” (or ping an internal host) and watch the logging messages on the syslog server.

Verification Commands:

Esppix(config)# show ip audit count
Esppix(config)# no ip audit interface outside outbound-info
Esppix(config)# no ip audit name outbound-info

AAA WITH PIXFIREWALL

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 (AAA server) and 10.0.0.2 (local WWW server); outside host 20.0.0.4 (remote WWW server)]

Pixfirewall Configuration:

Esppix(config)# aaa-server main protocol tacacs+
Esppix(config)# aaa-server main (inside) host 10.0.0.1 cisco
Esppix(config)# aaa authentication any outbound 0 0 0 0 main
Esppix(config)# aaa authorization any outbound 0 0 0 0 main
Esppix(config)# aaa accounting any outbound 0 0 0 0 main

For Authorization:

For Accounting:

At Machine 10.0.0.1:

Open Internet Explorer and type 20.0.0.4 in the address bar.
A new window prompts for credentials; give the user name and password and verify the results.

Verification Commands:

Esppix(config)# sh uauth
Esppix(config)# clear uauth
Esppix(config)# clear aaa-server

VIRTUAL HTTP AND TELNET

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 (AAA server) and 10.0.0.2 (local WWW server); outside host 20.0.0.4 (remote WWW server)]

Pixfirewall Configuration:

Esppix(config)# aaa-server main protocol tacacs+
Esppix(config)# aaa-server main (inside) host 10.0.0.1 cisco
Esppix(config)# aaa authentication any outbound 0 0 0 0 main
Esppix(config)# aaa authentication include 1/8 outbound 0 0 0 0 main
Esppix(config)# aaa authorization include 1/8 outbound 0 0 0 0 main
Esppix(config)# virtual http 20.0.0.8
Esppix(config)# virtual telnet 20.0.0.9

For Virtual HTTP:

First go to the web browser, type 20.0.0.8 and provide the right username and password.

Press the OK button; the following error then appears:

“Error: 501 Not Implemented”

You are now authenticated for non-Telnet, non-FTP and non-HTTP services.

Go to the command prompt and ping 20.0.0.4; the response now comes back.

For Virtual Telnet:

Go to the command prompt and type ‘telnet 20.0.0.9’. You will be prompted for a username and password; provide them and the message ‘Authentication Successful’ appears.

Now you can ping 20.0.0.4.

Verification Commands:

Esppix(config)# sh aaa
Esppix(config)# sh aaa-server
Esppix(config)# sh uauth
Esppix(config)# sh virtual

IPSEC BETWEEN PIXFIREWALL & ROUTER

[Diagram: PIX Firewall outside interface E0 11.0.0.1 connected to router ESPA at 11.0.0.2]

PIXFirewall Configuration:

ESPpix(config)# isakmp enable outside
ESPpix(config)# isakmp policy 2 encryption des
ESPpix(config)# isakmp policy 2 hash md5
ESPpix(config)# isakmp policy 2 authentication pre-share
ESPpix(config)# isakmp policy 2 group 2

ESPpix(config)# isakmp key cisco123 address 11.0.0.2

ESPpix(config)# access-list 101 permit ip 11.0.0.1 255.255.255.255 11.0.0.2 255.255.255.255

ESPpix(config)# crypto ipsec transform-set pix esp-des esp-md5-hmac
ESPpix(config)# crypto map pixmap 1 ipsec-isakmp
ESPpix(config)# crypto map pixmap 1 match address 101
ESPpix(config)# crypto map pixmap 1 set peer 11.0.0.2
ESPpix(config)# crypto map pixmap 1 set transform-set pix
ESPpix(config)# crypto map pixmap 1 set pfs group2
ESPpix(config)#

Apply Crypto Map:

ESPpix(config)# crypto map pixmap interface outside

ESPA Configuration:

ESPA(config)#access-list 101 permit ip 11.0.0.0 0.255.255.255 11.0.0.0 0.255.255.255
ESPA(config)#crypto isakmp policy 1
ESPA(config-isakmp)#authentication pre-share
ESPA(config-isakmp)#encryption des
ESPA(config-isakmp)#group 2
ESPA(config-isakmp)#hash md5
ESPA(config-isakmp)#exit

Key:
ESPA(config)#crypto isakmp key cisco123 address 11.0.0.1

IPSec:

ESPA(config)#crypto ipsec transform-set ESPAset esp-des esp-md5-hmac
ESPA(cfg-crypto-trans)#exit

ESPA(config)#crypto map ESPAmap 1 ipsec-isakmp
ESPA(config-crypto-map)#match address 101
ESPA(config-crypto-map)#set peer 11.0.0.1
ESPA(config-crypto-map)#set transform-set ESPAset
ESPA(config-crypto-map)#set pfs group2
ESPA(config-crypto-map)#^Z
ESPA#

Apply Crypto Map:

ESPA(config)#int e0
ESPA(config-if)# crypto map ESPAmap

Verification Commands:

ESPA# show crypto isakmp policy
ESPA# show crypto isakmp sa
ESPA# show crypto ipsec sa
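Two checks worth making before the tunnel is tested, as an added example that is not part of the lab: the ISAKMP policies on both peers must agree on every attribute, and the two crypto ACLs must be mirror images of each other. The parser below converts the PIX subnet-mask form and the IOS wildcard-mask form to a common representation; run on the lab's own entries it reports that the router ACL (11.0.0.0/8 to 11.0.0.0/8) is not the mirror of the PIX ACL (11.0.0.1/32 to 11.0.0.2/32). The mirrored router entry is a constructed correction, and the policy dictionaries are our transcription of the commands.

```python
import ipaddress


def _addr(tokens, i, style):
    """Parse one address spec starting at tokens[i]; returns (network, next index).
    PIX crypto ACLs take a subnet mask, IOS ACLs take a wildcard (inverted) mask."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    ip, mask = tokens[i], tokens[i + 1]
    if style == "ios":
        mask = str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False), i + 2


def parse_crypto_acl(line, style):
    """Return (source network, destination network) of a 'permit ip' crypto ACL entry."""
    t = line.split()
    i = t.index("permit") + 2            # skip 'permit ip'
    src, i = _addr(t, i, style)
    dst, _ = _addr(t, i, style)
    return src, dst


def acls_mirror(pix_line, ios_line):
    """Both peers must describe the same traffic with source and destination swapped,
    otherwise the proxy identities offered in IKE phase 2 do not match."""
    ps, pd = parse_crypto_acl(pix_line, "pix")
    rs, rd = parse_crypto_acl(ios_line, "ios")
    return ps == rd and pd == rs


def policies_match(pix_policy, ios_policy):
    """IKE phase 1 succeeds only if a policy pair agrees on all four attributes."""
    return all(pix_policy[k] == ios_policy[k] for k in ("encryption", "hash", "authentication", "group"))


# The lab's own entries (des and md5 are obsolete today; they appear only because the lab uses them)
PIX_ACL = "access-list 101 permit ip 11.0.0.1 255.255.255.255 11.0.0.2 255.255.255.255"
ESPA_ACL = "access-list 101 permit ip 11.0.0.0 0.255.255.255 11.0.0.0 0.255.255.255"
ESPA_ACL_MIRRORED = "access-list 101 permit ip host 11.0.0.2 host 11.0.0.1"   # constructed correction
PIX_POLICY = {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": "2"}
ESPA_POLICY = {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": "2"}


def lab_checks():
    """Results of the two pre-flight checks for the configuration above."""
    return {
        "policies_match": policies_match(PIX_POLICY, ESPA_POLICY),
        "acls_mirror_as_written": acls_mirror(PIX_ACL, ESPA_ACL),
        "acls_mirror_after_fix": acls_mirror(PIX_ACL, ESPA_ACL_MIRRORED),
    }
```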

CA SERVER WITH PIXFIREWALL

[Diagram: PIX Firewall E0 10.0.0.10 connected to the Certificate Authority server (computer) at 10.0.0.1]

REQUIREMENTS:

Windows 98/2000 Operating System
PIX IOS v6.2

PIXFirewall Configuration:

ESPpix(config)# name 10.0.0.1 computer
ESPpix(config)# domain-name cisco.com
ESPpix(config)# ca generate rsa key 1024
ESPpix(config)# ca identity computer 10.0.0.1:/certsrv/mscep/mscep.dll
ESPpix(config)# ca configure computer ra 1 10 crloptional
ESPpix(config)# ca authenticate computer
ESPpix(config)# ca enroll computer esppassword

For the password, open Internet Explorer and go to http://10.0.0.1/certsrv/mscep/mscep.dll; the page returns a challenge password. Supply that password in the ca enroll command.

Verification Commands:

ESPpix(config)# show ca identity
ESPpix(config)# show ca configure
ESPpix(config)# show ca certificate
ESPpix(config)# show ca mypubkey rsa

PASSWORD RECOVERY:

[Diagram: PIX inside interface E1 10.0.0.10 connected to the TFTP server at 10.0.0.1]
PIXFirewall Configuration:

First save the password.

Reboot the PIX and press Ctrl+Break or Esc; the prompt will look like this:

Monitor> interface 1
Monitor> address 10.0.0.10
Monitor> server 10.0.0.1
Monitor> file np61.bin
Monitor> ping 10.0.0.1
Monitor> tftp

After performing its function it will prompt you:

Do you wish to erase the passwords? [yn] y

IOS & PDM UPDATE:

[Diagram: PIX inside interface E1 10.0.0.10 connected to the TFTP server at 10.0.0.1]
PIXFirewall Configuration:

ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# int e1 10baset
ESPpix(config)# copy tftp flash
ESPpix(config)# sh ver

At the CLI you will be prompted for the following parameters:

Address or name of remote host [127.0.0.1]? 10.0.0.1
Source file name [cdisk]? pix622.bin
copying tftp://10.0.0.1/pix622.bin to flash:image
[yes|no|again]? Y

For PDM UPDATE

PIXFirewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# int e1 10baset
ESPpix(config)# copy tftp flash:pdm
ESPpix(config)# sh ver

At the CLI you will be prompted for the following parameters:

Address or name of remote host [127.0.0.1]? 10.0.0.1
Source file name [cdisk]? pdm-211.bin
copying tftp://10.0.0.1/pdm-202.bin to flash:pdm
[yes|no|again]? y
Erasing current PDM file
Writing new PDM file

After updating or changing the PIX IOS you have to reboot the PIX.
After updating or changing the PDM you do not have to reboot the PIX.

OBJECT GROUPING

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server); outside host 20.0.0.4]

REQUIREMENTS:

Windows 98 Operating System
PIX IOS V6.2, 500 Series PIX
IOS file name “pix622.bin”

PIXFirewall Configuration:

Esppix(config)# int e0 10full
Esppix(config)# int e1 10full
Esppix(config)# ip address outside 20.0.0.10 255.0.0.0
Esppix(config)# ip address inside 10.0.0.10 255.0.0.0
Esppix(config)# static (inside,outside) 20.0.0.21 10.0.0.1
Esppix(config)# static (inside,outside) 20.0.0.22 10.0.0.2

ICMP-Type:

Esppix(config)# object-group icmp-type icmpobject
Esppix(config-icmp-type)# icmp-object echo
Esppix(config-icmp-type)# icmp-object echo-reply
Esppix(config-icmp-type)# exit
Esppix(config)# access-list 1 permit icmp any any object-group icmpobject
Esppix(config)# access-group 1 in interface outside

At Machine 10.0.0.1:

Go to the command prompt and type ‘ping 20.0.0.4’; repeat the same procedure at machine 20.0.0.4 and type ‘ping 20.0.0.1’.

Network-Type:

Esppix(config)# object-group network ftpobject
Esppix(config-network)# network-object host 20.0.0.1
Esppix(config-network)# exit

Esppix(config)# access-list 1 permit tcp object-group ftpobject any eq ftp
Esppix(config)# access-group 1 in interface outside

At Machine 20.0.0.4:

Open Internet Explorer and type “ftp://20.0.0.21” in the address bar. The FTP site comes up on the screen, but if you try to access another server, or another service on the same server, you do not have permission.

Protocol-Type:

Esppix(config)# object-group protocol protoobject
Esppix(config-protocol)# protocol-object udp
Esppix(config-protocol)# protocol-object tcp
Esppix(config-protocol)# exit

Esppix(config)# access-list 1 permit object-group protoobject any any
Esppix(config)# access-group 1 in interface outside

At Machine 20.0.0.4:

This object group only allows TCP and UDP traffic from outside users, not other protocols such as ICMP.

Service-Type:

Esppix(config)# object-group service servobject1 tcp
Esppix(config-service)# port-object range 1024 65535
Esppix(config-service)# exit

Esppix(config)# object-group service servobject2 tcp
Esppix(config-service)# port-object eq http
Esppix(config-service)# exit

Esppix(config)# access-list 1 permit tcp any object-group servobject1 any object-group servobject2
Esppix(config)# access-group 1 in interface outside

At Machine 20.0.0.4:

This object group permits outside users to access only the HTTP service, and only when their source port is in the range 1024 to 65535.

Verification Commands:

Esppix(config)# show object-group
Esppix(config)# show access-list
Esppix(config)# show access-group

Esppix(config)# clear access-list
Esppix(config)# clear access-group
Esppix(config)# clear object-group
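Both the ACCESS CONTROL LIST lab and the four object-group labs above reduce to the same first-match evaluation, with each object group expanded into the entry that references it. The evaluator below is an added example, not PIX code: it parses the page's own object-group and access-list lines and checks packets against them with the implicit deny at the end of every list. Loading each object-group lab under its own ACL name (icmp, ftp, proto, svc) is our choice so that each can be checked separately.

```python
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "telnet": 23, "ssh": 22}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8}
IP_PROTOS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}      # None matches every protocol


def _num(s):      # port or ICMP type, numeric or by keyword
    return int(s) if s.isdigit() else PORT_NAMES.get(s, ICMP_TYPES.get(s))


class PixAcl:
    """Parses object-group and access-list lines; evaluates packets first-match."""

    def __init__(self):
        self.groups, self._cur = {}, None   # group name -> (kind, [member tokens]); open group
        self.acls = {}                      # acl name -> [(action, protos, srcs, sports, dsts, dports)]

    def load(self, config):
        for t in (line.split() for line in config.splitlines()):
            if not t:
                continue
            if t[0] == "object-group":            # object-group <kind> <name> [tcp|udp]
                self._cur = t[2]
                self.groups[t[2]] = (t[1], [])
            elif t[0].endswith("-object"):        # icmp-/network-/protocol-/port-object member
                self.groups[self._cur][1].append(t[1:])
            elif t[0] == "access-list":
                self.acls.setdefault(t[1], []).append(self._ace(t[2:]))

    def _ace(self, t):      # tuple elements are evaluated left to right, each consuming t
        return (t.pop(0), self._protos(t), self._addrs(t), self._ports(t),
                self._addrs(t), self._ports(t))

    def _protos(self, t):
        if t[0] == "object-group":
            members = self.groups[t[1]][1]; del t[:2]
            return {IP_PROTOS[m[0]] for m in members}
        return {IP_PROTOS[t.pop(0)]}

    def _addrs(self, t):
        if t[0] == "any":
            t.pop(0); return [ipaddress.ip_network("0.0.0.0/0")]
        if t[0] == "host":
            t.pop(0); return [ipaddress.ip_network(t.pop(0))]
        if t[0] == "object-group":                # network group: 'host X' or 'net mask' members
            members = self.groups[t[1]][1]; del t[:2]
            return [ipaddress.ip_network(m[1] if m[0] == "host" else f"{m[0]}/{m[1]}", strict=False) for m in members]
        ip, mask = t.pop(0), t.pop(0)
        return [ipaddress.ip_network(f"{ip}/{mask}", strict=False)]

    def _ports(self, t):    # optional port or ICMP-type spec as {(lo, hi)}; None means any
        if t and t[0] == "eq":
            v = _num(t[1]); del t[:2]; return {(v, v)}
        if t and t[0] == "range":
            lo, hi = _num(t[1]), _num(t[2]); del t[:3]; return {(lo, hi)}
        if t and t[0] == "object-group" and self.groups[t[1]][0] in ("service", "icmp-type"):
            kind, members = self.groups[t[1]]; del t[:2]
            if kind == "icmp-type":
                return {(_num(m[0]), _num(m[0])) for m in members}
            return {(_num(m[1]), _num(m[1])) if m[0] == "eq" else (_num(m[1]), _num(m[2])) for m in members}
        return None

    def check(self, acl, proto, src, sport, dst, dport):    # first match wins; implicit deny
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, protos, srcs, sports, dsts, dports in self.acls.get(acl, []):
            if None not in protos and IP_PROTOS[proto] not in protos:
                continue
            if not any(s in n for n in srcs) or not any(d in n for n in dsts):
                continue
            if sports and not any(lo <= sport <= hi for lo, hi in sports):
                continue
            if dports and not any(lo <= dport <= hi for lo, hi in dports):
                continue
            return action
        return "deny"


# The page's entries; each object-group lab gets its own ACL name so it can be checked alone.
LAB = PixAcl()
LAB.load("""
access-list esp permit tcp host 10.0.0.1 any eq www
access-list esp deny tcp host 10.0.0.2 any eq www
object-group icmp-type icmpobject
 icmp-object echo
 icmp-object echo-reply
object-group network ftpobject
 network-object host 20.0.0.1
object-group protocol protoobject
 protocol-object udp
 protocol-object tcp
object-group service servobject1 tcp
 port-object range 1024 65535
object-group service servobject2 tcp
 port-object eq http
access-list icmp permit icmp any any object-group icmpobject
access-list ftp permit tcp object-group ftpobject any eq ftp
access-list proto permit object-group protoobject any any
access-list svc permit tcp any object-group servobject1 any object-group servobject2
""")
```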

OBJECT GROUPING ON PDM

[Diagram: PIX inside interface E1 10.0.0.10, outside interface E0 20.0.0.10; inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server); outside host 20.0.0.4]

REQUIREMENTS:

Windows 98 Operating System
PIX IOS V6.2, 500 Series PIX
IOS file name “pix622.bin”

PIXFirewall Configuration:
Esppix(config)# http server enable
Esppix(config)# http 10.0.0.1

Press OK Button
Press Apply to PIX
Press OK Button

Esppix(config)# sh access-list
Esppix(config)# sh access-group
Esppix(config)# sh object-group

At Machine 20.0.0.4:

The user only has permission to access the web server at 20.0.0.21.
