Cisco’s PIX firewall is one of the more common hardware devices used to protect small- to medium-size networks from outside attacks. A correctly configured PIX also helps you maintain some level of control over the resources that internal users can access. In this article, we’ll walk through the steps to get a PIX firewall up and running in a useful configuration. We’ll be using the relatively lightweight PIX 501 for our example setup. The PIX 501 includes a console port, a WAN port, and four 10/100 Ethernet ports; it supports up to 10 internal IP addresses as well as optional DES encryption. We’ll be installing under PIX management software version 6.2(1). Your configuration steps may differ slightly from the ones presented in this article if you’re using a different version of the software.

Getting started

First of all, physically install your PIX where you’ll be able to connect it both to the network and directly to a Windows-based PC via a serial cable. The new PIX operating system includes two methods of management: the command line, or the PIX Device Manager (PDM), a Web-based GUI that can handle almost the entire configuration process. Of course, you’ll have to use the command line to set up an IP address for the PIX before you are actually able to use the PDM.

The default IP address

The PIX 501 assigns an address of to the PIX to be accessed from the internal network. In the likely case that we are willing to accept this default, we could skip the command line setup on this particular unit. We’ll walk through the IP assignment process here to give a more thorough overview of the configuration steps for other PIX models. To begin the configuration process, connect your administrative PC to the PIX via HyperTerminal: simply link the PIX’s console port to the PC with the serial cable. In HyperTerminal, set the baud rate to 9600. Once connected, the PIX asks you to do some basic configuration via a number of prompts at the command line.

The command line setup process

Listing A provides a transcript of our sample setup routine for our PIX 501. The items in bold are our responses to the prompts. We’ve also included a few notes about some of the questions.

Listing A
Pre-configure PIX Firewall now through interactive prompts [yes]? yes

Enable password [<use current password>]: admin123

Note: The password that will be used to make configuration changes to the PIX.
Clock (UTC): Year [2008]: 2008
Month [Aug]: Aug
Day [8]: 7
Time [11:15:30]: 11:15:00

Note: Set the date and time on the PIX.

Inside IP address:

Note: The IP address (on the local network) that will be used on the LAN side of the PIX, as well as the default gateway for the devices on the network.

Inside network mask:

Note: The subnet mask that goes along with your internal IP address.

Host name: Mypix

Note: Assigns a name to your firewall. You’ll see this name every time you use the command line.

Domain name:

Note: This is your domain name. Configuring this will expedite the routing of internal packets.

IP address of host running PIX Device Manager:

Note: Restricts which devices are allowed to configure the PIX via the GUI.

The following configuration will be used:
Enable password: admin123
Clock (UTC): 11:15:00 Aug 7 2008
Inside IP address:
Inside network mask:
Host name: Mypix
Domain name:
IP address of host running PIX Device Manager:
Use this configuration and write to flash? yes
Building configuration...
Cryptochecksum: 988d9391 701b1c05 1175826a 1278dea5
[OK]

End of Listing A

Getting current

If you have a new PIX, you should check the version of the management software installed on it using the version command at the command prompt. To do an upgrade, you’ll need to download the newest images from the Cisco support Web site. You’ll need a support contract on your firewall to successfully download the upgrade. Support contracts are always recommended on single points of failure in a network; the contracts aren’t terribly expensive considering how much they can end up saving you. If you do not have a support contract, you’ll have to register your product and purchase a contract on the Customer Registration page. As of this writing, the most current PIX software image available is 6.2.1 / 6.3.x (login required) and the PIX Device Manager is in version 2.0.1 / PDM v3.0(2) (login required). Going to the new PDM is critical if you want to use VPNs, because version 1.x does not support their configuration. The files are named pix621.bin and pdm-201.bin, respectively.

The PIX software

Installing the newest version of the PIX software is as easy as following these steps:

1. Save the PIX files into a directory accessible by your TFTP server. If you need a TFTP server, Cisco provides one for free.
2. Connect via HyperTerminal to make sure the serial link is still working.
3. Reboot the PIX by either power cycling it or issuing a reboot command at the command line.
4. When a message appears indicating that the configuration is about to load from flash, press [Esc] to put the PIX into monitor mode.
5. Provide the PIX with some information about its addressing and where it can find your TFTP server, as well as the name of the binary to install. We entered the information in Table A for our setup.

Table A

Command   Value        Purpose
address                Internal address of the PIX.
server                 IP address of my TFTP server.
file      pix621.bin   Name of the file to download.
tftp                   Starts the TFTP transfer of the new image.

When the install routine is complete, elect to save this image to flash. The unit will reboot with the new PIX software loaded.

Updating the PDM software

My PIX 501 came with version 1.x of the PDM, which is out-of-date. To upgrade it, I used the copy tftp:// flash:pdm command at the PIX prompt to update the GUI tool.

Move to the GUI

Once you’ve completed the basic configuration, you’ll be able to use the PDM to complete the installation. From the workstation with the IP address that you provided in the command-line configuration, you can browse to your PIX using HTTPS.
For my installation, I will browse to The PDM works with any browser that supports Java and JavaScript, but Internet Explorer 5.0 or higher is recommended. You’ll be asked to provide a username and password to access the PDM. The PIX PDM does not use a username, but it does use the password field, which needs to match the enable password that we configured during the command-line setup. For our configuration, this password is “admin”. The PDM will ask you whether or not you want to install the PDM software. Choosing either Grant Always or Grant This Session will allow the connection either every time or just this once, respectively. The other option is to deny the session by clicking Deny. We’ll choose the Grant Always option. Next, the PDM informs us that since this is the first time the PDM has been used, it must do a one-time configuration. We’ll allow this by choosing the Proceed button. The PDM then loads the configuration from your PIX and populates the various GUI screens with that information. The final result is the opening screen for the PDM, shown in Figure A.

Figure A

The PDM provides a number of configuration screens.

The tabs

Each of the PDM’s tabs represents a different service.

· Access Rules: Shows your network access policy listed as rules. If you have used Checkpoint’s policy editor software, the look and feel of this tab will be somewhat familiar.
· Translation Rules: Shows your NAT and PAT (port address translation) rules.
· VPN: Lets you set up your VPN configuration.
· Hosts/Networks: Lets you edit the list of hosts and networks defined for a selected interface. Access rules reference these hosts and networks.
· System Properties: Lets you make changes to the configuration of network interfaces.
· Monitoring: Lets you watch various aspects of the system.

Basic configuration

The PIX needs to have certain parameters supplied to it before it can begin its work. While some of these parameters, such as the internal IP address, were defined during the initial command line configuration, the PIX still needs some vital information, such as the outside interface IP address and access rules.

Setting up the outside interface

On our PIX 501, the inside interface is set to and the outside interface is configured to obtain an IP address from my ISP’s DHCP server. If you want to assign a static IP address to this interface, you can do this from the PDM’s System Properties tab, as shown in Figure B.

Figure B

You can configure the interface from the System Properties tab.

As you can see in the Interfaces table shown in Figure B, we have two interfaces on our PIX 501: inside and outside. These interface names were assigned during the initial system configuration; the inside interface name can be changed to anything you want. To change the IP address of an interface, select the interface entry in the list and then click the Edit button at the bottom of the screen to open the Edit Interface screen shown in Figure C. We’ve set the IP address of the WAN interface to and retained the name “outside.”

Figure C

Making addressing changes is easy with the PDM.

We click OK and return to the main PDM window, where the now-active Apply To PIX button lets us save our changes in this session. To make our changes permanent, we’ll need to save them to flash on the PIX. As shown in Figure D, the PDM lets you know when a flash save is needed; simply clicking the message will write the new configuration to the PIX. Once you save to flash, the message goes away.

Figure D

The PDM lets you know when you need to save to flash.

Access rules

Access rules form the basis of the PIX’s security policies and need to be carefully administered. Many organizations have access rules that allow certain traffic, such as SMTP, to traverse the firewall from the outside, or they block the use of a specific service, such as IM, from inside the firewall. Let’s suppose you want to block access to a specific Web site, such as First, you need to look up the IP address for, which happens to be On the PDM’s Access Rules tab, right-click anywhere and choose Add from the shortcut menu. In Figure E, I have configured the PIX to deny all traffic from the inside interface to the IP address on the outside.

Figure E

Blocking access to a Web site is a snap with the PDM.

When I click OK, I get a message indicating that the host does not exist on the outside network, and the PDM offers to let me set it up, as you can see in Figure F.

Figure F

The PDM helps you set up a new external host.

To check this operation, I can click on Outside Interface in the Hosts/Network tab and see (Figure G) that the White House has been added as a host.

Figure G

is now on the hosts list.
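For readers who prefer the command line, the following is an added example (not from the article) of the PIX 6.2 CLI equivalent of the interactive setup in Listing A, the PDM access restriction, the outside-interface change and the deny rule built through the PDM above. Every IP address, the domain name and the access-list name are assumed placeholders, and outbound NAT/PAT is assumed to be already present as on a factory-default PIX 501.

```cisco
! Added example; all addresses are constructed placeholders from the RFC 5737
! documentation ranges, not values from the article.
enable password admin123
hostname Mypix
domain-name example.com
! Inside interface: the LAN address that doubles as the default gateway for
! internal hosts (Listing A).
ip address inside 192.0.2.1 255.255.255.0
! Outside interface: obtain an address and default route from the ISP's DHCP
! server, as on the article's 501 ...
ip address outside dhcp setroute
! ... or, as done through the PDM in Figure C, assign a static address and a
! default route instead (uncomment these two lines and remove the dhcp line):
! ip address outside 203.0.113.10 255.255.255.0
! route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Enable the HTTPS server used by the PDM and allow it only from the single
! administrative workstation named during setup, not from the whole LAN.
http server enable
http 192.0.2.50 255.255.255.255 inside
! Deny inside hosts access to one external address (Figure E). An interface ACL
! ends with an implicit deny, so the explicit permit is required or every other
! outbound connection through the inside interface stops as well.
access-list inside_access_in deny ip any host 203.0.113.80
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
! Changes live in running memory until written to flash (the Figure D reminder).
write memory
```

Verify the rule with show access-list, which also shows per-line hit counts, before trusting that the block is in effect.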

Compatibility and responsibility

Remember to administer your PIX responsibly by saving your configuration every so often and keeping a hard copy. Otherwise, a very simple mistake can leave you rebuilding a PIX configuration from scratch in the middle of a frantic day.
