
PIX LAB - 1 (Basic Firewall Configuration)

(Name the interfaces, set their security levels and assign IP addresses. nameif comes first, because ip address refers to the interface by the name nameif gives it.)
PIX(config)# interface ethernet0 auto
PIX(config)# interface ethernet1 auto
PIX(config)# nameif ethernet0 outside security50
PIX(config)# nameif ethernet1 inside security90
PIX(config)# ip address outside 10.1.1.1 255.0.0.0
PIX(config)# ip address inside 192.168.0.254 255.255.255.0

LAB - 2 (Manage inside to outside and outside to inside access on the firewall)

(Telnet, FTP and HTTP from inside to outside without translation)
PIX(config)# nat (inside) 0 0 0

(Telnet, FTP and HTTP from inside to outside with translation)
PIX(config)# nat (inside) 1 192.168.0.0 255.255.255.0
PIX(config)# global (outside) 1 16.1.1.1-16.1.1.10

(Ping from inside to the outside router fails because the outside router's routing table has no route back to the translated 16.x addresses. Add a static route on the outside router:)
Outside(config)# ip route 16.0.0.0 255.0.0.0 10.1.1.1

LAB - 3 (Outside to inside Access)


PIX(config)# static (inside,outside) 16.1.1.1 192.168.0.253 netmask 255.255.255.255
PIX(config)# conduit permit ip any any
(conduit permit ip any any opens every port of every translated inside host to the outside; it is acceptable only in this lab)
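Added example (not part of the original lab notes): the same inbound translation as LAB - 3, but with the wide-open conduit replaced by an interface access list that exposes only the two services the later labs run on 192.168.0.253, followed by the checks that confirm the new policy is in effect. The access-list name outside_in is an arbitrary choice, and the assumption that 192.168.0.253 serves Telnet and HTTP comes from LAB - 6 and LAB - 12, not from LAB - 3 itself.

```cisco
! Added example, not from the original lab: hardened form of LAB - 3.
! Assumptions: the access-list name "outside_in" is arbitrary;
! 192.168.0.253 is the inside host that serves Telnet and HTTP.
PIX(config)# static (inside,outside) 16.1.1.1 192.168.0.253 netmask 255.255.255.255
! Remove the conduit explicitly rather than relying on access-group precedence over conduits
PIX(config)# no conduit permit ip any any
! Inbound policy: only Telnet and HTTP to the published address;
! everything else is dropped by the implicit deny at the end of the list
PIX(config)# access-list outside_in permit tcp any host 16.1.1.1 eq 23
PIX(config)# access-list outside_in permit tcp any host 16.1.1.1 eq 80
PIX(config)# access-group outside_in in interface outside
! Translation slots built under the old rule survive until cleared
PIX(config)# clear xlate
! Verification: per-line hit counts, and the translation for the published server
PIX(config)# show access-list outside_in
PIX(config)# show xlate
```

The hit counts on show access-list are the quickest way to see which line a failing connection is matching; a Telnet attempt to any port other than 23 or 80 should show no new hits and be logged as denied.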

LAB - 4 (Port Address Translation)


PIX(config)# nat (inside) 1 192.168.0.0 255.255.255.0
PIX(config)# global (outside) 1 16.1.1.1
(A single global address gives PAT: all inside hosts share 16.1.1.1 and are told apart by source port.)

LAB - 5 (Policy NAT)


(Each access list selects the traffic to a given outside server and port; the matching nat ID picks the global address used for it.)
PIX(config)# access-list 101 permit tcp any host 10.1.1.2 eq 23
PIX(config)# access-list 102 permit tcp any host 10.1.1.2 eq 80
PIX(config)# access-list 103 permit tcp any host 10.1.1.2 eq 21
PIX(config)# nat (inside) 1 access-list 101
PIX(config)# nat (inside) 2 access-list 102
PIX(config)# nat (inside) 3 access-list 103
PIX(config)# global (outside) 1 16.1.1.1
PIX(config)# global (outside) 2 17.1.1.1
PIX(config)# global (outside) 3 18.1.1.1

LAB - 6 (Port Redirection)


(The inside Telnet server listens on 2323; outside clients connect to 16.1.1.1 port 23 and the PIX redirects to 2323.)
PIX(config)# static (inside,outside) tcp 16.1.1.1 23 192.168.0.253 2323 netmask 255.255.255.255
PIX(config)# access-list 101 permit tcp any host 16.1.1.1 eq 23
PIX(config)# access-group 101 in interface outside

LAB - 7 (NTP Server)

(The router is the authenticated NTP master; the PIX synchronises to it. clock set is an exec command on the router.)
Router# clock set 09:00:00 12 mar 2006
Router(config)# ntp master
Router(config)# ntp authenticate
Router(config)# ntp authentication-key 1234 md5 cisco
Router(config)# ntp trusted-key 1234
PIX(config)# ntp authentication-key 1234 md5 cisco
PIX(config)# ntp authenticate
PIX(config)# ntp trusted-key 1234
PIX(config)# ntp server 192.168.0.10 key 1234 source inside prefer
(The key keyword is required once ntp authenticate is on; without it the PIX ignores the unauthenticated replies and never synchronises.)
PIX(config)# show ntp status
PIX(config)# show ntp associations

LAB - 8 (PIX as DHCP Server)

PIX(config)# dhcpd address 192.168.0.10-192.168.0.50 inside
PIX(config)# dhcpd enable inside
(To obtain an address from the DHCP server on a Windows client, at the command prompt:)
C:\> ipconfig /release
C:\> ipconfig /renew

LAB - 9 (Syslog Server)

PIX(config)# logging on
PIX(config)# logging host inside 192.168.0.253
PIX(config)# logging trap 7
(Level 7 forwards debugging-level messages and is very verbose; it is fine for the lab, but a lower level is normal in production.)

LAB - 10 ( IDS on PIX Firewall )


PIX(config)# logging on
PIX(config)# logging host inside 192.168.0.253
PIX(config)# logging trap 7
PIX(config)# ip audit name cisco attack action alarm
PIX(config)# ip audit interface inside cisco
(To verify, from an inside Windows PC send oversized pings at the PIX: ping 192.168.0.254 -t -l 5000. The PIX reports the "Large ICMP Packet" signature to the syslog server.)

LAB - 11 (Object Group ACL)

PIX(config)# object-group network corvit
PIX(config-network)# network-object host 192.168.0.253
PIX(config-network)# network-object host 192.168.0.252
PIX(config-network)# network-object host 192.168.0.251
PIX(config)# object-group network cisco
PIX(config-network)# network-object host 10.1.1.2
PIX(config-network)# network-object host 10.1.1.3
PIX(config-network)# network-object host 10.1.1.4
PIX(config)# object-group service irfan tcp
PIX(config-service)# port-object eq 23
PIX(config-service)# port-object eq 21
PIX(config-service)# port-object eq 80
(One line using the three groups replaces 27 individual host/host/port entries; here it selects the traffic for policy NAT.)
PIX(config)# access-list 101 permit tcp object-group corvit object-group cisco object-group irfan
PIX(config)# nat (inside) 1 access-list 101
PIX(config)# global (outside) 1 16.1.1.1-16.1.1.10

LAB - 12 (Authentication, Authorization and Accounting from ACS Server)

(Authentication of outside clients while accessing the inside LAN)
PIX(config)# static (inside,outside) 16.1.1.1 192.168.0.253 netmask 255.255.255.255
PIX(config)# access-list 101 permit tcp any host 16.1.1.1 eq 23
PIX(config)# access-list 101 permit tcp any host 16.1.1.1 eq 80
PIX(config)# access-group 101 in interface outside
PIX(config)# aaa-server corvit protocol tacacs+
PIX(config)# aaa-server corvit (inside) host 192.168.0.253 cisco
PIX(config)# aaa authentication include telnet outside 192.168.0.253 255.255.255.255 corvit
PIX(config)# aaa authentication include http outside 192.168.0.253 255.255.255.255 corvit
PIX(config)# aaa authorization include telnet outside 192.168.0.253 255.255.255.255 corvit
PIX(config)# aaa authorization include http outside 192.168.0.253 255.255.255.255 corvit
PIX(config)# aaa accounting include telnet outside 192.168.0.253 255.255.255.255 corvit
PIX(config)# aaa accounting include http outside 192.168.0.253 255.255.255.255 corvit
(On the ACS create user1 allowed for Telnet only and user2 allowed for HTTP only; the authorization rules then decide per user which service goes through. "cisco" is the shared TACACS+ key and must match the one configured on the ACS.)

LAB - 13 (Local Authentication & Authorization on PIX)

(Create user1 with privilege level 15 and user2 with privilege level 10 on the PIX, then restrict which commands level 10 may run.)
PIX(config)# username user1 password cisco privilege 15
PIX(config)# username user2 password corvit privilege 10
PIX(config)# aaa authentication enable console LOCAL
PIX(config)# aaa authorization command LOCAL
PIX(config)# privilege show level 10 command access-list
PIX(config)# privilege configure level 10 mode enable command configure
PIX(config)# privilege configure level 10 mode configure command access-list
PIX(config)# privilege configure level 10 command nat
(user2 can now enter configuration mode and work with access-list and nat, but nothing else at level 10.)

LAB - 14 (Site to Site VPN)

PIX
PIX(config)# interface ethernet0 auto
PIX(config)# interface ethernet1 auto
PIX(config)# ip address inside 192.168.0.254 255.255.255.0
PIX(config)# ip address outside 10.1.1.1 255.0.0.0
PIX(config)# isakmp enable outside
PIX(config)# isakmp policy 10 authentication pre-share
PIX(config)# isakmp policy 10 hash md5
PIX(config)# isakmp policy 10 encryption des
PIX(config)# isakmp policy 10 group 2
PIX(config)# isakmp key cisco address 10.1.1.2
PIX(config)# access-list 101 permit ip host 192.168.0.253 host 11.1.1.2
PIX(config)# crypto ipsec transform-set tset esp-des
PIX(config)# crypto map smap 10 ipsec-isakmp
PIX(config)# crypto map smap 10 match address 101
PIX(config)# crypto map smap 10 set peer 10.1.1.2
PIX(config)# crypto map smap 10 set transform-set tset
PIX(config)# crypto map smap interface outside
PIX(config)# nat (inside) 0 access-list 101
PIX(config)# sysopt connection permit-ipsec
PIX(config)# route outside 11.0.0.0 255.0.0.0 10.1.1.2
(DES, MD5 and a transform set with no ESP authentication are lab settings only: esp-des alone encrypts but does not integrity-protect the tunnel traffic.)

Router
Router(config)# crypto isakmp policy 10
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# hash md5
Router(config-isakmp)# group 2
Router(config-isakmp)# encryption des
Router(config)# crypto isakmp key cisco address 10.1.1.1
Router(config)# access-list 101 permit ip host 11.1.1.2 host 192.168.0.253
Router(config)# crypto ipsec transform-set tset esp-des
Router(config)# crypto map smap 10 ipsec-isakmp
Router(config-crypto-map)# set transform-set tset
Router(config-crypto-map)# set peer 10.1.1.1
Router(config-crypto-map)# match address 101
Router(config)# ip route 192.168.0.0 255.255.255.0 10.1.1.1
Router(config)# interface ethernet0
Router(config-if)# crypto map smap
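Added example (not part of the original lab notes): LAB - 14 rebuilt with the weak settings replaced. The lab's ISAKMP policy uses DES and MD5, its transform set esp-des carries no HMAC, so the tunnel has confidentiality but no integrity check, and the pre-shared key is the word "cisco". This version uses 3DES and SHA-1 in both phases, an explicit netmask on the key binding, and ends with the show commands that confirm both security associations. It assumes the same addressing as LAB - 14; the key value is a placeholder, not a real secret.

```cisco
! Added example, not from the original lab: LAB - 14 with the weak ciphers replaced.
! Assumptions: same topology (PIX outside 10.1.1.1, router 10.1.1.2,
! protected hosts 192.168.0.253 and 11.1.1.2); <long-random-key> is a placeholder
! to be replaced by a long random secret on both peers.
PIX(config)# isakmp enable outside
PIX(config)# isakmp policy 10 authentication pre-share
PIX(config)# isakmp policy 10 encryption 3des
PIX(config)# isakmp policy 10 hash sha
PIX(config)# isakmp policy 10 group 2
PIX(config)# isakmp policy 10 lifetime 86400
! Bind the key to exactly one peer address
PIX(config)# isakmp key <long-random-key> address 10.1.1.2 netmask 255.255.255.255
PIX(config)# access-list 101 permit ip host 192.168.0.253 host 11.1.1.2
! esp-des alone has no integrity check; pair the cipher with an HMAC
PIX(config)# crypto ipsec transform-set tset esp-3des esp-sha-hmac
PIX(config)# crypto map smap 10 ipsec-isakmp
PIX(config)# crypto map smap 10 match address 101
PIX(config)# crypto map smap 10 set peer 10.1.1.2
PIX(config)# crypto map smap 10 set transform-set tset
PIX(config)# crypto map smap interface outside
PIX(config)# nat (inside) 0 access-list 101
PIX(config)# sysopt connection permit-ipsec
PIX(config)# route outside 11.0.0.0 255.0.0.0 10.1.1.2
! Router side: phase 1 and phase 2 parameters must match the PIX exactly,
! otherwise negotiation fails with no proposal chosen
Router(config)# crypto isakmp policy 10
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# hash sha
Router(config-isakmp)# group 2
Router(config)# crypto isakmp key <long-random-key> address 10.1.1.1
Router(config)# crypto ipsec transform-set tset esp-3des esp-sha-hmac
! Verification after sending traffic between the two hosts:
! phase 1 SA should be QM_IDLE, phase 2 packet counters should climb
PIX(config)# show crypto isakmp sa
PIX(config)# show crypto ipsec sa
```

The rest of the router configuration (access list, crypto map, static route, binding the map to the interface) is unchanged from LAB - 14. If show crypto isakmp sa shows the SA stuck in MM_NO_STATE, the phase 1 parameters or the key differ between the peers; if phase 1 completes but show crypto ipsec sa shows no packets, the transform sets or the mirrored access lists do not match.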

LAB - 15 (Remote VPN)

PIX(config)# interface ethernet0 auto
PIX(config)# interface ethernet1 auto
PIX(config)# ip address inside 192.168.0.254 255.255.255.0
PIX(config)# ip address outside 10.1.1.1 255.0.0.0
PIX(config)# isakmp enable outside
PIX(config)# isakmp policy 10 authentication pre-share
PIX(config)# isakmp policy 10 hash md5
PIX(config)# isakmp policy 10 encryption des
PIX(config)# isakmp policy 10 group 2
PIX(config)# isakmp key cisco address 0.0.0.0 netmask 0.0.0.0
(With the key bound to 0.0.0.0 any peer that knows the group password can start a tunnel; outside the lab, pair it with per-user authentication.)
PIX(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac
PIX(config)# crypto dynamic-map dmap 5 set transform-set tset
PIX(config)# crypto map smap 10 ipsec-isakmp dynamic dmap
PIX(config)# crypto map smap interface outside
PIX(config)# sysopt connection permit-ipsec
PIX(config)# vpngroup corvit password cisco
PIX(config)# ip local pool pool1 11.1.1.1-11.1.1.10
PIX(config)# vpngroup corvit address-pool pool1
PIX(config)# crypto map smap client configuration address respond
PIX(config)# route outside 11.0.0.0 255.0.0.0 10.1.1.1
PIX(config)# static (inside,outside) 192.168.0.253 192.168.0.253 netmask 255.255.255.255
(For nat 0 the access list is written from the inside host towards the client pool, so that traffic to VPN clients is not translated.)
PIX(config)# access-list 101 permit ip host 192.168.0.253 11.1.1.0 255.255.255.0
PIX(config)# nat (inside) 0 access-list 101

LAB - 16 (LAN to LAN VPN with CA)

(Certificates are only valid within their validity period, so the clock must be right before enrolling. The names make the SCEP URL and peers resolvable.)
PIX(config)# clock set 11:10:00 april 11 2006
PIX(config)# clock timezone GMT 0
PIX(config)# domain-name cisco.com
PIX(config)# names
PIX(config)# name 10.1.1.1 pix.cisco.com
PIX(config)# name 10.1.1.2 a.cisco.com
PIX(config)# name 10.1.1.5 ca.cisco.com
PIX(config)# ping a.cisco.com
PIX(config)# ping ca.cisco.com
PIX(config)# ca generate rsa key 512
(512-bit RSA is the lab minimum; use at least 1024 bits anywhere else.)
PIX(config)# ca identity test1 10.1.1.5:/certsrv/mscep/mscep.dll
PIX(config)# ca configure test1 ra 2 2 crloptional
PIX(config)# ca authenticate test1
PIX(config)# ca enroll test1 (paste the SCEP challenge password here)

Router# clock set 11:10:00 april 11 2006
Router(config)# clock timezone GMT 0
Router(config)# ip domain-lookup
Router(config)# ip domain-name cisco.com
Router(config)# ip name-server 10.1.1.5
Router(config)# crypto key generate rsa
Router(config)# crypto ca identity test1
Router(ca-identity)# crl optional
Router(ca-identity)# enrollment mode ra
Router(ca-identity)# enrollment url http://10.1.1.5/certsrv/mscep/mscep.dll
Router(config)# crypto ca authenticate test1
Router(config)# crypto ca enroll test1
Password: (paste the SCEP challenge password here)