For review only. Please do not distribute

DRAFT May 2003. All rights reserved.
© 2003, Cisco Systems, Inc. All rights reserved.

FNS 1.0—8-1

Module 8
PIX Firewall


Learning Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Identify and describe the PIX Firewall models, features, controls, connectors, and interfaces.
• Describe the key features of the Firewall Services Module for the Cisco Catalyst 6500 Switch and the Cisco 7600 Series Internet Router.
• Explain the PIX Firewall licensing options.
• Describe the PIX Firewall access modes.
• Navigate the PIX Firewall’s user interface and examine the PIX Firewall’s status.
• Describe the ASA security levels.

Learning Objectives (cont)
Upon completion of this chapter, you will be able to perform the following tasks:
• Describe and execute the basic configuration commands.
• Configure the PIX Firewall as a DHCP client.
• Describe the PIX Firewall’s DHCP server feature.
• Explain the routing functionality of the PIX Firewall.
• Configure the PIX Firewall to work with RIP.
• Configure the PIX Firewall to forward multicast traffic.

Overview

This module first introduces the concept of the network firewall and then the Cisco PIX Firewall, with an overview of the PIX Firewall models, their features, and their capabilities. The student will learn the six basic commands needed to configure the PIX Firewall, as well as its routing, multicast, and DHCP capabilities.


Key terms
• Perimeter
• Trusted
• Untrusted
• DMZ
• Stateful Packet Filtering
• Proxy Server
• Common Criteria
• FIPS
• ASA
• Finesse
• Failover
• SMR


Intro to Firewalls


Definition of a Firewall

A firewall provides a single point of defense between networks, protecting one network from the other. It is a system or group of systems that enforces an access control policy between two or more networks.

Firewall Technologies
Firewall operations are based on one of three technologies:
• Packet filtering
– Limits information into a network based on the destination and source address (and, in most implementations, the protocol and port numbers) of each packet, considered on its own, without regard to any earlier packet.
• Proxy server
– Terminates the client’s connection on the inside of the firewall and opens a separate connection to the Internet host on the client’s behalf, so no packet passes directly between the two networks.
• Stateful packet filtering
– Limits information into a network based not only on the destination and source address, but also on the state of the connection the packet belongs to: the firewall records each outbound session and admits inbound packets only when they match a recorded session.


Cisco Firewall Lineup

Dedicated Firewall Appliance

Integrated Router Firewall

Integrated Switch Firewall

Security Certifications and Evaluations


Evaluation Assurance Levels (EAL)
• EAL1: minimal level of independently assured security
• EAL2: low to moderate level of independently assured security
• EAL3: moderate level of independently assured security
• EAL4: moderate to high level of independently assured security
• EAL5-7: specific requirements, yet to be implemented; needed only in the most restrictive government environments

FIPS 140 Security Levels
• Level 1: Lowest level of security; basic requirements are specified for a cryptographic module.
• Level 2: Level 1 plus tamper-evident coatings or seals, or locks on removable covers or doors.
• Level 3: Level 2 plus detecting and responding to attempts at physical access, use, or modification of the cryptographic module.
• Level 4: Highest level of security; useful for operation in physically unprotected environments.

The Cisco PIX Firewall


PIX Firewall—What Is it?
The PIX Firewall, now called the PIX Security Appliance, is a stateful firewall with high security and fast performance. The following are its characteristics:
• Secure, real-time, embedded operating system (Finesse): a purpose-built image rather than a general-purpose UNIX or NT host, so it does not inherit the security holes of those platforms.
• ASA (Adaptive Security Algorithm) provides stateful security.
• Cut-through proxy eliminates application-layer bottlenecks: the user is authenticated once at the application layer, after which the session is switched at the packet level.

PIX Security Appliance—What Can it do?
• Traffic inspection
– Layer 3 packet filtering: ACLs and Turbo ACLs; object grouping
– Layer 4 stateful inspection
• NAT and PAT
– Static and dynamic
– Inside and outside
• VPN
– Site-to-site and remote access
– Pre-shared keys and CA support
• Filtering
– ActiveX, Java, and URL
• AAA
– TACACS+ and RADIUS
– Auth-proxy and PPPoE
• SNMP
• Routing
– Static and dynamic
– Passive RIP and OSPF
– Multicast
• DHCP
– Client and server
– Relay support
• Failover
– Serial or LAN based
– Stateless or stateful
• IDS and attack guards
– TCP reset and shunning
• Logging
– Local, console, and syslog
• Multimedia support
– IP telephony and H.323

Finesse Operating System and ASA
• Finesse OS eliminates the risks associated with general-purpose operating systems.
• ASA provides “stateful” connection security:
– It tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags.
– It randomizes initial TCP sequence numbers.
• By default, ASA allows connections originating from hosts on inside (higher security level) interfaces.
• By default, ASA drops connection attempts originating from hosts on outside (lower security level) interfaces.
• ASA supports authentication, authorization, and accounting.

Functions of the ASA
• Implements stateful connection control through the PIX Firewall.
• Allows outbound connections without an explicit configuration for each internal system and application (an outbound connection is a connection originating from a host on a more protected network and destined for a host on a less-protected network).
• Monitors return packets to ensure that they are valid.
• Randomizes the TCP sequence number to minimize the risk of attack.
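The following is an added example, not part of the Cisco course material, that models the ASA behaviour listed above in a few lines of Python: the default higher-to-lower policy, the state table that lets return packets in, and sequence-number randomization. The interface names and security levels are assumptions chosen to match the course diagrams, and address translation is deliberately left out so the policy logic stays visible.

```python
"""Added example (not from the Cisco course): a toy model of the ASA
default policy and stateful connection table described above.
The interface names and security levels are assumptions for illustration,
and address translation is deliberately left out."""
import random
from dataclasses import dataclass, field

# Assumed interface security levels: 0 = outside, 100 = inside
SECURITY_LEVELS = {"outside": 0, "dmz": 50, "inside": 100}


@dataclass(frozen=True)
class Packet:
    in_if: str          # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the first packet of a TCP connection


@dataclass
class Connection:
    src: str
    sport: int
    dst: str
    dport: int
    isn_offset: int     # random offset ASA adds to the inside host's sequence numbers


@dataclass
class Asa:
    table: dict = field(default_factory=dict)   # (src, sport, dst, dport) -> Connection

    def allowed_by_default(self, in_if: str, out_if: str) -> bool:
        """ASA default policy: connections may originate only from a higher
        security level toward a lower one; lower-to-higher attempts are dropped."""
        return SECURITY_LEVELS[in_if] > SECURITY_LEVELS[out_if]

    def process(self, pkt: Packet, out_if: str) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.table:
            # Return packet: valid only because it matches a recorded session
            return "forward (return packet matches state table)"
        if fwd in self.table:
            return "forward (existing connection)"
        if pkt.syn and self.allowed_by_default(pkt.in_if, out_if):
            # New outbound connection: record state and pick a random ISN offset
            self.table[fwd] = Connection(*fwd, isn_offset=random.getrandbits(32))
            return "forward (new outbound connection, state created)"
        return "drop"

    @staticmethod
    def rewrite_seq(conn: Connection, seq: int, outbound: bool) -> int:
        """Sequence-number randomization: outbound packets get the offset added,
        returning acknowledgement numbers get it removed, so the inside host's
        real ISN never appears on the lower-security side."""
        delta = conn.isn_offset if outbound else -conn.isn_offset
        return (seq + delta) % 2**32


if __name__ == "__main__":
    asa = Asa()
    print(asa.process(Packet("outside", "203.0.113.5", 4000, "10.0.0.11", 80, syn=True), "inside"))
    print(asa.process(Packet("inside", "10.0.0.11", 1025, "203.0.113.5", 80, syn=True), "outside"))
    print(asa.process(Packet("outside", "203.0.113.5", 80, "10.0.0.11", 1025), "inside"))
```

Run it and the first inbound SYN is dropped, the outbound SYN creates state, and only the reply that matches that state is forwarded; an inbound packet from the same host on a different port still fails, which is the "monitors return packets to ensure that they are valid" point in practice.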


ASA Security Level Example

Cut-Through Proxy Operation

Failover

Network Address Translation (NAT)

Besides stateful inspection, NAT is one of the primary PIX Firewall functions.

PIX Firewall Family

Summary Specifications

PIX Firewall version 6.3 and the VAC+ (VPN Accelerator Card+) provide much improved performance over version 6.2.

PIX Firewall 501
• Designed for small offices and teleworkers
• 3,500 simultaneous connections
• 60 Mbps cleartext throughput
• 133 MHz processor
• 16 MB of SDRAM
• Supports one 10BaseT interface (outside) and a 4-port 10/100 switch (inside)
• 3 Mbps 3DES throughput
• 5 simultaneous VPN peers

PIX Firewall 501 Front Panel LEDs
LEDs: Power, Link/Act, VPN tunnel, 100 Mbps

PIX Firewall 501 Back Panel
Connectors: 4-port 10/100 switch (RJ-45), console port (RJ-45), security lock slot, 10BaseT (RJ-45), power connector

PIX Firewall 506E
• Designed for small and remote offices
• 10,000 simultaneous connections
• 20 Mbps cleartext throughput
• 300-MHz Intel Celeron processor
• 32 MB RAM
• Supports two interfaces (10BaseT)
• 16 Mbps 3DES throughput
• 25 simultaneous VPN peers

PIX Firewall 506E Front Panel LEDs
LEDs: Power, Network, Active

PIX Firewall 506E Back Panel
Connectors and LEDs: two 10BaseT (RJ-45) ports, each with ACT(ivity) and LINK LEDs; power switch; USB port; console port (RJ-45)

PIX Firewall 515E
• Designed for small to medium businesses
• 128,000 simultaneous connections
• 188 Mbps cleartext throughput
• 433-MHz Intel Celeron processor
• 64 MB RAM
• Supports six interfaces
• Supports failover
• 63 Mbps 3DES throughput
• 2,000 IPSec tunnels

PIX Firewall 515E Front Panel LEDs
LEDs: Power, Network, Active (lit on the active failover firewall)

PIX Firewall 515E Back Panel
Connectors and LEDs: 10/100BaseTX Ethernet 0 and Ethernet 1 (RJ-45), each with 100 Mbps, FDX, and LINK LEDs; failover connector; console port (RJ-45); power switch

PIX Firewall 515E Quad Card
Using the quad card requires the PIX Firewall 515E-UR (Unrestricted) license.

PIX Firewall 515E Two Single-Port Connectors
Using two single-port connectors requires the PIX Firewall 515E-UR (Unrestricted) license.

PIX Firewall 525
• Designed for enterprise
• 280,000 simultaneous connections
• 360 Mbps cleartext throughput
• 600-MHz Intel Pentium III processor
• 256 MB RAM
• Supports eight interfaces
• Supports failover
• 70 Mbps 3DES throughput
• 2,000 IPSec tunnels

PIX Firewall 525 Front Panel LEDs
LEDs: Power, Active

PIX Firewall 525 Back Panel
Connectors and LEDs: 10/100BaseTX Ethernet 0 and Ethernet 1 (RJ-45), each with ACT(ivity), 100 Mbps, and LINK LEDs; failover connection; USB port; console port (RJ-45)

PIX Firewall 535
• Designed for enterprise and service providers
• 500,000 simultaneous connections
• 1.7 Gbps cleartext throughput
• 1 GHz Intel Pentium III processor
• 1 GB RAM
• Maximum of 10 interfaces
• Supports failover
• 96 Mbps 3DES throughput
• 2,000 IPSec tunnels

PIX Firewall 535 Front Panel LEDs
LEDs: Power, ACT

PIX Firewall 535—Board Install
Connectors: DB-15 failover, USB port, console (RJ-45)
Card slots 0 through 8 on three PCI buses: Bus 0 and Bus 1 (64-bit/66 MHz) carry slots 0-1 and 2-3; Bus 2 (32-bit/33 MHz) carries slots 4-8
Supported cards: 1FE, 4FE, VAC, 1GE-66

PIX Firewall 535 Back Panel
Connectors: DB-15 failover, USB port, console (RJ-45); card slots 0 through 8

FWSM
• Designed for high-end enterprise and service providers
• Runs in Catalyst 6500 switches and 7600 Series routers
• Based on PIX Firewall technology
• PIX Firewall 6.0 feature set (some 6.2)
• 1 million simultaneous connections
• Over 100,000 connections per second
• 5 Gbps throughput
• Up to 4 can be stacked in a chassis, providing 20 Gbps throughput
• 1 GB DRAM
• Supports 100 VLANs
• Supports failover

FWSM in the Catalyst 6500 Switch
Chassis components shown: supervisor engine, redundant supervisor engine, slots 1-9 (top to bottom), 48-port 10/100 Ethernet module, switch fabric module, 16-port GBIC module, FWSM, power supply 1 and power supply 2, ESD ground strap connector, fan assembly

FWSM in the Cisco 7609 Internet Router
Chassis components shown: supervisor engine, fan assembly, FWSM, switch fabric module, slots 1-9 (right to left), power supply 1 and power supply 2, ESD ground strap connection

License Types
• Unrestricted: Allows installation and use of the maximum number of interfaces and RAM supported by the platform.
• Restricted: Limits the number of interfaces supported and the amount of RAM available within the system.
• Failover: Places the PIX Firewall in a failover mode for use alongside another PIX Firewall with an Unrestricted license.

Adding VPN Capabilities
• DES Activation Key: Provides 56-bit DES.
• 3DES Activation Key: Provides 168-bit 3DES and, from version 6.3, AES.
56-bit DES is no longer adequate protection for VPN traffic; deploy the 3DES/AES key.

Getting Started


How to configure the PIX?
• Command Line Interface (CLI)
– Local: console
– Remote: Telnet or Secure Shell (SSH)
• Graphical user interface
– PIX Device Manager (PDM), over an SSL connection
– VPN/Security Management Solution (VMS), over an SSL connection
Telnet carries the login credentials in cleartext; prefer SSH for remote access. The PIX Firewall does not accept Telnet on the outside interface except inside an IPSec tunnel.

Access Modes
The PIX Firewall has four administrative access modes:
• Unprivileged mode
• Privileged mode
• Configuration mode
• Monitor mode (CLI only)
An optional setup mode (the interactive setup dialog) is entered from configuration mode to create an initial configuration.

enable and enable password Commands
pixfirewall>
enable [priv_level]
• Enables you to enter other access modes.

pixfirewall(config)#
enable password pw [level priv_level] [encrypted]
• Used to control access to the privileged mode. The password is stored in the configuration as a hash; the encrypted keyword indicates that pw is already in hashed form, as when a saved configuration is pasted back in.

pixfirewall> enable
password:
pixfirewall#

pixfirewall(config)# enable password password

configure terminal and exit Commands
pixfirewall#
configure terminal
• Used to start configuration mode to enter configuration commands from a terminal.

pixfirewall#
exit
• Used to exit from an access mode.

pixfirewall# configure terminal
pixfirewall(config)# exit
pixfirewall# exit
pixfirewall>

hostname Command
pixfirewall(config)#
hostname newname
• Changes the hostname in the PIX Firewall command line prompt.

pixfirewall(config)# hostname proteus
proteus(config)# hostname pixfirewall

Configuring the PIX Firewall


Setup Dialog
pixfirewall(config)# setup
Pre-configure PIX Firewall now through interactive prompts [yes]? <Enter>
Enable Password [<use current password>]: ciscopix
Clock (UTC)
  Year [2002]: <Enter>
  Month [Aug]: <Enter>
  Day [27]: 12
  Time [22:47:37]: 14:22:00
Inside IP address: 10.0.P.1
Inside network mask: 255.255.255.0
Host name: pixP
Domain name: cisco.com
IP address of host running PIX Device Manager: 10.0.P.11
Use this configuration and write to flash? Y

Viewing and Saving the Configuration
The following commands enable you to view or save the configuration:
• show running-config
• write memory
• show startup-config
Commands entered in configuration mode take effect immediately but are lost at the next reload unless saved to Flash with write memory.

write erase and tftp-server Commands
pixfirewall(config)#
write erase
• Clears the Flash memory configuration.

pixfirewall(config)# write erase
Erase PIX configuration in Flash memory? [confirm]

pixfirewall(config)#
tftp-server [if_name] ip_address path
• Specifies the IP address of a TFTP configuration server.

pixfirewall(config)# tftp-server 10.0.0.11 pixfirewall/config/test_config

write net and configure net Commands
pixfirewall(config)#
write net [server_ip]:[filename]
• Stores the current running configuration to a file on a TFTP server.

pixfirewall(config)#
configure net [server_ip]:[filename]
• Merges the configuration file specified (or the one named in the tftp-server command when server and filename are omitted) into the current running configuration.
• TFTP carries the configuration, including password hashes and any pre-shared keys, in cleartext over UDP with no authentication, so use it only across the trusted inside interface and protect the copies on the server.

pixfirewall(config)# tftp-server 10.0.0.11 pixfirewall/config/test_config
pixfirewall(config)# write net:

name Command
pixfirewall(config)#
name ip_address name
• Configures a list of name-to-IP address mappings on the PIX Firewall.

pixfirewall(config)# name 172.16.0.2 bastionhost

reload Command
pixfirewall(config)#
reload [noconfirm]
• Reboots the PIX Firewall and reloads the configuration.

pixfirewall(config)# reload
Proceed with reload?[confirm] y
Rebooting...
PIX Bios V2.7..

Examining the PIX Firewall Status


show memory Command
pixfirewall(config)#
show memory
• Displays system memory usage information.

pixfirewall# show memory
67108864 bytes total, 50589696 bytes free

show version Command
pixfirewall(config)#
show version
• Displays the PIX Firewall’s software version, operating time since its last reboot, processor type, Flash memory type, interface boards, serial number (BIOS identification), and activation key value.

pixfirewall# show version
Cisco Secure PIX Firewall Version 6.2(1)
. . .

show ip address Command
pixfirewall# show ip address
Building configuration...
System IP Addresses:
        ip address outside 192.168.0.2 255.255.255.0
        ip address inside 10.0.0.1 255.255.255.0
        ip address dmz 172.16.0.1 255.255.255.0
Current IP Addresses:
        ip address outside 192.168.0.2 255.255.255.0
        ip address inside 10.0.0.1 255.255.255.0
        ip address dmz 172.16.0.1 255.255.255.0

show interface Command
pixfirewall# show interface
interface ethernet0 "outside" is up, line protocol is up
  hardware is i82557 ethernet, address is 0060.7380.2f16
  ip address 192.168.0.2, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 1000000 Kbit half duplex
        1184342 packets input, 1222298001 bytes, 0 no buffer
        received 26 broadcasts, 27 runts, 0 giants
        4 input errors, 0 crc, 4 frame, 0 overrun, 0 ignored, 0 abort
        1310091 packets output, 547097270 bytes, 0 underruns
        0 unicast rpf drops
        0 output errors, 28075 collisions, 0 interface resets
        0 babbles, 0 late collisions, 117573 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/2) software (0/1)

The half duplex setting together with the collision and deferred counters is the usual sign of a duplex mismatch with the attached switch port; compare the hardware_speed given in the interface command with the switch port setting.

show cpu usage Command
pixfirewall(config)#
show cpu usage
• Displays CPU use.

pixfirewall# show cpu usage
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

ping Command
pixfirewall(config)#
ping [if_name] host
• Determines if other IP addresses are visible from the PIX Firewall.

pixfirewall(config)# ping 10.0.0.11
10.0.0.11 response received -- 0Ms
10.0.0.11 response received -- 0Ms
10.0.0.11 response received -- 0Ms

Time Setting and NTP Support


clock Command
pixfirewall(config)#
clock set hh:mm:ss {day month | month day} year
• Sets the PIX Firewall clock.

pixfirewall(config)# clock set 21:0:0 apr 1 2002

Setting Daylight Savings Time and Time Zones
pixfirewall(config)#
clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]
• Displays summertime hours during the specified summertime date range.

pixfirewall(config)#
clock timezone zone hours [minutes]
• Sets the clock display to the time zone specified.

pixfirewall(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
• Specifies that summertime starts on the first Sunday in April at 2 a.m. and ends on the last Sunday in October at 2 a.m.

ntp Command
pixfirewall(config)#
ntp server ip_address [key number] source if_name [prefer]
• Synchronizes the PIX Firewall with a network time server. Accurate time matters for certificate validity checks and for correlating syslog records across devices. The key option selects an NTP authentication key; that key must also be defined with ntp authentication-key, marked with ntp trusted-key, and ntp authenticate must be enabled.

pixfirewall(config)# ntp server 10.0.0.12 key 1234 source inside prefer

Basic PIX Firewall Configuration


PIX Firewall Basic Commands
• nameif
• interface
• ip address
• nat
• global
• route

nameif Command
pixfirewall(config)#
nameif hardware_id if_name security_level
• Assigns a name to each perimeter interface on the PIX Firewall and specifies its security level. Levels range from 0 (outside, least trusted) to 100 (inside, most trusted). By default, connections may originate only from a higher-level interface toward a lower-level one, so a DMZ at an intermediate level can be reached from inside but cannot initiate connections to inside.

pixfirewall(config)# nameif ethernet2 dmz sec50

interface Command
pixfirewall(config)#
interface hardware_id [hardware_speed] [shutdown]
• Enables an interface and configures its type and speed. Interfaces remain shut down until this command is entered; leave unused interfaces shut down.

pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full
• The outside and inside interfaces are set for 100 Mbps Ethernet full-duplex communication.

ip address Command
pixfirewall(config)#
ip address if_name ip_address [netmask]
• Assigns an IP address to each interface.

pixfirewall(config)#
ip address outside dhcp [setroute] [retry retry_cnt]
• Enables the DHCP client feature on the outside interface. With setroute, the default route is taken from the DHCP offer instead of from a route command.

pixfirewall(config)# ip address outside dhcp
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
• The outside interface obtains an IP address from a DHCP server, but the DMZ interface is assigned the static address of 172.16.0.1.

nat Command
pixfirewall(config)#
nat [(if_name)] nat_id address [netmask] [timeout hh:mm:ss]
• Enables IP address translation for the hosts matching address and netmask on the named interface; nat_id ties the statement to the global pool with the same ID.

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
• Translates every inside host (0.0.0.0 0.0.0.0 matches all addresses).

global Command
pixfirewall(config)#
global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
• Works with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall.

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
• When internal hosts access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20-192.168.0.254 range. Once the pool is exhausted, further hosts cannot open new connections unless a single-address global (PAT) is also configured for the same nat_id.

route Command
pixfirewall(config)#
route if_name ip_address netmask gateway_ip [metric]
• Defines a static or default route for an interface.

pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
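The six basic commands above (nameif, interface, ip address, nat, global, route) together form one minimal configuration. The following added example, which is not Cisco code and not part of the course, parses a constructed configuration written with those six commands and then simulates the dynamic NAT behaviour of the nat/global pair, including what happens when the global pool runs out. The addresses are the ones used on the slides; the parser handles only the command forms shown on the page, and the allocator is an illustration of the behaviour described rather than the PIX implementation.

```python
"""Added example (not from the Cisco course): parse the six basic commands
from a constructed PIX configuration and simulate dynamic NAT from the
global pool, including pool exhaustion. Addresses are those used on the
slides; the parser and allocator are illustrations, not Cisco code, and
handle only the command forms shown on the page."""
import ipaddress
import re

# Constructed sample configuration (values taken from the slides)
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.168.0.20-192.168.0.254
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
"""


def parse_config(text: str):
    """Return (interfaces, nat_rules, global_pools, routes) from PIX 6.x syntax."""
    ifaces, nat_rules, pools, routes = {}, [], {}, []
    for line in text.splitlines():
        if m := re.match(r"nameif (\S+) (\S+) sec(?:urity)?(\d+)$", line):
            ifaces[m[2]] = {"hw": m[1], "level": int(m[3]), "speed": None, "addr": None}
        elif m := re.match(r"interface (\S+) (\S+)$", line):
            for info in ifaces.values():
                if info["hw"] == m[1]:
                    info["speed"] = m[2]
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            ifaces[m[1]]["addr"] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            nat_rules.append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+?)-(\S+)$", line):
            first, last = int(ipaddress.ip_address(m[3])), int(ipaddress.ip_address(m[4]))
            pools[(m[1], int(m[2]))] = [ipaddress.ip_address(a) for a in range(first, last + 1)]
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$", line):
            routes.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False),
                           ipaddress.ip_address(m[4]), int(m[5] or 1)))
    return ifaces, nat_rules, pools, routes


class DynamicNat:
    """Hands out global addresses to inside hosts the way a nat/global pair with
    a matching nat_id does; each inside host keeps its translation once made."""

    def __init__(self, nat_rules, pools):
        self.rules = nat_rules
        self.free = {k: list(v) for k, v in pools.items()}   # copy so the parsed pools stay intact
        self.xlate = {}                                        # inside address -> global address

    def translate(self, in_if: str, src: str, out_if: str):
        if src in self.xlate:
            return self.xlate[src]
        src_ip = ipaddress.ip_address(src)
        for rule_if, nat_id, net in self.rules:
            if rule_if == in_if and src_ip in net:
                pool = self.free.get((out_if, nat_id), [])
                if not pool:
                    return None          # no global on out_if for this nat_id, or pool exhausted
                self.xlate[src] = pool.pop(0)
                return self.xlate[src]
        return None                      # host not covered by any nat statement


if __name__ == "__main__":
    ifaces, nat_rules, pools, routes = parse_config(SAMPLE_CONFIG)
    nat = DynamicNat(nat_rules, pools)
    for host in ("10.0.0.11", "10.0.0.12", "10.0.0.11"):
        print(host, "->", nat.translate("inside", host, "outside"))
```

The parsed interface table is what a practitioner checks first on an unfamiliar box: every interface named, its security level, and whether it has an address. The allocator returns None both when the global pool is exhausted and when a host leaves through an interface that has no global for its nat_id, which is exactly the case where the slide's remark about an additional PAT address applies.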

Routing and Multicast


Static Routes
pixfirewall(config)# route inside 10.1.1.0 255.255.255.0 10.0.0.3
pixfirewall(config)# route outside 0 0 192.168.0.1

pixfirewall(config)# show route
        outside 0.0.0.0 0.0.0.0 192.168.0.1 1 OTHER static
        inside 10.1.1.0 255.255.255.0 10.0.0.3 1 OTHER static
        inside 10.0.0.0 255.255.255.0 10.0.0.1 1 CONNECT static
        outside 192.168.0.2 255.255.255.0 192.168.0.1 1 CONNECT static

Dynamic Routes
• The PIX Firewall accepts MD5-authenticated RIP version 2 multicast updates. The updates are authenticated with a keyed hash, not encrypted, so the advertised routes remain readable on the wire; the key only proves that the update came from a peer holding it and was not altered. For example, the PIX Firewall could learn the route to network 172.30.30.0 from Router A.
• The PIX Firewall broadcasts IP address 10.0.0.1 as the default route for devices on the inside interface.

pixfirewall(config)# rip outside passive version 2 authentication md5 MYKEY 2
pixfirewall(config)# rip inside default

Dynamic Routes (cont.)
pixfirewall(config)#
rip if_name default | passive [version [1 | 2]] [authentication [text | md5 key key_id]]
• Changes RIP settings. With default, the PIX Firewall advertises itself as the default route on that interface; with passive, it listens for updates and adds the learned routes to its routing table. The text option sends the key in cleartext in every update, so use md5.

pixfirewall(config)# rip outside passive version 2 authentication md5 MYKEY 2
pixfirewall(config)# rip outside default version 2 authentication md5 MYKEY 2
pixfirewall(config)# rip inside passive
pixfirewall(config)# rip dmz passive version 2
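To make concrete what "authentication md5 MYKEY 2" buys and what it does not, the following added example (not Cisco code and not part of the course) builds a RIPv2 response carrying a keyed-MD5 authentication trailer in the RFC 2082 layout, verifies it, rejects a tampered or replayed copy, and then decodes the routes without any key. The route entries and the sequence number are constructed values; the key and key ID are the ones from the slide's rip command.

```python
"""Added example (not from the Cisco course): build and verify a RIPv2
response carrying a keyed-MD5 authentication trailer in the RFC 2082
layout, which is what 'rip ... authentication md5 MYKEY 2' configures.
The digest proves the update came from a peer holding the key and was
not modified, while the routes stay readable to anyone on the segment.
The route entries and sequence number are constructed values."""
import hashlib
import hmac
import ipaddress
import struct

KEY_ID, KEY = 2, b"MYKEY"   # same key and key_id as the slide's rip command

HDR_LEN, AUTH_LEN, RTE_LEN, TRAILER_LEN = 4, 20, 20, 20


def _packed(addr: str) -> bytes:
    return ipaddress.ip_address(addr).packed


def rte(prefix: str, mask: str, nexthop: str, metric: int) -> bytes:
    # RIPv2 route entry: AFI=2 (IP), route tag, address, mask, next hop, metric
    return (struct.pack("!HH", 2, 0) + _packed(prefix) + _packed(mask)
            + _packed(nexthop) + struct.pack("!I", metric))


def _digest(pkt_without_digest: bytes, key: bytes) -> bytes:
    # RFC 2082: MD5 over the packet with the key, zero-padded to 16 bytes,
    # occupying the authentication-data field of the trailer
    return hashlib.md5(pkt_without_digest + key.ljust(16, b"\0")[:16]).digest()


def build_update(routes: list, seq: int, key: bytes = KEY, key_id: int = KEY_ID) -> bytes:
    body = b"".join(rte(*r) for r in routes)
    pkt_len = HDR_LEN + AUTH_LEN + len(body)          # the trailer is not counted
    header = struct.pack("!BBH", 2, 2, 0)             # command 2 = response, version 2
    # Auth entry: AFI 0xFFFF, type 3 (keyed MD5), packet length, key ID,
    # auth data length (16), sequence number (replay protection), 8 reserved bytes
    auth = struct.pack("!HHHBBI8x", 0xFFFF, 3, pkt_len, key_id, 16, seq)
    trailer_head = struct.pack("!HH", 0xFFFF, 1)
    unsigned = header + auth + body + trailer_head
    return unsigned + _digest(unsigned, key)


def verify_update(pkt: bytes, key: bytes = KEY, last_seq: int = -1) -> bool:
    """True if the trailer digest matches the key and seq is newer than last_seq."""
    if len(pkt) < HDR_LEN + AUTH_LEN + TRAILER_LEN:
        return False
    afi, atype, pkt_len, _key_id, dlen, seq = struct.unpack("!HHHBBI", pkt[HDR_LEN:HDR_LEN + 12])
    if afi != 0xFFFF or atype != 3 or dlen != 16 or pkt_len + TRAILER_LEN != len(pkt):
        return False
    if seq <= last_seq:
        return False                                  # replayed or out-of-order update
    head, received = pkt[:pkt_len + 4], pkt[pkt_len + 4:]
    if head[pkt_len:pkt_len + 4] != struct.pack("!HH", 0xFFFF, 1):
        return False
    return hmac.compare_digest(_digest(head, key), received)


def routes_in(pkt: bytes) -> list:
    """Decode the route entries without any key: MD5 authentication is not encryption."""
    pkt_len = struct.unpack("!H", pkt[8:10])[0]
    out = []
    for off in range(HDR_LEN + AUTH_LEN, pkt_len, RTE_LEN):
        _afi, _tag, a, m, n, metric = struct.unpack("!HH4s4s4sI", pkt[off:off + RTE_LEN])
        out.append((str(ipaddress.ip_address(a)), str(ipaddress.ip_address(m)),
                    str(ipaddress.ip_address(n)), metric))
    return out


if __name__ == "__main__":
    pkt = build_update([("172.30.30.0", "255.255.255.0", "0.0.0.0", 1)], seq=7)
    print("valid:", verify_update(pkt), "readable routes:", routes_in(pkt))
```

Two practical points fall out of the code: the sequence number is the only replay protection, so a receiver must remember the last value seen per neighbour (the last_seq argument here), and the key is mixed into an unkeyed MD5 rather than an HMAC, which is why this scheme is considered weak today and why the key should be long and rotated.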

Multicast

IP Multicasting

The PIX Firewall and IP Multicasting
• IP multicasting
– Is the transmission of an IP datagram to a set of hosts identified by a single IP destination address.
– Conserves bandwidth.
• Internet Group Management Protocol (IGMP)
– Is an integral part of the IP protocol.
– Is used by IP hosts to report their host group memberships to multicast routers.
• In a multicasting environment, the PIX Firewall
– Supports Stub Multicast Routing (SMR), also known as IGMP proxying.
– Does not operate as a full multicast router.
– Forwards IGMP messages between hosts and multicast routers.
– Does not require the construction of GRE tunnels for passing multicast traffic.

Allowing Hosts to Receive Multicast Transmissions
pixfirewall(config)#
multicast interface interface_name [max-groups number]
• Enables multicast support on the specified interface and places the interface in multicast promiscuous mode.

pixfirewall(config-multicast)#
igmp forward interface interface_name
• Enables forwarding of all IGMP host reports and leave messages received on the specified interface.

pixfirewall(config-multicast)#
igmp join-group group
• Enables the PIX Firewall to join a multicast group.

pixfirewall(config)# multicast interface dmz
pixfirewall(config-multicast)# exit
pixfirewall(config)# multicast interface inside
pixfirewall(config-multicast)# igmp forward interface dmz
pixfirewall(config-multicast)# igmp join-group 224.1.1.1

Inside Receiving Hosts Example
1. Host 10.0.0.11 sends an IGMP report:
   Source 10.0.0.11 Destination 224.1.1.1 IGMP group 224.1.1.1
2. The PIX Firewall accepts the packet and IGMP places the inside interface on the output list for the group.
3. The PIX Firewall forwards the packet to the multicast router:
   Source 172.16.0.1 Destination 224.1.1.1 IGMP group 224.1.1.1
4. The router places the input interface on the output list for the group.
5. Packets from the multicast server arrive at the router, which forwards them to the necessary interfaces.
6. The PIX Firewall accepts the packets and forwards them to the interfaces for the group.

pixfirewall(config)# multicast interface dmz
pixfirewall(config-multicast)# exit
pixfirewall(config)# multicast interface inside
pixfirewall(config-multicast)# igmp forward interface dmz

Forwarding Multicasts from a Transmission Source
pixfirewall(config)#
mroute src smask in-if-name dst dmask out-if-name
• Specifies a static multicast route.

pixfirewall(config)# multicast interface outside
pixfirewall(config-multicast)# exit
pixfirewall(config)# multicast interface inside
pixfirewall(config-multicast)# mroute 10.0.0.11 255.255.255.255 inside 230.1.1.2 255.255.255.255 outside
pixfirewall(config-multicast)# exit
pixfirewall(config)# multicast interface dmz
pixfirewall(config-multicast)# mroute 172.16.0.2 255.255.255.255 dmz 230.1.1.2 255.255.255.255 outside
pixfirewall(config-multicast)# exit

Inside Multicast Transmission Source Example
pixfirewall(config)# multicast interface outside
pixfirewall(config-multicast)# exit
pixfirewall(config)# multicast interface inside
pixfirewall(config-multicast)# mroute 10.0.0.11 255.255.255.255 inside 230.1.1.2 255.255.255.255 outside
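
The two forwarding cases just described (inside hosts receiving a group through the dmz, and an inside source sending to a group through a static mroute), carried through as an added example that is not PIX code: a Python model of a stub multicast router's tables. Interface names, host 10.0.0.11, the 172.16.0.1 dmz address, the inside address 10.0.0.1 and the groups come from the slides; the outside interface address 192.0.2.1, the multicast sender 172.16.0.9 and the packet tuples are constructed.

```python
"""Model of Stub Multicast Routing (IGMP proxying) as described in this section.

Added example, not PIX code. A report from an inside host puts the inside
interface on the group's output list and is re-sourced from the PIX's own
dmz address toward the multicast router; data for the group then fans out
to the listed interfaces. A static mroute covers a source on the inside.
Outside address 192.0.2.1 and the sample packets are constructed.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    ingress: str  # interface the packet arrived on


class StubMulticastRouter:
    def __init__(self, interface_addrs):
        self.addrs = interface_addrs   # {if_name: own ip on that interface}
        self.enabled = set()           # 'multicast interface X'
        self.igmp_forward = {}         # {host-side if: router-side if}
        self.outlist = {}              # {group: set(if_names with receivers)}
        self.mroutes = []              # (src, in_if, group, out_if)

    def multicast_interface(self, name):
        self.enabled.add(name)

    def igmp_forward_interface(self, host_if, router_if):
        self.igmp_forward[host_if] = router_if

    def mroute(self, src, in_if, group, out_if):
        self.mroutes.append((src, in_if, group, out_if))

    def igmp_report(self, host_ip, group, ingress):
        """Accept a host report, record the ingress interface for the group and
        return the proxied report sent toward the multicast router (None if the
        interface is not enabled for multicast or has no igmp forward)."""
        if ingress not in self.enabled or ingress not in self.igmp_forward:
            return None
        self.outlist.setdefault(group, set()).add(ingress)
        router_if = self.igmp_forward[ingress]
        return Packet(self.addrs[router_if], group, router_if)

    def igmp_leave(self, group, ingress):
        self.outlist.get(group, set()).discard(ingress)

    def forward(self, pkt):
        """Return the egress interfaces for a multicast data packet."""
        if pkt.ingress not in self.enabled:
            return []
        egress = []
        # Static mroute: a known source on a higher-security interface sending outward.
        for src, in_if, grp, out_if in self.mroutes:
            if (src, in_if, grp) == (pkt.src, pkt.ingress, pkt.dst) and out_if not in egress:
                egress.append(out_if)
        # Stub forwarding: replicate to every interface with joined receivers.
        for name in sorted(self.outlist.get(pkt.dst, ())):
            if name != pkt.ingress and name not in egress:
                egress.append(name)
        return egress


def build_slide_router():
    """The configuration from the slides: dmz toward the multicast router, inside
    hosts proxied through it, and the static mroute for source 10.0.0.11."""
    r = StubMulticastRouter({"inside": "10.0.0.1", "dmz": "172.16.0.1",
                             "outside": "192.0.2.1"})   # outside address constructed
    r.multicast_interface("dmz")                         # multicast interface dmz
    r.multicast_interface("inside")                      # multicast interface inside
    r.igmp_forward_interface("inside", "dmz")            # igmp forward interface dmz
    r.multicast_interface("outside")                     # multicast interface outside
    r.mroute("10.0.0.11", "inside", "230.1.1.2", "outside")
    return r
```

Two behaviours worth noticing in the model: data for a group nobody has joined is dropped, and a second inside host sending to 230.1.1.2 gets nothing forwarded because only the source named in the mroute is routed. That is the "stub" in Stub Multicast Routing: the PIX forwards only what it has been told about, by report or by static route.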

Configuring Other IGMP Options
pixfirewall(config-multicast)#
igmp version 1 | 2
• Sets the version of IGMP to be used.

pixfirewall(config-multicast)#
igmp query-interval seconds
• Configures the frequency at which IGMP query messages are sent by the interface.

pixfirewall(config-multicast)#
igmp query-max-response-time seconds
• Sets the maximum query response time (for IGMP version 2 only).

pixfirewall(config-multicast)# igmp version 2
pixfirewall(config-multicast)# igmp query-interval 120
pixfirewall(config-multicast)# igmp query-max-response-time 50

Viewing Your SMR Configuration
pixfirewall(config)#
show multicast [interface interface_name]
• Displays all or per-interface multicast settings.

pixfirewall(config)#
show igmp [group | interface interface_name] [detail]
• Displays multicast-related information about one or more groups.

pixfirewall(config)#
show mroute [dst [src]]
• Displays multicast routes.

Debugging Your SMR Configuration
pixfirewall(config)#
debug igmp
• Enables debugging for IGMP events.

pixfirewall(config)#
debug mfwd
• Enables debugging for multicast forwarding events.

DHCP

PIX DHCP
(figure: the PIX Firewall in its DHCP roles; panel labels "Client" and "Server")

DHCP
The PIX Firewall’s DHCP server can be used to dynamically assign
• An IP address and subnet mask.
• The IP address of a DNS server.
• The IP address of a WINS server.
• A domain name.
• The IP address of a TFTP server.
• A lease length.

DHCP Server
1. DHCPDISCOVER—The client seeks an address.
2. DHCPOFFER—The server offers 10.0.0.3.
3. DHCPREQUEST—The client requests 10.0.0.3.
4. DHCPACK—The server acknowledges the assignment of 10.0.0.3.

Configuring the PIX Firewall as a DHCP Server
• Step 1—Assign a static IP address to the inside interface.
• Step 2—Specify a range of addresses for the DHCP server to distribute.
• Step 3—Specify the IP address of the DNS server (optional).
• Step 4—Specify the IP address of the WINS server (optional).
• Step 5—Specify the IP address of the TFTP server (optional).
• Step 6—Specify the lease length (default = 3,600 seconds).
• Step 7—Specify the ping timeout value (optional).
• Step 8—Configure the domain name (optional).
• Step 9—Enable DHCP.

dhcpd address Command
pixfirewall(config)#
dhcpd address ip1[-ip2] [if_name]
• Specifies a range of addresses for DHCP to assign.

pixfirewall(config)# dhcpd address 10.0.0.2-10.0.0.15 inside
• The DHCP server assigns addresses 10.0.0.2–10.0.0.15 to DHCP clients on the inside. Addresses are assigned in numerical order beginning with 10.0.0.2.

dhcpd dns Command
pixfirewall(config)#
dhcpd dns dns1 [dns2]
• Specifies the IP address of the DNS server the client will use (optional).

pixfirewall(config)# dhcpd dns 10.0.0.20
• The DHCP server notifies the DHCP client that 10.0.0.20 is the address of the DNS server to use.

dhcpd wins Command
pixfirewall(config)#
dhcpd wins wins1 [wins2]
• Specifies the IP address of the WINS server that the client will use (optional).

pixfirewall(config)# dhcpd wins 10.0.0.21
• The DHCP server notifies the DHCP client that it will use 10.0.0.21 as its WINS server.

dhcpd option Commands
pixfirewall(config)#
dhcpd option 66 ascii {server_name | server_ip_str}
• Enables the PIX Firewall to distribute the IP address of a TFTP server for IP Phone connections.

pixfirewall(config)#
dhcpd option 150 ip server_ip1 [server_ip2]
• Enables the PIX Firewall to distribute the IP addresses of a list of TFTP servers for IP Phone connections.

pixfirewall(config)# dhcpd option 150 ip 10.0.0.11

dhcpd lease Command
pixfirewall(config)#
dhcpd lease lease_length
• Specifies the lease length to grant the client.
• Default = 3,600 seconds.

pixfirewall(config)# dhcpd lease 3600
• The DHCP clients can use their allocated leases for 3600 seconds.

dhcpd ping_timeout Command
pixfirewall(config)#
dhcpd ping_timeout timeout
• Specifies the length of time the DHCP server waits before allocating an address to a client.
• Default = 750 milliseconds.

pixfirewall(config)# dhcpd ping_timeout 10000
• The DHCP server waits 10000 milliseconds (10 seconds) before allocating an address to a client.

dhcpd domain Command
pixfirewall(config)#
dhcpd domain domain_name
• Specifies the domain name the client will use (optional).

pixfirewall(config)# dhcpd domain cisco.com
• The DHCP server notifies the client that the domain name is cisco.com.

dhcpd enable Command
pixfirewall(config)#
dhcpd enable [if_name]
• Enables the DHCP daemon within the PIX Firewall to listen for DHCP client requests on the enabled interface.

pixfirewall(config)# dhcpd enable inside
• The DHCP server feature is enabled on the inside interface.

debug dhcpd and clear dhcpd Commands
pixfirewall(config)#
debug dhcpd event | packet
• Displays information associated with the DHCP server.

pixfirewall(config)#
clear dhcpd
• Removes all dhcpd command statements from the configuration.

dhcpd auto_config Command
pixfirewall(config)#
dhcpd auto_config [client_ifx_name]
• Enables the PIX Firewall to automatically configure DNS, WINS, and domain name values from the DHCP client to the DHCP server.

pixfirewall(config)# ip address outside dhcp
pixfirewall(config)# dhcpd address 10.0.0.51-10.0.0.60 inside
pixfirewall(config)# dhcpd enable inside
pixfirewall(config)# dhcpd auto_config
• The PIX Firewall obtains its outside IP address and other configuration parameters from a DHCP server on its outside interface.
• The PIX Firewall distributes IP addresses from the 10.0.0.51–10.0.0.60 range to its own DHCP clients, the hosts on its inside interface.
• The PIX Firewall passes other configuration parameters it obtained from the DHCP server on its outside interface to the hosts on its inside interface.
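
The four-message exchange on the DHCP Server slide and Steps 1 through 9 of the server configuration, carried through as an added example that is not PIX code: a Python model of the server side, with the pool handed out in numerical order, the DNS, WINS, domain and option 150 values from the slides, a reachability probe standing in for the check that dhcpd ping_timeout bounds, and dhcpd auto_config copying values learned on the outside interface to inside clients. The client MAC addresses, the probe that makes 10.0.0.2 look already in use (which is why the first client is offered 10.0.0.3, as on the slide), and the outside lease contents are constructed; DHCPNAK for a request that does not match the offer is standard DHCP behaviour, not something the slides show.

```python
"""Model of the PIX DHCP server behaviour described in this section.

Added example, not PIX code. The knobs map to the slide commands:
  DhcpServer(first, last, lease)          -> dhcpd address / dhcpd lease
  configure(dns=, wins=, domain=, tftp=)  -> dhcpd dns / wins / domain / option 150
  probe(ip)                               -> the reachability check dhcpd ping_timeout bounds
  auto_config(outside_lease)              -> dhcpd auto_config
Client MACs, the probe result and the outside lease are constructed sample data.
"""
import ipaddress


class DhcpServer:
    def __init__(self, first, last, lease=3600, probe=lambda ip: False):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.lease = lease          # seconds; 3,600 is the slide's default
        self.probe = probe          # True if the address already answers on the wire
        self.options = {}           # dns, wins, domain, tftp
        self.leases = {}            # client mac -> bound address
        self.offered = {}           # client mac -> address offered, not yet acked
        self.in_use = set()         # addresses that answered a probe

    def configure(self, **opts):
        self.options.update(opts)

    def auto_config(self, outside_lease):
        """Pass DNS, WINS and domain learned as a DHCP client on outside through
        to inside clients; explicitly configured values take precedence."""
        for key in ("dns", "wins", "domain"):
            if key in outside_lease and key not in self.options:
                self.options[key] = outside_lease[key]

    def _next_free(self):
        # Numerical order from the first address, skipping anything bound,
        # offered, or found to be in use by the probe.
        for ip in self.pool:
            if ip in self.leases.values() or ip in self.offered.values() or ip in self.in_use:
                continue
            if self.probe(ip):
                self.in_use.add(ip)
                continue
            return ip
        return None

    def discover(self, mac):
        """DHCPDISCOVER -> DHCPOFFER, or None when the pool is exhausted."""
        ip = self.leases.get(mac) or self.offered.get(mac) or self._next_free()
        if ip is None:
            return None
        self.offered[mac] = ip
        return {"type": "DHCPOFFER", "yiaddr": ip, "lease": self.lease, **self.options}

    def request(self, mac, ip):
        """DHCPREQUEST -> DHCPACK for the address offered (or already bound) to this
        client, DHCPNAK for anything else."""
        if ip not in (self.offered.get(mac), self.leases.get(mac)):
            return {"type": "DHCPNAK"}
        self.offered.pop(mac, None)
        self.leases[mac] = ip
        return {"type": "DHCPACK", "yiaddr": ip, "lease": self.lease, **self.options}

    def release(self, mac):
        self.offered.pop(mac, None)
        self.leases.pop(mac, None)


def build_slide_server():
    """Server configured as on the slides. The probe is constructed so that
    10.0.0.2 looks already in use, so the first client is offered 10.0.0.3."""
    srv = DhcpServer("10.0.0.2", "10.0.0.15", lease=3600, probe=lambda ip: ip == "10.0.0.2")
    srv.configure(dns="10.0.0.20", wins="10.0.0.21", domain="cisco.com", tftp="10.0.0.11")
    return srv
```

The probe is the part a defender cares about: without it the server would hand 10.0.0.2 to a client even though something already answers there, and the resulting duplicate address is hard to distinguish from an attack on the segment. The model also shows why auto_config never overrides an explicit dhcpd dns or dhcpd wins: values learned from an upstream DHCP server are only filled in where nothing was configured.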

Summary
• There are currently five PIX Firewall models in the 500 series: 501, 506E, 515E, 525, and 535.
• Your PIX Firewall license determines its level of service in your network and the number of interfaces it supports.
• Restricted, Unrestricted, and Failover licenses are available for PIX Firewall models 515E, 525, and 535.
• Based on PIX Firewall technology, the Firewall Services Module for the Cisco Catalyst 6500 Switch and Cisco 7600 Series Internet Routers provides an alternative to the PIX Firewall appliance.

Summary (cont.)
• The PIX Firewall has four administrative access modes: unprivileged, privileged, configuration, and monitor.
• Interfaces with a higher security level can access interfaces with a lower security level, while interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.
• Using the PIX Firewall general maintenance commands helps you to manage the PIX Firewall. The commands include the following: enable, write, show, and reload.
• The basic commands necessary to configure the PIX Firewall are the following: nameif, interface, ip address, nat, global, and route.
• The PIX Firewall can function as a DHCP client and DHCP server.

Summary (cont.)
• You can add static routes to the PIX Firewall to enable access to networks connected outside a router on any interface.
• The PIX Firewall can be configured to listen for RIP version 1 or RIP version 2 routing broadcasts.
• The PIX Firewall cannot pass RIP updates between interfaces.
• When RIP version 2 is configured in passive mode, the PIX Firewall accepts RIP version 2 multicast updates with the IP destination of 224.0.0.9.
• The PIX Firewall transmits default route updates using an IP destination of 224.0.0.9 if configured for the RIP version 2 default mode.

Summary (cont.)
• The PIX Firewall supports Stub Multicast Routing, which enables it to pass multicast traffic.
• The PIX Firewall can be configured to forward multicasts from a transmission source on a higher security level interface to receivers on a lower security level interface.
• The PIX Firewall can also be configured to allow hosts on a higher security level interface to receive multicasts from a host on a lower security level interface.
