ITSY 2301 Firewalls and Network Security Fall 2009

Lab 6 Basic Cisco PIX Hardware Firewall Configuration

Purpose:

To configure a PIX firewall to include Inside, Outside, and DMZ interfaces and networks. NAT is included in the configuration, as is a Conduit (old ACL) statement.

Topology:

See the ITSY2301 standard PIX topology diagram. Confirm the cabling of the PIX, the router and switch.

Preliminary:

The PIX device has 3 Ethernet interfaces and no Serial interface. When the router is added to the topology, the PIX and the router will be connected by a crossover Ethernet cable to bypass the need for a switch. Load the Boston router with the Basic Boston router configuration. Check the IP address of the External Host. Be sure that it can ping all the router interfaces. It will not be able to ping the PIX at this point.

PIX security appliances have closed interfaces by default. ACLs are required to allow traffic to pass through. NAT and PAT are used to add protection to the inside network(s).

PIX devices can have privilege levels and other hardening measures to further protect the hardware and the network(s).

The (Cisco) IOS we are using is not password-protected by default. Many configuration commands are the same or very similar to the router. Watch for differences.

Also remember that PIX devices do not dynamically route. Although they provide another layer of “Defense-in-Depth”, a router is still necessary to connect networks, subnets and VLANs.

Note: when using “show run” or “write terminal”, you can exit the command by typing a “q” for quit.

To escape from the interactive commands on a PIX reload, use Ctrl+Z.

NOTE: Start with the basic Boston router configuration, with these modifications:

The e0 interface address is now 172.16.1.2 (there is no serial interface in use)

The e1 interface address is now 11.0.13.1 (moved the External Host to E1 interface)

Be sure to save your work in a text file as you may need this PIX lab configuration again.

Command descriptions from Cisco.com (command syntax, then description)

interface - The interface command identifies the speed and duplex settings of the network interface boards.

ip address if_name ip_address [netmask] - The ip address command defines the IP address of each interface.

nameif hardware_id if_name security_level - The nameif command defines a name for an interface. This command can be used to assign interface names if there are more than two network interface circuit boards on the PIX Firewall. The first two interfaces have the default names inside and outside. The inside interface has a default security level of 100; the outside interface has a default security level of 0. The clear nameif command reverts nameif command statements to default interface names and security levels.

reload - The reload command reboots the PIX Firewall and reloads the configuration from a bootable floppy disk or, if a diskette is not present, from Flash memory.

route if_name ip_address netmask gateway_ip [metric] - Use the route command to enter a default or static route for an interface.

show history - The show history command displays previously entered commands.

show memory - The show memory command displays a summary of the maximum physical memory and current free memory available to the PIX Firewall operating system. Memory in the PIX Firewall is allocated as needed.

show running-config - The show run command displays the current configuration on the terminal.

show version - The show version command displays the following details of the PIX Firewall unit: software version, operating time since last reboot, processor type, Flash memory type, interface boards, serial number (BIOS ID), activation key value, and the timestamp for when the configuration was last modified.

write erase - The write erase command clears the Flash memory configuration.

write memory - The write memory command stores the current configuration in Flash memory, along with the activation key value and timestamp for when the configuration was last modified.

write terminal - The write terminal command displays the current configuration on the terminal.


Directions:

Step 1 Start with a fresh, blank configuration

enable

Password: <Enter> (no password yet)

config t

write erase (to erase previous configurations)

reload (this reload is much faster)

Step 2 Before you start, see what the “blank” configuration looks like

enable

show run

Answer Reflection question 1.

Step 3 Name the PIX device and several external devices. We will be able to refer to them by name later.

config t

hostname BostonPIX

name 200.0.1.2 bastionhost

name 200.0.1.3 dns-server

name 10.0.1.2 insidehost

Step 4. Look at the changes and save your configuration

show run (did you notice that you do not have to leave config mode?)

write memory

Step 5. Name the DMZ interface and change its security level to 50

nameif e2 dmz security50

show nameif

Answer Reflection Question 2.

Step 6. Turn the interfaces on at FastEthernet speed, full duplex.

interface e0 10full (This is different from the other interfaces! Do you know why? Ask!)

interface e1 100full

interface e2 100full

show interface

What are the other choices for enabling the interfaces?

Step 7. Configure the interface IP addresses.

ip address inside 10.0.1.1 255.255.255.0

ip address dmz 200.0.1.1 255.255.255.0

ip address outside 172.16.1.1 255.255.255.0

Step 8. Confirm the addresses and save your work.

show ip address

System IP Addresses:

ip address outside 172.16.1.1 255.255.255.0

ip address inside 10.0.1.1 255.255.255.0

ip address dmz 200.0.1.1 255.255.255.0

Current IP Addresses:

ip address outside 172.16.1.1 255.255.255.0

ip address inside 10.0.1.1 255.255.255.0

ip address dmz 200.0.1.1 255.255.255.0

write memory


Step 9. Create NAT translations for information leaving the network.

Check your PIX lab topology.

Answer Reflection Question 3.

global (outside) 1 172.16.1.20-172.16.1.254 netmask 255.255.255.0

nat (inside) 1 10.0.1.0 255.255.255.0

route outside 0 0 172.16.1.1

What is the purpose of the line, “route outside”? What do the 0s represent?

show global

show nat

What do these commands show?

Step 10. Show any routing information and save your work.

show route

Sample output:

outside 0.0.0.0 0.0.0.0 172.16.1.1 1 OTHER static

inside 10.0.1.0 255.255.255.0 10.0.1.1 1 CONNECT static

dmz 200.0.1.0 255.255.255.0 200.0.1.1 1 CONNECT static

outside 172.16.1.0 255.255.255.0 172.16.1.1 1 CONNECT static

write mem (to save your work on the PIX)

Step 11. Test the operation of the global and NAT statements:

a. Open a web browser on the Inside Host (configured with IP address 10.0.1.2).

b. Use the web browser to access the Boston Web server at IP address 11.0.11.1:

http://11.0.11.1

Your attempt to show the Boston web page should fail. The Boston router does not know how to return information to the PIX yet.


c. Observe the translation table in HyperTerminal:

show xlate

The display should look like this:

1 in use, 1 most used

Global 172.16.1.20 Local insidehost

The PIX chooses a low-end global address to represent the inside host.

Step 12. Test the Inside, Outside, and DMZ Interface Connectivity:

First you must enable/permit ping. We will use an old ACL method, the Conduit command.

conduit permit icmp any any

Then ping the inside interface from inside the PIX:

ping 10.0.1.1

10.0.1.1 response received —— 10ms

10.0.1.1 response received —— 10ms

10.0.1.1 response received —— 10ms

Ping the inside host:

ping insidehost

insidehost response received —— 10ms

insidehost response received —— 10ms

insidehost response received —— 10ms

Ping the outside interface:

ping 172.16.1.1

172.16.1.1 response received —— 10ms

172.16.1.1 response received —— 10ms

172.16.1.1 response received —— 10ms

e. Ping the backbone router:

ping 172.16.1.2

172.16.1.2 response received —— 10ms

172.16.1.2 response received —— 10ms

172.16.1.2 response received —— 10ms


f. Ping the DMZ interface:

ping 200.0.1.1

200.0.1.1 response received —— 10ms

200.0.1.1 response received —— 10ms

200.0.1.1 response received —— 10ms

Ping the bastion host:

ping bastionhost

bastionhost response received —— 10ms

bastionhost response received —— 10ms

bastionhost response received —— 10ms

Step 13. Save your work on the PIX

wr mem (write memory) to save your configuration on the PIX again

Step 14. Test connectivity from the Inside Host to the External Host

show xlate

clear xlate

ping 11.0.13.2

show xlate

Was the ping successful?

The pings should know where to go, but they don’t know how to get back yet.

Turn debugging on and watch the action.

debug icmp trace

ping 11.0.13.2

undebug all

Be sure to save your configuration to your workstation. You will use this Basic configuration for the next lab.
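The nat/global, show xlate and conduit behaviour exercised in Steps 9 through 14, as an added Python model that is not part of this lab or of Cisco's software: it parses a constructed excerpt of the lab's own configuration lines (e0 and e1 are assumed to keep the PIX default names outside and inside, and stateful inspection is ignored) and reports, for one packet, whether the PIX passes it and which address the far side sees.

```python
import ipaddress as ipa

# Constructed excerpt of the lab's BostonPIX config (Steps 3, 5, 7, 9, 12); e0/e1 assumed to keep PIX defaults outside/inside.
LAB_CONFIG = """\
name 10.0.1.2 insidehost
nameif e0 outside security0
nameif e1 inside security100
nameif e2 dmz security50
ip address inside 10.0.1.1 255.255.255.0
ip address dmz 200.0.1.1 255.255.255.0
ip address outside 172.16.1.1 255.255.255.0
global (outside) 1 172.16.1.20-172.16.1.254 netmask 255.255.255.0
nat (inside) 1 10.0.1.0 255.255.255.0
conduit permit icmp any any
"""
class PixModel:
    """Toy model (no stateful inspection): high-to-low security needs a nat/global pair, low-to-high needs a conduit plus an existing xlate."""
    def __init__(self, config):
        self.names, self.level, self.net, self.nat, self.pool, self.conduits, self.xlate = {}, {}, {}, {}, {}, set(), {}
        for w in (l.split() for l in config.splitlines() if l.strip()):
            if w[0] == "name": self.names[w[1]] = w[2]
            elif w[0] == "nameif": self.level[w[2]] = int(w[3].replace("security", ""))
            elif w[0] == "ip": self.net[w[2]] = ipa.ip_network(f"{w[3]}/{w[4]}", strict=False)
            elif w[0] == "nat": self.nat[w[1].strip("()")] = (w[2], ipa.ip_network(f"{w[3]}/{w[4]}", strict=False))
            elif w[0] == "global":   # pool stored as [next free address, last address]
                self.pool[(w[1].strip("()"), w[2])] = [ipa.ip_address(a) for a in w[3].split("-")]
            elif w[0] == "conduit" and w[1] == "permit": self.conduits.add(w[2])
    def iface(self, ip):   # connected interface, otherwise the default 'route outside'
        return next((n for n, net in self.net.items() if ip in net), "outside")
    def forward(self, src, dst, proto):
        """Return ('permit', address the far side sees) or ('deny', reason) for one packet."""
        src, dst = ipa.ip_address(src), ipa.ip_address(dst)
        local = {g: l for l, g in self.xlate.items()}.get(dst)   # inbound to a global address?
        if local is not None: dst = local                        # untranslate before routing
        fin, fout = self.iface(src), self.iface(dst)
        if self.level[fin] > self.level[fout]:                   # outbound: must be translated
            rule = self.nat.get(fin)
            if not rule or src not in rule[1]: return ("deny", f"no nat ({fin}) rule for {src}")
            pool = self.pool.get((fout, rule[0]))
            if not pool: return ("deny", f"no global ({fout}) {rule[0]} pool")
            if src not in self.xlate:                            # first packet takes the lowest free global
                self.xlate[src], pool[0] = pool[0], pool[0] + 1
            return ("permit", str(self.xlate[src]))
        if proto in self.conduits and local is not None:         # inbound: conduit plus existing xlate
            return ("permit", str(dst))
        return ("deny", f"{fin} security{self.level[fin]} -> {fout} security{self.level[fout]} blocked")
    def show_xlate(self):   # 'name' entries let the PIX print a host name in place of its address
        rows = [f"Global {g} Local {self.names.get(str(l), str(l))}" for l, g in self.xlate.items()]
        return "\n".join([f"{len(rows)} in use, {len(rows)} most used"] + rows)
```

Running the inside host's request first and then the External Host's reply shows why the conduit is needed for the echo reply to come back, and why inside-to-DMZ traffic fails without a global pool on the dmz interface.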


Reflection Questions

1. How is the “blank” configuration different from that of our routers? This IOS is slightly dated. Newer IOSes have a more “router configuration” look and feel.

2. What is the Inside default security level and what does it mean?

What is the Outside default security level and what does it mean?

3. Why are the IP addresses of the NAT statement in Step 9 in the 172.16.1.x range?

4. Why is the DMZ web server called the “Bastion Host”?

5. Try pinging from the External Host to the PIX 10.0.1.1 interface. Were you successful? Consult the textbook to find out why not.