Configuring the Cisco PIX Firewall

Basic Config

The PIX firewall is a standalone appliance dedicated to stateful packet inspection. Its logic is built around the Adaptive Security Algorithm (ASA): every packet is checked against the interface security levels, the translation (xlate) table and the connection state table before it is forwarded, and an inbound packet that matches neither an existing connection nor an explicit permit is dropped.

PIX1 is connected to R1 on the inside interface, the outside interface is connected to a managed router over a 10 Mb/s link, and the DMZ is on ethernet2. The addresses used by the commands below, and by the rest of these notes, are 192.168.1.2/24 on the outside, 10.1.1.1/24 on the inside and 172.16.1.1/24 on the DMZ (the original lab sheet listed 144.254.1.230, 9.1.1.124 and 9.1.2.124 for the same three interfaces).
PIX(config)#hostname PIX1
PIX1(config)#nameif ethernet0 outside security0     <- Security levels: 0 for outside and 100 for inside are fixed. Traffic flows freely from a higher level to a lower one; the other way needs a static plus an access-list
PIX1(config)#nameif ethernet1 inside security100
PIX1(config)#nameif ethernet2 dmz security50      <- Every interface needs a distinct level; two interfaces with the same level cannot pass traffic to each other
PIX1(config)#interface ethernet0 auto      <- Enables the interface and sets speed/duplex; interfaces stay administratively down until this is entered (10baset instead of auto pins a 10 Mb/s link)
PIX1(config)#interface ethernet1 auto
PIX1(config)#interface ethernet2 auto
PIX1(config)#ip address outside 192.168.1.2 255.255.255.0
PIX1(config)#ip address inside 10.1.1.1 255.255.255.0
PIX1(config)#ip address dmz 172.16.1.1 255.255.255.0      <- 172.16.1.0/24, the DMZ subnet used by the global and static entries further down

Define the enable (privileged-mode) password and the login password used by Telnet and SSH sessions.
PIX1(config)#enable password ccIEenable     <- Stored as a hash; required to enter enable mode
PIX1(config)#passwd ccIEsimple     <- Login password for Telnet and SSH; the default is cisco and must be changed

All inside hosts should be able to ping the PIX, but only the inside network may telnet to it.
PIX1(config)#icmp permit any echo inside     <- The icmp command governs ICMP addressed to a PIX interface, not ICMP passing through the box. With no icmp rules at all, an interface answers every ICMP; once any rule exists on an interface, everything not explicitly permitted there is denied
PIX1(config)#icmp permit any echo-reply inside     <- Needed so that replies to pings sent from the PIX itself are accepted on the inside
PIX1(config)#telnet 10.1.1.0 255.255.255.0 inside     <- No telnet is accepted until a telnet command lists the permitted sources; telnet is never accepted on the outside interface unless the session arrives inside an IPSec tunnel

Configure the outside interface to ignore pings without using an access-list.
PIX1(config)#icmp deny any echo outside     <- Echo requests to the outside address are dropped silently, so the interface no longer shows up in a ping sweep
PIX1(config)#icmp deny any echo-reply outside     <- Also drops the replies to pings the PIX itself sends out of the outside interface, so ping from the PIX to an Internet host fails after this

Configure NAT
Configure NAT on the PIX so that inside users can reach the Internet and the DMZ.
PIX1(config)#global (outside) 1 192.168.1.20-192.168.1.250 netmask 255.255.255.0     <- Pool of outside addresses that nat id 1 is translated to. When the pool runs out, connections fail unless a single-address (PAT) global with the same id is configured as overflow
PIX1(config)#global (dmz) 1 172.16.1.20-172.16.1.250 netmask 255.255.255.0     <- Same nat id, so inside hosts are translated to DMZ addresses when they talk to the DMZ
PIX1(config)#nat (inside) 1 10.1.1.0 255.255.255.0 0 0     <- Inside addresses eligible for translation with global id 1; the trailing 0 0 are the connection and embryonic-connection limits (0 = unlimited)
PIX1(config)#nat (inside) 1 10.1.2.0 255.255.255.0 0 0     <- A second routed segment behind R1; the PIX also needs a route inside entry for it pointing at R1, or return traffic has nowhere to go

Assume a host on the inside network has the address 192.168.1.192. Make it appear on the outside with that address unchanged.
PIX1(config)#access-list 101 permit ip host 192.168.1.192 any
PIX1(config)#nat (inside) 0 access-list 101     <- nat 0 with an access-list is NAT exemption: matching traffic passes untranslated in both directions and is evaluated before any static or nat/global rule

Configure PAT translation on the PIX
PIX1(config)#global (outside) 10 interface     <- Uses the outside interface address for PAT
or
PIX1(config)#global (outside) 10 192.168.1.3 netmask 255.255.255.0     <- Uses a single dedicated address for PAT
PIX1(config)#nat (inside) 10 0.0.0.0 0.0.0.0     <- Every inside address not matched by a more specific nat statement is translated through global id 10 (nat (inside) 10 0 0 is the usual shorthand). After changing nat, global or static entries, run clear xlate so that stale translations are dropped

Configure Static Translations
Create static translations on the outside interface for the following servers on the inside and DMZ networks. 10.x is inside, 172.16.x is DMZ and 192.168.1.x is outside.
PIX1(config)#static (inside,outside) 192.168.1.10 10.1.1.10 netmask 255.255.255.255 0 0     <- static (real_if,mapped_if) mapped_ip real_ip: a fixed one-to-one mapping so the server is reachable from the lower-security side
PIX1(config)#static (inside,outside) 192.168.1.11 10.1.1.11 netmask 255.255.255.255 0 0
PIX1(config)#static (dmz,outside) 192.168.1.12 172.16.1.12 netmask 255.255.255.255 0 0

Allow the servers above to be reached from the outside interface.
PIX1(config)#access-list allowServers permit tcp any host 192.168.1.10 eq www     <- In PIX 6.x the access-list names the mapped (global) address, not the real inside address
PIX1(config)#access-list allowServers permit tcp any host 192.168.1.11 eq smtp
PIX1(config)#access-list allowServers permit tcp any host 192.168.1.12 eq ftp
PIX1(config)#access-list allowServers permit tcp any host 192.168.1.12 eq ftp-data     <- Not needed while fixup protocol ftp is on (the default): the FTP inspection opens the data channel dynamically for both active and passive transfers, so this line only widens the exposure of the DMZ host
PIX1(config)#access-group allowServers in interface outside     <- One access-group per interface and direction; anything the list does not permit is dropped by the implicit deny at its end
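As an added worked example (not part of the original notes), here is the DMZ server case above carried through to verification, using the page's addresses plus a constructed outside client 203.0.113.5. It shows the order in which PIX 6.x looks up translations, why the access-list names the mapped address, and the show commands that confirm the path end to end; the access-list name and the show output are illustrative.

```cisco
! --- Added example: inbound access to a DMZ web server, with checks ---
! Translation lookup order on PIX 6.x (first match wins):
!   1. nat 0 access-list   (NAT exemption)
!   2. static              (one-to-one and port statics)
!   3. nat access-list     (policy NAT)
!   4. nat / global        (dynamic NAT and PAT)
! Interfaces as on the page: outside 192.168.1.2/24 (security0), dmz 172.16.1.1/24 (security50)

! 1. Publish only the web port, not the whole host (a port static)
PIX1(config)# static (dmz,outside) tcp 192.168.1.12 www 172.16.1.12 www netmask 255.255.255.255 0 0

! 2. Permit only that port, to the mapped address (real addresses are not used
!    in access-lists until ASA 8.3)
PIX1(config)# access-list dmzIn permit tcp any host 192.168.1.12 eq www
PIX1(config)# access-list dmzIn deny ip any any log     ! PIX 6.3: denied hits logged as syslog 106100
PIX1(config)# access-group dmzIn in interface outside

! 3. A new static only applies to new translations; flush the old ones
PIX1(config)# clear xlate

! 4. Verify. The constructed client 203.0.113.5 browses to http://192.168.1.12/
PIX1# show static
!   static (dmz,outside) tcp 192.168.1.12 www 172.16.1.12 www netmask 255.255.255.255 0 0
PIX1# show xlate
!   PAT Global 192.168.1.12(80) Local 172.16.1.12(80)          <- the static xlate exists
PIX1# show conn
!   TCP out 203.0.113.5:51234 in 172.16.1.12:80 idle 0:00:02 Bytes 1480 flags UIO
!   ("in" is the real address after translation; U = up, I = inbound data, O = outbound data)
PIX1# show access-list dmzIn
!   access-list dmzIn permit tcp any host 192.168.1.12 eq www (hitcnt=1)
!   access-list dmzIn deny ip any any log (hitcnt=0)
! A permit hitcnt that stays at 0 while the client times out means the packet
! never matched: usually the list names the real address, or the static is
! missing and there is no translation for the mapped address at all.
```

The port static plus a single-port permit is the least-privilege form of what the page does with a full host static; the `deny ip any any log` line costs nothing and gives a counter for probes against the DMZ address.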

Configure Logging, SNMP and NTP
Send syslog messages to 10.0.1.100 at trap level 7 with facility 20, and disable logging to the console.
PIX1(config)#logging on     <- Master switch; nothing is generated without it
PIX1(config)#logging host 10.0.1.100     <- Syslog server, UDP/514 unless a protocol/port is given; the interface the server sits behind can be named first (logging host inside 10.0.1.100)
PIX1(config)#logging trap 7     <- Level 7 (debugging) sends every message, including a build and teardown record for each connection. Fine for a lab; on a production box level 6 or lower keeps the collector from being flooded
PIX1(config)#logging facility 20     <- Facility 20 is LOCAL4, the PIX default; the collector files messages by it
PIX1(config)#no logging console     <- Console logging is synchronous and can stall the PIX under load

Allow only the management station 192.168.1.8 to poll the PIX over SNMP. Set the location to Centreville, VA and the community string to ccie_pix, and enable traps.
PIX1(config)#snmp-server host inside 192.168.1.8     <- Only listed hosts may poll, and traps are sent to them; a poll or trap keyword at the end limits a host to one role
PIX1(config)#snmp-server location Centreville, VA
PIX1(config)#snmp-server community ccie_pix     <- Replaces the default community string public. PIX 6.x speaks SNMPv1/v2c only, so the string crosses the wire in clear text; the PIX MIBs are read-only, so there is no SNMP write access to lose
PIX1(config)#snmp-server enable traps

Configure NTP with MD5 authentication against the server 192.168.1.7 and the key ccie_ntp.
PIX1(config)#ntp authentication-key 1234 md5 ccie_ntp     <- Key id 1234 and its secret; the same id and secret must exist on the server
PIX1(config)#ntp trusted-key 1234     <- Only packets signed with a trusted key are accepted once authentication is on
PIX1(config)#ntp authenticate     <- Turns authentication on; unauthenticated servers are ignored from now on
PIX1(config)#ntp server 192.168.1.7 key 1234 source inside prefer     <- Authenticated, sourced from the inside interface address, and preferred over any other configured server

Configure DHCP
Configure the PIX so that inside users configured for DHCP receive an IP address, WINS and DNS servers, a domain name and a default gateway.
PIX1(config)#dhcpd address 192.168.1.100-192.168.1.200 inside     <- The pool must lie in the subnet of the interface it serves; with the inside interface at 10.1.1.1/24 as configured above, the range would have to be something like 10.1.1.100-10.1.1.200. The PIX hands out its own interface address as the default gateway, so no separate gateway option is needed
PIX1(config)#dhcpd dns 150.100.1.40
PIX1(config)#dhcpd domain ccie-dhcp.com
PIX1(config)#dhcpd wins 150.100.1.41
PIX1(config)#dhcpd enable inside     <- Starts the server on the inside interface; it cannot run on an interface that is itself a DHCP client

Access-list Control
Allow HTTP on TCP port 8080 through the firewall and block the standard port. Also make sure Mail Guard and DNS Guard are enabled.
PIX1(config)#no fixup protocol http 80     <- Removes HTTP inspection from port 80. fixup controls application inspection only; it neither permits nor blocks traffic, so port 80 still has to be blocked with an access-list
PIX1(config)#fixup protocol http 8080     <- Inspects HTTP on 8080, which is what lets URL filtering and the Java/ActiveX filters below see traffic on that port. Fixups also track protocols such as FTP that open a second connection on a dynamic port
PIX1(config)#fixup protocol smtp 25     <- On by default; Mail Guard limits the SMTP commands a server can be sent to the RFC 821 minimum set (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT)
PIX1(config)#fixup protocol dns     <- On by default; DNS Guard tears down the UDP connection after the first reply and limits the reply length

PIX1(config)#access-list outsideAccessIn permit icmp any 130.100.26.0 255.255.255.0
PIX1(config)#access-list outsideAccessIn permit tcp any host 130.100.26.8     <- Every TCP port on one host; narrow this to the ports the host actually serves
PIX1(config)#access-group outsideAccessIn in interface outside     <- Applied to traffic arriving on the outside interface, from less secure to more secure; anything not matched is dropped
PIX1(config)#access-list insideAccessOut deny tcp any 130.100.26.0 255.255.255.0
PIX1(config)#access-list insideAccessOut permit ip any any     <- A protocol keyword is required. Applying an access-list to the inside interface replaces the default permit-everything outbound behaviour with this list and its implicit deny, so this final permit is what keeps the rest of the outbound traffic working
PIX1(config)#access-group insideAccessOut in interface inside     <- Keeps inside addresses from opening TCP connections to 130.100.26.0/24

Configure the PIX to block Java and ActiveX applets coming from outside networks.
PIX1(config)#filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0     <- filter activex port local_ip local_mask foreign_ip foreign_mask; all zeros means every inside client and every server. The PIX comments out <object> tags in the HTTP responses it sees on this port
PIX1(config)#filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0     <- Comments out <applet> tags. Both filters only see traffic on a port covered by fixup protocol http, so with HTTP moved to 8080 above they have to be configured for 8080 as well
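An added example, not from the original notes, that makes the fixup/access-list distinction concrete: moving HTTP inspection to 8080 does nothing to stop port 80, so the outbound policy has to be written out as an egress access-list on the inside interface. Addresses are the page's; the access-list name EGRESS, the DMZ proxy 172.16.1.80 and the hit counts shown are assumptions.

```cisco
! --- Added example: explicit outbound (egress) policy on the inside interface ---
! fixup = what the PIX inspects; access-list = what it permits. They are independent.
PIX1(config)# no fixup protocol http 80
PIX1(config)# fixup protocol http 8080           ! URL filtering and the activex/java filters now apply to 8080
PIX1(config)# filter activex 8080 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
PIX1(config)# filter java 8080 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

! Once an access-group is applied on the inside interface the default
! "anything outbound" behaviour is gone: only what the list permits gets out.
PIX1(config)# access-list EGRESS deny   tcp any 130.100.26.0 255.255.255.0 log          ! forbidden destination, logged
PIX1(config)# access-list EGRESS permit tcp 10.1.1.0 255.255.255.0 any eq 8080           ! HTTP on the sanctioned port
PIX1(config)# access-list EGRESS permit tcp 10.1.1.0 255.255.255.0 host 172.16.1.80 eq www   ! only the assumed DMZ proxy may be reached on 80
PIX1(config)# access-list EGRESS deny   tcp any any eq www log                           ! everything else on 80 is blocked and logged
PIX1(config)# access-list EGRESS permit udp 10.1.1.0 255.255.255.0 any eq domain
PIX1(config)# access-list EGRESS permit tcp 10.1.1.0 255.255.255.0 any eq smtp
PIX1(config)# access-list EGRESS permit icmp 10.1.1.0 255.255.255.0 any echo
PIX1(config)# access-list EGRESS deny   ip any any log                                   ! the implicit deny made explicit, with a counter
PIX1(config)# access-group EGRESS in interface inside

! The list on the inside interface is checked before translation, so it names
! real inside addresses (10.1.1.0/24); the list on the outside interface names
! mapped ones. Sources are pinned to the inside subnet so a host on the inside
! cannot spoof its way past the policy. Verify with the counters (illustrative):
PIX1# show access-list EGRESS
!   access-list EGRESS permit tcp 10.1.1.0 255.255.255.0 any eq 8080 (hitcnt=42)
!   access-list EGRESS deny tcp any any eq www log (hitcnt=7)      <- clients still trying port 80
```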

Configure Default Routing
Configure a default route to the Internet router.
PIX1(config)#route outside 0.0.0.0 0.0.0.0 192.150.50.1 1     <- Next hop must be on the outside subnet; the trailing 1 is the metric. route outside 0 0 192.150.50.1 is the shorthand

Configure RIP with MD5 Authentication
PIX1(config)#ip address outside 192.168.1.2 255.255.255.0     <- Interface (host) addresses as in the basic setup; RIP runs on each interface's own subnet
PIX1(config)#ip address inside 10.1.1.1 255.255.255.0
PIX1(config)#rip outside passive version 2 authentication md5 ccie 1     <- Listen only on the outside interface; updates must carry MD5 authentication with key ccie, key id 1, or they are ignored
PIX1(config)#rip outside default version 2 authentication md5 ccie 1     <- Advertise a default route out of the outside interface, also authenticated; a default route is the only thing a PIX ever advertises over RIP
PIX1(config)#rip inside passive version 2     <- Unauthenticated on the inside; add authentication md5 here as well unless the inside segment is fully trusted, since anyone on it can otherwise inject routes into the PIX
PIX1(config)#rip inside default version 2

Configure OSPF with MD5 Authentication
Run OSPF on the inside interface in area 0 with MD5 authentication, and on the outside interface in area 1 with MD5 authentication. The task calls the outside side an ABR in area 1; using two processes as below, the PIX is in fact an ASBR between them, which is what makes the one-way leak of routes possible: the inside learns the outside routes, but not the reverse.
PIX1(config)#routing interface outside
PIX1(config-routing)#ospf message-digest-key 1 md5 cisco_outside     <- Key id 1 and its secret must match the neighbours on this segment
PIX1(config-routing)#ospf authentication message-digest
PIX1(config)#routing interface inside
PIX1(config-routing)#ospf message-digest-key 1 md5 cisco_inside
PIX1(config-routing)#ospf authentication message-digest
PIX1(config)#router ospf 1     <- Process 1 covers the inside interface only
PIX1(config-router)#network 10.1.1.0 255.255.255.0 area 0
PIX1(config-router)#area 0 authentication message-digest     <- Turns on MD5 for the area; the per-interface key above is what is actually used
PIX1(config-router)#redistribute ospf 2     <- Routes learned by process 2 (outside) are injected into process 1 as external routes. There is no redistribute ospf 1 under process 2, so inside routes stay inside; without any redistribution the two processes are fully isolated
PIX1(config)#router ospf 2     <- Second process for the outside interface
PIX1(config-router)#network 192.168.1.0 255.255.255.0 area 1
PIX1(config-router)#area 1 authentication message-digest

Configuring Multicast Support
Forward multicast traffic from the DMZ to receivers on the inside interface.
PIX1(config)#multicast interface dmz     <- Enables multicast processing on the interface facing the source
PIX1(config)#multicast interface inside     <- Enables it on the receiver side and enters multicast subcommand mode for that interface
PIX1(config-multicast)#igmp forward interface dmz     <- IGMP membership reports received on the inside are forwarded out of the dmz interface toward the multicast router; the PIX then replicates the group traffic onto the inside

Forward multicast from the inside source 10.0.0.11 to group 230.1.1.2 on the outside interface.
PIX1(config)#multicast interface outside
PIX1(config)#multicast interface inside
PIX1(config-multicast)#mroute 10.0.0.11 255.255.255.255 inside 230.1.1.2 255.255.255.255 outside     <- Static multicast route: source, source mask, incoming interface, group, group mask, outgoing interface. Needed because the PIX does not run PIM, so a source-to-group mapping has to be given by hand

Configuring AAA Services
A CiscoSecure ACS TACACS+ server is at 192.168.1.7 with the secret key cisco6727. Configure the PIX to authenticate against it, use access-lists so that only telnet and www sessions through the firewall are authenticated, authenticate console access over ssh, serial and telnet, and enable authorization and accounting as well.
PIX2(config)#aaa-server TACACS+ protocol tacacs+     <- Server group named TACACS+ (the name is arbitrary; the protocol keyword is what matters)
PIX2(config)#aaa-server TACACS+ (inside) host 192.168.1.7 cisco6727 timeout 5     <- Server reached via the inside interface, the shared secret, and a 5 s timeout before the next server in the group is tried
PIX2(config)#aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+     <- Cut-through proxy: inbound connections from anywhere to anywhere must be authenticated first. Only telnet, ftp and http sessions can be prompted for credentials; other protocols pass only after the user has authenticated with one of those (or via virtual telnet)
PIX2(config)#aaa authentication include any outbound 0.0.0.0 0.0.0.0 192.168.1.0 255.255.255.0 TACACS+     <- Outbound form is local_ip local_mask foreign_ip foreign_mask: every local host going to 192.168.1.0/24
PIX2(config)#aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+     <- Start/stop records for every outbound connection. Note that the include any form does not meet the telnet-and-www-only requirement (that needs the aaa ... match access-list form) and that no aaa authorization line is configured here at all
PIX2(config)#aaa authentication telnet console TACACS+     <- Logins to the PIX itself. If every server is unreachable the PIX accepts the username pix with the enable password, so keep that password strong
PIX2(config)#aaa authentication ssh console TACACS+
PIX2(config)#aaa authentication serial console TACACS+
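The requirement above (authenticate only telnet and www through the firewall, authorize and account for them, and protect console access) is implemented below with the aaa ... match form that PIX 6.2 and later accept. This is an added example rather than part of the original notes: server, key and addresses are the page's; the access-list names, the local fallback account pixadmin and its password, the timeouts and the show output are assumptions.

```cisco
! --- Added example: TACACS+ cut-through proxy scoped by access-list, with local fallback ---
PIX2(config)# aaa-server TACACS+ protocol tacacs+
PIX2(config)# aaa-server TACACS+ (inside) host 192.168.1.7 cisco6727 timeout 5

! Interesting traffic for the proxy: only telnet and www, in either direction
PIX2(config)# access-list AUTH-IN  permit tcp any any eq telnet
PIX2(config)# access-list AUTH-IN  permit tcp any any eq www
PIX2(config)# access-list AUTH-OUT permit tcp any any eq telnet
PIX2(config)# access-list AUTH-OUT permit tcp any any eq www

! match form (6.2+): authenticate, authorize and account for exactly the flows in the list
PIX2(config)# aaa authentication match AUTH-IN  outside TACACS+
PIX2(config)# aaa authentication match AUTH-OUT inside  TACACS+
PIX2(config)# aaa authorization  match AUTH-OUT inside  TACACS+   ! per-user service authorization; TACACS+ only
PIX2(config)# aaa accounting     match AUTH-OUT inside  TACACS+
PIX2(config)# aaa accounting     match AUTH-IN  outside TACACS+

! Lifetime of an authenticated user entry (uauth): 1 h absolute, 10 min idle
PIX2(config)# timeout uauth 1:00:00 absolute uauth 0:10:00 inactivity

! Management access: TACACS+ first, LOCAL user database if no server answers (PIX 6.3)
PIX2(config)# username pixadmin password S3cret-Fallback privilege 15
PIX2(config)# aaa authentication telnet console TACACS+ LOCAL
PIX2(config)# aaa authentication ssh    console TACACS+ LOCAL
PIX2(config)# aaa authentication serial console TACACS+ LOCAL
PIX2(config)# aaa authentication enable console TACACS+ LOCAL   ! guard the enable prompt too

! Checks (illustrative output)
PIX2# show uauth
!   Current  Most Seen
!   Authenticated Users  1  1
!   user 'alice' at 10.1.1.50, authenticated, absolute timeout 1:00:00, inactivity timeout 0:10:00
PIX2# show aaa-server
!   aaa-server TACACS+ (inside) host 192.168.1.7 cisco6727 timeout 5
! Test a fresh login from a second session before closing the one you configured
! this from: if the server group is misconfigured, the LOCAL account and the
! "pix" username with the enable password are the only ways back in.
```

The match form keeps the proxy from intercepting protocols it cannot prompt for, which is what the `include any` lines on the page do; scoping it to telnet and www is the least-privilege reading of the task.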

Configuring SSH
Accept SSH connections on the PIX, kill sessions after two hours of inactivity, allow only VLAN_D hosts (144.254.4.0/26) to SSH to the PIX, use the domain name cisco.com and set all passwords to cisco.
PIX1(config)#domain-name cisco.com     <- Hostname and domain name are part of the RSA key's identity and must be set before the key is generated
PIX1(config)#ca generate rsa key 2048     <- Generates the RSA host key with a 2048-bit modulus; PIX keys are not named. Follow with ca save all, or the key is lost at the next reload and SSH stops working
PIX1(config)#ssh 144.254.4.0 255.255.255.192 inside     <- Only this /26 on the inside may open SSH sessions; unlike telnet, ssh may also be permitted on the outside interface
PIX1(config)#ssh timeout 60     <- Idle timeout in minutes; the PIX accepts 1 to 60, so the two hours the task asks for cannot be configured and 60 is the longest possible
PIX1(config)#enable password cisco
PIX1(config)#passwd cisco     <- Also the SSH login password; without AAA the SSH username is always pix

Configuring VPN Client Remote Access
1.  Define the AAA server
PIX2(config)#aaa-server TACACS+ protocol tacacs+
PIX2(config)#aaa-server TACACS+ (inside) host 192.168.1.7 cisco6727 timeout 5
2.  Configure the IKE policy
PIX2(config)#isakmp enable outside     <- IKE listens on the outside interface (UDP/500)
PIX2(config)#isakmp identity address     <- The PIX identifies itself to peers by IP address (the alternative is hostname); both ends must agree
PIX2(config)#isakmp policy 10 authentication pre-share     <- Pre-shared key; for clients the key is the vpngroup password set below
PIX2(config)#isakmp policy 10 encryption des     <- 56-bit DES is the weakest option and is brute-forceable; use 3des (or aes on 6.3) wherever the licence allows
PIX2(config)#isakmp policy 10 hash md5     <- Hash algorithm for the IKE SA; sha is the stronger choice
PIX2(config)#isakmp policy 10 group 2     <- Diffie-Hellman group: 1 (768-bit) for VPN client 2.5x, 2 (1024-bit) for VPN client 3.x
PIX2(config)#isakmp policy 10 lifetime 86400     <- IKE SA lifetime in seconds (24 h)
3.  Configure Extended Authentication (Xauth), which lets the TACACS+ or RADIUS server authenticate the individual user after the group has been authenticated with the pre-shared key
PIX2(config)#crypto map mymap client authentication TACACS+     <- Xauth is tied to the crypto map and to the aaa-server group name
PIX2(config)#crypto map mymap interface outside     <- Applies the crypto map to the interface
4.  Create a dynamic crypto map
PIX2(config)#crypto ipsec transform-set ccie esp-des esp-md5-hmac     <- ESP encryption and integrity transforms offered to the clients; define the set before referencing it
PIX2(config)#crypto dynamic-map dynmap 10 set transform-set ccie     <- A dynamic map has no peer address because client addresses are not known in advance
PIX2(config)#crypto map mymap 10 ipsec-isakmp dynamic dynmap     <- Hangs the dynamic map off the static crypto map; give it the highest sequence number so that entries for fixed peers are matched first
5.  Create access-lists, define the address pool and configure NAT
PIX2(config)#access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0     <- Inside network to the client pool
PIX2(config)#ip local pool ippool 192.168.2.1-192.168.2.254     <- Addresses handed to clients after they authenticate
PIX2(config)#nat (inside) 0 access-list 101     <- NAT exemption, so traffic from the inside to a client is not translated before it is encrypted
6.  Configure the VPN client 3.x policy attributes pushed to the client
PIX2(config)#vpngroup vpn address-pool ippool     <- vpn is the group name the client is configured with
PIX2(config)#vpngroup vpn dns-server 156.46.10.10
PIX2(config)#vpngroup vpn wins-server 10.1.1.1
PIX2(config)#vpngroup vpn default-domain cisco.com
PIX2(config)#vpngroup vpn split-tunnel 101     <- Only traffic matching access-list 101 (to 192.168.1.0/24) is encrypted; everything else leaves the client in clear text, so the client is on the Internet and inside the VPN at the same time. Omit this line to tunnel everything
PIX2(config)#vpngroup vpn pfs     <- Perfect Forward Secrecy: a fresh Diffie-Hellman exchange for each IPSec SA, so the compromise of one key does not expose earlier or later traffic
PIX2(config)#vpngroup vpn idle-time 1800     <- Tunnel is torn down after 30 minutes without traffic
PIX2(config)#vpngroup vpn password group-password     <- The group pre-shared key; the user enters it in the client's group settings
7.  Permit IPSec traffic
PIX2(config)#sysopt connection permit-ipsec     <- Decrypted IPSec traffic bypasses the interface access-lists; without this an access-list on the outside interface would have to permit the inner traffic explicitly

Configuring VPNs Between Two PIXes
From the peer and key lines below: PIX1's outside address is 130.100.1.1 and it protects 10.1.1.0/24; PIX2's outside address is 130.100.26.1 and it protects 192.168.1.0/24.
1.  Configure the IKE policy
PIX1(config)#isakmp enable outside     <- IKE listens on the outside interface
PIX1(config)#isakmp policy 10 authentication pre-share     <- Pre-shared key, configured per peer in step 2
PIX1(config)#isakmp policy 10 encryption des     <- Weak; prefer 3des or aes where licensed
PIX1(config)#isakmp policy 10 hash md5
PIX1(config)#isakmp policy 10 group 1     <- 768-bit Diffie-Hellman; group 2 is the better choice between two PIXes. The policy must match on both ends
PIX1(config)#isakmp policy 10 lifetime 86400     <- IKE SA lifetime in seconds
2.  Configure the pre-shared key
PIX1(config)#isakmp identity address     <- Identify by IP address; both peers must use the same identity type
PIX1(config)#isakmp key cisco1234 address 130.100.26.1 netmask 255.255.255.255     <- Key bound to this one peer. A netmask of 0.0.0.0 would make it a wildcard key shared with any peer, which defeats peer authentication
3.  Create the IPSec parameters
PIX1(config)#access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0     <- Crypto access-list, local network first, remote network second; it selects the traffic to encrypt and must be the mirror image of the peer's list
PIX1(config)#crypto ipsec transform-set myset esp-des esp-sha-hmac     <- ESP encryption and integrity transforms
PIX1(config)#crypto map newmap 10 ipsec-isakmp     <- Crypto map entry 10, with keys negotiated by IKE
PIX1(config)#crypto map newmap 10 match address 101
PIX1(config)#crypto map newmap 10 set peer 130.100.26.1
PIX1(config)#crypto map newmap 10 set transform-set myset
PIX1(config)#crypto map newmap interface outside
Two things this lab snippet leaves out: nat (inside) 0 access-list 101, so that the traffic is not translated before it is encrypted (translated packets no longer match the crypto list and leave in clear text), and sysopt connection permit-ipsec (or an outside access-list) so that the decrypted traffic is allowed in.

PIX2(config)#isakmp enable outside
PIX2(config)#isakmp policy 10 authentication pre-share
PIX2(config)#isakmp policy 10 encryption des
PIX2(config)#isakmp policy 10 hash md5
PIX2(config)#isakmp policy 10 group 1
PIX2(config)#isakmp policy 10 lifetime 86400
PIX2(config)#isakmp identity address
PIX2(config)#isakmp key cisco1234 address 130.100.1.1 netmask 255.255.255.255
PIX2(config)#access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0     <- Mirror of PIX1's list, with PIX2's own network first. An identical (unmirrored) list on both ends leaves the proxy identities mismatched and phase 2 never completes
PIX2(config)#crypto ipsec transform-set myset esp-des esp-sha-hmac
PIX2(config)#crypto map newmap 10 ipsec-isakmp
PIX2(config)#crypto map newmap 10 match address 101
PIX2(config)#crypto map newmap 10 set peer 130.100.1.1
PIX2(config)#crypto map newmap 10 set transform-set myset
PIX2(config)#crypto map newmap interface outside
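An added example, not from the original notes: the PIX1 side of the tunnel above rewritten the way I would deploy it, with the two omissions (NAT exemption and permitting decrypted traffic) filled in, stronger algorithms, dead-peer detection and the commands that verify both phases. Addresses and the pre-shared key are the page's; the 3DES licence, the access-list and transform-set names and the show output are assumptions.

```cisco
! --- Added example: PIX1 side of a site-to-site tunnel, hardened and verifiable ---
! Local 10.1.1.0/24 behind PIX1 (outside 130.100.1.1); remote 192.168.1.0/24 behind PIX2 (130.100.26.1)

! Phase 1 (IKE)
PIX1(config)# isakmp enable outside
PIX1(config)# isakmp identity address
PIX1(config)# isakmp policy 10 authentication pre-share
PIX1(config)# isakmp policy 10 encryption 3des     ! needs the 3DES/AES licence (assumed); des only if nothing else is possible
PIX1(config)# isakmp policy 10 hash sha
PIX1(config)# isakmp policy 10 group 2
PIX1(config)# isakmp policy 10 lifetime 28800
PIX1(config)# isakmp key cisco1234 address 130.100.26.1 netmask 255.255.255.255   ! one key per peer, never netmask 0.0.0.0
PIX1(config)# isakmp keepalive 10 5        ! DPD: probe every 10 s, retry after 5 s, so a dead peer's SA is torn down instead of black-holing traffic

! Interesting traffic: local first, remote second; PIX2 needs the exact mirror
PIX1(config)# access-list VPN-PIX2 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
! NAT exemption: without it the packets are translated to the global pool first,
! no longer match the crypto list, and leave the outside interface in clear text
PIX1(config)# nat (inside) 0 access-list VPN-PIX2

! Phase 2 (IPSec)
PIX1(config)# crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
PIX1(config)# crypto ipsec security-association lifetime seconds 3600
PIX1(config)# crypto map newmap 10 ipsec-isakmp
PIX1(config)# crypto map newmap 10 match address VPN-PIX2
PIX1(config)# crypto map newmap 10 set peer 130.100.26.1
PIX1(config)# crypto map newmap 10 set transform-set STRONG
PIX1(config)# crypto map newmap 10 set pfs group2      ! fresh DH per IPSec SA; PIX2 must set it too or phase 2 fails
PIX1(config)# crypto map newmap interface outside

! Let decrypted traffic in without an outside access-list entry for it
PIX1(config)# sysopt connection permit-ipsec

! Verify (illustrative output). Send traffic from 10.1.1.0/24 to 192.168.1.0/24 first;
! the SA is only built on demand.
PIX1# show crypto isakmp sa
!   dst             src             state     pending   created
!   130.100.26.1    130.100.1.1     QM_IDLE   0         1        <- phase 1 is up
PIX1# show crypto ipsec sa
!   local ident  (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
!   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
!   #pkts encaps: 12, #pkts encrypt: 12 ... #pkts decaps: 12, #pkts decrypt: 12
! encaps rising while decaps stays at 0 means the far end is not sending back:
! check PIX2's mirrored access-list and its nat 0 line. If phase 1 never leaves
! MM_NO_STATE, the pre-shared key or the isakmp policy does not match.
```

PIX2 gets the same configuration with the networks and peer address swapped; the only lines that differ are the access-list, the `isakmp key ... address` and the `set peer`.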

Creating an IPSec Tunnel with a Certificate Authority (CA)
1.  Make sure the date and time, hostname, domain name and DNS are configured. Certificate validity is checked against the clock, so a wrong time makes enrolment or tunnel setup fail
PIX1(config)#clock set 14:41:59 12 April 2004
PIX1(config)#hostname PIX1
PIX1(config)#domain-name smif101.com     <- Hostname and domain name form the subject name in the certificate request
PIX1(config)#name 172.18.1.121 pkitest1     <- Host-to-IP mapping so the CA can be referred to by name
2.  Generate the local key pair and define the CA
PIX1(config)#ca generate rsa key 1024     <- Modulus length in bits; Cisco recommends at least 1024
PIX1(config)#ca identity myca pkitest1:/certsrv/mscep/mscep.dll     <- CA nickname, CA host and the SCEP script path of a Microsoft CA (the service is http://pkitest1/certsrv/mscep/mscep.dll; the PIX takes host and path separated by a colon)
PIX1(config)#ca configure myca ra 2 2     <- Registration-authority mode, as a Microsoft CA uses, with a 2-minute retry period and 2 retries
PIX1(config)#ca authenticate myca     <- Fetches the CA certificate. Compare the fingerprint it prints with the CA administrator before accepting it; this certificate is the trust anchor for every tunnel
PIX1(config)#ca enroll myca mypassword     <- Requests the PIX's own certificate; the password is the challenge password needed to revoke it later, and the command asks a few follow-up questions. Finish with ca save all so that keys and certificates are written to flash
3.  Configure the IKE policy to authenticate with the CA
PIX1(config)#isakmp policy 10 authentication rsa-sig     <- RSA signatures (certificates) instead of a pre-shared key; rsa-sig is the default authentication method

Configure Intrusion Detection
Configure the PIX IDS as follows. On the outside interface enable all informational signatures, drop the packet and send a syslog message. Attack signatures are enabled on both interfaces: on the outside, drop the packet, send a syslog message and reset the TCP connection in both directions; on the inside, drop the packet and send a syslog message. Disable signature 1101.
PIX1(config)#ip audit name info-outside info action alarm drop     <- Audit policy for the informational signature class: alarm = syslog message, drop = discard the packet
PIX1(config)#ip audit name attack-outside attack action alarm drop reset     <- reset sends a TCP RST to both ends of the offending connection
PIX1(config)#ip audit name attack-inside attack action alarm drop
PIX1(config)#ip audit interface outside info-outside     <- Binds the policies to interfaces; one info and one attack policy per interface
PIX1(config)#ip audit interface outside attack-outside
PIX1(config)#ip audit interface inside attack-inside
PIX1(config)#ip audit info action alarm     <- Default actions for any policy created without an explicit action
PIX1(config)#ip audit attack action alarm
PIX1(config)#ip audit signature 1101 disable     <- Signature 1101 (unknown IP protocol) is switched off globally, on every interface. show ip audit count lists hits per signature and confirms the policies are active

Configuring PIX Failover
Configure two PIXes for LAN-based stateful failover.
PIX1(config)#ip address outside 192.168.1.1 255.255.255.0     <- Active addresses; the whole configuration is replicated to the secondary
PIX1(config)#ip address inside 10.1.1.1 255.255.255.0
PIX1(config)#clock set 13:01:01 25 May 2004     <- Both units should agree on the time; NTP is better than a manual clock set
PIX1(config)#nameif ethernet3 myfailover security55     <- Dedicated interface for the failover link, carrying nothing else; use a crossover cable or a switch, not a hub
PIX1(config)#interface ethernet3 100full     <- Fixed speed and duplex on both units; auto-negotiation mismatches are a classic cause of false failovers
PIX1(config)#ip address myfailover 172.17.1.1 255.255.255.0
PIX1(config)#failover     <- Enables the failover process
PIX1(config)#failover poll 8     <- Hello interval in seconds (3-15, default 15). A unit is declared failed after several missed hellos, so a lower value gives a faster but twitchier failover
PIX1(config)#failover ip address outside 192.168.1.2     <- Standby addresses, one per interface; the standby unit uses these while passive and swaps to the active ones on failover
PIX1(config)#failover ip address inside 10.1.1.2
PIX1(config)#failover ip address myfailover 172.17.1.2
PIX1(config)#failover link myfailover     <- Interface used to replicate connection state (stateful failover). Sharing it with the LAN failover link works, but a separate interface is recommended because state replication can be heavy
PIX1(config)#no failover     <- Failover must be off while the LAN-based failover parameters are entered
PIX1(config)#failover lan unit primary     <- This unit is the primary
PIX1(config)#failover lan interface myfailover     <- LAN interface used for hellos and configuration replication instead of the serial failover cable
PIX1(config)#failover lan key ccie1234     <- Shared key that encrypts failover messages between the units. Without it the configuration, including passwords and pre-shared keys, is replicated in clear text
PIX1(config)#failover lan enable     <- Switches from serial-cable to LAN-based failover
PIX1(config)#failover

The secondary only needs the failover interface and the LAN failover settings; it pulls the rest of the configuration from the primary.
PIX2(config)#nameif ethernet3 myfailover security55
PIX2(config)#interface ethernet3 100full
PIX2(config)#ip address myfailover 172.17.1.1 255.255.255.0     <- Same active address as on the primary; as the secondary unit it will use the standby address from the next line
PIX2(config)#failover ip address myfailover 172.17.1.2     <- No netmask on this command; the mask comes from the ip address line
PIX2(config)#failover lan unit secondary
PIX2(config)#failover lan interface myfailover
PIX2(config)#failover lan key ccie1234
PIX2(config)#failover lan enable
PIX2(config)#failover     <- Once both are up, show failover on either unit should report the primary as active and the secondary as standby ready

Advanced PIX Configurations
Point the PIX at a Websense server at 10.0.6.80; every outbound URL request is then checked against the Websense policy before the PIX lets the reply through.
PIX1(config)#url-server (inside) host 10.0.6.80 timeout 5     <- Websense is the default vendor; the server has 5 s to answer a lookup
PIX1(config)#filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0     <- All inside clients to all servers on port 80. Add the allow keyword if traffic should pass when the URL server is unreachable; the default is to block, which turns a Websense outage into a web outage

Block IP spoofing on both the inside and outside interfaces.
PIX1(config)#ip verify reverse-path interface outside     <- Unicast RPF: a packet is dropped unless the route back to its source address points out of the interface it arrived on. On the outside this drops packets that claim inside source addresses
PIX1(config)#ip verify reverse-path interface inside     <- On the inside it drops packets whose source the routing table does not place behind the inside, so every inside subnet (10.1.2.0/24 above, for example) needs a route inside entry or its traffic is discarded

When inside hosts use FTP, POP or HTTP services on the Internet, speed up the response to their requests.
PIX1(config)#service resetinbound     <- Many FTP, SMTP and POP servers send an IDENT query (TCP/113) back to the client before answering. By default the PIX silently drops such denied inbound packets, so the server waits for its IDENT timeout; with service resetinbound the PIX answers denied inbound TCP packets with a RST and the server proceeds at once

posted on 2005-06-15 17:31 by cunshen