The Cisco PIX 525 firewall is an old product, and you may find materials about it published decades ago. Using a PIX 525, I'll recap the firewall rules to show you how to configure NAT, static mappings and access control, so that you gain confidence with Cisco's other firewall products such as the ASA.
1. The diagram for the Cisco PIX 525 lab configuration
2. Use the commands below to erase all configuration before each lab.
R1#write erase
R1#reload
System configuration has been modified. Save? [yes/no]: no
(Note: if you select 'yes', the current running configuration is saved to NVRAM, negating the whole purpose of erasing the startup configuration, and the router boots up with the current configuration.)
Proceed with reload? [confirm]
********************
When the device starts up, select 'no' at the prompt below:
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
3. Preconfigure the following on all devices:
conf t
host xxx
no ip domain-lookup
line con 0
logg syn
no exec-t
line vty 0 4
logg syn
no exec-t
privi level 15
no login
4. When the PIX comes up, it asks for a password on 'enable'; just press Enter (there is no password).
pixfirewall> en
Password:
pixfirewall#
5. Configure R1(Internet):
conf t
int lo0
ip address 1.1.1.1 255.255.255.255
int f0/0
ip address 202.1.1.10 255.255.255.0
no sh
6. Configure R2(Inside):
conf t
int lo0
ip address 2.2.2.2 255.255.255.255
int f0/0
ip address 10.10.10.12 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 10.10.10.1
7. Configure R7(Inside):
conf t
int lo0
ip address 7.7.7.7 255.255.255.255
int f0/0
ip address 10.10.10.17 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 10.10.10.1
8. Configure R3(DMZ):
conf t
int lo0
ip address 3.3.3.3 255.255.255.255
int f0/0
ip address 172.16.1.13 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 172.16.1.1
9. Configure PIX 525:
pix3(config)# int e0
pix3(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
pix3(config-if)# no sh
pix3(config-if)# ip address 202.1.1.1 255.255.255.0
pix3(config-if)# int e1
pix3(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
pix3(config-if)# no sh
pix3(config-if)# ip address 10.10.10.1 255.255.255.0
pix3(config-if)# int e2
pix3(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
pix3(config-if)# security-level 50
pix3(config-if)# ip address 172.16.1.1 255.255.255.0
pix3(config-if)# no sh
10. Allow only the subnet 10.10.10.0/24 to telnet to the PIX through the inside interface.
By default, the telnet service is disabled on the PIX.
Before configuring it, from R2 we get:
R2-Inside#telnet 10.10.10.1
Trying 10.10.10.1 ...
% Connection timed out; remote host not responding
After configuring the PIX with the line below:
pix3(config)# telnet 10.10.10.0 255.255.255.0 inside
R2-Inside#telnet 10.10.10.1
Trying 10.10.10.1 ... Open
User Access Verification
Password: cisco (---> By default the password is cisco)
Type help or '?' for a list of available commands.
pix3>
11. Configure NAT so that all internal users can access the Internet
Network address translation (NAT)
The nat command translates the inside network addresses or interfaces: it specifies the range of addresses that will be translated to global addresses. The global command defines the global (outside) addresses, which are what the outside world or Internet sees.
Before NAT is configured, we cannot telnet to R1-Internet from R2-Inside.
R2-Inside#telnet 202.1.1.10
Trying 202.1.1.10 ...
% Connection refused by remote host
Configure NAT on the PIX for access from a higher-security to a lower-security interface:
(We could also use a static mapping between an internal private IP and an external public IP, but that is not recommended because it dedicates a whole public IP to one internal host. Dynamic NAT, i.e. PAT, is therefore recommended from the higher-security area to the lower one.)
Three main steps:
1. Declare the global address that internal IP addresses are exposed as externally.
pix3(config)# global (outside) 10 interface
INFO: outside interface address added to PAT pool
2. Declare the internal IP addresses that access the outside using the global address from step 1.
pix3(config)# nat (inside) 10 0.0.0.0 0.0.0.0
3. Permit the service through the PIX with access control.
Let's take telnet as an example.
access-list from_inside extended permit tcp any 202.1.1.0 255.255.255.0 eq telnet
access-group from_inside in interface inside
After these three steps, we can telnet from internal to external:
R2-Inside#telnet 202.1.1.10
Trying 202.1.1.10 ... Open
R1-Internet#
We can use sh xlate to check the translation:
pix3(config)# sh xlate
1 in use, 1 most used
PAT Global 202.1.1.1(1024) Local 10.10.10.12(31769)
pix3(config)# sh conn
1 in use, 1 most used
TCP out 202.1.1.10:23 in 10.10.10.12:31769 idle 0:03:18 bytes 368 flags UIO
pix3(config)# sh nat
NAT policies on Interface inside:
match ip inside any outside any
dynamic translation to pool 10 (202.1.1.1 [Interface PAT])
translate_hits = 3, untranslate_hits = 5
match ip inside any inside any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any dmz any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
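The three outputs above (sh xlate, sh conn, sh nat) are what you read when checking that the PAT is actually in use. As an added example, not part of the lab, here is a small Python parser for the sh xlate and sh conn lines that ties each connection back to its translation slot, so you can tell which inside host owns a flow that the outside sees coming from 202.1.1.1. The sample lines are the ones shown in this step; the one static-slot line ("Global ... Local ...", no ports) is constructed in the shape the step 14 static would produce, since the lab does not show its xlate output. Regexes, record names and the flag meanings (U = up, I = inbound data, O = outbound data) are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Xlate:
    pat: bool                    # True for a PAT slot (ports rewritten), False for a 1:1 slot
    global_ip: str
    global_port: Optional[int]   # None on a 1:1 slot: the port passes through unchanged
    local_ip: str
    local_port: Optional[int]


@dataclass(frozen=True)
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    idle: str
    nbytes: int
    flags: str


# PAT Global 202.1.1.1(1024) Local 10.10.10.12(31769)   |   Global 202.1.1.13 Local 172.16.1.13
XLATE_RE = re.compile(
    r"^(?P<pat>PAT\s+)?Global\s+(?P<gip>\d+(?:\.\d+){3})(?:\((?P<gport>\d+)\))?"
    r"\s+Local\s+(?P<lip>\d+(?:\.\d+){3})(?:\((?P<lport>\d+)\))?\s*$"
)
# TCP out 202.1.1.10:23 in 10.10.10.12:31769 idle 0:03:18 bytes 368 flags UIO
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<oip>\d+(?:\.\d+){3}):(?P<oport>\d+)"
    r"\s+in\s+(?P<iip>\d+(?:\.\d+){3}):(?P<iport>\d+)"
    r"\s+idle\s+(?P<idle>\S+)\s+bytes\s+(?P<nbytes>\d+)(?:\s+flags\s+(?P<flags>\S+))?\s*$"
)
CONN_FLAGS = {"U": "up", "I": "inbound data", "O": "outbound data"}


def parse_xlate(text: str) -> List[Xlate]:
    """One Xlate per slot line; the 'N in use, N most used' header does not match and is skipped."""
    slots = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            slots.append(Xlate(
                pat=m.group("pat") is not None,
                global_ip=m.group("gip"),
                global_port=int(m.group("gport")) if m.group("gport") else None,
                local_ip=m.group("lip"),
                local_port=int(m.group("lport")) if m.group("lport") else None))
    return slots


def parse_conn(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(Conn(m.group("proto"), m.group("oip"), int(m.group("oport")),
                              m.group("iip"), int(m.group("iport")), m.group("idle"),
                              int(m.group("nbytes")), m.group("flags") or ""))
    return conns


def describe_flags(flags: str) -> List[str]:
    return [CONN_FLAGS.get(f, f"unknown({f})") for f in flags]


def correlate(conns: List[Conn], xlates: List[Xlate]) -> List[Tuple[str, str, str]]:
    """(inside endpoint, endpoint the outside sees, outside peer) for every connection.

    A PAT slot must match the inside address and port; a 1:1 slot matches on
    address alone and the inside port is carried through unchanged.
    """
    rows = []
    for c in conns:
        seen = "untranslated"
        for x in xlates:
            if x.local_ip == c.in_ip and (not x.pat or x.local_port == c.in_port):
                seen = f"{x.global_ip}:{x.global_port if x.pat else c.in_port}"
                break
        rows.append((f"{c.in_ip}:{c.in_port}", seen, f"{c.out_ip}:{c.out_port}"))
    return rows


# Output copied from this step: R2 telnetting to R1 through interface PAT.
SH_XLATE = "1 in use, 1 most used\nPAT Global 202.1.1.1(1024) Local 10.10.10.12(31769)\n"
SH_CONN = "1 in use, 1 most used\nTCP out 202.1.1.10:23 in 10.10.10.12:31769 idle 0:03:18 bytes 368 flags UIO\n"
# Constructed: the form a 1:1 static slot takes (the lab never shows this output).
STATIC_XLATE = "Global 202.1.1.13 Local 172.16.1.13\n"

if __name__ == "__main__":
    conns, slots = parse_conn(SH_CONN), parse_xlate(SH_XLATE)
    for inside, seen, peer in correlate(conns, slots):
        print(f"{inside} appears as {seen} talking to {peer}; flags: {describe_flags(conns[0].flags)}")
```

Run it against a pasted sh xlate / sh conn capture to get the inside owner of each outside-visible flow; on a busy box the conn table is the one to read first, because a PAT slot can linger after its connection has gone.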
pix3(config)#packet-tracer input inside tcp 10.10.10.12 34000 202.1.1.10 23 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x46ea3b0, priority=1, domain=permit, deny=false
hits=329, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 202.1.1.0 255.255.255.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from_inside in interface inside
access-list from_inside extended permit tcp any 202.1.1.0 255.255.255.0 eq telnet
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4202eb0, priority=12, domain=permit, deny=false
hits=2, user_data=0x4725318, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=202.1.1.0, mask=255.255.255.0, port=23
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x46ed808, priority=0, domain=permit-ip-option, deny=true
hits=89, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 10 (202.1.1.1 [Interface PAT])
translate_hits = 8, untranslate_hits = 11
Additional Information:
Dynamic translate 10.10.10.12/34000 to 202.1.1.1/1026 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0x4749d00, priority=1, domain=nat, deny=false
hits=7, user_data=0x46fa870, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 10 (202.1.1.1 [Interface PAT])
translate_hits = 8, untranslate_hits = 11
Additional Information:
Forward Flow based lookup yields rule:
in id=0x46fb1c0, priority=1, domain=host, deny=false
hits=13, user_data=0x46fa870, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x46b3c98, priority=0, domain=permit-ip-option, deny=true
hits=5, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 90, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 202.1.1.10 using egress ifc outside
adjacency Active
next-hop mac address 001e.7aa4.45b8 hits 87
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
pix3(config)#
12. Configure ping to external from internal
Ping uses ICMP, which is connectionless. So, unlike telnet (connection-oriented), where permitting one direction is enough, we need to permit both directions separately: the ICMP echo request and the ICMP echo reply.
pix3(config)# access-list from_inside permit icmp any any
pix3(config)# access-group from_inside in interface inside
pix3(config)# access-list from_outside permit icmp any any
pix3(config)# access-group from_outside in interface outside
R2-Inside#ping 202.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2-Inside#
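Step 11 bound from_inside for telnet, and this step appended the ICMP entry to it and bound from_outside for the echo reply. As an added example (Python, not the lab's own commands), the code below evaluates those access-list and access-group lines the way packet-tracer's ACCESS-LIST phase does: the first matching entry wins and anything else hits the implicit deny at the end of the list. It implements only the entry syntax this page uses (tcp/udp/icmp/ip, any, host, subnet mask, eq port); the "no-acl" result, the SSH probe and the rejection of an entry with no destination are my additions. Note that the echo reply is evaluated on the outside interface against the translated address 202.1.1.1 (the PAT address from sh xlate), which is why the from_outside entry is needed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service names this example resolves; telnet is the one the lab uses.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str                  # permit | deny
    proto: str                   # tcp | udp | icmp | ip
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from 'eq <port>', else None
    text: str                    # original line, echoed like packet-tracer's Config: section


def _addr(t: List[str], i: int, line: str) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec at t[i]: 'any', 'host A', or 'A MASK' (PIX uses subnet masks, not wildcards)."""
    if i >= len(t):
        raise ValueError(f"address missing in entry: {line!r}")
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if i + 1 >= len(t):
        raise ValueError(f"mask missing in entry: {line!r}")
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    name, i = t[1], 2
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2, line)
    dst, i = _addr(t, i, line)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return name, Ace(action, proto, src, dst, dport, line)


@dataclass
class Firewall:
    acls: Dict[str, List[Ace]]
    bound: Dict[str, str]        # interface -> list applied with 'access-group NAME in interface IFC'


def load_config(text: str) -> Firewall:
    fw = Firewall({}, {})
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            name, ace = parse_ace(line)
            fw.acls.setdefault(name, []).append(ace)   # entries keep configuration order
        elif line.startswith("access-group "):
            t = line.split()                            # access-group NAME in interface IFC
            fw.bound[t[4]] = t[1]
    return fw


def evaluate(fw: Firewall, ifc: str, proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Decide an inbound packet on ifc: first matching entry wins, implicit deny otherwise.

    With no list bound, the PIX falls back to its security-level default
    (higher to lower permitted, lower to higher denied); reported as 'no-acl'.
    """
    name = fw.bound.get(ifc)
    if name is None:
        return "no-acl", "Implicit Rule"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in fw.acls.get(name, []):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action.upper(), ace.text
    return "DENY", f"implicit deny at the end of {name}"


# The access-list and access-group lines from steps 11 and 12 of the lab.
LAB_CONFIG = """
access-list from_inside extended permit tcp any 202.1.1.0 255.255.255.0 eq telnet
access-group from_inside in interface inside
access-list from_inside permit icmp any any
access-list from_outside permit icmp any any
access-group from_outside in interface outside
"""

if __name__ == "__main__":
    fw = load_config(LAB_CONFIG)
    print(evaluate(fw, "inside", "tcp", "10.10.10.12", "202.1.1.10", 23))   # the packet-tracer case
    print(evaluate(fw, "inside", "tcp", "10.10.10.12", "202.1.1.10", 22))   # SSH: not listed, denied
    print(evaluate(fw, "outside", "icmp", "202.1.1.10", "202.1.1.1"))       # echo reply to the PAT address
```

Binding an access-group to the inside interface replaces the default high-to-low permit, so anything not listed in from_inside (the SSH probe here) is dropped; that is also why the ICMP entry in this step is appended to from_inside rather than put in a second list, since an interface takes one inbound list.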
13. Configure the DMZ to access the internal network
If you’ve used NAT before, you’ll recognize that servers on the inside that need to be connected to from the outside will need static mappings. The static command creates a permanent mapping (called a static translation slot or “xlate”) between a local IP address and a global IP address. Use the static and access-list commands when you are accessing an interface of a higher security level from an interface of a lower security level.
- When NAT exists between two interfaces the command takes the form of “static (high,low) low high” .
- Without address translation, the format of the static command becomes different: “static (high,low) high high”.
Configure the PIX for access from lower security to higher security:
Two main steps:
(We might need a static route from the PIX to R2, but because they are directly connected there is no need.)
1. Declare the static mapping between the IP on the lower-security side and the IP on the higher-security side. Between the DMZ and the internal network we usually do this without address translation, using the format static (high,low) high high:
pix3(config)# static (inside,dmz) 10.10.10.12 10.10.10.12 netmask 255.255.255.255
2. Permit the service through the PIX with access control.
Let's take ping and telnet from the DMZ to the internal network as examples:
access-list from_dmz permit tcp any 10.10.10.0 255.255.255.0 eq telnet
access-list from_dmz permit icmp any any
access-group from_dmz in interface dmz
R3-dmz#ping 10.10.10.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.12, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R3-dmz#telnet 10.10.10.12
Trying 10.10.10.12 ... Open
R2-Inside#
Or we can do it this way, with an identity NAT:
access-list 105 permit ip host 10.10.10.12 172.16.1.0 255.255.255.0
nat (inside) 0 access-list 105
nat_id 0 means no translation: traffic from 10.10.10.12 to 172.16.1.0/24 that matches access-list 105 keeps its real address.
14. Configure external access to the DMZ
This is from the lower-security area to the higher one, so it works the same way as step 13 (DMZ to internal), with a static mapping.
Map the public address 202.1.1.13 to the DMZ private address 172.16.1.13:
pix3(config)#static (dmz,outside) 202.1.1.13 172.16.1.13 netmask 255.255.255.255
pix3(config)# access-list from_outside permit tcp any 202.1.1.13 255.255.255.255 eq telnet
pix3(config)# access-group from_outside in interface outside (already done in step 12)
R1-Internet#ping 202.1.1.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.13, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R1-Internet#telnet 202.1.1.13
Trying 202.1.1.13 ... Open
R3-dmz#
15. Internal to DMZ
This is from high to low, so we follow the same way as in step 11.
Three main steps:
1. Declare the global address that internal IP addresses are exposed as in the DMZ.
pix3(config)# global (dmz) 10 interface
INFO: dmz interface address added to PAT pool
2. Declare the internal IP addresses that access the DMZ using the global address from step 1.
pix3(config)# nat (inside) 10 0.0.0.0 0.0.0.0
3. Permit the service through the PIX with access control.
Let's take telnet as an example.
access-list from_inside extended permit tcp any 172.16.1.0 255.255.255.0 eq telnet
access-group from_inside in interface inside
R2-Inside#telnet 172.16.1.13
Trying 172.16.1.13 ... Open
R3-dmz#
16. Summary
High to low:
- Global address (pool) in low area
- Internal address in high area
- Access control (access-list + access-group)
Low to high:
- Static mapping between low and high
- Access control (access-list + access-group)
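The summary is a rule that can be encoded, which is the easiest way to keep the argument order of static (high,low) straight. As an added example, not part of the lab, the Python below derives the direction from the security levels set in step 9 and emits either the high-to-low pattern (global + nat + access-list) or the low-to-high pattern (static + access-list), reproducing the commands from steps 11, 13 and 14. The from_<interface> list names follow the page's convention; the keyword arguments, the host-based access-list entry for the low-to-high case and the ValueError for equal security levels are my assumptions.

```python
from typing import Dict, List, Optional

# Security levels as configured in step 9 of the lab.
LEVELS: Dict[str, int] = {"outside": 0, "dmz": 50, "inside": 100}


def rules_for_flow(levels: Dict[str, int], src_if: str, dst_if: str, *,
                   dst: str = "any", server_ip: Optional[str] = None,
                   mapped_ip: Optional[str] = None, proto: str = "tcp",
                   port: str = "telnet", nat_id: int = 10) -> List[str]:
    """Return the PIX commands that let proto/port flow from src_if into dst_if.

    High -> low (initiator on the more trusted side): global + nat + access-list,
    where dst is the destination spec of the entry ('any', 'host A' or 'A MASK').
    Low -> high (initiator on the less trusted side): static + access-list; the
    list on the lower-security interface names the mapped address, as step 14
    does with 202.1.1.13, never the real address behind it.
    """
    src_lvl, dst_lvl = levels[src_if], levels[dst_if]
    if src_lvl == dst_lvl:
        raise ValueError("equal security levels are not covered by the high/low rule")
    acl = f"from_{src_if}"
    cmds: List[str] = []
    if src_lvl > dst_lvl:
        cmds.append(f"global ({dst_if}) {nat_id} interface")        # mapped pool lives in the low area
        cmds.append(f"nat ({src_if}) {nat_id} 0.0.0.0 0.0.0.0")     # who gets translated, in the high area
        cmds.append(f"access-list {acl} extended permit {proto} any {dst} eq {port}")
    else:
        if server_ip is None:
            raise ValueError("low -> high needs the real address of the server on the high side")
        mapped = mapped_ip or server_ip   # no mapped address: 'static (high,low) high high'
        # static (high_if,low_if) <address as seen from the low side> <real address on the high side>
        cmds.append(f"static ({dst_if},{src_if}) {mapped} {server_ip} netmask 255.255.255.255")
        cmds.append(f"access-list {acl} extended permit {proto} any host {mapped} eq {port}")
    cmds.append(f"access-group {acl} in interface {src_if}")
    return cmds


if __name__ == "__main__":
    for flow in (dict(src_if="inside", dst_if="outside", dst="202.1.1.0 255.255.255.0"),   # step 11
                 dict(src_if="dmz", dst_if="inside", server_ip="10.10.10.12"),              # step 13
                 dict(src_if="outside", dst_if="dmz", server_ip="172.16.1.13",
                      mapped_ip="202.1.1.13")):                                              # step 14
        print("\n".join(rules_for_flow(LEVELS, **flow)), end="\n\n")
```

Generating the lines this way makes the asymmetry visible at a glance: the translation command is always written from the high-security interface's point of view, while the access-list is always applied inbound on the interface the initiator sits behind.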