How to configure a Cisco PIX 525 firewall (1)

The Cisco PIX 525 is a legacy product, and most of the material you will find about it was published many years ago. Using a PIX 525 (the command syntax and outputs below are those of the 7.x software, which is the same CLI the ASA uses), I will walk through the firewall rules needed for NAT, static mappings and access control, so that you can carry the same model over to Cisco's other firewall products such as the ASA.

1. The diagram for the configuration of the Cisco PIX 525

(The diagram is not reproduced here. The topology it shows, as used in every step below: R1 "Internet" 202.1.1.10 on the PIX outside interface e0 (202.1.1.1/24, security level 0); R2 10.10.10.12 and R7 10.10.10.17 on the inside interface e1 (10.10.10.1/24, level 100); R3 172.16.1.13 on the dmz interface e2 (172.16.1.1/24, level 50). Each router also has a loopback address: 1.1.1.1, 2.2.2.2, 7.7.7.7 and 3.3.3.3.)

2. Use the commands below to erase the configuration of each router before starting a lab.

R1#write erase

R1#reload

System configuration has been modified. Save? [yes/no]: no

(Note: answering 'yes' here would save the current running configuration back to NVRAM, which defeats the purpose of erasing the startup configuration: the router would boot up with the current configuration again.)

Proceed with reload? [confirm]

********************

When the router comes back up, answer 'no' to the setup dialog:

         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

3. Preconfigure the following on all routers (IOS accepts the abbreviated forms; the full commands are given in the comments):

conf t                    ! configure terminal

host xxx                  ! hostname xxx (R1-Internet, R2-Inside, R7-Inside, R3-dmz below)

no ip domain-lookup       ! stop mistyped commands from triggering DNS lookups

line con 0

  logg syn                ! logging synchronous

  no exec-t               ! no exec-timeout

line vty 0 4

  logg syn

  no exec-t

  privi level 15          ! privilege level 15

  no login

Note that 'no login' together with 'privilege level 15' gives anyone who can reach a vty an unauthenticated privileged shell. That is acceptable on an isolated lab and nowhere else.

4. When the PIX comes up, 'enable' prompts for a password. The default enable password is empty, so just press Enter:

pixfirewall> en
Password: 
pixfirewall# 

Set one ('enable password <password>') before the box carries any real traffic.

5. Configure R1 (Internet). R1 has no route to 10.10.10.0/24 or 172.16.1.0/24, so it can only talk to addresses on 202.1.1.0/24; that is why the inside hosts must be translated to an address on that subnet in step 11, and why the DMZ host gets the mapped address 202.1.1.13 in step 14:

conf t

int lo0
ip address 1.1.1.1 255.255.255.255
int f0/0
ip address 202.1.1.10 255.255.255.0
no sh

6. Configure R2 (Inside). The inside and DMZ routers point their default route at the PIX:

conf t

int lo0
ip address 2.2.2.2 255.255.255.255
int f0/0
ip address 10.10.10.12 255.255.255.0
no sh

ip route 0.0.0.0 0.0.0.0 10.10.10.1

7. Configure R7 (Inside):

conf t

int lo0
ip address 7.7.7.7 255.255.255.255
int f0/0
ip address 10.10.10.17 255.255.255.0
no sh

ip route 0.0.0.0 0.0.0.0 10.10.10.1

8. Configure R3 (DMZ):

conf t

int lo0
ip address 3.3.3.3 255.255.255.255
int f0/0
ip address 172.16.1.13 255.255.255.0
no sh

ip route 0.0.0.0 0.0.0.0 172.16.1.1

9. Configure the PIX 525 interfaces. 'nameif' assigns security level 100 to an interface named 'inside' and 0 to any other name, so the DMZ level has to be set explicitly:

pix3(config)# int e0
pix3(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
pix3(config-if)# no sh
pix3(config-if)# ip address 202.1.1.1 255.255.255.0

pix3(config-if)# int e1
pix3(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
pix3(config-if)# no sh
pix3(config-if)# ip address 10.10.10.1 255.255.255.0

pix3(config-if)# int e2
pix3(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
pix3(config-if)# security-level 50
pix3(config-if)# ip address 172.16.1.1 255.255.255.0
pix3(config-if)# no sh

10. Allow only the subnet 10.10.10.0/24 to telnet to the PIX, and only through the inside interface.

By default the PIX accepts no telnet sessions at all: each permitted source must be listed with the 'telnet' command, and the PIX never accepts telnet on its lowest-security interface (outside) unless the session arrives inside an IPsec tunnel.

Before the command is entered, from R2:

R2-Inside#telnet 10.10.10.1      
Trying 10.10.10.1 ... 
% Connection timed out; remote host not responding

After configuring the following on the PIX:

pix3(config)# telnet 10.10.10.0 255.255.255.0 inside 

R2-Inside#telnet 10.10.10.1
Trying 10.10.10.1 ... Open


User Access Verification

Password: cisco     (---> the default login password is "cisco"; change it with the 'passwd' command)
Type help or '?' for a list of available commands.
pix3> 

Telnet sends the password and the whole session in cleartext, so restrict it to a management subnet as here, or better, generate an RSA key ('crypto key generate rsa') and use 'ssh' instead. Note also that the 'telnet' command only controls who may open a management session to the PIX itself; telnet traffic passing through the firewall is governed by the access lists in the following steps.

11. Configure NAT so that all internal users can reach the Internet

Network address translation (NAT)

The 'nat' command names the real (inside) addresses that are to be translated when they go out through a lower-security interface. The 'global' command defines the mapped addresses on that lower-security interface that the outside world will see: either a pool of addresses (dynamic NAT) or a single address, typically the interface address itself, shared by many hosts through port translation (PAT). The two commands are tied together by their nat_id (10 in the examples below).

Before the translation exists, R2-Inside cannot telnet to R1-Internet (R1 has no route back to 10.10.10.0/24, and the PIX has no rule for the flow):

R2-Inside#telnet 202.1.1.10                  
Trying 202.1.1.10 ... 
% Connection refused by remote host

Configure NAT on the PIX for access from the higher-security interface to the lower-security one:

(A static mapping between an internal private address and an external public address would also work, but it ties up one public address per internal host. For outbound access from many hosts the usual choice is a dynamic translation, and in particular PAT, where every inside host shares one global address and is told apart by source port. Note that "dynamic NAT" and "PAT" are not the same thing: dynamic NAT hands out one pool address per host, PAT multiplexes many hosts on the ports of one address.)

Three main steps:

1. Declare the global (mapped) address that will be exposed on the outside interface. 'interface' means use the outside interface's own address, 202.1.1.1, as a PAT address:

        pix3(config)# global (outside) 10 interface
        INFO: outside interface address added to PAT pool

2. Declare which internal addresses may use that global address (nat_id 10 ties this to step 1; 0.0.0.0 0.0.0.0 means every host behind the inside interface):

        pix3(config)# nat (inside) 10 0.0.0.0 0.0.0.0

3. Permit the service through the PIX with an access list.

        Let's take telnet as the example.

        access-list from_inside extended permit tcp any 202.1.1.0 255.255.255.0 eq telnet

        access-group from_inside in interface inside

        Strictly, step 3 is optional for this direction: with no access-group bound to an interface, the PIX lets traffic from a higher security level to a lower one through on its own. But the moment an access-group is bound to the inside interface, that implicit permit is replaced by the access list's implicit deny, so every other protocol from inside (including the ICMP in step 12) must then be permitted explicitly. Binding a list to each interface is still the right practice, because it turns "anything outbound" into an explicit allow list.

After these three steps, telnet from internal to external works:

R2-Inside#telnet 202.1.1.10
Trying 202.1.1.10 ... Open

R1-Internet#

Use 'show xlate' to see the translation slot, 'show conn' for the connection using it, and 'show nat' for the rule that matched (note that the nat statement is listed against every lower-security interface, with "No matching global" where no global exists yet):

pix3(config)# sh xlate
1 in use, 1 most used
PAT Global 202.1.1.1(1024) Local 10.10.10.12(31769) 

pix3(config)# sh conn 
1 in use, 1 most used
TCP out 202.1.1.10:23 in 10.10.10.12:31769 idle 0:03:18 bytes 368 flags UIO

pix3(config)# sh nat

NAT policies on Interface inside:
  match ip inside any outside any
    dynamic translation to pool 10 (202.1.1.1 [Interface PAT])
    translate_hits = 3, untranslate_hits = 5
  match ip inside any inside any
    dynamic translation to pool 10 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any dmz any
    dynamic translation to pool 10 (No matching global)
    translate_hits = 0, untranslate_hits = 0

pix3(config)#packet-tracer input inside tcp 10.10.10.12 34000 202.1.1.10 23 detail

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x46ea3b0, priority=1, domain=permit, deny=false
        hits=329, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW 
Config:
Additional Information:
in   202.1.1.0       255.255.255.0   outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from_inside in interface inside
access-list from_inside extended permit tcp any 202.1.1.0 255.255.255.0 eq telnet 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x4202eb0, priority=12, domain=permit, deny=false
        hits=2, user_data=0x4725318, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=202.1.1.0, mask=255.255.255.0, port=23

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x46ed808, priority=0, domain=permit-ip-option, deny=true
        hits=89, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 10 (202.1.1.1 [Interface PAT])
    translate_hits = 8, untranslate_hits = 11
Additional Information:
Dynamic translate 10.10.10.12/34000 to 202.1.1.1/1026 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0x4749d00, priority=1, domain=nat, deny=false
        hits=7, user_data=0x46fa870, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7      
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 10 (202.1.1.1 [Interface PAT])
    translate_hits = 8, untranslate_hits = 11
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x46fb1c0, priority=1, domain=host, deny=false
        hits=13, user_data=0x46fa870, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x46b3c98, priority=0, domain=permit-ip-option, deny=true
        hits=5, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 90, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 202.1.1.10 using egress ifc outside
adjacency Active
next-hop mac address 001e.7aa4.45b8 hits 87

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

pix3(config)#
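The 'show xlate', 'show conn' and packet-tracer outputs above are what you end up reading when a translation or a connection misbehaves. The following Python script is an added example (not part of the original post) that parses those three formats and ties each connection in 'show conn' to the xlate slot it is using, which is the quickest way to spot a connection that is leaving untranslated. The sample text embedded in it is copied (abridged for packet-tracer) from the outputs shown in this step; the regular expressions target only those line shapes, plus the port-less 'Global x Local y' form that a static or dynamic NAT slot shows in 'show xlate', which is assumed rather than taken from the page.

```python
"""Parsers for the PIX 7.x 'show xlate', 'show conn' and packet-tracer output shown in
step 11, tying each connection to the translation slot it uses. Added example, not part
of the post; the regexes cover the line shapes on the page plus one assumed form (see
XLATE_RE). The sample text below is copied (packet-tracer abridged) from the page."""
import re

SHOW_XLATE = """1 in use, 1 most used
PAT Global 202.1.1.1(1024) Local 10.10.10.12(31769)
"""
SHOW_CONN = """1 in use, 1 most used
TCP out 202.1.1.10:23 in 10.10.10.12:31769 idle 0:03:18 bytes 368 flags UIO
"""
PACKET_TRACER = """Phase: 1
Type: ACCESS-LIST
Result: ALLOW

Phase: 6
Type: NAT
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
Additional Information:
Dynamic translate 10.10.10.12/34000 to 202.1.1.1/1026 using netmask 255.255.255.255

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# 'PAT Global a.b.c.d(port) Local w.x.y.z(port)' is the form on the page; the port-less
# 'Global a.b.c.d Local w.x.y.z' form of a static or dynamic NAT slot is assumed.
XLATE_RE = re.compile(r"^(?:(PAT|NAT) )?Global (\S+?)(?:\((\d+)\))? Local (\S+?)(?:\((\d+)\))?\s*$")
CONN_RE = re.compile(r"^(TCP|UDP) out (\S+):(\d+) in (\S+):(\d+) idle (\S+) bytes (\d+)(?: flags (\S+))?")
TRANSLATE_RE = re.compile(r"^(?:Dynamic|Static) translate (\S+)/(\d+) to (\S+)/(\d+)")


def parse_xlate(text):
    """One dict per translation slot; the 'N in use' summary line is skipped."""
    slots = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            kind, gip, gport, lip, lport = m.groups()
            slots.append({"kind": kind or "NAT", "global": (gip, int(gport) if gport else None),
                          "local": (lip, int(lport) if lport else None)})
    return slots


def parse_conn(text):
    """One dict per connection: protocol, outside/inside endpoints, idle time, bytes, flags."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            proto, oip, oport, iip, iport, idle, nbytes, flags = m.groups()
            conns.append({"proto": proto, "out": (oip, int(oport)), "in": (iip, int(iport)),
                          "idle": idle, "bytes": int(nbytes), "flags": flags or ""})
    return conns


def correlate(xlates, conns):
    """Attach to each connection the slot whose Local side matches its inside address:port
    (PAT) or address alone (NAT); 'global' is None when no slot matches, which on a live
    box means the connection is leaving untranslated."""
    by_local = {x["local"]: x for x in xlates}
    out = []
    for c in conns:
        x = by_local.get(c["in"]) or by_local.get((c["in"][0], None))
        out.append({**c, "global": x["global"] if x else None})
    return out


def parse_packet_tracer(text):
    """Split packet-tracer output into its phases and the final verdict block; the NAT
    phase additionally yields the (real, mapped) address/port pair it reports."""
    phases, cur, verdict = [], None, {}
    for line in text.splitlines():
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":")[1]), "type": None, "result": None}
            phases.append(cur)
        elif line.strip() == "Result:":          # the bare 'Result:' opens the summary block
            cur = None
        elif cur is not None and line.startswith("Type:"):
            cur["type"] = line.split(":", 1)[1].strip()
        elif cur is not None and line.startswith("Result:"):
            cur["result"] = line.split(":", 1)[1].strip()
        elif cur is not None and TRANSLATE_RE.match(line):
            rip, rport, mip, mport = TRANSLATE_RE.match(line).groups()
            cur["translate"] = ((rip, int(rport)), (mip, int(mport)))
        elif cur is None and ":" in line:
            key, value = line.split(":", 1)
            verdict[key.strip()] = value.strip()
    return {"phases": phases, "verdict": verdict}


if __name__ == "__main__":
    for c in correlate(parse_xlate(SHOW_XLATE), parse_conn(SHOW_CONN)):
        print(f"{c['proto']} {c['in']} -> {c['out']} seen on the outside as {c['global']}")
    tracer = parse_packet_tracer(PACKET_TRACER)
    print("verdict:", tracer["verdict"].get("Action"), "phases:", [p["type"] for p in tracer["phases"]])
```

Paste the real output of the three commands into the three constants (or read it from a file) to use it on a live box; the correlation key is the inside address and port, so a PAT slot and its connection line up only while the connection is open.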

12. Allow ping from internal to external

Ping uses ICMP, which has no connection. The PIX 7.x does not track ICMP statefully by default, so unlike telnet (where the return packets belong to a known TCP connection and need no rule of their own) we have to permit both directions separately: the echo request on the inside interface and the echo reply on the outside interface.

pix3(config)# access-list from_inside permit icmp any any

pix3(config)# access-group from_inside in interface inside

pix3(config)# access-list from_outside permit icmp any any 

pix3(config)# access-group from_outside in interface outside

Two caveats. 'permit icmp any any' inbound on the outside interface also lets anyone on the Internet send echo requests (and every other ICMP type) to any address that has a translation, including the static 202.1.1.13 added in step 14; limiting it to the reply types ('permit icmp any any echo-reply', plus 'unreachable' and 'time-exceeded' if traceroute should work) is tighter. Tighter still is to enable ICMP inspection ('inspect icmp' under class inspection_default in policy-map global_policy), after which the PIX matches replies to requests itself and the outside-interface entry is not needed at all.

R2-Inside#ping 202.1.1.10  

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2-Inside#    

13. Allow the DMZ to reach the internal network

If you have used NAT before, you know that servers on a higher-security interface that must be reached from a lower-security one need static mappings. The 'static' command creates a permanent translation slot (an "xlate") between a real (local) address and a mapped (global) address. Use 'static' together with an access list whenever traffic is initiated from a lower-security interface towards a higher-security one. Its general form is 'static (real_ifc,mapped_ifc) mapped_ip real_ip', i.e. the interface pair is written high,low and the addresses low,high:

- With address translation between the two interfaces: "static (high,low) low high".

- Without address translation (an identity mapping): "static (high,low) high high".


Configure the PIX for access from the lower-security interface to the higher one:

Two main steps:

(A static route from the PIX to R2 is not needed here because 10.10.10.12 is on a directly connected subnet.)

1. Declare the static mapping between the higher-security address and the address by which the lower-security side reaches it. Between the DMZ and the internal network we normally do not translate, so use the form static (high,low) high high:

        pix3(config)# static (inside,dmz) 10.10.10.12 10.10.10.12 netmask 255.255.255.255

2. Permit the service through the PIX with an access list.

        Let's take ping and telnet from the DMZ into the internal network as examples:

        access-list from_dmz permit tcp any 10.10.10.0 255.255.255.0 eq telnet

        access-list from_dmz permit icmp any any

        access-group from_dmz in interface dmz

        Traffic from the DMZ into the inside network is exactly what a compromised DMZ host would attempt, so outside a lab keep this list to the specific inside hosts and ports the DMZ genuinely needs (telnet to an inside router is shown here only because it is easy to test).


R3-dmz#ping 10.10.10.12

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.12, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R3-dmz#telnet 10.10.10.12
Trying 10.10.10.12 ... Open

R2-Inside#

Alternatively, NAT exemption achieves the same thing without a static:
access-list 105 permit ip host 10.10.10.12 172.16.1.0 255.255.255.0 
nat (inside) 0 access-list 105

nat_id 0 with an access list means "do not translate": traffic between 10.10.10.12 and 172.16.1.0/24 passes untranslated in either direction, whichever side initiates it, and this exemption is checked before any static or dynamic rule. The access-group on the dmz interface is still required.

14. Allow external access to the DMZ

This is again from a lower security level to a higher one, so it follows step 13: a static mapping plus an access list.

Map the public address 202.1.1.13 to the DMZ private address 172.16.1.13:

pix3(config)#static (dmz,outside) 202.1.1.13 172.16.1.13 netmask 255.255.255.255

pix3(config)# access-list from_outside permit tcp any 202.1.1.13 255.255.255.255 eq telnet

pix3(config)# access-group from_outside in interface outside      /// already bound in step 12; repeating the command is harmless

Two things to note. The access list on the outside interface refers to the mapped address 202.1.1.13, not the real one, because on this software access lists are evaluated before the destination is untranslated. And 202.1.1.13 is not configured on any device: the PIX answers ARP requests for a static's mapped address on the mapped interface (proxy ARP), which is how R1, which has no route for it, reaches it on its connected subnet. The ping below succeeds only because of the 'permit icmp any any' entry added to from_outside in step 12.

R1-Internet#ping 202.1.1.13

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.13, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R1-Internet#telnet 202.1.1.13
Trying 202.1.1.13 ... Open

R3-dmz#

15. Internal to DMZ

This is from high to low, so it follows step 11.

Three main steps:

1. Declare the global address exposed to the DMZ for internal addresses, here the dmz interface address 172.16.1.1 as a PAT address:

        pix3(config)# global (dmz) 10 interface
        INFO: dmz interface address added to PAT pool

2. Declare the internal addresses that may use it. The 'nat (inside) 10' statement from step 11 already exists and is matched against every lower-security interface (the 'show nat' output in step 11 listed it for the dmz with "No matching global"), so re-entering it changes nothing; it is shown here for completeness:

        pix3(config)# nat (inside) 10 0.0.0.0 0.0.0.0

3. Permit the service through the PIX with an access list.

        Let's take telnet as the example. from_inside is already bound to the inside interface, so only the new entry is needed:

        access-list from_inside extended permit tcp any 172.16.1.0 255.255.255.0 eq telnet

        access-group from_inside in interface inside

One detail worth knowing: static translations take precedence over nat/global. Because of the 'static (inside,dmz) 10.10.10.12 10.10.10.12' from step 13, R2 reaches the DMZ with its real address 10.10.10.12 rather than the PAT address 172.16.1.1, whereas R7 (10.10.10.17), which has no static, is PATed to 172.16.1.1.

R2-Inside#telnet 172.16.1.13
Trying 172.16.1.13 ... Open

R3-dmz#

16. Summary

High to low:

- A global address (pool or interface PAT) on the low-security interface

- A nat statement covering the internal addresses on the high-security interface, with the same nat_id

- Access control (access-list + access-group); once a list is bound to an interface, everything it does not permit is denied

Low to high:

- A static mapping (or a nat 0 access-list exemption) between low and high

- Access control (access-list + access-group), written against the mapped address

Translation precedence when several rules could apply: nat 0 exemption, then static, then nat/global.
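To make the two directions and the precedence rules in this summary concrete, here is an added Python model (not code from the post, and not PIX internals) of the decision a PIX 7.x makes for a single packet: untranslate the destination through a static or a connected route, evaluate the access list bound to the ingress interface (or, with none bound, the security levels), then pick the source translation in the order exemption, static, nat/global. build_lab() loads the exact configuration of steps 9 to 15. It is a model with stated simplifications: no connection state (so ICMP replies are not considered) and every high-to-low flow must match a translation, which is how the lab behaved.

```python
"""Toy model of how a PIX 7.x admits one packet: untranslate the destination, apply the
ingress access list, then pick the source translation in the documented precedence order
(nat 0 exemption, static, nat/global). Added example, not code from the post and not PIX
internals. Simplifications: no connection state, and every high-to-low flow needs a
translation, which is how the lab behaved."""
from ipaddress import ip_address, ip_network


class Pix:
    def __init__(self):
        self.ifaces = {}   # name -> (security level, connected network, own address)
        self.nats = []     # nat (real_ifc) id net            -> (real_ifc, nat_id, network)
        self.globals = {}  # global (mapped_ifc) id interface -> (mapped_ifc, nat_id): PAT address
        self.statics = []  # static (real,mapped) mapped real -> (real_ifc, mapped_ifc, mapped, real)
        self.exempt = []   # nat (real_ifc) 0 access-list     -> (real_ifc, real network, peer network)
        self.acls = {}     # name -> [(permit, proto, src net, dst net, dst port or None)]
        self.groups = {}   # access-group: ingress interface -> acl name

    # one configuration verb per PIX command
    def nameif(self, name, sec, addr_cidr):
        self.ifaces[name] = (sec, ip_network(addr_cidr, strict=False), ip_address(addr_cidr.split("/")[0]))
    def nat(self, real_ifc, nat_id, cidr):
        self.nats.append((real_ifc, nat_id, ip_network(cidr)))
    def global_interface(self, mapped_ifc, nat_id):
        self.globals[(mapped_ifc, nat_id)] = self.ifaces[mapped_ifc][2]
    def static(self, real_ifc, mapped_ifc, mapped_ip, real_ip):
        self.statics.append((real_ifc, mapped_ifc, ip_address(mapped_ip), ip_address(real_ip)))
    def nat0(self, real_ifc, real_cidr, peer_cidr):
        self.exempt.append((real_ifc, ip_network(real_cidr), ip_network(peer_cidr)))
    def access_list(self, name, proto, src_cidr, dst_cidr, port=None, permit=True):
        self.acls.setdefault(name, []).append((permit, proto, ip_network(src_cidr), ip_network(dst_cidr), port))
    def access_group(self, name, ifc):
        self.groups[ifc] = name

    def _untranslate(self, ingress, dst):   # static mapped address on ingress, else connected route
        for real_ifc, mapped_ifc, mapped, real in self.statics:
            if mapped_ifc == ingress and mapped == dst:
                return real_ifc, real, "static"
        for name, (_, net, _) in self.ifaces.items():
            if name != ingress and dst in net:
                return name, dst, "route"
        return None, None, "no route"

    def _acl(self, ingress, egress, proto, src, dst, port):   # evaluated on the packet as received
        name = self.groups.get(ingress)
        if name is None:   # nothing bound: security levels decide
            return self.ifaces[ingress][0] > self.ifaces[egress][0], "implicit security-level rule"
        for permit, p, snet, dnet, dport in self.acls.get(name, []):
            if p in (proto, "ip") and src in snet and dst in dnet and dport in (None, port):
                return permit, f"{name} {'permit' if permit else 'deny'} {p}"
        return False, f"{name} implicit deny"

    def _source_xlate(self, ingress, egress, src, dst):   # high -> low, in precedence order
        for real_ifc, real_net, peer_net in self.exempt:
            if real_ifc == ingress and src in real_net and dst in peer_net:
                return src, "nat 0 exemption"
        for real_ifc, mapped_ifc, mapped, real in self.statics:
            if real_ifc == ingress and mapped_ifc == egress and real == src:
                return mapped, "static"
        for real_ifc, nat_id, net in self.nats:
            if real_ifc == ingress and src in net and (egress, nat_id) in self.globals:
                return self.globals[(egress, nat_id)], f"nat/global {nat_id} PAT"
        return None, "no translation"

    def check(self, ingress, src, dst, proto="tcp", port=None):
        src, dst = ip_address(src), ip_address(dst)
        egress, real_dst, via = self._untranslate(ingress, dst)
        ok, why = (False, via) if egress is None else self._acl(ingress, egress, proto, src, dst, port)
        if not ok:
            return {"action": "drop", "reason": why, "egress": egress}
        if self.ifaces[ingress][0] > self.ifaces[egress][0]:
            mapped_src, how = self._source_xlate(ingress, egress, src, real_dst)
        elif via == "static" or any(r == egress and real_dst in rn and src in pn for r, rn, pn in self.exempt):
            mapped_src, how = src, ("static" if via == "static" else "nat 0 exemption")   # low -> high
        else:
            mapped_src, how = None, "no static for destination"
        allowed = mapped_src is not None
        return {"action": "allow" if allowed else "drop", "reason": why if allowed else how,
                "egress": egress, "how": how, "mapped_src": str(mapped_src) if allowed else None,
                "real_dst": str(real_dst)}


def build_lab():   # the post's configuration after step 15: interfaces, NAT, statics, ACLs
    pix = Pix()
    for name, sec, addr in [("outside", 0, "202.1.1.1/24"), ("inside", 100, "10.10.10.1/24"),
                            ("dmz", 50, "172.16.1.1/24")]:
        pix.nameif(name, sec, addr)
    pix.nat("inside", 10, "0.0.0.0/0")
    for ifc in ("outside", "dmz"):
        pix.global_interface(ifc, 10)
    pix.static("inside", "dmz", "10.10.10.12", "10.10.10.12")
    pix.static("dmz", "outside", "202.1.1.13", "172.16.1.13")
    for name, proto, dst, port in [("from_inside", "tcp", "202.1.1.0/24", 23), ("from_inside", "icmp", "0.0.0.0/0", None),
                                   ("from_inside", "tcp", "172.16.1.0/24", 23), ("from_outside", "icmp", "0.0.0.0/0", None),
                                   ("from_outside", "tcp", "202.1.1.13/32", 23), ("from_dmz", "tcp", "10.10.10.0/24", 23),
                                   ("from_dmz", "icmp", "0.0.0.0/0", None)]:
        pix.access_list(name, proto, "0.0.0.0/0", dst, port)
    for name, ifc in [("from_inside", "inside"), ("from_outside", "outside"), ("from_dmz", "dmz")]:
        pix.access_group(name, ifc)
    return pix


if __name__ == "__main__":
    lab = build_lab()
    print(lab.check("inside", "10.10.10.12", "202.1.1.10", "tcp", 80))   # dropped by from_inside's implicit deny
    print(lab.check("inside", "10.10.10.17", "172.16.1.13", "tcp", 23))  # PAT to 172.16.1.1 (no static for .17)
```

Running it shows the two effects the post's steps only hint at: the HTTP flow from R2 is dropped because from_inside has no entry for it (delete the binding with del lab.groups["inside"] and the security levels let it through again, which is the implicit permit described in step 11), and R7 leaves for the DMZ as 172.16.1.1 while R2, covered by the step-13 static, keeps its real address. Replacing the static with nat0("inside", "10.10.10.12/32", "172.16.1.0/24") reproduces the NAT-exemption alternative from step 13.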
