debug xlate Testing, Tracing, and Debugging

    sh xlate
    Global 2.241.11.254 Local 192.168.2.2 nconns 10 econns 0 flags pvA
      TCP out 3.96.12.2-80 in 192.168.2.2-1700 idle 0:00:17 Bytes 365 Flags E
      TCP out 3.96.12.2-80 in 192.168.2.2-1699 idle 0:00:18 Bytes 365 Flags E
      TCP out 3.96.12.2-80 in 192.168.2.2-1698 idle 0:00:19 Bytes 365 Flags E
      TCP out 3.96.12.2-80 in 192.168.2.2-1697 idle 0:00:19 Bytes 365 Flags E
      TCP out 3.96.12.2-80 in 192.168.2.2-1696 idle 0:00:22 Bytes 370 Flags E
      TCP out 3.96.12.2-80 in 192.168.2.2-1695 idle 0:00:22 Bytes 371 Flags E
      TCP out 3.96.12.2-80 in 192.168.2.2-1694 idle 0:00:22 Bytes 367 Flags E
      TCP out 3.96.12.2-80 in 192.168.2.2-1693 idle 0:00:22 Bytes 371 Flags E
      TCP out 3.96.12.2-80 in 192.168.2.2-1692 idle 0:00:30 Bytes 323 Flags E
      TCP out 3.96.12.2-23 in 192.168.2.2-2049 idle 0:00:03 Bytes 1086 Flags UFHIO

As you can see, there were a ton of port 80 connections established. Most of these are single graphic files located at the web server's main page, 3.96.12.2. Netscape, as with most of the other popular browsers, initiates a separate request for each graphic after it has pulled down the contents of the main HTML page. The last line of the output is our telnet session, as evidenced by the port 23 hanging on the end of the address.
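To make sense of a long sh xlate dump like the one above, here is an added Python example (not from the book) that parses the listing into records, counts a translation's connections by foreign port, picks out interactive sessions such as the telnet on port 23, and warns when the dump holds fewer connection records than nconns claims (paged or cut-off output). The sample input is the listing above re-typed one record per line; the field layout is assumed from it.

```python
import re
from collections import Counter

# Sample input: the 'sh xlate' listing from the section above, re-typed one
# record per line (the book's own values).
SAMPLE = """\
Global 2.241.11.254 Local 192.168.2.2 nconns 10 econns 0 flags pvA
TCP out 3.96.12.2-80 in 192.168.2.2-1700 idle 0:00:17 Bytes 365 Flags E
TCP out 3.96.12.2-80 in 192.168.2.2-1699 idle 0:00:18 Bytes 365 Flags E
TCP out 3.96.12.2-80 in 192.168.2.2-1698 idle 0:00:19 Bytes 365 Flags E
TCP out 3.96.12.2-80 in 192.168.2.2-1697 idle 0:00:19 Bytes 365 Flags E
TCP out 3.96.12.2-80 in 192.168.2.2-1696 idle 0:00:22 Bytes 370 Flags E
TCP out 3.96.12.2-80 in 192.168.2.2-1695 idle 0:00:22 Bytes 371 Flags E
TCP out 3.96.12.2-80 in 192.168.2.2-1694 idle 0:00:22 Bytes 367 Flags E
TCP out 3.96.12.2-80 in 192.168.2.2-1693 idle 0:00:22 Bytes 371 Flags E
TCP out 3.96.12.2-80 in 192.168.2.2-1692 idle 0:00:30 Bytes 323 Flags E
TCP out 3.96.12.2-23 in 192.168.2.2-2049 idle 0:00:03 Bytes 1086 Flags UFHIO
"""

XLATE_RE = re.compile(r"^Global (\S+) Local (\S+) nconns (\d+) econns (\d+) flags (\S+)$")
CONN_RE = re.compile(r"^(TCP|UDP) out ([\d.]+)-(\d+) in ([\d.]+)-(\d+)"
                     r" idle (\d+):(\d\d):(\d\d) Bytes (\d+) Flags (\S+)$")

def parse_xlate(text):
    """Return a list of translations, each carrying its connection records."""
    xlates = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = XLATE_RE.match(line)
        if m:
            xlates.append({"global": m[1], "local": m[2], "nconns": int(m[3]),
                           "econns": int(m[4]), "flags": m[5], "conns": []})
            continue
        m = CONN_RE.match(line)
        if not (m and xlates):           # connection line before any xlate header
            raise ValueError("unrecognised line: " + line)
        idle = int(m[6]) * 3600 + int(m[7]) * 60 + int(m[8])   # idle time in seconds
        xlates[-1]["conns"].append({"proto": m[1], "fhost": m[2], "fport": int(m[3]),
                                    "lhost": m[4], "lport": int(m[5]), "idle": idle,
                                    "bytes": int(m[9]), "flags": m[10]})
    return xlates

def summarise(xlate, interactive_ports=(22, 23)):
    """Connections per foreign port, the interactive (telnet/ssh) sessions, and a
    flag that the dump holds fewer records than nconns claims (truncated output)."""
    conns = xlate["conns"]
    return {"by_port": dict(Counter(c["fport"] for c in conns)),
            "interactive": [c for c in conns if c["fport"] in interactive_ports],
            "count_mismatch": xlate["nconns"] != len(conns)}
```

Run summarise() over each element of parse_xlate(SAMPLE); for the listing above it reports nine port 80 connections, one port 23 session and no count mismatch.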

9.3.4.3 arp

Sometimes when debugging network configurations, such as those involving the PIX firewall, you need to determine what the PIX can see. Using the address resolution protocol, which handles the translation between Ethernet addresses and IP addresses, the PIX provides a fine tool for tracking down the physical machinery to which the PIX firewall is talking. The arp command, logically enough, provides a list of Ethernet and IP addresses for both of the PIX's interfaces. When things get confused as to what host is doing what on the network, and what access permissions it should be allowed to have through the PIX to the Internet, the arp command becomes helpful. Here's an example of the output from our rather tiny example world detailed earlier in the chapter:

    sh arp
    outside 4.96.12.9 00:34:08:93:1b:76
    outside 4.241.10.209 00:77:70:62:5b:ee
    outside 4.96.12.100 00:05:02:65:27:fb
    outside 2.96.12.1 00:00:0c:65:de:10
    outside 2.96.12.2 00:20:af:67:8c:77
    outside 2.96.12.62 00:e0:1e:33:33
    outside 2.96.12.43 00:32:9a:00:33:9f
    outside 2.96.12.23 00:32:97:0e:23:56
    outside 3.96.12.33 08:00:07:4f:23:c5
    inside 192.168.128.1 00:10:4b:45:1b:12
    inside 192.168.129.2 00:40:22:33:3a:3d
    inside 192.168.129.3 00:a0:22:4c:c6:23
    inside 192.168.128.4 00:05:f2:28:23:7b
    inside 192.168.129.5 00:40:32:31:33:1c
    inside 192.168.129.6 00:de:08:bf:ec:05
    inside 192.168.129.7 00:60:8c:dd:c0:89
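As an added Python example (not from the book), the following parses sh arp output like the listing above, flags entries that are not six-octet MAC addresses (the 2.96.12.62 entry above is one), reports a single MAC answering for several IPs on one interface, and diffs two snapshots so that an address whose MAC has changed stands out. The baseline is the listing above; the later snapshot is constructed for the example.

```python
import re
# Baseline: the 'sh arp' listing from the section above (book's values).
BASELINE = """\
outside 4.96.12.9 00:34:08:93:1b:76
outside 4.241.10.209 00:77:70:62:5b:ee
outside 4.96.12.100 00:05:02:65:27:fb
outside 2.96.12.1 00:00:0c:65:de:10
outside 2.96.12.2 00:20:af:67:8c:77
outside 2.96.12.62 00:e0:1e:33:33
outside 2.96.12.43 00:32:9a:00:33:9f
outside 2.96.12.23 00:32:97:0e:23:56
outside 3.96.12.33 08:00:07:4f:23:c5
inside 192.168.128.1 00:10:4b:45:1b:12
inside 192.168.129.2 00:40:22:33:3a:3d
inside 192.168.129.3 00:a0:22:4c:c6:23
inside 192.168.128.4 00:05:f2:28:23:7b
inside 192.168.129.5 00:40:32:31:33:1c
inside 192.168.129.6 00:de:08:bf:ec:05
inside 192.168.129.7 00:60:8c:dd:c0:89
"""
# Constructed later snapshot: 192.168.129.3 now answers with the MAC of
# 192.168.128.1, and one new host has appeared; everything else is unchanged.
LATER = BASELINE.replace("inside 192.168.129.3 00:a0:22:4c:c6:23",
                         "inside 192.168.129.3 00:10:4b:45:1b:12") + "inside 192.168.130.9 00:aa:bb:cc:dd:ee\n"

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def parse_arp(text):
    """Map (interface, ip) -> mac; malformed MACs are kept and reported by audit()."""
    table = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        iface, ip, mac = line.split()
        table[(iface, ip)] = mac.lower()
    return table

def audit(table):
    """Entries worth a second look: MACs that are not six octets, and one MAC
    claiming several IPs on the same interface (proxy ARP, or a host answering
    for addresses that are not its own)."""
    bad = sorted(k for k, mac in table.items() if not MAC_RE.match(mac))
    owners = {}
    for (iface, ip), mac in table.items():
        owners.setdefault((iface, mac), []).append(ip)
    return {"malformed": bad,
            "shared_mac": {k: sorted(v) for k, v in owners.items() if len(v) > 1}}

def diff_arp(before, after):
    """IPs whose MAC changed between two snapshots, plus entries added or gone."""
    changed = {k: (before[k], after[k]) for k in before.keys() & after.keys()
               if before[k] != after[k]}
    return {"changed": changed, "added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys())}
```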

9.3.4.4 show interface

To check the physical Ethernet interfaces on the PIX, the show interface command provides some summary information. Here is the output of the command for illustration:

    sh interface
    interface ethernet0 outside is up, line protocol is up
      Hardware is i82557 ethernet, address is 00:a0:c9:48:33:23
      IP address 1.251.174.154, subnet mask 255.255.255.248
      MTU 1500 bytes, BW 100000 Kbit half duplex
        2053034 packets input, 486927215 bytes, 0 no buffer
        Received 1068648 broadcasts, 0 runts, 0 giants
        269 input errors, 124 CRC, 145 frame, 0 overrun, 124 ignored, 0 abort
        1014642 packets output, 98109936 bytes, 26 underruns
    interface ethernet1 inside is up, line protocol is up
      Hardware is i82557 ethernet, address is 00:a0:c9:34:23:23
      IP address 192.168.128.1, subnet mask 255.255.252.0
      MTU 1500 bytes, BW 10000 Kbit half duplex
        1095847 packets input, 103598967 bytes, 0 no buffer
        Received 95886 broadcasts, 0 runts, 0 giants
        22 input errors, 22 CRC, 0 frame, 0 overrun, 22 ignored, 0 abort
        975558 packets output, 387229999 bytes, 0 underruns

9.4 Configuring the Other VPN Capabilities

So far, in our discussion of the PIX firewall, we have demonstrated its use and configuration as a packet filtration firewall and as a dynamic lookup and translation mechanism that hides the identity of internal machines. In this section we will briefly discuss how to build a virtual private network between two PIX units, thus connecting private networks with the Internet as a transport medium.

9.4.1 Offering Services to the Internet Through Conduits and the static Command

The conduit command is a short-circuit mechanism that lets hosts on the outside network bypass the PIX's adaptive security mechanism to connect to hosts on the inside network. This isn't really as scary as it may sound. It is frequently required and actually very normal to punch holes in the firewall for specific, known services, the security of which can be monitored and tested before the hole is opened. You can put in an exception to the PIX's adaptive security system either by using the conduit command or as the last parameter of the static command, an example of which is detailed below. Cisco recommends, however, that the conduit command be used. Let us say that we have a mail-exchanging Unix host on our outside network, 1.251.174.155, and an SMTP/POP host on our inside network, 192.168.2.3. We wish to accomplish two things:

1. Map the address of our internal SMTP server statically to the translation table address 1.241.11.254, the first one chosen by the PIX.

2. Create a conduit that allows SMTP traffic to flow from that static address to our outside mail-exchanging host.

Here's the pair of commands needed to produce the desired effect:

    static 2.241.11.254 192.168.2.3 mailhost inside, outside 2.241.11.254 192.168.2.3 32 24