153 machine on the Internet was found to exhibit the exact same behavior. The Cisco PIX firewall provides a level of protection right out of the box without complex configuration, testing, or troubleshooting. By using the conduit andor static commands covered later in this chapter, we can set up special configurations that allow inbound connections to occur through the firewall. Thus, our mail server, web server, and FTP server can be contacted and deliver information to or from the outside world. Before we foray further into the practice of punching holes in the PIX firewall, we will take our sample configuration and add some more restrictions to our inside Ethernet hosts. Lets say that we have decided, in our role as the network administrators, that we wish to deny outbound web access from the single internal host 192.168.2.100 and from the range of hosts from 192.168.2.128 to 192.168.2.254. Further, we have deemed the telnet protocol to be troublesome and wish to deny all hosts on the inside network telnet access, except our own workstation 192.168.2.2. The following configuration parameters accomplish these tasks: outbound 11 deny 192.168.2.100 255.255.255.255 80 outbound 11 deny 192.168.2.128 255.255.255.128 80 outbound 11 permit 192.168.2.2 255.255.255.255 23 outbound 11 deny 192.168.2.0 255.255.255.0 23 apply inside 11 outgoing_src The 11 following the outbound command refers to the access list used to group the firewall instructions. The masks following the IP addresses, such as the 255.255.255.128 following 192.168.2.128, refer to a netmask, or a whole range of hosts, rather than just to an individual node. Some immediate differences appear when you compare the preceding access lists to those that would be found on any ordinary Cisco routing product running IOS. Most noticeable is that PIX Firewall uses a single hostnetwork pair to control access, whereas IOS uses a double hostnetwork pair. For example, you might find something like the following on an Internet- connected serial interface on a Cisco 7500 to produce the same results as the first line in our PIX firewall: access-list 101 deny tcp 192.168.2.100 0.0.0.0 0.0.0.0 255.255.255.255 eq 80 Also, the PIX uses the apply keyword to activate or deactivate the access control provided by the outbound directives. In addition to checking where packets come from, as in our example, we can check the destinations of our packets. To illustrate, lets say that site 1.1.1.1 on the Internet has unsavory materials on it and you wish to block all access to this site from your network. The following configuration accomplishes this: outbound 12 deny 1.1.1.1 255.255.255.255 apply inside 12 outgoing_dest Youll notice a couple of things. First, we used another outbound access list numbered 12 to handle the new configuration. We feel it best to separate the outgoing destinations firewalls from the outgoing source destinations. Although not required, it does help keep things more 154 orderly when these access lists get large, which is certainly going to happen over time. Second, we left off the port parameter. By doing so, we effectively cut all communication attempts with host 1.1.1.1 on any port. By using the principles we illustrated in the two firewall configuration examples, you can construct large and sometimes complicated firewalls, granting access and denying access to as granular or as wide an audience as you desire. Keep in mind that the shorter the list of access items, the faster the machinery handles packets, and the easier it will be for you when a problem with the firewall eventually explodes. Remember to use as large a network as possible grouping related machines in a single network, so that there is no need to enter 32 separate commands where one would have sufficed.

9.3.4 Testing, Tracing, and Debugging

To facilitate debugging and testing, the PIX firewall comes with a suite of test utilities. We will cover in brief the operation of the major ones.

9.3.4.1 debug

The debug command can be used to test the configuration of the PIX firewall and to check the ongoing operation of the unit whenever you suspect a connectivity problem. To enable the tracing function, execute the command debug trace on to the PIX firewall. Results will be echoed to the console as ICMP packets are received or transmitted. For instance, using a machine on our inside network 192.168.2.2 to ping a machine on our outside network 1.251.174.155 produced the following output: 1.251.174.155 - 2.241.11.254 192.168.2.2 1.251.174.155 - 2.241.11.254 192.168.2.2 Each ping packet is represented by a pair of log entries: one for the initial ICMP request and one for the returning response. Pinging from the inside network to the outside PIX interface address will not produce a response, nor will pinging from a machine on the outside network to the PIXs inside interface address. This is normal behavior. Using our sample networks, if we were to ping from 192.168.2.2 to 1.251.174.156, we would not get a response. Likewise, pinging from 1.251.174.155 to 192.168.2.2 or 2.241.11.254 will fail.

9.3.4.2 xlate

The xlate command stands for translate, and displays the current assignments of the inside network addresses to the global pool of addresses. Since these assignments are temporary and will eventually disappear, the status reported by xlate can be different from minute to minute. The command is of great assistance when debugging problems with connectivity across the PIX firewall. It provides some very comprehensive output, including the idle time of a connection, the bytes transferred, and the ports used to build it. Heres some output after we started a telnet session across the PIX as well as launching Netscape Navigator: 155 sh xlate Global 2.241.11.254 Local 192.168.2.2 nconns 10 econns 0 flags pvA TCP out 3.96.12.2-80 in 192.168.2.2-1700 idle 0:00:17 Bytes 365 Flags E TCP out 3.96.12.2-80 in 192.168.2.2-1699 idle 0:00:18 Bytes 365 Flags E TCP out 3.96.12.2-80 in 192.168.2.2-1698 idle 0:00:19 Bytes 365 Flags E TCP out 3.96.12.2-80 in 192.168.2.2-1697 idle 0:00:19 Bytes 365 Flags E TCP out 3.96.12.2-80 in 192.168.2.2-1696 idle 0:00:22 Bytes 370 Flags E TCP out 3.96.12.2-80 in 192.168.2.2-1695 idle 0:00:22 Bytes 371 Flags E TCP out 3.96.12.2-80 in 192.168.2.2-1694 idle 0:00:22 Bytes 367 Flags E TCP out 3.96.12.2-80 in 192.168.2.2-1693 idle 0:00:22 Bytes 371 Flags E TCP out 3.96.12.2-80 in 192.168.2.2-1692 idle 0:00:30 Bytes 323 Flags E TCP out 3.96.12.2-23 in 192.168.2.2-2049 idle 0:00:03 Bytes 1086 Flags UFHIO As you can see, there were a ton of port 80 connections established. Most of these are single graphic files located at the web servers main page 3.96.12.2. Netscape, as with most of the other popular browsers, initiates many requests for each graphic after it has pulled down the contents of the main HTML page. The last line of the output is our telnet session, as evidenced by the port 23 hanging on the end of the address.

9.3.4.3 arp

Sometimes when debugging network configurations, such as those involving the PIX firewall, you need to determine what the PIX can see. Using the address resolution protocol, which handles the translation of Ethernet addressing into IP addresses, the PIX provides a fine tool for tracking down the physical machinery to which the PIX firewall is talking. The arp command, logically enough, provides a list of Ethernet and IP addresses for both of the PIXs interfaces. When things get confused as to what host is doing what on the network, and what access permissions it should be allowed to have through the PIX to the Internet, the arp command becomes helpful. Heres an example of the output of our rather tiny example world detailed earlier in the chapter: sh arp outside 4.96.12.9 00:34:08:93:1b:76 outside 4.241.10.209 00:77:70:62:5b:ee outside 4.96.12.100 00:05:02:65:27:fb outside 2.96.12.1 00:00:0c:65:de:10 outside 2.96.12.2 00:20:af:67:8c:77 outside 2.96.12.62 00:e0:1e:33:33 outside 2.96.12.43 00:32:9a:00:33:9f outside 2.96.12.23 00:32:97:0e:23:56 outside 3.96.12.33 08:00:07:4f:23:c5 inside 192.168.128.1 00:10:4b:45:1b:12 inside 192.168.129.2 00:40:22:33:3a:3d inside 192.168.129.3 00:a0:22:4c:c6:23 inside 192.168.128.4 00:05:f2:28:23:7b inside 192.168.129.5 00:40:32:31:33:1c inside 192.168.129.6 00:de:08:bf:ec:05 inside 192.168.129.7 00:60:8c:dd:c0:89

9.3.4.4 show interface

To check the physical Ethernet interfaces on the PIX, the show interface command provides some summary information. Here is the output of the command for illustration: