arp Testing, Tracing, and Debugging

sh interface

    interface ethernet0 outside is up, line protocol is up
      Hardware is i82557 ethernet, address is 00:a0:c9:48:33:23
      IP address 1.251.174.154, subnet mask 255.255.255.248
      MTU 1500 bytes, BW 100000 Kbit half duplex
        2053034 packets input, 486927215 bytes, 0 no buffer
        Received 1068648 broadcasts, 0 runts, 0 giants
        269 input errors, 124 CRC, 145 frame, 0 overrun, 124 ignored, 0 abort
        1014642 packets output, 98109936 bytes, 26 underruns
    interface ethernet1 inside is up, line protocol is up
      Hardware is i82557 ethernet, address is 00:a0:c9:34:23:23
      IP address 192.168.128.1, subnet mask 255.255.252.0
      MTU 1500 bytes, BW 10000 Kbit half duplex
        1095847 packets input, 103598967 bytes, 0 no buffer
        Received 95886 broadcasts, 0 runts, 0 giants
        22 input errors, 22 CRC, 0 frame, 0 overrun, 22 ignored, 0 abort
        975558 packets output, 387229999 bytes, 0 underruns
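When you are debugging a PIX, the counters in this output are the first thing to read. The script below is an added example, not code from the page or from Cisco: it parses the sh interface text above (embedded as a sample, re-wrapped one field per line) and reports what a troubleshooting session would want to look at: link and line-protocol state, nonzero input errors, output underruns, and the combination of half duplex with CRC or frame errors, which is a common symptom of a duplex mismatch with the attached switch port (that heuristic is this example's, not a statement from the page).

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# The page's sh interface output, re-wrapped one field per line; embedded here
# as sample input so the script runs offline.
SHOW_INTERFACE = """\
interface ethernet0 outside is up, line protocol is up
  Hardware is i82557 ethernet, address is 00:a0:c9:48:33:23
  IP address 1.251.174.154, subnet mask 255.255.255.248
  MTU 1500 bytes, BW 100000 Kbit half duplex
    2053034 packets input, 486927215 bytes, 0 no buffer
    Received 1068648 broadcasts, 0 runts, 0 giants
    269 input errors, 124 CRC, 145 frame, 0 overrun, 124 ignored, 0 abort
    1014642 packets output, 98109936 bytes, 26 underruns
interface ethernet1 inside is up, line protocol is up
  Hardware is i82557 ethernet, address is 00:a0:c9:34:23:23
  IP address 192.168.128.1, subnet mask 255.255.252.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
    1095847 packets input, 103598967 bytes, 0 no buffer
    Received 95886 broadcasts, 0 runts, 0 giants
    22 input errors, 22 CRC, 0 frame, 0 overrun, 22 ignored, 0 abort
    975558 packets output, 387229999 bytes, 0 underruns
"""

@dataclass
class Interface:
    name: str            # ethernet0, ethernet1, ...
    label: str           # outside, inside, ...
    up: bool
    protocol_up: bool
    mac: str = ""
    ip: str = ""
    mask: str = ""
    duplex: str = ""     # "half" or "full"
    counters: dict = field(default_factory=dict)

HEADER_RE = re.compile(r'^interface (\S+) "?(\w+)"? is (up|down), line protocol is (up|down)')
HW_RE = re.compile(r"address is (\S+)")
IP_RE = re.compile(r"IP address (\S+), subnet mask (\S+)")
DUPLEX_RE = re.compile(r"(half|full) duplex")
# "<number> <counter name>" items separated by commas, e.g. "124 CRC, 145 frame"
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)(?:,|$)")

def parse_show_interface(text: str) -> list[Interface]:
    """Turn sh interface output into one Interface record per interface."""
    ifaces: list[Interface] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            ifaces.append(Interface(m.group(1), m.group(2), m.group(3) == "up", m.group(4) == "up"))
            continue
        if not ifaces:
            continue                      # text before the first interface header
        cur = ifaces[-1]
        if line.startswith("Hardware"):
            cur.mac = HW_RE.search(line).group(1)
        elif line.startswith("IP address"):
            cur.ip, cur.mask = IP_RE.search(line).groups()
        elif line.startswith("MTU"):
            cur.duplex = DUPLEX_RE.search(line).group(1)
        elif line[:1].isdigit() or line.startswith("Received"):
            # "bytes" appears on both the input and the output line; keep them apart.
            direction = "input" if "input" in line else "output" if "output" in line else ""
            for value, key in COUNTER_RE.findall(line):
                key = key.strip()
                if key == "bytes" and direction:
                    key = f"bytes {direction}"
                cur.counters[key] = int(value)
    return ifaces

def interface_findings(iface: Interface) -> list[str]:
    """Return the observations a debugging engineer would want to follow up."""
    c = iface.counters
    findings = []
    if not (iface.up and iface.protocol_up):
        findings.append("link or line protocol is down")
    if c.get("input errors", 0):
        findings.append(f"{c['input errors']} input errors ({c.get('CRC', 0)} CRC, {c.get('frame', 0)} frame)")
    if iface.duplex == "half" and (c.get("CRC", 0) or c.get("frame", 0)):
        findings.append("half duplex with CRC/frame errors: check for a duplex mismatch on the switch port")
    if c.get("underruns", 0):
        findings.append(f"{c['underruns']} output underruns")
    return findings

if __name__ == "__main__":
    for iface in parse_show_interface(SHOW_INTERFACE):
        print(f"{iface.name} ({iface.label}) {iface.ip}/{iface.mask} {iface.duplex} duplex")
        for finding in interface_findings(iface):
            print("  -", finding)
```

Run against the page's output, the outside interface is reported with 269 input errors, the half-duplex/CRC observation and 26 underruns; the inside interface with 22 input errors and the half-duplex/CRC observation. Rising CRC and frame counts on a repeated sh interface are the signal; a one-off sample only says where to look.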

9.4 Configuring the Other VPN Capabilities

So far, in our discussion of the PIX firewall, we have demonstrated its use and configuration as a packet-filtering firewall and as a dynamic lookup and translation mechanism that hides the identities of internal machines. In this section we will briefly discuss how to build a virtual private network between two PIX units, connecting two private networks over the Internet as the transport medium.

9.4.1 Offering Services to the Internet Through Conduits and the static Command

The conduit command is a short-circuit mechanism that lets hosts on the outside network bypass the PIX's adaptive security mechanism to connect to hosts on the inside network. This isn't really as scary as it may sound. It is frequently required, and actually very normal, to punch holes in the firewall for specific, known services whose security can be monitored and tested before the hole is opened. You can put an exception into the PIX's adaptive security system either by using the conduit command or through the last parameter of the static command, an example of which is detailed below; Cisco recommends that the conduit command be used. Let us say that we have a mail-exchanging Unix host on our outside network, 1.251.174.155, and an SMTP/POP host on our inside network, 192.168.2.3. We wish to accomplish two things:

1. Map the address of our internal SMTP server statically to the translation-table address 2.241.11.254 (the first one chosen by the PIX).

2. Create a conduit that allows SMTP connections from our outside mail-exchanging host, and only from that host, to reach that static address.

Here's the pair of commands needed to produce the desired effect:

    static 2.241.11.254 192.168.2.3

[Figure: mailhost, inside address 192.168.2.3, outside (static) address 2.241.11.254]
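The security-relevant detail of a conduit is how narrow the hole is: the foreign-address part of the conduit decides whether only the outside mail exchanger, or the whole Internet, can reach the inside SMTP server. The following Python is an added example, not code or configuration from the page or from Cisco: it parses the static line above together with a conduit line, written here in the conduit permit form of PIX 4.2 and later (that conduit wording is an assumption; the page's own conduit command is not part of this excerpt), and then answers the question "may outside host X open port Y on global address Z, and which inside host receives it?" for a tight rule beside a loose one that uses any as the foreign address. The two configurations and the addresses 198.51.100.7 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names the 'eq' keyword accepts; only the ones this example needs.
PORT_NAMES = {"smtp": 25, "pop3": 110, "http": 80, "www": 80, "https": 443, "ssh": 22}

# Two constructed configurations. The 'static' line is the page's; the 'conduit'
# lines are assumptions in the PIX 4.2+ 'conduit permit' syntax, written to show
# the tight rule (only the outside MX host may reach SMTP) beside the loose one.
TIGHT_CONFIG = """\
static 2.241.11.254 192.168.2.3
conduit permit tcp host 2.241.11.254 eq smtp host 1.251.174.155
"""
LOOSE_CONFIG = """\
static 2.241.11.254 192.168.2.3
conduit permit tcp host 2.241.11.254 eq smtp any
"""

@dataclass
class Conduit:
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp", "udp", "icmp" or "ip"
    global_net: ipaddress.IPv4Network   # translated, outside-visible address(es)
    global_port: Optional[int]
    foreign_net: ipaddress.IPv4Network  # outside hosts allowed to use the hole
    foreign_port: Optional[int]

def _parse_spec(tokens, i):
    """Parse 'host A', 'any' or 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i

def parse_config(text):
    """Return ({global_ip: local_ip}, [Conduit, ...]) from static/conduit lines."""
    statics, conduits = {}, []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "static":          # old-style: static GLOBAL LOCAL
            statics[ipaddress.ip_address(t[1])] = ipaddress.ip_address(t[2])
        elif t[0] == "conduit":       # conduit permit|deny PROTO GSPEC [eq P] FSPEC [eq P]
            gnet, i = _parse_spec(t, 3)
            gport, i = _parse_port(t, i)
            fnet, i = _parse_spec(t, i)
            fport, i = _parse_port(t, i)
            conduits.append(Conduit(t[1], t[2], gnet, gport, fnet, fport))
    return statics, conduits

def inbound_decision(statics, conduits, src, dst, dport, proto="tcp", sport=None):
    """Decide whether outside host src may open proto to global address dst:dport.
    Returns (permitted, inside address as a string or None). Conduits are tried in
    order and the first match wins; with no match the adaptive security algorithm
    drops the unsolicited inbound connection."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for c in conduits:
        if c.proto not in (proto, "ip"):
            continue
        if dst_ip not in c.global_net or src_ip not in c.foreign_net:
            continue
        if c.global_port is not None and c.global_port != dport:
            continue
        if c.foreign_port is not None and sport is not None and c.foreign_port != sport:
            continue
        if c.action != "permit":
            return False, None
        local = statics.get(dst_ip)
        return True, (str(local) if local is not None else None)
    return False, None

def world_reachable(conduits):
    """List (global network, port) pairs any outside host may reach: the holes to
    review and test before the conduit goes live."""
    return [(str(c.global_net), c.global_port) for c in conduits
            if c.action == "permit" and c.foreign_net.prefixlen == 0]

if __name__ == "__main__":
    for name, cfg in (("tight", TIGHT_CONFIG), ("loose", LOOSE_CONFIG)):
        statics, conduits = parse_config(cfg)
        print(name, "MX host ->", inbound_decision(statics, conduits, "1.251.174.155", "2.241.11.254", 25),
              "| other host ->", inbound_decision(statics, conduits, "198.51.100.7", "2.241.11.254", 25),
              "| open to the world:", world_reachable(conduits))
```

With the tight rule, only 1.251.174.155 is admitted to port 25 of the static address and is delivered to 192.168.2.3; POP (port 110) and any other source are still dropped by the adaptive security algorithm. With any as the foreign address the same static becomes an SMTP server exposed to every outside host, which is exactly the kind of hole the text says should be monitored and tested before it is opened.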