A Sample Configuration: Configuring the PIX as a Gateway

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password testing
password testing
hostname lab-test-1
no failover
names
pager lines 24
syslog output 20.3
no syslog console
syslog host 192.168.2.2
interface ethernet0 auto
interface ethernet1 auto
ip address outside 1.251.174.156 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
arp timeout 14400
global outside 1 2.241.11.249-2.241.11.251
global outside 2 2.241.11.252-2.241.11.254
nat inside 2 192.168.2.128 255.255.255.128 age 10
route outside 0.0.0.0 0.0.0.0 1.251.174.154 1
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
timeout xlate 24:00:00 conn 12:00:00 udp 00:02:00
timeout rpc 00:10:00 h323 00:05:00 uauth 00:05:00
no snmp-server location
no snmp-server contact
snmp-server community public
telnet 192.168.2.2 255.255.255.255
mtu outside 1500
mtu inside 1500

The two nameif commands assign short names to the two interfaces: outside and inside. The two interface commands then define the speed at which the interfaces operate; we used the auto keyword to have the hardware automatically sync to the Ethernet it is attached to. The ip address commands use the assigned names to establish the network configuration for the internal and external networks. The internal network we chose is part of the unroutable RFC 1918 network 192.168.0.0, which is traditionally used for hosts requiring Network Address Translation (NAT) on an interior network protected by a firewall such as the PIX. As Figure 9-1 depicts, we don't have an internal router: the network we used for testing was very small and an internal router was not necessary. You can see this in the configuration by studying the route command entry, which points the default route (0.0.0.0) to the gateway to which the PIX sends external traffic, 1.251.174.154. Logically enough, you are always required to specify an outside router.
The rip command sets whether the PIX should or should not broadcast default routing information using the RIP protocol on either the inside or the outside interface. Our sample configuration disables all RIP route propagation, since our example network is so small. Should you have an internal router that extends the network to other locations, you would need to point the default internal route mentioned above at the router responsible for reaching the rest of the network, and you may be required to set up RIP routes on the PIX so that it can see everything that may need access to the outside network.

The timeout commands set how much time must pass before a translation slot or a connection slot is cleared. The timeout is specified in the format hours:minutes:seconds. The PIX derives much of its security strength from creating dynamic translations between internal hosts on unroutable networks and external routable addresses, and from hiding this process from the external peer. By lengthening the timeouts to several hours or even days, you lose some of that security, because outside attackers have longer to study a peer-to-peer connection and may have enough time to stage a compromise. Further, if you lengthen the timeouts, internal hosts that are vying for external addresses may find no address available, and their connections could be slowed down or stopped altogether. It is up to the network administrator to analyze the network for average use patterns and to adjust the timeouts appropriately.

The telnet and syslog host commands set the host address from which telnet sessions may connect to the PIX and the host to which logging information is sent. Only inside network addresses may be used to connect to the PIX. In our example, we set up the administrator's workstation at IP address 192.168.2.2 as our only point of access into the PIX. The configuration allows a mask to be entered after the address so that a whole range of hosts may be allowed telnet access.
In our example, our PIX is connected to a DMZ network in the address range 1.251.174.152/29. Our ISP assigned us the range 2.241.11.248/29, routed to our PIX's address at 1.251.174.156 as per the ip address definition above. We decided to split this network into two ranges: some addresses for dynamic NAT translation slots, and some for use with static translation slots, called conduits, described later in this chapter. In the configuration we presented, you can see that the two global commands define these two ranges. We will be using range 1 (2.241.11.249-2.241.11.251) for our conduits, and range 2 (2.241.11.252-2.241.11.254) for our dynamic NAT hosts. The NAT configuration itself is accomplished by the nat command in the example configuration. Thus, the internal hosts in the range 192.168.2.128-192.168.2.254 will be able to obtain dynamic NAT addresses from the PIX in the second range (2.241.11.252-2.241.11.254).

9.3.3 Firewall Configuration on the PIX

Although PIX access control is somewhat similar in form to the IOS-based access lists, the PIX uses a combination of the keywords outbound, apply, and show outbound to accomplish the same types of tasks. While standard Cisco routers require explicit commands to shut out incoming traffic, the Dynamic Address Translation feature of the PIX normally blocks inbound traffic to machines on the inside network by default. Because of this, there are no inbound packet filtering commands. There are inbound commands, however, that allow connections even though the firewall is in place; we will cover these shortly. We tested the default behavior of the PIX by using the configuration previously illustrated and carrying out several tests, the results of which are summarized here. We logged on to a machine on the outside network (1.251.174.155) and tried to ping one of the translation table addresses: one of the test machines we set up on the inside network that had been dynamically given a NAT address in the second global pool (2.241.11.254). The connection was denied. The PIX also barred us from opening a connection to a known port on the inside machine, even directly after an outbound connection was made from that unit. A machine on the Internet was found to exhibit exactly the same behavior. The Cisco PIX firewall thus provides a level of protection right out of the box, without complex configuration, testing, or troubleshooting. By using the conduit and/or static commands covered later in this chapter, we can set up special configurations that allow inbound connections to occur through the firewall. Thus, our mail server, web server, and FTP server can be contacted and deliver information to or from the outside world. Before we foray further into the practice of punching holes in the PIX firewall, we will take our sample configuration and add some more restrictions to our inside Ethernet hosts.
Let's say that we have decided, in our role as the network administrators, that we wish to deny outbound web access from the single internal host 192.168.2.100 and from the range of hosts 192.168.2.128 to 192.168.2.254. Further, we have deemed the telnet protocol to be troublesome and wish to deny all hosts on the inside network telnet access, except our own workstation, 192.168.2.2. The following configuration parameters accomplish these tasks:

outbound 11 deny 192.168.2.100 255.255.255.255 80
outbound 11 deny 192.168.2.128 255.255.255.128 80
outbound 11 permit 192.168.2.2 255.255.255.255 23
outbound 11 deny 192.168.2.0 255.255.255.0 23
apply inside 11 outgoing_src

The 11 following the outbound command refers to the access list used to group the firewall instructions. The masks following the IP addresses, such as the 255.255.255.128 following 192.168.2.128, are netmasks, so an entry refers to a whole range of hosts rather than just to an individual node. Some immediate differences appear when you compare the preceding access lists to those that would be found on any ordinary Cisco routing product running IOS. Most noticeable is that the PIX Firewall uses a single host/network pair to control access, whereas IOS uses a double host/network pair (source and destination). For example, you might find something like the following on an Internet-connected serial interface on a Cisco 7500 to produce the same results as the first line in our PIX firewall:

access-list 101 deny tcp 192.168.2.100 0.0.0.0 0.0.0.0 255.255.255.255 eq 80

Also, the PIX uses the apply keyword to activate or deactivate the access control provided by the outbound directives. In addition to checking where packets come from, as in our example, we can check the destinations of our packets. To illustrate, let's say that site 1.1.1.1 on the Internet has unsavory materials on it and you wish to block all access to this site from your network.
The following configuration accomplishes this:

outbound 12 deny 1.1.1.1 255.255.255.255
apply inside 12 outgoing_dest

You'll notice a couple of things. First, we used another outbound access list, numbered 12, to handle the new configuration. We feel it best to separate the outgoing-destination firewall lists from the outgoing-source lists. Although not required, it does help keep things more
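To check how the outbound lists above behave before committing them to a firewall, here is a small evaluator, added for this chapter as an example and not part of the book or of the PIX software. It parses the outbound and apply lines from the two lists (11 applied as outgoing_src, 12 as outgoing_dest) and answers whether a given outbound flow would pass. Two modelling assumptions are labelled in the code: entries are matched by the most specific netmask (for the chapter's lists first-match gives the same answers), and traffic matched by no applied list is permitted, as the text describes for outbound traffic. The test flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example: the two outbound lists from the chapter and their apply lines.
SAMPLE_CONFIG = """
outbound 11 deny 192.168.2.100 255.255.255.255 80
outbound 11 deny 192.168.2.128 255.255.255.128 80
outbound 11 permit 192.168.2.2 255.255.255.255 23
outbound 11 deny 192.168.2.0 255.255.255.0 23
apply inside 11 outgoing_src
outbound 12 deny 1.1.1.1 255.255.255.255
apply inside 12 outgoing_dest
"""


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # single host/network pair, unlike IOS
    port: Optional[int]              # None means any port


def parse_config(text: str):
    """Return ({list_id: [Entry, ...]}, {list_id: "outgoing_src"|"outgoing_dest"})."""
    lists, applies = {}, {}
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "outbound":
            # outbound <list_id> permit|deny <ip> <mask> [<port>]
            list_id, action, ip, mask = parts[1], parts[2], parts[3], parts[4]
            port = int(parts[5]) if len(parts) > 5 else None
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            lists.setdefault(list_id, []).append(Entry(action, net, port))
        elif parts[0] == "apply":
            # apply <interface> <list_id> outgoing_src|outgoing_dest
            applies[parts[2]] = parts[3]
    return lists, applies


def best_match(entries, addr, dport) -> Optional[Entry]:
    """Most specific (longest-mask) entry whose network and port cover the flow.
    Assumption of this model; the chapter's lists give the same result under
    first-match evaluation."""
    candidates = [e for e in entries
                  if addr in e.network and (e.port is None or e.port == dport)]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e.network.prefixlen)


def outbound_allowed(lists, applies, src: str, dst: str, dport: int) -> bool:
    """True if an outbound flow passes every applied list. Lists applied as
    outgoing_src are checked against the source address, outgoing_dest
    against the destination; unmatched traffic is permitted (assumed)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for list_id, mode in applies.items():
        addr = src_ip if mode == "outgoing_src" else dst_ip
        match = best_match(lists.get(list_id, []), addr, dport)
        if match is not None and match.action == "deny":
            return False
    return True


def check(src: str, dst: str, dport: int) -> bool:
    lists, applies = parse_config(SAMPLE_CONFIG)
    return outbound_allowed(lists, applies, src, dst, dport)


if __name__ == "__main__":
    # Constructed flows exercising each rule in the chapter's lists.
    for flow in [("192.168.2.100", "5.6.7.8", 80),   # denied: host blocked on port 80
                 ("192.168.2.100", "5.6.7.8", 443),  # allowed: only port 80 is blocked
                 ("192.168.2.130", "5.6.7.8", 80),   # denied: in 192.168.2.128/25
                 ("192.168.2.2", "5.6.7.8", 23),     # allowed: /32 permit beats /24 deny
                 ("192.168.2.50", "5.6.7.8", 23),    # denied: /24 telnet deny
                 ("192.168.2.50", "1.1.1.1", 80),    # denied: list 12 by destination
                 ("192.168.2.50", "1.1.1.2", 80)]:   # allowed
        print(flow, "allowed" if check(*flow) else "denied")
```

The evaluator makes the difference from IOS visible in code: each Entry carries one address/mask pair, and the apply mode decides whether that pair is compared with the source or the destination of the flow.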