Configuring the PIX as a Gateway

A Sample Configuration
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password testing
    password testing
    hostname lab-test-1
    no failover
    names
    pager lines 24
    syslog output 20.3
    no syslog console
    syslog host 192.168.2.2
    interface ethernet0 auto
    interface ethernet1 auto
    ip address outside 1.251.174.156 255.255.255.248
    ip address inside 192.168.2.1 255.255.255.0
    arp timeout 14400
    global outside 1 2.241.11.249-2.241.11.251
    global outside 2 2.241.11.252-2.241.11.254
    nat inside 2 192.168.2.128 255.255.255.128
    age 10
    route outside 0.0.0.0 0.0.0.0 1.251.174.154 1
    no rip outside passive
    no rip outside default
    no rip inside passive
    no rip inside default
    timeout xlate 24:00:00 conn 12:00:00 udp 00:02:00
    timeout rpc 00:10:00 h323 00:05:00 uauth 00:05:00
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    telnet 192.168.2.2 255.255.255.255
    mtu outside 1500
    mtu inside 1500

This is a lab configuration: the telnet and enable passwords (testing) and the SNMP community string (public) are placeholders and should not be carried into a production firewall.
The two nameif commands assign short names to the two interfaces, outside and inside, and give each a security level (security0 for the outside, security100 for the inside). The PIX permits traffic from a higher-level interface to a lower-level one by default and blocks the reverse direction unless it is explicitly allowed. Then the two interface commands define the speed at which the interfaces operate. We used the auto keyword to have the hardware negotiate speed and duplex with the Ethernet it is attached to. The ip address commands use the assigned names to establish the network configuration for the internal and external networks. The internal network we chose is part of the unroutable RFC 1918 block 192.168.0.0/16, which is traditionally used for hosts requiring Network Address Translation (NAT) on an interior network protected by a firewall such as the PIX.
As Figure 9-1 depicts, we don't have an internal router. The network we used for testing was very small, so an internal router was not necessary. You can see this in the configuration by studying the single route command entry, which points the default route (0.0.0.0 0.0.0.0) to the gateway to which the PIX sends external traffic, 1.251.174.154, an address on the same /29 as the outside interface. Logically enough, you are always required to specify an outside router; the inside network needs no route because it is directly connected.
The rip command sets whether the PIX broadcasts a default route using the RIP protocol (the default keyword) or listens for RIP routes (the passive keyword) on the inside or outside interface. Our sample configuration disables all RIP route propagation and listening, since our example was so small. Should you have an internal router that extends the network to other locations, you would need to add a route on the inside interface pointing to the router responsible for reaching the rest of the network, and you may need to enable RIP on the PIX so that it learns every internal network that may need access to the outside network.
The timeout commands set how long a translation (xlate) slot or a connection (conn) slot may sit idle before it is cleared. The timeout is specified in the format hours:minutes:seconds; in the sample, translations age out after 24 hours of inactivity and TCP connections after 12 hours, while UDP, RPC, H.323 and user-authentication (uauth) entries expire within minutes. The PIX derives much of its security from creating dynamic translations between internal hosts on unroutable networks and external routable addresses, and from hiding this process from the external peer. By lengthening the timeouts to several hours or even days, you lose some of that security, because an outside attacker has a stable mapping to study for longer and more time to stage a compromise against it. Further, if you lengthen the timeouts, internal hosts competing for the few global addresses may find none available, and their connections will be slowed or refused. It is up to the network administrator to analyze the network for average use patterns and to adjust the timeouts appropriately.
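The trade-off in the preceding paragraph (a long xlate timeout holds global addresses for idle hosts, so later hosts find the pool empty) can be made concrete with a small allocator model. The following is an added example, not code from the chapter or from Cisco: it models a dynamic NAT pool under an idle timeout, using constructed traffic from six inside hosts sharing three global addresses. The assumption that a translation's idle clock restarts at each connection attempt by its host is a simplification of the real xlate behaviour.

```python
# Constructed traffic (assumption): six inside hosts behind a three-address
# global pool. Each host opens one connection ten minutes after the previous
# host, and all six repeat the pattern one hour later.
HOSTS = ["192.168.2.%d" % n for n in range(129, 135)]
EVENTS = sorted((start + 600 * i, host)
                for start in (0, 3600) for i, host in enumerate(HOSTS))


def simulate_xlate_pool(pool_size, xlate_timeout, events=EVENTS):
    """Model dynamic NAT pool allocation under an idle timeout (seconds).

    Simplification (assumption): a translation's idle clock restarts at each
    connection attempt by its host, and a host needs a global address only
    when it holds no live translation. Returns (served, refused) counts.
    """
    slot_of = {}      # host -> index of the global address it currently holds
    last_use = {}     # host -> time of its last connection attempt
    served = refused = 0
    for now, host in events:
        # Expire translations that have sat idle for the full xlate timeout.
        for h in [h for h in slot_of if now - last_use[h] >= xlate_timeout]:
            del slot_of[h]
        if host not in slot_of:
            free = set(range(pool_size)) - set(slot_of.values())
            if not free:
                refused += 1        # pool exhausted: the connection fails
                continue
            slot_of[host] = min(free)
        last_use[host] = now
        served += 1
    return served, refused


if __name__ == "__main__":
    for label, timeout in (("xlate 24:00:00", 24 * 3600), ("xlate 00:15:00", 15 * 60)):
        print(label, "served/refused:", simulate_xlate_pool(3, timeout))
```

With the chapter's 24-hour xlate timeout, the first three hosts keep their addresses across the whole run and the other three are refused every time; with a 15-minute timeout, every attempt in this traffic pattern is served. The right value lies wherever your own hosts' idle gaps fall, which is why the paragraph tells you to measure average use before choosing it.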
The telnet and syslog host commands set the host address from which telnet sessions may connect to the PIX and the host to which logging information is sent. Only inside network addresses may be used to connect to the PIX. In our example, we set up the administrator's workstation at IP address 192.168.2.2 as our only point of access into the PIX; the same host receives the syslog messages. The configuration allows a mask to be entered after the address so that a whole range may be allowed telnet access; the 255.255.255.255 mask in the sample restricts access to that single host. In our example, our PIX is connected to a DMZ network in the address range 1.251.174.152/29. Our ISP assigned us the range 2.241.11.248/29, routed to our PIX's address 1.251.174.156 as per the ip address definition above. We decided to split this network into two ranges, some addresses for dynamic NAT translation slots and some for static translations, which are paired with conduits, described later in this chapter.
From the configuration we presented, you can see that the two global commands define these two ranges. We will be using range 1 (2.241.11.249-2.241.11.251) for our static translations and conduits, and range 2 (2.241.11.252-2.241.11.254) for our dynamic NAT hosts. The NAT configuration is accomplished by the nat command in the example configuration; its ID, 2, ties it to global pool 2. Thus the internal hosts in 192.168.2.128/25 (192.168.2.129 through 192.168.2.254) will be able to obtain dynamic NAT addresses from the PIX in the second range, 2.241.11.252-2.241.11.254. Note that this gives up to 126 internal hosts only three global addresses, so the pool is exhausted as soon as a fourth host is active within the xlate timeout, and hosts in the other half of 192.168.2.0/24 match no nat statement and receive no translation at all.
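The relationships the last three sections rely on (the default gateway must sit on the outside subnet, global pool addresses must be usable addresses of the ISP-routed block, each nat ID must match a global ID, and telnet and syslog hosts must be on an inside network) are easy to get wrong by hand. The following is an added example, not code from the chapter or from Cisco: a small checker that parses the addressing commands of a PIX 4.x style configuration and reports these consistency problems. The embedded configuration is the chapter's lab configuration reduced to the commands the checks use; the ISP block passed in is the chapter's 2.241.11.248/29.

```python
import ipaddress

# Constructed sample: the chapter's lab configuration, reduced to the commands
# the checks below look at, one command per line (the chapter's addresses).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 1.251.174.156 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
global outside 1 2.241.11.249-2.241.11.251
global outside 2 2.241.11.252-2.241.11.254
nat inside 2 192.168.2.128 255.255.255.128
route outside 0.0.0.0 0.0.0.0 1.251.174.154 1
telnet 192.168.2.2 255.255.255.255
syslog host 192.168.2.2
"""


def parse_config(text):
    """Pick out the addressing commands of a PIX 4.x style configuration."""
    cfg = {"interfaces": {}, "globals": {}, "nats": [], "routes": [],
           "telnet": [], "syslog": []}
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[:2] == ["ip", "address"]:            # ip address <if> <ip> <mask>
            cfg["interfaces"][f[2]] = ipaddress.ip_interface(f"{f[3]}/{f[4]}")
        elif f[0] == "global":                     # global <if> <id> <first>[-<last>]
            first, _, last = f[3].partition("-")
            cfg["globals"].setdefault(f[2], []).append(
                (ipaddress.ip_address(first), ipaddress.ip_address(last or first)))
        elif f[0] == "nat":                        # nat <if> <id> <local_ip> <mask>
            cfg["nats"].append((f[1], f[2],
                                ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)))
        elif f[0] == "route":                      # route <if> <dest> <mask> <gw> [metric]
            cfg["routes"].append((f[1], ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False),
                                  ipaddress.ip_address(f[4])))
        elif f[0] == "telnet":                     # telnet <ip> <mask>
            cfg["telnet"].append(ipaddress.ip_network(f"{f[1]}/{f[2]}", strict=False))
        elif f[:2] == ["syslog", "host"]:
            cfg["syslog"].append(ipaddress.ip_address(f[2]))
    return cfg


def check_config(text, isp_block):
    """Return a list of (severity, message) findings for the configuration.

    isp_block is the block the ISP routes to the outside interface.
    """
    cfg = parse_config(text)
    isp = ipaddress.ip_network(isp_block)
    ifaces = cfg["interfaces"]
    inside_nets = [i.network for name, i in ifaces.items() if name != "outside"]
    findings = []

    # A route's next hop must sit on the subnet of the interface it leaves by.
    for if_name, dest, gw in cfg["routes"]:
        if if_name in ifaces and gw not in ifaces[if_name].network:
            findings.append(("error", f"route via {gw} is not on the {if_name} "
                                      f"subnet {ifaces[if_name].network}"))
    if not any(dest.prefixlen == 0 for _, dest, _ in cfg["routes"]):
        findings.append(("error", "no default route: the PIX always needs an outside router"))

    # Global pool addresses must be usable addresses of the ISP-routed block.
    pool_size = {}
    for pid, ranges in cfg["globals"].items():
        pool_size[pid] = 0
        for first, last in ranges:
            for n in range(int(first), int(last) + 1):
                addr = ipaddress.ip_address(n)
                if addr not in isp or addr in (isp.network_address, isp.broadcast_address):
                    findings.append(("error", f"global {pid} address {addr} is not a "
                                              f"usable address in {isp}"))
                pool_size[pid] += 1

    # Each nat must name an existing pool and cover only hosts behind its interface.
    for if_name, nid, local in cfg["nats"]:
        if if_name in ifaces and not local.subnet_of(ifaces[if_name].network):
            findings.append(("error", f"nat {nid} local range {local} is not behind {if_name}"))
        if nid not in pool_size:
            findings.append(("error", f"nat {nid} references global pool {nid}, which is not defined"))
            continue
        hosts = max(local.num_addresses - 2, 1)
        if hosts > pool_size[nid]:
            findings.append(("warning", f"nat {nid}: up to {hosts} local hosts share "
                                        f"{pool_size[nid]} global addresses; a long xlate "
                                        f"timeout will exhaust the pool"))

    # Management access and logging must stay on inside networks.
    for net in cfg["telnet"]:
        if not any(net.subnet_of(n) for n in inside_nets):
            findings.append(("error", f"telnet {net} allows management from outside the inside networks"))
    for host in cfg["syslog"]:
        if not any(host in n for n in inside_nets):
            findings.append(("error", f"syslog host {host} is not on an inside network"))
    return findings


if __name__ == "__main__":
    for severity, message in check_config(SAMPLE_CONFIG, "2.241.11.248/29"):
        print(f"{severity}: {message}")
```

Run against the chapter's configuration the checker reports no errors and one warning: the 126 hosts of 192.168.2.128/25 share the three addresses of global pool 2, which is exactly the pool-exhaustion risk the timeout discussion above warns about. Changing the route's gateway to an address off the outside /29, or the nat ID to a pool that does not exist, each produces an error.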