Testing, Tracing, and Debugging

show interface

sh interface
interface ethernet0 outside is up, line protocol is up
  Hardware is i82557 ethernet, address is 00:a0:c9:48:33:23
  IP address 1.251.174.154, subnet mask 255.255.255.248
  MTU 1500 bytes, BW 100000 Kbit half duplex
        2053034 packets input, 486927215 bytes, 0 no buffer
        Received 1068648 broadcasts, 0 runts, 0 giants
        269 input errors, 124 CRC, 145 frame, 0 overrun, 124 ignored, 0 abort
        1014642 packets output, 98109936 bytes, 26 underruns
interface ethernet1 inside is up, line protocol is up
  Hardware is i82557 ethernet, address is 00:a0:c9:34:23:23
  IP address 192.168.128.1, subnet mask 255.255.252.0
  MTU 1500 bytes, BW 10000 Kbit half duplex
        1095847 packets input, 103598967 bytes, 0 no buffer
        Received 95886 broadcasts, 0 runts, 0 giants
        22 input errors, 22 CRC, 0 frame, 0 overrun, 22 ignored, 0 abort
        975558 packets output, 387229999 bytes, 0 underruns
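Reading these counters by eye is error-prone, so here is an added example (not from the book, and not Cisco code) that parses output in the format shown above and flags interfaces whose input error rate or underrun count deserves attention; the sample text, the 100 parts-per-million threshold and the counter names it derives are constructed for the example.

```python
import re
# Constructed sample in the format of the PIX "sh interface" output above (not a real capture).
SAMPLE = """\
interface ethernet0 outside is up, line protocol is up
  IP address 1.251.174.154, subnet mask 255.255.255.248
  MTU 1500 bytes, BW 100000 Kbit half duplex
        2053034 packets input, 486927215 bytes, 0 no buffer
        Received 1068648 broadcasts, 0 runts, 0 giants
        269 input errors, 124 CRC, 145 frame, 0 overrun, 124 ignored, 0 abort
        1014642 packets output, 98109936 bytes, 26 underruns
interface ethernet1 inside is up, line protocol is up
        1095847 packets input, 103598967 bytes, 0 no buffer
        Received 95886 broadcasts, 0 runts, 0 giants
        22 input errors, 22 CRC, 0 frame, 0 overrun, 22 ignored, 0 abort
        975558 packets output, 387229999 bytes, 0 underruns
"""
HEADER = re.compile(r"^interface (\S+) (\S+) is (\w+), line protocol is (\w+)")
COUNTER = re.compile(r"\b(\d+) ([^,]+)")  # "<number> <counter name>" pairs on a counter line

def parse_show_interface(text):
    ifaces, cur = {}, None  # {ifname: {"name", "status", "protocol", <counter>: int, ...}}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = ifaces[m.group(1)] = {"name": m.group(2), "status": m.group(3), "protocol": m.group(4)}
            continue
        s = line.strip()
        if cur is None or not (s[:1].isdigit() or s.startswith("Received")):
            continue  # IP/MTU lines contain numbers too, but they are not counters
        for value, key in COUNTER.findall(s):
            key = key.strip()
            if key == "bytes":  # "bytes" appears on both the input and the output line
                key = "bytes input" if "input" in s else "bytes output"
            cur[key] = int(value)
    return ifaces

def health_findings(ifaces, max_error_ppm=100):
    findings = {}  # ifname -> list of human-readable findings
    for ifname, st in ifaces.items():
        notes = []
        if st["status"] != "up" or st["protocol"] != "up":
            notes.append("interface or line protocol not up")
        ppm = st["input errors"] * 1_000_000 // max(st["packets input"], 1)
        if ppm > max_error_ppm:
            notes.append(f"input error rate {ppm} ppm exceeds {max_error_ppm} ppm")
        if st["underruns"]:
            notes.append(f"{st['underruns']} output underruns")
        if notes:
            findings[ifname] = notes
    return findings
```

On the sample, ethernet0 is reported (about 131 errors per million input packets plus 26 underruns) while ethernet1 stays quiet; a persistent rise in these counters on the outside interface is worth correlating with the other debugging output in this section.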

9.4 Configuring the Other VPN Capabilities

So far, in our discussion of the PIX firewall, we have demonstrated its use and configuration as a packet filtration firewall and as a dynamic lookup and translation mechanism that hides the identity of internal machines. In this section we will briefly discuss how to build a virtual private network between two PIX units, thus connecting private networks with the Internet as a transport medium.

9.4.1 Offering Services to the Internet Through Conduits and the static Command

The conduit command is a short-circuit mechanism that lets hosts on the outside network bypass the PIX's adaptive security mechanism to connect to hosts on the inside network. This isn't really as scary as it may sound. It is frequently required and actually very normal to punch holes in the firewall for specific, known services, the security of which can be monitored and tested before the hole is opened. You can put in an exception to the PIX's adaptive security system either by using the conduit command or as the last parameter of the static command, an example of which is detailed below. But Cisco recommends that the conduit command be used.

Let us say that we have a mail-exchanging Unix host on our outside network (1.251.174.155) and an SMTP/POP host on our inside network (192.168.2.3). We wish to accomplish two things:

1. Map the address of our internal SMTP server statically to the translation table address 1.241.11.254 (the first one chosen by PIX).
2. Create a conduit that allows SMTP traffic to flow from that static address to our outside mail-exchanging host.

Here's the pair of commands needed to produce the desired effect:

    static 2.241.11.254 192.168.2.3
    mailhost inside, outside 2.241.11.254 192.168.2.3 32 24

The static command merely assigns a fixed address so that the mail server won't continually get a NAT-assigned address from the pool. It is difficult to send mail to a machine whose address is always changing. The mailhost command is a variant of the conduit command that allows incoming port 25 traffic to the static translation slot assigned to the mail server at 192.168.2.3. It is different from conduit because it actually looks at the directive and arguments being passed to the mail server (HELO, MAIL, RCPT, DATA, RSET, NOOP, or QUIT). It allows only the most basic of commands, thereby reducing the threat of an outsider sending unwanted commands in attempts to compromise the machine.

Now let's assume that we have a web server that we want to assign a fixed address to and create a conduit for, much like the mail host in the previous example. We would perform essentially the same tasks to allow only port 80 traffic to the unit:

    static 2.241.11.257 192.168.2.99
    conduit inside, outside 2.241.11.257 80 tcp 0 0

The "0 0" part on the end is a PIX shorthand for the default network, pointing to everything. Hence, this pair of commands would allow any host anywhere on the outside interface to come in through the PIX using only TCP port 80, and only to the address 2.241.11.257, which is statically linked to internal host 192.168.2.99.
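As an added example (not from the book and not Cisco's PIX code), the following Python model captures what the two command pairs in this section do: it parses the static, conduit and mailhost lines, decides whether a connection arriving on the outside interface is permitted and to which inside address it is translated, and applies the mailhost verb restriction to an SMTP dialogue. It assumes mailhost behaves as a TCP port 25 conduit open to any foreign host plus the verb filter, and it uses a constructed global address 2.241.11.253 for the web server, because the text's 2.241.11.257 is not a valid IPv4 address.

```python
import ipaddress
from dataclasses import dataclass, field

# The SMTP verbs the text says the mailhost command lets through (the Mail Guard idea).
MAILHOST_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# Constructed configuration mirroring the section; 2.241.11.253 stands in for the text's 2.241.11.257.
CONFIG = """\
static 2.241.11.254 192.168.2.3
mailhost inside,outside 2.241.11.254 192.168.2.3
static 2.241.11.253 192.168.2.99
conduit inside,outside 2.241.11.253 80 tcp 0 0
"""

def foreign_net(ip, mask):
    # PIX shorthand: "0 0" means 0.0.0.0 mask 0.0.0.0, i.e. any foreign host
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

@dataclass
class Policy:
    statics: dict = field(default_factory=dict)   # global address -> inside address
    conduits: list = field(default_factory=list)  # (global, port, proto, foreign net, mailguard)

    def load(self, config):
        for line in config.splitlines():
            t = line.split()
            if not t: continue
            if t[0] == "static":      # static <global> <local>
                self.statics[t[1]] = t[2]
            elif t[0] == "conduit":   # conduit <ifaces> <global> <port> <proto> <foreign> <mask>
                self.conduits.append((t[2], int(t[3]), t[4], foreign_net(t[5], t[6]), False))
            elif t[0] == "mailhost":  # assumption: tcp/25 from anywhere, with the verb filter
                self.conduits.append((t[2], 25, "tcp", foreign_net("0", "0"), True))
        return self

    def inbound(self, foreign_ip, global_ip, proto, port):
        # Returns (permitted, inside address the packet is translated to, mail guard applies)
        src = ipaddress.ip_address(foreign_ip)
        for g, p, pr, net, mg in self.conduits:
            if (g, p, pr) == (global_ip, port, proto) and src in net:
                return True, self.statics.get(global_ip), mg
        return False, None, False

def filter_smtp(commands):
    # Mail Guard model: each command is kept only if its verb is in the basic set above.
    return [(c, (c.split() or [""])[0].upper() in MAILHOST_VERBS) for c in commands]
```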

9.4.2 Tunneling with the link Directive

The most stellar application of the PIX firewall is to create a ready-made tunnel. To create a virtual private network per the guidelines detailed in this book, a private encrypted tunnel needs to be created between two separate sites. The PIX firewall, in addition to its deployment as a packet restriction firewall and a dynamic translation mechanism, can also be used in this capacity through the link command. Of course, at least two PIX units are required to create the link. The link command establishes an encrypted link between two PIX units, thus letting the two sites carry on secure communications over their outside networks. Currently, you can link together up to 64 different PIX firewall sites in this fashion. Cisco calls this security mechanism a private link feature; it requires the installation of a separate encryption card in the PIX unit, along with the appropriate PIX software. All PIX firewalls that you intend to use for tunnels must be installed with both of these components.

The private link operates by scanning packets that arrive at its inside interface. Packets that match the PIX's list of route link configurations are encrypted and encapsulated in a UDP frame, then sent off across the outside interface. The PIX uses UDP port 1123 to exchange its private link information. When the encrypted bundle arrives at the destination unit, the packet is unwrapped, decrypted, and forwarded on to the inside interface.

As an example using our networks, let's assume that we added another PIX firewall to our San Francisco office. The networks the service provider allocated were 5.182.95.248/29 for the outside interface and 6.242.188.0/24 for the global pool. Our administrator in San Francisco decided to assign the address 5.182.95.250 to the PIX's outside interface. The configuration of the rest of the machine is similar to the first site we discussed.
In the configuration example below, we link together the two PIX units using their outside Ethernet interfaces with a special secret key shared by both systems.