Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cisco PIX firewall Set up 3 security zones ***CS580*** John Trafecanty Jules R. Nya Baweu August 23, 2005.

Published byJustina Fowler Modified over 8 years ago

Similar presentations

Presentation on theme: "Cisco PIX firewall Set up 3 security zones ***CS580*** John Trafecanty Jules R. Nya Baweu August 23, 2005."— Presentation transcript:

1 Cisco PIX firewall Set up 3 security zones ***CS580*** John Trafecanty Jules R. Nya Baweu August 23, 2005

2 PIX with 3 interfaces - 3 security zones Purpose - This is the most used PIX config. in use in most enterprise networks today - It allows company servers sitting on the DMZ interface to be accessed from the public network while other computers sitting on the inside remain secured and inaccessible by intruders. Firewall policy rules - Inside users can initiate connections to the outside and DMZ. - Outside users can initiate connections only to the DMZ but not to the inside. - DMZ servers can only initiate connections to the outside but not to the inside.

3 Pix with 3 interfaces - 3 security zones Outside Inside DMZ

4 Our environment of work

5 Our setup

6 Our setup - Simplified

7 Config. on Switch S2 - Vlan

8 Config. on Router R5

9 Config. on Router R6

10 Detailed config. command On the Cisco PIX Firewall nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security50 interface ethernet0 100basetx interface ethernet1 100basetx interface ethernet2 100basetx ip address outside 209.165.201.3 255.255.255.224 ip address inside 10.0.0.1 255.255.255.0 ip address dmz 192.168.0.1 255.255.255.0 fixup protocol ftp 21 fixup protocol http 80 fixup protocol smtp 25 fixup protocol h323 1720 fixup protocol rsh 514 fixup protocol sqlnet 1521 arp timeout 14400 names name 192.168.0.2 webserver pager lines 24 logging console 7 nat (inside) 1 10.0.0.0 255.255.255.0 nat (dmz) 1 192.168.0.0 255.255.255.0 global (outside) 1 209.165.201.10-209.165.201.30 global (outside) 1 209.165.201.5 global (dmz) 1 199.168.0.10-199.168.0.20 static (dmz,outside) 209.165.201.6 webserver

11 Detailed config. command On the Cisco PIX Firewall access-list acl_out permit tcp any host 209.165.201.6 eq http Access-group acl_out in interface outside rip outside passive version 2 rip outside default version 2 rip inside passive version 1 rip dmz passive version 2 route outside 0.0.0.0 0.0.0.0 209.165.201.1 1 mtu outside 1500 mtu inside 1500 mtu dmz 1500 telnet 10.0.0.199 inside telnet timeout 5 terminal width 80

12 Config. on Pix firewall

13 Scenario of traffic from inside to the outside – Telnet to the router R4 “This traffic is allowed”

14 Scenario of traffic from inside to the outside – ping to the router R4 “This traffic is allowed”

15 Scenario of traffic from outside to the inside – Telnet to Router R6 “Dest. Unreachable, since R6 is using private ip”

16 Scenario of traffic from outside to the DMZ – ping to Router R5 “Only http traffic is allowed to the dmz from outside”

17 Scenario of traffic from outside to the DMZ – Status on the Pix firewall after ping to Router R5 “Only http traffic is allowed to the dmz from outside”

18 Scenario of traffic from outside to the DMZ – Telnet to Router R5 “Telnet is no allowed to the dmz from outside”

19 Scenario of traffic from outside to the DMZ – Status on the Pix firewall after telnet to Router R5 “Telnet is no allowed to the dmz from outside”

20 Conclusion This lab project has shown an example of how to configure a stateful packet filter - Cisco PIX Firewall. The set up of the Cisco PIX firewall through the 3 security zones scheme is used today in complex networks and can provide an effective security protection for enterprise networks.

Download ppt "Cisco PIX firewall Set up 3 security zones ***CS580*** John Trafecanty Jules R. Nya Baweu August 23, 2005."

Similar presentations

DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
192.168.0.0/30 Host Name : R1 Serial 0/0/0.1.2 Host Name : R2 Router Lab 3 : 2 - Routers Connection DTE DCE.

/30 Host Name : R1 Serial 0/0/0.1.2 Host Name : R2 Router Lab 3 : 2 - Routers Connection DTE DCE.
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
KBOM Aim Develop a series of Success Factors for infrastructure security Demonstrate the Success Factors in a Physical security analogy Extend the analogy.

KBOM Aim Develop a series of Success Factors for infrastructure security Demonstrate the Success Factors in a Physical security analogy Extend the analogy.
Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.

Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
PIX Firewall. Stateful Packet Filter Runs on its own Operating System Assigning varying security levels to interfaces (0 – 100) Access Control Lists Extensive.

PIX Firewall. Stateful Packet Filter Runs on its own Operating System Assigning varying security levels to interfaces (0 – 100) Access Control Lists Extensive.
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.

Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.

TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 Classic IOS Firewall using CBACs.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 Classic IOS Firewall using CBACs.
CISCO PIX FIREWALL Configuration for DCSL Tuan Anh Nguyen CSCI 5234 University of Houston Clear Lake Fall Semester, 2005.

CISCO PIX FIREWALL Configuration for DCSL Tuan Anh Nguyen CSCI 5234 University of Houston Clear Lake Fall Semester, 2005.
Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.

Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol (IGP) invented by Cisco. It is used by routers to exchange routing.

Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol (IGP) invented by Cisco. It is used by routers to exchange routing.
1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)

1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)

Similar presentations

Ads by Google