Configuring the PIX Firewall Presented by Drew Spesard.



3 Firewall Design Criteria
- Hosts offering public services/access are insecure
- Internal network hosts should not offer public services/access
- Private networks and hosts should not be visible
- Stateful connection awareness

4 Firewall Design - PIX with 2 Interfaces (diagram: Demilitarized Zone (DMZ))

5 Firewall Design - PIX with 3 Interfaces

6 Network Address Translation (NAT)
Translates IP addresses within private "internal" networks to "legal" IP addresses for transport over public "external" networks (such as the Internet). Multiple translation schemes are available:
– “Many-to-One” or Port Address Translation (PAT)
– “Many-to-Many” with pools of public IP addresses
– Combination of PAT and pools

7 Port Address Translation (PAT) Many “internal” IP addresses can be translated into a shared, single “external” IP address. The PIX maintains “stateful” information about every IP session and creates a table that maintains source and destination TCP/UDP ports for each outbound IP session. This way, multiple IP sessions can share a single “external” IP address.

8 Port Address Translation
Assume the following connections are made from the internal network to the Internet:
  Source IP: 10.1.1.19:4003, Dest IP: 209.30.130.12:23
  Source IP: 10.1.1.42:2014, Dest IP: 199.1.1.30:80
  Source IP: 10.1.2.34:3356, Dest IP: 200.1.2.3:110
Packet flows shown in the diagram (PIX external address 200.200.200.1):
  SRC: 10.1.1.19:4003 DST: 209.30.130.12:23   /  return SRC: 209.30.130.12:23 DST: 200.200.200.1:23004
  SRC: 10.1.1.42:2014 DST: 199.1.1.30:80      /  return SRC: 199.1.1.30:80 DST: 200.200.200.1:21234
  SRC: 10.1.1.34:3356 DST: 200.1.2.3:110      /  return SRC: 200.1.2.3:110 DST: 200.200.200.1:20008
PIX Translation Table:
  10.1.1.34:3356 - 200.200.200.1:23708
  10.1.1.42:2014 - 200.200.200.1:23834
  10.1.1.19:4003 - 200.200.200.1:23804
As a packet returns from the external host with destination IP address = 200.200.200.1, the PIX finds the destination port in its connection table and forwards the packet to the correct inside host.
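To make the stateful lookup concrete, here is a small Python model of the PAT table above. It is an added example, not PIX code; it assumes a single global address of 200.200.200.1 and constructed port numbers, and shows that a return packet is only forwarded when it matches an existing session, including the peer the session was opened to.

```python
from itertools import count

class PatTable:
    """Stateful many-to-one translation table modelled on the slide's PIX PAT table
    (added example, not PIX code). Each outbound session gets its own port on the
    single global address; a return packet is forwarded only if it matches an entry."""

    def __init__(self, global_ip, first_port=20000):
        self.global_ip = global_ip
        self._next_port = count(first_port)  # constructed port numbering
        self._by_session = {}  # (src_ip, src_port, dst_ip, dst_port) -> global port
        self._by_gport = {}    # global port -> (src_ip, src_port, dst_ip, dst_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside-to-outside packet, creating the xlate on first use."""
        session = (src_ip, src_port, dst_ip, dst_port)
        gport = self._by_session.get(session)
        if gport is None:
            gport = next(self._next_port)
            self._by_session[session] = gport
            self._by_gport[gport] = session
        return (self.global_ip, gport, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Untranslate a packet arriving from outside, or None if it is dropped."""
        if dst_ip != self.global_ip:
            return None
        session = self._by_gport.get(dst_port)
        if session is None:
            return None  # no xlate for this port: unsolicited inbound packet
        local_ip, local_port, peer_ip, peer_port = session
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None  # port is in use, but by a session with a different peer
        return (src_ip, src_port, local_ip, local_port)

    def xlate(self):
        """Rows in the 'local - global' form of the slide's translation table."""
        return [f"{s[0]}:{s[1]} - {self.global_ip}:{g}" for s, g in self._by_session.items()]

# Constructed sessions from the slide, translated behind 200.200.200.1.
pix = PatTable("200.200.200.1")
for flow in [("10.1.1.19", 4003, "209.30.130.12", 23),
             ("10.1.1.42", 2014, "199.1.1.30", 80),
             ("10.1.2.34", 3356, "200.1.2.3", 110)]:
    pix.outbound(*flow)

if __name__ == "__main__":
    print("\n".join(pix.xlate()))
    print(pix.inbound("209.30.130.12", 23, "200.200.200.1", 20000))  # reply to the first session
    print(pix.inbound("1.2.3.4", 5555, "200.200.200.1", 20000))      # forged reply: None
```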

9 Configuring NAT
First, we create ‘nat’ statements that define the IP addresses of hosts on the “inside” that are allowed to translate to “outside” addresses:
  nat (inside) 1 192.168.0.0 255.255.0.0 0 0
  nat (inside) 1 10.1.0.0 255.0.0.0 0 0
  nat (dmz) 1 10.1.0.0 255.0.0.0
Now, we create “external/public” address ranges/pools to which inside addresses will be translated. The “statement id” links the ‘global’ statement with a ‘nat’ statement:
  global (outside) 1 34.1.1.99-34.1.1.99 netmask 255.255.255.255
  global (outside) 1 34.1.1.20-34.1.1.98 netmask 255.255.255.0
Because the ‘global’ PAT statement has a higher IP address than the pool, it is only used once the pool is exhausted.
NOTE: Global ranges cannot include the PIX interface addresses. Unlike Cisco IOS NAT, you cannot overload on the outside interface of the PIX.
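An added Python model (not PIX code) of how the statement id ties ‘nat’ and ‘global’ together. It assumes the slide's statements with the pool shrunk to two addresses (34.1.1.20-34.1.1.21) so that pool exhaustion and the fall-back to the PAT address are visible, and it also checks the NOTE above that no global range may include a PIX interface address (assumed here to be 34.1.1.1 and 10.1.1.1).

```python
import ipaddress

def parse_nat(line):
    """'nat (inside) 1 10.1.0.0 255.0.0.0 0 0' -> (interface, id, network)."""
    p = line.split()
    return p[1].strip("()"), int(p[2]), ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)

def parse_global(line):
    """'global (outside) 1 34.1.1.20-34.1.1.98 netmask ...' -> (interface, id, first, last)."""
    p = line.split()
    lo, _, hi = p[3].partition("-")
    return p[1].strip("()"), int(p[2]), ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)

def global_conflicts(globals_, interface_addrs):
    """Interface addresses that fall inside a global range (not allowed on the PIX)."""
    addrs = map(ipaddress.ip_address, interface_addrs)
    return [str(a) for a in addrs for _, _, first, last in globals_ if first <= a <= last]

class DynamicNat:
    """nat/global linking by statement id (added example, not PIX code). Pool addresses
    go first; the single-address (PAT) global is used only once the pool is exhausted."""

    def __init__(self, nat_lines, global_lines, interface_addrs):
        self.nats = [parse_nat(l) for l in nat_lines]
        self.globals = sorted((parse_global(l) for l in global_lines), key=lambda g: g[2])
        if global_conflicts(self.globals, interface_addrs):
            raise ValueError("a global range includes a PIX interface address")
        self.free = {}      # id -> unused pool addresses (a single-address global is PAT)
        self.assigned = {}  # inside host -> its pool address, reused for later sessions
        for _, gid, first, last in self.globals:
            if first != last:
                self.free.setdefault(gid, []).extend(map(ipaddress.ip_address, range(int(first), int(last) + 1)))

    def translate(self, iface, src_ip):
        src = ipaddress.ip_address(src_ip)
        if src in self.assigned:
            return ("pool", self.assigned[src])
        ids = [gid for nif, gid, net in self.nats if nif == iface and src in net]
        if not ids:
            return None  # no nat statement matches: this host may not translate
        pool = self.free.get(ids[0], [])
        if pool:
            self.assigned[src] = str(pool.pop(0))
            return ("pool", self.assigned[src])
        pat = [str(first) for _, gid, first, last in self.globals if gid == ids[0] and first == last]
        return ("pat", pat[0]) if pat else None  # pool exhausted and no PAT global: session fails

# Constructed config: the slide's statements, with the pool shrunk to two addresses.
pix = DynamicNat(
    ["nat (inside) 1 192.168.0.0 255.255.0.0 0 0", "nat (inside) 1 10.1.0.0 255.0.0.0 0 0"],
    ["global (outside) 1 34.1.1.99-34.1.1.99 netmask 255.255.255.255",
     "global (outside) 1 34.1.1.20-34.1.1.21 netmask 255.255.255.0"], ["34.1.1.1", "10.1.1.1"])
```

Per-session PAT port selection is deliberately not modelled here; the tuple returned for the PAT case is only the shared global address.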

10 Configuring NAT
By default, the PIX Firewall prevents all outside connections from accessing inside hosts or servers. To allow inbound connections to specific IP addresses, use the ‘static’ and ‘conduit’ statements.
The ‘static’ command defines which outside addresses are statically translated to specific inside hosts:
  static (inside,outside) 34.1.1.201 10.1.1.201 netmask 255.255.255.255
  static (dmz,outside) 34.1.1.15 10.1.2.15 netmask 255.255.255.255
The ‘conduit’ statement defines the services that are allowed for the ‘static’ translation:
  conduit permit ip host 34.1.1.201 any
  conduit permit tcp host 34.1.1.15 eq smtp any
  conduit permit tcp host 34.1.1.15 eq pop3 any

11 Configuring NAT
The ‘show xlate’ command shows active translations and helps confirm that NAT is working properly:
  pix-fw# sh xlate
  PAT Global 34.1.1.99(23792) Local 10.1.14.137 flags r
  PAT Global 34.1.1.99(23776) Local 10.1.252.143 flags r
  PAT Global 34.1.1.99(23856) Local 10.1.252.105 flags r
  PAT Global 34.1.1.99(23840) Local 10.1.250.128 flags r
  PAT Global 34.1.1.99(23824) Local 10.1.251.100 flags r
  PAT Global 34.1.1.99(23808) Local 10.1.114.109 flags r
  Global 34.1.1.23 Local 192.168.88.69 nconns 0 econns 0 flags -
  Global 34.1.1.24 Local 10.1.251.131 nconns 0 econns 0 flags -
  Global 34.1.1.25 Local 10.1.14.101 nconns 0 econns 0 flags -
  Global 34.1.1.26 Local 10.1.28.101 nconns 0 econns 0 flags -
  Global 34.1.1.27 Local 10.1.250.102 nconns 0 econns 0 flags -

12 PIX Firewall Authentication/Proxy
The PIX Firewall uses a ‘cut-through’ proxy. Users authenticate once, and are then allowed through the firewall until the timeouts are reached. No proxy server information is configured on the client host (via browser or other means). The proxy service only uses an external authentication host (RADIUS or TACACS); there is no capability for ‘local’ users (as Cisco IOS has). Outbound or inbound connections (including DMZ) can be authenticated.

13 User Authentication/Proxy How It Works
1. User launches a Web browser, Telnet, or FTP to make a connection to the outside network.
2. If the PIX is configured to authenticate certain IP addresses, it intercepts the Web, Telnet, or FTP session and prompts the user for authentication. It then authenticates the user via a RADIUS or TACACS server.
4. If authentication is successful, the user can potentially communicate through the PIX Firewall without any limitations (assuming no other ACL prevents communication).
(Diagram: RADIUS or TACACS Server)

14 User Authentication/Proxy How It Works
In order to authenticate, users must first attempt to make a connection through the PIX via Telnet, FTP, or Web. The PIX intercepts the connection and displays the authentication prompt:
  >telnet 209.30.130.140
  Trying 209.30.130.140... Open
  PIX Firewall
  Username: dspesard
  Password:

  ftp> open www.cisco.com
  Connected to cio-sys.cisco.com.
  220-PIX Firewall
  220
  User (cio-sys.cisco.com:(none)): dspesard
  331-Password:
  331 Password:

15 Configuring Authentication/Proxy
First, define the radius or tacacs server that will provide user authentication information:
  radius-server (inside) host 10.1.1.201 test1234 timeout 5
Define the specific source and/or destination IP address ranges for which authentication is to occur:
  aaa authentication any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 radius
Define specific IP addresses that do not require authentication (for instance, outbound mail and DNS servers):
  aaa authentication except outbound 10.1.1.32 255.255.255.255 0.0.0.0 0.0.0.0 radius
Define timeout values. After the absolute or inactivity timer expires, users must re-authenticate:
  timeout uauth 3:00:00 absolute uauth 0:15:00 inactivity

16 Viewing Authentication/Proxy Information
To see the users that are currently authenticated, use the ‘show uauth’ command:
  pix-fw# sh uauth
              CURRENT   MAX   TOTAL
  uxlate_cnt        1     9    4000
  uauth_cnt        14   106
  user 'dspesard' at 192.168.1.138, authenticated
  user 'jsmith' at 10.1.1.45, authenticated

17 PIX Firewall Redundancy / Failover
The PIX Firewall can be configured for failover, but not for load-balancing. That is, if one PIX fails, another PIX can assume the responsibility of forwarding packets.
One of the firewalls is set up as the ‘Primary’ and the other as the ‘Secondary’. This is accomplished via a hardware serial cable that connects the two units; one end of the cable is labeled ‘Primary’ and the other end ‘Secondary’.
ALL changes to the firewall configuration should be performed on the Primary, because the configuration is replicated to the Secondary.
When two PIX Firewalls are configured for ‘failover’, one unit is ‘Active’ and the other unit is in ‘Standby’ mode (and does not forward packets).

18 PIX Firewall Failover
If two firewalls share the exact same configuration, how does IP addressing work for the interfaces? Within the configuration, a regular interface address is assigned AND a standby IP address is configured. The ‘Active’ unit uses the regularly assigned IP address, and the ‘Standby’ unit uses the IP address defined by the ‘standby’ command.
When the ‘Active’ unit fails, the ‘Standby’ unit assumes the ‘normal’ IP address (and ‘Active’ status); when the failed unit becomes available again, it assumes ‘Standby’ status and the standby IP addresses.
The units monitor each other via the ‘failover’ cable and via the LAN ports on the units. If any failure is detected on the ‘Active’ unit (power supply, NIC, etc.), the standby unit becomes ‘Active’. A PIX Firewall is deemed to have failed when three keepalives are not received.

19 PIX Firewall Failover Design
Normal Scenario: Both PIX Firewalls UP. Traffic flows through the Active unit; the Standby unit monitors the Active unit but doesn’t forward packets.

20 PIX Firewall Failover Design
Failed Scenario: ‘Active’ Unit Failed. The ‘Standby’ unit becomes ‘Active’ and traffic begins to flow through it.

21 Configuring Failover
Enable failover capability by issuing the following command:
  failover
Establish the amount of time after a failure during which the newly ‘active’ unit allows all traffic to pass in order to build its translation table:
  failover timeout 0:00:00
Configure failover IP addresses for each interface:
  failover ip address outside 34.1.1.2
  failover ip address inside 10.1.1.2
  failover ip address DMZ 10.1.2.2

22 Viewing Failover Information
Use the ‘show fail’ command to view failover information. Note that the Primary is active in the following example:
  pix-fw# show fail
  Failover On
  Cable status: Normal
  Reconnect timeout 0:00:00
          This host: Primary - Active
                  Active time: 248355 (sec)
                  Interface DMZ (10.1.2.1): Normal
                  Interface outside (34.1.1.1): Normal
                  Interface inside (10.1.1.1): Normal
          Other host: Secondary - Standby
                  Active time: 0 (sec)
                  Interface DMZ (10.1.2.2): Normal
                  Interface outside (34.1.1.2): Normal
                  Interface inside (10.1.1.2): Normal

23 Viewing Failover Information
Use the ‘show fail’ command to view failover information. The Secondary has become active in the following example; note that the ‘Active’ unit always has the same IP addresses:
  pix-fw# show fail
  Failover On
  Cable status: Normal
  Reconnect timeout 0:00:00
          This host: Secondary - Active
                  Active time: 248355 (sec)
                  Interface DMZ (10.1.2.1): Normal
                  Interface outside (34.1.1.1): Normal
                  Interface inside (10.1.1.1): Normal
          Other host: Primary - Standby
                  Active time: 0 (sec)
                  Interface DMZ (10.1.2.2): Normal
                  Interface outside (34.1.1.2): Normal
                  Interface inside (10.1.1.2): Normal

24 Outbound/Inbound Access Lists
Inbound and outbound access lists can be used to allow certain hosts to have access through the firewall for specific services. In addition to NAT and CONDUIT statements, access lists offer the flexibility to configure the firewall to match the desired security policy.
  outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp
  outbound 1 deny 0.0.0.0 0.0.0.0 0 udp
  outbound 1 permit 10.1.8.2 255.255.255.255 0 tcp
  outbound 1 deny 0.0.0.0 0.0.0.0 0 esp
  outbound 1 permit 10.0.0.0 255.0.0.0 110 tcp
  outbound 1 permit 10.0.0.0 255.0.0.0 25 tcp
  apply (inside) 1 outgoing_src

25 Example Configuration
  PIX Version 4.2(2)201 Beta
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 DMZ security50
  enable password Bpbmt9ggUUsdgS3m encrypted
  passwd jNIlGQCinDgAduNQ encrypted
  hostname pix-fw
  fixup protocol ftp 21
  fixup protocol http 80
  fixup protocol smtp 25
  fixup protocol h323 1720
  fixup protocol rsh 514
  fixup protocol sqlnet 1521
  failover
  failover timeout 0:00:00
  failover ip address outside 34.1.1.2
  failover ip address inside 10.1.1.2
  failover ip address DMZ 10.1.2.2
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto
  ip address outside 34.1.1.1 255.255.255.0
  ip address inside 10.1.1.1 255.255.255.0
  ip address DMZ 10.1.2.1 255.255.255.0
  arp timeout 14400
  global (outside) 1 34.1.1.20-34.1.1.98 netmask 255.255.255.0
  global (outside) 1 34.1.1.99-34.1.1.99 netmask 255.255.255.255
  nat (inside) 1 192.168.0.0 255.255.0.0 0 0
  nat (inside) 1 10.1.0.0 255.255.0.0 0 0
  …continued

26 Example Configuration (continued)
  static (inside,outside) 34.1.1.202 10.1.1.202 netmask 255.255.255.255 0 0
  static (dmz,outside) 34.1.1.200 10.1.2.200 netmask 255.255.255.255 0 0
  conduit permit tcp host 34.1.1.202 eq smtp any
  conduit permit tcp host 34.1.1.202 eq pop3 any
  conduit permit icmp any any
  conduit permit tcp host 34.1.2.200 eq www any
  no rip outside passive
  no rip outside default
  no rip inside passive
  no rip inside default
  no rip DMZ passive
  no rip DMZ default
  route outside 0.0.0.0 0.0.0.0 34.1.1.5 1
  timeout xlate 3:00:00 conn 1:00:00 udp 0:02:00
  timeout rpc 0:10:00 h323 0:05:00
  timeout uauth 3:00:00 absolute uauth 0:15:00 inactivity
  radius-server (inside) host 10.1.1.205 test1234 timeout 5
  aaa authentication except outbound 10.1.1.0 255.255.255.0 0.0.0.0 0.0.0.0 radius
  aaa authentication any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 radius
  telnet 10.0.0.0 255.0.0.0
  telnet timeout 5
  mtu outside 1500
  mtu inside 1500
  mtu DMZ 1500
  floodguard 3
  fragguard
  no tcpchecksum
  auth-prompt PIX Firewall
  Cryptochecksum:72641c500bbb1cd6b804758765c27614
  : end
