PIX Firewall Configuration Basics

Adaptive Security Algorithm

The Adaptive Security Algorithm (ASA) uses a “stateful” approach to connection security. ASA checks each inbound packet against connection state information stored in memory.

The ASA follows a set of rules:

No packets can cross the firewall without a connection and state, and the connection and state must be recorded in the ASA table.

Outbound connections (connections from a higher security to a lower security interface) are allowed, except those specifically denied using outbound lists.

Inbound connections (connections from a lower security to a higher security interface) are denied, except those specifically allowed using conduits.

Any packet attempting to bypass the previous rules is dropped and logged to Syslog.

All ICMP packets are denied unless specifically permitted using the conduit permit icmp command.

PIX Firewall Configuration Basics

Anyone familiar with configuring Cisco routers using Cisco’s IOS will be at home when configuring a PIX Firewall. The command-line interface (CLI) is similar for the two products, but as mentioned earlier, it is not exactly the same. There are a number of differences, such as the ability to enter any command while in configuration mode on the PIX Firewall. Here, you’ll start your configuration by first changing from user to enable mode, then to configuration mode:

toddfw>enable

toddfw#config t

toddfw(config)#^Z

toddfw#disable

toddfw>

First, you enter privileged mode using the enable command, and then you enter configuration mode using the config t command. Notice how the prompt changes, just as during router configuration. Then you enter ^Z (Ctrl-Z) to go back to privileged mode, after which you enter the disable command to go back to user mode (called unprivileged mode). Now, you need to set an enable password:

toddfw>enable

toddfw#config t

toddfw(config)#enable password todd

toddfw(config)#^Z

toddfw#show password

Notice that you set the password from privileged mode. Also, when you enter the show passwd command, the password is shown encrypted.

328 Appendix A Introduction to the PIX Firewall

Configuring Interfaces

Now, let’s configure some interfaces! You need to assign duplex settings, interface names, and IP addresses. Take a look at a simple firewall:

This PIX Firewall has two interfaces: one internal and one external. The internal interface is meant to have IP address 172.16.10.1, and the external interface is to have the IP address 192.168.30.1. Here is how you configure these interfaces:

toddfw#config t

toddfw(config)#nameif ethernet0 inside sec100 toddfw(config)#nameif ethernet1 outside sec0 toddfw(config)#interface ethernet0 auto toddfw(config)#interface ethernet1 auto

toddfw(config)#ip address inside 172.16.10.1 255.255.255.0 toddfw(config)#ip address outside 192.168.30.1 255.255.255.0 toddfw(config)#^Z

toddfw#

In this example, you use three commands to configure these interfaces: the nameif command, the interface command, and the ip address command. Let’s take a closer look at the arguments for each of these commands and how these arguments are used.

The nameif Command

The nameif command is used to give the interface a name and specify its security level. It has the following syntax:

nameif hardware_id if_name security_level

The interface name is then used throughout the configuration whenever referencing that interface.

The security_level parameter specifies the security level of the interface on a scale of 0 to 100. You use 0 for the outside network and 100 for the inside network. DMZ or perimeter networks have some number between 1 and 99. You’ll learn more about security levels in the “Configuring Access through the PIX Firewall” section later in this appendix.

The interface Command

The interface command is used to specify the speed on the interface and can be used to enable or disable the interface. It has the following syntax:

interface hardware_id hardware_speed

In the previous example, you set each Ethernet interface to auto. You can set the interface to 10-megabit half duplex using the following command:

toddfw(config)#interface ethernet0 10baset

Or you can set the interface to 100-megabit full duplex using this command:

toddfw(config)#interface ethernet0 100full

The ip address Command

The ip address command, as you might expect, is used to assign an IP address to the interface. Here is its syntax:

ip address if_name ip_address [netmask]

Unlike with a router, where you use an interface-configuration mode to set the IP address on an interface, for the PIX Firewall, you specify the name you gave that interface using the name-if command. Other than this difference, the command is similar to the router command and is straightforward.

Default Gateway Assignment

One last thing you need to do is to assign a default gateway using the route command (mentioned in the “Static Route” section earlier in this appendix). Here is how you set the default gateway:

toddfw(config)#route outside 0.0.0.0 0.0.0.0 192.168.30.2

toddfw(config)#^Z

toddfw#

Testing the Configuration with Ping and ARP

Now that you have the IP addresses configured, you can do a bit of testing. Let’s start with a ping:

toddfw#ping inside 172.16.10.45

172.16.10.45 response received -- Oms 172.16.10.45 response received -- Oms 172.16.10.45 response received -- Oms toddfw#

Note that you specify the name of the interface closest to the ping target. The ping command makes three attempts to reach the specified IP address.

If you want to ping through a PIX Firewall, you must create an ICMP conduit, covered in the “Configuring Inbound Access” section later in this appendix.