330 Appendix A Introduction to the PIX Firewall

Finally, let’s check the contents of the ARP cache to make sure that the MAC address for the host you pinged in the preceding example is present:

toddfw#show arp

inside 172.16.10.45 00d0.b78f.3553

toddfw#

Saving Your Configuration

Those of you who remember the old router commands for saving and displaying the configuration files will find this refreshing. To save the current firewall configuration to flash memory, do the following:

toddfw#write memory

Building configuration…

[OK]

toddfw#

You can also save the configuration to a floppy disk or to a TFTP (Trivial File Transfer Protocol) server on the network.

To erase the configuration stored in flash memory, you can use this command:

toddfw#write erase

Erase PIX configuration in Flash Memory? [confirm] y

toddfw#

And finally, to show the current running configuration, use this command:

toddfw#write terminal

Building configuration…

…

If you remember these commands from the old IOS days, great! You are so old that you probably drive 10 miles per hour under the speed limit in the left lane, with your turn signal on! If you know the new router commands such as show running-config and copy running-config startup-config, well, once upon a time, this is how we used to do it.

Configuring Access through the PIX Firewall

Now that you’ve mastered the basics of firewall configuration, named and addressed the interfaces, and saved your configuration, the next task at hand is to configure access through the PIX

Firewall. As mentioned earlier, when interfaces are defined, they are given a security level number between 0 and 100. 0 is used for the outside interface, and 100 is used for the inside interface. Perimeter or DMZ interfaces are assigned numbers between 1 and 99.

As traffic goes between interfaces, it is placed into one of two categories: outbound or inbound. Which category it falls into depends on the security levels of the interfaces it is traversing:

Outbound connections are for higher security to lower security interfaces.

Inbound connections are for lower security to higher security interfaces.

The PIX Firewall uses different methods for passing traffic in each of these categories. Let’s look at each category and talk about how to allow traffic in that direction.

Configuring Outbound Access

You may recall from the introduction of the ASA earlier in this appendix that outbound connections are allowed unless specifically prohibited. However, you need to do a bit of configuration to start traffic flowing in outbound situations. In most instances, you use the nat and global commands to accomplish this.

The PIX Firewall anticipates that you are using Network Address Translation (NAT). Although it is possible to run the firewall without using NAT, Cisco strongly recommends against it. Use NAT on the firewall if at all possible.

To configure outbound access using the nat and global commands, you must first start with a diagram of your PIX Firewall, showing all interfaces and their associated names and security levels. Consider the diagram shown here:

Here is a summary of the configuration of this PIX Firewall:

Now you must decide where you will have outbound access. Remember that outbound access is where traffic originates on an interface with a higher security level destined for an interface with a lower security level. This occurs in only the following situations:

Inside to outside

332 Appendix A Introduction to the PIX Firewall

There will never be outbound traffic originating on the outside interface because its security level is 0. Traffic from the outbound interface can never go to another interface with a lower security level!

The nat Command

You use the nat command to specify each higher security level interface you want to be able to access lower security level interfaces. Here is your configuration:

toddfw#config t

toddfw(config)#nat (inside) 1 0 0

toddfw(config)#nat (perimeter) 1 0 0

toddfw(config)#^Z

toddfw#

Notice that, once again, you did not specify the outside interface, because outbound connections cannot originate there. Each nat command allows users of the specified interface (in parentheses) to access lower security interfaces. So, in this example, the first nat command allows users on the inside interface to access both the perimeter and outside interfaces. The second nat command allows users on the perimeter interface to access the outside interface (the only other interface with a lower security level).

The global Command

Now you need to configure the lower-level interfaces with the global command to finalize the outbound traffic configuration. Here is the configuration:

toddfw#config t

toddfw(config)#global (outside) 1 192.168.30.2 netmask 255.255.255.0

toddfw(config)#global (perimeter) 1 192.168.40.10-192.168.40.100

netmask 255.255.255.0

toddfw(config)#^Z

toddfw#

In this configuration, you’ve done two different things. First, you’re assuming that the outbound interface IP address is a registered Internet address and that you do not have an unlimited number of registered Internet addresses to use for NAT. Therefore, in the preceding configuration of the external or outbound interface, you’re using Port Address Translation (PAT). With PAT, each outbound client connection can use a separate port on the single translated address, allowing you to service more than 64,000 connections from a single IP address!

On the perimeter interface (where you’re translating and have essentially unlimited address space), you have specified a range of addresses to be used in translation when this interface is accessed from other interfaces (in this outbound case, from the inside interface). The “Outbound Access Control” section later in this appendix discusses limiting outbound user access using access control lists (ACLs).

Configuring Inbound Access

Great! With the outbound connections configured, you’re halfway done. Recall that inbound connections are denied unless specifically allowed. This is the opposite of outbound behavior. You need to do a bit of configuration to allow any inbound connections. You use the static and conduit commands to accomplish this.

As with outbound access, let’s begin with a diagram. Consider the network shown here:

Web server

With many configuration tasks, using a network diagram can help prevent configuration errors. It’s always easier to start with a diagram of the PIX Firewall showing all the interfaces, their names, and their security levels. Put this information in a table and then decide where inbound and outbound access must be configured.

This example uses the same configuration as the diagram for outbound access, with the addition of a web server in the DMZ at IP address 192.168.40.2. You want to allow external users to access this server through the outbound interface. Here is the configuration you must add:

toddfw#config t

toddfw(config)#static (perimeter, outside) 192.168.30.5 192.168.40.2 netmask

255.255.255.255

toddfw(config)#conduit permit host 192.168.30.5 eq www any toddfw(config)#^Z

toddfw#

You may need to do a clear xlate before configuring inbound access—to ensure that the translation entry isn’t already taken dynamically—so that you can do the static translation.

Let’s take a closer look at the static and conduit commands, as well as another command you can add for protocol control: fixup protocol.

334 Appendix A Introduction to the PIX Firewall

The static Command

In the preceding example, the static command statically translates the outside address 192

.168.30.5 to the perimeter address 192.168.40.2. You then register the address 192.168.30.5 in your external DNS server as the IP address of your web server to be accessed from the Internet (not the actual server at 192.168.40.2).

The static command specifies the involved interfaces and addresses using the following formula:

static (inside, outside) outside_addr inside_addr

Remember this formula! Everyone all together: inside, outside, outside, inside. Inside, outside, outside, inside. Again? Inside, outside, outside, inside. Good! If you follow this formula, you can’t go wrong with the static commands on the exam. (But be aware that this static functionality changes with NAT disabled!)

The conduit Command

The conduit command in the preceding example looks similar to the access-list syntax from the IOS; however, the two are not interchangeable. This conduit command permits any host to access the static address 192.168.30.5 on the www port.

The conduit commands can become more complex as you add interfaces. Additionally, some services require multiple conduit statements, including the following services:

The fixup protocol Command

Do you know every potential security hole on every service you must allow through the firewall? I certainly don’t! The PIX Firewall allows you to use the fixup protocol command to further control Application-layer protocols.

For example, suppose that you want to add a mail server to your network diagram at 192.168.40.6, but you also want to use the PIX Mail Guard feature with this server. The Mail Guard feature allows only certain SMTP commands to be sent to the mail server. Here is the configuration:

toddfw#config t