
How to Configure Cisco PIX Firewall Part II


Please find below a step-by-step process to configure the PIX Firewall from scratch. The scenario is a corporate network with a PIX Firewall connected to the Internet through the Outside interface, to the internal network through the Inside interface, and to the DMZ through the DMZ interface. This paper walks you through a simple, step-by-step, near-complete configuration for a PIX Firewall serving a mid-sized corporate network.

This is Part II of How to Configure PIX Firewall, a step-by-step approach, and continues from Part I of the series.

The Simple Network Diagram: (figure "A Simple Network Diagram", not reproduced here; it shows the PIX with its Outside, Inside and DMZ interfaces as described above)





Network Address Translation:

Let us take a simple scenario to explain this section. Say that all the computers on the inside network want Internet access. NAT also keeps your internal addresses hidden from the outside network. To achieve this you need to implement address translation, which you do with the "nat" and "global" commands.

The NAT command:

Pixfirewall (config) # nat (inside) 1 0.0.0.0 0.0.0.0

The command shown, nat (inside) 1 0.0.0.0 0.0.0.0, allows every host behind the inside interface to start outbound connections through the PIX Firewall (with address translation). To limit this to one network you would write nat (inside) 1 10.1.1.0 255.255.255.0, which means that only outbound connections from a host within the specified network, 10.1.1.0, can pass through the PIX Firewall. The "1" is the NAT id that ties this command to a matching global command.

Global command:

Pixfirewall (config) #global (outside) 1 192.168.1.10-192.168.1.50

This tells the PIX to use the addresses 192.168.1.10 through 192.168.1.50 when translating traffic coming from the inside interface (the global id 1 matches the nat id above).

There is also another simple way of allowing Internet/outside access for the inside network: PAT, or port address translation. This hides all the internal networks behind the outside interface address of the PIX Firewall and tells connections apart by port number. One limitation of this approach is that a single address supports fewer than 64,000 simultaneous client translations at a time, but in most cases this is more than enough.

PAT using Global:

Pixfirewall (config) # global (outside) 1 interface

Now, let us configure the two servers on the DMZ network, the web server and the mail server. The wish list is to allow traffic from anywhere to reach the web server on http, https and ftp, and traffic from anywhere to reach the mail server on the smtp port.

To do this we need to setup statics and access-lists.

Setting up Statics:

Pixfirewall (config) # static (dmz,outside) 192.168.1.2 172.16.16.2 netmask 255.255.255.255 0 0

Pixfirewall (config) # static (dmz,outside) 192.168.1.4 172.16.16.4 netmask 255.255.255.255 0 0

(The syntax is static (real_interface,mapped_interface) mapped_address real_address: the web server 172.16.16.2 on the DMZ is reachable from outside as 192.168.1.2, and the mail server 172.16.16.4 as 192.168.1.4.)

Having configured the statics, let us now move on to the object-groups that will be used in the access-list.

Configuring object-groups:

Pixfirewall (config) #object-group service webservices tcp
Pixfirewall (config-service) # port-object eq http
Pixfirewall (config-service) # port-object eq https
Pixfirewall (config-service) # port-object eq ftp
Pixfirewall (config-service) # exit

Pixfirewall (config) #

Now let us configure the access-lists that allow access to the DMZ network from outside and also between the other interfaces:

Configuring Access-list:

Pixfirewall (config) # access-list external permit tcp any host 192.168.1.2 object-group webservices

Pixfirewall (config) # access-list external permit tcp any host 192.168.1.4 eq smtp

Pixfirewall (config) #access-list external deny ip any any

(This is an any-any drop rule. Place it at the end of the access-list. It blocks any traffic into the firewall that is not explicitly allowed by the entries above it, and because it is an explicit entry you can read its hit count to see how much unwanted traffic is arriving from outside, which is useful for troubleshooting and analysis.)

Pixfirewall (config) # access-list internal permit ip 10.1.1.0 255.255.255.0 172.16.16.0 255.255.255.0

Pixfirewall (config) # access-list internal permit ip 10.1.1.0 255.255.255.0 any

Pixfirewall (config) # access-list internal deny ip any any

(The internal list is applied inbound on the inside interface, so its source is the inside network 10.1.1.0/24, not the DMZ. Binding a list that ends in deny ip any any to the inside interface replaces the PIX's default behaviour of permitting traffic from a higher to a lower security interface, so the permit to any is needed to keep the Internet access set up with nat and global above.)

Pixfirewall (config) # access-list dmz permit ip 172.16.16.0 255.255.255.0 10.1.1.0 255.255.255.0

Pixfirewall (config) # access-list dmz deny ip any any

(The dmz list is applied inbound on the DMZ interface, so its source is the DMZ network. As written it lets every DMZ host reach every inside host; in a real deployment restrict it to the inside servers and ports the web and mail servers actually need, so that a compromised DMZ server cannot reach the internal network freely, and add a permit for any outbound traffic the DMZ servers themselves need, such as the mail server delivering outbound mail, before the final deny.)

Now map these access-lists to access-groups for these access-lists to work properly:

Configuring Access Groups:

Pixfirewall (config) # access-group external in interface outside
Pixfirewall (config) # access-group internal in interface inside
Pixfirewall (config) # access-group dmz in interface dmz

(access-group takes the interface name assigned with nameif, not the physical interface, so the DMZ list is bound to "dmz" rather than "ethernet2".)

With this we have configured the PIX firewall for a normal office setup.
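To check what the commands above actually do before trusting them on a live firewall, the following is an added example (not code from the article or from Cisco): a small Python model of the PIX 6.3 processing order, which matches an interface access-list on the pre-translation addresses, then applies statics or a nat/global pair, and refuses lower-to-higher security traffic that has no access-list. The security levels, the interface addresses used for PAT (192.168.1.1 and 172.16.16.1), the routes and the sample hosts (203.0.113.10, 10.1.1.5) are assumptions. The embedded policy is the article's, with the inside access-list written with the inside network as its source and a permit to any so that the PAT'd Internet access still works; a global address range is simplified to its first address, and no connection state is kept.

```python
import ipaddress
# Assumed (not from the article): security levels, interface addresses and routes.
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}
IFC_IP = {"outside": "192.168.1.1", "dmz": "172.16.16.1"}
ROUTES = {"10.1.1.0/24": "inside", "172.16.16.0/24": "dmz"}   # everything else -> outside
PORTS = {"http": 80, "https": 443, "ftp": 21, "smtp": 25}
_port = lambda s: PORTS.get(s) or int(s)                      # service name or number -> int
_pat_ports = iter(range(1024, 65536))                         # PAT hands out < 64k ports per address

# The article's commands (PIX 6.3 syntax); the inside list has the inside network as source plus a permit to 'any'.
ARTICLE_CONFIG = """
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (dmz,outside) 192.168.1.2 172.16.16.2 netmask 255.255.255.255 0 0
static (dmz,outside) 192.168.1.4 172.16.16.4 netmask 255.255.255.255 0 0
object-group service webservices tcp
port-object eq http
port-object eq https
port-object eq ftp
access-list external permit tcp any host 192.168.1.2 object-group webservices
access-list external permit tcp any host 192.168.1.4 eq smtp
access-list external deny ip any any
access-list internal permit ip 10.1.1.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list internal permit ip 10.1.1.0 255.255.255.0 any
access-list internal deny ip any any
access-group external in interface outside
access-group internal in interface inside
"""

def _addr(t, i):   # parse 'any', 'host X' or 'X MASK' at t[i]; return (network, next index)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_policy(config):
    pol = {"nat": {}, "global": {}, "static": [], "acl": {}, "group": {}, "ogroup": {}}
    cur = None
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "object-group":            # object-group service NAME tcp
            cur = pol["ogroup"].setdefault(t[2], [])
        elif t[0] == "port-object":           # port-object eq PORT
            cur.append(_port(t[2]))
        elif t[0] == "nat":                   # nat (ifc) ID NET MASK
            pol["nat"][t[1].strip("()")] = (t[2], ipaddress.ip_network(f"{t[3]}/{t[4]}"))
        elif t[0] == "global":                # global (ifc) ID interface|FIRST-LAST
            pol["global"][t[1].strip("()")] = (t[2], t[3])
        elif t[0] == "static":                # static (real_ifc,mapped_ifc) MAPPED REAL ...
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            pol["static"].append((real_ifc, mapped_ifc, t[2], t[3]))
        elif t[0] == "access-list":           # access-list NAME ACTION PROTO SRC DST [eq P|object-group G]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            ports = None                      # any destination port
            if i < len(t):
                ports = pol["ogroup"][t[i + 1]] if t[i] == "object-group" else [_port(t[i + 1])]
            pol["acl"].setdefault(t[1], []).append((t[2], t[3], src, dst, ports))
        elif t[0] == "access-group":          # access-group NAME in interface IFC
            pol["group"][t[4]] = t[1]
    return pol

def _acl(pol, ifc, src, dst, proto, dport):
    """True/False from the list bound to ifc (matched on pre-translation addresses); None if none bound."""
    if ifc not in pol["group"]:
        return None
    for action, p, s, d, ports in pol["acl"][pol["group"][ifc]]:
        if p in ("ip", proto) and src in s and dst in d and (ports is None or dport in ports):
            return action == "permit"
    return False                              # implicit deny at the end of every access-list

def _translate(pol, ifc, src, dst, sport):
    """Apply static or nat+global rules; return (src, sport, dst, out_ifc), or None if nothing matches."""
    for real_ifc, mapped_ifc, mapped, real in pol["static"]:
        if ifc == mapped_ifc and str(dst) == mapped:          # inbound to a mapped address
            return src, sport, ipaddress.ip_address(real), real_ifc
    out = next((i for n, i in ROUTES.items() if dst in ipaddress.ip_network(n)), "outside")
    for real_ifc, mapped_ifc, mapped, real in pol["static"]:
        if ifc == real_ifc and out == mapped_ifc and str(src) == real:   # statics work both ways
            return ipaddress.ip_address(mapped), sport, dst, out
    nat, glob = pol["nat"].get(ifc), pol["global"].get(out)
    if nat and glob and nat[0] == glob[0] and src in nat[1]:  # the nat id needs a global on egress
        if glob[1] == "interface":                            # PAT behind the egress interface IP
            port = next(_pat_ports, None)
            return None if port is None else (ipaddress.ip_address(IFC_IP[out]), port, dst, out)
        return ipaddress.ip_address(glob[1].split("-")[0]), sport, dst, out   # pool: first address
    return None

def evaluate(pol, ifc, src, dst, proto="tcp", dport=80, sport=40000):
    """Verdict for a new connection arriving on ifc, in the order a PIX 6.3 applies the checks."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = _acl(pol, ifc, src, dst, proto, dport)
    if acl is False:
        return "denied by access-list"
    xl = _translate(pol, ifc, src, dst, sport)
    if xl is None:
        return "dropped: no translation group found"
    nsrc, nsport, ndst, out = xl
    if acl is None and SECURITY[ifc] <= SECURITY[out]:
        return "denied: lower to higher security without an access-list"
    return f"permit via {out}: {nsrc}:{nsport} -> {ndst}:{dport}"
```

With pol = parse_policy(ARTICLE_CONFIG), evaluate(pol, "outside", "203.0.113.10", "192.168.1.2", dport=443) reports the connection permitted and untranslated to 172.16.16.2 on the DMZ, the same request to port 25 is denied by the external list, and evaluate(pol, "inside", "10.1.1.5", "203.0.113.10", dport=443) leaves as 192.168.1.1 with a PAT port. The model also shows one thing the article does not say: on a PIX 6.3 every flow through the box needs a translation, so inside-to-DMZ traffic with only nat (inside) 1 and global (outside) 1 is dropped with "no translation group found" until a matching global (dmz) 1 interface (or a static between inside and dmz) is added.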

The following commands are useful for checking the configuration of the PIX firewall and for troubleshooting, analysis and fine tuning.

Useful Commands:

show config

show blocks

show checksum

show conn

show cpu usage

show history

show memory

show processes

show routing

show running-config

show startup-config

show tech-support

show tcpstat

show traffic

show uauth/clear uauth

show version

show xlate/clear xlate

Note: There is a lot more that you can do with the PIX firewall. This document is just a simple guide for an easy setup and covers the most popular setups. If you need any further information, please refer to the Cisco website at http://www.cisco.com

Further reference:

You can also refer to the Getting Started document for more detailed information from the Cisco Website:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html

Cisco PIX Firewall Command Reference, version 6.3

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a008017284e.html

A Final Note:

Feel free to ask questions and if it is in my ability I will answer it. If you like this article, then do leave your suggestions and feedback.



If you find any typos or errors in this document, do bring it to the author’s attention through the COMMENT column. It will be in the best interest of the readers of this document.

Thank you for your time.

Excellent !

Don't stop writing like that. Do you have the same article for routers and switches and other firewall concepts? Let your fans know. Great job.

THANKS!

Excellent article! Really appreciate you taking the time to write it. Contains a wealth of information that I'm currently in need of in such an easily digestible writing style.

Good article

Thank you for posting such an excellent and simple to read document/article. These are the kinds of things which are hard to understand for so many people. But you presented the topic in an easy to understand format.

Good deal
Praveen Jhurani

internet access from inside

hi,

I am trying to set up this PIX; it is a very simple config but I can't access the Internet from inside. Can you see and help?

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd ai5xyBqhN9xv5MUp encrypted
hostname ikpix
domain-name inventknowledge.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 93.97.178.108 255.255.248.0
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 93.97.178.108 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username amad password heR8A4sahZ8qD6Ks encrypted privilege 15
terminal width 80

Internet access from Inside

I hope you changed your passwords since you provided the hashes to everyone on the Internet.

Your problem need not be

Your problem need not necessarily be the PIX device. Check your default gateway on your internal machine, and see if traffic is reaching the PIX when you try to access the Internet. You can do show logging on the PIX to see if the PIX is receiving traffic from your local network. If it does, then the logging might tell you why it is getting dropped. If it still doesn't work, please paste the output of show logging here; it might assist in troubleshooting.
You haven't configured any access-lists, so it might be a good idea to also configure a couple of access-lists. Remember to tie the access-lists to your access-groups.

Thanks for this article

Hi,
Thanks so much for this article; it's so helpful. I am configuring a PIX for the first time and am still having some difficulties getting it to work well. Though I have had some success, I still can't get this to work as I want it to. Please can you help me with this? Send your reply to me at vwarhe@gmail.com.

I'm trying to configure a Cisco PIX for my office network. I have these interfaces open: inside security 100, outside security 1, dmz4 security 80 and dmz3 security 60. On the inside network I have my MAIL, AAA and DNS servers and staff computers. On dmz4 I have a WEB server and a Barracuda machine. On my dmz3 I have my dial-up clients, and on dmz2 I have my wireless users. The IP addresses are as follows:

Inside interface = 172.17.0.1
dmz4 interface = 172.17.1.1
dmz 3 interface = 172.17.2.1
dmz2 interface = 172.17.3.1
Outside interface = 80.88.132.145
Mail server = 10.0.0.2
AAA server = 10.0.0.3
DNS server = 10.0.0.1
Users computers = 10.0.0.**
Web servers = 172.17.1.2
Barracuda machine = 172.17.1.3
Dial-up = 172.17.2.**

I want the Web server and the Barracuda on the dmz4 interface to be able to access the Mail server on the inside; wireless users on dmz2 and dial-up users on dmz3 should be able to connect to the Mail server, AAA server and Web server. Also, I want users and the mail server on the inside interface to be able to access the Web server and the Barracuda and also go outside.

I also want to configure a VPN so staff can connect to the network from outside and get their mail from the mail server.

Can you please help me with the right commands and the steps to take to do this? If you can write the config for me I will appreciate it very much.

Thanks.
