 Post subject: Cisco PIX - Basic PIX configuration
PostPosted: Mon Sep 11, 2006 11:24 pm
  

Site Admin

Joined: Sat Feb 11, 2006 10:44 pm
Posts: 6601
Location: UK :-)
2: Basic PIX configuration

There are only 6 steps that need to be taken to enable the PIX to send packets to the outside world, known by some as the PIX SIX. They are:

Hostname
Interface
Nat-Control
Nat
Global
Route


Hostname:

This assigns a host name to the PIX and should be called something that is meaningful for that particular PIX. The prompt will change to what you call the PIX when you set this and is set in the configuration mode with the command ‘hostname <name>’, like so:

Code:
pixfirewall>en
password:
pixfirewall#conf t
pixfirewall(config)# hostname London
London(config)#


Notice ‘pixfirewall’ now becomes ‘London’. Usually the firewall may be named after its geographic location, the service/project it is protecting, etc. I look at it in such a way that if you have 3 different telnet sessions open to three different PIXes you will always know exactly what you are configuring.

The hostname can be up to 63 alphanumeric characters in either uppercase or lowercase and defaults to ‘pixfirewall’ out of the box or when the ‘wr erase’ command is used followed by a reload.

Interface:

The interface command differs per PIX operating system: in version 7 it acts much like a Cisco router and drops you into the ‘config-if’ sub-context. On version 6.3 and earlier the prompt will not change and the command should be issued all on one line. For this paper we are using version 7.

The Interface or ‘int’ for short is the configuration command we use to allow us to alter the configuration of the PIX interfaces. We can assign it an IP address, subnet mask etc from this sub context.

Code:
London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)#


Notice with version 7 the prompt now changes to ‘config-if’ to let us know we are configuring an InterFace.

We can now configure the interface with a name, IP address, speed settings and duplex settings amongst others.

Code:
London (config-if)# nameif outside


Although it is already named outside by default, the above example is to show the relevant command. ‘nameif’, as is fairly obvious, is used to assign a name to the interface.

Next we need to assign an IP address and subnet mask:

Code:
London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address 80.80.80.80 255.255.0.0


If you make a mistake whilst entering this command, simply re-enter the correct information. The ‘clear configure ip’ command will clear ALL interfaces’ IP addresses to no IP address.

Interfaces can also be configured to pick up a DHCP-assigned IP address, by using the ‘dhcp’ command.

Code:
London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address dhcp


The PIX will now pick up a DHCP IP address on the OUTSIDE interface.

There are various DHCP commands we can use to view information about the DHCP IP address, such as the lease time etc.

Code:
London# sh ip address outside dhcp lease


And

Code:
London# sh ip address outside dhcp server


The above will both provide you with information about the DHCP server and details about the IP address that the interface has been assigned.

To stop the interface from getting a DHCP IP address we use the ‘no’ command before the dhcp command. So:

Code:
London (config-if)# no ip address dhcp


*Most of the commands you issue via the CLI can be disabled by re-entering them with the word ‘no’ in front of them.*

Next we need to assign a security level to the interfaces (the INSIDE and OUTSIDE interfaces have a precompiled security level, but for this example we will set them anyway).
A security level can be between 0 and 100, with 100 being the highest and most trusted. See part one if you want to read more about security levels.

To set it we use the ‘security-level’ command:


Code:
London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address 80.80.80.80 255.255.0.0
London (config-if)# security-level 0


By default interfaces with the same security level cannot communicate; to enable it use the ‘same-security-traffic’ command. This may be handy when you have a DMZ and you want it to be able to communicate with the INSIDE network without NAT being performed.

Code:
London (config)# same-security-traffic permit inter-interface


Next we need to tell the interface what speed and duplex settings we want it to operate at. By default all interfaces are set to automatic detection and will try to detect the best speed and duplex settings to work at. However sometimes you may need to configure them manually.

The speeds for an Ethernet cable you can choose from are 10, 100, auto or nonegotiate.

10 = 10BASE-T
100 = 100BASE-T
Auto = automatically sets the speed
Nonegotiate = for small form factor pluggable media types (SFP) and sets the speed to 1000Mbps.

Code:
London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address 80.80.80.80 255.255.0.0
London (config-if)# security-level 0
London (config-if)# speed 100
London (config-if)# duplex full



Network Address Translation (NAT)

As this paper is about configuring a PIX and not explaining how network protocols work I will very briefly explain about NAT.

Network Address Translation enables you to prevent external hosts from learning your internal IP addresses. It accomplishes this by translating an internal IP address, which is not routable over the internet, into a globally unique IP address, which is routable over the internet. If you assigned your PC an IP address of 192.168.2.2 and tried to put it directly on the internet you would be able neither to receive nor to send traffic, as the first router would drop your packets as soon as it saw your IP address.

This poses a problem for anyone with more than one computer behind a single connection, as if the above is true we would need an external IP address for every single computer on our network – which is obviously not possible as all the valid IP addresses would be used up very quickly.

Enter NAT.

Providing certain criteria are met the PIX will translate internal addresses to an external address as per your configuration. To anyone looking from the internet it will look like you have an external IP assigned to you and in most cases will never find out your internal address.

When an outbound IP packet sent from a device on the INSIDE network reaches your PIX, which has NAT configured, the source address is extracted and then compared with a table of existing translations. If the source address is not already in this table, it is translated to an address taken from our external pool of addresses, called a Global Pool. The table is then updated and the packet is forwarded on with our new external IP address in the source address part of the frame’s header.

This entry will stay in the translation table for three hours by default (this can be changed manually); if no activity is detected for this translation after the three hours it is removed and the external IP is free to be used for another host.

Configuring NAT

To configure NAT we first need to tell the PIX which hosts/networks on our INSIDE interface are allowed to be translated, and then we tell it what we would like them to be translated to.

We can configure NAT on a global level with the command ‘nat-control’. If we enter the nat-control command we are telling the PIX that all addresses need to be translated before packets can be sent out of another interface.

The opposite is ‘no nat-control’ which means that all hosts can send packets and only where a specific NAT rule has been entered will a translation take place. No nat-control is the default.

There are two types of NAT policies on a PIX; Inside NAT Policy and Outside NAT Policy.

As their names suggest, if Inside NAT Policy is enabled all INSIDE hosts need to have an inside NAT rule configured; likewise, if Outside NAT is enabled all OUTSIDE addresses must have an outside rule configured.

We configure NAT by telling the PIX which interface the hosts/network we want to translate are on:

Code:
London (config)# nat (inside) 1 0.0.0.0 0.0.0.0


The above tells the PIX that we want to perform NAT on the (inside) interface. The 1 is the ‘nat group’ we have assigned it; this will become apparent later. The 0.0.0.0 0.0.0.0 tells the PIX that we want to perform NAT on everything that is attached to the INSIDE interface. We could substitute this with 192.168.2.2 255.255.255.255, which would say that the host with that exact IP address needs to be NAT’ed, or we could use 192.168.1.0 255.255.255.0, which would say that everything between 192.168.0.1 and 192.168.0.255 needs to be translated.

*The 0.0.0.0 0.0.0.0 can be abbreviated to 0 0 however this can look a bit confusing to anyone not comfortable configuring a PIX so you may want to use 0.0.0.0 0.0.0.0.*

So now we have told it what IP addresses that require translating we need to tell the PIX what we want them translated to.
To do this we use the ‘global’ command.

Code:
London (config)# global (outside) 1 80.80.80.81-80.80.80.200 netmask 255.255.255.0


The above command tells the PIX that we are assigning global IP addresses on the (outside) interface for NAT group 1, and that the range of addresses available is 80.80.80.81-80.80.80.200.

Our configuration so far:

Code:
London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address 80.80.80.80 255.255.0.0
London (config-if)# security-level 0
London (config-if)# speed 100
London (config-if)# duplex full
London (config-if)# end
London# conf t
London (config)# nat (inside) 1 0.0.0.0 0.0.0.0
London (config)# global (outside) 1 80.80.80.81-80.80.80.200 netmask 255.255.255.0


So now all hosts on the INSIDE interface will be translated to an address between 80.80.80.81 and 80.80.80.200 whenever they send traffic from the INSIDE interface to the OUTSIDE interface.

*If the NAT command is used there MUST be a GLOBAL command, otherwise NAT will not work*

We can use static NATs that NAT a specific IP address on either the INSIDE or OUTSIDE interface to another IP on a different interface, but this will be covered later in the Advanced PIX Configuration papers.

Route

Just like a router we need to tell the PIX where to send traffic destined for unknown and known IP addresses. We do this by configuring Static and/or Default Routes.

A static route is basically saying ‘To send a packet to the specified network, send it to this router’

A default route tells the PIX where to send traffic destined for an IP address/network not in its routing table. We normally configure a default route to state where internet traffic should go. It is impossible to enter every IP address on the internet into the PIX’s routing table, but it is easy to enter our internal networks into it. So we say that if there is no entry in the routing table, then the traffic is destined for the internet, so send it here. If, when the packet gets to the gateway, it is not destined for the internet and has an internal IP, it will be dropped for reasons mentioned earlier.

Code:
London (config)# route outside 0.0.0.0 0.0.0.0 192.168.2.1 1


The above is an example of a default route. It is saying to route traffic out the outside interface if the IP address is not in the routing table (0.0.0.0 0.0.0.0) to the router with the IP address of 192.168.2.1, which is 1 hop away.

Code:
London (config)# route inside 10.10.10.0 255.255.255.0 10.10.10.1 1


The above is an example of a static route. This is telling the PIX that any traffic arriving on the inside interface destined for the 10.10.10.0 network should be sent to the router with the IP address of 10.10.10.1 which is 1 hop away.

Code:
London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address 80.80.80.80 255.255.0.0
London (config-if)# security-level 0
London (config-if)# speed 100
London (config-if)# duplex full
London (config-if)# end
London# conf t
London (config)# nat (inside) 1 0.0.0.0 0.0.0.0
London (config)# global (outside) 1 80.80.80.81-80.80.80.200 netmask 255.255.255.0
London (config)# route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
London (config)# route inside 10.10.10.0 255.255.255.0 10.10.10.1 1
London (config)# end
London#wr mem


There we have our finished initial BASIC configuration. We have named an interface, assigned it an IP address and subnet mask, told it what speed to operate at, told it that we want to NAT all hosts on the INSIDE interface to the external IP addresses of 80.80.80.81-200, we have given it a default route to tell it where to send unknown traffic, and we have told it where to send traffic destined for the internal network of 10.10.10.0.

Obviously the IP addresses are just for demonstration purposes and all interfaces will need to be configured as above for the PIX to work.

Part three will be ‘slightly advanced PIX configuration’.

_________________
Drugs have taught an entire generation of kids the metric system..

TAZ's better half: http://www.theadminzone.com/


Last edited by Harry on Tue Feb 20, 2007 9:20 am, edited 6 times in total.
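The six commands above set up a forwarding path that is easier to see in motion than in prose. The Python below is an added illustration, not code from the tutorial, from Cisco or from this forum: it models route lookup (longest prefix wins, so the default route only applies when no static route matches), the nat/global pairing by NAT ID, the "nat without global" failure the tutorial warns about, the nat-control setting, and the translation (xlate) table with its three-hour idle timeout. The addresses are the tutorial's; the packet timings and the 198.51.100.x destination are constructed for the example.

```python
"""Toy model of the outbound path set up by the tutorial's nat, global and route
commands.  Added example, not PIX code: the addresses come from the tutorial,
the packet timings and destinations are constructed."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
XLATE_TIMEOUT = 3 * 60 * 60   # idle translations are dropped after three hours (tutorial default)


@dataclass
class Route:
    interface: str
    network: Net
    gateway: IPv4
    metric: int


@dataclass
class Xlate:
    local: IPv4        # inside address
    mapped: IPv4       # address taken from the global pool
    last_seen: float   # time of the last packet that used this entry


class Pix:
    def __init__(self, nat_control=False):
        self.nat_control = nat_control   # 'nat-control' vs the default 'no nat-control'
        self.routes = []
        self.nat_rules = {}              # nat_id -> [(interface, network)]
        self.pools = {}                  # (nat_id, interface) -> [global addresses]
        self.xlates = {}                 # local address -> Xlate

    def route(self, interface, net, mask, gateway, metric=1):
        """route <if> <net> <mask> <gateway> <metric>"""
        self.routes.append(Route(interface, Net(f"{net}/{mask}", strict=False), IPv4(gateway), metric))

    def nat(self, interface, nat_id, net, mask):
        """nat (<if>) <id> <net> <mask>: these local hosts may be translated"""
        self.nat_rules.setdefault(nat_id, []).append((interface, Net(f"{net}/{mask}", strict=False)))

    def global_(self, interface, nat_id, first, last):
        """global (<if>) <id> <first>-<last>: the pool they are translated to"""
        self.pools[(nat_id, interface)] = [IPv4(a) for a in range(int(IPv4(first)), int(IPv4(last)) + 1)]

    def lookup_route(self, dst):
        """Longest prefix wins; the 0.0.0.0/0 default route only matches when nothing else does."""
        matches = [r for r in self.routes if dst in r.network]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))

    def expire(self, now):
        for local in [k for k, x in self.xlates.items() if now - x.last_seen >= XLATE_TIMEOUT]:
            del self.xlates[local]

    def translate(self, in_iface, out_iface, src, now):
        self.expire(now)
        if src in self.xlates:                      # existing entry: reuse it and refresh the timer
            self.xlates[src].last_seen = now
            return self.xlates[src].mapped
        nat_id = next((nid for nid, rules in self.nat_rules.items()
                       if any(i == in_iface and src in n for i, n in rules)), None)
        if nat_id is None:                          # no rule: nat-control drops, otherwise pass untranslated
            return None if self.nat_control else src
        pool = self.pools.get((nat_id, out_iface))
        if pool is None:                            # nat without a matching global: "NAT will not work"
            return None
        in_use = {x.mapped for x in self.xlates.values()}
        free = next((a for a in pool if a not in in_use), None)
        if free is None:                            # pool exhausted
            return None
        self.xlates[src] = Xlate(src, free, now)
        return free

    def forward(self, in_iface, src, dst, now=0.0):
        """Return (egress interface, next hop, translated source), or None if the packet is dropped."""
        src, dst = IPv4(src), IPv4(dst)
        route = self.lookup_route(dst)
        if route is None:                           # no route and no default route
            return None
        mapped = self.translate(in_iface, route.interface, src, now)
        if mapped is None:
            return None
        return route.interface, str(route.gateway), str(mapped)


def tutorial_pix(nat_control=False):
    """The nat/global/route lines from the tutorial's finished configuration."""
    pix = Pix(nat_control)
    pix.nat("inside", 1, "0.0.0.0", "0.0.0.0")
    pix.global_("outside", 1, "80.80.80.81", "80.80.80.200")
    pix.route("outside", "0.0.0.0", "0.0.0.0", "192.168.2.1", 1)
    pix.route("inside", "10.10.10.0", "255.255.255.0", "10.10.10.1", 1)
    return pix


if __name__ == "__main__":
    pix = tutorial_pix()
    print(pix.forward("inside", "192.168.2.2", "198.51.100.7", now=0))     # first host gets 80.80.80.81
    print(pix.forward("inside", "192.168.2.3", "198.51.100.7", now=10))    # next host gets 80.80.80.82
    print(pix.forward("inside", "192.168.2.2", "198.51.100.9", now=20))    # same host reuses its xlate
```

Two behaviours are worth trying with the model: remove the global line (or call `Pix()` with only a nat rule) and `forward` returns None, which is the "nat without global" case; construct the box with `nat_control=True` and leave out the nat rule, and hosts are dropped rather than passed untranslated, which is the difference between 'nat-control' and the default 'no nat-control' described above.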

 
 Post subject: Re: Basic PIX configuration
PostPosted: Tue Sep 12, 2006 8:30 am
  

THE Prancing Pirate

Joined: Fri Feb 24, 2006 10:47 pm
Posts: 8167
Another great tutorial, Nokia! :D

But, as always, I have a question (hehe ;)):
nokia wrote:
Code:
London (configuration-if)# end

Why did that suddenly change to 'configuration-if' if it was 'config-if' before that?

As I said last time... I'm looking forward to the next tut! :D

_________________
"Don't gain the world and lose your soul, wisdom is better than silver or gold." - Bob Marley

[CS:Source Admin]


 
 Post subject:
PostPosted: Tue Sep 12, 2006 9:52 am
  

Site Admin

Joined: Sat Feb 11, 2006 10:44 pm
Posts: 6601
Location: UK :-)
Sorry - typo!

Will change it now! :P



 
 Post subject:
PostPosted: Tue Sep 12, 2006 9:20 pm
  

THE Prancing Pirate

Joined: Fri Feb 24, 2006 10:47 pm
Posts: 8167
There's another instance of it above the one you corrected :P

Other than that.... GREAT tut! :D



 
 Post subject: Block a Specific website
PostPosted: Tue Nov 14, 2006 3:07 pm
  

Probie

Joined: Tue Nov 14, 2006 3:00 pm
Posts: 5
Hi
That basic configuration info for a PIX was very informative. Could you please tell me how I can block a particular website (I know the IP addresses) in a PIX version 6.3(3)? Could you please provide the steps, as I am a novice at PIX configuration.
thanks in advance
Jerome
IN


 
 Post subject:
PostPosted: Tue Nov 14, 2006 3:38 pm
  

I've posted HOW many

Joined: Sun Dec 25, 2005 11:26 pm
Posts: 4760
Location: Michigan
You can add an IP address on the outside interface and deny all traffic; however, if you do it for one you'll probably have to do it for many. I would suggest, if this is a large environment, using a URL filter like Websense. Makes life a whole lot easier.

_________________
No lusers were harmed in the creation of this Taz Zone Post.
AND I WANT TO KNOW WHY NOT!
09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0


 
 Post subject:
PostPosted: Tue Nov 14, 2006 5:27 pm
  

Site Admin

Joined: Sat Feb 11, 2006 10:44 pm
Posts: 6601
Location: UK :-)
You would have to put an ACL on the Inside interface to stop users connecting to the website - or as dino said use a web filter of some kind.

If you post the IP of the web site you want to block and the internal IP range you want to stop accessing this site, I will post the exact command you will need to enter into the PIX for you.



Last edited by Harry on Tue Nov 14, 2006 5:41 pm, edited 1 time in total.

 
 Post subject:
PostPosted: Tue Nov 14, 2006 5:40 pm
  

I've posted HOW many

Joined: Sun Dec 25, 2005 11:26 pm
Posts: 4760
Location: Michigan
Damn, I did say outside, didn't I. Sorry about that.



 
 Post subject:
PostPosted: Wed Nov 15, 2006 4:52 am
  

Probie

Joined: Tue Nov 14, 2006 3:00 pm
Posts: 5
Hi :)
Thanks for the immediate reply and help

Actually I want to block orkut.com (72.14.209.86) for the internal IP range 192.168.12.0/24

thanks in advance

Regards
Jerome


 
 Post subject:
PostPosted: Wed Nov 15, 2006 3:51 pm
  

Just beginning to get the hang of it

Joined: Sat Oct 28, 2006 5:48 am
Posts: 36
Orkut.com is going to be more than one IP address.

Do an nslookup www.orkut.com and you'll see. I got three entries back, and they could change at any time.

Non-authoritative answer:
Name: orkut.com
Addresses: 72.14.209.85, 72.14.209.86, 72.14.209.87

Your best bet is to use a URL content filter such as Squid or Websense.

But the syntax for the ACL you want to use is this:

Look at one of Nokia's other PIX articles on how to add a remark to this. I don't remember right now. This will let you know WHY you blocked these IP addresses later when you're looking at the ruleset again.

Make sure you put all of your DENY rules at the top, since the PIX processes the rules in order.

Code:
access-list inside line 1 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.85
access-list inside line 2 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.86
....
wr mem


Or you can create an access-group to keep the IP addresses you want to block in. I call mine BLOCKED_IPS. I don't remember the proper syntax for it right now.

Still, if you're going to be blocking websites, you need to look for a URL content filtering system.


 
 Post subject:
PostPosted: Wed Nov 15, 2006 7:47 pm
  

Site Admin

Joined: Sat Feb 11, 2006 10:44 pm
Posts: 6601
Location: UK :-)
Hola,

Safety First - The first thing you need to do is log on to the PIX and issue the 'sh run' command - copy and paste the output into notepad and save it somewhere on your PC. If something goes wrong you just need to paste this back in.

The second thing to do is to identify the name of the access-list applied to the inside interface, one way to do this is by again issuing the 'show run' command:

On one of my buckshee firewalls, about half way down the config I get the following:

Code:
Result of firewall command: "sh run"
****
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
****


Which tells me there is an access-list called INSIDE_IN filtering inbound traffic on the INSIDE interface.

(Yours may be called something different - I think the default is inside_access_in but just look for the one that has 'inside' as the very last word as this is the interface it is applied to)

Once you know the name of the access list that is on the inside interface (there can only be one ACL per interface) issue the command 'sh access-list NAME OF ACCESS LIST' command:

Code:
Result of firewall command: "sh access-list INSIDE_IN"

access-list INSIDE_IN; 2 elements
access-list INSIDE_IN line 1 permit icmp any any (hitcnt=2899)
access-list INSIDE_IN line 2 permit ip any any (hitcnt=4575)



As stated by Burn, if you want to deny something from the inside network going to the outside you need to put the deny ACE at the top of the ACL. The PIX processes the ACEs in the order they are in, so if you were to put it at the bottom of the above ACL, the "permit ip any any" would be read first and the PIX would permit the traffic before it even got to the deny ACE.

So to add the ACE you will need to use the following commands: (as Burn stated)

Code:
access-list ACL NAME line 1 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.85
access-list ACL NAME line 2 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.86
access-list ACL NAME line 3 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.87


If you now issue the 'sh access-list ACL NAME' command you can verify the ACEs have been written properly:

Code:
Result of firewall command: "sh access-list INSIDE_IN"

access-list INSIDE_IN; 5 elements
access-list INSIDE_IN line 1 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.85 (hitcnt=0)
access-list INSIDE_IN line 2 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.86 (hitcnt=0)
access-list INSIDE_IN line 3 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.87 (hitcnt=0)
access-list INSIDE_IN line 4 permit icmp any any (hitcnt=2899)
access-list INSIDE_IN line 5 permit ip any any (hitcnt=4575)


So now when packets come into the INSIDE interface the PIX will scroll through the ACL until it comes to an action it can do. If the packet is not addressed to 72.14.209.85-87, the first rule the PIX will come across that it can use will be 'permit ip any any' and the packet will be allowed; if the packet is addressed to 72.14.209.85-87, the PIX will act on the first three rules respectively and deny the connection.

BEFORE writing it to memory test that workstations on the inside network can still get to the internet and then test it to see if they can get to the web site or not. Once you are 100% happy, issue the 'wr mem' command to write the running config to the start-up config.

What this won't stop your users from doing is viewing the web site through an external proxy that caches web pages: the connection will be between the user and the proxy, so the destination IP will be different from the ones you have blocked. Also, Ask Jeeves used to show websites within the Ask Jeeves page, so again the connection will be between the user and Ask Jeeves and the ACL will not work. (This may have changed; I haven't been to Ask Jeeves in a long time.)

Blocking web sites with an ACL is good if your user knowledge level is low but it should not be relied upon 100% - if it is important to really restrict URLs then your best method will be to buy either a Websense Enterprise URL filter (supported by PIX version 5.3 and later) or a N2H2 Sentian URL filter (supported by PIX version 6.2 and later) - the PIX will not support any other URL filter.

If you want to keep track of how often someone tried to view the web page, you just have to issue the 'sh access-list ACL NAME' command and look at the "hitcnt=???" (Hit Count) next to the specific ACL.

_________________
Drugs have taught an entire generation of kids the metric system..

TAZ's better half: http://www.theadminzone.com/
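Burn's post and the one above both make the same point: the PIX evaluates an ACL top-down and stops at the first ACE that matches, so a deny placed below 'permit ip any any' never fires. The Python below is an added example, not code from the thread or from Cisco. It parses 'sh access-list' output in the format shown above, evaluates a packet against it first-match, and flags deny ACEs that an earlier permit already covers, which is the check to run before 'wr mem'. The two sample ACLs are constructed from the post's own lines (one with the denies at the top, one with them appended at the bottom); the 198.51.100.x destination is a constructed example address.

```python
import re
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access-control entry as printed by 'sh access-list NAME'."""
    line: int
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "icmp", "tcp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hits: int                         # the hitcnt=N counter, 0 if absent


ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?\s*$"
)


def parse_endpoint(text):
    """'any', 'host A.B.C.D' or 'A.B.C.D MASK' -> IPv4Network."""
    if text == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if text.startswith("host "):
        return ipaddress.IPv4Network(text.split()[1] + "/32")
    addr, mask = text.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(output):
    """Pick the ACE lines out of 'sh access-list' output; header lines are skipped."""
    aces = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append(Ace(int(m["line"]), m["action"], m["proto"],
                            parse_endpoint(m["src"]), parse_endpoint(m["dst"]),
                            int(m["hits"] or 0)))
    return sorted(aces, key=lambda a: a.line)


def evaluate(acl, proto, src, dst):
    """First-match evaluation, as the PIX does it.  Returns (action, line); line is
    None when no ACE matched and the implicit deny at the end of the ACL applies."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, ace.line
    return "deny", None


def shadowed_denies(acl):
    """Deny ACEs that can never match because an earlier permit already covers their
    protocol, source and destination.  Returns [(deny_line, permit_line), ...]."""
    found = []
    for i, ace in enumerate(acl):
        if ace.action != "deny":
            continue
        for earlier in acl[:i]:
            if (earlier.action == "permit" and earlier.proto in ("ip", ace.proto)
                    and ace.src.subnet_of(earlier.src) and ace.dst.subnet_of(earlier.dst)):
                found.append((ace.line, earlier.line))
                break
    return found


# Constructed sample 1: the post's ACL with the deny ACEs at the top.
CORRECT = """\
access-list INSIDE_IN; 5 elements
access-list INSIDE_IN line 1 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.85 (hitcnt=0)
access-list INSIDE_IN line 2 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.86 (hitcnt=0)
access-list INSIDE_IN line 3 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.87 (hitcnt=0)
access-list INSIDE_IN line 4 permit icmp any any (hitcnt=2899)
access-list INSIDE_IN line 5 permit ip any any (hitcnt=4575)
"""

# Constructed sample 2: the mistake the post warns about, the same denies appended last.
WRONG = """\
access-list INSIDE_IN; 5 elements
access-list INSIDE_IN line 1 permit icmp any any (hitcnt=2899)
access-list INSIDE_IN line 2 permit ip any any (hitcnt=4575)
access-list INSIDE_IN line 3 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.85 (hitcnt=0)
access-list INSIDE_IN line 4 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.86 (hitcnt=0)
access-list INSIDE_IN line 5 deny ip 192.168.12.0 255.255.255.0 host 72.14.209.87 (hitcnt=0)
"""

if __name__ == "__main__":
    for label, text in (("correct", CORRECT), ("wrong", WRONG)):
        acl = parse_acl(text)
        print(label, evaluate(acl, "tcp", "192.168.12.10", "72.14.209.86"), shadowed_denies(acl))
```

Running it on the "wrong" ordering shows the blocked host being permitted by line 2 and all three denies reported as shadowed by it; on the corrected ordering the same packet is denied by line 2 and nothing is shadowed. The hit counters are kept on each Ace so the same parser can be reused for the hitcnt check mentioned at the end of the post.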


 
 Post subject:
PostPosted: Thu Nov 16, 2006 1:50 pm
  

Probie

Joined: Tue Nov 14, 2006 3:00 pm
Posts: 5
Hi
Thanks guys for the detailed instructions. I will be trying out the same and post the feedback later.
Thanks again
Regards
Jerome :)


 
 Post subject: NATed Table shows private addresses and public addresses
PostPosted: Mon Nov 27, 2006 5:43 pm
  

1st Century Addict

Joined: Mon Nov 27, 2006 5:24 pm
Posts: 129
At work we have PIX A connected to another PIX B. I have control of PIX A only; how can I find the NAT table for PIX A that shows me the private addresses (inside) which were NATed to public IP addresses (outside)?

1- What command should I use ?

2- If at work our PIX A design is similar to the link below (i.e. the inside interface and outside interface have private IP addresses):

http://www.ciscopress.com/articles/arti ... 31464&rl=1
Figure 6.1

Can I find out what the public IP addresses are?

Regards


Last edited by zillah on Mon Nov 27, 2006 6:55 pm, edited 1 time in total.

 
 Post subject:
PostPosted: Mon Nov 27, 2006 6:26 pm
  

Site Admin

Joined: Sat Feb 11, 2006 10:44 pm
Posts: 6601
Location: UK :-)
Quote:
At our PIX A is connected to another PIX B from ISP , i have got control of PIX A only, how can I find what NAT table for PIX A that shows me private addresses (inside) which were NATed to public ip addresses (outside) ?

1- What command should I use ?


Hello mate,

'sh nat' will show you all the NATs you have set up
'sh conn' will show you all current connections
'sh xlate' will show you all the current translations (NATs) taking place


Quote:
2- if at work our PIX design is similar to the link below (i.e. inside interface and outside interface have got private ip addresses ):

http://www.ciscopress.com/articles/arti ... 31464&rl=1
Figure 6.1

Can I find out what are public ip addresses ?


That's probably a good setup, as it sounds like you have a perimeter network. In this configuration the PIX itself won't have an external routable IP, but it should have an IP on a different subnet to the rest of your internal LAN, say 10.0.0.0 for your internal network and 192.168.10.0 for the perimeter network. There will probably be something after the PIX, though, that has the external IP; it could be a router, firewall etc. This is what you will need to look at to see what your public IP(s) is/are.



 
 Post subject:
PostPosted: Mon Nov 27, 2006 7:27 pm
  

1st Century Addict

Joined: Mon Nov 27, 2006 5:24 pm
Posts: 129
Thanks nokia
At work, I have been asked to find out which private IP addresses have been NATed to public addresses. Since the perimeter network is not under my control, how can I do that?

When I used "show conn", it showed some public IP addresses.

Aren't these public IP addresses related to NAT, as they are related to TCP connections?

