Ch01: Configuring Cisco PIX Firewalls

From Linux Home Networking

Introduction

This chapter covers the Cisco PIX 501 firewall, a common choice for protecting a DSL or cable modem based home network. It explains how to configure the PIX, and the appendix contains a number of fully commented sample PIX configurations in which each line is explained.

It is important to remember that the PIX 501 has two Ethernet interfaces. The one named "outside" should always be connected to the Internet and the one named "inside" should be connected to your home network. The "outside" interface is sometimes referred to as the "unprotected" interface and the "inside" interface as the "protected" one. The PIX gives the outside interface security level 0 and the inside interface security level 100 (the nameif lines in the configuration). Connections may be initiated from a higher security interface to a lower one, so your home PCs can reach the Internet, but connections from the outside to the inside are dropped unless a static translation and an access list explicitly permit them. Most of the configuration on this page is about controlling those exceptions.

Network Address Translation (NAT)

Network address translation is a method used to conserve the limited number of IP addresses available on the Internet by letting many private addresses share one or a few public ones. The Introduction to Networking page explains the concept in more detail along with other fundamental topics. We will return to NAT, specifically how to configure it, later on this page, but first a very basic introduction to configuring and using the PIX.

Accessing the PIX command line

There are many ways to access the PIX command line. Here are the most common methods:

Via The Console Port

Your Cisco PIX comes with a console cable that lets you configure it using terminal emulation software such as HyperTerminal. Once you've given the PIX an IP address you'll be able to access it via telnet from your home network. Telnet sends the password in clear text, so keep it to the protected inside interface; the PIX also supports SSH for management, which is preferable wherever the path is not trusted.

Via Telnet

  • One easy way to reach any device on your network by name is the /etc/hosts file. Here you list the IP addresses of important devices with a corresponding nickname. Here is a sample in which the PIX firewall "pixfw" has the default IP address of 192.168.1.1 on its inside (protected) interface:
#
# Do not remove the following line, or various programs
# that require network functionality will fail.
#
127.0.0.1 localhost.localdomain localhost
192.168.1.1 pixfw
192.168.1.100 bigboy mail.my-site.com
  • Once connected to the network you can access the PIX via telnet:
[root@bigboy tmp]# telnet pixfw
Trying 192.168.1.1...
Connected to pixfw.
Escape character is '^]'.
  • You'll be prompted for a login password, and will need a second password to enter the privileged "enable" mode. If you are directly connected to the console you should get a similar prompt. On a factory-fresh PIX the enable password is empty, so simply hitting "Enter" at the enable prompt is enough; the telnet login password defaults to "cisco". Both should be changed before the PIX is connected to the Internet.
User Access Verification

Password:
Type help or '?' for a list of available commands.
pixfw> enable
Password: ********
pixfw#
  • Use the "write terminal" (wr term) command to see the running configuration. Change the telnet password ("passwd") and the "enable password" as soon as your initial configuration is complete; this is covered below.
pixfw# wr term
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password dsjf5sdfgsjrgjwk encrypted
passwd sdffg8324dgrggjd encrypted
hostname pixfw
fixup protocol ftp 21
...
...
  • ALL PIX configuration commands need to be entered in configuration mode, which you reach with the "configure terminal" (conf t) command from the enable prompt.
pixfw# conf t
pixfw(config)# "Enter commands here"
pixfw(config)# exit
pixfw#
  • You can usually delete a command from the configuration by prefixing it with the word "no". Commands that can only have a single value don't need a "no"; issuing the command again with the new value simply overwrites the old one.
In the example below, we delete one of the access control list (ACL) entries attached to the outside (Internet) interface and then change the PIX's hostname.
pixfw# conf t
pixfw(config)# no access-list inbound permit tcp any any eq www
pixfw(config)# hostname firewall
firewall(config)# exit
firewall#
  • One of the first things you should do is change the default passwords for the PIX.
pixfw# conf t
pixfw(config)# enable password enable-password-here
pixfw(config)# passwd telnet-password-here
pixfw(config)# exit
pixfw#

Note: The "passwd" command sets the login password used to gain access from the console or through telnet; the "enable password" protects privileged mode. Both are stored in the configuration in encrypted form, as seen in the "write terminal" output above.

  • When you've finished configuring, save your changes permanently with the "write memory" (wr mem) command. Until you do, the running configuration is lost at the next reboot:
pixfw# wr mem
Building configuration...
Cryptochecksum: 3af43873 d35d6f06 51f8c999 180c2342
[OK]
pixfw#

Sample PIX Configuration: DHCP

Your PIX can be configured to work with DHCP in many ways. Here are some examples.

Configuring DSL PPPoE DHCP

PPPoE DSL requires a username and password from your ISP. Most ISPs have a homepage where you can register to get them; ask customer service for the URL. Substitute your values for "dsl-username" and "dsl-password" below. The vpdn group statements assign a username, password and authentication type to a profile, in this case "ISP". The configuration steps are relatively straightforward (remember to be in config mode):


ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
vpdn group ISP request dialout pppoe
vpdn group ISP localname dsl-username
vpdn group ISP ppp authentication pap
vpdn username dsl-username password dsl-password

In this example, the inside IP address of the PIX is 192.168.1.1. As the PIX will be acting as your default gateway to the Internet, you will have to set the default gateway on all your servers to 192.168.1.1. The "setroute" keyword installs the default route learned from the PPPoE session, so no "route outside" statement is needed. You must be running PIX software version 6.2 or later for PPPoE to work.

Configuring Cable Modem DHCP

DHCP configuration for cable modems is much simpler; there is no PPPoE username or password as with regular DSL. The commands to let your PIX get a DHCP address (and, with "setroute", its default route) from your ISP are:

ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0

In this example, the IP address of the PIX is 192.168.1.1. As the PIX will be acting as your default gateway to the internet, you will have to set the default gateway on all your servers to be 192.168.1.1

NAT Configuration with DHCP

Here we allow any traffic coming in on the inside (private/protected) interface to be NAT-ted to the IP address of the outside (public/unprotected) interface of the firewall. If DHCP or PPPoE has assigned the address 97.158.253.12 to your firewall, then traffic from your protected PCs passing through the firewall will appear to come from 97.158.253.12. This is frequently called many-to-one NAT; the PIX calls it PAT (port address translation) because it keeps the connections apart by source port. The trailing "0 0" on the nat command are the maximum and embryonic (half-open) connection limits, where 0 means unlimited.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Dynamic DNS Port Forwarding Entries

It is possible to host your own website on a DHCP DSL / cable modem connection using dynamic DNS. There are many providers to choose from.

Once you have registered with a dynamic DNS provider (and installed its update client, which keeps your DNS name pointing at whatever address the ISP hands you), you will need to configure your firewall. Here we allow all incoming www traffic (on TCP port 80) destined for the firewall's outside interface to be forwarded to the web server at 192.168.1.100 on port 80 (www).

access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-group inbound in interface outside
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255

Once configured, you will be able to reach your web server using the firewall's outside interface IP address as the destination, e.g. http://firewall-outside-ip-address. Remember, the PIX does not let servers on your home network reach the firewall's public NAT address; you'll have to ask a friend outside to check it out. Note that the "permit icmp any any" line lets every ICMP type through from the Internet. If all you need is for ping and traceroute from the inside to work, restrict it to the echo-reply, unreachable and time-exceeded types (for example "access-list inbound permit icmp any any echo-reply").

Here are some additional ports you may be interested in forwarding in the same way (each one needs its own static and access-list entry):

Protocol        Port      Type
FTP             20, 21    TCP
SMTP Mail       25        TCP
POP3 Mail       110       TCP
HTTPS / SSL     443       TCP
DNS             53        UDP and TCP

How To Get Static IPs For DSL Cheaply

Many ISP DSL providers offer cheap DHCP (dynamic IP) service. Due to competition they'll even throw in a DSL modem and even a router for free. This service frequently isn't available for users with static IPs which the ISPs frequently feel are businesses. If you really want static IP addresses and are willing to pay the higher monthly fee, then you can reduce your installation costs by:

  • Ordering DHCP DSL first with the free modem and/or router
  • Upgrade to static IPs a week later. They probably won't ask about the modem and/or router, and it becomes bundled in free.

Sample PIX configuration: DSL - Static IPs

PPPoE authentication is only required for dynamic (DHCP) DSL service. Once you go for static IPs the vpdn statements are no longer needed, so if you are converting from dynamic to static addresses remove them. In this example, the ISP has assigned the Internet subnet 97.158.253.24 with a mask of 255.255.255.248 (/29). That gives six usable addresses, 97.158.253.25 through 97.158.253.30; .24 is the network address and .31 the broadcast address, and neither can be assigned to a host. The address selected for the PIX's outside interface is 97.158.253.25 and the ISP's default gateway is 97.158.253.30.

ip address outside 97.158.253.25 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 97.158.253.30

In this example, the IP address of the PIX is 192.168.1.1. As the PIX will be acting as your default gateway to the internet, you will have to set the default gateway on all your servers to be 192.168.1.1

Note: When you receive your own /29 allocation all the IPs are exclusively yours whether you use them or not. This can be viewed as being wasteful in the eyes of some ISPs. Some service providers now use PPPoE with DHCP IP address reservations based on your MAC address. It appears to be an attempt to conserve on IP addresses by placing many customers on a large shared network that allows the ISP to add and subtract allocated IPs at will. This means that the ISP, and not its customers, are in possession of all unused IP addresses.

Outgoing Connections NAT Configuration

Here we allow connections originating from servers on the inside (private/protected) interface with an address on the 192.168.1.0/24 network (192.168.1.0 to 192.168.1.255) to be NAT-ted to the IP address of the outside (public/unprotected) interface of the firewall, which is 97.158.253.25:

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

This is another application of many-to-one NAT.

Incoming Connections NAT Configuration

It is possible to dedicate a single public IP address to a single server on your home network. This is called one-to-one NAT.

Here we make the firewall answer for a second address in our block, namely 97.158.253.26, and translate it one-to-one to the protected web server at 192.168.1.100. Only ICMP, www (TCP 80) and DNS (TCP and UDP 53) traffic is allowed to reach it, via an access control list applied to the outside interface. Both pieces are required: the static creates the translation, but without the access-group the PIX still denies every connection from the outside. The trailing "0 0" on the static are the maximum and embryonic connection limits (0 means unlimited); setting the embryonic limit to a value appropriate to your server makes the PIX start limiting half-open connections during a SYN flood.

access-list inbound permit icmp any any
access-list inbound permit tcp any host 97.158.253.26 eq www
access-list inbound permit tcp any host 97.158.253.26 eq 53
access-list inbound permit udp any host 97.158.253.26 eq 53
access-group inbound in interface outside
static (inside,outside) 97.158.253.26 192.168.1.100 netmask 255.255.255.255 0 0
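The static IP and one-to-one NAT sections above repeat the same arithmetic by hand: the PIX address, the gateway and every one-to-one NAT address must be usable hosts inside the ISP's /29, and the server behind each static must be on the inside network. The following is an added example, not code from the original page or from Cisco, that checks a plan and emits the matching PIX 6.x statements. The plan_static_block() and plan_errors() helpers are assumptions of this example; the addresses are the page's sample values.

```python
import ipaddress

# Added example: validate a static address plan and print the PIX lines for it.
# plan_static_block() is a helper invented for this page, not a PIX command.


def plan_static_block(subnet, pix_outside, gateway, inside_if, one_to_one=None):
    """Return the PIX config lines for a static block, or raise ValueError.

    subnet      ISP allocation, e.g. "97.158.253.24/29"
    pix_outside address for the PIX outside interface
    gateway     ISP default gateway
    inside_if   PIX inside interface address with prefix, e.g. "192.168.1.1/24"
    one_to_one  optional {public IP: private server IP} for static (inside,outside)
    """
    net = ipaddress.ip_network(subnet, strict=True)
    usable = set(net.hosts())  # excludes the network and broadcast addresses
    pix = ipaddress.ip_address(pix_outside)
    gw = ipaddress.ip_address(gateway)
    inside = ipaddress.ip_interface(inside_if)

    for label, addr in (("PIX outside address", pix), ("default gateway", gw)):
        if addr not in usable:
            raise ValueError(f"{label} {addr} is not a usable host in {net}")
    if pix == gw:
        raise ValueError("PIX outside address and default gateway must differ")

    lines = [
        f"ip address outside {pix} {net.netmask}",
        f"ip address inside {inside.ip} {inside.netmask}",
        f"route outside 0.0.0.0 0.0.0.0 {gw}",
        "global (outside) 1 interface",
        f"nat (inside) 1 {inside.network.network_address} {inside.netmask} 0 0",
    ]

    used = {pix, gw}
    for public, private in (one_to_one or {}).items():
        pub = ipaddress.ip_address(public)
        prv = ipaddress.ip_address(private)
        if pub not in usable:
            raise ValueError(f"one-to-one NAT address {pub} is not a usable host in {net}")
        if pub in used:
            raise ValueError(f"{pub} is already assigned to the PIX, the gateway or another static")
        if prv not in inside.network:
            raise ValueError(f"server {prv} is not on the inside network {inside.network}")
        used.add(pub)
        lines.append(f"static (inside,outside) {pub} {prv} netmask 255.255.255.255 0 0")
    return lines


def plan_errors(*args, **kwargs):
    """Return the validation error message for a plan, or None if it is valid."""
    try:
        plan_static_block(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The page's sample block: PIX at .25, gateway at .30, web server on .26
    for line in plan_static_block("97.158.253.24/29", "97.158.253.25", "97.158.253.30",
                                  "192.168.1.1/24", {"97.158.253.26": "192.168.1.100"}):
        print(line)
```

Run it and paste the output into config mode. The check that matters most in practice is the exclusion of .24 and .31: a static on the broadcast address is accepted by many people's mental arithmetic and silently never works.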

Once configured, you will be able to reach your web server using the one-to-one NAT address, 97.158.253.26, as the destination, e.g. http://97.158.253.26. Remember, the PIX does not let servers on your home network reach the firewall's public NAT addresses; you'll have to ask a friend outside to check it out.

How To Configure Your PIX To Accept Telnet

The telnet command configures which addresses may open telnet sessions to the PIX, and on which interface. To allow the 192.168.1.0/24 network on the inside interface:

telnet 192.168.1.0 255.255.255.0 inside

Of course, if you change the IP address of the inside interface, you may have to change the statement above.

You can also allow access on the outside interface with a similar command. In the example below we're allowing access from the 64.251.19.0/24 network. I generally wouldn't recommend this, but in some cases the need to do it is unavoidable. Bear in mind that telnet carries the password in clear text, and that the PIX only accepts telnet on the outside interface when the session arrives inside an IPsec tunnel. For remote management over the Internet use SSH instead; the "ssh" command takes the same address, mask and interface arguments.

telnet 64.251.19.0 255.255.255.0 outside

As an added precaution, you can have the PIX automatically log out telnet sessions that have been idle for a period of time. The default is 5 minutes; here is an example of a 15 minute timeout:

telnet timeout 15
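The password, access-list and telnet sections above each describe a setting that is easy to get wrong and easy to check for in the "write terminal" output. The following is an added example, not code from the original page or from Cisco, that audits a saved PIX 6.x configuration for those points: the factory telnet password still in place, telnet permitted on the outside interface, an over-long telnet timeout, "permit ... any any" entries, and a DHCP server on the outside interface. The sample configurations are constructed for this example (the weak one combines the page's own lines, the hardened one shows the corrected forms), audit_pix_config() is a helper invented here, and the hash compared against is the well-known encrypted form of the default password "cisco".

```python
import re

# Constructed sample of PIX 6.x "write terminal" output (not captured from a real
# device). It deliberately contains the weak settings the audit looks for.
SAMPLE_CONFIG = """\
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password dsjf5sdfgsjrgjwk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfw
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any host 97.158.253.26 eq 53
access-group inbound in interface outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 64.251.19.0 255.255.255.0 outside
telnet timeout 60
dhcpd enable inside
"""

# The same device after fixing each finding (also constructed).
HARDENED_CONFIG = """\
enable password dsjf5sdfgsjrgjwk encrypted
passwd sdffg8324dgrggjd encrypted
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host 97.158.253.26 eq www
access-group inbound in interface outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
"""

# Encrypted form of the factory default telnet password "cisco".
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"

# access-list NAME permit PROTO any any [eq PORT | icmp-type ...]
ANY_ANY_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(\S+)\s+any\s+any(?:\s+(.*))?$")


def audit_pix_config(text, max_telnet_timeout=15):
    """Return a list of (severity, message) findings for a PIX 6.x configuration."""
    findings = []
    enable_set = passwd_set = False
    timeout = 5  # PIX default telnet inactivity timeout, in minutes

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":") or line.startswith("Building"):
            continue  # "write terminal" banner and comments
        words = line.split()
        if words[:2] == ["enable", "password"]:
            enable_set = True
        elif words[0] == "passwd" and len(words) > 1:
            passwd_set = True
            if words[1] == DEFAULT_PASSWD_HASH:
                findings.append(("high", "telnet password is still the factory default 'cisco'"))
        elif words[0] == "telnet" and len(words) > 2:
            if words[1] == "timeout":
                timeout = int(words[2])
            elif words[-1] == "outside":
                findings.append(("high", f"telnet management allowed from the Internet: {line}"))
        elif words[0] == "access-list":
            m = ANY_ANY_RE.match(line)
            if m:
                acl, proto, rest = m.groups()
                if proto == "icmp" and not rest:
                    findings.append(("medium", f"{acl}: permits every ICMP type from anywhere; "
                                               "restrict to echo-reply, unreachable and time-exceeded"))
                elif proto != "icmp":
                    findings.append(("medium", f"{acl}: permits {proto} from any source to any "
                                               f"destination; restrict it to the static-mapped address: {line}"))
        elif words[:2] == ["dhcpd", "enable"] and len(words) > 2 and words[2] == "outside":
            findings.append(("high", "DHCP server enabled on the outside (Internet-facing) interface"))

    if not enable_set:
        findings.append(("high", "no enable password configured: privileged mode is unprotected"))
    if not passwd_set:
        findings.append(("high", "no telnet password (passwd) configured"))
    if timeout > max_telnet_timeout:
        findings.append(("low", f"telnet timeout is {timeout} minutes; use {max_telnet_timeout} or less"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_pix_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
    print("hardened config findings:", audit_pix_config(HARDENED_CONFIG))
```

Feed it the output of "wr term" captured from your terminal session. The audit only reads lines that start with the keyword it cares about, so it is safe to run on a full configuration; anything it does not understand is ignored rather than misreported.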

How To Make Your PIX A DHCP Server

Enabling your PIX to be a DHCP server for your home network requires very few statements. First you have to enable the feature on the desired interface, which is usually the "inside" interface. The next step is to set the range of IP addresses the PIX's "inside" interface will manage, and finally, you need to state the IP address of the DNS server the DHCP clients will use.

If the PIX gets its outside address from your ISP by DHCP or PPPoE, the "dhcpd auto_config outside" command makes it hand the DNS (and WINS and domain name) values it learned from the ISP to its own DHCP clients, so in that case the dhcpd dns statement is optional. The PIX does not cache or proxy DNS itself; your clients talk to the servers it gives them directly. In the example below the clients are pointed at the home server 192.168.1.100.

dhcpd enable inside
dhcpd address 192.168.1.20-192.168.1.30 inside
dhcpd dns 192.168.1.100


Basic PIX Troubleshooting

There are many ways to troubleshoot your PIX. Here are a few:

The "show interface" Command

The show interface command shows the basic status of the PIX's interfaces. I've included some sample output below:

pixfw# show interface
interface ethernet0 "outside" is up, line protocol is up
 Hardware is i82559 ethernet, address is 0009.e89c.fdaa
 IP address 97.158.253.25, subnet mask 255.255.255.248
 MTU 1500 bytes, BW 10000 Kbit half duplex
       5776596 packets input, 569192486 bytes, 0 no buffer
       Received 5315835 broadcasts, 0 runts, 0 giants
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       435752 packets output, 74618166 bytes, 0 underruns
       0 output errors, 3988 collisions, 0 interface resets
       0 babbles, 0 late collisions, 6978 deferred
       2 lost carrier, 0 no carrier
       input queue (curr/max blocks): hardware (128/128) (0/77)
       output queue (curr/max blocks): hardware (0/53) software (0/1)
...
...
pixfw#

Your basic physical connectivity should be OK if the interfaces are seen as being in an "up" state with line protocol being "up". If line protocol is down, you probably have your PIX incorrectly cabled to the Internet or your home network.

If the interfaces are seen as "administratively down", then the PIX configuration will most likely have the interfaces configured as being "shutdown" like this:

interface ethernet0 10baset shutdown

This can be easily corrected. First use the "write terminal" command to confirm the shutdown state. Then you should enter "config" mode and reenter the "interface" command without the word "shutdown" at the end.

pixfw(config)# interface ethernet0 10baset

The "show interface" output is also important because it confirms that the correct IP addresses are assigned to your interfaces and shows the amount of traffic and the error counters for each. Ordinary collisions are normal on a half duplex link, but growing CRC error or late collision counts usually point to a duplex mismatch or a bad cable.

The "show xlate" Command

This command shows whether the PIX is creating NAT translations. Double check your configuration if there are no translations immediately after trying to access the Internet. NAT failure could also be due to bad cabling, which prevents Internet bound traffic from reaching the PIX at all. Each PAT line below shows the inside address and source port on the right, and the public address and port it was translated to on the left:

pixfw# sh xlate
3 in use, 463 most used
PAT Global 97.158.253.25(38448) Local 192.168.1.105(3367)
PAT Global 97.158.253.25(25838) Local 192.168.1.105(2971)
PAT Global 97.158.253.25(26306) Local 192.168.1.105(3610)
pixfw#


Using syslog

Syslog is a very good way to troubleshoot access control lists (ACLs), and also to see what kinds of access people are attempting against your site: every connection the inbound ACL denies is logged with the source address, destination port and ACL name. The Ch05 Troubleshooting Linux with syslog chapter explains how to configure a Linux server as a centralized syslog server. The appendix has sample syslog configurations for the PIX.
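Once the PIX is logging to a Linux syslog server, the deny messages from the inbound ACL are the quickest way to see both ACL mistakes (your own traffic being denied) and what outsiders are probing. The following is an added example, not code from the original page, of a small parser for the PIX %PIX-4-106023 ACL deny message that counts denied destination ports, ranks source addresses, and flags any source that hit several different ports as a likely port scan. The log lines are constructed for this example, not captured from a real firewall, and the parse_denies() and summarize_denies() helpers are assumptions of the example; other message types, such as the 302013 "Built ... connection" line included in the sample, are ignored.

```python
import re
from collections import Counter, defaultdict

# Constructed PIX syslog lines: five ACL denies, one accepted connection and one
# more deny. They are made up for this example and were not captured from a device.
SAMPLE_SYSLOG = """\
Jan 14 22:03:11 pixfw %PIX-4-106023: Deny tcp src outside:203.0.113.7/4432 dst inside:192.168.1.100/23 by access-group "inbound"
Jan 14 22:03:12 pixfw %PIX-4-106023: Deny tcp src outside:203.0.113.7/4433 dst inside:192.168.1.100/22 by access-group "inbound"
Jan 14 22:03:12 pixfw %PIX-4-106023: Deny tcp src outside:203.0.113.7/4434 dst inside:192.168.1.100/25 by access-group "inbound"
Jan 14 22:03:13 pixfw %PIX-4-106023: Deny tcp src outside:203.0.113.7/4435 dst inside:192.168.1.100/110 by access-group "inbound"
Jan 14 22:03:40 pixfw %PIX-4-106023: Deny udp src outside:198.51.100.9/53 dst inside:192.168.1.100/1434 by access-group "inbound"
Jan 14 22:04:02 pixfw %PIX-6-302013: Built inbound TCP connection 2711 for outside:198.51.100.22/51200 (198.51.100.22/51200) to inside:192.168.1.100/80 (97.158.253.26/80)
Jan 14 22:04:05 pixfw %PIX-4-106023: Deny tcp src outside:198.51.100.22/51201 dst inside:192.168.1.100/443 by access-group "inbound"
"""

# %PIX-4-106023: Deny PROTO src IF:ADDR/PORT dst IF:ADDR/PORT by access-group "NAME"
DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "?(?P<acl>[^\s"]+)'
)


def parse_denies(text):
    """Yield one dict per 106023 deny line; all other messages are ignored."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m.groupdict()


def summarize_denies(text, scan_threshold=3):
    """Summarize ACL denies: counts per (proto, port), top sources, likely scanners.

    A source that was denied on scan_threshold or more distinct destination
    ports is reported as a scanner.
    """
    denies = list(parse_denies(text))
    by_port = Counter((d["proto"], int(d["dport"])) for d in denies)
    top_sources = Counter(d["src"] for d in denies).most_common(3)
    ports_per_src = defaultdict(set)
    for d in denies:
        ports_per_src[d["src"]].add(int(d["dport"]))
    scanners = sorted(src for src, ports in ports_per_src.items() if len(ports) >= scan_threshold)
    return {"total": len(denies), "by_port": by_port,
            "top_sources": top_sources, "scanners": scanners}


if __name__ == "__main__":
    summary = summarize_denies(SAMPLE_SYSLOG)
    print(f"{summary['total']} denied connections")
    for (proto, port), count in sorted(summary["by_port"].items()):
        print(f"  {proto}/{port}: {count}")
    print("top sources:", summary["top_sources"])
    print("likely port scans from:", summary["scanners"])
```

Point it at /var/log/messages on the syslog server (or at the PIX log file your syslog configuration writes) and look at the by_port counts first: a denied port that you expected to be open usually means the static and the access-list entry do not agree, which is the most common mistake when setting up the forwards described earlier on this page.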

Other Things To Check

Always make sure your PIX has a:

  • correct default route. The default route is the one with all zeros (0.0.0.0 0.0.0.0); on the outside interface its next hop must be the ISP's gateway.
pixfw# show route
       outside 0.0.0.0 0.0.0.0 97.158.253.30 1 DHCP static
       outside 12.210.24.0 255.255.252.0 12.210.27.161 1 CONNECT static
       inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
pixfw#
  • default gateway that you can "ping". In the case above the gateway is 97.158.253.30.