
PIX Firewall

© 2002, Cisco Systems, Inc. CSPFA 2.1—3-1


What Is a Firewall?

A firewall is a system or group of systems that manages access between two networks.
Firewall Technologies

Firewall operations are based on one of three technologies:
• Packet filtering
• Proxy server
• Stateful packet filtering
Packet Filtering

Limits information into a network based on destination and source address. (Figure: the packet filter is shown as an ACL on the firewall.)
Proxy Server

Requests connections between a client on the inside of the firewall and the outside.
Stateful Packet Filtering

Limits information into a network based not only on destination and source address, but also on packet data content.
PIX Firewall—What Is It?

• Stateful firewall with high security and fast performance
• Adaptive Security Algorithm provides stateful security
• Cut-through proxy eliminates application-layer bottlenecks
• Secure, real-time, embedded operating system
Adaptive Security Algorithm

• Provides “stateful” connection control through the PIX Firewall
• Tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags
• TCP sequence numbers are randomized to minimize the risk of attack
• Tracks UDP and TCP session state
• Connections allowed out also allow the return flow of the same session back in (TCP ACK bit)
ASA Security Level Example

The example PIX Firewall has three interfaces:
• e0, outside network (Internet): security level 0, interface name = outside
• e1, inside network: security level 100, interface name = inside
• e2, perimeter network: security level 50, interface name = pix/intf2
Cut-Through Proxy Operation

1. The user (internal or external) makes a request to an IS resource.
2. The PIX Firewall intercepts the connection.
3. The PIX Firewall prompts the user for a username and password, authenticates the user, and checks the security policy on a RADIUS or TACACS+ server (Cisco Secure). (Figure: browser dialog “Username and Password Required”, “Enter username for CCO at www.com”, User Name: student, Password: 123@456, OK / Cancel.)
4. The PIX Firewall initiates a connection from the PIX Firewall to the destination IS resource.
5. The PIX Firewall directly connects the internal or external user to the IS resource via ASA.

The user authenticates once at the application layer (OSI Layer 7) for each supported service. The connection is then passed back to the PIX Firewall high-performance ASA engine, while maintaining session state.
Stateful Failover

(Figure: two PIX Firewalls joined by a failover cable. Primary PIX Firewall: e0 .2 on 192.168.0.0/24, e1 .1 on 10.0.0.0/24, e2 .1 on 172.16.0.0/24 (DMZ), e3 .1 on 172.17.0.0/24. Secondary PIX Firewall: e0 .7, e1 .7, e2 .7 and e3 .7 on the same networks. The perimeter router is .1 on 192.168.0.0/24; beyond it are the Internet and the backbone, web, FTP, and TFTP server at .50 on 172.26.26.0/24. Inside host .3 on 10.0.0.0/24, DMZ host .2 on 172.16.0.0/24.)
Summary

• There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering.
• The PIX Firewall features include: secure operating system, Adaptive Security Algorithm, cut-through proxy, stateful failover, and stateful packet filtering.
PIX Command Line Interface



Access Modes

The PIX Firewall has four administrative access modes:
• Unprivileged mode
• Privileged mode
• Configuration mode
• Monitor mode
enable Command

pixfirewall> enable
• Enables you to enter different access modes

pixfirewall> enable
password:
pixfirewall# configure terminal
pixfirewall(config)#
pixfirewall(config)# exit
pixfirewall#
enable password and passwd Commands

pixfirewall# enable password password
• The enable password command is used to control access to the privileged mode.

pixfirewall# passwd password
• The passwd command is used to set a Telnet password.
hostname and ping Commands

pixfirewall(config)# hostname newname
• The hostname command sets the firewall's host name, which appears in the prompt.

pixfirewall(config)# hostname proteus
proteus(config)# hostname pixfirewall
pixfirewall(config)#

pixfirewall(config)# ping [if_name] ip_address
• The ping command tests reachability of an IP address, optionally from a named interface.

pixfirewall(config)# ping 10.0.0.3
10.0.0.3 response received -- 0Ms
10.0.0.3 response received -- 0Ms
10.0.0.3 response received -- 0Ms
write Commands

The following are the write commands:
• write net
• write erase
• write floppy
• write memory
• write standby
• write terminal
show Commands

The following are show commands:
• show history
• show memory
• show version
• show ?
• show xlate
• show cpu usage
• show interface
• show ip address
PIX Configuration Commands



Six Primary Configuration Commands

• nameif
• interface
• ip address
• nat
• global
• route
nameif command

pixfirewall(config)# nameif hardware_id if_name security_level
• The nameif command assigns a name to each interface on the PIX Firewall and specifies its security level.

pixfirewall(config)# nameif ethernet2 dmz sec50
interface command

pixfirewall(config)# interface hardware_id hardware_speed
• The interface command configures the speed and duplex.

pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full
• The outside and inside interfaces are set for 100 Mbps Ethernet full-duplex communication.
ip address command

pixfirewall(config)# ip address if_name ip_address [netmask]
• The ip address command assigns an IP address to each interface.

pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
PIX Firewall Translations



Sessions in an IP World

In an IP world, a network session is a transaction between two end systems. It is carried out over two transport layer protocols:
• TCP (Transmission Control Protocol)
• UDP (User Datagram Protocol)
TCP

• TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol.
• TCP features
– Sequencing and acknowledgement of data
– A defined state machine (open connection, data flow, retransmit, close connection)
– Congestion management and avoidance mechanisms
TCP Initialization—Inside to Outside

(Figure: inside host 10.0.0.3 on the private network, PIX Firewall, outside host 172.30.0.50 on the public network. The inside host's address is translated to 192.168.0.20.)

Packet #1 (private network, 10.0.0.3 to PIX): Source addr 10.0.0.3, Destination addr 172.30.0.50, Source port 1026, Destination port 23, Initial sequence # 49091, Ack none, Flag Syn, no data.
The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created and the embryonic connection counter is started.
Packet #2 (public network, PIX to 172.30.0.50): Source addr 192.168.0.20, Destination addr 172.30.0.50, Source port 1026, Destination port 23, Initial sequence # 49769 (the randomized value), Flag Syn.

Packet #3 (public network, 172.30.0.50 to PIX): Source addr 172.30.0.50, Destination addr 192.168.0.20, Source port 23, Destination port 1026, Sequence # 92513, Ack 49770, Flag Syn-Ack.
The PIX Firewall follows the Adaptive Security Algorithm:
• (Src IP, Src Port, Dest IP, Dest Port) check
• Sequence number check
• Translation check
If the code bit is not Syn-Ack, the PIX drops the packet.
Packet #4 (private network, PIX to 10.0.0.3): Source addr 172.30.0.50, Destination addr 10.0.0.3, Source port 23, Destination port 1026, Sequence # 92513, Ack 49092, Flag Syn-Ack.

TCP Initialization—Inside to Outside (cont.)

Packet #5 (private network, 10.0.0.3 to PIX): Source addr 10.0.0.3, Destination addr 172.30.0.50, Source port 1026, Destination port 23, Sequence # 49092, Ack 92514, Flag Ack.
The PIX Firewall resets the embryonic counter for this client, then increments the connection counter for this host.
Packet #6 (public network, PIX to 172.30.0.50): Source addr 192.168.0.20, Destination addr 172.30.0.50, Source port 1026, Destination port 23, Sequence # 49770, Ack 92514, Flag Ack.
Data flows, strictly following the Adaptive Security Algorithm.
UDP

• Connectionless protocol
• Efficient protocol for some services
• Resourceful but difficult to secure

UDP (cont.)

(Figure: inside host 10.0.0.3 on the private network, PIX Firewall, outside host 172.30.0.50 on the public network; 10.0.0.3 is translated to 192.168.0.20.)

Packet #1 (private network, 10.0.0.3 to PIX): Source addr 10.0.0.3, Destination addr 172.30.0.50, Source port 1028, Destination port 45000.
The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
Packet #2 (public network, PIX to 172.30.0.50): Source addr 192.168.0.20, Destination addr 172.30.0.50, Source port 1028, Destination port 45000.

Packet #3 (public network, 172.30.0.50 to PIX): Source addr 172.30.0.50, Destination addr 192.168.0.20, Source port 45000, Destination port 1028.
All UDP responses must arrive from the outside within the user-configurable UDP timeout (default = 2 minutes). The PIX Firewall follows the Adaptive Security Algorithm:
• (Src IP, Src Port, Dest IP, Dest Port) check
• Translation check
Packet #4 (private network, PIX to 10.0.0.3): Source addr 172.30.0.50, Destination addr 10.0.0.3, Source port 45000, Destination port 1028.
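The six packets of the TCP slides and the UDP exchange above, replayed through a small Python model of the PIX connection table. This is an added example, not Cisco code and not part of the course material: the class AdaptiveSecurity, the packet dictionaries, the fixed translation of 10.0.0.3 to 192.168.0.20 and the constant sequence-number offset are assumptions of the model (the offset is chosen so that the model reproduces the slide's 49091/49769 numbers; a real PIX picks its own randomised value per connection).

```python
from dataclasses import dataclass

UDP_TIMEOUT = 120                       # seconds; PIX default UDP idle timeout is 2 minutes
SEQ_OFFSET = 49769 - 49091              # assumption: fixed offset reproducing the slide's ISNs
XLATE = {"10.0.0.3": "192.168.0.20"}    # local -> global, as on the slide

@dataclass
class Conn:
    proto: str
    local_ip: str
    state: str                # tcp: "embryonic" then "established"; udp: "open"
    isn_local: int = 0        # inside host's initial sequence number (tcp only)
    last_seen: float = 0.0

class AdaptiveSecurity:
    """Hypothetical model of the PIX ASA connection table (added example, not PIX code)."""

    def __init__(self):
        self.conns = {}       # (proto, global ip, local port, remote ip, remote port) -> Conn
        self.embryonic = 0    # embryonic (SYN-only) connection counter
        self.connections = 0  # completed connection counter

    def outbound(self, pkt, now=0.0):
        """Packet from the inside: returns the translated packet, or None to drop it."""
        gip = XLATE.get(pkt["src"])
        if gip is None:
            return None                                   # translation check failed
        key = (pkt["proto"], gip, pkt["sport"], pkt["dst"], pkt["dport"])
        conn = self.conns.get(key)
        out = dict(pkt, src=gip)
        if pkt["proto"] == "tcp":
            if conn is None:
                if pkt["flags"] != {"syn"}:
                    return None                           # no slot and not a SYN: drop
                conn = Conn("tcp", pkt["src"], "embryonic", isn_local=pkt["seq"])
                self.conns[key] = conn
                self.embryonic += 1                       # start the embryonic counter
            elif conn.state == "embryonic" and pkt["flags"] == {"ack"}:
                conn.state = "established"
                self.embryonic -= 1                       # reset embryonic counter for this client
                self.connections += 1                     # increment the connection counter
            out["seq"] = pkt["seq"] + SEQ_OFFSET          # randomised sequence number
        elif conn is None:
            conn = Conn("udp", pkt["src"], "open")
            self.conns[key] = conn
        conn.last_seen = now
        return out

    def inbound(self, pkt, now=0.0):
        """Packet from the outside: returns the untranslated packet, or None to drop it."""
        key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        conn = self.conns.get(key)
        if conn is None:
            return None                                   # (src ip, src port, dst ip, dst port) check failed
        if pkt["proto"] == "udp":
            if now - conn.last_seen > UDP_TIMEOUT:
                del self.conns[key]                       # slot timed out; the late reply is dropped
                return None
        elif conn.state == "embryonic":
            if pkt["flags"] != {"syn", "ack"}:
                return None                               # code bit is not SYN-ACK: drop
            if pkt["ack"] != conn.isn_local + SEQ_OFFSET + 1:
                return None                               # sequence number check failed
        conn.last_seen = now
        out = dict(pkt, dst=conn.local_ip)
        if "ack" in pkt:
            out["ack"] = pkt["ack"] - SEQ_OFFSET          # undo the randomisation for the inside host
        return out

def run_slide_example():
    """Replay packets #1-#6 of the TCP slides and the UDP exchange; return the key values."""
    asa = AdaptiveSecurity()
    tcp = {"proto": "tcp", "sport": 1026, "dport": 23}
    p2 = asa.outbound(dict(tcp, src="10.0.0.3", dst="172.30.0.50", seq=49091, flags={"syn"}))
    p4 = asa.inbound(dict(tcp, src="172.30.0.50", dst="192.168.0.20", sport=23, dport=1026,
                          seq=92513, ack=49770, flags={"syn", "ack"}))
    p6 = asa.outbound(dict(tcp, src="10.0.0.3", dst="172.30.0.50", seq=49092, ack=92514,
                           flags={"ack"}))
    udp = {"proto": "udp", "src": "10.0.0.3", "dst": "172.30.0.50", "sport": 1028, "dport": 45000}
    asa.outbound(udp, now=0)
    reply = {"proto": "udp", "src": "172.30.0.50", "dst": "192.168.0.20", "sport": 45000, "dport": 1028}
    in_time = asa.inbound(reply, now=60)
    too_late = asa.inbound(reply, now=60 + UDP_TIMEOUT + 1)
    return {"p2_seq": p2["seq"], "p4_ack": p4["ack"], "p6_seq": p6["seq"],
            "embryonic": asa.embryonic, "connections": asa.connections,
            "udp_reply_to": in_time["dst"], "udp_late_dropped": too_late is None}

if __name__ == "__main__":
    print(run_slide_example())
```

Running the file replays the slide: packet #2 leaves with sequence number 49769, the SYN-ACK is accepted only because its acknowledgement number is the translated ISN plus one, packet #4 reaches the inside host acknowledging 49092, and after packet #5 the embryonic counter is back to zero with one completed connection. A UDP reply that arrives after the two-minute idle timeout finds no slot and is dropped.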
Static Translations

(Figure: Internet, perimeter router 192.168.0.1, PIX Firewall with outside address 192.168.0.2 and inside address 10.0.0.1, DNS server 10.0.0.10 on the inside.)

pixfirewall(config)# static (inside, outside) 192.168.0.18 10.0.0.10
• Packet from 10.0.0.10 has source address of 192.168.0.18
• Permanently maps a single IP address
• Recommended for internal service hosts like a DNS server
Dynamic Translations

• Configures dynamic translations
– nat (inside) 1 0.0.0.0 0.0.0.0
– global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

(Figure: Internet, perimeter router 192.168.0.1, PIX Firewall with outside address 192.168.0.2 and inside address 10.0.0.1, inside host 10.0.0.3; global pool 192.168.0.20-192.168.0.254.)
Connections vs. Translations

• Translations—xlate
– IP address to IP address translation
– 65,536 translations supported
• Connections—conns
– TCP or UDP sessions
xlate Command

pixfirewall(config)# clear xlate [global_ip [local_ip]]
• The clear xlate command clears the contents of the translation slots.
Summary

• The PIX Firewall manages the TCP and UDP protocols through the use of a translation table.
• Static translations assign a permanent IP address to an inside host. Mapping between local and global addresses is done dynamically with the nat command.
• Dynamic translations use NAT for local clients and their outbound connections and hide the client address from others on the Internet.
NAT terminology when using the PIX

– An inside (or local) network is the network from which we translate addresses (local addresses).
– An outside (or global) network is the network to which we translate local addresses, which become global addresses.
– A translation is a one-to-one mapped pair of (local, global) IP addresses.
– A translation slot (xlate slot) is a software structure inside PIX/OS used to describe an active translation.
– A connection slot is a software structure inside PIX/OS describing an active connection (many connection slots can be bound to one translation slot).
– The translation table (xlate table) is the software structure inside PIX/OS containing all active translation and connection slot objects.
NAT Example

Inside packet: Source addr 10.0.0.3, Destination addr 200.200.200.10, Source port 49090, Destination port 23
Outside packet: Source addr 192.168.0.20, Destination addr 200.200.200.10, Source port 49090, Destination port 23

Translation table (inside local IP address → global IP pool):
10.0.0.3 → 192.168.0.20
10.0.0.4 → 192.168.0.21
nat command

pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]
• The nat command defines which addresses can be translated.

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
global command

pixfirewall(config)# global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
• Works with the nat command to assign a registered or public IP address to an internal host with the same nat_id.

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
• When internal hosts access the outside network through the firewall, they are assigned addresses from the 192.168.0.20–192.168.0.254 range.
Two Interfaces with NAT (Multiple Internal Networks)

(Figure: Internet and pod perimeter router .1 on 192.168.0.0/24; PIX Firewall e0 outside .2, security level 0; e1 inside .1 on 10.0.0.0/24, security level 100; second internal network 10.1.0.0/24; backbone, web, FTP, and TFTP server 172.26.26.50.)

pixfirewall(config)# nat(inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.1.0.0 255.255.255.0
pixfirewall(config)# global(outside) 1 192.168.0.1-192.168.0.14 netmask 255.255.255.240
pixfirewall(config)# global(outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.240

• Use separate nat_id’s to assign different global address pools.
• The mask used in the nat and global commands is not a mask for host ranges but the mask for each address.
Three Interfaces with NAT

(Figure: Internet and pod perimeter router .1 on 192.168.0.0/24; PIX Firewall e0 outside .2, security level 0; e2 dmz .1 on 172.16.0.0/24, security level 50, with bastion host .2 (web and FTP server); e1 inside .1 on 10.0.0.0/24, security level 100, with inside host .3 (web and FTP server); backbone, web, FTP, and TFTP server 172.26.26.50.)

pixfirewall(config)# nat(inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global(dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
• Inside users can start outbound connections to both the DMZ and the Internet.
• DMZ users can start outbound connections to the Internet.
Port Address Translation

PAT global address: 192.168.0.15

Host 10.0.0.2, inside to outside:
Source addr 10.0.0.2 → 192.168.0.15
Destination addr 172.30.0.50 → 172.30.0.50
Source port 49090 → 2000
Destination port 23 → 23

Host 10.0.0.3, inside to outside:
Source addr 10.0.0.3 → 192.168.0.15
Destination addr 172.30.0.50 → 172.30.0.50
Source port 49090 → 2001
Destination port 23 → 23
PAT Example
pixfirewall(config)# ip address (inside) 10.0.0.1
255.255.255.0
pixfirewall(config)# ip address (outside) 192.168.0.2
255.255.255.0
pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0
192.168.0.1
Perimeter router
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.9 netmask
192.168.0.1
255.255.255.0
192.168.0.2
PIX Firewall Bastion host • Assign a single IP address (192.168.0.9) as a
global pool
10.0.0.1 172.16.0.2
• Source addresses of hosts in network
Engineering Sales 10.0.0.0 are translated to 192.168.0.9 for
outgoing access
10.0.1.0 10.0.2.0 • Source port changes to a unique number
greater than 1024

Information systems
PAT Using Outside Interface Address

(Figure: perimeter router 192.168.0.1; PIX Firewall with outside address 192.168.0.2 and inside address 10.0.0.1; bastion host 172.16.0.2; internal networks Engineering 10.0.1.0, Sales 10.0.2.0, and Information systems.)

pixfirewall(config)# ip address (inside) 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address (outside) 192.168.0.2 255.255.255.0
pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 interface
• Use the interface option to enable use of the outside interface IP address as the PAT address.
• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.2 for outgoing access.
• The source port is changed to a unique number greater than 1024.
Augmenting a Global Pool with PAT

(Figure: same topology as the PAT example: perimeter router 192.168.0.1; PIX Firewall with outside address 192.168.0.2 and inside address 10.0.0.1; bastion host 172.16.0.2; Engineering 10.0.1.0, Sales 10.0.2.0, Information systems 10.0.0.0.)

pixfirewall(config)# ip address (inside) 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address (outside) 192.168.0.2 255.255.255.0
pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.19 netmask 255.255.255.0
• When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20-192.168.0.254 range.
• When the addresses from the global pool are exhausted, PAT begins.
• Make sure the PAT address is not part of the global pool.
route

pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]
• The route command defines a static or default route for an interface.

pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
Other Configuration Commands

• static
• conduit
• name
• fixup protocol
Statics and Conduits

• The static and conduit commands allow connections from a lower security interface to a higher security interface.
• The static command is used to create a permanent mapping between an inside IP address and a global IP address.
• The conduit command is an exception in the ASA’s inbound security policy for a given host.

(Figure: Outside, security 0; Inside, security 100.)
static Command

pixfirewall(config)# static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]
• Maps a local IP address to a global IP address

(Figure: perimeter router 192.168.0.1; PIX Firewall with outside address 192.168.0.2 and inside address 10.0.0.1; inside host 10.0.0.3.)

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.3 netmask 255.255.255.255 0 1000
• Packet sent from 10.0.0.3 has a source address of 192.168.0.10
• Permanently maps a single IP address (external access)
• Recommended for internal service hosts
conduit Command

pixfirewall(config)# conduit permit|deny protocol global_ip global_mask [operator port[port]] foreign_ip foreign_mask [operator port[port]]
• A conduit maps a specific IP address and TCP/UDP connection from the outside host to the inside host.

(Figure: perimeter router 192.168.0.1; PIX Firewall with outside address 192.168.0.2 and inside address 10.0.0.1; inside host 10.0.0.3.)

pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq ftp any
• The conduit statement is backwards from an ACL: the global (destination) address comes first and the foreign (source) address last.
Port Redirection

pixfirewall(config)# static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global-port local_ip local-port [netmask mask] [max_conns [emb_limit [norandomseq]]]
• Allows outside users to connect to a particular IP address or port and have the PIX redirect traffic to the appropriate inside server.

pixfirewall(config)# static (inside,outside) tcp 192.168.0.9 8080 172.16.0.2 www netmask 255.255.255.255 0 0
• The external user directs an HTTP port 8080 request to the PIX Firewall PAT address, 192.168.0.9. The PIX Firewall redirects this request to host 172.16.0.2 port 80.

(Figure: a request to http://192.168.0.9:8080 from the outside is delivered to the web server as http://172.16.0.2:80.)
Conduit Example

(Figure: Internet; PIX Firewall e0 .2 on 192.168.0.0/24, e2 .1 on 172.16.0.0/24 with bastion host .2, e1 .1 on 10.0.0.0/24.)

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any
Another Conduit Example

(Figure: Internet; PIX Firewall e0 .2 on 192.168.0.0/24, e2 .1 on 172.16.0.0/24 (DMZ) with bastion host .2, e3 .1 on 172.18.0.0/24 (partnernet), e1 .1 on 10.0.0.0/24.)

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec40
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# ip address partnernet 172.18.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any
pixfirewall(config)# static (dmz,partnernet) 172.18.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 172.18.0.11 eq http any
Fixup Protocol Command

The PIX has a protocol fixup feature to recognize applications running on non-standard ports:

fixup protocol <protocol> <port>[-<port>]

NAT uses the fixup information for badly behaved protocols to handle those connections properly.

fixup protocol ftp 2021
fixup protocol sqlnet 1600
Attack Guards

The PIX has special handling for DNS and SMTP using the fixup protocol command:

fixup protocol DNS <port>[-<port>]
fixup protocol SMTP <port>[-<port>]

DNS will only allow one response back to a query.
SMTP will only allow RFC 821 specified commands such as HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.
Defending against denial-of-service attacks

The PIX can defend against inbound SYN-flooding (excess connection requests) attacks with the option for a maximum number of embryonic (SYN only) connections per translation slot:

static (int_if_name, out_if_name) global_ip local_ip [max_conn [max_embr]] [norandomseq]
AAA and SYN Floodguards

AAA Floodguard protects against DoS attacks of authorization requests. It is enabled by default.

floodguard enable | disable

SYN Floodguard protects against DoS half-open connection attacks.

nat (inside) 1 0 0 [max_conns [em_limit]]
static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255 [max_conns [em_limit]]

max_conns is the maximum connections permitted to hosts accessed from local_ip.
em_limit is the maximum embryonic connections permitted to hosts accessed from local_ip.
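A per-translation-slot counter enforcing max_conns and em_limit as the two slides above describe them: a SYN arriving for the protected host is refused once the embryonic limit is reached, and the count drops again when a handshake completes or the half-open entry times out. This is an added example, not PIX code; SlotLimits and syn_flood are hypothetical names, the traffic in syn_flood is constructed from the 203.0.113.0/24 documentation range, and counting half-open connections toward max_conns is an assumption of the model.

```python
class SlotLimits:
    """Per-translation-slot counters for max_conns / em_limit (added example, not PIX code)."""

    def __init__(self, max_conns=0, em_limit=0):
        self.max_conns = max_conns   # 0 = unlimited, as in the slide's "... 0 1000" example
        self.em_limit = em_limit     # 0 = unlimited
        self.half_open = set()       # (client ip, client port) whose handshake is not yet complete
        self.established = 0

    def syn(self, client):
        """Inbound SYN for this slot's host: True if a new embryonic connection is accepted."""
        if self.em_limit and len(self.half_open) >= self.em_limit:
            return False             # SYN Floodguard: embryonic limit reached, SYN refused
        if self.max_conns and self.established + len(self.half_open) >= self.max_conns:
            return False             # max_conns reached (half-open counted: model assumption)
        self.half_open.add(client)
        return True

    def handshake_complete(self, client):
        """Final ACK seen: the connection moves from embryonic to established."""
        if client not in self.half_open:
            return False
        self.half_open.remove(client)
        self.established += 1
        return True

    def embryonic_timeout(self, client):
        """The handshake never completed: free the half-open entry."""
        self.half_open.discard(client)

    def close(self):
        """An established connection ended."""
        self.established = max(0, self.established - 1)

def syn_flood(limits, count):
    """Constructed test traffic: `count` SYNs from distinct (address, port) pairs in
    203.0.113.0/24, a documentation range. Returns how many SYNs the slot accepted."""
    return sum(limits.syn(("203.0.113.%d" % (i % 250 + 1), 40000 + i)) for i in range(count))
```

With em_limit set to 3, ten SYNs from different clients leave three half-open entries and seven refusals; completing one handshake frees one embryonic entry, so exactly one more SYN is accepted. With em_limit 0 (the slide's "0 1000" example leaves max_conns unlimited in the same way) nothing is refused, which is the point of setting the limit on a static that exposes a server.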
Summary

• The PIX Firewall has four administrative access modes: unprivileged, privileged, configuration, and monitor.
• Interfaces with a higher security level can access interfaces with a lower security level, while interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.
• The primary commands necessary to configure the PIX Firewall are the following: nameif, interface, ip address, nat, global, static, conduit, and route.
Summary (continued)

• The nat and global commands work together to hide internal IP addresses.
• The nat 0 command allows an address to go out of the PIX untranslated while providing ASA security features for inbound requests.
• The static and conduit commands work together to provide access through the PIX.
• The PIX Firewall supports port redirection and has advanced protocol handling features.
• The PIX Firewall has DoS attack guards and Floodguards.
Configuring Failover



Failover

(Figure: primary PIX Firewall and secondary PIX Firewall, both connected to the Internet and joined by a failover cable.)

The primary and secondary units must:
• be the same model number.
• have identical software versions and activation key types.
• have the same amount of Flash memory and RAM.
IP Address for Failover on PIX Firewalls

(Figure: Primary PIX Firewall (active/standby, system IP/failover IP): e0 .2 on 192.168.0.0/24 toward the Internet router at .1, e1 .1 on 10.0.0.0/24 with inside host .3. Secondary PIX Firewall (standby/active, failover IP/system IP): e0 .7 on 192.168.0.0/24, e1 .7 on 10.0.0.0/24.)
Configuration Replication

Configuration replication occurs:
• When the standby firewall completes its initial bootup.
• As commands are entered on the active firewall.
• By entering the write standby command.
Failover and Stateful Failover

• Failover
– Connections are dropped.
– Client applications must reconnect.
– Provides redundancy.
• Stateful failover
– Connections remain active.
– No client applications need to reconnect.
– Provides redundancy and stateful connection.
failover Commands

pixfirewall(config)# failover
• The failover command enables failover between the active and standby PIX Firewalls.

pixfirewall(config)# failover ip address if_name ip_address
• The failover ip address command creates an IP address for the standby PIX Firewall.

pixfirewall# failover ip address inside 10.0.0.4

pixfirewall(config)# failover link [stateful_if_name]
• The failover link command enables stateful failover.

pixfirewall(config)# failover [active]
• The failover active command makes a PIX Firewall the primary firewall.
failover poll Command

pixfirewall(config)# failover poll seconds
• Specifies how long failover waits before sending special failover “hello” packets between the primary and standby units over all network interfaces and the failover cable.

pixfirewall(config)# failover poll 10
• Failover waits ten seconds before sending special failover “hello” packets.
show failover Command

Before failover:

pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
This host: Primary - Active
Active time: 360 (sec)
Interface dmz (172.16.0.1): Normal
Interface outside (192.168.0.2): Normal
Interface inside (10.0.0.1): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface dmz (172.16.0.4): Normal
Interface outside (192.168.0.4): Normal
Interface inside (10.0.0.4): Normal

Stateful Failover Logical Update Statistics
Link : dmz

After failover:

pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
This host: Primary - Standby
Active time: 0 (sec)
Interface dmz (172.16.0.4): Normal
Interface outside (192.168.0.4): Normal
Interface inside (10.0.0.4): Normal
Other host: Secondary - Active
Active time: 150 (sec)
Interface dmz (172.16.0.1): Normal
Interface outside (192.168.0.2): Normal
Interface inside (10.0.0.1): Normal

Stateful Failover Logical Update Statistics
Link : dmz
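The show failover listing above, parsed by a script of the kind a monitoring job would run to notice that the primary unit is no longer active, that failover is off, or that an interface has left the Normal state. This is an added example and not Cisco code; parse_show_failover and failover_alerts are hypothetical names, and the sample text is the slide's "After failover" listing, embedded here as constructed input.

```python
import re

# Constructed sample: the "After failover" listing from the slide.
SAMPLE_AFTER_FAILOVER = """\
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
This host: Primary - Standby
Active time: 0 (sec)
Interface dmz (172.16.0.4): Normal
Interface outside (192.168.0.4): Normal
Interface inside (10.0.0.4): Normal
Other host: Secondary - Active
Active time: 150 (sec)
Interface dmz (172.16.0.1): Normal
Interface outside (192.168.0.2): Normal
Interface inside (10.0.0.1): Normal

Stateful Failover Logical Update Statistics
Link : dmz
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (\w+)$")
ACTIVE_RE = re.compile(r"^Active time: (\d+) \(sec\)$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+)$")
LINK_RE = re.compile(r"^Link : (\S+)$")

def parse_show_failover(text):
    """Turn 'show failover' output into a dict (hypothetical helper, added example)."""
    state = {"failover_on": False, "cable": None, "stateful_link": None, "hosts": []}
    current = None                      # the host block currently being filled in
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover "):
            state["failover_on"] = line.split()[1] == "On"
            continue
        if line.startswith("Cable status:"):
            state["cable"] = line.split(":", 1)[1].strip()
            continue
        m = HOST_RE.match(line)
        if m:
            current = {"which": m.group(1).lower(), "unit": m.group(2),
                       "role": m.group(3), "active_time": 0, "interfaces": {}}
            state["hosts"].append(current)
            continue
        m = ACTIVE_RE.match(line)
        if m and current is not None:
            current["active_time"] = int(m.group(1))
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current["interfaces"][m.group(1)] = {"ip": m.group(2), "status": m.group(3)}
            continue
        m = LINK_RE.match(line)
        if m:
            state["stateful_link"] = m.group(1)
    return state

def failover_alerts(state):
    """Conditions an operator would want to be told about, as short strings."""
    alerts = []
    if not state["failover_on"]:
        alerts.append("failover is off")
    if state["cable"] != "Normal":
        alerts.append("cable status: %s" % state["cable"])
    for host in state["hosts"]:
        if host["unit"] == "Primary" and host["role"] != "Active":
            alerts.append("primary unit is %s: a failover has occurred" % host["role"].lower())
        for name, iface in host["interfaces"].items():
            if iface["status"] != "Normal":
                alerts.append("%s interface %s is %s" % (host["unit"], name, iface["status"]))
    return alerts

if __name__ == "__main__":
    for alert in failover_alerts(parse_show_failover(SAMPLE_AFTER_FAILOVER)):
        print(alert)
```

On the "After failover" listing the only alert is that the primary unit is standby; on the "Before failover" listing the same code returns no alerts, and a listing in which an interface reports anything other than Normal names that interface and unit.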
Summary

• The primary and secondary PIX Firewalls are the two firewalls used for failover. The primary PIX Firewall is usually active, while the secondary PIX Firewall is usually standby, but during failover the primary PIX Firewall goes on standby while the secondary becomes active.
• The configuration of the primary PIX Firewall is replicated to the secondary PIX Firewall during configuration replication.
• During failover, connections are dropped, while during stateful failover, connections remain active.
Access Control Configuration and Content Filtering

Access Control List
• An ACL enables you to determine what traffic
will be allowed or denied through the PIX
Firewall.
• ACLs are applied per interface (traffic is
analyzed inbound relative to an interface).
• The access-list and access-group commands are
used to create an ACL.
• The access-list and access-group commands are
an alternative for the conduit and outbound
commands.
ACL Usage Guidelines
• Higher to lower security level
– Use an ACL to restrict outbound traffic.
– The ACL source address is the actual (un-
translated) address of the host or network.
• Lower to higher security level
– Use an ACL to restrict inbound traffic.
– The destination host must have a statically
mapped address.
– The ACL destination address is the “global
ip” assigned in the static command.
access-list Command

pixfirewall(config)# access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
• Enables you to create an ACL
• ACLs associated with IPSec are known as “crypto” ACLs

pixfirewall(config)# access-list dmz1 deny tcp 192.168.1.0 255.255.255.0 host 192.168.0.1 lt 1025
• ACL “dmz1” denies access from the 192.168.1.0 network to TCP ports less than 1025 on host 192.168.0.1
access-group Command

pixfirewall(config)# access-group acl_name in interface interface_name
• Binds an ACL to an interface
• The ACL is applied to traffic inbound to an interface

pixfirewall(config)# access-group dmz1 in interface dmz
• ACL “dmz1” is bound to interface “dmz”
ACLs Versus Conduits

ACL: An ACL applies to a single interface, affecting all traffic entering that interface regardless of its security level.
Conduit: A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by permitting connections from one interface to access hosts on another.

It is recommended to use ACLs to maintain future compatibility.
Convert Conduits to ACLs

pixfirewall(config)# conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]

pixfirewall(config)# access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port

• global_ip = destination_addr
• foreign_ip = src_addr

pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq www any
pixfirewall(config)# access-list acl_in permit tcp any host 192.168.0.10 eq www
ACLs

pixfirewall(config)# nat (dmz) 1 0 0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# static (inside,dmz) 172.16.0.10 10.0.0.3 netmask 255.255.255.255
pixfirewall(config)# static (inside,dmz) 172.16.0.12 10.0.0.4 netmask 255.255.255.255
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.10 255.255.255.255 eq ftp
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.12 255.255.255.255 eq smtp
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 any eq www
pixfirewall(config)# access-group 102 in interface dmz
• Users on the DMZ are able to access the Internet, the internal FTP server, and the internal mail server.
Deny Web Access to the Internet

nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

• Denies web traffic on port 80 from the inside network to the Internet
• Permits all other IP traffic from the inside network to the Internet

(Figure: www traffic from the inside is blocked at the PIX Firewall; other IP traffic reaches the Internet.)
Permit Web Access to the DMZ

(Figure: Internet; PIX Firewall .2 on 192.168.0.0/24, .1 on 172.16.0.0/24 with the web server at .2, .1 on 10.0.0.0/24.)

nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside

• The ACL acl_in_dmz permits web traffic on port 80 from the Internet to the DMZ web server.
• The ACL acl_in_dmz denies all other IP traffic from the Internet.
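A parser and first-match evaluator for the access-list lines used in the slides above, together with the conduit-to-ACL rewrite from "Convert Conduits to ACLs" (global_ip becomes the destination, foreign_ip the source). This is an added example, not PIX code: it supports only the address forms and operators that appear on these slides (any, host, address with mask, eq, lt, gt) and the port names www, http, ftp, smtp and telnet; the function names are hypothetical and the sample ACLs are the ones from the "ACLs" and "Deny Web Access" slides.

```python
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "smtp": 25, "telnet": 23}

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(tokens, i):
    """Address spec at tokens[i]: 'any', 'host A' or 'A MASK'. Returns (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2

def _parse_port(tokens, i):
    """Optional 'eq|lt|gt PORT' at tokens[i]. Returns (match predicate, next index)."""
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt"):
        op, p = tokens[i], _port(tokens[i + 1])
        preds = {"eq": lambda x: x == p, "lt": lambda x: x < p, "gt": lambda x: x > p}
        return preds[op], i + 2
    return (lambda x: True), i              # no operator: any port matches

def parse_access_list(line):
    """access-list NAME permit|deny PROTO SRC [op port] DST [op port] -> rule dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"name": t[1], "action": t[2], "proto": t[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def conduit_to_access_list(line, acl_name):
    """Rewrite 'conduit permit|deny PROTO GLOBAL [op port] FOREIGN [op port]' as an
    access-list line: foreign_ip becomes the source, global_ip the destination."""
    t = line.split()
    if t[0] != "conduit":
        raise ValueError("not a conduit line: " + line)
    _, i = _parse_addr(t, 3)               # global_ip [mask]        -> t[3:i]
    _, j = _parse_port(t, i)               # [operator port]         -> t[i:j]
    _, k = _parse_addr(t, j)               # foreign_ip [mask]       -> t[j:k]
    return " ".join(["access-list", acl_name, t[1], t[2]] + t[j:k] + t[k:] + t[3:i] + t[i:j])

def evaluate(acl_lines, proto, src, sport, dst, dport):
    """First matching entry decides; an ACL with no match ends in the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        r = parse_access_list(line)
        if (r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"]
                and r["sport"](sport) and r["dport"](dport)):
            return r["action"]
    return "deny"

# Constructed samples: the ACLs from the slides above.
ACL_102 = [
    "access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.10 255.255.255.255 eq ftp",
    "access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.12 255.255.255.255 eq smtp",
    "access-list 102 permit tcp 172.16.0.0 255.255.255.0 any eq www",
]
ACL_OUT = [
    "access-list acl_out deny tcp any any eq www",
    "access-list acl_out permit ip any any",
]
```

The addresses passed to evaluate follow the usage guidelines above: for an ACL on a higher-security interface the source is the untranslated inside address, and for an ACL on a lower-security interface the destination is the global address from the static. For ACL 102 the model permits FTP to 172.16.0.10 and web traffic to any address from the DMZ, and drops everything else through the implicit deny, including UDP to the same hosts.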
icmp Command

pixfirewall(config)# icmp permit | deny [host] src_addr [src_mask] [type] int_name
• Enables or disables pinging to an interface

pixfirewall(config)# icmp deny any echo-reply outside
pixfirewall(config)# icmp permit any unreachable outside
• All ping requests are denied at the outside interface, and all unreachable messages are permitted at the outside interface
Summary

• ACLs enable you to determine which systems can establish connections through your PIX Firewall.
• Cisco recommends migrating from conduits to ACLs.
• Existing conduits can easily be converted to ACLs.
• With ICMP ACLs, you can disable pinging to a PIX Firewall interface so that your PIX Firewall cannot be detected on your network.
• The PIX Firewall can work with URL-filtering software to control and monitor Internet activity.
