---
layout: post
title: Configuring PIX 501 -- part II
created: 1229016351
categories:
- pix
- firewall
- cisco
---

<p>With the basics from part I out of the way, we can now work on making the network safe, although connectivity has to come first. The PIX 501 has only two interfaces, ethernet0 and ethernet1, so it can only have an outside and an inside network. Their security levels are fixed at 0 (lowest) for outside and 100 (highest) for inside; these values cannot be changed on the PIX 501. Next we need to know the network layout: assume the PIX 501 sits behind a router and there is one web server on the inside network. A public web server should really live on its own DMZ interface rather than on the inside network, but the 501 has no third interface, so for learning we do it this way first.</p>

<p>Here are the steps to get things done:</p>

<ol>
<li>Set hostname and passwords</li>
<li>Configure IP addresses on the interfaces, then enable them</li>
<li>Configure a route</li>
<li>Set firewall rules</li>
<li>Set up port forwarding to the web server</li>
</ol>

<p>To set the hostname and passwords we need to enter configuration mode. One nice thing about the Cisco IOS-style shell is that commands do not have to be typed in full: any unambiguous abbreviation works. For example, 'configure terminal' can be shortened to 'config t', 'conf t', 'conf ter' or even 'con t', but 'con' alone does not work because there is not enough information to tell which command is meant.</p>

<pre class="c-sharp" name="code">pixfirewall# config t
pixfirewall(config)#
pixfirewall(config)# hostname 10PIX
10PIX(config)#
10PIX(config)# password qwerty
10PIX(config)#
10PIX(config)# enable password qwerty
10PIX(config)#</pre>

<p>'password' (an alias of 'passwd') sets the login password for telnet and ssh sessions; 'enable password' sets the password for privileged mode. 'qwerty' is only a placeholder for this walkthrough: these two passwords are all that stands between the network and the firewall's configuration, so pick strong and different values for each.</p>

<p>With the basics done, the next step is IP addressing on the interfaces. First we set the link speed, the interface name and the security level on each interface (the level is fixed on the 501 anyway). The interface command also brings the interface up; interfaces stay shut down until it is issued:</p>

<pre class="c-sharp" name="code">10PIX(config)# interface ethernet0 100full
10PIX(config)# interface ethernet1 100full
10PIX(config)# nameif ethernet0 outside 0
10PIX(config)# nameif ethernet1 inside 100</pre>

<p>Next we assign an IP address to each interface and add a default route to our gateway (192.168.10.10) so we can reach the Internet. The 0 0 in the route command is the destination network and mask, meaning any destination, and the trailing 1 is the metric.</p>

<pre class="c-sharp" name="code">10PIX(config)# ip address outside 192.168.10.11 255.255.255.0
10PIX(config)# ip address inside 10.1.1.1 255.255.255.0
10PIX(config)#
10PIX(config)# route outside 0 0 192.168.10.10 1
10PIX(config)#</pre>

<p>Next we associate the inside network with a pool of global IP addresses, using the nat and global commands:</p>

<pre class="c-sharp" name="code">nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]</pre>

<pre class="c-sharp" name="code">global [(if_name)] nat_id global_ip[-global_ip] [netmask global_mask]</pre>

<p>The two commands are tied together by nat_id: nat says which local addresses on which interface are translated under that id, and global provides the address (or range of addresses) on the outside interface that outbound connections for that id are translated to.</p>

<pre class="c-sharp" name="code">10PIX(config)# nat (inside) 1 10.1.1.0 255.255.255.0 0 0
10PIX(config)# global (outside) 1 192.168.10.12
10PIX(config)#</pre>

<p>The <strong>0 0</strong> at the end of the nat command are max_conns and em_limit: the maximum number of connections and the maximum number of embryonic (half-open) connections, where 0 means unlimited. Leaving em_limit at 0 means the PIX never caps half-open connections, so a SYN flood against an inside host is not throttled; a non-zero em_limit is the knob for that. Because global is given a single address, all outbound connections are translated to 192.168.10.12 on the outside using port address translation (PAT); a range of addresses can be given instead to get a pool. With the route ready, it's time to set up a DHCP server for the inside network; that is pretty straightforward (the lease is in seconds, so 604800 is one week, and ping_timeout is in milliseconds):</p>

<pre class="c-sharp" name="code">10PIX(config)# dhcpd address 10.1.1.10-10.1.1.31 inside
10PIX(config)# dhcpd dns 192.168.10.10
10PIX(config)# dhcpd lease 604800
10PIX(config)# dhcpd ping_timeout 500
10PIX(config)# dhcpd enable inside
10PIX(config)# </pre>

<p>Up to this point we are almost ready to leave the console behind and never touch it again. There are two choices for remote management: <em>telnet</em> or <em>ssh</em>. <em>Telnet</em> is faster and needs no setup, but it sends the login password and everything you type in cleartext; <em>ssh</em> encrypts the session, so it is the one to use wherever possible. In either case management access should only be allowed from the inside network, not from outside, which keeps the exposure to a known set of hosts (plain telnet on the outside interface is not accepted by the PIX at all, only over IPsec). However, in this case, for study, let's also allow <em>ssh</em> connections from the outside network [which is still a private network anyway].</p>

<pre class="c-sharp" name="code">10PIX(config)# telnet 10.1.1.0 255.255.255.0 inside
10PIX(config)# telnet timeout 5
10PIX(config)# ssh 10.1.1.0 255.255.255.0 inside
10PIX(config)# ssh 192.168.10.0 255.255.255.0 outside
10PIX(config)# ssh timeout 5</pre>

<p>With that, telnet and ssh access is allowed from the listed networks; the timeout is the idle time in minutes after which a session is closed. Telnet works right away since it needs nothing else. <em>ssh</em>, however, is another story: the PIX needs an RSA key to set up the secure connection, so we have to generate one and save it to flash memory; it takes a while--about half an hour for me. A hostname and domain-name must be set first, since the key is named after them.</p>

<pre class="c-sharp" name="code">10PIX(config)# domain-name cisco.com
10PIX(config)# ca generate rsa key 2048
10PIX(config)# ca save all
10PIX(config)# </pre>

<p><img height="368" alt="PIX obtaining RSA key" src="http://mycapsules.com/sites/default/files/2008/12/image_3.png" width="642" border="0" /> </p>
<p>You may view the newly created RSA public key with:</p>

<pre class="c-sharp" name="code">10PIX(config)# sh ca mypubkey rsa</pre>

<p>Now we are able to connect over <em>ssh</em>: log in with the username pix and the telnet password set earlier. Note that the PIX 6.x software only supports SSH version 1, which modern OpenSSH has dropped entirely, so an older or compatible client is needed. If you have any trouble, <em>'debug ssh'</em> might be your friend. The next thing to do is port forwarding; since the PIX 501 has no extra interface, a DMZ is not an option here. Our web and FTP server is on 10.1.1.14. The static command creates the fixed translation; for a single port the form is:</p>

<pre class="c-sharp" name="code">static [(high_if, low_if)] {tcp | udp} low_if_ip low_port high_if_ip high_port [netmask mask] [max_conns [em_limit]] [norandomseq]</pre>

<p>A few things to keep in mind: this form is for when NAT is enabled; high and low refer to the security level of the two interfaces, so the inside server address is high_if_ip and the address seen from outside is low_if_ip; the keyword interface in place of an address means the firewall's own IP on that interface (here the outside address, 192.168.10.11); and ports can be written by name (www, ftp). The trailing 0 0 are max_conns and em_limit again, with the same meaning as for nat.</p>

<pre class="c-sharp" name="code">10PIX(config)# static (inside,outside) tcp interface www 10.1.1.14 www netmask 255.255.255.255 0 0
10PIX(config)# static (inside,outside) tcp interface ftp 10.1.1.14 ftp netmask 255.255.255.255 0 0
10PIX(config)# access-list acl_in permit tcp any interface outside eq www
10PIX(config)# access-list acl_in permit tcp any host 192.168.10.101 eq ssh
10PIX(config)# access-list acl_in permit tcp any interface outside eq ftp
10PIX(config)# access-group acl_in in interface outside</pre>

<p>The static only creates the translation; it does not by itself let anything in, because connections from a lower-security interface to a higher one are denied by default. The access-list is what permits the inbound web and FTP connections through the outside interface, and everything it does not explicitly permit is dropped by the implicit deny at the end of the list. That is what a firewall is for, after all. Two notes on the list above: the FTP entry only needs to permit the control port, since the fixup protocol ftp 21 inspection that is on by default opens the data connections; and the entry permitting ssh to host 192.168.10.101 governs traffic through the firewall only, so it has no effect on ssh to the PIX itself, which is controlled by the ssh command earlier, and since no static in the configuration shown maps 192.168.10.101 to an inside host, as written that entry lets nothing through. Once we create an access-list, we apply it to an interface with:</p>

<pre class="csharp" name="code">access-group <i>acl_name</i> in interface <i>interface-name</i></pre>

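<p>The inbound decision just described, as an added example that is not code from the original post: a small Python model that parses the static, access-list and access-group lines above and decides, for a packet arriving on the outside interface, where it is translated to and whether it is permitted, including the implicit deny and the case of a permit entry that no static delivers. The config text is the one built in this post, the outside client address 203.0.113.5 and the port-name table are constructed for the example, and the function names are mine, not PIX commands.</p>

```python
"""Model of how the PIX decides an inbound connection on the outside interface.

Added example for this post, not code from the original page. Two things
decide the fate of a packet from outside: the static (where is it translated
to?) and the access-list bound inbound on the interface (is it permitted?).
Anything the list does not permit hits the implicit deny at its end.
"""
import ipaddress

# Constructed excerpt of the config built in this post (outside address,
# statics, access-list and access-group as entered above).
CONFIG = """\
ip address outside 192.168.10.11 255.255.255.0
static (inside,outside) tcp interface www 10.1.1.14 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 10.1.1.14 ftp netmask 255.255.255.255 0 0
access-list acl_in permit tcp any interface outside eq www
access-list acl_in permit tcp any host 192.168.10.101 eq ssh
access-list acl_in permit tcp any interface outside eq ftp
access-group acl_in in interface outside
"""

# Port names the PIX accepts in place of numbers (subset, for this example).
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25}


def port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def take_addr(toks, if_ip):
    """Consume one address spec: any | host A | interface NAME | A MASK."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    if toks[0] == "interface":
        return ipaddress.ip_network(if_ip[toks[1]] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def parse(config):
    fw = {"if_ip": {}, "statics": [], "acls": {}, "groups": {}}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            fw["if_ip"][t[2]] = t[3]
        elif t[0] == "static":
            # static (high_if,low_if) proto low_ip low_port high_ip high_port ...
            high, low = t[1].strip("()").split(",")
            gip = fw["if_ip"][low] if t[3] == "interface" else t[3]
            fw["statics"].append({"high": high, "low": low, "proto": t[2], "gip": gip,
                                  "gport": port(t[4]), "lip": t[5], "lport": port(t[6])})
        elif t[0] == "access-list":
            # access-list NAME permit|deny proto SRC DST [eq PORT]
            src, rest = take_addr(t[4:], fw["if_ip"])
            dst, rest = take_addr(rest, fw["if_ip"])
            dport = port(rest[1]) if rest[:1] == ["eq"] else None
            fw["acls"].setdefault(t[1], []).append((t[2], t[3], src, dst, dport))
        elif t[0] == "access-group":
            fw["groups"][t[4]] = t[1]      # access-group NAME in interface IF
    return fw


def inbound(fw, proto, src, dst, dport, iface="outside"):
    """Verdict for a packet arriving on iface: ('permit', (inside_ip, port)) or ('deny', reason)."""
    xlate = next((s for s in fw["statics"] if s["low"] == iface and s["proto"] == proto
                  and s["gip"] == dst and s["gport"] == dport), None)
    acl = fw["acls"].get(fw["groups"].get(iface), [])
    srcip, dstip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Entries are checked top-down against the untranslated (outside) destination;
    # the first match wins.
    for action, aproto, asrc, adst, aport in acl:
        if aproto in (proto, "ip") and srcip in asrc and dstip in adst and aport in (None, dport):
            if action == "deny":
                return "deny", "explicit deny"
            if xlate is None:
                return "deny", "permitted but no static translates it"
            return "permit", (xlate["lip"], xlate["lport"])
    return "deny", "implicit deny at end of access-list"


def dead_permits(fw, iface="outside"):
    """Indexes of permit entries on iface whose destination no static delivers to the inside."""
    acl = fw["acls"].get(fw["groups"].get(iface), [])
    return [i for i, (act, proto, _, dst, dport) in enumerate(acl) if act == "permit"
            and not any(s["low"] == iface and s["proto"] == proto
                        and ipaddress.ip_address(s["gip"]) in dst
                        and dport in (None, s["gport"]) for s in fw["statics"])]


if __name__ == "__main__":
    fw = parse(CONFIG)
    for proto, dport in (("tcp", 80), ("tcp", 21), ("tcp", 22), ("udp", 80)):
        print(proto, dport, inbound(fw, proto, "203.0.113.5", "192.168.10.11", dport))
    print("dead permit entries:", dead_permits(fw))
```

<p>Running it shows web and FTP from outside being translated to 10.1.1.14 and permitted, ssh to the outside address falling through to the implicit deny, and dead_permits pointing at the ssh entry for 192.168.10.101 as the one rule in the list that no static backs.</p>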
<p>So far we have set everything necessary; you may have to play around a bit to get a deeper understanding of how the PIX works. To be able to solve a problem, we have to know what is going on:</p>

<pre class="csharp" name="code">10PIX(config)# show xlate
10PIX(config)# show conn
10PIX(config)# show access-list
10PIX(config)# show running-config</pre>

<p>show xlate lists the translation slots currently in use (NAT, PAT and static entries), show conn the active connections through the firewall, show access-list the access-lists with a hit count per entry, which tells you whether a packet even matched the rule you expected, and show running-config the whole configuration.</p>

<p>These let you see what is actually happening and start troubleshooting from there. One more thing to know is how to undo a command: it's as easy as putting 'no' in front of the command you entered. You can verify with 'show run', which lists every command in the running configuration.</p>

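<p>As an added example, not code from the original post, here is a small Python audit that reads 'show run' output and flags the weak spots this post touches on: factory-default passwords, cleartext telnet, management access from anywhere but the inside interface (or from any source), and nat/static entries whose em_limit is 0. The two config excerpts are constructed for the example; the hardened one uses placeholder strings in place of real password hashes and an example em_limit of 100, and the function names are mine.</p>

```python
"""Audit a PIX 6.x 'show running-config' for the weak spots discussed in this post.

Added example for this post, not code from the original page. It reads the
config text and reports: factory-default passwords, cleartext telnet access,
management access from any interface other than inside (or from any source),
and nat/static entries with no embryonic-connection limit (em_limit 0).
"""

# Well-known hashes the PIX shows for its factory defaults: telnet password
# 'cisco' and an empty enable password.
DEFAULT_PASSWD = "2KFQnbNIdI.2KYOU"
DEFAULT_ENABLE = "8Ry2YjIyt7RRXU24"

# Constructed excerpt of a running-config for the setup in this post, left at
# factory-default passwords so the checks fire.
SAMPLE_CONFIG = """\
hostname 10PIX
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 192.168.10.12
static (inside,outside) tcp interface www 10.1.1.14 www netmask 255.255.255.255 0 0
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 outside
ssh timeout 5
"""

# The same setup hardened: ssh from inside only, no telnet, non-default
# passwords (PLACEHOLDER strings stand in for real PIX hashes) and an
# embryonic limit of 100 half-open connections per translation (example value).
HARDENED_CONFIG = """\
hostname 10PIX
enable password PLACEHOLDERENABLE encrypted
passwd PLACEHOLDERPASSWD encrypted
nat (inside) 1 10.1.1.0 255.255.255.0 0 100
global (outside) 1 192.168.10.12
static (inside,outside) tcp interface www 10.1.1.14 www netmask 255.255.255.255 0 100
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
"""


def em_limit(t):
    """Embryonic-connection limit of a tokenised nat/static line; 0 (or absent) means unlimited."""
    if t[0] == "nat":
        tail = t[4:]                       # [netmask [max_conns [em_limit]]] [norandomseq]
    else:
        tail = t[t.index("netmask") + 1:] if "netmask" in t else []
    nums = [x for x in tail if x.isdigit()]    # max_conns, em_limit
    return int(nums[1]) if len(nums) >= 2 else 0


def audit(config):
    """Return a list of findings (strings) for the given running-config text."""
    findings = []
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "passwd" and t[1] == DEFAULT_PASSWD:
            findings.append("telnet/ssh password is the factory default 'cisco'")
        elif t[:2] == ["enable", "password"] and t[2] == DEFAULT_ENABLE:
            findings.append("enable password is the factory default (empty)")
        elif t[0] in ("telnet", "ssh") and len(t) == 4:       # <proto> ADDR MASK IFACE
            proto, addr, mask, iface = t
            if proto == "telnet":
                findings.append(f"cleartext telnet management enabled from {addr} {mask} on {iface}")
            if iface != "inside":
                findings.append(f"{proto} management access allowed on the {iface} interface from {addr} {mask}")
            if addr == "0.0.0.0":
                findings.append(f"{proto} management access allowed from any source on {iface}")
        elif t[0] in ("nat", "static") and em_limit(t) == 0:
            findings.append(f"no embryonic-connection limit (SYN flood not throttled): {line}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

<p>Feed it the text of 'show run' captured from the console and it produces six findings for the sample configuration and none for the hardened one; the em_limit check is the one most people overlook, since the nat and static examples on this page all end in 0 0.</p>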
<p>Have fun manipulating the PIX configuration, and have a safe network, of course. =) </p>

<p>If you have trouble with PIX, just ask.</p>

<p><u>Note</u>: very good command reference at <a href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/config/commands.htm" target="_blank">cisco.com</a></p>