---
layout: post
title: Configuring PIX Firewall -- part I
created: 1226212803
categories:
- pix
- firewall
- cisco
---
<p>Well, after playing with the PIX firewall simulator for a while to get used to all the commands in the different shells, it's time to move on to the real one. What I have is a PIX 501 that I bought off craigslist.org for only $70. The first thing to know is how to remove the old password and restore or clear the factory configuration.</p>
<p>What you need in order to remove the password is:-<a href="http://mycapsules.com/sites/default/files/2008/11/image_6.png" target="_"><img border="0" alt="Cisco PIX Firewall - # show version" title="Cisco PIX Firewall - # show version" align="right" src="http://mycapsules.com/sites/default/files/2008/11/image_thumb_2.png" width="240" height="145" /></a></p>
<ul>
<li>The PIX itself, for sure </li>
<li>Console cable </li>
<li>PIX Password Lockout Utility - which one you need depends on the PIX software version you are running (beware: the BIOS version is not the same thing). You can see the version when you try to log in to the PIX shell, as in the figure on the right (although you can't actually get in, because the password is unknown).
<ul>
<li><a href="http://mycapsules.com/sites/default/files/2008/11/cisco-pwd-tool/np70.bin">np70.bin</a> (7.x and 8.0 release) </li>
<li><a href="http://mycapsules.com/sites/default/files/2008/11/cisco-pwd-tool/np63.bin">np63.bin</a> (6.3 release) </li>
<li><a href="http://mycapsules.com/sites/default/files/2008/11/cisco-pwd-tool/np62.bin">np62.bin</a> (6.2 release) </li>
<li><a href="http://mycapsules.com/sites/default/files/2008/11/cisco-pwd-tool/np61.bin">np61.bin</a> (6.1 release) </li>
<li><a href="http://mycapsules.com/sites/default/files/2008/11/cisco-pwd-tool/np60.bin">np60.bin</a> (6.0 release) </li>
<li><a href="http://mycapsules.com/sites/default/files/2008/11/cisco-pwd-tool/np53.bin">np53.bin</a> (5.3 release) </li>
<li><a href="http://mycapsules.com/sites/default/files/2008/11/cisco-pwd-tool/np52.bin">np52.bin</a> (5.2 release) </li>
<li><a href="http://mycapsules.com/sites/default/files/2008/11/cisco-pwd-tool/np51.bin">np51.bin</a> (5.1 release) </li>
<li><a href="http://mycapsules.com/sites/default/files/2008/11/cisco-pwd-tool/np50.bin">np50.bin</a> (5.0 release) </li>
<li><a href="http://mycapsules.com/sites/default/files/2008/11/cisco-pwd-tool/np44.bin">np44.bin</a> (4.4 release) </li>
<li><a href="http://mycapsules.com/sites/default/files/2008/11/cisco-pwd-tool/nppix.bin">nppix.bin</a> (4.3 and earlier releases) </li>
</ul>
</li>
<li>TFTP server </li>
<li>HyperTerminal in Windows XP or the PuTTY application for accessing the PIX </li>
<li>Time!! The whole process actually takes &lt; 10 min. </li>
</ul>
<p>For the TFTP server I recommend this one, <a title="http://sourceforge.net/projects/tftp-server/" href="http://sourceforge.net/projects/tftp-server/">http://sourceforge.net/projects/tftp-server/</a>: easy to use, freeware and open-source, what else can you ask for. To set it up you just have to go through the installation wizard.</p>
<p><a href="http://mycapsules.com/sites/default/files/2008/11/image_8.png" target="_"><img border="0" title="TFTP server status" alt="TFTP server status" align="right" src="http://mycapsules.com/sites/default/files/2008/11/image_thumb_3.png" width="240" height="132" /></a>Then you have to edit the configuration file a bit.</p>
<pre name="code" class="c-sharp">
[HOME]
c:\myHome
[TFTP-OPTIONS]
Read=Y
</pre>
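<p>As an added example (not part of the original post, nor code from the TFTP server linked above), here is the exchange that the monitor-mode tftp fetch performs against that server, with both sides written out: a read request in octet mode, 512-byte DATA blocks that the client ACKs one by one, a short final block that ends the transfer, and a write request refused with an error, which is why <font style="font-family: courier; font-size: 9px">Read=Y</font> is all the server needs. The np63.bin contents, the loopback addresses and the single-socket server (a real one answers from a fresh port per transfer) are constructed simplifications.</p>

```python
import socket, struct, threading
# Constructed stand-in for np63.bin (1100 bytes = 512 + 512 + a short 76-byte last block).
FILES = {"np63.bin": bytes(range(256)) * 4 + b"\x00" * 76}
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512

def serve_one_rrq(sock):
    """Read-only TFTP server: one RRQ, octet mode, no writes (simplified: answers from the listening socket)."""
    pkt, peer = sock.recvfrom(516)
    if struct.unpack("!H", pkt[:2])[0] != RRQ:  # WRQ or anything else: access violation
        sock.sendto(struct.pack("!HH", ERROR, 2) + b"Read-only server\x00", peer)
        return
    data = FILES.get(pkt[2:].split(b"\x00")[0].decode())
    if data is None:
        sock.sendto(struct.pack("!HH", ERROR, 1) + b"File not found\x00", peer)
        return
    block = 1
    while True:
        chunk = data[(block - 1) * BLOCK:block * BLOCK]
        sock.sendto(struct.pack("!HH", DATA, block) + chunk, peer)
        ack, _ = sock.recvfrom(4)
        # A real server retransmits on a bad ACK; a block shorter than 512 bytes means end of file.
        if ack != struct.pack("!HH", ACK, block) or len(chunk) < BLOCK:
            return
        block += 1

def tftp_get(server, filename):
    """Client side, i.e. what the monitor 'tftp' command does: RRQ, then ACK each DATA block."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); sock.settimeout(2)
    sock.sendto(struct.pack("!H", RRQ) + filename.encode() + b"\x00octet\x00", server)
    received, expected = bytearray(), 1
    while True:
        pkt, peer = sock.recvfrom(516)
        opcode, num = struct.unpack("!HH", pkt[:4])
        if opcode == ERROR:
            raise IOError(pkt[4:-1].decode())
        if opcode == DATA and num == expected:
            received += pkt[4:]
            sock.sendto(struct.pack("!HH", ACK, num), peer)
            if len(pkt) - 4 < BLOCK:
                return bytes(received)
            expected += 1

def fetch_over_loopback(filename="np63.bin"):
    """Run server and client against each other on 127.0.0.1 and return the file bytes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); srv.bind(("127.0.0.1", 0))
    t = threading.Thread(target=serve_one_rrq, args=(srv,)); t.start()
    try:
        return tftp_get(srv.getsockname(), filename)
    finally:
        t.join(); srv.close()
```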
<p>Afterward, put the PIX Password Lockout Utility in the home directory of the TFTP server and restart the service, or start it in stand-alone mode from the menu so you can watch the server status while doing all this.</p>
<p>So far we have the TFTP server ready. Now we need to access the PIX by connecting the console cable, and connecting the ethernet0 interface to the gateway or router that the TFTP server is connected to.</p>
<div align="center"><img border="0" alt="Network Diagram" src="http://mycapsules.com/sites/default/files/2008/11/image_2_1.png" width="403" height="308" /><br />Fig 1. Network Diagram</div>
<p>Once you have all this set up, get yourself into the terminal/PuTTY. Then you have to interrupt the boot process to get the monitor shell, by pressing BREAK or ESC.</p>
<blockquote><font style="font-family: courier; font-size: 9px"> <p>Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001 <br />Platform PIX-501 <br />Flash=E28F660J3 @ 0x3000000 </p> <p>Use BREAK or ESC to interrupt flash boot. <br />Use SPACE to begin flash boot immediately. <br />Flash boot interrupted. <br />0: i8255X @ PCI(bus:0 dev:17 irq:9 ) <br />1: i8255X @ PCI(bus:0 dev:18 irq:10) <br />Using 1: i82557 @ PCI(bus:0 dev:18 irq:10), MAC: 000d.2370.40ac <br />Use ? for help. </p> <p>monitor&gt;</p> </font></blockquote>
<p>What you have to do is set the IP address of the PIX, the gateway, the TFTP server, and the Password Lockout Utility filename.</p>
<blockquote><font style="font-family: courier; font-size: 9px"> <p>monitor&gt; interface 0 <br />0: i8255X @ PCI(bus:0 dev:17 irq:9 ) <br />1: i8255X @ PCI(bus:0 dev:18 irq:10) <br />Using 0: i82557 @ PCI(bus:0 dev:17 irq:9 ), MAC: 000d.2870.L0ab <br />monitor&gt; address 192.168.10.99 <br />address 192.168.10.99 <br />monitor&gt; server 192.168.10.128 <br />server 192.168.10.128 <br />monitor&gt; file np63.bin <br />file np63.bin <br />monitor&gt; gateway 192.168.10.10 <br />gateway 192.168.10.10 <br />monitor&gt; ping 192.168.10.128 <br />Sending 5, 100-byte 0x7206 ICMP Echoes to 192.168.10.128, timeout is 5 seconds: </p> <p>Success rate is 0 percent (0/5) <br />monitor&gt; ping 192.168.10.128 <br />Sending 5, 100-byte 0x7205 ICMP Echoes to 192.168.10.128, timeout is 5 seconds: <br />!!!!! <br />Success rate is 100 percent (5/5) <br />monitor&gt; tftp <br />tftp np63.bin@192.168.10.128 via 192.168.10.10&lt;6&gt;&lt;3&gt;&lt;3&gt;.&lt;11&gt;&lt;11&gt;&lt;11&gt; ........................................ <br />............................................... <br />Received 92160 bytes </p> <p>Cisco Secure PIX Firewall password tool (3.0) #0: Thu Jul 17 08:01:09 PDT 2003 <br />Flash=E28F640J3 @ 0x3000000 <br />BIOS Flash=E28F660J3 @ 0xD8000 </p> <p>Do you wish to erase the passwords? [yn] </p> </font></blockquote>
<p>There you go; your PIX will be accessible afterward. However, this does not erase any of the configuration on the PIX. You have 2 choices for doing that though:-</p>
<pre name="code" class="c-sharp">
1. pixfirewall(config)# configure factory-default
2. pixfirewall(config)# clear configure all
</pre>
<p>The difference between these 2 commands is that the first restores the factory default configuration, which enables a DHCP server on the inside interface and gets the outside interface's IP address by DHCP, while the latter clears everything, so you have to use the console to start configuring from the beginning.</p> <p>By the way, if you've read this far, you might, like me, be starting to understand all the PIX commands and configuration. In that case '<font style="font-family: courier; font-size: 9px">clear configure all</font>' is the way to go. Next time we will go through how to set this up in an existing network. Stay tuned.</p>