Understanding a Basic Cisco PIX Firewall Configuration


Reader Please Note: To the best of my knowledge the information in this document is accurate. If you find any errors, have any comments, additions, or just have questions, please feel free to contact me at billetter@networktechnologist.com.

Glossary

Term - Definition
CLI - Command Line Interface: a non-graphical method of configuring the PIX firewall.  Can be accessed from the PIX console port, telnet or secure shell (ssh).
NAT - Network Address Translation
PAT - Port Address Translation
PDM - PIX Device Manager: a web based PIX configuration program.

Introduction

The purpose of this article is to look at a basic Cisco PIX Firewall configuration that might be used by a small business to connect to the internet.  For the purposes of this article we will assume that there is a single connection to the internet through the PIX and that there is a single internal network connected to the PIX as well.  This article will discuss how to view the configuration and what each statement means.  More advanced configuration options will be left to future articles.

Using the PDM to View the Cisco Pix Configuration

There are 2 methods that can be used to view a PIX Firewall's configuration.  You can view the configuration with a web browser such as Internet Explorer, or you can connect directly to the serial console port of the PIX and use a terminal emulation program such as HyperTerminal, which comes with the Microsoft Windows operating systems.

To use the web page access you type the IP address of your PIX firewall as an https URL.  For example, let's assume that your PIX firewall is set up with the IP address 192.168.1.1.  The URL that you need to enter is:  https://192.168.1.1  (NOTE it is https:, NOT http:; the PIX does not serve PDM over plain http).  This will probably give you a security alert that you are about to view pages over a secure connection, just click OK to continue.  You may also get a Security Alert about the security certificate, because the PIX presents a self-signed certificate that your browser cannot verify; accept it only when you are connecting from a trusted management network, since anyone between you and the firewall could present a certificate of his own.  At this point the PIX firewall will ask for your username and password.  The username will be cisco, and the password will be whatever the person who set up the firewall chose (it is the same password the enable command uses on the CLI).  If no password was chosen the field can be left blank, but a firewall with an empty enable password can be reconfigured by anyone who can reach it, so set one before going any further.

This will launch the web page called Cisco PIX Device Manager, or what is referred to as PDM.  There may be a security warning about installing and running the PDM, just click Yes to continue.  This runs a java applet that will display the configuration of your PIX firewall and allow you to change it.

Using the CLI to view the PIX Configuration

The second method for viewing your PIX configuration is through the command line interface (CLI).  This is accomplished by running the HyperTerminal program that comes with Windows 9.X and Windows 2000/XP.  On Windows 2000 it can be found at:  Start -> Programs -> Accessories -> Communications -> HyperTerminal.  The program will ask you for the name of the connection, for our purposes just type "cisco".    Then the program will ask you how to connect to the PIX.  You must use the serial cable that Cisco provides to go from the PIX to a serial port on your PC, usually COM1 or COM2.  Select the correct com port and click ok.  Next you will have to enter port settings.  Choose 9600 Bits Per Second, 8 Data bits, None for parity, 1 Stop bit and Hardware flow control.  Verify these settings and click Ok.  Now the screen will be blank.  At this point hit the <Enter> key and you should see a prompt from the Pix firewall:

pixfirewall>

This is the unprivileged mode prompt of the firewall.  In order to see the configuration you must enter, or "enable", privileged mode.  This is done by entering the command enable and providing the enable password (the same password used when running the PDM from Internet Explorer).

pixfirewall> enable
Password: *********
pixfirewall#

The new prompt that ends with "#" instead of ">" indicates that you are now in privileged mode.  At this point you can view the configuration of the firewall by typing "sh config" (short for show configure).  Note that this displays the configuration saved in Flash memory; "write terminal" displays the running configuration, which is what the firewall is actually enforcing, and the two differ if changes have been made but not saved with "write memory".  Either command produces a multi-page listing which is the complete configuration of the PIX firewall.  The remainder of the article will analyze a typical configuration, line by line.

General configuration commands

In this section the general purpose commands that are found in a default configuration will be described.  These commands are:

interface
ip address
enable password
passwd
hostname
mtu
pager
pdm
arp
ip audit
timeout
aaa-server
http
snmp-server
floodguard
sysopt
telnet
ssh
dhcpd
terminal

The first line of the PIX configuration will identify the version of the firewall itself.  Expect to see a line that looks similar to:

PIX Version 6.1(2)

Two commands that are related to the interfaces named by the nameif command (covered in the next section) are the ip address and interface commands.  For our little example they are the following:

interface ethernet0 10baset
interface ethernet1 10full

ip address outside 10.0.0.253 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

The interface command identifies the parameters of the interface.  Since ethernet0 and ethernet1 are Ethernet connections, their parameters are the speed and duplex setting of the link.  In this case 10baset is 10 Mbps half-duplex Ethernet, and 10full is 10 Mbps full-duplex Ethernet.  Other values you may see here are 100basetx, 100full and auto.

The ip address command just assigns the ip address and subnet mask to the interface.  In this example we are using static ip addresses with subnet masks of 255.255.255.0.

You can expect to see an enable password and a passwd command as well:

enable password Git7QUt/ykhvVvkn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

The enable password command sets the password used to switch from unprivileged mode to privileged mode.  The enable command was discussed previously in the section "Using the CLI to view the PIX Configuration" above.

The passwd command sets the user mode password, which is what telnet and ssh sessions use to log in (ssh logs in with the username pix and this password).  The hash shown in this example, 2KFQnbNIdI.2KYOU, is the one the PIX ships with and corresponds to the factory password "cisco"; it is public knowledge, so a configuration that still contains it needs a new passwd set immediately.  Both hashes are produced by a fast, unsalted MD5-based scheme, so anyone who obtains a copy of the configuration can run a dictionary attack against them; treat the configuration file itself as sensitive.

You will see a hostname command which assigns the name of the firewall:

hostname host5

This is the name of the firewall and it also becomes part of the prompt when you are using the  CLI.  It is best to have it be called something neutral, and not have anything in the name that might identify the type of device.


The mtu command specifies the maximum transmission unit, the largest IP packet that will be sent through an interface without fragmentation.  An Ethernet frame carries up to 1500 bytes of payload (1514 bytes counting the 14-byte Ethernet header), so the default PIX configuration sets the mtu of each interface to 1500 bytes.  IP packets larger than this are broken up (fragmented) to fit, unless the sender has set the Don't Fragment bit, in which case they are dropped.

The pager command enables or disables screen paging.  For example pager lines 24 sets the screen size to 24 lines.  Any display that requires more than 24 lines will be paused each 24 lines so that nothing scrolls off the screen before it can be read.

The pdm command configures the parameters that are used when the firewall is accessed via the web browser.  This is usually done to set logging and history parameters.

The arp command is used to view and change the arp cache.  ARP is used to find the ethernet mac address of a particular ip address.  Normally we leave this parameter alone.  However the default configuration of the PIX firewall will set a time out value in seconds.  The default value used is 14400 seconds or 4 hours.

The ip audit command enables auditing using the built-in intrusion detection system (IDS) signatures.  The default configuration may include the following:

ip audit info action alarm
ip audit attack action alarm

These 2 commands indicate that if either an informational signature (info) or an attack signature is detected that an alarm will be reported to the syslog server.

The timeout command is used to configure how long resources are allowed to remain idle before they are timed out and reused.  Here are 3 common timeout commands:

timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:20:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

The timeout xlate is for an idle translation slot.  Here it is set to 5 minutes (HH:MM:SS).  The next timeout is for different types of connections and protocols: conn is an idle TCP connection, half-closed is a connection where one side has already sent its FIN, udp is an idle UDP "connection", and the remainder of the command covers specific protocols.  The uauth timeout sets how long cached user authentication credentials remain valid; absolute means the timer runs from the moment of login regardless of activity, whereas inactivity would restart it with each new connection.

The aaa-server command specifies AAA server groups which are used to segment different types of authentication traffic.  In this example the default settings are:

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

The http command enables the PIX firewall http server.  This is used for PDM access.  The commands are:

http server enable
http 192.168.1.0 255.255.255.0

The first command enables the http server, and the second controls the IP address(es) allowed to connect to it (an interface name may follow the mask; inside is assumed when it is omitted).  In this example any host on 192.168.1.0/24 can reach PDM.  It is better practice to list only the administrators' workstations with a 255.255.255.255 mask, because anyone who can reach the PDM login page can try passwords against it.

The snmp-server command specifies how PIX will utilize snmp.  Here are some typical commands:

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps

In SNMP, location and contact are informational fields.  In this example they are cleared with no snmp-server location and no snmp-server contact, which just means that when the PIX answers SNMP queries it reports no location or contact information.  The next command is a security field - the community.  The community string is effectively a password: an SNMP request is accepted only if it carries a community that matches.  The default of public is a well-known community name and should not be used!  Change it, and use snmp-server host to limit the management stations allowed to query the firewall.  The enable traps command lets the PIX send its messages to SNMP management stations on its own; in this case it is also disabled.

The floodguard enable command enables the PIX Flood Defender to assist during hacker attacks and busy server periods.  This allows resources that have been consumed by half-open connections to be quickly reclaimed.  This is useful during a denial of service attack, or even in an overly busy network.  The command used is:

floodguard enable

The sysopt command is used to configure PIX firewall security features.  For example:

no sysopt route dnat

This particular command, shown in its default disabled form, controls how destination translation interacts with the routing of incoming packets.

Pix is capable of using the telnet and ssh protocols.  They can be configured as the following shows:

telnet timeout 5
ssh timeout 5

These simple default commands indicate the amount of idle time, in minutes, before telnet and ssh management sessions are dropped.  Note that telnet sends the password across the network in cleartext, and that the PIX will not accept telnet on the outside interface at all unless the session arrives inside an IPsec tunnel; use ssh for management wherever you can, and restrict both services to specific management hosts with the forms of the telnet and ssh commands that take an address and mask.

The dhcpd command is used to configure the dynamic host configuration protocol (dhcp).  PIX is capable of providing dhcp support.  Here are some sample dhcpd commands:

dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside

The first dhcpd command sets the lease length for any IP addresses that the PIX hands out through DHCP.  The value is in seconds, so 3600 is one hour.  The ping_timeout is the number of milliseconds the PIX waits for a reply after pinging a candidate address before offering it; an address that answers is already in use and is skipped, which avoids duplicate-address conflicts.  The auto_config keyword tells the DHCP server to pass on the optional information (Windows Internet Naming Service (WINS) server, Domain Name System (DNS) server and domain name) that the PIX itself learned as a DHCP client on the named interface.  Here the PIX learns these values from the ISP on the outside interface and supplies them to the clients on the inside.

The terminal width command configures wrap around.  For example:

terminal width 80

This command indicates a terminal width of 80 characters and will format the display using those parameters.
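The management settings discussed in this section (enable password, passwd, http and telnet ranges, snmp community) are the ones most often left at weak defaults.  The following script is an added example, not part of the original article or any Cisco tool: it parses a PIX configuration listing and reports the weak settings.  The sample configuration is constructed from the lines shown above; the telnet and http host entries in it are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample, not a capture from a real firewall: the general-purpose
# lines discussed above, assembled into one configuration listing.  The
# telnet and http host entries are assumptions for the sake of the example.
SAMPLE_CONFIG = """\
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Git7QUt/ykhvVvkn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname host5
ip address outside 10.0.0.253 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
"""

# passwd hash a PIX ships with; it is the factory password "cisco".
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"
ADDR = r"(\d+\.\d+\.\d+\.\d+)"


def parse_config(text: str) -> List[str]:
    """Return the configuration statements, dropping blank and comment lines."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith((":", "!"))]


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> prefix length, e.g. 255.255.255.0 -> 24."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for weak management settings."""
    findings = []

    if not any(ln.startswith("enable password ") for ln in lines):
        findings.append(("high", "no enable password: privileged mode is unprotected"))

    passwd = [ln.split()[1] for ln in lines if ln.startswith("passwd ")]
    if not passwd:
        findings.append(("high", "no passwd: telnet/ssh login password is empty"))
    elif passwd[0] == DEFAULT_PASSWD_HASH:
        findings.append(("high", "passwd is the factory default 'cisco'"))

    for ln in lines:
        m = re.fullmatch(r"snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("high", f"snmp community '{m.group(1)}' is a well-known default"))

    # telnet/http management entries: "<proto> <addr> <mask> [<interface>]".
    for ln in lines:
        m = re.fullmatch(rf"(telnet|http) {ADDR} {ADDR}(?: (\S+))?", ln)
        if not m:
            continue
        proto, addr, mask, iface = m.groups()
        iface = iface or "inside"          # the PIX assumes inside when omitted
        prefix = mask_to_prefix(mask)
        if iface == "outside":
            findings.append(("high", f"{proto} management reachable from outside ({addr}/{prefix})"))
        elif prefix < 32:
            findings.append(("medium", f"{proto} management open to the whole range {addr}/{prefix}"))

    if any(re.match(r"telnet \d", ln) for ln in lines):
        findings.append(("medium", "telnet management enabled: password crosses the network in cleartext"))
    if not any(re.match(r"ssh \d", ln) for ln in lines):
        findings.append(("low", "no ssh management hosts configured"))
    return findings


def audit_sample() -> List[Tuple[str, str]]:
    """Audit the constructed sample above."""
    return audit(parse_config(SAMPLE_CONFIG))


if __name__ == "__main__":
    for severity, message in audit_sample():
        print(f"[{severity}] {message}")
```

Run it against the output of "write terminal" rather than "sh config", since the running configuration is the one the firewall enforces.  The checks are deliberately simple string matches; the point is that every one of these findings is visible in the listing itself, without any access to the device beyond reading its configuration.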

Controlling data flow through the firewall

The commands that we will use to control data flow through the PIX firewall are:

nameif
global
nat
static
route
access-list
access-group

The nameif command starts the process of allowing data to flow through the PIX firewall.  This command allows you to assign a name to an interface and also to assign a security level to it.  Expect to see several lines like:

nameif ethernet0 outside security0
nameif ethernet1 inside security100

You should see one line for each of your PIX interfaces.  In this example we have 2 ethernet interfaces, one designated as outside and one as inside.  Inside and outside are default names.  By default the inside interface will have a security level of 100 (most trusted) and outside will have a security level of 0 (least trusted).  Security levels are important to define traffic flow.  The basic rules are:

Interfaces at the same security level may not communicate with each other.
Interfaces may communicate from a higher security level to a lower security level.
Interfaces may NOT communicate from a lower security level to a higher security level (unless some other mechanism, namely a static translation together with an access list, permits it).  So, at this point we are allowing the higher security level to communicate with the lower security level, or we are allowing the inside network to communicate with the outside network.  Note that the outside network is not allowed to communicate with the inside network (low security level may not talk to high security level).

This is a good start, but usually we want to perform address translation.  This is done by the global and nat commands.  The global command sets the address or range of addresses on the outside interface that inside hosts are translated to.  With a range of addresses each inside host is given its own outside address (NAT, network address translation).  With a single address, or the keyword interface, many inside hosts share one outside address and are told apart by port number (PAT, port address translation).  Let's assume a simple case:

global (outside) 1 interface
global (outside) 1 10.0.0.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The first global command tells the PIX to use the IP address of the outside interface for port address translation.  The second global command adds the address 10.0.0.254 to the same translation group, 1.  The nat command identifies the inside addresses that belong to group 1; 0.0.0.0 0.0.0.0 means every address on the inside.  When a group contains both a pool address and a PAT address, the PIX hands out the pool address first and falls back to PAT on the interface address once the pool is exhausted, so with this configuration the first inside host to connect gets 10.0.0.254 to itself and everyone after it shares 10.0.0.253.  One caution: a global address must be an unused address on the outside network, and 10.0.0.254 is also the router's address in the route command below; in a real configuration choose an address the router does not use.

Now we need a method for the outside world to reach servers on the inside of the firewall.  This is done through static mappings.  For example:

static (inside, outside) 10.0.0.253 192.168.1.3 netmask 255.255.255.255 0 0

This command makes the inside server 192.168.1.3 reachable from the outside as 10.0.0.253; in other words it is a fixed translation from the lower security interface (outside, security level 0) to the higher one (inside, security level 100).  A static by itself only defines the translation; it does not permit any traffic, so the outside world still cannot reach the server until an access list allows it.  Also note that 10.0.0.253 is the address that was assigned to the outside interface earlier in this example; a plain static needs a spare address on the outside network, so in practice use an address other than the interface's own (or use port redirection to the interface address).

Next a default route must be established.  The route command will do this:

route outside 0.0.0.0 0.0.0.0 10.0.0.254 1   

This specifies a default route to the router which has the address of 10.0.0.254.  The metric 1 indicates that the router is 1 hop away.

The final item we need to do is open only the ports we want coming through our firewall.  The static command has defined how the server is addressed from outside, but nothing reaches it yet; an access-list must permit the traffic, and on the PIX the list is matched against the translated (global) address 10.0.0.253, not the server's inside address.  Here are the commands:

access-list 100 permit tcp any host 10.0.0.253 eq smtp
access-list 100 permit tcp any host 10.0.0.253 eq pop3

This permits incoming traffic to the server (10.0.0.253) only if it is SMTP (TCP port 25) or POP3 (TCP port 110).  Basically we are just allowing email traffic.  Every access-list ends with an implicit deny, so anything not matched by these two lines is dropped.

Next we configure these rules to the interface:

access-group 100 in interface outside

This binds the 2 access-list rules, which are both assigned to number 100, to the outside interface in the "in" direction, meaning they are applied to packets arriving from the outside world.  Once an access-group is bound to an interface, only traffic that the list permits enters through that interface.
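To make the interaction of security levels, nat/global, static and access-list concrete, here is an added example (not code from the original article or from Cisco) that models how the PIX decides whether a new connection is allowed, using the two-interface configuration built up in this section.  The decision order, the sample flows and the outside address 203.0.113.9 are assumptions made for the example; the rules themselves are the ones described above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def _in(net: str, ip: str) -> bool:
    """True when ip falls inside net ("any" matches everything)."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


@dataclass
class AclEntry:
    """One access-list line: action proto src dst [eq port]."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str               # "any" or address/prefix
    dst: str               # "any" or address/prefix; on a PIX this is the GLOBAL address
    port: Optional[int]    # destination port, None means any

    def matches(self, proto: str, src_ip: str, dst_ip: str, port: int) -> bool:
        return (self.proto in ("ip", proto)
                and _in(self.src, src_ip) and _in(self.dst, dst_ip)
                and (self.port is None or self.port == port))


@dataclass
class Pix:
    levels: Dict[str, int]                  # nameif: interface -> security level
    nat: Set[str]                           # interfaces covered by a nat statement
    statics: Dict[str, Tuple[str, str]]     # global address -> (inside interface, real address)
    acls: Dict[str, List[AclEntry]]         # access-list id -> entries, in order
    groups: Dict[str, str]                  # access-group: interface -> acl id ("in" direction)

    def evaluate(self, src_if, dst_if, src_ip, dst_ip, proto, port):
        """Decide whether a NEW connection entering on src_if may reach dst_if.
        Returns (allowed, reason).  Models the PIX 6.x rules described above."""
        if self.levels[src_if] == self.levels[dst_if]:
            return False, "interfaces at the same security level cannot communicate"
        inbound = self.levels[src_if] < self.levels[dst_if]

        # Step 1: a translation must exist for the flow.
        if inbound:
            if dst_ip not in self.statics or self.statics[dst_ip][0] != dst_if:
                return False, "no static translation for the destination"
            real = self.statics[dst_ip][1]
        else:
            if src_if not in self.nat:
                return False, "no nat statement covers the source interface"
            real = dst_ip

        # Step 2: an access-group bound inbound on the arrival interface is
        # evaluated first-match; no match means the implicit deny at the end.
        acl_id = self.groups.get(src_if)
        if acl_id is None:
            if inbound:
                return False, "static exists but no access-list permits the traffic"
            return True, "higher to lower security level, translated by nat/global"
        for entry in self.acls[acl_id]:
            if entry.matches(proto, src_ip, dst_ip, port):
                if entry.action == "permit":
                    return True, f"permitted by access-list {acl_id}, delivered to {real}"
                return False, f"denied by access-list {acl_id}"
        return False, f"no match in access-list {acl_id}: implicit deny"


def example_pix() -> Pix:
    """The two-interface configuration built up in this section."""
    return Pix(
        levels={"outside": 0, "inside": 100},
        nat={"inside"},                                      # nat (inside) 1 0.0.0.0 0.0.0.0 0 0
        statics={"10.0.0.253": ("inside", "192.168.1.3")},   # static (inside,outside) 10.0.0.253 192.168.1.3
        acls={"100": [AclEntry("permit", "tcp", "any", "10.0.0.253", 25),     # eq smtp
                      AclEntry("permit", "tcp", "any", "10.0.0.253", 110)]},  # eq pop3
        groups={"outside": "100"},                           # access-group 100 in interface outside
    )


if __name__ == "__main__":
    pix = example_pix()
    # Constructed sample flows; 203.0.113.9 stands in for an arbitrary outside host.
    for flow in [("outside", "inside", "203.0.113.9", "10.0.0.253", "tcp", 25),
                 ("outside", "inside", "203.0.113.9", "10.0.0.253", "tcp", 80),
                 ("outside", "inside", "203.0.113.9", "192.168.1.3", "tcp", 25),
                 ("inside", "outside", "192.168.1.20", "203.0.113.9", "tcp", 80)]:
        print(flow, "->", pix.evaluate(*flow))
```

Two things the model makes visible that the configuration listing alone does not: an outside host addressing the server by its inside address 192.168.1.3 is refused before any access-list is consulted, and removing the access-group (or the access-list) turns the static into a translation that nobody can use.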

Assisting the flow of protocols through the firewall

Not all protocols pass through the PIX firewall on their own.  This is not a shortcoming of the PIX.  Rather it is a consequence of PAT and NAT: address translation rewrites the address (and, for PAT, the port) in the IP and TCP headers, but some protocols also carry addresses and ports inside their payload (FTP's PORT command, for instance) or negotiate additional connections on dynamically chosen ports.  The firewall keeps the header translation straight, but the embedded addresses would still be the private ones and the additional connections would be blocked.  For those protocols, Cisco has included the fixup protocol command.

You will usually see several fixup protocol commands such as:

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 25

This is a typical list of protocols that would be expected to pass through the firewall.  The fixup protocol command tells the PIX which port each protocol uses and turns on application inspection for it: the PIX reads the protocol, rewrites embedded addresses and ports to match the translation in effect, and opens the secondary connections (and only those) that the protocol negotiated.  Some fixups also enforce the protocol; the smtp fixup (Mail Guard) restricts an outside sender to the minimal set of SMTP commands.  Here is a quick summary of what these protocols are:

Abbreviation - Protocol - Function
ftp - file transfer protocol - Transfer of files between hosts.
http - hypertext transfer protocol - Web page access.
h323 - ITU-T H.323 - Call setup and control signaling for voice and video conferencing.  Required by some applications, such as NetMeeting and VoIP.
rsh - remote shell - Command line access to a remote host.
rtsp - real time streaming protocol - Media on demand protocol for streaming media (audio, video, etc.).
sqlnet - Oracle SQL*Net - Used to connect Oracle clients to databases.
sip - session initiation protocol - Call setup signaling for VoIP sessions, including two party calls.
skinny - skinny client control protocol (sccp) - Used for IP telephony (VoIP) between Cisco IP phones and CallManager.
smtp - simple mail transfer protocol - Transfer of email between client and server or between server and server.
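FTP is the clearest case of why a fixup is needed: an active-mode client announces its own address and a data port inside the PORT command, and the server then connects back to that address.  The following added example (not code from the original article or from the PIX) shows what goes wrong behind PAT and what the ftp fixup does about it: it decodes the PORT command, allocates a translation for the embedded socket, rewrites the command with the global address, and reports the single inbound connection the firewall must now accept.  The PatTable class, the starting port of 1024 and the sample PORT command are assumptions made for the example.

```python
import re
from typing import Dict, Tuple

PORT_RE = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?")


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode an FTP 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port)."""
    m = PORT_RE.fullmatch(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    h = [int(x) for x in m.groups()]
    if max(h) > 255:
        raise ValueError("octet out of range")
    return ".".join(str(x) for x in h[:4]), h[4] * 256 + h[5]


def format_port_command(ip: str, port: int) -> str:
    """Encode (ip, port) back into the PORT wire format."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


class PatTable:
    """Minimal PAT (assumed for the example): every inside (ip, port) gets its
    own port on one global address, as 'global (outside) 1 interface' does."""

    def __init__(self, global_ip: str, first_port: int = 1024):
        self.global_ip = global_ip
        self.next_port = first_port
        self.xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate(self, ip: str, port: int) -> Tuple[str, int]:
        key = (ip, port)
        if key not in self.xlate:
            self.xlate[key] = (self.global_ip, self.next_port)
            self.next_port += 1
        return self.xlate[key]


def fixup_ftp_port(line: str, pat: PatTable) -> Tuple[str, dict]:
    """What the ftp fixup does with a PORT command from an inside client:
    translate the embedded private address/port, rewrite the command so the
    outside server connects to the global address, and return the pinhole
    (the single inbound TCP connection) the firewall must now accept."""
    real_ip, real_port = parse_port_command(line)
    global_ip, global_port = pat.translate(real_ip, real_port)
    rewritten = format_port_command(global_ip, global_port)
    pinhole = {"proto": "tcp", "to": (global_ip, global_port), "deliver": (real_ip, real_port)}
    # Not modelled: the rewritten command can differ in length from the
    # original, so the firewall must also adjust TCP sequence numbers on the
    # control channel for the rest of the session.
    return rewritten, pinhole


if __name__ == "__main__":
    # Constructed sample: inside client 192.168.1.3 opens data port 4001
    # (15*256+161) behind PAT on the outside address 10.0.0.253.
    pat = PatTable("10.0.0.253")
    command = "PORT 192,168,1,3,15,161\r\n"
    print("without fixup the server would try to connect to", parse_port_command(command))
    new_command, pinhole = fixup_ftp_port(command, pat)
    print("with fixup the server sees", new_command.strip(), "and the PIX opens", pinhole)
```

Without the rewrite the server is told to connect to 192.168.1.3:4001, a private address it cannot reach; with it the server connects to 10.0.0.253 on the allocated port, and only that connection is admitted from outside.  The same idea, with a different grammar, is what the other fixups listed above do for their protocols.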





Copyright Bill Etter 2002 all rights reserved
Last Revised September 23, 2002
For more information, contact billetter@networktechnologist.com
http://www.networktechnologist.com/neteng/pixbasics.htm