Simple Change to a Cisco Pix Firewall Configuration


To the best of my knowledge the information in this document is accurate. If you find any errors, have any comments, additions, or just have questions, please feel free to contact me at billetter@networktechnologist.com.
This article describes how to change the default route in a Cisco Pix firewall configuration. The change was made to accommodate a switch from a wireless ISP to DSL. Because of the complexity of the Internet connection usage, it was decided to make this move in a series of well-timed phases. The phases for this project were:

Phase 1 - Proof of concept. Add the DSL connection in parallel to the existing wireless connection and perform some isolated Internet access tests.

Phase 2 - Switch the basic Internet access. This phase switches all corporate internal traffic from the wireless Internet connection to the DSL Internet connection. This article discusses the Pix configuration commands to accomplish this.

Phase 3 - Switch the email access. Because this company hosts its own email, it requires a static address which is published in Internet DNS as an MX record. This MX record must be moved from the public IP address on the wireless connection to a public IP address on the DSL connection, which requires setting up the proper DNS configuration with the web hosting provider. Once this has been done, the wireless connection can be dropped.

This article only addresses Phase 2.  Changing the default gateway of the Cisco Pix is a simple procedure.  It is accomplished with the following steps:

1.  Connect to the Pix firewall.

For this task, I accessed the Pix firewall through the command line interface (CLI). I did this using HyperTerminal, as I described in a previous article, "Understanding a Basic Cisco PIX Firewall Configuration", which can be found at www.networktechnologist.com. The communication parameters that I used were:

Com2
9600 Bits Per Second
8 Data bits
None for parity
1 Stop bit
Hardware flow control  

Once I completed this, I hit the <Enter> key and was rewarded with a prompt from the Pix firewall:

pixfirewall>

This is the unprivileged mode prompt of the firewall. In order to access the firewall configuration you must enter, or "enable", privileged mode.

2.  Put the Pix into privileged mode.

To enter privileged mode on the Pix, I use the command "enable":

pixfirewall> enable
Password: *********
pixfirewall#

The new prompt, which ends with "#" instead of ">", indicates that I am now in privileged mode.

3.  Put the Pix into change configuration mode.

To change the configuration use the command "configure terminal".

pixfirewall#  configure terminal
pixfirewall(config)#

The new prompt now has (config) embedded in it to indicate that the configuration may be changed.

4.  Verify the current configuration.

The command to show the configuration is "show configuration" or "sh config":

pixfirewall#  sh config

This will list the entire Pix configuration, one page at a time. To simplify the verification process, I configured HyperTerminal to capture text from the screen to a file. This is done from the "Transfer" menu, by selecting the "Capture Text" option. Then you can select a file to save the text to. When you are done, go to the same menu to "Stop" the text capture.

Now I have a written record of my Pix configuration that works.  This is critical if I need to go back to the original configuration for any reason.

5.  Make the required change.

The default gateway is part of the "route" command.  In my example the Pix was routing to the wireless connection on an IP address of 10.0.0.154.  The command in the configuration was:

route outside 0.0.0.0 0.0.0.0 10.0.0.254 1

This command is described in my article on understanding a basic Pix configuration. For our purposes, this command routes all outbound traffic to the IP address of 10.0.0.154.

The required change was to route all traffic to the DSL IP address of 10.0.0.150. Making the change is a two-step process: first the old command must be deleted, then the new command must be added.

To delete the old route use the "no route" command:

pixfirewall#  no route outside 0 0 10.0.0.254 1

This erases the "route outside 0.0.0.0 0.0.0.0 10.0.0.254 1" configuration.  Now the new configuration must be added.  This is done by issuing a new "route" command:

pixfirewall#  route outside 0 0 10.0.0.150 1

6.  Test the change.

Before committing the change to memory, it must be tested. Proper testing will make sure that all Internet use is still working. I used 3 tests to verify proper operation:

1.  Internet Access: I tested this by accessing websites on the Internet. To prove to myself that I was using DSL, I physically disconnected the wireless connection from the router.

2.  Receiving Email:  I reconnected the wireless connection and tested the ability to receive email.

3.  Sending Email:  The final test was to make sure that email could still be sent.

I did not save any changes until these tests had proven successful.

7.  Save the change to memory.

Now, although the change is operational, it has not been written to the Pix. It will be lost if the Pix should reboot for any reason. To save the change to flash memory, use the following command:

pixfirewall#  write memory

8.  Reboot the Pix.

Now we need to verify that the new saved configuration will work.  This is done by rebooting the Pix.  Do this with the following command:

pixfirewall#  reload

9.  Verify that Internet access and email are still working.

To complete the job, it is necessary to verify that everything is still working.  To do this, I went to several users and had them test web access and email access.

Note: you need to be very careful that you are completely testing the system. For instance, if you are testing production email, make sure that you are verifying that new email can be sent and received AFTER the changes have been made and saved. The best way to do this is to actually compose a test email and send it outside the firewall, and to compose an email outside the firewall and send it to an internal address. Currently there are several websites that will allow an administrator to create email on a webpage and send it to an internal address.
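The procedure above relies on the captured configuration from step 4 and the "no route" / "route" pair from step 5. As an added example that is not part of the original article, the following Python script parses a captured Pix configuration (a constructed sample, not the author's real file), normalises the "0" shorthand the article uses for 0.0.0.0, and generates the two commands needed to move the default gateway, refusing to guess if the backup does not contain exactly one default route.

```python
import ipaddress
import re

# Constructed sample of a config captured in step 4 (not the author's real file).
CAPTURED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.0.0.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
"""

# route <interface> <network> <mask> <gateway> <metric>
ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def expand(addr):
    """The Pix accepts '0' as shorthand for 0.0.0.0 (as in the article's
    'no route outside 0 0 ...'); normalise so both spellings compare equal."""
    return "0.0.0.0" if addr == "0" else str(ipaddress.IPv4Address(addr))


def parse_routes(config):
    """Return (interface, network, mask, gateway, metric) for each route line."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            iface, net, mask, gw, metric = m.groups()
            routes.append((iface, expand(net), expand(mask), expand(gw), int(metric)))
    return routes


def default_routes(config):
    """Only the 0.0.0.0 0.0.0.0 entries, i.e. the default gateway(s)."""
    return [r for r in parse_routes(config) if r[1] == "0.0.0.0" and r[2] == "0.0.0.0"]


def gateway_change_commands(config, new_gw):
    """Build the 'no route' / 'route' pair from step 5 for the captured config.
    Refuses to guess when the config has zero or several default routes, so
    the operator checks the backup instead of deleting the wrong entry."""
    defaults = default_routes(config)
    if len(defaults) != 1:
        raise ValueError("expected exactly one default route, found %d" % len(defaults))
    iface, _, _, old_gw, metric = defaults[0]
    new_gw = expand(new_gw)
    if old_gw == new_gw:
        return []  # already pointing at the new gateway, nothing to change
    return ["no route %s 0.0.0.0 0.0.0.0 %s %d" % (iface, old_gw, metric),
            "route %s 0.0.0.0 0.0.0.0 %s %d" % (iface, new_gw, metric)]
```

Running the same function against a capture taken after the change, with the old gateway as the target, yields the rollback pair that step 4's backup is meant to make possible.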



Copyright Bill Etter 2003 all rights reserved
Last Revised March 5, 2003
For more information, contact billetter@networktechnologist.com
http://www.networktechnologist.com/neteng/simplepixchange.html