Note:
'//' means a comment, '>' means the command is typed in user EXEC mode, '#' means the command is typed in privileged EXEC mode.
Updating the image of the PIX Firewall using TFTP
// type 'reload' (or power up the firewall) and press Esc to interrupt the boot process
monitor>int eth0 (select the interface used to reach the TFTP server)
monitor>address 192.168.1.1 (set the IP address of the firewall)
monitor>gateway 192.168.1.2 (set the IP address of the default gateway)
monitor>ping 172.30.1.1 (do a ping test on the TFTP server first)
monitor>server 172.30.1.1 (set the IP address of the TFTP server)
monitor>file pixNNN.bin (set the image to load from the TFTP server)
monitor>tftp (start the TFTP download)
// it will reboot by itself
'Enter new activation key? [yes/no]:' N // image update process ended
Basic Configuration used in Cisco Firewall
#sh ver (show the version and configuration of the firewall)
(config)# en password Cisco (set the password to 'Cisco')
(config)# telnet 'local IP address of firewall' [range of IP addresses allowed]
(config)# hostname newname (change the name of the firewall to 'newname')
(config)# sh int (show the configuration of all the interfaces on the firewall)
Configuring an Ethernet Interface
(config)# nameif ethernet2 dmz sec50 (name ethernet2 'dmz' and set its security level to 50; highest is 100, lowest is 0)
(config)# int eth2 100full (set the speed and duplex of ethernet2)
(config)# ip address dmz 192.168.2.2 255.255.255.0 (assign this IP address to ethernet2, referenced by its name 'dmz')
Basic Flow of Traffic
Incoming traffic - definition -> from a low security level interface to a high security level interface
Outgoing traffic - definition -> from a high security level interface to a low security level interface
Commands applicable to incoming/outgoing traffic are:
NAT/Global -> outgoing traffic
Static/Conduit -> incoming traffic
NAT/Global/PAT
#sh xlate (show the NAT translation table)
#clear xlate (clear the NAT translation table)
(config)# nat (inside) 1 192.168.10.1 255.255.255.0 (assign this IP address or range of IP addresses to this nat_id, in this case 1)
(config)# global (outside) 1 192.168.1.20-192.168.1.254 (works together with the nat command: assigns a range of public/registered IP addresses to internal hosts when they access the outside network through the firewall)
(config)# global (outside) 1 eth0 (use the IP address of ethernet interface 0 and make full use of the unreserved ports on that interface; this is called Port Address Translation or PAT, and is similar to NAT)
(config)# route outside 0 0 192.168.1.1 1 (route all traffic to the outside network through the default gateway 192.168.1.1 with metric 1)
STATIC/CONDUIT
// static maps a local IP address to a global IP address
// a conduit permits a specific IP address and TCP/UDP/ICMP connection from an outside host to an inside host
(config)# static (inside,outside) 192.168.1.10 10.0.1.3 ('inside' is where your server is, 'outside' is where your server is being accessed from, '192.168.1.10' is the IP address of the server as seen from outside the firewall, '10.0.1.3' is the real IP address of the server)
(config)# static (inside,outside) 192.168.1.10 10.0.1.0 255.255.255.0 ('inside' is where your servers are, 'outside' is where they are being accessed from, '192.168.1.10' is the IP address seen from outside the firewall, '10.0.1.0 255.255.255.0' is the range of IP addresses of a group of servers)
(config)# conduit permit tcp host 192.168.1.10 eq ftp host 10.1.1.1 ('192.168.1.10' is the destination, '10.1.1.1' is the source)
Configuring a VPN
Step 1: Configure IKE Parameters
(config)# isakmp en outside (ensure IKE is enabled on the outgoing interface of the firewall)
(config)# isakmp policy 10 authentication pre-share (configure a basic IKE policy using pre-shared keys for authentication)
(config)# isakmp key cisco123 address 192.168.1.2 netmask 255.255.255.255 (set the secret key: 'cisco123' is the pre-shared key agreed between the two locations, '192.168.1.2' is the IP address of the other firewall)
Step 2: Configure IPSec Parameters
(config)# access-list 101 permit ip host 10.10.1.1 host 10.30.1.10 (create an access-list that selects the traffic to protect: '10.10.1.1' is our host in our network, '10.30.1.10' is their host in their network)
(config)# crypto ipsec transform-set pix2 esp-des ah-md5-hmac (create an IPSec transform set that uses ESP for encryption and AH for authentication; 'pix2' is the name of this transform set)
(config)# crypto map peer1 10 ipsec-isakmp (create crypto map entry 'peer1' with sequence number 10)
(config)# crypto map peer1 10 match address 101 (assign access-list 101 to the crypto map)
(config)# crypto map peer1 10 set peer 192.168.1.2 (define the peer: '192.168.1.2' is their firewall)
(config)# crypto map peer1 10 set transform-set pix2 (specify the transform set used to reach the peer; the name must match the set created above)
(config)# crypto map peer1 interface outside (apply the crypto map to the outside interface)
// crypto map - groups the entries that share a map name, ordered by sequence number, into one policy
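A crypto map entry only works if the transform set and access-list it names were actually defined, and a transform set built on DES or MD5 is weak by today's standards. The following Python check is an added example, not part of the original notes or any Cisco tool: it reads a constructed PIX-style snippet that mirrors the VPN section above (with the map deliberately pointing at an undefined set 'pix1' while only 'pix2' exists) and reports dangling references and weak transforms.

```python
import re

# Constructed sample mirroring the VPN section above. The crypto map
# deliberately points at transform set 'pix1' while only 'pix2' is defined.
SAMPLE_CONFIG = """
access-list 101 permit ip host 10.10.1.1 host 10.30.1.10
crypto ipsec transform-set pix2 esp-des ah-md5-hmac
crypto map peer1 10 ipsec-isakmp
crypto map peer1 10 match address 101
crypto map peer1 10 set peer 192.168.1.2
crypto map peer1 10 set transform-set pix1
crypto map peer1 interface outside
"""

# Transforms built on DES or MD5; both are considered weak today.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}
SET_TS = re.compile(r"^crypto map (\S+) (\d+) set transform-set (\S+)$")
MATCH_ACL = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

def audit_crypto(config: str) -> list:
    """Return human-readable findings for a PIX-style crypto config."""
    transform_sets = {}  # name -> list of transforms
    acls = set()         # access-list ids defined anywhere in the config
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # Pass 1: collect the objects that crypto map entries may reference.
    for line in lines:
        parts = line.split()
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[parts[3]] = parts[4:]
        elif parts[0] == "access-list":
            acls.add(parts[1])

    # Flag any defined transform set that relies on a weak algorithm.
    for name, transforms in transform_sets.items():
        weak = sorted(set(transforms) & WEAK_TRANSFORMS)
        if weak:
            findings.append(f"transform-set {name} uses weak transforms: {', '.join(weak)}")

    # Pass 2: crypto map entries whose references were never defined.
    for line in lines:
        m = SET_TS.match(line)
        if m and m.group(3) not in transform_sets:
            findings.append(f"crypto map {m.group(1)} {m.group(2)} references undefined transform-set {m.group(3)}")
        m = MATCH_ACL.match(line)
        if m and m.group(3) not in acls:
            findings.append(f"crypto map {m.group(1)} {m.group(2)} references undefined access-list {m.group(3)}")
    return findings
```

Run it against the output of 'write terminal' (or 'sh run') pasted into a file to catch a misspelt set name before the tunnel silently fails to come up.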
Test and Verify IPSec Configuration
(config)# sh isakmp (verify the IKE configuration)
(config)# sh isakmp policy (examine the IKE policies on the PIX firewall)
(config)# sh access-list (verify the crypto access-list)
(config)# sh crypto ipsec transform-set (verify the IPSec parameters are correct)
(config)# sh crypto map (verify the crypto map configuration is correct)
(config)# sh crypto ipsec sa (examine the IPSec security associations)
// For debugging purposes
(config)# debug crypto ipsec (debug IPSec negotiation)
(config)# debug crypto isakmp (debug IKE/ISAKMP negotiation)
// Done