
Chapter 2

Configuring the PIX Firewall


You can configure the PIX Firewall by entering commands on your console computer or terminal that are similar in context to those you use with Cisco IOS technology.

Note  All commands described in this chapter are explained fully in Chapter 3, Command Reference. Before starting to configure the PIX Firewall, read Installing PIX Firewall and PIX10000 for important information about how to configure a terminal or workstation to act as the PIX Firewall console. You cannot configure the PIX Firewall without an external console to enter the commands. In addition, read the current PIX Firewall release notes for the latest information about new features, command changes, and usage notes.

PIX Firewall Command Line


The following sections provide preliminary information about use of the PIX Firewall command line interface.

Access Modes
The PIX Firewall contains a command set based on Cisco IOS technologies, which provides three administrative access modes:

Unprivileged mode is available when you first access the PIX Firewall and displays the > prompt. This mode lets you view restricted settings.

Privileged mode displays the # prompt and lets you change current settings. Any unprivileged command also works in privileged mode. Use the enable command to start privileged mode and the disable or ^z commands to exit.

Configuration mode displays the (config)# prompt and lets you change system configurations. All privileged, unprivileged, and configuration commands work in this mode. Use the configure terminal command to start configuration mode and the ^z command to exit.

Configuring the PIX Firewall 2-1


Help Information
Help information is available from the PIX Firewall command line by entering help or a question mark to list all commands, or after a command to list command syntax; for example, arp ?. The number of commands listed when you use the question mark or help command differs by access mode: unprivileged mode offers the fewest commands and configuration mode offers the greatest number of commands. In addition, you can enter the clear, no, and show commands by themselves on the command line and then press Enter to view the commands that start with these keywords.

Abbreviating Commands
You can abbreviate most commands down to the fewest unique characters for a command; for example, you can enter wr t to view the configuration instead of entering the full command write terminal, or you can enter en to start privileged mode and co t to start configuration mode. In addition, you can enter 0 instead of 0.0.0.0.

Command Line Editing


You can use the following commands to edit or view previously entered commands:

View the last 10 entered commands with the history command
View a previously entered command with ^p or !!
View a specific command with !number; for example, to view line 9, enter !9
View the next command with ^n
Redisplay the line with ^r or ^l
Erase the current line with ^u
Erase the word to the left of the cursor with ^w
Change a word in the line with this syntax: ^old_word^new_word

If you are using a VT100-compatible terminal, such as HyperTerminal with Windows 95 or Windows NT, the up and down arrow keys have the same effect as ^p and ^n. In addition, the left arrow key works as a backspace. The command line history consists of 10 lines in a circular buffer. When you enter the 11th command, it replaces the first entered and so on. When you are at the first line in the history and enter ^n, the 10th line appears.

2-2 PIX Firewall Series Configuration Guide


Command Dependencies
The following commands must be used together:

If You Use This Command:            You Need to Use This Command Next:
aaa authentication                  aaa authorization
link                                linkpath and age
nat                                 global
outbound                            apply
radius-server or tacacs-server      aaa authentication
static                              conduit
syslog host                         syslog output

Command Output Paging


On commands such as help or ?, show, show xlate, or other commands that provide long listings, you can determine if the information displays a screenful and pauses, or lets the command run to completion. The pager command lets you choose the number of lines to display before the More prompt appears. When paging is enabled, the following prompt appears:
<--- More --->

The More prompt uses syntax similar to the UNIX more command:

To view another screenful, press the Space bar.
To view the next line, press the Enter key.
To return to the command line, press the q key.

Port Names

The following literal names can be used instead of a numerical port value in command lines: dns, ftp, h323, http, ident, ipsec, nntp, ntp, pop2, pop3, pptp, rpc, smtp, snmp, snmptrap, sqlnet, telnet, tftp. You can specify literals in port ranges; for example, ftp-h323.

Recommended IP Addresses
When you create an internal network, we recommend that you use one of the following address groups for hosts reserved by the Network Working Group (RFC 1918) for use with private network addressing:

Class A: 10.1.1.1 to 10.254.254.254
Class B: 172.16.1.1 to 172.31.254.254
Class C: 192.168.1.1 to 192.168.254.254



Configuring the PIX Firewall


Configuring the PIX Firewall consists of the following steps:

Step 1  Read Installing PIX Firewall and PIX10000 before starting to install your software and prepare a terminal for use as the console.

Step 2  Enter configuration mode by entering the enable command in unprivileged mode and the configure terminal command in privileged mode. The enable command does not require an initial password, so press the Enter key at the password prompt. The prompts should appear as follows:

    pixfirewall> enable
    Password:
    pixfirewall# configure terminal
    pixfirewall(config)#

Step 3  Initially configure the PIX Firewall using the commands described in the section that follows, Initially Configuring the PIX Firewall.

Step 4  Change the default privileged mode password with the enable password command.

Step 5  Monitor the network interface traffic with the show interface command. If both interfaces show that packets are input and output, then the firewall is functioning. If not, ensure that the interface and route commands are specified correctly.

Step 6  Use the ping command as described in Testing the Configuration to ensure that hosts on the inside and outside of the network are visible to the firewall.

Note  You cannot ping the PIX Firewall's own network interfaces.

Step 7  Configure the following tasks, which are described in greater detail later in this chapter:

Establish outbound access: The initial configuration described in the next section permits all inside hosts to start outbound connections. When you expand your configuration, you can tailor outbound access to fit your security policy with access control lists and by determining which IP addresses users have access to on outbound connections.

Establish inbound access to servers: Most networks have at least one server inside the firewall that outside users need to access, including the email delivery host, a web site, or FTP, Telnet, or any of the other services that you want to make available in keeping with your security policy.

Determine user authentication and authorization: Without user authentication and authorization, your network can be protected but not given the measure of security possible when users must prove who they are and the system determines what they can access.

Step 8  Use ^z to exit configuration mode and return to privileged mode. From privileged mode, use the disable command or ^z to return to unprivileged mode. The command prompt changes for each mode.



Initially Configuring the PIX Firewall


Access configuration mode and enter the commands that follow to initially configure the firewall. Enter the initial configuration as:

    1  interface ethernet0 auto
    2  interface ethernet1 auto
    3  ip address inside ip_address netmask
    4  ip address outside ip_address netmask
    5  nat (inside) 1 0.0.0.0
    6  global (outside) 1 ip_address-ip_address
    7  route inside 0 0 inside_default_router_ip_address
    8  route outside 0 0 outside_default_router_ip_address
    9  write memory

Note  These commands complete the initial configuration so that inside users can start connections and outside users cannot access the inside network. When you complete these commands, move to Testing the Configuration to verify network connectivity.

Command Explanations

Lines 1 and 2 let you specify the type of network interfaces installed on your firewall. These are either Ethernet or Token Ring. For Ethernet interfaces, replace hardware_id with ethernet0 for the outside network, ethernet1 for the inside network, and so on. For Token Ring interfaces, replace hardware_id with token0 for the outside network, token1 for the inside network, and so on. Insert one interface statement for each network interface on your PIX Firewall.

The auto keyword in lines 1 and 2 can only be used with the Intel 10/100 automatic speed sensing network interface card, which shipped with the PIX Firewall in units manufactured after November 1996. If your system contains 3Com Ethernet boards, replace auto with 10baseT or any of the derivations shown on the interface command page in Chapter 3, Command Reference. If your system contains Token Ring boards, replace auto with either 4mbps or 16mbps.

Lines 3 and 4 assign the IP addresses to the network interface cards. The inside address can be any unique address available on the inside network.

The nat statement in line 5 lets all inside users start outbound connections and provides name address translation (described in Providing Outbound Access). If letting all inside users start outbound connections does not agree with your security policy, you can create access control lists with the outbound command and the apply command. Refer to the outbound command page in Command Reference for more information.

Line 6 creates a pool of global addresses that inbound connections can use when the internal address is translated to an external address. If the external network connects to the Internet, specify the global command with a NIC-registered address. If the external network is an intranet, use IP addresses for that network. The global statement lets nat group 1 use the pool of global addresses. Enter a class address such as this example address of 192.168.42.1-192.168.42.254 to assign IP addresses 192.168.42.1 through 192.168.42.254. Alternatively, you can enter a single IP address for use with the Port Address Translation (PAT) feature, which lets one IP address handle up to 64,000 inside hosts, provided none use multimedia applications.

Lines 7 and 8 let you assign default routes to the inside and outside network interfaces. If your system lets routers advertise default routes using the RIP protocol, these lines can be omitted.

Line 9 writes the current configuration to flash memory.



Testing the Configuration


Note  Before starting to test your configuration, flush the ARP caches on any routers that feed traffic into or from the PIX Firewall and between the firewall and the Internet. For Cisco routers, use the clear arp command to flush the ARP cache.

Ensure that the IP addresses for any network interface are not the same as those in the pool of global addresses created with the global command, those assigned as default routes, or the global addresses you specify for the static or mailhost commands.
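Two of the rules in this chapter lend themselves to an automated check before a configuration is loaded: the companion commands in the Command Dependencies table, and the rule above that an interface address must not reappear in the global pool, as a default route gateway, or as the global address of a static or mailhost command. The Python script below is an added example, not Cisco code and not from this guide; the configuration it lints is constructed and contains two deliberate mistakes, and the line syntax it parses is limited to the command forms shown in this chapter.

```python
import ipaddress
import re

# Constructed sample configuration (not taken from the page). It contains two
# deliberate problems: the global pool includes the outside interface address,
# and an outbound list is configured without the apply command it depends on.
SAMPLE_CONFIG = """\
interface ethernet0 auto
interface ethernet1 auto
ip address inside 10.1.1.1 255.0.0.0
ip address outside 204.31.17.10 255.255.255.0
nat (inside) 1 0.0.0.0
global (outside) 1 204.31.17.10-204.31.17.20
route inside 0 0 10.1.1.254
route outside 0 0 204.31.17.1
outbound 1 deny 0 0 80
static (inside, outside) 204.31.17.30 10.1.1.3
conduit (inside, outside) 204.31.17.30 80 tcp 0 0
"""

# Companion commands, transcribed from the Command Dependencies table in this chapter.
DEPENDENCIES = {
    "aaa authentication": ("aaa authorization",),
    "link": ("linkpath", "age"),
    "nat": ("global",),
    "outbound": ("apply",),
    "radius-server": ("aaa authentication",),
    "tacacs-server": ("aaa authentication",),
    "static": ("conduit",),
    "syslog host": ("syslog output",),
}


def parse_config(text):
    """Return (raw_line, tokens) for every non-empty line of a configuration."""
    return [(line.strip(), line.split()) for line in text.splitlines() if line.strip()]


def starts_with(tokens, command):
    """True when a line begins with the given command words as whole tokens,
    so that 'linkpath' is not mistaken for 'link'."""
    words = command.split()
    return tokens[:len(words)] == words


def check_dependencies(config):
    """Report every command from the dependency table whose companion is absent."""
    problems = []
    for command, companions in DEPENDENCIES.items():
        if not any(starts_with(t, command) for _, t in config):
            continue
        for companion in companions:
            if not any(starts_with(t, companion) for _, t in config):
                problems.append(f"'{command}' is configured but '{companion}' is missing")
    return problems


def parse_range(spec):
    """Expand 'a.b.c.d' or 'a.b.c.d-e.f.g.h' into a set of IPv4 addresses."""
    if "-" in spec:
        low, high = (int(ipaddress.IPv4Address(p)) for p in spec.split("-", 1))
        return {ipaddress.IPv4Address(i) for i in range(low, high + 1)}
    return {ipaddress.IPv4Address(spec)}


def check_interface_addresses(config):
    """Flag an interface address that also appears in a global pool, as a default
    route gateway, or as the global address of a static or mailhost command."""
    interfaces, reserved = {}, {}
    for line, t in config:
        if starts_with(t, "ip address"):
            interfaces[t[2]] = ipaddress.IPv4Address(t[3])
        elif starts_with(t, "global"):
            for addr in parse_range(t[3]):
                reserved.setdefault(addr, f"global pool in '{line}'")
        elif starts_with(t, "route") and t[2] in ("0", "0.0.0.0"):
            reserved.setdefault(ipaddress.IPv4Address(t[4]), f"default route gateway in '{line}'")
        elif starts_with(t, "static") or starts_with(t, "mailhost"):
            match = re.search(r"\)\s*(\S+)", line)  # first token after "(inside, outside)"
            if match:
                reserved.setdefault(ipaddress.IPv4Address(match.group(1)),
                                    f"{t[0]} global address in '{line}'")
    return [f"{name} interface address {addr} is also used as {reserved[addr]}"
            for name, addr in interfaces.items() if addr in reserved]


def lint(text):
    """Run both checks and return the combined list of findings."""
    config = parse_config(text)
    return check_dependencies(config) + check_interface_addresses(config)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the unapplied outbound list and the outside interface address sitting inside the pool; after narrowing the pool and adding the apply line, lint() returns an empty list.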



Step 4  Use the PIX Firewall ping command to test the firewall's ability to reach hosts on each network interface. Note that the PIX Firewall ping command cannot test the firewall's inside or outside network interfaces or any of its global addresses. When you ping from a host other than the firewall, view information about the ping with the trace debug on command. Run these tests with ping:

(a)  See if you can ping hosts on the inside network. If not, move to a host on the inside network and use that host's ping command to test the inside network interface port on the PIX Firewall from a host on the inside network. If this does not work, the problem is on your internal network.

(b)  From the inside host, try pinging another host on the same segment; for example, C to D in Figure 2-1. If you cannot, the problem is on the inside network and not with the PIX Firewall. Check the routing setup on the internal network(s) and the default gateways for the problem, if RIP listening is not in effect. If a router is present on the inside network, hosts on the inside segment must have gateways pointing to the router, and the router must point to the PIX Firewall. For example, the default routes for C and D must point to Router 2, and the default route for Router 2 must point to the PIX Firewall.

(c)  Ping a host on the outside interface. If this does not work, move to a host on that interface and repeat the procedure in Step (b) for the outside network. If present, ping the perimeter interface in the same manner.

Configuring with the PIX Firewall Manager

The Java-based PIX Firewall Manager lets you manage multiple PIX Firewall units from an inside Windows NT Server version 4.0 workstation. Remote PIX Firewall units can also be managed if Private Link is configured on each firewall. Use the commands in the Initially Configuring the PIX Firewall section to prepare the PIX Firewall prior to use. Then use the PIX Firewall telnet command to permit access to the PIX Firewall from the Windows NT server running PIX Firewall Manager. The syntax for the telnet command is:

    telnet local_ip mask

The local_ip parameter is the IP address of the Windows NT server running PIX Firewall Manager. The mask parameter is the network mask that specifies which hosts can access the PIX Firewall console with Telnet. Use 255.255.255.255 to limit Telnet console access to a single host or 255.255.255.0 to permit all hosts on the local network to access the console. Refer to the PIX Firewall Manager Version 4.1 Release Notes for more information about configuring the PIX Firewall Manager.



Providing Outbound Access


Before providing outbound access to inside hosts, you need to consider the following security issues:

Which outside IP addresses do you want outbound connections to be able to use for access to the Internet?
Are there any services you want to restrict outbound users from accessing?
Are there any inside hosts that need to be restricted from starting outbound connections?
Are there any sites that you want to prevent users from accessing?
Do you want to deny Java applet use to inside users?

To configure outbound access:

Step 1  To let all inside hosts start outbound connections, use the nat 1 0.0.0.0 command. NAT stands for name address translation, which shields IP addresses on the inside network from the outside network. The nat 1 0.0.0.0 command enables name address translation and lets all hosts (specified as 0.0.0.0) start outbound connections. The nat command can also specify single hosts or ranges of hosts, to make access more selective. Use the nat command to specify which hosts can start outbound connections. Then use the global command to create a pool of global addresses and specify which nat statements can use the address pool.

Inherent in the use of nat is the idea of address translation, which means that no matter what numbering scheme is present on the inside or perimeter networks, the only IP addresses visible on the outside of the firewall are those in the address pool created by the global command, those defined by the static command, or those defined by the mailhost command. Address translation protects your inside and perimeter hosts from intruders on the outside network. The following commands let hosts 10.1.2.1 through 10.1.2.254 (because the 10.1.2.0 address actually means 10.1.2.1 through 10.1.2.254) create outbound connections and then assign the global addresses 204.31.17.1 through 204.31.17.254 in a pool to accommodate the outbound connections:

    nat (inside) 2 10.1.2.0 255.255.255.0
    global (outside) 2 204.31.17.1-204.31.17.254

The number to the right of the (interface) specication in the global command is the nat_id_set, which lets you specify which nat statements are permitted to access the global addresses in the pool. When more than two interfaces are present, this value lets you choose which nat statements can access which external interface.
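To make the nat_id pairing concrete, here is an added Python model (not PIX code and not from this guide) of how a nat statement selects inside hosts and how the global entries carrying the same nat_id supply their outside addresses. It also covers the nat 0 case from Step 4 and the single-address PAT global described under Command Explanations. The configuration fragment is constructed, and two behaviours are assumptions of the model rather than statements of this page: the most specific matching nat statement wins when several match, and pool addresses are handed out before the PAT address is shared.

```python
import ipaddress

# Constructed configuration fragment (not from the page). Hosts on 10.1.2.0/24
# use nat_id 2 with a three-address pool plus one PAT address; every other
# inside host falls under nat_id 1, which has only a PAT address; the
# NIC-registered inside network 204.31.18.0/24 is left untranslated with nat 0.
SAMPLE_NAT = """\
nat (inside) 2 10.1.2.0 255.255.255.0
nat (inside) 1 0.0.0.0
nat (inside) 0 204.31.18.0 255.255.255.0
global (outside) 2 204.31.17.1-204.31.17.3
global (outside) 2 204.31.17.4
global (outside) 1 204.31.17.5
"""


def expand(token):
    """The CLI accepts 0 as an abbreviation for 0.0.0.0."""
    return "0.0.0.0" if token == "0" else token


class Translator:
    """Model of how nat and global statements pair up through the nat_id."""

    def __init__(self, config_text):
        self.nats = []      # (network, nat_id)
        self.pools = {}     # nat_id -> pool addresses in configured order
        self.pat = {}       # nat_id -> single PAT address
        self.xlate = {}     # inside host -> outside address currently assigned
        for line in config_text.splitlines():
            t = line.split()
            if not t:
                continue
            if t[0] == "nat":
                # nat (inside) nat_id address [netmask]; a missing mask means 0.0.0.0
                mask = expand(t[4]) if len(t) > 4 else "0.0.0.0"
                network = ipaddress.IPv4Network((expand(t[3]), mask), strict=False)
                self.nats.append((network, int(t[2])))
            elif t[0] == "global":
                nat_id = int(t[2])
                if "-" in t[3]:
                    low, high = (int(ipaddress.IPv4Address(p)) for p in t[3].split("-", 1))
                    self.pools.setdefault(nat_id, []).extend(
                        ipaddress.IPv4Address(i) for i in range(low, high + 1))
                else:
                    self.pat[nat_id] = ipaddress.IPv4Address(t[3])  # single address: PAT

    def outside_address(self, inside_host):
        """Return the address this host is seen as on the outside interface."""
        host = ipaddress.IPv4Address(inside_host)
        if host in self.xlate:
            return self.xlate[host]
        # Assumption of this model: the most specific matching nat statement wins.
        matches = [(net.prefixlen, nat_id) for net, nat_id in self.nats if host in net]
        if not matches:
            raise ValueError(f"{host} is not covered by any nat statement")
        nat_id = max(matches)[1]
        if nat_id == 0:
            return host                      # nat 0: the address passes untranslated
        in_use = set(self.xlate.values())
        free = [a for a in self.pools.get(nat_id, []) if a not in in_use]
        if free:
            chosen = free[0]                 # one pool address per inside host
        elif nat_id in self.pat:
            chosen = self.pat[nat_id]        # pool exhausted: hosts share the PAT address
        else:
            raise RuntimeError(f"no free global address for nat_id {nat_id} and no PAT address")
        self.xlate[host] = chosen
        return chosen


if __name__ == "__main__":
    t = Translator(SAMPLE_NAT)
    for h in ("10.1.2.1", "10.1.2.2", "10.1.2.3", "10.1.2.4", "10.1.2.5", "10.1.3.7", "204.31.18.9"):
        print(h, "->", t.outside_address(h))
```

The fourth and fifth hosts of 10.1.2.0/24 both map to 204.31.17.4 because the three-address pool is exhausted and the PAT address absorbs the rest, while 204.31.18.9 is returned unchanged because the /24 nat 0 entry is more specific than the catch-all nat 1.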
Step 2  By default, whichever inside hosts you let start outbound connections can use all services during the outbound connection. You can expand this capability with access control lists that let you do the following:

Deny or permit access to certain services
Restrict or permit access from an inside address or access to an outside address
Restrict use of Java applets on outbound web access

Use the outbound and apply commands to create access control lists. The following commands deny outbound web access and permit a group of hosts access:

    outbound 1 deny 0 0 80
    outbound 1 permit 10.1.2.1-10.1.2.10 255.255.255.255 80
    outbound 1 deny 10.1.2.5 255.255.255.255 java
    apply (inside) 1 outgoing_src



The first outbound command denies web access to all inside hosts. The next outbound command permits hosts 10.1.2.1 through 10.1.2.10 access to the web. The third outbound command specifies that for host 10.1.2.5, this user is not permitted to execute Java applets on the inside network. The apply command indicates that the access control list pertains to inside hosts starting outbound connections.
Step 3  If you want a specific IP address to always be used for outbound access, you can use the static command to map a global IP address to a local IP address.

Step 4  Another feature for outbound connections is the ability to control which IP addresses are visible on the outside. The nat 0 command lets you disable address translation so that inside IP addresses are visible on the outside without address translation. Use of nat 0 depends on your security policy.

    nat 0 0 0

The last two zeros are abbreviations for 0.0.0.0. By itself, nat 0 lets all inside IP addresses start connections on the outside without address translation. If you want these same addresses to be visible on the outside, then you need to use nat 0 in conjunction with the static command described in the next section. The following commands let a group of inside NIC-registered addresses be visible on the outside without translation:

    static (inside, outside) 204.31.17.0 204.31.17.0
    conduit (inside, outside) 204.31.17.0 0 tcp 10.1.1.0 255.255.255.0

Step 5  Another aspect of address translation is the ability to have addresses on the internal network be NIC-registered addresses but not visible on the outside. In this case, users may eventually need to access an IP address on the outside that is also being used as an inside address. You can use the alias command to create an alternate address for the address on the outside so that users can access the outside address transparently by domain name or explicitly by specifying the alternate IP address instead of the outside IP address.

Refer to Chapter 3, Command Reference for more information about each command and additional examples.

Providing Access to Inside Servers and to a Mail Server


By default, the PIX Firewall prevents all outside connections from accessing inside servers. If your security policy requires that outside users access inside servers, use the static command to specify which NIC-registered IP addresses are visible on the outside for users to access and use the conduit command to specify which services users can access on the servers. Whenever you permit outside users to access your network, you should establish a user authentication and authorization system as described in the next section. Without it, your network is only as secure as the inside server. For many networks, this risk is too great. An exception to the use of static and conduit is provided for SMTP mail hosts, which require additional security from attacks. The mailhost command takes the place of the static and conduit



Providing User Authentication


User authentication and authorization starts with your security policy and the respective inside RADIUS or TACACS+ server that you have. Authentication determines whether a user has access to the inside or outside network. Authorization determines what services a user can use to access a host. From the configuration on this server you need to determine which users can access the network, which services they can use, and what hosts they can access. Once you have this information, you can configure the PIX Firewall to either enable or disable authentication or authorization. In addition, you can also configure the firewall to permit users access to specific hosts or services. However, if you configure the firewall to this degree, you risk the information being different between the authentication server and the firewall. After you enable authentication and authorization, the PIX Firewall provides credential prompts to inbound or outbound users for FTP, Telnet, or HTTP (web) access. The actual decision about who can access the system and with what services is handled by the authentication and authorization servers. To provide user authentication and authorization:
Step 1  For inbound authentication, create the static and conduit statements required to permit outside hosts to access servers on the inside network. This is described in Providing Outbound Access.

Step 2  If the external network connects to the Internet, create a global address pool of NIC-registered IP addresses, or if the network connects to an intranet, a pool of those addresses with the global command. Then specify which inside hosts can start outbound connections with the nat command and with the access control list features found in the outbound and apply commands. This is described in Providing Access to Inside Servers and to a Mail Server.

Step 3  Specify which server handles authentication or authorization with the radius-server or the tacacs-server commands. RADIUS can provide authentication but not authorization.

Step 4  Enable authentication with the aaa authentication command. It is best to use this command only to enable authentication with one or both of the following commands:

    aaa authentication any outbound 0 0 tacacs+
    aaa authentication any inbound 0 0 tacacs+

In these commands, if the server is RADIUS, use radius instead of tacacs+. While the aaa authentication command lets you specify hosts that can be authenticated or specific hosts, if you implement this level of management in the firewall, you run the risk that your authentication server and the firewall can have different information. For example, if the authentication server is only accepting Telnet logins and you set the firewall for FTP, no users will be authenticated.

Step 5  Enable authorization with the aaa authorization command. Even though this command lets you specify which services and inside hosts an authorized user can access, it is best not to set that here and only use this command to enable authorization. The authorization server should make the decision. Use one or both of the following commands:

    aaa authorization (inside) any outbound 0 0
    aaa authorization (inside) any inbound 0 0



Sample Configuration
The configuration that follows provides an overview of how the various commands are used to create a configuration. This configuration shows the use of PAT (port address translation), denying Java applets, using the AAA commands, creating a mail host, permitting NFS, initializing SNMP, and setting console access with Telnet and HTTP.

[Figure 2-2  Configuring Multiple Features (figure S6247). Network diagram; the labels recoverable from the figure are: Internet; Intel Internet Phone 204.31.17.12; 204.31.17.1; PIX Firewall; DMZ 204.31.17.42; Global pool 204.31.17.25-27; 204.31.17.28 (PAT); 204.31.18.0; 10.1.1.12; RIP; NT SNMP 3.3.3.1; 10.0.0.2; 10.1.1.3; 10.1.1.11; Sun; Mail host; BSDI; BSDI; NT TACACS+ server.]

The configuration is as follows:

     1  syslog output 20.7
     2  no syslog console
     3  syslog host 10.1.1.11
     4  nameif ethernet0 inside security100
     5  nameif ethernet1 outside security0
     6  interface ethernet0 auto
     7  interface ethernet1 10baset
     8  ip address inside 10.1.1.1 255.0.0.0
     9  ip address outside 204.31.17.10 255.255.255.0
    10  arp timeout 6400

Line 1 sets SYSLOG to send all possible messages to the SYSLOG host in line 3. Line 2 disables displaying messages to the console. Lines 4 and 5 specify the names and security levels for the inside and outside interfaces. This command is not necessary for firewalls with two network interfaces but is a good practice to specify in the event that another interface is added later. Lines 6 and 7 establish that the network interfaces are Ethernet and specify their line speed. Lines 8 and 9 assign IP addresses and the subnet mask to each interface. Line 10 sets an ARP timeout to 6,400 seconds (one hour and 45 minutes). This is useful when you are setting up a network and changing inside and outside host addresses often.


    11  nat (inside) 3 3.3.3.0 255.255.255.0
    12  nat (inside) 1 10.0.0.0 255.0.0.0
    13  global (outside) 1 204.31.17.25-204.31.17.27
    14  global (outside) 1 204.31.17.28
    15  global (outside) 3 204.31.18.1-204.31.18.254
    16  outbound 11 deny 3.3.3.3 255.255.255.255 1720
    17  outbound 10 deny 0 0 80
    18  outbound 10 permit 3.3.3.3 255.255.255.255 80
    19  outbound 10 deny 3.3.3.3 255.255.255.255 java
    20  outbound 11 permit 10.1.1.11 255.255.255.255 80
    21  apply (inside) 10 outgoing_src
    22  apply (inside) 11 outgoing_src

Lines 11 and 12 let you specify address translation for internal hosts starting outbound connections. Lines 13 to 15 create two pools of global addresses to let the nat statements use the address pools for translating internal IP addresses to external addresses. The global command in line 14 specifies an IP address for port address translation (PAT) so that up to 64,000 hosts can share this PAT address. Lines 16 to 19 create access lists to determine which hosts can access services. Line 16 denies host 3.3.3.3 access to H323 (port 1720) services such as MS NetMeeting or InternetPhone. Line 17 denies all hosts from accessing the web (port 80). Lines 18 and 19 let host 3.3.3.3 use the web, but deny its users from downloading Java applets. Line 20 permits host 10.1.1.11 access to the web (at port 80) and to download Java applets. This permit statement outweighs the previous deny regardless of the order in which the statements are entered into the configuration. Lines 21 and 22 specify that the access lists in lines 16 to 20 pertain to connections started on the inside network to access outside services.

    23  no rip outside passive
    24  no rip outside default
    25  rip inside passive
    26  rip inside default
    27  route outside 0 0 204.31.17.1 1
    28  route outside 171.69.74.25 255.255.255.255 204.31.17.2 1
    29  tacacs-server host 10.1.1.12 1q2w3e
    30  aaa authentication (inside) any outbound 3.3.3.3 255.255.255.255 tacacs+
    31  aaa authorization (inside) any outbound 3.3.3.3 255.255.255.255
    32  static (inside, outside) 192.150.50.0 3.3.3.0
    33  conduit (inside, outside) 192.150.50.0 h323 tcp 0 0

Lines 23 and 24 disable outside interface RIP listening and broadcasting of a default route. Lines 25 and 26 enable inside interface RIP listening and broadcasting of a default route. Line 27 sets the outside default route to 204.31.17.1. (0 is an abbreviation for 0.0.0.0.) Line 28 creates an additional static route for the outside interface. Lines 29 to 31 establish outbound connection authentication and authorization using TACACS+. Line 32 creates a net static. A net static is a static statement for a class IP address, in this case for IP addresses 192.150.50.1 through 192.150.50.254. Line 33 allows users on the Internet to send InternetPhone (port h323) requests to users on 3.3.3.x while addressing them as 192.150.50.x.



    34  static (inside, outside) 204.31.17.29 80 tcp 10 30
    35  conduit (inside, outside) 204.31.17.29 80 tcp 0 0
    36  conduit (inside, outside) 204.31.17.29 rpc udp 204.31.17.17 255.255.255.255
    37  conduit (inside, outside) 204.31.17.29 2049 udp 204.31.17.17 255.255.255.255

Line 34 shows the use of the connection limit and the embryonic limit arguments. The maximum number of connections limits the number of connections a host can use. This line permits access to only 10 users and up to 30 SYNs (embryonic connections). In tandem with the conduit statement in line 35, these statements establish an externally visible IP address for web access (port 80 in line 35). Note that the static command's maximum connections option applies to both inbound and outbound connections, so if 30 SYN flooders come in, the web server cannot go out itself. Line 36 opens the RPC portmapper on UDP port 111. Refer to the UNIX /etc/rpc file and rpc(3N) for more information. Once you create a conduit for RPC, you can use the following command from outside 204.31.17.17 to track down the activity of a PCNFSD on RPC 150001:
rpcinfo -u 204.31.17.29 150001

Another use of RPC is with the following command to see the exports of 204.31.17.29 if you want to allow NFS mounting from outside in.
showmount -e 204.31.17.29

Many protocols based on RPC, as well as NFS, are insecure and should be used with caution. Line 37 permits NFS access (port 2049) between the outside and inside, such that 204.31.17.17 can mount 10.1.1.11.

    38  mailhost (inside, outside) 204.31.17.30 10.1.1.3 10 11
    39  conduit (inside, outside) 204.31.17.30 113 tcp 0.0.0.0 0.0.0.0
    40  snmp-server host 3.3.3.2
    41  snmp-server location building 42
    42  snmp-server contact polly hedra
    43  snmp-server community ohwhatakeyisthee
    44  telnet 10.1.1.11 255.255.255.255
    45  telnet 3.3.3.0 255.255.255.0

Line 38 designates an SMTP mail host. The Mail Guard feature in the PIX Firewall defines that only the seven commands described in section 4.5.1 of RFC 821 are permitted for access to the mail host. (The commands are HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.) The mailhost command in line 38 makes the mail server on 10.1.1.3 visible on 204.31.17.30 with 10 maximum connections and up to 11 embryonic connections. The Internet DNS MX record for this organization should point to 204.31.17.30. Line 39 creates a conduit for port 113, the IDENT protocol. If the mail server has to talk to many mail servers on the outside which connect back with the now obsolete and highly criticized IDENT protocol, use this conduit to speed up mail transmission. Lines 40 to 43 specify the SNMP server IP address, the server's location, and the name of its administrator. Line 43 specifies the community key in place at the SNMP server. Lines 44 and 45 permit host access to the PIX Firewall console. Line 44 permits a single host, 10.1.1.11, to access the PIX Firewall console with Telnet. The 255 value in the last octet of the netmask means that only the specified host can access the console. Line 45 permits PIX Firewall console access from hosts on the 3.3.3.0 network. The 0 value in the last octet of the netmask permits all hosts in that network access. However, Telnet only permits 16 hosts simultaneous access to the PIX Firewall console over Telnet.
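The Mail Guard behaviour described for line 38, where only the seven RFC 821 commands reach the mail host, can be modelled in a few lines. The following Python function is an added example, not PIX code and not from this guide; the SMTP session it filters is constructed, and the choice to simply drop a disallowed command rather than answer it with a specific reply code is an assumption of the model. The one subtlety it handles is that everything between DATA and the terminating "." is message content, so a line such as HELP inside the body must be forwarded untouched rather than treated as a command.

```python
# Constructed SMTP client session (not from the page): a legitimate delivery
# interleaved with commands that Mail Guard does not allow through.
SAMPLE_SESSION = [
    "HELO relay.example.net",
    "VRFY postmaster",                  # not one of the seven: dropped
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.com>",
    "EXPN staff",                       # not one of the seven: dropped
    "DATA",
    "Subject: hello",                   # body lines follow DATA until a lone "."
    "",
    "HELP",                             # inside the body, so it is message text
    ".",
    "QUIT",
]

# The seven RFC 821 section 4.5.1 commands the page says Mail Guard permits.
MAIL_GUARD_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def filter_session(lines):
    """Return (forwarded, rejected): the lines passed on to the mail host and the
    command lines dropped. Message content between DATA and "." is always
    forwarded unchanged; command verbs are matched case-insensitively."""
    forwarded, rejected = [], []
    in_data = False
    for line in lines:
        if in_data:
            forwarded.append(line)
            if line == ".":             # end of message content
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in MAIL_GUARD_COMMANDS:
            forwarded.append(line)
            in_data = verb == "DATA"    # switch to body mode after DATA
        else:
            rejected.append(line)
    return forwarded, rejected


if __name__ == "__main__":
    fwd, rej = filter_session(SAMPLE_SESSION)
    print("forwarded:", fwd)
    print("rejected:", rej)
```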


Conguring Failover
Use the failover command without an argument after you connect the optional failover cable between your primary rewall and a secondary rewall. The default is failover on. Enter no failover in the conguration le for the PIX Firewall if you will not be using the failover feature. Use the show failover command to verify the status of the connection and to determine which unit is active. Failover works by passing control to the secondary unit should the primary unit fail. For Ethernet, failover detection should occur within 15 seconds. The markings on the cable let you choose which PIX Firewall unit is primary and which is secondary. Refer to Installing the Failover Connector Assemblies and Cable on the PIX Firewall supplied with the failover cable option for more information about upgrading a PIX Firewall unit to accept the failover cable. The PIX Firewall units manufactured after November 1996 come equipped with the failover cable connectors; for these units, you need only connect the failover cable between the PIX Firewall units.
Note The active PIX Firewall does not maintain a copy of the connection state in the secondary unit. If the primary fails, network traffic must re-establish previous connections.

Enable the failover feature by adding the failover command (without the active parameter) to the configuration files for both the primary and secondary PIX Firewall units.

When you use Telnet to access the PIX Firewall, only the active unit serves the connection. Use the hostname command on both units to identify a unique name for each unit. Using the host name, you can tell if you are communicating with the primary or secondary unit. If you are using Telnet when a failure occurs, you need to disconnect the Telnet session and restart it to the IP address. If a failure occurs, the host name in the telnet command prompt gives you positive acknowledgment that the secondary unit is active. In addition, SYSLOG messages indicate whether the primary or secondary unit failed. Use the show failover command to verify which unit is active.

If you want to force a PIX Firewall to be active or go to standby, you can use the failover active or no failover active command. Use this feature to force a PIX Firewall offline for maintenance or to return a failed unit to service. Use the show failover command to verify the status of the connection and to determine which unit is active.

You can create your own failover cable by connecting the pin outs as shown in Table 2-1.
Table 2-1 Failover Cable Pin Outs

Primary End of Cable Pins: 1; 9; 2; 10; 3; 4, 11, and 12 connect inside Primary; 5; 6; 14

Secondary End of Cable Pins: 10; 14; 3; 1; 2; 6; 5 and 12 connect inside Secondary; 4 and 11 connect inside Secondary; 9

Configuring Both Firewall Units for Failover


Follow these guidelines for configuring both units the same:

• The unit that has the cable end labeled primary becomes the default primary unit.
• Give each unit a different host name.
• Assign both units the same IP address.
• Ensure that the network is set up so that both units see exactly the same traffic.
• No ARP entries need to change or time out anywhere in the network to handle the failover configurations.

Note When failover occurs, the secondary unit automatically takes the MAC address of the primary.

Frequently Asked Failover Questions


This section contains some frequently asked questions about the failover feature.

How is start-up initialization accomplished between two units?

There is currently no initialization shared between the two units other than the state of failover (On/Off and Active/Standby) and the MAC address of the primary unit. When a unit boots up, it defaults to Failover On and Secondary, unless no failover has been saved in the configuration. It then checks to see if the failover cable is present. If the cable is not present, the unit automatically becomes the active unit. If the cable is present, the unit that has the primary end of the failover cable plugged into it becomes the primary unit by default. The primary unit's MAC address is then given to the secondary unit.

How can both units be configured the same without manually entering the configuration twice?

The easiest thing to do is save the configuration on the primary unit to diskette, and copy it to the secondary unit.

What constitutes a failure?

Fault detection is based on the following:

• Received network traffic counts on incoming and outgoing NIC cards (packet counts are kept and shared between the units every 15 seconds). If the active unit stops receiving packets while the standby is still seeing them for two consecutive 15-second intervals, the standby unit will take over as active.
• Cable errors. The cable is wired so that each unit can distinguish between a power failure in the other unit and an unplugged cable. If the standby unit detects that the active unit is powered off (or resets), it will take active control. If the cable is unplugged, a SYSLOG message is generated but no switching occurs. An exception to this is at boot-up, at which point an unplugged cable will force the unit active. If both units are powered up without the failover cable installed, they will both become active, creating a duplicate IP address conflict on your network. The failover cable must be installed for failover to work correctly.
• Failover communication. The two units share information every 15 seconds. If the standby unit does not hear from the active unit in two communication attempts (and the cable status is OK), the standby unit will take over as active.

How long does it take to detect a failure?

Network traffic errors are detected within 30 seconds (two consecutive 15-second intervals). Power failure (and cable failure) is detected within 15 seconds. Failover communications errors are detected within 30 seconds (two consecutive 15-second intervals).

What happens when failover is triggered?

A switch can be initiated by either unit. When a switch takes place, each unit changes state. The newly active unit starts accepting traffic while the new standby unit stops accepting traffic. The two units do not share connection states. Any active connections will be dropped when a failover switch occurs. The clients must re-establish the connections through the newly active unit.

What maintenance is required?

SYSLOG messages will be generated when any errors or switches occur. Evaluate the failed unit and fix or replace it.

Failover SYSLOG Messages


In the messages that follow, P|S is either Primary or Secondary, depending on which PIX Firewall is sending the message. Failover messages always have a SYSLOG priority level of 2, which indicates a critical condition. Refer to the syslog output command description for more information on SYSLOG messages. The SYSLOG messages sent to record failover events are:

System okay messages:

• P|S: Cable OK.
• P|S: Disabling failover. The no failover command was entered.
• P|S: Enabling Failover. Either a PIX Firewall is booting that has the failover command in its configuration file or the failover command was just entered in the current configuration.
• P|S: Mate ifc number OK. The interface (ifc) is now working correctly after being brought back online after a failure. The number is either 0 for the inside network interface or 1 for the outside interface.

Cabling problem messages:

• P|S: Bad cable. The cable is connected on both units, but the failover cable has developed a wiring problem.
• P|S: Cable not connected my side. The cable on the current PIX Firewall is not connected.
• P|S: Cable not connected other side. The cable on the current unit is connected, but the connector on the other unit is disconnected.
• P|S: Error reading cable status. The cable state cannot be determined. Ensure that all connectors are securely attached.

Failure in process messages:

• P|S: No response from mate. The other PIX Firewall has not responded in the last 30 seconds.
• P|S: Power failure other side. The other unit has lost power.
• P|S: Mate ifc number failed. The interface (ifc) for the other unit failed. The number is either 0 for the inside network interface or 1 for the outside interface.

Status messages:

• P|S: Switching to ACTIVE. The other unit has brought the network back online and is receiving connections. This message also occurs if you force a unit to active with the failover active command, or forced the other unit inactive with the no failover active command.
• P|S: Switching to STANDBY. The unit is inactive as a result of entering no failover active on the unit or by entering failover active on the other unit.
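The failover decision rules from the FAQ above (packet counts and hello messages exchanged every 15 seconds, two consecutive intervals before a traffic or communication failure counts, power loss distinguished from an unplugged cable, and an absent cable at boot forcing the unit active), together with the message names from the SYSLOG list, modeled as an added example rather than Cisco's implementation. The Sample records, the StandbyUnit class and the detection_time helper are constructed here so the 15- and 30-second detection times can be checked offline.

```python
from dataclasses import dataclass, field
from typing import List, Optional

INTERVAL_SECONDS = 15       # units exchange counters and hello messages every 15 s
CONSECUTIVE_INTERVALS = 2   # two missed intervals give the 30 s detection time


@dataclass
class Sample:
    """One 15-second observation made by the standby unit (constructed input)."""
    active_rx_packets: int     # packets the active unit reports receiving
    standby_rx_packets: int    # packets the standby unit itself received
    heard_from_active: bool    # a failover communication arrived this interval
    cable_ok: bool             # cable wired correctly and plugged in on both ends
    active_powered_off: bool   # cable signals power loss or reset on the other unit


@dataclass
class StandbyUnit:
    """Keeps the two-interval counters a standby unit needs to decide on a switch."""
    booted_with_cable: bool = True
    active: bool = False
    silent_intervals: int = 0
    starved_intervals: int = 0
    syslog: List[str] = field(default_factory=list)

    def boot(self) -> None:
        # At boot an unplugged cable forces the unit active (hence the duplicate-IP risk).
        if not self.booted_with_cable:
            self.syslog.append("S: Cable not connected my side")
            self._switch()

    def observe(self, s: Sample) -> Optional[str]:
        """Apply one interval's evidence; return the reason for a switch, if any."""
        if self.active:
            return None
        if s.active_powered_off:
            self.syslog.append("S: Power failure other side")
            return self._switch("power failure")
        if not s.cable_ok:
            # Cable problems are reported but never cause a switch by themselves.
            self.syslog.append("S: Cable not connected other side")
            return None
        # Traffic rule: active sees nothing while the standby still sees packets.
        if s.active_rx_packets == 0 and s.standby_rx_packets > 0:
            self.starved_intervals += 1
        else:
            self.starved_intervals = 0
        # Communication rule: consecutive missed hellos with a good cable.
        self.silent_intervals = 0 if s.heard_from_active else self.silent_intervals + 1
        if self.starved_intervals >= CONSECUTIVE_INTERVALS:
            return self._switch("network traffic")
        if self.silent_intervals >= CONSECUTIVE_INTERVALS:
            self.syslog.append("S: No response from mate")
            return self._switch("failover communication")
        return None

    def _switch(self, reason: str = "boot without cable") -> str:
        self.active = True
        self.syslog.append("S: Switching to ACTIVE")
        return reason


def detection_time(samples: List[Sample]) -> Optional[int]:
    """Seconds until the standby takes over for a constructed sequence, or None."""
    unit = StandbyUnit()
    unit.boot()
    for interval, s in enumerate(samples, start=1):
        if unit.observe(s):
            return interval * INTERVAL_SECONDS
    return None
```

The model makes the asymmetry in the FAQ explicit: a single bad interval never triggers a switch, a power-loss signal on the cable does so immediately, and an unplugged cable produces log lines indefinitely without a switch.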

Configuring Private Link


The link command creates an encrypted path between version 4 Private Link-equipped PIX Firewall units. You can specify up to seven encryption keys for data access between your unit and the remote unit. The key-ID and key values must be the same on each side of the Private Link. Once you specify the same keys on both sides of the connection, the systems alert each other when a new key takes effect. You can use the age command to specify the number of minutes that a key is in effect. Specify the link command once for each key you want to specify; for example, if you want seven keys, enter the link command in the configuration seven times.

The PIX Firewall Private Link consists of an encryption card and software that permits the PIX Firewall units to provide encrypted communications across an unsecure network such as the Internet. This optional feature is available to domestic customer sites. The PIX Firewall allows up to 256 Private Links. At least two PIX Firewall units are required along with the hardware/software option to use this feature.

Private Link works by checking packets that arrive at the PIX Firewall inside interface. If a route link previously created by the linkpath command exists that matches the destination network address, the packet is encrypted and encapsulated in an AH/ESP frame. The frame has a destination address of the remote PIX Firewall and a source address of the local PIX Firewall. When the packet arrives at the remote PIX Firewall unit, the data in the packet is decrypted and then sent through the inside interface to the original IP address specified. No translation takes place on packets that traverse the PIX Firewall Private Link; the addressing and data remain completely unchanged. The PIX Firewall allows up to 512 link paths. You can manage remote PIX Firewall units through the Private Link interface.

Example
To congure a Private Link, refer to the example setup in Figure 2-3.
Figure 2-3 Example Private Link Network Diagram
[Figure 2-3 diagram: Network A (10.1.0.0) connects to the inside interface of PIX Firewall A (10.1.1.1); its outside interface is 192.168.35.1, with Router A at 192.168.35.2 and global IP addresses 192.168.35.11 through 192.168.35.254. Across the Internet, Router B (192.168.37.2) connects to the outside interface of PIX Firewall B (192.168.37.1), with global IP addresses 192.168.37.11 through 192.168.37.254; the inside interface of PIX Firewall B (10.3.1.1) connects to Network B (10.3.0.0).]

Before configuring Private Link, you would initially configure the systems using the standard commands. When you configure a Private Link, follow these steps:

Step 1  Agree on up to seven hexadecimal encryption keys for use between the PIX Firewall Private Link local and remote units; for example, one key could be the hexadecimal value fadebacbeebeee. Be sure to select unique keys that are difficult to guess. The key can be up to 56 bits in length (14 hexadecimal digits).

Step 2  Use the link command to create an encrypted link for each key you want to specify.

Step 3  Use linkpath to specify the IP address of the network on the inside of the remote firewall.

Step 4  On PIX Firewall A, in the previous illustration, enter these commands to configure the Private Link:

link 192.168.37.1 1 fadebacfadebac
link 192.168.37.1 2 bacfadefadebac
link 192.168.37.1 3 baabaaafadebac
link 192.168.37.1 4 beebeeefadebac
linkpath 10.3.0.0 255.255.255.0 192.168.37.1

Step 5  On PIX Firewall B, enter these commands:

link 192.168.35.1 1 fadebacfadebac
link 192.168.35.1 2 bacfadefadebac
link 192.168.35.1 3 baabaaafadebac
link 192.168.35.1 4 beebeeefadebac
linkpath 10.1.0.0 255.255.255.0 192.168.35.1

Step 6  Test the connection to each foreign PIX Firewall with the ping inside command. For example, to test firewall B from firewall A, use these commands to test accessibility to the outside interface (192.168.37.1), inside interface (10.3.1.1), and a host on the inside network (10.3.1.8, not shown in figure):

ping inside 192.168.37.1
ping inside 10.3.1.1
ping inside 10.3.1.8

Note Use random keys, not the ones shown in this document.
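An added helper, not Cisco's software, that applies the rules in the steps above and the Note on random keys: it draws 56-bit keys from the operating system's random source, emits the link and linkpath lines both units need, and cross-checks that every key-ID carries the same key on each side before the configurations are entered. Addresses in the usage section follow Figure 2-3; the function names and the plain-string output are assumptions of this example.

```python
import re
import secrets
from typing import Dict, List, Tuple

MAX_KEYS = 7            # Private Link accepts up to seven keys
KEY_HEX_DIGITS = 14     # 56 bits
_KEY_RE = re.compile(r"^[0-9a-f]{1,14}$")


def generate_keys(count: int = MAX_KEYS) -> List[str]:
    """Return `count` random 56-bit keys as 14-digit lowercase hex strings."""
    if not 1 <= count <= MAX_KEYS:
        raise ValueError("Private Link supports between 1 and 7 keys")
    return [secrets.token_hex(KEY_HEX_DIGITS // 2) for _ in range(count)]


def link_commands(peer_outside: str, keys: List[str],
                  remote_net: str, remote_mask: str) -> List[str]:
    """Build the link lines (one per key) and the linkpath line one unit needs."""
    if len(keys) > MAX_KEYS:
        raise ValueError("at most 7 keys")
    lines: List[str] = []
    for key_id, key in enumerate(keys, start=1):
        if not _KEY_RE.match(key):
            raise ValueError(f"key {key_id} is not 1-14 hex digits: {key!r}")
        lines.append(f"link {peer_outside} {key_id} {key}")
    lines.append(f"linkpath {remote_net} {remote_mask} {peer_outside}")
    return lines


def _parse_links(lines: List[str]) -> Tuple[Dict[int, str], List[str]]:
    """Split a unit's link configuration into {key_id: key} and its linkpath lines."""
    keys: Dict[int, str] = {}
    paths: List[str] = []
    for line in lines:
        parts = line.split()
        if parts[0] == "link":
            keys[int(parts[2])] = parts[3].lower()
        elif parts[0] == "linkpath":
            paths.append(line)
    return keys, paths


def mismatches(side_a: List[str], side_b: List[str]) -> List[str]:
    """Report every key-ID whose key differs or is missing between the two units."""
    keys_a, _ = _parse_links(side_a)
    keys_b, _ = _parse_links(side_b)
    return [f"key-ID {key_id} differs between the two units"
            for key_id in sorted(set(keys_a) | set(keys_b))
            if keys_a.get(key_id) != keys_b.get(key_id)]


if __name__ == "__main__":
    keys = generate_keys(4)
    # Figure 2-3: A's outside interface is 192.168.35.1, B's is 192.168.37.1.
    cfg_a = link_commands("192.168.37.1", keys, "10.3.0.0", "255.255.255.0")
    cfg_b = link_commands("192.168.35.1", keys, "10.1.0.0", "255.255.255.0")
    print("\n".join("A: " + line for line in cfg_a))
    print("\n".join("B: " + line for line in cfg_b))
    print("mismatches:", mismatches(cfg_a, cfg_b) or "none")
```

Generating both sides from one key list is what makes the cross-check pass; typing keys by hand on each console is where a single transposed digit silently breaks a key-ID.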

Configuring SNMP

The snmp-server command causes the PIX Firewall to send SNMP traps so that the firewall can be monitored remotely. Use snmp-server host to specify which systems receive the SNMP traps. You can specify up to five systems and all must be on the inside network of the firewall.

Note The PIX Firewall does not send SNMP traps until you configure snmp-server host.

The SNMP server must be on the inside network. The PIX Firewall does not support browsing of the Cisco SYSLOG MIB. The only MIBs you can browse are System and Interfaces. Use snmp-server contact and snmp-server location to specify your name and the location of the PIX Firewall so that hosts receiving SNMP traps can contact you if monitored problems occur. Using SNMP, you can monitor system events on the PIX Firewall. The PIX Firewall SNMP MIB-II groups available are System and Interfaces. The PIX Firewall SNMP traps available to an SNMP server are:

• Link up and link down (cable on outside interface working or not working)
• Warm and cold start
• Failover SYSLOG messages
• Security-related events sent via the Cisco Enterprise MIB: Global access denied SYSLOG messages

Use CiscoWorks for Windows (Product Number CWPC-2.0-WIN) or any other SNMP V1, MIB-II compliant browser to receive SNMP traps and browse a MIB. SNMP traps occur at UDP port 162. Up to five hosts can receive SNMP traps. SNMP events can be read, but information on the PIX Firewall cannot be changed with SNMP.

Compiling Cisco SYSLOG Enterprise MIB Files


To receive security and failover SNMP traps from the PIX Firewall, compile the Cisco SYSLOG MIB into your SNMP management application. If you do not compile the Cisco SYSLOG MIB into your application, you only receive MIB-II traps for link up or down, and firewall cold and warm start. To compile Cisco SYSLOG Enterprise MIB files into your browser using CiscoWorks for Windows (SNMPc), complete the following steps:
Step 1  Get the Cisco SYSLOG Enterprise MIB files.
Step 2  Start SNMPc.
Step 3  Go to Config|Compile MIB.
Step 4  Scroll to the bottom of the list, and select the last entry.
Step 5  Click the Add button.
Step 6  Find the file CISCO-SMI.my and click OK.
Step 7  Scroll to the bottom of the list, and select the last entry.
Step 8  Click the Add button again.
Step 9  Find the file CISCO-SYSLOG-MIB.my and click OK.
Step 10  Click Load All.
Step 11  If there are no errors, restart SNMPc.

Note These instructions are only for SNMPc (CiscoWorks for Windows).

Configuring SYSLOG

The syslog output command configures the facility and level of SYSLOG messages. Because network devices share the eight facilities, syslog output lets you set the facility marked on all messages. Messages are sent to the SYSLOG host over UDP. The syslog output command also starts sending messages onto the network. Use the syslog host command to specify which systems receive the messages. You can use show syslog to view previously sent messages.

The PIX Firewall generates SYSLOG messages for system events, such as security alerts and resource depletion. SYSLOG messages may be used to create email alerts and log files, or displayed on the console of a designated host using UNIX SYSLOG conventions. A PC WinSock version of syslogd also will work.

Note You can specify only one syslog output command in your configuration. The PIX Firewall sends all messages to the single facility you choose. The SYSLOG server must be on the inside network. The PIX Firewall sends SYSLOG messages only to a single file on the receiving system.

The PIX Firewall sends SYSLOG messages to document the following events:

• Security: Dropped UDP packets and denied TCP connections.
• Resources: Notification of 80% and 100% connection and translation slot depletion, and translation and connection counts every 10 minutes.
• System: Console and Telnet logins and logouts, and when the PIX Firewall reboots.
• Accounting: Bytes transferred per connection.

Logging is enabled by configuring the PIX Firewall with the IP address of the log host. The syslog output command syntax lets you specify the SYSLOG facility and level for how messages are sent to the SYSLOG host. There are eight facilities, LOCAL0(16) through LOCAL7(23); the default is LOCAL4(20). Hosts file the messages based on the facility number in the message.

The level specifies the types of messages sent to the SYSLOG host. Setting the level to 3, for example, allows messages with levels 0, 1, 2, and 3 to display. The default is 3. The levels are:

0  System unusable
1  Take immediate action
2  Critical condition
3  Error message
4  Warning message
5  Normal but significant condition
6  Informational
7  Debug message

Configuring a UNIX System for SYSLOG


To configure a UNIX system to accept SYSLOG messages:

Step 1  Use the PIX Firewall syslog host command to configure the PIX Firewall to send SYSLOG messages to the UNIX host's IP address.

Step 2  Log into the UNIX system as root (superuser) and execute the following commands; change pixfirewall to the name of the log file in which you want SYSLOG messages to appear:

# mkdir /var/log/pix
# touch /var/log/pix/pixfirewall

Step 3  While still logged in as root, edit the /etc/syslog.conf file with a UNIX editor and add the following selector and action pairs for each message type you want to capture:

Message Priority           UNIX syslog.conf File Keyword
0 Emergency                localn.emerg
1 Immediate action         localn.alert
2 Critical condition       localn.crit
3 Error                    localn.err
4 Warning                  localn.warning
5 Notice                   localn.notice
6 Information              localn.info
7 Debug                    localn.debug

In the syslog.conf file, you code each selector and action pair for the messages you want to receive. For example, if you want to receive messages in a file called pixfirewall for message priorities 0, 1, 2, and 3, using the default LOCAL4 facility, the syslog.conf statements would be (the comment on its own line, and a tab between the selector and the file name, as the rules below require):

# PIX Firewall SYSLOG messages
local4.err	/var/log/pix/pixfirewall

This conguration directs the PIX Firewall SYSLOG message to the specied le. Alternatively, if you want the message sent to the logging host console or emailed to a system administrator, refer to the UNIX syslog.conf(4) manual page.

Note The UNIX log file can grow to several megabytes per day when monitoring a busy PIX Firewall.
Entries in /etc/syslog.conf must follow these rules:

(a) Comments, which start with the pound (#) character, are only allowed on separate lines.
(b) Separate the selector and action pairs with a tab character. Blanks are not acceptable.
(c) Ensure that there are no trailing spaces after the file names.

Step 4  Inform the SYSLOG server program on the UNIX system to reread the syslog.conf file by sending it a HUP (hang up) signal with the following command:

# kill -1 `cat /etc/syslog.pid`

The cat /etc/syslog.pid command lists the SYSLOG process ID; this number varies by system. The kill -1 command sends SYSLOG the HUP signal to cause it to restart and reread its configuration.
Step 5  Configure the PIX Firewall to send SYSLOG messages to the UNIX host:

syslog output 20.4
syslog host 10.10.10.56

Examples of the PIX Firewall SYSLOG messages resemble the following:

Jul 11 17:59:47 ant.oak.com 199002 PIX startup completed. Beginning operation.
Jul 11 17:59:47 ant.oak.com 305002 Translation built for gaddr 192.150.49.196 to laddr 171.69.74.26
Jul 11 17:59:47 ant.oak.com 305002 Translation built for gaddr 192.150.49.195 to laddr 171.69.74.27
Jul 11 18:02:19 ant.oak.com 111001 Begin configuration: writing to tftp
Jul 11 18:02:19 ant.oak.com 111004 End configuration: SUCCEEDED
Jul 11 18:03:16 ant.oak.com 199002 PIX startup completed. Beginning operation.
Jul 11 18:03:16 ant.oak.com 305002 Translation built for gaddr 192.150.49.196 to laddr 171.69.74.26
Jul 11 18:03:16 ant.oak.com 305002 Translation built for gaddr 192.150.49.195 to laddr 171.69.74.27
Jul 11 18:04:04 ant.oak.com 199002 PIX startup completed. Beginning operation.
Jul 11 18:04:04 ant.oak.com 305002 Translation built for gaddr 192.150.49.196 to laddr 171.69.74.26
Jul 11 18:04:04 ant.oak.com 305002 Translation built for gaddr 192.150.49.195 to laddr 171.69.74.27

And so on. Items you may see in SYSLOG messages include gaddr which precedes a global IP address, laddr, which precedes a local IP address on the inside network, and faddr, which precedes a foreign IP address on the outside network. The starting numbers have no meaning other than to uniquely identify each message.

Configuring FTP and URL Logging


You can log FTP commands and WWW URLs when SYSLOG is enabled. FTP and URL messages are logged to SYSLOG level 7. The following example output shows what to expect:

Sample URL Log


<166> 192.168.69.71 accessed URL 10.0.0.1/secrets.gif

Sample FTP Log


<166> 192.168.69.42 Retrieved 10.0.0.42:feathers.tar
<166> 192.168.42.54 Stored 10.0.42.69:privacy.zip

You can view these messages at the PIX Firewall console with the show syslog command.
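An added example, not part of the guide, that ties together the syslog output facility.level setting, the level filter, the UNIX syslog.conf keyword table, and the two message formats shown above. It parses the guide's sample lines (copied below as constructed input), extracts the gaddr/laddr/faddr addresses the text explains, and decodes the <PRI> prefix on the FTP and URL samples using the standard syslog encoding PRI = facility × 8 + severity. Function names and the record layout are this example's own.

```python
import re
from typing import Dict, List, Optional

# Keyword order matches the syslog.conf table: level 0 is emerg, level 7 is debug.
LEVEL_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOCAL0 = 16  # facilities LOCAL0(16) through LOCAL7(23)

# Constructed input: lines reproduced from the guide's sample output above.
SAMPLE_LINES = [
    "Jul 11 17:59:47 ant.oak.com 199002 PIX startup completed. Beginning operation.",
    "Jul 11 17:59:47 ant.oak.com 305002 Translation built for gaddr 192.150.49.196 to laddr 171.69.74.26",
    "Jul 11 18:02:19 ant.oak.com 111001 Begin configuration: writing to tftp",
    "<166> 192.168.69.71 accessed URL 10.0.0.1/secrets.gif",
    "<166> 192.168.69.42 Retrieved 10.0.0.42:feathers.tar",
]

_HOST_LINE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msgid>\d{6}) (?P<text>.*)$")
_PRI_LINE = re.compile(r"^<(?P<pri>\d{1,3})> (?P<text>.*)$")
_ADDR = re.compile(r"\b(gaddr|laddr|faddr) (\d{1,3}(?:\.\d{1,3}){3})")


def parse_output_setting(setting: str) -> Dict[str, object]:
    """Decode the 'facility.level' argument of syslog output, e.g. '20.4'."""
    facility_str, level_str = setting.split(".")
    facility, level = int(facility_str), int(level_str)
    if not LOCAL0 <= facility <= LOCAL0 + 7:
        raise ValueError("facility must be LOCAL0(16) through LOCAL7(23)")
    if not 0 <= level <= 7:
        raise ValueError("level must be 0 through 7")
    local = f"local{facility - LOCAL0}"
    return {"facility": facility, "facility_name": local, "level": level,
            "selector": f"{local}.{LEVEL_NAMES[level]}"}


def message_sent(message_level: int, configured_level: int) -> bool:
    """A level setting of N sends messages whose own level is 0 through N."""
    return 0 <= message_level <= configured_level


def decode_pri(pri: int) -> Dict[str, object]:
    """Split a <PRI> value into facility and severity (PRI = facility*8 + severity)."""
    facility, severity = divmod(pri, 8)
    name = f"local{facility - LOCAL0}" if LOCAL0 <= facility <= LOCAL0 + 7 else str(facility)
    return {"facility": facility, "facility_name": name,
            "severity": severity, "severity_name": LEVEL_NAMES[severity]}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one PIX SYSLOG line in either of the formats shown in the guide."""
    m = _HOST_LINE.match(line)
    if m:
        rec: Dict[str, object] = dict(m.groupdict())
        rec["msgid"] = int(m["msgid"])
    else:
        m = _PRI_LINE.match(line)
        if not m:
            return None
        rec = {"text": m["text"]}
        rec.update(decode_pri(int(m["pri"])))
    # gaddr = global address, laddr = local (inside) address, faddr = foreign (outside) address
    rec["addresses"] = {kind: ip for kind, ip in _ADDR.findall(str(rec["text"]))}
    return rec


def parse_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every recognisable line, skipping anything in neither format."""
    return [rec for rec in (parse_line(line) for line in lines) if rec is not None]
```

The selector returned for the guide's "syslog output 20.4" example is local4.warning, which is the syslog.conf keyword a host needs in order to file everything that setting sends.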
