Book Excerpt: Cisco Secure Internet Security Solutions - part 3
Are you considering the purchase of a Cisco firewall? Or perhaps you already have one and need reference material? This excerpt from the Cisco Press book, Cisco Secure Internet Security Solutions, deals with their Secure Private Internet Exchange Firewall, or PIX. Part 3 of Chapter 4 covers realistic configuration and includes Web, e-mail, and FTP services.
Cisco Secure Internet Security Solutions - Chapter 4
by Andrew Mason, Mark Newcomb
Although the basic configuration suffices to illustrate how simple it is to configure the PIX, there are a few more items that almost all systems need. Three examples are Web services, e-mail services, and FTP services. This configuration shows how access from the outside to the inside of the PIX can be allowed for those services.
The default behavior of the PIX Firewall is to deny any connection that originates on an interface with a lower security level and is destined for an interface with a higher security level. The configuration in this section shows how such access can be allowed selectively, without losing protection for the rest of the inside subnet, or even for the hosts that you allow to be seen from the outside.
Figure 4-6 shows the layout for this scenario. Note that the 192.168.1.0/24 network has been used on the interfaces between the PIX and the perimeter router. In real life, these should be publicly routable IP addresses, because people on the Internet need to be able to browse your Web server, download files from your FTP server, and send mail to and receive mail from your e-mail server.
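The following is an added example, not the book's own configuration, of the PIX 6.x-style configuration the chapter goes on to build: one static translation per published server plus an access list bound to the outside interface, so that only the advertised port on each server is reachable from the Internet. All addresses are assumptions: the PIX outside interface is 192.168.1.1 on the 192.168.1.0/24 segment from Figure 4-6 with the perimeter router at 192.168.1.2, the inside interface is 10.1.1.1 with the interior router at 10.1.1.2, and the Web, mail, and FTP servers sit on 10.1.2.0/24 behind the interior router. Lines beginning with a colon are comments.

```cisco
: Added example with assumed addresses; not the book's configuration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
route inside 10.1.2.0 255.255.255.0 10.1.1.2 1
: Outbound (inside -> outside) traffic is permitted by default once a
: translation exists: inside hosts are hidden behind a pool of outside
: addresses.
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
global (outside) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0
: One fixed, one-to-one translation per server that must be reachable
: from the outside. The static alone admits nothing; it only pins the
: outside address each server is known by.
static (inside,outside) 192.168.1.10 10.1.2.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.11 10.1.2.11 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.12 10.1.2.12 netmask 255.255.255.255 0 0
: The access list opens only the published port on each static address.
: Every other connection from the outside still hits the implicit deny.
access-list outside_in permit tcp any host 192.168.1.10 eq www
access-list outside_in permit tcp any host 192.168.1.11 eq smtp
access-list outside_in permit tcp any host 192.168.1.12 eq ftp
access-group outside_in in interface outside
: FTP inspection tracks PORT/PASV on the control channel and opens the
: data connection itself, so no rule for port 20 or a passive port
: range is needed here.
fixup protocol ftp 21
: Mail Guard limits SMTP to a minimal command set. If the mail server
: relies on ESMTP commands such as EHLO, disable it with
: "no fixup protocol smtp 25" rather than opening more ports.
fixup protocol smtp 25
```

The security-relevant point is the separation of duties between the two commands: the static makes a server addressable, and the access list decides which single port of it is reachable. Any port not listed, on any inside host, remains blocked, which is what the paragraph above means by keeping protection even on the hosts that are visible from the outside.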
As shown in Figure 4-6, the interior router and the inside interface of the PIX are on a separate network. This is not mandatory. However, if the interior router has a spare Ethernet interface and there are plans to use the nat 0 command, using that spare interface is advised, because the PIX will ARP to a router for the address of each request. Repeated ARP requests can put an excessive load on an already overtaxed network. Connecting the PIX directly to a router interface also ensures that packets to and from the PIX are not delayed by issues such as collisions and broadcast storms. Finally, the interior router can and should be configured with at least simple access lists to ensure that only authorized traffic traverses the network. This might seem like too much trouble to some administrators. However, security should become a pervasive attitude throughout the network engineering staff, and an extra layer of protection is never a waste of effort.
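As an added example of the "simple access lists" on the interior router (not a configuration from the book), the following IOS fragment assumes that the interior router's Ethernet0 faces the PIX inside segment at 10.1.1.2/24 with the PIX at 10.1.1.1, that the Web, mail, and FTP servers are 10.1.2.10, 10.1.2.11, and 10.1.2.12 on the 10.1.2.0/24 LAN behind the router, and that the FTP server has been configured to use passive-mode data ports 50000 through 50100. The interface name, addresses, and port range are all assumptions.

```cisco
! Added example with assumed addresses; not the book's configuration.
ip access-list extended FROM-PIX
 remark Services the PIX publishes to the outside; the router re-checks them
 permit tcp any host 10.1.2.10 eq www
 permit tcp any host 10.1.2.11 eq smtp
 permit tcp any host 10.1.2.12 eq ftp
 remark Passive-mode FTP data connections arrive on high ports, so pin the
 remark server to a known range and permit only that range
 permit tcp any host 10.1.2.12 range 50000 50100
 remark Replies to TCP sessions that inside hosts opened (ACK or RST set)
 permit tcp any 10.1.2.0 0.0.0.255 established
 remark DNS answers to resolvers on the inside LAN
 permit udp any eq domain 10.1.2.0 0.0.0.255 gt 1023
 remark Anything else should already have been dropped by the PIX; log it
 deny ip any any log
!
interface Ethernet0
 ip address 10.1.1.2 255.255.255.0
 ip access-group FROM-PIX in
 no ip directed-broadcast
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
```

Two caveats for whoever maintains this: the established keyword only tests the ACK and RST bits and keeps no session state, so it is a second layer behind the PIX's stateful inspection, not a replacement for it; and the final deny with log is what makes the layer useful operationally, because any hit on it means a packet reached the interior router that the PIX should have stopped.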