Book Excerpt: Cisco Secure Internet Security Solutions, part 2
Cisco Secure Internet Security Solutions - Chapter 4
Cisco Secure PIX Firewall - Part 2
by Andrew Mason, Mark Newcomb
This section defines terms and gives explanations of how different scenarios require different hardware and software configurations.
The basic PIX configuration is extremely simple. By default, this configuration allows outgoing packets and responsive packets into the LAN. This configuration also denies all ICMP packets traversing the PIX from the outside to the inside, even when such a packet is in response to a ping issued from the inside.
Like any other Cisco IOS, the Cisco PIX has a command-line interface (CLI). There is a user mode and an enable mode. For the moment, you will configure the PIX by connecting the console port on the PIX to a serial port on a computer using the cable you received with the PIX Firewall. Some of the commands will be familiar and some will be new. Each scenario in this section builds on the previous scenario.
If by issuing a show config command you see a number of items not shown on a particular configuration, do not panic. The PIX enters a number of defaults into the configuration when booting. These defaults can be changed. This chapter will deal with the most frequently used commands first. If you simply cannot wait to see what a command does, look in the index and jump ahead to the section concerning that command.
The basic configuration for the PIX is illustrated in Figure 4-5. In this scenario, the PIX is used to protect a single LAN from the Internet. Notice in Figure 4-5 that the perimeter router and the connection between the perimeter router and the outside interface of the PIX are unprotected. The perimeter router should be hardened against attacks--especially DoS attacks--because it is not protected by the PIX Firewall. Chapter 10, "Securing the Corporate Network," deals with securing a perimeter router. Any device that is outside of the PIX Firewall cannot be protected by the PIX. If possible, only the perimeter router should reside on the unprotected side of the network. Take a few minutes to study Figure 4-5, which you can use to define terms such as inside, outside, protected, and unprotected.
As shown in Figure 4-5, there is an inside and an outside interface on the PIX. The outside interface is less trusted than the inside interface. The inside interface has a security level of 100. The outside interface has a security level of 0. The security level is what determines whether packets originating from a particular interface are trusted by another interface. The higher the security level, the more an interface is trusted. This premise becomes more important as you build systems with multiple DMZs. When packets are trusted, they are allowed through an interface by default. When packets are not trusted, they are not allowed through by default.
For the basic configuration, you only need to add a few commands. This section takes much longer to read than it will actually take to configure the PIX. Start up the PIX Firewall and connect the inside interface into your local network. Connect the outside interface to the inside interface of your perimeter router. Do not connect these through the same switch or hub that runs your local network. The only path from the perimeter router to your LAN must travel through the PIX Firewall. Companies with multiple paths to the Internet should employ a PIX Firewall between each perimeter router and the LAN.
After showing you how to configure the PIX, the chapter explains what has been done. Using Telnet, enter the following commands. The lines are separated for clarity.
enable password enablepass encrypted passwd password encrypted nameif ethernet0 outside security0 nameif ethernet1 inside security100 interface ethernet0 10baset interface ethernet1 10baset ip address outside 192.168.1.1 255.255.255.0 ip address inside 10.1.1.254 255.255.255.0 global (outside) 1 192.168.1.100 255.255.255.0 nat (inside) 1 10.1.1.0 255.255.255.0 0 0 route outside 0.0.0.0 0.0.0.0 192.168.1.254 1 route inside 10.1.1.0 255.255.255.0 10.1.1.1 1 arp timeout 7200 write mem
At this point, you have your basic configuration set. The next sections walk through each line that you entered and explain the significance of the commands.
The first two lines set up your passwords. The first password line was set with the enable password command to enablepass. This was entered with the optional keyword encrypted. Using encrypted ensures that the password will not be revealed if you print out a copy of your configuration. The second line configures your Telnet password to password. The same rules that apply to router passwords apply to PIX passwords. For example, the enable password controls access to the enable commands.
The nameif command is used to label your interfaces and set the security levels for each of your interfaces. The first line sets the Ethernet0 interface to be called outside and to have a security level of zero. The next line labels the Ethernet1 interface as inside with a security level of 100. In other words, Ethernet0 is from now on called outside instead of Ethernet0 and is completely untrusted because it has a security level of zero. Ethernet1 is now called inside and is completely trusted. These are both the defaults and are necessary to the configuration. Ethernet0 is always outside and Ethernet1 is always inside. outside always has a security level of zero, and inside always has a security level of 100. Except for the inside and outside interfaces, an interface may be named anything you desire and will have a security level somewhere between 0 and 100. Remember that the higher a security level, the more it is trusted.
This is important because the default behavior of the PIX Firewall is relative to the security levels associated with the interfaces in question. Every interface has a higher security level than the outside interface. Therefore, by default, packets from any interface can travel through the outside interface. Conversely, no packets from the outside interface by default can travel to any other interface.
Suppose that your PIX had two additional interfaces, Ethernet2 and Ethernet3. You enter the following two lines:
nameif ethernet2 joe security16 nameif ethernet3 nancy security45The joe interface (Ethernet2) has a security level of 16 and the nancy interface (Ethernet3) has a security level of 45. This is feasible because you can assign any security level to an interface and can call the interface anything you choose. In this scenario, packets from nancy could travel through the joe interface without any special configurations. Packets originating at joe cannot by default travel through the nancy interface because the nancy interface has a higher security level. The advanced configurations later in this chapter expand on this concept and use more realistic names for the interfaces.
Assigning IP Addresses
The next two lines assign an IP address and subnet mask to the inside and outside interfaces. The words inside and outside are used because that is what you have named with the nameif command. Substitute whatever name you have given to this particular interface. The IP addresses on each interface must reside on different subnets.
The full ip address command follows:
ip address interface_name ip_address subnet_mask
One of the strengths of the PIX Firewall is its ability to support NAT and PAT. The global command, in conjunction with the nat command, is used to assign the IP addresses that packets receive as they cross the interface. The global command defines a pool of global addresses. This pool provides an IP address for each outbound connection and for inbound connections resulting from these outbound connections. Whether NAT or PAT is used depends on how the global command is used. If you are connecting to the Internet, the global addresses should be registered. Nonroutable IP addresses are used here for illustrative purposes only. Using routable IP addresses becomes a vital consideration when using VPNs that terminate on the PIX Firewall, because without a routable IP address the VPN will never travel over the Internet. The syntax for the global command follows:
global [( interface_name)] nat_id global_ip[- global_ip] [netmask global_netmask]The interface_name is the name assigned with the nameif command. The nat_id is an integer. The nat_id must match the number used in the nat command. Although almost any number can be used (as long as the number is consistent between the global and nat commands), the number 0 is reserved for special cases. The use of 0 is covered in the section "nat Command."
The global-ip can take one of two forms. The form chosen determines whether NAT or PAT is used. If PAT is to be used, enter a single IP address. All packets from all hosts will receive this address as they cross the interface. If NAT is to be used, enter an address range for the IP addresses to be seen from the outside. For example, if you wish to use the single address of 184.108.40.206, you would enter the following:
global (outside) 1 220.127.116.11 255.255.255.0If, on the other hand, you wish to use NAT and use a whole Class C subnet, you would enter the following:
global (outside) 1 18.104.22.168-22.214.171.124 255.255.255.0You could also use more than a Class C network by adjusting the IP addresses entered and the subnet mask. The following example uses a 23-bit subnet mask and allows you to use all IP addresses between 126.96.36.199 and 188.8.131.52. When an address range overlaps subnets, the broadcast and network addresses are not used by the global command.
global (outside) 1 184.108.40.206-220.127.116.11 255.255.254.0When you want to use PAT, you use a single address instead of a range. PAT supports up to 65,535 concurrent translations. There are some limitations in the use of PAT. For example, PAT cannot be used with H.323 and multimedia applications. These types of applications expect to be able to assign certain ports within the application. PAT also does not work in conjunction with the established command. Because the ports are changed when using PAT, these applications fail. As in the basic configuration, the following line sets a single IP address:
global (outside) 1 192.168.1.100 255.255.255.0The use of the global command requires reverse DNS PTR entries to ensure that external network addresses are accessible through the PIX Firewall. Without these PTR entries, you will see slow or intermittent Internet connectivity and File Transfer Protocol (FTP) requests consistently failing. DNS servers on a higher security level needing updates from a name server on an outside interface must use the static command, which will be explained in the "Realistic Configuration" section (part 3).
The subnet mask should match the subnet mask on the network segment. Use the ranges of IP addresses to limit the hosts used, not the subnet mask. In more advanced configurations later in this chapter, you will see how to use NAT and PAT together and how to use multiple global ranges.
The nat command is used in conjunction with the global command. The nat command specifies from which interface connections can originate. The syntax for the nat command follows:
nat [( interface_name)] nat_id local_ip [ netmask [ max_connections [ em_limit]]] [norandomsequence]The nat_id number must be the same on the nat and global command statements. Although you might have multiple global commands associated with an interface, only a single nat command can be used. Use the no form of the nat command to remove the nat entry, or rewrite the nat command with the same nat_id to overwrite the existing nat command. After issuing a nat command, you should enter the clear xlate command. This command clears all present NAT and PAT connections, which are then reestablished with the new parameters. This section will deal with using the number 0 for the nat_id after you have seen the other parameters within the nat command and the discussion on using the nat command with access lists.
The local_ip parameter can be set to a single IP address or to a whole network by adjusting the netmask parameter. The local_ip parameter specifies the internal network address to be translated. Using 0.0.0.0 allows all hosts to start outbound connections. Instead of using 0.0.0.0, you can abbreviate by using simply 0.
Use the netmask parameter as you would use any subnet mask. The exception is when you use 0.0.0.0 as the netmask. Using 0.0.0.0 means that you want to allow all hosts on the local network through. This can be abbreviated as simply 0. When allowing all hosts through, you can use 0 for both the local_ip and the netmask. Within the PIX, 0 can be substituted for where the word any would be used on a Cisco router. The command line might look like any of the following lines, assuming that the local inside network is 10.1.1.0 with a Class C subnet mask:
nat (inside) 1 0 0 0 0 nat (inside) 1 10.1.1.0 255.255.255.0 0 0 nat (inside) 1 0 255.255.255.0 0 0 nat (inside) 1 10.1.1.0 0 0 0
The max connections parameter limits the number of concurrent TCP connections through an interface. Using 0 makes the number of connections limited only by the license agreement and software installed on the PIX Firewall.
Embryonic connections are half-open TCP connections. The default of 0 does not limit the number of embryonic connections. On slower systems, entering a number for em_limit ensures that the system does not become overwhelmed trying to deal with embryonic connections.
The norandomsequence keyword is used to disable the default random sequencing of TCP packet numbers. Although usually not added to the nat command, this can be useful for debugging and in certain other circumstances. For example, if traffic must travel through two PIX Firewalls, the dual randomization of sequence numbers might cause the application to fail. In this case, adding the norandomsequence keyword to one of the PIX Firewalls should resolve the problem.
There are some special considerations for using the nat and global commands with a nat_id of 0. The first consideration is when using an access list to prevent NAT from occurring. For example, the following lines allow the hosts at IP addresses 10.1.1.54 and 10.1.1.113 to traverse the PIX without changing their IP addresses. All other addresses on the inside network receive translation services. The access list associated with a nat 0 command merely prevents NAT; it does not limit accessibility to the outside.
access-list prevent_nat tcp host 10.1.1.54 access-list prevent_nat tcp host 10.1.1.113 nat (inside) 0 access-list prevent_natThe access list should not attempt to prevent specific ports, because this causes the addresses to become translated. The ASA remains in effect, watching packets and preventing unauthorized access. However, the addresses within the access list are available through the outer interface without translation.
The nat 0 command can also be used without an access list as any other nat_id could be used. However, using a nat_id of 0 without an access list causes all hosts on the network specified with the netmask to avoid being translated by the NAT functionality of the PIX. Previous versions of the PIX software experienced an issue when using 0 as the nat_id. This issue was that using 0 would cause the PIX to use proxy Address Resolution Protocol (ARP) for all inside addresses. PIX IOS versions 5.0 and above disable this behavior. If no addresses are to be translated, the global command is not necessary. The following example shows how all inside addresses can be prevented from being translated:
nat (inside) 0 0 0 0 0
The route command is used by the PIX in the same manner that static routes and default routes are used on a router. The PIX has limited routing capabilities. It is necessary for you to specify routes. As in a router, the most specific route listed takes precedence. The syntax for the route command follows:
route interface_name ip_address netmask gateway_ip [ metric]The interface_name is any name previously defined by the nameif command. The ip_address is the address of the internal or external network. A default route can be set with either 0.0.0.0 or 0. The netmask is the subnet mask of the route. A default route can use either 0.0.0.0 or 0.
The gateway_ip is the IP address of the next hop for the network to which you are adding a route. For example, if your inside interface supported multiple networks connected with a router whose interface is 10.1.1.20, your route statements might appear as follows:
route inside 10.1.2.0 255.255.255.0 10.1.1.20 2 route inside 10.1.8.0 255.255.255.0 10.1.1.20 2 route inside 10.2.13.0 255.255.255.0 10.1.1.20 2 route inside 10.11.7.0 255.255.255.0 10.1.1.20 2Version 5.1 has been improved to specify automatically the IP address of a PIX Firewall interface in the route command. Once you enter the IP address for each interface, the PIX creates a route statement entry that is not deleted when you use the clear route command. If the route command uses the IP address from one of the PIX's own interfaces as the gateway IP address, the PIX uses ARP for the destination IP address in the packet instead of issuing an ARP for the gateway IP address.
The metric parameter is used to specify the number of hops to gateway_ip, not to the ultimate destination of the IP packet. A default of 1 is assumed if this parameter is not used. If duplicate routes are entered with different metrics for the same gateway, the PIX changes the metric for that route and updates the metric for the route.
arp timeout Command
The arp timeout command is used to specify the time that an ARP entry remains in the ARP cache before it is flushed. The number shown is the time in seconds that an ARP entry remains in the cache. The default time is 14,400 seconds, or 4 hours. In the configuration, you change the default to 2 hours with the following:
arp timeout 7200
The write command works in the same way that the write command operates in a Cisco router. For those of you relatively new to Cisco equipment, this command has largely been replaced on routers with the copy command. The write command can take any of the following formats:
write net [[ server_ip_address]:[ filename]] write erase write floppy write memory write terminal write standbyThe write net command writes across a network to a Trivial File Transfer Protocol (TFTP) server with the filename specified. If no server IP address or filename is entered, the user is prompted.
The write erase command clears the Flash memory configuration. The write floppy command writes the configuration to the floppy disk, if the PIX has a floppy. The write memory command stores the configuration in RAM memory. The write terminal command shows the current configuration on the terminal. The write standby command is used to write the configuration to either a failover or standby, PIX'S RAM memory.At this point, you have completed a basic configuration. You are ready to move toward a more realistic situation, such as a network with a mail server and an FTP server (which will be covered in part 3).