Cisco Secure Internet Security Solutions – Chapter 4
by Andrew Mason, Mark Newcomb
Although the basic configuration suffices to illustrate how simple it is to configure the PIX,there are a few more items that almost all systems need. Three examples are Web services, e-mail services, and FTP services. This configuration will show how access from the outside to the inside of the PIX can be allowed.
The default configuration for the PIX Firewall is to prevent all access from an interface with a lower security level through an interface with a higher security level. The configuration in this section shows how access can be allowed without losing security protection on the whole network subnet, or even on the hosts that you allow to be seen from the outside.
Figure 4-6 shows the layout for this scenario. Note that the 192.168.1.0 /24 network has been used on the interfaces between the PIX and the perimeter router. In real life, these should be routable IP addresses, because you need people on the Internet to be able to browse your Web server, download files from your FTP server, and send and receive from your e-mail server.
As shown in Figure 4-6, the interior router and the inside interface of the PIX are on a separate network. This is not mandatory. However, if there is a spare Ethernet interface on the interior router and plans to use a nat 0 command, using a spare interface on the inside router is advised, because the PIX will use ARP to a router for the address of each request.Repeated ARP requests can cause an excessive load on an overtaxed network. Connecting the PIX to a router’s interface also ensures that all packets from and to the PIX are not delayed because of issues such as collisions and broadcast storms. Finally, the interior router can and should be configured with at least simple access lists to ensure that only authorized traffic is traversing the network. This might seem like too much trouble for some administrators. However, security should become a pervasive attitude throughout the network engineering staff. Having an extra layer of protection is never a waste of effort.
You now have three major design changes to make to your system. You must first allow
WWW traffic to access the Web server, whose IP address is 10.1.1.30. This IP address
needs to be statically translated to a routable address on the Internet. One of the easiest
ways to keep track of static IP translations is to use the same last octet in both addresses. In the case of the Web server, you will use 30 as the last octet. The second change is to allow e-mail through to the mail server. The third change is to allow FTP traffic to the FTP server. All of these servers need a static translation because you cannot be guaranteed what host will be using a given outside IP address at any given time if you simply rely on the default NAT settings on the PIX and allow traffic into the LAN.
Issue a write erase command on the PIX. This erases the saved configuration. Turn the PIX power off and then back on to arrive at a clean state. Enter the following commands while in enable mode on the PIX. This section covers each change after the lines are entered. Again, the lines are separated for clarity.
enable password enablepass encrypted passwd password encrypted nameif ethernet0 outside security0 nameif ethernet1 inside security100 interface ethernet0 10baset interface ethernet1 10baset ip address outside 192.168.1.1 255.255.255.0 ip address inside 172.30.1.2 255.255.255.252 global (outside) 1 192.168.1.50-192.168.1.253 255.255.255.0 global (outside) 1 192.168.1.254 255.255.255.0 nat (inside) 1 10.1.1.0 255.255.255.0 0 0 static (inside, outside) 192.168.1.30 10.1.1.30 netmask 255.255.255.255 0 0 static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0 static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0 conduit permit tcp host 192.168.1.30 eq http any conduit permit tcp host 192.168.1.35 eq ftp any conduit permit tcp host 192.168.1.49 eq smtp any route outside 0 0 192.168.1.2 1 route inside 10.1.1.0 255.255.255.0 172.30.1.1 1 arp timeout 7200 write mem
There are only a few changes from the basic configuration. You first changed the inside IP address to reflect the separate network between the PIX and the interior router. The two
global commands shown next assign both NAT and PAT to be used by the inside hosts.
Because you used a range of IP addresses, the first global command allows for each host on the LAN to get a dynamically assigned global address, or NAT. Once all of the available global IP addresses are in use, any hosts attempting to connect to the outside will use PAT.
The second global line is critical because it assigns one address for use with PAT. If a single address is not reserved for use by PAT, hosts will simply not be able to get through the PIX.
The users will think that the Internet connection has been dropped, because they will
receive no indication of a problem other than a lack of connection.
You might wonder why the range of IP addresses starts at 50 in the first global command.
This allows servers to have static IP addresses. The number 50 was arbitrarily chosen.
Whatever number is chosen ensures that there are sufficient reserved IP addresses for all
servers on the network. You could have also reserved a set of IP addresses on the upper end
of the network. The inside and outside routes were also changed to reflect the network as
shown in Figure 4-6. You are now actually ready to allow users on the Internet to access
your e-mail, FTP, and Web services.
Setting up to allow e-mail to traverse the PIX requires a few new commands. This replaces the mailhost command in previous versions of the PIX. These commands are covered later in this section. Enter the following lines into the PIX configuration.
static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0 conduit permit tcp host 192.168.1.49 eq smtp any
That is all that is required to allow SMTP packets to traverse the PIX to the server with the
10.1.1.49 IP address. Users outside the PIX will see this server as 192.168.1.49. Packets
sent to 192.168.1.49 will have NAT applied to them and will be forwarded to 10.1.1.49.
Only the SMTP commands HELLO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT are allowed through the PIX. The response to all other SMTP commands is an OK packet from the PIX. You added two new commands here, the static and the conduit commands. Each of them will be examined before moving on to the FTP and Web servers.
The static command is actually a very simple command once you are familiar with it. The
purpose of the static command is to apply NAT to a single host with a predefined IP
address. The syntax is as follows:
static [( internal_interface, external_interface)] global_ip local_ip [netmask subnet_mask] [ max_connections [ em_limit]] [norandomsequence]
The internal_interface and external_interface are names defined by the nameif command.
The global_ip is the IP address seen on the outside, after NAT has been applied. The
local_ip is the IP address used on the local host before NAT is applied. The subnet_mask should always be 255.255.255.0 when applied to a single host. If a network is being
assigned to a single address, use the subnet mask for the network. For example, if you want
the whole 10.1.4.0 network to be translated using PAT to 192.168.1.4, you use the following
static (inside, outside) 192.168.1.4 10.1.4.0 netmask 255.255.255.0 0 0
In this case, you also need to associate an access list with the conduit command. This will be covered under a more advanced configuration entitled Dual DMZ with AAA
Authentication later in this chapter.
The max_connections and em_limit (embryonic limit) work in the same manner as with the global command. Using the no form of the command removes the static command. Using a show static command displays all of the statically translated addresses.
The static command is simple if you remember the order in which interface names and IP addresses appear. The order is:
static (high, low) low high
In other words, the name of the interface with the higher security level is shown first within the parenthesis, followed by the name of the lower security level interface and a closing
parenthesis. This is followed by the IP address as seen on the lower security interface, then
the IP address as seen on the higher security level interface. The authors remember this with
the phrase “high, low, low, high.” When you start looking at PIX Firewalls using one or
more DMZs, the principle will hold true. Because every interface must have a unique
security level, one interface must be more trusted than the other. You will still place the
name of the interface with the higher security level first, followed by the less trusted
interface name inside the parenthesis. Outside the parenthesis, you will show the IP address
as seen on the lower security level interface, followed by the IP address as seen on the
higher security level interface.
If you choose to use nat 0 to avoid translating the IP address, you still use “high, low, low, high,” but the IP addresses are the same for the global and local IP. The following is an
example for when you do not use NAT on the IP address:
static (inside, outside) 10.1.1.49 10.1.1.49 netmask 255.255.255.255 0 0
The conduit command is necessary to allow packets to travel from a lower security level to
a higher security level. The PIX Firewall allows packets from a higher security level to
travel to a lower security level. However, only packets in response to requests initiated on
the higher security level interface can travel back through from a lower security level
interface. The conduit command changes this behavior. By issuing a conduit command,
you are opening a hole through the PIX to the host that is specified for certain protocols
from specified hosts.
The conduit command acts very much like adding a permit statement to an access list. The default behavior of the PIX is to act as if there were a deny all access list applied. Because you must allow e-mail to reach your server, you need to use the conduit command. The rule for access from a higher security level interface to a lower security level interface is to use the nat command. For access from a lower security level interface to a higher security level interface, use the static and conduit commands. As with any opening into the corporate
network, this opening should be as narrow as possible. The following allows any host on
the Internet to send mail to the host:
conduit permit tcp host 192.168.1.49 eq smtp any
If you wish to limit the originating IP address for e-mail, you could simply add an IP address and network mask to the end of the preceding line. You are allowed to have as many conduit statements as required. The following example allows SMTP traffic to enter the network from one of three networks — two with Class C subnets and the final one with a Class B subnet:
conduit permit tcp host 192.168.1.49 eq smtp 10.5.5.0 255.255.255.0 conduit permit tcp host 192.168.1.49 eq smtp 10.15.6.0 255.255.255.0 conduit permit tcp host 192.168.1.49 eq smtp 10.19.0.0 255.255.0.0
The combination of the static declaration and the conduit command can allow FTP traffic through your network. You have allowed FTP traffic to the FTP server with the following two lines:
static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0 conduit permit tcp host 192.168.1.35 eq ftp any
It is possible to have multiple conduit commands associated with a single IP address. For example, the following lines allow SMTP, FTP, and HTTP services to gain access to a single server:
static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0 conduit permit tcp host 192.168.1.35 eq ftp any conduit permit tcp host 192.168.1.35 eq http any conduit permit tcp host 192.168.1.35 eq smtp any
Notice that there is a single static statement for the host. Although some versions of the PIX IOS will allow you to enter multiple static commands for a single address, only the first static command is used. The PIX only allows the use of the host in the first static command. If you are using multiple conduit commands, you might deny some networks while allowing others. Alternatively, you might allow traffic from some networks, but not from others. In the following example, you deny FTP traffic from the 10.5.1.0 /24 network, while allowing traffic from all other networks:
static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0 conduit deny tcp host 192.168.1.35 eq ftp 10.5.1.0 255.255.255.0 conduit permit tcp host 192.168.1.35 eq ftp any
Remote Site Configuration
At this point, you have a configuration that allows the main office to communicate through the Internet. You allowed access to the Web, FTP, and mail servers. What you do not have is access from the remote sites in Manchester and Seattle. The reason you do not have access is that the nat statement only applies to the Chicago LAN. You can easily add access to the Seattle and Manchester offices by adding the following lines:
nat (inside) 1 10.2.1.0 255.255.255.0 0 0 nat (inside) 1 10.3.1.0 255.255.255.0 0 0 route inside 10.2.1.0 255.255.255.0 172.30.1.1 1 route inside 10.3.1.0 255.255.255.0 172.30.1.1 1