Cisco Pix Firewall

Download most current software from WEB. If using a DOS/Windows PC choose the executable file (pixnnn.exe). This file has the rawrite.exe program compressed into it. The rawrite program creates a bootable floppy disk that has the latest firewall software installed. Follow the readme.txt file instructions that you get once you run the pixnnn.exe.

Get a console session established to the PIX firewall.

Configure Network Routers

  • Set default routes
  • Set access lists
  • Set any filters

Configure the PIX Firewall

pixfirewall> enalble

pixfirewall# configure t	- Enter configuration mode.

Identify each interface - you are forced to use the name outside for the outside interface to attain maximum security.

pixfirewall(config)# nameif ethernet0 outside security0

pixfirewall(config)# nameif ethernet1 inside security100

Assign each interface an ip address.

pixfirewall(config)# ip address inside

pixfirewall(config)# ip address outside

Specify network card speed and duplex. Auto uses automatic detection. The AUTO option exists only for ethernet.

pixfirewall(config)# interface ethernet0 auto

pixfirewall(config)# interface ethernet1 auto

This is a good place to save our work.

pixfirewall(config)# exit	--- Exit config mode.

pixfirewall # wr mem		--- Save our work.

Show a little of what we have done.

pixfirewall# sh nameif
	nameif ethernet0 outside security0
	nameif ethernet1 inside security100

Continue with the configuration

pixfirewall# config t		---- Enter configuration mode

Enable Network Address Translation for the outside interface

pixfirewall(config)# nat (inside) 1 0 0
  • The number 1 is the local NAT ID (between 0 and 2 billion).
  • The 0 0 is the internal IP address and subnet mask to be translated 0 stands for all

Specify NAT and PAT parameters.

pixfirewall(config)# global (outside) 1 netmask
  • The number 1 is the Local NAT ID (see above nat statement)
  • The address and subnet mask is the address to be used for port address translation. PAT will not work with multimedia applications and does not work with H.323 application and caching nameservers.
pixfirewall(config)# global (outside) 1 netmask
  • The number 1 is the Local NAT id (see nat statement)
  • The network address range and mask are used for network address translation. NAT gives a limited number of addresses. There has to be a one for one address translation for NAT to work properly.

Create a default route to the outside router

pixfirewall(config)# route outside 0 0 1
  • The 0 0 stands for all ip addresses.
  • The ip address is the address of the router to the ISP
  • The 1 tells how many hops away the router is from the firewall.

Permit ICMP traffic through the firewall

pixfirewall(config)# conduit permit icmp any any
  • check with your security policy

Set a host name for the firewall. This also sets the prompt.

pixfirewall(config)# hostname wally

Set the enable passwork for the firewall.

pixfirewall(config)# enable password snnug

Exit configuration mode and save our work

pixfirewall(config)# exit	- Exit

pixfirewall# wr mem		- Save
Building configuration...
Cryptochecksum: 975d086a f1df1506 86647656 021580bc 

Check out the configuration

pixfirewall# sh ip address
System IP Addresses:
	ip address outside
	ip address inside
Current IP Addresses:
	ip address outside
	ip address inside

pixfirewall# sh global
global (outside) 1 netmask
global (outside) 1 netmask

pixfirewall# sh nat
nat (inside) 1 0 0

pixfirewall# sh route
	outside 1 OTHER static

pixfirewall# write t