
A PIX with three interfaces is one of the most common PIX hardware configurations in enterprise networks today. The three interfaces are the inside, the outside, and a DMZ interface. As discussed earlier, the DMZ interface is used to house the servers that are to be accessed from the public network. In this case study, the server is a web server sitting on the DMZ interface. Example 8-1 shows the configuration for a PIX Firewall with three interfaces and a web server residing on the DMZ interface.

This case study also gives a detailed description of all the commands that go into setting up a PIX. In the case studies after this, only the commands that have not been explained in this case study are described.

Figure 8-12 shows the network topology for this case study.

Figure 8-12 Network Topology for This Case Study

[Figure 8-12: topology diagram showing the outside interface toward the upstream router 209.165.201.1, the inside interface (10.0.0.1) on 10.0.0.0/24 with an SNMP server at 10.0.0.199, and the DMZ interface (192.168.0.1) on 192.168.0.0/24 with the web server at 192.168.0.2]

Example 8-1 PIX Firewall with Three Interfaces Residing on the DMZ Interface

Pixfirewall#wr t
!The nameif commands are used to name the interfaces of the PIX and assign them a
!security level.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
!The interface commands that follow define the physical medium to which the
!interfaces are connected
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 100basetx
!The command below is used to specify the password for getting into the privileged
!or enable mode of the PIX firewall.
enable password <removed> encrypted
!The command below specifies the password for Telnet access to the PIX firewall.
passwd <removed> encrypted
!The IP address commands that follow are used to give IP addresses to the PIX
!interfaces using the names defined above
ip address outside 209.165.201.3 255.255.255.224
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
!The hostname command defines the name of the PIX
hostname pixfirewall
!The fixup commands that follow turn on the fixup functionality for the PIX box,
!as discussed in the preceding sections
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
!The arp command defines the time after which the ARP entries in the ARP cache
!maintained by the PIX are flushed out
arp timeout 14400
!The no failover command below indicates that this is a standalone PIX
no failover
!The names command that follows turns on the use of the name command. The name
!command is used here to allow you to use the word 'webserver' in the
!configuration instead of typing its whole IP address, 192.168.0.2
names
name 192.168.0.2 webserver
!The pager command that follows is used to specify the number of lines in a
!page of output that are displayed before the 'more' prompt appears
pager lines 24
!The logging command defines what kind of messages are to be logged and to where.
!In this case, debugging messages are being logged to the PIX buffer
logging buffered debugging
!The nat command that follows states that if a packet arrives on the inside
!interface with a source address in subnet 10.0.0.0/24, it should be NATed using
!the global command defined by 'global (<interface name>) 1', where 'interface
!name' is the name of the interface to which the packet is routed based on the
!destination IP address. Please note that the number '1' is used to tie a pair of
!NAT and global commands together. Any number would do as long as both the NAT and
!global commands use it.
!The nat/global command is used only for traffic originating from a higher
!security level interface destined for a lower security level interface. It does
!not impact traffic originated from a lower security level interface destined for a
!higher security level interface. Also note that the tag number '0' cannot be used
!in a nat command unless the intent is not to translate the addresses on the higher
!security interface into any other range of addresses. A typical example is where
!the network on the inside has a globally routable address space with no need to do
!address translation. This is typically known as NAT 0.
nat (inside) 1 10.0.0.0 255.255.255.0
!The nat command that follows is deployed in the same fashion as described
!in the previous comment. The only difference is that the traffic is assumed to be
!arriving at the DMZ interface rather than the inside interface. Please note that
!more than one nat command can be tied to the same 'global' command, as is
!happening here.
nat (dmz) 1 192.168.0.0 255.255.255.0
!The two global commands that follow are tied to the two nat commands defined
!above. The first global command defines the range of IP addresses to be used to
!translate the private IP address of packets arriving on the inside or DMZ
!interfaces and destined for the outside interface. This command is used for a
!one-to-one NAT translation, meaning that once the 21 IP addresses
!(209.165.201.10-209.165.201.30) defined herein are used up, this command cannot do any more
!translations. That is where the second global command kicks in. This command, with
!only one address specified, is used to do PAT on the packets, in the same way that the first
!command did one-to-one NAT on the packets. This way it can translate numerous
!private IP addresses to this one globally routable address and still be able to
!distinguish between them based on the port number used.
global (outside) 1 209.165.201.10-209.165.201.30
global (outside) 1 209.165.201.5
!The global command that follows is used to translate the private IP addresses of
!the packets arriving on the inside interface destined for the DMZ interface.
!Please note that this is a one-to-one NAT only, meaning that only 11 hosts on the
!inside network can access the DMZ network at a time. Also, please note that the
!IP addresses defined in this command are private, taken from the DMZ subnet. This
!is OK because the packets are not going out on a public network, just the DMZ network.
global (dmz) 1 192.168.0.10-192.168.0.20
!The command that follows is used to create a static NAT translation through the
!PIX firewall. This is needed because you have a web server on the DMZ network
!that needs to be accessed from the public network using the IP address
!209.165.201.6 instead of its private address, 192.168.0.2. Please note that we
!are taking advantage of the 'name' command here to avoid typing in the IP address.
!Also note that the server will still be accessible from the inside network using
!its 192 address because you are not creating any static translation between the
!inside interface and the DMZ interface. None is needed because the inside network
!is on a higher security level than the DMZ interface and can access it without
!needing static translations or access list permissions.
static (dmz,outside) 209.165.201.6 webserver
!The access list below is being created to allow the world sitting on the public
!network to access the web server using its globally routable address on port 80
!only. The access-group command applies the access list to the outside interface
!in the incoming direction, that is, the direction in which traffic coming from the
!public network enters the outside interface. Please note that PIX access lists
!can be applied only in the "in" direction. As always, there is an implicit deny
!statement at the bottom of the access list.
access-list acl_out permit tcp any host 209.165.201.6 eq http
access-group acl_out in interface outside
!The rip passive command below turns on RIP on the outside interface such that the
!PIX listens for RIP updates on this interface and updates its routing tables.
!Also note that RIP v2 authentication has been turned on. The number at the end is
!the key ID, which must be the same on the router and the PIX sharing updates.
rip outside passive version 2 authentication md5 keyforsaadat 2
!The rip default command forces the PIX to send a default RIP route to other RIP
!devices sitting on the outside interface
rip outside default version 2 authentication md5 keyforsaadat 2
!The rip passive command below is similar to the previous command, but in this case
!RIP v1 is being used, which does not support authentication
rip inside passive version 1
!The rip passive command below is similar to the commands above, but in this case,
!although RIP v2 is being used, no authentication has been turned on because the
!DMZ network is considered somewhat safe
rip dmz passive version 2
!The route outside command below is a default route. If the PIX is unable to
!determine the interface to which it must forward a packet using its ARP table, it
!must use the route table to find out what to do. The interface name in the route
!command specifies the interface on which the PIX must send an ARP request for
!the IP address listed as the default gateway if it does not already have it in its
!ARP cache. Once the PIX has the MAC address of the IP address specified in the
!route command, it forwards the packet on the interface specified in the route
!command using this MAC address as the destination. The number 1 at the end
!specifies the metric for the route. A metric is used to choose the better route if
!more than one route is configured for the same destination.
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
!The timeout command below defines how long a NAT translation created through the
!PIX may stay idle before it is removed. The value configured is 1 hour
timeout xlate 1:00:00
!The timeout command below defines how long the PIX will allow a connection to
!remain idle before it removes the entry. Please note that although the TCP
!protocol itself does not have a timeout built into it, the PIX firewall does
!implement its own timeout for such connections. The value configured here is 1
!hour. The half-closed time is used to specify how long the PIX will allow a
!half-closed connection to linger. This is an important timer to take care of
!applications that get killed without getting the chance to close their TCP
!connections entirely. The UDP timer is for UDP connections through the PIX, as
!discussed in the ASA section on UDP
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
!The timer that follows defines how long the PIX caches a user's
!authentication and authorization credentials. The absolute keyword runs the
!timer continuously, irrespective of whether the user is idle
timeout uauth 0:05:00 absolute
!The sysopt commands below turn on some of the security features that are
!desirable for specific network environments. Please see the discussion in the
!sections on sysopt commands and the Guard features for more details
sysopt connection timewait
sysopt connection tcpmss
sysopt security fragguard
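The following is an added example, not code from the book: it models how the PIX in Example 8-1 picks an outside address for a new inside-to-outside connection, using the one-to-one pool and PAT address of the two global commands and the 1-hour timeout xlate value. The inside hosts and the sequential PAT port choice are constructed simplifications.

```python
import ipaddress

# Added example, not from the book. Pool, PAT address and timeout come from
# Example 8-1; the hosts and the PAT port allocation are constructed.
POOL_FIRST, POOL_LAST = "209.165.201.10", "209.165.201.30"  # 21 one-to-one addresses
PAT_ADDRESS = "209.165.201.5"                                # second global command
XLATE_TIMEOUT = 3600                                         # timeout xlate 1:00:00

def pool_addresses(first, last):
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]

class XlateTable:
    def __init__(self):
        self.free = pool_addresses(POOL_FIRST, POOL_LAST)
        self.nat = {}          # inside ip -> [global ip, last-used time]
        self.pat = {}          # (inside ip, port) -> (PAT ip, PAT port)
        self.next_port = 1024  # constructed: PAT ports handed out sequentially

    def translate(self, src_ip, src_port, now):
        """Return the (global ip, global port) a packet from src_ip:src_port leaves with."""
        if src_ip in self.nat:                 # existing one-to-one xlate: reuse it, refresh timer
            self.nat[src_ip][1] = now
            return self.nat[src_ip][0], src_port
        if self.free:                          # first global command: one-to-one from the pool
            self.nat[src_ip] = [self.free.pop(0), now]
            return self.nat[src_ip][0], src_port
        key = (src_ip, src_port)               # pool exhausted: second global command does PAT
        if key not in self.pat:
            self.pat[key] = (PAT_ADDRESS, self.next_port)
            self.next_port += 1
        return self.pat[key]

    def expire(self, now):
        """Drop one-to-one xlates idle for XLATE_TIMEOUT; their addresses go back to the pool."""
        idle = [ip for ip, (_, last) in self.nat.items() if now - last >= XLATE_TIMEOUT]
        for ip in idle:
            self.free.append(self.nat.pop(ip)[0])
        self.free.sort(key=lambda a: int(ipaddress.IPv4Address(a)))
        return len(idle)
```

Running 25 inside hosts through the table shows the 22nd host onward sharing 209.165.201.5 with distinct ports, and expiring idle xlates returns pool addresses for reuse.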

This case study not only gave you an overview of one of the most commonly used PIX configurations but also reviewed the most common commands in the PIX setup. Larger PIX setups, meaning ones involving more than just the three interfaces, are done using configurations similar to the configuration in Example 8-1.
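As an added example (not from the book), here is a small lint that checks a PIX configuration against the rules the comments in Example 8-1 describe: every numbered nat needs a global on a lower-security interface, every access-group needs a defined access-list, and a host permitted inbound on an interface needs a static there. The SAMPLE config is a constructed excerpt of Example 8-1 with two deliberate defects (a nat tag 2 with no global, and a permit for 209.165.201.7 with no static).

```python
# Constructed excerpt of Example 8-1 plus two deliberate defects (added example, not the book's).
SAMPLE = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 2 10.0.1.0 255.255.255.0
global (outside) 1 209.165.201.10-209.165.201.30
static (dmz,outside) 209.165.201.6 192.168.0.2
access-list acl_out permit tcp any host 209.165.201.6 eq http
access-list acl_out permit tcp any host 209.165.201.7 eq smtp
access-group acl_out in interface outside
"""

def parse(config):
    d = {"sec": {}, "nat": [], "global": {}, "acl": {}, "group": {}, "static": {}}
    for line in config.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "nameif":                      # nameif <hw> <name> security<N>
            d["sec"][t[2]] = int(t[3].replace("security", ""))
        elif t[0] == "nat":                       # nat (<iface>) <tag> <net> <mask>
            d["nat"].append((t[1].strip("()"), t[2]))
        elif t[0] == "global":                    # global (<iface>) <tag> <pool>
            d["global"].setdefault(t[2], set()).add(t[1].strip("()"))
        elif t[0] == "static":                    # static (<high>,<low>) <global> <local>
            d["static"].setdefault(t[1].strip("()").split(",")[1], set()).add(t[2])
        elif t[0] == "access-list":               # access-list <name> <rule...>
            d["acl"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":              # access-group <acl> in interface <iface>
            d["group"][t[4]] = t[1]
    return d

def lint(config):
    d, findings = parse(config), []
    for iface, tag in d["nat"]:                   # nat 0 is identity and needs no global
        if tag != "0" and not any(d["sec"][g] < d["sec"][iface] for g in d["global"].get(tag, ())):
            findings.append(f"nat ({iface}) {tag} has no matching global on a lower-security interface")
    for iface, acl in d["group"].items():
        if acl not in d["acl"]:
            findings.append(f"access-group on {iface} references undefined access-list {acl}")
        for entry in d["acl"].get(acl, []):
            if "host" in entry:                   # the last 'host' token names the destination
                dst = entry[len(entry) - entry[::-1].index("host")]
                if dst not in d["static"].get(iface, set()):
                    findings.append(f"{acl}: {dst} is permitted inbound on {iface} but has no static there")
    return findings
```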
