The write command works the same way as the write command on a Cisco router. For those of you relatively new to Cisco equipment, this command has largely been replaced on routers by the copy command. The write command can take any of the following formats:
write net [[server_ip_address]:[filename]]
write erase
write floppy
write memory
write terminal
write standby
The write net command writes the configuration across the network to a Trivial File Transfer Protocol (TFTP) server under the specified filename. If no server IP address or filename is entered, the user is prompted for them.
The write erase command clears the Flash memory configuration. The write floppy command writes the configuration to the floppy disk, if the PIX has a floppy. The write memory command stores the configuration in RAM memory. The write terminal command shows the current configuration on the terminal. The write standby command writes the configuration to the RAM memory of the failover, or standby, PIX.
At this point, you have completed a basic configuration. You are ready to move toward a more realistic situation, such as a network with a mail server and an FTP server.
Realistic Configuration
Although the basic configuration suffices to illustrate how simple it is to configure the PIX, there are a few more items that almost all systems need. Three examples are Web services, e-mail services, and FTP services. This configuration will show how access from the outside to the inside of the PIX can be allowed.
The default configuration for the PIX Firewall is to prevent all access from an interface with a lower security level through an interface with a higher security level. The configuration in this section shows how access can be allowed without losing security protection on the whole network subnet, or even on the hosts that you allow to be seen from the outside.
Figure 4-6 shows the layout for this scenario. Note that the 192.168.1.0/24 network has been given routable IP addresses, because you need people on the Internet to be able to browse your Web server, download files from your FTP server, and send mail to and receive mail from your e-mail server.
Figure 4-6. Realistic PIX Configuration
As shown in Figure 4-6, the interior router and the inside interface of the PIX are on a separate network. This is not mandatory. However, if there is a spare Ethernet interface on the interior router and there are plans to use a nat 0 command, using a spare interface on the inside router is advised, because the PIX will send an ARP request to a router for the address of each request. Repeated ARP requests can cause an excessive load on an overtaxed network. Connecting the PIX directly to a router interface also ensures that packets to and from the PIX are not delayed by issues such as collisions and broadcast storms. Finally, the interior router can and should be configured with at least simple access lists to ensure that only authorized traffic is traversing the network. This might seem like too much trouble for some administrators. However, security should become a pervasive attitude throughout the network engineering staff. Having an extra layer of protection is never a waste of effort.
You now have three major design changes to make to your system. You must first allow WWW traffic to reach the Web server, whose IP address is 10.1.1.30. This IP address needs to be statically translated to a routable address on the Internet. One of the easiest ways to keep track of static IP translations is to use the same last octet in both addresses. In the case of the Web server, you will use 30 as the last octet. The second change is to allow e-mail through to the mail server. The third change is to allow FTP traffic to the FTP server. All of these servers need a static translation, because if you simply rely on the default NAT settings on the PIX and allow traffic into the LAN, you cannot be sure which host will be using a given outside IP address at any given time.
Issue a write erase command on the PIX. This erases the saved configuration. Turn the PIX power off and then back on to arrive at a clean state. Enter the following commands while in enable mode on the PIX. This section covers each change after the lines are entered. Again, the lines are separated for clarity.
enable password enablepass encrypted
passwd password encrypted
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 10baset
ip address outside 192.168.1.1 255.255.255.0
ip address inside 172.30.1.2 255.255.255.252
global (outside) 1 192.168.1.50-192.168.1.253 255.255.255.0
global (outside) 1 192.168.1.254 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
static (inside, outside) 192.168.1.30 10.1.1.30 netmask 255.255.255.255 0 0
static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.1.30 eq http any
conduit permit tcp host 192.168.1.35 eq ftp any
conduit permit tcp host 192.168.1.49 eq smtp any
route outside 0 0 192.168.1.2 1
route inside 10.1.1.0 255.255.255.0 172.30.1.1 1
arp timeout 7200
write mem
There are only a few changes from the basic configuration. You first changed the inside IP address to reflect the separate network between the PIX and the interior router. The two global commands shown next assign both NAT and PAT for use by the inside hosts. Because you used a range of IP addresses, the first global command allows each host on the LAN to get a dynamically assigned global address, or NAT. Once all of the available global IP addresses are in use, any further hosts attempting to connect to the outside will use PAT. The second global line is critical because it reserves one address for use with PAT. If a single address is not reserved for PAT, hosts beyond the NAT range will simply not be able to get through the PIX. The users will think that the Internet connection has been dropped, because they will receive no indication of a problem other than a lack of connection.
You might wonder why the range of IP addresses starts at 50 in the first global command. This leaves room for servers to have static IP addresses. The number 50 was arbitrarily chosen. Whatever number is chosen should ensure that there are sufficient reserved IP addresses for all servers on the network. You could also have reserved a set of IP addresses at the upper end of the network. The inside and outside routes were also changed to reflect the network as shown in Figure 4-6. You are now actually ready to allow users on the Internet to access your e-mail, FTP, and Web services.
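The address-plan rules just described (dynamic NAT from the range, PAT fallback from the single reserved address, and static addresses kept clear of both) can be checked before a configuration is loaded. The following Python script is an added example, not code from the book or from Cisco: it parses a constructed copy of the global, nat, and static lines above, models the allocation behaviour the text describes, and flags the two mistakes the text warns about, a missing PAT address and a static address that collides with the dynamic range.

```python
import ipaddress
import re

# Constructed copy of the global/nat/static lines from the configuration above.
# This is sample input for the audit below, not output from a live PIX.
PIX_CONFIG = """\
global (outside) 1 192.168.1.50-192.168.1.253 255.255.255.0
global (outside) 1 192.168.1.254 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
static (inside, outside) 192.168.1.30 10.1.1.30 netmask 255.255.255.255 0 0
static (inside, outside) 192.168.1.35 10.1.1.35 netmask 255.255.255.255 0 0
static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0
"""

GLOBAL_RE = re.compile(r"^global \(\w+\) (\d+) (\S+) \S+$", re.M)
STATIC_RE = re.compile(r"^static \(\w+,\s*\w+\) (\S+) (\S+) netmask", re.M)


def expand_range(spec):
    """'a.b.c.d-a.b.c.e' -> every address in the range, as strings."""
    lo, hi = (int(ipaddress.IPv4Address(x)) for x in spec.split("-"))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


def parse_globals(config):
    """Return {nat_id: {"nat": [addresses in the dynamic range], "pat": address or None}}."""
    pools = {}
    for nat_id, spec in GLOBAL_RE.findall(config):
        pool = pools.setdefault(int(nat_id), {"nat": [], "pat": None})
        if "-" in spec:
            pool["nat"].extend(expand_range(spec))  # range line: one-to-one NAT
        else:
            pool["pat"] = spec                      # single address: PAT
    return pools


def parse_statics(config):
    """Return [(global_address, inside_address), ...] for each static line."""
    return STATIC_RE.findall(config)


def simulate_outbound(pools, nat_id, inside_hosts):
    """Model of the behaviour the text describes: each inside host takes an address
    from the dynamic range until it is exhausted, after which hosts share the PAT
    address. A host that can get neither maps to (None, None): the silent failure."""
    pool = pools[nat_id]
    free = list(pool["nat"])
    mapping = {}
    for host in inside_hosts:
        if free:
            mapping[host] = ("NAT", free.pop(0))
        elif pool["pat"] is not None:
            mapping[host] = ("PAT", pool["pat"])
        else:
            mapping[host] = (None, None)
    return mapping


def audit(config, nat_id=1):
    """Summarise the address plan and flag the two mistakes discussed in the text."""
    pools = parse_globals(config)
    pool = pools.get(nat_id, {"nat": [], "pat": None})
    dynamic = set(pool["nat"]) | ({pool["pat"]} if pool["pat"] else set())
    return {
        "nat_pool_size": len(pool["nat"]),
        "pat_address": pool["pat"],
        "pat_missing": pool["pat"] is None,
        # a static global address inside the dynamic range would be handed out twice
        "static_overlaps": [g for g, _ in parse_statics(config) if g in dynamic],
    }


if __name__ == "__main__":
    hosts = [f"10.1.1.{n}" for n in range(1, 251)]
    print(audit(PIX_CONFIG))
    m = simulate_outbound(parse_globals(PIX_CONFIG), 1, hosts)
    print(m["10.1.1.1"], m["10.1.1.204"], m["10.1.1.205"])
```

Running it against the configuration above reports a 204-address NAT range, 192.168.1.254 as the PAT address, and no static overlaps; deleting the second global line makes host 205 and beyond map to nothing, which is exactly the "connection dropped" symptom the text describes.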
Setting up to allow e-mail to traverse the PIX requires a few new commands. These replace the mailhost command used in previous versions of the PIX. The commands are covered later in this section. Enter the following lines into the PIX configuration.
static (inside, outside) 192.168.1.49 10.1.1.49 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.1.49 eq smtp any
That is all that is required to allow SMTP packets to traverse the PIX to the server with the 10.1.1.49 IP address. Users outside the PIX will see this server as 192.168.1.49. Packets sent to 192.168.1.49 will have NAT applied to them and will be forwarded to 10.1.1.49. Only the SMTP commands HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT are allowed through the PIX. The response to all other SMTP commands is an OK packet from the PIX. You added two new commands here, the static and the conduit commands. Each of them will be examined before moving on to the FTP and Web servers.
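The command filtering just described is worth seeing on a concrete session, because it shows what the inside mail server actually receives. The following Python model is an added example, not PIX code or anything from the book: it applies the allowed-command list from the text to a constructed client transcript, marking each line as forwarded to the server or answered by the PIX itself. How the real PIX tracks the DATA phase is not stated on the page; the assumption made here is that lines after a forwarded DATA, up to the lone "." terminator, are message body and pass through unfiltered.

```python
# Commands the text lists as forwarded by the PIX to the inside mail server (10.1.1.49).
ALLOWED_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def filter_smtp_session(client_lines):
    """Return [(line, action)] where action is "forward" (passed to the server) or
    "pix-ok" (answered by the PIX with an OK and never delivered to the server).
    Assumption: after a forwarded DATA, lines up to the lone "." terminator are
    message body rather than commands and are forwarded unfiltered."""
    actions = []
    in_data = False
    for line in client_lines:
        if in_data:
            actions.append((line, "forward"))
            if line.strip() == ".":
                in_data = False
            continue
        parts = line.split()
        verb = parts[0].upper() if parts else ""
        if verb in ALLOWED_VERBS:
            actions.append((line, "forward"))
            in_data = verb == "DATA"
        else:
            actions.append((line, "pix-ok"))
    return actions


def intercepted_verbs(client_lines):
    """Sorted list of command verbs the PIX answered itself, i.e. the commands
    a given client transcript would never get to exercise on the server."""
    return sorted({line.split()[0].upper()
                   for line, action in filter_smtp_session(client_lines)
                   if action == "pix-ok" and line.split()})


# Constructed client transcript: an ordinary delivery with two non-listed commands mixed in.
SAMPLE_SESSION = [
    "HELO relay.example.net",
    "VRFY postmaster",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "Subject: hello",
    "",
    "EXPN looks like a command but is body text here",
    ".",
    "EXPN staff",
    "QUIT",
]

if __name__ == "__main__":
    for line, action in filter_smtp_session(SAMPLE_SESSION):
        print(f"{action:8} {line}")
```

On the sample transcript the two VRFY/EXPN commands sent outside the DATA phase are answered by the PIX, while the line beginning with EXPN inside the message body is delivered as ordinary content; the server therefore only ever sees the seven listed commands plus message text.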