© 2003, Cisco Systems, Inc. All rights reserved. CSPFA 3.19-1 Chapter 9 Routing.

Transcript:

Chapter 9 Routing

Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
– Explain the routing functionality of the PIX Firewall.
– Configure the PIX Firewall to work with RIP.
– Configure the PIX Firewall to forward multicast traffic.

Static and Dynamic Routing

Static Routes

  pixfirewall(config)# route inside
  pixfirewall(config)# route outside
  pixfirewall(config)# show route
          outside  OTHER static
          inside   OTHER static
          inside   CONNECT static
          outside  CONNECT static

(Figure: Student PC, PIX Firewall, Internet)

Dynamic Routes

  pixfirewall(config)# rip outside passive version 2 authentication md5 MYKEY 2
  pixfirewall(config)# rip inside default

(Figure: Student PC, PIX Firewall, Router A, Router B)

The PIX Firewall accepts encrypted RIP version 2 multicast updates. For example, it could learn the route to network from Router A. The PIX Firewall broadcasts IP address as the default route for devices on the inside interface.

Dynamic Routes (cont.)

  pixfirewall(config)# rip if_name default | passive [version [1 | 2]] [authentication [text | md5 key key_id]]

Changes RIP settings.

  pixfirewall(config)# rip outside passive version 2 authentication md5 MYKEY 2
  pixfirewall(config)# rip outside default version 2 authentication md5 MYKEY 2
  pixfirewall(config)# rip inside passive
  pixfirewall(config)# rip dmz passive version 2
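As an added example (not part of the Cisco course material), a small Python checker for the rip syntax shown above: it parses each rip line and flags what a configuration reviewer would question, since RIP version 1 carries no authentication, version 2 without authentication accepts updates from any neighbour on the segment, and text authentication sends the key in cleartext (MD5 authenticates the updates but does not encrypt them). It assumes that an omitted version means version 1; the four sample commands are the slide's own.

```python
import re
from dataclasses import dataclass

# Syntax from the slide:
#   rip if_name default | passive [version [1 | 2]] [authentication [text | md5 key key_id]]
RIP_RE = re.compile(
    r"^rip\s+(?P<if>\S+)\s+(?P<mode>default|passive)"
    r"(?:\s+version(?:\s+(?P<ver>[12]))?)?"
    r"(?:\s+authentication\s+(?P<auth>text|md5)\s+(?P<key>\S+)\s+(?P<kid>\d+))?\s*$"
)

@dataclass
class RipEntry:
    interface: str
    mode: str                 # "default" (advertise default route) or "passive" (listen only)
    version: int
    auth: "str | None"        # None, "text" or "md5"
    key_id: "int | None"

def parse_rip(line: str) -> RipEntry:
    m = RIP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid rip command: {line!r}")
    auth = m.group("auth")
    # Assumption: an omitted version means RIP version 1 (the PIX default).
    return RipEntry(m.group("if"), m.group("mode"), int(m.group("ver") or 1),
                    auth, int(m.group("kid")) if auth else None)

def audit_rip(config: str) -> list:
    """One finding per rip line that is not RIP version 2 with MD5 authentication."""
    findings = []
    for line in map(str.strip, config.splitlines()):
        if not line.startswith("rip "):
            continue
        e = parse_rip(line)
        if e.version == 1:
            findings.append(f"{e.interface}: RIP v1 has no authentication; use version 2 with md5")
        elif e.auth is None:
            findings.append(f"{e.interface}: RIP v2 without authentication; any host on the segment can inject updates")
        elif e.auth == "text":
            findings.append(f"{e.interface}: text authentication sends the key in cleartext; use md5")
    return findings

# The four rip commands from the slide above, as a constructed config excerpt.
SLIDE_CONFIG = """
rip outside passive version 2 authentication md5 MYKEY 2
rip outside default version 2 authentication md5 MYKEY 2
rip inside passive
rip dmz passive version 2
"""
```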

Multicast

IP Multicasting

(Figure: PIX Firewall with outside, inside and dmz interfaces; multicast router; IP/TV server; IP/TV clients)

The PIX Firewall and IP Multicasting

IP multicasting
–Is the transmission of an IP datagram to a set of hosts identified by a single IP destination address.
–Conserves bandwidth.

Internet Group Management Protocol (IGMP)
–Is an integral part of the IP protocol.
–Is used by IP hosts to report their host group memberships to multicast routers.

In a multicasting environment, the PIX Firewall
–Supports Stub Multicast Routing (SMR), also known as IGMP proxying.
–Does not operate as a full multicast router.
–Forwards IGMP messages between hosts and multicast routers.
–Does not require the construction of GRE tunnels for passing multicast traffic.

Allowing Hosts to Receive Multicast Transmissions

  pixfirewall(config)# multicast interface interface_name [max-groups number]

Enables multicast support on the specified interface and places the interface in multicast promiscuous mode.

  pixfirewall(config-multicast)# igmp forward interface interface_name

Enables forwarding of all IGMP host reports and leave messages received on the interface specified.

  pixfirewall(config-multicast)# igmp join-group group

Enables the PIX Firewall to join a multicast group.

  pixfirewall(config)# multicast interface dmz
  pixfirewall(config-multicast)# exit
  pixfirewall(config)# multicast interface inside
  pixfirewall(config-multicast)# igmp forward interface dmz
  pixfirewall(config-multicast)# igmp join-group

Inside Receiving Hosts Example

  pixfirewall(config)# multicast interface dmz
  pixfirewall(config-multicast)# exit
  pixfirewall(config)# multicast interface inside
  pixfirewall(config-multicast)# igmp forward interface dmz

1. The host sends an IGMP report: Source, Destination, IGMP group.
2. The PIX Firewall accepts the packet, and IGMP places the inside interface on the output list for the group.
3. The PIX Firewall forwards the packet to the multicast router: Source, Destination, IGMP group.
4. The router places the input interface on the output list for the group.
5. Packets from the multicast server arrive at the router, which forwards them to the necessary interfaces.
6. The PIX Firewall accepts the packets and forwards them to the interfaces for the group.

(Figure: PIX Firewall, multicast server, multicast router)

Forwarding Multicasts from a Transmission Source

  pixfirewall(config)# mroute src smask in-if-name dst dmask out-if-name

Specifies a static multicast route.

  pixfirewall(config)# multicast interface outside
  pixfirewall(config-multicast)# exit
  pixfirewall(config)# multicast interface inside
  pixfirewall(config-multicast)# mroute inside outside
  pixfirewall(config-multicast)# exit
  pixfirewall(config)# multicast interface dmz
  pixfirewall(config-multicast)# mroute dmz outside
  pixfirewall(config-multicast)# exit

Inside Multicast Transmission Source Example

  pixfirewall(config)# multicast interface outside
  pixfirewall(config-multicast)# exit
  pixfirewall(config)# multicast interface inside
  pixfirewall(config-multicast)# mroute inside outside

(Figure: PIX Firewall, multicast source, member of group)
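To make the Inside Receiving Hosts and Inside Multicast Transmission Source examples concrete, here is an added Python model of the SMR behaviour those slides describe (example code, not Cisco's): igmp forward interface puts a reporting interface on the group's output list and proxies the report toward the router-facing interface, and mroute matches a source and group against the configured networks before forwarding out the named interface. Interface names follow the slides; the 10.1.1.0/24 and 224.0.0.0/4 networks and all host addresses are constructed, and IGMP timers and group limits are left out.

```python
import ipaddress
from collections import defaultdict

class StubMulticastRouter:
    """Toy model of PIX SMR: IGMP proxying plus static mroutes, no PIM or group discovery."""
    def __init__(self):
        self.enabled = set()             # "multicast interface <name>"
        self.igmp_forward = {}           # host-facing iface -> iface towards the multicast router
        self.mroutes = []                # (src_net, in_if, group_net, out_if)
        self.members = defaultdict(set)  # group -> interfaces that reported a member (output list)

    def multicast_interface(self, name):
        self.enabled.add(name)

    def igmp_forward_interface(self, host_if, router_if):
        self.igmp_forward[host_if] = router_if

    def mroute(self, src, smask, in_if, dst, dmask, out_if):
        self.mroutes.append((ipaddress.ip_network(f"{src}/{smask}", strict=False), in_if,
                             ipaddress.ip_network(f"{dst}/{dmask}", strict=False), out_if))

    def igmp_report(self, iface, group):
        """Slide steps 1-3: put iface on the group's output list; return where the report is proxied."""
        if iface not in self.enabled:
            return None
        self.members[group].add(iface)
        return self.igmp_forward.get(iface)

    def data_packet(self, iface, src, group):
        """Slide steps 5-6: deliver to member interfaces proxied via iface, plus matching mroutes."""
        if iface not in self.enabled:
            return []
        outs = {i for i in self.members[group] if self.igmp_forward.get(i) == iface}
        for src_net, in_if, grp_net, out_if in self.mroutes:
            if (in_if == iface and ipaddress.ip_address(src) in src_net
                    and ipaddress.ip_address(group) in grp_net):
                outs.add(out_if)
        return sorted(outs)

def build_pix():
    """Both slide configurations on one box; all addresses are constructed for the example."""
    pix = StubMulticastRouter()
    for name in ("outside", "dmz", "inside"):
        pix.multicast_interface(name)
    pix.igmp_forward_interface("inside", "dmz")     # receivers inside, multicast router on dmz
    pix.mroute("10.1.1.0", "255.255.255.0", "inside",
               "224.0.0.0", "240.0.0.0", "outside")  # inside source, receivers beyond outside
    return pix
```

A datagram arriving from the outside interface is not delivered to inside members, because the PIX only proxies group membership toward the interface named in igmp forward interface.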

Configuring Other IGMP Options

  pixfirewall(config-multicast)# igmp version 1 | 2

Sets the version of IGMP to be used.

  pixfirewall(config-multicast)# igmp query-max-response-time seconds

Sets the maximum query response time (for IGMP version 2 only).

  pixfirewall(config-multicast)# igmp query-interval seconds

Configures the frequency at which IGMP query messages are sent by the interface.

  pixfirewall(config-multicast)# igmp version 2
  pixfirewall(config-multicast)# igmp query-interval 120
  pixfirewall(config-multicast)# igmp query-max-response-time 50

Viewing Your SMR Configuration

  pixfirewall(config)# show multicast [interface interface_name]

Displays all or per-interface multicast settings.

  pixfirewall(config)# show igmp [group | interface interface_name] [detail]

Displays multicast-related information about one or more groups.

  pixfirewall(config)# show mroute [dst [src]]

Displays multicast routes.

Debugging Your SMR Configuration

  pixfirewall(config)# debug igmp

Enables debugging for IGMP events.

  pixfirewall(config)# debug mfwd

Enables debugging for multicast forwarding events.

Summary

Summary

– You can add static routes to the PIX Firewall to enable access to networks connected outside a router on any interface.
– The PIX Firewall can be configured to listen for RIP version 1 or RIP version 2 routing broadcasts.
– The PIX Firewall cannot pass RIP updates between interfaces.
– When RIP version 2 is configured in passive mode, the PIX Firewall accepts RIP version 2 multicast updates with the IP destination of
– The PIX Firewall transmits default route updates using an IP destination of if configured for the RIP version 2 default mode.

Summary (cont.)

– The PIX Firewall supports Stub Multicast Routing, which enables it to pass multicast traffic.
– The PIX Firewall can be configured to forward multicasts from a transmission source on a higher security level interface to receivers on a lower security level interface.
– The PIX Firewall can also be configured to allow hosts on a higher security level interface to receive multicasts from a host on a lower security level interface.