© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.25-1 Lesson 5 Getting Started with the Cisco PIX Firewall.

Transcript:



Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
- Describe the PIX Firewall access modes.
- Navigate the PIX Firewall's user interface and examine the PIX Firewall's status.
- Describe the ASA security levels.
- Describe and execute the basic configuration commands.
- Configure the PIX Firewall to send Syslog messages to a Syslog server.
- Configure the PIX Firewall as a DHCP client.

User Interface

Access Modes
The PIX Firewall has four administrative access modes:
- Unprivileged mode (prompt: pixfirewall>)
- Privileged mode (prompt: pixfirewall#)
- Configuration mode (prompt: pixfirewall(config)#)
- Monitor mode (prompt: monitor>)

Access Privileged Mode: enable and enable password Commands
  enable [priv_level]                                 (pixfirewall>)         Enables you to enter other access modes
  enable password pw [level priv_level] [encrypted]   (pixfirewall(config)#) Used to control access to the privileged mode
Example:
  pixfirewall> enable
  password:
  pixfirewall#
  pixfirewall(config)# enable password cisco123

Access Configuration Mode: configure terminal Command
  configure terminal   (pixfirewall#)   Used to start configuration mode to enter configuration commands from a terminal
  exit                                  Used to exit from an access mode
Example:
  pixfirewall# configure terminal
  pixfirewall(config)# exit
  pixfirewall# exit
  pixfirewall>

Changing the Hostname CLI Prompt
  hostname newname   (pixfirewall(config)#)   Changes the hostname in the PIX Firewall command line prompt
Example:
  pixfirewall(config)# hostname chicago
  chicago(config)#
[Figure: servers Chicago, New_York and Dallas]

Configuring the PIX Firewall

Default Setup Dialog
  Pre-configure PIX Firewall now through interactive prompts [yes]?
  Enable Password [ ]: cisco123
  Clock (UTC)
    Year [2002]:
    Month [Aug]:
    Day [27]: 12
    Time [22:47:37]: 14:22:00
  Inside IP address:
  Inside network mask:
  Host name: chicago
  Domain name: cisco.com
  IP address of host running PIX Device Manager:
  Use this configuration and write to flash? Y

console timeout Command
  console timeout number   (pixfirewall(config)#)   Idle time in minutes (0-60) after which the serial-cable console session ends
Example:
  pixfirewall(config)# console timeout 20
[Figure: console session to the PIX Firewall, TFTP server]

banner Command
The banner command configures a banner to display. Banner types: exec, login, motd.
Example:
  chicago(config)# banner exec Unauthorized access is prohibited.
  chicago(config)# banner exec Violators will be prosecuted.
Resulting banner at login:
  Unauthorized access is prohibited.
  Violators will be prosecuted
  Type help or ? for available commands
  chicago>

Viewing and Saving Your Configuration
The following commands enable you to view or save your configuration:
- show running-config
- show startup-config
- write memory
To save configuration changes, use write memory: the running-config (with your configuration changes) is copied to the startup-config (saved).

Erasing Your Configuration
  write erase   (pixfirewall(config)#)   Clears the Flash memory configuration; sets the startup-configuration to its default settings
Example:
  chicago# write erase
  Erase PIX configuration in Flash memory? [confirm]

Reload the Configuration: reload Command
  reload [noconfirm]   (pixfirewall(config)#)   Reboots the PIX Firewall and reloads the configuration
Example:
  chicago# reload
  Proceed with reload? [confirm] y
  Rebooting...
  PIX Bios V2.7..

Configuration Backup and Restore: write net and configure net
  write net [server_ip]:[filename]       (pixfirewall(config)#)   Stores the current running configuration to a file on a TFTP server
  configure net [server_ip]:[filename]   (pixfirewall(config)#)   Downloads a configuration file from a TFTP server
Example (TFTP server: IP address, path pixfirewall/config, file test_config):
  pixfirewall(config)# write net :/pixfirewall/config/test_config
  pixfirewall(config)# configure net

TFTP Server Parameters: tftp-server Command
  tftp-server [if_name] ip_address path   (pixfirewall(config)#)   Specifies the IP address of a TFTP configuration server and the path and filename
Example (TFTP server: IP address, path pixfirewall/config, file test_config):
  pixfirewall(config)# tftp-server pixfirewall/config/test_config
  pixfirewall(config)# write net

Host Name-to-IP Address Mapping: name Command
  names
  name ip_address name   (pixfirewall(config)#)   Configures a list of name-to-IP address mappings on the PIX Firewall
Example:
  chicago(config)# names
  chicago(config)# name bastionhost
  chicago(config)# name insidehost

ASA Security Levels

Functions of the ASA
- Implements stateful connection control through the PIX Firewall.
- Allows one-way (outbound) connections with a minimum number of configuration changes. An outbound connection is a connection originating from a host on a more-protected interface and destined for a host on a less-protected network.
- Monitors return packets to ensure that they are valid.
- Randomizes the first TCP sequence number to minimize the risk of attack.

ASA Security Level Example
- Outside network: interface e0, security level 0, interface name = outside
- DMZ network: interface e2, security level 50, interface name = DMZ
- Inside network: interface e1, security level 100, interface name = inside

Basic PIX Firewall Configuration

PIX Firewall Basic Commands: nameif, interface, ip address, nat, global, route

Assign an Interface Name and Security Level: nameif Command
  nameif hardware_id if_name security_level   (pixfirewall(config)#)   Assigns a name to each perimeter interface on the PIX Firewall and specifies its security level
Example:
  chicago(config)# nameif ethernet2 dmz sec50
Interfaces in the example:
- ethernet0: interface name = outside, security level = sec0
- ethernet2: interface name = DMZ, security level = sec50
- ethernet1: interface name = inside, security level = sec100

interface Command
  interface hardware_id [hardware_speed] [shutdown]   (pixfirewall(config)#)   Enables an interface and configures its type and speed
Example:
  chicago(config)# interface ethernet0 100full
  chicago(config)# interface ethernet1 100full
  chicago(config)# interface ethernet2 100full

Assign Interface IP Address: ip address Command
  ip address if_name ip_address [netmask]   (pixfirewall(config)#)   Assigns an IP address to each interface
Example (ethernet2, interface name dmz):
  chicago(config)# ip address dmz

DHCP Assigned Address
  ip address outside dhcp [setroute] [retry retry_cnt]   (pixfirewall(config)#)   Enables the DHCP client feature on the outside interface
Example (ethernet0, interface name outside, address assigned by DHCP):
  chicago(config)# ip address outside dhcp

Network Address Translation
[Figure: inside local addresses are mapped through the translation table to addresses from the outside global pool on the way to the Internet]

nat Command
  nat [(if_name)] nat_id address [netmask] [dns] [max_conns] [emb_limit]   (pixfirewall(config)#)   Enables IP address translation
Example:
  chicago(config)# nat (inside) X.X.X.X

global Command
  global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface   (pixfirewall(config)#)
Works with the nat command to assign a registered or public IP address to an internal host when it accesses the outside network through the firewall, e.g.:
  chicago(config)# nat (inside)
  chicago(config)# global (outside)

Configure a Static Route: route Command
  route if_name ip_address netmask gateway_ip [metric]   (pixfirewall(config)#)   Defines a static or default route for an interface
Example:
  chicago(config)# route outside     (default route)
  chicago(config)# route inside      (static route)

Configuration Example
  write terminal
  interface ethernet0 100full
  interface ethernet1 100full
  interface ethernet2 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 dmz security50
  ip address outside
  ip address inside
  ip address dmz
Interfaces in the example:
- ethernet0, 100full: interface name outside, security level 0, IP address
- ethernet2, 100full: interface name dmz, security level 50, IP address
- ethernet1, 100full: interface name inside, security level 100, IP address

Configuration Example (Cont.)
  passwd 2KFQnbNIdI.2KYOU encrypted
  hostname chicago
  names
  name bastionhost
  name insidehost
  nat (inside)
  global (outside)
  route outside      (default route)
  route inside       (static route)
[Figure: global pool on the outside, insidehost on the inside, bastionhost on the dmz]
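The ASA security-level rule from the slides above (a connection may originate on a higher-level interface toward a lower-level one without further configuration, never the reverse) applied to the nameif lines of a configuration like this example. This is an added example, not course material: the sample configuration is constructed (the slide's three interfaces plus an added intf3), and equal security levels are assumed to be denied.

```python
import re

# Constructed sample in the style of the lesson's "Configuration Example":
# the three nameif lines from the slide plus an added fourth interface.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
"""

# Both spellings used in the lesson are accepted: "sec50" and "security50".
NAMEIF_RE = re.compile(r"^nameif\s+(\S+)\s+(\S+)\s+sec(?:urity)?(\d+)$")


def parse_nameif(config):
    """Return {if_name: (hardware_id, security_level)} from the nameif lines."""
    levels = {}
    for line in config.splitlines():
        m = NAMEIF_RE.match(line.strip())
        if m:
            hardware_id, if_name, level = m.groups()
            levels[if_name] = (hardware_id, int(level))
    return levels

def default_allowed(levels, src_if, dst_if):
    """ASA rule from the lesson: higher-security interface -> lower-security
    interface is permitted by default; the reverse needs explicit permission.
    Equal levels are treated as denied (an assumption of this example)."""
    return levels[src_if][1] > levels[dst_if][1]

def default_flows(levels):
    """Every (src, dst) pair that may start a connection by default, listed
    from the most-protected interface outward."""
    pairs = [(s, d) for s in levels for d in levels
             if s != d and default_allowed(levels, s, d)]
    return sorted(pairs, key=lambda p: (-levels[p[0]][1], -levels[p[1]][1]))

def audit_levels(levels):
    """Findings a reviewer would raise before trusting the level scheme."""
    findings = []
    by_level = {}
    for if_name, (_hw, level) in levels.items():
        by_level.setdefault(level, []).append(if_name)
    for level, names in sorted(by_level.items()):
        if len(names) > 1:
            findings.append(f"{sorted(names)} share security level {level}: "
                            "no default traffic between them")
    if levels.get("outside", ("", -1))[1] != 0:
        findings.append("outside interface is not at security level 0")
    if levels.get("inside", ("", -1))[1] != 100:
        findings.append("inside interface is not at security level 100")
    return findings

if __name__ == "__main__":
    print(default_flows(parse_nameif(SAMPLE_CONFIG)))
```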

Examining the PIX Firewall Status

show memory Command
  show memory   (pixfirewall#)   Displays system memory usage information
Example:
  chicago# show memory
  Free memory:   bytes
  Used memory:   bytes
  Total memory:  bytes

show cpu usage Command
  show cpu usage   (pixfirewall#)   Displays CPU use
Example:
  chicago# show cpu usage
  CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

show version Command
  show version   (pixfirewall#)   Displays the PIX Firewall's software version, operating time since its last reboot, processor type, Flash memory type, interface boards, serial number (BIOS identification), and activation key value
Example:
  chicago# show version
  Cisco PIX Firewall Version 6.3(1)
  Compiled on Wed 23-Jul-03 11:49 by morlee
  chicago up 17 hours 59 mins
  Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
  Flash 0x300, 16MB
  ...

show ip address Command
  chicago# show ip address
  System IP Addresses:
    ip address outside
    ip address inside
    ip address dmz
    no ip address intf3
    no ip address intf4
    no ip address intf5
  Current IP Addresses:
    ip address outside
    ip address inside
    ip address dmz
    no ip address intf3
    no ip address intf4
    no ip address intf5

show interface Command
  chicago# show interface
  interface ethernet0 "outside" is up, line protocol is up
    Hardware is i82559 ethernet, address is ff.653a
    IP address , subnet mask
    MTU 1500 bytes, BW Kbit full duplex
    4 packets input, 282 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    20 packets output, 1242 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collisions, 0 deferred
    0 lost carrier, 0 no carrier
    input queue (curr/max blocks): hardware (128/128) software (0
    output queue (curr/max blocks): hardware (0/1) software (0/1)

show nameif Command
  chicago# show nameif
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 dmz security50
  nameif ethernet3 intf3 security15
  nameif ethernet4 intf4 security20
  nameif ethernet5 intf5 security25
Interfaces in the example:
- ethernet0: interface name = outside, security level 0
- ethernet2: interface name = dmz, security level 50
- ethernet1: interface name = inside, security level 100

show nat Command
  show nat   (pixfirewall#)   Displays a single host or range of hosts to be translated
Example:
  chicago(config)# show nat
  nat (inside) X X.X.X.X

show global Command
  show global   (pixfirewall#)   Displays the pool of global addresses
Example:
  chicago(config)# show global
  global (outside) netmask

show xlate Command
  show xlate   (pixfirewall#)   Displays the contents of the translation slots
Example:
  chicago(config)# show xlate
  1 in use, 1 most used
  Global   Local
[Figure: inside local address translated via the xlate table to an address from the outside global pool]

ping Command
  ping host   (pixfirewall#)   Determines whether other IP addresses are visible from the PIX Firewall
Example:
  chicago# ping
  response received -- 0Ms

Time Setting and NTP Support

clock Command
  clock set hh:mm:ss {day month | month day} year   (pixfirewall(config)#)   Sets the PIX Firewall clock
Example (resulting time: Wed 23-Jul-03 21:00):
  chicago(config)# clock set 21:0:0 jul

Setting Daylight Savings Time and Time Zones
  clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]   (pixfirewall(config)#)   Displays summertime hours during the specified summertime date range
  clock timezone zone hours [minutes]   (pixfirewall(config)#)   Sets the clock display to the time zone specified
Example, specifying that summertime starts on the first Sunday in April at 2 a.m. and ends on the last Sunday in October at 2 a.m.:
  chicago(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00

ntp Command
  ntp server ip_address [key number] source if_name [prefer]   (pixfirewall(config)#)   Synchronizes the PIX Firewall with a network time server
Example:
  chicago(config)# ntp authentication-key 1234 md5 cisco123
  chicago(config)# ntp trusted-key 1234
  chicago(config)# ntp server key 1234 source inside prefer
  chicago(config)# ntp authenticate

Syslog Configuration

Configure Syslog Output to a Syslog Server
[Figure: the PIX Firewall sends Syslog messages to a Syslog server]

Syslog Messages
The PIX Firewall sends Syslog messages to document the following events:
- Security
- Resources
- System
- Accounting

Configure Message Output to the PIX Firewall Buffer
  logging on                        (pixfirewall(config)#)   Enables logging
  logging buffered level            (pixfirewall(config)#)   Sends Syslog messages to an internal buffer
  logging message syslog_id level   (pixfirewall(config)#)   Enables a specific Syslog message or changes a Syslog message level
  logging standby                   (pixfirewall(config)#)   Allows a standby unit to send Syslog messages
  clear logging                     (pixfirewall(config)#)   Clears the internal buffer
  show logging                      (pixfirewall#)           Displays current logging settings and the messages from the internal buffer

Configure Message Output to a Syslog Server
  logging host [in_if_name] ip_address [protocol/port]   (pixfirewall(config)#)   Designates the Syslog host server
  logging trap level                                     (pixfirewall(config)#)   Sets the logging level
  logging on                                             (pixfirewall(config)#)   Enables logging

Configure Message Output to a Syslog Server (Cont.)
  logging facility facility   (pixfirewall(config)#)   Sets the facility marked on all messages
  logging timestamp           (pixfirewall(config)#)   Starts and stops sending time stamped messages

Logging Device-ID
  logging device-id {hostname | ipaddress | string}   (pixfirewall(config)#)   Displays a unique device ID in syslog messages
Example (firewall PIX6):
  pix6(config)# logging device-id hostname

Logging Configuration Example
  chicago(config)# logging host inside
  chicago(config)# logging trap warnings
  chicago(config)# logging timestamp
  chicago(config)# logging on
[Figure: Syslog messages from the PIX Firewall to the Syslog server on the inside]
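An added example (not part of the course) that reads the logging commands of an example like the one above and answers two questions a reviewer asks of such a configuration: which severities actually reach the Syslog server, and which of the commands from the preceding slides (logging on, logging host, logging trap, logging timestamp, logging device-id) are missing. The severity keywords follow standard syslog order; the server address 192.0.2.10 is a placeholder, udp/514 is assumed as the default transport, and interface names are assumed not to start with a digit.

```python
# Severity keywords accepted by "logging trap level", in standard syslog order.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed config fragment modelled on the lesson's logging example; the
# server address 192.0.2.10 is a documentation placeholder, not a slide value.
SAMPLE_LOGGING = """\
logging host inside 192.0.2.10
logging trap warnings
logging timestamp
logging on
"""

def parse_logging(config):
    """Collect the logging commands covered in the lesson into one dict."""
    cfg = {"on": False, "hosts": [], "trap": None, "timestamp": False,
           "device_id": None}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "logging":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword == "on":
            cfg["on"] = True
        elif keyword == "host" and args:
            # logging host [in_if_name] ip_address [protocol/port]
            # (assumption: an interface name never starts with a digit)
            if_name = None if args[0][0].isdigit() else args.pop(0)
            address = args.pop(0)
            transport = args[0] if args else "udp/514"  # assumed PIX default
            cfg["hosts"].append((if_name, address, transport))
        elif keyword == "trap" and args:
            cfg["trap"] = SEVERITY.get(args[0], int(args[0]) if args[0].isdigit() else None)
        elif keyword == "timestamp":
            cfg["timestamp"] = True
        elif keyword == "device-id" and args:
            cfg["device_id"] = " ".join(args)
    return cfg

def forwarded(cfg, severity):
    """True when a message of this severity reaches the syslog server: logging
    must be on, a host must be set, and severity <= the trap level."""
    return bool(cfg["on"] and cfg["hosts"] and cfg["trap"] is not None
                and severity <= cfg["trap"])

def audit_logging(cfg):
    """Findings for a logging setup that would send nothing, or far too much."""
    checks = [
        (not cfg["on"], "'logging on' missing: no messages are generated"),
        (not cfg["hosts"], "no 'logging host': nothing is sent off-box"),
        (cfg["trap"] is None, "no 'logging trap level': server level unset"),
        (cfg["trap"] == SEVERITY["debugging"], "trap level debugging floods the server"),
        (not cfg["timestamp"], "'logging timestamp' missing: messages carry no time"),
        (cfg["device_id"] is None, "no 'logging device-id': source firewall is ambiguous"),
    ]
    return [message for bad, message in checks if bad]
```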


Summary
- The PIX Firewall has four administrative access modes: unprivileged, privileged, configuration, and monitor.
- Interfaces with a higher security level can access interfaces with a lower security level, while interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.
- Using the PIX Firewall general maintenance commands helps you manage the PIX Firewall. The commands include the following: enable, write, show, and reload.

Summary (Cont.)
- The basic commands necessary to configure the PIX Firewall are the following: nameif, interface, ip address, nat, global, and route.
- The nat and global commands work together to translate IP addresses.
- The PIX Firewall can send Syslog messages to a Syslog server.
- The PIX Firewall can function as a DHCP client.

Lab Exercise

Lab Visual Objective
[Figure: lab topology for Pods 1–5 and Pods 6– with, per pod, a student PC (local 10.0.P.11 / 10.0.Q.11), a PIX Firewall, a bastion host running Web or FTP, a server running Web or FTP, Cisco Secure ACS, and Syslog, RTS, RBB, and a Web, FTP, and DHCP server]