
CCNA Document - Cisco PIX Firewall _www.bit.ly/taiho123


Cisco PIX Firewall
John Joo
APAC Channels Technical Operations

© 2002, Cisco Systems, Inc. All rights reserved.

PIX Advanced


PIX Technical Development Program Agenda

• Product Review
• Six Primary Commands
• VLAN Support
• Syslog Configuration
• Access Control Lists
• Java and Active X filtering
• URL Filtering
• Fixup Protocols


PIX Technical Development Program Agenda

• Attack Guards
• IDS
• Failover
• VPNs
• System Maintenance


• OSPF
• PDM 3.0
• Lab Instructions



PIX Firewall—Review

Stateful firewall with high security and fast performance
• Secure, real-time, embedded operating system—no UNIX or NT security holes
• Adaptive security algorithm provides stateful security
• Cut-through proxy for authentication eliminates application-layer bottlenecks
• Easy management through CLI or PDM GUI


PIX Firewall Family Lineup

Figure (recovered from the slide): a price-versus-functionality chart placing, from low to high, the PIX 501 (SOHO), PIX 506E (ROBO), PIX 515E (SMB), PIX 525 (Enterprise) and PIX 535 (Enterprise/SP), with the Catalyst 6500 Firewall Services Module at the top of the range; a Gigabit Ethernet label also appears on the chart.



PIX Firewall Product Line Overview
(The slide also carries a "GigE Enabled" marker over part of the model row.)

| Model            | 501                 | 506E      | 515E-UR   | 525-UR     | 535-UR    |
| Market           | SOHO                | ROBO      | SMB       | Enterprise | Ent.+, SP |
| MSRP             | $595 or $845        | $1,395    | $7,495    | $13,995    | $37,995   |
| Licensed Users   | 10, 50 or Unlimited | Unlimited | Unlimited | Unlimited  | Unlimited |
| Max VPN Peers    | 10                  | 25        | 2,000     | 2,000      | 2,000     |
| Size (RU)        | <1                  | 1         | 1         | 2          | 3         |
| Processor (MHz)  | 133                 | 300       | 433       | 600        | 1 GHz     |
| RAM (MB)         | 16                  | 32        | 64        | 256        | 1 GB      |
| Max. Interfaces  | 1 10BT + 4 FE       | 2 10BaseT | 6         | 8          | 10        |
| Failover         | No                  | No        | Yes       | Yes        | Yes       |
| Cleartext (Mbps) | 10                  | 20        | 188       | 360        | 1.7 Gbps  |
| 3DES (Mbps)      | 3                   | 16        | 63        | 70         | 95        |



Multi-Gigabit Firewall Module (NEW)

Multi-Gigabit Firewall Acceleration Module for securing enterprise campus, data center and SP networks

Applications
• Enterprise Campus/WAN Perimeter Security
• Data Center Security
• Service Provider Edge Security Services

High performance
• 3 Mpps (5 Gbps) packet processing performance
• 100,000 connections per second, 1 million sessions/sec for HTTP & DNS
• VLANs, DMZ, dynamic routing, failover capabilities
• Multiple blades per chassis supported



The Six Primary Commands
(Review)



PIX Firewall Primary Commands
There are six primary configuration commands for the PIX Firewall:
• nameif
• interface
• ip address
• nat
• global
• route



Command 1: nameif

pixfirewall(config)# nameif hardware_id if_name security_level
• The nameif command assigns a name to each perimeter interface on the PIX Firewall and specifies its security level.

pixfirewall(config)# nameif ethernet2 dmz sec50




Command 2: interface

pixfirewall(config)# interface hardware_id hardware_speed
• The interface command configures the type and capability of each perimeter interface.

pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 10
pixfirewall(config)# interface ethernet2 100



Command 3: ip address

pixfirewall(config)# ip address if_name ip_address [netmask]
• The ip address command assigns an IP address to each interface.

pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0



Command 4: nat

pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]
• The nat command shields IP addresses on the inside network from the outside network.

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0



Command 5: global

pixfirewall(config)# global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
• Works with the nat command to assign a registered or public IP address to an internal host when it accesses the outside network through the firewall.

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
• When internal hosts access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20–192.168.0.254 range.


Three Interfaces with NAT

Topology (recovered from the slide diagram):
• Internet, reached through the pod perimeter router at 192.168.0.1 on 192.168.0.0/24
• PIX e0 outside, 192.168.0.2, security level 0
• PIX e1 inside, 10.0.0.1, security level 100; inside host (web and FTP server) at 10.0.0.3 on 10.0.0.0/24
• PIX e2 dmz, 172.16.0.1, security level 50; bastion host (web and FTP server) at 172.16.0.2 on 172.16.0.0/24
• Backbone, web, FTP, and TFTP server at 172.26.26.50

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0

• Inside users can start outbound connections to both the DMZ and the Internet.
• The nat (dmz) command gives DMZ services access to the Internet.
• The global (dmz) command gives inside users access to the web server on the DMZ.
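The pairing rule behind the three bullets above (a nat statement on the higher-security interface, a global pool with the same nat_id on the lower-security interface, and no translation in the other direction) is easy to get wrong when a config grows. The following Python script is an added example, not Cisco's code or anything from these slides: it parses the slide's nat/global commands plus nameif lines assumed for the three interfaces, answers "which pool does this flow draw from?", and lists nat statements that have no matching global pool on some lower-security interface. The regular expressions only cover the PIX 6.x syntax shown on the slides (a netmask is required on nat lines), and the SAMPLE_CONFIG text is constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the three-interface nat/global commands from the slide,
# plus nameif lines assumed from the slide's topology (security levels 0/100/50).
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
"""

# PIX 6.x accepts both "sec50" and "security50" in nameif.
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+sec(?:urity)?(\d+)$")
# nat (if_name) nat_id local_ip netmask  (netmask required by this checker)
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)")
# global (if_name) nat_id pool   (pool is a range, one address, or "interface")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(\S+)")


def parse_config(text):
    """Collect security levels, nat statements and global pools from a config."""
    levels, nats, pools = {}, [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := NAT_RE.match(line):
            if_name, nat_id, local_ip, mask = m.groups()
            # 0.0.0.0 0.0.0.0 becomes 0.0.0.0/0, i.e. every source address
            network = ipaddress.ip_network(f"{local_ip}/{mask}", strict=False)
            nats.append((if_name, int(nat_id), network))
        elif m := GLOBAL_RE.match(line):
            pools[(m.group(1), int(m.group(2)))] = m.group(3)
    return levels, nats, pools


def translation_for(levels, nats, pools, src_if, dst_if, src_ip):
    """Pool a connection from src_ip (on src_if) towards dst_if draws from.

    Returns None when the PIX would not translate the flow: the source
    interface is not more secure than the destination (nat/global only covers
    outbound, high-to-low traffic), no nat statement on src_if covers src_ip,
    or there is no global pool with the same nat_id on dst_if.
    """
    if src_if not in levels or dst_if not in levels:
        return None
    if levels[src_if] <= levels[dst_if]:
        return None
    ip = ipaddress.ip_address(src_ip)
    for if_name, nat_id, network in nats:
        if if_name == src_if and ip in network:
            return pools.get((dst_if, nat_id))
    return None


def unreachable_pairs(levels, nats, pools):
    """(src_if, dst_if) pairs where a nat statement has no global pool on the
    lower-security side, so hosts behind src_if cannot reach dst_if outbound."""
    missing = set()
    for src_if, nat_id, _ in nats:
        for dst_if, dst_level in levels.items():
            if dst_level < levels.get(src_if, -1) and (dst_if, nat_id) not in pools:
                missing.add((src_if, dst_if))
    return sorted(missing)


LEVELS, NATS, POOLS = parse_config(SAMPLE_CONFIG)


def lookup(src_if, dst_if, src_ip):
    """Convenience wrapper over the parsed sample configuration."""
    return translation_for(LEVELS, NATS, POOLS, src_if, dst_if, src_ip)


if __name__ == "__main__":
    for flow in (("inside", "outside", "10.0.0.3"), ("inside", "dmz", "10.0.0.3"),
                 ("dmz", "outside", "172.16.0.2"), ("dmz", "inside", "172.16.0.2")):
        print(flow, "->", lookup(*flow))
    print("nat without a matching global:", unreachable_pairs(LEVELS, NATS, POOLS))
```

Running it shows inside hosts drawing from the outside pool or the DMZ pool depending on the destination interface, DMZ hosts drawing only from the outside pool, and no pool at all for dmz-to-inside, which is the low-to-high direction that nat/global never opens. Removing the global (dmz) line from the sample makes unreachable_pairs report ("inside", "dmz").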


Command 6: route

pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]
• The route command defines a static or default route for an interface.

pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1



New 6.3 Feature

VLAN Support (802.1Q Tagging)



PIX VLAN Support
• Supports IEEE 802.1Q encapsulation for trunking and tagging of VLAN traffic
• Supports inter-VLAN communication, but not intra-VLAN communication
• Does not support bridging, dynamic VLAN registration protocols, or EtherChannel
• Supported on all PIX adapters except the Intel 82557 adapter, which does not understand frame sizes greater than 1500 bytes



Number of VLANs Supported
VLAN Feature with Restricted License

| Platform  | Maximum Physical Interfaces | Maximum Interfaces (Physical + Logical) |
| 501       | 2                           | Not supported                           |
| 506       | 2                           | Not supported                           |
| 515E      | 3                           | 3                                       |
| 525 (520) | 6                           | 6 (4)                                   |
| 535       | 6                           | 8                                       |


Number of VLANs Supported
VLAN Feature with Unrestricted License

| Platform  | Maximum Physical Interfaces | Maximum Interfaces (Physical + Logical) |
| 501       | 2                           | Not supported                           |
| 506       | 2                           | Not supported                           |
| 515E      | 6                           | 8                                       |
| 525 (520) | 8                           | 10                                      |
| 535       | 10                          | 22                                      |


Logical Interface

Logical interfaces have been added to support the VLAN feature:
• Multiple logical IP interfaces per physical interface.
• Layer 3 attributes such as IP addressing and security levels can be configured on each logical interface.
• Layer 2 attributes such as MTU and failover are available only on the physical interface.



Creating a Logical Interface
Create a logical interface for the VLAN, or add the VLAN to a physical interface:
interface ethernet0 vlan10 [physical | logical]
• physical: permanent interface.
• interface ethernet0 vlan10 physical: assigns VLAN ID 10 to physical interface ethernet0, which can send and receive both tagged and untagged VLAN traffic.
• interface ethernet0 vlan10 logical: creates a new interface associated with ethernet0 and assigns VLAN ID 10 to it; it can send and receive only tagged traffic.
• An IP address can be assigned to each VLAN interface, and each has its own security level, so different security zones can be defined per VLAN interface.


VLAN Configuration Example
interface ethernet0 vlan100 physical
interface ethernet0 vlan200 logical
interface ethernet1 vlan300 logical

nameif vlan200 dmz2 security20
ip address dmz2 192.168.1.10 255.255.255.0
nameif vlan300 dmz3 security30
ip address dmz3 192.168.2.10 255.255.255.0
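Two things a reviewer wants to check on a VLAN configuration like this one: that the physical and logical interface counts stay within the platform and license limits from the tables above, and that every logical interface (each its own security zone) has been given a name with a security level and an IP address. The following Python script is an added example and not code from Cisco or from these slides: it encodes the two "Number of VLANs supported" tables as a lookup (platform keys such as "515E" and "525" are this example's naming, and the 520 figures are left out), parses the slide's configuration example, and reports any violation. The interface/nameif/ip address patterns only cover the PIX 6.3 syntax shown on the slides, and SAMPLE_CONFIG is constructed from the slide.

```python
import re

# Interface limits taken from the slides' two tables:
# (maximum physical interfaces, maximum physical + logical interfaces).
# None in the second position means the platform does not support logical
# VLAN interfaces at all.
VLAN_LIMITS = {
    "restricted": {"501": (2, None), "506": (2, None), "515E": (3, 3),
                   "525": (6, 6), "535": (6, 8)},
    "unrestricted": {"501": (2, None), "506": (2, None), "515E": (6, 8),
                     "525": (8, 10), "535": (10, 22)},
}

# Matches "interface ethernet0 auto", "interface ethernet0 vlan100 physical"
# and "interface ethernet0 vlan200 logical".
IFACE_RE = re.compile(
    r"^interface\s+(ethernet\d+)\s+(?:(vlan\d+)\s+(physical|logical)|\S+)$")
NAMEIF_RE = re.compile(r"^nameif\s+(\S+)\s+(\S+)\s+sec(?:urity)?(\d+)$")
IPADDR_RE = re.compile(r"^ip\s+address\s+(\S+)\s+\S+\s+\S+$")

# Constructed sample: the VLAN configuration example from the slide.
SAMPLE_CONFIG = """
interface ethernet0 vlan100 physical
interface ethernet0 vlan200 logical
interface ethernet1 vlan300 logical
nameif vlan200 dmz2 security20
ip address dmz2 192.168.1.10 255.255.255.0
nameif vlan300 dmz3 security30
ip address dmz3 192.168.2.10 255.255.255.0
"""


def audit_vlans(config, platform, license_type):
    """Return a list of finding strings; an empty list means no problems found."""
    max_physical, max_total = VLAN_LIMITS[license_type][platform]
    physical, logical, names, addressed = set(), {}, {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            hw_id, vlan, kind = m.groups()
            physical.add(hw_id)          # a physical port counts once, however many VLANs
            if kind == "logical":
                logical[vlan] = hw_id    # vlanNNN -> parent physical interface
        elif m := NAMEIF_RE.match(line):
            names[m.group(1)] = (m.group(2), int(m.group(3)))
        elif m := IPADDR_RE.match(line):
            addressed.add(m.group(1))

    findings = []
    if len(physical) > max_physical:
        findings.append(f"TOO_MANY_PHYSICAL: {len(physical)} > {max_physical}")
    if logical and max_total is None:
        findings.append(f"VLAN_UNSUPPORTED: platform {platform} has no logical interfaces")
    elif max_total is not None and len(physical) + len(logical) > max_total:
        findings.append(f"TOO_MANY_INTERFACES: {len(physical) + len(logical)} > {max_total}")
    # Each logical interface is its own security zone, so it needs a name with
    # a security level and an address before it can carry traffic.
    for vlan in logical:
        if vlan not in names:
            findings.append(f"NO_NAMEIF: {vlan}")
        elif names[vlan][0] not in addressed:
            findings.append(f"NO_IP_ADDRESS: {vlan} ({names[vlan][0]})")
    return findings


if __name__ == "__main__":
    for platform, lic in (("515E", "unrestricted"), ("515E", "restricted"), ("501", "restricted")):
        print(platform, lic, "->", audit_vlans(SAMPLE_CONFIG, platform, lic))
```

The slide's example uses two physical ports and two logical interfaces (four in total), which fits a 515E with the unrestricted license but exceeds the restricted-license limit of three, and is rejected outright on a 501, where logical interfaces are not supported. Dropping one of the ip address lines from the sample produces a NO_IP_ADDRESS finding for the corresponding VLAN.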



Syslog Messages



Syslog Messages
The PIX Firewall sends syslog messages to either:
- An internal buffer
- A syslog server
Syslog documents the following events:
• Security
• Resources
• System
• Accounting
