Cisco PIX Firewall
John Joo
APAC Channels Technical Operations
© 2002, Cisco Systems, Inc. All rights reserved.
PIX Advanced
PIX Technical Development Program Agenda
• Product Review
• Six Primary Commands
• VLAN Support
• Syslog Configuration
• Access Control Lists
• Java and Active X filtering
• URL Filtering
• Fixup Protocols
PIX Technical Development Program Agenda
• Attack Guards
• IDS
• Failover
• VPNs
• System Maintenance
• OSPF
• PDM 3.0
• Lab Instructions
PIX Firewall—Review
Stateful firewall with high security and fast performance
• Secure, real-time, embedded operating system—no UNIX or NT security holes
• Adaptive security algorithm provides stateful security
• Cut-through proxy for authentication eliminates application-layer bottlenecks
• Easy management through CLI or PDM GUI
PIX Firewall Family Lineup
(Chart on the original slide: price on the vertical axis, functionality on the horizontal axis)
• PIX 501 — SOHO
• PIX 506E — ROBO
• PIX 515E — SMB
• PIX 525 — Enterprise
• PIX 535 and Catalyst 6500 Firewall Services Module — Enterprise/SP
• Gigabit Ethernet on the upper end of the lineup
PIX Firewall Product Line Overview
GigE Enabled

Model            | 501                 | 506E      | 515E-UR   | 525-UR     | 535-UR
Market           | SOHO                | ROBO      | SMB       | Enterprise | Ent.+, SP
MSRP             | $595 or $845        | $1,395    | $7,495    | $13,995    | $37,995
Licensed Users   | 10, 50 or Unlimited | Unlimited | Unlimited | Unlimited  | Unlimited
Max VPN Peers    | 10                  | 25        | 2,000     | 2,000      | 2,000
Size (RU)        | <1                  | 1         | 1         | 2          | 3
Processor (MHz)  | 133                 | 300       | 433       | 600        | 1 GHz
RAM (MB)         | 16                  | 32        | 64        | 256        | 1 GB
Max. Interfaces  | 1 10BT + 4 FE       | 2 10BaseT | 6         | 8          | 10
Failover         | No                  | No        | Yes       | Yes        | Yes
Cleartext (Mbps) | 10                  | 20        | 188       | 360        | 1.7 Gbps
3DES (Mbps)      | 3                   | 16        | 63        | 70         | 95
Multi-Gigabit Firewall Module
NEW: Multi-Gigabit Firewall Acceleration Module for securing enterprise campus, data center and SP networks
Applications
• Enterprise campus/WAN perimeter security
• Data center security
• Service provider edge security services
High performance
• 3 Mpps (5 Gbps) packet processing performance
• 100,000 connections per second; 1 million sessions per second for HTTP and DNS
• VLANs, DMZ, dynamic routing, failover capabilities
• Multiple blades per chassis supported
The Six Primary Commands (Review)
PIX Firewall Primary Commands
There are six primary configuration commands for the PIX Firewall:
• nameif
• interface
• ip address
• nat
• global
• route
Command 1: nameif
pixfirewall(config)# nameif hardware_id if_name security_level
• The nameif command assigns a name to each perimeter interface on the PIX Firewall and specifies its security level.
pixfirewall(config)# nameif ethernet2 dmz sec50
Command 2: interface
pixfirewall(config)# interface hardware_id hardware_speed
• The interface command configures the type and capability of each perimeter interface.
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 10
pixfirewall(config)# interface ethernet2 100
Command 3: ip address
pixfirewall(config)# ip address if_name ip_address [netmask]
• The ip address command assigns an IP address to each interface.
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
Command 4: nat
pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]
• The nat command shields IP addresses on the inside network from the outside network.
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Command 5: global
pixfirewall(config)# global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
• Works with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
• When internal hosts access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20–192.168.0.254 range
Three Interfaces with NAT
(Topology diagram on the original slide)
• Internet; pod perimeter router .1 on 192.168.0.0/24
• PIX Firewall e0 outside .2 on 192.168.0.0/24, security level 0
• PIX Firewall e1 inside .1 on 10.0.0.0/24, security level 100; inside host .3 (web and FTP server)
• PIX Firewall e2 dmz .1 on 172.16.0.0/24, security level 50; bastion host .2 (web and FTP server)
• Backbone, web, FTP, and TFTP server: 172.26.26.50
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
• Inside users can start outbound connections to both the DMZ and the Internet.
• The nat (dmz) command gives DMZ services access to the Internet.
• The global (dmz) command gives inside users access to the web server on the DMZ.
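An added example, not code from the slides or from Cisco: it parses the nat/global commands above, together with nameif lines constructed from the security levels shown in the diagram, and derives which outbound translated paths the configuration allows. A path exists only when a nat entry on the more-secure interface and a global entry on the less-secure interface share the same nat_id, which is exactly why the three bullets above hold and why dropping global (dmz) would cut inside users off from the DMZ web server.

```python
import re

# Constructed sample: nameif lines reflect the diagram's security levels;
# the nat/global lines are the slide's own commands.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
"""

# nameif accepts both "security50" and "sec50"; nat/global tolerate "nat(inside)".
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+(?:security|sec)(\d+)$")
NAT_RE = re.compile(r"^nat\s*\((\S+)\)\s+(\d+)\s+(\S+)(?:\s+(\S+))?")
GLOBAL_RE = re.compile(r"^global\s*\((\S+)\)\s+(\d+)\s+(\S+)")


def parse_config(text):
    """Return (security levels by if_name, nat_id -> source interfaces,
    nat_id -> interfaces holding a global pool)."""
    levels, nats, globals_ = {}, {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := NAT_RE.match(line):
            nats.setdefault(int(m.group(2)), set()).add(m.group(1))
        elif m := GLOBAL_RE.match(line):
            globals_.setdefault(int(m.group(2)), set()).add(m.group(1))
    return levels, nats, globals_


def outbound_paths(text):
    """Sorted (source, destination) pairs for which hosts behind `source` can
    start translated outbound connections toward `destination`: the pair must
    share a nat_id and the source must have the higher security level."""
    levels, nats, globals_ = parse_config(text)
    paths = set()
    for nat_id, sources in nats.items():
        for src in sources:
            for dst in globals_.get(nat_id, ()):
                if src in levels and dst in levels and src != dst \
                        and levels[src] > levels[dst]:
                    paths.add((src, dst))
    return sorted(paths)


if __name__ == "__main__":
    for src, dst in outbound_paths(SAMPLE_CONFIG):
        print(f"{src} -> {dst}")
```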
Command 6: route
pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]
• The route command defines a static or default route for an interface.
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
New 6.3 Feature: VLAN Support (802.1Q tagging)
PIX VLAN Support
Supports IEEE 802.1Q encapsulation for trunking and tagging of VLAN traffic
Supports inter-VLAN communication (routed through the firewall); does not support intra-VLAN communication
Does not support bridging, dynamic VLAN registration protocols, or EtherChannel
Supported on all PIX adapters except the Intel 82557, which cannot handle frame sizes greater than 1500 bytes
Number of VLANs supported
VLAN Feature with Restricted License
Platform  | Max. physical interfaces | Max. interfaces (physical + logical)
501       | 2                        | Not supported
506       | 2                        | Not supported
515E      | 3                        | 3
525 (520) | 6                        | 6 (4)
535       | 6                        | 8
Number of VLANs supported
VLAN Feature with Unrestricted License
Platform  | Max. physical interfaces | Max. interfaces (physical + logical)
501       | 2                        | Not supported
506       | 2                        | Not supported
515E      | 6                        | 8
525 (520) | 8                        | 10
535       | 10                       | 22
Logical Interface
Logical interfaces have been added to support the VLAN feature.
Multiple logical IP interfaces per physical interface.
Layer 3 attributes such as IP addressing and security levels can be configured on each logical interface.
Layer 2 attributes such as MTU and failover are available only on the physical interface.
Creating a Logical Interface
A VLAN is either assigned to a physical interface or given its own logical interface.
interface ethernet0 vlan10 [physical | logical]
physical: permanent interface.
interface ethernet0 vlan10 physical: assigns VLAN ID 10 to physical interface ethernet0. The interface can send and receive both tagged and untagged VLAN traffic.
interface ethernet0 vlan10 logical: creates a new interface associated with ethernet0 and assigns VLAN ID 10 to it. The interface can send and receive only tagged traffic.
An IP address can be assigned to each VLAN interface, and each has its own security level.
Different security zones can be defined with VLAN interfaces.
VLAN Configuration Example
interface ethernet0 vlan100 physical
interface ethernet0 vlan200 logical
interface ethernet1 vlan300 logical
nameif vlan200 dmz2 security20
ip address dmz2 192.168.1.10 255.255.255.0
nameif vlan300 dmz3 security30
ip address dmz3 192.168.2.10 255.255.255.0
Syslog Messages
Syslog Messages
The PIX Firewall sends Syslog messages to either:
- An internal buffer
- A Syslog server
Syslog documents the following events:
• Security
• Resources
• System
• Accounting