© 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall


PIX Firewall


What Is a Firewall?

A firewall is a system or group of systems that manages access between two networks.


Firewall Technologies

Firewall operations are based on one of three technologies:

• Packet filtering

• Proxy server

• Stateful packet filtering


Packet Filtering

Limits information into a network based on the destination and source address (and, in practice, protocol and port) of each packet, using an ACL. Each packet is judged on its own; the filter keeps no memory of earlier packets.


Proxy Server

Requests connections on behalf of a client on the inside of the firewall to the outside: the proxy terminates the client's connection and opens its own connection to the destination, so the two end systems never talk to each other directly.


Stateful Packet Filtering

Limits information into a network based not only on destination and source address, but also on the state of the session the packet belongs to (whether it is part of a connection the firewall has already seen) and, for inspected protocols, on packet data content.


PIX Firewall—What Is it?

• Stateful firewall with high security and fast performance

• Adaptive security algorithm provides stateful security

• Cut-through proxy eliminates application-layer bottlenecks

• Secure, real-time, embedded operating system   


Adaptive Security Algorithm

• Provides “stateful” connection control through the PIX Firewall

• Tracks source and destination ports and addresses, TCP sequences, and additional TCP flags

• TCP sequence numbers are randomized to minimize the risk of attack

• Tracks UDP and TCP session state

• Connections allowed out create state that lets the return traffic of that session back in (for TCP, the replies carrying the ACK bit); inbound packets with no matching state are dropped


ASA Security Level Example

Figure: a PIX Firewall with three interfaces between the Internet, a perimeter network and the inside network:

• e0: security level 0, interface name = outside (Internet)

• e2: security level 50, interface name = pix/intf2 (perimeter network)

• e1: security level 100, interface name = inside (inside network)

Traffic may flow by default from a higher security level to a lower one; the reverse direction requires explicit permission.


Cut-Through Proxy Operation

Authenticates once at the application layer (OSI Layer 7) for each supported service

Connection is passed back to the PIX Firewall high-performance ASA engine, while maintaining session state

Figure: internal/external user, PIX Firewall, CiscoSecure (RADIUS or TACACS+) server and IS resource.

1. The user makes a request to an IS resource.

2. The PIX Firewall intercepts the connection.

3. The PIX Firewall prompts the user for a username and password, authenticates the user, and checks the security policy on a RADIUS or TACACS+ server.

4. The PIX Firewall initiates a connection from the PIX Firewall to the destination IS resource.

5. The PIX Firewall directly connects the internal or external user to the IS resource via ASA.

(The figure shows the browser prompt "PIX Firewall: Username and Password Required. Enter username for CCO at www.com", filled in with the sample user student and password 123@456.)


Stateful Failover

Figure: primary and secondary PIX Firewalls joined by a failover cable, with matching interfaces on each network:

• e0 on 192.168.0.0/24: primary .2, secondary .7; perimeter router .1, with the backbone web, FTP and TFTP server 172.26.26.50 (172.26.26.0/24) beyond it toward the Internet

• e1 on 10.0.0.0/24 (inside): primary .1, secondary .7; inside host .3

• e2 on 172.16.0.0/24 (DMZ): primary .1, secondary .7; DMZ host .2

• e3 on 172.17.0.0/24: primary .1, secondary .7


Summary

• There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering.

• The PIX Firewall features include a secure operating system, the Adaptive Security Algorithm, cut-through proxy, stateful failover, and stateful packet filtering.

PIX Command Line Interface


Access Modes

The PIX Firewall has four administrative access modes:

• Unprivileged mode

• Privileged mode

• Configuration mode

• Monitor mode


enable Command

pixfirewall> enable

• Enables you to enter different access modes: enable moves from unprivileged to privileged mode, configure terminal from privileged to configuration mode, and exit steps back down one level.

pixfirewall> enable
password:
pixfirewall# configure terminal
pixfirewall(config)# exit
pixfirewall#


enable password and passwd Commands

pixfirewall# enable password password

pixfirewall# passwd password

• The enable password command is used to control access to the privileged mode.

• The passwd command is used to set a Telnet password.

• Set both before the firewall carries traffic: the factory defaults (no enable password, Telnet password cisco) must not survive into production.


hostname and ping Commands

• hostname command

pixfirewall(config)# hostname newname

pixfirewall(config)# hostname proteus
proteus(config)# hostname pixfirewall

• ping command

pixfirewall(config)# ping [if_name] ip_address

pixfirewall(config)# ping 10.0.0.3
10.0.0.3 response received -- 0Ms
10.0.0.3 response received -- 0Ms
10.0.0.3 response received -- 0Ms


write Commands

The following are the write commands:

• write net

• write erase

• write floppy

• write memory

• write standby

• write terminal


show Commands

The following are show commands (enter show ? for the full list):

• show history

• show memory

• show version

• show xlate

• show cpu usage

• show interface

• show ip address

PIX Configuration Commands


Six Primary Configuration Commands

• nameif

• interface

• ip address

• nat

• global

• route


nameif Command

pixfirewall(config)# nameif hardware_id if_name security_level

• The nameif command assigns a name to each interface on the PIX Firewall and specifies its security level.

pixfirewall(config)# nameif ethernet2 dmz sec50


interface Command

pixfirewall(config)# interface hardware_id hardware_speed

• The interface command configures the speed and duplex.

pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full

• The outside and inside interfaces are set for 100 Mbps Ethernet full-duplex communication.


ip address Command

pixfirewall(config)# ip address if_name ip_address [netmask]

• The ip address command assigns an IP address to each interface.

pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0

PIX Firewall Translations


Sessions in an IP World

In an IP world, a network session is a transaction between two end systems. It is carried out over one of two transport layer protocols:

• TCP (Transmission Control Protocol)

• UDP (User Datagram Protocol)


TCP

• TCP is a connection-oriented, reliable-delivery, robust, and high performance transport layer protocol.

• TCP features

– Sequencing and acknowledgement of data

– A defined state machine (open connection, data flow, retransmit, close connection)

– Congestion management and avoidance mechanisms


TCP Initialization—Inside to Outside

Figure: inside host 10.0.0.3 (private network) opens a Telnet session to 172.30.0.50 (public network) through the PIX Firewall, which translates 10.0.0.3 to 192.168.0.20 and randomizes the initial sequence number (49091 on the inside becomes 49769 on the outside).

The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created and the embryonic (half-open) connection counter is started.

The PIX Firewall follows the Adaptive Security Algorithm:

• (Src IP, Src Port, Dest IP, Dest Port) check

• Sequence number check

• Translation check

If the code bits of the reply are not SYN-ACK, the PIX Firewall drops the packet.

IP and TCP header fields of the first two packets (no data is carried yet):

#  Side     Source addr   Dest addr     Src port  Dest port  Initial seq #  Flag     Ack
1  private  10.0.0.3      172.30.0.50   1026      23         49091          Syn      -
2  public   192.168.0.20  172.30.0.50   1026      23         49769          Syn      -
3  public   172.30.0.50   192.168.0.20  23        1026       92513          Syn-Ack  49770
4  private  172.30.0.50   10.0.0.3      23        1026       92513          Syn-Ack  49092


TCP Initialization—Inside to Outside (cont.)

Figure: the inside host's ACK completes the handshake. The PIX Firewall strictly follows the Adaptive Security Algorithm, resets the embryonic counter for this client, increments the connection counter for this host, and data flows.

IP and TCP header fields of the third packet:

#  Side     Source addr   Dest addr     Src port  Dest port  Seq #  Flag  Ack
5  private  10.0.0.3      172.30.0.50   1026      23         49092  Ack   92514
6  public   192.168.0.20  172.30.0.50   1026      23         49770  Ack   92514


UDP

• Connectionless protocol

• Efficient protocol for some services

• Resourceful but difficult to secure: there is no handshake and no sequence number, so a firewall cannot tell a genuine reply from a spoofed datagram that matches the same addresses and ports; it can only hold a short-lived slot for the expected reply and time it out


UDP (cont.)

Figure: inside host 10.0.0.3 (private network) sends a UDP datagram from port 1028 to port 45000 on 172.30.0.50 (public network); the PIX Firewall translates the source to 192.168.0.20 and the reply returns along the same slot.

The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.

The PIX Firewall follows the Adaptive Security Algorithm:

• (Src IP, Src Port, Dest IP, Dest Port) check

• Translation check

IP and UDP header fields:

#  Side     Source addr   Dest addr     Src port  Dest port
1  private  10.0.0.3      172.30.0.50   1028      45000
2  public   192.168.0.20  172.30.0.50   1028      45000
3  public   172.30.0.50   192.168.0.20  45000     1028
4  private  172.30.0.50   10.0.0.3      45000     1028

Return UDP traffic is accepted from the outside only if it matches the connection slot and arrives within the user-configurable UDP idle timeout (default 2 minutes); with no handshake to verify, this match plus the timeout is the whole check.
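The handshake and the UDP exchange described on the TCP Initialization and UDP slides above, as an added example (not Cisco code and not part of the original course): a small model of the ASA's connection tracking. It is simplified on purpose: the packet layout, the xlate and conn tables, the way the randomized ISN offset is stored and the UDP timeout handling are this example's own assumptions, and the addresses are the slides' (10.0.0.3 translated to 192.168.0.20, peer 172.30.0.50). It shows what the slides only state: an unsolicited inbound SYN has no slot and is dropped, a SYN-ACK that does not acknowledge the randomized ISN is dropped, the ack number is mapped back into the host's own sequence space, and a UDP reply slot dies after the idle timeout.

```python
"""Model of the PIX ASA connection tracking from the TCP Initialization and UDP
slides. Added example, not Cisco code; see the lead-in for the assumptions."""
from dataclasses import dataclass
import random

UDP_TIMEOUT = 120.0   # PIX default UDP idle timeout (2 minutes) from the slide
MOD = 2 ** 32         # TCP sequence numbers wrap at 32 bits


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""     # "SYN", "SYN-ACK" or "ACK" for TCP
    seq: int = 0
    ack: int = 0


@dataclass
class Conn:
    state: str              # "embryonic", "established" or "udp"
    local: str              # inside host behind the translation
    isn_delta: int = 0      # randomized ISN minus the host's real ISN (TCP)
    expect_ack: int = 0     # ack the SYN-ACK must carry: randomized ISN + 1
    last_seen: float = 0.0  # for the UDP idle timeout


class PixASA:
    def __init__(self, global_pool, rng=None):
        self.pool = list(global_pool)   # free addresses from the global command
        self.xlate = {}                 # local ip -> global ip (translation slots)
        self.conns = {}                 # (gip, gport, fip, fport, proto) -> Conn
        self.embryonic = {}             # local ip -> half-open connections
        self.established = {}           # local ip -> completed connections
        self.rng = rng or random.Random()

    def _xlate(self, local):
        # Step 1 on the slide: find a translation slot, or create one if the pool allows.
        if local not in self.xlate and self.pool:
            self.xlate[local] = self.pool.pop(0)
        return self.xlate.get(local)

    def outbound(self, pkt, now=0.0):
        """Packet from the inside. Returns it as sent outside, or None if dropped."""
        gip = self._xlate(pkt.src)
        if gip is None:
            return None                                 # no xlate: no connection
        key = (gip, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        conn = self.conns.get(key)
        out = Packet(pkt.proto, gip, pkt.dst, pkt.sport, pkt.dport,
                     pkt.flags, pkt.seq, pkt.ack)
        if pkt.proto == "udp":
            conn = conn or self.conns.setdefault(key, Conn("udp", pkt.src))
            conn.last_seen = now
            return out
        if conn is None:
            if pkt.flags != "SYN":
                return None                             # no slot and not a SYN: drop
            # New session: randomize the ISN and start the embryonic counter.
            isn = self.rng.randrange(1, MOD - 1)
            conn = self.conns[key] = Conn("embryonic", pkt.src,
                                          (isn - pkt.seq) % MOD, isn + 1)
            self.embryonic[pkt.src] = self.embryonic.get(pkt.src, 0) + 1
        elif conn.state == "embryonic" and pkt.flags == "ACK":
            # Third packet: embryonic counter back down, connection counter up.
            conn.state = "established"
            self.embryonic[pkt.src] -= 1
            self.established[pkt.src] = self.established.get(pkt.src, 0) + 1
        out.seq = (pkt.seq + conn.isn_delta) % MOD     # host ISN -> randomized ISN
        return out

    def inbound(self, pkt, now=0.0):
        """Packet from the outside. Returns it as delivered inside, or None if dropped."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        conn = self.conns.get(key)
        if conn is None:
            return None                                 # unsolicited: no slot, drop
        out = Packet(pkt.proto, pkt.src, conn.local, pkt.sport, pkt.dport,
                     pkt.flags, pkt.seq, pkt.ack)
        if pkt.proto == "udp":
            if now - conn.last_seen > UDP_TIMEOUT:
                del self.conns[key]                     # idle too long: slot expired
                return None
            conn.last_seen = now
            return out
        if conn.state == "embryonic" and (pkt.flags != "SYN-ACK"
                                          or pkt.ack != conn.expect_ack):
            return None       #  a pending SYN is answered only by a SYN-ACK for our ISN
        out.ack = (pkt.ack - conn.isn_delta) % MOD     # randomized ISN -> host ISN
        return out


def demo():
    """Replay the slides' Telnet handshake (packets 1 to 6) through the model."""
    pix = PixASA(["192.168.0.20", "192.168.0.21"], rng=random.Random(7))
    syn = pix.outbound(Packet("tcp", "10.0.0.3", "172.30.0.50", 1026, 23, "SYN", seq=49091))
    synack = pix.inbound(Packet("tcp", "172.30.0.50", "192.168.0.20", 23, 1026,
                                "SYN-ACK", seq=92513, ack=syn.seq + 1))
    ack = pix.outbound(Packet("tcp", "10.0.0.3", "172.30.0.50", 1026, 23,
                              "ACK", seq=49092, ack=92514))
    return pix, syn, synack, ack
```

The real ASA also checks that sequence numbers fall inside the window of an established connection; the model keeps only the ISN check from the handshake, which is the part the slides describe.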


Static Translations

Figure: DNS server 10.0.0.10 on the inside, PIX Firewall (inside 10.0.0.1, outside 192.168.0.2), perimeter router 192.168.0.1, Internet.

pixfirewall(config)# static (inside,outside) 192.168.0.18 10.0.0.10

• Packet from 10.0.0.10 has source address of 192.168.0.18

• Permanently maps a single IP address

• Recommended for internal service hosts like a DNS server


Dynamic Translations

Figure: inside host 10.0.0.3, PIX Firewall (inside 10.0.0.1, outside 192.168.0.2), perimeter router 192.168.0.1, Internet; global pool 192.168.0.20-192.168.0.254.

• Configures dynamic translations

– nat (inside) 1 0.0.0.0 0.0.0.0

– global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0


Connections vs. Translations

• Translations—xlate

– IP address to IP address translation

– 65,536 translations supported

• Connections—conns

– TCP or UDP sessions (many connections can be bound to one translation)


xlate Command

pixfirewall(config)# clear xlate [global_ip [local_ip]]

• The clear xlate command clears the contents of the translation slots. Connections bound to a cleared slot are torn down with it, so use it after changing nat, global or static statements (which otherwise apply only to new translations), not casually on a production firewall.


Summary

• The PIX Firewall manages the TCP and UDP protocols through the use of a translation table.

• Static translations assign a permanent global IP address to an inside host. Dynamic mapping between local and global addresses is done with the nat and global commands.

• Dynamic translations use NAT for local clients and their outbound connections and hide the client address from others on the Internet.


NAT Terminology When Using the PIX

– an inside (or local) network is the network from which we translate addresses (local addresses)

– an outside (or global) network is the network to which we translate local addresses, which become global addresses

– a translation is a one-to-one mapped pair of (local, global) IP addresses


– a translation slot (xlate slot)is a software structure inside PIX/OS used to describe active translations

– a connection slot is a software structure inside PIX/OS describing an active connection (many connection slots can be bound to a translation slot)

– the translation table (xlate table) is the software structure inside PIX/OS containing all active translation and connection slot objects


NAT Example

Figure: host 10.0.0.3 on the inside opens a Telnet session to 200.200.200.10 on the Internet; the PIX Firewall replaces the inside local source address with an address from the global pool.

Side     Source addr   Dest addr       Src port  Dest port
inside   10.0.0.3      200.200.200.10  49090     23
outside  192.168.0.20  200.200.200.10  49090     23

Inside local IP addresses: 10.0.0.3, 10.0.0.4
Global IP pool: 192.168.0.20, 192.168.0.21

Translation table: 10.0.0.3 <-> 192.168.0.20


nat Command

pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]

• The nat command defines which addresses can be translated.

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0


global Command

pixfirewall(config)# global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface

• Works with the nat command to assign a registered or public IP address to an internal host with the same nat_id.

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254

• When internal hosts access the outside network through the firewall, they are assigned addresses from the 192.168.0.20–192.168.0.254 range.


Two Interfaces with NAT (Multiple Internal Networks)

Figure: PIX Firewall with e0 outside 192.168.0.2 (security level 0) on 192.168.0.0/24 toward the pod perimeter router .1 and the backbone web, FTP and TFTP server 172.26.26.50 on the Internet side, and e1 inside 10.0.0.1 (security level 100) serving both 10.0.0.0/24 and 10.1.0.0/24.

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.1.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.1-192.168.0.14 netmask 255.255.255.240
pixfirewall(config)# global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.240

• Use separate nat_ids to assign different global address pools.

• The netmask in the nat and global commands does not define a range of hosts (the range is written out explicitly); it is the subnet mask that applies to each address in the statement.


Three Interfaces with NAT

Figure: PIX Firewall with e0 outside 192.168.0.2 (security level 0) toward the pod perimeter router 192.168.0.1 and the backbone web, FTP and TFTP server 172.26.26.50; e1 inside 10.0.0.1 (security level 100) on 10.0.0.0/24 with an inside host, and web and FTP server, at .3; e2 dmz 172.16.0.1 (security level 50) on 172.16.0.0/24 with a bastion host, and web and FTP server, at .2.

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0

• Inside users can start outbound connections to both the DMZ and the Internet.

• DMZ users can start outbound connections to the Internet.


Port Address Translation

Figure: two inside hosts open Telnet sessions to 172.30.0.50 on the Internet from the same source port; the PAT global address 192.168.0.15 carries both, distinguished by the translated source port.

Side     Source addr   Dest addr    Src port  Dest port
inside   10.0.0.2      172.30.0.50  49090     23
outside  192.168.0.15  172.30.0.50  2000      23
inside   10.0.0.3      172.30.0.50  49090     23
outside  192.168.0.15  172.30.0.50  2001      23


PAT Example

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0

• Assign a single IP address (192.168.0.9) as a global pool

• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.9 for outgoing access

• Source port changes to a unique number greater than 1024

Figure: Sales (10.0.1.0) and Engineering (10.0.2.0) networks and Information Systems behind the PIX Firewall (inside 10.0.0.1, outside 192.168.0.2), bastion host 172.16.0.2, perimeter router 192.168.0.1.


PAT Using Outside Interface Address

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 interface

Figure: Sales (10.0.1.0) and Engineering (10.0.2.0) networks and Information Systems behind the PIX Firewall (inside 10.0.0.1, outside 192.168.0.2), bastion host 172.16.0.2, perimeter router 192.168.0.1.

• Use the interface option to enable use of the outside interface IP address as the PAT address.

• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.2 for outgoing access.

• The source port is changed to a unique number greater than 1024.


Augmenting a Global Pool with PAT

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.19 netmask 255.255.255.0

Figure: Sales (10.0.1.0) and Engineering (10.0.2.0) networks and Information Systems behind the PIX Firewall (inside 10.0.0.1, outside 192.168.0.2), bastion host 172.16.0.2, perimeter router 192.168.0.1.

• When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20-192.168.0.254 range.

• When the addresses from the global pool are exhausted, PAT begins on 192.168.0.19.

• Make sure the PAT address is not part of the global pool.
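The nat/global behaviour from the Dynamic Translations, global, Two Interfaces, PAT and "Augmenting a Global Pool with PAT" slides, as an added example (not Cisco code and not part of the course): a translator that takes nat and global statements and hands out translations the way the slides describe. The lookup order (matching nat statement by most specific network, one-to-one pool addresses first, then the single PAT address), the PAT source-port counter starting at 1025 and the refusal of a PAT address that sits inside the pool are this example's assumptions; the configuration in `demo()` is the augmenting-slide config with the pool shortened to two addresses so that exhaustion can be shown.

```python
"""Model of PIX nat/global dynamic translation and PAT. Added example, not
Cisco code; the assumptions are listed in the lead-in."""
import ipaddress


class Translator:
    def __init__(self, interface_ips):
        self.iface_ip = dict(interface_ips)  # if_name -> ip, for "global ... interface"
        self.nat_rules = []                  # (if_name, nat_id, local network)
        self.pools = {}                      # (if_name, nat_id) -> free one-to-one addresses
        self.pat_addr = {}                   # (if_name, nat_id) -> single PAT address
        self.xlate = {}                      # (local ip, out_if) -> global ip
        self.pat_xlate = {}                  # (local ip, local port, out_if) -> (ip, port)
        self.next_port = {}                  # pat ip -> next translated source port

    def nat(self, if_name, nat_id, local_ip, netmask):
        """nat (if_name) nat_id local_ip netmask: which local addresses may translate."""
        net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
        self.nat_rules.append((if_name, nat_id, net))

    def global_(self, if_name, nat_id, spec):
        """global (if_name) nat_id {ip[-ip] | interface}; netmask is omitted here."""
        key = (if_name, nat_id)
        if spec == "interface":
            spec = self.iface_ip[if_name]
        if "-" in spec:
            lo, hi = (int(ipaddress.ip_address(a)) for a in spec.split("-"))
            pool = self.pools.setdefault(key, [])
            pool.extend(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))
            return
        # A single address is a PAT address; the slide says it must not be in the pool.
        if spec in self.pools.get(key, []):
            raise ValueError(f"PAT address {spec} overlaps the global pool for nat_id {nat_id}")
        self.pat_addr[key] = spec

    def _nat_id_for(self, in_if, src_ip):
        ip = ipaddress.ip_address(src_ip)
        hits = [(net.prefixlen, nid) for i, nid, net in self.nat_rules if i == in_if and ip in net]
        return max(hits)[1] if hits else None   # most specific nat statement wins (assumed)

    def translate(self, in_if, out_if, src_ip, src_port):
        """(global ip, global port) for a flow leaving out_if, or None if it cannot translate."""
        nat_id = self._nat_id_for(in_if, src_ip)
        if nat_id is None:
            return None                         # not covered by any nat statement
        key = (out_if, nat_id)
        if (src_ip, out_if) in self.xlate:      # existing xlate slot: reuse it, port unchanged
            return self.xlate[(src_ip, out_if)], src_port
        if self.pools.get(key):                 # one-to-one address still free in the pool
            gip = self.pools[key].pop(0)
            self.xlate[(src_ip, out_if)] = gip
            return gip, src_port
        pat_ip = self.pat_addr.get(key)
        if pat_ip is None:
            return None                         # pool exhausted and no PAT address: drop
        pk = (src_ip, src_port, out_if)
        if pk not in self.pat_xlate:            # PAT: one address, unique port > 1024
            port = self.next_port.get(pat_ip, 1025)
            self.next_port[pat_ip] = port + 1
            self.pat_xlate[pk] = (pat_ip, port)
        return self.pat_xlate[pk]


def demo():
    """The augmenting-slide config (pool shortened to two addresses) plus a
    second nat_id that PATs on the outside interface address."""
    t = Translator({"outside": "192.168.0.2", "inside": "10.0.0.1"})
    t.nat("inside", 1, "10.0.0.0", "255.255.255.0")
    t.nat("inside", 2, "10.1.0.0", "255.255.255.0")
    t.global_("outside", 1, "192.168.0.20-192.168.0.21")   # shortened pool
    t.global_("outside", 1, "192.168.0.19")                # PAT address augmenting it
    t.global_("outside", 2, "interface")                   # PAT on 192.168.0.2
    return t
```

Hosts that never get a pool address share one PAT address and are told apart by the translated source port only, which is why the slides insist on a PAT address outside the pool: an address that is both a pool entry and the PAT address would be handed out twice.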


route Command

pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]

• The route command defines a static or default route for an interface.

pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1


Other Configuration Commands

• static

• conduit

• name

• fixup protocol


Statics and Conduits

Figure: outside interface (security 0) and inside interface (security 100).

• The static and conduit commands allow connections from a lower security interface to a higher security interface.

• The static command is used to create a permanent mapping between an inside IP address and a global IP address.

• The conduit command is an exception in the ASA's inbound security policy for a given host.


static Command

pixfirewall(config)# static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]

• Maps a local IP address to a global IP address

Figure: inside host 10.0.0.3, PIX Firewall (inside 10.0.0.1, outside 192.168.0.2), perimeter router 192.168.0.1.

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.3 netmask 255.255.255.255 0 1000

• Packet sent from 10.0.0.3 has a source address of 192.168.0.10

• Permanently maps a single IP address (external access)

• Recommended for internal service hosts

• In the example, max_conns 0 means no connection limit and em_limit 1000 caps the embryonic (half-open) connections to the host. norandomseq disables TCP sequence number randomization for the mapping; leave it off unless a protocol genuinely requires it.


conduit Command

pixfirewall(config)# conduit permit|deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]

• A conduit permits a specific IP address and TCP/UDP connection from the outside host to the inside host.

pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq ftp any

Figure: inside host 10.0.0.3, PIX Firewall (inside 10.0.0.1, outside 192.168.0.2), perimeter router 192.168.0.1.

• The conduit statement is backwards from an ACL: the global (translated) address and port come first and the foreign (outside) address second, whereas an ACL lists source before destination.

• any as the foreign address admits every outside host to the service; restrict it to the hosts that actually need access where that is possible.


Port Redirection

pixfirewall(config)# static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global_port local_ip local_port [netmask mask] [max_conns [emb_limit [norandomseq]]]

• Allows outside users to connect to a particular IP address or port and have the PIX redirect traffic to the appropriate inside server.

• The external user directs an HTTP port 8080 request to the PIX Firewall PAT address, 192.168.0.9. The PIX Firewall redirects this request to host 172.16.0.2 port 80.

pixfirewall(config)# static (inside,outside) tcp 192.168.0.9 8080 172.16.0.2 www netmask 255.255.255.255 0 0

Figure: http://192.168.0.9:8080 from the outside becomes http://172.16.0.2:80 on the web server 172.16.0.2.

• The static only creates the translation; the inbound connection still has to be permitted by a conduit (or access list) for 192.168.0.9 port 8080.


Conduit Example

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any

Figure: e0 outside .2 on 192.168.0.0/24 toward the Internet, e1 inside .1 on 10.0.0.0/24, e2 dmz .1 on 172.16.0.0/24 with the bastion host at .2.
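The inbound decision the Statics and Conduits, static, conduit, Port Redirection and Conduit Example slides describe, as an added example (not Cisco code and not part of the course): an evaluator that reads the slides' own nameif, static and conduit lines and answers, for a packet arriving on the outside, whether it is admitted and to which interface, host and port it is delivered. It supports only the forms the slides use (host, any and network/mask addresses, the eq operator, service names for the ports shown) and models the decision order as: a matching static first, then the security-level rule, then the first matching conduit, with deny as the default. The constructed `CONFIG` is the Conduit Example above with the port-redirection static and the conduit it needs added; the static is written (dmz,outside) because 172.16.0.2 is the DMZ host.

```python
"""Evaluator for PIX static + conduit inbound policy. Added example, not
Cisco code; supported syntax and decision order are in the lead-in."""
import ipaddress

SERVICES = {"www": 80, "http": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}


def _portnum(token):
    return int(token) if token.isdigit() else SERVICES[token]


def _addr(tokens):
    """Consume one conduit address spec: 'host A' | 'any' | 'A MASK'."""
    t = tokens.pop(0)
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def _port(tokens):
    """Consume an optional 'eq PORT'; return a predicate on the port number."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        want = _portnum(tokens.pop(0))
        return lambda p: p == want
    return lambda p: True


class InboundPolicy:
    def __init__(self, config):
        self.levels = {}    # if_name -> security level
        self.statics = []   # (hi_if, lo_if, proto|None, global_ip, global_port, local_ip, local_port)
        self.conduits = []  # (action, proto, global_net, global_port_ok, foreign_net, foreign_port_ok)
        for line in config.splitlines():
            tok = line.split()
            if not tok:
                continue
            if tok[0] == "nameif":
                self.levels[tok[2]] = int(tok[3][3:])          # "sec50" -> 50
            elif tok[0] == "static":
                hi, lo = tok[1].strip("()").split(",")
                if tok[2] in ("tcp", "udp"):                   # port redirection form
                    self.statics.append((hi, lo, tok[2], tok[3], _portnum(tok[4]),
                                         tok[5], _portnum(tok[6])))
                else:                                          # one-to-one form
                    self.statics.append((hi, lo, None, tok[2], None, tok[3], None))
            elif tok[0] == "conduit":
                rest = tok[3:]
                g_net, g_port = _addr(rest), _port(rest)       # global side first ...
                f_net, f_port = _addr(rest), _port(rest)       # ... foreign side second
                self.conduits.append((tok[1], tok[2], g_net, g_port, f_net, f_port))

    def evaluate(self, proto, src_ip, src_port, dst_ip, dst_port, in_if="outside"):
        """Decide an inbound packet: (interface, local ip, local port) or None if dropped."""
        for hi, lo, sproto, gip, gport, lip, lport in self.statics:
            if lo == in_if and gip == dst_ip and (sproto is None or (sproto, gport) == (proto, dst_port)):
                break
        else:
            return None            # no static: nothing maps this global address inward
        if self.levels[in_if] < self.levels[hi] and not self._conduit_permits(
                proto, src_ip, src_port, dst_ip, dst_port):
            return None            # lower -> higher security needs an explicit conduit
        return hi, lip, (lport if lport is not None else dst_port)

    def _conduit_permits(self, proto, src_ip, src_port, dst_ip, dst_port):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for action, cproto, g_net, g_ok, f_net, f_ok in self.conduits:
            # Operand order is the reverse of an ACL: global (destination) before foreign (source).
            if cproto in (proto, "ip") and d in g_net and g_ok(dst_port) and s in f_net and f_ok(src_port):
                return action == "permit"
        return False               # no matching conduit: the ASA default is deny


# Constructed config: the Conduit Example slide plus the port-redirection static.
CONFIG = """
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
static (dmz,outside) 192.168.0.11 172.16.0.2
conduit permit tcp host 192.168.0.11 eq http any
static (dmz,outside) tcp 192.168.0.9 8080 172.16.0.2 www netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.0.9 eq 8080 any
"""
```

Calling `InboundPolicy(CONFIG).evaluate("tcp", "172.26.26.50", 4000, "192.168.0.11", 80)` yields the DMZ host on port 80; the same request for port 22, a UDP packet, or a global address with no static all come back as None, which is the point of the two-step static-plus-conduit design.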


Another Conduit Example

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec40
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# ip address partnernet 172.18.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any
pixfirewall(config)# static (dmz,partnernet) 172.18.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 172.18.0.11 eq http any

Figure: e0 outside .2 on 192.168.0.0/24 toward the Internet, e1 inside .1 on 10.0.0.0/24, e2 dmz .1 on 172.16.0.0/24 with the bastion host at .2, e3 partnernet .1 on 172.18.0.0/24.

The partnernet (security level 40) is lower than the DMZ (50), so partner hosts reach the bastion host only through the second static and conduit, via the global address 172.18.0.11.


Fixup Protocol Command

The PIX has a protocol fixup feature to recognize applications running on non-standard ports.

pixfirewall(config)# fixup protocol <protocol> <port>[-<port>]

NAT uses the fixup information for badly behaved protocols (those that carry addresses or port numbers inside their payload and open secondary connections, such as FTP and SQL*Net) to rewrite the embedded values and admit the secondary connection properly.

pixfirewall(config)# fixup protocol ftp 2021
pixfirewall(config)# fixup protocol sqlnet 1600


Attack Guards

The PIX has special handling for DNS and SMTP using the fixup protocol command.

pixfirewall(config)# fixup protocol dns <port>[-<port>]
pixfirewall(config)# fixup protocol smtp <port>[-<port>]

DNS Guard will only allow one response back to a query: the UDP connection slot is torn down as soon as the first answer arrives instead of being held open for the UDP timeout, so later duplicate or spoofed answers are dropped.

SMTP (Mail Guard) will only allow the minimal RFC 821 commands HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT; any other command from the client is rejected.
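The two guards on this slide, as an added example (not Cisco code and not part of the course): a DNS Guard that remembers each outstanding query by client address, port and transaction ID and closes the slot on the first matching answer, and a Mail Guard that lets only the seven RFC 821 commands through to the server. The matching rule, the line-based SMTP state machine (which has to pass the message body after DATA untouched, since body lines are not commands) and the "500 command unrecognized" reply returned to the client for a blocked command are this example's own assumptions; the DNS headers are constructed samples.

```python
"""Model of the PIX DNS Guard and Mail Guard. Added example, not Cisco code;
the assumptions are listed in the lead-in."""
import struct

MAILGUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# Constructed DNS headers: transaction ID 0x1234, standard query and its reply.
QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000")
RESPONSE = bytes.fromhex("1234 8180 0001 0001 0000 0000")


class DnsGuard:
    """Track outstanding queries; tear the slot down on the first matching answer."""

    def __init__(self):
        self.pending = {}   # (client ip, client port, txid) -> server ip

    @staticmethod
    def _txid(payload):
        return struct.unpack("!H", payload[:2])[0]

    @staticmethod
    def _is_response(payload):
        return bool(payload[2] & 0x80)   # QR bit in the DNS header flags

    def outbound(self, client, server, payload):
        """Client (ip, port) sends a query to server ip: remember it."""
        if not self._is_response(payload):
            self.pending[(*client, self._txid(payload))] = server

    def inbound(self, server, client, payload):
        """True if this answer is delivered to the client; anything else is dropped."""
        key = (*client, self._txid(payload))
        if not self._is_response(payload) or self.pending.get(key) != server:
            return False
        del self.pending[key]   # first answer closes the slot: a second one finds no slot
        return True


class MailGuard:
    """Filter client-to-server SMTP lines; the body after DATA passes untouched."""

    def __init__(self):
        self.in_data = False

    def filter(self, line):
        """Return (line to forward to the server or None, reply to the client or None)."""
        if self.in_data:
            if line.rstrip("\r\n") == ".":
                self.in_data = False     # end of message body: back to command mode
            return line, None
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb not in MAILGUARD_ALLOWED:
            return None, "500 command unrecognized\r\n"   # assumed reply, see lead-in
        if verb == "DATA":
            self.in_data = True          # following lines are body, not commands
        return line, None
```

VRFY and EXPN, the classic user-enumeration commands, never reach the server under this filter, while the same words inside a message body are forwarded because the guard knows it is inside DATA.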


Defending Against Denial-of-Service Attacks

The PIX can defend against inbound SYN-flooding (excess connection requests) attacks with the option for a maximum number of embryonic (SYN only) connections per translation slot:

pixfirewall(config)# static (int_if_name, out_if_name) global_ip local_ip [max_conn [max_embr]] [norandomseq]


AAA and SYN Floodguards

AAA Floodguard protects against DoS attacks on authorization requests. It is enabled by default.

pixfirewall(config)# floodguard enable | disable

SYN Floodguard protects against DoS half-open connection attacks.

pixfirewall(config)# nat (inside) 1 0 0 [max_conns [em_limit]]
pixfirewall(config)# static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255 [max_conns [em_limit]]

max_conns is the maximum number of simultaneous connections permitted to the hosts covered by local_ip (0 = unlimited).

em_limit is the maximum number of embryonic (half-open) connections permitted to those hosts (0 = unlimited); once it is reached, further SYNs are refused until half-open connections complete or time out.


Summary

• The PIX Firewall has four administrative access modes: unprivileged, privileged, configuration, and monitor.

• Interfaces with a higher security level can access interfaces with a lower security level, while interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.

• The primary commands necessary to configure the PIX Firewall are the following: nameif, interface, ip address, nat, global, static, conduit, and route.


Summary (continued)

• The nat and global commands work together to hide internal IP addresses.

• The nat 0 command allows an address to go out of the PIX untranslated while providing ASA security features for inbound requests.

• The static and conduit commands work together to provide access through the PIX.

• The PIX Firewall supports port redirection and has advanced protocol handling features.

• The PIX Firewall has DoS attack guards and Floodguards.

Configuring Failover


Failover

Figure: primary and secondary PIX Firewalls connected by the failover cable, both attached to the Internet-facing and inside networks.

The primary and secondary units must:

• be the same model number.

• have identical software versions and activation key types.

• have the same amount of Flash memory and RAM.


IP Address for Failover on PIX Firewalls

Figure: the primary PIX Firewall (active, standby after a failover) uses the system IP addresses and the secondary (standby, active after a failover) the failover IP addresses:

• 192.168.0.0/24: perimeter router .1, e0 system IP .2, e0 failover IP .7

• 10.0.0.0/24: e1 system IP .1, e1 failover IP .7, inside host .3

The active unit always answers on the system IP addresses, whichever physical unit that is.


Configuration Replication

Configuration replication occurs:

• When the standby firewall completes its initial bootup.

• As commands are entered on the active firewall.

• By entering the write standby command.


Failover and Stateful Failover

• Failover

– Connections are dropped.

– Client applications must reconnect.

– Provides redundancy.

• Stateful failover

– Connections remain active.

– No client applications need to reconnect.

– Provides redundancy and stateful connection.


failover Commands

pixfirewall(config)# failover

• The failover command enables failover between the active and standby PIX Firewalls.

pixfirewall(config)# failover ip address if_name ip_address

• The failover ip address command creates an IP address for the standby PIX Firewall, one per interface.

pixfirewall(config)# failover ip address inside 10.0.0.4

pixfirewall(config)# failover link [stateful_if_name]

• The failover link command enables stateful failover over the named interface, which carries the connection state updates to the standby unit.

pixfirewall(config)# failover [active]

• The failover active command forces the unit it is entered on to become the active firewall. The primary/secondary roles are fixed by the failover cable; active/standby is what changes.

Page 68: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

failover poll Command

pixfirewall(config)#
failover poll seconds

• Specifies how long failover waits before sending special failover “hello” packets between the primary and standby units over all network interfaces and the failover cable.

pixfirewall(config)# failover poll 10

• Failover waits ten seconds before sending special failover “hello” packets.

Page 69: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

show failover Command

Before failover:

pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
        This host: Primary - Active
                Active time: 360 (sec)
                Interface dmz (172.16.0.1): Normal
                Interface outside (192.168.0.2): Normal
                Interface inside (10.0.0.1): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface dmz (172.16.0.4): Normal
                Interface outside (192.168.0.4): Normal
                Interface inside (10.0.0.4): Normal

Stateful Failover Logical Update Statistics
        Link : dmz

After failover:

pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
        This host: Primary - Standby
                Active time: 0 (sec)
                Interface dmz (172.16.0.4): Normal
                Interface outside (192.168.0.4): Normal
                Interface inside (10.0.0.4): Normal
        Other host: Secondary - Active
                Active time: 150 (sec)
                Interface dmz (172.16.0.1): Normal
                Interface outside (192.168.0.2): Normal
                Interface inside (10.0.0.1): Normal

Stateful Failover Logical Update Statistics
        Link : dmz
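An operator watching a failover pair wants the role switch shown above noticed, not just displayed. As an added example that is not part of the course material, the following Python parses show failover text into a structure and flags a Primary unit that is no longer Active, a cable status other than Normal, or an interface that is not Normal; the sample text is constructed to match the slide's after-failover output, and the alert rules are this example's own choice.

```python
import re

def parse_show_failover(output):
    """Parse 'show failover' text: overall state, cable status, and for each of 'This host'
    and 'Other host' the unit, role, active seconds and per-interface address/state."""
    result = {"failover_on": None, "cable": None, "hosts": {}}
    current = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Failover "):
            result["failover_on"] = line.split()[1] == "On"
        elif line.startswith("Cable status:"):
            result["cable"] = line.split(":", 1)[1].strip()
        elif m := re.match(r"(This|Other) host: (Primary|Secondary) - (Active|Standby)", line):
            current = {"unit": m.group(2), "role": m.group(3), "active_sec": 0, "interfaces": {}}
            result["hosts"][m.group(1).lower()] = current
        elif current and (m := re.match(r"Active time: (\d+)", line)):
            current["active_sec"] = int(m.group(1))
        elif current and (m := re.match(r"Interface (\S+) \(([\d.]+)\): (\w+)", line)):
            current["interfaces"][m.group(1)] = {"ip": m.group(2), "state": m.group(3)}
    return result

def failover_alerts(parsed):
    """Conditions worth flagging: the Primary is no longer Active, or the cable or an interface is not Normal."""
    alerts = []
    for which, h in parsed["hosts"].items():
        if h["unit"] == "Primary" and h["role"] != "Active":
            alerts.append("primary unit is Standby: failover has occurred")
        for name, itf in h["interfaces"].items():
            if itf["state"] != "Normal":
                alerts.append(f"{which} host interface {name} ({itf['ip']}) is {itf['state']}")
    if parsed["cable"] != "Normal":
        alerts.append(f"failover cable status is {parsed['cable']}")
    return alerts

# Constructed sample modelled on the slide's "after failover" output.
AFTER_FAILOVER = """\
Failover On
Cable status: Normal
        This host: Primary - Standby
                Active time: 0 (sec)
                Interface dmz (172.16.0.4): Normal
                Interface outside (192.168.0.4): Normal
                Interface inside (10.0.0.4): Normal
        Other host: Secondary - Active
                Active time: 150 (sec)
                Interface dmz (172.16.0.1): Normal
                Interface outside (192.168.0.2): Normal
                Interface inside (10.0.0.1): Normal
"""
```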

Page 70: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

Summary

• The primary and secondary PIX Firewalls are the two firewalls used for failover. The primary PIX Firewall is usually active, while the secondary PIX Firewall is usually standby, but during failover the primary PIX Firewall goes on standby while the secondary becomes active.

• The configuration of the primary PIX Firewall is replicated to the secondary PIX Firewall during configuration replication.

• During failover, connections are dropped, while during stateful failover, connections remain active.

Page 71: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

Access Control Configuration and Content Filtering

Page 72: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

Access Control List

• An ACL enables you to determine what traffic will be allowed or denied through the PIX Firewall.

• ACLs are applied per interface (traffic is analyzed inbound relative to an interface).

• The access-list and access-group commands are used to create an ACL.

• The access-list and access-group commands are an alternative for the conduit and outbound commands.

Page 73: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

ACL Usage Guidelines

• Higher to lower security level

– Use an ACL to restrict outbound traffic.

– The ACL source address is the actual (un-translated) address of the host or network.

• Lower to higher security level

– Use an ACL to restrict inbound traffic.

– The destination host must have a statically mapped address.

– The ACL destination address is the “global ip” assigned in the static command.

Page 74: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

access-list Command

pixfirewall(config)#
access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port

• Enables you to create an ACL

• ACLs associated with IPSec are known as “crypto” ACLs

pixfirewall(config)# access-list dmz1 deny tcp 192.168.1.0 255.255.255.0 host 192.168.0.1 lt 1025

• ACL “dmz1” denies access from the 192.168.1.0 network to TCP ports less than 1025 on host 192.168.0.1

Page 75: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

access-group Command

pixfirewall(config)#
access-group acl_name in interface interface_name

• Binds an ACL to an interface

• The ACL is applied to traffic inbound to an interface

pixfirewall(config)# access-group dmz1 in interface dmz

• ACL “dmz1” is bound to interface “dmz”

Page 76: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

ACLs Versus Conduits

ACL

An ACL applies to a single interface, affecting all traffic entering that interface regardless of its security level.

Conduit

A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by permitting connections from one interface to access hosts on another.

It is recommended to use ACLs to maintain future compatibility.

Page 77: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

Convert Conduits to ACLs

pixfirewall(config)#
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]

pixfirewall(config)#
access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port

• global_ip = destination_addr

• foreign_ip = src_addr

pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq www any

pixfirewall(config)# access-list acl_in permit tcp any host 192.168.0.10 eq www

Page 78: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

ACLs

pixfirewall(config)# nat (dmz) 1 0 0

pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

pixfirewall(config)# static (inside,dmz) 172.16.0.10 10.0.0.3 netmask 255.255.255.255

pixfirewall(config)# static (inside,dmz) 172.16.0.12 10.0.0.4 netmask 255.255.255.255

pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.10 255.255.255.255 eq ftp

pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.12 255.255.255.255 eq smtp

pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 any eq www

pixfirewall(config)# access-group 102 in interface dmz

• Users on the DMZ are able to access the Internet, the internal FTP server, and the internal mail server.

Page 79: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

Deny Web Access to the Internet

[Figure: inside network behind the PIX Firewall; www traffic to the Internet is blocked, other IP traffic to the Internet is allowed]

nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

• Denies web traffic on port 80 from the inside network to the Internet

• Permits all other IP traffic from the inside network to the Internet

Page 80: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

Permit Web Access to the DMZ

[Figure: PIX Firewall with outside 192.168.0.0/24 (.2, toward the Internet), inside 10.0.0.0/24 (.1), and DMZ 172.16.0.0/24 (.1) with the web server at .2]

nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside

• The ACL acl_in_dmz permits web traffic on port 80 from the Internet to the DMZ web server.

• The ACL acl_in_dmz denies all other IP traffic from the Internet.
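Added example, not from the slides: a small Python model of how an access-list bound inbound on an interface is evaluated (first matching entry wins, and a packet that matches no entry is dropped by the implicit deny), run over the acl_out and acl_in_dmz entries from the two preceding slides. The service-name table covers only the names the slides use, and the packet addresses in the test are constructed.

```python
import ipaddress

PORTS = {"www": 80, "ftp": 21, "smtp": 25}   # service names used on the slides

def _addr(t, i):
    """Consume 'any' | 'host A' | 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network((t[i], t[i + 1]), strict=False), i + 2

def _port(t, i):
    """Consume an optional 'eq|lt|gt PORT'; return ((op, port number) or None, next index)."""
    if i < len(t) and t[i] in ("eq", "lt", "gt"):
        tok = t[i + 1]
        return (t[i], PORTS[tok] if tok in PORTS else int(tok)), i + 2
    return None, i

def parse_acl(line):
    """'access-list NAME permit|deny PROTO SRC [op port] DST [op port]' -> rule dict."""
    t = line.split()
    src, i = _addr(t, 4)
    _sport, i = _port(t, i)          # a source-port operator is accepted but not matched below
    dst, i = _addr(t, i)
    return {"name": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": _port(t, i)[0]}

def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """Evaluate one inbound packet: first matching entry wins, and a packet that matches
    no entry is dropped (the implicit deny at the end of every ACL)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] not in ("ip", proto) or s not in r["src"] or d not in r["dst"]:
            continue
        if r["dport"] is None:
            return r["action"]
        op, n = r["dport"]
        if dst_port is not None and {"eq": dst_port == n, "lt": dst_port < n, "gt": dst_port > n}[op]:
            return r["action"]
    return "deny"

# Constructed samples copied from the slides: acl_out applied inbound on the inside interface
# and acl_in_dmz applied inbound on the outside interface.
ACL_OUT = [parse_acl(l) for l in ("access-list acl_out deny tcp any any eq www",
                                   "access-list acl_out permit ip any any")]
ACL_IN_DMZ = [parse_acl(l) for l in ("access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www",
                                      "access-list acl_in_dmz deny ip any any")]
```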

Page 81: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

icmp Command

pixfirewall(config)#
icmp permit | deny [host] src_addr [src_mask] [type] int_name

• Enables or disables pinging to an interface

pixfirewall(config)# icmp deny any echo-reply outside

pixfirewall(config)# icmp permit any unreachable outside

• All ping requests are denied at the outside interface, and all unreachable messages are permitted at the outside interface

Page 82: © 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall

Summary

• ACLs enable you to determine which systems can establish connections through your PIX Firewall.

• Cisco recommends migrating from conduits to ACLs.

• Existing conduits can easily be converted to ACLs.

• With ICMP ACLs, you can disable pinging to a PIX Firewall interface so that your PIX Firewall cannot be detected on your network.

• The PIX Firewall can work with URL-filtering software to control and monitor Internet activity.