Cisco’s PIX firewall is one of the more common hardware devices used to protect small- to medium-size networks from outside attacks. A correctly configured PIX also helps you maintain some level of control over resources that internal users can access. In this article, I’ll walk through the steps to get a PIX firewall up and running in a useful configuration.
I’ll be using the relatively lightweight PIX 501 for my example setup. (This unit will run you somewhere around $450 for a 10-user license bundle.) The PIX 501 includes a console port, a WAN port, four 10/100 Ethernet ports, and it supports up to 10 internal IP addresses as well as optional DES encryption. I’ll be installing under PIX management software version 6.2(1). Your configuration steps may differ slightly from the ones presented in this article if you’re using a different version of the software.
First of all, physically install your PIX where you’ll be able to connect it both to the network and directly to a Windows-based PC via a serial cable. The new PIX operating system offers two methods of management: the command line, or the PIX Device Manager (PDM), a Web-based GUI that can handle almost the entire configuration process. Of course, you’ll have to use the command line to set up an IP address for the PIX before you are able to use the PDM at all.
The default IP address
The PIX 501 assigns the address 192.168.1.1 to the PIX for access from the internal network. If I were willing to accept this default, I could skip the command line setup on this particular unit. I’ll walk through the IP assignment process here anyway, to give a more thorough overview of the configuration steps for other PIX models.
To begin the configuration process, you must connect your administrative PC to the PIX via HyperTerminal. Simply link the PIX’s console port to the PC via the serial cable. In HyperTerminal, set the baud rate to 9600. Once connected, the PIX asks you to do some basic configuration via a number of prompts at the command line.
Connecting via HyperTerminal
For more information on connecting to Cisco equipment via HyperTerminal, check out Jack Wallen, Jr.’s article, Taking your first steps with a Cisco router.
The command line setup process
Listing A provides a transcript of my sample setup routine for my PIX 501. The items in bold are my responses to the prompts. I’ve also included a few notes about some of the questions.
If you have a new PIX, you should check the version of the management software installed on it using the version command at the command prompt. To do an upgrade, you’ll need to download the newest images from the Cisco support Web site. You’ll need a support contract on your firewall to successfully download the upgrade. I always recommend support contracts on single points of failure in a network; the contracts aren’t terribly expensive considering how much they can end up saving you. If you do not have a support contract, you’ll have to register your product and purchase a contract on the Customer Registration page.
As of this writing, the most current PIX software image available is 6.2.1 (login required) and the PIX Device Manager is in version 2.0.1 (login required). Going to the new PDM is critical if you want to use VPNs because version 1.x does not support their configuration. The files are named pix621.bin and pdm-201.bin, respectively.
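The article’s Listing A (the interactive setup transcript) is not reproduced here. As an added example, not the author’s listing, the following shows the PIX 6.2 configuration-mode commands that produce the same result as the setup dialog and the later PDM steps: the inside address used throughout the article, the static outside address assigned later in the PDM, the enable password the PDM logs in with, and the HTTP server that the PDM connects to. Lines beginning with a colon are comments, as in a saved PIX configuration. The default gateway address 10.10.10.254 and the hostname are my assumptions; the article does not state them.

```cisco
: Added example: PIX 6.2 equivalent of the initial setup (not Listing A)
: Enter these after "enable" and "configure terminal" at the pix(config)# prompt.
hostname pix501
: Enable password; the PDM uses this as its login password (article uses "admin").
enable password admin
: Inside address from the setup dialog; outside address set statically (article sets it via PDM).
ip address inside 192.168.1.20 255.255.255.0
ip address outside 10.10.10.1 255.255.255.0
: Default route toward the ISP. The gateway address is an assumption for this example.
route outside 0.0.0.0 0.0.0.0 10.10.10.254 1
: Start the HTTPS server the PDM talks to, and restrict PDM access to the inside LAN.
http server enable
http 192.168.1.0 255.255.255.0 inside
: Commit to flash so the settings survive a reboot.
write memory
: Verify the interface addressing and the running image version.
show ip address
show version
```

Restricting the `http` statement to the inside subnet matters: it is the only thing standing between the PDM’s enable-password login and any host that can reach the firewall, so never widen it to the outside interface.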
The PIX software
Installing the newest version of the PIX software is as easy as following these steps:
1. Save the PIX files into a directory accessible by your TFTP server. If you need a TFTP server, Cisco provides one for free.
2. Connect via HyperTerminal to make sure the serial link is still working.
3. Reboot the PIX by either power cycling it or issuing a reboot command at the command line.
4. When a message appears indicating that the configuration is about to load from flash, press [Esc] to put the PIX into monitor mode.
5. Provide the PIX with some information about its addressing and where it can find your TFTP server, as well as the name of the binary to install. I entered the information in Table A for my setup.
| Monitor-mode command | Purpose |
|---|---|
| address 192.168.1.20 | Internal address of the PIX. |
| server 192.168.1.2 | IP address of my TFTP server. |
| file pix621.bin | Name of the file to download. |
| tftp | Starts the TFTP transfer of the new image. |
When the install routine is complete, elect to save this image to flash. The unit will reboot with the new PIX software loaded.
Updating the PDM software
My PIX 501 came with version 1.x of the PDM, which is out-of-date. To upgrade it, I used the copy tftp://192.168.1.2/pdm-201.bin flash:pdm command at the PIX prompt to update the GUI tool.
Move to the GUI
You’ll be asked to provide a username and password to access the PDM. The PIX PDM does not use a username, but it does use the password field, which needs to match the enable password that we configured during the command-line setup. For my configuration, this password is “admin”.
The PDM will ask you whether or not you want to install the PDM software. Choosing either Grant Always or Grant This Session will allow the connection either every time or just this once, respectively. The other option is to deny the session by clicking Deny. I’ll choose the Grant Always option.
Next, the PDM informs me that since this is the first time the PDM has been used, it must do a one-time configuration. I’ll allow this by choosing the Proceed button. The PDM then loads the configuration from your PIX and populates the various GUI screens with that information. The final result is the opening screen for the PDM, shown in Figure A.
Figure A: The PDM provides a number of configuration screens.
Each of the PDM’s tabs represents a different service.
- Access Rules: Shows your network access policy listed as rules. If you have used Check Point’s policy editor software, the look and feel of this tab will be somewhat familiar.
- Translation Rules: Shows your NAT and PAT (port address translation) rules.
- VPN: Lets you set up your VPN configuration.
- Hosts/Networks: Lets you edit the list of hosts and networks defined for a selected interface. Access rules reference these hosts and networks.
- System Properties: Lets you make changes to the configuration of network interfaces.
- Monitoring: Lets you watch various aspects of the system.
The PIX needs to have certain parameters supplied to it before it can begin its work. While some of these parameters, such as the internal IP address, were defined during the initial command line configuration, the PIX still needs some vital information, such as the outside interface IP address and the access rules.
Setting up the outside interface
On my PIX 501, the inside interface is set to 192.168.1.20 and the outside interface is configured to obtain an IP address from my ISP’s DHCP server. I want to assign a static IP address to this interface, however. I can do this from the PDM’s System Properties tab, as shown in Figure B.
Figure B: You can configure the interface from the System Properties tab.
As you can see in the Interfaces table shown in Figure B, I have two interfaces on my PIX 501: inside and outside. These interface names were assigned during the initial system configuration; the inside interface name can be changed to anything you want. To change the IP address of an interface, select the interface entry in the list and then click the Edit button at the bottom of the screen to open the Edit Interface screen shown in Figure C. I’ve set the IP address of the WAN interface to 10.10.10.1 and retained the name “outside.”
Figure C: Making addressing changes is easy with the PDM.
I click OK and return to the main PDM window, where the now-active Apply To PIX button will let me save my changes in this session. To make my changes permanent, I’ll need to save them to flash on the PIX. As shown in Figure D, the PDM lets you know when a flash save is needed; simply clicking the message will write the new configuration to the PIX. Once you save to flash, the message goes away.
Figure D: The PDM lets you know when you need to save to flash.
Access rules form the basis of the PIX’s security policies and need to be carefully administered. Many organizations have access rules that allow certain traffic, such as SMTP, to traverse the firewall from the outside, or they block the use of a specific service, such as IM, from inside the firewall.
Let’s suppose you want to block access to a specific Web site, such as www.whitehouse.com. First, you need to look up the IP address for www.whitehouse.com, which happens to be 18.104.22.168. On the PDM’s Access Rules tab, right-click anywhere and choose Add from the shortcut menu.
In Figure E, I have configured the PIX to deny all traffic from the inside interface to the IP address 22.214.171.124 on the outside.
Figure E: Blocking access to a Web site is a snap with the PDM.
When I click OK, I get a message indicating that the host does not exist on the outside network, and PDM offers to let me set it up, as you can see in Figure F.
Figure F: The PDM helps you set up a new external host.
To check this operation, I can click on Outside Interface in the Hosts/Networks tab and see (Figure G) that the White House has been added as a host.
Figure G: Whitehouse.com is now on the hosts list.
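What the PDM wrote to the PIX in the access-rule and host steps above can be seen and reproduced at the command line. This is an added example, not the article’s own configuration output: it uses the article’s host address and interface names, while the access-list name `inside_access_in` is my assumption (the PDM generates its own names).

```cisco
: Added example: PIX 6.2 equivalent of the PDM access rule that blocks the site
: Deny everything from the inside network to the single host the article resolved.
access-list inside_access_in deny ip any host 22.214.171.124
: An applied access-list ends with an implicit deny, so the explicit permit below
: keeps all other outbound traffic working. Leave it out and the LAN loses Internet access.
access-list inside_access_in permit ip any any
: Bind the list to the inside interface for traffic entering from the LAN.
access-group inside_access_in in interface inside
: This is what the Hosts/Networks entry in Figure G corresponds to in the saved config.
pdm location 22.214.171.124 255.255.255.255 outside
: Commit, then verify. show access-list reports a hit count (hitcnt) per entry,
: so a test connection from the LAN should raise the deny entry's counter.
write memory
show access-list inside_access_in
```

Two caveats a practitioner would want. The rule blocks only the address that was looked up when it was written; a site that moves or uses several addresses slips past it, so recheck the address periodically or use a content filter for anything beyond a one-off block. And the order of the two entries is significant: the PIX evaluates access-list entries top to bottom and stops at the first match, so the permit must come after the deny.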
Compatibility and responsibility
Remember to administer your PIX responsibly by saving your configuration every so often and keeping a hard copy. I’ve had to rebuild a PIX configuration from scratch in the middle of a frantic day as a result of a very simple mistake.