The Basics of the Cisco PIX Firewall
The word appliance is a three-syllable noun. It is defined as a device or an instrument designed to perform a specific function, and it applies especially to an electrical device, such as a toaster, an oven, or a refrigerator for household use. We all use appliances in our everyday lives. We plug in the toaster, pop in some bread, and push down the button—in a minute or so, we have toast. What could be easier? Appliances make our lives simple, fast, and complete.
When used in the data communications world, an appliance is defined as a device that is dedicated to a specific function. The term applianc may be combined with another word to be used more specifically, such as "Internet appliance" or "firewall appliance." Many consider the Cisco PIX firewall to be an appliance. Maybe it is, but don't think that when you buy a PIX and install it, you'll have an operational internetwork and be secure in 60 seconds. While the PIX is a fairly simple device to configure, there's more to it than that.
The Six Basic Commands
The six basic commands to configure a Cisco PIX firewall are well known: nameif, interface, ip address, global, nat, and route. The nameif, interface, and ip address commands are the necessary minimum to get the PIX to communicate with other devices.
The nameif command has two big jobs to perform. It names the interface and assigns a security level. The syntax of the command follows:
nameif hardware_id if_name security_level
The hardware_id is the type of hardware that is being used for the interface. Examples are Gigabit Ethernet, Ethernet, Token Ring, and FDDI. It is important to note that both Token Ring and FDDI have reached end-of-sale status at Cisco. The last date that the Token Ring interface was available for sale was August 25, 2001. The last date that the FDDI interface was available for sale was June 23, 2001.
The if_name is the name of the interface. The name can be up to 48 characters in length and can be uppercase or lowercase. Default names appear in the configuration of the PIX. By default, the E0 interface is named the outside interface and is considered the least secure interface. The E1 interface is named inside, by default, and is considered the most secure. If the PIX has more than two interfaces, the default names of the additional interfaces are intf2 for E2, intf3 for E3, and so on.
The third variable parameter is security_level. The security level is used to define how to configure the PIX to permit traffic to be passed. The inside interface has a default security level of 100. The outside interface has a default security level of 0. 100 is the maximum permitted, and 0 is the minimum. An interface with a higher security level number assigned is considered more secure. If the PIX has more than two interfaces, the default security level of the additional interfaces is 10 for E2 and 15 for E3; each additional interface security level increments by 5.
An interface with a higher security level (assigned to the interface) is considered to be more trusted than an interface with a lower security level. This is an important distinction to understand when configuring data flow. By default, with no configuration parameters input, no data can pass through the PIX. When utilizing the six basic commands that are discussed here, you may configure the PIX to pass data from a more trusted side of the PIX to a less trusted side of the PIX.
An example of a three-interface configuration using nameif might look like this:
pixfirewall# write terminal Building configuration… : Saved : PIX Version 6.0(1) nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security 50 . . .
The interface command is used to identify the network interface type, the hardware speed, and the duplex setting (if applicable); it also enables the interface. Network interface types are Ethernet, Gigabit Ethernet, Token Ring, and FDDI. The interface command can be used to shut down an interface, just as an administrator can do on a Cisco router. An interface that is shut down is one that is disabled and is passing no data due to the configuration. The interface command syntax is shown here:
Interface hardware_id [hardware_speed] [shutdown]
If an interface is shut down, configuring that interface and leaving off the variable shutdown will enable the interface. This is an example of configuring the interface command on a three-interface PIX using the auto option (which will set the Ethernet speed automatically) for hardware_speed:
interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto
Assigning an IP address to an interface is accomplished with the ip address command. Each interface that is to be used to pass data must be configured with an IP address. When configuring the ip address command, the IP address is bound to the interface name that was created with the nameif command:
ip address if_name ip_address [netmask]
When the nameif, interface, and ip address commands are configured, it is possible to learn the status of the interfaces. Issuing the show interface command will let you know whether the interfaced is up or down. If the interface is up, you may also test connectivity to the PIX. You may issue a ping command to find out whether the PIX is communicating with a neighbor device on the same network.
When passing data to a destination network that is not directly connected to the PIX, the destination network must be specified. The destination network is specified using the route command. The PIX is not a router, although it sometimes behaves in a routerlike fashion. The PIX cannot make the same kinds of dynamic routing decisions that a router makes; it must be configured statically.
Route if_name ip_address netmask gateway_ip [metric]
Here, if_name is the name of the interface that the data will pass through when exiting the PIX. The gateway_ip is the IP address of the device (usually a router) that is the next-hop device to the destination network.
It is common to use a default route to the untrusted side of the PIX (the outside interface). The following is an example of how the route commands might be configured if the outside interface were connected to the Internet and the inside interface were connected to your company intranet, which consists of three subnets. The inside interface is directly connected to the 10.2.0.0 255.255.0.0 subnet. The 10.3.0.0 and 10.4.0.0 subnets are reached via a router with a local interface of 10.2.1.4.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 route inside 10.3.0.0 255.255.0.0 10.2.1.4 1 route inside 10.4.0.0 255.255.0.0 10.2.1.4 1
With the default route, any traffic that is permitted to pass through the PIX that has a destination network other than 10.2.0.0, 10.3.0.0, and 10.4.0.0 will be passed through the outside interface to 192.168.1.1 for routing.
global and nat
Now it's time to configure the PIX to allow data to pass through. One of the jobs that the PIX performs very well is address translation. The IP address that enters the PIX through a more trusted interface (this is referred to as a local address) is translated to a different IP address when it exits the PIX through a less trusted interface (this is referred to as the global address).
To pass this data, it is necessary to input some configuration parameters. One way to configure the PIX to permit this data is to use the global and nat statements.
The nat command enables network address translation. nat also defines the local IP addresses that are to be translated to the global IP addresses defined in the global statement. The syntax for the nat and global commands follows:
nat (if_name) nat_id local_ip [netmask]
Data enters the PIX via the interface defined with the if_name variable. The nat_id is an arbitrary, administrator-assigned number between zero and two billion (0 is reserved for a specific purpose, but that is a discussion for another article). The nat_id number used here must match the one used with the corresponding global command. The nat_id number is what binds the nat and global statements together. The local_ip is the more trusted local network that is to be translated to the address or addresses defined in the global command.
global (if_name) nat_id global_ip [-global_ip] [netmask global_mask]
Data exits the PIX via the interface defined with the if_name variable of the global command. The nat_id number used here must match the one used with the corresponding nat command. The global_ip defines the global IP address or global network number.
An example of a two-interface PIX configuration using each of the six basic commands follows:
nameif ethernet0 outside security0 nameif ethernet1 inside security100 interface ethernet0 auto interface ethernet1 auto ip address outside 192.168.1.2 255.255.255.0 ip address inside 10.2.1.1 255.255.0.0 global (outside) 1 192.168.1.20-192.168.1.254 nat (inside) 1 10.0.0.0 255.0.0.0 route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 route inside 10.3.0.0 255.255.0.0 10.2.1.4 1 route inside 10.4.0.0 255.255.0.0 10.2.1.4 1