CISCO PIX: INTRODUCTION, HOW IT OPERATES AND THE CLI

The PIX Firewall.

The Cisco PIX firewall is one of the most popular brands of firewall available today. Whilst it can be a very useful piece of equipment, it is not always straightforward to configure.
Because of what a firewall is for, it is essential to deploy and configure it correctly; otherwise you may inadvertently leave your network wide open to attack when you thought it was secure.

The PIX comes in several form factors:

501 – This is the cheapest and smallest firewall in the PIX range and is aimed almost exclusively at Small Office – Home Office (SOHO) setups. It can support up to 7500 concurrent connections and has 60 Mbps throughput.
Interface-wise it has a 10/100BASE-T Ethernet interface for the outside connection (100BASE-T is only supported from version 6.3) and a four-port 10/100 switch for the inside interfaces. It can also support up to 10 simultaneous VPN connections. It does not support failover at all.

As you can no doubt see, it is only useful for a very small SOHO setup.

506E – Although more useful than the 501 for the SOHO setup, the 506E is geared more towards the ROBO (Remote Office – Branch Office) setup and is an ideal choice for a small to medium sized business if you don’t need failover capabilities, many VLANs or very fast throughput.
It can provide 25,000 concurrent connections and 100 Mbps clear text throughput.
It has only two 10/100BASE-T interfaces, supports up to two VLANs and can support up to 25 simultaneous VPN connections. It does not support version 7 of the PIX operating system or the ASDM utility; instead it has the less capable PDM for remote configuration.

515E – Designed for small to medium sized businesses and enterprise networks. It can handle up to 130,000 concurrent connections and provides 190 Mbps of clear text throughput. It can have up to six 10/100 Fast Ethernet interfaces, 25 VLANs and up to five contexts (contexts will be explained later).
It is the first PIX in the range that supports failover and version 7 of the PIX operating system. It can have up to 2,000 VPN tunnels and supports site-to-site and remote access VPNs.

525 – The 525 is probably the most common security appliance in the PIX range that you will come across, thanks to its affordability versus functionality. It can support up to 280,000 concurrent connections, has 330 Mbps of clear text throughput, up to 10 10/100 Fast Ethernet interfaces, up to 100 VLANs and 50 contexts.
It supports failover, version 7 of the PIX operating system and up to 2,000 VPN tunnels.

535 – The Cisco PIX 535 is a high-performance, purpose-built security appliance designed for very large enterprise and service provider networks.

It supports up to ten 10/100 Fast Ethernet interfaces or nine Gigabit Ethernet interfaces and redundant power supplies, and can handle up to 1.7 Gbps of firewall throughput with the capacity for more than 500,000 simultaneous sessions.

Certain PIX 535 models include an integrated hardware VPN acceleration card that delivers up to 440 Mbps of Triple Data Encryption Standard (3DES) VPN throughput and 440 Mbps of Advanced Encryption Standard (AES-256) VPN throughput.


The PIX firewall range has a wide variety of add-on cards and can work hand in hand with the Adaptive Security Appliance (ASA). There are too many add-on cards and different ASA configurations to go into here, but the Cisco website has all the information if you need to research it further.

Getting Started:

There are three ways to connect to the PIX:

1) Via the console cable
2) Via the PDM, or the ASDM on the 515 and later
3) Via Telnet /SSH (needs to be configured first)

If you are comfortable with the Command Line Interface (CLI) on the PIX then the best way to connect is via the console port. To do this, simply attach the supplied console cable, open HyperTerminal (or a terminal emulation program of your choice), set the baud rate to 9600 and press Enter.

If you are not comfortable using the CLI then Cisco have provided a GUI for you to use. On the 501 and the 506E this is known as the PDM and on the 515 and above it is known as the ASDM.

Connect to the inside interface of the PIX (Eth1) using a normal Cat5 Ethernet cable, open your web browser and type 192.168.1.1. If you get stuck trying to connect to the PIX to use the PDM/ASDM, refer to the user manual; it will tell you the IP address range the DHCP server uses. This is usually 192.168.1.1/24, so either set your PC to receive an IP via DHCP or configure it in the correct subnet: 192.168.1.2 with a 255.255.255.0 mask is usually good.

There is a known problem when using the PDM with the latest versions of Sun’s Java. You need to have version 4 installed, which you can get from the archive pages on the Sun website. If you cannot connect you may need to remove the latest Java update (5.0 update 5 and 5.0 update 6) from the Add/Remove Programs window in the Control Panel.

For now we will use the CLI.

Once connected there are four administrative modes you can be in:

1) Unprivileged
2) Privileged
3) Configuration
4) Monitor

When you first connect via the CLI you will be in unprivileged mode, which uses the > prompt:

Code:
Firewall>


Just like on a router, you would now type ‘enable’ (or en for short):

Code:
Firewall>en


If a password is set you will now be prompted for it; the PIX usually ships with a default password of either pix or cisco.

If you enter the password successfully you will now land in privileged mode, which uses the # symbol:

Code:
Firewall#


From privileged mode you can issue most commands that show you details of the configuration, but you cannot alter the configuration except for setting passwords, writing the configuration to memory and a few others:

Code:
Firewall#show running-config (or sh run for short)


The above command shows the entire running configuration of the PIX.
To make any changes to the actual configuration of the PIX we need to be in configuration mode. We get there with the command configure terminal (or conf t for short):

Code:
Firewall#conf t


The prompt will now change to:

Code:
Firewall(config)#


This shows us we are in configuration mode. From here we can now change the configuration of the firewall.

Monitor mode is a special mode that lets us update the OS image over a network or perform password recovery. Whilst in monitor mode we can enter commands to specify the location of a TFTP server and the location of the updated software or password recovery file to download.

As with most Cisco equipment that uses a CLI, commands can be abbreviated to the fewest characters that uniquely identify the command.
So sh run is short for show running-config, en is short for enable, and copy run start is short for copy running-config startup-config.
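A small resolver for this abbreviation rule, written as an added example that is not part of the original tutorial; the command table it uses is a constructed subset of the real PIX command tree, and it reports ambiguous prefixes (such as a bare c) instead of guessing:

```python
"""Resolve abbreviated PIX CLI commands to their full form.

Added example, not code from the original tutorial: it applies the
"fewest unique characters" rule against a small command table that is a
constructed subset of the real PIX command tree.
"""

# Constructed subset of the PIX command tree. Each keyword maps to the
# keywords that may follow it; an empty dict means the command is complete.
COMMANDS = {
    "enable": {},
    "configure": {"terminal": {}},
    "show": {"running-config": {}, "startup-config": {}},
    "copy": {"running-config": {"startup-config": {}}},
    "clear": {"configure": {"all": {}}},
    "write": {"memory": {}, "erase": {}, "terminal": {}},
    "reload": {"noconfirm": {}},
}


class AmbiguousCommand(ValueError):
    """The prefix matches more than one keyword, e.g. 'c' at the top level."""


def expand_word(prefix, choices):
    """Return the single keyword in choices that starts with prefix."""
    if prefix in choices:            # an exact keyword always wins
        return prefix
    matches = [word for word in choices if word.startswith(prefix)]
    if not matches:
        raise ValueError(f"unknown keyword: {prefix!r}")
    if len(matches) > 1:
        raise AmbiguousCommand(f"{prefix!r} could be any of {sorted(matches)}")
    return matches[0]


def expand(command_line):
    """Expand an abbreviated command line, e.g. 'sh run' -> 'show running-config'."""
    level, full = COMMANDS, []
    for word in command_line.split():
        keyword = expand_word(word, level)
        full.append(keyword)
        level = level[keyword]       # descend to the keywords allowed next
    return " ".join(full)


if __name__ == "__main__":
    for short in ("sh run", "en", "conf t", "wr mem", "copy run start", "clear con all"):
        print(f"{short:16} -> {expand(short)}")
    try:
        expand("c")
    except AmbiguousCommand as err:
        print("ambiguous:", err)
```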

The first thing we can do is set a password on the PIX to stop unauthorised access. It is easy to get so engrossed in configuring the PIX that you forget to set a password once finished, so I make it a habit to set the password on any device first.

There are 15 different access levels we can grant a user when they log on to the PIX, with 15 being the highest. Which password is used determines which access level the user is dropped into.

To set the password we need to be in the privileged mode (the # prompt).

So

Code:
Firewall>en
Password:
Firewall#


We now issue the command enable password <password> level <level>:

Code:
Firewall#enable password tazzone123 level 15


enable = we want to set the enable password (the password that is requested when the enable command is issued)
password = we are setting the password rather than giving the enable command
tazzone123 = the password we want to set
level 15 = the privilege level that anyone using that password will be granted. In this case the user will have total control of the PIX.


Before we go into the configuration commands there are a few commands we need to know, to save the configuration to memory and to erase it in case we mess it up!

Like a router, the PIX has two different configurations: the running configuration and the start-up configuration.

The running configuration is what we make all our changes to. If we do not save those changes to the start-up configuration and the PIX is unplugged, suffers a power cut, etc., it will start up with whatever is in the start-up configuration and all our changes will be lost.

There is a twofold advantage to this: we can make changes ‘on the fly’, and if the firewall stops working as it should we can just reload it and it will come back with its old configuration. The other benefit is that if we are unsure of any changes that have been made we can use the sh start and sh run commands to view both configurations and compare them to each other.
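One way to do that comparison on captured output, as an added example that is not part of the original tutorial: the two configurations below are constructed samples (the password hash and the checksum are placeholders), and the script lists exactly which lines would be lost, or would come back, on a reload:

```python
"""Compare 'show run' with 'show start' output to list unsaved PIX changes.

Added example, not code from the original tutorial; the sample output below is
constructed, and the password hash and checksum are placeholders.
"""
import difflib
import re

# Constructed 'show startup-config' output: what the PIX would boot with.
STARTUP = """: Saved
PIX Version 6.3(5)
nameif ethernet0 outside security0
enable password PLACEHOLDERHASH encrypted
hostname Firewall
access-list outside_in permit tcp any any
access-group outside_in in interface outside
Cryptochecksum:PLACEHOLDERCHECKSUM
"""
# Constructed 'show running-config' output: rule tightened, telnet added, not yet saved.
RUNNING = """PIX Version 6.3(5)
nameif ethernet0 outside security0
enable password PLACEHOLDERHASH encrypted
hostname Firewall
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
telnet 192.168.1.0 255.255.255.0 inside
"""
# Lines that describe the file rather than the policy never count as a change.
METADATA = re.compile(r"^(:|PIX Version|Cryptochecksum:)")

def policy_lines(config_text):
    """Return the configuration lines, dropping metadata and blank lines."""
    return [line.rstrip() for line in config_text.splitlines()
            if line.strip() and not METADATA.match(line)]

def unsaved_changes(running_text, startup_text):
    """Return (added, removed): lines only in the running / only in the start-up config."""
    startup, running = policy_lines(startup_text), policy_lines(running_text)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, startup, running).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(startup[i1:i2])   # would come back on reload
        if tag in ("insert", "replace"):
            added.extend(running[j1:j2])     # lost on reload unless written to memory
    return added, removed

if __name__ == "__main__":
    added, removed = unsaved_changes(RUNNING, STARTUP)
    print("not yet saved:", added, "\nwould return on reload:", removed)
```

In the sample the tightened access-list and the telnet line exist only in the running configuration, so a power cut would silently restore the wide-open permit tcp any any rule until write memory is issued.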

After we have made a change to the running configuration and are sure we want to keep it, the command ‘write memory’ is used to save the running configuration to the start-up configuration.

Code:
Firewall#write memory  (or wr mem for short)


If we have made a complete hash of the running configuration and want to start over while still retaining the start-up configuration, we can use the command ‘clear configure all’.

Code:
Firewall#clear configure all  (or clear con all for short)


Finally, if we want to clear everything and start afresh we can use the command ‘write erase’:

Code:
Firewall#write erase  (or wr er for short)


You will be prompted to confirm that you want to erase the start-up configuration; hitting Enter or typing Yes will clear it.

The running configuration will still be active, however, so we need to either reload the PIX or copy the running configuration to the start-up configuration.

To reboot the PIX we use the command ‘reload’

Code:
Firewall#reload


We will be prompted to confirm we want to reload the device.

Or we can use the copy run start command to copy the running configuration to the start-up configuration:

Code:
Firewall#copy run start


If you are writing a script to send or paste straight into the PIX, we can issue the ‘reload noconfirm’ command, which reloads the device without asking for confirmation.

*Before making any changes to the PIX, once you have an up and running configuration, copy the output of the ‘show run’ command into a text editor such as Notepad. Then if you ever need to revert to that configuration you can just copy and paste it straight back into the firewall.*




Original Tutorial by nokia for TheTAZZone-TAZForum

Originally posted on September 10th, 2006 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.
