Cisco PIX Firewall Basics

icon Cisco Pix Firewall Basics

Introduction

This month we start a series of articles on security. And where better to start than by taking a look at what the Cisco PIX can do, and how to configure it?

The online reference materials for configuring Cisco PIX Firewall Version 6.1 can be found at: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/index.htm . I recommend you look there for the details we had to omit in this article. It is always a good idea to check the Release Notes, especially for open caveats (bugs) that may affect an advanced PIX implementation.

Another good source of information about the Cisco PIX is the Cisco CSPFA course. This is a security-certification track course. See http://www.cisco.com/pcgi-bin/front.x/wwtraining/CELC/index.cgi?action=CourseDesc&COURSE_ID=1628 .

What Does a PIX Do?

The PIX is a firewall appliance based on a hardened, specially built operating system, PIX OS, minimizing possible OS-specific security holes. The PIX has received ICSA Firewall and IPsec certification as well as Common Criteria EAL4 evaluation status.

PIX firewalls provide a wide range of security and networking services including:

  • Network Address Translation (NAT) or Port Address Translation (PAT)
  • content filtering (Java/ActiveX)
  • URL filtering
  • IPsec VPN
  • support for leading X.509 PKI solutions
  • DHCP client/server
  • PPPoE support
  • advanced security services for multimedia applications and protocols including Voice over IP (VoIP), H.323, SIP, Skinny and Microsoft NetMeeting
  • AAA (RADIUS/TACACS+) integration
PIX can be graphically managed using the integrated Web-based management interface known as the PIX Device Manager (PDM) or by the Cisco Secure Policy Manager 2.3f and 3.0f (not to be confused with CSPM 2.3.3i which is for intrusion detection system management).  The PDM is a PIX-specific device configuration and management tool whereas CSPM is generally used as part of a larger security management infrastructure and allows one to correlate organizational security policies with a PIX configuration. Management interfaces include command-line interface (CLI), telnet, Secure Shell (SSH 1.5), console port, SNMP, and syslog.

Cisco PIX Models

Cisco PIX
Model
Rated 
Throughput
Concurrent
Connections
Description
PIX 535 1 Gbps + 

Up to 95 Mbps 3DES VPN, 2000 IPsec tunnels

500,000 Some models include stateful high-availability capabilities, as well as integrated hardware acceleration for VPN. Modular chassis, up to 10 10/100 Fast Ethernet interfaces or 9 Gigabit Ethernet interfaces.
PIX 525 360 Mbps + 

Up to 70 Mbps 3DES VPN, 2000 IPsec tunnels

280,000 Some models include stateful high-availability capabilities, as well as integrated hardware acceleration for VPN. Modular chassis, up to 8 10/100 Fast Ethernet interfaces or 3 Gigabit Ethernet interfaces. 
PIX 515E 188 Mbps + 125,000 Some models include stateful high-availability capabilities and integrate support for 2,000 IPsec tunnels. Modular chassis, up to six 10/100 Fast Ethernet interfaces. 
PIX 506E 20 Mbps +, 
16 Mbps 3DES VPN
  Compact desktop chassis, two auto-sensing 10Base-T interfaces.
PIX 501 10 Mbps +, 
3 Mbps 3DES VPN
  Compact plug-n-play security appliance,  integrated 4-port Fast Ethernet (10/100) switch and one 10Base-T interface. 

See http://www.cisco.com/warp/customer/cc/pd/fw/sqfw500/   for information about the PIX product line in general, or for more details or the latest models added to this product line.

PIX Terminology and Background Information

The following diagram shows a multi-port PIX connected to various networks. We will use this diagram as we build up a PIX configuration in this and any subsequent PIX articles.

PIX terminology: we generally refer to the user segment as the Inside subnet. The interface connected to the Internet router is the outside subnet. As shown, we probably have DMZ (De-Militarized Zone) subnet, the subnet where we quarantine all servers that are accessible from the outside. We might also have a separate management subnet and a subnet tying to a redundant PIX for failover (if supported/licensed).

The PIX Command-Line Interface (CLI) is somewhat like the Cisco IOS interface, but different. Use colon (":") for comments (which, as usual, are not retained).  Newer PIX OS uses ACL's, replacing the former conduits (which were arguably more confusing to experienced Cisco router administrators).

PIX interfaces are normally shutdown until the administrator activates them.

PIX interfaces have an associated security level. Two interfaces at same level can't send packets to each other. We'll shortly see that you set levels with nameif command. Connections and traffic are normally permitted from higher to lower security level interfaces, although you do have to put in some basic configuration to allow traffic to flow. Connections the other way (from low to high security) are disallowed unless the configuration explicitly permits them.

You actually do not have to put any ACL if going from a higher security level to a lower. Everything will be allowed. Best practice is to put an ACL on all interfaces even if the ACL permits everything to flow using "ip any any".  An ACL put inbound (PIX only does inbound ACLs) to the inside interface can control traffic destined going outbound. If an admin wants to only have www and dns traffic outbound he would allow only tcp on 80 and udp on 53 then everything else like real audio would be denied as it goes out.)

To let traffic flow from a high security level to a lower level, use the nat and global commands. For the opposite direction, from lower to higher, use the static and access-list commands. We suggest using nat and global when going from any non-outside interface to the outside interface (Internet usually unless the PIX is used as a border between business units) which is a little different than the first sentence above.  We also suggest using statics from any non-outside interface to any other non-outside interface (like inside to management or ethernet3 to ethernet4, below.)

The PIX normally uses stateful NAT connections and stateful security, referred to as the Adaptive Security Algorithm (ASA). The PIX does not pass multicast traffic. (Can you say "DVMRP tunnel"?)

Cisco and we recommend you do not dynamic routing to or through the PIX. The PIX does support RIP, but the authors both loathe RIP. And static routing is more secure, cannot be as easily fooled.

PIX Configuration

We'll start off with good housekeeping. Enter configuration mode with "config t". You'll want to assign a hostname / prompt name so you can tell which device you're on. You'll also want to set up passwords.
 
Command
Command Explanation
enable password myEnableSecret encrypted
Set the enable password (displays encrypted). Displays in encrypted form, with the word "encrypted" at the end. Note that when entering the command leave off  "encrypted" keyword or the PIX will assume that the string you are putting in is the encryption of the actual password. 
passwd myLoginSecret encrypted
Set the user mode password, the first password challenge when using Telnet.  Note that when executing the command leave off the "encrypted" keyword or the PIX will assume that the string you are putting in is the encryption of the actual password.
hostname UNIT1
Set the name of the host. It is best to make this name innocuous so that it does not give away the type of device this is. 

The PIX does allow you to set up a hosts table as a management convenience. Because there is no connection to DNS or /etc/hosts on UNIX servers, use of this command is a mixed blessing. It makes configurations much more readable but introduces another level of administration. Not only do you have to add and delete IP addresses to your configuration as you do now. But with this command, you also need to ensure that the host names match existing names.

Command
Command Explanation
name 10.3.3.22 DMZWEBSERVER

Map address to name

name 10.1.1.82 INTERNALDNSHOST

 

name 10.1.1.79 INTERNALORACLEHOST

 

name 10.1.1.71 INTERNALNTPHOST

 

name 1.1.1.5 EXTERNALSMTPHOST

 

name 1.1.1.22 EXTERNALWWWHOSTNAME
 

To start adjusting the default PIX configuration, one usually names the interfaces and assigns them security levels. (0 = least trusted; 100 = most trusted). We then specify the speed for each interface, carefully leaving off the default shutdown keyword at the end to activate (enable) the interface. We do this for each interface we're going to use. We have one extra unused interface which we shutdown.

We also need to assign IP addresses to the interfaces that will be carrying IP traffic. One trick you can use on a shutdown interface is to assign it the loopback address, 127.0.0.1. This prevents accidental forwarding of traffic through that interface.

Command
Command Explanation

nameif ethernet0 outside security0

Define the name of ethernet 0 and security level. 

nameif ethernet1 inside security100
 
nameif ethernet2 management security90
 
nameif ethernet3 dmz security30
 
nameif ethernet4 pix_failover security40
We've connected ethernet4 to another failover-capable PIX. The name reflects this.
nameif ethernet5 not_in_use security20
Not currently in use.
interface ethernet0 100full
Identify network interface speed and duplex. Activate the interface. 
interface ethernet1 100full
 
interface ethernet2 100full
 
interface ethernet3 100full
 
interface ethernet4 100full
Identify network interface speed and duplex. Note that this interface must be set to 100 and full duplex for proper operation of failover, which may be explained in another article.
interface ethernet5 100full shutdown
Note that this interface is shutdown.
ip address outside 1.1.1.1 255.255.255.0
Assign IP address and subnet mask for the interface
ip address inside 10.1.1.1 255.255.255.0
 
ip address management 10.2.2.1 255.255.255.0
 
ip address dmz 10.3.3.1 255.255.255.0
 
ip address pix_failover 10.4.4.1 255.255.255.0
 

After the PIX has been addressed, we need to think about what it is to do with the addresses of other devices. Do we wish to use Network Address Translation (NAT)? Network Address Translation (NAT) lets your network have any IP addressing scheme and the firewall protects these addresses from visibility on the external network. If we have global Internet addressing and do not wish to re-address our computers, we can assign NAT ID 0 within the PIX to disable NAT. Let's assume for our sample configuration that we do wish to perform NAT. (Looking at the above diagram, we have to do NAT, network 10.0.0.0  /8 is a private address range.

We generally put a global command on each lower security interface we want our internal users to have access to, although statics can be preferable for internal-internal access (see below). The main decision (other than addressing design) is whether to use one or multiple NAT ID's. Using unique NAT ID's limits access to specific interfaces. Using one NAT ID is simpler and assumes the PIX will sort out which nat command (below) pairs up with which global command on which interface.

We put nat commands on the higher security interfaces, allowing users to start connections to lower security level interfaces with global commands on them. The NAT ID ties the inside addresses in the nat command to the pool of addresses in one or more global commands with the same NAT ID.

Port Address Translation is where all inside addresses appear as one outside address, with shifted ports. PAT has some restrictions, for example it cannot support H.323 or caching nameserver use, so you may want to use it to augment a range of global addresses rather than using it as your sole global address.

Let's see what that looks like:

global (outside) 1 1.1.1.51-1.1.1.100 netmask 255.255.255.0
Defines the routable addresses to be used for outbound connections. This pool defines 1.1.1.51 through .100 as being available on a first come first served basis. As connections are torn down the addresses become available again for use. These addresses are used before the PAT address specified below is used. The number "1" is the NAT ID for this pool.
global (outside) 1 1.1.1.50 netmask 255.255.255.0
Defines the port address translation (PAT) address to be used by outbound connections after all one-to-one translation address (defined above) are exhausted. This continues NAT ID (pool) 1. 
nat (inside) 0 access-list 101
A "NAT 0" means no NAT-ing is happening. This entry is used for the IPsec connection defined in the configuration. The nat command with access list lets you exempt traffic that is matched by the access-list command statements from the NAT services. Access list 101 (not shown) specifies IPsec traffic. This row may confuse users and if we are not going to touch IPsec now, I would leave it out. We'll cover IPsec on the PIX in a future article.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
This command connects the global pool 1 to the networks allowed to tap into that pool. Subnet 10.1.1.0 on the inside interface will be allowed to use global pool 1 for its outbound connections.The nat command lets you enable or disable address translation for one or more internal addresses. The nat command will disable nat for an inside network if that net is not explicitly defined to use the pool. Address translation means that when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses.
nat (management) 1 10.2.2.0 255.255.255.0 0 0
Subnet 10.2.2.0 on the management interface will be allowed to use global pool 1 for its outbound connections.

Note that if acl 101 is undefined, no IPsec traffic will match and no traffic will go through the IPsec tunnel. All traffic would then be subjected to NAT.

If you've used NAT before, you'll recognize that servers on the inside that need to be connected to from the outside will need static mappings. The static command creates a permanent mapping (called a static translation slot or "xlate") between a local IP address and a global IP address. Use the static and access-list commands when you are accessing an interface of a higher security level from an interface of a lower security level. When NAT exists between two interfaces the command takes the form of "static (high,low) low high" . Without address translation, the format of the static command becomes different: "static (high,low) high high".

static (dmz,outside) 1.1.1.22 10.3.3.22 netmask 255.255.255.255 0 0
You need to specify the IP address users on the lower security interface's network will use to access the server on the higher security level interface's network. In this case, we make a DMZ web server at 10.3.3.22 accessible as outside address 1.1.1.22. 
static (inside,management) 10.1.1.13 10.1.1.13 netmask 255.255.255.255 0 0
This static command allows traffic from inside interface (address 10.1.1.13) to management subnet, or vice versa if an appropriate ACL exists for traffic coming from the lower security interface. There is no NAT change to the address. 

We also need some static routing, so the PIX knows which subnets are out which interface. Like Cisco routers, the PIX does know how to route to connected subnets, so you only have to specify subnets or address ranges behind other routers. You can only have one default route for the PIX Firewall.

route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
Specifies a default route out the outside interface to a router at 1.1.1.254 which is 1 hop away.
route management 10.117.220.0 255.255.255.0 10.2.2.254
Specifies a route to the 10.117.220.0 network via the management interface with the next hop address set to 10.2.2.254 (assuming 10.117.220.0 is behind a router on the management subnet). 


TIP: If you use statics you will also be able to go from higher to lower without having to use nat and global.  Example: suppose management station 10.2.2.2 (NMS) needs to talk to serv1 at 10.1.1.15 on the inside. Configure:
static (inside,management) 10.1.1.15 10.1.1.15 netmask 255.255.255.255
access-list from-management-coming-in permit tcp host 10.2.2.2 host 10.1.1.15 eq 8888
access-group from-management-coming-in in interface management
Because the static exists, 10.1.1.15 can also inititate connections to 10.2.2.2 but cannot talk to 10.2.2.50 (NMS2) because no method of translation exists.

Another example:

static (inside,management) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
This allows each network to address the other. The inside can then talk to everything on the management net and reply packets are let back through by virtue of stateful inspection but an ACL must exist for the management net to initiate anything to the inside.

There are some other variations one can do, but statics are more clear and you can predict behaviour because no timeouts for the connections exist and you still retain ultimate control via the ACL.


Conclusion

Books on the PIX seem to be a bit scarce right now. There is however:

Cisco(R) Secure PIX(R) Firewalls, by David W. Chapman Jr., Andy Fox, Cisco Press. See also http://www.amazon.com/exec/obidos/ASIN/1587050358/ .

For information about creating a security policy see http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/intro.htm#xtocid9 .

Books on security and firewalling in general:

Internet Security for Business, by Bernstein, T., Bhimani, A.B., Schultz, E. and Siegel, C. A. Published by Wiley Press. See
http://www.amazon.com/exec/obidos/ASIN/0471137529/ .

Building Internet Firewalls, Chapman, D. B. & Zwicky, E. D. Published by O'Reilly Press. See
http://www.amazon.com/exec/obidos/ASIN/1565928717/ .

Firewalls & Internet Security, Cheswick, W. and Bellovin, S. Published by Addison-Wesley. See http://www.amazon.com/exec/obidos/ASIN/0201633574/ .

Practical UNIX Security, Garfinkel, S. and Spafford, G. Published by O'Reilly Press. See http://www.amazon.com/exec/obidos/ASIN/1565921488/ .

TCP/IP Illustrated, Volume 1 The Protocols, Stevens, W. R. Published by Addison-Wesley. See http://www.amazon.com/exec/obidos/ASIN/0201633469/ .

Questions, suggestions for articles, etc. can be sent to This email address is being protected from spambots. You need JavaScript enabled to view it. .


Dr. Peter J. Welcher (CCIE #1773, CCSI #94014) is a Senior Consultant with Chesapeake NetCraftsmen. NetCraftsmen is a high-end consulting firm and Cisco Premier Partner dedicated to quality consulting and knowledge transfer. NetCraftsmen has eleven CCIE's (4 of whom are double-CCIE's, R&S and Security). NetCraftsmen has expertise including large network high-availability routing/switching and design, VoIP, QoS, MPLS, network management, security, IP multicast, and other areas. See http://www.netcraftsmen.net for more information about NetCraftsmen. . New articles will be posted under the Articles link. Questions, suggestions for articles, etc. can be sent to This email address is being protected from spambots. You need JavaScript enabled to view it. .

Grant P. Moerschel (CCNP #CSCO10108676) works for NovatoSystems.com LLC, an Internet security and network architecture consultancy and developers of FlackJacket security.  NovatoSystems specializes in creating multi-layered secure networks based on the Cisco SAFE blueprint.  FlackJacket, the premiere product offering of NovatoSystems, uses best-of-breed security components and advanced reporting systems to provide your organization with greater peace of mind regarding data protection.  Questions, suggestions for articles, etc. can be sent to This email address is being protected from spambots. You need JavaScript enabled to view it. .


3/4/2002
Copyright (C)  2002,  Peter J. Welcher