Cisco PIX Firewall Basics

Published on January 2017 | Categories: Documents | Downloads: 51 | Comments: 0 | Views: 330

http://pixfirewallmanagement.blogspot.com/

Cisco PIX Firewall Basics

For More Step-by-Step PIX Firewall Articles
http://pixfirewallmanagement.blogspot.com


Introduction

What is a PIX firewall? The PIX is a firewall appliance based on a hardened, specially built operating system called PIX OS, minimizing possible OS-specific security holes.

PIX Firewall Features

PIX firewalls provide a wide range of security and networking services including:

• Network Address Translation (NAT) or Port Address Translation (PAT)
• content filtering (Java/ActiveX)
• URL filtering
• IPsec VPN
• support for leading X.509 PKI solutions
• DHCP client/server
• PPPoE support
• advanced security services for multimedia applications and protocols including Voice over IP (VoIP), H.323, SIP, Skinny and Microsoft NetMeeting
• AAA (RADIUS/TACACS+) integration


PIX Firewall management

PIX can be graphically managed using the integrated Web-based management interface known as the PIX Device Manager (PDM). The PDM is a PIX-specific device configuration and management tool. Management interfaces include:

• command-line interface (CLI)
• telnet
• Secure Shell (SSH 1.5)
• console port
• SNMP
• syslog


Cisco PIX Models

| Cisco PIX Model | Rated Throughput | Concurrent Connections | Description |
|---|---|---|---|
| PIX 535 | 1 Gbps +, up to 95 Mbps 3DES VPN, 2000 IPsec tunnels | 500,000 | Some models include stateful high-availability capabilities, as well as integrated hardware acceleration for VPN. Modular chassis, up to 10 10/100 Fast Ethernet interfaces or 9 Gigabit Ethernet interfaces. |
| PIX 525 | 360 Mbps +, up to 70 Mbps 3DES VPN, 2000 IPsec tunnels | 280,000 | Some models include stateful high-availability capabilities, as well as integrated hardware acceleration for VPN. Modular chassis, up to 8 10/100 Fast Ethernet interfaces or 3 Gigabit Ethernet interfaces. |
| PIX 515E | 188 Mbps + | 125,000 | Some models include stateful high-availability capabilities and integrate support for 2,000 IPsec tunnels. Modular chassis, up to six 10/100 Fast Ethernet interfaces. |
| PIX 506E | 20 Mbps +, 16 Mbps 3DES VPN | | Compact desktop chassis, two autosensing 10Base-T interfaces. |
| PIX 501 | 10 Mbps +, 3 Mbps 3DES VPN | | Compact plug-n-play security appliance, integrated 4-port Fast Ethernet (10/100) switch and one 10Base-T interface. |


PIX Terminology and Background Information

The following diagram shows a multi-port PIX connected to various networks. We will use this diagram as we build up a PIX configuration in this and any subsequent PIX articles.


PIX terminology:

We generally refer to the user segment as the Inside subnet. The interface connected to the Internet router is the outside subnet. As shown, we probably have a DMZ (De-Militarized Zone) subnet, the subnet where we quarantine all servers that are accessible from the outside. We might also have a separate management subnet and a subnet tying to a redundant PIX for failover (if supported/licensed).

The PIX Command-Line Interface (CLI) is somewhat like the Cisco IOS interface, but different. Use a colon (":") for comments (which, as usual, are not retained). Newer PIX OS uses ACLs, replacing the former conduits (which were arguably more confusing to experienced Cisco router administrators).

PIX interfaces are normally shut down until the administrator activates them. PIX interfaces have an associated security level. Two interfaces at the same level can't send packets to each other. Connections and traffic are normally permitted from higher to lower security level interfaces, although you do have to put in some basic configuration to allow traffic to flow. Connections the other way (from low to high security) are disallowed unless the configuration explicitly permits them.


You actually do not have to put any ACL in place if going from a higher security level to a lower one; everything will be allowed. Best practice is to put an ACL on all interfaces even if the ACL permits everything to flow, using a rule such as "permit ip any any". An ACL applied inbound (the PIX only does inbound ACLs) to the inside interface can control traffic destined outbound. If an admin wants to have only www and dns traffic outbound, he would allow only tcp on 80 and udp on 53; everything else, like RealAudio, would then be denied as it goes out.

To let traffic flow from a high security level to a lower level, use the nat and global commands. For the opposite direction, from lower to higher, use the static and access-list commands. We suggest using nat and global when going from any non-outside interface to the outside interface (Internet usually, unless the PIX is used as a border between business units), which is a little different from the first sentence above. We also suggest using statics from any non-outside interface to any other non-outside interface (like inside to management or ethernet3 to ethernet4, below).

The PIX normally uses stateful NAT connections and stateful security, referred to as the Adaptive Security Algorithm (ASA).
