
PIX firewall configuration from scratch

In this tip, network engineers can learn how to configure a new PIX firewall out of the box. You will configure passwords, IP addresses, network address translation (NAT) and basic firewall rules.
The following article was originally posted at SearchNetworking.com and it is reproduced with
their permission.

Let's say that your boss hands you a new PIX firewall. It has never been configured. He says that it needs to be configured with some basic IP addresses, security and a couple of basic firewall rules. You have never used a PIX firewall before. How will you be able to perform this configuration? After reading this article, it should be easy. Let's find out how.
The basics of a Cisco PIX firewall
A Cisco PIX firewall is meant to protect one network from another. There are PIX firewalls for small home networks and PIX firewalls for huge campus or corporate networks. In this example, we will be configuring a PIX 501 firewall. The 501 model is meant for a small home network or a small business.
PIX firewalls have the concept of inside and outside interfaces. The inside interface is the internal, usually private, network. The outside interface is the external, usually public, network. You are trying to protect the inside network from the outside network.
PIX firewalls also use the adaptive security algorithm (ASA). This algorithm assigns a security level to each interface and says that no traffic can flow from a lower-level interface (like the outside interface) to a higher-level interface (like the inside interface) without a rule allowing it. Traffic in the other direction, from a higher-level interface to a lower-level one, is allowed by default once a translation exists for it. The outside interface has a security level of zero and the inside interface has a security level of 100.
Here is what the output of the show nameif command looks like:
pixfirewall# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
pixfirewall#
Notice that the ethernet0 interface is the outside interface (its default name) and its security level is 0. On the other hand, the ethernet1 interface is named inside (the default) and has a security level of 100.
Guidelines for Configuring a PIX Firewall
Before beginning the configuration, your boss has given you some guidelines that you need to follow. Here they are:
All passwords should be set to 'cisco' (in reality, you make these whatever you want, but not 'cisco').
The inside network is 10.0.0.0 with a 255.0.0.0 subnet mask. The inside IP address for this PIX should be 10.1.1.1.
The outside network is 1.1.1.0 with a 255.255.255.0 subnet mask. The outside IP address for this PIX should be 1.1.1.1.
You want to create a rule to allow all inside clients on the 10.0.0.0 network to do port address translation and connect to the outside network. They will all share the global IP address 1.1.1.2.
However, clients should only have access to port 80 (Web browsing).
The default route for the outside (Internet) network will be 1.1.1.254.
Initial PIX Firewall Configuration
When you boot up your PIX firewall for the first time, you should see a screen like this:
You will be prompted to answer YES or NO as to whether or not you want to configure the PIX through interactive prompts. Answer NO to this question because you want to learn how to really configure the PIX firewall, not just answer a series of questions.
After that, you will be sent to a prompt that looks like this:
pixfirewall>
With the 'greater than' symbol at the end of the prompt, you are in the PIX user mode. Change to privileged mode with the en or enable command. Press 'enter' at the Password prompt, since a new PIX has no enable password set yet. Here is an example:
pixfirewall> en
Password:
pixfirewall#
You now have administrative (privileged) mode, which lets you show things, but you would have to go into global configuration mode to configure the PIX.
Now, let's move on to basic configuration of the PIX:
Basic PIX configuration
What I am calling basic configuration is made up of five things:
Set the hostname
Set passwords (login and enable)
Configure IP addresses on interfaces
Enable interfaces
Configure a default route
Before you can do any of these things, you need to go into global configuration mode. To do this, type:
pixfirewall# config t
pixfirewall(config)#
To set the hostname, use the hostname command, like this:
pixfirewall(config)# hostname PIX1
PIX1(config)#
Notice that the prompt changed to the name that you set.
Next, set the login password to cisco, like this:
PIX1(config)# password cisco
PIX1(config)#
This is the login password required for remote (Telnet or SSH) access to the PIX; it only gets you into user mode, not administrative access.
Now, configure the enable mode password, used to gain administrative mode access:
PIX1(config)# enable password cisco
PIX1(config)#
Now we need to configure IP addresses on interfaces and enable those interfaces. The PIX, unlike a router, has no concept of interface configuration mode. To configure the IP address on the inside interface, use this command:
PIX1(config)# ip address inside 10.1.1.1 255.0.0.0
PIX1(config)#
Now, configure the outside interface IP address:
PIX1(config)# ip address outside 1.1.1.1 255.255.255.0
PIX1(config)#
Next, enable both the inside and outside interfaces. Make sure that the Ethernet cable on each interface is connected to a switch. Note that the ethernet0 interface is the outside interface, and it is only a 10base-T interface on a PIX 501. The ethernet1 interface is the inside interface, and it is a 100Base-T interface. Here is how you enable these interfaces:
PIX1(config)# interface ethernet0 10baset
PIX1(config)# interface ethernet1 100full
PIX1(config)#
Note that you can run the show interfaces command right from the global configuration prompt.
Finally, let's configure a default route so that all traffic sent to the PIX for unknown destinations will flow to the next upstream router (the 1.1.1.254 IP address that we were given). Here is how you do this:
PIX1(config)# route outside 0 0 1.1.1.254
PIX1(config)#
The PIX firewall can, of course, support dynamic routing protocols as well (such as RIP and OSPF).
Now, let's move on to some more advanced configuration.
Network Address Translation
Now that we have IP address connectivity, we need to use Network Address Translation (NAT) to allow inside users to connect to the outside. We will use a type of NAT called PAT, or NAT overload, so that all inside devices can share one public IP address. In this example that address is 1.1.1.2, a global address on the outside network (not the PIX's own outside interface address, 1.1.1.1). To do this, enter these commands:
PIX1(config)# nat (inside) 1 10.0.0.0 255.0.0.0
PIX1(config)# global (outside) 1 1.1.1.2
Global 1.1.1.2 will be Port Address Translated
PIX1(config)#
The nat and global commands are tied together by the NAT ID, 1 in this case. With this, all inside clients are able to connect to devices on the public network and share IP address 1.1.1.2. Because inside (security level 100) is higher than outside (security level 0), the PIX would let all of that outbound traffic through by default; the guidelines, however, say the clients should only have port 80, and that restriction needs a rule.
Firewall rules
These clients on the inside network have a NAT translation, and because they sit behind the higher-security interface the PIX would let them reach the outside network (the Internet) unrestricted. They now need a rule that limits them to the access they are allowed. Once a connection is permitted, the PIX's stateful inspection also allows the return traffic to come back in; you do not write a separate inbound rule for it.
To make a rule to allow these clients port 80 (Web browsing) only, you would type this:
PIX1(config)# access-list outbound permit tcp 10.0.0.0 255.0.0.0 any eq 80
PIX1(config)# access-group outbound in interface inside
PIX1(config)#
Note that PIX access lists, unlike router access lists, use a normal subnet mask, not a wildcard mask.
With this access list, you have restricted the inside hosts to accessing Web servers only on the outside network. Remember that every access list ends with an implicit deny, so anything the list does not permit, including DNS (UDP port 53) and ICMP, is now dropped at the inside interface; if the clients resolve names through a DNS server on the outside, add a second permit line for UDP port 53 before Web browsing by name will work.
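To tie together the three ideas above (security levels, the nat/global pair, and an access list bound with access-group), here is an added example that models how a PIX 6.x decides whether to build a new connection. It is not Cisco code and is not from the original article; it parses only the commands used in this tip out of a constructed running-config and applies the rules the text describes. Stateful return traffic, same-level interfaces and static translations are deliberately left out of the model.

```python
"""Toy model of how a PIX 6.x admits a new flow (added example, not Cisco code).

Rules modelled, as described in the article:
 - an access-list bound to the ingress interface filters everything entering it;
 - without one, traffic may only go from a higher security level to a lower one;
 - every new connection needs a matching nat (in) / global (out) pair.
PIX access-list masks are normal subnet masks, not router wildcard masks.
"""
import ipaddress

# Constructed running-config following the article's guidelines; written for
# this example, not captured from a device.
RUNNING_CONFIG = """
hostname PIX1
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 10.1.1.1 255.0.0.0
ip address outside 1.1.1.1 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 1.1.1.2
access-list outbound permit tcp 10.0.0.0 255.0.0.0 any eq 80
access-group outbound in interface inside
route outside 0 0 1.1.1.254
"""

_SERVICES = {"www": 80, "domain": 53, "https": 443}  # names accepted after "eq"


def _addr(tokens, i):
    """Parse one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # address followed by a normal subnet mask (ip_network accepts "a.b.c.d/mask")
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_ace(tokens):
    """tokens: permit|deny PROTO SRC... DST... [eq PORT]"""
    action, proto = tokens[0], tokens[1]
    src, i = _addr(tokens, 2)
    dst, i = _addr(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = int(_SERVICES.get(tokens[i + 1], tokens[i + 1]))
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def parse_config(text):
    """Extract security levels, nat/global pairs, access-lists and bindings."""
    cfg = {"security": {}, "nat": [], "global": {}, "acl": {}, "bound": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":            # nameif ethernet0 outside security0
            cfg["security"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "nat":             # nat (inside) 1 10.0.0.0 255.0.0.0
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            cfg["nat"].append((t[1].strip("()"), int(t[2]), net))
        elif t[0] == "global":          # global (outside) 1 1.1.1.2
            cfg["global"][(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[0] == "access-list":     # access-list NAME permit|deny ...
            cfg["acl"].setdefault(t[1], []).append(_parse_ace(t[2:]))
        elif t[0] == "access-group":    # access-group NAME in interface IFACE
            cfg["bound"][t[4]] = t[1]
    return cfg


def acl_permits(entries, proto, src, dst, dport):
    """First matching entry wins; no match hits the implicit deny at the end."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if src not in e["src"] or dst not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"] == "permit"
    return False


def evaluate(cfg, in_if, out_if, proto, src, dst, dport):
    """Return (verdict, translated source address) for a new flow entering in_if."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = cfg["bound"].get(in_if)
    if acl is not None:
        if not acl_permits(cfg["acl"][acl], proto, src, dst, dport):
            return f"deny: access-list {acl}", None
    elif cfg["security"][in_if] <= cfg["security"][out_if]:
        return "deny: lower to higher security level without a rule", None
    for iface, nat_id, net in cfg["nat"]:
        if iface == in_if and src in net:
            pool = cfg["global"].get((out_if, nat_id))
            if pool is None:
                return f"deny: no global ({out_if}) for nat id {nat_id}", None
            return "permit", pool       # all inside hosts are PATed behind it
    return "deny: no translation group found", None


CFG = parse_config(RUNNING_CONFIG)

if __name__ == "__main__":
    for flow in [("inside", "outside", "tcp", "10.0.0.5", "198.51.100.10", 80),
                 ("inside", "outside", "udp", "10.0.0.5", "198.51.100.53", 53),
                 ("outside", "inside", "tcp", "1.1.1.50", "10.1.1.1", 80)]:
        print(flow, "->", evaluate(CFG, *flow))
```

Running it shows the three cases a practitioner checks after applying the configuration: an inside client reaching a Web server is permitted and leaves as 1.1.1.2; the same client's DNS query is dropped by the outbound access list (the implicit deny); and an outside host trying to reach the inside interface is dropped because no rule allows lower-to-higher traffic.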
Showing and saving the configuration
Now that you have configured the PIX firewall, you can show your configuration with the show run command.
Make sure that you save your configuration with the write memory or wr m command. If you don't, your configuration will be lost when the PIX is powered off.
