Only Two Ways through the PIX Firewall

© 2002, Cisco Systems, Inc. All rights reserved.
Presentation transcript:

Only Two Ways through the PIX Firewall

For a packet to traverse the PIX Firewall, it must pass two policies: NAT and access control. The following are the only two ways to pass these policies and gain access through the PIX Firewall:

Valid user request: outbound communications.
Pre-defined static and conduit: inbound communications. ACLs are preferred over conduits; the conduit command is deprecated and was removed in PIX Firewall software 7.0.

Valid user request (inside to outside): all sessions originated from inside to outside first dynamically populate the adaptive state table. When an outside server responds to the request, the PIX checks the state table to see whether a translation slot (xlate) and a connection slot exist for that particular request. If present, the PIX allows the session to flow. Once the session is terminated (FIN or RST for TCP), its connection slot is removed; the translation slot is reused by further connections from the same host and ages out on the xlate timeout. For UDP requests, a configurable timer starts once the session is established and fires after the time allowed for the UDP session, closing the connection slot.

Pre-defined static and conduit (outside to inside): a pre-defined static translation is entered for an address or a range of addresses (a net static) from the global pool. In addition, a conduit is entered that defines, by address or group of addresses and TCP/UDP port or range of ports, who and what application is allowed to flow through the PIX. With the ACL approach used in the rest of this lesson, the static stays the same and an access-list bound to the lower-security interface takes the place of the conduit.

A TACACS+ or RADIUS server may be used for authentication and authorization for both inside-to-outside and outside-to-inside communication.

ACL Usage Guidelines

Higher to lower security level: use an ACL to restrict outbound traffic. The ACL source address is the actual (un-translated) address of the host or network. Applied inbound at the higher-security interface, i.e. the interface the traffic enters.

Lower to higher security level: use an ACL to restrict inbound traffic. The ACL destination address is the translated global IP address. Requires a statically mapped address (static command) for the internal destination address. Applied inbound at the lower-security interface.

access-list Command

pixfirewall(config)# access-list acl_ID deny | permit protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]

Enables you to create an ACL. Entries are evaluated in the order they were entered and the first match wins; every ACL ends with an implicit deny of all traffic, so an ACL that contains only deny statements blocks everything entering the interface it is bound to. Note that source_mask and destination_mask are ordinary subnet masks (for example 255.255.255.0), not IOS-style wildcard masks.

Note on interface PAT: the outside interface's IP address can now be used as the PAT address. The interface IP address used for PAT is the address associated with the interface when the xlate (translation slot) is created. This is important for configuring DHCP, allowing the DHCP-retrieved address to be used for PAT. When PAT is enabled on the interface address, there is no loss of the TCP, UDP, and ICMP services that terminate at the PIX Firewall unit's outside interface.

pixfirewall(config)# access-list DMZ1 deny tcp 192.168.1.0 255.255.255.0 host 192.168.0.1 lt 1024

Denies access from the 192.168.1.0 network to TCP ports less than 1024 on host 192.168.0.1.

access-group Command

pixfirewall(config)# access-group acl_ID in interface interface_name

Binds an ACL to an interface. Only one ACL can be bound to an interface, and it is evaluated on traffic entering that interface.

pixfirewall(config)# access-group DMZ1 in interface dmz

Binds ACL DMZ1 to interface dmz.
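The access-list and access-group behaviour described on the two slides above, as an added example that is not part of the original course material: a small Python evaluator for PIX-style ACL lines. It parses the DMZ1 and acl_in_dmz entries from the slides plus a constructed LAB entry, binds them with access-group, and answers permit or deny for a packet entering an interface. It makes the points a practitioner checks by hand: masks are subnet masks rather than wildcard masks, entries are matched in order with first match winning, and the implicit deny at the end means the DMZ1 line from the slide on its own would block every packet on the dmz interface, so the sample adds a permit ip any any after it. The port-name table, the lab interface and the sample packets are assumptions made for this example.

```python
"""Added example (not Cisco code): evaluate PIX-style access-list / access-group lines."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of the port names the PIX accepts instead of numbers (assumed sufficient for the sample).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22,
              "telnet": 23, "smtp": 25, "domain": 53}
OPERATORS = ("eq", "neq", "lt", "gt", "range")

@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sop: Optional[str] = None      # source-port operator (rarely used)
    sports: Tuple[int, ...] = ()
    dop: Optional[str] = None      # destination-port operator
    dports: Tuple[int, ...] = ()

def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any' | 'host A' | 'A MASK'.  MASK is a subnet mask, not an IOS wildcard mask."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def _ports(tokens: List[str]) -> Tuple[Optional[str], Tuple[int, ...]]:
    """Consume an optional 'eq|neq|lt|gt PORT' or 'range LOW HIGH'."""
    if not tokens or tokens[0] not in OPERATORS:
        return None, ()
    op = tokens.pop(0)
    ports = []
    for _ in range(2 if op == "range" else 1):
        tok = tokens.pop(0)
        ports.append(PORT_NAMES[tok] if tok in PORT_NAMES else int(tok))
    return op, tuple(ports)

def parse(config: str) -> Tuple[Dict[str, List[AclEntry]], Dict[str, str]]:
    """Return ({acl_name: entries in configured order}, {interface: bound acl_name})."""
    acls: Dict[str, List[AclEntry]] = {}
    bindings: Dict[str, str] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            name, action, proto, rest = t[1], t[2], t[3], t[4:]
            src = _addr(rest)
            sop, sports = _ports(rest)
            dst = _addr(rest)
            dop, dports = _ports(rest)
            acls.setdefault(name, []).append(AclEntry(action, proto, src, dst, sop, sports, dop, dports))
        elif len(t) == 5 and t[0] == "access-group":       # access-group NAME in interface IFACE
            bindings[t[4]] = t[1]
    return acls, bindings

def _port_ok(op: Optional[str], ports: Tuple[int, ...], port: int) -> bool:
    if op is None:
        return True
    if op == "range":
        return ports[0] <= port <= ports[1]
    return {"eq": port == ports[0], "neq": port != ports[0],
            "lt": port < ports[0], "gt": port > ports[0]}[op]

def evaluate(acls, bindings, iface: str, proto: str, src: str, dst: str,
             sport: int = 0, dport: int = 0) -> Optional[str]:
    """Verdict for a packet ENTERING iface: 'permit', 'deny', or None when no ACL is bound
    there (then only the security-level defaults decide).  Entries are tried in order and
    the first match wins; the final 'deny' is the implicit deny at the end of every ACL."""
    name = bindings.get(iface)
    if name is None:
        return None
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acls.get(name, []):
        if e.proto not in ("ip", proto):
            continue
        if s in e.src and d in e.dst and _port_ok(e.sop, e.sports, sport) and _port_ok(e.dop, e.dports, dport):
            return e.action
    return "deny"

# Constructed sample: the two ACLs from the slides (DMZ1 given a trailing permit, since the single
# deny line on its own would block every packet entering dmz) plus a LAB ACL holding only a deny.
SAMPLE_CONFIG = """\
access-list DMZ1 deny tcp 192.168.1.0 255.255.255.0 host 192.168.0.1 lt 1024
access-list DMZ1 permit ip any any
access-group DMZ1 in interface dmz
access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside
access-list LAB deny tcp any any eq telnet
access-group LAB in interface lab
"""
ACLS, BINDINGS = parse(SAMPLE_CONFIG)

def check(iface: str, proto: str, src: str, dst: str, sport: int = 0, dport: int = 0) -> Optional[str]:
    return evaluate(ACLS, BINDINGS, iface, proto, src, dst, sport, dport)

if __name__ == "__main__":
    print(check("dmz", "tcp", "192.168.1.5", "192.168.0.1", 40000, 22))       # deny (lt 1024)
    print(check("outside", "tcp", "203.0.113.9", "192.168.0.11", 40000, 80))  # permit
    print(check("lab", "udp", "10.1.1.1", "10.2.2.2", 5000, 53))              # deny (implicit)
```

The LAB case is the one that bites in practice: a UDP packet matches none of the (TCP-only) entries, so it falls through to the implicit deny even though nothing in the ACL mentions UDP. Whenever an ACL is meant to restrict only some traffic, it needs an explicit permit for everything else.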

Static Inside Translations

For this and each subsequent feature: mention the feature name; outline the feature's qualities and capabilities; show where the feature is used by highlighting the example network diagram to show the extent of the feature's influence; discuss the example configuration. Mention to students that the 192.168.0.0 addresses on the outside interface simulate public addresses. Note that the global IP address specified in the static command (192.168.0.18) is answered by the PIX on the outside interface (proxy ARP), so it maps to the MAC address of the PIX outside interface.

pixfirewall(config)# static (inside,outside) 192.168.0.18 10.0.0.10

A packet from 10.0.0.10 leaves the outside interface with a source address of 192.168.0.18, and a packet arriving on the outside interface for 192.168.0.18 is delivered to 10.0.0.10 (subject to the ACL bound to the outside interface). Permanently maps a single IP address. Remember the argument order, "inside outside outside inside": the interface pair (inside,outside) comes first, then the outside (global) address, then the inside (local) address.

static Command

pixfirewall(config)# static [(prenat_interface, postnat_interface)] mapped_address | interface real_address [netmask mask]

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255

Port static (port redirection):

static [(internal_if_name, external_if_name)] {tcp | udp} {global_ip | interface} global_port local_ip local_port [netmask mask] [max_conns [emb_limit [norandomseq, nailed]]]

A packet sent from 10.0.0.11 has a source address of 192.168.0.10. Permanently maps a single IP address. Recommended for internal service hosts, because only a static (never a dynamic nat/global translation) can be the target of an inbound connection.

Three Interfaces with NAT

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0

Inside users can start outbound connections to both the DMZ and the Internet: nat ID 1 on the inside interface matches the global pool with the same ID on whichever lower-security interface the connection exits, so a connection to the Internet is translated to a 192.168.0.20-254 address and a connection to the DMZ to a 172.16.0.20-254 address. The nat (dmz) command gives DMZ services access to the Internet through the global (outside) pool. The global (dmz) command gives inside users access to the web server on the DMZ. A host covered by a static is translated by the static, not by the pool.

Permit Web Access to the DMZ

pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside

The ACL acl_in_dmz permits web traffic on port 80 from the Internet to the DMZ web server: the static maps global address 192.168.0.11 to the server's real address 172.16.0.2, the ACL is written against the global address, and it is bound inbound on the outside (lower-security) interface. The ACL acl_in_dmz denies all other IP traffic from the Internet; the explicit deny duplicates the implicit deny at the end of every ACL, but it makes the policy visible and gives it a hit count in show access-list.

Purpose: describe the PIX and its e2 interface to a protected DMZ and its servers. Emphasize: the PIX supports multiple interfaces, with the third and any additional interfaces available to create one or more secured DMZ areas. The two major advantages of using multiple perimeter interfaces are that the PIX makes it straightforward to extend protection to servers on other platforms and that the PIX is a major element for enforcing the network security policy. Configure the interfaces with the following commands: nameif, interface, ip address. Refer to the SG text for guidelines to present with this figure. Transition: the next section covers the integration of AAA services with the PIX.

Configuring Three Interfaces

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
pixfirewall(config)# access-list acl_in_dmz deny ip any any
pixfirewall(config)# access-group acl_in_dmz in interface outside
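The translation half of the "only two ways" policy, covering the static, nat/global and three-interface slides above, as an added example that is not Cisco's code: a Python model that parses the nameif, nat, global and static lines of the Configuring Three Interfaces slide and decides, for a packet that opens a new connection, which of the two ways applies. It shows the interactions a practitioner should check: a host with a static is always translated by the static; hosts covered by nat are translated through the global pool with the same nat ID on whichever lower-security interface they exit; a dynamic xlate never admits an unsolicited inbound connection; and because this slide's configuration has nat (inside) 1 but no nat (dmz) 1, a DMZ host without a static cannot reach the Internet at all, which is what the nat (dmz) command on the earlier slide adds. The ACL check on the ingress interface is not modelled here; nat 0, PAT and same-security traffic are left out. The packet addresses and the decide helper are assumptions made for this example.

```python
"""Added example (not Cisco code): model of the PIX NAT policy for a connection-opening packet."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address

@dataclass
class PixNat:
    levels: Dict[str, int] = field(default_factory=dict)                        # interface -> security level
    nats: List[Tuple[str, int, ipaddress.IPv4Network]] = field(default_factory=list)  # (iface, id, network)
    pools: List[Tuple[str, int, IPv4, IPv4]] = field(default_factory=list)      # (iface, id, first, last)
    statics: List[Tuple[str, str, IPv4, IPv4]] = field(default_factory=list)    # (real_if, mapped_if, mapped, real)

def parse(config: str) -> PixNat:
    """Read nameif / nat / global / static lines (canonical spacing, as on the slide); ignore the rest."""
    p = PixNat()
    for line in config.splitlines():
        t = line.replace("pixfirewall(config)#", "").split()
        if not t:
            continue
        if t[0] == "nameif":                          # nameif ethernet0 outside sec0
            p.levels[t[2]] = int(t[3][3:])
        elif t[0] == "nat":                           # nat (inside) 1 10.0.0.0 255.255.255.0
            p.nats.append((t[1].strip("()"), int(t[2]),
                           ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":                        # global (outside) 1 FIRST-LAST netmask MASK
            first, _, last = t[3].partition("-")
            p.pools.append((t[1].strip("()"), int(t[2]),
                            ipaddress.ip_address(first), ipaddress.ip_address(last or first)))
        elif t[0] == "static":                        # static (real_if,mapped_if) MAPPED REAL
            real_if, mapped_if = t[1].strip("()").split(",")
            p.statics.append((real_if, mapped_if,
                              ipaddress.ip_address(t[2]), ipaddress.ip_address(t[3])))
    return p

def new_connection(p: PixNat, ingress: str, egress: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Apply the NAT policy to a packet that opens a connection from ingress to egress.

    Higher -> lower security (valid user request): the source must be translated, by a
    static if one covers it, otherwise through the global pool on the egress interface
    that carries the same nat ID.  No translation means the packet is dropped.
    Lower -> higher security (pre-defined static): the destination must be a static's
    mapped address; a dynamic xlate never admits unsolicited inbound traffic.  Equal
    security levels fall into this branch too, as PIX 6.x passes no such traffic.
    The inbound case still needs an ACL permit on the ingress interface (not modelled).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if p.levels[ingress] > p.levels[egress]:
        for real_if, mapped_if, mapped, real in p.statics:
            if (real_if, mapped_if, real) == (ingress, egress, s):
                return "outbound-static", str(mapped)
        for nat_if, nat_id, net in p.nats:
            if nat_if == ingress and s in net:
                for pool_if, pool_id, first, last in p.pools:
                    if pool_if == egress and pool_id == nat_id:
                        return "outbound-dynamic", f"{first}-{last}"
        return "dropped: no translation for source", None
    for real_if, mapped_if, mapped, real in p.statics:
        if (real_if, mapped_if, mapped) == (egress, ingress, d):
            return "inbound-static (ACL permit on ingress still required)", str(real)
    return "dropped: destination is not a static", None

# The Configuring Three Interfaces slide, minus the prompt and the ACL lines.
SLIDE_CONFIG = """\
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
static (dmz,outside) 192.168.0.11 172.16.0.2
"""
PIX = parse(SLIDE_CONFIG)

def decide(ingress: str, egress: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    return new_connection(PIX, ingress, egress, src, dst)

if __name__ == "__main__":
    # Constructed flows; 203.0.113.9 stands in for an Internet host.
    for flow in [("inside", "outside", "10.0.0.5", "203.0.113.9"),
                 ("inside", "dmz", "10.0.0.5", "172.16.0.2"),
                 ("dmz", "outside", "172.16.0.2", "203.0.113.9"),
                 ("dmz", "outside", "172.16.0.7", "203.0.113.9"),
                 ("outside", "dmz", "203.0.113.9", "192.168.0.11"),
                 ("outside", "dmz", "203.0.113.9", "192.168.0.25"),
                 ("dmz", "inside", "172.16.0.2", "10.0.0.10")]:
        print(flow, "->", decide(*flow))
```

Two of the sample flows are worth reading closely. The DMZ host 172.16.0.7 is dropped on its way to the Internet because nothing translates it, even though dmz (50) is allowed to talk to outside (0) by security level; the nat (dmz) 1 line from the Three Interfaces with NAT slide is what fixes that. And 192.168.0.25, although it is a perfectly valid address from the outside pool, can never be reached from the Internet: pool addresses exist only as the result of an inside-originated connection.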