© 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall.


What Is a Firewall? A firewall is a system or group of systems that manages access between two networks.

Firewall Technologies Firewall operations are based on one of three technologies: Packet filtering Proxy server Stateful packet filtering

ACL Packet Filtering Limits information into a network based on destination and source address

Proxy Server Requests connections between a client on the inside of the firewall and the outside

Stateful Packet Filtering Limits information into a network based not only on destination and source address, but also on packet data content

PIX Firewall—What Is it? Stateful firewall with high security and fast performance Adaptive security algorithm provides stateful security Cut-through proxy eliminates application-layer bottlenecks Secure, real-time, embedded operating system

Adaptive Security Algorithm Provides “stateful” connection control through the PIX Firewall Tracks source and destination ports and addresses, TCP sequences, and additional TCP flags TCP sequence numbers are randomized to minimize the risk of attack Tracks UDP and TCP session state Connections allowed out—allows return session back flow (TCP ACK bit)

ASA Security Level Example
Outside network (Internet): e0, security level 0, interface name = outside
Perimeter network: e2, security level 50, interface name = pix/intf2
Inside network: e1, security level 100, interface name = inside

Cut-Through Proxy Operation
Authenticates once at the application layer (OSI Layer 7) for each supported service. The connection is then passed back to the PIX Firewall high-performance ASA engine, while maintaining session state.
1. The internal or external user makes a request to an IS resource.
2. The PIX Firewall intercepts the connection.
3. The PIX Firewall prompts the user for a username and password, authenticates the user, and checks the security policy on a RADIUS or TACACS+ server.
4. The PIX Firewall initiates a connection from the PIX Firewall to the destination IS resource.
5. The PIX Firewall directly connects the internal or external user to the IS resource via ASA.
(Diagram: the “Cisco Secure PIX Firewall: Username and Password Required” prompt with User Name and Password fields.)

Stateful Failover
(Diagram: primary and secondary PIX Firewalls joined by a failover cable, with interfaces toward the Internet, a DMZ, and the backbone, web, FTP, and TFTP server network.)

Summary There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering. The PIX Firewall features include: Secure operating system, Adaptive Security Algorithm, cut-through proxy, stateful failover, and stateful packet filtering.

© 2002, Cisco Systems, Inc. CSPFA 2.1—3-13 PIX Command Line Interface

Access Modes The PIX Firewall has four administrative access modes: Unprivileged mode Privileged mode Configuration mode Monitor mode

enable Command pixfirewall> enable password: pixfirewall# configure terminal pixfirewall(config)# pixfirewall(config)# exit pixfirewall# enable pixfirewall> Enables you to enter different access modes

enable password and passwd Commands
pixfirewall# enable password password
pixfirewall# passwd password
The enable password command is used to control access to the privileged mode. The passwd command is used to set a Telnet password.

hostname and ping Commands
hostname command: hostname newname
pixfirewall(config)# hostname proteus
proteus(config)# hostname pixfirewall
pixfirewall(config)#
ping command: ping [if_name] ip_address
pixfirewall(config)# ping
response received -- 0Ms

write Commands The following are the write commands: write net, write erase, write floppy, write memory, write standby, write terminal.

show Commands The following are show commands: show history, show memory, show version, show xlate, show cpu usage, show interface, show ip address. Entering show ? lists the available show commands.

© 2002, Cisco Systems, Inc. CSPFA 2.1—3-20 PIX Configuration Commands

Six Primary Configuration Commands: nameif, interface, ip address, nat, global, route.

nameif Command
nameif hardware_id if_name security_level
The nameif command assigns a name to each interface on the PIX Firewall and specifies its security level.
pixfirewall(config)# nameif ethernet2 dmz sec50

interface Command
interface hardware_id hardware_speed
The interface command configures the speed and duplex.
pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full
The outside and inside interfaces are set for 100 Mbps Ethernet full-duplex communication.

ip address Command
ip address if_name ip_address [netmask]
The ip address command assigns an IP address to each interface.
pixfirewall(config)# ip address dmz

© 2002, Cisco Systems, Inc. CSPFA 2.1—3-25 PIX Firewall Translations

Sessions in an IP World In an IP world, a network session is a transaction between two end systems. It is carried out over two transport layer protocols: TCP (Transmission Control Protocol) UDP (User Datagram Protocol)

TCP TCP is a connection-oriented, reliable-delivery, robust, and high performance transport layer protocol. TCP features –Sequencing and acknowledgement of data –A defined state machine (open connection, data flow, retransmit, close connection) –Congestion management and avoidance mechanisms

TCP Initialization—Inside to Outside
(Diagram: a host on the private network sends a Syn through the PIX Firewall to the public network and receives a Syn-Ack; the IP header carries source addr and destination addr, the TCP header carries source port, destination port, initial sequence #, and the flag. No data flows yet.)
1. The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
2. Start the embryonic connection counter.
3. The PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port) check, sequence number check, translation check.
4. If the code bit is not syn-ack, PIX drops the packet.

TCP Initialization—Inside to Outside (cont.)
(Diagram: the host on the private network answers with an Ack through the PIX Firewall to the public network; the IP header carries source addr and destination addr, the TCP header carries source port, destination port, initial sequence #, and the Ack flag.)
5. Strictly follows the Adaptive Security Algorithm.
6. Reset the embryonic counter for this client. It then increments the connection counter for this host.
Data flows.

UDP Connectionless protocol Efficient protocol for some services Resourceful but difficult to secure

UDP (cont.)
(Diagram: a host on the private network sends a UDP datagram through the PIX Firewall to the public network; the IP header carries source addr and destination addr, the UDP header carries source port and destination port.)
1. The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
2. The PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port) check, translation check.
3. All UDP responses arrive from outside and within the UDP user-configurable timeout (default = 2 minutes).

Static Translations
pixfirewall(config)# static (inside, outside)
A packet from the inside host leaves with the global address as its source address.
Permanently maps a single IP address.
Recommended for internal service hosts like a DNS server.
(Diagram: DNS server behind the PIX Firewall, perimeter router toward the Internet.)

Dynamic Translations
Configures dynamic translations:
–nat (inside)
–global (outside) netmask
(Diagram: inside hosts are translated to addresses from a global pool toward the Internet.)

Connections vs. Translations Translations—xlate –IP address to IP address translation –65,536 translations supported Connections—conns –TCP or UDP sessions

xlate Command clear xlate [global_ip [local_ip]] The clear xlate command clears the contents of the translation slots. pixfirewall(config)#

Summary The PIX Firewall manages the TCP and UDP protocols through the use of a translation table. Static translations assign a permanent IP address to an inside host. Mapping between local and global addresses is done dynamically with the nat command. Dynamic translations use NAT for local clients and their outbound connections and hides the client address from others on the Internet.

NAT terminology when using the PIX NAT terminology – an inside (or local) network is the network, from which we translate addresses (local addresses) – an outside (or global) network is the network, to which we translate local addresses which become global addresses – a translation is a one-to-one mapped pair of (local, global) IP addresses

NAT terminology when using the PIX – a translation slot (xlate slot)is a software structure inside PIX/OS used to describe active translations – a connection slot is a software structure inside PIX/OS describing an active connection (many connection slots can be bound to a translation slot) – the translation table (xlate table) is the software structure inside PIX/OS containing all active translation and connection slot objects

NAT Example
(Diagram: a packet's source addr, destination addr, source port, and destination port shown on the inside and on the outside; the PIX translation table maps the inside local IP address to an address from the global IP pool toward the Internet.)

nat Command
nat [(if_name)] nat_id local_ip [netmask]
The nat command defines which addresses can be translated.
pixfirewall(config)# nat (inside)

global Command
global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
Works with the nat command to assign a registered or public IP address to an internal host with the same nat_id.
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside)
When internal hosts access the outside network through the firewall, they are assigned addresses from the global range.

Two Interfaces with NAT (Multiple Internal Networks)
pixfirewall(config)# nat (inside)
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (outside) netmask
Use separate nat_id’s to assign different global address pools.
The mask used in the nat and global commands is not a mask for host ranges but the mask for each address.
(Diagram: e0 outside, security level 0, toward the pod perimeter router, the backbone, web, FTP, and TFTP server, and the Internet; e1 inside, security level 100, toward two internal networks.)

Three Interfaces with NAT
pixfirewall(config)# nat (inside)
pixfirewall(config)# nat (dmz)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (dmz) netmask
Inside users can start outbound connections to both the DMZ and the Internet.
DMZ users can start outbound connections to the Internet.
(Diagram: e0 outside, security level 0, toward the pod perimeter router, the backbone, web, FTP, and TFTP server, and the Internet; e2 dmz, security level 50, with a bastion host and web and FTP server; e1 inside, security level 100, with an inside host and web and FTP server.)

PAT
(Diagram: Port Address Translation. Several inside packets, each with its own source addr, destination addr, source port, and destination port, are translated to one global address with distinct source ports toward the Internet.)

PAT Example
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
Assign a single IP address as a global pool.
Source addresses of hosts in the inside network are translated to that single address for outgoing access.
The source port changes to a unique number greater than 1024.
(Diagram: Sales, Engineering, and Information systems networks and a bastion host behind the PIX Firewall; perimeter router toward the Internet.)

PAT Using Outside Interface Address
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) 1 interface
Use the interface option to enable use of the outside interface IP address as the PAT address.
Source addresses of hosts in the inside network are translated to the outside interface address for outgoing access.
The source port is changed to a unique number greater than 1024.
(Diagram: Sales, Engineering, and Information systems networks and a bastion host behind the PIX Firewall; perimeter router toward the Internet.)

Augmenting a Global Pool with PAT
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (outside) netmask
When hosts on the inside network access the outside network through the firewall, they are assigned public addresses from the global pool range. When the addresses from the global pool are exhausted, PAT begins. Make sure the PAT address is not part of the global pool.
(Diagram: Sales, Engineering, and Information systems networks and a bastion host behind the PIX Firewall; perimeter router toward the Internet.)
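The pool-then-PAT behaviour described above, together with the translation slot and connection slot terminology from the NAT terminology slides, modelled as an added example (not Cisco code). The pool, PAT address, inside network and packet tuples are constructed; the model keeps the local source port for plain NAT and assigns PAT ports starting at 1025, as the slides state.

```python
"""Model of PIX dynamic translation: a nat/global pool used one-to-one
first, then PAT on a single address once the pool is exhausted.
Added illustration, not Cisco code; all addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from itertools import count
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Xlate:
    """A translation slot: one (local, global) address pair. For PAT the
    slot also records the mapped source port. conns holds the connection
    slots (local port, destination ip, destination port) bound to it."""
    local_ip: str
    global_ip: str
    local_port: Optional[int] = None
    global_port: Optional[int] = None
    conns: Set[Tuple[int, str, int]] = field(default_factory=set)


class PixTranslator:
    def __init__(self, nat_net: str, pool: List[str], pat_ip: str):
        # nat (inside) 1 <nat_net>: which local addresses may be translated
        self.nat_net = IPv4Network(nat_net)
        # global (outside) 1 <pool>: one-to-one NAT addresses, used first
        self.free_pool: List[str] = list(pool)
        # global (outside) 1 <pat_ip>: PAT address, used when the pool is exhausted
        if pat_ip in pool:
            raise ValueError("PAT address must not be part of the global pool")
        self.pat_ip = pat_ip
        self.nat_xlates: Dict[str, Xlate] = {}                  # local_ip -> slot
        self.pat_xlates: Dict[Tuple[str, int], Xlate] = {}      # (local_ip, port) -> slot
        self._pat_ports = count(1025)  # "a unique number greater than 1024"

    def translate(self, src_ip: str, src_port: int,
                  dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Outbound packet from the inside. Returns the (global_ip, port) it
        leaves with, creating slots as needed, or None when the source is
        not covered by the nat statement (no translation, no connection)."""
        if IPv4Address(src_ip) not in self.nat_net:
            return None
        conn = (src_port, dst_ip, dst_port)
        xl = self.nat_xlates.get(src_ip)          # translation check
        if xl is None and self.free_pool:         # pool still has addresses
            xl = Xlate(src_ip, self.free_pool.pop(0))
            self.nat_xlates[src_ip] = xl
        if xl is not None:                        # plain NAT keeps the port
            xl.conns.add(conn)
            return xl.global_ip, src_port
        # Pool exhausted: PAT begins. Every (local ip, local port) pair gets
        # its own slot on the single PAT address with a fresh high port.
        key = (src_ip, src_port)
        xl = self.pat_xlates.get(key)
        if xl is None:
            xl = Xlate(src_ip, self.pat_ip, src_port, next(self._pat_ports))
            self.pat_xlates[key] = xl
        xl.conns.add(conn)
        return xl.global_ip, xl.global_port

    def xlate_count(self) -> int:
        return len(self.nat_xlates) + len(self.pat_xlates)

    def conn_count(self) -> int:
        slots = list(self.nat_xlates.values()) + list(self.pat_xlates.values())
        return sum(len(x.conns) for x in slots)

    def clear_xlate(self) -> None:
        """clear xlate: drop every translation slot (and the connections
        bound to it) and return pool addresses for reuse."""
        for xl in self.nat_xlates.values():
            self.free_pool.append(xl.global_ip)
        self.nat_xlates.clear()
        self.pat_xlates.clear()


def demo():
    # Constructed: a two-address pool plus a separate PAT address.
    pix = PixTranslator("10.0.0.0/24", ["192.0.2.10", "192.0.2.11"], "192.0.2.12")
    a = pix.translate("10.0.0.1", 40000, "198.51.100.5", 80)   # first pool address
    b = pix.translate("10.0.0.2", 40001, "198.51.100.5", 80)   # second pool address
    c = pix.translate("10.0.0.3", 40002, "198.51.100.5", 80)   # pool exhausted: PAT
    d = pix.translate("10.0.0.1", 40003, "198.51.100.6", 443)  # reuses host 1's slot
    e = pix.translate("172.16.0.9", 5000, "198.51.100.5", 80)  # not in nat statement
    return a, b, c, d, e, pix.xlate_count(), pix.conn_count()


if __name__ == "__main__":
    print(demo())
```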

route Command
route if_name ip_address netmask gateway_ip [metric]
The route command defines a static or default route for an interface.
pixfirewall(config)# route outside

Other Configuration Commands: static, conduit, name, fixup protocol.

Statics and Conduits
(Diagram: outside interface, security 0; inside interface, security 100.)
The static and conduit commands allow connections from a lower security interface to a higher security interface. The static command is used to create a permanent mapping between an inside IP address and a global IP address. The conduit command is an exception in the ASA’s inbound security policy for a given host.

static Command
static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]
Maps a local IP address to a global IP address.
pixfirewall(config)# static (inside,outside) netmask
A packet sent from the local host leaves with the global IP address as its source address.
Permanently maps a single IP address (external access).
Recommended for internal service hosts.
(Diagram: PIX Firewall and perimeter router.)

conduit Command
conduit permit|deny protocol global_ip global_mask [operator port[port]] foreign_ip foreign_mask [operator port[port]]
A conduit maps a specific IP address and TCP/UDP connection from the outside host to the inside host.
pixfirewall(config)# conduit permit tcp host eq ftp any
The conduit statement is backwards from an ACL.
(Diagram: PIX Firewall and perimeter router.)

Port Redirection
static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global_port local_ip local_port [netmask mask] [max_conns [emb_limit [norandomseq]]]
Allows outside users to connect to a particular IP address or port and have the PIX redirect traffic to the appropriate inside server.
pixfirewall(config)# static (inside,outside) tcp www netmask
The external user directs an HTTP port 8080 request to the PIX Firewall PAT address. The PIX Firewall redirects this request to the web server host on port 80.

Conduit Example
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside
pixfirewall(config)# ip address inside
pixfirewall(config)# ip address dmz
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (dmz) netmask
pixfirewall(config)# static (dmz,outside)
pixfirewall(config)# conduit permit tcp host eq http any
(Diagram: e0 outside toward the Internet, e1 inside, e2 dmz with a bastion host.)

Another Conduit Example
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec40
pixfirewall(config)# ip address outside
pixfirewall(config)# ip address inside
pixfirewall(config)# ip address dmz
pixfirewall(config)# ip address partnernet
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (dmz) netmask
pixfirewall(config)# static (dmz,outside)
pixfirewall(config)# conduit permit tcp host eq http any
pixfirewall(config)# static (dmz,partnernet)
pixfirewall(config)# conduit permit tcp host eq http any
(Diagram: e0 outside toward the Internet, e1 inside, e2 dmz with a bastion host, e3 partnernet.)

Fixup Protocol Command
The PIX has a protocol fixup feature to recognize applications running on non-standard ports: fixup protocol [- ]
NAT uses the fixup information for badly behaved protocols to handle those connections properly.
fixup protocol ftp 2021
fixup protocol sqlnet 1600

Attack Guards
The PIX has special handling for DNS and SMTP using the fixup protocol command:
fixup protocol DNS [- ]
fixup protocol SMTP [- ]
DNS will only allow one response back to a query. SMTP will only allow RFC 821 specified commands such as HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.

Defending against denial-of-service attacks
The PIX can defend against inbound SYN-flooding (excess connection requests) attacks with the option for the maximum number of embryonic (SYN only) connections per translation slot:
static (int_if_name, out_if_name) global_ip local_ip [max_conn [max_embr]] [norandomseq]

AAA and SYN Floodguards
AAA Floodguard protects against DoS attacks of authorization requests. It is enabled by default.
floodguard enable | disable
SYN Floodguard protects against DoS half-open connection attacks.
nat (inside) [max_conns [em_limit]]
static (inside,outside) netmask [max_conns [em_limit]]
max_conns is the maximum number of connections permitted to hosts accessed from local_ip. em_limit is the maximum number of embryonic connections permitted to hosts accessed from local_ip.
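How the em_limit and max_conns options on a static bound the half-open connections the ASA will accept, combined with the translation and connection-slot checks from the TCP initialization slides, as an added model (not Cisco code). The static, the conduit and the packet sequence are constructed; the model follows only the outside-facing side of the handshake and omits the sequence-number check.

```python
"""Model of the PIX embryonic (half-open) connection limit on a static
translation. Added illustration, not Cisco code; all values constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Connection key as seen on the outside: (src_ip, src_port, dst_ip, dst_port)
Key = Tuple[str, int, str, int]


@dataclass
class Static:
    """static (inside,outside) global_ip local_ip [max_conns [em_limit]];
    0 means no limit, as on the PIX."""
    global_ip: str
    local_ip: str
    max_conns: int = 0
    em_limit: int = 0
    embryonic: int = 0      # SYN seen, three-way handshake not yet completed
    established: int = 0


class InboundTracker:
    def __init__(self) -> None:
        self.statics: Dict[str, Static] = {}            # global_ip -> static
        self.conduits: Set[Tuple[str, int]] = set()     # (global_ip, port) permitted
        self.conns: Dict[Key, bool] = {}                # conn slot -> True while embryonic

    def add_static(self, s: Static) -> None:
        self.statics[s.global_ip] = s

    def add_conduit(self, global_ip: str, port: int) -> None:
        """conduit permit tcp host <global_ip> eq <port> any"""
        self.conduits.add((global_ip, port))

    def inbound(self, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int, flag: str) -> str:
        """A TCP segment arriving on the outside interface; returns the verdict."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.conns:
            # Existing connection slot. The ACK that completes the handshake
            # turns the embryonic connection into an established one.
            if flag == "ACK" and self.conns[key]:
                self.conns[key] = False
                s = self.statics[dst_ip]
                s.embryonic -= 1
                s.established += 1
            return "pass"
        if flag != "SYN":
            return "drop: no connection slot"         # ASA: no conn, not a SYN
        s = self.statics.get(dst_ip)                  # translation check
        if s is None:
            return "drop: no translation"
        if (dst_ip, dst_port) not in self.conduits:   # lower->higher needs an exception
            return "drop: no conduit"
        if s.em_limit and s.embryonic >= s.em_limit:  # SYN Floodguard
            return "drop: embryonic limit reached"
        if s.max_conns and s.embryonic + s.established >= s.max_conns:
            return "drop: max_conns reached"
        self.conns[key] = True                        # new embryonic conn slot
        s.embryonic += 1
        return "pass"

    def close(self, key: Key) -> None:
        """Connection torn down (FIN/RST or timeout): release the slot."""
        was_embryonic = self.conns.pop(key)
        s = self.statics[key[2]]
        if was_embryonic:
            s.embryonic -= 1
        else:
            s.established -= 1


def demo() -> Tuple[List[str], int, int]:
    # Constructed: static (inside,outside) 192.0.2.20 10.0.0.20 with
    # max_conns 100 and em_limit 2, plus a conduit for port 80.
    t = InboundTracker()
    t.add_static(Static("192.0.2.20", "10.0.0.20", max_conns=100, em_limit=2))
    t.add_conduit("192.0.2.20", 80)
    v = [
        t.inbound("203.0.113.7", 50001, "192.0.2.20", 80, "SYN"),  # pass
        t.inbound("203.0.113.7", 50002, "192.0.2.20", 80, "SYN"),  # pass
        t.inbound("203.0.113.7", 50003, "192.0.2.20", 80, "SYN"),  # limit reached
        t.inbound("203.0.113.7", 50001, "192.0.2.20", 80, "ACK"),  # completes first
        t.inbound("203.0.113.7", 50003, "192.0.2.20", 80, "SYN"),  # now fits
        t.inbound("203.0.113.7", 50009, "192.0.2.20", 80, "ACK"),  # no slot
        t.inbound("203.0.113.7", 50010, "192.0.2.20", 22, "SYN"),  # no conduit
        t.inbound("203.0.113.7", 50011, "192.0.2.99", 80, "SYN"),  # no static
    ]
    s = t.statics["192.0.2.20"]
    return v, s.embryonic, s.established


if __name__ == "__main__":
    print(demo())
```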

Summary The PIX Firewall has four administrative access modes: unprivileged, privileged, configuration, and monitor. Interfaces with a higher security level can access interfaces with a lower security level, while interfaces with a lower security level cannot access interfaces with a higher security level unless given permission. The primary commands necessary to configure the PIX Firewall are the following: nameif, interface, ip address, nat, global, static, conduit, and route.

Summary (continued) The nat and global commands work together to hide internal IP addresses. The nat 0 command allows an address to go out of the PIX untranslated while providing ASA security features for inbound requests. The static and conduit commands work together to provide access through the PIX. The PIX Firewall supports port redirection and has advanced protocol handling features. The PIX Firewall has DoS attack guards and Floodguards.

© 2002, Cisco Systems, Inc. CSPFA 2.1—3-62 Configuring Failover

Failover
(Diagram: primary and secondary PIX Firewalls connected by a failover cable, both toward the Internet.)
The primary and secondary units must: be the same model number; have identical software versions and activation key types; have the same amount of Flash memory and RAM.

IP Address for Failover on PIX Firewalls
(Diagram: the primary PIX Firewall (active/standby) holds the system IP/failover IP and the secondary PIX Firewall (standby/active) holds the failover IP/system IP; both have e0 toward the Internet and e1 toward the inside network.)

Configuration Replication Configuration replication occurs: When the standby firewall completes its initial bootup. As commands are entered on the active firewall. By entering the write standby command.

Failover and Stateful Failover Failover –Connections are dropped. –Client applications must reconnect. –Provides redundancy. Stateful failover –Connections remain active. –No client applications need to reconnect. –Provides redundancy and stateful connection.

failover Commands
failover [active]
pixfirewall(config)# failover
The failover command enables failover between the active and standby PIX Firewalls. The failover active command makes a PIX Firewall the primary firewall.
failover ip address if_name ip_address
pixfirewall# failover ip address inside
The failover ip address command creates an IP address for the standby PIX Firewall.
failover link [stateful_if_name]
The failover link command enables stateful failover.

failover poll Command
failover poll seconds
Specifies how long failover waits before sending special failover “hello” packets between the primary and standby units over all network interfaces and the failover cable.
pixfirewall(config)# failover poll 10
Failover waits ten seconds before sending special failover “hello” packets.

show failover Command
Before failover:
pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
This host: Primary - Active
Active time: 360 (sec)
Interface dmz ( ): Normal
Interface outside ( ): Normal
Interface inside ( ): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface dmz ( ): Normal
Interface outside ( ): Normal
Interface inside ( ): Normal
Stateful Failover Logical Update Statistics
Link : dmz
After failover:
pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
This host: Primary - Standby
Active time: 0 (sec)
Interface dmz ( ): Normal
Interface outside ( ): Normal
Interface inside ( ): Normal
Other host: Secondary - Active
Active time: 150 (sec)
Interface dmz ( ): Normal
Interface outside ( ): Normal
Interface inside ( ): Normal
Stateful Failover Logical Update Statistics
Link : dmz

Summary The primary and secondary PIX Firewalls are the two firewalls used for failover. The primary PIX Firewall is usually active, while the secondary PIX Firewall is usually standby, but during failover the primary PIX Firewall goes on standby while the secondary becomes active. The configuration of the primary PIX Firewall is replicated to the secondary PIX Firewall during configuration replication. During failover, connections are dropped, while during stateful failover, connections remain active.

© 2002, Cisco Systems, Inc. CSPFA 2.1—3-71 Access Control Configuration and Content Filtering

Access Control List An ACL enables you to determine what traffic will be allowed or denied through the PIX Firewall. ACLs are applied per interface (traffic is analyzed inbound relative to an interface). The access-list and access-group commands are used to create an ACL. The access-list and access-group commands are an alternative for the conduit and outbound commands.

ACL Usage Guidelines Higher to lower security level –Use an ACL to restrict outbound traffic. –The ACL source address is the actual (untranslated) address of the host or network. Lower to higher security level –Use an ACL to restrict inbound traffic. –The destination host must have a statically mapped address. –The ACL destination address is the “global ip” assigned in the static command.

access-list Command
access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
Enables you to create an ACL.
ACLs associated with IPSec are known as “crypto” ACLs.
pixfirewall(config)# access-list dmz1 deny tcp host lt 1025
ACL “dmz1” denies access from the network to TCP ports less than 1025 on the host.

access-group Command
access-group acl_name in interface interface_name
Binds an ACL to an interface. The ACL is applied to traffic inbound to an interface.
pixfirewall(config)# access-group dmz1 in interface dmz
ACL “dmz1” is bound to interface “dmz”.

ACLs Versus Conduits
ACL: An ACL applies to a single interface, affecting all traffic entering that interface regardless of its security level.
Conduit: A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by permitting connections from one interface to access hosts on another.
It is recommended to use ACLs to maintain future compatibility.

Convert Conduits to ACLs
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
global_ip = destination_addr
foreign_ip = src_addr
pixfirewall(config)# conduit permit tcp host eq www any
pixfirewall(config)# access-list acl_in permit tcp any host eq www

ACLs
pixfirewall(config)# nat (dmz)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# static (inside,dmz) netmask
pixfirewall(config)# static (inside,dmz) netmask
pixfirewall(config)# access-list 102 permit tcp eq ftp
pixfirewall(config)# access-list 102 permit tcp eq smtp
pixfirewall(config)# access-list 102 permit tcp any eq www
pixfirewall(config)# access-group 102 in interface dmz
Users on the DMZ are able to access the Internet, the internal FTP server, and the internal mail server.

Deny Web Access to the Internet
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
nat (inside)
global (outside) netmask
Denies web traffic on port 80 from the inside network to the Internet.
Permits all other IP traffic from the inside network to the Internet.

Permit Web Access to the DMZ
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside
ip address inside
ip address dmz
static (dmz,outside)
access-list acl_in_dmz permit tcp any host eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside
The ACL acl_in_dmz permits web traffic on port 80 from the Internet to the DMZ web server.
The ACL acl_in_dmz denies all other IP traffic from the Internet.
(Diagram: web server on the DMZ, PIX Firewall toward the Internet.)

icmp Command
icmp permit | deny [host] src_addr [src_mask] [type] int_name
Enables or disables pinging to an interface.
pixfirewall(config)# icmp deny any echo-reply outside
pixfirewall(config)# icmp permit any unreachable outside
All ping requests are denied at the outside interface, and all unreachable messages are permitted at the outside interface.

Summary ACLs enable you to determine which systems can establish connections through your PIX Firewall. Cisco recommends migrating from conduits to ACLs. Existing conduits can easily be converted to ACLs. With ICMP ACLs, you can disable pinging to a PIX Firewall interface so that your PIX Firewall cannot be detected on your network. The PIX Firewall can work with URL-filtering software to control and monitor Internet activity.