CISCO
PIX: SLIGHTLY ADVANCED CONFIGURATION
3. Slightly Advanced PIX Configuration
If you have read part two you will know that we have configured the PIX for
basic operation: we have given it a name, assigned IP addresses and
speed/duplex settings, and given security levels to the interfaces. We
configured NAT from the INSIDE to the OUTSIDE interface.
So now anything attached to the INSIDE interface will be allowed to
send traffic to the internet and will pick up an external IP address
when doing so.
Due to the security levels in place, any traffic that arrives at the
OUTSIDE interface will be denied unless it is a return packet from an
already existing connection that was initiated by a host on the
INSIDE network. So although we are only using about 10% of the
functionality of the PIX, it is still doing its job and protecting our
INSIDE network with a very minimal configuration.
Before we move on to a few advanced configuration commands, I will
first cover a few things that can make our job easier when we come to
configure the PIX, and how to view information about our configuration.
It is easy to get confused at the command line when it comes to
things like setting up VPNs, upgrading firmware etc., so the following
are commands we can use to simplify these tasks.
Names
When you have a lot of hosts on your LAN, all obviously with different
IP addresses, it becomes hard to remember them all, and this can
sometimes lead to very serious configuration errors. To ease these
problems Cisco have introduced the 'name' command.
The name command allows us to assign a name to an IP address; once we
have told the PIX of this translation we can use the name of the host in
place of the IP address in all subsequent configuration tasks.
Code:
London (config)# names
London (config)# name 10.10.10.20 seans_pc
London (config)# name 80.80.80.85 Web-Server1
London (config)# name 192.168.1.20 DMZ_WEBSERVER-10
We can use the following characters (up to a maximum of 16) when naming
a host: a-z, A-Z, 0-9, - and _.
It works in the same way DNS does, except it is just a local naming
table for the PIX to use, nothing else.
*I make a habit of always using UPPERCASE when naming a host, as it
stands out more easily when looking at your configuration, especially
when it comes to reviewing ACLs.*
The above example is easy enough to understand: we can now use seans_pc
in all subsequent configuration commands instead of 10.10.10.20.
If we want to delete or change a name, we can remove it altogether by
putting the 'no' command in front of it.
Code:
London (config)#no name 10.10.10.20 seans_pc
If we want to clear all of the names we can use the 'clear configure
names' command:
Code:
London (config)# clear configure names
Finally, if we want to view all of the names we have defined, we use
the 'show names' command.
Code:
London (config)#sh names
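As an added example (not from the original tutorial), the following Python script builds the PIX name table from a saved configuration, applying the naming rules above (a-z, A-Z, 0-9, - and _, maximum 16 characters) and 'no name' removals, and then flags lines that still use a raw IP address for which a name exists, which is the kind of review that catches the configuration errors names are meant to prevent. The configuration text is constructed for the example.

```python
import re

# Constructed sample in the style of the page's example configuration (not the page's own).
SAMPLE_CONFIG = """\
names
name 80.80.80.81 WEB-SERVER-1
name 10.10.10.20 SEANS_PC
name 192.168.1.20 DMZ-WEBSERVER-10
name 10.10.10.30 this_name_is_far_too_long
name 10.10.10.40 web.srv
name 10.10.10.50 OLD_PC
no name 10.10.10.50 OLD_PC
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 80.80.80.82-80.80.80.250
static (inside,outside) 80.80.80.81 10.10.10.20 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
"""
# Allowed characters and length for a PIX host name, as stated in the tutorial.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,16}$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_names(config):
    """Build the PIX name table (name -> IP), honouring 'no name' removals,
    and list the 'name' lines the PIX would reject."""
    table, errors = {}, []
    for lineno, line in enumerate(config.splitlines(), 1):
        parts = line.split()
        if parts[:2] == ["no", "name"] and len(parts) == 4:
            table.pop(parts[3], None)           # 'no name <ip> <name>' deletes the entry
        elif len(parts) == 3 and parts[0] == "name":
            ip, name = parts[1], parts[2]
            if IPV4_RE.fullmatch(ip) and NAME_RE.match(name):
                table[name] = ip
            else:
                errors.append((lineno, line))   # bad character or longer than 16
    return table, errors

def find_unnamed_ips(config):
    """Report config lines that use a raw IP for which a name exists."""
    table, _ = parse_names(config)
    by_ip = {ip: name for name, ip in table.items()}
    hits = []
    for lineno, line in enumerate(config.splitlines(), 1):
        if line.split()[:1] == ["name"] or line.split()[:2] == ["no", "name"]:
            continue
        for ip in IPV4_RE.findall(line):
            if ip in by_ip:
                hits.append((lineno, ip, by_ip[ip]))
    return hits
```

Run `parse_names(SAMPLE_CONFIG)` to see the two rejected name lines, and `find_unnamed_ips(SAMPLE_CONFIG)` to see the static entry that could have been written with WEB-SERVER-1 and SEANS_PC.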
So to put all this into context, here is a sample configuration using
most of the commands covered in this and the previous papers:
Code:
London>en
Password:
London# conf t
London (config)#interface e0
London (config-if)# nameif outside
London (config-if)# security-level 0
London (config-if)# speed 100
London (config-if)# duplex full
London (config-if)# ip address 80.80.80.80 255.255.0.0
London (config-if)#end
London# conf t
London (config)#int e1
London (config-if)#nameif inside
London (config-if)#security-level 100
London (config-if)#speed 100
London (config-if)#duplex full
London (config-if)#ip address 10.10.10.1 255.255.255.0
London (config-if)#end
London# conf t
London (config)#int e2
London (config-if)#nameif DMZ
London (config-if)#security-level 50
London (config-if)#speed 100
London (config-if)#duplex full
London (config-if)#ip address 192.168.1.5 255.255.255.0
London (config-if)#end
London# conf t
London (config)#names
London (config)# name 80.80.80.81 WEB-SERVER-1
London (config)# name 10.10.10.20 SEANS_PC
London (config)# name 192.168.1.20 DMZ-WEBSERVER-10
London (config)# nat-control
London (config)# nat (inside) 1 0.0.0.0 0.0.0.0
London (config)#global (outside) 1 80.80.80.82-80.80.80.250
London (config)#nat (dmz) 2 192.168.1.0 255.255.255.0
London (config)#global (outside) 2 80.80.80.10-80.80.80.79
London (config)# route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
London (config)#route inside 10.10.10.0 255.255.255.0 10.10.10.2 1
London (config)#end
London# wr mem
In the above configuration example we have configured the interfaces
with IP addresses, names and speed/duplex settings. We then named some
hosts on the various networks, and also named an IP address on the
outside network that we may use for a static NAT later on. Next we used
the nat-control command, which says that everything must have a valid
NAT translation; we told the PIX that everything on the INSIDE interface
needs to be translated to an address in global pool 1, and that
everything on the 192.168.1.0 network on the DMZ interface needs to be
translated to an address in global pool 2 when it leaves the OUTSIDE
interface. We told it where to send traffic destined for an unknown IP
address by entering a default route (0.0.0.0 0.0.0.0) via the outside
interface, and finally we entered a static route on the inside interface
to tell it where to send traffic destined for the 10.10.10.0 network. We
also wrote the configuration to the start-up configuration by issuing
the 'write memory' command, so our configuration is now safe should the
PIX suffer a power cut, and should we mess up the running configuration
we can reload the PIX and revert to the configuration we know works.
Original Tutorial
by nokia for TheTAZZone-TAZForum
Originally posted on September 12th, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.