CISCO PIX: SLIGHTLY ADVANCED CONFIGURATION CONT...

Now that we have a configuration we want to keep, we may need to review it when entering other commands to ensure we are doing it correctly. There is a multitude of show (sh for short) commands we can use to see various settings.
Most show commands are entered from privileged mode (the hostname# prompt) and not from configuration mode:

Code:
 London# sh run


Will show the entire running-configuration.

Code:
 London#sh run interface (sh run int - for short)


Will show the running-configuration of the interfaces only.

Code:
 London#sh interface


Will show the statistics of all interfaces – i.e. how many packets have been sent and received, collisions, errors etc. This can be narrowed down further by specifying an interface, like so:

Code:
London#sh int e1


We can view the memory usage and statistics of the PIX with the ‘show memory’ command:

Code:
 London#sh memory
Free memory:          493849384 bytes
Used memory:         109384928 bytes
------------------------------------------------
Total memory           603234312


In conjunction with the memory usage we can also see the CPU usage – these two commands come in very useful when troubleshooting performance problems with the PIX and for determining when you may need to upgrade it.

Code:
 London#sh cpu usage
cpu utilization for 5 seconds = 0%; 1 minute: 12%;  5 minutes: 78%

This shows the average CPU utilization over 5 seconds, 1 minute and 5 minutes – if you start seeing consistently high CPU usage you are trying to do too much with your PIX and need to look into load balancing or using a higher PIX model.

*Occasionally you may get an N/A for the CPU usage percentage; this happens if you request it during an interval update. Issuing the command again will rectify this.*

When contacting Cisco for support, upgrading your licence, firmware, etc., they will need certain information about your PIX such as the BIOS number, serial number, etc.
All of this can be found with the ‘show version’ command:

Code:
 London#sh ver

Cisco PIX Security Appliance Software Version 7.0(1)

Compiled on Wed 10-May-06 13:22 by morlee
System image file is “flash:/PIX-701.bin”
Configuration file at boot was “startup-configuration”

Pixfirewall up 109 mins 29 secs

Hardware  PIX-515, 128 MB RAM, CPU Pentium 200 MHz
Flash i28F427H5 @ 0x300, 16MB………..
BIOS Flash AT15236748 @ oxfffd8000, 32KB

This platform has an Unrestricted (UR) License

Serial Number: 289476272

Running Activation Key: 0x43345565 0x43454234 0x98642635 0x 174935139

Configuration has not been modified since last start

{OUTPUT TRUNCATED}


If we need to see only the IP addressing in use on the PIX we can use the ‘show ip address’ command:

Code:
 London#sh ip address
System IP address
Interface               name                   ip address                   subnet mask
Ethernet 0             outside                80.80.80.80                255.255.255.0
CONFIG
Ethernet 1             inside                   10.10.10.1                  255.255.255.0
CONFIG
{OUTPUT TRUNCATED}


If we need to check what we named our interfaces we can use the ‘show nameif’ command:

Code:
 London#sh nameif
Interface                                Name                                       Security
Ethernet 0                              outside                                     0
Ethernet 1                              inside                                       100
Ethernet 2                              dmz                                          50


We can review the NAT settings we have configured with the ‘show run nat’ command:

Code:
 London#sh run nat
nat (inside) 1 10.10.10.0 255.255.255.0


The above output shows that we have configured the PIX to translate any host on the 10.10.10.0 network behind the INSIDE interface when its traffic traverses the firewall, and that the NAT ID is 1.

As we know, the global command goes hand in hand with the nat command, so the ‘show run global’ command tells us which addresses we are using to replace the source address on outgoing packets:

Code:
 London#sh run global
global (outside) 1 80.80.80.81-80.80.80.250 netmask 255.255.0.0

So now we know the pool of addresses we have assigned to NAT ID 1 for the inside hosts to pick up on the way out of the firewall.

If we want to see any translations that are currently in use we use the ‘show xlate’ command. Xlate is the translation table the PIX updates when a NAT has been set up between hosts on two interfaces.

Code:
 London#sh xlate
1 in use, 1 most used
Global 80.80.80.82 Local 10.10.10.20


The above output tells us there is currently one NAT in progress and that the most ever in use at one time was 1 (this is handy for checking whether you need to increase the pool of global addresses). It also tells us that the host 10.10.10.20 is using 80.80.80.82 to send traffic out of the OUTSIDE interface.
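A small parser for the CPU and translation listings above, added here as an example and not part of the original tutorial: it reads ‘show cpu usage’ output (including the N/A case mentioned earlier), ‘show run global’ and ‘show xlate’ output, flags a sustained high 5-minute CPU average, and works out how much of the NAT pool the peak translation count has consumed. The sample outputs are constructed from the tutorial's listings, and the 75% threshold is an assumed value, not a Cisco figure.

```python
import re
from ipaddress import IPv4Address

# Constructed samples modelled on the tutorial's 'sh cpu usage', 'sh run global'
# and 'sh xlate' listings; they were not captured from a real PIX.
CPU_OUTPUT = "cpu utilization for 5 seconds = 0%; 1 minute: 12%;  5 minutes: 78%"
CPU_OUTPUT_NA = "cpu utilization for 5 seconds = N/A; 1 minute: N/A;  5 minutes: N/A"
GLOBAL_OUTPUT = "global (outside) 1 80.80.80.81-80.80.80.250 netmask 255.255.0.0"
XLATE_OUTPUT = "1 in use, 1 most used\nGlobal 80.80.80.82 Local 10.10.10.20"

CPU_RE = re.compile(r"5 seconds = (\S+?); 1 minute: (\S+?);\s+5 minutes: (\S+)")
GLOBAL_RE = re.compile(r"global \(\w+\) (\d+) (\d+\.\d+\.\d+\.\d+)(?:-(\d+\.\d+\.\d+\.\d+))?")
XLATE_RE = re.compile(r"(\d+) in use, (\d+) most used")

def parse_cpu_usage(text):
    """Return the (5 s, 1 min, 5 min) percentages; None where the PIX printed N/A."""
    m = CPU_RE.search(text)
    if not m:
        raise ValueError("unrecognised 'show cpu usage' output")
    return tuple(None if v == "N/A" else int(v.rstrip("%")) for v in m.groups())

def cpu_needs_attention(text, threshold=75):
    """Sustained load is the 5-minute average; an N/A reading means re-issue the command."""
    five_min = parse_cpu_usage(text)[2]
    return five_min is not None and five_min >= threshold

def global_pool_sizes(text):
    """Map each NAT ID in 'show run global' output to the number of addresses in its pool."""
    pools = {}
    for nat_id, first, last in GLOBAL_RE.findall(text):
        last = last or first  # a single address is a pool of one
        pools[nat_id] = int(IPv4Address(last)) - int(IPv4Address(first)) + 1
    return pools

def parse_xlate(text):
    """Return (in_use, most_used, [(global, local), ...]) from 'show xlate' output."""
    m = XLATE_RE.search(text)
    if not m:
        raise ValueError("unrecognised 'show xlate' output")
    return int(m.group(1)), int(m.group(2)), re.findall(r"Global (\S+) Local (\S+)", text)

def pool_peak_fraction(global_text, xlate_text, nat_id="1"):
    """Share of the NAT pool consumed at peak ('most used'); close to 1.0 means grow the pool."""
    _, most_used, _ = parse_xlate(xlate_text)
    return most_used / global_pool_sizes(global_text)[nat_id]
```

With the tutorial's figures the 5-minute average of 78% trips the threshold while the single translation uses 1 of 170 pool addresses.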

****************************************************************

Internet Control Message Protocol (ICMP) a.k.a. PING

The ping command determines whether the PIX has connectivity to networks, routers, hosts, etc. As most people will know, we send out a packet and if we get a reply back then the host must be active, since it was able to reply to the ping.

If no reply is received the command output will display ‘NO response received’. If this happens, the first troubleshooting step is to issue the ‘show interface’ command to make sure that the interface is up, connected to the network and passing traffic – if it is not, issue the ‘show run interface’ command to review your configuration.

By default the PIX will make 3 attempts to reach an IP address.

ICMP can be configured in every way possible on a PIX with ACLs: you can allow all ICMP packets through in both directions, allow them out but not in, in but not out, in to certain hosts but not to others, allow the interfaces to reply to ICMP requests, etc. – this will be covered in much more detail later on.

If you wish to allow internal hosts to ping external hosts, an ACL needs to be created to allow the echo replies.

If you are pinging through the PIX between routers, hosts, etc., you think you have configured the interfaces and ACLs correctly and you are sure the host is up, but you cannot reach it for some reason, you can debug ICMP from the PIX with the command:

Code:
 London# debug icmp trace


Once you have configured the PIX as described so far, by default no external host will be able to ping the INSIDE interface of the PIX. A rule of thumb is: if you can ping the INSIDE interface from internal hosts and you can ping the OUTSIDE interface from an external host, then all your routes and configuration are correct so far.


Original Tutorial by nokia for TheTAZZone-TAZForum

Originally posted on September 12th, 2006 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.