CISCO
PIX: BASIC PIX CONFIGURATION
2: Basic PIX configuration
There are only six steps needed to enable the PIX to send packets to the
outside world. Known by some as the PIX SIX, they are:
Hostname
Interface
Nat-Control
Nat
Global
Route
Hostname:
This assigns a host name to the PIX and should be called something that
is meaningful for that particular PIX. The prompt will change to what
you call the PIX when you set this and is set in the configuration mode
with the command ‘hostname <name>’, like so:
Code:
pixfirewall>en
password:
pixfirewall#conf t
pixfirewall(config)# hostname London
London(config)#
Notice ‘pixfirewall’ now becomes ‘London’. Usually the firewall may be
named after its geographic location, the service/project it is
protecting etc. I look at it in such a way that if you have 3 different
telnet sessions open to three different PIX’s you will always know
exactly what you are configuring.
The hostname can be up to 63 alphanumeric characters in either
uppercase or lowercase and defaults to ‘pixfirewall’ out of the box or
when the ‘wr erase’ command is used followed by a reload.
Interface:
The interface command differs per PIX operating system: in version 7 it
acts much like a Cisco router and drops you into the ‘config-if’ sub
context. On version 6.3 and earlier the prompt will not change and the
command should be issued all on one line. For this paper we are using
version 7.
The interface command, or ‘int’ for short, is the configuration command
we use to alter the configuration of the PIX interfaces. We can assign
an IP address, subnet mask etc. from this sub context.
Code:
London(config)# interface ethernet0 (or ‘int e0’ for short)
London(config-if)#
Notice with version 7 the prompt now changes to ‘config-if’ to let us
know we are configuring an InterFace.
We can now configure the interface with a name, IP address, speed
settings and duplex settings amongst others.
Code:
London(config-if)# nameif outside
Although it is already named outside by default, the above example is to
show the relevant command. ‘nameif’, as is fairly obvious, is used to
assign a name to the interface.
Next we need to assign an IP address and subnet mask:
Code:
London(config)# interface ethernet0 (or ‘int e0’ for short)
London(config-if)# nameif outside
London(config-if)# ip address 80.80.80.80 255.255.0.0
If you make a mistake whilst entering this command, simply re-enter the
correct information. The ‘clear configure ip’ command removes the IP
address from ALL interfaces, leaving them with no IP address.
Interfaces can also be configured to pick up a DHCP-assigned IP
address, by using the ‘ip address dhcp’ command.
Code:
London(config)# interface ethernet0 (or ‘int e0’ for short)
London(config-if)# nameif outside
London(config-if)# ip address dhcp
The PIX will now pick up a DHCP IP address on the OUTSIDE interface.
There are various DHCP commands we can use to view information about
the DHCP IP address, such as the lease time etc.
Code:
London# sh ip address outside dhcp lease
And
Code:
London# sh ip address outside dhcp server
The above will both provide you with information about the DHCP server
and details about the IP address that the interface has been assigned.
To stop the interface from getting a DHCP IP address we use the ‘no’
command before the dhcp command. So:
Code:
London(config-if)# no ip address dhcp
*Most of the commands you issue via the CLI can be disabled by
re-entering them with the word ‘no’ in front of them.*
Next we need to assign a security level to the interfaces (the INSIDE
and OUTSIDE interfaces have a predefined security level, but for this
example we will set them anyway).
A security level can be between 0 and 100, with 100 being the highest
and most trusted. See part one if you want to read more about security
levels.
To set it we use the ‘security-level’ command:
Code:
London(config)# interface ethernet0 (or ‘int e0’ for short)
London(config-if)# nameif outside
London(config-if)# ip address 80.80.80.80 255.255.0.0
London(config-if)# security-level 0
By default interfaces with the same security level cannot communicate;
to enable it use the ‘same-security-traffic permit inter-interface’
command from global configuration mode. This may be handy when you have
a DMZ and you want it to be able to communicate with the INSIDE network
without NAT being performed.
Code:
London(config)# same-security-traffic permit inter-interface
Next we need to tell the interface what speed and duplex settings we
want it to operate at. By default all interfaces are set to automatic
detection and will try to detect the best speed and duplex settings to
work at. However sometimes you may need to configure them manually.
The speeds you can choose from for an Ethernet interface are 10, 100,
auto or nonegotiate:
10 = 10BASE-T
100 = 100BASE-T
auto = automatically sets the speed
nonegotiate = for small form-factor pluggable (SFP) media types and
sets the speed to 1000 Mbps.
Code:
London(config)# interface ethernet0 (or ‘int e0’ for short)
London(config-if)# nameif outside
London(config-if)# ip address 80.80.80.80 255.255.0.0
London(config-if)# security-level 0
London(config-if)# speed 100
London(config-if)# duplex full
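As an added example (not part of the original tutorial), the following Python check reads a PIX 7 running-config fragment and reports interfaces that are missing a nameif, security-level or IP address, an outside interface whose security level is not 0, and interfaces never brought up with ‘no shutdown’ (PIX 7 physical interfaces are shut down by default, a step the walkthrough above does not show). The sample configuration is constructed, with the hypothetical inside interface left shut down.

```python
from dataclasses import dataclass, field

# Constructed sample (not from a real device): the outside interface uses the
# tutorial's commands, the inside interface is hypothetical and never enabled.
SAMPLE_CONFIG = """\
interface ethernet0
 nameif outside
 security-level 0
 ip address 80.80.80.80 255.255.0.0
 no shutdown
interface ethernet1
 nameif inside
 security-level 100
 ip address dhcp
"""

@dataclass
class Interface:
    ifname: str
    settings: dict = field(default_factory=dict)
    shutdown: bool = True  # PIX 7 physical interfaces are shut down by default

def parse_interfaces(config: str) -> list:
    """Collect the indented sub-commands under each 'interface' line."""
    interfaces, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = Interface(line.split()[1])
            interfaces.append(current)
        elif current is not None and line.startswith(" "):
            words = line.split()
            if words in (["no", "shutdown"], ["shutdown"]):
                current.shutdown = words[0] == "shutdown"
            else:
                current.settings[words[0]] = " ".join(words[1:])
    return interfaces

def audit(config: str) -> dict:
    """Map each interface name to the list of problems found on it."""
    findings = {}
    for intf in parse_interfaces(config):
        problems = [f"missing {k}" for k in ("nameif", "security-level", "ip")
                    if k not in intf.settings]
        if intf.shutdown:
            problems.append("interface is shut down (no 'no shutdown')")
        level = intf.settings.get("security-level")
        if intf.settings.get("nameif") == "outside" and level != "0":
            problems.append(f"outside interface has security-level {level}, expected 0")
        findings[intf.ifname] = problems
    return findings
```

Paste the output of ‘show running-config interface’ into SAMPLE_CONFIG to check a real box; the parser only looks at the indented lines under each ‘interface’ stanza.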
Original Tutorial
by nokia for TheTAZZone-TAZForum
Originally posted on September 11th, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post; we do not sell, publish, transmit, or
have the right to give permission for such. TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.