Cisco PIX 515E Firewall Configuration Task List

In this lab, I will show you how to configure the Cisco PIX 515E Firewall. Instead of dumping a lengthy configuration and providing some explanation of it, I will do it a little differently.

I am going to label each section as a task and show you the commands to accomplish that task. This lab assumes the following:

The Cisco PIX Firewall 515E has six FastEthernet interfaces: ethernet0, … ethernet5.

The Internal network (LAN) has a subnet IP address of 10.0.0.0/24. This is on ethernet0. The interface will have IP 10.0.0.254.

The External network (WAN) has a public IP subnet address of 216.123.169.0/24. This is on ethernet1. The interface will have IP 216.123.169.99.

The remaining four interfaces: ethernet2, ethernet3, ethernet4, and ethernet5 will be used as four different DMZ subnets. They are as follows:

  • Ethernet2: used for DMZ2 and is assigned an IP subnet of 192.168.20.0/24. The interface will have IP 192.168.20.254.
  • Ethernet3: used for DMZ3 and is assigned an IP subnet of 192.168.30.0/24. The interface will have IP 192.168.30.254.
  • Ethernet4: used for DMZ4 and is assigned an IP subnet of 192.168.40.0/24. The interface will have IP 192.168.40.254.
  • Ethernet5: used for DMZ5 and is assigned an IP subnet of 192.168.50.0/24. The interface will have IP 192.168.50.254.

Task 1: How to enable all six interfaces?

Answer:

First we set the speed of each interface to auto, then we name the interfaces and assign each one a security level. The security level is a number from 0 to 100: 0 is completely untrusted, 100 is completely trusted, and the higher the number, the more trusted the interface. An interface with security level 20 is therefore a less trusted network than one with security level 30.

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz2 security20
nameif ethernet3 dmz3 security30
nameif ethernet4 dmz4 security40
nameif ethernet5 dmz5 security50

Task 2: How to enable Internet access for LAN (Internal network)?

Answer:

The GLOBAL and NAT commands are what allow access from the HIGHER SECURITY subnet to the LOWER SECURITY subnet. GLOBAL is applied to the LOWER SECURITY interface and NAT applies to the HIGHER SECURITY interface.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 216.123.169.1 1

The last command sets the default route: traffic bound for the Internet is sent to the next hop 216.123.169.1.

Task 3: How to enable DHCP server on the PIX firewall?

We can enable DHCPD on the LAN interface as well as the DMZ interfaces.

Here is how we would enable the DHCP server on the LAN interface:

dhcpd address 10.0.0.50-10.0.0.200 inside
dhcpd domain dalaris.local
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd dns 8.8.8.8 4.2.2.2
dhcpd enable inside

Here is how we would enable the DHCP server on the DMZ2 interface:

dhcpd address 192.168.20.50-192.168.20.200 dmz2
dhcpd domain dalaris.local
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd dns 8.8.8.8 4.2.2.2
dhcpd enable dmz2

Now hook up a computer to ethernet1 (internal network); the DHCP server on the PIX should assign it a local IP address. Try to browse the Internet; you should be able to at this point. In the DMZ2 section, the domain, lease, ping_timeout and dns lines are optional if they were already entered in the inside interface section, since those are global dhcpd settings rather than per-interface ones.

Task 4: Check public IP address

Answer:

Launch your favourite browser and go to whatismyip.com to obtain the public IP address of your Internet connection. It should be 216.123.169.99.

Task 5: Assign / map a public IP address to a host inside the internal network.

Answer:

I hooked up a PC to the internal network (LAN) and it obtained the IP address 10.0.0.50. I would like to map a different public IP address (216.123.169.100) to this host, so that every time this PC accesses the Internet it is seen as 216.123.169.100, and people on the Internet can reach it via 216.123.169.100.

static (inside, outside) 216.123.169.100 10.0.0.50 netmask 255.255.255.255 0 0
access-list 110 permit tcp any host 216.123.169.100 eq 3389
access-group 110 in interface outside

Testing: open your favourite browser and visit whatismyip.com; your IP should now be 216.123.169.100. Additionally, I have allowed traffic to the RDP port, so anyone on the Internet may now connect to the internal PC via 216.123.169.100.

To allow only 1.2.3.4 to reach the PC over RDP, use this command in place of the any entry above (remove that earlier entry with its no form first; access-list entries are matched in order, so the any entry would otherwise still match):

access-list 110 permit tcp host 1.2.3.4 host 216.123.169.100 eq 3389

Task 6: Allow ping from the Internet

access-list 110 permit icmp any host 216.123.169.100 echo

Note that the access list number is again 110: only one access-group can be bound to an interface at a time, so additional rules for the outside interface go into the same list. After entering the command, test that pinging from the Internet works.

Task 7: Allow ping from internal

access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any source-quench
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded

Now ensure that the access-group command (access-group 110 in interface outside) is in place.

Task 8: How to erase the PIX in order to start from scratch

The following commands erase the PIX configuration and restart the device.

write erase
reload

Task 9: Create users

Privilege 15 is administrative privilege.

username chuong password Pass1234 privilege 15
username testuser password Pass1234 privilege 2

Task 10: Change password

The first password (passwd) is the password for user-mode access over telnet or SSH; the second (enable password) is the privileged-mode password required to manage the firewall.

passwd Cisco
config t
enable password Pass1234
write mem

Task 11: Where is DMZ2 interface physically?

It is the leftmost port when looking at the PIX from the back.

Task 12: Enable Internet on DMZ2

nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0

When you check whatismyip, it should show 216.123.169.99.

Task 12b: Assign 216.123.169.105 to a host on the DMZ2 network.

static (dmz2, outside) 216.123.169.105 192.168.20.50 netmask 255.255.255.255 0 0
access-list 110 permit tcp any host 216.123.169.105 eq 3389
access-group 110 in interface outside

The access-group line is already in place from Task 5 and is shown here only for completeness.

Task 13: Enable SSH and telnet to the PIX

In this task I will enable SSH from the Internet. Users from the outside world can SSH into my PIX firewall at 216.123.169.99, which is the WAN (outside) interface.

aaa authentication ssh console LOCAL
hostname pixfirewall
domain-name pix.dalaris.local
ca generate rsa key 1024
ssh 0.0.0.0 0.0.0.0 outside
telnet 10.0.0.0 255.255.255.0 inside
ca save all

To SSH in from a remote host:

ssh chuong@216.123.169.99
Password: Pass1234
pixfirewall> enable
Password: Pass4321

Note: to restrict SSH access to a single subnet instead of the whole Internet (the better practice), use the following command:

ssh 216.123.169.0 255.255.255.0 outside

Task 14: Port mapping

static (inside, outside) tcp interface 33890 10.0.0.50 3389 netmask 255.255.255.255

A computer on the Internet can then RDP to 10.0.0.50 by connecting to:

216.123.169.99:33890 (with 216.123.169.99 being the outside WAN IP address)

For the connection to be accepted, the access-list bound to the outside interface must also permit TCP port 33890 to the interface address (the same interface keyword form that Task 21 uses for PPTP).

Task 15: Allow internal to RDP from LAN to DMZ

As in Task 2, global is applied to the lower-security interface (here dmz2) and nat to the higher-security interface (inside). NAT ID 20 ties the two commands together and is separate from the ID 1 pair used for Internet access.

global (dmz2) 20 interface
nat (inside) 20 10.0.0.0 255.255.255.0 0 0

Task 16: Allow access from DMZ back into internal LAN

clear xlate
static (inside, dmz2) 10.0.0.50 10.0.0.50 netmask 255.255.255.255 0 0
access-list DMZ_TO_LAN permit tcp host 192.168.20.50 host 10.0.0.50 eq 3389
access-list DMZ_TO_LAN permit ip any any
access-group DMZ_TO_LAN in interface dmz2

The static presents 10.0.0.50 to DMZ2 under its own address (no translation), which is what lets a lower-security interface reach it. Because an access-list bound to dmz2 ends in an implicit deny, the final permit ip any any keeps the DMZ's other traffic (such as its Internet access from Task 12) flowing. That last entry also matches DMZ traffic to 10.0.0.50 on every port, so the RDP-only entry above it is redundant; to limit the DMZ to RDP on the LAN host, place a deny for the 10.0.0.0/24 subnet ahead of the permit ip any any.

Task 17: How to configure Gateway to Gateway VPN (from the PIX to Cisco RV042)

Step 1 is to check that 3DES is enabled on the firewall. Do not consider using DES: DES is only a little stronger than clear text and is not secure. 3DES is much more secure to use for a VPN.

pixfirewall# show version
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
pixfirewall up 17 hours 31 mins
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: ethernet0: address is 0015.f9a9.03b7, irq 10
1: ethernet1: address is 0015.f9a9.03b8, irq 11
2: ethernet2: address is 000d.8811.0300, irq 11
3: ethernet3: address is 000d.8811.0301, irq 10
4: ethernet4: address is 000d.8811.0302, irq 9
5: ethernet5: address is 000d.8811.0303, irq 5
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has an Unrestricted (UR) license.

Step 2 is to check whether any VPN configuration already exists on the firewall.

pixfirewall# show isakmp policy
Default protection suite
encryption algorithm: DES – Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

If there is only a Default protection suite policy, it means no VPNs are configured.

Allow IPSec connections to the PIX.

pixfirewall# config t
pixfirewall(config)# sysopt connection permit-ipsec

Enable ISAKMP on the outside interface (ethernet0, the interface facing the Internet):

pixfirewall(config)# isakmp enable outside

Now we have to configure an ISAKMP policy on the PIX firewall.

pixfirewall(config)# isakmp policy 10 authentication pre-share
pixfirewall(config)# isakmp policy 10 encryption 3des
pixfirewall(config)# isakmp policy 10 hash md5
pixfirewall(config)# isakmp policy 10 group 2
pixfirewall(config)# isakmp policy 10 lifetime 86400

The policy we created above uses:

  • Pre-shared key as authentication method
  • 3DES as encryption
  • MD5 as Hashing
  • Diffie-Hellman group 2 (1024 bit)
  • Lifetime is 86400 seconds

Now we need to define pre-shared key for the connection.

pixfirewall(config)# isakmp key G3tm3!n address 2.3.4.5 netmask 255.255.255.255

(Pre-shared key is G3tm3!n and 2.3.4.5 is the IP address of the peer).

Now we need to create an access-list defining the traffic that can cross the tunnel:

access-list myvpn permit ip 10.0.0.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list myvpn permit ip 172.16.16.0 255.255.255.0 10.0.0.0 255.255.255.0

Next we need to define a transform set for this connection, called “myvpnset”:

pixfirewall(config)# crypto ipsec transform-set myvpnset esp-3des esp-md5-hmac

Next, we define security association lifetime

pixfirewall(config)# crypto ipsec security-association lifetime seconds 86400 kilobytes 50000

Now we will set up the actual connection, the crypto map “myvpnmap”, with 2.3.4.5 as the IP address of the peer, and bind it to the outside interface.

pixfirewall(config)# crypto map myvpnmap 10 ipsec-isakmp
pixfirewall(config)# crypto map myvpnmap 10 set peer 2.3.4.5
pixfirewall(config)# crypto map myvpnmap 10 set transform-set myvpnset
pixfirewall(config)# crypto map myvpnmap 10 match address myvpn
pixfirewall(config)# crypto map myvpnmap interface outside

In the above statements, we have set up:

  • Type of VPN is ipsec-isakmp
  • Peer IP is 2.3.4.5
  • Transform set to be used is myvpnset as defined before
  • Packet matching (interesting traffic) access list myvpn. Any traffic that matches this access list should go through the VPN tunnel.
  • The crypto map is applied to the outside interface, where the peer connects; without this binding the map is never used.

Last, we will tell the PIX NOT to use NAT for packets that traverse through the VPN but to ROUTE them instead.

First, let’s look at which nat rules are currently in place:

pixfirewall(config)# show nat
nat (inside) 20 10.0.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0

We need to create a “no-nat” access list using the following two lines:

access-list no-nat permit ip 10.0.0.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list no-nat permit ip 172.16.16.0 255.255.255.0 10.0.0.0 255.255.255.0

Then check whether the show nat output already contains the line:

nat (inside) 0 access-list no-nat

Since that line is not in the nat configuration above, we need to add it:

pixfirewall(config)# nat (inside) 0 access-list no-nat

Now on the other side (peer) you can go ahead to configure an RV042 router to connect to the VPN.

Task 18: How to configure Client to Gateway VPN on the PIX

Define the access list to enable split tunneling.

access-list 101 permit ip 10.0.0.0 255.255.255.0 10.10.8.0 255.255.255.0

Define the access list to avoid network address translation (NAT) on IPsec packets.

access-list 102 permit ip 10.0.0.0 255.255.255.0 10.10.8.0 255.255.255.0

Create a pool of addresses from which IP addresses are assigned dynamically to the remote VPN Clients.

ip local pool vpnpool1 10.10.8.1-10.10.8.254

Disable NAT for IPsec packets.

nat (inside) 0 access-list 102

Permit packets that arrive through an IPsec tunnel to pass without being checked against the configured conduits/access lists.

sysopt connection permit-ipsec

Define the transform set to be used during IPsec security association (SA) negotiation. Specify AES as the encryption algorithm.

crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac

Create a dynamic crypto map entry and add it to a static crypto map.

crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2

Bind the crypto map to the outside interface.

crypto map map1 interface outside

Enable Internet Security Association and Key Management Protocol (ISAKMP) negotiation on the interface on which the IPsec peer communicates with the PIX Firewall.

isakmp enable outside
isakmp identity address

Define an ISAKMP policy to be used while negotiating the ISAKMP SA. Specify AES as the encryption algorithm. The configurable AES options are aes, aes-192 and aes-256.

Note: AES 192 is not supported by the VPN Client.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Create a VPN group and configure the policy attributes which are downloaded to the Easy VPN Clients.

vpngroup groupmarketing address-pool vpnpool1
vpngroup groupmarketing dns-server 10.0.0.5
vpngroup groupmarketing wins-server 10.0.0.5
vpngroup groupmarketing default-domain dalaris.local
vpngroup groupmarketing split-tunnel 101
vpngroup groupmarketing idle-time 1800
vpngroup groupmarketing password ********

Task 20: Naming services, computers, and networks

We can name and group related objects together to make the firewall configuration cleaner.

name 10.0.0.0 LOCALNETWORK
name 192.168.20.0 DMZ2NETWORK
name 216.123.169.100 E_WEBSERVER
name 10.0.0.50 DC1
name 10.0.0.51 DC2
object-group network DOMAINCONTROLLERS
network-object DC1 255.255.255.255
network-object DC2 255.255.255.255
object-group service G_HTTP tcp
port-object eq www
port-object eq https
port-object eq 8080

access-list INBOUND_TRAFFIC remark this is for inbound traffic
access-list INBOUND_TRAFFIC permit tcp any host E_WEBSERVER object-group G_HTTP
access-group INBOUND_TRAFFIC in interface outside

Task 21: Forward PPTP VPN traffic. Behind the firewall (on the inside interface connected to the LAN switch) we have a PPTP VPN router. The LAN port of the PPTP router has the IP address 10.0.0.4. Enter the correct commands on the PIX to allow PPTP traffic to be forwarded to the PPTP box.

Note: use the “interface” keyword. PPTP also carries its data in GRE (IP protocol 47); on PIX 6.3 the PPTP fixup (fixup protocol pptp 1723) tracks the GRE session that follows the TCP 1723 control connection through this static, so check that it is enabled.

access-list INBOUND_TRAFFIC permit tcp any interface outside eq 1723
static (inside,outside) tcp interface 1723 10.0.0.4 1723 netmask 255.255.255.255
access-group INBOUND_TRAFFIC in interface outside
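As an added example (not part of the lab), here is a small Python audit script that reads PIX 6.x-style configuration lines like the ones above and flags the settings the tasks call out as things to restrict or avoid: SSH management open to any source (Task 13 note), RDP permitted from any source (Task 5 note), a permit ip any any entry (Task 16), DES in an ISAKMP policy (Task 17 step 1), telnet as a clear-text management protocol, and an access-list that no access-group, nat 0, crypto map or vpngroup ever applies (Tasks 6 and 7). The sample configuration embedded in it is constructed from the lab's own commands, and the rule names are my own.

```python
import re

# Constructed sample assembled from the lab's own commands (not a real device
# dump); it deliberately includes a DES policy and an access-list 120 that is
# never applied, so that every check below fires at least once.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ssh 0.0.0.0 0.0.0.0 outside
telnet 10.0.0.0 255.255.255.0 inside
access-list 110 permit tcp any host 216.123.169.100 eq 3389
access-group 110 in interface outside
access-list 120 permit icmp any host 216.123.169.100 echo
access-list DMZ_TO_LAN permit tcp host 192.168.20.50 host 10.0.0.50 eq 3389
access-list DMZ_TO_LAN permit ip any any
access-group DMZ_TO_LAN in interface dmz2
access-list no-nat permit ip 10.0.0.0 255.255.255.0 172.16.16.0 255.255.255.0
nat (inside) 0 access-list no-nat
isakmp policy 10 encryption 3des
isakmp policy 20 encryption des
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")

def audit_pix_config(text):
    """Return (rule, detail) findings for PIX 6.x-style configuration text."""
    findings, defined, referenced = [], set(), set()
    for raw in filter(str.strip, text.splitlines()):
        line = raw.strip()
        words = line.split()
        m = ACL_RE.match(line)
        if m:  # access-list entries: record the name, flag the broad ones
            name, action, proto, rest = m.groups()
            defined.add(name)
            if action == "permit" and proto == "ip" and rest == "any any":
                findings.append(("acl-permit-ip-any-any", line))    # Task 16
            elif action == "permit" and rest.startswith("any ") and rest.endswith("eq 3389"):
                findings.append(("rdp-open-to-any-source", line))   # Task 5
            continue
        # any other line naming an ACL (access-group, nat 0, crypto map, vpngroup) applies it
        referenced.update(words)
        if words[0] == "ssh" and words[1:3] == ["0.0.0.0", "0.0.0.0"]:
            findings.append(("ssh-any-source", line))               # Task 13 note
        elif words[0] == "telnet":
            findings.append(("telnet-cleartext-mgmt", line))
        elif words[0] == "isakmp" and "encryption" in words and words[-1] == "des":
            findings.append(("isakmp-des", line))                   # Task 17 step 1
    for name in sorted(defined - referenced):  # Tasks 6/7: ACL needs an access-group
        findings.append(("acl-never-applied", name))
    return findings
```

Running audit_pix_config(SAMPLE_CONFIG) returns six findings for the sample; a configuration that restricts RDP to one source host, binds every list and limits SSH to a subnet returns none.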