Configuring Cisco PIX515E Firewall



1> Connect the PIX515E to any PC's COM port using the supplied console cable.

2> Start the HyperTerminal program using the default settings for the selected COM port. Ensure the status window shows "Connected" in the bottom left-hand corner.

3> Boot the firewall by switching it off and on again (in case it is already on).

4> Allow the boot process to complete to bring up the command prompt.

5> Type "enable" to log into the firewall.

6> Enter the password previously set (the factory configuration is blank, so press Enter to proceed).

7> After the password is accepted the prompt changes to # (privileged mode).

8> As the firewall will be configured through HyperTerminal, type "config t" to enter configuration mode.

9> Enter the following commands, as shown below, in configuration mode.

10> The commands shown below are space-sensitive. Maintain the exact syntax for a command to be applied without error.

11> Successful application of a command returns no character on the succeeding line.


Addressing used in this procedure:

  Inside PC to be accessed (Experion Server)     172.16.0.51    255.255.248.0
  Inside port of firewall (ethernet1)            172.16.0.241   255.255.248.0
  Outside PC requiring access (Third Party PC)   192.168.0.15   255.255.0.0
  Outside port of firewall (ethernet0)           192.168.0.11   255.255.0.0


interface command

interface hardware_id hardware_speed
interface ethernet0 100full
interface ethernet1 100full

This command sets the speed for the interface. In the example the speed has been set to 100 Mbps full duplex.

nameif command

nameif hardware_id if_name security_level
nameif ethernet0 outside security0
nameif ethernet1 inside security100

This command configures the security levels for your PIX. By default the interfaces are identified by their hardware ID. Ethernet 0 is the outside interface and Ethernet 1 is the inside interface. The outside and inside interfaces are named by default and have default security values of 0 and 100.
0 means the least secured interface, which is the outside WAN, and 100 means the most secured interface, which is the LAN.

ip address command

ip address if_name ip_address [netmask]
ip address inside 172.16.0.241 255.255.255.0
ip address outside 192.168.0.11 255.255.0.0

This command specifies the IP addresses for the inside and the outside ports respectively. The inside port is on the LAN side, which is the most secured interface, and the outside port is on the WAN side, which is the least secured interface.

Static NAT (Network Address Translation) command

static (inside,outside) 192.168.0.51 172.16.0.51 netmask 255.255.255.255 0 0

  Inside PC IP to be accessed (in)   Outside dummy IP (out)
  172.16.0.51                    ->  192.168.0.51

As the above syntax shows, the IP address of the web server (172.16.0.51) is translated into 192.168.0.51. The netmask 255.255.255.255 means we are pointing at a single host; 255.255.255.0 would mean we are pointing at a network. With this the original IP address of the web server is hidden.
When applying the command follow the same syntax with the same spacing.

Setting access-lists for data transfer

Access list for the outside interface (outbound to inbound traffic direction)

access-list acl_out permit tcp any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 172.16.12.18 eq www
(Outside dummy IP)

Note that the host address in this third line must be the translated (outside) address configured in the static command; the address shown here (172.16.12.18) differs from the one used in the static above (192.168.0.51), so use whichever outside dummy address your static actually defines.

Access list for the inside interface (inbound to outbound traffic direction)

access-list acl_in permit tcp any any
access-list acl_in permit icmp any any
access-list acl_in permit tcp 172.16.0.51 255.255.255.255 any eq www
(Inside PC IP)
OR (one of the two forms should be accepted)
access-list acl_in permit tcp 172.16.0.51 255.255.255.0 any eq www
(Inside PC IP)

The above commands set the permissions for data transfer from the WAN port to the LAN port which hosts the web server. "acl_out" is the name given to the new access-list. "permit" or "deny" is the action applied to matching traffic. "tcp" is the protocol for data transfer. The first "any" is any host on the inside interface (LAN) port and the second "any" is any host on the outside interface. If data transfer has to be permitted from a specific outside host to the inside "any" network then see the third example in "access list for outside interface". For web access TCP port 80 (www) is enabled. For the ping command to operate "icmp" is enabled. Entries are evaluated in order and the first match wins, so while "permit tcp any any" precedes the "eq www" line the latter never matches; once connectivity is confirmed, the broad "any any" lines can be removed with "no" (see "Removing the applied commands") so that only the intended web traffic is permitted.
In a similar fashion, for setting the access-list for the inside interface see the examples given in "access list for inside interface".

Access groups

access-group acl_out in interface outside
access-group acl_in in interface inside

To activate the access-lists created, one has to give the access-group command, which enables the access-lists on the specified interfaces. In the above example "acl_out" is enabled on the outside interface, i.e. the WAN port, and "acl_in" is enabled on the inside interface, i.e. the LAN port.
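The static, access-list and access-group sections above describe three rules the PIX applies: the static maps one outside (global) address to one inside (local) address, a 255.255.255.255 mask selects a host while a shorter mask selects a network, and access-list entries are tried in order with the first match winning and an implicit deny at the end. The following Python model, added here as an example and not code from the original page or from Cisco, parses those command forms and shows the consequences: which inside host an inbound connection to the dummy address reaches, and that an entry placed after "permit tcp any any" can never match. The constructed sample uses 192.168.0.51 as the outside dummy address, matching the static above.

```python
"""Model of how the PIX applies the static and access-list lines above.

Added example, not code from the original page or from Cisco. It
re-implements only first-match access-list evaluation and the one-to-one
static translation for the addresses used in this procedure.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample in 'sho run' form. The "eq www" line references the
# translated (outside) address from the static, which is what an inbound
# rule on the outside interface must name.
SAMPLE_CONFIG = """\
static (inside,outside) 192.168.0.51 172.16.0.51 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 192.168.0.51 eq www
access-group acl_out in interface outside
"""

PORT_NAMES = {"www": 80}


@dataclass
class Ace:
    action: str                  # permit / deny
    proto: str                   # tcp, udp, icmp or ip
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A' or 'A MASK'.

    Returns (network, index of the next unparsed token). A 255.255.255.255
    mask selects a single host; a shorter mask such as 255.255.255.0 selects
    the whole network the address belongs to (the host bits are dropped).
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (statics, acls, groups) from the command forms this model understands."""
    statics = {}   # global (outside) address -> local (inside) address
    acls = {}      # acl name -> ordered list of Ace
    groups = {}    # interface name -> acl name applied inbound on it
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "static":
            statics[tok[2]] = tok[3]
        elif tok[0] == "access-list":
            name, action, proto = tok[1], tok[2], tok[3]
            src, i = parse_addr(tok, 4)
            dst, i = parse_addr(tok, i)
            dport = None
            if i < len(tok) and tok[i] == "eq":
                dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif tok[0] == "access-group":
            groups[tok[4]] = tok[1]
    return statics, acls, groups


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(acl):
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


def shadowed_entries(acl):
    """Indices of entries that an earlier, broader entry already covers, so they never match."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in (later.proto, "ip")
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.dport in (None, later.dport)):
                out.append(j)
                break
    return out


def inbound_decision(text, src, dst, proto="tcp", dport=80):
    """Decision for a packet arriving on the outside interface, plus the inside host it reaches."""
    statics, acls, groups = parse_config(text)
    action, idx = evaluate(acls[groups["outside"]], proto, src, dst, dport)
    return action, idx, statics.get(dst)


if __name__ == "__main__":
    print(inbound_decision(SAMPLE_CONFIG, "192.168.0.15", "192.168.0.51"))
    print("shadowed entries:", shadowed_entries(parse_config(SAMPLE_CONFIG)[1]["acl_out"]))
```

Running it reports that the third-party PC's connection to 192.168.0.51 is permitted by entry 0 (the broad "tcp any any") and lands on 172.16.0.51, and that entry 2 (the "eq www" line) is shadowed. Deleting the "any any" line from the sample makes the www entry the one that matches and leaves every other TCP port at the implicit deny.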

Writing the configuration to flash

write memory

In configuration mode itself, type the command above, which writes the configuration to the flash memory of the firewall.

With this, the firewall is configured.

Settings to be made on the eserver (Experion server) side:
From the Network Connections window open the TCP/IP properties and enter the firewall's inside port IP address, 172.16.0.241, as the default gateway.
Update the hosts file with the line: 192.168.0.15 TESTPC

Settings to be made on the client PC / third-party side:
From the Network Connections window open the TCP/IP properties and enter the firewall's outside port IP address, 192.168.0.11, as the default gateway.
Update the hosts file with the line: 192.168.0.51 ESERVER
(in this case 192.168.0.51 is the dummy IP address for the eserver)

After this, type http://172.16.12.18/eserver in the URL bar of the client computer to reach ESERVER.

Erasing the flash

write erase

In configuration mode type the command above to erase all the configuration stored in flash. Switch the firewall off and on again for the boot process to begin. After this erase, the firewall prompts for reconfiguration of the following:
host name, domain name, password, inside and outside interface IP addresses, and the IP address of the host which will be running PDM (PIX Device Manager, an Internet Explorer based interface for programming the firewall).

Removing the applied commands

For any of the commands shown in this procedure (e.g. access-list, static), a "no" before the command removes the applied command from the firewall.
For example:

no static (inside,outside) 192.168.0.51 172.16.0.51 netmask 255.255.255.255 0 0

In the above example "no" is applied to remove the static NAT (Network Address Translation) entry.
After any change is made, ensure that at the end you type "write memory" to write the configuration to flash.

Viewing the configuration

Type "sho run" to view the running configuration.
Type "sho xlate" to view the translation tables. These are generated by the firewall when any host on the WAN calls a web server (located on the LAN) by its IP address in the URL. In the above example the IP address of the web server 172.16.0.51 is translated to 172.16.12.18. After typing http://172.16.12.18/eserver in the URL bar, run "sho xlate" in HyperTerminal to view the following: "domain 172.16.12.18 local 172.16.0.51".
Type "sho ip" to view the addresses of the outside and inside interfaces.
Type "sho access-list" to view the access-lists configured.

Connectivity checks:

  From external PC (Third Party):   ping 192.168.0.11   OK
                                    ping 192.168.0.51   OK
  From internal PC (Experion):      ping 172.16.0.241   OK
                                    ping 192.168.0.15   OK

  netstat -a    to check which ports are open
  arp -a        to see which nodes are being accessed


Refer to the practical running configuration below for reference.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password K2e34OFITEn5cvo9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Cisco.pix
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any
access-list acl_out permit udp any any
access-list acl_out permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.0.11 255.255.0.0
ip address inside 172.16.0.241 255.255.248.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm location 200.0.0.50 255.255.255.255 inside
pdm location 172.16.0.51 255.255.255.255 inside
pdm history enable
arp timeout 14400
static (inside,outside) 192.168.0.51 172.16.0.51 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 200.0.0.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a397a072a0aa6c111ee76c1079998def
: end
Cisco.pix(config)#