Configuration Steps

Work through the following steps to configure transparent firewall based on Figure 3-6:

1. Turn on transparent firewall.

Switch the PIX Firewall to transparent mode with the following commands (the show firewall output confirms the current mode before and after the change):

PIX(config)# show firewall
Firewall mode: Router
PIX(config)# firewall transparent
Switched to transparent mode
PIX(config)#

2. Assign an IP address for management.

Configure the IP address that the PIX Firewall uses for management. Hosts cannot use this address as their default gateway, and it must be on the same subnet as the other hosts.

PIX(config)# ip address 10.1.1.1 255.255.255.0

3. Configure interfaces (inside and outside).

Bring up both the inside and outside interfaces, and do not assign IP addresses to them. The following commands turn on the outside interface:

PIX(config)# interface Ethernet 0
PIX(config-if)# nameif outside
PIX(config-if)# security-level 0
PIX(config-if)# no shutdown

Configure the inside interface with the following commands:

PIX(config)# interface Ethernet 1
PIX(config-if)# nameif inside
PIX(config-if)# security-level 100
PIX(config-if)# no shutdown

4. Configure an access-list (optional).

You can optionally configure an access-list to filter traffic by EtherType. The command syntax is as follows:

PIX(config)# [no] access-list  ethertype   [unicast | multicast | broadcast]

For example, if you want to allow only IPX traffic and deny the rest, your ACL configuration will look like the following:

PIX(config)# access-list 100 ethertype permit ipx

Then you need to apply the access-list to an interface. To apply access-list 100 to the inside interface, the configuration looks like this:

PIX(config)# access-group 100 in interface inside

5. Configure ARP inspection.

ARP inspection is turned off by default, which means that all ARP packets are allowed through the PIX Firewall. You can control the flow of ARP packets by enabling ARP inspection. When you enable ARP inspection, the PIX Firewall compares the MAC address, IP address, and source interface of every ARP packet to the static entries in the ARP table and takes one of the following actions:

a. If the IP address, MAC address, and source interface match an ARP entry, the packet is allowed through.

b. If the MAC address, the IP address, or the interface does not match the entry, the PIX Firewall drops the packet.

c. If the ARP packet does not match any entries in the static ARP table, you can set the PIX firewall to either forward the packet out all interfaces (flood), or to drop the packet.

ARP inspection protects network devices against ARP spoofing. ARP spoofing lets an attacker mount a man-in-the-middle attack. For example, a host sends an ARP request for the gateway router, and the gateway router responds with its MAC address. The attacker, however, sends another ARP response to the host carrying the attacker's MAC address instead of the router's. The host, believing that the attacker's MAC address is the valid destination, starts forwarding its packets there. The attacker can now intercept all of the host's traffic before forwarding it on to the router.

ARP inspection ensures that an attacker cannot send an ARP response with the attacker's MAC address, provided the correct MAC address and its associated IP address are in the static ARP table.

Note

In multiple context mode, the commands in this chapter can be entered in a security context, but not in the system context. The dedicated management interface, if present, never floods packets even if this parameter is set to flood.

You can add a static ARP entry with the following command:

arp interface_name ip_address mac_address

ARP inspection compares ARP packets with the static ARP entries in the ARP table. The following command allows ARP responses from the router at 10.1.1.1 with the MAC address 0009.7cbe.2100 on the outside interface:

PIX(config)# arp outside 10.1.1.3 0009.7cbe.2100

Note that the transparent firewall still uses dynamic ARP entries in the ARP table for traffic to and from the PIX Firewall itself, such as management traffic. To enable ARP inspection, use the following command:

PIX(config)# arp-inspection interface_name enable [flood | no-flood]

Here flood forwards non-matching ARP packets out all interfaces, and no-flood drops non-matching packets. The default is to flood non-matching packets. To restrict ARP through the PIX Firewall to static entries only, use no-flood. The following command enables ARP inspection on the outside interface and drops all non-matching ARP packets:

PIX(config)# arp-inspection outside enable no-flood

To view the current settings for ARP inspection on all interfaces, enter the following command:

PIX(config)# show arp-inspection

6. Configure the MAC address table.

Just as a normal bridge or switch does, the PIX Firewall learns and builds a MAC address table by recording each source MAC address together with the interface it arrived on. Unlike a normal bridge or switch, if the destination MAC address is not in the table, the PIX Firewall does not flood the packet out all interfaces. Instead it does the following:

a. If the packet is destined for a directly connected device, the PIX Firewall generates an ARP request for the destination IP address so that it can learn which interface receives the ARP response.

b. If the packet is destined for a device that is not directly connected, the PIX Firewall generates a ping to the destination IP address so that it can learn which interface receives the ping reply. The original packet is dropped.

You can build the MAC address table dynamically or statically. By default, each interface automatically learns the MAC addresses of incoming traffic, and the PIX Firewall adds the corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you add MAC addresses to the table statically, no traffic can pass through the PIX Firewall.

To disable MAC address learning, enter the following command:

PIX(config)# mac-learn interface_name disable

The no form of this command re-enables MAC address learning. The clear configure mac-learn command re-enables MAC address learning on all interfaces.

You can add static MAC addresses to the MAC address table if desired. One benefit of static entries is protection against MAC spoofing: if a client with the same MAC address as a static entry attempts to send traffic on an interface that does not match the static entry, the security appliance drops the traffic and generates a system message.

To add a static MAC address to the MAC address table, enter the following command:

PIX(config)# mac-address-table static interface_name mac_address

The interface name is the source interface. The default timeout for dynamic MAC address table entries is five minutes, but you can change it with the following command:

PIX(config)# mac-address-table aging-time timeout_value

The timeout_value (in minutes) is between 5 and 720 (12 hours). The default is 5 minutes.
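As an added worked example (not from the book or from Cisco), the following Python linter reads a transparent-mode PIX configuration in the form used in these steps and flags the settings the chapter warns about: ARP inspection left off or in its default flood mode, ARP inspection enabled with no static arp entry to match against, MAC learning disabled with no static MAC entry, and an IP address placed under an interface instead of globally. SAMPLE_CONFIG is constructed for illustration and deliberately contains weak settings.

```python
"""Lint a PIX transparent-firewall config for the ARP-inspection and
MAC-table settings described in the steps above (added example, not Cisco
code; SAMPLE_CONFIG is constructed and deliberately leaves weak settings)."""
import re

SAMPLE_CONFIG = """\
firewall transparent
ip address 10.1.1.1 255.255.255.0
interface Ethernet 0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet 1
 nameif inside
 security-level 100
 no shutdown
arp outside 10.1.1.3 0009.7cbe.2100
arp-inspection outside enable flood
mac-learn inside disable
"""

def lint_transparent_config(config: str) -> list[str]:
    """Return one finding string per weak or inconsistent setting."""
    raw = [l.rstrip() for l in config.splitlines() if l.strip()]
    lines = [l.strip() for l in raw]
    findings = []
    if "firewall transparent" not in lines:
        findings.append("firewall mode is not transparent")
    # Interface sub-commands are indented; an 'ip address' there is the step-3 mistake.
    for r in raw:
        if r.startswith(" ") and r.strip().startswith("ip address"):
            findings.append("ip address configured under an interface; transparent mode takes one global address")
    nameifs = [m.group(1) for l in lines if (m := re.match(r"nameif (\S+)$", l))]
    inspected = {}  # interface -> flood | no-flood (flood is the default when omitted)
    for l in lines:
        if m := re.match(r"arp-inspection (\S+) enable(?: (flood|no-flood))?$", l):
            inspected[m.group(1)] = m.group(2) or "flood"
    static_arp = {m.group(1) for l in lines if (m := re.match(r"arp (\S+) \S+ \S+$", l))}
    static_mac = {m.group(1) for l in lines if (m := re.match(r"mac-address-table static (\S+)", l))}
    learn_off = {m.group(1) for l in lines if (m := re.match(r"mac-learn (\S+) disable$", l))}
    for ifc in nameifs:
        if ifc not in inspected:
            findings.append(f"{ifc}: ARP inspection off; every ARP packet is passed")
        elif inspected[ifc] == "flood":
            findings.append(f"{ifc}: ARP inspection floods non-matching ARP; use no-flood")
        if ifc in inspected and ifc not in static_arp:
            findings.append(f"{ifc}: ARP inspection on but no static arp entry to match against")
        if ifc in learn_off and ifc not in static_mac:
            findings.append(f"{ifc}: MAC learning disabled with no static MAC entry; nothing will pass")
    return findings

if __name__ == "__main__":
    for finding in lint_transparent_config(SAMPLE_CONFIG):
        print(finding)
```

Running it against SAMPLE_CONFIG reports three findings (outside in flood mode, inside without ARP inspection, inside with learning disabled but no static MAC entry); a config that uses no-flood on both interfaces with matching static arp and mac-address-table entries reports none.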