Basic Commands
The environment at the command prompt is similar to that of a Cisco router and
uses "emacs"-style commands, shown in Table 2.3.
Table 2.3 Basic Keystroke Shortcuts
Command                 Result
Tab                     Command-line completion.
Ctrl + A                Moves the cursor to the beginning of a line.
Ctrl + B                Moves the cursor one character left (nondestructive).
Alt + B                 Moves the cursor one word left.
Ctrl + D                Deletes the character under the cursor.
Ctrl + E                Moves the cursor to the end of the line.
Ctrl + F                Moves the cursor one character right.
Alt + F                 Moves the cursor one word right.
Ctrl + H or Rubout      Erases the previous character.
Ctrl + R                Reprints a line.
Up Arrow or Ctrl + P    Displays the previous line.
Down Arrow or Ctrl + N  Displays the next line.
Help or ?               Displays help.
To see more editing commands, try searching the Web for emacs-style
commands. However, the list shown in Table 2.3 is very useful. For example, if you
are setting up multiple ACL statements, you can save a great deal of effort by
changing only a port number: press Ctrl + P to get the previous line,
Alt + F to move right a few words, Ctrl + D to delete the old port, then
type the new port.
In addition, you don't have to type the full command—you only have to provide
enough of the command to establish a unique initial segment. For example,
the command configure terminal can be abbreviated; the first three letters aren't
enough (both conduit and configure start with con), and only one option from the
configure command starts with t. So to get into configuration mode, just type conf
t. Such shortcuts can save a bit of typing, particularly on long commands.
76 Chapter 2 • Introduction to PIX Firewalls
Hostname and Domain Name
Two useful commands are the hostname and domain-name commands. These set the
hostname (which appears in the prompt) and the domain name of the PIX. The
syntax is simply hostname followed by the name (and domain-name followed by the domain), for example:
PIX1(config)# hostname PIX1
PIX1(config)# domain-name secret.com
Configuring Interfaces
The most important aspect of a network device is the network interface. In the
PIX, configuring the network interface is a fairly straightforward process. You
need to specify a few parameters to put the security in context and a few parameters
to put connectivity in context, then the default information flow policy
takes over.
The nameif Command
The nameif command is used to give an interface a logical name and assign it a
security level. The name should be memorable, since it will be used in all other
commands. The format of the nameif command is:
nameif hardware_id interface security_level
hardware_id corresponds to the hardware associated with the interface, such as
ethernet0. interface corresponds to a descriptive name, such as dmz, and
security_level corresponds to the level of trust, an integer between 100 (trusted)
and 0 (untrusted).
The convention is to put ethernet0 (the first card from the left) as the outside
interface, with a security level of 0—for example:
PIX1(config)# nameif ethernet0 outside security0
To assign ethernet1 (the second card from the left) as the inside interface
with a security level of 100, the command is:
PIX1(config)# nameif ethernet1 inside security100
The remaining cards, if any, are assigned values between 0 and 100. An
example for a DMZ network might resemble the following:
PIX1(config)# nameif ethernet2 dmz security50
The interface Command
The interface command is used to set the physical layer properties of the interface.
The syntax of the command is:
interface hardware_id hardware_speed [shutdown]
In this command, hardware_id corresponds to the value from the nameif command,
and hardware_speed is chosen from Table 2.4.
Table 2.4 Hardware Speed Types for the interface Command
Value       Description
10baset     10Mbps Ethernet, half duplex.
100basetx   Fast Ethernet, half duplex.
100full     Fast Ethernet, full duplex.
1000sxfull  Gigabit Ethernet, full duplex.
1000basesx  Gigabit Ethernet, half duplex.
1000auto    Gigabit Ethernet to autonegotiate full or half duplex.
aui         10Mbps Ethernet, half duplex, for an AUI cable interface.
bnc         10Mbps Ethernet, half duplex, for a BNC cable interface.
auto        Sets Ethernet speed automatically. Generally, it is better to
            hardcode the cable type, since autonegotiation has failed
            with some hardware devices.
The optional shutdown keyword disables the interface; shutdown is useful to
rapidly remove a connection on a network that is at risk or to ensure that
unused networks are not accidentally added. An example of the interface command
is:
PIX1(config)# interface ethernet0 100full
The ip address Command
The ip address command sets the IP address of the particular interface. The syntax
of the command is as follows:
ip address interface ip_address netmask
In the ip address command, interface corresponds to the same parameter as in
the nameif command, a descriptive name for the network, and ip_address and
netmask correspond to the usual properties for the interface. An example of this
command might look something like this:
PIX1(config)# ip address dmz 192.168.0.1 255.255.255.0
NOTE
The PIX can also obtain an IP address through DHCP client or PPPoE
functionality. These features are discussed in Chapter 4.
Static Routes
The PIX is not a router and so does not have a wide selection of routing protocols.
The PIX supports static routes and RIP. Specifying a static route is done
with the following syntax:
route if_name ip_address netmask gateway_ip [metric]
Translating this syntax into English, it reads "If packets destined for interface
if_name on the network specified by network address ip_address are bounded by
mask netmask, then route them via a next hop at gateway_ip." The optional metric
parameter is used to give an indication of distance.
A particularly important route is the default route. This is the "route of last
resort"—the route used when no other direction is known for the packet. Only
one default route is allowed on the PIX. This route is indicated by the 0 route
with netmask 0; for example:
PIX1(config)# route outside 0 0 63.122.40.140 1
Password Configuration
Two passwords need to be set: a password for access to the PIX and an enable
password to get into privileged (enable) mode. The PIX is limited to 16-byte
passwords and is case sensitive. A basic password is set with commands such as:
PIX1(config)# passwd cisco
PIX1(config)# enable password cisco
In the configuration, the password is stored in an encrypted fashion. The
command then looks like this:
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
When first connecting to the PIX, you will see a password prompt:
Connected to 10.10.10.1.
Escape appearance is '^]'.
User Access Verification
Password:
Type help or '?' for a list of available commands.
pix1> en
Password: *****
You should note that to preserve security, the password is not echoed to the
screen, and the previous sequence will get you into enable mode.
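A small configuration audit, added here as an example and not taken from the book or from Cisco: it parses the nameif, interface, ip address, route and password lines covered in the sections above and flags departures from the conventions they describe (outside at security0 and inside at security100, a hardcoded cable type rather than auto, exactly one default route, and passwords stored in encrypted form). The configuration it reads is a constructed sample.

```python
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
ip address outside 63.122.40.141 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
route outside 0 0 63.122.40.140 1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
"""  # constructed sample of the commands covered above, not a real device's configuration

def parse_pix(text):
    # Collect the nameif / interface / ip address / route / password lines into one dict.
    cfg = {"nameif": {}, "speed": {}, "ip": {}, "default_routes": 0, "pw": {}}
    for parts in (line.split() for line in text.splitlines()):
        if parts[:1] == ["nameif"] and len(parts) == 4:       # nameif hw_id name securityN
            cfg["nameif"][parts[2]] = (parts[1], int(parts[3][len("security"):]))
        elif parts[:1] == ["interface"] and len(parts) >= 3:  # interface hw_id speed [shutdown]
            cfg["speed"][parts[1]] = parts[2]
        elif parts[:2] == ["ip", "address"] and len(parts) == 5:
            cfg["ip"][parts[2]] = (parts[3], parts[4])
        elif parts[:1] == ["route"] and len(parts) >= 5 and parts[2] in ("0", "0.0.0.0"):
            cfg["default_routes"] += 1                         # the "0 0" route of last resort
        elif parts[:2] == ["enable", "password"] and len(parts) >= 3:
            cfg["pw"]["enable"] = (parts[2], parts[-1] == "encrypted")
        elif parts[:1] == ["passwd"] and len(parts) >= 2:
            cfg["pw"]["login"] = (parts[1], parts[-1] == "encrypted")
    return cfg

def audit_pix(cfg):
    findings = []  # departures from the conventions the chapter describes
    for name, (hw, level) in cfg["nameif"].items():
        if (name == "outside" and level != 0) or (name == "inside" and level != 100):
            findings.append(f"{name} is security{level}; convention is outside=0, inside=100")
        if cfg["speed"].get(hw) == "auto":
            findings.append(f"{hw} ({name}) uses auto; hardcode the cable type")
        if name not in cfg["ip"]:
            findings.append(f"{name} has no ip address")
    if cfg["default_routes"] != 1:
        findings.append(f"{cfg['default_routes']} default routes; exactly one is expected")
    for kind in ("login", "enable"):
        if kind not in cfg["pw"]:
            findings.append(f"{kind} password not set")
        elif not cfg["pw"][kind][1]:
            findings.append(f"{kind} password is stored unencrypted")
    if len({v[0] for v in cfg["pw"].values()}) < len(cfg["pw"]):
        findings.append("login and enable passwords are identical")
    return findings
```

Running audit_pix(parse_pix(SAMPLE_CONFIG)) flags the auto-speed DMZ interface, its missing ip address, and the fact that the sample reuses one password for login and enable.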
NOTE
The PIX also supports local user accounts with individual passwords.
Alternatively, you can use RADIUS or TACACS+ for console authentication.
You'll find a detailed discussion of these features in Chapter 5.