Configuration Steps

Connections initiated from a higher-security interface toward a lower-security interface (for example, inside to Internet or inside to DMZ) are considered outbound connections, and traffic from a lower-security to a higher-security interface is considered inbound traffic. Work through the following steps to configure the PIX Firewall for inbound and outbound traffic:

1. Configure an access list on the ingress (incoming) interface (optional).

By default, outbound connections are allowed through the PIX firewall if you have the proper translation (when nat-control is turned on) and the routing configured. If nat-control is turned off, you do not need any translation. However, if you prefer to create an ACL and apply it on the ingress (incoming) interface, be sure to allow the initial traffic so that the translation (if nat-control is turned on and NAT is configured for the traffic) and the connection can be created on the PIX firewall. This translation and connection information is maintained on the PIX firewall. To allow outbound web traffic only from the inside network to the single web server IP address 198.133.219.25 (see Figure 3-4), use the following commands:

PIX(config)# access-list 101 permit tcp any host 198.133.219.25 eq www
PIX(config)# access-group 101 in interface inside

By default, inbound connections are denied on the interface. You must configure an access list to allow the connection on the interface, and you must be sure to allow the initial traffic so that the translation and connection can be created on the PIX firewall and the state information is maintained. The following ACL allows SMTP traffic to the mail server (10.1.1.10), whose translated IP address is 20.1.1.10; because the ACL is applied on the outside interface, it references the translated address that the packet still carries when it arrives:

PIX(config)# access-list 102 permit tcp any host 20.1.1.10 eq smtp
PIX(config)# access-group 102 in interface outside

If you want to allow a connection from the web server (172.16.171.10) on the DMZ to the mail server on the inside with the IP address 10.1.1.10, use the following ACL:

PIX (config)# access-list 103 permit tcp host 172.16.171.10 host 10.1.1.10 eq smtp
PIX (config)# access-group 103 in interface dmz
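The following Python script is an added example and is not code from the book or from Cisco. It parses the three ACLs and access-group bindings above and evaluates the first packet of a connection the way step 1 describes: with no ACL bound to the ingress interface, the security-level default applies (high-to-low permitted, low-to-high denied); once an ACL is bound, the first matching entry decides and anything unmatched falls to the implicit deny, so an inside ACL that only permits web traffic to 198.133.219.25 also blocks all other outbound traffic. The security levels (inside 100, dmz 50, outside 0), the 10.1.1.0/24 and 172.16.171.0/24 routes used to find the egress interface, and the `Packet` class are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed security levels for the three interfaces in the chapter's topology.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# Constructed route table (prefix -> egress interface). The 10.1.2.0/24 and
# default entries mirror routes the chapter configures; the others are assumed.
ROUTES = [
    (ipaddress.ip_network("10.1.1.0/24"), "inside"),
    (ipaddress.ip_network("10.1.2.0/24"), "inside"),
    (ipaddress.ip_network("172.16.171.0/24"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

PORT_NAMES = {"www": 80, "http": 80, "smtp": 25}

# The ACL and access-group lines from step 1, embedded as constructed input.
CONFIG = """
access-list 101 permit tcp any host 198.133.219.25 eq www
access-group 101 in interface inside
access-list 102 permit tcp any host 20.1.1.10 eq smtp
access-group 102 in interface outside
access-list 103 permit tcp host 172.16.171.10 host 10.1.1.10 eq smtp
access-group 103 in interface dmz
""".strip().splitlines()


@dataclass
class Packet:
    ingress: str   # interface the packet arrives on
    proto: str     # "tcp", "udp", ...
    src: str
    dst: str
    dport: int


def egress_interface(dst):
    """Longest-prefix match over ROUTES; the /0 default catches everything else."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n, _ in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]


def _parse_addr(toks):
    """Consume one PIX address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M'."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def parse_acl_config(lines):
    """Return ({acl_name: [ace, ...]}, {interface: acl_name}) from CLI lines."""
    acls, bindings = {}, {}
    for line in lines:
        toks = line.split()
        if toks[0] == "access-list":
            if toks[2] == "extended":      # 7.x syntax may carry this keyword
                del toks[2]
            name, action, proto = toks[1], toks[2], toks[3]
            src, rest = _parse_addr(toks[4:])
            dst, rest = _parse_addr(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls.setdefault(name, []).append((action, proto, src, dst, dport))
        elif toks[0] == "access-group":    # access-group <acl> in interface <name>
            bindings[toks[4]] = toks[1]
    return acls, bindings


def ace_matches(ace, pkt):
    action, proto, src, dst, dport = ace
    return (proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in src
            and ipaddress.ip_address(pkt.dst) in dst
            and (dport is None or dport == pkt.dport))


def acl_decision(acls, bindings, pkt):
    """Return (verdict, reason) for the first packet of a connection.

    No ACL bound: the security-level default decides. ACL bound: first match
    wins, and an unmatched packet hits the implicit deny at the end of the ACL,
    even for traffic that the default would have allowed outbound.
    """
    name = bindings.get(pkt.ingress)
    if name is None:
        egress = egress_interface(pkt.dst)
        if SECURITY_LEVEL[pkt.ingress] > SECURITY_LEVEL[egress]:
            return "permit", f"no ACL on {pkt.ingress}; outbound to {egress} allowed by default"
        return "deny", f"no ACL on {pkt.ingress}; inbound to {egress} denied by default"
    for ace in acls[name]:
        if ace_matches(ace, pkt):
            return ace[0], f"matched entry of ACL {name}"
    return "deny", f"implicit deny at end of ACL {name}"


if __name__ == "__main__":
    acls, bindings = parse_acl_config(CONFIG)
    for pkt in (Packet("inside", "tcp", "10.1.1.50", "198.133.219.25", 80),
                Packet("inside", "tcp", "10.1.1.50", "198.133.219.25", 443),
                Packet("outside", "tcp", "192.0.2.7", "20.1.1.10", 25),
                Packet("dmz", "tcp", "172.16.171.11", "10.1.1.10", 25)):
        print(pkt, "->", acl_decision(acls, bindings, pkt))
```

Running the script with the inside ACL removed from `bindings` shows the contrast the text draws: the same HTTPS packet that the bound ACL 101 drops is permitted by the security-level default.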

2. Configure for translation or no translation.

Beginning with PIX Firewall Version 7.0, you have the option to turn NAT control on or off with the nat-control command. If nat-control is turned on (off is the default unless the PIX was upgraded from 6.3), the PIX Firewall requires you to configure NAT for source address translation for outbound traffic and destination address translation for inbound traffic. If nat-control is turned off, NAT is performed only if the packet matches a source or destination NAT rule.

3. Configure NAT for the outbound connection.

There are many options available for configuring source address translation, depending on your needs for the outbound connection.

To configure dynamic NAT, use the following commands:

PIX(config)# global (outside) 1 20.1.1.20-20.1.1.50 netmask 255.255.255.0
PIX(config)# global (outside) 1 20.1.1.51
PIX(config)# nat (inside) 1 10.10.1.0 255.255.255.0
PIX(config)# nat (inside) 1 10.10.2.0 255.255.255.0

For the outbound connection, you can also configure dynamic PAT with the interface IP address as follows:

PIX(config)# global (outside) 1 interface
PIX(config)# nat (inside) 1 10.10.1.0 255.255.255.0
PIX(config)# nat (inside) 1 10.10.2.0 255.255.255.0

To configure policy NAT for the outbound connection, use the following commands:

PIX(config)# access-list 101 permit ip 10.1.1.0 255.255.255.0 any
PIX(config)# access-list 101 permit ip 10.1.2.0 255.255.255.0 any
PIX(config)# nat (inside) 1 access-list 101
PIX(config)# global (outside) 1 20.1.1.20-20.1.1.50 netmask 255.255.255.0

To configure policy PAT, use the following commands:

PIX(config)# access-list 101 permit ip 10.1.1.0 255.255.255.0 any
PIX(config)# access-list 101 permit ip 10.1.2.0 255.255.255.0 any
PIX(config)# nat (inside) 1 access-list 101
PIX(config)# global (outside) 1 interface

To use a static translation for the source address, use the following command:

PIX(config)# static (inside,outside) 20.1.1.100 10.1.1.100 netmask 255.255.255.255

Note that the same static translation is also used for inbound connections to the 10.1.1.100 address, which has the external IP address 20.1.1.100.

If you do not want to perform NAT for the source address, you can configure identity NAT, also known as nat 0, with the following commands:

PIX(config)# nat (inside) 0 10.1.1.0 255.255.255.0
PIX(config)# nat (inside) 0 10.1.2.0 255.255.255.0

The same can be configured with an ACL, using the following commands:

PIX(config)# access-list 101 permit ip 10.1.1.0 255.255.255.0 any
PIX(config)# access-list 101 permit ip 10.1.2.0 255.255.255.0 any
PIX(config)# nat (inside) 0 access-list 101

The difference between nat 0 with an ACL and nat 0 with a network statement is that with the nat 0 ACL form, translation is bypassed for both inbound and outbound connections: for inbound connections the destination address is not translated, and for outbound connections the source address is not translated. With the nat 0 network statement, only the source address translation for outbound connections is bypassed.

4. Configure NAT for the inbound connection if required.

For an inbound connection, you must configure the PIX to perform destination address translation. This is usually accomplished with the static command on the PIX firewall as follows:

PIX(config)# static (inside,outside) 20.1.1.100 10.1.1.100 netmask 255.255.255.255

You must also allow the traffic to 20.1.1.100 in the ACL on the outside interface of the PIX for the inbound connection to succeed.

To use the outside interface IP address, rather than a dedicated global address such as 20.1.1.100, for the inside host, configure static PAT with the following command:

PIX(config)# static (inside,outside) tcp interface 80 10.1.1.100 80 netmask 255.255.255.255

In the ACL applied to the ingress (outside) interface, you must permit the web traffic to the outside interface address, 20.1.1.1, for this static PAT to be reachable.

To configure policy static NAT, which defines additional criteria that must be met before the destination address translation is triggered, use the following commands:

PIX(config)# access-list 101 permit tcp host 10.1.1.100 eq 80 any
PIX(config)# static (inside,outside) 20.1.1.100 access-list 101

You can also configure bidirectional NAT on the PIX firewall. The details of bidirectional NAT are beyond the scope of this book.
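The following Python script is an added example, not code from the book or from Cisco, covering steps 3 and 4 together. It resolves which NAT rule a new connection hits, in the order the PIX 7.x consults them for an inside host (NAT exemption, then static, then policy NAT, then regular NAT), and returns the address the connection is mapped to. It makes the distinction drawn in step 3 concrete: a nat 0 access-list exemption bypasses translation in both directions, whereas a nat 0 network statement is identity NAT for outbound source addresses only, so an inbound connection to such a host still needs a static when nat-control is on. The rule base is a constructed, self-consistent subset of the chapter's commands; the DMZ exemption between 10.1.1.0/24 and 172.16.171.0/24, the `RULES` layout and the `translate()` function are assumptions for the example.

```python
import ipaddress


def net(spec):
    """Turn PIX address syntax ('any', '10.1.1.100', '10.1.1.0 255.255.255.0') into ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    parts = spec.split()
    if len(parts) == 1:
        return ipaddress.ip_network(parts[0] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


# Constructed rule base for the inside interface, in the order PIX 7.x consults it
# for a new connection: exemption, static, policy NAT, regular NAT. The DMZ
# exemption is assumed for the example; the other entries mirror the chapter.
RULES = {
    # nat (inside) 0 access-list <acl>: (real net, remote net), bypassed both ways
    "exempt": [(net("10.1.1.0 255.255.255.0"), net("172.16.171.0 255.255.255.0"))],
    # static (inside,outside) <mapped> <real>: bidirectional one-to-one
    "static": [("20.1.1.100", net("10.1.1.100"))],
    # nat (inside) <id> access-list <acl>: (id, real src net, dst net), outbound only
    "policy": [(1, net("10.1.1.0 255.255.255.0"), net("any"))],
    # nat (inside) <id> <net>: (id, real net); id 0 is identity NAT, outbound only
    "dynamic": [(1, net("10.10.1.0 255.255.255.0")), (0, net("10.1.2.0 255.255.255.0"))],
    # global (outside) <id> ...: pool shared by policy and regular NAT with that id
    "global": {1: "20.1.1.20-20.1.1.50"},
}


def translate(src, dst, direction, nat_control=True):
    """Resolve which rule a new connection hits and the address it maps to.

    direction 'outbound': inside -> lower security, the source is translated.
    direction 'inbound' : lower security -> inside, the destination is untranslated.
    Returns (rule_kind, address); address is None when the packet is dropped.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    key, peer = (s, d) if direction == "outbound" else (d, s)

    # 1. NAT exemption matches on both addresses and applies in both directions.
    for real_net, remote_net in RULES["exempt"]:
        if key in real_net and peer in remote_net:
            return ("exempt", str(key))

    # 2. A static is consulted next and also works in both directions.
    for mapped, real_net in RULES["static"]:
        if direction == "outbound" and key in real_net:
            return ("static", mapped)
        if direction == "inbound" and str(key) == mapped:
            return ("static", str(real_net.network_address))

    if direction == "outbound":
        # 3. Policy NAT keys on source and destination.
        for nat_id, src_net, dst_net in RULES["policy"]:
            if key in src_net and peer in dst_net:
                return ("policy-nat", RULES["global"][nat_id])
        # 4. Regular NAT keys on the source only; nat 0 <net> is identity NAT
        #    and, unlike the nat 0 access-list form, creates no inbound bypass.
        for nat_id, src_net in RULES["dynamic"]:
            if key in src_net:
                if nat_id == 0:
                    return ("identity", str(key))
                return ("dynamic-nat", RULES["global"][nat_id])

    # No rule matched: with nat-control on, a translation is required and the
    # connection is dropped; with nat-control off it passes untranslated.
    if nat_control:
        return ("drop", None)
    return ("untranslated", str(key))


if __name__ == "__main__":
    for args in (("10.1.1.100", "198.133.219.25", "outbound"),
                 ("198.133.219.25", "20.1.1.100", "inbound"),
                 ("10.1.2.7", "198.133.219.25", "outbound"),
                 ("198.133.219.25", "10.1.2.7", "inbound")):
        print(args, "->", translate(*args))
```

Note that the exemption is checked before the static, so 10.1.1.100 talking to the DMZ keeps its real address even though a static exists for it; this ordering is the reason nat 0 access-list entries are the usual way to carve out traffic, such as a VPN or DMZ path, from an otherwise translated network.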

5. Configure routes for the outside and inside networks.

You can configure static routes or a dynamic routing protocol on the PIX to populate the routing table. Usually, if the PIX performs NAT/PAT for Internet-bound traffic, a default gateway is configured to point to the next-hop router. You can have only a single default gateway on the PIX firewall. The following command configures the default gateway for Internet-bound traffic:

PIX(config)# route outside 0.0.0.0 0.0.0.0 20.1.1.10

Because the 10.1.2.0/24 network is not directly connected to the PIX firewall but sits behind the inside router, you must configure the following route pointing to 10.1.1.2:

PIX(config)# route inside 10.1.2.0 255.255.255.0 10.1.1.2

You must also configure a default gateway on the inside router that points to the PIX inside interface IP address (10.1.1.1).

6. Turn on protocol inspection.

By default, several protocol inspections are enabled, which are sufficient to process traffic across the PIX firewall. If a protocol you need is not inspected by default, you might need to turn its inspection on.