Maintaining Hosts and Networks
We have discussed many of the properties configurable on the PIX firewall. At
this point, you should have a good understanding of how to configure the PIX
firewall itself. Now, let's look at how to configure the PIX firewall with regard to
other objects on the network. Before adding access rules to permit or deny traffic
through the firewall, you must configure host and network objects and/or groups
from the Hosts/Networks tab.
From the Hosts/Networks tab, you can define specific attributes for remote
and connected networks and hosts, such as IP information, NAT details, and
routing configurations. These objects can represent internal resources such as mail
servers and Web servers or external resources such as remote offices or networks.
Click the Hosts/Networks tab to display the Hosts/Networks screen, shown in
Figure 9.43.
This tab is organized into two sections: the Hosts/Networks section and the
Hosts/Networks Groups section. The Select Interface pull-down menu permits
you to configure hosts and network objects available on specific PIX firewall
interfaces. In the example described previously, the inside interface is configured
with the network 172.20.0.0 and one specific host, 172.20.1.1, which is the inside
interface of the PIX firewall.
www.syngress.com
PIX Device Manager • Chapter 9 501
Because we will be adding access rules to permit specific network traffic to
internal servers, a host entry must be configured from this tab for each server. As
an example, let's add a new Web server host to the internal network configuration
so that we can add access rules later in the chapter. The host will have the
attributes shown in Table 9.4.
Table 9.4 Web Server Host Attributes
Attribute             Value
Internal IP address   172.20.1.80
Mask                  255.255.255.255
External IP address   192.168.1.20
Interface             Inside
Name                  www
Figure 9.43 The Hosts/Networks Screen
To add a new host, click Add from the Hosts/Networks section of the
screen. The Create host/network basic information window appears. Fill in the
appropriate fields (see Figure 9.44) and click Next.
Completing this form creates a new object in the PIX configuration. We use
a 32-bit host mask in this example because we are adding a specific host. This
mask should not be confused with the actual subnet mask on the host. By
changing the mask in the Mask field using the drop-down menu, you could add
a network object. After clicking Next, you will be prompted to configure NAT
via the Create host/network NAT window, as shown in Figure 9.45.
From this window, you can configure either dynamic or static NAT,
depending on the type of connectivity you want to allow to the new host. To
permit only outbound connectivity (connectivity from a higher-security to a
lower-security interface) from a host, select the Dynamic radio button. This
choice dynamically translates the address of the added host to the specific NAT
pool as determined by the Address Pool ID drop-down list. To permit both outbound
and inbound connectivity (connectivity from a lower-security to a higher-security
interface), click the Static radio button. This choice creates a one-to-one
NAT mapping between the address of the added host and the address specified in
the Static field.
Figure 9.44 The Create Host/Network Basic Information Window
In our example, we want to eventually permit inbound connectivity to our
new internal Web server host. Therefore, click the Static radio button and add an
externally accessible address such as 192.168.1.20. This will configure the PIX
firewall to translate our internal Web server's IP address of 172.20.1.80 to
192.168.1.20 and vice versa when traffic traverses the PIX firewall interfaces.
Click OK to add the new host information to the PIX firewall configuration and
return to the Hosts/Networks screen.
For practice, add a second example host object using the process we discussed.
This time, however, click Finish after completing the Create host/network
basic information window. We will configure NAT for this host later in the
chapter. Use the attributes listed in Table 9.5.
Table 9.5 Mail Server Host Attributes
Attribute             Value
Internal IP address   172.20.1.25
Mask                  255.255.255.255
Interface             inside
Name                  mail
Figure 9.45 The Create Host/Network NAT Window
From the Hosts/Networks tab screen, highlight the new Web server (www)
object and click Edit. The Edit host/network window appears, as shown in
Figure 9.46.
From this window, you can modify the host attributes added previously and
add host- or network-specific routing information. For instance, if you add a network
object to the PIX configuration and need to add a specific route statement
for that network, you can do this from the Routing tab on the Edit host/
network window. Alternatively, you can add routes via the System Properties tab
Routing category, as previously described. Similarly, you can add or modify NAT
information for specific hosts or networks from the NAT tab on the Edit host/
network window or via the Translation Rules tab in the main PDM window. We
discuss the PDM Translation Rules tab later in this chapter.
From the Hosts/Networks tab, you can also form groups of networks and
hosts. This functionality simplifies rule management. Object grouping can also
improve rule-processing efficiency on the PIX firewall. For example, if you
have multiple servers that require HTTP connectivity, you could form a group
object called WebServers and add all HTTP servers to the group, as shown in
Figure 9.47.
To enable inbound access to the WebServers group, you simply add one access
rule using the WebServers group instead of multiple, individual access rules for
each Web server.
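The PIX 6.x CLI equivalent of what PDM writes for the static NAT on the Web server, the dynamic NAT pool for the rest of the inside network, and the WebServers group, as an added example that is not from the original chapter. The interface name outside, the /16 inside mask, the global pool range and the access-list name are assumptions, since the chapter does not give them.

```text
! Constructed PIX 6.x configuration fragment; assumed values are marked
names
name 172.20.1.80 www
name 172.20.1.25 mail

! Static NAT: one-to-one mapping, permits inbound and outbound for www
static (inside,outside) 192.168.1.20 www netmask 255.255.255.255

! Dynamic NAT (Address Pool ID 1): outbound only for the remaining inside hosts,
! including mail until it gets its own translation (mask and pool range assumed)
nat (inside) 1 172.20.0.0 255.255.0.0
global (outside) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0

! Group of HTTP servers. A rule applied on the outside interface matches the
! translated (global) address, so the group holds 192.168.1.20, not 172.20.1.80
object-group network WebServers
  network-object host 192.168.1.20

! One inbound rule for the whole group (access-list name assumed)
access-list outside_access_in permit tcp any object-group WebServers eq www
access-group outside_access_in in interface outside
```

Hosts covered only by the nat/global pair get no inbound translation, so a packet from the outside destined for mail is dropped before any access rule is consulted; that is the difference between the Dynamic and Static radio buttons expressed in configuration.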
Figure 9.46 The Edit Host/Network Window
Now that you understand how to add, modify, and delete host, network, and
group objects, let's take a closer look at address translation.