Resetting the System

Resetting the System

Generally, afterwards attractive a new image, you will appetite to accept the PIX alpha under

the new image. Similarly, it is accessible to occasionally restore the agreement to

what is active on the flash—if, for example, you accept been exploring commands

and accept gotten to an ambiguous state.You can consistently power-cycle the

device; this band-aid has no affective parts, and configurations and images are fully

flushed to flash, so you do not accept to anguish about corruption. But there is a

better way: the reload command.

The reload Command

You can restart the PIX alluringly application the reload command.This command

prompts you, to ensure that you absolutely beggarly what you are saying; it can alone be

executed from advantaged mode:

pix1# reload

Proceed with reload? [confirm]

At this point, there is a abrupt abeyance while the PIX reboots, and again you will

be alive beneath the new system. Note: If you appetite to bypass acute the

second carrying return, you can blazon reload noconfirm, but aback you are executing

a potentially alarming command such as a reboot, it is about acceptable to

have an “Are you absolutely abiding you appetite to do this?” checkpoint.

www.syngress.com

Introduction to PIX Firewalls • Affiliate 2 83

Summary

The PIX is a committed firewall apparatus based on a special-purpose, hardened

operating system.The simplified atom and bargain command anatomy (compared

with firewalls based on general-purpose operating systems) agency that all

other things actuality equal, the PIX will accept college throughput and added reduced

maintenance costs than the general-purpose device. In addition, the affinity to

IOS provides an bend to aegis administrators who are accustomed with the Cisco

environment.

The PIX is a amalgam firewall based on stateful packet clarification with the use of

proxies for specific applications.The stateful packet clarify is accepted as the Adaptive

Security Algorithm, or ASA, and uses two databases: a table of translations and a

table of accepted connections, to advance accompaniment of the cartage transiting the network

and to dynamically acquiesce packets through the filter.The ASA inspects both packet

header information, including antecedent address, destination address, and TCP and

UDP atrium information, as able-bodied as packet capacity for assertive protocols, to make

intelligent decisions on acquisition the packets. ASA has added features: It will

rewrite packets area necessary, as allotment of its analysis engine, area the protocols

are able-bodied known.

About a dozen proxies are associated with the PIX. Some, such as the FTP

proxy, augment the ASA action by acceptance the casual of packets associated

with an accustomed communication—for FTP, while the command admission follows

the accustomed three-way handshake accomplished by the applicant and directed at a wellknown

socket, the abstracts channels accept the handshake accomplished by the server (in

the adverse administration of the accepted aegis policy) and directed at a anchorage defined

during the transaction. Others, such as the SMTP proxy, are advised to enforce

a bound subset of agreement commands and, by administration the RFC, provide

additional aegis to potentially buggy applications. Still others, such as the

multimedia proxies, accommodate the intelligence to abstract IP addresses from the body

of the packets and handle the circuitous afterlight and allotment for these

interrelated protocols.

In accession to its built-in packet-filtering and admission ascendancy features, the PIX

provides added accepted firewall services. Again, a key advantage of an appliance

is performance, and the PIX makes an accomplished VPN terminator, with the

ability to canyon encrypted cartage at wire speed, aback an accelerator agenda is

installed. It can accommodate agreeable logging and clarification to advice ascendancy Web surfing

and provides abode adaptation to acquiesce for either “sewing together” networks

seamlessly at the ambit or accumulation (and concealing) centralized networks to

present to the alfresco apple a bound cardinal of addresses.

www.syngress.com

84 Affiliate 2 • Introduction to PIX Firewalls

Modern environments depend on firewalls, and so the PIX provides high

resiliency through its failover mechanism.This apparatus provides for a hot

spare—a added PIX with an agnate agreement that will automatically

press itself into account should the primary accessory fail.

The PIX’s all-encompassing capabilities are akin by accouterments flexibility. As of this

writing, bristles altered models are shipping, advised to bout about any environment.

The PIX 501 is advised for the SOHO user, with a baby about-face congenital in

for basal use.The PIX 506E, advised for the baby or annex office, supports

better achievement for abutting aback to the accumulated hub.The PIX 515E is

designed for the action amount of baby to medium-sized business, with a rackmount

chassis and agnate enterprise-class performance.The PIX 525 is

designed for ample action or baby account provider environments and has a

slot-based agreement to acquiesce for assorted interface configurations.The PIX

535 is the top-of-the-line model, advised for account provider environments,

with the best accessible throughput of the PIX appliances.

Communicating with an unconfigured PIX is best calmly accomplished through

the animate cable.This is provided with anniversary firewall kit. Use a communications

program such as Hyperterm, set your ambit to 8-N-1, and during the boot

sequence you will see characters on your screen.

Licensing for the PIX appearance is set via an activation key.You should have

received advice about your activation key aback you purchased the PIX;

additional appearance can be purchased and new activation keys applied.The activation

keys are abased on a (hardware) consecutive cardinal based on your flash.You

can add new keys through either adviser admission or the activation-key command,

new to adaptation 6.2. Licensing usually avalanche into three types: complete (all features

enabled), belted (limited appearance and interfaces), or failover (used for hot

standby machines).

Password accretion is accomplished by active a appropriate affairs (different for

each adaptation of the operating system) on the PIX itself.The action requires

either a committed cossack diskette or the use of adviser admission and a TFTP download

of a acting image.

The accustomed agreement of the PIX is accomplished through a command-line

interface.This interface uses the “emacs” alteration commands and is actual agnate to

that provided in the Cisco IOS.The command anatomy is modal, with three

major modes: unprivileged, which has actual few accessible commands; privileged,

where all commands are accessible (subject to your advantage level, which can be

set in a bounded database), and agreement mode, by which changes are fabricated to

the active configuration.

www.syngress.com

Introduction to PIX Firewalls • Affiliate 2 85

Things that you will appetite to set up in every agreement accommodate host and

domain name, which configures the alert and controls fields in the agenda certificates

used in VPN traffic, and the backdrop of the interfaces.You ascendancy a

name—an affiliation amid a characteristic identifier for the interface and its

default aegis characteristics—physical properties, and IP properties.You will

also apparently appetite to set up some basal routing, decidedly the absence route.

Passwords on any aegis accessory are actual important.There are passwords for

access to the accessory (unprivileged mode) and for accretion to advantaged mode.

They can be aggregate passwords, one per box, or passwords on a per-user basis.

Cisco recommends the closing method, which requires ambience up AAA services,

either alien or local.

Managing agreement advice is additionally important. Once you accept built

the absolute config, you do not appetite to accept to retype it all in case of an emergency.

Configurations can be stored in human-readable architecture via an ASCII capture

(via abode terminal) or as a argument book on a TFTP server (via abode net). Images

can additionally be brought assimilate the arrangement with the archetype command, either from a TFTP

server (copy tftp) or from a Web server URL (copy https://servername/pix_image

flash).The arrangement can again be restarted with the reload command and is accessible to

run beneath the new configuration.

Solutions Fast Track

PIX Firewall Features

 The PIX is based on a committed operating arrangement with security

functionality as the focus as against to actuality aloof accession affection of the

general operating system.

 All added things equal, a committed operating arrangement will accommodate higher

throughput back beneath added tasks are actuality performed and will have

lower aliment costs because there are beneath patches to manage.

 The affection of the PIX’s functionality is the stateful packet filter, accepted as

the Adaptive Aegis Algorithm, or ASA. It is a committed procedure

that manages state, independent in two key databases, the CONN table and

XLATE table.

www.syngress.com

86 Affiliate 2 • Introduction to PIX Firewalls

 The PIX is a amalgam firewall, accumulation packet clarification with dedicated

proxies for specialized protocols such as H323 and SMTP. It contains

other careful appearance such as fragment aegis and DNS replay

protection.

 In accession to “classic” firewall features, the PIX has several other

features:VPN abortion (helpful for amalgam encrypted cartage into

the firewall policies); URL clarification (helpful because the firewall sits in a

choke point and is a accustomed abode to do filtering), and NAT/PAT

capabilities so that the firewall can burrow centralized abode structures and

extend the accessible abode space.

PIX Hardware

 The PIX band has bristles models, advised for deployments alignment from

home users to account provider firewall cores.

 The PIX 501 has a desktop anatomy agency and is advised for the SOHO

environment. It is advised to clearly bead into home user

networks after acute user configuration, but it supports central

administration and all the appearance of the blow of the artefact line.

 The PIX 506E is agnate to the 501 but is aimed at the baby or branch

office deployments. It additionally has an accessible bureaucracy and is advised to support

more users.

 The PIX 515E is advised for the action amount and is a rack-mounted

appliance. It is additionally acceptable as an centralized firewall, isolating internal

enterprise departments.

 The PIX 525 is advised for ample action use. It is rack-mountable,

like the 515E, but has the adequacy for assorted interface configurations

such as accouterment account networks in accession to the Internet and

trusted networks.

 The PIX 535 is the highest-performing appliance, aimed at the service

provider environment. It combines the accomplished achievement of the PIX

product band with the adaptability of the 525 line.

www.syngress.com

Introduction to PIX Firewalls • Affiliate 2 87

PIX Software Licensing and Upgrades

 The PIX authorization is based on an activation key.The key is different to your

serial number, which is angry to the accouterments flash. If you alter the

flash, you charge a new key.

 Licensing is soft-upgradeable via accession of a new activation key.This

allows for a “pay as you charge it” approach, acceptance for new features

such as 3DES encryption or added interfaces to be enabled alone as

required, after accepting to alter the hardware.

 Licensing is awash as one of three types: unrestricted, restricted, failover.

Failover provides aerial availability (with a added accouterments device).

Restricted licensing banned the cardinal of admission or interfaces,

whereas complete licensing allows all appearance to be enabled.

The Command-Line Interface

 The command-line interface uses “emacs style” commands.This allows

for manipulating the command band to aeon through the command

history as able-bodied as alteration the absolute line.

 Beneath accustomed operation, the command band is in one of three modes:

unprivileged, privileged, and configuration. Unprivileged admission allows

you to audit a bound cardinal of ambit and to admission privileged

mode. Advantaged admission allows you abounding admission to the commands without

changing the configuration. As its name suggests, agreement admission is

the way you absolutely amend the accessory environment.

 The PIX supports a array of agreement administration technologies:

The config can be accounting to beam or out to TFTP servers. Back the

configurations are textual in nature, they can be apprehend or manipulated

outside the PIX analogously to any argument file.

www.syngress.com

88 Affiliate 2 • Introduction to PIX Firewalls

Q: Can I administer the PIX accidentally after application Telnet?

A: Yes. Starting with adaptation 5.3, analysis out SSH compatibility.The account is

enabled with:

ssh ip_address [netmask] [interface_name]

You charge a DES or 3DES activation key and charge administer an RSA key

pair. Back Telnet passes passwords in the clear, its use is deprecated except on

very deeply controlled networks, and the use of SSH or animate admission is

encouraged.

Q: Does the PIX abutment SNMP management?

A: Yes.The PIX supports read-only SNMP admission via the snmp-server commands.

You can set a association cord and activate accessories to a accumulating agent.

Q: Does the PIX abutment syslog-style events?

A: Yes.The PIX supports accident administration via syslog; assorted syslog hosts can

be specified. See the logging command for added details. (Earlier versions used

the syslog commands; they are retained for astern compatibility, but you

should drift to application the appellation logging.)

Q: Will the PIX accommodate DHCP services?

A: Yes. In fact, DHCP is enabled by absence on the 501 and 506 devices. DHCP

is a account that will dynamically accredit IP addresses to (internal) hosts as they

boot up.This account allows laptop users to automatically access IP addresses.

In abate environments, enabling DHCP allows for added convenience

in managing networks.

www.syngress.com

Frequently Asked Questions

The afterward Frequently Asked Questions, answered by the authors of this book,

are advised to both admeasurement your compassionate of the concepts presented in

this affiliate and to abetment you with real-life accomplishing of these concepts. To

have your questions about this affiliate answered by the author, browse to

www.syngress.com/solutions and bang on the “Ask the Author” form.

Introduction to PIX Firewalls • Affiliate 2 89

For higher-end PIX devices, DHCP is accessible but not angry on by

default. Although this is not a aegis hole, it is accessible to ascendancy DHCP via

a abstracted device, so that the IP-to-MAC abode mappings can be monitored,

queried, and contrarily controlled.

Q: I am aggravating to acquiesce from the Central to DMZ1. I opened the

appropriate port, and for the aboriginal person, aggregate formed great.The

instant a added central being tries to use , however, everything

breaks.What can I do?

A: Analysis your fixups. If matches a fixup, you ability be able to adjust

performance. If that is not working, it ability be a NAT/PAT problem.

Remember that PAT remaps IP addresses and anchorage numbers to a single

unique IP address. Some protocols will not admittance that affectionate of remapping;

switching from PAT to NAT could help. Better yet, see if you can abstain the

use of NAT altogether.When you are mapping from central to the DMZ, you

are apparently application clandestine addresses on both sides.Turn off the NAT translation,

and you should be able to canyon cartage safely.