Lab Exercise—Configure the PIX Firewall

Complete the following lab exercises to practice what you have learned.

Objectives

In this lab exercise, you will complete the following tasks:

■ Configure basic PIX Firewall features to protect Internet access to an enterprise network.
■ Test and verify basic PIX Firewall operation.

Visual Objective

The following figure displays the topology of the lab environment used in this exercise.

[Figure: Lab Visual Objective (© 2001, Cisco Systems, Inc., www.cisco.com, CSPFA 2.0—4-32). The PIX Firewall has three interfaces: e1 inside, 10.0.P.1 on 10.0.P.0/24, with the inside host at 10.0.P.2; e0 outside, 192.168.P.1 on 192.168.P.0/24, with the Internet server (web, FTP, and TFTP server) at 192.168.P.2 toward the Internet; e2 dmz, 172.16.1.P on 172.16.1.0/24, with the bastion host (web and FTP server) at 172.16.1.50.]

Copyright 2003, Cisco Systems, Inc. Pix Advanced Road Show Lab 1-1

Access and Lab Setup

To do this lab exercise, you must be connected to the lab at www.labgear.net. Your instructor will provide the username and password for logging into this site. Once logged on, the lab diagram will be displayed (the picture below is for Pod #1).

To access the PIX Firewall from the main lab diagram, click on the “CONSOLE” icon associated with the PIX Firewall. A window will open to the PIX console. To access the inside or outside hosts, click on the appropriate “PC Desktop” icon. For these devices you must first authenticate at the “VNC Authentication” screen before you can access the PC desktop.

Passwords

Use the following passwords for this lab:

■ Lab Gear password: Your instructor will provide it.
■ PIX password: Either no password (just press the Enter key) or cisco.
■ PC client or server: The username is administrator and there is no password (just press the Enter key).
■ VNC password: When you connect to the PCs or servers, use a password of cisco at the VNC screen.
Task 1—Configure PIX Firewall Interfaces

To configure PIX Firewall Ethernet interfaces, complete the following steps:

Step 1 On the main lab diagram, click on the “CONSOLE” icon associated with the PIX Firewall. A window will open to the PIX console. Press Enter, and one of two things will happen.

Step 2 If there is currently a configuration in the PIX, a PIX prompt will be displayed:

    pixP> or pixP# or pixfirewall> (where P = pod number)

Step 3 If you get the pixfirewall> prompt, go to Step 7. Otherwise, continue (we want to start this lab with an unconfigured PIX).

Step 4 Enter the privileged mode of the PIX Firewall. If prompted for a password, press Enter:

    pixP> enable
    Password:
    pixP#

Step 5 Erase the configuration and reload the firewall:

    pixP# write erase
    pixP# reload

Step 6 If there is no configuration in the PIX, after a reload it will start the basic setup routine. This routine will ask you a series of questions in order to build a basic configuration. We do not want to use the setup routine. Enter no at the “Pre-configure PIX Firewall now through interactive prompts [yes]?” prompt.

Step 7 Enter the privileged mode of the PIX Firewall. If prompted for a password, press Enter. Enter configuration mode and change the hostname to pixP (where P = pod number) using the hostname command:

    pixfirewall> enable
    Password:
    pixfirewall#
    pixfirewall# configure terminal
    pixfirewall(config)# hostname pixP
    pixP(config)#

Step 8 Assign the PIX Firewall DMZ interface a name (dmz) and security level (50). Display the interface names and security levels with the show nameif command. Your output should be similar to that shown below:

    pixP(config)# nameif e2 dmz security50
    pixP(config)# show nameif
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    nameif ethernet3 intf3 security6
    nameif ethernet4 intf4 security8
    nameif ethernet5 intf5 security10
Step 9 Enable the Ethernet 0, Ethernet 1, and Ethernet 2 interfaces for auto-sensing 10/100 communications. Use the show interface command to display information about the interfaces.

Note By default the interfaces are disabled. You must enable all interfaces you intend to use.

    pixP(config)# interface e0 auto
    pixP(config)# interface e1 auto
    pixP(config)# interface e2 auto
    pixP(config)# show interface
    interface ethernet0 "outside" is up, line protocol is up
      Hardware is i82559 ethernet, address is 0090.2724.fd0f
      MTU 1500 bytes, BW 10000 Kbit full duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
    interface ethernet1 "inside" is up, line protocol is up
      Hardware is i82559 ethernet, address is 0090.2716.43dd
      MTU 1500 bytes, BW 100000 Kbit full duplex
        184 packets input, 15043 bytes, 0 no buffer
        Received 179 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
    interface ethernet2 "dmz" is up, line protocol is up
      Hardware is i82558 ethernet, address is 0090.2725.060d
      MTU 1500 bytes, BW 10000 Kbit full duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
    interface ethernet3 "intf3" is administratively down, line protocol is down
      Hardware is i82558 ethernet, address is 0090.2716.43dc
      MTU 1500 bytes, BW 100000 Kbit full duplex
        184 packets input, 15043 bytes, 0 no buffer
        Received 179 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
    interface ethernet4 "intf4" is administratively down, line protocol is down
      Hardware is i82558 ethernet, address is 0090.2716.43db
      MTU 1500 bytes, BW 100000 Kbit full duplex
        184 packets input, 15043 bytes, 0 no buffer
        Received 179 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
    interface ethernet5 "intf5" is administratively down, line protocol is down
      Hardware is i82558 ethernet, address is 0090.2716.43da
      MTU 1500 bytes, BW 100000 Kbit full duplex
        184 packets input, 15043 bytes, 0 no buffer
        Received 179 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)

Step 10 Assign IP addresses to the inside,
outside, and dmz network interface cards. Insert your pod number wherever you see the letter P:

    pixP(config)# ip address outside 192.168.P.1 255.255.255.0
    pixP(config)# ip address inside 10.0.P.1 255.255.255.0
    pixP(config)# ip address dmz 172.16.1.P 255.255.255.0

Step 11 Ensure that the IP addresses are correctly configured and are associated with the proper network interface:

    pixP(config)# show ip address
    System IP Addresses:
      ip address outside 192.168.P.1 255.255.255.0
      ip address inside 10.0.P.1 255.255.255.0
      ip address dmz 172.16.1.P 255.255.255.0
      no ip address intf3
      no ip address intf4
      no ip address intf5
    Current IP Addresses:
      ip address outside 192.168.P.1 255.255.255.0
      ip address inside 10.0.P.1 255.255.255.0
      ip address dmz 172.16.1.P 255.255.255.0
      no ip address intf3
      no ip address intf4
      no ip address intf5

Step 12 Write the configuration to the flash memory:

    pixP(config)# write memory
    Building configuration
    Cryptochecksum: d4d9ae69 9f7c734c babeef58 54b69c91
    [OK]
    pixP(config)#

Task 2—Configure Global Addresses, NAT, and Routing for Inside and Outside Interfaces

To configure a global address pool, NAT, and routing, complete the following steps:

Step 1 Assign one pool of NIC-registered IP addresses for use by outbound connections:

    pixP(config)# global (outside) 1 192.168.P.20-192.168.P.250 netmask 255.255.255.0
    pixP(config)# show global
    global (outside) 1 192.168.P.20-192.168.P.250 netmask 255.255.255.0

Step 2 Configure the PIX Firewall to allow all inside hosts to use NAT for outbound access:

    pixP(config)# nat (inside) 1 0 0

Step 3 Display the currently configured NAT:

    pixP(config)# show nat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Note The nat ID in the global and nat commands must match. That allows you to have multiple different nat pools: nat pool 1 could be used for hosts from subnet A, and nat pool 2 could be used for hosts from subnet B. In the above example, the nat ID is 1.
Step 4 In order to direct traffic to other networks, you need to add routes. You assign a default route on the outside network this way:

    pixP(config)# route outside 0 0 192.168.P.254

Step 5 Display the currently configured routes:

    pixP(config)# show route
    outside 0.0.0.0 0.0.0.0 192.168.P.254 1 OTHER static
    inside 10.0.P.0 255.255.255.0 10.0.P.1 1 CONNECT static
    dmz 172.16.1.0 255.255.255.0 172.16.1.P 1 CONNECT static
    outside 192.168.P.0 255.255.255.0 192.168.P.1 1 CONNECT static

Step 6 Write the current configuration to flash memory:

    pixP(config)# write memory

Step 7 Display a list of the most recently entered commands. Your history list should be similar to the following:

    pixP(config)# show history
    interface e0 auto
    interface e1 auto
    interface e2 auto
    show interface
    ip address outside 192.168.P.1 255.255.255.0
    ip address inside 10.0.P.1 255.255.255.0
    ip address dmz 172.16.1.P 255.255.255.0
    show ip address
    write memory
    global (outside) 1 192.168.P.20-192.168.P.254 netmask 255.255.255.0
    show global
    nat (inside) 1 0 0
    show nat
    route outside 0 0 192.168.1.254
    show route
    write memory
    show history

Note You can use the up and down cursor keys on your keyboard to recall commands.
Step 8 Write the current configuration to the terminal and verify that you have entered the previous commands correctly:

    pixP(config)# write terminal
    Building configuration
    : Saved
    :
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto shutdown
    interface ethernet4 auto shutdown
    interface ethernet5 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    nameif ethernet3 intf3 security6
    nameif ethernet4 intf4 security8
    nameif ethernet5 intf5 security10
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pix1
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu intf5 1500
    ip address outside 192.168.P.1 255.255.255.0
    ip address inside 10.0.P.1 255.255.255.0
    ip address dmz 172.16.1.P 255.255.255.0
    no ip address intf3
    no ip address intf4
    no ip address intf5
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address dmz
    no failover ip address intf3
    no failover ip address intf4
    no failover ip address intf5
    pdm history enable
    arp timeout 14400
    global (outside) 1 192.168.P.20-192.168.P.250 netmask 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 192.168.P.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:f937dddaa79ad7a8b39ac14f6cd87ee5
    : end
    [OK]

Test the operation of the globals and NAT statements you configured by originating connections through the PIX Firewall:

1. Click on the “PC Desktop” icon on the inside client.
2. The “VNC Authentication” screen is displayed. The password is cisco. (The password is case-sensitive.)
3. Open a web browser on the inside client.
4. Use the web browser to access the outside server at IP address 192.168.P.2 by entering http://192.168.P.2 . If you are successful, the browser page will have a message like “Pod P Outside HTTP Server”. (You may have to scroll the page down to see this.)

Step 9 Observe the translation table:

    pixP(config)# show xlate

Your display should appear similar to the following:

    Global 192.168.P.20 Local 10.0.P.2

A global address chosen from the low end of the global range has been mapped to the inside client.

Task 3—Configure Inside Multiple Interfaces

Configure the PIX Firewall to allow access to the DMZ from the inside and outside network. Enter the following commands to configure the global address pools, NAT, and routing for the DMZ interface:

Step 1 Assign one pool of IP addresses for hosts on the public DMZ:

    pixP(config)# global (dmz) 1 172.16.1.1P0-172.16.1.1P9 netmask 255.255.255.0

(where P = pod number; use .100-.109 for pod 10)

Step 2 Clear the translation table so that the global IP address will be updated in the table:

    pixP(config)# clear xlate

Step 3 Write the current configuration to flash memory:

    pixP(config)# write memory

Step 4 Test web access to your bastion host from the inside client by doing the following:

1. Open a web browser on the inside client.
2. Use the web browser to access your bastion host by entering http://172.16.1.50 .
3. The home page of the bastion host should appear on your web browser. The browser page will have a message like “DMZ HTTP Server”. (You may have to scroll the page down to see this.)
4. Use the show arp, show conn, and show xlate commands to observe the transaction:

    pixP(config)# show arp
      outside 192.168.P.2 00e0.1e41.8762
      inside 10.0.P.2 00e0.b05a.d509
      dmz 172.16.1.50 00e0.1eb1.78df
    pixP(config)# show xlate
    Global 172.16.1.1P0 Local 10.0.P.2
    pixP(config)# show conn
    1 in use, 3 most used
    TCP out 172.16.1.50:80 in 10.0.P.2:1074 idle 0:00:07 Bytes 989 flags UIO

Note If you have successfully reached the web page but do not see any connection information, you probably need to turn off the caching on your web browser. For Internet Explorer: Tools -> Internet Options… -> General tab -> Settings… (in the Temporary Internet files area) -> under “Check for newer versions of stored pages” select “Every visit to the page” -> OK -> OK.
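The nat ID matching rule from the note in Task 2 and the per-interface global pools from Task 3 can be exercised with the following Python model, an added example that is not part of the Cisco lab or of PIX software. It assumes pod number 1 and reproduces only the address selection shown in the lab's show xlate output; the security-level check it applies (nat/global translates higher-to-lower security traffic only) is standard PIX behaviour rather than something the lab configures.

```python
import ipaddress

# Constructed sample for pod P=1: the nameif, nat and global lines entered in
# Tasks 1-3 of the lab, not output copied from a real PIX.
CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (inside) 1 0 0
global (outside) 1 192.168.1.20-192.168.1.250 netmask 255.255.255.0
global (dmz) 1 172.16.1.110-172.16.1.119 netmask 255.255.255.0
"""

class PixNat:
    """Minimal model of PIX 6.x nat/global address selection for outbound connections."""
    def __init__(self, config):
        self.security = {}   # interface name -> security level
        self.nat = {}        # source interface -> (nat ID, local network)
        self.pools = {}      # (destination interface, nat ID) -> free global addresses
        self.xlate = {}      # (local address, destination interface) -> global address
        for line in config.strip().splitlines():
            self._parse(line.split())

    def _parse(self, t):
        if t[0] == "nameif":
            self.security[t[2]] = int(t[3].replace("security", ""))
        elif t[0] == "nat":   # "nat (inside) 1 0 0" is shorthand for 0.0.0.0 0.0.0.0
            net = "0.0.0.0/0" if t[3] == "0" else f"{t[3]}/{t[4]}"
            self.nat[t[1].strip("()")] = (int(t[2]), ipaddress.ip_network(net, strict=False))
        elif t[0] == "global":
            first, last = (ipaddress.ip_address(a) for a in t[3].split("-"))
            nets = ipaddress.summarize_address_range(first, last)
            self.pools[(t[1].strip("()"), int(t[2]))] = [str(a) for n in nets for a in n]

    def translate(self, local, src_if, dst_if):
        """Return (global address, reason) for a new connection from local to dst_if."""
        if src_if not in self.nat:
            return None, f"no nat statement on {src_if}"
        nat_id, net = self.nat[src_if]
        if ipaddress.ip_address(local) not in net:
            return None, f"{local} is not covered by nat ({src_if}) {nat_id}"
        # Standard PIX rule, not configured in this lab: nat/global only translates
        # higher-to-lower security traffic; the reverse direction needs a static.
        if self.security[src_if] <= self.security[dst_if]:
            return None, f"{src_if} -> {dst_if} is not higher-to-lower security"
        pool = self.pools.get((dst_if, nat_id))
        if pool is None:   # the nat ID must match a global on the destination interface
            return None, f"no global ({dst_if}) pool with nat ID {nat_id}"
        key = (local, dst_if)
        if key not in self.xlate:   # first connection: lowest free address in the pool
            if not pool:
                return None, f"global ({dst_if}) {nat_id} pool is exhausted"
            self.xlate[key] = pool.pop(0)
        return self.xlate[key], "ok"

    def show_xlate(self):   # lines in the format of the lab's "show xlate" output
        return [f"Global {g} Local {l}" for (l, _), g in self.xlate.items()]
```

Changing the nat ID on the nat line to 2 while the global lines keep ID 1 makes translate() refuse the connection, which is the mismatch the Task 2 note warns about.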
Task 4—Test the Inside, Outside, and DMZ Interface Connectivity

To test and troubleshoot interface connectivity using the PIX Firewall ping command, complete the following steps:

Step 1 Ping the inside interface:

    pixP(config)# ping 10.0.P.1
    10.0.P.1 response received 0ms
    10.0.P.1 response received 0ms
    10.0.P.1 response received 0ms

Step 2 Ping your inside host:

    pixP(config)# ping 10.0.P.2
    10.0.P.2 response received 0ms
    10.0.P.2 response received 0ms
    10.0.P.2 response received 0ms

Step 3 Ping the outside interface:

    pixP(config)# ping 192.168.P.1
    192.168.P.1 response received 0ms
    192.168.P.1 response received 0ms
    192.168.P.1 response received 0ms

Step 4 Ping your pod outside host:

    pixP(config)# ping 192.168.P.2
    192.168.P.2 response received 0ms
    192.168.P.2 response received 0ms

Step 5 Ping the DMZ interface:

    pixP(config)# ping 172.16.1.P
    172.16.1.P response received 0ms
    172.16.1.P response received 0ms
    172.16.1.P response received 0ms

Step 6 Ping your bastion host:

    pixP(config)# ping 172.16.1.50
    172.16.1.50 response received 0ms
    172.16.1.50 response received 0ms
    172.16.1.50 response received 0ms

Completion Criteria

You completed this lab exercise if you were able to browse to the outside and DMZ web servers and were also able to ping the inside interface, outside interface, and DMZ interface.