You can configure PIX Firewall by entering commands on your console computer or terminal that are similar in context to those you use with Cisco routers.
Help information is available by entering a question mark by itself for a listing of all commands, or with a command for command syntax. For example:
```
pixfirewall> int ?
usage: interface ethernet inside|outside 10baseT|100baseTX|auto
```
You can abbreviate most commands down to the fewest unique characters for a command; for example, you can enter write t to view the configuration instead of entering the full command write terminal, or you can enter en to start privileged mode and conf t to start configuration mode.
Configuring PIX Firewall consists of the following steps:
Step 1 Using the terminal or computer you connected to the console port during the PIX Firewall installation, connect to the firewall using a modem program such as Procomm.
Step 2 Once you get to the unprivileged command prompt, which should appear as pixfirewall>, proceed to configuration mode by first entering the enable command and then the config terminal command.
Step 3 Initially configure PIX Firewall using the commands described in the section that follows, "Initially Configuring the PIX Firewall."
Step 4 Exit configuration mode and save the configuration in flash memory with the write memory command.
Step 5 Change the default privileged mode password with the enable password command.
Step 6 Monitor the network interface traffic with the show interface command. If both interfaces show that packets are input and output, then the firewall is functioning. If not, ensure that the interface and route commands are specified correctly.
Step 7 Use the ping command to ensure that hosts on the inside and outside of the network are visible to the firewall.
Step 8 Test the network to ensure that you can ping between inside hosts, between outside hosts, and from an inside host to an outside host.
The configuration is now complete.
You can configure the PIX Firewall from the console or across the network with either Telnet or a network browser such as Netscape Navigator. Before entering commands on the console, you need to have connected a workstation to the console port and started a modem program so that you can enter the initial configuration commands.
Before you can use Telnet, you need to enter the telnet command. Before you use a network browser, enter the http command. After you add these commands to the configuration, you can perform configuration remotely across the network.
To start a console session, connect the console cable and start a terminal program such as Procomm. Set the baud rate to 9600, use 8 data bits, and no parity. Set the initialization string as follows so that the terminal program will communicate directly to the PIX Firewall instead of another modem:
```
ATE1V1X4Q0&C1&D2 S7=255 S0=0^M
```
Access configuration mode and enter the following commands to initially configure the firewall:
Alternatively, you can enter lines 1 through 4 and then complete your configuration with a network browser and the HTTP configuration feature of PIX Firewall. Refer to the next section "Configuring with HTTP." The use of the HTTP configuration feature also requires you to enter the http command as explained in "Configuring with HTTP."
Line 1 indicates that you are using an Intel 10/100 automatic speed sensing network interface card. This statement and that in line 2 set the interface speed. If your system contains 3Com Ethernet boards, replace auto with 10baseT. If your system contains Token-Ring cards, replace ethernet with token and auto with either 4mbps or 16mbps.
Lines 3 and 4 assign the IP addresses to the inside and outside network interface cards.
Line 5 disables network address translation until you can configure the system as required.
Line 6 assigns a pool of NIC-registered IP addresses for use by outbound connections. Enter a class address such as this example address of 192.168.42.0 to assign IP addresses 192.168.42.1 through 192.168.42.254.
Lines 7 and 8 let you assign default routes to the inside and outside network interfaces. If your system lets routers advertise default routes, these lines can be omitted.
Line 9 exits configuration mode and line 10 writes the current configuration to flash memory.
PIX Firewall provides a graphical user interface to help simplify configuration tasks. Once you have specified the network interface speed and IP addresses (as described in the previous section), you need to enter two additional commands, after which you can use a network browser, such as Netscape, to complete the configuration.
To access PIX Firewall from a network browser, enter these commands to specify an access password and the IP address and network mask of the workstation that is allowed to connect:
```
pixfirewall(config)# passwd access_password
pixfirewall(config)# http ip_address network_mask
```
At your workstation, start a network browser. Then open a URL and specify the IP address of the PIX Firewall's inside IP address.
The network browser then prompts you for a user name and password as shown in Figure 3-1.

Always use admin for the user name and enter the password you specified with the passwd command.
The main configuration screen then appears as shown in Figure 3-2.

The troubleshooting information in this section is based on Figure 3-3.

Use the steps that follow to determine that your PIX Firewall is ready for use.
Step 1 Use the show interface command to ensure that the interface and line protocol are up. If the display contains "inside is up," then the interface is functioning on the firewall. If the display contains "line protocol is up," then the cable is correct and connected to the firewall. If both of these are true, ensure that packets are input and output. If this is occurring, the firewall is correctly configured and a cable is attached. However, even with these, the firewall may still not be reachable from other hosts.
Step 2 Use the show ip address command to ensure that the IP address you expect is associated with each network interface.
Step 3 Use the show arp command to see if ARP requests are being processed.
Step 4 Can you ping the inside Ethernet port on the PIX Firewall from a host on the inside network? If no, the problem is on your internal network.
Step 5 Can you ping another host on the same segment; for example, C to D? If no, the problem is on the inside network and not with the PIX Firewall. If yes, check the routing setup on the internal network(s); if RIP listening is not in effect, check the default gateways.
Step 6 Can you ping the outside Ethernet port from a host on the outside network; for example, from A or B? If no, can you ping another host on the outside network; for example, A to B? If no, the problem is not the PIX Firewall but is on the outside network.
Step 7 Can you ping a host on the outside segment from a host on the inside; for example, D to A? If no, check the default gateways of the respective hosts if RIP listening is not in effect. If a router is present on the inside network, hosts on the inside segment must have gateways pointing to the router, and the router must point to the PIX Firewall. For example, the default routes for C and D must point to Router 2, and the default route for Router 2 must point to the PIX Firewall.
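As an added example that is not part of the Cisco guide, the following Python script applies the Step 1 reasoning (interface up, line protocol up, packets both input and output) to a constructed sample of show interface output. Only the phrases the guide quotes are relied on; the surrounding line layout of the sample is an assumption, not verbatim PIX output.

```python
import re

# Constructed sample of "show interface" output (layout is an assumption;
# the phrases "is up", "line protocol is up" and "packets input/output"
# are the ones the guide tells you to look for).
SAMPLE_SHOW_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  IP address 192.168.42.1, subnet mask 255.255.255.0
  1234 packets input, 98765 bytes
  0 packets output, 0 bytes
interface ethernet1 "inside" is up, line protocol is down
  IP address 10.1.1.1, subnet mask 255.255.255.0
  0 packets input, 0 bytes
  0 packets output, 0 bytes
"""

HEADER = re.compile(r'^interface \S+ "(\w+)" is (up|down), line protocol is (up|down)')
COUNT = re.compile(r'^\s*(\d+) packets (input|output)')


def parse_show_interface(text):
    """Return {name: {'up': bool, 'proto': bool, 'input': int, 'output': int}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {'up': False, 'proto': False, 'input': 0, 'output': 0})
            cur['up'], cur['proto'] = m.group(2) == 'up', m.group(3) == 'up'
            continue
        m = COUNT.match(line)
        if m and cur is not None:
            cur[m.group(2)] = int(m.group(1))
    return ifaces


def diagnose(iface):
    """Apply the guide's Step 1 decision order to one parsed interface."""
    if not iface['up']:
        return 'interface down: check the interface command on the firewall'
    if not iface['proto']:
        return 'line protocol down: check the cable and its connection'
    if iface['input'] == 0 or iface['output'] == 0:
        return 'packets are not both input and output: check the interface and route commands'
    return 'interface passing traffic (the firewall may still be unreachable from other hosts)'


if __name__ == '__main__':
    for name, iface in parse_show_interface(SAMPLE_SHOW_INTERFACE).items():
        print(f'{name}: {diagnose(iface)}')
```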
Once your initial configuration is complete and tested, you should add commands to tailor the configuration for your site.
Table 3-1 lists configuration commands by PIX Firewall features.
| Feature | Command | Access Mode |
|---|---|---|
| ARP cache | arp | Configuration |
| ARP cache | clear arp-cache | Privileged |
| Configuration | conf floppy | Privileged |
| Configuration | write floppy | Privileged |
| Configuration | write term | Privileged |
| Ethernet, configure | interface ethernet 10baseT | Configuration |
| Failover cable (optional) | failover | Configuration |
| Failover cable (optional) | failover active | Configuration |
| Failover cable (optional) | no failover active | Configuration |
| Failover cable (optional) | show failover | Unprivileged |
| Fast Ethernet, configure | interface ethernet auto | Configuration |
| Flash memory access | write erase | Privileged |
| Flash memory access | show configuration | Privileged |
| Flash memory access | reload | Privileged |
| Flash memory access | write memory | Privileged |
| Floppy disk access | configure floppy | Privileged |
| Floppy disk access | write floppy | Privileged |
| IP address, set | ip address | Configuration |
| Private Link | age | Configuration |
| Private Link | link and linkpath | Configuration |
| Private Link | lnko and lnkopath | Configuration |
| Processes, show thread information | show processes | Unprivileged |
| Prompt host name, change | hostname | Configuration |
| RIP listening, enable or disable | rip | Configuration |
| Routing table | ip route | Configuration |
| Routing table | show ip route | Unprivileged |
| Syslog | show ip address | Unprivileged |
| Syslog | syslog console | Configuration |
| Syslog | show syslog | Unprivileged |
| Syslog | syslog output | Configuration |
| Syslog | syslog host | Configuration |
| Token Ring interface, configure | interface token | |
Observe the following guidelines during configuration: