

Configuration Forms

PIX Firewall has multiple features and functions for controlling access to and from your company's network. Installing this product requires a thorough knowledge of your company's network topology and security policy. The forms in this appendix are provided for your convenience and can help you prepare for the PIX Firewall installation, making the process easier and faster.

You can configure the PIX Firewall for immediate operation and network protection using a small subset of the information requested in these forms. To get the PIX Firewall running immediately, fill in the information in Tables A-1 to A-8, and proceed to Chapter 2, "Configuring PIX Firewall."

The purpose of these forms is to capture the information you need to complete the initial configuration of your PIX Firewall unit, and to help gather the information you need for more complicated configuration tasks. The forms do not capture all options available with some of the configuration commands, such as the em_limit and norandomseq options of the nat command. Additionally, the forms do not correspond one-to-one with PIX Firewall command syntax, so information may not appear in the same order in the forms as it does in the command syntax. The "Command Reference" has complete information on all PIX Firewall commands. Refer to these commands as needed during the actual installation process.

Cisco recommends completing the forms in the order presented, as later forms use information defined in earlier forms. After you complete the forms in Tables A-1 to A-8, you have the information you need to enter the PIX Firewall unit's initial configuration. With the initial configuration, you can test your PIX Firewall to verify that the system is running properly in your network environment.

This appendix includes the following sections:

For specific information about your network environment, contact your network administrator.

PIX Firewall Network Interface Information

Each PIX Firewall has two or more physical network interfaces. You must configure each interface with an IP address, network speed, maximum transmission unit (MTU) size, and so on. Refer to the "Command Reference" for complete information on the interface command. Table A-1 provides a form for entering PIX Firewall network interface information.


Table A-1: PIX Firewall Network Interface Information

Interface Name | Interface Type (Ethernet, Token Ring, or FDDI) | Hardware ID | Interface IP Address | Interface Speed | MTU Size | Interface Security Level
Outside | | | | | | 0
Inside | | | | | | 100

Each PIX Firewall interface requires a name. Outside is the default name for the interface with the lowest security level (0), which is typically the connection to the outside world. Inside is the default name for the interface with the highest security level (100), making it the most secure interface connection to the inside (local) networks. If the PIX Firewall has three or more interfaces, choose names for the perimeter interfaces and assign each perimeter interface a security level between 1 and 99. You can pick any number, but for simplicity we recommend security level 50 for the third interface when there are three interfaces, and 40 for one and 60 for the other when there are four. Each security level must be unique.

Security levels become important when you need to permit users on one interface to access another. When accessing an interface with a higher security level from a lower level interface, you use the static and access-list commands. When accessing an interface with a lower security level from a higher level interface, you use the nat and global commands.

The PIX Firewall supports Ethernet, Gigabit Ethernet, FDDI, and Token Ring interfaces. The interface speed values for each type of interface are as follows:

Make sure the MTU is no more than 1500 bytes for Ethernet, or 8192 for either Token Ring or FDDI.
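The following Python script is added here as an example; it is not part of the Cisco documentation. It checks a filled-in Table A-1 against the rules above (outside at security level 0, inside at 100, each perimeter interface at a unique level from 1 to 99, and the MTU within the per-type limit) and renders the corresponding nameif, interface, ip address, and mtu lines. The interface rows, hardware IDs, and speed keywords are constructed assumptions, and the command syntax is PIX 5.x as I recall it, so confirm each rendered line against the Command Reference before entering it.

```python
"""Check a completed Table A-1 against the rules in this section and render
the matching interface commands.  Added example, not Cisco's code; the rows,
hardware IDs and speed keywords below are constructed assumptions."""
import ipaddress

# Upper MTU bound per interface type, as stated in this section.
MAX_MTU = {"ethernet": 1500, "token ring": 8192, "fddi": 8192}

# Constructed Table A-1 rows:
# (name, type, hardware id, address/prefix, speed keyword, MTU, security level)
INTERFACES = [
    ("outside", "Ethernet", "ethernet0", "192.0.2.1/24", "auto", 1500, 0),
    ("inside", "Ethernet", "ethernet1", "10.1.1.1/24", "100full", 1500, 100),
    ("dmz", "Ethernet", "ethernet2", "10.2.2.1/24", "auto", 1500, 50),
]


def check_interfaces(rows):
    """Return a list of problems; an empty list means the form is consistent."""
    problems = []
    seen = {}  # security level -> interface name that already uses it
    for name, itype, _hwid, cidr, _speed, mtu, level in rows:
        if name == "outside" and level != 0:
            problems.append("outside must have security level 0")
        elif name == "inside" and level != 100:
            problems.append("inside must have security level 100")
        elif name not in ("outside", "inside") and not 1 <= level <= 99:
            problems.append(f"{name}: perimeter level must be 1-99, got {level}")
        if level in seen:
            problems.append(f"{name}: security level {level} already used by {seen[level]}")
        seen[level] = name
        limit = MAX_MTU.get(itype.lower())
        if limit is None:
            problems.append(f"{name}: unknown interface type {itype!r}")
        elif mtu > limit:
            problems.append(f"{name}: MTU {mtu} exceeds {limit} for {itype}")
        try:
            ipaddress.ip_interface(cidr)
        except ValueError:
            problems.append(f"{name}: bad address {cidr!r}")
    return problems


def render_interfaces(rows):
    """Render nameif / interface / ip address / mtu lines (PIX 5.x syntax as I
    recall it; confirm each form against the Command Reference)."""
    lines = []
    for name, _itype, hwid, cidr, speed, mtu, level in rows:
        iface = ipaddress.ip_interface(cidr)
        lines.append(f"nameif {hwid} {name} security{level}")
        lines.append(f"interface {hwid} {speed}")
        lines.append(f"ip address {name} {iface.ip} {iface.netmask}")
        lines.append(f"mtu {name} {mtu}")
    return lines


if __name__ == "__main__":
    for problem in check_interfaces(INTERFACES):
        print("PROBLEM:", problem)
    print("\n".join(render_interfaces(INTERFACES)))
```

Run it after filling in the form; any line printed with PROBLEM: means the form breaks one of the rules in this section and the rendered commands should not be entered yet.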

Routing Information

Each inside or perimeter PIX Firewall interface is configurable for route and RIP (Routing Information Protocol) information. To determine what route information is required, consider what routers are in use in your network and are adjacent to the planned installation point of the firewall.

Specifying a route tells the PIX Firewall where to send information that is exiting a specific interface and destined for a particular network address. You can specify more than one route per interface, allowing you control over where to send network traffic. Configuring a route requires the following information: PIX Firewall interface name, destination network IP address, network mask, and IP address of the router (gateway) that routes traffic to the destination network. Refer to the route command page for more information.

The PIX Firewall learns where everything is on the network by "passively" listening for RIP network traffic. When the PIX Firewall interface receives RIP traffic, the PIX Firewall updates its routing tables. You can also configure the PIX Firewall to broadcast an inside or perimeter interface as a "default" route. Broadcasting an interface as a default route is useful if you want all network traffic on that interface to go out through that interface. Refer to the rip command page for more information.

Table A-2 provides a form for entering route information. The router IP addresses must not be the same as the PIX Firewall interface IP address, or the same as any global address specified in Table A-3.


Table A-2: Routing Information

Interface Name | Destination Network IP Address | Network Mask | Gateway (Router) IP Address | (RIP) Enable Passive Listening for Routing Information? (Yes, No) | (RIP) Broadcast This Interface as a Default Route? (Yes, No)

When defining a route, you must specify the IP address and network mask for the destination network. Use 0.0.0.0 for both the IP address and network mask as the default value.

The gateway IP address is the router that routes the traffic to the destination network IP address.

The RIP information specifies whether the PIX Firewall updates its routing tables by passive listening to RIP traffic, and whether the interface broadcasts itself as a default route for network traffic on that interface. If you configure the PIX Firewall interface to listen for RIP updates, be sure to configure the router supplying the RIP information with the network address for the PIX Firewall interface.


Note   Before testing your configuration, flush the ARP caches on any routers that feed traffic into or from the PIX Firewall and between the firewall and the Internet. For Cisco routers, use the clear arp command to flush the ARP cache.
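The following Python script is an added example, not part of the Cisco documentation. It checks a filled-in Table A-2 against the constraints stated in this section: the gateway address must not equal a PIX interface address or fall inside a global address range from Table A-3, 0.0.0.0 for both destination and mask denotes the default route, and the destination must be a valid network. It then renders the route and rip lines. All addresses are constructed, and the command syntax is PIX 5.x as I recall it; confirm it against the Command Reference.

```python
"""Check a completed Table A-2 against the constraints in this section and
render route / rip lines.  Added example, not Cisco's code; every address
below is constructed."""
import ipaddress

# Constructed Table A-1 interface addresses and Table A-3 global ranges (first, last).
INTERFACE_ADDRS = {"outside": "192.0.2.1", "inside": "10.1.1.1"}
GLOBAL_POOLS = [("192.0.2.10", "192.0.2.20")]

# Constructed Table A-2 rows:
# (interface, destination network, mask, gateway, RIP passive?, RIP default?)
ROUTES = [
    ("outside", "0.0.0.0", "0.0.0.0", "192.0.2.254", False, False),
    ("inside", "10.20.0.0", "255.255.0.0", "10.1.1.254", True, True),
]


def in_global_pool(addr, pools):
    """True when addr lies inside any (first, last) global address range."""
    a = int(ipaddress.ip_address(addr))
    return any(int(ipaddress.ip_address(lo)) <= a <= int(ipaddress.ip_address(hi))
               for lo, hi in pools)


def check_routes(routes, iface_addrs, pools):
    """Return a list of problems; an empty list means the form is consistent."""
    problems = []
    for ifname, dest, mask, gateway, _passive, _default in routes:
        if ifname not in iface_addrs:
            problems.append(f"{ifname}: not an interface from Table A-1")
            continue
        if gateway in iface_addrs.values():
            problems.append(f"{ifname}: gateway {gateway} is a PIX interface address")
        if in_global_pool(gateway, pools):
            problems.append(f"{ifname}: gateway {gateway} lies inside a global pool")
        try:
            ipaddress.ip_network(f"{dest}/{mask}")  # strict: host bits must be zero
        except ValueError:
            problems.append(f"{ifname}: {dest}/{mask} is not a valid network")
    return problems


def render_routes(routes):
    """Render route and rip lines (PIX 5.x syntax as I recall it)."""
    lines = []
    for ifname, dest, mask, gateway, passive, default in routes:
        lines.append(f"route {ifname} {dest} {mask} {gateway}")
        if passive:
            lines.append(f"rip {ifname} passive")
        if default:
            lines.append(f"rip {ifname} default")
    return lines


if __name__ == "__main__":
    for problem in check_routes(ROUTES, INTERFACE_ADDRS, GLOBAL_POOLS):
        print("PROBLEM:", problem)
    print("\n".join(render_routes(ROUTES)))
```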

Network Address Translation

The Network Address Translation (NAT) feature works by substituting, or translating, host addresses on an internal interface with a "global address" associated with an outside interface. This protects internal host addresses from being exposed on other network interfaces. To understand whether you want to use NAT, you must decide if you want to expose internal addresses on other network interfaces connected to the PIX Firewall. If you choose to protect internal host addresses using NAT, you must identify the pool of addresses you want to use for translation.

If the addresses that you want to protect access only other networks within your organization, you can use any set of "private" addresses for the pool of translation addresses. For example, if you want to protect the host addresses on the Finance Department's network (connected to the inside interface on the PIX Firewall) from exposure when connecting to the Sales Department network (connected to the perimeter interface on the PIX Firewall), you can set up translation using any available set of addresses on the Sales network. The effect is that hosts on the Finance network appear as local addresses on the Sales network.

If the addresses that you want to protect require Internet access, you must use only NIC-registered addresses (official Internet addresses registered with the Network Information Center for your organization) for the pool of translation addresses. For example, if you want to protect host addresses on the Sales network (connected to a perimeter interface of the PIX Firewall) from exposure when making connections to the Internet (accessible through the outside interface of the PIX Firewall), you can set up translation using a pool of registered addresses on the outside interface. The effect is that hosts on the Internet see only the Internet addresses for the Sales network, not the addresses on the perimeter interface.

If you are installing the PIX Firewall in an established network that has host- or network-registered addresses, you might not want to do translation for those hosts or networks because that would require using another registered address for the translation.

When considering NAT, it is also important to consider whether you have as many global addresses as internal hosts. If not, some internal hosts might not get network access when they attempt a connection. In this case you can either apply for additional NIC-registered addresses or use Port Address Translation (PAT).

Mapping a range of global IP addresses to an inside or perimeter address, or to a set of addresses, is known as Network Address Translation (NAT). Mapping a single global IP address to many inside or perimeter addresses is known as Port Address Translation (PAT). PAT extends the range of available outside addresses at your site by dynamically assigning a unique port number on the outside address as each connection is requested. A single IP address has up to 64,000 ports available for making connections. For PAT, the port number uniquely identifies each connection.

The PIX Firewall associates internal addresses with global addresses using a NAT identifier (NAT ID). For example, if the inside interface has NAT ID 5, then hosts making connections from the inside interface to another interface (perimeter or outside) get a substitute (translated) address from the pool of global addresses associated with NAT ID 5.

If you decide not to use NAT to protect internal addresses from exposure on outside networks, you must assign those addresses NAT ID 0, which indicates to the PIX Firewall that translation is not provided for those addresses.

Table A-3 provides a form for gathering the global address pool information. Table A-4 links internal network addresses with the global pool information. The information in Tables A-3 and A-4 works together to set up NAT and PAT on the PIX Firewall.

Refer to the "Command Reference" for complete information on the global and nat commands.


Table A-3: Outside (Global) Network Address or Address Range

Outside or Perimeter Interface Name | NAT ID Number from Table A-3 | Beginning of IP Address Range | End of IP Address Range (Optional) (1) | Comments

(1) Do not enter an ending IP address for PAT assignments. PAT uses only a single IP address.

Table A-4 maps internal (inside) or perimeter network addresses with global network addresses on other interfaces in the PIX Firewall.


Table A-4: Inside (Local) or Perimeter Network Address Translation

Inside or Perimeter Name from Table A-1 | NAT ID Number (1 to 65,000) | Network Address Mapped to the NAT ID | Network Mask for This Address | Comments
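The following Python script is an added example, not part of the Cisco documentation. It cross-checks a filled-in Table A-3 against Table A-4 using the rules given in this section: NAT IDs run from 1 to 65,000 and 0 means no translation, a PAT entry uses a single address, every translated NAT ID needs a global entry with the same ID, and a NAT pool with fewer addresses than the hosts mapped to it leaves the remaining hosts without connections unless you switch to PAT. It then renders the global and nat lines. All addresses and IDs are constructed; the command syntax is PIX 5.x as I recall it, so confirm it against the Command Reference.

```python
"""Cross-check Table A-3 (global pools) against Table A-4 (nat mappings) and
render global / nat lines.  Added example, not Cisco's code; all addresses
and NAT IDs below are constructed."""
import ipaddress

# Constructed Table A-3 rows: (global interface, NAT ID, first address, last address or None for PAT)
GLOBALS = [
    ("outside", 1, "192.0.2.10", "192.0.2.20"),   # NAT pool of 11 addresses
    ("outside", 2, "192.0.2.9", None),           # PAT on a single address
]
# Constructed Table A-4 rows: (local interface, NAT ID, network address, mask)
NATS = [
    ("inside", 1, "10.1.0.0", "255.255.0.0"),
    ("dmz", 2, "10.2.2.0", "255.255.255.0"),
    ("inside", 0, "10.1.9.0", "255.255.255.0"),  # registered addresses, left untranslated
]


def pool_size(first, last):
    """Number of global addresses in a pool; a PAT entry counts as one."""
    if last is None:
        return 1
    return int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1


def check_nat(globals_, nats):
    """Return a list of problems; an empty list means the two forms agree."""
    problems = []
    global_ids = set()
    for gif, nat_id, first, last in globals_:
        if not 1 <= nat_id <= 65000:
            problems.append(f"global on {gif}: NAT ID {nat_id} outside 1-65000")
        if pool_size(first, last) < 1:
            problems.append(f"global on {gif}: range ends before it begins")
        global_ids.add(nat_id)
    for lif, nat_id, net, mask in nats:
        ipaddress.ip_network(f"{net}/{mask}")  # raises ValueError on a bad network
        if nat_id == 0:
            continue  # NAT ID 0: no translation, so no global entry is needed
        if not 1 <= nat_id <= 65000:
            problems.append(f"nat on {lif}: NAT ID {nat_id} outside 1-65000")
        elif nat_id not in global_ids:
            problems.append(f"nat on {lif}: NAT ID {nat_id} has no global entry in Table A-3")
    return problems


def capacity_warnings(globals_, nats):
    """Warn where a NAT (not PAT) pool holds fewer addresses than the mapped hosts."""
    warnings = []
    for _gif, nat_id, first, last in globals_:
        if last is None:
            continue  # PAT multiplexes connections by port, so host count is not the limit
        hosts = sum(max(ipaddress.ip_network(f"{n}/{m}").num_addresses - 2, 1)
                    for _lif, nid, n, m in nats if nid == nat_id)
        if hosts > pool_size(first, last):
            warnings.append(f"NAT ID {nat_id}: {pool_size(first, last)} global addresses "
                            f"for up to {hosts} hosts; consider PAT")
    return warnings


def render_nat(globals_, nats):
    """Render global and nat lines (PIX 5.x syntax as I recall it)."""
    lines = []
    for gif, nat_id, first, last in globals_:
        rng = first if last is None else f"{first}-{last}"
        lines.append(f"global ({gif}) {nat_id} {rng}")
    for lif, nat_id, net, mask in nats:
        lines.append(f"nat ({lif}) {nat_id} {net} {mask}")
    return lines


if __name__ == "__main__":
    for line in check_nat(GLOBALS, NATS) + capacity_warnings(GLOBALS, NATS):
        print("CHECK:", line)
    print("\n".join(render_nat(GLOBALS, NATS)))
```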

Static Address Translation


Note   Table A-5 defines advanced configuration settings (static address mapping). Cisco recommends completing the initial (basic) installation from Tables A-1 to A-4 and testing the PIX Firewall with configuration settings prior to adding static address maps and access-list command statements. Refer to the "Command Reference," for complete information on the static command.

Static address translation creates a permanent, one-to-one mapping between a host on a higher security level interface and a global address on a lower security level interface. For example, if a perimeter interface has a web server you want to share with outside users, you would use a static address so that outside users can be given a registered IP address to access, which shields the actual address of the server from the outside.

Static addresses must not be members of the global address pool specified in Table A-3. If the internal host requires Internet access, the static address must be a NIC-registered address.

Table A-5 provides a form for entering static address information.


Table A-5: Static Address Mapping

Interface on Which the Host Resides | Interface Name Where the Global Address Resides | Host IP Address | Static IP Address | Comments
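The following Python script is an added example, not part of the Cisco documentation. It checks a filled-in Table A-5 against the rules in this section: the host sits on the higher security level interface and the static address on the lower one, the static address must not fall inside any Table A-3 global pool, and each mapping is one-to-one. It then renders the static lines. The security levels, pools and rows are constructed; the command syntax is PIX 5.x as I recall it, so confirm it against the Command Reference.

```python
"""Check a completed Table A-5 against the rules in this section and render
static lines.  Added example, not Cisco's code; all values below are constructed."""
import ipaddress

LEVELS = {"outside": 0, "dmz": 50, "inside": 100}   # constructed, from Table A-1
GLOBAL_POOLS = [("192.0.2.10", "192.0.2.20"),       # constructed, from Table A-3
                ("192.0.2.9", "192.0.2.9")]

# Constructed Table A-5 rows: (host interface, global interface, host address, static address)
STATICS = [
    ("dmz", "outside", "10.2.2.80", "192.0.2.5"),   # DMZ web server as seen from the Internet
    ("inside", "dmz", "10.1.1.25", "10.2.2.25"),    # inside host exposed to the DMZ
]


def in_global_pool(addr, pools):
    """True when addr lies inside any (first, last) global address range."""
    a = int(ipaddress.ip_address(addr))
    return any(int(ipaddress.ip_address(lo)) <= a <= int(ipaddress.ip_address(hi))
               for lo, hi in pools)


def check_statics(rows, levels, pools):
    """Return a list of problems; an empty list means the form is consistent."""
    problems = []
    used_static, used_host = set(), set()
    for host_if, glob_if, host_ip, static_ip in rows:
        if levels[host_if] <= levels[glob_if]:
            problems.append(f"{host_ip}: host interface {host_if} must have a higher "
                            f"security level than {glob_if}")
        if in_global_pool(static_ip, pools):
            problems.append(f"{static_ip}: static address lies inside a global pool")
        if (glob_if, static_ip) in used_static:
            problems.append(f"{static_ip}: static address used twice on {glob_if}")
        if (glob_if, host_ip) in used_host:
            problems.append(f"{host_ip}: host already has a static on {glob_if}")
        used_static.add((glob_if, static_ip))
        used_host.add((glob_if, host_ip))
    return problems


def render_statics(rows):
    """Render static lines (PIX 5.x syntax as I recall it): static (high,low) global local."""
    return [f"static ({host_if},{glob_if}) {static_ip} {host_ip} netmask 255.255.255.255"
            for host_if, glob_if, host_ip, static_ip in rows]


if __name__ == "__main__":
    for problem in check_statics(STATICS, LEVELS, GLOBAL_POOLS):
        print("PROBLEM:", problem)
    print("\n".join(render_statics(STATICS)))
```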

Inbound Access Control


Note   Table A-6 defines advanced configuration settings. You should complete the initial (basic) installation from Tables A-1 to A-4 and test the PIX Firewall with these configuration settings prior to configuring static address mappings and access-list command statements. Refer to the "Command Reference," for complete information on the access-list command.

The mechanism by which the PIX Firewall permits hosts on an outside interface to initiate connections with hosts on an inside interface is configured with the access-list command.

To understand whether you need to configure access-list command statements at your site, you must decide if you want external hosts to access internal (PIX Firewall protected) hosts. By default, all external attempts to access internal hosts are denied, and you must configure specific access. If you want external hosts to access internal hosts or networks, you must consider whether you want to control access by IP address, or by both IP address and by user. To control access by IP address, you must configure an access-list command statement. To control access by user, you must set up authentication, as shown in Table A-8.

A global or static address must exist for an internal host or network before you can set up an access-list command statement. See Tables A-3 and A-5 to configure a global or static entry for an internal host. Use the deny option to create exceptions for broadly applied access-list command statements. For example, you can configure one access-list command statement that permits a host on the Internet (foreign host) to access your corporate (internal) network using any port service, while another access-list command statement specifically denies that same outside host FTP services. Table A-6 provides a form for entering access-list command statement information.


Table A-6: Inbound Access Control

Access List Identifier | Permit or Deny | Network Protocol: UDP, TCP, ICMP, or Number | Source Address: External Host or Network IP Address(es) and Network Mask | Destination Address: Static IP Address and Network Mask from Table A-5 (1) | Destination Ports (2) | Interface to Bind List To

(1) Use the keyword "any" to specify all global IP addresses.
(2) To specify a single port or a range of ports, you can use the operands greater than, less than, equal, not equal, and range.

You can also specify a port with the source address, but this is seldom used.

Precede host addresses with the host parameter.

Use the interface name with the access-group command.

The following is a list of literal port names that you can use when configuring an access-list command statement: DNS, ESP, FTP, H323, HTTP, IDENT, NNTP, NTP, POP2, POP3, PPTP, RPC, SMTP, SNMP, SNMPTRAP, SQLNET, TCP, Telnet, TFTP, and UDP. You can also specify these ports by number. Port numbers are defined in RFC 1700.

You must have two access-list command statement definitions to permit access to the following ports:

Outbound Access Control

You can configure the PIX Firewall with access lists that permit or deny network connections or services. These services include World Wide Web (port 80), Telnet (port 23), H.323 (port 1720), and many others. For example, access control can permit a specific network or port access to the World Wide Web but deny that same network or port access to a specific server on the Internet.

To understand whether you need access control at your site, you must decide if you want to enforce restrictions on outbound network traffic; that is, network traffic initiated by hosts on an inside network to an outside network. By default, all internally initiated connections are allowed out, and you must configure restrictions. You can control access by IP address, or by both IP address and user authentication. To configure access control by IP address, follow the form provided in Table A-7. To control access by user, you must set up authentication, as defined in Table A-8. Once you complete the form, use the access-list command to specify the outbound access restrictions and use the access-group command to bind the access-list command statements to a specific interface.


Table A-7: Outbound Access Control

Access List Identifier | Permit or Deny | Network Protocol: UDP, TCP, or Number | Source Address: External Host or Network IP Address(es) and Network Mask | Destination Address or Network IP and Network Mask from Table A-5 (1) | Destination Ports (Services) (2) | Interface to Bind Access List To

(1) Use the keyword "any" to specify all global IP addresses.
(2) To specify a single port or a range of ports, you can use the operands greater than, less than, equal, not equal, and range.

You can also specify a port with the source address, but this is seldom used.

Precede host addresses with the host parameter.

Use the interface name with the access-group command.

Refer to "Protocols" in Chapter 1, "Introduction" for a list of protocol values. In addition, you can specify protocols by number.
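The following Python script is an added example, not part of the Cisco documentation, and serves both the inbound (Table A-6) and outbound (Table A-7) forms. It renders access-list and access-group lines from filled-in rows, expands the port operands (eq, neq, gt, lt, range) using the literal port names listed above, confirms that every inbound destination is a static address from Table A-5, and adds one check the forms do not capture: the PIX evaluates access-list statements in order and stops at the first match, so a deny exception placed after a broader permit never takes effect. The rules, addresses and static list are constructed; the keyword syntax is PIX 5.x as I recall it, so confirm it against the Command Reference. Two caveats from the same semantics: the specific deny must precede the broad permit, and once an outbound list is bound to the inside interface, connections not permitted by it are dropped, so the list needs explicit permits for the traffic you still want to allow.

```python
"""Render and sanity-check Table A-6 / A-7 access-list rows.  Added example,
not Cisco's code; the rules, addresses and static list are constructed."""
import ipaddress

# Port numbers for the literal names this section lists (RFC 1700 values).
# ESP is IP protocol 50 rather than a port, so it is deliberately absent.
PORTS = {"dns": 53, "ftp": 21, "h323": 1720, "http": 80, "ident": 113,
         "nntp": 119, "ntp": 123, "pop2": 109, "pop3": 110, "pptp": 1723,
         "rpc": 111, "smtp": 25, "snmp": 161, "snmptrap": 162,
         "sqlnet": 1521, "telnet": 23, "tftp": 69}
ALL_PORTS = frozenset(range(65536))
STATIC_ADDRS = {"192.0.2.5"}   # constructed Table A-5 static addresses

# Constructed rules: (list id, action, protocol, source, destination, operator, ports).
# Addresses are "any", "host a.b.c.d" or "a.b.c.d/mask"; operator None means every port.
INBOUND = [   # bound to outside: the specific deny precedes the broad permit
    ("acl_in", "deny", "tcp", "host 198.51.100.7", "host 192.0.2.5", "eq", ["ftp"]),
    ("acl_in", "permit", "tcp", "host 198.51.100.7", "host 192.0.2.5", None, []),
    ("acl_in", "permit", "tcp", "any", "host 192.0.2.5", "eq", ["http"]),
]
OUTBOUND = [  # bound to inside: anything not permitted here is dropped
    ("acl_out", "deny", "tcp", "10.1.0.0/255.255.0.0", "host 203.0.113.9", "eq", ["http"]),
    ("acl_out", "permit", "tcp", "10.1.0.0/255.255.0.0", "any", "eq", ["http"]),
]


def to_network(spec):
    """Turn an address cell into an ip_network for containment tests."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec[5:] + "/32")
    return ipaddress.ip_network(spec)


def port_number(port):
    """Accept a literal name from PORTS or a numeric port."""
    return PORTS[port.lower()] if isinstance(port, str) else int(port)


def port_set(op, ports):
    """Expand an operator and its operand(s) into the set of ports it matches."""
    nums = [port_number(p) for p in ports]
    if op is None:
        return ALL_PORTS
    if op == "eq":
        return frozenset([nums[0]])
    if op == "neq":
        return ALL_PORTS - {nums[0]}
    if op == "gt":
        return frozenset(range(nums[0] + 1, 65536))
    if op == "lt":
        return frozenset(range(0, nums[0]))
    if op == "range":
        return frozenset(range(nums[0], nums[1] + 1))
    raise ValueError(f"unknown operator {op!r}")


def shadowed_denies(rules):
    """Return (deny index, permit index) pairs where an earlier permit covers the deny."""
    found = []
    for i, (_, action, proto, src, dst, op, ports) in enumerate(rules):
        if action != "deny":
            continue
        for j in range(i):
            _, action2, proto2, src2, dst2, op2, ports2 = rules[j]
            if (action2 == "permit" and proto2 == proto
                    and to_network(src).subnet_of(to_network(src2))
                    and to_network(dst).subnet_of(to_network(dst2))
                    and port_set(op, ports) <= port_set(op2, ports2)):
                found.append((i, j))
                break
    return found


def check_inbound_destinations(rules, statics):
    """Inbound rules may only name 'any' or a static address from Table A-5."""
    return [dst for _, _, _, _, dst, _, _ in rules
            if dst != "any" and dst.replace("host ", "").split("/")[0] not in statics]


def render(rules, bind_to):
    """Emit access-list lines and the access-group binding (PIX 5.x syntax as I recall it)."""
    lines = []
    for acl, action, proto, src, dst, op, ports in rules:
        tail = "" if op is None else f" {op} " + " ".join(str(port_number(p)) for p in ports)
        lines.append(f"access-list {acl} {action} {proto} "
                     f"{src.replace('/', ' ')} {dst.replace('/', ' ')}{tail}")
    lines.append(f"access-group {rules[0][0]} in interface {bind_to}")
    return lines


if __name__ == "__main__":
    print("shadowed:", shadowed_denies(INBOUND), shadowed_denies(OUTBOUND))
    print("bad inbound destinations:", check_inbound_destinations(INBOUND, STATIC_ADDRS))
    print("\n".join(render(INBOUND, "outside") + render(OUTBOUND, "inside")))
```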

Authentication and Authorization


Note   Table A-8 defines advanced configuration settings (authentication and authorization). Cisco recommends completing the initial (basic) installation from Tables A-1 to A-4 and testing the PIX Firewall with configuration settings prior to configuring authentication and authorization settings. Refer to the "Command Reference," for complete information on the aaa command.

If you want to control network access by user, or you want to authorize users for certain network services, use PIX Firewall authentication and authorization features.

Table A-8 defines the information needed by applications that provide user authentication and authorization for network connections. Authentication servers include TACACS+ and RADIUS.

Understanding the relative relationship of the PIX Firewall interfaces is important for configuring authentication or authorization schemes. In the PIX Firewall, you use two interfaces to make a connection from a local host or network to an outside, or foreign, host or network. The interface with the higher security level, relative to the two interfaces, is always the local interface. The interface with the lower security level, relative to the two interfaces, is always the outside interface. Table A-1 defines the security level for each interface on the PIX Firewall.

If you want authentication and authorization to occur when a local host initiates a connection to the outside network, you configure the local interface. If you set up authentication and authorization to occur when an outside host initiates a connection, you configure the outside interface. In other words, you determine how to configure the interfaces based on the origination point of the connection.


Note   If your configuration requires a host on an outside (lower security level) interface to initiate connections with a host on a local (higher security level) interface, you must create static and access-list command statements for that connection as defined in Tables A-5 and A-6.

Prior to defining authentication and authorization requirements, you must identify the authentication server you are using, along with the IP address of the server, and the server encryption key on the PIX Firewall. Enter the information in the following form:

Authentication server (TACACS+ or RADIUS):_________________________

IP address: _________________________

Encryption key:_________________________

If you have additional authentication servers, list them separately.


Table A-8: Authentication and Authorization

Select Authentication or Authorization | Interface Name on Which to Authenticate or Authorize Connections | Protocol That Will Be Used to Provide Authentication: ANY, FTP, HTTP, TELNET | Authentication Server Type: TACACS+ or RADIUS | Local Host or Network IP Address (1) and Network Mask | Foreign Host or Network IP Address (2) and Network Mask

(1) For a local interface, this is the internal host or network address from which connections originate. For an outside interface, this is the internal host or network address to which connections are sought.
(2) For a local interface, this is the internal host or network address to which connections are sought. For an outside interface, this is the external host or network address from which connections originate.
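The following Python script is an added example, not part of the Cisco documentation. It applies the relative security level rule from this section to filled-in Table A-8 rows: of the two interfaces a connection crosses, the higher security level one is the local interface and the lower is the outside interface, and you configure the interface on which the connection originates. It flags a connection that originates on the outside interface as also needing the static and access-list entries of Tables A-5 and A-6, checks that authorization rows are backed by a TACACS+ server (the PIX authorizes only through TACACS+), and renders the aaa-server and aaa lines. The server form entries, key and rows are constructed; the command syntax is PIX 5.x as I recall it, so confirm it against the Command Reference.

```python
"""Decide which interface each Table A-8 row configures and render aaa lines.
Added example, not Cisco's code; server details, key and rows are constructed."""

LEVELS = {"outside": 0, "dmz": 50, "inside": 100}        # constructed, from Table A-1
SERVICES = {"any", "ftp", "http", "telnet"}              # protocols listed in Table A-8
SERVER = {"type": "TACACS+", "interface": "inside",      # constructed server form entries
          "ip": "10.1.1.10", "key": "CONSTRUCTED-KEY"}

# Constructed Table A-8 rows: (authentication|authorization, originating interface,
# responding interface, service, local address, local mask, foreign address, foreign mask)
ROWS = [
    ("authentication", "inside", "outside", "any", "10.1.0.0", "255.255.0.0", "0.0.0.0", "0.0.0.0"),
    ("authorization", "inside", "outside", "any", "10.1.0.0", "255.255.0.0", "0.0.0.0", "0.0.0.0"),
    ("authentication", "outside", "dmz", "ftp", "10.2.2.80", "255.255.255.255", "0.0.0.0", "0.0.0.0"),
]


def classify(origin, responder, levels):
    """Return (local interface, outside interface, interface to configure,
    whether the row also needs static and access-list entries)."""
    if levels[origin] == levels[responder]:
        raise ValueError("the two interfaces must have different security levels")
    local = origin if levels[origin] > levels[responder] else responder
    outside = responder if local == origin else origin
    # You configure the interface where the connection originates; an outside-
    # originated connection also needs Tables A-5 and A-6 (see the note above).
    return local, outside, origin, origin == outside


def check_rows(rows, levels, server):
    """Return a list of problems; an empty list means the rows are consistent."""
    problems = []
    for kind, origin, responder, service, *_ in rows:
        if kind not in ("authentication", "authorization"):
            problems.append(f"{origin}->{responder}: unknown kind {kind!r}")
        if service not in SERVICES:
            problems.append(f"{origin}->{responder}: unknown service {service!r}")
        if kind == "authorization" and server["type"] != "TACACS+":
            problems.append(f"{origin}->{responder}: authorization needs a TACACS+ server")
        classify(origin, responder, levels)  # raises on equal security levels
    return problems


def render_aaa(rows, levels, server):
    """Render aaa-server and aaa lines (PIX 5.x syntax as I recall it); the
    group tag is the server type, matching the PIX default tags."""
    tag = server["type"]
    lines = [f"aaa-server {tag} protocol {tag.lower()}",
             f"aaa-server {tag} ({server['interface']}) host {server['ip']} {server['key']}"]
    for kind, origin, responder, service, lip, lmask, fip, fmask in rows:
        _local, _outside, configure, _needs_static = classify(origin, responder, levels)
        lines.append(f"aaa {kind} include {service} {configure} {lip} {lmask} {fip} {fmask} {tag}")
    return lines


if __name__ == "__main__":
    for problem in check_rows(ROWS, LEVELS, SERVER):
        print("PROBLEM:", problem)
    for kind, origin, responder, *_ in ROWS:
        print(kind, origin, "->", responder, classify(origin, responder, LEVELS))
    print("\n".join(render_aaa(ROWS, LEVELS, SERVER)))
```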


Posted: Thu Aug 31 21:02:18 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.