Figure 2-1 depicts a small corporation's network topology. An Internet service provider (ISP) provides the backbone network 192.168.1.0 with a network mask of 255.255.255.0. The registered external IP address of the ISP's access router is 172.31.7.130, and the default gateway on the internal side of that router is 192.168.1.254. All outbound traffic destined for the Internet is routed to this default gateway. (Note that 192.168.1.0/24 and 172.31.7.130 both fall inside the RFC 1918 private address ranges; they stand in for registered addresses in this example and are not routable on the Internet, so a real deployment substitutes the addresses actually assigned by the ISP.)
Example Network Topology
For the remainder of this tutorial, we focus on the small corporate network. For this corporation, the PIX Firewall protects a perimeter/administrative network, 10.1.1.0 with a network mask of 255.255.255.0. On the 10.1.1.0 network, the 10.1.1.10 server is dedicated to Cisco Security Manager. The same PIX Firewall also protects an inside network, 10.1.2.0 with a network mask of 255.255.255.0. This network provides connectivity for two key hosts and for the main network users. In this discussion, the 10.1.2.35 host is the corporate web server and the 10.1.2.36 host is the corporate e-mail server.
The PIX Firewall itself is assigned a block of external IP addresses: 192.168.1.51 is the address of its outside interface, and 192.168.1.52 through 192.168.1.59 are additional addresses available for other purposes. In PIX Firewall terminology, these additional addresses form a global network address translation (NAT) pool.
This example assumes that you have installed a standalone Cisco Security Manager server on the 10.1.1.10 host (hostname Admin-NT) and that you are logging on to Cisco Security Manager for the first time. It also assumes that the PIX Firewall you want to manage uses 192.168.1.51 as the IP address of its outside interface and that its enable password is corp1.
In addition, we want to implement a security policy that accomplishes the following objectives:
The remainder of this tutorial describes in detail how to perform the following tasks on the basis of the network topology example that we have described in this chapter.
1. Define your Network Topology
(a) Use the Topology Wizard to define the PIX Firewall, specify the Internet settings, and create required connecting networks
(b) Define the Cisco Security Manager server
(c) Define special hosts
(d) Define address hiding rules
(e) Define static mapping rules
2. Define and apply your security policies
(a) Populate the Security Policy Enforcement branch
(b) Define and apply security policies
3. Define your logging and notification settings
(a) Specify audit event settings
(b) Verify PIX Firewall log settings
4. Generate, verify, and publish device-specific command sets
(a) Perform Save and Update operation
(b) Verify the generated command sets
(c) Approve the command sets and publish them to the PIX Firewall
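The PIX Firewall command set that steps 1(d), 1(e) and 3(b) should produce for this topology, written out here as an added example for checking the output of step 4(b). It is not taken from the page, and it is not the exact text Cisco Security Manager generates (that depends on the product and PIX software versions). Everything not stated on the page is an assumption and is marked as such in the comments: the PIX interface numbering and names, the inside (10.1.2.1) and perimeter (10.1.1.1) interface addresses, the choice of which pool addresses are reserved for the static mappings, the services permitted from the outside (HTTP to the web server, SMTP to the mail server, since the page's policy objectives are not listed), and syslog delivery to the Security Manager host. PIX treats lines beginning with ":" as comments.

```cisco
: Added example, not Cisco documentation output. Addresses 192.168.1.51,
: 192.168.1.52-59, 192.168.1.254, 10.1.1.0/24, 10.1.2.0/24, 10.1.1.10,
: 10.1.2.35 and 10.1.2.36 come from the page; everything else is assumed.
: Interface numbering and names (assumed)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 perimeter security50
ip address outside 192.168.1.51 255.255.255.0
ip address inside 10.1.2.1 255.255.255.0
ip address perimeter 10.1.1.1 255.255.255.0
: Default route toward the ISP access router (page: 192.168.1.254)
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
: Address hiding: inside and perimeter hosts leave through the global pool.
: 192.168.1.52 and .53 are reserved below for static mappings (assumed),
: so the pool and the statics stay disjoint.
global (outside) 1 192.168.1.54-192.168.1.59 netmask 255.255.255.0
nat (inside) 1 10.1.2.0 255.255.255.0 0 0
nat (perimeter) 1 10.1.1.0 255.255.255.0 0 0
: Static mappings for the special hosts: web server and mail server
static (inside,outside) 192.168.1.52 10.1.2.35 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.53 10.1.2.36 netmask 255.255.255.255 0 0
: Only the published services are reachable from outside (assumed policy)
conduit permit tcp host 192.168.1.52 eq www any
conduit permit tcp host 192.168.1.53 eq smtp any
: Syslog to the Security Manager host on the perimeter network (assumed)
logging on
logging host perimeter 10.1.1.10
logging trap informational
```

Two things are worth checking when verifying the generated command set in step 4(b): the static addresses must not overlap the range given in the global command, and no conduit should permit more than the services the policy actually publishes. After step 4(c), show global, show nat, show static, show conduit and show xlate on the PIX Firewall confirm that the published rules match what was approved.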
Posted: Thu Aug 19 08:57:14 PDT 1999
Copyright 1989-1999 © Cisco Systems Inc.