Thursday, February 10, 2005

PIX Firewall-ing (Part 3)

To allow people from the Internet to connect to the servers located inside our internal network, we need to do 3 steps:
1. Create a static translation between one public IP address to the real IP address of our servers
2. Create an access control list to allow access to the server public IP address
3. Apply the access list on the interface

Suppose we have a web server with real IP address This server will be translated to public IP address
First, we have to create static translation with static command:
pixfirewall(config)#static (inside,outside)

The format of the command is: static (higher security interface,lower security interface) public_IP_address internal_IP_address
To verify the translation is correct we can use 'show xlate' command:
pixfirewall(config)#show xlate
Global Local

Now we need to create access control list. Access control list is a rule set for any traffic allowed or not allowed to particular destination. PIX uses 'default deny' concept, it means it you don't permit it explicitly in the rule set, the traffic will be denied.
The format is: access-list name_of_the_ruleset permit/deny protocol source destination eq ports. Protocol can be TCP, UDP, ICMP or even IP protocol such as ESP etc. If we don't specify any ports, it means we allow any ports for that protocol.
In this case, we want to allow access to our web server from anywhere on the Internet with destination port is port 80 or HTTP.
pixfirewall(config)#access-list externalrule permit tcp any host eq 80

Remember, the destination IP address is the public IP of the web server, and not the real IP. Suppose we have 1 network full of web servers (what kind of network is that?) and we want to allow anyone to connect to those all servers using HTTP:
pixfirewall(config)#access-list externalrule permit tcp any eq 80

To apply the access-list on the interface, type the following:
pixfirewall(config)#access-group externalrule in interface outside

Until PIX OS 6.2, the access list can have only one direction, “in” means traffic flowing into interface outside from Internet. Consider yourself as firewall, you have one interface called outside, and any traffic coming to you from that interface will be inspected using access list named externalrule.

Ok, so now Internal network can go to the Internet and people from the Internet can connect to our web server using HTTP protocol.
What's next?
Let's put the name for the firewall:
pixfirewall(config)#hostname kungfuzen

We need to put the password to connect to PIX remotely and enable the password to switch from user mode to privilege mode:
kungfuzen(config)#passwd password_for_telnet_or_ssh
kungfuzen(config)#enable password password_to_switch_to_priv_mode

PIX can be managed remotely by telnet or SSH from trusted interface. PIX can be managed only by SSH from outside interface. To enable SSH, we need to specify the domain name and generate key first:
kungfuzen(config)#ca generate rsa key 2048
For >= 1024, key generation could
take up to several minutes. Please wait.

Where 2048 is the key modules size. Save the key with following command:
kungfuzen(config)#ca save all

Then specify from where you can connect to PIX
kungfuzen(config)#ssh inside
kungfuzen(config)#ssh outside

PIX uses SSH version 1 and user name 'pix' so to connect from SSH client in *nix from inside, use this command:
[user@unix ~]$ ssh -l pix -c DES
pix@'s password:

Use the password as what we set with 'passwd' command. You will get the user mode prompt. Switch to privilege mode by typing 'enable' and put the password as what we specify using 'enable password'.

I think this will be the end of my PIX Firewall tutorial. There are so many features left in PIX that you can explore by yourself: application inspection using fixup, HTTP authentication, VPN, IDS feature, turbo access list. flood guard, failover etc. This link will take you to Cisco documentation for Cisco PIX 6.3.
Come on, you guys are grown-up, so I don't think I need to explain all Cisco PIX commands here. Just RTFM and use '?” anytime you are in doubt. Cisco website and google are your friends. Try all 'show' commands to check the status or the configuration.

In case this firewall doesn't belong to you, just erase the configuration completely by typing:
kungfuzen#write erase

Reboot the PIX, and.. voila! Back to factory default.
Now, put firewall back inside the box, wrap it, sell it in eBay or deliver the box to the real owner. As you wish. Good day.

No comments: