
CISCO PIX FIREWALL LAB

Step 01: PIX Interface Information for Central

Interface Name   Hardware ID   Interface IP Address   Interface Speed
Outside          Ethernet0     192.168.1.2            100basefull
Inside           Ethernet1     10.10.10.1             100basefull
DMZ              Ethernet2     172.16.31.1            100basefull

PIX Routing Information for Central

Interface Name   Destination Network IP Address   Network Mask   Gateway (Router) IP Address
Outside          0.0.0.0                          0.0.0.0        192.168.1.1

Recording Global IP Information for Central

Interface Name   NAT ID Number   Beginning of IP Address Range   End of IP Address Range
Outside          1               192.168.1.12                    192.168.1.150
Outside          1               192.168.1.152
DMZ              1               172.16.31.12                    192.168.31.100

NAT IP Information for Central

Interface Name   NAT ID Number   Network Address   Network Mask for This Address
Inside           1               10.10.10.0        255.255.255.0
DMZ              1               172.16.31.0       255.255.255.0

Static IP Address Mapping Information for Central

Interface on Which   Interface Where the      Static IP     Host IP       Description
the Host Resides     Global Address Resides   Address       Address
DMZ                  Outside                  192.168.1.4   172.16.31.4   Mail Server
DMZ                  Outside                  192.168.1.5   172.16.31.5   Web Server
DMZ                  Outside                  192.168.1.6   172.16.31.4   FTP Server

Step 02: As the name intuitively indicates, the nameif command is used to name an interface and assign it a security value from 1 to 99. The outside and inside interfaces are named by default and have default security values of 0 and 100, respectively. By default the interfaces are identified by their hardware ID: Ethernet 0 is the outside interface, and Ethernet 1 is the inside interface. The names configured with the nameif command are user-friendly and are easier to use in the more advanced configuration later.

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address DMZ 172.16.31.1 255.255.255.0

Step 03: You must generate an RSA key pair for the PIX Firewall (ca generate rsa key 512 command) before clients can connect to the PIX Firewall console over SSH. After generating the RSA key pair, save it with the ca save all command. To use SSH, your PIX Firewall must have a DES or 3DES activation key.

enable password cisco123
hostname CENTRAL
domain-name abc.com
username admin password admin privilege 15
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ssh 10.20.10.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 outside
ssh 10.10.10.0 255.255.255.0 inside
ssh 172.16.31.0 255.255.255.0 dmz
ssh timeout 20
ca generate rsa key 1024
ca save all

Step 03: The global command is used to define the address or range of addresses into which the addresses defined by the nat command are translated. It is important that the nat-id be identical to the nat-id used in the nat command: the nat-id pairs the IP addresses defined by the global and nat commands so that network translation can take place.

global (outside) 1 192.168.1.12-192.168.1.150 netmask 255.255.255.0
global (outside) 1 192.168.1.151 netmask 255.255.255.0
global (DMZ) 1 172.16.31.12-172.16.31.100 netmask 255.255.255.0

nat (inside) 1 10.10.10.0 255.255.255.0 0 0

When a host or device tries to start a connection, the PIX Firewall checks the translation table to see whether there is an entry for that particular IP address. If there is no existing translation, a new translation slot is created. By default a translated IP address is kept in the translation table for 3 hours; you can change this with the timeout xlate hh:mm:ss command. To view the translated addresses, use the show xlate command.

The route command tells the Cisco PIX Firewall where to send information that is forwarded on a specific interface and destined for a particular network address. You add static routes to the PIX with the route command.

route outside 0.0.0.0 0.0.0.0 192.168.1.2

Step 04: Static Network Address Translation (NAT) creates a permanent, one-to-one mapping between an address on an internal network (a higher-security-level interface) and an address on an external network (a lower-security-level interface), in all PIX versions. For an external host to initiate traffic to a DMZ host, a static translation rule must exist for that DMZ host. Without the persistent translation rule, the translation cannot occur.

static (DMZ,outside) 192.168.1.4 172.16.31.254 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.5 172.16.31.5 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.6 172.16.31.6 netmask 255.255.255.255 0 0

Step 05: After configuring the basic PIX Firewall parameters, you must create the access rules for the PIX Firewall at the CENTRAL PIX. The access rules are necessary to enable the remote sites to connect to the CENTRAL PIX while limiting access from unauthorized locations. The following commands define the access rules needed on the CENTRAL PIX.

access-list acl-out permit tcp any host 192.168.1.4 eq smtp
access-list acl-out permit tcp any host 192.168.1.5 eq www
access-list acl-out permit tcp any host 192.168.1.6 eq ftp
access-list acl-out permit icmp any any
access-list acl-in permit ip 10.10.10.0 255.255.255.0 any
access-list acl-in permit icmp any any
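
As an added check (not part of the lab), the script below audits the pairing rules from Steps 03 to 05 over a constructed copy of the CENTRAL commands: every nat-id must have a global, and a DMZ server reachable from the outside needs both a static and a permit in the ACL bound to the outside interface. One extra ACL entry for 192.168.1.7, which has no static, is included on purpose so the check has something to report.

```python
import re
from collections import defaultdict

# Constructed sample: the CENTRAL global/nat/static/ACL lines from Steps 03-05,
# plus one deliberately added ACL entry (192.168.1.7) that has no static.
CENTRAL_CFG = """\
global (outside) 1 192.168.1.12-192.168.1.150 netmask 255.255.255.0
global (outside) 1 192.168.1.151 netmask 255.255.255.0
global (DMZ) 1 172.16.31.12-172.16.31.100 netmask 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
static (DMZ,outside) 192.168.1.4 172.16.31.254 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.5 172.16.31.5 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.6 172.16.31.6 netmask 255.255.255.255 0 0
access-list acl-out permit tcp any host 192.168.1.4 eq smtp
access-list acl-out permit tcp any host 192.168.1.5 eq www
access-list acl-out permit tcp any host 192.168.1.6 eq ftp
access-list acl-out permit tcp any host 192.168.1.7 eq www
access-list acl-out permit icmp any any
access-group acl-out in interface outside"""

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) ")
ACL_HOST_RE = re.compile(r"^access-list (\S+) permit \S+ \S+ host (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def audit(cfg):
    """Return (nat-ids with no global, outside statics with no ACL permit,
    outside ACL host permits with no static)."""
    globals_by_id, nat_ids = defaultdict(set), set()
    statics, acl_hosts, bound = {}, defaultdict(set), {}
    for line in cfg.splitlines():
        if m := GLOBAL_RE.match(line):
            globals_by_id[m[2]].add(m[1])   # nat-id -> interfaces holding a pool
        elif m := NAT_RE.match(line):
            nat_ids.add(m[2])
        elif m := STATIC_RE.match(line):
            statics[m[3]] = (m[2], m[4])    # global addr -> (mapped iface, real addr)
        elif m := ACL_HOST_RE.match(line):
            acl_hosts[m[1]].add(m[2])
        elif m := GROUP_RE.match(line):
            bound[m[2]] = m[1]              # interface -> ACL applied inbound
    # nat-id 0 is identity/exempt NAT (nat 0 access-list) and needs no global
    unpaired_nat = sorted(i for i in nat_ids if i != "0" and i not in globals_by_id)
    out_hosts = acl_hosts.get(bound.get("outside"), set())
    static_no_acl = sorted(g for g, (iface, _) in statics.items()
                           if iface == "outside" and g not in out_hosts)
    acl_no_static = sorted(h for h in out_hosts if h not in statics)
    return unpaired_nat, static_no_acl, acl_no_static
```

On the sample above the only finding is the orphan permit for 192.168.1.7; the three real DMZ servers each have a static and a matching permit, and nat-id 1 has pools on both outside and DMZ.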

access-group acl-out in interface outside
access-group acl-in in interface inside

Step 06:

logging on
logging trap informational
logging host inside 10.10.10.254

Step 07: The two remote sites communicate with the Reston location (CENTRAL-PIX) using VPN connections that traverse the Internet. To enable these VPNs, you must define the VPN characteristics at the headquarters location as well as at the remote sites. Configuring the VPN connections between CENTRAL-PIX and the two remote sites (BRANCH-PIX) involves the following tasks:

- Configuring the CENTRAL PIX Firewall for VPN tunneling
- Configuring the BRANCH PIX Firewall for VPN tunneling

Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy:

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

Configure a pre-shared key and associate it with the peer:

isakmp identity address
isakmp key cisco123 address 192.168.1.2 netmask 255.255.255.255

Configure the supported IPSec transforms:

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

Create an access list:

access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0

Define a crypto map for BRANCH:

crypto map Branch-Map 20 ipsec-isakmp
crypto map Branch-Map 20 match address 120
crypto map Branch-Map 20 set peer 192.168.1.2
crypto map Branch-Map 20 set transform-set myset

Apply the crypto map to the outside interface:

crypto map Branch-Map interface outside

Specify that IPSec traffic is implicitly trusted (permitted):

sysopt connection permit-ipsec
sysopt connection permit-pptp

Configure a NAT 0 policy so that traffic between the offices is excluded from NAT:

access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 host 192.168.1.254
access-list VPN permit ip 10.10.10.0 255.255.255.0 host 192.168.1.253
nat (inside) 0 access-list VPN

Step 08: Active IDS & VPN Client

ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ

ip audit name AttacksPolicy attack action alarm drop
ip audit name InfoPolicy info action alarm drop
ip audit interface outside InfoPolicy
ip audit interface outside AttacksPolicy
ip audit interface inside InfoPolicy
ip audit interface inside AttacksPolicy
ip audit interface DMZ InfoPolicy
ip audit interface DMZ AttacksPolicy
ip audit signature 2000 disable
ip audit signature 2004 disable

Set up the VPN client:

ip local pool vpn-pool 10.10.10.151-10.10.10.152 mask 255.255.255.0
sysopt connection permit-ipsec
sysopt connection permit-pptp
isakmp key cisco456 address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local vpn-pool outside
crypto dynamic-map dynmap 20 set transform-set myset
crypto map Branch-Map 30 ipsec-isakmp dynamic dynmap
crypto map Branch-Map client configuration address initiate
crypto map Branch-Map client configuration address respond
crypto map Branch-Map interface outside
isakmp enable outside
!
vpngroup remote-users address-pool vpn-pool

vpngroup remote-users dns-server 203.162.0.11
vpngroup remote-users wins-server 203.162.4.1
vpngroup remote-users default-domain abc.com
vpngroup remote-users idle-time 1800
vpngroup remote-users password cisco456
!
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40 required
vpdn group 1 client configuration address local vpn-pool
vpdn group 1 client configuration dns 203.162.0.11
vpdn group 1 client configuration wins 203.162.4.1
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cisco password cisco
vpdn enable outside
!
End.

###################### BRANCH OFFICE #######################

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password cisco
hostname BRANCH
!
access-list 110 permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
access-list acl-in permit ip 10.20.10.0 255.255.255.0 any
access-list acl-in permit icmp any any
access-list acl-out permit icmp any any
!
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.20.10.1 255.255.255.0
!
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name AttacksPolicy attack action drop
ip audit name InfoPolicy info action drop
ip audit interface outside InfoPolicy
ip audit interface outside AttacksPolicy
ip audit interface inside InfoPolicy
ip audit interface inside AttacksPolicy
ip audit signature 2000 disable

ip audit signature 2004 disable
!
global (outside) 1 192.168.1.152-192.168.2.250 netmask 255.255.255.0
global (outside) 1 192.168.2.251 netmask 255.255.255.0
nat (inside) 0 access-list VPN
nat (inside) 1 10.20.10.0 255.255.255.0 0 0
!
access-group acl-out in interface outside
access-group acl-in in interface inside
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map Central-Map 20 ipsec-isakmp
crypto map Central-Map 20 match address 110
crypto map Central-Map 20 set peer 192.168.1.1
crypto map Central-Map 20 set transform-set myset
crypto map Central-Map interface outside
isakmp enable outside
isakmp key cisco123 address 192.168.1.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des

isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
!
######################## End ###########################

######################## CENTRAL #######################

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
hostname CENTRAL
access-list acl-out permit icmp any any
access-list acl-in permit ip 10.10.10.0 255.255.255.0 any
access-list acl-in permit icmp any any
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 host 192.168.1.254
access-list VPN permit ip 10.10.10.0 255.255.255.0 host 192.168.1.253

pager lines 24
logging on
logging trap informational
logging host inside 10.10.10.254
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address DMZ 172.16.31.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit name AttacksPolicy attack action alarm drop
ip audit name InfoPolicy info action alarm drop
ip audit interface outside InfoPolicy
ip audit interface outside AttacksPolicy
ip audit interface inside InfoPolicy
ip audit interface inside AttacksPolicy
ip audit interface DMZ InfoPolicy
ip audit interface DMZ AttacksPolicy
ip audit signature 2000 disable
ip audit signature 2004 disable
nat (inside) 0 access-list VPN
access-group acl-out in interface outside
access-group acl-in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map Branch-Map 20 ipsec-isakmp
crypto map Branch-Map 20 match address 120
crypto map Branch-Map 20 set peer 192.168.1.2
crypto map Branch-Map 20 set transform-set myset
crypto map Branch-Map interface outside
isakmp enable outside
isakmp key cisco123 address 192.168.1.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
end
#################### CENTRAL #######################################
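
Added example, not part of the lab and not a Cisco tool: with both complete configurations in hand, the Python checker below compares the settings the two tunnel endpoints must agree on (peer addresses, ISAKMP policy, transform set and the crypto ACLs). On constructed excerpts of the CENTRAL and BRANCH configs above it reports that 172.16.31.0 appears in CENTRAL's crypto ACL 120 but has no mirror entry in BRANCH's ACL 110, so DMZ-to-branch traffic has no matching selector on the branch side.

```python
# Constructed excerpts of the final CENTRAL and BRANCH configs above (tunnel-relevant lines only).
CENTRAL = """\
ip address outside 192.168.1.1 255.255.255.0
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map Branch-Map 20 match address 120
crypto map Branch-Map 20 set peer 192.168.1.2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000"""
BRANCH = """\
ip address outside 192.168.1.2 255.255.255.0
access-list 110 permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map Central-Map 20 match address 110
crypto map Central-Map 20 set peer 192.168.1.1
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400"""

def parse(cfg):
    """Pull the tunnel-relevant settings out of one PIX config."""
    d = {"policy": {}, "acl": {}}
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[:3] == ["ip", "address", "outside"]: d["outside"] = t[3]
        elif t[0] == "access-list": d["acl"].setdefault(t[1], set()).add((t[4], t[6]))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]: d["ts"] = tuple(t[4:])
        elif t[4:6] == ["match", "address"]: d["match"] = t[6]
        elif t[4:6] == ["set", "peer"]: d["peer"] = t[6]
        # lifetime is negotiated down to the shorter value, so it need not match
        elif t[:2] == ["isakmp", "policy"] and t[3] != "lifetime": d["policy"][t[3]] = t[4]
    return d

def check_peers(cfg_a, cfg_b):
    """Return the mismatches that would stop the two PIXes agreeing on the tunnel."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = []
    if (a["peer"], b["peer"]) != (b["outside"], a["outside"]):
        issues.append("set peer does not point at the other side's outside address")
    if a["policy"] != b["policy"]: issues.append("isakmp policy (auth/encryption/hash/group) differs")
    if a["ts"] != b["ts"]: issues.append("transform-set differs")
    # phase 2 selectors must be mirror images: (src, dst) here == (dst, src) there
    unmatched = sorted(a["acl"][a["match"]] ^ {(dst, src) for src, dst in b["acl"][b["match"]]})
    if unmatched: issues.append(f"crypto ACLs are not mirror images, unmatched: {unmatched}")
    return issues
```

Feed it the Step 07 policy (aes-256, sha, group 2) in place of the final CENTRAL lines and the policy check fires as well, since BRANCH only offers des, md5 and group 1.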
