Lab Visual Objective

(Figure: lab topology. Internet; 192.168.P.0/24; pod perimeter router; PIX Firewall, e0 outside .2; bastion host (web and FTP server); backbone server (web, FTP, and TFTP server); inside host (web and FTP server).)

© 2000, Cisco Systems.

Setup

Before starting this lab exercise, access the PIX Firewall console port using a HyperTerminal connection.

Directions

You will assign IP addresses and review all entries. Substitute your pod number wherever you see the letter P.

Perform the following steps in this lab exercise:

■ Configure the PIX Firewall interfaces.

■ Test the inside, outside, and DMZ interface connectivity.

■ Configure global addresses, NAT, and routing for inside and outside interfaces.

Task 1: Configure PIX Firewall Interfaces

To configure PIX Firewall Ethernet interfaces, complete the following steps:

Step 1 Change to privileged mode:

pixfirewall> enable

Step 2 When prompted for the password, leave it blank and press Enter. A PIX Firewall ships with an empty enable password; set one with the enable password command before the firewall leaves the lab.

Step 3 Enter the configure terminal command to enter into configuration mode:

pixfirewall# config terminal

Step 4 Assign a hostname to your PIX Firewall:

pixfirewall(config)# hostname pixP

(where P = pod number)

Step 5 Assign the PIX Firewall DMZ interface a name (dmz) and security level (50):

pixfirewall(config)# nameif e2 dmz security50
pixfirewall(config)# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

Note The security level orders the interfaces. By default, connections may originate from a higher-security interface to a lower one once nat and global are configured, while connections from a lower-security interface to a higher one require a static and a conduit (Tasks 6 and 8).

Step 6 Enable the Ethernet 0, Ethernet 1, and Ethernet 2 interfaces for an Intel 100 full interface card.

Note By default the interfaces are disabled. You must enable all interfaces you intend to use.

pixfirewall(config)# interface e0 100full
pixfirewall(config)# interface e1 100full
pixfirewall(config)# interface e2 100full
pixfirewall(config)# show interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82558 ethernet, address is 0090.2724.fd0f
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 10000 Kbit full duplex
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 packets output, 0 bytes, 0 underruns
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82558 ethernet, address is 0090.2716.43dd
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 100000 Kbit full duplex
    184 packets input, 15043 bytes, 0 no buffer
    Received 179 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 packets output, 0 bytes, 0 underruns
interface ethernet2 "dmz" is up, line protocol is up
  Hardware is i82558 ethernet, address is 0090.2725.060d
  IP address 127.0.0.1, subnet mask 255.255.255.255
  MTU 1500 bytes, BW 10000 Kbit full duplex
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 packets output, 0 bytes, 0 underruns

Note 127.0.0.1 is the placeholder address an interface carries until Step 7 assigns a real one.

Step 7 Assign IP addresses to the inside, outside, and DMZ network interface cards:

pixfirewall(config)# ip address outside 192.168.P.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.P.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.P.1 255.255.255.0

(where P = pod number)

Step 8 Ensure that the IP addresses are correctly configured and are associated with the proper network interface:

pixfirewall(config)# show ip address
System IP Addresses:
        ip address outside 192.168.P.2 255.255.255.0
        ip address inside 10.0.P.1 255.255.255.0
        ip address dmz 172.16.P.1 255.255.255.0
Current IP Addresses:
        ip address outside 192.168.P.2 255.255.255.0
        ip address inside 10.0.P.1 255.255.255.0
        ip address dmz 172.16.P.1 255.255.255.0

Step 9 Write the configuration to the Flash memory:

pixfirewall(config)# write memory
Building configuration...

Cryptochecksum: d4d9ae69 9f7c734c babeef58 54b69c91

Task 2: Configure Global Addresses

To configure a global address pool, NAT, and routing, complete the following steps:

Step 1 Assign one pool of NIC-registered IP addresses for use by outbound connections:

pixfirewall# config terminal
pixfirewall(config)# global (outside) 1 192.168.P.10-192.168.P.254 netmask 255.255.255.0
pixfirewall(config)# show global
global (outside) 1 192.168.P.10-192.168.P.254 netmask 255.255.255.0

(where P = pod number)

Step 2 Configure the PIX Firewall to allow all inside hosts to use NAT for outbound access (0 0 is shorthand for 0.0.0.0 0.0.0.0, that is, every inside address; the trailing 1 ties the statement to global pool 1):

pixfirewall(config)# nat (inside) 1 0 0

Step 3 Display the currently configured NAT:

pixfirewall(config)# show nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Step 4 Assign a default route toward the pod perimeter router:

pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.P.1 1

(where P = pod number)

Step 5 Display currently configured routes:

pixfirewall(config)# show route
        outside 0.0.0.0 0.0.0.0 192.168.P.1 1 OTHER static

Step 6 Write the current configuration to Flash memory:

pixfirewall(config)# write memory

Task 3: Test the Inside, Outside, and DMZ Interface Connectivity

To test and troubleshoot interface connectivity using the PIX Firewall ping command, complete the following steps:

Step 1 Ping the inside interface:

pixfirewall# ping inside 10.0.P.1
        10.0.P.1 response received -- 10ms
        10.0.P.1 response received -- 10ms
        10.0.P.1 response received -- 10ms

(where P = pod number)

Step 2 Ping your inside host:

pixfirewall# ping inside 10.0.P.3
        10.0.P.3 response received -- 10ms
        10.0.P.3 response received -- 10ms
        10.0.P.3 response received -- 10ms

(where P = pod number)

Step 3 Ping the outside interface:

pixfirewall# ping outside 192.168.P.2
        192.168.P.2 response received -- 10ms
        192.168.P.2 response received -- 10ms
        192.168.P.2 response received -- 10ms

(where P = pod number)

Step 4 Ping your pod perimeter router:

pixfirewall# ping outside 192.168.P.1
        192.168.P.1 response received -- 10ms
        192.168.P.1 response received -- 10ms
        192.168.P.1 response received -- 10ms

(where P = pod number)

Step 5 Ping the DMZ interface:

pixfirewall# ping dmz 172.16.P.1
        172.16.P.1 response received -- 10ms
        172.16.P.1 response received -- 10ms
        172.16.P.1 response received -- 10ms

Step 6 Ping your bastion host:

pixfirewall# ping dmz 172.16.P.2
        172.16.P.2 response received -- 10ms
        172.16.P.2 response received -- 10ms
        172.16.P.2 response received -- 10ms

(where P = pod number)

Task 4: Configure Global and NAT

Enter the following commands to restrict NAT to the inside network range and to permit ICMP through the PIX Firewall for testing:

Step 1 Remove NAT:

pixfirewall(config)# no nat (inside) 1 0 0

Step 2 Configure NAT for the internal network range of IP addresses:

pixfirewall(config)# nat (inside) 1 10.0.P.0 255.255.255.0 0 0

Display the currently configured NAT:

pixfirewall(config)# show nat
nat (inside) 1 10.0.P.0 255.255.255.0 0 0

(where P = pod number)

Step 3 Allow ICMP and ping packets through the PIX Firewall. This conduit is for lab testing only; it permits any ICMP from any outside source to every global address, and Task 6 notes that it should be removed in production:

pixfirewall(config)# conduit permit icmp any any

Step 4 Display the currently configured conduit:

pixfirewall(config)# show conduit

Step 5 Write the current configuration to Flash memory:

pixfirewall(config)# write memory

Step 6 Write the current configuration to the terminal:

pixfirewall(config)# write terminal

Step 7 Use the clear xlate command after configuring with the nat and global commands to make the global IP addresses available in the translation table:

pixfirewall(config)# clear xlate
pixfirewall(config)# show xlate

Task 5: Test Globals and NAT Configuration

To test the globals and NAT configuration, you must complete the following:

Step 1 From your Windows command line, ping the perimeter router:

ping 192.168.P.1

(where P = pod number)

Step 2 Test the operation of the global and NAT you configured by originating connections through the PIX Firewall:

1. Open a web browser on the Windows NT server.

2. Use the web browser to open the HTTP server on the backbone server behind the perimeter router: http://172.30.1.50. Stop the connection and then initiate a new connection.

Step 3 Observe the translation table with the show xlate command:

pixfirewall(config)# show xlate

Your display should appear similar to the following:

Global 192.168.P.X Local 10.0.P.3 nconns 1 econns 0 flags -

Note how the global addresses have incremented and are chosen from the low end of the global range.
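The allocation behaviour observed in this task, as an added example that is not part of the Cisco lab: a short Python model of the nat/global translation (xlate) table. It assumes pod number P = 1, hands out the lowest free address of the pool (as the note above describes), gives a static precedence over the dynamic pool, and drops the dynamic entries on clear xlate. Treating global addresses reserved by a static as unavailable to the dynamic pool is a simplification of the model; PAT and xlate timeouts are not modelled.

```python
"""Simplified model of PIX dynamic NAT (nat/global) and the xlate table.

Added example, not part of the Cisco lab.  It models what "show xlate" shows
after the nat and global commands: a host covered by a nat statement gets the
lowest free address of the matching global pool, keeps it while its xlate
exists, a static takes precedence over the dynamic pool, and "clear xlate"
drops the dynamic entries so new nat/global/static definitions take effect.
Addresses use pod number P = 1 and are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Xlate:
    local: ipaddress.IPv4Address
    glob: ipaddress.IPv4Address
    static: bool
    nconns: int = 0

    def show(self) -> str:
        # Same shape as the "show xlate" lines in the lab.
        kind = " static" if self.static else ""
        return f"Global {self.glob} Local {self.local}{kind} nconns {self.nconns}"


class PixNat:
    def __init__(self):
        self.nats = []       # (nat_id, local network) from "nat (inside) id local mask"
        self.pools = {}      # nat_id -> addresses from "global (outside) id first-last"
        self.statics = {}    # local -> global from "static (inside,outside) global local"
        self.xlates = {}     # local -> Xlate, in creation order

    def nat(self, nat_id, local, mask):
        local = "0.0.0.0" if local == "0" else local      # "nat (inside) 1 0 0" shorthand
        mask = "0.0.0.0" if mask == "0" else mask
        self.nats.append((nat_id, ipaddress.IPv4Network(f"{local}/{mask}", strict=False)))

    def glob(self, nat_id, first, last):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.pools.setdefault(nat_id, []).extend(ipaddress.IPv4Address(a) for a in range(lo, hi + 1))

    def static(self, glob, local):
        self.statics[ipaddress.IPv4Address(local)] = ipaddress.IPv4Address(glob)

    def clear_xlate(self):
        self.xlates.clear()

    def outbound(self, src):
        """Return the global address an outbound connection from src will carry."""
        src = ipaddress.IPv4Address(src)
        x = self.xlates.get(src)
        if x is None:
            if src in self.statics:                      # static wins over dynamic nat
                x = Xlate(src, self.statics[src], static=True)
            else:
                nat_id = next((i for i, net in self.nats if src in net), None)
                if nat_id is None:
                    raise PermissionError(f"no nat statement covers {src}")
                # Model choice: addresses reserved by statics never leave the dynamic pool.
                in_use = {e.glob for e in self.xlates.values()} | set(self.statics.values())
                free = [a for a in self.pools.get(nat_id, []) if a not in in_use]
                if not free:
                    raise RuntimeError(f"global pool {nat_id} exhausted")
                x = Xlate(src, free[0], static=False)    # lowest free address first
            self.xlates[src] = x
        x.nconns += 1
        return x.glob

    def show_xlate(self):
        return [x.show() for x in self.xlates.values()]


if __name__ == "__main__":
    pix = PixNat()
    pix.glob(1, "192.168.1.10", "192.168.1.254")       # global (outside) 1 ...
    pix.nat(1, "10.0.1.0", "255.255.255.0")            # nat (inside) 1 10.0.1.0 255.255.255.0
    pix.outbound("10.0.1.3")
    pix.outbound("10.0.1.4")
    print("\n".join(pix.show_xlate()))
    pix.static("192.168.1.10", "10.0.1.3")             # static (inside,outside) 192.168.1.10 10.0.1.3
    pix.clear_xlate()                                  # Task 6 Step 1: needed before the static is used
    pix.outbound("10.0.1.3")
    print("\n".join(pix.show_xlate()))
```

Running the block as a script prints the two xlate tables: the dynamic one after the first two connections, then the table after the static and clear xlate, where 10.0.1.3 now carries 192.168.1.10 as a static entry.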

Task 6: Configure a Static and Conduit from the PIX Firewall Outside Interface to the Windows NT Server Inside the Network

Configure a static translation so that traffic originated from the internal Windows NT server always has the same source address on the outside interface of the PIX Firewall. Test the static and conduit by pinging the Windows NT server from the perimeter router. In a production environment, you should remove the conduit permit icmp any any command to prevent a potential security breach. Use the following commands:

Step 1 Clear the translation table:

pixfirewall(config)# clear xlate

Step 2 Create a static translation from the outside PIX Firewall interface to the internal host, and a conduit that permits web access to it:

pixfirewall(config)# static (inside,outside) 192.168.P.10 10.0.P.3
pixfirewall(config)# conduit permit tcp host 192.168.P.10 eq www any

(where P = pod number)

Step 3 Turn on ICMP monitoring at the PIX Firewall:

pixfirewall(config)# debug icmp trace

ICMP trace on Warning: this may cause problems on busy networks

Step 4 Ping the perimeter router from your Windows NT server to test the translation:

ping 192.168.P.1

Note the example display for pixfirewall (original source, translated source, destination for each outbound request; the reverse for each reply):

Outbound ICMP echo request 10.0.P.3 192.168.P.10 192.168.P.1
Inbound ICMP echo reply 192.168.P.1 192.168.P.10 10.0.P.3
Outbound ICMP echo request 10.0.P.3 192.168.P.10 192.168.P.1
Inbound ICMP echo reply 192.168.P.1 192.168.P.10 10.0.P.3
Outbound ICMP echo request 10.0.P.3 192.168.P.10 192.168.P.1
Inbound ICMP echo reply 192.168.P.1 192.168.P.10 10.0.P.3
Outbound ICMP echo request 10.0.P.3 192.168.P.10 192.168.P.1
Inbound ICMP echo reply 192.168.P.1 192.168.P.10 10.0.P.3

(where P = pod number)

Observe the source, destination, and translated addresses on the PIX Firewall console.

Step 5 Use the web browser to access the peer's host by entering http://192.168.Q.10 (where Q = peer pod number) in your web browser.

Step 6 Ping a peer inside host from your inside host. The static provides the translation; the ping itself is permitted by the conduit permit icmp any any from Task 4, not by the www conduit, which covers only TCP port 80.

ping 192.168.Q.10

(where Q = peer pod number)

Step 7 Turn off ICMP monitoring at the PIX Firewall:

pixfirewall(config)# no debug icmp trace

Task 7: Configure Inside Multiple Interfaces

Configure the PIX Firewall to allow access to the DMZ from the inside and outside network. Complete the following steps to configure the global address pools, NAT, and routing for the DMZ interface:

Step 1 Assign one pool of IP addresses for hosts on the public DMZ:

pixfirewall(config)# global (dmz) 1 172.16.P.10-172.16.P.254 netmask 255.255.255.0

(where P = pod number)

Step 2 Name the bastion host using the name command. The name configured here will be used in a later lab step:

pixfirewall(config)# name 172.16.P.2 bastionhost
pixfirewall(config)# show name
name 172.16.P.2 bastionhost

(where P = pod number)

Step 3 Clear the translation table so that the global IP address will be updated in the table:

pixfirewall(config)# clear xlate

Step 4 Write the current configuration to Flash memory:

pixfirewall(config)# write memory

Step 5 Test connectivity to the bastion host from your internal host.

ping 172.16.P.2

(where P = pod number)

Step 6 Test web access to your bastion host from the Windows NT server by doing the following:

1. Open a web browser on the Windows NT server.

2. Use the web browser to access the IP address of your bastion host: http://172.16.P.2 (where P = pod number). The home page of the bastion host should appear in your web browser.

3. Use the show arp, show conn, and show xlate commands to observe the transaction:

pixfirewall(config)# show arp
        outside 192.168.P.1 00e0.1e41.8762
        inside 10.0.P.3 00e0.b05a.d509
        dmz bastionhost 00e0.1eb1.78df
pixfirewall(config)# show xlate
Global 172.16.P.2 Local 10.0.P.10 static nconns 0 econns 0 flags s
Global 192.168.P.3 Local 10.0.P.10 nconns 0 econns 0 flags -
pixfirewall(config)# show conn
0 in use, 3 most used

Step 7 Test FTP access to the bastion host from your Windows NT server by doing the following:

1. Establish an FTP session to the bastion host: Start>Run>ftp 172.16.P.2. You have reached the bastion host if you receive the message "Connected to 172.16.P.2"(where P = pod number).

2. If you were able to connect and log in, quit the FTP session: ftp> quit.

Task 8: Configure Outside Access to the DMZ

Configure the PIX Firewall to permit outside access to hosts in the DMZ. Configure a static and conduit to test communications using ping between perimeter routers and the bastion host. Then configure HTTP and FTP access. Complete the following steps:

Step 1 Create a static translation from the outside interface to the bastion host on the DMZ interface:

pixfirewall(config)# static (dmz,outside) 192.168.P.11 bastionhost

Step 2 Configure a conduit to allow pings from perimeter routers to the static assigned to the DMZ bastion host:

pixfirewall(config)# conduit permit icmp host 192.168.P.11 any

Step 3 Ping a peer bastion host from your internal host as allowed by the conduit via the static:

ping 192.168.Q.11

(where Q = peer pod number)

Step 4 View current static translations:

pixfirewall(config)# show xlate
Global 192.168.P.11 Local 10.0.P.3 static nconns 1 econns 1
Global 192.168.P.11 Local bastionhost static nconns 0 econns 0

Step 5 Configure conduits to allow web and FTP access to the bastion host from the outside and then test the conduits. Configure the conduits to allow TCP traffic from clients on the outside network to access the DMZ bastion host using the previously configured static:

pixfirewall(config)# conduit permit tcp host 192.168.P.11 eq www any
pixfirewall(config)# conduit permit tcp host 192.168.P.11 eq ftp any

(where P = pod number)

Step 6 Display the conduits that you have just configured (output shown for pod 1):

pixfirewall(config)# show conduit
conduit permit tcp host 192.168.1.11 eq www any (hitcnt=0)
conduit permit tcp host 192.168.1.11 eq ftp any (hitcnt=0)

Step 7 Test web access to the bastion hosts of opposite pod groups by doing the following:

1. Open a web browser on the client PC.

2. Identify another pod group that is ready for a test.

3. Use the web browser to access the IP address of the static mapped to the bastion host of the opposite pod group: http://192.168.Q.11

4. Have an opposite pod group test your static and conduit configuration.

5. Use the show arp, show conn, and show xlate commands to observe the transaction.

Step 8 Test FTP access to the bastion hosts of other pod groups by doing the following:

1. Identify another pod group that is ready for a test.

2. On your client PC, use FTP to connect to the bastion host of another pod group: Start>Run>ftp 192.168.Q.11

(where Q = peer pod number)

3. Have an opposite pod group use FTP to connect to your bastion host to test your static and conduit configuration.

4. Use the show arp, show conn, and show xlate commands to observe the transaction.
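How the PIX decides whether a connection from the outside reaches the bastion host or the inside host, as an added example that is not the lab's or Cisco's code: a Python parser for the nameif, name, static, and conduit lines used in Tasks 6 through 8, plus an evaluator for a single connection attempt. CONFIG is constructed from the lab commands with pod number P = 1. The model evaluates conduits in configured order and takes the first match, ignores the source-port operator, does not check nat/global for outbound flows, and its audit() flags only the conduit permit icmp any any that the lab says to remove in production.

```python
"""Model of the PIX 5.x inbound access rule used in Tasks 6 through 8.

Added example, not from the Cisco lab.  A connection arriving on a lower
security interface and bound for a higher one is accepted only if a static
maps the destination global address to a host on the higher interface and a
conduit permits the protocol, destination port, and source.  Connections from
higher to lower security are allowed by default (subject to nat/global, which
this model does not check).  CONFIG is constructed from the lab commands with
pod number P = 1.
"""
import ipaddress

# Service names the lab uses in conduit statements.
PORTS = {"www": 80, "http": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25}

CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
name 172.16.1.2 bastionhost
static (inside,outside) 192.168.1.10 10.0.1.3
static (dmz,outside) 192.168.1.11 bastionhost
conduit permit icmp any any
conduit permit tcp host 192.168.1.10 eq www any
conduit permit tcp host 192.168.1.11 eq www any
conduit permit tcp host 192.168.1.11 eq ftp any
"""


class PixPolicy:
    def __init__(self, config_text):
        self.levels = {}     # interface name -> security level
        self.names = {}      # name -> IP, from "name IP NAME"
        self.statics = []    # (real_if, mapped_if, global, local)
        self.conduits = []   # parsed conduit statements, in configured order
        for line in config_text.splitlines():
            tok = line.split()
            if not tok:
                continue
            if tok[0] == "nameif":          # nameif ethernet2 dmz security50
                self.levels[tok[2]] = int(tok[3][len("security"):])
            elif tok[0] == "name":          # name 172.16.1.2 bastionhost
                self.names[tok[2]] = tok[1]
            elif tok[0] == "static":        # static (dmz,outside) 192.168.1.11 bastionhost
                real, mapped = tok[1].strip("()").split(",")
                self.statics.append((real, mapped, self._ip(tok[2]), self._ip(tok[3])))
            elif tok[0] == "conduit":
                self.conduits.append(self._parse_conduit(tok[1:]))

    def _ip(self, s):
        # Resolve a configured name, otherwise parse the literal address.
        return ipaddress.IPv4Address(self.names.get(s, s))

    def _addr(self, tok, i):
        """Consume one address spec (any | host IP | IP MASK) plus optional 'eq PORT'."""
        if tok[i] == "any":
            net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
        elif tok[i] == "host":
            net, i = ipaddress.IPv4Network(str(self._ip(tok[i + 1]))), i + 2
        else:
            net, i = ipaddress.IPv4Network(f"{self._ip(tok[i])}/{tok[i + 1]}", strict=False), i + 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        return net, port, i

    def _parse_conduit(self, tok):
        # conduit permit|deny PROTO GLOBAL_SPEC [eq PORT] FOREIGN_SPEC [eq PORT]
        gnet, gport, i = self._addr(tok, 2)
        fnet, fport, _ = self._addr(tok, i)     # foreign (source) port parsed but not enforced
        return {"action": tok[0], "proto": tok[1], "global": gnet, "gport": gport, "foreign": fnet}

    def check(self, src_if, dst_if, proto, src_ip, dst_ip, dport=None):
        """Return (allowed, reason) for one connection attempt."""
        src_ip, dst_ip = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        if self.levels[src_if] > self.levels[dst_if]:
            return True, "higher to lower security: allowed once nat/global cover the source"
        local = next((l for r, m, g, l in self.statics
                      if m == src_if and r == dst_if and g == dst_ip), None)
        if local is None:
            return False, f"no static maps {dst_ip} on {src_if} to a host on {dst_if}"
        for c in self.conduits:                 # first matching conduit decides
            if c["proto"] not in ("ip", proto):
                continue
            if dst_ip not in c["global"] or src_ip not in c["foreign"]:
                continue
            if c["gport"] is not None and c["gport"] != dport:
                continue
            return c["action"] == "permit", f"conduit matched; translated to {local}"
        return False, f"static to {local} exists but no conduit permits {proto}/{dport} from {src_ip}"

    def audit(self):
        """Return conduits that permit ICMP from anywhere to every global address."""
        return [c for c in self.conduits if c["action"] == "permit" and c["proto"] == "icmp"
                and c["global"].prefixlen == 0 and c["foreign"].prefixlen == 0]


if __name__ == "__main__":
    pol = PixPolicy(CONFIG)
    for flow in [("outside", "dmz", "tcp", "192.168.2.3", "192.168.1.11", 80),
                 ("outside", "dmz", "tcp", "192.168.2.3", "192.168.1.11", 23),
                 ("outside", "inside", "icmp", "192.168.1.1", "192.168.1.10", None)]:
        print(flow, pol.check(*flow))
    print("broad ICMP conduits to remove before production:", len(pol.audit()))
```

The second flow shows the failure mode a practitioner looks for: the static for 192.168.1.11 exists, so the PIX has a translation, but nothing permits telnet, so the connection is dropped. Removing the conduit permit icmp any any line from CONFIG makes the third flow fail the same way, which is the Task 6 production note in action.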

Step 9 Write the current configuration to the terminal and verify that you have entered the previous commands correctly. Your configuration should appear similar to the following:

pixfirewall(config)# write terminal
Building configuration...
: Saved
:
PIX Version 5.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7KRXU24 encrypted
passwd 2KFQhbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 192.168.P.2 255.255.255.0
ip address inside 10.0.P.1 255.255.255.0
ip address dmz 172.16.P.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
arp timeout 14400
global (outside) 1 172.16.21.10-172.16.21.254 netmask 255.255.255.0
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip dmz passive
no rip dmz default
route outside 0.0.0.0 0.0.0.0 192.168.P.1 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
Cryptochecksum:9963c491006b1296815f3437947fab81
: end

Note The sample output above was captured from a different build: its hostname, interface speed, and global pool do not match the lab values, and it omits the nat, static, name, and conduit lines. In your own output, check that the hostname is pixP, the interfaces are 100full, the global pool is 192.168.P.10-192.168.P.254, and the nat, static, name, and conduit lines from Tasks 4 through 8 are present. The default SNMP community string public shown here should also be changed before the firewall is used outside the lab.

Step 10 Write the current configuration to Flash memory:

pixfirewall(config)# write memory
Building configuration...
Cryptochecksum: ae9fc9fc a3005950 f9daec62 5683c88e
[OK]
