PIX Firewall - Cal State L.A.


PIX Firewall
Features

Stateful Packet Filter
Runs on its own Operating System
Assigning varying security levels to interfaces (0 – 100)
Access Control Lists
Extensive Logging Capability
Network Address Translation
Stateful Failover Recovery
Advanced Filtering
Adaptive Security Algorithm (ASA)

Foundation of the PIX firewall
Keeps track of connections formed from the private network to the public network
Allows traffic to go from private to public, and allows the return traffic from the public to the private network
Does not allow the public network to initiate traffic to the private network, unless specified in an ACL
Uses the following information to keep track of sessions passing through the PIX:
– IP packet source and destination
– TCP sequence number and flags
– UDP packet flow and timers
TCP Initiation and Transmission
TCP Termination
UDP Transmission
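The connection-tracking rules on the Features and ASA slides (higher-to-lower security level permitted, return traffic matched to a tracked connection, lower-to-higher only with an ACL permit, TCP entries closed on termination, UDP entries aged out by a timer) can be simulated in a few dozen lines. The following Python model is an added example and is not PIX code; the security levels, ACL entries, UDP timeout value and every sample packet are constructed, and sequence-number checking, which the real ASA also performs, is left out to keep the model short.

```python
"""Toy stateful filter modelled on the PIX Adaptive Security Algorithm (ASA).

Added example, not PIX code: it simulates the behaviour the slides describe.
Interface security levels, the ACL entries, the UDP timeout and every sample
packet below are constructed for illustration. TCP sequence-number checking,
which the real ASA also performs, is omitted to keep the model short.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrives on
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters: S, SA, A, F, R
    ts: float = 0.0   # arrival time in seconds on a constructed clock


class StatefulFilter:
    UDP_TIMEOUT = 120.0  # assumed idle timer for UDP "connections"

    def __init__(self, levels, acl=()):
        self.levels = levels    # e.g. {"inside": 100, "outside": 0}; exactly two interfaces
        self.acl = list(acl)    # permits as (ingress iface, proto, dst, dport)
        self.conns = {}         # 5-tuple of the initiating packet -> {"proto", "last"}

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _acl_permits(self, p):
        return (p.iface, p.proto, p.dst, p.dport) in self.acl

    def _expire(self, now):
        # UDP has no close handshake, so entries are aged out by the timer.
        stale = [k for k, c in self.conns.items()
                 if c["proto"] == "udp" and now - c["last"] > self.UDP_TIMEOUT]
        for k in stale:
            del self.conns[k]

    def process(self, p):
        """Return "PERMIT" or "DROP" for packet p and update the connection table."""
        self._expire(p.ts)
        # 1. Packets of a tracked connection pass in either direction.
        for key in (self._key(p), self._reverse_key(p)):
            conn = self.conns.get(key)
            if conn is not None:
                conn["last"] = p.ts
                # Simplified TCP termination: FIN or RST from either side closes the entry.
                if p.proto == "tcp" and ("F" in p.flags or "R" in p.flags):
                    del self.conns[key]
                return "PERMIT"
        # 2. A new connection is allowed from a higher to a lower security level;
        #    from lower to higher it needs an explicit ACL permit.
        egress = next(i for i in self.levels if i != p.iface)
        if self.levels[p.iface] <= self.levels[egress] and not self._acl_permits(p):
            return "DROP"
        # 3. A new TCP connection must begin with a bare SYN.
        if p.proto == "tcp" and p.flags != "S":
            return "DROP"
        self.conns[self._key(p)] = {"proto": p.proto, "last": p.ts}
        return "PERMIT"


def demo():
    """Run constructed packets through the filter; returns the verdict list."""
    fw = StatefulFilter({"inside": 100, "outside": 0},
                        acl=[("outside", "tcp", "10.0.0.2", 80)])
    packets = [
        # inside host opens SSH to the outside router: creates a connection entry
        Packet("inside", "tcp", "10.0.0.2", 40000, "1.1.1.2", 22, "S", 0.0),
        # SYN-ACK returns and matches the reverse of that entry
        Packet("outside", "tcp", "1.1.1.2", 22, "10.0.0.2", 40000, "SA", 0.1),
        # outside-initiated connection to a port with no ACL permit
        Packet("outside", "tcp", "1.1.1.2", 5000, "10.0.0.2", 23, "S", 0.2),
        # outside-initiated connection to a port the ACL permits
        Packet("outside", "tcp", "1.1.1.2", 5001, "10.0.0.2", 80, "S", 0.3),
        # inside DNS query over UDP
        Packet("inside", "udp", "10.0.0.2", 5353, "1.1.1.2", 53, ts=1.0),
        # reply inside the UDP timer
        Packet("outside", "udp", "1.1.1.2", 53, "10.0.0.2", 5353, ts=2.0),
        # late reply after the UDP entry has aged out
        Packet("outside", "udp", "1.1.1.2", 53, "10.0.0.2", 5353, ts=200.0),
        # inside host closes the SSH session
        Packet("inside", "tcp", "10.0.0.2", 40000, "1.1.1.2", 22, "F", 300.0),
        # a stray ACK for the closed session no longer matches any entry
        Packet("outside", "tcp", "1.1.1.2", 22, "10.0.0.2", 40000, "A", 300.1),
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running the block prints one verdict per sample packet; the interesting cases are the third and the last two, where an outside-initiated SYN, a late UDP reply and an ACK for an already-closed session are all dropped because no connection entry exists for them.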
Lab Environment

Rented lab at www.gigavelocity.com
Lab consists of routers, switches, a PIX firewall, a control console, etc.
Connecting to the Rack

Telnet to the main control console
From the console, initiate connections to the different devices
Our test bed

Whole lab consists of many components
Needed to test the PIX firewall only
Used the PIX firewall with two routers
– Set up router addresses
– Set up PIX firewall interfaces
– Set up PIX routing
– Ping from different components
Showing Router 1’s IP Address
Rack1R1#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            1.1.1.2         YES manual up                    up
Serial0/0                  unassigned      YES NVRAM  administratively down down
BRI0/0                     unassigned      YES NVRAM  administratively down down
BRI0/0:1                   unassigned      YES unset  administratively down down
BRI0/0:2                   unassigned      YES unset  administratively down down
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Serial0/1                  unassigned      YES NVRAM  administratively down down
Showing Router 2’s IP Address
Rack1R2#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.0.0.2        YES manual up                    up
Serial0/0                  unassigned      YES NVRAM  administratively down down
BRI0/0                     unassigned      YES NVRAM  administratively down down
BRI0/0:1                   unassigned      YES unset  administratively down down
BRI0/0:2                   unassigned      YES unset  administratively down down
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Serial0/1                  unassigned      YES NVRAM  administratively down down
Virtual-Access1            unassigned      YES unset  up                    up
Showing PIX’s IP Address
pixfirewall# show config
: Saved
: Written by enable_15 at 21:02:07.582 UTC Sat Mar 5 2005
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
……
ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
Network Topology
Router 1 (1.1.1.2) ---- [1.1.1.1 outside] PIX [10.0.0.1 inside] ---- Router 2 (10.0.0.2)
PIX Configuration

See Configuration File
Results

Pinging from Router 2 to PIX
Rack1R2#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Results

Pinging from PIX to Router 2
pixfirewall# ping 10.0.0.2
10.0.0.2 response received -- 0ms
10.0.0.2 response received -- 0ms
10.0.0.2 response received -- 0ms
Results

Pinging from Router 2 to Router 1
Rack1R2#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Results

Pinging from Router 1 to Router 2
Rack1R1#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Conclusion

The PIX firewall is a highly configurable device
We used a simplified network model
Configured the PIX and two routers
Able to pass traffic to, from, and through the PIX firewall