PIX Firewall
© 2002, Cisco Systems, Inc.
CSPFA 2.1—3-1
What Is a Firewall?
A firewall is a system or group of systems that manages access between two networks.
Firewall Technologies
Firewall operations are based on one of three technologies:
• Packet filtering
• Proxy server
• Stateful packet filtering
Packet Filtering
Limits information into a network based on destination and source address (and, in practice, on protocol and port numbers), packet by packet, with no memory of earlier packets.
Proxy Server
Requests connections on behalf of a client: the client on the inside of the firewall talks to the proxy, and the proxy opens a separate connection to the outside.
Stateful Packet Filtering
Limits information into a network based not only on destination and source address, but also on the state of the session the packet belongs to (the connection table built from earlier packets) and, for inspected protocols, on packet data content.
PIX Firewall—What Is it?
• Stateful firewall with high security and fast performance
• Adaptive security algorithm provides stateful security
• Cut-through proxy eliminates application-layer bottlenecks
• Secure, real-time, embedded operating system
Adaptive Security Algorithm
• Provides "stateful" connection control through the PIX Firewall
• Tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags
• TCP initial sequence numbers are randomized to minimize the risk of attack: the outside host sees a randomized sequence number rather than the inside host's own, so a guessable ISN on the inside host cannot be exploited from outside
• Tracks UDP and TCP session state
• Connections allowed out create a connection slot; only return traffic matching that slot is allowed back in (for TCP, the reply must carry the ACK bit and the expected sequence numbers)
ASA Security Level Example
(Figure: a PIX Firewall with three interfaces.)
• e0: interface name = outside, security level 0, connected to the Internet (outside network)
• e1: interface name = inside, security level 100, connected to the inside network
• e2: interface name = pix/intf2, security level 50, connected to the perimeter network
Cut-Through Proxy Operation
1. The user (internal or external) makes a request to an IS resource.
2. The PIX Firewall intercepts the connection.
3. The PIX Firewall prompts the user for a username and password, authenticates the user, and checks the security policy on a RADIUS or TACACS+ server.
4. The PIX Firewall initiates a connection from the PIX Firewall to the destination IS resource.
5. The PIX Firewall directly connects the internal or external user to the IS resource via ASA.
(Figure: browser dialog "Username and Password Required", "Enter username for CCO at www.com", with sample user name student and password 123@456.)
Authenticates once at the application layer (OSI Layer 7) for each supported service.
The connection is then passed back to the PIX Firewall high-performance ASA engine, while maintaining session state.
Stateful Failover
(Figure: primary and secondary PIX Firewalls joined by a failover cable, with one interface per unit on each network.)
• Internet side 172.26.26.0/24: backbone, web, FTP, and TFTP server at .50
• Outside 192.168.0.0/24: perimeter router .1, primary PIX e0 .2, secondary PIX e0 .7
• Inside 10.0.0.0/24: primary e1 .1, secondary e1 .7, inside host .3
• DMZ 172.16.0.0/24: primary e2 .1, secondary e2 .7, DMZ host .2
• Stateful failover link 172.17.0.0/24: primary e3 .1, secondary e3 .7
Summary
• There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering.
• The PIX Firewall features include: secure operating system, Adaptive Security Algorithm, cut-through proxy, stateful failover, and stateful packet filtering.
PIX Command Line Interface
Access Modes
The PIX Firewall has four administrative access modes:
• Unprivileged mode
• Privileged mode
• Configuration mode
• Monitor mode
enable Command
pixfirewall> enable
• Enables you to enter different access modes
pixfirewall> enable
password:
pixfirewall# configure terminal
pixfirewall(config)#
pixfirewall(config)# exit
pixfirewall#
enable password and passwd Commands
pixfirewall# enable password password
• The enable password command is used to control access to the privileged mode.
pixfirewall# passwd password
• The passwd command is used to set the Telnet password (the password prompted for when a Telnet session to the PIX Firewall is opened).
hostname and ping Commands
pixfirewall(config)# hostname newname
• hostname command
pixfirewall(config)# hostname proteus
proteus(config)# hostname pixfirewall
pixfirewall(config)# ping [if_name] ip_address
• ping command
pixfirewall(config)# ping 10.0.0.3
10.0.0.3 response received -- 0Ms
10.0.0.3 response received -- 0Ms
10.0.0.3 response received -- 0Ms
write Commands
The following are the write commands:
• write net
• write erase
• write floppy
• write memory
• write standby
• write terminal
show Commands
The following are show commands:
• show history
• show memory
• show version
• show xlate
• show cpu usage
• show interface
• show ip address
show ?
PIX Configuration
Commands
Six Primary Configuration Commands
• nameif
• interface
• ip address
• nat
• global
• route
nameif command
pixfirewall(config)#
nameif hardware_id if_name security_level
• The nameif command assigns a name to each
interface on the PIX Firewall and specifies its security
level.
pixfirewall(config)# nameif ethernet2 dmz sec50
interface command
pixfirewall(config)#
interface hardware_id hardware_speed
• The interface command configures the speed and duplex.
pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full
• The outside and inside interfaces are set for 100 Mbps Ethernet full-duplex communication.
ip address command
pixfirewall(config)#
ip address if_name ip_address [netmask]
• The ip address command assigns an IP address to
each interface.
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
PIX Firewall
Translations
Sessions in an IP World
In an IP world, a network session is a transaction between two end systems. It is carried out over one of two transport layer protocols:
• TCP (Transmission Control Protocol)
• UDP (User Datagram Protocol)
TCP
• TCP is a connection-oriented, reliable-delivery, robust, and high performance transport layer protocol.
• TCP features
– Sequencing and acknowledgement of data
– A defined state machine (open connection, data flow, retransmit, close connection)
– Congestion management and avoidance mechanisms
TCP Initialization—Inside to Outside
(Figure: packets #1 to #6 of a telnet connection from inside host 10.0.0.3 to outside host 172.30.0.50, as seen on the private and public sides of the PIX Firewall. Each packet is listed with its IP header addresses and TCP header ports, sequence number, acknowledgement number and flag.)
#1 inside host -> PIX Firewall (private network), flag SYN
   src 10.0.0.3:1026 -> dst 172.30.0.50:23, initial sequence # 49091, no data
   The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created and the embryonic connection counter is started.
#2 PIX Firewall -> outside host (public network), flag SYN
   src 192.168.0.20:1026 -> dst 172.30.0.50:23, initial sequence # 49769 (randomized by the PIX Firewall), no data
#3 outside host -> PIX Firewall (public network), flag SYN-ACK
   src 172.30.0.50:23 -> dst 192.168.0.20:1026, sequence # 92513, ack 49770
   The PIX Firewall follows the Adaptive Security Algorithm: (src IP, src port, dest IP, dest port) check, sequence number check, translation check. If the code bit is not SYN-ACK, the PIX Firewall drops the packet.
#4 PIX Firewall -> inside host (private network), flag SYN-ACK
   src 172.30.0.50:23 -> dst 10.0.0.3:1026, sequence # 92513, ack 49092 (the randomized acknowledgement is mapped back to the inside host's own sequence space)
TCP Initialization—Inside to Outside (cont.)
#5 inside host -> PIX Firewall (private network), flag ACK
   src 10.0.0.3:1026 -> dst 172.30.0.50:23, sequence # 49092, ack 92514
   The PIX Firewall resets the embryonic counter for this client. It then increments the connection counter for this host.
#6 PIX Firewall -> outside host (public network), flag ACK
   src 192.168.0.20:1026 -> dst 172.30.0.50:23, sequence # 49770, ack 92514
   Data flows. The PIX Firewall strictly follows the Adaptive Security Algorithm for every subsequent packet of the session.
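The handshake above, modelled as an added example (this is editorial code, not Cisco's PIX implementation): a small translation and connection table that applies the checks the slides list (translation lookup, 4-tuple check, SYN-ACK code bit, sequence number check, embryonic counter) and also the per-host embryonic limit (em_limit) that later slides attach to the nat and static commands. The addresses, ports and sequence numbers are the slide's values; the size of the global pool, the sequence-number offset and the embryonic limit are assumptions of the model.

```python
# Added example (not Cisco code): toy model of the Adaptive Security Algorithm
# checks for an inside-to-outside TCP handshake, including the embryonic limit.
from dataclasses import dataclass, replace
import random

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"

@dataclass
class Conn:
    local_ip: str  # inside (untranslated) address
    isn: int       # inside host's initial sequence number
    offset: int    # random value added so the outside never sees the real ISN
    state: str = "EMBRYONIC"

class AsaTcp:
    """Translation slots (xlate) plus connection slots (conn) for one nat/global pair."""

    def __init__(self, local_prefix, global_pool, em_limit=2, rng=None):
        self.local_prefix = local_prefix  # assumed: the nat statement covers this prefix
        self.pool = list(global_pool)     # assumed: global pool, one address per inside host
        self.em_limit = em_limit          # max half-open (SYN-only) connections per host
        self.rng = rng or random.Random()
        self.xlate = {}        # local ip -> global ip
        self.conns = {}        # (global ip, sport, remote ip, dport) -> Conn
        self.embryonic = {}    # local ip -> half-open count
        self.connections = {}  # local ip -> completed handshakes
        self.log = []          # reason for every drop, for inspection

    def _drop(self, why):
        self.log.append(why)
        return None

    def _translation(self, local_ip):
        """Return the xlate for local_ip, creating one if nat/global allow it."""
        if local_ip not in self.xlate:
            if not local_ip.startswith(self.local_prefix) or not self.pool:
                return None
            self.xlate[local_ip] = self.pool.pop(0)
        return self.xlate[local_ip]

    def outbound(self, p):
        """Packet arriving on the inside interface; returns what leaves outside, or None."""
        glob = self._translation(p.src)
        if glob is None:
            return self._drop("no translation for " + p.src)
        key = (glob, p.sport, p.dst, p.dport)
        conn = self.conns.get(key)
        if conn is None:
            if p.flags != "SYN":
                return self._drop("no connection slot and not a SYN")
            if self.embryonic.get(p.src, 0) >= self.em_limit:
                return self._drop("embryonic limit reached for " + p.src)
            conn = Conn(p.src, p.seq, self.rng.randrange(1, MOD))
            self.conns[key] = conn
            self.embryonic[p.src] = self.embryonic.get(p.src, 0) + 1
        elif conn.state == "EMBRYONIC" and p.flags == "ACK":
            conn.state = "ESTABLISHED"  # packet #5: handshake complete
            self.embryonic[p.src] -= 1
            self.connections[p.src] = self.connections.get(p.src, 0) + 1
        return replace(p, src=glob, seq=(p.seq + conn.offset) % MOD)

    def inbound(self, p):
        """Packet arriving on the outside interface; returns what leaves inside, or None."""
        key = (p.dst, p.dport, p.src, p.sport)  # 4-tuple check against the conn table
        conn = self.conns.get(key)
        if conn is None:
            return self._drop("no connection slot for %s:%d" % (p.dst, p.dport))
        if conn.state == "EMBRYONIC":
            if p.flags != "SYN-ACK":
                return self._drop("code bit is not SYN-ACK during handshake")
            if p.ack != (conn.isn + conn.offset + 1) % MOD:  # sequence number check
                return self._drop("SYN-ACK does not acknowledge the randomized ISN")
        # translation check passed: undo the address mapping and the randomization
        return replace(p, dst=conn.local_ip, ack=(p.ack - conn.offset) % MOD)

def slide_handshake(fw):
    """Run packets #1, #3 and #5 from the slides through fw; returns [#2, #4, #6]."""
    p1 = Packet("10.0.0.3", "172.30.0.50", 1026, 23, 49091, 0, "SYN")
    p2 = fw.outbound(p1)
    p3 = Packet("172.30.0.50", p2.src, 23, 1026, 92513, (p2.seq + 1) % MOD, "SYN-ACK")
    p4 = fw.inbound(p3)
    p5 = Packet("10.0.0.3", "172.30.0.50", 1026, 23, 49092, 92514, "ACK")
    p6 = fw.outbound(p5)
    return [p2, p4, p6]
```

Two things the slides only imply are visible here: an unsolicited SYN from outside to the global address finds no connection slot and is dropped even though a translation exists, and a SYN-ACK that acknowledges the wrong sequence number (what a spoofed reply from an attacker who has not seen packet #2 would carry) is dropped at the sequence number check. The model checks sequence numbers only during the handshake; the real ASA also tracks the window once data flows.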
UDP
• Connectionless protocol
• Efficient protocol for some services
• Resourceful but difficult to secure
UDP (cont.)
(Figure: a UDP exchange from inside host 10.0.0.3 to outside host 172.30.0.50, as seen on the private and public sides of the PIX Firewall; each packet is listed with its IP header addresses and UDP header ports.)
#1 inside host -> PIX Firewall (private network): src 10.0.0.3:1028 -> dst 172.30.0.50:45000
   The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
#2 PIX Firewall -> outside host (public network): src 192.168.0.20:1028 -> dst 172.30.0.50:45000
#3 outside host -> PIX Firewall (public network): src 172.30.0.50:45000 -> dst 192.168.0.20:1028
   The PIX Firewall follows the Adaptive Security Algorithm: (src IP, src port, dest IP, dest port) check, translation check. UDP responses from the outside are accepted only while the connection slot exists, that is, within the user-configurable UDP timeout (default = 2 minutes).
#4 PIX Firewall -> inside host (private network): src 172.30.0.50:45000 -> dst 10.0.0.3:1028
Static Translations
(Figure: Internet, perimeter router 192.168.0.1, PIX Firewall outside 192.168.0.2 and inside 10.0.0.1, DNS server 10.0.0.10.)
pixfirewall(config)# static (inside,outside) 192.168.0.18 10.0.0.10
• A packet from 10.0.0.10 leaves the outside interface with a source address of 192.168.0.18
• Permanently maps a single IP address
• Recommended for internal service hosts like a DNS server
Dynamic Translations
• Configures dynamic translations
– nat (inside) 1 0.0.0.0 0.0.0.0
– global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
(Figure: Internet, perimeter router 192.168.0.1, PIX Firewall outside 192.168.0.2 and inside 10.0.0.1, inside host 10.0.0.3; global pool 192.168.0.20-192.168.0.254.)
Connections vs. Translations
• Translations—xlate
– IP address to IP address translation
– 65,536 translations supported
• Connections—conns
– TCP or UDP sessions
xlate Command
pixfirewall(config)#
clear xlate [global_ip [local_ip]]
• The clear xlate command clears the contents of
the translation slots.
Summary
• The PIX Firewall manages the TCP and UDP protocols through the use of a translation table.
• Static translations assign a permanent global IP address to an inside host with the static command. Mapping between local and global addresses is done dynamically with the nat and global commands.
• Dynamic translations use NAT for local clients and their outbound connections and hide the client address from others on the Internet.
NAT terminology when using the PIX
NAT terminology
– an inside (or local) network is the network from which we translate addresses (local addresses)
– an outside (or global) network is the network to which we translate local addresses, which become global addresses
– a translation is a one-to-one mapped pair of (local, global) IP addresses
– a translation slot (xlate slot) is a software structure inside PIX/OS used to describe active translations
– a connection slot is a software structure inside PIX/OS describing an active connection (many connection slots can be bound to a translation slot)
– the translation table (xlate table) is the software structure inside PIX/OS containing all active translation and connection slot objects
NAT Example
(Figure: inside hosts 10.0.0.3 and 10.0.0.4 behind the PIX Firewall, telnet to 200.200.200.10 on the Internet.)
Inside:  src 10.0.0.3:49090 -> dst 200.200.200.10:23
Outside: src 192.168.0.20:49090 -> dst 200.200.200.10:23
Translation table
Inside Local IP Address    Global IP Pool
10.0.0.3                   192.168.0.20
10.0.0.4                   192.168.0.21
nat command
pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]
• The nat command defines which addresses can be translated.
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
global command
pixfirewall(config)# global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
• Works with the nat command to assign a registered or public IP address to an internal host with the same nat_id.
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
• When internal hosts access the outside network through the firewall, they are assigned addresses from the 192.168.0.20–192.168.0.254 range.
Two Interfaces with NAT (Multiple Internal Networks)
(Figure: Internet, pod perimeter router 192.168.0.1, PIX Firewall e0 outside .2 (security level 0) and e1 inside .1 (security level 100), inside networks 10.0.0.0/24 and 10.1.0.0/24; backbone, web, FTP, and TFTP server at 172.26.26.50.)
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.1.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.1-192.168.0.14 netmask 255.255.255.240
pixfirewall(config)# global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.240
• Use separate nat_ids to assign different global address pools.
• The mask in the nat command selects which local addresses are translated; the netmask in the global command is the subnet mask that applies to each global address, not a way of expressing the range (the range is always given explicitly).
• Note that 192.168.0.1 is also the perimeter router's address in this figure; in a real deployment the router's address must be excluded from the pool.
Three Interfaces with NAT
(Figure: Internet, pod perimeter router 192.168.0.1, PIX Firewall e0 outside .2 (security level 0), e1 inside .1 (security level 100), e2 dmz .1 (security level 50); inside network 10.0.0.0/24 with an inside host, web and FTP server at .3; DMZ 172.16.0.0/24 with a bastion host, web and FTP server at .2; backbone, web, FTP, and TFTP server at 172.26.26.50.)
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
• Inside users can start outbound connections to both the DMZ and the Internet.
• DMZ users can start outbound connections to the Internet.
Port Address Translation
(Figure: two inside hosts sharing the PAT global address 192.168.0.15 for telnet sessions to 172.30.0.50.)
Inside (before PAT)                          Outside (after PAT)
src 10.0.0.2:49090 -> dst 172.30.0.50:23     src 192.168.0.15:2000 -> dst 172.30.0.50:23
src 10.0.0.3:49090 -> dst 172.30.0.50:23     src 192.168.0.15:2001 -> dst 172.30.0.50:23
• Both hosts happen to use the same local source port (49090); the PIX Firewall keeps the sessions apart by assigning each a unique global source port.
PAT Example
(Figure: perimeter router 192.168.0.1, PIX Firewall outside 192.168.0.2 and inside 10.0.0.1, bastion host 172.16.0.2; inside networks Information systems 10.0.0.0, Engineering 10.0.1.0, Sales 10.0.2.0.)
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0
• Assign a single IP address (192.168.0.9) as the global pool; a single-address global is PAT
• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.9 for outgoing access (only 10.0.0.0/24 is covered by this nat statement; the 10.0.1.0 and 10.0.2.0 networks in the figure would need their own nat entries)
• The source port changes to a unique number greater than 1024
PAT Using Outside Interface Address
(Figure: perimeter router 192.168.0.1, PIX Firewall outside 192.168.0.2 and inside 10.0.0.1, bastion host 172.16.0.2; inside networks Information systems 10.0.0.0, Engineering 10.0.1.0, Sales 10.0.2.0.)
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 interface
• Use the interface option to enable use of the outside interface IP address as the PAT address.
• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.2 for outgoing access.
• The source port is changed to a unique number greater than 1024.
Augmenting a Global Pool with PAT
(Figure: perimeter router 192.168.0.1, PIX Firewall outside 192.168.0.2 and inside 10.0.0.1, bastion host 172.16.0.2; inside networks Information systems 10.0.0.0, Engineering 10.0.1.0, Sales 10.0.2.0.)
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.19 netmask 255.255.255.0
• When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20-192.168.0.254 range.
• When the addresses from the global pool are exhausted, PAT begins on 192.168.0.19 (the single-address global with the same nat_id).
• Make sure the PAT address is not part of the global pool.
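An added example of the nat/global assignment logic described on the last three slides (editorial code, not PIX software): one-to-one addresses are handed out from the pool while it lasts, then flows fall back to the PAT address with a unique source port above 1024, and the interface keyword uses the outside interface address. The command syntax follows the slides; the port allocator (next free port starting at 1025 per PAT address) and the two-address pool in the sample are assumptions made so that pool exhaustion is reached quickly.

```python
# Added example (not PIX code): nat/global address assignment with PAT fallback.
import ipaddress

class Translator:
    def __init__(self):
        self.nat = {}        # nat_id -> [local networks] from nat commands
        self.pools = {}      # nat_id -> free global addresses from global range commands
        self.pat = {}        # nat_id -> single PAT address (explicit or the interface address)
        self.xlate = {}      # local ip -> global ip (one-to-one dynamic NAT)
        self.pat_xlate = {}  # (local ip, local port) -> (pat ip, pat port)
        self.next_port = {}  # pat ip -> next source port to hand out (assumed allocator)

    def nat_cmd(self, nat_id, local_ip, netmask="0.0.0.0"):
        """nat (inside) nat_id local_ip netmask; '0 0' or '0.0.0.0 0.0.0.0' means all hosts."""
        if local_ip in ("0", "0.0.0.0"):
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
        self.nat.setdefault(nat_id, []).append(net)

    def global_cmd(self, nat_id, spec, interface_ip=None):
        """global (outside) nat_id {lo-hi | single address | interface}.

        The netmask keyword is the subnet mask of the global addresses and does
        not change which addresses are handed out, so it is not modelled here.
        """
        if spec == "interface":
            if interface_ip is None:
                raise ValueError("interface keyword needs the outside interface address")
            spec = interface_ip  # PAT using the outside interface address
        if "-" in spec:
            lo, hi = (int(ipaddress.ip_address(a)) for a in spec.split("-"))
            addrs = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
            if self.pat.get(nat_id) in addrs:
                raise ValueError("PAT address must not be part of the global pool")
            self.pools.setdefault(nat_id, []).extend(addrs)
        else:
            if spec in self.pools.get(nat_id, []):
                raise ValueError("PAT address must not be part of the global pool")
            self.pat[nat_id] = spec

    def _nat_id_for(self, local_ip):
        addr = ipaddress.ip_address(local_ip)
        for nat_id, nets in self.nat.items():
            if any(addr in n for n in nets):
                return nat_id
        return None

    def translate(self, local_ip, local_port):
        """Outbound flow (local ip, port) -> (global ip, port), or None if untranslatable."""
        if (local_ip, local_port) in self.pat_xlate:
            return self.pat_xlate[(local_ip, local_port)]
        if local_ip in self.xlate:
            return (self.xlate[local_ip], local_port)
        nat_id = self._nat_id_for(local_ip)
        if nat_id is None:
            return None  # no nat statement covers this host
        pool = self.pools.get(nat_id, [])
        if pool:  # one-to-one NAT while the pool lasts; the port is left alone
            self.xlate[local_ip] = pool.pop(0)
            return (self.xlate[local_ip], local_port)
        pat_ip = self.pat.get(nat_id)
        if pat_ip is None:
            return None  # pool exhausted and no PAT address configured
        port = self.next_port.get(pat_ip, 1025)  # "unique number greater than 1024"
        self.next_port[pat_ip] = port + 1
        self.pat_xlate[(local_ip, local_port)] = (pat_ip, port)
        return (pat_ip, port)

def augmented_pool_example():
    """The 'Augmenting a Global Pool with PAT' slide with a two-address pool (constructed)."""
    t = Translator()
    t.nat_cmd(1, "10.0.0.0", "255.255.255.0")
    t.global_cmd(1, "192.168.0.20-192.168.0.21")
    t.global_cmd(1, "192.168.0.19")
    hosts = ("10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6")
    return [t.translate(h, 49090) for h in hosts]
```

The overlap check in global_cmd is the "make sure the PAT address is not part of the global pool" rule from the slide: if the PAT address were also in the pool it could be handed out one-to-one to a host and then reused for PAT sessions from others.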
route
pixfirewall(config)#
route if_name ip_address netmask gateway_ip [metric]
• The route command defines a static or default route for an interface.
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
Other Configuration
Commands
• static
• conduit
• name
• fixup protocol
Statics and Conduits
• The static and conduit commands allow connections from a lower security interface to a higher security interface.
• The static command is used to create a permanent mapping between an inside IP address and a global IP address.
• The conduit command is an exception in the ASA's inbound security policy for a given host.
(Figure: Outside interface, security 0, to Inside interface, security 100.)
static Command
pixfirewall(config)# static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]
• Maps a local IP address to a global IP address
pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.3 netmask 255.255.255.255 0 1000
• A packet sent from 10.0.0.3 has a source address of 192.168.0.10
• Permanently maps a single IP address (external access)
• Recommended for internal service hosts
• In the example, max_conns 0 places no limit on connections to 10.0.0.3, while em_limit 1000 caps the half-open (embryonic) connections to it; norandomseq would turn off the TCP initial sequence number randomization for this translation and is normally left out
(Figure: perimeter router 192.168.0.1, PIX Firewall outside 192.168.0.2 and inside 10.0.0.1, inside host 10.0.0.3.)
conduit Command
pixfirewall(config)# conduit permit|deny protocol global_ip global_mask [operator port[port]] foreign_ip foreign_mask [operator port[port]]
• A conduit permits a specific TCP/UDP connection from an outside (foreign) host to the inside host behind a global IP address.
pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq ftp any
• The conduit statement is backwards from an ACL: the protected (global) address and port come first and the foreign source address last.
(Figure: perimeter router 192.168.0.1, PIX Firewall outside 192.168.0.2 and inside 10.0.0.1, inside host 10.0.0.3 reached as 192.168.0.10.)
Port Redirection
pixfirewall(config)# static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global_port local_ip local_port [netmask mask] [max_conns [emb_limit [norandomseq]]]
• Allows outside users to connect to a particular IP address or port and have the PIX redirect traffic to the appropriate inside server.
pixfirewall(config)# static (inside,outside) tcp 192.168.0.9 8080 172.16.0.2 www netmask 255.255.255.255 0 0
• The external user directs an HTTP port 8080 request to the PIX Firewall PAT address, 192.168.0.9. The PIX Firewall redirects this request to host 172.16.0.2 port 80.
• http://192.168.0.9:8080 (as seen from outside) reaches http://172.16.0.2:80 (the web server)
• The static alone does not admit the traffic; a conduit or ACL permitting TCP port 8080 to 192.168.0.9 is still needed.
Conduit Example
(Figure: Internet, 192.168.0.0/24, PIX Firewall e0 .2; e1 .1 on 10.0.0.0/24; e2 .1 on 172.16.0.0/24 with bastion host .2.)
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any
• The static maps the bastion host to 192.168.0.11 on the outside; the conduit permits TCP port 80 from any outside host to that global address.
Another Conduit Example
(Figure: Internet, 192.168.0.0/24, PIX Firewall e0 .2; e1 .1 on 10.0.0.0/24; e2 .1 on DMZ 172.16.0.0/24 with bastion host .2; e3 .1 on Partnernet 172.18.0.0/24.)
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec40
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# ip address partnernet 172.18.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any
pixfirewall(config)# static (dmz,partnernet) 172.18.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 172.18.0.11 eq http any
• The partnernet (security level 40) is lower than the DMZ (50), so partner hosts also need a static and a conduit to reach the bastion host; the same server is reached as 192.168.0.11 from the outside and as 172.18.0.11 from the partnernet.
Fixup Protocol Command
The PIX Firewall has a protocol fixup feature to recognize applications running on non-standard ports.
fixup protocol protocol port[-port]
NAT uses the fixup information for badly behaved protocols (those that carry IP addresses or negotiate secondary ports inside the application payload, such as FTP and SQL*Net) to handle those connections properly.
fixup protocol ftp 2021
fixup protocol sqlnet 1600
Attack Guards
The PIX Firewall has special handling for DNS and SMTP, enabled with the fixup protocol command.
fixup protocol dns port[-port]
fixup protocol smtp port[-port]
DNS Guard will only allow one response back to a query: the UDP connection slot is closed as soon as the first reply arrives, so later (spoofed or duplicated) answers are dropped.
SMTP (Mail Guard) will only allow the RFC 821 specified commands HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.
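An added example of the SMTP command filtering described above (editorial code, not the PIX Mail Guard implementation): only the seven RFC 821 commands the slide lists are forwarded, and lines inside a DATA transfer are treated as message body until the terminating "." line. The page does not say how the PIX answers a rejected command, so this model just records it; the session transcript is constructed.

```python
# Added example (not PIX code): a minimal SMTP command filter in the spirit of
# the Mail Guard attack guard.  Reply handling for rejected commands is not
# specified on the slides, so rejected lines are simply collected.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

def filter_smtp_session(client_lines):
    """Return (forwarded_lines, rejected_lines) for one client-to-server stream."""
    forwarded, rejected = [], []
    in_data = False
    for line in client_lines:
        if in_data:
            # Message body: passed through untouched until the lone "." terminator.
            forwarded.append(line)
            if line == ".":
                in_data = False
            continue
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in ALLOWED:
            forwarded.append(line)
            if verb == "DATA":
                in_data = True
        else:
            rejected.append(line)  # VRFY, EXPN, EHLO, TURN, ... never reach the server
    return forwarded, rejected
```

Note that EHLO is not on the RFC 821 list, so an ESMTP client behind such a guard is forced back to HELO, and extensions such as STARTTLS and AUTH that are negotiated after EHLO become unavailable; this is the usual reason the SMTP fixup is disabled on mail servers that need them.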
Defending against denial-of-service attacks
The PIX Firewall can defend against inbound SYN-flooding (excess connection requests) attacks with the option for a maximum number of embryonic (SYN only) connections per translation slot:
static (int_if_name, out_if_name) global_ip local_ip [max_conn [max_embr]] [norandomseq]
AAA and SYN Floodguards
AAA Floodguard protects against DoS attacks that exhaust the firewall with authorization requests. It is enabled by default.
floodguard enable | disable
SYN Floodguard protects against DoS half-open connection attacks and is configured through the connection limits on the nat and static commands:
nat (inside) 1 0 0 [max_conns [em_limit]]
static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255 [max_conns [em_limit]]
max_conns is the maximum number of connections permitted to the hosts covered by local_ip.
em_limit is the maximum number of embryonic (half-open) connections permitted to the hosts covered by local_ip; once it is reached, further SYNs to those hosts are dropped instead of consuming connection slots.
Summary
• The PIX Firewall has four administrative access modes: unprivileged, privileged, configuration, and monitor.
• Interfaces with a higher security level can access interfaces with a lower security level, while interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.
• The primary commands necessary to configure the PIX Firewall are the following: nameif, interface, ip address, nat, global, static, conduit, and route.
Summary (continued)
• The nat and global commands work together to hide internal IP addresses.
• The nat 0 command allows an address to go out of the PIX untranslated while still providing ASA security features for inbound requests.
• The static and conduit commands work together to provide access through the PIX.
• The PIX Firewall supports port redirection and has advanced protocol handling (fixup) features.
• The PIX Firewall has DoS attack guards and Floodguards.
Configuring Failover
Failover
(Figure: primary and secondary PIX Firewalls connected by the failover cable, both facing the Internet.)
The primary and secondary units must:
• be the same model number.
• have identical software versions and activation key types.
• have the same amount of Flash memory and RAM.
IP Address for Failover on PIX Firewalls
(Figure: primary PIX Firewall (active/standby, system IP/failover IP) and secondary PIX Firewall (standby/active, failover IP/system IP) attached to the same networks.)
• Outside 192.168.0.0/24: perimeter router .1, primary e0 .2, secondary e0 .7
• Inside 10.0.0.0/24: primary e1 .1, secondary e1 .7, inside host .3
• Whichever unit is active answers on the system IP addresses (.2 outside, .1 inside); the standby unit holds the failover IP addresses (.7).
Configuration Replication
Configuration replication occurs:
• When the standby firewall completes its initial bootup.
• As commands are entered on the active firewall.
• By entering the write standby command.
Failover and Stateful Failover
• Failover
– Connections are dropped.
– Client applications must reconnect.
– Provides redundancy.
• Stateful failover
– Connections remain active.
– No client applications need to reconnect.
– Provides redundancy and stateful connection.
failover Commands
pixfirewall(config)# failover
• The failover command enables failover between the active and standby PIX Firewalls.
pixfirewall(config)# failover ip address if_name ip_address
• The failover ip address command assigns the IP address that the standby PIX Firewall uses on the named interface.
pixfirewall(config)# failover ip address inside 10.0.0.4
pixfirewall(config)# failover link [stateful_if_name]
• The failover link command enables stateful failover over the named dedicated interface.
pixfirewall(config)# failover [active]
• The failover active command forces the PIX Firewall on which it is entered to become the active unit. Primary and secondary are fixed by the failover cable ends and do not change; active and standby are the roles that swap.
failover poll Command
pixfirewall(config)# failover poll seconds
• Specifies how long failover waits before sending special failover "hello" packets between the primary and standby units over all network interfaces and the failover cable.
pixfirewall(config)# failover poll 10
• Failover waits ten seconds before sending special failover "hello" packets.
show failover Command
Before failover:
pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
This host: Primary - Active
Active time: 360 (sec)
Interface dmz (172.16.0.1): Normal
Interface outside (192.168.0.2): Normal
Interface inside (10.0.0.1): Normal
Other host: Secondary - Standby
Active time: 0 (sec)
Interface dmz (172.16.0.4): Normal
Interface outside (192.168.0.4): Normal
Interface inside (10.0.0.4): Normal
Stateful Failover Logical Update Statistics
Link : dmz
After failover:
pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
This host: Primary - Standby
Active time: 0 (sec)
Interface dmz (172.16.0.4): Normal
Interface outside (192.168.0.4): Normal
Interface inside (10.0.0.4): Normal
Other host: Secondary - Active
Active time: 150 (sec)
Interface dmz (172.16.0.1): Normal
Interface outside (192.168.0.2): Normal
Interface inside (10.0.0.1): Normal
Stateful Failover Logical Update Statistics
Link : dmz
• After failover the newly active (secondary) unit has taken over the system IP addresses and the primary unit has moved to the failover IP addresses.
Summary
• The primary and secondary PIX Firewalls are the two firewalls used for failover. The primary PIX Firewall is usually active, while the secondary PIX Firewall is usually standby, but during failover the primary PIX Firewall goes on standby while the secondary becomes active.
• The configuration of the primary PIX Firewall is replicated to the secondary PIX Firewall during configuration replication.
• During failover, connections are dropped, while during stateful failover, connections remain active.
Access Control
Configuration and
Content Filtering
Access Control List
• An ACL enables you to determine what traffic will be allowed or denied through the PIX Firewall.
• ACLs are applied per interface (traffic is analyzed inbound relative to an interface).
• The access-list and access-group commands are used to create an ACL and bind it to an interface.
• The access-list and access-group commands are an alternative for the conduit and outbound commands.
ACL Usage Guidelines
• Higher to lower security level
– Use an ACL to restrict outbound traffic.
– The ACL source address is the actual (untranslated) address of the host or network.
• Lower to higher security level
– Use an ACL to restrict inbound traffic.
– The destination host must have a statically mapped address.
– The ACL destination address is the "global ip" assigned in the static command.
access-list Command
pixfirewall(config)# access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
• Enables you to create an ACL
• ACLs associated with IPSec are known as "crypto" ACLs
pixfirewall(config)# access-list dmz1 deny tcp 192.168.1.0 255.255.255.0 host 192.168.0.1 lt 1025
• ACL "dmz1" denies access from the 192.168.1.0 network to TCP ports less than 1025 on host 192.168.0.1
access-group Command
pixfirewall(config)# access-group acl_name in interface interface_name
• Binds an ACL to an interface
• The ACL is applied to traffic inbound to an interface
pixfirewall(config)# access-group dmz1 in interface dmz
• ACL "dmz1" is bound to interface "dmz"
ACLs Versus Conduits
(Figure: an ACL bound to one interface, and a conduit crossing from one interface to another.)
ACL
An ACL applies to a single interface, affecting all traffic entering that interface regardless of its security level.
Conduit
A conduit creates an exception to the PIX Firewall Adaptive Security Algorithm by permitting connections from one interface to access hosts on another.
It is recommended to use ACLs to maintain future compatibility.
Convert Conduits to ACLs
pixfirewall(config)# conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
pixfirewall(config)# access-list acl_name [deny | permit] protocol {src_addr | local_addr} {src_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
• global_ip = destination_addr
• foreign_ip = src_addr
pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq www any
pixfirewall(config)# access-list acl_in permit tcp any host 192.168.0.10 eq www
ACLs
pixfirewall(config)# nat (dmz) 1 0 0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# static (inside,dmz) 172.16.0.10 10.0.0.3 netmask 255.255.255.255
pixfirewall(config)# static (inside,dmz) 172.16.0.12 10.0.0.4 netmask 255.255.255.255
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.10 255.255.255.255 eq ftp
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 172.16.0.12 255.255.255.255 eq smtp
pixfirewall(config)# access-list 102 permit tcp 172.16.0.0 255.255.255.0 any eq www
pixfirewall(config)# access-group 102 in interface dmz
• Users on the DMZ are able to access the Internet (web), the internal FTP server (10.0.0.3, reached as 172.16.0.10), and the internal mail server (10.0.0.4, reached as 172.16.0.12); everything else entering the dmz interface is dropped by the implicit deny at the end of the ACL.
Deny Web Access to the Internet
(Figure: inside network, PIX Firewall, Internet; www blocked, other IP traffic permitted.)
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
• Denies web traffic on port 80 from the inside network to the Internet
• Permits all other IP traffic from the inside network to the Internet
• The ACL is applied inbound on the inside interface, so it sees the untranslated inside source addresses
Permit Web Access to the DMZ
(Figure: Internet, 192.168.0.0/24, PIX Firewall outside .2; inside .1 on 10.0.0.0/24; dmz .1 on 172.16.0.0/24 with the web server at .2.)
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside
• The ACL acl_in_dmz permits web traffic on port 80 from the Internet to the DMZ web server, addressed by its global address 192.168.0.11 from the static.
• The ACL acl_in_dmz denies all other IP traffic from the Internet.
icmp Command
pixfirewall(config)# icmp permit | deny [host] src_addr [src_mask] [type] int_name
• Controls ICMP traffic that terminates on a PIX Firewall interface, for example whether the interface answers pings (it does not filter ICMP passing through the firewall)
pixfirewall(config)# icmp deny any echo outside
pixfirewall(config)# icmp permit any unreachable outside
• All ping requests (ICMP echo) addressed to the outside interface are denied, and all unreachable messages are permitted at the outside interface
Summary
• ACLs enable you to determine which systems can establish connections through your PIX Firewall.
• Cisco recommends migrating from conduits to ACLs.
• Existing conduits can easily be converted to ACLs.
• With the icmp command, you can disable pinging to a PIX Firewall interface so that the PIX Firewall does not answer pings on that network.
• The PIX Firewall can work with URL-filtering software to control and monitor Internet activity.