If you’re using Windows 2000 (service pack 4 and higher), HyperTerminal is included. To access it, go to Start > Programs > Accessories > Communications, and click the HyperTerminal icon. When the program starts, type in “PIX.” At the bottom of the box, select COM 1. In Properties, select 9600 bits per second; data bits: 8; parity: none; stop bits: 1; and flow control: none.

If you’re using the console to configure your PIX for the first time, you should see a message that says:

Pre-configure PIX Firewall now

through interactive prompts? [yes]?

Hit the Control-Z keys, and you’ll see the prompt. The “>” sign tells you that you’re in unprivileged mode, and that you can only view your current configuration. In order to change settings, you’ll have to switch to privileged mode. To do this, type “en” at the prompt. (You’ll see the hash symbol “#” when you’re in privileged mode.) It should look like this:

pixfirewall#

Wait a second: We haven’t entered a password yet. To do this, hit Return again to get to the prompt and enter a password.

Configuration Time

Because your router is “out of the box,” it has no default configuration. It doesn’t know its place in the universe, nor does it know what type of traffic you’d like it to forward or restrict. To tell it these things, we’ll go into “configure terminal” mode (or “conf t” for short). At the prompt, enter:

pixFirewall#config t

Now the prompt should look like this:

pixFirewall (config)#

The router, on the other hand, has no configuration (because we cancelled out of the setup). Any time you’d like to see the configuration, type the following at the command prompt:

pixFirewall(config)# wr t 

You should see it spit out something like the following:

PIX Version 6.3(3)
interface ethernet0 auto shutdown
interface ethernet1 100full shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
<— More —>

Hit the space bar to continue, and you should see:

pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
no ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00
h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no -server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
[OK]
pixfirewall(config)#

Assigning a Password

Fresh out of the box, a PIX firewall doesn’t have a password, so let’s assign one now. Type “enable password” and then enter a password. In our example, we’ll use the word “techst0ck.”

pixFirewall(config)# enable password techst0ck

Now we’ll bring up those two interfaces, as out of the box, they’re down.

pixFirewall(config)# interface ethernet0 auto
pixFirewall(config)# interface ethernet1 100full

You can see the status of these interfaces by typing:

pixFirewall(config)# show interfaces

That command will give you this:

interface ethernet0 “outside” is up, line protocol is up
Hardware is i82559 ethernet, address is 0011.92c5.6b92
MTU 1500 bytes, BW 100000 Kbit full duplex
28354 packets input, 2040341 bytes, 0 no buffer
Received 28383 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/0) software (0/0)
interface ethernet1 “inside” is up, line protocol is up
Hardware is i82559 ethernet, address is 0011.92c5.6b94
MTU 1500 bytes, BW 100000 Kbit full duplex
246 packets input, 29521 bytes, 0 no buffer
Received 246 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks):
hardware (128/128) software
(0/1) output queue (curr/max blocks):
hardware (0/0) software (0/0)

Now that the interfaces are up, it’s time to assign both an inside and an outside IP address. It is between these two addresses that your PIX will permit or deny traffic, so if this step isn’t done correctly, traffic cannot come in or leave your network correctly.

Let’s assume you assign your outside address dynamically (for instance, your ISP automatically assigns you an IP address). To let your ISP autoassign one, type:

pixfirewall(config)# ip address outside dhcp

If there is a DHCP server upstream from you that is properly configured to lease you an IP address, you’ll get a message similar to this one:

Allocated IP address =12.110.110.91, netmask =255.255.252.0, gateway = 12.110.110.1

If this doesn’t work, then you’ll need to manually assign your IP address on ethernet0. If your ISP told you your IP address is, say, 12.110.110.91/24, then you’d type in this:

pixFirewall(config)# ip address
outside 12.110.110.91
255.255.255.0

Once you’ve finished, you’ll need to set the IP addresses of the inside (ethernet1) interface as well.

pixFirewall(config)# ip address inside 10.1.1.1 255.255.255.0

The 10.x.y.z address we choose is a private IP address (also called a non-routable IP). We could’ve a chosen a wide range of IP addresses (10.0.0.0 through 10.255.255.255; 172.16.0.0 through 172.31.255.255; or 192.168.0.0 through 192.168.255.255), but we arbitrarily chose 10.1.1.0.24.

If everything goes according to plan, type:

pixFirewall(config)# show ip address

You’ll get something like this:

System IP Addresses:
ip address outside 12.110.110.91
255.255.252.0
ip address inside 10.1.1.1
255.255.255.0
Current IP Addresses:
ip address outside 12.110.110.91
255.255.252.0
ip address inside 10.1.1.1
255.255.255.0

Ethernet Considerations

In order for our inside (Ethernet1) and outside (Ethernet0) interfaces to work, they need to be configured properly with global addresses, NAT (network address translation), and routing. Without these, your PIX is just a box with two IP addresses and no way to translate inbound traffic to your public IP or public traffic to your internal addresses.

The PIX 501 is the smallest model from Cisco, so we’ll assume that your network isn’t too large. In this example, we’re only going to NAT your one public IP. Theoretically, you can NAT 254, although you’re limited to 10 devices unless you buy an upgrade license.

If you use DHCP, then you’ll need to configure the PIX to route outgoing traffic. Since it’s DHCP, we don’t really know where that is, as our ISP may very well decide to change our IP address without telling us. In this case, we’ll need to type in the following line:

pixfirewall(config)# ip address
outside dhcp setroute

If all went well, you should see something like this:

Allocated IP address =
12.110.110.91, netmask =
255.255.252.0, gateway =
>12.110.110.1

If all didn’t go as planned, you’ll have to manually add your route:

pixFirewall(config)# route outside
0.0.0.0 0.0.0.0 12.110.110.1

To double-check that route, type:

pixFirewall(config)# sh route

And, in the case of our first DHCP example, you should get something similar to the following:

pixfirewall(config)# sh route
outside 0.0.0.0 0.0.0.0
12.110.110.1 1 DHCP static
outside 12.110.110.0
255.255.252.0 66.215.246.91 1
CONNECT static
inside 10.1.1.0 255.255.255.0
10.1.1.1 1 CONNECT static

Now that the PIX knows what to do with outgoing traffic (send it upstream to another router), we now need to give it specific instructions on how to translate traffic between the two interfaces. Use this command to make that happen:pixfirewall(config)# nat (inside) 1
10.1.1.0 255.255.255.0
pixfirewall(config)# global
(outside) 1 interface

If you did this correctly, the second line will give the message:

outside interface address added to PAT pool

Now your PIX has been configured to translate traffic between your public (12.110.110.91) address and your private 10.1.1.0/24 network. The only thing left now is to configure the DHCP server on the internal interface. Doing so will allow the PIX to automatically assign IP addresses to those on your network; similar to the way an ISP automatically assigns IPs to its users. To do this, follow these instructions:

pixfirewall(config)# dhcpd address 10.1.1.32-10.1.1.63 inside
pixfirewall(config)# dhcpd dns 4.2.2.1 4.2.2.2
pixfirewall(config)# dhcpd lease 3600
pixfirewall(config)# dhcpd ping_timeout 750
pixfirewall(config)# dhcpd enable inside

One note on the DHCP server configuration above is that you may have to obtain DNS numbers from your provider. If you don’t have those numbers readily available or aren’t sure what to do, you can use 4.2.2.1 and 4.2.2.2. The only problem is that these numbers might not quickly resolve your Web pages as your own ISP, so you should consider using numbers your ISP provides.

If all has gone well up to this point, computers that are plugged into the back of your PIX (in slots 1 through 4) should have no problem getting on the Internet. In fact, if you go to any of these computers and (assuming you’re running Windows 2000 or Windows XP) go to Start>Run and type “cmd,” you can test the connection. At the prompt, type:

C:ipconfig

Your IP address, which should lie somewhere between 10.1.1.32 and 10.1.1.63, should be displayed if your network settings were configured to obtain an IP automatically. If an IP address showed up, type:

C:ping 10.1.1.1

And you should get a response similar to this:

Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time<10ms TTL=255
Reply from 10.1.1.1: bytes=32 time<10ms TTL=255
Reply from 10.1.1.1: bytes=32 time<10ms TTL=255
Reply from 10.1.1.1: bytes=32 time<10ms TTL=255
Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Saving Your Configuration to Memory

If all went well, and your DNS is properly working, you should be able to open your browser and surf the Internet as usual. If that’s the case, let’s proceed to saving the running configuration to memory.

pixFirewall(config)# wr m
Building configuration…
Cryptochecksum: 2083012d dc56002e ebb9e5d3 f405a373
[OK]

Security Considerations

At this point, the question often arises, “How secure am I?” The answer: Not nearly as secure as you’ll ultimately want to be. Thanks to Cisco’s Adaptive Security Algorithm ( ASA), the firewall settings are similar to the default settings of a home Linksys or Netgear router: All outbound traffic is permitted (unless expressly prohibited), and all inbound traffic is denied (unless expressly permitted). Your network will no doubt need much more security than this, so you will need to either read through Cisco’s documentation or hire a networking consultant.

If you’re curious about Cisco’s ASA settings, type in “wr t” from the command line and you’ll see something like this:

Building configuration…
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

In the end, the “security0” and “security100” both specify the security level of each interface. Cisco’s ASA allows traffic to pass from trusted (100) to untrusted (0), but not the reverse. With our configuration, internal traffic can pass freely to the outside because its security level is higher.If you host a Web server, and most, if not all, of your traffic is coming from the outside, how do you let that traffic in? The answer lies with Cisco’s use of Access Control Lists (ACLs). An in-depth look at how ACLs work is beyond the scope of this article, but Cisco’s Using PIX Firewall Commands can help you configure the firewall. And if you’re really stuck, consider hiring a professional network administrator.

At best, poorly configured ACLs can mean sporadic connectivity; at worst, it can mean huge security breaches in your network. What’s especially dangerous for new network administrators is the temptation to do things a certain way because “it works.” In a desperate effort to make things work, they often create ACLs that are too permissive, leaving open big holes for malicious hackers or crackers to exploit.