Tips for Implementing a PIX Firewall at Your Company

The Cisco PIX 501 is a highly recommended firewall for small businesses. After unboxing, you can get up and running with just a few simple configuration entries.

In this tutorial, you will learn how to set up a PIX at the edge of your network.

If you’re unfamiliar with the PIX firewall, this guide is for you. It is not a comprehensive reference on network security but a concise, no-nonsense manual for setting up a PIX firewall.

This guide assumes you connect to the Internet through a static IP address. The PIX is preconfigured to work with a dynamic IP address, but without a static address you’ll have trouble setting up services such as remote access, VPNs, email, and web servers.

Your PIX should have shipped with a power supply, two CAT5 cables (one yellow and one orange), and a flat, usually light blue, cable with a 9-pin serial connector on one end and an RJ-45 plug on the other.

The PIX has a built-in 4-port Ethernet switch, which you connect to your computer or server using a standard straight-through Ethernet cable (the yellow CAT5). Connecting the PIX’s outside interface to your ISP’s router may require a cross-over cable, such as the orange CAT5; the same applies if your internal computers and workstations hang off a separate Cisco switch that you uplink to the PIX.

For the initial setup we’ll use the light blue rollover cable. Plug its serial connector into a serial port on the back of your computer or laptop, and insert the RJ-45 plug into the port labelled “console” on the rear of the PIX.

Windows includes a program for talking to serial devices: HyperTerminal. Open it by clicking Start, then Programs, Accessories, Communications, and finally HyperTerminal.

Choose HyperTerminal. You may be asked whether to make HyperTerminal your default telnet client; if you don’t have a strong preference, select Yes.

Although it isn’t needed here, the application then asks for the area code you are dialing from; enter it and click “Next” or “OK.”

You’ll next be asked to name the connection. We’ll use PIX as an example, but you can choose any name. Click “OK” to continue.

The next screen asks for a phone number. Since we aren’t dialing one, ignore the number fields and use the selector at the bottom of the box to choose COM1 or COM2. You may have to try both before you can tell which port your cable is on.

You must now tell the application the port settings it needs to communicate with the PIX.

The good news is that they are easy to remember: 9600 (bits per second), 8 (data bits), none (parity), 1 (stop bits). Set these in the drop-down menus of the port settings box.

We can now begin configuring the PIX. Once you plug in the power cable, the boot messages will scroll by (this is not a dialog, just the PIX telling you what it is doing).

Then a prompt will ask whether you want to configure the PIX through interactive on-screen prompts. Type “no” and press Enter.

A prompt like this one will now appear:
pixfirewall>
Type “enable” (without quotation marks) and press Enter. When prompted for a password, just press Enter again, since no password is set by default.

The prompt now ends in a hash sign, which marks privileged mode:
pixfirewall#
To enter global configuration mode from the terminal, type “configure terminal” (without quotation marks).

From here on, your prompt will look like this:
pixfirewall(config)#

Our first order of business is to give the PIX a hostname. The syntax of the command is:
hostname <name>

So we type:
pixfirewall(config)# hostname pix

As for the domain name, you may use any name you wish if you don’t already have a domain set up. However, plan your naming scheme with a possible future domain in mind:
pixfirewall(config)# domain-name mydomain.com

In the default configuration, ethernet0 is the public (outside) interface with a security level of 0, while ethernet1 is the private (inside) interface with a security level of 100. The interfaces are also shut down by default. To bring them up, we specify the desired speed and duplex. Since these are Ethernet ports, software versions 6.3(3) and later should use 100full, while earlier versions should stick to 10full.

To configure the Ethernet interfaces, type:
pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full

The ip address command sets the IP address of a network interface, inside or outside. The syntax is:
ip address <interface_name> <ip_address> <netmask>

For example (this address and netmask combination is for demonstration only; use the address and mask assigned to you by your Internet service provider):
pixfirewall(config)# ip address outside 12.25.241.2 255.255.255.252

Then set the address of the inside interface:
pixfirewall(config)# ip address inside 192.168.0.1 255.255.255.0

A quick note on IP addresses.

As described in RFC 1597, non-routable address blocks exist to conserve public IP addresses. It’s fine to call them “private” IP addresses, although that isn’t technically correct. There are three blocks available:
* 10.0.0.0 through 10.255.255.255, netmask 255.0.0.0
* 172.16.0.0 through 172.31.255.255, netmask 255.255.0.0
* 192.168.0.0 through 192.168.255.255, netmask 255.255.255.0

If all of the IP addresses in your network fall within one of those ranges, you won’t have to deal with the hassle of intra-LAN routing. For the uninitiated, an example plan is provided below:
* PIX (inside): 192.168.0.1, netmask 255.255.255.0
* File/DHCP server: 192.168.0.2, netmask 255.255.255.0
* Workstations: 192.168.0.10 through 192.168.0.254, netmask 255.255.255.0
You don’t have to follow my lead and exclude the addresses in the range 192.168.0.3–9 if you don’t want to, but I did so that I could prepare for potential growth and the eventual need for additional servers.
* Using the DNS servers given by your Internet service provider, set up your DHCP server to hand out addresses within the workstation range. If you ever set up a name server on your local network, you must update this. You can avoid setting up a DHCP server by manually assigning an IP address, gateway, netmask, and DNS servers to each computer.
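The addressing rules above (every host in one non-routable block, everything on the PIX’s inside subnet so no intra-LAN routing is needed, and statically assigned servers kept out of the DHCP pool) are easy to get wrong by hand. The following Python script is an added example, not part of the original article, that checks a plan against those rules; the sample plan is constructed to mirror the article’s example, and the 172.16.0.0/12 block used for the private-address test is the aggregate RFC 1918 reservation rather than the per-/16 mask the article lists.

```python
import ipaddress

# RFC 1918 ("non-routable") blocks. The article lists 172.16-172.31 with a
# 255.255.0.0 mask; the aggregate block reserved is 172.16.0.0/12, used here.
RFC1918_BLOCKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample plan mirroring the article's example (not a real network).
# Each host is written as address/prefix so its netmask travels with it.
PLAN = {
    "PIX inside": "192.168.0.1/24",
    "File/DHCP server": "192.168.0.2/24",
}
# Inclusive range the DHCP server hands out to workstations.
DHCP_POOL = ("192.168.0.10", "192.168.0.254")


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def check_plan(plan: dict, pool: tuple, gateway_name: str = "PIX inside") -> list:
    """Return a list of problems found in an addressing plan (empty = consistent).

    Checks that every address is private, that every host shares the subnet of
    the PIX inside interface, that the DHCP pool lies inside that subnet, and
    that no statically assigned host sits in the pool where the DHCP server
    could hand the same address to a workstation.
    """
    problems = []
    subnet = ipaddress.ip_interface(plan[gateway_name]).network

    for name, cidr in plan.items():
        iface = ipaddress.ip_interface(cidr)
        if not is_private(str(iface.ip)):
            problems.append(f"{name}: {iface.ip} is not in an RFC 1918 block")
        if iface.network != subnet:
            problems.append(f"{name}: {iface.network} differs from the PIX subnet {subnet}")

    start, end = (ipaddress.ip_address(a) for a in pool)
    if start > end:
        problems.append(f"DHCP pool start {start} is after its end {end}")
    if start not in subnet or end not in subnet:
        problems.append(f"DHCP pool {start}-{end} is not inside {subnet}")
    for name, cidr in plan.items():
        ip = ipaddress.ip_interface(cidr).ip
        if start <= ip <= end:
            problems.append(f"{name}: {ip} overlaps the DHCP pool {start}-{end}")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN, DHCP_POOL) or ["plan is consistent"]:
        print(line)
```

Run it after editing PLAN and DHCP_POOL to match your own network; an empty result means the plan satisfies all four rules, and each reported line names the host or pool entry that breaks one.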

Putting a default route into the PIX configuration is crucial at this point. “Default route” is a synonym for “default gateway.” When the PIX receives traffic for a network that is not directly connected, you must instruct it to forward that traffic to the ISP’s router. Your Internet service provider (ISP) should have included the IP address of your default gateway with the rest of your connection details.

The syntax is as follows:
route <interface_name> <network> <netmask> <gateway> [<metric>]
Packets destined for the network given by <network> and <netmask> are sent out <interface_name> to the next hop <gateway>; the optional <metric> sets the administrative distance of the route.

For instance, to make the ISP’s default gateway the outbound path, enter the following (substituting the gateway address your ISP gave you for the placeholder):
pixfirewall(config)# route outside 0 0 <ISP gateway address> 1
That is: packets headed to any IP address with any netmask are sent out the outside interface to the ISP device the PIX is attached to.

Protect your PIX with a strong, hard-to-guess password to keep intruders out. Passwords should not contain obvious information such as your name, your children’s names, your dog’s name, birthdays, and so on. Use mixed alphanumeric combinations rather than just numerals. Here’s how it looks (but don’t use “cisco” as your actual password):
pixfirewall(config)# passwd cisco
This sets the login password (note the shortened spelling of “password”; remember the pixfirewall> prompt?).
pixfirewall(config)# enable password cisco
This sets the password for privileged (enable) mode.
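The whole procedure, collected into one console session as an added example (this transcript is not from the original article). It assumes the outside /30 shown earlier, so the ISP router is taken to be 12.25.241.1 (an assumption; use the gateway your ISP gave you), and the two passwords are placeholders to be replaced with your own. Note that after “hostname pix” the prompt changes to reflect the new name, and that “route outside 0 0 …” is shorthand for the all-zero network and netmask written out below.

```text
pixfirewall> enable
Password:                         <- press Enter; no password is set yet
pixfirewall# configure terminal
pixfirewall(config)# hostname pix
pix(config)# domain-name mydomain.com
pix(config)# interface ethernet0 100full
pix(config)# interface ethernet1 100full
pix(config)# ip address outside 12.25.241.2 255.255.255.252
pix(config)# ip address inside 192.168.0.1 255.255.255.0
pix(config)# route outside 0.0.0.0 0.0.0.0 12.25.241.1 1
pix(config)# passwd <login-password>
pix(config)# enable password <enable-password>
pix(config)# write memory
pix(config)# show route
```

“write memory” saves the running configuration to flash so it survives a reboot; without it, everything above is lost the next time the PIX loses power. “show route” and “show running-config” let you confirm that the default route and every other line took effect before you unplug the console cable.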

With that, the PIX has the minimum configuration needed to allow Internet access while keeping unauthorized users out.

Ron Jones is the founder and president of The Fulcrum Technology Group, Inc. (http://www.fulcrumtechnologygroup.com), a consulting firm located north of Atlanta that focuses on providing businesses with technology solutions that increase productivity, enhance reliability, and cut costs to maintain a competitive edge.
