When you think about the role of the PIX firewall in an SMR example, it might be segregating traffic inside the edge (creating a DMZ, for instance) and it might be terminating IPSec tunnels (quite possibly with NAT), which dovetails with the previous example of the perimeter router. We cover the basic traffic segregation first and then discuss configuring the PIX for NAT and tunnel termination.

Traffic Segregation

The PIX (originally Private Internet Exchange) firewall uses the Adaptive Security Algorithm (ASA) to manage traffic passing through it. Outbound connections (from a higher to a lower security level) are ordinarily allowed unless they are specifically denied, and the stateful traffic monitoring allows the response traffic to come back in. However, unsolicited traffic from a lower to a higher security level is denied unless specifically permitted. The security level is set on a per-interface basis, with a range of 0 to 100 (typical settings are 0 for the outside, 50 for the DMZ, and 100 for the inside interfaces). Specifically permitting incoming traffic can be done in two ways: with conduits and static mappings (old), or with access lists (new, beginning with PIX release 5.0(1)). ACLs are now preferred over conduits (static address mappings, usually just called statics, are required with conduits because the outside host must have a reliable address to seek out). Conduits grant access based on the same basic kind of criteria as ACLs (source and destination address, destination port, and protocol). The latter, of course, offers many refinements (such as time-of-day access) that conduits do not. Although both types of expression are valid in configuring a PIX, expect to see ACLs favored in Cisco documentation as part of the more extensive use of IOS syntax. However, PIX ACLs do not use wildcard masks (as IOS ACLs do); they use network masks.
NAT on a PIX

To configure NAT on the PIX, you must designate the inside addresses to be NATed and the global address pool (or single address for PAT) to be used. To use the situation in Figure 9.3 again, assuming that you have only one outbound IP address (global address) of 192.168.47.3 (192.168.47.2 is the interface address only) and you want to allow all inside users outbound access, your NAT commands would look like this:
This is very simple and easy; the NAT ID (1, in this case) ties the two commands together. You could have been lazy and used 0 0 in the first command to specify all hosts, but suppose that someone compromised a host on this network and it started sending traffic with spoofed source IP addresses. It is better to be safe than sorry: specify the inside hosts that are to be NATed. It is quite possible that the PIX end of the connection might be the larger network and would have multiple global addresses available. In that case, the second command would change to global (outside) 1 192.168.47.3-192.168.47.30 netmask 255.255.255.0. That covers the basics of NAT on a PIX firewall; it is discussed in more detail, of course, on the Advanced PIX Firewall Configuration Exam.

IPSec on a PIX

Configuring IPSec on a PIX is very similar to configuring it on a router, with just enough differences to keep you alert. There are two basic processes to configure, ISAKMP and IPSec. To take them in the same order used on the router, three steps are involved for the ISAKMP process:
For IPSec configuration, there are six steps (two of which are optional but recommended), again not in a required order; they are listed here in a useful order:
For this example, to match the IKE configuration created on the perimeter router, you would use this:
Now, to match the IPSec configuration:
Note that the last command does not include the crypto-map ID; that's an easy mistake to make. Also, saving your configuration on the PIX is not the same as in the IOS: use write memory instead (or configure memory if you want to merge the new configuration with the existing one). If you will terminate a number of tunnels on a PIX, you might want to consider using the VPN Accelerator Card, which offloads the VPN functions from the main system. This card has been supported since PIX release 5.3(1) (with a DES or 3DES license). If your software is older than that, consider upgrading it to use the new hardware. Configuring the PIX to be the other end of the example is a little more tedious than it was on the router. Setting up VPNs using the VPN concentrator and VPN client is rather different.
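Because the configuration listings for the NAT and IPSec sections above did not survive on this page, here is an added example in PIX 6.x syntax (not the book's own listing) that puts the NAT commands, the three ISAKMP steps and the IPSec steps together on one PIX. It keeps the 192.168.47.3 global address and NAT ID 1 from the text; the inside network 10.1.1.0/24, the remote network 10.2.2.0/24, the peer address 192.168.47.1, the 3DES/SHA/group 2 policy, the lifetimes, the names and the key placeholder are assumptions, since neither Figure 9.3 nor the router's IKE policy is on this page (comment lines use the colon, which is the PIX comment prefix).

```text
: Added example, not the book's listing. 192.168.47.3 and NAT ID 1 are from the text;
: the inside/remote networks, peer, policy values, names and key are assumed.

: NAT: name the inside hosts explicitly rather than 0 0, then the single global address
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.47.3 netmask 255.255.255.0

: Traffic bound for the remote site must bypass NAT so the tunnel carries real addresses
access-list VPN_TRAFFIC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list VPN_TRAFFIC

: ISAKMP, three steps: enable it on the interface, define the policy, set the peer's key
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key REPLACE_WITH_SHARED_SECRET address 192.168.47.1 netmask 255.255.255.255

: IPSec: transform set, crypto map entry, then bind the map to the outside interface
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map SMR_MAP 10 ipsec-isakmp
crypto map SMR_MAP 10 match address VPN_TRAFFIC
crypto map SMR_MAP 10 set peer 192.168.47.1
crypto map SMR_MAP 10 set transform-set STRONG
crypto map SMR_MAP 10 set security-association lifetime seconds 28800
: Let decrypted tunnel traffic in without a separate conduit or ACL on the outside
sysopt connection permit-ipsec
: No crypto-map ID on this line, as the text warns
crypto map SMR_MAP interface outside

: PIX saves with write memory, not the IOS copy command
write memory
```

The ISAKMP policy values and transform set must match whatever the perimeter router was given, or phase 1 or phase 2 negotiation will fail; check with show isakmp sa and show crypto ipsec sa after bringing interesting traffic up.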