The PIX Firewall

When you think about the role of the PIX firewall in an SMR example, it might be segregating traffic inside the edge (creating a DMZ, for instance), and it might be terminating IPSec tunnels (quite possibly with NAT), which dovetails with the previous example of the perimeter router. We cover the basic traffic segregation first and then discuss configuring the PIX for NAT and tunnel termination.

Traffic Segregation

The PIX (originally Private Internet Exchange) firewall uses the Adaptive Security Algorithm (ASA) to manage traffic passing through it. Outbound connections (from a higher to a lower security level) are ordinarily allowed unless they are specifically denied, and stateful inspection of those connections allows their response traffic back in. Unsolicited traffic from a lower to a higher security level, however, is denied unless it is specifically permitted. The security level is set per interface, in the range 0 to 100 (typical settings are 0 for the outside, 50 for the DMZ, and 100 for the inside interface).

Specifically permitting incoming traffic can be done in two ways: with conduits and static mappings (the older method), or with access lists (the newer method, available beginning with PIX release 5.0(1)). ACLs are now preferred over conduits. (Static address mappings, usually just called statics, are required with conduits because the outside host must have a fixed address to connect to.) Conduits grant access on the same basic criteria as ACLs (source and destination address, destination port, and protocol), but ACLs offer refinements (such as time-of-day access) that conduits do not. Although both forms are valid in a PIX configuration, expect to see ACLs favored in Cisco documentation as part of the more extensive use of IOS syntax. Note, however, that PIX ACLs do not use wildcard masks as IOS ACLs do; they use network masks, so the /24 that an IOS ACL writes as 0.0.0.255 is written 255.255.255.0 on the PIX.

NAT on a PIX

To configure NAT on the PIX, you must designate the inside addresses to be NATed and the global address pool (or single address for PAT) to be used. To use the situation in Figure 9.3 again, assuming that you have only one outbound IP address (global address) of 192.168.47.3 (192.168.47.2 is the interface address only) and you want to allow all inside users outbound access, your NAT commands would look like this:

  1. nat (inside) 1 172.20.32.0 255.255.255.0

  2. global (outside) 1 192.168.47.3

This is very simple; the NAT ID (1, in this case) ties the two commands together. You could have been lazy and used 0 0 in the first command to specify all hosts, but suppose that someone compromised a host on this network and it began sending traffic with spoofed source IP addresses: with 0 0, those packets would be translated and forwarded as readily as legitimate ones. It is better to be safe than sorry: specify the inside networks that are to be NATed.

It is quite possible that the PIX end of the connection is the larger network and has multiple global addresses available. In that case, the second command would change to global (outside) 1 192.168.47.3-192.168.47.30 netmask 255.255.255.0. That covers the basics of NAT on a PIX firewall; it is discussed in more detail, of course, on the Advanced PIX Firewall Configuration Exam.

IPSec on a PIX

Configuring IPSec on a PIX is very similar to configuring it on a router, with just enough differences to keep you alert. There are two basic processes to configure, ISAKMP and IPSec. Taking them in the same order used on the router, the ISAKMP process involves three steps:

  1. Enable ISAKMP.

  2. Create the key to be used with a given peer address.

  3. Create the ISAKMP policy.

For IPSec configuration, there are six steps (two of which are optional but recommended). Again, no particular order is required; they are listed here in a useful order:

  1. Create the crypto access list (define the traffic to be encrypted).

  2. Allow incoming IPSec traffic to bypass the ACL or conduit checks (if desired; you are deciding to implicitly trust all traffic arriving over the IPSec tunnel).

  3. Create the transform set.

  4. Set the SA lifetime in seconds (if you do not want to use the PIX default of 28,800 seconds; recall that the router's default IPSec SA lifetime is 3600 seconds, so 1 hour might be a better choice than 8 hours if security is a strong concern).

  5. Create the crypto map.

  6. Apply the crypto map to the appropriate interface.

For this example, to match the IKE configuration created on the perimeter router, you would use this:

  1. isakmp enable outside

  2. isakmp key nitT4agM#0C2%5 address 192.168.12.1 netmask 255.255.255.255

  3. isakmp policy 13 authentication pre-share

    isakmp policy 13 hash md5

    isakmp policy 13 group 1

Now, to match the IPSec configuration:

  1. access-list ch9 permit ip 172.20.32.0 255.255.255.0 172.18.24.0 255.255.255.0

  2. sysopt connection permit-ipsec

  3. crypto ipsec transform-set example esp-des esp-md5-hmac

  4. crypto ipsec security-association lifetime seconds 3600

  5. crypto map ch9_example 13 ipsec-isakmp

    crypto map ch9_example 13 match address ch9

    crypto map ch9_example 13 set peer 192.168.12.1

    crypto map ch9_example 13 set transform-set example

  6. crypto map ch9_example interface outside

Note that the last command does not include the crypto map sequence number (13); putting it there is an easy mistake to make. Also, saving your configuration on the PIX is not the same as in IOS: use write memory. (Do not confuse it with configure memory, which goes the other way, merging the configuration saved in Flash into the running configuration.)
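As an added check for both the NAT statements earlier in this section and the crypto configuration just shown (example code written for this page, not from the book or from Cisco), the following Python script parses the PIX commands from the text, flags the nat ... 0 0 shortcut, verifies that the crypto map's ACL, transform set, peer, ISAKMP key and interface binding all resolve, and derives the router-side crypto ACL, which must be the mirror image of the PIX ACL with PIX network masks converted to IOS wildcard masks. The IOS ACL name ch9_router, the named extended ACL form, and the combined configuration text are assumptions; the lifetime line is written with the seconds keyword that the PIX command takes.

```python
"""Sanity-check a PIX NAT and IPSec configuration before it goes on the box.
Added example for this chapter, not code from the book or from Cisco: parses the
commands shown in the text, flags the "nat ... 0 0" shortcut, checks that every
reference in the crypto map resolves, and derives the router's mirror ACL.
"""
import ipaddress

# Constructed input: the NAT and IPSec commands from the text as one config.
# The lifetime line is written with the "seconds" keyword the command takes.
PIX_CONFIG = """
nat (inside) 1 172.20.32.0 255.255.255.0
global (outside) 1 192.168.47.3
isakmp enable outside
isakmp key nitT4agM#0C2%5 address 192.168.12.1 netmask 255.255.255.255
isakmp policy 13 authentication pre-share
isakmp policy 13 hash md5
isakmp policy 13 group 1
access-list ch9 permit ip 172.20.32.0 255.255.255.0 172.18.24.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set example esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map ch9_example 13 ipsec-isakmp
crypto map ch9_example 13 match address ch9
crypto map ch9_example 13 set peer 192.168.12.1
crypto map ch9_example 13 set transform-set example
crypto map ch9_example interface outside
"""

def pix_mask_to_wildcard(mask):
    """PIX ACLs take network masks; IOS ACLs take the bitwise inverse.
    Raises ValueError for a non-contiguous mask, which neither side accepts."""
    return str(ipaddress.IPv4Network(("0.0.0.0", mask)).hostmask)

def parse_pix(config):
    """Pull out just the statements the checks below cross-reference."""
    cfg = {"nat": {}, "global": {}, "isakmp_keys": {}, "acls": {},
           "transform_sets": set(), "maps": {}, "map_interfaces": {}}
    for line in config.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nat":
            cfg["nat"].setdefault(t[2], []).append((t[3], t[4]))
        elif t[0] == "global":
            cfg["global"][t[2]] = t[3]
        elif t[:2] == ["isakmp", "key"]:
            cfg["isakmp_keys"][t[4]] = t[2]          # peer address -> key
        elif t[0] == "access-list" and t[2] == "permit":
            cfg["acls"].setdefault(t[1], []).append(tuple(t[3:8]))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(t[3])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["map_interfaces"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:
            entry = cfg["maps"].setdefault((t[2], int(t[3])), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["transform"] = t[6]
    return cfg

def nat_problems(cfg):
    """'nat (inside) 1 0 0' translates anything, spoofed sources included;
    each NAT ID also needs a global pool with the same ID."""
    problems = []
    for nat_id, nets in cfg["nat"].items():
        if any(n in ("0", "0.0.0.0") and m in ("0", "0.0.0.0") for n, m in nets):
            problems.append(f"nat id {nat_id}: '0 0' translates every inside host")
        if nat_id not in cfg["global"]:
            problems.append(f"nat id {nat_id}: no global pool with the same id")
    return problems

def crypto_map_problems(cfg, map_name):
    """An empty list means every reference in the crypto map resolves."""
    problems = []
    if map_name not in cfg["map_interfaces"]:
        problems.append(f"{map_name}: not applied to an interface")
    refs = {"acl": cfg["acls"], "transform": cfg["transform_sets"],
            "peer": cfg["isakmp_keys"]}            # peer must have an isakmp key
    for (name, seq), entry in sorted(cfg["maps"].items()):
        if name != map_name:
            continue
        for field, defined in refs.items():
            if field not in entry:
                problems.append(f"{map_name} {seq}: missing {field}")
            elif entry[field] not in defined:
                problems.append(f"{map_name} {seq}: {field} {entry[field]} undefined")
    return problems

def router_mirror_acl(cfg, acl_name, ios_name):
    """IOS crypto ACL for the router end: the same entries with source and
    destination swapped and wildcard masks (ios_name is an assumed name)."""
    lines = [f"ip access-list extended {ios_name}"]
    for proto, src, smask, dst, dmask in cfg["acls"][acl_name]:
        lines.append(f" permit {proto} {dst} {pix_mask_to_wildcard(dmask)} "
                     f"{src} {pix_mask_to_wildcard(smask)}")
    return lines
```

Call parse_pix on the configuration text, then nat_problems and crypto_map_problems; an empty list from each means the NAT ID and every crypto map reference line up. For the text's configuration both lists are empty, and router_mirror_acl on the ch9 list returns an entry with 172.18.24.0 0.0.0.255 as the source and 172.20.32.0 0.0.0.255 as the destination, which is exactly what the router's crypto ACL must contain for the two ends to agree on the protected traffic. Swapping the nat line for nat (inside) 1 0 0, or dropping the set peer line, produces the corresponding complaint.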

If you will terminate a number of tunnels on a PIX, you might want to consider using the VPN Accelerator Card, which offloads the VPN functions from the main system. This card has been supported since PIX release 5.3(1) (with a DES or 3DES license). If your software is older than that, consider upgrading it to use the new hardware.

Configuring the PIX to be the other end of the example is a little more tedious than it was on the router. Setting up VPNs using the VPN concentrator and VPN client is rather different.



CCSP CSI Exam Cram 2 (Exam 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Author: Annlee Hines