The Six Basic Commands

The PIX firewall's basic setup is based on six primary commands. The commands shown in the following list provide the most basic configuration settings to allow traffic to flow through the firewall. This section covers each command in detail.

Here's a preview of the commands:

nameif
interface
ip address
nat
global
route


Naming Interfaces

Before we begin discussing these commands, a brief explanation is necessary to understand how interfaces are handled by the PIX. A name association needs to be designated for each hardware interface; it is this associated name, rather than the hardware ID, that is used in most of the configuration commands. For example, the interface e1 is by default named inside. The name inside is used throughout the PIX command structure as a pointer to the real hardware ID of interface e1.

Network Address Translation

Network address translation (NAT) is the process of translating multiple internal addresses to multiple global addresses. Every packet leaving the NAT translator uses the next available global address, and a translation table entry is made to record the link between the internal address and the outgoing global address. As packets flow back, the translated global address is reverted to the original internal address. This is known as dynamic mapping, and the global addresses are only temporarily used. Table 4.4 displays the subnet of, which all share a global address pool of

Table 4.4. NAT Mapping Table

NAT Internal Addresses

Global Address Pool

Table 4.5 shows a temporary mapping of the internal address of to. If the internal host closes or loses the session, or the connection times out, is released so another internal address can use it.

Table 4.5. Internal-to-Global Address Mapping

Internal Addresses

Globally Mapped Addresses (temporary)

For example, as Jack's computer talks to the Internet, his IP address of is translated by the PIX using NAT to an address of and subsequently passes the interface connected to the Internet. If another user, such as Timmy with an IP address of, is going through the PIX to the Internet, Timmy's IP address is translated to the next available global IP address, which is. This process continues to allocate the next available global IP address until none are left. At this point, a process of NAT overloading, also known as PAT, takes over. Figure 4.1 displays Jack's computer being translated to as it travels through the PIX firewall.

Figure 4.1. A NAT diagram.


Port Address Translation

Port address translation (PAT) is also called NAT overloading and is the process of translating multiple internal addresses to a single global address. Every packet leaving the PAT translator uses the same global address with a modified source port number. For example, as Jack's packet travels through the PIX, both his IP address and port number are changed. An address of port 1237 is modified to an address of and the next available port, such as port 5001. When Timmy requests information from the Internet, his address of port 2403 is modified to the same address, but the port number is the next available port, such as 5002. When a request comes back from the Internet with port 5001, this is looked up in the translation table, which shows that the packet should be changed back to port 1237, and the packet is delivered to Jack.

Table 4.6. PAT Address Table

NAT Internal Address

Global Address Pool

Table 4.7. PAT IP Address and Port Mapping Table

Internal Addresses -> Globally Mapped Addresses

port 1237 -> port 5001 (temporary)

port 1937 -> port 5002 (temporary)
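As an added example (not code from the book), the following Python model reproduces the translation behaviour described above and in Tables 4.4 through 4.7: internal hosts take the next free address from a dynamic NAT pool, the pool address is released when the session ends, and once the pool is empty PAT overloads a single address with distinct source ports. All addresses and ports in it are constructed sample values.

```python
# Added example (not from the book): a minimal model of the PIX translation
# behaviour described above. Internal hosts take the next free address from a
# dynamic NAT pool (Tables 4.4 and 4.5); once the pool is exhausted, PAT
# (NAT overloading) maps further hosts onto one address with distinct ports
# (Tables 4.6 and 4.7). All addresses and ports below are constructed samples.
from typing import Dict, List, Optional, Tuple


class Translator:
    def __init__(self, pool: List[str], pat_address: str, first_pat_port: int = 5001):
        self.free = list(pool)                      # unused global pool addresses
        self.nat: Dict[str, str] = {}               # internal ip -> global ip
        self.pat_address = pat_address              # single address PAT overloads
        self.next_port = first_pat_port             # next available global port
        self.pat: Dict[int, Tuple[str, int]] = {}   # global port -> (internal ip, port)

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate an outgoing packet; returns the (global ip, global port) used."""
        if src_ip in self.nat:                      # existing mapping is reused
            return self.nat[src_ip], src_port
        if self.free:                               # next available global address
            self.nat[src_ip] = self.free.pop(0)
            return self.nat[src_ip], src_port
        gport = self.next_port                      # pool empty: PAT takes over
        self.next_port += 1
        self.pat[gport] = (src_ip, src_port)
        return self.pat_address, gport

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Reverse a returning packet via the translation table; None if no entry."""
        if dst_ip == self.pat_address and dst_port in self.pat:
            return self.pat[dst_port]
        for internal, global_ip in self.nat.items():
            if global_ip == dst_ip:
                return internal, dst_port
        return None                                 # no xlate entry: packet is dropped

    def release(self, src_ip: str) -> None:
        """Session closed or timed out: the global address returns to the pool."""
        if src_ip in self.nat:
            self.free.append(self.nat.pop(src_ip))
```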

Steps to Setting Up the PIX with the Six Basic Commands

  1. nameif: Assign a name to a hardware ID interface and set the security level.

  2. interface: Set the interface speed and enable the interface.

  3. ip address: Assign an IP address to a named interface.

  4. nat: Create a NAT ID that defines which local IP addresses will be translated on a specific named interface.

  5. global: Create a global list of addresses to be used by the NAT ID in step 4.

  6. route: Create any necessary static routes or default routes.

The nameif Command

The nameif command creates a name that is associated with a hardware interface and that is used throughout several other commands. Some examples of good names to use are inside, outside, and DMZ. The syntax of the nameif command is as follows:

nameif <hardware_id> <if_name> <security_lvl>

Table 4.8. nameif Options

hardware_id: The hardware ID is the name of the physical hardware, such as e0 or Ethernet0.

if_name: This is the name you want to call the interface.

security_lvl: The security level setting is between 0 and 100. 0 is reserved for the outside interface, and 100 is used for the most secure inside interface.

The following example shows that hardware interface Ethernet 1 is being set to inside :

pixfirewall(config)# nameif e1 inside security100
pixfirewall(config)#

The interface Command

The interface command sets the hardware speed and enables or disables an interface. Here's the syntax of the interface command:

interface <hardware_id> [<hw_speed> [<shutdown>]]

Table 4.9. interface Options

hardware_id: The hardware ID is the name of the physical hardware, such as e0 or Ethernet0.

hw_speed: This determines the connection speed used by this interface. The options are as follows:

  Auto: Autodetects the network speed

  10BASE-T: 10Mbps Ethernet half-duplex

  10full: 10Mbps Ethernet full-duplex

  100BASE-TX: 100Mbps Ethernet half-duplex

  100full: 100Mbps Ethernet full-duplex

shutdown: Defines whether the interface is administratively shut down.

The first command in the example enables the interface with 10BASE-T, and the second command disables the interface:

pixfirewall(config)# interface e1 10baseT
pixfirewall(config)# interface e1 10baseT shutdown

The ip address Command

The ip address command defines the layer 3 IP address on the interface and uses the name of the interface, as opposed to the hardware address. Its syntax is shown here:

ip address <if_name> <ip_address> [<mask>]

Table 4.10. ip address Options

if_name: This is the name given to the hardware ID using the nameif command.

ip_address: This is the IP address you want to assign to the interface.

mask: This is the network mask.

In the following example, the inside interface ( e1 ) is being set to an IP address of and a subnet mask of

 pixfirewall(config)# ip address inside 

The nat and global Commands

The nat and global commands work together to determine which addresses need translating and to what those addresses will be translated. NAT defines which addresses need to be translated. The ID field in the nat command corresponds to a global command that contains a pool of addresses used for translation. The nat command's syntax is shown here:

nat [(<if_name>)] <nat_id> <local_ip> [<mask> [dns] [outside] [<max_conns> [<emb_limit> [<norandomseq>]]]]

Table 4.11. The nat Command's Options

if_name: This is the name of the internal interface to which this command is linked.

nat_id: This is the ID number that groups the nat command with the global command.

local_ip: This defines which IP addresses are within this nat_id group.

mask: This defines the local_ip network mask.

dns: This specifies that DNS replies that match xlate table entries are translated.

outside: This specifies that the nat command applies to the outside interface.

max_conns: This defines the maximum number of TCP connections allowed.

emb_limit: This specifies the embryonic limit. The default is , which is unlimited embryonic connections.

norandomseq: This states not to randomize the normal TCP packet sequence numbering.

The global command is used to allocate the address to which the internal address will be assigned. The syntax shown here details the global command:

global [(<ext_if_name>)] <nat_id> {<global_ip>[-<global_ip>] [netmask <global_mask>]} | interface

Table 4.12. The global Command's Options

ext_if_name: Defines the external interface on which these global addresses will be used.

nat_id: The ID number that links the nat command with the global address pool command.

global_ip: Assigns a single address or a pool of addresses to which the nat command will translate its internal addresses.

interface: If you use this option, the interface is set up to use PAT (NAT overloading) on the same IP address assigned to the interface.

In Listing 4.6, the address on the inside interface is translated to an IP address of on the outside interface. These two commands are linked by the nat_id of 12.

Listing 4.6 The nat and global Commands for a Single Host
pixfirewall(config)# nat (inside) 12
pixfirewall(config)# global (outside) 12

In Listing 4.7, the network of on the inside interface is translated to a global pool of addresses on the outside interface. These two commands are linked by the nat_id of 5.

Listing 4.7 The nat and global Commands for a Subnet
pixfirewall(config)# nat (inside) 5
pixfirewall(config)# global (outside) 5

In Listing 4.8, all the addresses on the inside interface are translated to the global address that is defined as the outside interface IP address. This many-to-one solution uses PAT.

Listing 4.8 nat and global Commands
pixfirewall(config)# nat (inside) 1
pixfirewall(config)# global (outside) 1 interface

In Listing 4.9, three networks on different interfaces are all part of the nat_id 3 group. The global command linked to nat_id 3 defines an address range of to be used.

Listing 4.9 The nat and global Commands for Multiple Interfaces
pixfirewall(config)# nat (inside) 3
pixfirewall(config)# nat (dmz) 3
pixfirewall(config)# nat (dmz2) 3
pixfirewall(config)# global (outside) 3       netmask 

You can use the show nat and show global commands to display the list of NAT and global entries made, and you can use the no nat and no global commands to disable the entries made.
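Because a nat entry only translates when a global entry with the same nat_id exists on the other interface, a configuration review should check that linkage rather than trust show nat and show global by eye. The following Python check is an added example, not code from the book or from Cisco; it parses a constructed PIX-style snippet and reports nat_ids without a global pool, global pools no nat command uses, interface names never declared with nameif, and security levels outside the rules the nameif section gives.

```python
# Added example (not from the book): a sanity check over a PIX 6.x style config
# that verifies the nat/global linkage the text describes plus the nameif
# rules above. The configuration below is a constructed sample, not a real one.
import re
from typing import Dict, List

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
NAT = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\b")
GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\b")


def check_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means all linkage checks pass."""
    levels: Dict[str, int] = {}          # if_name -> security level from nameif
    nat_ids, global_ids = set(), set()
    used: List[str] = []                 # interface names referenced by nat/global
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := NAT.match(line):
            used.append(m.group(1))
            nat_ids.add(m.group(2))
        elif m := GLOBAL.match(line):
            used.append(m.group(1))
            global_ids.add(m.group(2))
    findings = []
    for name, lvl in levels.items():
        if not 0 <= lvl <= 100:
            findings.append(f"{name}: security level {lvl} is outside 0-100")
        elif name == "outside" and lvl != 0:
            findings.append(f"outside must be security0, found security{lvl}")
    for name in used:
        if name not in levels:
            findings.append(f"interface '{name}' used but never declared with nameif")
    for nid in sorted(nat_ids - global_ids - {"0"}):   # nat 0 means no translation
        findings.append(f"nat_id {nid} has no matching global pool")
    for gid in sorted(global_ids - nat_ids):
        findings.append(f"global nat_id {gid} is not used by any nat command")
    return findings


SAMPLE = """\
nameif e0 outside security0
nameif e1 inside security100
nat (inside) 12 10.1.1.5 255.255.255.255
global (outside) 12 203.0.113.12
nat (dmz) 5 192.168.5.0 255.255.255.0
global (outside) 7 203.0.113.20-203.0.113.30 netmask 255.255.255.0
"""
```

Running check_config(SAMPLE) reports the dmz interface that was never named, nat_id 5 with no pool, and pool 7 that nothing translates into.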

The route Command

The route command is used to add a static or default route to an interface. This syntax shows the command:

route <if_name> <foreign_ip> <mask> <gateway> [<metric>]

Table 4.13. route Command Options

if_name: This is the internal or external interface name the traffic will use to exit from the PIX.

foreign_ip and mask: The foreign IP is the destination network address. To define a default route, you can use as the address and as the mask.

gateway: This is the gateway, which is also known as the next hop router.

metric: This is the metric value used to define the number of hops away the destination network is.

In this example, a default route has been created that will forward traffic to a router at with a metric of 1:

 pixfirewall(config)# route outside 1 

CCSP CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218