
Cisco Secure PIX Firewall Administration (CSPFA)
Lab Manual
Developed by: Shaik Mohammad Rafi
Contact: rafi.shaik4@gmail.com

PIX / FIREWALL LAB MANUAL
Page 1
BY SHAIK MOHAMMD RAFI

LABS OUTLINE
1. Basic PIX Firewall Commands
2. Static NAT
3. Dynamic NAT
4. PAT
5. PAT with Outside Interface Address
6. Port Redirection
7. NAT 0
8. DHCP Server and DHCP Client
9. Syslog Server
10. Outbound, ACL and ICMP ACL
11. Secure Shell
12. Filter Java, ActiveX, URL
13. Fixup HTTP, FTP, H.323
14. TCP Intercept: Maximum Connections and Embryonic Connections
15. Intrusion Detection System
16. AAA Server
17. Virtual HTTP and Telnet
18. IPSec Implementation
19. Certificate Authority Server
20. Password Recovery
21. PIX Software Image and PDM Upgrade
22. Object Grouping
23. Object Grouping on PIX Device Manager


BASIC PIX FIREWALL COMMANDS

ESPpix> enable
Password:
ESPpix# config ter
ESPpix(config)# enable password esp
ESPpix(config)# exit
ESPpix# exit
Logoff
ESPpix> ena
Password: ****
ESPpix# show enable password
enable password 0YvvkDz2sdCxrJJB encrypted
Note: the enable password cannot be removed from the CLI. If it is lost, the only way back in is the
password-recovery image loaded from a TFTP server in monitor mode (see PASSWORD RECOVERY).
The Telnet password can be set and cleared from both privileged and configuration mode.

Telnet access to the PIX is only allowed from the inside interface (E1): on PIX 6.x a Telnet session to the
outside interface is accepted only inside an IPsec tunnel, because Telnet carries the password in cleartext.

ESPpix# config t
ESPpix(config)# passwd pix
ESPpix(config)# sh passwd
passwd H8FagjK1gVCNRzBO encrypted
ESPpix(config)# clear passwd
ESPpix(config)# sh passwd
passwd 2KFQnbNIdI.2KYOU encrypted
(clear passwd restores the default Telnet password, cisco; change it before allowing Telnet)
ESPpix(config)# telnet 10.0.0.1 255.255.255.255 inside
Note: telnet ip_address [netmask] [if_name] specifies which hosts may reach the PIX console via Telnet;
with no telnet statement nobody can connect.
ESPpix(config)# kill [telnet-id]
Note: terminates a Telnet session (the id is taken from the output of who).
ESPpix(config)# who
Note: lists the IP addresses currently logged in to the PIX via Telnet.

ESPpix# conf t
ESPpix(config)# interface e1 shutdown
ESPpix(config)# sh int e1
interface ethernet1 "inside" is administratively down, line protocol is down
Hardware is i82559 ethernet, address is 0008.a34d.7499 (cable is attached)
IP address 10.1.3.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit full duplex
ESPpix(config)# interface e1 10full
(interface hw_id speed sets speed/duplex and clears the shutdown; PIX 6.x has no "no shutdown")
ESPpix(config)# sh int e1
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a34d.7499
IP address 10.1.3.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit full duplex
0 packets input, 0 bytes, 0 no buffer
ESPpix(config)# interface e0 shutdown
ESPpix(config)# sh int e0
interface ethernet0 "outside" is administratively down, line protocol is down
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 172.23.103.1, subnet mask 255.255.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex
ESPpix(config)# interface e0 10baset
ESPpix(config)# sh int e0
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 172.23.103.1, subnet mask 255.255.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex
ESPpix(config)# ip address inside 10.0.0.1 255.0.0.0
ESPpix(config)# sh int e1
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a34d.7499
IP address 10.0.0.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit full duplex
ESPpix(config)# ip address outside 20.0.0.1 255.0.0.0
ESPpix(config)# sh int e0
interface ethernet0 "outside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 20.0.0.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex
(line protocol down: no cable is attached to E0 at this point)


ESPpix# sh ip address
System IP Addresses:
ip address outside 20.0.0.1 255.0.0.0
ip address inside 10.0.0.1 255.0.0.0
Current IP Addresses:
ip address outside 20.0.0.1 255.0.0.0
ip address inside 10.0.0.1 255.0.0.0
ESPpix# sh route
outside 0.0.0.0 0.0.0.0 172.23.103.2 1 OTHER static
inside 10.0.0.0 255.0.0.0 10.0.0.1 1 CONNECT static
inside 10.1.3.0 255.255.255.0 10.1.3.1 1 OTHER static
outside 20.0.0.0 255.0.0.0 20.0.0.1 1 CONNECT static
ESPpix#
ESPpix# conf t
ESPpix(config)# hostname ESPpix
ESPpix(config)# exit
ESPpix# sh nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
(security levels: traffic may flow from a higher to a lower level once a translation exists; the reverse
direction needs a static or global plus a conduit or access-list)
ESPpix# conf t
ESPpix(config)# nameif e0 remote 0
ESPpix(config)# nameif e1 local 100
Error!
security 100 is reserved for the "inside" interface
Type help or '?' for a list of available commands.
ESPpix(config)# nameif e1 local 99
ESPpix(config)# exit
ESPpix# sh nameif
nameif ethernet0 remote security0
nameif ethernet1 local security99
ESPpix# sh int e0
interface ethernet0 "remote" is up, line protocol is down
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 20.0.0.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex


ESPpix# sh int e1
interface ethernet1 "local" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a34d.7499
IP address 10.0.0.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit full duplex

ESPpix # conf t
ESPpix(config)# no nameif
ESPpix(config)# exit
ESPpix# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ESPpix# conf t
ESPpix(config)# clock set 14:15:05 aug 14 2002
ESPpix(config)# exit
ESPpix # sh clock
14:15:13 Aug 14 2002
ESPpix# ping 10.0.0.1
10.0.0.1 response received -- 0ms
10.0.0.1 response received -- 0ms
10.0.0.1 response received -- 0ms
ESPpix# ping 10.0.0.10
10.0.0.10 NO response received -- 1000ms
10.0.0.10 NO response received -- 1000ms
10.0.0.10 NO response received -- 1000ms
ESPpix# show running-config
OR
ESPpix# write terminal
(either one displays the running configuration, like show running-config in router IOS)


ESPpix# write terminal


Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0YvvkDz2sdCxrJJB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ESPpix
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 20.0.0.1 255.0.0.0
ip address inside 10.0.0.1 255.0.0.0
ip audit info action alarm
[OK]
ESPpix# show configuration
No Configuration
(show configuration displays the configuration saved in flash, like show startup-config in router IOS;
nothing has been saved yet)
ESPpix# write memory
(copies the running configuration to flash, like copy running-config startup-config in router IOS)
Building configuration...
Cryptochecksum: 8b14435d fdfe0df4 7427e2a0 d180be47
[OK]


ESPpix(config)# sh config
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0YvvkDz2sdCxrJJB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ESPpix
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 20.0.0.1 255.0.0.0
ip address inside 10.0.0.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 172.23.103.3
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.23.103.3 10.1.3.103 netmask 255.255.255.255 0 0
conduit permit icmp any any
!
terminal width 80
Cryptochecksum:8b14435dfdfe0df47427e2a0d180be47
To reset the interfaces to their defaults (addresses back to 127.0.0.1):
ESPpix(config)# clear config primary
ESPpix(config)# sh int e1
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a34d.7499
IP address 127.0.0.1, subnet mask 255.255.255.255
MTU 1500 bytes, BW 10000 Kbit full duplex
ESPpix(config)# sh int e0
interface ethernet0 "outside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 127.0.0.1, subnet mask 255.255.255.255
MTU 1500 bytes, BW 10000 Kbit half duplex


ESPpix(config)# reload
Proceed with reload? [confirm]
Rebooting....
CISCO SYSTEMS PIX-501
Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
Compiled by morlee
16 MB RAM
PCI Device Table.
Bus Dev Func VendID DevID Class        Irq
00  00  00   1022   3000  Host Bridge
00  11  00   8086   1209  Ethernet     9
00  12  00   8086   1209  Ethernet     10

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 2466304 bytes of image from flash.
16MB RAM
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000
mcwa i82559 Ethernet at irq 9 MAC: 0008.a34d.7497
mcwa i82559 Ethernet at irq 10 MAC: 0008.a34d.7499
[Cisco Systems / Private Internet eXchange banner]
Cisco PIX Firewall Version 6.1(1)
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled

Websense: Enabled
Inside Hosts: 10
Throughput: Limited
ISAKMP peers: 5

Global 172.23.103.3 will be Port Address Translated

Cryptochecksum(changed): 0d9f0939 c71dd298 c4f8f08b 9992ed30
Cannot select private key
Type help or '?' for a list of available commands.
ESPpix# write erase
(erases the startup configuration in flash)
Erase PIX configuration in flash memory? [confirm]
ESPpix#
ESPpix# write net [[server_ip]:[filename]]   (save the configuration to a TFTP server)
ESPpix# write floppy                          (save the configuration to diskette, on models with a drive)
ESPpix# write standby                         (copy the configuration to the failover standby unit)

ESPpix# show history
ESPpix# show memory
ESPpix# show version
ESPpix# show xlate
ESPpix# show cpu usage
ESPpix(config)# name 172.16.2.1 Bastionhome
(assigns a name to an IP address; requires the names command to be enabled)
ESPpix(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
(specifies the default route; the same command with a network and mask adds a static route)


NAT ON PIX FIREWALL
Static NAT

Topology: inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server) on E1 (inside, 10.0.0.10); remote WWW
server 20.0.0.4 on E0 (outside, 20.0.0.10).

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin)
PIX Firewall Configuration:
ESPpix(config)# static (inside,outside) 20.0.0.51 10.0.0.1
ESPpix(config)# static (inside,outside) 20.0.0.52 10.0.0.2
ESPpix(config)# conduit permit icmp host 20.0.0.51 host 20.0.0.4
ESPpix(config)# conduit permit icmp host 20.0.0.52 host 20.0.0.4
Note: a static creates a permanent one-to-one translation (global 20.0.0.51 for local 10.0.0.1) that works
in both directions. PIX 6.2 does not track ICMP statefully, so the echo replies coming back from 20.0.0.4
are inbound (lower to higher security) traffic and need the conduit; TCP and UDP replies are matched to
their connection and need nothing extra. conduit is the legacy form; an access-list applied to the
outside interface does the same job in 6.2 and is the preferred one.
At Machine 10.0.0.1:
Open a command prompt and run ping 20.0.0.4, or browse to http://20.0.0.4.
Repeat the same procedure on machine 10.0.0.2 and verify the result.
Verification Commands:
ESPpix(config)# show static
ESPpix(config)# show xlate
ESPpix(config)# show conduit


NAT ON PIX FIREWALL
Dynamic NAT

Topology: same as the Static NAT lab (inside hosts 10.0.0.1 and 10.0.0.2 on E1, 10.0.0.10; remote WWW
server 20.0.0.4 on E0, 20.0.0.10).

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin)
PIX Firewall Configuration:
ESPpix(config)# nat (inside) 1 0 0
ESPpix(config)# global (outside) 1 20.0.0.51-20.0.0.60
ESPpix(config)# conduit permit icmp any any
Note: nat (inside) 1 0 0 marks every inside address for translation under nat id 1, and the global pool
hands each inside host its own address from 20.0.0.51-20.0.0.60 on its first outbound packet. The pool
holds ten addresses, so an eleventh host gets no translation (and no connectivity) until an existing
entry ages out (timeout xlate); add a single PAT address under the same id as a fallback (next lab).
conduit permit icmp any any is wide open: acceptable in a lab, not in production.
At Machine 10.0.0.1:
Open a command prompt and run ping 20.0.0.4, or browse to http://20.0.0.4.
Repeat the same procedure on machine 10.0.0.2 and verify the result.
Verification Commands:
ESPpix(config)# show global
ESPpix(config)# show nat
ESPpix(config)# show xlate
ESPpix(config)# show conduit


NAT ON PIX FIREWALL
Port Address Translation

Topology: same as the Static NAT lab (inside hosts 10.0.0.1 and 10.0.0.2 on E1, 10.0.0.10; remote WWW
server 20.0.0.4 on E0, 20.0.0.10).

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin)
PIX Firewall Configuration:
ESPpix(config)# nat (inside) 1 0 0
ESPpix(config)# global (outside) 1 20.0.0.50
ESPpix(config)# conduit permit icmp any any
Note: a global with a single address is a PAT address: all inside hosts share 20.0.0.50 and are told apart
by the translated source port (show xlate lists them as PAT Global 20.0.0.50(port) Local host(port)).
TCP, UDP and ICMP echo (the ICMP identifier plays the role of the port) are translated this way. A port is
only reserved for connections built from the inside, so an outside host cannot reach an inside host
through a PAT address unless a static or port redirection points at it.
At Machine 10.0.0.1:
Open a command prompt and run ping 20.0.0.4, or browse to http://20.0.0.4.
Repeat the same procedure on machine 10.0.0.2 and verify the result.
Verification Commands:
ESPpix(config)# show global
ESPpix(config)# show nat
ESPpix(config)# show xlate
ESPpix(config)# show conduit


NAT ON PIX FIREWALL
PAT WITH OUTSIDE INTERFACE ADDRESS

Topology: same as the Static NAT lab (inside hosts 10.0.0.1 and 10.0.0.2 on E1, 10.0.0.10; remote WWW
server 20.0.0.4 on E0, 20.0.0.10).

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin)
PIX Firewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# interface e1 10full
ESPpix(config)# interface e0 10full
ESPpix(config)# nat (inside) 1 10.0.0.0 255.0.0.0
ESPpix(config)# global (outside) 1 interface
ESPpix(config)# conduit permit icmp any any
Note: the keyword interface (without an interface name) tells the PIX to PAT on the outside interface's
own address, 20.0.0.10. This is the usual choice when the ISP hands out a single address, and it keeps
working when that address is obtained by DHCP (see the DHCP client lab).
At Machine 10.0.0.1:
Open a command prompt and run ping 20.0.0.4, or browse to http://20.0.0.4.
Repeat the same procedure on machine 10.0.0.2 and verify the result.
Verification Commands:
ESPpix# debug icmp trace
ESPpix# show global
ESPpix# show nat
ESPpix# show xlate
ESPpix# show conduit


PORT REDIRECTION

Topology: temporary WWW server 10.0.0.1 (port 80) and host 10.0.0.2 on E1 (inside, 10.0.0.10); outside
client 20.0.0.4 on E0 (outside, 20.0.0.10); 20.0.0.60 is the translated (global) address, port 8080.

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin)
PIX Firewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# interface e1 10full
ESPpix(config)# interface e0 10full
ESPpix(config)# static (inside,outside) tcp 20.0.0.60 8080 10.0.0.1 80
Note: this port-level static maps only TCP 20.0.0.60:8080 to 10.0.0.1:80; other ports of 20.0.0.60 stay
untranslated, so one global address can be redirected to several inside servers by port. The static
only creates the translation: the connection from 20.0.0.4 still goes from a lower to a higher security
interface and also needs a permit for TCP port 8080 to 20.0.0.60 (a conduit, or in 6.2 an access-list
applied to the outside interface); without it the browser just hangs.
At Machine 20.0.0.4:
Open Internet Explorer and browse to http://20.0.0.60:8080 (the port in the URL is the global port); the
PIX redirects the connection to the temporary web server on 10.0.0.1 port 80.
Verification Commands:
ESPpix(config)# show static
ESPpix(config)# show xlate


NAT ON PIX FIREWALL
NAT 0

Topology: same as the Static NAT lab (inside hosts 10.0.0.1 and 10.0.0.2 on E1, 10.0.0.10; remote WWW
server 20.0.0.4 on E0, 20.0.0.10).

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin)
PIX Firewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# interface e1 10full
ESPpix(config)# interface e0 10full
ESPpix(config)# nat (inside) 0 10.0.0.1 255.0.0.0
ESPpix(config)# conduit permit icmp any any
Note: nat id 0 means "do not translate": matching inside addresses appear unchanged on the outside (show
xlate shows identity entries once traffic flows). Because the 255.0.0.0 mask is applied, this statement
covers all of 10.0.0.0/8, not only 10.0.0.1. The outside network must then route 10.0.0.0/8 back to the
PIX's outside address or the replies never return; nat 0 is the usual way to exempt hosts reached over
a VPN from translation.
At Machine 10.0.0.1:
Open a command prompt and run ping 20.0.0.4, or browse to http://20.0.0.4.
Repeat the same procedure on machine 10.0.0.2 and verify the result.

Verification Commands:
ESPpix# debug icmp trace
ESPpix# show nat
ESPpix# show global
ESPpix# show xlate
ESPpix# show conduit
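The six NAT labs above (static, dynamic NAT, PAT, PAT on the interface address, port redirection and nat 0) all hinge on one lookup order for outbound packets and one rule for inbound ones. The Python model below is an added example written for this edit, not code from the manual or from Cisco: the Pix class and its method names are assumptions, the addresses are the lab's, and the PAT port allocation (one port per connection, handed out from 1024 upward) is a simplification. It shows why a packet from an inside host with no matching nat or static is dropped, why a dynamic pool runs out and falls back to PAT, and why an inbound connection needs both a translation and a permit.

```python
import ipaddress


def in_net(ip, net, mask):
    """True if ip lies inside net/mask (PIX nat/static take subnet masks, not wildcards)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


class Pix:
    """Toy model of PIX 6.x translation (xlate) and inbound-permit behaviour. Assumed names, not Cisco code."""

    def __init__(self):
        self.nat0, self.nat_rules, self.globals, self.statics = [], [], [], []
        self.conduits = []        # (proto, global_ip, global_port or None) = conduit / access-list permits
        self.xlate = []           # (local_ip, local_port, global_ip, global_port, kind), as in `show xlate`
        self.next_pat_port = {}   # PAT address -> next port to hand out (assumption: 1024 upward)

    # ---- configuration commands, arguments in PIX CLI order ----
    def nat(self, ifname, nat_id, net, mask):
        (self.nat0 if nat_id == 0 else self.nat_rules).append((ifname, nat_id, net, mask))

    def global_(self, ifname, nat_id, first, last=None):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last or first))
        addrs = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.globals.append((ifname, nat_id, addrs, last is None))   # a single address is a PAT address

    def static(self, pair, gip, lip, proto=None, gport=None, lport=None):
        self.statics.append((gip, gport, lip, lport, proto))
        self._add(lip, lport, gip, gport, "static")                  # statics are in show xlate at once

    def conduit(self, proto, gip, gport=None):
        self.conduits.append((proto, gip, gport))

    def _add(self, lip, lport, gip, gport, kind):
        entry = (lip, lport, gip, gport, kind)
        if entry not in self.xlate:
            self.xlate.append(entry)

    # ---- packet from inside (security 100) to outside (security 0) ----
    def outbound(self, lip, lport, proto="tcp"):
        """Return the (global_ip, global_port) the packet leaves with, creating an xlate when needed."""
        if any(in_net(lip, net, mask) for _, _, net, mask in self.nat0):
            self._add(lip, None, lip, None, "identity")
            return lip, lport                                        # nat 0: address unchanged
        # port-level statics (port redirection) are checked before address-level ones
        for gip, gport, sip, sport, sproto in sorted(self.statics, key=lambda s: s[1] is None):
            if sip == lip and (sport is None or (sproto == proto and sport == lport)):
                return gip, (gport if sport is not None else lport)
        for _, nat_id, net, mask in self.nat_rules:
            if not in_net(lip, net, mask):
                continue
            pools = [g for g in self.globals if g[1] == nat_id]
            for _, _, addrs, is_pat in pools:                        # dynamic NAT pool(s) first
                if is_pat:
                    continue
                for x in self.xlate:                                 # this host already holds a pool address
                    if x[0] == lip and x[2] in addrs:
                        return x[2], lport
                free = [a for a in addrs if a not in {x[2] for x in self.xlate}]
                if free:
                    self._add(lip, None, free[0], None, "dynamic")
                    return free[0], lport
            for _, _, addrs, is_pat in pools:                        # pool exhausted: fall back to PAT
                if is_pat:
                    port = self.next_pat_port.get(addrs[0], 1024)
                    self.next_pat_port[addrs[0]] = port + 1
                    self._add(lip, lport, addrs[0], port, "PAT")
                    return addrs[0], port
            raise RuntimeError(f"nat id {nat_id}: global pool exhausted and no PAT address configured")
        raise RuntimeError(f"{lip}: no nat or static matches, the PIX drops the packet (no xlate)")

    # ---- packet from outside (security 0) to inside (security 100) ----
    def inbound(self, proto, gip, gport):
        """Lower-to-higher traffic needs BOTH an xlate for the global address AND an explicit permit."""
        hit = next((x for x in self.xlate if x[2] == gip and x[3] in (None, gport)), None)
        if hit is None:
            return None, f"no xlate for {gip}: dynamic and PAT xlates only exist after outbound traffic"
        if not any(p == proto and c == gip and cp in (None, gport) for p, c, cp in self.conduits):
            return None, f"xlate exists but no conduit/access-list permits {proto} to {gip}:{gport}"
        return (hit[0], hit[1] if hit[1] is not None else gport), "ok"

    def show_xlate(self):
        """Lines in the spirit of `show xlate`."""
        def fmt(ip, port):
            return ip if port is None else f"{ip}({port})"
        return [f"{k} Global {fmt(g, gp)} Local {fmt(l, lp)}" for l, lp, g, gp, k in self.xlate]


if __name__ == "__main__":
    pix = Pix()
    pix.static("inside,outside", "20.0.0.60", "10.0.0.1", proto="tcp", gport=8080, lport=80)
    pix.nat("inside", 1, "10.0.0.0", "255.0.0.0")
    pix.global_("outside", 1, "20.0.0.50")          # PAT only, as in the PAT lab
    pix.conduit("tcp", "20.0.0.60", 8080)
    print(pix.outbound("10.0.0.2", 1030))            # ('20.0.0.50', 1024)
    print(pix.inbound("tcp", "20.0.0.60", 8080))     # (('10.0.0.1', 80), 'ok')
    print(pix.inbound("tcp", "20.0.0.50", 1024))     # (None, 'xlate exists but no conduit ...')
    print("\n".join(pix.show_xlate()))
```

The order (nat 0, then statics, then the dynamic pool, then PAT) is the one that makes the labs behave as described: a static host never consumes a pool address, the PAT address only comes into play when the pool is empty, and an inbound packet to a PAT port with no permit is refused even though an xlate for it exists.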


DYNAMIC HOST CONFIGURATION ON PIX FIREWALL

Topology: PC A and PC B on E1 (inside, 10.0.0.10) obtain addresses from the pool 10.0.0.51 to 10.0.0.60.

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin)

PIX Firewall as DHCP Server (inside interface only)

PIX Firewall Configuration:
ESPpix(config)# dhcpd address 10.0.0.51-10.0.0.60
ESPpix(config)# dhcpd dns 10.0.0.30
ESPpix(config)# dhcpd wins 10.0.0.40
ESPpix(config)# dhcpd domain esp.com
ESPpix(config)# dhcpd lease 3000
ESPpix(config)# dhcpd enable inside
Note: the lease is given in seconds (3000 s is 50 minutes). On PIX 6.2 the DHCP server can only serve the
inside interface, and the number of clients it will lease to depends on the platform and licence.
At Machine PC A:
Open a command prompt and run ipconfig /release to give up the current address, then ipconfig /renew,
then ipconfig again: it shows the address obtained from the PIX's DHCP server.
Repeat the same procedure on machine PC B and verify the results.
Verification Commands:
ESPpix# show dhcpd
ESPpix# clear dhcpd
ESPpix# debug dhcpd events
ESPpix# debug dhcpd packet
ESPpix# debug dhcpd detail
ESPpix# debug dhcpd error

PIX Firewall as DHCP Client (outside interface)

Topology: a DHCP server at 20.0.0.4 on E0 (outside) leases addresses from 20.0.0.51 to 20.0.0.60.

PIX Firewall Configuration:
ESPpix(config)# ip address outside dhcp
Note: this makes the PIX a DHCP client on its outside interface (it is not acting as a server here). Use
ip address outside dhcp setroute to also take the default route from the lease, and combine it with
global (outside) 1 interface so the PAT address follows whatever address is leased.
Verification Commands:
ESPpix# show ip address outside dhcp
ESPpix# debug dhcpc packet
ESPpix# debug dhcpc detail
ESPpix# debug dhcpc error


SYSLOG SERVER

Topology: inside hosts 10.0.0.1 (runs the syslog server) and 10.0.0.2 on E1 (inside, 10.0.0.10); remote
WWW server 20.0.0.4 on E0 (outside, 20.0.0.10).

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin)
Kiwi Syslog software on 10.0.0.1
PIX Firewall Configuration:
ESPpix(config)# logging host inside 10.0.0.1
ESPpix(config)# logging trap 7
ESPpix(config)# logging on
Note: logging host sends to UDP port 514 by default. Trap level 7 (debugging) is the most verbose level
and floods the collector; use 6 (informational) or lower in production, and add logging timestamp so
events can be correlated. Syslog is cleartext and unauthenticated, so keep the collector on the inside
network rather than on the outside.
At PIX Firewall:
Any of the following generates messages on the syslog server: enter any configuration command, type a
wrong privileged-mode (enable) password, or Telnet to the PIX from an inside machine.


Verification Commands:
ESPpix(config)# show logging


OUTBOUND ACL

Topology: inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server) on E1 (inside, 10.0.0.10); remote WWW
server 20.0.0.4 on E0 (outside, 20.0.0.10).

PIX Firewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# interface e0 10baset
ESPpix(config)# interface e1 10full
ESPpix(config)# outbound 1 permit 10.0.0.1 255.255.255.255 http
ESPpix(config)# outbound 1 deny 10.0.0.2 255.255.255.255 http
ESPpix(config)# apply (inside) 1 outgoing_src
OR
ESPpix(config)# outbound 1 permit 20.0.0.4 255.255.255.255 http
ESPpix(config)# apply (inside) 1 outgoing_dest
Note: outbound/apply lists are the pre-6.x way of filtering traffic that leaves a higher-security
interface. With outgoing_src the addresses in the list are the inside sources; with outgoing_dest they
are the destinations. The access-list/access-group commands (next lab) replace them and should be used
for new configurations.
At Machine 10.0.0.1:
Open Internet Explorer and enter 20.0.0.4 in the address bar; repeat the same procedure on machine
10.0.0.2 (10.0.0.2 should be refused).

Verification Commands:
ESPpix# show apply
ESPpix# show outbound
ESPpix# clear outbound


ACCESS CONTROL LIST

Topology: inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server) on E1 (inside, 10.0.0.10); remote host
20.0.0.4 on E0 (outside, 20.0.0.10).

PIX Firewall Configuration:
ESPpix(config)# access-list esp permit tcp host 10.0.0.1 any eq www
ESPpix(config)# access-list esp deny tcp host 10.0.0.2 any eq www
ESPpix(config)# access-group esp in interface inside
Note: once an access-group is bound to the inside interface the default "everything outbound is allowed"
behaviour is gone: the list is evaluated top down, the first match wins, and anything not matched hits
the implicit deny at the end. The deny line for 10.0.0.2 is therefore redundant, and all other traffic
from the inside (DNS, ping, FTP, and HTTP from any host other than 10.0.0.1) is now dropped as well.
Add explicit permits for what you intend to allow and check the hit counts with show access-list.
At Machine 10.0.0.1:
Open Internet Explorer and enter 20.0.0.4 in the address bar.
Repeat the same procedure on machine 10.0.0.2 and verify the result (it should fail).
Verification Commands:
ESPpix# show access-list
ESPpix# show access-group
ESPpix# clear access-list
(clear access-list removes every access-list on the PIX, not only this one)


ICMP ACCESS CONTROL LIST

Topology: inside hosts 10.0.0.1 and 10.0.0.2 on E1 (inside, 10.0.0.10); outside host 20.0.0.4 on E0
(outside, 20.0.0.10).

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin), 500-series PIX
PIX Firewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# interface e0 10baset
ESPpix(config)# interface e1 10full
ESPpix(config)# icmp deny 0 0 inside
ESPpix(config)# icmp deny 0 0 outside
Note: the icmp command only controls ICMP addressed to the PIX's own interface addresses (here: from any
source, 0 0 meaning 0.0.0.0 0.0.0.0, and every ICMP type); ICMP passing through the PIX is still
governed by conduits and access-lists. Without any icmp statement the interfaces answer every ICMP type,
so denying it on the outside interface is a cheap way to stop the PIX from answering probes from the
Internet while keeping ping working for the hosts behind it.
At Machine 10.0.0.1:
Open a command prompt and ping the inside interface: ping 10.0.0.10.
At machine 20.0.0.4 repeat the same procedure with ping 20.0.0.10. Both should now time out.
Verification Commands:
ESPpix# show icmp
ESPpix# clear icmp


SECURE SHELL

Topology: inside hosts 10.0.0.1 and 10.0.0.2 (AAA server) on E1 (inside, 10.0.0.10); outside host
20.0.0.4 on E0 (outside, 20.0.0.10).

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin), 500-series PIX
PuTTY
PIX Firewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# interface e1 10full
ESPpix(config)# interface e0 10full
ESPpix(config)# domain-name esp.com
ESPpix(config)# ca generate rsa key 1024
ESPpix(config)# ca save all
ESPpix(config)# ssh 10.0.0.1 255.255.255.255 inside
ESPpix(config)# ssh 20.0.0.4 255.255.255.255 outside
ESPpix(config)# aaa-server esp protocol tacacs+
ESPpix(config)# aaa-server esp (inside) host 10.0.0.2 cisco
ESPpix(config)# aaa authentication ssh console esp
Note: hostname and domain-name must be set before ca generate rsa key, and ca save all writes the key
pair to flash; without it the key is lost at the next reload and SSH stops working. PIX 6.x speaks SSH
version 1 only, so select it in the client. Without the aaa authentication ssh console line the login is
user pix with the Telnet password (passwd); with it, username and password are checked against the
TACACS+ server at 10.0.0.2 (cisco is the shared TACACS+ key, not a user password). Unlike Telnet, SSH
is permitted on the outside interface because the session is encrypted, but still restrict the ssh
statements to the management hosts you actually need.
Verification Commands:
ESPpix# show ssh
ESPpix# show ssh sessions
ESPpix# ssh disconnect session_id
ESPpix# show ca mypubkey rsa


At Machine 10.0.0.1:
(PuTTY screenshot not reproduced: enter 10.0.0.10 as the host name, select SSH with protocol version 1,
and log in with a username and password defined on the TACACS+ server.)
Or, for Secure Shell from the outside, enter the outside interface address 20.0.0.10 as the host name in
PuTTY on machine 20.0.0.4, the only outside host permitted by the ssh statement above.

FILTER JAVA APPLETS & ACTIVEX

Topology: inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server) on E1 (inside, 10.0.0.10); remote WWW
server 20.0.0.4 on E0 (outside, 20.0.0.10).

Requirements:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin), 500-series PIX
PIX Firewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# interface e1 10full
ESPpix(config)# interface e0 10baset
ESPpix(config)# nat (inside) 1 0 0
ESPpix(config)# global (outside) 1 20.0.0.51-20.0.0.60
Filter Java:
ESPpix(config)# filter java 80 0 0 0 0
Filter ActiveX:
ESPpix(config)# filter activex 80 0 0 0 0
Note: the arguments are port local_ip local_mask foreign_ip foreign_mask; 0 0 0 0 means any inside
client to any server. The PIX blocks Java applets (by the class-file signature and the applet tag) and
ActiveX controls (the object tag) in HTTP responses on the given port only; it cannot see into HTTPS or
into HTTP on other ports, so treat this as a convenience filter, not as a guarantee that no mobile code
reaches the clients.
At Machine 10.0.0.1:
Open Internet Explorer and enter 20.0.0.4 in the address bar (a page on the remote WWW server that
carries a Java applet or ActiveX control); the applet or control no longer loads.
Repeat the same procedure on machine 10.0.0.2 and verify the result.


FIXUP PROTOCOL
(fixup enables application inspection of a protocol on a given port: the PIX reads the protocol to open
the extra connections it needs and to apply filtering. The table lists what this lab observed for traffic
going from inside to outside.)

PROTOCOL   NO FIXUP (no fixup protocol ...)                       CHANGING THE PORT (fixup protocol ... port)
HTTP       no change, the web site still loads                     works on both port 80 and the added port
FTP        the connection to the requested FTP server cannot       works only on the added port (21 was removed)
           be established
H.323      no change, NetMeeting calls still work                  the port could not be changed in this lab

Topology: inside host 10.0.0.1 on E1 (inside, 10.0.0.10); HTTP server 20.0.0.1 and FTP server 20.0.0.2
on E0 (outside, 20.0.0.10).

HTTP FIXUP
ESPpix(config)# no fixup protocol http 80
You can still view the web site: plain HTTP from inside to outside needs no inspection; fixup http only
matters for the java, activex and url filters.
ESPpix(config)# fixup protocol http 8080
Web sites on port 80 and on port 8080 both load. Fixup ports are additive (show fixup lists them), so
after removing 80 and adding 8080 only 8080 is inspected.
FTP FIXUP
ESPpix(config)# no fixup protocol ftp 21
Now you are unable to use the FTP site: in active (PORT) mode, Internet Explorer's default, the server
opens the data connection back to the client, which is inbound traffic. The FTP fixup reads the PORT
command and opens that connection; without it the transfer is blocked. Passive-mode clients keep working.
ESPpix(config)# fixup protocol ftp 2021
Now an FTP server listening on port 2021 works again (and port 21 does not, since its fixup was removed).
H.323 FIXUP
ESPpix(config)# no fixup protocol h323 1720
NetMeeting calls still connect in this lab.


TCP INTERCEPT: MAXIMUM AND EMBRYONIC CONNECTIONS

Topology: inside FTP server 10.0.0.1 on E1 (inside, 10.0.0.10), published as 20.0.0.50; outside clients
20.0.0.1 and 20.0.0.2 on E0 (outside, 20.0.0.10).

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin)
PIX Firewall Configuration:
ESPpix(config)# static (inside,outside) 20.0.0.50 10.0.0.1 1 0
ESPpix(config)# conduit permit ip any any
Note: the two trailing numbers are max_conns and em_limit. max_conns 1 allows a single concurrent TCP
connection through this static. em_limit is the number of half-open (embryonic: SYN received, handshake
not completed) connections the PIX tolerates before it starts TCP intercept, where it answers further
SYNs on the server's behalf and only hands over connections whose handshake completes. 0 means no limit,
so the embryonic protection is off here; a non-zero em_limit is the SYN-flood defence for a published
server. conduit permit ip any any opens every port of every static to the outside and is acceptable only
for this test.
At Machine 20.0.0.1:
Open Internet Explorer, browse to ftp://20.0.0.50 and copy a folder to the local hard disk; while the
transfer runs, go to machine 20.0.0.2 and browse to ftp://20.0.0.50. After some time the second machine
reports that it cannot retrieve the page, because the static's single allowed connection is in use.
Verification Commands:
ESPpix# show static
ESPpix# show xlate
ESPpix# show conduit
ESPpix# show conn
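The two limits on the static above behave differently, and the lab only exercises one of them. The Python model below is an added example, not code from the manual or from Cisco: the StaticLimits class and its method names are assumptions, and the intercept behaviour (the PIX completes the handshake itself once the embryonic limit is reached, and only then counts the connection) is the documented idea reduced to a counter, not a packet-level reimplementation. It shows why the second FTP client in the lab is refused with max_conns 1, and what a non-zero em_limit would have done to a burst of SYNs that never complete.

```python
class StaticLimits:
    """Model of the max_conns / em_limit arguments of the PIX `static` command (assumed names, not Cisco code).
    static (inside,outside) 20.0.0.50 10.0.0.1 1 0  ->  StaticLimits(max_conns=1, em_limit=0); 0 means unlimited."""

    def __init__(self, max_conns=0, em_limit=0):
        self.max_conns, self.em_limit = max_conns, em_limit
        self.embryonic = set()      # half-open: SYN passed to the server, handshake not finished; key (client_ip, port)
        self.established = set()    # handshake completed
        self.intercepted = set()    # SYNs the PIX answered itself instead of passing them to the server

    def syn(self, client):
        """An inbound SYN from the outside for this static; returns what the PIX does with it."""
        if self.max_conns and len(self.embryonic) + len(self.established) >= self.max_conns:
            return "dropped: max_conns reached"
        if self.em_limit and len(self.embryonic) >= self.em_limit:
            # TCP intercept: the PIX sends the SYN/ACK on the server's behalf and opens the real connection
            # only when the client's ACK arrives, so a SYN flood never fills the server's backlog.
            self.intercepted.add(client)
            return "intercepted: PIX completes the handshake before the server sees it"
        self.embryonic.add(client)
        return "forwarded to server"

    def ack(self, client):
        """The client's final ACK: the connection becomes established (an intercepted one is now opened to the server)."""
        if client in self.embryonic or client in self.intercepted:
            self.embryonic.discard(client)
            self.intercepted.discard(client)
            self.established.add(client)
            return True
        return False                # ACK without a matching SYN: not part of any connection, ignored

    def close(self, client):
        self.established.discard(client)
        self.embryonic.discard(client)

    def show_conn(self):
        """Counters in the spirit of `show conn` for this static."""
        return {"established": len(self.established), "embryonic": len(self.embryonic),
                "intercepted": len(self.intercepted)}


if __name__ == "__main__":
    lab = StaticLimits(max_conns=1, em_limit=0)          # the lab's static: 1 connection, no embryonic limit
    print(lab.syn(("20.0.0.1", 1025)))                   # forwarded to server
    lab.ack(("20.0.0.1", 1025))                          # client 20.0.0.1 is transferring
    print(lab.syn(("20.0.0.2", 1025)))                   # dropped: max_conns reached
    flood = StaticLimits(max_conns=0, em_limit=2)        # a static with SYN-flood protection instead
    for port in (1, 2, 3, 4):
        print(flood.syn(("20.0.0.9", port)))             # two forwarded, then intercepted
    print(flood.show_conn())
```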


INTRUSION DETECTION SYSTEM

Topology: inside host 10.0.0.1 (syslog server) on E1 (inside, 10.0.0.10); outside hosts 20.0.0.1,
20.0.0.2 and 20.0.0.4 on E0 (outside, 20.0.0.10).

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin)
PIX Firewall Configuration:
ESPpix(config)# logging host inside 10.0.0.1
ESPpix(config)# logging trap 7
ESPpix(config)# logging on
ESPpix(config)# ip audit name outbound-info info action alarm drop reset
ESPpix(config)# ip audit interface outside outbound-info
Note: ip audit name defines a policy for one signature class (info or attack) and its actions: alarm logs
a syslog message, drop discards the packet, reset additionally sends a TCP RST. The policy name is only a
label (this one is applied to the outside interface, so it sees traffic arriving from the outside). The
info class includes the ICMP echo request signature (2004), so with drop configured no ping from the
outside gets through any more. To keep logging pings without dropping them, disable that single
signature with ip audit signature 2004 disable, or use action alarm for the info class and reserve
drop/reset for the attack class.
At Machine 20.0.0.4:
Open a command prompt and run ping 20.0.0.10 (or ping an inside host through its static); watch the
audit messages arrive on the syslog server.
Verification Commands:
ESPpix# show ip audit count
ESPpix(config)# no ip audit interface outside outbound-info
ESPpix(config)# no ip audit name outbound-info


AAA WITH PIX FIREWALL

Topology: AAA (TACACS+) server 10.0.0.1 and host 10.0.0.2 on E1 (inside, 10.0.0.10); remote WWW server
20.0.0.4 on E0 (outside, 20.0.0.10).

PIX Firewall Configuration:
ESPpix(config)# aaa-server main protocol tacacs+
ESPpix(config)# aaa-server main (inside) host 10.0.0.1 cisco
ESPpix(config)# aaa authentication include any outbound 0 0 0 0 main
ESPpix(config)# aaa authorization include any outbound 0 0 0 0 main
ESPpix(config)# aaa accounting include any outbound 0 0 0 0 main
Note: cisco is the TACACS+ shared secret and must match the key configured on the ACS server; the four
zeros are local_ip local_mask foreign_ip foreign_mask, i.e. any inside host to any destination. This is
the cut-through proxy: the PIX challenges a user's first FTP, HTTP or Telnet connection, checks the
credentials against the server and then lets the user's connections through. Other services cannot be
challenged directly; see virtual telnet and virtual http in the next lab.
For Authorization:
(ACS screenshot not reproduced: the per-user or per-group authorization rules are defined on the
TACACS+ server.)


For Accounting:
(ACS screenshot not reproduced: the accounting records appear in the TACACS+ server's reports.)

At Machine 10.0.0.1:
Open Internet Explorer and enter 20.0.0.4 in the address bar.
A new window prompts for a user name and password; enter them and verify the result.
Verification Commands:
ESPpix# show uauth
ESPpix# clear uauth
ESPpix# clear aaa-server

VIRTUAL HTTP AND TELNET

Topology: AAA (TACACS+) server 10.0.0.1 and host 10.0.0.2 on E1 (inside, 10.0.0.10); remote WWW server
20.0.0.4 on E0 (outside, 20.0.0.10).

PIX Firewall Configuration:
ESPpix(config)# aaa-server main protocol tacacs+
ESPpix(config)# aaa-server main (inside) host 10.0.0.1 cisco
ESPpix(config)# aaa authentication include any outbound 0 0 0 0 main
ESPpix(config)# aaa authentication include 1/8 outbound 0 0 0 0 main
ESPpix(config)# aaa authorization include 1/8 outbound 0 0 0 0 main
ESPpix(config)# virtual http 20.0.0.8
ESPpix(config)# virtual telnet 20.0.0.9
Note: 1/8 is protocol/port notation: IP protocol 1 (ICMP) with type 8 (echo request), so outbound pings
now require an authenticated user. The PIX can only prompt inside FTP, HTTP and Telnet sessions, so for
any other service the user first authenticates against a virtual address. 20.0.0.8 and 20.0.0.9 must be
unused addresses on the outside network that inside users reach through the PIX; the PIX answers on them
itself and records the user in uauth.


For Virtual HTTP:
Open the web browser, enter 20.0.0.8 and provide the right username and password.
Press OK; the browser then shows
Error: 501 Not Implemented
This error is expected: the virtual server exists only to collect the credentials. The user is now
authenticated for non-Telnet, non-FTP and non-HTTP services as well.
Open a command prompt and ping 20.0.0.4; now the response comes back.
For Virtual Telnet:
Open a command prompt and type telnet 20.0.0.9; you are prompted for a username and password, after
which the message Authentication Successful appears.
Now you can ping 20.0.0.4 (until the uauth timeout expires; running telnet 20.0.0.9 again logs the user
out).
Verification Commands:
ESPpix# show aaa
ESPpix# show aaa-server
ESPpix# show uauth
ESPpix# show virtual

IPSEC BETWEEN PIX FIREWALL & ROUTER

Topology: PIX outside interface E0 11.0.0.1; router ESPA interface E0 11.0.0.2; the tunnel protects the
traffic between these two addresses.

PIX Firewall Configuration:
ESPpix(config)# isakmp enable outside
ESPpix(config)# isakmp policy 2 encryption des
ESPpix(config)# isakmp policy 2 hash md5
ESPpix(config)# isakmp policy 2 authentication pre-share
ESPpix(config)# isakmp policy 2 group 2
ESPpix(config)# isakmp key cisco123 address 11.0.0.2
ESPpix(config)# access-list 101 permit ip 11.0.0.1 255.255.255.255 11.0.0.2 255.255.255.255
ESPpix(config)# crypto ipsec transform-set pix esp-des esp-md5-hmac
ESPpix(config)# crypto map pixmap 1 ipsec-isakmp
ESPpix(config)# crypto map pixmap 1 match address 101
ESPpix(config)# crypto map pixmap 1 set peer 11.0.0.2
ESPpix(config)# crypto map pixmap 1 set transform-set pix
ESPpix(config)# crypto map pixmap 1 set pfs group2
Apply Crypto Map:
ESPpix(config)# crypto map pixmap interface outside
Note: the ISAKMP (phase 1) policy, the pre-shared key, the transform set, the PFS group and the crypto
access-list must agree with the router, and the two crypto access-lists must be mirror images (PIX
11.0.0.1 to 11.0.0.2, router 11.0.0.2 to 11.0.0.1); a mismatch shows up as a phase 1 or phase 2 failure in
debug crypto isakmp. PIX access-lists use subnet masks (11.0.0.1 255.255.255.255 is the same as host
11.0.0.1), IOS access-lists use wildcard masks. DES and MD5 are obsolete: this PIX is licensed for 3DES
(see the boot banner), so use esp-3des esp-sha-hmac with hash sha in production, and a long random
pre-shared key instead of cisco123. Add sysopt connection permit-ipsec if traffic arriving through the
tunnel should bypass the conduit and access-list checks.
ESPA Configuration:
ESPA(config)# access-list 101 permit ip host 11.0.0.2 host 11.0.0.1
ESPA(config)# crypto isakmp policy 1
ESPA(config-isakmp)# authentication pre-share
ESPA(config-isakmp)# encryption des
ESPA(config-isakmp)# group 2
ESPA(config-isakmp)# hash md5
ESPA(config-isakmp)# exit
Key:
ESPA(config)# crypto isakmp key cisco123 address 11.0.0.1


IPSec:
ESPA(config)# crypto ipsec transform-set ESPAset esp-des esp-md5-hmac
ESPA(cfg-crypto-trans)# exit
ESPA(config)# crypto map ESPAmap 1 ipsec-isakmp
ESPA(config-crypto-map)# match address 101
ESPA(config-crypto-map)# set peer 11.0.0.1
ESPA(config-crypto-map)# set transform-set ESPAset
ESPA(config-crypto-map)# set pfs group2
ESPA(config-crypto-map)# ^Z
ESPA#
Apply Crypto Map:
ESPA(config)# int e0
ESPA(config-if)# crypto map ESPAmap
Verification Commands:
ESPA# show crypto isakmp policy
ESPA# show crypto isakmp sa
ESPA# show crypto ipsec sa
ESPpix# show isakmp sa
ESPpix# show crypto ipsec sa
ESPpix# show crypto map
(Traffic matching the crypto access-list, for example ping 11.0.0.2 from the PIX, triggers the
negotiation; the ISAKMP SA should then show QM_IDLE on the router and the IPsec SA packet counters
should increase on both sides.)
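Most tunnel failures between a PIX and a router come from the two sides disagreeing on one of the parameters listed in the note above. The Python check below is an added example, not code from the manual or from Cisco: it parses the two configurations as text, fills in the platform defaults for ISAKMP attributes that are not spelled out (the same on PIX 6.x and IOS: des, sha, rsa-sig, group 1), and reports every mismatch that would stop phase 1 or phase 2, plus a warning about DES/MD5. The configuration strings are constructed from the lab's values (with the transform sets written out as esp-des esp-md5-hmac); the function names are assumptions.

```python
import ipaddress
import re

# Constructed excerpts of the two configurations above (same values as the lab).
PIX_CONFIG = """
isakmp enable outside
isakmp policy 2 encryption des
isakmp policy 2 hash md5
isakmp policy 2 authentication pre-share
isakmp policy 2 group 2
isakmp key cisco123 address 11.0.0.2
access-list 101 permit ip 11.0.0.1 255.255.255.255 11.0.0.2 255.255.255.255
crypto ipsec transform-set pix esp-des esp-md5-hmac
crypto map pixmap 1 ipsec-isakmp
crypto map pixmap 1 match address 101
crypto map pixmap 1 set peer 11.0.0.2
crypto map pixmap 1 set transform-set pix
crypto map pixmap 1 set pfs group2
"""
IOS_CONFIG = """
crypto isakmp policy 1
 authentication pre-share
 encryption des
 group 2
 hash md5
crypto isakmp key cisco123 address 11.0.0.1
crypto ipsec transform-set ESPAset esp-des esp-md5-hmac
crypto map ESPAmap 1 ipsec-isakmp
 match address 101
 set peer 11.0.0.1
 set transform-set ESPAset
 set pfs group2
access-list 101 permit ip host 11.0.0.2 host 11.0.0.1
"""

DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}


def isakmp_policies(text, pix):
    """{policy_number: {attribute: value}} with the platform defaults filled in."""
    pol, cur = {}, None
    for line in text.splitlines():
        t = line.split()
        if pix and t[:2] == ["isakmp", "policy"]:                  # PIX: one attribute per line
            pol.setdefault(int(t[2]), dict(DEFAULTS))[t[3]] = t[4]
        elif not pix and t[:3] == ["crypto", "isakmp", "policy"]:  # IOS: a block of attribute lines
            cur = pol.setdefault(int(t[3]), dict(DEFAULTS))
        elif not pix and cur is not None and t and t[0] in DEFAULTS:
            cur[t[0]] = t[1]
    return pol


def transform_sets(text):
    return {m[1]: frozenset(m[2].split()) for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", text)}


def preshared(text):
    m = re.search(r"isakmp key (\S+) address (\S+)", text)        # matches the PIX and the IOS spelling
    return (m[1], m[2]) if m else (None, None)


def pfs_group(text):
    m = re.search(r"set pfs (\S+)", text)
    return m[1] if m else None


def crypto_acl(text, pix):
    """Set of (src_net, dst_net) pairs from `access-list N permit ip ...`; PIX uses subnet masks, IOS wildcards."""
    pairs = set()
    for m in re.finditer(r"access-list \S+ permit ip (.+)", text):
        t, nets = m[1].split(), []
        while t:
            if t[0] == "host":
                nets.append(ipaddress.ip_network(t[1])); t = t[2:]
            elif t[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0")); t = t[1:]
            else:
                mask = t[1] if pix else str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(t[1]))))
                nets.append(ipaddress.ip_network(f"{t[0]}/{mask}", strict=False)); t = t[2:]
        pairs.add((nets[0], nets[1]))
    return pairs


def check(pix_cfg, ios_cfg, pix_outside_ip, router_ip):
    """List the reasons the tunnel would not come up; an empty list means both sides agree."""
    problems = []
    pix_pol, ios_pol = isakmp_policies(pix_cfg, True), isakmp_policies(ios_cfg, False)
    if not any(a == b for a in pix_pol.values() for b in ios_pol.values()):
        problems.append(f"Phase 1: no ISAKMP policy matches: PIX {pix_pol} vs router {ios_pol}")
    pix_key, pix_peer = preshared(pix_cfg)
    ios_key, ios_peer = preshared(ios_cfg)
    if pix_key != ios_key or pix_peer != router_ip or ios_peer != pix_outside_ip:
        problems.append("Phase 1: pre-shared key or peer address mismatch")
    if not set(transform_sets(pix_cfg).values()) & set(transform_sets(ios_cfg).values()):
        problems.append("Phase 2: no common transform set")
    if pfs_group(pix_cfg) != pfs_group(ios_cfg):
        problems.append("Phase 2: PFS group mismatch")
    pix_acl, ios_acl = crypto_acl(pix_cfg, True), crypto_acl(ios_cfg, False)
    if {(d, s) for s, d in pix_acl} != ios_acl:
        problems.append(f"Phase 2: crypto ACLs are not mirror images: PIX {pix_acl} vs router {ios_acl}")
    weak = [n for n, p in list(pix_pol.items()) + list(ios_pol.items())
            if p["encryption"] == "des" or p["hash"] == "md5"]
    if weak:
        problems.append("weak crypto: DES/MD5 in an ISAKMP policy; use 3des and sha (the lab PIX is 3DES-licensed)")
    return problems


if __name__ == "__main__":
    for p in check(PIX_CONFIG, IOS_CONFIG, "11.0.0.1", "11.0.0.2"):
        print(p)
```

Run against the corrected lab configuration the only finding is the DES/MD5 warning; feed it the router access-list as it was originally written (11.0.0.0 0.255.255.255 on both sides) and it reports the non-mirrored proxy identities that would make phase 2 fail.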


CA SERVER WITH PIX FIREWALL

Topology: PIX interface 10.0.0.10; the Certificate Authority server ("computer") at 10.0.0.1 runs
Microsoft Certificate Services with the MSCEP (SCEP) add-on.

REQUIREMENTS:
Windows 98/2000 on the hosts
PIX software 6.2
PIX Firewall Configuration:
ESPpix(config)# name 10.0.0.1 computer
ESPpix(config)# domain-name cisco.com
ESPpix(config)# ca generate rsa key 1024
ESPpix(config)# ca identity computer 10.0.0.1:/certsrv/mscep/mscep.dll
ESPpix(config)# ca configure computer ra 1 10 crloptional
ESPpix(config)# ca authenticate computer
ESPpix(config)# ca enroll computer esppassword
ESPpix(config)# ca save all
Note: ca identity names the CA and gives the SCEP URL path (/certsrv/mscep/mscep.dll, the same path as
in the browser below). ca configure ... ra 1 10 crloptional means: the CA uses a registration authority,
retry every 1 minute up to 10 times, and accept peer certificates even when the CRL cannot be fetched
(crloptional weakens revocation checking; drop it once the CRL distribution point is reachable).
ca authenticate fetches the CA certificate: compare the fingerprint it prints with the one shown on the
CA before trusting it. ca save all stores the keys and certificates in flash; without it they are gone
after a reload.
For the enrollment password (esppassword above), open Internet Explorer at
http://10.0.0.1/certsrv/mscep/mscep.dll; the page returns a one-time challenge password, which you
supply in the ca enroll command.
Verification Commands:
ESPpix# show ca identity
ESPpix# show ca configure
ESPpix# show ca certificate
ESPpix# show ca mypubkey rsa


PASSWORD RECOVERY:

Topology: TFTP server 10.0.0.1 on E1; the PIX's interface is given 10.0.0.10 for the recovery.

Procedure:
Save the running configuration first (write memory): the recovery image removes the enable and Telnet
passwords and the aaa authentication ... console commands from the saved configuration.
Reboot the PIX and press Esc (or send a Break) during the flash-boot countdown; the prompt changes to
monitor>.
monitor> interface 1
monitor> address 10.0.0.10
monitor> server 10.0.0.1
monitor> file np61.bin
monitor> ping 10.0.0.1
monitor> tftp
The npNN.bin recovery image must match the running software version (np61.bin for 6.1, np62.bin for
6.2). After it loads it asks
Do you wish to erase the passwords? [yn] y
and the PIX reboots with the passwords cleared.
Note: anyone with console access and a laptop running a TFTP server can do this, so physical access to
the PIX is equivalent to full administrative access; keep the console port locked away.


PIX SOFTWARE IMAGE & PDM UPGRADE:

Topology: TFTP server 10.0.0.1 on E1 (inside, 10.0.0.10).

PIX Firewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# interface e1 10baset
ESPpix(config)# copy tftp flash
At the CLI you are prompted for the following parameters:
Address or name of remote host [127.0.0.1]? 10.0.0.1
Source file name [cdisk]? pix622.bin
copying tftp://10.0.0.1/pix622.bin to flash:image
[yes|no|again]? y
ESPpix(config)# reload
ESPpix# show version
Note: TFTP is unauthenticated and unencrypted, so check the image's MD5 against the value published on
Cisco's download page before copying it, run the copy over an inside interface only, and confirm with
show version after the reload that the expected version is running.
For PDM UPGRADE
PIX Firewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# interface e1 10baset
ESPpix(config)# copy tftp flash:pdm
At the CLI you are prompted for the following parameters:
Address or name of remote host [127.0.0.1]? 10.0.0.1
Source file name [cdisk]? pdm-211.bin
copying tftp://10.0.0.1/pdm-211.bin to flash:pdm
[yes|no|again]? y
Erasing current PDM file
Writing new PDM file
ESPpix# show version
After changing the PIX software image you must reload the PIX; after changing the PDM image no reload is
needed.


OBJECT GROUPING

Topology: inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server) on E1 (inside, 10.0.0.10), published as
20.0.0.21 and 20.0.0.22; outside host 20.0.0.4 on E0 (outside, 20.0.0.10).

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin), 500-series PIX
PIX Firewall Configuration:
ESPpix(config)# interface e0 10full
ESPpix(config)# interface e1 10full
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# static (inside,outside) 20.0.0.21 10.0.0.1
ESPpix(config)# static (inside,outside) 20.0.0.22 10.0.0.2
Note: an object group collects hosts and networks, protocols, services (ports) or ICMP types under one
name that an access-list line then references; the PIX expands the group into one ACE per member (show
access-list displays the expansion), so a group is a readability and maintenance aid, not a different
matching engine. Each of the four sub-labs below adds lines to the same access-list 1; clear the list
between them (clear access-list, under Verification Commands), otherwise the earlier permits stay in
effect and confuse the test.
ICMP-Type:
ESPpix(config)# object-group icmp-type icmpobject
ESPpix(config-icmp-type)# icmp-object echo
ESPpix(config-icmp-type)# icmp-object echo-reply
ESPpix(config-icmp-type)# exit
ESPpix(config)# access-list 1 permit icmp any any object-group icmpobject
ESPpix(config)# access-group 1 in interface outside


At Machine 10.0.0.1:
Open a command prompt and run ping 20.0.0.4; then at machine 20.0.0.4 run ping 20.0.0.21 (the static
for 10.0.0.1). Both directions work because echo and echo-reply are permitted inbound on the outside
interface; any other ICMP type is dropped by the implicit deny.
Network-Type:
ESPpix(config)# object-group network ftpobject
ESPpix(config-network)# network-object host 20.0.0.1
ESPpix(config-network)# exit
ESPpix(config)# access-list 1 permit tcp object-group ftpobject any eq ftp
ESPpix(config)# access-group 1 in interface outside
At Machine 20.0.0.1 (the host in ftpobject):
Open Internet Explorer and enter ftp://20.0.0.21 in the address bar: the FTP site comes up, but this host
cannot reach any other server or any other service on the same server, and an outside host that is not
in the group (such as 20.0.0.4) cannot reach FTP either.
Protocol-Type:
ESPpix(config)# object-group protocol protoobject
ESPpix(config-protocol)# protocol-object udp
ESPpix(config-protocol)# protocol-object tcp
ESPpix(config-protocol)# exit
ESPpix(config)# access-list 1 permit object-group protoobject any any
ESPpix(config)# access-group 1 in interface outside
At Machine 20.0.0.4:
This list allows all TCP and UDP traffic from the outside (to any address that has a static) but nothing
else, for example no ICMP.
Service-Type:
ESPpix(config)# object-group service servobject1 tcp
ESPpix(config-service)# port-object range 1024 65535
ESPpix(config-service)# exit
ESPpix(config)# object-group service servobject2 tcp
ESPpix(config-service)# port-object eq http
ESPpix(config-service)# exit
ESPpix(config)# access-list 1 permit tcp any object-group servobject1 any object-group servobject2
ESPpix(config)# access-group 1 in interface outside


At Machine 20.0.0.4:
This list permits outside users to reach only the HTTP service (TCP port 80, servobject2 as the
destination port group) and only when their source port lies in 1024-65535 (servobject1 as the source
port group, the usual ephemeral range). Matching on source ports is a weak control, since the client
chooses them.
Verification Commands:
ESPpix# show object-group
ESPpix# show access-list
ESPpix# show access-group
ESPpix# clear access-list
ESPpix# clear access-group
ESPpix# clear object-group
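The ACCESS CONTROL LIST lab and the four object-group sub-labs above rest on the same two facts: a group is expanded into one flat ACE per member, and the flattened list is evaluated top down with an implicit deny at the end. The Python below is an added example, not code from the manual or from Cisco: it parses the subset of PIX 6.2 access-list and object-group syntax used on this page (host, any, address/mask, eq, range, and object-group references in the protocol, address, port and ICMP-type positions), prints the expansion the way show access-list would, and evaluates constructed packets against it. The configuration text is constructed from the lab's groups and lists, and the function names are assumptions.

```python
import ipaddress

SERVICE_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80, "http": 80}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8}

# Constructed configuration in PIX 6.2 syntax; group and list names follow the labs above.
CONFIG = """
object-group icmp-type icmpobject
 icmp-object echo
 icmp-object echo-reply
object-group network ftpobject
 network-object host 20.0.0.1
object-group protocol protoobject
 protocol-object udp
 protocol-object tcp
object-group service servobject1 tcp
 port-object range 1024 65535
object-group service servobject2 tcp
 port-object eq http
access-list 1 permit icmp any any object-group icmpobject
access-list 1 permit tcp object-group ftpobject any eq ftp
access-list 1 permit tcp any object-group servobject1 any object-group servobject2
access-list wide permit object-group protoobject any any
access-list esp permit tcp host 10.0.0.1 any eq www
"""


def parse_config(text):
    """Return (groups, aces): groups[name] -> list of member token lists; aces -> (list_name, action, tokens)."""
    groups, aces, current = {}, [], None
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "object-group":
            current = groups.setdefault(t[2], [])
        elif t[0].endswith("-object"):        # network-object / port-object / protocol-object / icmp-object
            current.append(t[1:])
        elif t[0] == "access-list":
            aces.append((t[1], t[2], t[3:]))
    return groups, aces


def expand(tokens, groups):
    """Replace every object-group reference by its members, recursively: the flat ACEs the PIX evaluates."""
    for i, tok in enumerate(tokens):
        if tok == "object-group":
            for member in groups[tokens[i + 1]]:
                yield from expand(tokens[:i] + member + tokens[i + 2:], groups)
            return
    yield tokens


def port(tok):
    return int(tok) if tok.isdigit() else SERVICE_NAMES[tok]


def parse_flat(tokens):
    """Turn a flat ACE [action proto src [ports] dst [ports] [icmp-type]] into match fields."""
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def addr(r):
        if r[0] == "any": return ("0.0.0.0", "0.0.0.0"), r[1:]
        if r[0] == "host": return (r[1], "255.255.255.255"), r[2:]
        return (r[0], r[1]), r[2:]                              # address and subnet mask

    def ports(r):
        if proto in ("tcp", "udp") and r and r[0] == "eq": return (port(r[1]), port(r[1])), r[2:]
        if proto in ("tcp", "udp") and r and r[0] == "range": return (port(r[1]), port(r[2])), r[3:]
        return (0, 65535), r                                    # no port qualifier: any port

    src, rest = addr(rest); sport, rest = ports(rest)
    dst, rest = addr(rest); dport, rest = ports(rest)
    icmp = ICMP_TYPES[rest[0]] if proto == "icmp" and rest else None
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, icmp=icmp)


def matches(ace, pkt):
    in_net = lambda ip, n: ipaddress.ip_address(ip) in ipaddress.ip_network(f"{n[0]}/{n[1]}", strict=False)
    return (ace["proto"] in ("ip", pkt["proto"])
            and in_net(pkt["src"], ace["src"]) and in_net(pkt["dst"], ace["dst"])
            and ace["sport"][0] <= pkt.get("sport", 0) <= ace["sport"][1]
            and ace["dport"][0] <= pkt.get("dport", 0) <= ace["dport"][1]
            and (ace["icmp"] is None or ace["icmp"] == pkt.get("icmp_type")))


def show_access_list(name, groups, aces):
    """The expanded lines, as `show access-list` displays them."""
    return [" ".join(flat) for n, action, toks in aces if n == name for flat in expand([action] + toks, groups)]


def evaluate(name, pkt, groups, aces):
    """First matching ACE wins; once an access-group is applied, no match means deny (implicit deny)."""
    for n, action, toks in aces:
        if n != name:
            continue
        for flat in expand([action] + toks, groups):
            if matches(parse_flat(flat), pkt):
                return flat[0], " ".join(flat)
    return "deny", "implicit deny at the end of access-list " + name


if __name__ == "__main__":
    groups, aces = parse_config(CONFIG)
    print("\n".join(show_access_list("1", groups, aces)))
    print(evaluate("1", {"proto": "tcp", "src": "20.0.0.4", "sport": 1500, "dst": "20.0.0.21", "dport": 21}, groups, aces))
    print(evaluate("esp", {"proto": "udp", "src": "10.0.0.1", "sport": 1025, "dst": "10.0.0.30", "dport": 53}, groups, aces))
```

The last call shows the trap noted in the ACCESS CONTROL LIST lab: with only an HTTP permit on the inside interface, a DNS query from the same host falls through to the implicit deny.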


OBJECT GROUPING ON PDM

Topology: inside hosts 10.0.0.1 and 10.0.0.2 (local WWW server) on E1 (inside, 10.0.0.10), published as
20.0.0.21 and 20.0.0.22; outside host 20.0.0.4 on E0 (outside, 20.0.0.10).

REQUIREMENTS:
Windows 98 on the test hosts
PIX software 6.2 (image pix622.bin), 500-series PIX
PIX Firewall Configuration:
ESPpix(config)# http server enable
ESPpix(config)# http 10.0.0.1 255.255.255.255 inside
Note: http ip_address [netmask] [if_name] restricts which hosts may open PDM, which runs over HTTPS (a
DES or 3DES licence is required); the login password is the enable password unless aaa authentication
http console is configured. Open https://10.0.0.10 from machine 10.0.0.1 to start PDM.


(PDM screenshots not reproduced: create the object group and the access rule that references it, press
OK after each dialog, then press Apply to PIX to send the change to the firewall.)


ESPpix# show access-list
ESPpix# show access-group
ESPpix# show object-group

At Machine 20.0.0.4:
The outside user is only permitted to reach the web server at 20.0.0.21.
