Lab Configuring Access Through the PIX Firewall


Lab 5.5.1 Configuring Access Through the PIX Firewall

Complete the following lab exercise to practice what you learned in this chapter.

Objectives

In this lab exercise you will complete the following tasks:

Configure a PIX Firewall to protect an enterprise network from Internet access.
Test and verify correct PIX Firewall operation.
Configure the PIX Firewall third interface.
Test and verify access to the third interface.

Visual Objectives

The following figure displays the configuration you will complete in this lab exercise.

[Figure: Internet; pod perimeter router (.1) on 192.168.P.0/24; PIX Firewall with e0 outside (.2), e1 inside (.1) on 10.0.P.0/24 and e2 dmz (.1) on 172.16.P.0/24; bastion host (.2 on the dmz, web and FTP server); backbone server 172.26.26.50 (web, FTP, and TFTP server); inside host (.3 on the inside network, web and FTP server)]

Copyright 2001, Cisco Systems, Inc. Cisco Secure PIX Firewall Advanced 2.0 Lab 5.5.1 6-1

Directions

Your task in this exercise is to configure the PIX Firewall to work with a perimeter router to protect the campus network from intruders. One PIX Firewall is available for each pod group of two students. Work with your pod members to perform the following steps in this lab exercise:

Configure global addresses and NAT for inside and outside interfaces.
Test globals and NAT configuration.
Configure a static and conduit from the PIX Firewall outside interface to the Windows NT server inside the network.
Test and verify correct PIX Firewall operation.
Configure the PIX Firewall third interface.
Test access to the third interface.

Task 1 Configure Global Addresses and NAT for Inside and Outside Interfaces

Step 1 Enter the following commands to configure PIX Firewall global address pools and routing. Remove NAT:

    pixp(config)# no nat (inside) 1 0 0

Step 2 Configure NAT for the internal network's range of IP addresses:

    pixp(config)# nat (inside) 1 10.0.P.0 255.255.255.0 0 0

Step 3 Display the currently configured NAT:

    pixp(config)# show nat
    nat (inside) 1 10.0.P.0 255.255.255.0 0 0

Step 4 Allow ICMP and ping packets through the PIX Firewall:

    pixp(config)# conduit permit icmp any any

Step 5 Write the current configuration to Flash memory:

    pixp(config)# write memory

Step 6 Write the current configuration to the terminal:

    pixp(config)# write terminal

Step 7 Use the clear xlate command after configuring with the nat and global commands to make the global IP addresses available in the translation table:

    pixp(config)# clear xlate
    pixp(config)# show xlate

Task 2 Test Globals and NAT Configuration

To test the globals and NAT configuration, you must complete the following:

Step 1 From your Windows command line, ping the perimeter router:

    C:\> ping 192.168.P.1

Step 2 Test the operation of the global and NAT you configured by originating connections through the PIX Firewall:

1. Open a web browser on the Windows NT server.
2. Use the web browser to access the Super Server at IP address 172.26.26.50 by entering http://172.26.26.50.

Step 3 Observe the translation table with the show xlate command:

    pixp(config)# show xlate

Your display should appear similar to the following:

    Global 192.168.P.20 Local 10.0.P.3

Note that a global address chosen from the low end of the global range has been mapped to your NT laptop.

Task 3 Configure a Static and Conduit from the PIX Firewall Outside Interface to the Windows NT Server Inside the Network

Step 1 Configure a static translation so that traffic originated from the internal Windows NT server always has the same source address on the outside interface of the PIX Firewall. Test the static and conduit by pinging the Windows NT server from the perimeter router. In a production environment, you should remove the conduit permit icmp any any command to prevent a potential security breach. Use the following commands to create a static translation from the outside PIX Firewall interface to the internal host, and to create a conduit that allows web connections from the outside to your NT server on the inside (where P = your pod number):

    pixp(config)# static (inside,outside) 192.168.P.10 10.0.P.3
    pixp(config)# conduit permit tcp host 192.168.P.10 eq www any

Step 2 Turn on ICMP monitoring at the PIX Firewall:

    pixp(config)# debug icmp trace
    ICMP trace on
    Warning: this may cause problems on busy networks

Step 3 Clear the translation table:

    pixp(config)# clear xlate

Step 4 Ping the perimeter router from your Windows NT server to test the translation. Observe the source and destination of the packets at the console of the PIX Firewall.

    C:\> ping 192.168.P.1

Note the example display for pixp:

    Inbound ICMP echo reply 192.168.P.1 > 192.168.P.10 > 10.0.P.3
    Inbound ICMP echo reply 192.168.P.1 > 192.168.P.10 > 10.0.P.3
    Inbound ICMP echo reply 192.168.P.1 > 192.168.P.10 > 10.0.P.3
    Inbound ICMP echo reply 192.168.P.1 > 192.168.P.10 > 10.0.P.3

Step 5 Observe the source, destination, and translated addresses on the PIX Firewall console. Ping a peer inside host from your inside host as allowed by the conduit via the static (where Q = peer's pod number):

    C:\> ping 192.168.Q.10

Step 6 Test web access to another pod's inside host as allowed by the static and conduit configured in this task:

1. Open a web browser on the Windows NT server.
2. Use the web browser to access the inside host of another pod by entering http://192.168.Q.10.

Step 7 Turn off debug:

    pixp(config)# no debug icmp trace

Example Configuration

Your configuration may look as follows at this point:

    pixp(config)# write terminal
    Building configuration...
    : Saved
    :
    PIX Version 5.3(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    nameif ethernet3 intf3 security15
    nameif ethernet4 intf4 security20
    nameif ethernet5 intf5 security25
    enable password 6RD5.96v/eXN3kta encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixp
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol smtp 25
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    names
    pager lines 24

    no logging timestamp
    no logging console
    no logging monitor
    no logging buffered
    no logging trap
    logging facility 20
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    interface ethernet3 auto shutdown
    interface ethernet4 auto shutdown
    interface ethernet5 auto shutdown
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu intf5 1500
    ip address outside 192.168.P.2 255.255.255.0
    ip address inside 10.0.P.1 255.255.255.0
    ip address dmz 172.16.P.1 255.255.255.0
    ip address intf3 127.0.0.1 255.255.255.255
    ip address intf4 127.0.0.1 255.255.255.255
    ip address intf5 127.0.0.1 255.255.255.255
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover poll 15
    failover timeout 0:00:00
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    failover ip address dmz 0.0.0.0
    arp timeout 14400
    global (outside) 1 192.168.P.20-192.168.P.254 netmask 255.255.255.0
    nat (inside) 1 10.0.P.0 255.255.255.0 0 0
    static (inside,outside) 192.168.P.10 10.0.P.3 netmask 255.255.255.255 0 0
    conduit permit icmp any any
    conduit permit tcp host 192.168.P.10 eq www any
    route outside 0.0.0.0 0.0.0.0 192.168.P.1 1
    timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    isakmp identity hostname

    telnet timeout 5
    ssh timeout 5
    terminal width 80
    Cryptochecksum:9963c491006b1296815f3437947fab81
    : end
    [OK]
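To make the Task 1 through Task 3 behaviour concrete, here is an added Python model (not part of the Cisco lab) of how the PIX picks an inside host's source translation from the global pool or from a static, admits an outside-initiated connection only through a static plus a matching conduit, and flags the conduit permit icmp any any line that the lab says to remove in production. The pod number P=1, a global pool that stays inside one /24, and the port-name table are assumptions.

```python
import re
# Constructed sample: the lab's Task 1 and Task 3 statements with pod number P=1 assumed.
SAMPLE_CONFIG = """\
global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
static (inside,outside) 192.168.1.10 10.0.1.3 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 192.168.1.10 eq www any
"""
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25}
GLOBAL_RE = re.compile(r"^global \(\w+\) \d+ (\S+)-(\S+)")
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+)")
CONDUIT_RE = re.compile(r"^conduit permit (\w+) (host \S+|any)(?: eq (\w+))? (host \S+|any)")

def parse_pix(config):
    """Return (global pool list, {global_ip: local_ip} statics, permit conduits)."""
    pool, statics, conduits = [], {}, []
    for line in config.splitlines():
        if m := GLOBAL_RE.match(line):  # assumes the pool range stays within one /24
            (prefix, lo), hi = m.group(1).rsplit(".", 1), m.group(2).rsplit(".", 1)[1]
            pool = [f"{prefix}.{n}" for n in range(int(lo), int(hi) + 1)]
        elif m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)
        elif m := CONDUIT_RE.match(line):
            proto, dst, port, src = m.groups()
            conduits.append({"proto": proto, "dst": dst, "port": port, "src": src, "text": line})
    return pool, statics, conduits

def outbound_xlate(pool, statics, local_ip, xlate):
    """Inside host's source translation: a static wins, else the lowest free pool address."""
    for glob, loc in statics.items():
        if loc == local_ip:
            return glob
    if local_ip not in xlate:  # xlate is the live translation table; it is mutated here
        xlate[local_ip] = next(g for g in pool if g not in xlate.values())
    return xlate[local_ip]

def inbound_decision(statics, conduits, proto, dst_ip, dst_port=None):
    """Outside-initiated packet: needs a static plus a matching conduit -> (permitted, inside_ip)."""
    inside_ip = statics.get(dst_ip)
    for c in conduits:
        if inside_ip and c["proto"] in (proto, "ip") and c["dst"] in ("any", f"host {dst_ip}") \
                and (c["port"] is None or PORT_NAMES.get(c["port"], c["port"]) == dst_port):
            return True, inside_ip
    return False, inside_ip

def overly_permissive(conduits):
    """Conduits open from any source to any global address, e.g. the lab's icmp any any."""
    return [c["text"] for c in conduits if c["dst"] == c["src"] == "any"]
POOL, STATICS, CONDUITS = parse_pix(SAMPLE_CONFIG)
```

Running the model over the sample shows why show xlate in Task 2 reports 192.168.P.20 (the low end of the pool) before the static exists, and why only TCP port 80 reaches 10.0.P.3 from outside once Task 3 is done.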