
pix advanced lab 1v2


Document information: 11 pages, 289.94 KB

Contents


Lab Exercise―Configure the PIX Firewall

Complete the following lab exercises to practice what you have learned.

Objectives

In this lab exercise, you will complete the following tasks:

■ Configure basic PIX Firewall features to protect Internet access to an enterprise network

■ Test and verify basic PIX Firewall operation

Visual Objective

The following figure displays the topology of the lab environment used in this exercise.

© 2001, Cisco Systems, Inc www.cisco.com CSPFA 2.0—4-32

Lab Visual Objective

Topology recovered from the figure (P = pod number):

  Inside host 10.0.P.2 --- 10.0.P.0/24 --- e1 inside (10.0.P.1) [PIX Firewall]
  [PIX Firewall] e0 outside (192.168.P.1) --- 192.168.P.0/24 --- Internet server 192.168.P.2 (web, FTP, and TFTP server) --- Internet
  [PIX Firewall] e2 dmz (172.16.1.P) --- 172.16.1.0/24 --- Bastion host 172.16.1.50 (web and FTP server)


Access and Lab Setup

To do this lab exercise, you must be connected to the lab at www.labgear.net. Your instructor will provide the username and password for logging into this site. Once logged on, the lab diagram will be displayed (the diagram in the original handout shows Pod #1).

To access the PIX Firewall from the main lab diagram, click on the "CONSOLE" icon associated with the PIX Firewall. A window will open to the PIX console. To access the inside or outside hosts, click on the appropriate "PC Desktop" icon. For these devices you must first authenticate at the "VNC Authentication" screen before you can access the PC desktop.

Passwords

Use the following passwords for this lab:

■ Lab Gear password: Your instructor will provide it.

■ PIX password: Either no password (just press the Enter key) or cisco.

■ PC client or server: The username is administrator and there is no password (just press the Enter key).

■ VNC password: When you connect to the PCs or servers, use a password of cisco at the VNC screen.


Task 1—Configure PIX Firewall Interfaces

To configure the PIX Firewall Ethernet interfaces, complete the following steps:

Step 1 On the main lab diagram, click on the "CONSOLE" icon associated with the PIX Firewall. A window will open to the PIX console. Press Enter, and one of two things will happen.

Step 2 If there is currently a configuration in the PIX, a configured prompt is displayed:

pixP> or pixP#

(where P = pod number). An unconfigured PIX shows the pixfirewall> prompt instead.

Step 3 If you get the pixfirewall> prompt, go to Step 7. Otherwise, continue (we want to start this lab with an unconfigured PIX).

Step 4 Enter the privileged mode of the PIX Firewall. If prompted for a password, press Enter:

pixP> enable
Password:
pixP#

Step 5 Erase the configuration and reload the firewall:

pixP# write erase
pixP# reload

Step 6 If there is no configuration in the PIX, after a reload it will start the basic setup routine. This routine asks a series of questions in order to build a basic configuration. We do not want to use the setup routine: enter no at the "Pre-configure PIX Firewall now through interactive prompts [yes]?" prompt.

Step 7 Enter the privileged mode of the PIX Firewall. If prompted for a password, press Enter. Enter configuration mode and change the hostname to pixP (where P = pod number) using the hostname command:

pixfirewall> enable
Password:
pixfirewall#
pixfirewall# configure terminal
pixfirewall(config)# hostname pixP
pixP(config)#

Step 8 Assign the PIX Firewall DMZ interface a name (dmz) and security level (50). The security level sets the default policy: connections are allowed from a higher-security interface to a lower one and blocked in the other direction, so the DMZ at 50 sits between inside (100) and outside (0). Display the interface names and security levels with the show nameif command. Your output should be similar to that shown below:

pixP(config)# nameif e2 dmz security50
pixP(config)# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10


Step 9 Enable the Ethernet 0, Ethernet 1, and Ethernet 2 interfaces for auto-sensing 10/100 communications. Use the show interface command to display information about the interfaces.

Note By default the interfaces are disabled. You must enable all interfaces you intend to use.

pixP(config)# interface e0 auto
pixP(config)# interface e1 auto
pixP(config)# interface e2 auto
pixP(config)# show interface
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0090.2724.fd0f
  MTU 1500 bytes, BW 10000 Kbit full duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0090.2716.43dd
  MTU 1500 bytes, BW 100000 Kbit full duplex
        184 packets input, 15043 bytes, 0 no buffer
        Received 179 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
interface ethernet2 "dmz" is up, line protocol is up
  Hardware is i82558 ethernet, address is 0090.2725.060d
  MTU 1500 bytes, BW 10000 Kbit full duplex
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
interface ethernet3 "intf3" is administratively down, line protocol is down
  Hardware is i82558 ethernet, address is 0090.2716.43dc
  MTU 1500 bytes, BW 100000 Kbit full duplex
        184 packets input, 15043 bytes, 0 no buffer
        Received 179 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
interface ethernet4 "intf4" is administratively down, line protocol is down
  Hardware is i82558 ethernet, address is 0090.2716.43db
  MTU 1500 bytes, BW 100000 Kbit full duplex
        184 packets input, 15043 bytes, 0 no buffer
        Received 179 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
interface ethernet5 "intf5" is administratively down, line protocol is down
  Hardware is i82558 ethernet, address is 0090.2716.43da
  MTU 1500 bytes, BW 100000 Kbit full duplex
        184 packets input, 15043 bytes, 0 no buffer
        Received 179 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)

Step 10 Assign IP addresses to the inside, outside, and dmz network interface cards. Insert your pod number wherever you see the letter P:

pixP(config)# ip address outside 192.168.P.1 255.255.255.0
pixP(config)# ip address inside 10.0.P.1 255.255.255.0
pixP(config)# ip address dmz 172.16.1.P 255.255.255.0

Step 11 Ensure that the IP addresses are correctly configured and are associated with the proper network interface:

pixP(config)# show ip address
System IP Addresses:
        ip address outside 192.168.P.1 255.255.255.0
        ip address inside 10.0.P.1 255.255.255.0
        ip address dmz 172.16.1.P 255.255.255.0
        no ip address intf3
        no ip address intf4
        no ip address intf5
Current IP Addresses:
        ip address outside 192.168.P.1 255.255.255.0
        ip address inside 10.0.P.1 255.255.255.0
        ip address dmz 172.16.1.P 255.255.255.0
        no ip address intf3
        no ip address intf4
        no ip address intf5

Step 12 Write the configuration to the flash memory:

pixP(config)# write memory

Building configuration

Cryptochecksum: d4d9ae69 9f7c734c babeef58 54b69c91 [OK]

pixP(config)#

Task 2—Configure Global Addresses, NAT, and Routing for Inside and Outside Interfaces

To configure a global address pool, NAT, and routing, complete the following steps:

Step 1 Assign one pool of NIC-registered IP addresses for use by outbound connections. (In this lab the 192.168.P.0/24 block stands in for registered, publicly routable addresses; it is actually RFC 1918 private space, so on a real Internet-facing PIX the global pool would be drawn from your provider-assigned range.)

pixP(config)# global (outside) 1 192.168.P.20-192.168.P.250 netmask 255.255.255.0
pixP(config)# show global
global (outside) 1 192.168.P.20-192.168.P.250 netmask 255.255.255.0

Step 2 Configure the PIX Firewall to allow all inside hosts to use NAT for outbound access:

pixP(config)# nat (inside) 1 0 0

Step 3 Display the currently configured NAT:

pixP(config)# show nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Note The nat ID in the global and nat commands must match. That allows you to have multiple different NAT pools: nat pool 1 could be used for hosts from subnet A, and nat pool 2 could be used for hosts from subnet B. In the above example, the nat ID is 1.

Step 4 In order to direct traffic to other networks, you need to add routes. You assign a default route on the outside network this way:

pixP(config)# route outside 0 0 192.168.P.254

Step 5 Display the currently configured routes:

pixP(config)# show route
        outside 0.0.0.0 0.0.0.0 192.168.P.254 1 OTHER static
        inside 10.0.P.0 255.255.255.0 10.0.P.1 1 CONNECT static
        dmz 172.16.1.0 255.255.255.0 172.16.1.P 1 CONNECT static
        outside 192.168.P.0 255.255.255.0 192.168.P.1 1 CONNECT static

Step 6 Write the current configuration to flash memory:

pixP(config)# write memory


Step 7 Display a list of the most recently entered commands. Your history list should be similar to the following:

pixP(config)# show history
interface e0 auto
interface e1 auto
interface e2 auto
show interface
ip address outside 192.168.P.1 255.255.255.0
ip address inside 10.0.P.1 255.255.255.0
ip address dmz 172.16.1.P 255.255.255.0
show ip address
write memory
global (outside) 1 192.168.P.20-192.168.P.250 netmask 255.255.255.0
show global
nat (inside) 1 0 0
show nat
route outside 0 0 192.168.P.254
show route
write memory
show history

Note You can use the up and down cursor keys on your keyboard to recall commands

Step 8 Write the current configuration to the terminal and verify that you have entered the previous commands correctly:

pixP(config)# write terminal
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixP
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 192.168.P.1 255.255.255.0
ip address inside 10.0.P.1 255.255.255.0
ip address dmz 172.16.1.P 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 192.168.P.20-192.168.P.250 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.P.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:f937dddaa79ad7a8b39ac14f6cd87ee5
: end
[OK]

Test the operation of the global and nat statements you configured by originating connections through the PIX Firewall:

1. Click on the "PC Desktop" icon on the inside client.

2. The "VNC Authentication" screen is displayed. The password is cisco (the password is case-sensitive).

3. Open a web browser on the inside client.

4. Use the web browser to access the outside server at IP address 192.168.P.2 by entering http://192.168.P.2. If you are successful, the browser page will have a message like "Pod P Outside HTTP Server" (you may have to scroll the page down to see this).

Step 9 Observe the translation table:

pixP(config)# show xlate

Your display should appear similar to the following:

Global 192.168.P.20 Local 10.0.P.2

A global address chosen from the low end of the global range has been mapped to the inside client.
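The write terminal listing above is what a reviewer actually reads, so here is an added example, written for this page and not Cisco's or the lab's code, of checking such a listing mechanically in Python. It flags the two password hashes the lab config still carries (they are the PIX factory defaults for an empty enable password and the telnet password cisco, which is exactly what the Passwords section tells you to use), the default public SNMP community, a console session that never times out, any interface that is enabled but has no address, and a nat ID with no matching global pool or vice versa (the rule stated in the Note under Task 2). SAMPLE_CONFIG is an abbreviated copy of the listing with pod number P = 1 substituted; the finding codes and messages are this example's own.

```python
"""Audit a PIX 6.x 'write terminal' listing for the settings a reviewer
would flag.  Added example, not part of the Cisco lab; SAMPLE_CONFIG is an
abbreviated copy of the lab's listing with pod number P = 1 substituted."""
import re

# The two hashes in the lab listing are the PIX factory defaults: an empty
# enable password and the telnet password "cisco", exactly the passwords the
# lab tells you to use.  In a production config they mean nobody set them.
DEFAULT_HASHES = {
    "8Ry2YjIyt7RRXU24": "enable password is empty (factory default)",
    "2KFQnbNIdI.2KYOU": "passwd (telnet/ssh) is 'cisco' (factory default)",
}

SAMPLE_CONFIG = """\
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix1
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
no ip address intf3
global (outside) 1 192.168.1.20-192.168.1.250 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
snmp-server community public
telnet timeout 5
ssh timeout 5
console timeout 0
: end
"""


def audit(config):
    """Return a list of (code, message) findings for the listing."""
    findings, enabled, names, addressed = [], set(), {}, set()
    nat_ids, global_ids = set(), set()
    for raw in config.splitlines():
        line = " ".join(raw.split())            # collapse extraction whitespace
        if not line or line.startswith(":"):    # ': Saved' / ': end' are comments
            continue
        if m := re.match(r"(enable password|passwd) (\S+) encrypted$", line):
            if m.group(2) in DEFAULT_HASHES:
                findings.append(("default-credential", DEFAULT_HASHES[m.group(2)]))
        elif m := re.match(r"interface (\S+) \S+( shutdown)?$", line):
            if not m.group(2):                   # no 'shutdown' keyword: interface is enabled
                enabled.add(m.group(1))
        elif m := re.match(r"nameif (\S+) (\S+) security\d+$", line):
            names[m.group(1)] = m.group(2)       # hardware name -> interface name
        elif m := re.match(r"ip address (\S+) \S+ \S+$", line):
            addressed.add(m.group(1))
        elif m := re.match(r"nat \(\S+\) (\d+) ", line):
            nat_ids.add(int(m.group(1)))
        elif m := re.match(r"global \(\S+\) (\d+) ", line):
            global_ids.add(int(m.group(1)))
        elif line == "snmp-server community public":
            findings.append(("snmp-default-community",
                             "SNMP community is 'public'; change it before adding any snmp-server host"))
        elif line == "console timeout 0":
            findings.append(("console-no-timeout", "console sessions never time out"))
    # An enabled interface with no address still answers at layer 2; it should be shut down.
    for hw in sorted(enabled):
        name = names.get(hw, hw)
        if name not in addressed:
            findings.append(("interface-no-address", f"{name} ({hw}) is enabled but has no ip address"))
    # The nat ID selects the global pool (nat 0 means no translation and needs no pool).
    for nid in sorted(nat_ids - global_ids - {0}):
        findings.append(("nat-without-global", f"nat id {nid} has no matching global pool"))
    for gid in sorted(global_ids - nat_ids):
        findings.append(("global-without-nat", f"global id {gid} has no matching nat statement"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CONFIG):
        print(f"{code:24} {msg}")
```

Run against the lab listing it reports the two default credentials, the public community and the console timeout, and nothing about interfaces or NAT IDs; renumbering the global pool to 2 without touching the nat statement, or removing shutdown from ethernet3, produces the corresponding extra findings.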

Task 3—Configure Inside Multiple Interfaces

Configure the PIX Firewall to allow access to the DMZ from the inside and outside networks. Enter the following commands to configure the global address pool, NAT, and routing for the DMZ interface. (Only inside-to-DMZ access is configured and tested here: it is a higher-to-lower security flow, so a global pool on the dmz interface is all it needs. Outside-to-DMZ access would also require a static translation and a conduit or access-list, which this lab does not configure.)

Step 1 Assign one pool of IP addresses for hosts on the public DMZ:

pixP(config)# global (dmz) 1 172.16.1.1P0-172.16.1.1P9 netmask 255.255.255.0

(where P = pod number; for pod 10 use 172.16.1.100-172.16.1.109)

Step 2 Clear the translation table so that the global IP address will be updated in the table:

pixP(config)# clear xlate

Step 3 Write the current configuration to flash memory:

pixP(config)# write memory

Step 4 Test web access to your bastion host from the inside client by doing the following:

1. Open a web browser on the inside client.

2. Use the web browser to access your bastion host by entering http://172.16.1.50.

3. The home page of the bastion host should appear in your web browser. The browser page will have a message like "DMZ HTTP Server" (you may have to scroll the page down to see this).

4. Use the show arp, show conn, and show xlate commands to observe the transaction:

pixP(config)# show arp
        outside 192.168.P.2 00e0.1e41.8762
        inside 10.0.P.2 00e0.b05a.d509
        dmz 172.16.1.50 00e0.1eb1.78df
pixP(config)# show xlate
Global 172.16.1.1P0 Local 10.0.P.2
pixP(config)# show conn
1 in use, 3 most used
TCP out 172.16.1.50:80 in 10.0.P.2:1074 idle 0:00:07 Bytes 989 flags UIO

Note If you have successfully reached the web page but do not see any connection information, you probably need to turn off caching in your web browser. For Internet Explorer: Tools -> Internet Options... -> General tab -> Settings... (in the Temporary Internet files area) -> under "Check for newer versions of stored pages" select "Every visit to the page" -> OK -> OK.
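To make the behaviour behind the show xlate and show conn output of Tasks 2 and 3 concrete, here is an added Python model, written for this page and not Cisco code, of what the nameif, ip address, nat, global and route lines do to a new connection on a PIX 6.x: find the ingress interface from the source address, pick the egress interface by longest-prefix route lookup, permit only flows from a higher security level to a lower one, and allocate a global address from the pool whose ID matches the nat statement (lowest free address first, one translation per local host and egress interface, which is why the inside client gets 192.168.1.20 toward the outside and 172.16.1.110 toward the DMZ). LAB_CONFIG is constructed from the lab's commands with P = 1; the model ignores statics, conduits and access-lists, which this lab does not configure.

```python
"""Model of what the lab's nameif, ip address, nat, global and route lines
do to a new connection on a PIX 6.x.  Added example with pod number P = 1
substituted; it is a model written for this page, not Cisco code, and it
ignores statics, conduits and access-lists."""
from ipaddress import ip_address, ip_network

# Constructed from the lab's Task 1 to Task 3 commands with P = 1.
LAB_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
global (outside) 1 192.168.1.20-192.168.1.250 netmask 255.255.255.0
global (dmz) 1 172.16.1.110-172.16.1.119 netmask 255.255.255.0
nat (inside) 1 0 0
route outside 0 0 192.168.1.254
"""


def _net(addr, mask):
    """PIX accepts a bare 0 for 0.0.0.0 in nat and route commands."""
    fix = lambda s: "0.0.0.0" if s == "0" else s
    return ip_network(f"{fix(addr)}/{fix(mask)}", strict=False)


class Pix:
    def __init__(self, config):
        self.security = {}   # interface name -> security level
        self.connected = {}  # interface name -> directly connected network
        self.nat = {}        # interface name -> [(nat id, local network)]
        self.pools = {}      # (interface name, nat id) -> [global addresses]
        self.routes = []     # (network, egress interface)
        self.xlate = {}      # (local address, egress interface) -> global address
        for line in config.strip().splitlines():
            w = line.split()
            if w[0] == "nameif":
                self.security[w[2]] = int(w[3][len("security"):])
            elif w[:2] == ["ip", "address"]:
                self.connected[w[2]] = _net(w[3], w[4])
                self.routes.append((self.connected[w[2]], w[2]))
            elif w[0] == "nat":
                self.nat.setdefault(w[1].strip("()"), []).append((int(w[2]), _net(w[3], w[4])))
            elif w[0] == "global":
                lo, _, hi = w[3].partition("-")          # a single address is a one-entry pool
                lo, hi = ip_address(lo), ip_address(hi or lo)
                self.pools[(w[1].strip("()"), int(w[2]))] = [lo + i for i in range(int(hi) - int(lo) + 1)]
            elif w[0] == "route":
                self.routes.append((_net(w[2], w[3]), w[1]))

    def ingress(self, src):
        return next((name for name, net in self.connected.items() if src in net), None)

    def egress(self, dst):
        # Longest-prefix match over connected and static routes.
        matches = [(net.prefixlen, name) for net, name in self.routes if dst in net]
        return max(matches)[1] if matches else None

    def forward(self, src, dst):
        """Decide a new flow src -> dst.  Returns ("permit", global) or ("deny", reason)."""
        src, dst = ip_address(src), ip_address(dst)
        inbound, outbound = self.ingress(src), self.egress(dst)
        if inbound is None or outbound is None:
            return ("deny", "no route")
        if inbound == outbound:
            return ("deny", "source and destination on the same interface")
        sin, sout = self.security[inbound], self.security[outbound]
        if sin <= sout:
            # Lower-to-higher (or equal) security needs a static plus a conduit/access-list.
            return ("deny", f"{inbound} (security{sin}) to {outbound} (security{sout}) is not permitted by default")
        nat_id = next((nid for nid, net in self.nat.get(inbound, []) if src in net), None)
        if nat_id is None:
            return ("deny", f"no nat ({inbound}) statement covers {src}")
        if nat_id == 0:
            return ("permit", str(src))          # nat 0: pass the address untranslated
        key = (src, outbound)
        if key not in self.xlate:
            pool = self.pools.get((outbound, nat_id), [])
            in_use = set(self.xlate.values())
            free = next((g for g in pool if g not in in_use), None)
            if free is None:
                return ("deny", f"no free address in global ({outbound}) {nat_id}")
            self.xlate[key] = free
        return ("permit", str(self.xlate[key]))

    def clear_xlate(self):
        """Equivalent of 'clear xlate': drop all translations."""
        self.xlate.clear()


if __name__ == "__main__":
    pix = Pix(LAB_CONFIG)
    for flow in [("10.0.1.2", "192.168.1.2"), ("10.0.1.2", "172.16.1.50"), ("192.168.1.2", "10.0.1.2")]:
        print(flow, "->", pix.forward(*flow))
```

The model reproduces the lab's observations: the inside client is translated to the low end of each pool, a second inside host takes the next free address, the outside server cannot open a connection inward, and the bastion host cannot reach the outside because no nat (dmz) statement exists.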

Task 4—Test the Inside, Outside, and DMZ Interface Connectivity

To test and troubleshoot interface connectivity using the PIX Firewall ping command, complete the following steps:

Step 1 Ping the inside interface:

pixP(config)# ping 10.0.P.1
        10.0.P.1 response received 0ms
        10.0.P.1 response received 0ms
        10.0.P.1 response received 0ms

Step 2 Ping your inside host:

pixP(config)# ping 10.0.P.2
        10.0.P.2 response received 0ms
        10.0.P.2 response received 0ms
        10.0.P.2 response received 0ms

Step 3 Ping the outside interface:

pixP(config)# ping 192.168.P.1
        192.168.P.1 response received 0ms
        192.168.P.1 response received 0ms
        192.168.P.1 response received 0ms

Step 4 Ping your pod outside host:

pixP(config)# ping 192.168.P.2
        192.168.P.2 response received 0ms
        192.168.P.2 response received 0ms

Posted: 16/11/2014, 19:51