May 29

Let’s see how to protect our home LAN by configuring a Cisco firewall, in this case a PIX 501 (see image below).

First we set the name and the security level of the external and internal interfaces we are using (after entering configuration mode by typing ena, i.e. enable, and then conf t):

pixfirewall (config) # nameif ethernet0 outside security0
pixfirewall (config) # nameif ethernet1 inside security100

As you can see, we call interface ethernet0 “outside” and assign it the security level “security0”. The same goes for interface ethernet1, which becomes “inside” with security level 100.

Now set the speed of the interfaces mentioned above:

pixfirewall (config) # interface ethernet0 auto
pixfirewall (config) # interface ethernet1 100full

In this case the external interface automatically negotiates its speed with the device connected to it, while the internal interface works at 100 Mbit/s full duplex.

Set the password for enable mode:

pixfirewall (config) # enable password <your-password>

This password is saved in the configuration file in encrypted form.

We define the hostname for our firewall:

pixfirewall (config) # hostname <name>

Assign the external and internal interfaces their IP addresses and subnet masks:

pixfirewall (config) # ip address outside 192.168.100.2 255.255.255.252
pixfirewall (config) # ip address inside 172.30.4.1 255.255.255.0

Obviously the choice of private IP address range and subnet mask is at your discretion.

We now define the ARP timeout, i.e. after how many seconds the entries in the firewall’s ARP table (its IP-to-MAC address mapping) expire:

pixfirewall (config) # arp timeout 14400

We also define the MTU, i.e. the maximum packet size that can pass through each interface:

pixfirewall (config) # mtu outside 1500
pixfirewall (config) # mtu inside 1500

Now we come to one of the most delicate parts of the configuration: NAT. Through NAT it is possible to translate a private address from our network into a public one, allowing us to browse and reach resources on the Internet. To do this, type:

pixfirewall (config) # global (outside) 1 interface
pixfirewall (config) # nat (inside) 1 172.30.4.0 255.255.255.0

In this way we are forcing the firewall to translate the private addresses of the internal LAN (172.30.4.0/24) into the address associated with the external interface, i.e. 192.168.100.2. The router upstream of the outside interface will then perform a second NAT, translating this private address into the public address assigned by your ISP.

To reach the Internet it is also necessary to give the firewall a default static route, using the following command:

pixfirewall (config) # route outside 0.0.0.0 0.0.0.0 192.168.100.1

In this way we are telling the firewall to send all traffic destined to an address not present in its routing table to 192.168.100.1, i.e. the router. It is then up to the router, via its own default route, to forward that traffic outwards.

Now suppose that within our LAN there is a resource (e.g. a web server) that must be reachable from outside. Obviously, the best thing to do in this case would be to place the server in a DMZ, but for simplicity this server will stay inside the same LAN.

The server’s IP address is 172.30.4.2, so we type:

pixfirewall (config) # static (inside,outside) 192.168.100.2 172.30.4.2 netmask 255.255.255.255 0 0

where the outside IP address must always come first, followed by the private address associated with the server.

Now we define the type of traffic that must be accepted inbound on the external interface. This is done with an ACL:

pixfirewall (config) # access-list inbound permit tcp any host 192.168.100.2 eq 80
pixfirewall (config) # access-list inbound permit icmp any host 192.168.100.2

In this way our web server can be contacted on port 80 and can respond to pings from outside. We just have to bind the ACL we have just created to the interface of interest:

pixfirewall (config) # access-group inbound in interface outside

It would be useful to enable remote management of the firewall, without necessarily having to connect to the device via the console cable (also known as a rollover cable). To do this you must enable Telnet (which is unencrypted, so it should only be reachable from the internal network, which is exactly what the next command enforces):

pixfirewall (config) # telnet 172.30.4.0 255.255.255.0 inside

With this we are telling the firewall to accept Telnet connections only on the inside interface, in this case from hosts on the LAN.

pixfirewall (config) # telnet timeout 5

With this command the firewall closes any Telnet session after five minutes of inactivity.

It should be noted that our firewall does not, by default, let echo-reply packets through from the “outside” interface to the “inside” interface. This means that a ping originating from the LAN and directed outwards cannot receive its reply. To avoid this, simply insert the following rules into the inbound ACL created previously:

pixfirewall (config) # access-list inbound permit icmp any any echo-reply
pixfirewall (config) # access-list inbound permit icmp any any time-exceeded
pixfirewall (config) # access-list inbound permit icmp any any unreachable
pixfirewall (config) # access-list inbound permit icmp any any source-quench

Finally, we save our configuration and we are done:

pixfirewall (config) # write memory
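As an added example (not part of the original post), here is a small Python audit of a saved PIX configuration that checks the points made in the steps above: that every access-list is actually bound with access-group, that the ICMP return types needed for outbound pings are permitted, that a host static uses a /32 netmask, and that Telnet is restricted to the inside interface. The sample configuration is constructed to mirror this post, with two deliberate deviations for the audit to flag.

```python
import re
# Constructed sample (not from a real device): the configuration built in this
# post, plus two deliberate deviations for the audit to flag (a /24 static, Telnet on outside).
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 172.30.4.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.100.1
static (inside,outside) 192.168.100.2 172.30.4.2 netmask 255.255.255.0 0 0
access-list inbound permit tcp any host 192.168.100.2 eq 80
access-list inbound permit icmp any host 192.168.100.2
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any time-exceeded
access-list inbound permit icmp any any unreachable
access-group inbound in interface outside
telnet 172.30.4.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
"""
# ICMP types the post adds so that pings from the LAN get their replies back.
RETURN_ICMP = {"echo-reply", "time-exceeded", "unreachable", "source-quench"}

def audit_pix(config: str) -> list:
    """Return human-readable findings for the checks implied by the post's steps."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings, acls = [], {}
    for ln in lines:
        m = re.match(r"access-list (\S+) (permit|deny) (\S+) (.*)", ln)
        if m:  # acls[name] -> list of (action, protocol, remainder)
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    bound = {m.group(1) for ln in lines
             if (m := re.match(r"access-group (\S+) in interface \S+", ln))}
    # 1. an ACL that is never applied with access-group filters nothing
    for name in acls:
        if name not in bound:
            findings.append(f"acl {name} defined but not applied with access-group")
    # 2. the PIX drops replies to outbound pings unless these types are permitted
    for name in bound:
        present = {r[2].split()[-1] for r in acls.get(name, [])
                   if r[0] == "permit" and r[1] == "icmp"}
        for t in sorted(RETURN_ICMP - present):
            findings.append(f"acl {name} lacks 'permit icmp any any {t}'")
    for ln in lines:
        # 3. a static for one host needs a /32; a wider mask translates a whole range
        m = re.match(r"static \(\S+\) (\S+) (\S+) netmask (\S+)", ln)
        if m and m.group(3) != "255.255.255.255":
            findings.append(f"static {m.group(1)} -> {m.group(2)} has netmask {m.group(3)}")
        # 4. Telnet is cleartext: only the inside interface should accept it
        m = re.match(r"telnet (\S+) (\S+) (\S+)$", ln)
        if m and m.group(3) != "inside":
            findings.append(f"telnet allowed on interface {m.group(3)} from {m.group(1)}")
    return findings
```

Running audit_pix on the output of show running-config (or on the sample above) lists each deviation from the post's intended configuration; an empty list means all four checks passed.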
