PIX Firewall

Features
• Stateful packet filter
• Runs on its own operating system
• Assigns varying security levels to interfaces (0 – 100)
• Access control lists
• Extensive logging capability
• Network Address Translation
• Stateful failover recovery
• Advanced filtering
Adaptive Security Algorithm (ASA)
• Foundation of the PIX firewall
• Keeps track of connections formed from the private (higher security level) network to the public (lower security level) network
• Allows traffic to go from private to public, and allows the return traffic of those connections back from public to private
• Does not allow the public network to initiate traffic to the private network unless an ACL applied to the outside interface permits it (on PIX 6.x a static translation for the inside host must also exist before such an ACL entry can match)
• Uses the following information to keep track of sessions passing through the PIX:
  • IP source and destination addresses (and ports)
  • TCP sequence numbers and flags
  • UDP packet flow and idle timers
Lab Environment • Rented Lab at www.gigavelocity.com • Lab consists of routers, switches, PIX firewall, control console, etc
Connecting to the Rack
• Telnet to the main control console (Telnet carries credentials in cleartext, so this is acceptable only for a disposable lab console; PIX 6.3 itself supports SSH for management)
• From the console, initiate connections to the different devices
Our test bed
• The whole lab consists of many components
• We needed to test the PIX firewall only
• Used the PIX firewall with two routers
• Set up the router addresses
• Set up the PIX firewall interfaces
• Set up PIX routing
• Ping between the different components
Showing Router 1's IP Address
Rack1R1#show ip int brief
Interface         IP-Address   OK? Method Status                Protocol
FastEthernet0/0   1.1.1.2      YES manual up                    up
Serial0/0         unassigned   YES NVRAM  administratively down down
BRI0/0            unassigned   YES NVRAM  administratively down down
BRI0/0:1          unassigned   YES unset  administratively down down
BRI0/0:2          unassigned   YES unset  administratively down down
FastEthernet0/1   unassigned   YES NVRAM  administratively down down
Serial0/1         unassigned   YES NVRAM  administratively down down

Showing Router 2's IP Address
Rack1R2#show ip int brief
Interface         IP-Address   OK? Method Status                Protocol
FastEthernet0/0   10.0.0.2     YES manual up                    up
Serial0/0         unassigned   YES NVRAM  administratively down down
BRI0/0            unassigned   YES NVRAM  administratively down down
BRI0/0:1          unassigned   YES unset  administratively down down
BRI0/0:2          unassigned   YES unset  administratively down down
FastEthernet0/1   unassigned   YES NVRAM  administratively down down
Serial0/1         unassigned   YES NVRAM  administratively down down
Virtual-Access1   unassigned   YES unset  up                    up

Showing PIX's IP Address
pixfirewall# show config
: Saved
: Written by enable_15 at 21:02:07.582 UTC Sat Mar 5 2005
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
……
ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0

Network Topology
Router 1 (Rack1R1)              PIX                              Router 2 (Rack1R2)
Fa0/0 1.1.1.2 ----- outside 1.1.1.1 | inside 10.0.0.1 ----- Fa0/0 10.0.0.2
                    (security0)     | (security100)
PIX Configuration • See Configuration File
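The configuration file itself is not reproduced on this page. What follows is an added example, not the lab's file: a reconstruction of the three device configurations for the topology above that also makes the ASA rules from the earlier slide concrete. Hostnames, interface names and addresses are taken from the slides; the identity static translation, the access-list name outside_in, the telnet rule from Router 1 to Router 2, and the routes are assumptions chosen to illustrate how outbound, return and inbound traffic are treated. The PIX section uses PIX 6.3 syntax (colon lines are comments); the router sections are IOS.

```cisco
! ---- Router 1 (Rack1R1), on the outside network ----
hostname Rack1R1
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 no shutdown
! Assumed: R1 reaches the inside network through the PIX outside address
ip route 10.0.0.0 255.255.255.0 1.1.1.1

! ---- Router 2 (Rack1R2), on the inside network ----
hostname Rack1R2
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 no shutdown
! Assumed: R2 uses the PIX inside address as its default gateway
ip route 0.0.0.0 0.0.0.0 10.0.0.1

: ---- PIX Firewall (PIX 6.3), reconstructed example, not the original file ----
hostname pixfirewall
: Security levels decide the default policy: 100 (inside) may initiate to 0 (outside),
: 0 may not initiate to 100.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
: ASA builds a connection only when a translation exists. This identity static
: (assumed) keeps inside addresses unchanged when they cross to the outside.
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
: Outbound (inside -> outside) needs no ACL; the security levels permit it and
: TCP/UDP return traffic is matched against the connection table.
: PIX 6.3 does not track ICMP statefully, so echo replies for pings started on the
: inside must be permitted explicitly on the outside interface.
access-list outside_in permit icmp any 10.0.0.0 255.255.255.0 echo-reply
: Inbound-initiated traffic (outside -> inside) is dropped unless the ACL bound to the
: outside interface permits it. Assumed example: telnet from Router 1 to Router 2.
access-list outside_in permit tcp host 1.1.1.2 host 10.0.0.2 eq telnet
access-group outside_in in interface outside
: ICMP addressed to the PIX interfaces themselves (the pings in the Results slides)
: is controlled separately from traffic through the box.
icmp permit any inside
icmp permit any outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
logging on
logging buffered debugging
```

With this in place, a ping from Router 2 to 1.1.1.2 creates an entry visible in show xlate (the identity translation) and show conn (the session), and show access-list outside_in reports per-entry hit counts, which is the quickest way to confirm whether inbound traffic was admitted by an ACL entry or dropped by the default policy. Denied packets appear in the buffered log (show logging).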
Results
• Pinging from Router 2 to PIX
Rack1R2#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Results
• Pinging from PIX to Router 2
pixfirewall# ping 10.0.0.2
10.0.0.2 response received -- 0ms
10.0.0.2 response received -- 0ms
10.0.0.2 response received -- 0ms

Results
• Pinging from Router 2 to Router 1 (through the PIX)
Rack1R2#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Results
• Pinging from Router 1 to the PIX outside interface (the command targets 1.1.1.1, the PIX, not Router 2)
Rack1R1#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Conclusion
• The PIX firewall is a highly configurable device
• We used a simplified network model
• Configured the PIX and two routers
• Able to pass traffic to, from, and through the PIX firewall