PIX in a Day - PowerPoint PPT Presentation
Provided by: me690
Slides: 75

Transcript and Presenter's Notes

1
PIX in a Day

2
Objective
  • This is a two part course designed for people
    with good knowledge of IP and some knowledge.
  • It is presented in two parts. The first part,
    this course, shows how to configure a PIX V6
    firewall in a number of scenarios. The second
    covers troubleshooting.
  • This is not a security course: base principles
    are not covered, and a good knowledge of networks
    is assumed. It will not teach anyone to design a
    firewall (leave that to experts like me), only
    how to implement one.

3
Marketing fluff
4
Pix Features according to Cisco
  • Embedded system (Cisco PIX firewall OS) is
    real-time and secure: not subject to operating
    system vulnerabilities
  • Adaptive Security Algorithm (ASA) provides
    stateful connection control. Packet information
    is placed in a table; information from the packet
    must match information in the table
  • Cut-through proxy: user-based authentication of
    inbound and outbound connections, with improved
    performance over proxy filters
  • Low overhead processing: better performance
  • Stateful failover/hot standby: a fully redundant
    topology (failover) can be configured

5
PIX Firewall ASA
Adaptive Security Algorithm is Cisco's name for
the subroutines that perform stateful packet
filtering. A data packet is analyzed, and its
information is placed in a table, the state
table or xlate table. On the receipt of return
traffic, the incoming packet is checked against
the table. In order for the connection to be
established, there must be a match between the
two. ASA is part of the PIX operating system.
6
PIX Firewall Cut-Through Proxy
The cut-through proxy provides a method for
user-based authentication. Inbound and outbound
connections can be authenticated. It gives better
performance than a proxy filter because the
processing overhead on the PIX is reduced by
using the cut-through proxy feature. Sockets are
not terminated and re-opened; the device never
becomes an end point. After authentication by a
TACACS or RADIUS server, per-user connection
state information is maintained by the firewall.
For protocols that don't support authentication,
a virtual telnet server exists.
7
PIX Stateful Filtering
PIX obtains the IP address and port from each
layer 4 protocol. PIX logs the connection data in
the stateful connection table. A session object
is created at this stage of the process. The
inbound and outbound packets are compared to the
table. If a connection entry exists, the packets
are allowed to pass. Once the connection is
terminated, the connection information, including
the session object, is eventually deleted. For
protocols where no state exists, timers are used
to tear down the connection object.
8
PIX Firewall features
Failover: Pix supports active-passive in a
stateful and non-stateful mode. The two PIX
Firewalls must be identical models which are
identically configured. In stateful failover,
connections do not have to be restarted.
9
PIX Firewall commands
These are basically the Version 10 IOS commands
  • enable - as IOS
  • configure terminal - changes PIX configuration;
    changes are merged with the running config in
    RAM and take place at once
  • passwd - sets password for Telnet access;
    option encrypted sets an encrypted password
  • show config - displays startup configuration
  • write terminal / show run - shows running
    config on terminal
  • write net - sends config to TFTP
  • write standby - writes config to standby PIX
  • write erase - clears Flash memory configuration
    (startup configuration)

10
PIX Firewall commands
  • show xlate - shows translation slots (IP
    addresses allocated for address translation)
  • configure net - merges running configuration with
    TFTP server stored file of the same name
  • configure memory - merges running configuration
    with startup configuration in Flash
  • show interface - shows many parameters of the
    named interface
  • show history - shows recently entered commands
  • show ip address - shows all IP addresses

11
PIX Firewall commands
  • clear xlate - clears translation slots (disrupts
    service)
  • shun - temporarily blocks an IP address
  • reload - restarts
  • kill - kills telnet/ssh sessions

12
The basic configuration

13
First 4 config commands
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 100full
pixfirewall(config)# nameif ethernet0 outside security0
pixfirewall(config)# nameif ethernet1 inside security100
pixfirewall(config)# ip address outside 61.2.93.93 255.255.255.240
pixfirewall(config)# ip address inside 10.0.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 61.2.93.81 1

14
IP address / Route
The ip address command adds an IP address to an
interface:
pixfirewall(config)# ip address inside 10.0.0.2 255.255.255.0
Usage: [no] ip address <if_name> <ip_address> <mask>
       [no] ip address <if_name> dhcp [setroute] [retry <retry_cnt>]
And everyone recognises a static route:
Usage: route <if_name> <foreign_ip> <mask> <gateway> [<metric>]
pixfirewall(config)# route inside 0.0.0.0 0.0.0.0 61.2.93.81 1
In the above example inside is the interface that
the packet will leave from.

15
Interface command
pixfirewall(config)# interface ethernet1 100full
Usage: interface <hardware_id> [<hw_speed>] [shutdown]
The interface command enables properties of an
interface. Options include:
auto / 10baseT / 10full / 100baseTX / 100full /
1000auto / 1000full / 1000full nonegotiate
For dot1q virtual interfaces:
Usage: interface <hardware_id> <vlan_id> logical
pixfirewall(config)# interface ethernet1 vlan99 logical
16
PIX ASA Security Levels
One of two interfaces must be of a higher level.
Packets can pass from lower to higher level
interfaces but not from higher to lower level
interfaces without an access list (except ICMP).
Security levels range from 0 through 100:
  100 is most secure - default for the inside
  interface, can't be changed
  0 is least secure - default for the outside
  interface, can't be changed
  1 through 99 can be assigned to other
  interfaces such as a DMZ
17
PIX ASA Security Levels
Inside to outside: data traveling from more
secure to less secure requires an address
translation (only; see caveat). Outside to
inside: data traveling from a less secure to a
more secure interface needs both of the following
to pass through: a static translation AND an
access list. No traffic can pass between
identical security level interfaces. For example,
if two DMZs have a security level of 50, they
can't talk to each other. Don't rely on this;
it has changed between versions.
18
EXCEPT ICMP
Inside to outside: data traveling from more
secure to less secure requires an address
translation (only). Security people DON'T LIKE
ICMP, THEREFORE WE MAKE IT DIFFICULT TO USE: TO
GET A RETURNED ECHO-REPLY YOU NEED AN ACCESS-LIST.
19
PIX ASA Security Levels
Inside 100
DMZ 50
Outside 0
20
nameif command
The nameif command assigns a logical name or
label to an interface. It also assigns a
security value (0-100).
Usage: nameif <hardware_id> <label> <security_lvl>
       nameif <vlan_id> <label> <security_lvl>
hardware_id: interface
label: a logical name
security level: 0 is the dirtiest (traditionally
outside), 100 is the cleanest (traditionally inside)
pixfirewall(config)# nameif ethernet1 inside security100

21
But your firewall still won't work. You need
GLOBAL and NAT.

22
Global Nat
  • PIX relies on address translation to provide
    security. Under normal circumstances a connection
    will have its
  • source address translated on outbound connections
  • dest address translated on inbound connections
  • For the exam: a Global address is a valid outside
    address
  • - Local is an internal address
  • - Private is an RFC 1918 address


23
Global Nat: Types of address translation
  • Static NAT (network address translation):
    one-to-one translation based on a STATIC table -
    explained later
  • Dynamic NAT: dynamically translate a source
    address to an address selected from a GLOBAL
    address pool

Dynamic NAT (diagram):
  inside:  a,b  10.0.0.1  port 1500 -> 196.1.1.1 port 80
           c,b  10.0.0.11 port 1800 -> 196.1.1.1 port 80
  ASA, global-pool 212.23.35.117-118
  outside: a,b  212.23.35.117 port 1500 -> 196.1.1.1 port 80
           c,b  212.23.35.118 port 1800 -> 196.1.1.1 port 80
24
Global Nat
Dynamic PAT: dynamically translate a source
address to the address of the outbound interface
and change the source port to a free ephemeral
port

Dynamic PAT (diagram):
  inside:  a,b  10.0.0.1  port 1500 -> 196.1.1.1 port 80
           c,b  10.0.0.11 port 1800 -> 196.1.1.1 port 80
  ASA
  outside: a,b  212.23.35.117 port 32,001 -> 196.1.1.1 port 80
           c,b  212.23.35.117 port 32,002 -> 196.1.1.1 port 80
25
Global Nat
The global command defines a global pool of
addresses to use for address translation.
Usage: global (<if-label>) <pool-no> <ip_address>[-<ip_address>] [netmask <mask>]
global (outside) 1 212.23.35.117-212.23.35.127
The nat command defines a range of source
addresses that may use a particular global pool.
Usage: nat (<if-label>) <pool-no> <ip_address> <subnet-mask>
nat (inside) 1 10.0.0.0 255.255.0.0

26
Global Nat: Example
global (outside) 1 212.23.35.117-212.23.35.118
  creates a translation pool on the outside interface
nat (inside) 1 10.0.0.0 255.255.255.0
  allows any address 10.0.0.x coming in on inside
  to use it

Dynamic NAT (diagram):
  inside:  a,b  10.0.0.1  port 1500 -> 196.1.1.1 port 80
           c,b  10.0.0.11 port 1800 -> 196.1.1.1 port 80
  ASA, global-pool 212.23.35.117-118
  outside: a,b  212.23.35.117 port 1500 -> 196.1.1.1 port 80
           c,b  212.23.35.118 port 1800 -> 196.1.1.1 port 80
27
Global Nat
Only define 1 address in global for PAT:
global (outside) 1 212.23.35.117
or
global (outside) 1 interface
To turn off NAT use nat 0:
nat (inside) 0 0 0
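
The xlate and connection tables described on the ASA and Global Nat slides, modelled in Python as an added example (this is not code from the slides or from Cisco). The PixNat class, the Flow/Xlate records, the conns set and the starting PAT port 32001 are this example's own constructions; the pool 212.23.35.117-118, the inside hosts and the 196.1.1.1:80 destination come from the slides.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Xlate:
    """One translation slot. global_port None means dynamic NAT (ports pass through)."""
    local_ip: str
    local_port: Optional[int]
    global_ip: str
    global_port: Optional[int]

class PixNat:
    def __init__(self, pool, pat=False):
        self.pool = list(pool)        # global (outside) pool, e.g. 212.23.35.117-118
        self.pat = pat                # True: one global address, source ports rewritten
        self.xlates = []              # xlate table
        self.conns = set()            # state table: translated 4-tuples of open connections
        self.next_pat_port = 32001    # first free ephemeral port (constructed value)

    def _find_local(self, flow):
        for x in self.xlates:
            if x.local_ip == flow.src_ip and x.local_port in (None, flow.src_port):
                return x
        return None

    def _allocate(self, flow):
        if self.pat:
            port, self.next_pat_port = self.next_pat_port, self.next_pat_port + 1
            return Xlate(flow.src_ip, flow.src_port, self.pool[0], port)
        used = {x.global_ip for x in self.xlates}
        free = [ip for ip in self.pool if ip not in used]
        if not free:
            raise RuntimeError("global pool exhausted")  # dynamic NAT: one slot per host
        return Xlate(flow.src_ip, None, free[0], None)

    def outbound(self, flow):
        """Inside -> outside: allocate or reuse an xlate, record the connection, translate."""
        x = self._find_local(flow)
        if x is None:
            x = self._allocate(flow)
            self.xlates.append(x)
        gport = flow.src_port if x.global_port is None else x.global_port
        out = Flow(x.global_ip, gport, flow.dst_ip, flow.dst_port)
        self.conns.add((out.src_ip, out.src_port, out.dst_ip, out.dst_port))
        return out

    def inbound(self, flow):
        """Outside -> inside: only the return leg of a recorded connection is untranslated
        and passed; anything else hits the implied deny and returns None."""
        if (flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port) not in self.conns:
            return None
        for x in self.xlates:
            if x.global_ip == flow.dst_ip and x.global_port in (None, flow.dst_port):
                lport = flow.dst_port if x.global_port is None else x.local_port
                return Flow(flow.src_ip, flow.src_port, x.local_ip, lport)
        return None
```

With a two-address pool the third inside host finds no free global address, which is the practical reason the PAT form on the next slide is used for browsing.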

28
Nat
Or, to be a right smart arse, use an access-list:
nat (inside) 1 access-list natlist

29
You now know enough to get a basic firewall
working

30
basic
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 100full
pixfirewall(config)# nameif ethernet0 outside security0
pixfirewall(config)# nameif ethernet1 inside security100
pixfirewall(config)# ip address outside 61.2.93.93 255.255.255.240
pixfirewall(config)# ip address inside 10.0.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 61.2.93.81 1
pixfirewall(config)# global (outside) 1 interface
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
But this configuration only allows information out.

31
Lab
  • Configure a PIX to have the addresses provided
  • So that it can browse the WWW
  • PATs all requests to the outside interface
  • Allows no traffic in
  • Time 45 minutes

32
Allowing information IN

33
Static
The ASA will only allow traffic to travel from a
low to a high interface if a static address
translation is configured. This is done with the
static command.
Usage: static (<if-src>,<if-dest>) <ip-dest> <ip-src> netmask <netmask>
static (inside,outside) 61.2.93.82 10.0.0.2 netmask 255.255.255.255 0 0
You now have an external address, but it has an
implied access-list of ip deny any any.

34
Access-lists

35
access-list
  • Pix access-lists are different from IOS
    access-lists. The key differences are:
  • They are stateful, so they allow return traffic
  • The mask is a genuine subnet mask
  • The identifier (i.e. name) is alphanumeric:
    IOS: access-list 101 permit
    PIX: access-list one0one
  • Line numbers can be used to edit access-lists


36
access-list
Example access list:
access-list acl-outside permit tcp any host 217.64.230.186 eq https
access-list acl-outside permit tcp any 217.64.230.0 255.255.255.0 eq https
access-list acl-outside deny ip any any
Applying an access list to an interface:
access-group acl-outside in interface outside
Removing an access list from an interface:
no access-group acl-outside in interface outside

37
Object-group

38
Object-group
  • With version 5, Pix worked brilliantly in small
    organisations. But larger organisations always
    chose Checkpoint Firewall-1
  • One reason was complexity: when I converted
    one small bank from FW1 to PIX, one screen of
    FW1 access-lists turned into 7 pages of PIX
    access-lists:
  • services could not be grouped
  • addresses could not be grouped
  • which resulted in pages of repetition


39
Object-group
Imagine:
access-list oldlist permit tcp host 10.0.0.1 any eq www
access-list oldlist permit tcp host 10.0.0.1 any eq https
access-list oldlist permit tcp host 10.0.0.2 any eq www
access-list oldlist permit tcp host 10.0.0.2 any eq https
access-list oldlist permit tcp host 10.0.0.3 any eq www
access-list oldlist permit tcp host 10.0.0.3 any eq https
access-list oldlist permit tcp host 10.0.0.9 any eq www
access-list oldlist permit tcp host 10.0.0.9 any eq https
access-list oldlist permit tcp host 10.0.0.22 any eq www
access-list oldlist permit tcp host 10.0.0.22 any eq https

40
Object-group
object-group network inside10
  description inside 10 class objects
  network-object host 10.0.0.1
  network-object host 10.0.0.2
  network-object host 10.0.0.3
  network-object host 10.0.0.9
  network-object host 10.0.0.22

41
Object-group access-list
pixfirewall(config)# show object
object-group network inside10
  description inside 10 class objects
  network-object host 10.0.0.1
  network-object host 10.0.0.2
  network-object host 10.0.0.9
  network-object host 10.0.0.22
object-group service browsing tcp
  description this is the web tcp ports
  port-object eq www
  port-object eq https
pixfirewall(config)# access-list obj-exmple permit tcp object-group inside10 any object-group browsing
pixfirewall(config)#
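
An added example (not code from the slides or from Cisco) that does by program what slides 39 to 41 do by hand: it parses the flat oldlist into distinct hosts and ports and emits the object-group form. The check it adds is the one a reviewer wants before such a rewrite: a single object-group ACE permits every host to every port, so the conversion is refused unless the flat list was the full host x port product. The OLDLIST text is constructed from slide 39; the function names and the reuse of the slide's group names inside10 and browsing are this example's choices.

```python
import re
from collections import OrderedDict

# Constructed input: the flat "oldlist" from the Object-group slide (5 hosts x 2 ports).
OLDLIST = """
access-list oldlist permit tcp host 10.0.0.1 any eq www
access-list oldlist permit tcp host 10.0.0.1 any eq https
access-list oldlist permit tcp host 10.0.0.2 any eq www
access-list oldlist permit tcp host 10.0.0.2 any eq https
access-list oldlist permit tcp host 10.0.0.3 any eq www
access-list oldlist permit tcp host 10.0.0.3 any eq https
access-list oldlist permit tcp host 10.0.0.9 any eq www
access-list oldlist permit tcp host 10.0.0.9 any eq https
access-list oldlist permit tcp host 10.0.0.22 any eq www
access-list oldlist permit tcp host 10.0.0.22 any eq https
"""

ACE_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+permit\s+tcp\s+host\s+(?P<host>\S+)"
                    r"\s+any\s+eq\s+(?P<port>\S+)$")

def parse_flat_acl(text):
    """Collect the distinct hosts, ports and (host, port) pairs from 'permit tcp host H any
    eq P' entries. Returns (acl_name, hosts, ports, pair_count, leftovers); leftovers are
    lines of another shape, kept so that nothing is silently dropped."""
    name, hosts, ports, pairs, leftovers = None, OrderedDict(), OrderedDict(), set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m is None:
            leftovers.append(line)
            continue
        name = name or m["name"]
        hosts[m["host"]] = None
        ports[m["port"]] = None
        pairs.add((m["host"], m["port"]))
    return name, list(hosts), list(ports), len(pairs), leftovers

def to_object_groups(acl_name, hosts, ports, pair_count, net_grp="inside10", svc_grp="browsing"):
    """Emit the object-group form. One object-group ACE permits every host to every port,
    so refuse unless the flat list really was the full cross product; otherwise the
    rewrite would silently widen the policy."""
    if pair_count != len(hosts) * len(ports):
        raise ValueError("flat list is not a full host x port product; grouping would widen it")
    lines = [f"object-group network {net_grp}"]
    lines += [f"  network-object host {h}" for h in hosts]
    lines.append(f"object-group service {svc_grp} tcp")
    lines += [f"  port-object eq {p}" for p in ports]
    lines.append(f"access-list {acl_name} permit tcp object-group {net_grp} any object-group {svc_grp}")
    return "\n".join(lines)

def convert(text, **groups):
    name, hosts, ports, n, leftovers = parse_flat_acl(text)
    return to_object_groups(name, hosts, ports, n, **groups), leftovers

if __name__ == "__main__":
    cfg, rest = convert(OLDLIST)
    print(cfg)
```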

42
Legacy access-lists

43
Conduit, outbound apply
The access-list command was introduced at 5.4 to
make it like IOS. At 6.3 these legacy commands
were deprecated; they are not even in v7.0.
Example access list:
conduit permit tcp host 212.23.35.119 eq https any
Old style access list for an outbound interface.
Usage: outbound <ID> permit|deny <ip_address> <netmask> <port> <proto>
Pix: outbound 11 deny 161.73.0.0 255.255.0.0 412 tcp
Applying an outbound list to an interface.
Usage: apply (<if_name>) <ID> outgoing_src|outgoing_dest
Pix: apply (inside) 11 outgoing_src

44
Advanced PIX: Proto analysis

45
fixup
Protocols are not designed with security in mind;
they often have features that are insecure or
difficult to embody in an access-list. Firewalls use
packet inspection and protocol analysis to
overcome these difficulties. Pix enables the
protocol feature and assigns the processing to a
particular port with the fixup command.

46
fixup
fixup protocol ftp [strict] [port]
fixup protocol http [port[-port]]
fixup protocol h323 {h225|ras} [port[-port]]
fixup protocol ils [port[-port]]
fixup protocol rsh [514]
fixup protocol rtsp [port]
fixup protocol sip [5060]
fixup protocol skinny [2000]
fixup protocol smtp [port[-port]]
fixup protocol sqlnet [port[-port]]
fixup protocol skinny [port[-port]]
Added at version 6.3:
fixup protocol icmp errors      <- there's always 1 smart arse
fixup protocol ctiqbe 2748
no fixup protocol dns maximum-length <length>
fixup protocol esp-ike
fixup protocol snmp 161-162
fixup protocol tftp [port[-port]]

Fixup disappears with version 7.
47
Other protection
MailGuard (enabled by fixup protocol smtp) only
allows the smtp commands mail to, rcpt frm, data,
end, quit.
DnsGuard (enabled by fixup protocol dns, or on by
default pre 6.3) only accepts the first dns
datagram.
FloodGuard (floodguard enable) enables flood
protection.
FragGuard (sysopt security fragguard, replaced by
the fragment command).

48
Advanced PIX: Dealing with attacks

49
IDS/IPS
Basic IDS/IPS functions are enabled by:
pixfirewall(config)# ip audit info action alarm
pixfirewall(config)# ip audit attack action alarm
ip audit attack action alarm drop
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
Syslog:
<162>May 29 2005 10:24:15 10.0.0.2 %PIX-2-106017: Deny IP due to Land Attack from 61.2.93.93 to 61.2.93.93
<162>May 29 2005 10:24:15 10.0.0.2 %PIX-2-106017: Deny IP due to Land Attack from 61.2.93.93 to 61.2.93.93
<162>May 29 2005 10:24:15 10.0.0.2 %PIX-2-106017: Deny IP due to Land Attack from 61.2.93.93 to 61.2.93.93

50
Anti-spoofing investigations
Anti-spoofing is enabled by:
pixfirewall(config)# ip verify reverse-path
Syslog:
<167>May 29 2005 10:21:21 10.0.0.2 %PIX-7-710005: UDP request discarded from 61.2.93.87/137 to outside:61.2.93.95/netbios-ns
<161>May 29 2005 10:21:22 10.0.0.2 %PIX-1-106021: Deny udp reverse path check from 10.0.0.55 to 61.2.93.93 on interface outside
<161>May 29 2005 10:21:22 10.0.0.2 %PIX-1-106021: Deny udp reverse path check from 10.0.0.55 to 61.2.93.93 on interface outside
Getting a packet trace in pcap format:
pix# capture snifer access-list sniflist packet-length 74 interface inside
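
An added example (not code from the slides or from Cisco) that parses the syslog lines shown on the IDS/IPS and anti-spoofing slides and counts them per message id and address pair, so the land-attack (106017) and reverse-path (106021) denies can be picked out of a log feed. The SAMPLE lines are constructed to match the slides' messages, with the <PRI> header and %PIX-n-nnnnnn: tag in their usual syslog form; the PixEvent class and the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the messages shown on the IDS and anti-spoofing slides.
SAMPLE = """<162>May 29 2005 10:24:15 10.0.0.2 %PIX-2-106017: Deny IP due to Land Attack from 61.2.93.93 to 61.2.93.93
<167>May 29 2005 10:21:21 10.0.0.2 %PIX-7-710005: UDP request discarded from 61.2.93.87/137 to outside:61.2.93.95/netbios-ns
<161>May 29 2005 10:21:22 10.0.0.2 %PIX-1-106021: Deny udp reverse path check from 10.0.0.55 to 61.2.93.93 on interface outside
<161>May 29 2005 10:21:22 10.0.0.2 %PIX-1-106021: Deny udp reverse path check from 10.0.0.55 to 61.2.93.93 on interface outside
garbage line that is not syslog"""

# <PRI>, "Mon DD YYYY HH:MM:SS", reporting host, %PIX-<severity>-<msgid>: free text
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                    r"%PIX-\d-(?P<msgid>\d{6}): (?P<text>.*)$")
# "from A[/port] to [ifname:]B[/port]" as used by the deny/discard messages above
ADDRS = re.compile(r"from (?P<src>[\d.]+)(?:/\S+)? to (?:\S+:)?(?P<dst>[\d.]+)")

@dataclass
class PixEvent:
    facility: int
    severity: int
    msgid: str
    host: str
    src: str
    dst: str
    text: str

def parse_line(line):
    """Return a PixEvent for a PIX syslog line, or None if the line does not parse."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])               # PRI = facility * 8 + severity
    a = ADDRS.search(m["text"])
    return PixEvent(pri >> 3, pri & 7, m["msgid"], m["host"],
                    a["src"] if a else "", a["dst"] if a else "", m["text"])

def summarise(lines):
    """Count events per (msgid, src, dst) and raise a note for the two message ids the
    slides show: 106017 (land attack) and 106021 (reverse-path check failure).
    Returns (counts, alerts, unparsed)."""
    counts, unparsed = {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)      # keep, do not silently drop, malformed input
            continue
        key = (ev.msgid, ev.src, ev.dst)
        counts[key] = counts.get(key, 0) + 1
    alerts = []
    for (msgid, src, dst), n in counts.items():
        if msgid == "106017":
            alerts.append(f"land attack (src == dst) {src} x{n}")
        elif msgid == "106021":
            alerts.append(f"spoofed source {src} -> {dst} failed reverse-path check x{n}")
    return counts, alerts, unparsed
```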

52
Site 2 site VPN

53
Imagine 2 separate tunnels used for an IPSEC
VPN. Constructed in 3 steps covering 2 distinct
IPSEC phases:

1. Identify need for a VPN
2. Phase 1 - ISAKMP (IKE/ISAKMP): identify/authenticate
   peers, establish IKE SA (security association)
3. Phase 2 - IPSEC: negotiate IPSEC SA (security
   association), encrypt and transmit data
   (encrypted data)

54
ISAKMP
pixfirewall(config)# access-list a1 permit ip any any
pixfirewall(config)# isakmp policy 10 authen pre-share
pixfirewall(config)# isakmp policy 10 encrypt des
pixfirewall(config)# isakmp policy 10 hash md5
pixfirewall(config)# isakmp policy 10 lifetime 3600
pixfirewall(config)# isakmp policy 10 group 2
pixfirewall(config)# isakmp key my-secret address 10.0.0.1
pixfirewall(config)# isakmp enable outside

55
IPSEC
pixfirewall(config)# sysopt connection permit-ipsec
pixfirewall(config)# sysopt ipsec pl-compatible
pixfirewall(config)# access-list a1 permit ip any any
pixfirewall(config)# crypto ipsec transform-set mytrans esp-des esp-md5-hmac
pixfirewall(config)# crypto map mymap 10 set transform-set mytrans
pixfirewall(config)# crypto map mymap 10 set peer 10.0.0.10
pixfirewall(config)# crypto map mymap 10 match address a1
pixfirewall(config)# crypto map mymap interface outside

56
Lab
  • Using the IPSEC site-2-site template configure
    your PIX to encrypt all traffic between it and
    the IOS router
  • Time 1 hr 15 minutes

57
Secure client VPN

58
Cisco Secure client
  1. Secure client software on the pc contacts the pix
  2. Authenticates using info in the vpngroup command
  3. Sets up a virtual network interface on the pc
    with info from the IP LOCAL POOL
  4. Sets up an ipsec tunnel over it to the PIX as
    normal

(diagram) vpnpool 10.0.1.1-10.0.1.30; PIX 61.2.93.91;
ipsec tunnel mode 212.1.3.88 <> 10.0.1.1;
client 212.1.3.88 / 10.0.1.1
59
VPNGroup
access-list nonatlist permit ip any 10.0.1.0 255.255.255.0
nat (inside) 0 access-list nonatlist
ip local pool vpnpool 10.0.1.1-10.0.1.30
aaa-server vpnauth protocol radius
aaa-server vpnauth (inside) host 172.31.30.195 MYSECRET timeout 20
crypto dynamic-map vpn 10 set transform-set my-trans
crypto map mynmap 10 ipsec-isakmp dynamic vpn
crypto map mynmap client authentication vpnauth
crypto map mymap interface outside
vpngroup vpn1 address-pool vpnpool
vpngroup vpn1 dns-server x.x.x.x
vpngroup vpn1 wins-server x.x.x.x
vpngroup vpn1 default-domain x.com
vpngroup vpn1 password

Notes on the above:
  nat (inside) 0 access-list nonatlist turns off nat for VPN clients
  the vpn label links to the dynamic map
  the vpnauth label links to radius
  vpnpool links to the ip local pool
  group name and password are stored on the VPN clients
60
VPNGroup
access-list nonatlist permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list nonatlist
ip local pool vpnpool 10.0.1.1-10.0.1.30
aaa-server vpnauth protocol radius
aaa-server vpnauth (inside) host 172.31.30.195 MYSECRET timeout 20
crypto dynamic-map vpn 10 set transform-set my-trans
crypto map mynmap 10 ipsec-isakmp dynamic vpn
crypto map mynmap client authentication vpnauth
crypto map mymap interface outside
vpngroup vpn1 address-pool vpnpool
vpngroup vpn1 dns-server x.x.x.x
vpngroup vpn1 wins-server x.x.x.x
vpngroup vpn1 default-domain x.com
vpngroup vpn1 idle-time 1800
vpngroup vpn1 password

61
Lab
  • Using the IPSEC Secure Client template configure
    your PIX to allow connection from secure client
  • Time 1 hr 15 minutes

63
Additional

64
SNMP
snmp-server host inside X.X.X.X
snmp-server host inside X.X.X.X
snmp-server host inside X.X.X.X
snmp-server location Heathrow Data Center - Rack 31
snmp-server contact Network Support
snmp-server community xxxxx
snmp-server enable traps

65
failover
(diagram)
outside: IP 217.64.224.01 mac 00-0C-F1-37-F5-F7
         IP 217.64.224.47 mac 00-0C-F1-37-F5-F8
inside:  IP 10.0.0.1 mac 00-0C-F1-37-FF-F1
         IP 10.0.0.47 mac 00-0C-F1-37-FF-FA

failover
failover ip address outside 217.64.224.47
failover ip address inside 10.0.0.47
66
failover
Before:
pix(config)# show failover
Failover On
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at: 18:32:16 UTC Mon Apr 7 2003
        This host: Primary - Active
                Active time: 510 (sec)
                Interface outside (192.168.1.1): Normal
                Interface inside (10.1.1.1): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface outside (192.168.1.2): Normal
                Interface inside (10.1.1.2): Normal

After:
pix(config)# show failover
Failover On
Reconnect timeout 0:00:00
Poll frequency 15 seconds
Last Failover at:
        This host: Primary - Standby
                Active time: 510 (sec)
                Interface outside (192.168.1.2): Normal
                Interface inside (10.1.1.2): Normal
        Other host: Secondary - Active
                Active time: 0 (sec)
                Interface outside (192.168.1.1): Normal
                Interface inside (10.1.1.1): Normal

67
failover
Making a HA cluster:
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 217.64.224.47
failover ip address inside X.X.X.X
failover ip address stateful 192.168.100.102
failover link stateful


68
Telnet ssh
Educate your telnet:
telnet 10.0.1.2 255.255.255.255 inside
telnet 61.2.93.81 255.255.255.255 inside
telnet 61.2.93.82 255.255.255.255 inside
Educate your ssh:
ssh 10.0.1.2 255.255.255.255 inside
ssh 61.2.93.81 255.255.255.255 inside
ssh 61.2.93.82 255.255.255.255 inside

69
Operating the Pix

70
pixfirewall# show xlate
2 in use, 79 most used
PAT Global 61.2.93.94(1134) Local 10.0.0.1(1038)
PAT Global 61.2.93.94(1321) Local 10.0.0.1(1219)
pixfirewall# show xlate debug
2 in use, 79 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
UDP PAT from inside:10.0.0.1/1038 to outside:61.2.93.94/1134 flags ri idle 0:00:08 timeout 0:00:30
TCP PAT from inside:10.0.0.1/1219 to outside:61.2.93.94/1321 flags ri idle 0:00:00 timeout 0:00:30
71
pixfirewall# show conn
2 in use, 17 most used
UDP out 61.2.93.81:161 in 10.0.0.1:1038 idle 0:00:16 flags -
TCP out 213.19.160.190:80 in 10.0.0.1:1219 idle 0:00:00 Bytes 14137527 flags UIO
72
  • established tcp 9999 0 permitto tcp 1024-65535
    permitfrom tcp 0
  • established tcp 9998 0 permitto tcp 1024-65535
    permitfrom tcp 0
  • established tcp 135 0 permitto tcp 1024-65535
    permitfrom tcp 0

73
Alias
  • alias <(if_name)> <dnat_ip> <foreign_ip> <mask>

74
Alias
  • alias <(if_name)> <dnat_ip> <foreign_ip> <mask>
    alias (inside) 84.233.190.80 69.57.146.21 255.255.255.255
  • If the PIX Firewall gets a packet destined for
    the dnat_IP_address, send it to the
    foreign_IP_address.
  • When the PIX gets a DNS packet containing
    foreign_network_address, it will change the
    contents of the DNS packet - foreign network
    address to dnat_network_address.