The Cisco PIX 501 is a top pick among small business owners looking for a reliable firewall. After unboxing, you can get up and running with just a few simple configuration entries.
In this tutorial, you will learn how to set up a PIX at the edge of your network.
If you’re unfamiliar with the PIX firewall, this guide is for you. This is not a comprehensive guide to network security; it is meant to be a quick reference for setting up a PIX firewall with as little technical jargon as possible.
If you are connected to the internet, we will assume that you have access to at least one static IP address. The PIX is preconfigured to work with a dynamic IP address, but without a static IP address, you’ll have trouble setting up services like remote access, VPNs, email, and web servers.
Your PIX should have shipped with an AC adapter, a yellow CAT5 cable, an orange CAT5 cable, and a flat, usually light blue, cable with a 9-pin serial connector on one end and an RJ-45 plug on the other.
The yellow CAT5 cable is a standard Ethernet patch cable for linking your computer or server to one of the PIX’s 4 Gigabit Ethernet ports. Connecting the PIX’s outside interface to your ISP’s router may require a crossover cable such as the orange CAT5 cable (the same applies if your internal computers and workstations are connected through a Cisco switch).
The light blue rollover cable is the one we’ll be using in this setup. To configure the PIX, plug the 9-pin end into a serial port on the back of your computer or laptop and the RJ-45 plug into the port labelled “console” on the rear of the PIX.
Windows ships with a program for talking to serial devices: HyperTerminal. Click Start, then Programs, Accessories, Communications, and finally HyperTerminal.
Open HyperTerminal. You may be prompted to make it the default telnet client; if you have no strong preference, select yes.
Next, the application asks for the area code you are dialing from. It isn’t needed here, but enter one anyway and click “next” or “ok.”
HyperTerminal then asks for a name for the connection. We’ll use PIX as an example, but any name will do. Click “ok” to continue.
The next screen asks for a phone number. Since we aren’t dialing anything, use the “Connect using” selection at the bottom and pick COM1 or COM2. You may have to try both before you find the port your cable is plugged into.
You must now tell the application how to configure the port so it can talk to the PIX.
Thankfully, you only need to remember 9600 (bits per second), 8 (data bits), none (parity), and 1 (stop bits). Fill in those values using the drop-down menus.
We can now begin configuring the PIX. When you plug in the power, the boot messages (not a dialog, just a running account of what is happening) will begin scrolling past.
After a short delay the PIX offers to walk you through an interactive setup dialog. For this tutorial, type “no” and press the “enter” key.
You will now see the unprivileged prompt:
pixfirewall>
No password is set by default, so type “enable” (without the quotation marks) and simply press enter when prompted for a password.
The prompt now ends in a hash symbol instead of the angle bracket:
pixfirewall#
To configure the PIX from the terminal, enter the command “configure terminal” (without quotation marks).
Your prompt will look like this from now on:
pixfirewall(config)#
Setting a hostname for your PIX is our first order of business. PIX commands follow this pattern:
command argument
So, here’s what we’ll type to change the hostname:
pixfirewall(config)# hostname mypix
As for the domain name, if you don’t already have one set up you may give your network any name you wish. Plan your naming scheme with care, though, in case you register a real domain later.
The interface configuration identifies ethernet0 as the outside interface, with a security level of 0, and ethernet1 as the inside interface, with a security level of 100. The interfaces are shut down by default; entering the desired speed and duplex brings them up. Because these are Ethernet ports, they require 100full in software from version 6.3(3) onward.
pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full
The ip address command assigns an IP address to a network interface, inside or outside. Here is the syntax:
ip address interface_name ip_address netmask
Here’s a possible example:
pixfirewall(config)# ip address outside 18.104.22.168 255.255.255.252 (this IP address and netmask combination should not be used; it is presented here for example only. Get your IP address and subnet mask from your service provider.)
After that, set the internal IP address with: pixfirewall(config)# ip address inside 192.168.0.1 255.255.255.0
A quick note on IP addresses.
As described in RFC 1597, non-routable address blocks exist to conserve public IP addresses. It is common to call them “private” IP addresses, although that is not technically correct. Three distinct blocks are available:
Use a 255.0.0.0 netmask for the addresses 10.0.0.0 through 10.255.255.255, a 255.255.0.0 netmask for 172.16.0.0 through 172.31.255.255, and a 255.255.255.0 netmask for the addresses 192.168.0.0 through 192.168.255.255.
You won’t have to deal with the hassle of intra-LAN routing if all of the IP addresses in your network fall within one of those ranges. For those of you who are unfamiliar with such plans, here is an example:
PIX: 192.168.0.1, netmask 255.255.255.0
File/DHCP server: 192.168.0.2, netmask 255.255.255.0
Workstations: 192.168.0.10–192.168.0.254, netmask 255.255.255.0 (each)
You don’t have to follow my lead and exclude the addresses in the range 192.168.0.3–192.168.0.9 if you don’t want to, but I did so that I could prepare for potential growth and the eventual need for additional servers.
Set up your DHCP server so that it only assigns IP addresses within the range you specify and hands out the DNS servers given by your Internet service provider for hostname resolution. If you ever set up a name server on your local network, you must modify this. Instead of running a DHCP server, you can manually assign each computer an IP address, gateway, netmask, and DNS server.
Adding a default route to the PIX is now crucial. “Default route” is another name for “default gateway.” When the PIX receives traffic for a network that is not directly connected, you must tell it to forward that traffic to the ISP’s router. The network details you obtained from your ISP should include the IP address of that default gateway.
The syntax is as follows:
route interface_name network_address netmask gateway_ip [distance]
In words: packets leaving through the named interface and destined for the given network (as bounded by the netmask) are sent to the next-hop gateway; the optional distance sets the route’s administrative distance.
For instance, you can tell the PIX to use the ISP’s default gateway as its outbound path by entering: pixfirewall(config)# route outside 0 0 <ISP gateway IP> 1 (the two zeros mean “any destination address with any netmask”; the gateway placeholder is the address of the ISP router your outside interface is attached to, which the article does not show).
Use a strong, hard-to-guess password to protect your PIX from unauthorized access. Passwords should not contain obvious information such as the user’s name, children’s names, dogs’ names, birthdays, and so on. Use both letters and digits. And please don’t use “cisco” as your actual password; it appears below only to show the format.
pixfirewall(config)# passwd cisco sets the password for basic access (remember the pixfirewall> prompt?). Notice the shortened spelling of the word password.
pixfirewall(config)# enable password cisco sets the administrator (enable) password.
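Putting the steps together, here is the complete minimal configuration this tutorial walks through, as an added worked example rather than text from the original article. The public addresses (203.0.113.2/30 with the ISP gateway at 203.0.113.1) are documentation addresses chosen for the example, the hostname, domain name and passwords are placeholders, and the nameif, nat/global, write memory and show lines are assumed from PIX 6.3 syntax rather than shown in the article. Lines beginning with “:” are annotations, not commands to type.

```cisco
: Added example: minimal PIX 501 (software 6.3) configuration assembled from the steps above.
: Values in angle brackets are placeholders to replace with your own.
pixfirewall> enable
pixfirewall# configure terminal
pixfirewall(config)# hostname mypix
mypix(config)# domain-name example.local
: Interface names and security levels (nameif syntax assumed; the article describes only the result).
mypix(config)# nameif ethernet0 outside security0
mypix(config)# nameif ethernet1 inside security100
: Setting speed and duplex also brings the interfaces up.
mypix(config)# interface ethernet0 100full
mypix(config)# interface ethernet1 100full
: Outside address is a constructed documentation address (203.0.113.0/30); use the one your ISP assigns.
mypix(config)# ip address outside 203.0.113.2 255.255.255.252
mypix(config)# ip address inside 192.168.0.1 255.255.255.0
: Default route: anything not directly connected goes to the ISP router (203.0.113.1 in this example).
mypix(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
: PAT so inside hosts can reach the internet through the outside address (assumed; a factory-fresh 501 usually carries an equivalent rule).
mypix(config)# nat (inside) 1 0.0.0.0 0.0.0.0
mypix(config)# global (outside) 1 interface
: "passwd" protects the pixfirewall> login; "enable password" protects administrator mode. Use strong, distinct values.
mypix(config)# passwd <strong-login-password>
mypix(config)# enable password <strong-enable-password>
: Save to flash so the configuration survives a reboot, then verify addressing and the default route.
mypix(config)# write memory
mypix(config)# show ip address
mypix(config)# show route
```

Two checks worth doing before you unplug the console cable: confirm that the gateway in the route line sits inside the subnet you gave the outside interface (with a 255.255.255.252 mask only two host addresses exist, one for the PIX and one for the ISP router), and confirm that write memory was run, since a configuration that exists only in running memory is lost at the next power cycle.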
Now that your PIX has been set up with the bare minimum, you should be able to connect to the internet securely.
Ron Jones is the founder and president of The Fulcrum Technology Group, Inc. (http://www.fulcrumtechnologygroup.com), a consulting organization located just north of Atlanta that focuses on business technology solutions to help you increase productivity, enhance reliability, and decrease costs to keep a competitive edge.