
PIX Firewall. Stateful Packet Filter Runs on its own Operating System Assigning varying security...

Date post: 21-Dec-2015
Page 1: PIX Firewall. Stateful Packet Filter Runs on its own Operating System Assigning varying security levels to interfaces (0 – 100) Access Control Lists Extensive.

PIX Firewall

Features

– Stateful Packet Filter
– Runs on its own Operating System
– Assigning varying security levels to interfaces (0 – 100)
– Access Control Lists
– Extensive Logging Capability
– Network Address Translation
– Stateful Failover Recovery
– Advanced Filtering

Adaptive Security Algorithm (ASA)

– Foundation of the PIX firewall
– Keeps track of connections formed from the private network to the public network
– Allows traffic to go from private to public, and allows return traffic from the public to the private network
– Does not allow the public network to initiate traffic to the private network, unless specified in an ACL
– Uses the following information to keep track of sessions passing through the PIX:
  – IP packet source and destination
  – TCP sequence number and flags
  – UDP packet flow and timers
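
The session tracking described on this slide, as an added Python example (not Cisco's ASA code and not part of the original slides): an outbound flow creates a table entry, return traffic must match it, and outside-initiated traffic needs an ACL entry. The class name, the 120-second UDP idle timer and the port numbers are assumptions; the addresses are the lab's.

```python
# Added illustration of ASA-style session tracking; not Cisco's implementation.
# Interface names, the class and the 120 s UDP idle timer are assumptions.
INSIDE, OUTSIDE, UDP_IDLE = "inside", "outside", 120


class StatefulFilter:
    def __init__(self, acl=()):
        self.acl = set(acl)  # (ip, port) targets the outside may initiate to
        self.table = {}      # flow key -> per-session state

    def handle(self, iface, proto, src, dst, flags="", seq=0, ack=0, now=0.0):
        """Return True to forward a packet, False to drop it."""
        key = (proto,) + tuple(sorted([src, dst]))  # same key both directions
        st = self.table.get(key)
        if st and proto == "udp" and now - st["last"] > UDP_IDLE:
            del self.table[key]                     # UDP timer expired
            st = None
        if st is None:
            if iface == OUTSIDE and dst not in self.acl:
                return False                        # outside may not initiate
            if proto == "tcp" and flags != "S":
                return False                        # TCP must open with SYN
            self.table[key] = {"state": "SYN_SENT" if proto == "tcp" else "UDP",
                               "init": src, "isn": seq, "fins": set(), "last": now}
            return True
        st["last"] = now
        if proto == "udp":
            return True
        from_init = src == st["init"]
        if st["state"] == "SYN_SENT":
            if from_init:
                return flags == "S"                 # SYN retransmission only
            if flags != "SA" or ack != (st["isn"] + 1) % 2**32:
                return False                        # must acknowledge ISN + 1
            st["state"] = "ESTABLISHED"
            return True
        if "R" in flags or (len(st["fins"]) == 2 and "F" not in flags):
            del self.table[key]                     # reset, or ACK after both FINs
        elif "F" in flags:
            st["fins"].add(from_init)               # one FIN per direction
        return True


def demo():
    # Constructed sample flow between the lab's Router 1 and Router 2.
    fw, r1, r2 = StatefulFilter(), ("1.1.1.2", 80), ("10.0.0.2", 1025)
    return [fw.handle(OUTSIDE, "tcp", r1, r2, "S", seq=500),             # unsolicited
            fw.handle(INSIDE, "tcp", r2, r1, "S", seq=1000),             # outbound SYN
            fw.handle(OUTSIDE, "tcp", r1, r2, "SA", seq=500, ack=7),     # bad ack
            fw.handle(OUTSIDE, "tcp", r1, r2, "SA", seq=500, ack=1001)]  # valid reply
```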

TCP Initiation and Transmission

TCP Termination

UDP Transmission

Lab Environment

– Rented lab at www.gigavelocity.com
– Lab consists of routers, switches, PIX firewall, control console, etc.

Connecting to the Rack

– Telnet to the main control console
– From console, initiate connections to different devices

Our test bed

– Whole lab consists of many components
– Needed to test PIX firewall only
– Used PIX firewall with two routers
  – Set up Router address
  – Set up PIX firewall interfaces
  – Set up PIX routing
  – Ping from different components

Showing Router 1’s IP Address

Rack1R1#show ip int brief

Interface          IP-Address   OK?  Method  Status                 Protocol
FastEthernet0/0    1.1.1.2      YES  manual  up                     up
Serial0/0          unassigned   YES  NVRAM   administratively down  down
BRI0/0             unassigned   YES  NVRAM   administratively down  down
BRI0/0:1           unassigned   YES  unset   administratively down  down
BRI0/0:2           unassigned   YES  unset   administratively down  down
FastEthernet0/1    unassigned   YES  NVRAM   administratively down  down
Serial0/1          unassigned   YES  NVRAM   administratively down  down

Showing Router 2’s IP Address

Rack1R2#show ip int brief

Interface          IP-Address   OK?  Method  Status                 Protocol
FastEthernet0/0    10.0.0.2     YES  manual  up                     up
Serial0/0          unassigned   YES  NVRAM   administratively down  down
BRI0/0             unassigned   YES  NVRAM   administratively down  down
BRI0/0:1           unassigned   YES  unset   administratively down  down
BRI0/0:2           unassigned   YES  unset   administratively down  down
FastEthernet0/1    unassigned   YES  NVRAM   administratively down  down
Serial0/1          unassigned   YES  NVRAM   administratively down  down
Virtual-Access1    unassigned   YES  unset   up                     up

Showing PIX’s IP Address

pixfirewall# show config
: Saved
: Written by enable_15 at 21:02:07.582 UTC Sat Mar 5 2005
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
……
ip address outside 1.1.1.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0

Network Topology

[Figure: Router 1 (1.1.1.2) -- (1.1.1.1) PIX (10.0.0.1) -- (10.0.0.2) Router 2]

PIX Configuration

See Configuration File

Results

Pinging from Router 2 to PIX

Rack1R2#ping 10.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Results

Pinging from PIX to Router 2

pixfirewall# ping 10.0.0.2

10.0.0.2 response received -- 0ms

10.0.0.2 response received -- 0ms

10.0.0.2 response received -- 0ms

Results

Pinging from Router 2 to Router 1

Rack1R2#ping 1.1.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Results

Pinging from Router 1 to Router 2

Rack1R1#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Conclusion

– The PIX firewall is a highly configurable device
– We used a simplified network model
– Configured the PIX and two routers
– Able to pass traffic to, from, and through the PIX firewall
