Cisco PIX firewall Set up 3 security zones ***CS580*** John Trafecanty



August 23, 2005

Cisco PIX firewall

Set up 3 security zones ***CS580*** John Trafecanty, Jules R. Nya Baweu

PIX with 3 interfaces - 3 security zones

Purpose

- This is the most common PIX configuration in enterprise networks today.

- It allows company servers sitting on the DMZ interface to be reached from the public network, while the computers sitting on the inside remain protected and unreachable by intruders.

Firewall policy rules

- Inside users can initiate connections to the outside and DMZ.

- Outside users can initiate connections only to the DMZ, not to the inside.

- DMZ servers can initiate connections only to the outside, not to the inside.

[Diagram: PIX with 3 interfaces - 3 security zones, showing the Outside, Inside and DMZ interfaces]

Our environment of work

Our setup

Our setup - Simplified

Config. on Switch S2 - Vlan

Config. on Router R5

Config. on Router R6

Detailed config. commands on the Cisco PIX Firewall

: Interfaces and security levels: outside (0), inside (100), dmz (50)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 100basetx
ip address outside 209.165.201.3 255.255.255.224
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0

: Application-layer inspection (fixups) and housekeeping
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
arp timeout 14400
names
name 192.168.0.2 webserver
pager lines 24
logging console 7

: Address translation: inside and dmz hosts are translated when they go to a
: lower-security interface (nat id 1 on inside/dmz pairs with global id 1 on outside/dmz).
: The single address 209.165.201.5 is used for PAT once the pool is exhausted.
: The dmz pool is drawn from the dmz subnet 192.168.0.0/24.
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 192.168.0.0 255.255.255.0
global (outside) 1 209.165.201.10-209.165.201.30
global (outside) 1 209.165.201.5
global (dmz) 1 192.168.0.10-192.168.0.20
: Static translation that publishes the DMZ web server on the outside as 209.165.201.6
static (dmz,outside) 209.165.201.6 webserver

: Only HTTP to the published web server address is allowed in from the outside;
: everything else arriving on the outside interface hits the implicit deny.
access-list acl_out permit tcp any host 209.165.201.6 eq http
access-group acl_out in interface outside
rip outside passive version 2
rip outside default version 2
rip inside passive version 1
rip dmz passive version 2
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
mtu outside 1500
mtu inside 1500
mtu dmz 1500
: Management: telnet to the PIX only from this one inside host
telnet 10.0.0.199 inside
telnet timeout 5
terminal width 80

Config. on Pix firewall

Scenario of traffic from inside to the outside – Telnet to the router R4: “This traffic is allowed” (inside is security level 100, outside is 0, and the nat/global pair translates the inside source).

Scenario of traffic from inside to the outside – ping to the router R4: “This traffic is allowed”

Scenario of traffic from outside to the inside – Telnet to Router R6: “Dest. Unreachable, since R6 is using a private IP” (no static translation publishes any inside address, so nothing on the outside can reach 10.0.0.0/24).

Scenario of traffic from outside to the DMZ – ping to Router R5: “Only http traffic is allowed to the dmz from outside”

Scenario of traffic from outside to the DMZ – status on the PIX firewall after the ping to Router R5: “Only http traffic is allowed to the dmz from outside”

Scenario of traffic from outside to the DMZ – Telnet to Router R5: “Telnet is not allowed to the dmz from outside”

Scenario of traffic from outside to the DMZ – status on the PIX firewall after the telnet to Router R5: “Telnet is not allowed to the dmz from outside” (acl_out permits only TCP port 80 to 209.165.201.6; every other packet arriving on the outside interface is dropped by the implicit deny)
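The policy rules, the PIX config above and the test scenarios fit one decision procedure: higher security level to lower is forwarded once a nat/global pair translates the source; lower to higher is forwarded only when an inbound access-list permits it and a static publishes the destination. The following is an added example, not code from the slides, that models that procedure in Python with the slide's interface, static, nat/global and access-list lines and replays the slide scenarios through it. The access-list match is simplified to (protocol, destination host, port), NAT is reduced to "does a nat/global pair exist for this interface pair", and the router addresses R4 and R6 are constructed assumptions (the slides name the routers but give no addresses).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# nameif / ip address lines: interface name -> (security level, connected subnet)
INTERFACES = {
    "outside": (0, ipaddress.ip_network("209.165.201.0/27")),
    "inside": (100, ipaddress.ip_network("10.0.0.0/24")),
    "dmz": (50, ipaddress.ip_network("192.168.0.0/24")),
}
# static (dmz,outside) 209.165.201.6 webserver, with name webserver = 192.168.0.2,
# stored as (real interface, mapped interface, mapped address, real address)
STATICS = [("dmz", "outside", "209.165.201.6", "192.168.0.2")]
# nat (inside) 1 / nat (dmz) 1 pair with global (outside) 1 / global (dmz) 1
NAT_SOURCES = {"inside", "dmz"}
GLOBAL_POOLS = {"outside", "dmz"}


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip"
    dst_host: str          # PIX 6.x checks access-lists against the mapped (outside) address
    dport: Optional[int] = None

    def matches(self, proto: str, dst_ip: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst_host != dst_ip:
            return False
        return self.dport is None or self.dport == dport


# access-list acl_out permit tcp any host 209.165.201.6 eq http
# access-group acl_out in interface outside
ACCESS_GROUPS = {"outside": [AclEntry("permit", "tcp", "209.165.201.6", 80)]}


@dataclass(frozen=True)
class Verdict:
    permitted: bool
    egress: Optional[str]   # interface the packet leaves on
    dst_ip: Optional[str]   # address it is delivered to, after any static translation
    reason: str


def egress_for(dst_ip: str) -> str:
    """Route lookup: a connected subnet wins, otherwise the default route to outside."""
    addr = ipaddress.ip_address(dst_ip)
    for name, (_, net) in INTERFACES.items():
        if addr in net:
            return name
    return "outside"  # route outside 0.0.0.0 0.0.0.0 209.165.201.1 1


def translate_dest(ingress: str, dst_ip: str) -> Tuple[str, str, bool]:
    """A packet arriving on a static's mapped interface for its mapped address is
    delivered to the real address on the real interface; anything else is routed as-is."""
    for real_if, mapped_if, mapped_ip, real_ip in STATICS:
        if ingress == mapped_if and dst_ip == mapped_ip:
            return real_if, real_ip, True
    return egress_for(dst_ip), dst_ip, False


def acl_permits(ingress: str, proto: str, dst_ip: str, dport: Optional[int]) -> bool:
    """First-match evaluation of the access-group bound inbound on the ingress interface."""
    for entry in ACCESS_GROUPS[ingress]:
        if entry.matches(proto, dst_ip, dport):
            return entry.action == "permit"
    return False  # implicit deny at the end of every access-list


def decide(ingress: str, proto: str, dst_ip: str, dport: Optional[int] = None) -> Verdict:
    egress, real_dst, via_static = translate_dest(ingress, dst_ip)
    if egress == ingress:
        return Verdict(False, None, None, "destination is on the ingress interface")
    in_level, out_level = INTERFACES[ingress][0], INTERFACES[egress][0]
    if in_level == out_level:
        return Verdict(False, None, None, "PIX 6.x does not forward between equal security levels")
    # An inbound access-group replaces the level-based default on its interface;
    # without one, only higher-to-lower traffic passes.
    if ingress in ACCESS_GROUPS:
        if not acl_permits(ingress, proto, dst_ip, dport):
            return Verdict(False, None, None, f"denied by the access-group on {ingress}")
    elif in_level < out_level:
        return Verdict(False, None, None, "lower to higher security level with no access-list permitting it")
    # The connection must also have a translation: nat/global outbound, a static inbound.
    if in_level > out_level:
        if ingress in NAT_SOURCES and egress in GLOBAL_POOLS:
            return Verdict(True, egress, real_dst, "higher to lower level, source translated by nat/global")
        return Verdict(False, None, None, "no translation group found for the source")
    if not via_static:
        return Verdict(False, None, None, f"no static translation publishes {dst_ip} on {ingress}")
    return Verdict(True, egress, real_dst, "permitted by access-list, delivered through the static")


# Constructed lab addresses for the routers (assumptions; the slides give none)
R4 = "209.165.201.1"        # outside router, the PIX default gateway
R6 = "10.0.0.2"             # inside router on the private subnet
WEBSERVER_PUBLIC = "209.165.201.6"  # the DMZ server as the outside sees it

SCENARIOS = {
    "inside telnet to R4": ("inside", "tcp", R4, 23),
    "inside ping to R4": ("inside", "icmp", R4, None),
    "outside telnet to R6": ("outside", "tcp", R6, 23),
    "outside ping to DMZ server": ("outside", "icmp", WEBSERVER_PUBLIC, None),
    "outside telnet to DMZ server": ("outside", "tcp", WEBSERVER_PUBLIC, 23),
    "outside http to DMZ server": ("outside", "tcp", WEBSERVER_PUBLIC, 80),
    "dmz server to inside": ("dmz", "tcp", R6, 22),
    "dmz server to outside": ("dmz", "tcp", R4, 80),
}


def run_scenarios() -> dict:
    return {name: decide(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{'PERMIT' if verdict.permitted else 'DENY  '} {name}: {verdict.reason}")
```

Only the HTTP connection to 209.165.201.6 from the outside comes back permitted, and it is delivered to 192.168.0.2 on dmz; the ping and telnet to the same address fall through acl_out to the implicit deny, which is what the PIX status slides show. For the outside-to-R6 case the real lab fails one hop earlier than this model (the outside router has no route to 10.0.0.0/24, hence the "destination unreachable"), but the PIX would drop it anyway: no access-list entry and no static covers an inside address.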

Conclusion

This lab project has shown an example of how to configure a stateful packet-filtering firewall, the Cisco PIX, with three interfaces.

The three-security-zone setup of the Cisco PIX firewall is used today in complex networks and can provide effective protection for enterprise networks.