© 2003, Cisco Systems, Inc. All Rights Reserved. FNS 1.0-8-1

For review only.
Please do not distribute

DRAFT May 2003. All rights reserved.
© 2003, Cisco Systems, Inc. All rights

© 2003,
reserved.
Cisco Systems, Inc. All rights reserved. FNS 1.0—8-11
For review only. Please do not distribute
FNS 1.0—8-2
© 2003, Cisco Systems, Inc. All rights reserved.
Module 3
Basic PIX Firewall
Configuration
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-3

PIX Firewall Basic Commands

• nameif
• interface
• ip address
• nat
• global
• route

nameif Command

pixfirewall(config)#
nameif hardware_id if_name security_level
• Assigns a name to each perimeter interface on the
PIX Firewall and specifies its security level.
pixfirewall(config)# nameif ethernet2

dmz sec50

interface Command

interface hardware_id [hardware_speed] [shutdown]

• Enables an interface and configures its type and speed.
pixfirewall(config)# interface ethernet0 100full

pixfirewall(config)# interface ethernet1 100full
• The outside and inside interfaces are set for 100 Mbps Ethernet
full-duplex communication.

ip address Command
ip address if_name ip_address [netmask]

• Assigns an IP address to each interface.
ip address outside dhcp [setroute] [retry
retry_cnt]
• Enables the DHCP client feature on the outside interface.
pixfirewall(config)# ip address outside dhcp

pixfirewall(config)# ip address dmz 172.16.0.1
255.255.255.0
• The outside interface obtains an IP address from a DHCP
server, but the DMZ interface is assigned the static address of
172.16.0.1
nat Command

nat [(if_name)] nat_id address
[netmask][timeout hh:mm:ss]
• Enables IP address translation.
pixfirewall(config)# nat (inside)

1 0.0.0.0 0.0.0.0

global Command

global[(if_name)] nat_id {global_ip[-global_ip]

[netmask global_mask]} | interface
• Works with the nat command to assign a registered or public IP
address to an internal host when accessing the outside network
through the firewall.
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0

pixfirewall(config)# global (outside) 1
192.168.0.20-192.168.0.254
• When internal hosts access the outside network through the firewall, they
are assigned public addresses from the
192.168.0.20–192.168.0.254 range.

route Command

route if_name ip_address netmask
gateway_ip [metric]
• Defines a static or default route for an
interface.
pixfirewall(config)# route outside

0.0.0.0 0.0.0.0 192.168.0.1 1

Static Routes

pixfirewall(config)# route inside

10.1.1.0 255.255.255.0 10.0.0.3
pixfirewall(config)# route outside
0 0 192.168.0.1
pixfirewall(config)# show route

outside 0.0.0.0 0.0.0.0 192.168.0.1 1 OTHER static
inside 10.1.1.0 255.255.255.0 10.0.0.3 1 OTHER static
inside 10.0.0.0 255.255.255.0 10.0.0.1 1 CONNECT static
outside 192.168.0.2 255.255.255.0 192.168.0.1 1 CONNECT static

DHCP

PIX DHCP

Client
Server

DHCP
The PIX Firewall’s DHCP server can

be used to dynamically assign

• An IP address and subnet mask.
• The IP address of a DNS server.
• The IP address of a WINS server.
• A domain name.
• The IP address of a TFTP server.
• A lease length.

DHCP Server

1. DHCPDISCOVER—The
client seeks an address
2. DHCPOFFER—The
server offers 10.0.0.3
3. DHCPREQUEST—The
client requests 10.0.0.3
4. DHCPACK—The server
acknowledges the
assignment of 10.0.0.3

Configuring the PIX Firewall
as a DHCP Server
• Step 1—Assign a static IP address to the inside interface.

• Step 2—Specify a range of addresses for the DHCP server to

distribute.
• Step 3—Specify the IP address of the DNS server (optional).
• Step 4—Specify the IP address of the WINS server (optional).
• Step 5—Specify the IP address of the TFTP server (optional).
• Step 6—Specify the lease length (default = 3,600 seconds).
• Step 7—Specify the ping timeout value (optional).
• Step 8—Configure the domain name (optional).
• Step 9—Enable DHCP.

dhcpd address Command

dhcpd address ip1[-ip2][if_name]

• Specifies a range of addresses for DHCP to assign.
pixfirewall(config)# dhcpd address

10.0.0.2–10.0.0.15 inside
• The DHCP server assigns addresses
10.0.0.2–10.0.0.15 to DHCP clients on the
inside. Addresses are assigned in
numerical order beginning with 10.0.0.2.

dhcpd dns Command

dhcpd dns dns1 [dns2]
• Specifies the IP address of the DNS server the client
will use (optional)
pixfirewall(config)# dhcpd dns 10.0.0.20

• The DHCP server notifies the DHCP client that
10.0.0.20 is the address of the DNS server to use

dhcpd wins Command

dhcpd wins wins1 [wins2]
• Specifies the IP address of the WINS server that the client will use (optional)
pixfirewall(config)# dhcpd wins 10.0.0.21

• The DHCP server notifies the DHCP client that it will
use 10.0.0.21 as its WINS server

dhcpd option Commands

dhcpd option 66 ascii {server_name | server_ip_str}

• Enables the PIX Firewall to distribute the IP address of a TFTP server for IP Phone
connections
dhcpd option 150 ip server_ip1 [server_ip2]
• Enables the PIX Firewall to distribute the IP addresses of a list of
TFTP servers for IP Phone connections
pixfirewall(config)# dhcpd option 150 ip 10.0.0.11

dhcpd lease Command

dhcpd lease lease_length
• Specifies the lease length to grant the client
• Default = 3,600 seconds
pixfirewall(config)# dhcpd lease 3600

• The DHCP clients can use their
allocated leases for 3600 seconds

dhcpd ping_timeout Command

dhcpd ping_timeout timeout
• Specifies the length of time the DHCP server waits before
allocating an address to a client.
• Default = 750 milliseconds
pixfirewall(config)# dhcpd ping_timeout 10000

• The DHCP server waits 10000 milliseconds (10 seconds)
before allocating an address to a client.

dhcpd domain Command

dhcpd domain domain_name
• Specifies the domain name the client will use (optional)
pixfirewall(config)# dhcpd domain cisco.com

• The DHCP server notifies the client that the domain name is
cisco.com

dhcpd enable Command

dhcpd enable [if_name]
• Enables the DHCP daemon within the PIX Firewall to
listen for DHCP client requests on the enabled
interface
pixfirewall(config)# dhcpd enable inside

• The DHCP server feature is enabled on the inside
interface

debug dhcpd and
clear dhcpd Commands

debug dhcpd event | packet
• Displays information associated with the DHCP server
clear dhcpd
• Removes all dhcpd command
statements from the
configuration

dhcpd auto_config Command
dhcpd auto_config[client_ifx_name]

• Enables the PIX Firewall to automatically configure DNS, WINS, and

domain name values from the DHCP client to the DHCP server.
pixfirewall(config)# ip address outside dhcp

pixfirewall(config)# dhcpd address 10.0.0.51-10.0.0.60
inside
pixfirewall(config)# dhcpd enable inside
pixfirewall(config)# dhcpd auto_config
• The PIX Firewall obtains its outside IP address and other configuration
parameters from a DHCP server on its outside interface.
• The PIX Firewall distributes IP addresses from the 10.0.0.51–10.0.0.60
range to its own DHCP clients, the hosts on its inside interface.
• The PIX Firewall passes other configuration parameters it obtained from
the DHCP server on its outside interface to the hosts on its inside
interface.
Summary

© 2003, Cisco Systems, Inc. All Rights Reserved. FNS 1.0-8-1

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

© 2003, Cisco Systems, Inc. All Rights Reserved. FNS 1.0-8-1

Încărcat de

Drepturi de autor:

Formate disponibile

For review only.

Please do not distribute

© 2003, Cisco Systems, Inc. All rights

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-3

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-4

For review only. Please do not distribute

pixfirewall(config)# nameif ethernet2

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-5

For review only. Please do not distribute

interface hardware_id [hardware_speed] [shutdown]

pixfirewall(config)# interface ethernet0 100full

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-6

For review only. Please do not distribute

• Assigns an IP address to each interface.

pixfirewall(config)# ip address outside dhcp

For review only. Please do not distribute

pixfirewall(config)# nat (inside)

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-8

For review only. Please do not distribute

global[(if_name)] nat_id {global_ip[-global_ip]

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-9

For review only. Please do not distribute

pixfirewall(config)# route outside

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-10

For review only. Please do not distribute

pixfirewall(config)# route inside

pixfirewall(config)# show route

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-11

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-12

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-13

The PIX Firewall’s DHCP server can

For review only. Please do not distribute

be used to dynamically assign

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-14

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-15

• Step 1—Assign a static IP address to the inside interface.

For review only. Please do not distribute

• Step 2—Specify a range of addresses for the DHCP server to

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-16

For review only. Please do not distribute

dhcpd address ip1[-ip2][if_name]

pixfirewall(config)# dhcpd address

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-17

For review only. Please do not distribute

pixfirewall(config)# dhcpd dns 10.0.0.20

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-18

For review only. Please do not distribute

pixfirewall(config)# dhcpd wins 10.0.0.21

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-19

For review only. Please do not distribute

dhcpd option 66 ascii {server_name | server_ip_str}

pixfirewall(config)# dhcpd option 150 ip 10.0.0.11

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-20

For review only. Please do not distribute

pixfirewall(config)# dhcpd lease 3600

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—8-21

For review only. Please do not distribute

pixfirewall(config)# dhcpd ping_timeout 10000