Wednesday, February 09, 2005

PIX Firewall-ing (Part 2)

Now, to configure the PIX, we need to go to configuration mode. Type 'enable' at the user mode prompt to get the privilege mode prompt (#).
pixfirewall>enable
pixfirewall#

In privilege mode we still can't modify the configuration, but we can upgrade the software, reload, and run some debugs for troubleshooting. Since this is a new firewall, there is no password to switch from user mode to privilege mode.

Now let's go to configuration mode by typing 'configure terminal':
pixfirewall#conf t
pixfirewall(config)#

In PIX you don't have to type the complete command. As long as the abbreviation you type is unique, matching only one command, PIX will accept it.
Firewall_name(config)# is the global configuration mode prompt. In Cisco IOS, global mode is normally where we configure only parameters that affect the device globally; for example, on a Cisco router the device name is set in global mode, while to configure the IP address of one interface you must enter that interface's configuration mode and get the router(config-if)# prompt.
This is not the case with PIX: global config mode is the only mode available to configure the firewall.

By default the interfaces are disabled, so let's enable them:
pixfirewall(config)#interface ethernet0 auto
pixfirewall(config)#interface ethernet1 auto

Auto means the interface will negotiate the hardware speed automatically with the hub/switch to which it is connected.

Let's give IP addresses to the interfaces, according to the external and internal networks, using the interface alias names:
pixfirewall(config)#ip address outside 1.1.1.2 255.255.255.0
pixfirewall(config)#ip address inside 192.168.1.1 255.255.255.0

All hosts in the internal network need to use the PIX inside interface IP address as their default gateway. The PIX itself needs to know its own default gateway to send traffic to the external network or the Internet, so let's specify the gateway (for example, the Internet router's Ethernet IP address):
pixfirewall(config)#route outside 0.0.0.0 0.0.0.0 1.1.1.1

Now, unless we are freaks who have enough public IPs for the internal network, I assume we use private IPs, so we need to NAT them to be able to go to the Internet.
pixfirewall(config)#nat (inside) 1 0 0
pixfirewall(config)#global (outside) 1 1.1.1.3

How to read the 'nat' command: any network behind the inside interface ('0 0' means 0.0.0.0 0.0.0.0, i.e. every source address) will be translated according to rule number '1' on whichever interfaces have a 'global' with the same number.
How to read the 'global' command: on the outside interface, set translation rule number '1', so any network NAT-ed with this rule will appear with the source IP address 1.1.1.3.

We can also use the PIX outside interface IP address as the translation address:
pixfirewall(config)#global (outside) 1 interface

It means the inside network (in this case 192.168.1.0/24) will be translated to the outside interface IP address (1.1.1.2) when it goes to the Internet.
We can also use a range of public IP addresses to translate the internal network:
pixfirewall(config)#global (outside) 1 1.1.1.10-1.1.1.20

You know what?
That's the only configuration you need to connect your internal network to the Internet. Just connect one PC to the internal network, give it an IP address and default gateway accordingly, and this PC should be able to go to the Internet. Obviously you need to have an Internet line and proper DNS settings, but I won't discuss that because you are so lame if you don't know this!

With this minimal configuration, your internal network should be able to reach the Internet without any restriction, and from the Internet no one should be able to connect to you.

Don't forget to save the configuration, so it is still there after the firewall reboots, by typing 'write memory', or 'wr m' for short:
pixfirewall#wr m

You can save the configuration from global mode or privilege mode, but not from user mode (> prompt). By the way, to go back to privilege mode from global mode, just type 'exit'. To go back to user mode from privilege mode, type 'disable', since typing 'exit' from privilege mode will log you out of the PIX.

As a summary, these are the 6 steps you need to connect your internal network to the Internet, protected by the PIX firewall:
1. Enable the interfaces
2. Give an IP address to each interface
3. Add a default route towards the outside network, pointing for example to the Internet router's Ethernet interface
4. Add NAT on the inside interface with a translation rule number
5. Add a global on the outside interface matching the translation rule number and the public IP address; this can be the PIX outside interface IP address or a range of public IP addresses
6. Save the configuration
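The following is an added example, not part of the original post and not Cisco's code: a small Python checker for the six-step configuration above. It only understands the command forms shown on this page ('interface', 'ip address', 'route', 'nat', 'global'), and its checks encode the two relationships the post explains: a 'nat' rule number must be matched by a 'global' with the same number, and the default-route gateway must sit on the outside interface's subnet. It also answers the "how to read nat/global" question by working out which address an inside host will appear with on the outside. The two sample configurations embedded in it are constructed for the example (the first is the post's configuration; the second deliberately has a mismatched rule number and a gateway on the wrong subnet).

```python
# Added example: checker for the six-step PIX configuration described in the post.
# Not Cisco code; handles only the command forms shown on the page.
import ipaddress
import re

# Constructed sample: the exact six-step configuration from the post.
SAMPLE_CONFIG = """
interface ethernet0 auto
interface ethernet1 auto
ip address outside 1.1.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1
nat (inside) 1 0 0
global (outside) 1 interface
"""

# Constructed sample with two mistakes: 'global' uses rule number 2 while
# 'nat' uses 1, and the default gateway is not on the outside subnet.
BROKEN_CONFIG = """
ip address outside 1.1.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1
nat (inside) 1 0 0
global (outside) 2 interface
"""


def _net(net, mask):
    """Build a network from PIX 'net mask' notation; '0 0' is shorthand for 0.0.0.0 0.0.0.0."""
    net = "0.0.0.0" if net == "0" else net
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def parse_config(text):
    """Parse the subset of PIX global-config commands used in the post."""
    cfg = {"interfaces": [], "ip": {}, "routes": [], "nat": [], "global": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "interface":
            cfg["interfaces"].append(parts[1])
        elif parts[:2] == ["ip", "address"]:
            alias, ip, mask = parts[2:5]
            cfg["ip"][alias] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif parts[0] == "route":
            alias, net, mask, gw = parts[1:5]
            cfg["routes"].append((alias, _net(net, mask), ipaddress.ip_address(gw)))
        elif parts[0] == "nat":
            alias, rule, net, mask = re.match(
                r"nat \((\S+)\) (\d+) (\S+) (\S+)", line.strip()).groups()
            cfg["nat"].append((alias, int(rule), _net(net, mask)))
        elif parts[0] == "global":
            alias, rule, pool = re.match(
                r"global \((\S+)\) (\d+) (\S+)", line.strip()).groups()
            cfg["global"].append((alias, int(rule), pool))
    return cfg


def translated_source(cfg, src_ip, ingress="inside", egress="outside"):
    """Return the address (or lo-hi range) src_ip is translated to when leaving
    egress, or None when no nat/global pair applies."""
    src = ipaddress.ip_address(src_ip)
    # The most specific 'nat' statement on the ingress interface wins.
    matches = [(net.prefixlen, rule) for alias, rule, net in cfg["nat"]
               if alias == ingress and src in net]
    if not matches:
        return None
    rule = max(matches)[1]
    for alias, gid, pool in cfg["global"]:
        if alias == egress and gid == rule:
            if pool == "interface":          # global (outside) 1 interface
                return str(cfg["ip"][egress].ip)
            return pool                      # single address or lo-hi range
    return None


def check_config(cfg):
    """Return a list of problems; an empty list means the six steps are consistent."""
    problems = []
    for alias in ("inside", "outside"):
        if alias not in cfg["ip"]:
            problems.append(f"no ip address for interface {alias}")
    global_rules = {rule for _, rule, _ in cfg["global"]}
    nat_rules = {rule for _, rule, _ in cfg["nat"]}
    for alias, rule, _ in cfg["nat"]:
        if rule not in global_rules:
            problems.append(f"nat rule {rule} on {alias} has no matching global")
    for alias, rule, _ in cfg["global"]:
        if rule not in nat_rules:
            problems.append(f"global rule {rule} on {alias} has no matching nat")
    if not any(net.prefixlen == 0 for _, net, _ in cfg["routes"]):
        problems.append("no default route")
    for alias, _, gw in cfg["routes"]:
        if alias in cfg["ip"] and gw not in cfg["ip"][alias].network:
            problems.append(f"route gateway {gw} is not on the {alias} subnet")
    return problems


if __name__ == "__main__":
    good = parse_config(SAMPLE_CONFIG)
    print("sample config problems:", check_config(good))
    print("192.168.1.50 leaves as:", translated_source(good, "192.168.1.50"))
    print("broken config problems:", check_config(parse_config(BROKEN_CONFIG)))
```

Running it reports no problems for the post's configuration and shows 192.168.1.50 leaving as 1.1.1.2 (the outside interface address); the broken configuration yields three findings, which is the kind of mistake that leaves inside hosts with no translation and therefore no Internet access.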

What if we want people from the Internet to connect to our servers inside the internal network?

(To be continued in part 3)
