One of the most popular firewall products for the small business market is the Cisco PIX 501. Out of the box, it only requires a few configuration inputs and you are up and running.
In this guide, we’ll walk through the steps to set up your new PIX at the network edge.
This guide is written for the user who is unfamiliar with the PIX firewall. As such, it’s not a treatise on network security, but rather a quick, step-by-step guide to configuring a PIX firewall with as little jargon as possible.
We assume that you have an Internet connection with at least one static IP address. While the PIX can easily handle a dynamic IP address (that’s the default setting), you won’t be able to easily configure remote access, VPNs, mail, or web servers without a static IP address.
Your PIX should have come with an AC adapter, a yellow CAT 5 cable, an orange CAT5 cable, and a light blue (usually) ribbon cable with a 9-pin serial connector on one end and an RJ-45 plug on the other.
The yellow CAT5 cable is a standard Ethernet cable and is used to connect your PC or server to the 4-port Ethernet switch built into the PIX. The orange CAT5 cable is a crossover cable and may be required to connect the external interface of the PIX to your ISP’s router (if your PCs or workstations are connected to a Cisco switch within the network, you will also need a crossover cable to connect that switch to one of the switch ports on the PIX).
What we are going to use for our setup is the baby blue rollover cable. Insert the serial connector into one of the serial ports on the back of the PC or laptop that you will use to configure the PIX. Next, insert the RJ-45 plug into the port on the back of the PIX labeled “console.”
Windows has a built-in application that is used (among other things) to configure serial devices. Using the start menu, go to Start > Programs > Accessories > Communications > HyperTerminal.
Choose the HyperTerminal app. A dialog box may appear asking whether you want HyperTerminal to be your default Telnet application. Unless you have a preference, go ahead and choose yes.
You will then be asked for the area code you are dialing from. Although it is not applicable here, the program still wants to know it, so fill it in and click ‘Next’ or ‘OK’.
You can call the connection whatever you want; in this example we will use PIX. Click “OK” to continue.
Next, we will be asked to enter the details of the phone number we would like to dial. Since we are not dialing a phone number, use the dropdown selector at the bottom of the box to choose COM1 or COM2 (whichever applies). If you have no idea which is which, you may need to try both ways.
Now, you are expected to tell the application some details about the port settings so that it can communicate effectively with the PIX.
Fortunately, it’s not too complex: just remember 9600, 8, none, and 1 (9600 bits per second, 8 data bits, no parity, 1 stop bit). Enter these settings in the dropdown selectors in the box on your screen.
Now we are ready to configure the PIX. Insert the power cord and you’ll be greeted with the startup monologue (not a dialog in this case, just letting you know what’s going on).
A screen will then appear asking if you want to program the PIX using interactive prompts. For the purpose of this exercise, type no and press Enter.
Now you will get a prompt that looks like this:
pixfirewall>
Type the word ‘enable’ (without quotes). When prompted for the password, just press Enter, as the default is no password.
The prompt has changed to end in a hash mark:
pixfirewall#
Type the phrase ‘configure terminal’ (without quotes); you are telling the PIX that you want to enter global configuration mode and configure it through the terminal window.
Your prompt will now look like this:
pixfirewall(config)#
The first thing we want to do is give your firewall a hostname. The PIX command syntax is:
hostname <name>
Thus, to establish the hostname we will enter:
pixfirewall(config)# hostname mypix
Now, the domain name; it’s ok if you don’t have a domain set up on your network, you can call it whatever you want. However, give some thought to whether a domain might be a possibility at some point, and plan your naming scheme accordingly.
pixfirewall(config)# domain-name mydomain.com
In the PIX’s default configuration, the ethernet0 interface is the outside (external) interface, with a security level of 0, while ethernet1 is the inside (internal) interface with a security level of 100. Both interfaces start out shut down. All we need to do to bring them up is set the speed at which they should operate. Since they are Ethernet interfaces, any software version after 6.3(3) will take 100full; before that, use 10full.
pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full
Now to assign an address to the inside and outside interfaces. The ip address command sets the IP address of an interface. The syntax is as follows:
ip address <interface_name> <ip_address> <netmask>
For the outside interface, an example could be the following:
pixfirewall(config)# ip address outside 18.104.22.168 255.255.255.252
(This combination of IP address and netmask should not be used; it is shown here for example only. Use the IP address/mask provided by your ISP.)
And for the inside interface:
pixfirewall(config)# ip address inside 192.168.0.1 255.255.255.0
A short word on IP addressing is in order here.
One way that public IP addresses are preserved is by using the non-routable IP address blocks specified in RFC 1597. You may sometimes hear them referred to as “private” IP addresses, which is fine, but not quite technically accurate. There are three different blocks to choose from:
10.0.0.0 – 10.255.255.255 with a netmask of 255.0.0.0
172.16.0.0 – 172.31.255.255 with a netmask of 255.255.0.0
192.168.0.0 – 192.168.255.255 with a netmask of 255.255.255.0
As long as your internal network IP addresses are all within one of those blocks of address space, you don’t need to introduce the complexity of routing within your LAN. Below is an example schematic for those unfamiliar:
PIX – 192.168.0.1 netmask 255.255.255.0
File server/DHCP – 192.168.0.2 netmask 255.255.255.0
Workstations – 192.168.0.10 – 192.168.0.254 netmask (each) 255.255.255.0
* I intentionally omitted the 192.168.0.3-9 addresses to plan for future expansion and the possible need for additional servers; you do not need to do this.
* Configure your DHCP server to deliver addresses in the specified block using the DNS servers provided by your ISP for name resolution. Be sure to change this if you ever decide to install a nameserver within your own network.
* If you don’t want to set up a DHCP server, just set each PC with its IP address, default gateway, netmask and DNS servers manually.
Now it is very important to add a default route to the PIX configuration. Another term for the default route is “default gateway”. You need to tell the PIX that if it receives traffic destined for a network that is not directly connected, it should send it to the connected ISP router. Your ISP should have given you the IP address of your default gateway along with your other configuration information.
Here is the syntax:
route <interface_name> <network_address> <netmask> <next_hop> [metric]
In English: packets leaving through the named interface and destined for the network given by the network address and netmask are sent to the next-hop gateway; the optional metric gives an indication of the distance (number of hops) to that gateway.
pixfirewall(config)# route outside 0 0 <ISP gateway IP> 1
(If packets are destined outside the network, to any IP address with any netmask, send them to the ISP’s default gateway, which is one hop away, meaning it is the device the PIX’s outside interface is connected to. Replace <ISP gateway IP> with the gateway address your ISP gave you.)
To password protect your PIX and prevent unauthorized access, use something that is secure and hard to guess. Stay away from the names of spouses, children, pets, birthdays, or other easy-to-guess values. Whenever possible, use a combination of letters and numbers. The syntax is as follows (but don’t use cisco as your actual password):
pixfirewall(config)# passwd cisco
(Note the abbreviated spelling of password.) This sets the password for basic, non-privileged access (remember the pixfirewall> prompt?).
pixfirewall(config)# enable password cisco
This sets the password for administrative (enable) access.
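Before pasting the commands above into the console, it helps to sanity-check the addressing plan: the outside address must be a usable host address, the default gateway must sit on the outside subnet (the “one hop away” requirement of the route command), and the LAN should fall inside one of the RFC 1597 blocks. The following Python script is an added example, not part of this guide or of Cisco’s software; the 203.0.113.0/30 addresses and the passwords in it are constructed, and the checker also shows why the guide’s own 18.104.22.168/30 pair must not be used (.168 is the network address of that /30).

```python
import ipaddress

# RFC 1597 non-routable blocks, as listed in the guide.
PRIVATE_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(outside_ip, outside_mask, inside_ip, inside_mask, gateway, enable_pw):
    """Return a list of problems with an addressing plan; an empty list means it is consistent."""
    outside = ipaddress.ip_interface(f"{outside_ip}/{outside_mask}")
    inside = ipaddress.ip_interface(f"{inside_ip}/{inside_mask}")
    gw = ipaddress.ip_address(gateway)
    problems = []
    # Interface addresses must be usable hosts, not the network or broadcast address.
    for name, iface in (("outside", outside), ("inside", inside)):
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{name} address {iface.ip} is the network or broadcast address")
    # 'route outside 0 0 <gateway> 1' only works if the gateway is one hop away,
    # i.e. inside the outside interface's subnet and not the PIX's own address.
    if gw not in outside.network or gw == outside.ip:
        problems.append(f"gateway {gw} is not a neighbour on the outside subnet")
    # The LAN should live in one RFC 1597 block so no internal routing is needed.
    if not any(inside.network.subnet_of(b) for b in PRIVATE_BLOCKS):
        problems.append(f"inside network {inside.network} is not in an RFC 1597 block")
    if inside.network.overlaps(outside.network):
        problems.append("inside and outside subnets overlap")
    # The guide's example password is the one everybody knows; reject it (and very short ones).
    if enable_pw.lower() == "cisco" or len(enable_pw) < 8:
        problems.append("enable password is the default or too short")
    return problems


def render_config(hostname, domain, outside_ip, outside_mask,
                  inside_ip, inside_mask, gateway, login_pw, enable_pw):
    """Emit the guide's bootstrap commands in order, ready to paste at the (config)# prompt."""
    return [
        f"hostname {hostname}",
        f"domain-name {domain}",
        "interface ethernet0 100full",
        "interface ethernet1 100full",
        f"ip address outside {outside_ip} {outside_mask}",
        f"ip address inside {inside_ip} {inside_mask}",
        f"route outside 0 0 {gateway} 1",
        f"passwd {login_pw}",
        f"enable password {enable_pw}",
    ]


if __name__ == "__main__":
    plan = ("203.0.113.2", "255.255.255.252", "192.168.0.1", "255.255.255.0", "203.0.113.1")
    print(check_plan(*plan, "Tr0ub4dor&3") or "\n".join(
        render_config("mypix", "mydomain.com", *plan, "L0g1n-pw!", "Tr0ub4dor&3")))
```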
Now that your PIX has been given a basic configuration, it should be able to access the Internet, while preventing unauthorized access to your resources.