
Configuring the Cisco PIX/ASA

Pages: 26      File type: pdf      Size: 77.65 KB
10.10.2023


Content extracted from the document:
Configuring the Cisco PIX/ASA

Complete configuration of the Cisco PIX is beyond the scope of this book. However, we can cover some of the initial steps required to set up the PIX and to allow an administrator access to the graphical user interface (GUI), the Adaptive Security Device Manager (ASDM) (previously known as the PIX Device Manager [PDM] for software versions previous to 7.0).

To initially configure a PIX out of the box, connect a serial connector to the console port of the PIX (which is typically outlined with a light blue color). Use the blue serial port cable that came with the PIX. If you cannot find that cable, you may also use a null modem or a rollover cable. The serial port settings in the terminal emulation software on the PC should be as listed in Table 6-1.

Table 6-1. Serial Port Setting for PIX Console

 Setting               Value
 Baud                  9600
 Parity                None
 Number of Bits        8
 Number of Stop Bits   1

After the console connection has been established, start up the terminal emulation software (Microsoft Windows typically comes with HyperTerminal, and you can alternatively use TeraTerm Pro) with the settings in Table 6-1. The PIX command prompt should immediately appear (if not, press the Enter button on the keyboard):

 pixfirewall>

Next, type the enable command to access the privileged mode of execution. By default, the enable password on a new PIX is not set:

 pixfirewall> enable
 Password:
 pixfirewall#

By default, the enable command assumes that the user is trying to access privilege level 15 (the highest privilege level). To begin configuring the PIX for basic network access, several actions must be performed:

 • Assign IP addresses for the firewall interfaces.
 • Configure the firewall name, domain name, and passwords.
 • Configure the firewall routing settings.
 • Configure the firewall for remote management access.
 • Configure the network address translation settings for outbound access.
 • Configure the ACLs.
 • Configure logging on the firewall.

Assigning IP Addresses to the Firewall Interfaces

To communicate on the network, the firewall needs to have IP addresses assigned to the firewall interfaces. The process of doing this changed between PIX/ASA version 6.x and 7.x, but the fundamental steps are the same: Enable the interface, configure the interface itself, and assign an IP address to the interface.

Assigning IP Addresses in PIX 6.x

To assign IP addresses to the PIX interfaces, the administrator must enter configuration mode. Because the PIX uses a command interface that is similar to IOS, administrators enter configuration mode as they would on a Cisco IOS-based router:

 firewall# configure terminal
 firewall(config)#

When in configure mode, the next item is to enable the interfaces. The PIX interfaces are administratively shut down in the default configuration. To enable the interfaces, use the interface hardware-id hardware-speed command:

 firewall(config)# interface ethernet0 auto
 firewall(config)# interface ethernet1 auto

By default, the Ethernet0 (or FastEthernet0) hardware-id is considered the outside interface and the Ethernet1 (or FastEthernet1) hardware-id is considered the inside interface. The configuration of the interface itself is performed by the auto command word. This specifies that the interface speed should automatically be determined by the PIX rather than be specified by the administrator. You can also manually define the hardware speed (for example, 10 or 100).

The next step to configuring the interface is to assign a name and security level to the interface. By default, the outside interface has a security level of 0; the inside interface has a security level of 100. The name that you assign is the name that you can use throughout the configuration to easily identify a given interface. For example, this allows you to use inside to refer to the Ethernet1 interface. You can use the command nameif hardware-id if-name security-lvl to configure the interface name and security level:

 firewall(config)# nameif ethernet0 outside security0
 firewall(config)# nameif ethernet1 inside security100

With the interfaces now active and configured, the IP addresses can be assigned (it is just as possible to assign the IP addresses prior to enabling the interface, but the interfaces still will not work until enabled).

Assigning IP addresses is performed at the global configuration mode. The firewall supports static IP addresses on all interfaces and can also be configured to use DHCP or PPPoE-assigned addresses on the outside interface only. To assign a static IP address, use the ip address interface-name ip-address subnet-mask command:

 firewall(config)# ip address outside 10.19.24.1 255.255.255.0
 firewall(config)# ip ...
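
The three PIX 6.x interface steps described above (enable, name with a security level, assign an address) can be checked against a saved configuration. This is an added example, not part of the book excerpt: the function name audit_pix6 is hypothetical, the sample configuration is constructed, and the trailing shutdown keyword on an interface line is PIX 6.x syntax that the excerpt itself does not show.

```python
import ipaddress
import re

# Constructed sample config (not from the book); ethernet2 is left unconfigured.
SAMPLE_CONFIG = """\
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.19.24.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
"""

def audit_pix6(config):
    """Return {hardware-id: [findings]} for the three interface steps."""
    enabled, names, addrs = {}, {}, {}
    for line in config.splitlines():
        words = line.split()
        if len(words) >= 3 and words[0] == "interface":
            # interface hardware-id hardware-speed [shutdown]
            enabled[words[1]] = "shutdown" not in words[3:]
        elif len(words) == 4 and words[0] == "nameif":
            # nameif hardware-id if-name security-lvl
            level = re.fullmatch(r"security(\d+)", words[3])
            names[words[1]] = (words[2], int(level.group(1)) if level else None)
        elif len(words) == 5 and words[:2] == ["ip", "address"]:
            # ip address interface-name ip-address subnet-mask
            addrs[words[2]] = (words[3], words[4])
    report = {}
    for hw in sorted(set(enabled) | set(names)):
        findings = [] if enabled.get(hw) else ["interface not enabled"]
        name, level = names.get(hw, (None, None))
        if name is None:
            findings.append("no nameif")
        elif {"outside": 0, "inside": 100}.get(name, level) != level:
            findings.append(f"{name} has non-default security level {level}")
        if name not in addrs:
            findings.append("no ip address")
        else:
            try:
                ipaddress.ip_interface("/".join(addrs[name]))
            except ValueError:
                findings.append("invalid address or mask")
        report[hw] = findings
    return report

if __name__ == "__main__":
    print(audit_pix6(SAMPLE_CONFIG))
```

An empty findings list means all three steps are present for that interface; the outside and inside levels are compared with the defaults the text gives (0 and 100).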
