I couldn't get the links to work when I checked 'em for some reason - if you go to Cisco.com > Technical Support & Documentation > Security and VPN > Cisco PIX Firewall Software > Configuration Guides, this will give you all the configuration guides for the PIX range!
Originally posted here by HTRegz
Needless to say, you have in your hands a hardware firewall... not a router
It has its own internal IP address and supports DHCP for other computers, so why isn't it a router?
internal IP 192.168.0.1
February 9th, 2006, 06:13 PM
Originally posted here by Ghost_25inf It has its own internal IP address and supports DHCP for other computers, so why isn't it a router?
internal IP 192.168.0.1
It isn't a router because it's a firewall... Cisco makes several products.. Switches, Routers and Firewalls are the big three... they are all separate products, however some have crossover functions (Layer 3 switches for example)..
A PIX is a firewall... it's designed to be a firewall.. it supports static routes and can learn through RIP but it can't send its own RIP packets.
You don't generally buy a PIX to plug into a DSL or Cable modem... and have a small internal network, which is what you are describing, from the sounds of it... from the Cisco side you'd be looking at the 800 series routers.
If you're dealing with one IP address and no need for an actual router, then I suppose you can make the PIX work, however it still doesn't seem like the best idea... especially if you've never worked with them before... Have you asked them why they've decided to go with a hardware firewall and not a router.. even if it was just a crappy Linksys...
You're going to have to define your NAT pool, and then set up your translations... It's definitely not something that I would recommend doing.
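For the single-public-IP, small-inside-network case described in this post, a minimal PIX 6.x configuration that defines the NAT pool and the translations looks like the fragment below (an added example, not from the thread or from Cisco; the interface names, the inside host 192.168.0.10, the DHCP range and the outside address coming from the ISP via DHCP are assumptions). Lines starting with ':' are PIX comments.

```cisco
: --- interfaces and security levels (assumed: ethernet0 = outside, ethernet1 = inside)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
: outside address learned from the ISP's DHCP; setroute installs the default route
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0

: --- the NAT pool: everything on the inside network is in nat group 1 ...
nat (inside) 1 192.168.0.0 255.255.255.0
: ... and group 1 is PAT'd behind the single outside interface address
global (outside) 1 interface

: --- hand out inside addresses (assumed range); DNS/domain copied from the outside lease
dhcpd address 192.168.0.10-192.168.0.40 inside
dhcpd auto_config outside
dhcpd enable inside

: --- inbound is denied by default (low to high security). To expose one service,
:     add a static port redirection AND explicitly permit it on the outside interface.
:     Hypothetical inside web server 192.168.0.10:
static (inside,outside) tcp interface 443 192.168.0.10 443 netmask 255.255.255.255
access-list outside_in permit tcp any interface outside eq 443
access-group outside_in in interface outside

: --- management only from the inside network, over SSH rather than telnet
hostname pix
domain-name example.local
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 10
```

Without the access-list and access-group, the static alone does not let any outside traffic in; check the result with `show xlate` and `show access-list` once traffic has flowed.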
February 9th, 2006, 06:21 PM
Well, to tell you the truth I think they want me to understand Cisco in general. The firewall was purchased for me to learn; from there we have clients that have Cisco routers that we need to configure. Once I learn the firewall we will sell it to a customer to add to their network for security reasons. Thank you for the clarification on the differences of a firewall and router. Wasn't getting snotty about your post, just need to understand the differences.
February 9th, 2006, 06:29 PM
Originally posted here by Ghost_25inf Well, to tell you the truth I think they want me to understand Cisco in general. The firewall was purchased for me to learn; from there we have clients that have Cisco routers that we need to configure. Once I learn the firewall we will sell it to a customer to add to their network for security reasons. Thank you for the clarification on the differences of a firewall and router. Wasn't getting snotty about your post, just need to understand the differences.
It's all good... If they really want you to learn, get them to get you an 800 series... or an old 2500... even a 2600... prolly the 2600 would be better... but the 800's are nice to learn on... and nice to sell to small businesses...
Because there's a huge difference in command sets... also though... Cisco's not really a small business type name... (not sure on the size of your clients)... that's why they acquired Linksys to give them the SoHo/Home User business... but you'll definitely want to find some sort of Cisco router (or get them to buy you Boson RouterSim to play with)... because there are many differences between a Cisco router and a PIX.
February 9th, 2006, 09:48 PM
Here is a list of different commands I found on the firewall:
At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.
aaa Enable, disable, or view TACACS+, RADIUS or LOCAL
user authentication, authorization and accounting
aaa-server Define AAA Server group
access-group Bind an access-list to an interface to filter inbound traffic
access-list Add an ac
activation-key Modify activation-key.
age This command is deprecated. See ipsec, isakmp, map, ca commands
alias Administer overlapping addresses with dual NAT.
apply Apply outbound lists to source or destination IP addresses
arp Change or view arp table, set arp timeout value, view statistics
auth-prompt Customize authentication challenge, reject or acceptance prompt
auto-update Configure auto update support
banner Configure login/session banners
ca CEP (Certificate Enrollment Protocol)
Create and enroll RSA key pairs into a PKI
(Public Key Infrastructure).
capture Capture inbound and outbound packets on one or more interfaces
clock Show and set the date and time of PIX
conduit Add conduit access to higher security level network or ICMP
configure Configure from terminal, floppy, memory, network, or
factory-default. The configuration will be merged with the
active configuration except for factory-default in which case
the active configuration is cleared first.
copy Copy image or PDM file from TFTP server into flash.
console Set idle timeout for the serial console of the PIX
Crashinfo Read, write and configure crash write to flash. Force a crash.
crypto Configure IPsec, IKE, and CA
debug Debug packets or ICMP tracings through the PIX Firewall.
dhcpd Configure DHCP Server
dhcprelay Configure DHCP Relay Agent
disable Exit from privileged mode
domain-name Change domain name
dynamic-map Specify a dynamic crypto map template
eeprom show or reprogram the 525 onboard i82559 devices
enable Configure enable passwords
established Allow inbound connections based on established connections
failover Enable/disable PIX failover feature to a standby PIX
filter Enable, disable, or view URL, FTP, HTTPS, Java, and ActiveX filt
fixup Add or delete PIX service and feature defaults
flashfs Show, destroy, or preserve filesystem information
fragment Configure the IP fragment database
global Specify, delete or view global address pools,
or designate a PAT(Port Address Translated) address
help Help list
hostname Change host name
http Configure HTTP server
icmp Configure access for ICMP traffic that terminates at an interfac
interface Set network interface paremeters and configure VLANs
ip Set the ip address and mask for an interface
Define a local address pool
Configure Unicast RPF on an interface
Configure the Intrusion Detection System
ipsec Configure IPSEC policy
isakmp Configure ISAKMP policy
kill Terminate a telnet session
logout Exit from current user profile, and to unprivileged mode
logging Enable logging facili
mac-list Add a list of mac addresses using first match search
map Configure IPsec crypto map
memory System memory utilization
mgcp Configure the Media Gateway Control Protocol fixup
management-access Enable access to internal management interface
mroute Configure a multicast route
mtu Specify MTU(Maximum Transmission Unit) for an interface
multicast Configure multicast on an interface
name Associate a name with an IP address
nameif Assign a name to an interface
names Enable, disable or display IP address to name conversion
nat Associate a network with a pool of global IP addresses
ntp Configure Network Time Protocol
object-group Create an object group for use in 'access-list', 'conduit', etc
outbound Create an outbound access list
pager Control page length for pagination
passwd Change Telnet console access password
pdm Configure PIX Device Manager
ping Test connectivity from specified interface to <ip>
prefix-list Configure a prefix-list
privilege Configure/Display privilege levels for commands
quit Quit from the current mode, end configuration or logout
reload Halt and reload system
rip Broadcast default route or passive RIP
route Enter a static route for an interface
route-map Create a route-map.
router Create/configure OSPF routing process
routing Configure interface specific unicast routing parameters.
service Enable system services
setup Pre-configure PIX
shun Manages the filtering of packets from undesired hosts
sip Configure IP Address Privacy, show the current data stored for
each SIP session.
snmp-server Provide SNMP and event information
snmp Configure the SNMP fixup
ssh Add SSH access to PIX console, set idle timeout, display
list of active SSH sessions & terminate a SSH session
static Configure one-to-one address translation rule
sysopt Set system functional option
telnet Add telnet access to PIX console and set idle timeout
terminal Set terminal line parameters
tftp-server Specify default TFTP server address and directory
timeout Set the maximum idle times
url-cache Enable URL caching
url-block Enable URL pending block buffer and long URL support
url-server Specify a URL filter server
username Configure user authentication local database
virtual Set address for authentication virtual servers
vpdn Configure VPDN (PPTP, L2TP, PPPoE) Policy
vpnclient Configure Easy VPN Remote
vpngroup Configure group settings for Cisco VPN Clients and
Cisco Easy VPN Remote products
who Show active administration sessions on PIX
write Write config to net, flash, floppy, or terminal, or erase flash
February 9th, 2006, 10:14 PM
PIX hardening guide...
And no firewall administrator is complete without a hardening guide focused on the PIX and some methodology behind firewall administration - Get the Guide Here :D