pixfirewall help
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: pixfirewall help

  1. #1
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648

    pixfirewall help

    Hello AO

    Well my company wants me to learn Cisco routers and they gave me a PIX 501 firewall router and i understand how to get into the router and some basic commands like:

    enable = administration mode
    disable = user mode
    configure = enter into configuration mode
    terminal = terminal mode
    memory = memory mode

    and other well known commands like:
    ping
    passwrd
    kill
    logout
    copy
    help or ?

    what im looking for is other commands that can help me in configuring the router so that I can support this router for our customers.

    Can you add some commands and explain alittle about what that command does. Thank you.
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Well I can help you solve this rather quickly...


    PIX != Router

    That can't be emphasised enough... The only way that pix is routing is with static routes... (or I suppose RIP learned routes if you really want to run RIP on it)...

    Needless to say, you have in your hands a hardware firewall... not a router.... What functions do you want to perform, we may be able to recommend a device that will do the trick for you.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Not sure how much you know, or need to know but these three links may be of help to you!

    Configuration Manual:
    http://www.cisco.com/en/US/products/...ides_list.html

    Tech overview
    http://www.cisco.com/en/US/products/...080091b18.html

    Hardware Inst http://www.cisco.com/en/US/products/...080172799.html

    I couldnt get the links to work when I checked em for some reason - if you goto Cisco.com > Technical Support & Documentation > Security and VPN > Cisco PIX Firewall Software > Configuration Guides , this will give you all the configuration giudes for the PIX range!
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  4. #4
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    DjM

  5. #5
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    Originally posted here by HTRegz

    Needless to say, you have in your hands a hardware firewall... not a router
    HT
    It has its own internal IP address and suppports DHCP for other computers so why isnt it a router?

    internal IP 192.168.0.1
    external 69.145.xxx.xxx
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  6. #6
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by Ghost_25inf
    It has its own internal IP address and suppports DHCP for other computers so why isnt it a router?

    internal IP 192.168.0.1
    external 69.145.xxx.xxx
    It isn't a router because it's a firewall... cisco makes several products.. Switches, Routers and Firewalls are the big three... they are all seperate products, however some have cross over functions (Layer 3 switches for example)..

    A Pix is a firewall... it's designed to be a firewall.. it supports static routes and can learn through RIP but it can't send it's own RIP packets.

    Basic Concept

    Inside Router --- Pix --- Perimeter Router --- ISP
    or
    Inside Router --- Pix --- ISP

    You don't generally buy a Pix to plug into a DSL or Cable modem... and have a small internal network, which is what you a describing, from the sounds of it... from the cisco side you'd be looking at the 800 series routers.

    If you're dealing with one IP Address and no need for an actual router, then I suppose you can make the Pix work, however it still doesn't seem like the best idea... especially if you've never worked with them before... Have you asked them why they've decided to go with a hardware firewall and not a router.. even if it was just a crappy linksys...

    you're going to have to define your NAT pool, and then setup your translations... It's definately not something that I would recommend doing.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  7. #7
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    Well to tell you the truth I think they want me to understand cisco in general. the firewall was purchased for me to learn, from there we have clients that have cisco routers that we need to configure. Once I learn the firewall we will sell it to a customer to add to there network for security reasons. thank you for the clerifaction on the differences of a firewall and router. wasnt getting snotty about your post just need to understand the differences.
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  8. #8
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by Ghost_25inf
    Well to tell you the truth I think they want me to understand cisco in general. the firewall was purchased for me to learn, from there we have clients that have cisco routers that we need to configure. Once I learn the firewall we will sell it to a customer to add to there network for security reasons. thank you for the clerifaction on the differences of a firewall and router. wasnt getting snotty about your post just need to understand the differences.
    It's all good... If they really want you to learn, get them to get you an 800 series... or a old 2500... even a 2600... prolly the 2600 would be better... bu tthe 800's are nice to learn on... and nice to sell to small businesses...

    Because there's a huge difference in command sets... also though... Cisco's not really a small business type name... (not sure on the size of your clients)... that's why they acquired linksys to give them the SoHo/Home User business... but you'll definately want to find some sort of cisco router (or get them to buy you Boson RouterSim to play with)... because there are many differences between a cisco router and a pix
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  9. #9
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    here is a list of different commands I found on the firewall:

    pixfirewall(config)# ?

    At the end of show <command>, use the pipe character '|' followed by:
    begin|include|exclude|grep [-v] <regular_exp>, to filter show output.

    aaa Enable, disable, or view TACACS+, RADIUS or LOCAL
    user authentication, authorization and accounting
    aaa-server Define AAA Server group
    access-group Bind an access-list to an interface to filter inbound traffic
    access-list Add an ac
    activation-key Modify activation-key.
    age This command is deprecated. See ipsec, isakmp, map, ca commands
    alias Administer overlapping addresses with dual NAT.
    apply Apply outbound lists to source or destination IP addresses
    arp Change or view arp table, set arp timeout value, view statistics

    auth-prompt Customize authentication challenge, reject or acceptance prompt
    auto-update Configure auto update support
    banner Configure login/session banners
    ca CEP (Certificate Enrollment Protocol)
    Create and enroll RSA key pairs into a PKI
    (Public Key Infrastructure).
    capture Capture inbound and outbound packets on one or more interfaces
    clock Show and set the date and time of PIX
    conduit Add conduit access to higher security level network or ICMP
    configure Configure from terminal, floppy, memory, network, or
    factory-default. The configuration will be merged with the
    active configuration except for factory-default in which case
    the active configuration is cleared first.
    copy Copy image or PDM file from TFTP server into flash.
    console Set idle timeout for the serial console of the PIX
    Crashinfo Read, write and configure crash write to flash. Force a crash.
    crypto Configure IPsec, IKE, and CA
    debug Debug packets or ICMP tracings through the PIX Firewall.
    dhcpd Configure DHCP Server
    dhcprelay Configure DHCP Relay Agent
    disable Exit from privileged mode
    domain-name Change domain name
    dynamic-map Specify a dynamic crypto map template
    eeprom show or reprogram the 525 onboard i82559 devices
    enable Configure enable passwords
    established Allow inbound connections based on established connections
    failover Enable/disable PIX failover feature to a standby PIX
    filter Enable, disable, or view URL, FTP, HTTPS, Java, and ActiveX filt
    ering
    fixup Add or delete PIX service and feature defaults
    flashfs Show, destroy, or preserve filesystem information
    fragment Configure the IP fragment database
    global Specify, delete or view global address pools,
    or designate a PAT(Port Address Translated) address
    help Help list
    hostname Change host name
    http Configure HTTP server
    icmp Configure access for ICMP traffic that terminates at an interfac
    e
    interface Set network interface paremeters and configure VLANs
    ip Set the ip address and mask for an interface
    Define a local address pool
    Configure Unicast RPF on an interface
    Configure the Intrusion Detection System
    ipsec Configure IPSEC policy
    isakmp Configure ISAKMP policy
    kill Terminate a telnet session
    logout Exit from current user profile, and to unprivileged mode
    logging Enable logging facili
    mac-list Add a list of mac addresses using first match search
    map Configure IPsec crypto map
    memory System memory utilization
    mgcp Configure the Media Gateway Control Protocol fixup
    management-access Enable access to internal management interface
    mroute Configure a multicast route
    mtu Specify MTU(Maximum Transmission Unit) for an interface
    multicast Configure multicast on an interface
    name Associate a name with an IP address
    nameif Assign a name to an interface
    names Enable, disable or display IP address to name conversion
    nat Associate a network with a pool of global IP addresses
    ntp Configure Network Time Protocol
    object-group Create an object group for use in 'access-list', 'conduit', etc
    outbound Create an outbound access list
    pager Control page length for pagination
    passwd Change Telnet console access password
    pdm Configure PIX Device Manager
    ping Test connectivity from specified interface to <ip>
    prefix-list Configure a prefix-list
    privilege Configure/Display privilege levels for commands
    quit Quit from the current mode, end configuration or logout
    reload Halt and reload system
    rip Broadcast default route or passive RIP
    route Enter a static route for an interface
    route-map Create a route-map.
    router Create/configure OSPF routing process
    routing Configure interface specific unicast routing parameters.
    service Enable system services
    setup Pre-configure PIX
    shun Manages the filtering of packets from undesired hosts
    sip Configure IP Address Privacy, show the current data stored for
    each SIP session.
    snmp-server Provide SNMP and event information
    snmp Configure the SNMP fixup
    ssh Add SSH access to PIX console, set idle timeout, display
    list of active SSH sessions & terminate a SSH session
    static Configure one-to-one address translation rule
    sysopt Set system functional option
    telnet Add telnet access to PIX console and set idle timeout
    terminal Set terminal line parameters
    tftp-server Specify default TFTP server address and directory
    timeout Set the maximum idle times
    url-cache Enable URL caching
    url-block Enable URL pending block buffer and long URL support
    url-server Specify a URL filter server
    username Configure user authentication local database
    virtual Set address for authentication virtual servers
    vpdn Configure VPDN (PPTP, L2TP, PPPoE) Policy
    vpnclient Configure Easy VPN Remote
    vpngroup Configure group settings for Cisco VPN Clients and
    Cisco Easy VPN Remote products
    who Show active administration sessions on PIX
    write Write config to net, flash, floppy, or terminal, or erase flash
    pixfirewall(config)#
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  10. #10
    Member aciscorouter's Avatar
    Join Date
    Mar 2002
    Location
    Brampton, ON, Canada
    Posts
    35

    PIX hardening guide...

    And no firewall administrator is complete without a hardening guide foucussed on the PIX and some methodology behind firewall administration - Get the Guide Here
    aCISCOrouter

    "I used up all my sick days, so Iím calling in dead."
    http://www.facebook.com/profile.php?id=554370423

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •