Activity Objective:
- Execute general commands.
- Configure the boot system variable.
- Configure security appliance interfaces.
- Configure global address, NAT, and routing for inside and outside interfaces.
- Test the inside, outside, and DMZ interface connectivity.
- Configure syslog output to a syslog server.
pix(config)# write erase
Erase PIX configuration in flash memory? [confirm]
pix(config)# reload
Proceed with reload? [confirm]
Use the show commands to display the security appliance configuration and state on the terminal screen.
pix# show run
pix# show memory
pix# show version
pix# show history
Assign the name bastionhost to the server on your DMZ.
pixP(config)# name 172.16.P.2 bastionhost
pixP(config)# name 10.0.P.11 insidehost
Save your configuration to Flash memory.
pix(config)# write memory
Task 2: Configure the Boot System Variable
pixP(config)# show bootvar
BOOT variable = flash:/pix701.bin
Current BOOT variable = flash:/pix701.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
Determine if a version of the operating software
pixP(config)# dir
3 -rw- 5124096 13:37:33 Apr 12 2005 pix701.bin
If operating system software is stored in Flash memory, set the boot system variable
pixP(config)# boot system flash:/pix701.bin
Task 3: Configure Security Appliance Interfaces
Configure the outside interface Ethernet0 on the security appliance
pixP(config)# interface e0
pixP(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
pixP(config-if)# ip address 192.168.P.2 255.255.255.0
pixP(config-if)# speed 100
pixP(config-if)# duplex full
pixP(config-if)# no shut
pixP(config-if)# exit
pixP(config)# interface e2 (g0/2)
pixP(config-if)# nameif dmz
INFO: Security level for “dmz” set to 0 by default.
pixP(config-if)# ip address 172.16.P.1 255.255.255.0
pixP(config-if)# speed 100
pixP(config-if)# duplex full
pixP(config-if)# security 50
pixP(config-if)# no shut
pixP(config-if)# exit
pixP(config)# show interface
pixP(config)# show ip address
Task 4: Configure Global Addresses, NAT, and Routing for Inside and Outside Interfaces
(refer to SNPA_Lab04)
nat-control
global (outside) 1 10.10.10.4 netmask 255.255.255.0
global (dmz) 1 192.168.4.4 netmask 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
Task 5: Test the Inside, Outside, and DMZ Interface Connectivity
Complete the following steps to test and troubleshoot interface connectivity using the security appliance ping command.
Task 6: Configure Syslog Output to a Syslog Server
pixP(config)# logging on
pixP(config)# logging host inside insidehost
pixP(config)# logging trap debugging
pixP(config)# show logging
Open the Kiwi Syslog Daemon on your desktop.
Configure
Summary:
1. Adaptive Security Algorithm (ASA)
+ ASA is the stateful connection-handling algorithm that secures traffic through the PIX firewall.
+ Every packet is checked by ASA against the state information held in PIX memory.
+ Allows one-way outbound connections with minimal configuration.
+ Monitors the validity of return traffic.
+ Randomizes the first TCP sequence number.
2. Basic Interface Setup.
3. NAT Fundamental.
---> NAT is implemented in the security appliance with the nat and global commands.
+ The nat command can specify translation for a single host or a range of hosts.
+ The dynamic addresses are chosen from a mapped address pool that is created with the global command.
4. Show Commands.
5. NAT revisited.
+ Helps with the public IP address shortage.
+ Hides internal address schemes and enhances security.
+ Helpful when changing service providers.
+ The PIX supports two types of address translation: dynamic and static.
6. Port Address Translation (PAT).
+ PAT address = IP address + Source port number.
+ Multiplexes many addresses on Single IP address.
+ Sessions are distinct by port numbers.
+ One outside IP address can practically represent about 4000 inside host addresses.
+ PAT can map IP address to TCP and UDP ports.
+ PAT can be implemented with NAT.
+ Avoid PAT with Multimedia Applications.
7. Identify NAT.
8. Policy NAT Essentials:
+ Local traffic is identified for address translation by using access control lists (ACLs).
+ The ACL can be applied to the nat command or the static command.
+ The administrator can designate source address, destination address, and ports.
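The Task 4 configuration (nat (inside) 1 for 192.168.3.0/24 with a single-address global on the outside) is a PAT setup, and summary items 1, 3 and 6 describe what the appliance does with it: multiplex inside hosts onto one mapped address by source port, and admit return traffic only when it matches a connection that an inside host opened. The following is an added toy model of that behaviour written for this page, not PIX code; the port range, the conn/xlate table layout and the sample flows are constructed assumptions.

```python
import ipaddress

# Constructed from the lab's Task 4 rules (assumed, not PIX internals):
#   nat (inside) 1 192.168.3.0 255.255.255.0
#   global (outside) 1 10.10.10.4 netmask 255.255.255.0
# A single-address global pool means PAT: every inside host shares 10.10.10.4
# and sessions are distinguished by the translated source port.
INSIDE_NET = ipaddress.ip_network("192.168.3.0/24")
PAT_ADDRESS = "10.10.10.4"


class PatTable:
    """Toy stateful PAT table: an xlate per inside socket, a conn per session."""

    def __init__(self, first_port=1024, last_port=65535):
        self._free_ports = iter(range(first_port, last_port + 1))
        self.xlate = {}  # (inside_ip, inside_port) -> mapped outside port
        self.conn = {}   # (mapped_port, remote_ip, remote_port) -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside-to-outside packet: create or reuse a translation.

        Returns the translated (src_ip, src_port, dst_ip, dst_port), or None
        when no nat rule covers the source (dropped under nat-control) or the
        PAT port pool is exhausted.
        """
        if ipaddress.ip_address(src_ip) not in INSIDE_NET:
            return None
        key = (src_ip, src_port)
        if key not in self.xlate:
            mapped = next(self._free_ports, None)
            if mapped is None:
                return None  # pool exhausted: the one global IP is fully multiplexed
            self.xlate[key] = mapped
        mapped = self.xlate[key]
        self.conn[(mapped, dst_ip, dst_port)] = key  # remember the session
        return (PAT_ADDRESS, mapped, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Outside-to-inside packet: allowed only as return traffic for a known
        session. Returns the untranslated (inside_ip, inside_port), or None when
        the packet is unsolicited and would be dropped."""
        if dst_ip != PAT_ADDRESS:
            return None
        return self.conn.get((dst_port, src_ip, src_port))
```

Two inside hosts using the same source port get distinct mapped ports, and a reply is only untranslated when its source matches the remote side of the recorded session.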