PIX Firewall modes
A Cisco PIX firewall can operate in one of two modes:
- Routed Mode: This is the default mode. In Routed mode, the PIX firewall is considered a network hop. It can perform NAT between connected networks and run OSPF, RIP & EIGRP (PIX OS version 8.0.4). This mode can support many interfaces.
- Transparent Mode: A firewall in Transparent mode is a Layer-2 firewall that acts as a "bump in the wire" and is not seen as a network hop by connected devices. The firewall connects to the same network on its inside and outside ports. Even though the firewall operates at Layer 2, Layer-3 traffic cannot pass through it unless explicitly allowed; by default the only traffic allowed through a transparent firewall is ARP.
Network Topology:
1. Routed Mode:
Here, all PIX interfaces are assigned an IP address. 10.1.1.0/24 is the INSIDE network and 10.2.2.0/24 is the OUTSIDE network. The inside interface is assigned security-level 100, while the outside interface is assigned security-level 0.
PIX interfaces configuration
interface ethernet 0
nameif inside
security-level 100
ip address 10.1.1.2 255.255.255.0
!
interface ethernet 1
nameif outside
security-level 0
ip address 10.2.2.1 255.255.255.0
!
Traffic is allowed from a higher security-level to a lower security-level (i.e. inside to outside) by default. Traffic from outside to inside, however, must be allowed explicitly using access-lists. OSPF is run within the network.
PIX OSPF configuration
router ospf 1
network 10.1.1.0 255.255.255.0 area 0
network 10.2.2.0 255.255.255.0 area 0
!
! Exact mask is used instead of wildcard mask.
To allow traffic through the firewall, an ACL is configured and applied to the "outside" interface in the inbound direction, i.e. for traffic coming "into" that interface.
Allowing traffic through PIX using ACLs
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit ip any any
access-list 101 extended permit ospf any any
!
access-group 101 in interface outside
!
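The list above ends with permit ip any any, which admits every IP protocol inbound on the outside interface; the later permit ospf any any entry can therefore never be hit, and the three ICMP entries are not what actually lets the traffic through. The following Python script is an added example, not part of the original page or of PIX OS, that parses access-list lines in the syntax used above and reports blanket permits and entries shadowed by an earlier entry. It handles only the any, host and network/mask address forms shown on the page (no object-groups or port operators), and the sample list is the one from this page.

```python
"""Static review of a PIX extended access-list.

Added example (not from the original page or from PIX OS): parses lines of
the form 'access-list <name> extended permit|deny <proto> <src> <dst>
[<icmp-type>]' and reports (1) blanket 'permit ip any any' entries and
(2) entries that an earlier entry already fully covers, so they never match.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Address forms used on the page: any | host A.B.C.D | A.B.C.D M.M.M.M
_ADDR = r"any|host [\d.]+|(?:\d{1,3}\.){3}\d{1,3} (?:\d{1,3}\.){3}\d{1,3}"
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>{_ADDR}) (?P<dst>{_ADDR})(?: (?P<opt>\S+))?$"
)


@dataclass(frozen=True)
class Ace:
    line_no: int
    name: str
    action: str
    proto: str
    src: str
    dst: str
    opt: Optional[str]  # ICMP type on icmp entries, else None


def parse_acl(text: str) -> List[Ace]:
    """Parse access-list lines; '!' separators and other commands are skipped."""
    aces: List[Ace] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())          # normalise whitespace
        if not line.startswith("access-list"):
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"line {n}: unsupported ACE syntax: {line}")
        aces.append(Ace(n, m["name"], m["action"], m["proto"],
                        m["src"], m["dst"], m["opt"]))
    return aces


def _addr_covers(broad: str, narrow: str) -> bool:
    """True if every address matched by 'narrow' is also matched by 'broad'."""
    return broad == "any" or broad == narrow


def _proto_covers(broad: str, narrow: str) -> bool:
    """'ip' matches every IP protocol (icmp, ospf, tcp, ...)."""
    return broad == "ip" or broad == narrow


def shadows(earlier: Ace, later: Ace) -> bool:
    """True when 'earlier' matches every packet 'later' would match, which
    makes 'later' unreachable whatever the action of either entry."""
    if earlier.name != later.name:
        return False
    if not _proto_covers(earlier.proto, later.proto):
        return False
    if not (_addr_covers(earlier.src, later.src)
            and _addr_covers(earlier.dst, later.dst)):
        return False
    # An icmp entry with no type covers one with a type, not the other way.
    return earlier.opt is None or earlier.opt == later.opt


def review_acl(text: str) -> List[str]:
    """Return one finding string per problem, in list order."""
    findings: List[str] = []
    aces = parse_acl(text)
    for i, ace in enumerate(aces):
        if (ace.action, ace.proto, ace.src, ace.dst) == ("permit", "ip", "any", "any"):
            findings.append(f"line {ace.line_no}: 'permit ip any any' admits all traffic")
        for prev in aces[:i]:
            if shadows(prev, ace):
                findings.append(f"line {ace.line_no}: never matches, shadowed by line {prev.line_no}")
                break
    return findings


# The access-list from this page, as applied inbound on the outside interface.
PAGE_ACL = """\
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit ip any any
access-list 101 extended permit ospf any any
!
access-group 101 in interface outside
"""

if __name__ == "__main__":
    for finding in review_acl(PAGE_ACL):
        print(finding)
```

Run against the page's list it reports line 4 as a blanket permit and line 5 as shadowed by line 4. In this lab permitting everything is deliberate; on a production outside interface the ICMP and OSPF entries would be kept on their own and the ip any any line dropped, so that the list actually enforces something.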
The following output was taken once the OSPF neighbors had been discovered and full adjacency had been established.
PIX OSPF neighbors
PIX# show ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.1.1 1 FULL/DR 0:00:33 10.1.1.1 inside
1.1.1.1 1 FULL/BDR 0:00:32 10.2.2.2 outside
2. Transparent Mode:
To change the firewall mode from Routed to Transparent, use the firewall transparent command in global configuration mode. To revert to the default Router mode, use the no firewall transparent command.
Transparent mode configuration
PIX# show firewall
Firewall mode: Router
PIX# configure terminal
PIX(config)# firewall transparent
PIX(config)# show firewall
Firewall mode: Transparent
When the PIX is allowed to pass OSPF traffic in both directions, as configured above in Routed mode, the OSPF adjacency comes up between routers R1 and R2.
OSPF adjacency on R1
23:17:16.350: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R1# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/BDR 00:00:30 10.1.1.2 FastEthernet0/0
R1# show ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 10.1.1.2, 00:00:23, FastEthernet0/0
When R1 pings 1.1.1.1, the PIX inspects all the traffic passing through it.
ICMP debug on PIX
PIX# debug icmp trace
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=0 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=0 len=72
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=1 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=1 len=72
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=2 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=2 len=72
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=3 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=3 len=72
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=4 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=4 len=72
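Debug output like the above is most useful when something is missing from it. The following Python script is an added example, not code or output from the original page, that parses debug icmp trace lines in the format shown, pairs each echo request with the reply travelling the opposite way (same ICMP ID and sequence, source and destination swapped), and lists requests that never received a reply. The sample input is the trace above plus one constructed request with seq=5 that has no reply.

```python
"""Pair ICMP echo requests with replies in PIX 'debug icmp trace' output.

Added example (not from the original page): each request is keyed by
(source, destination, ICMP ID, sequence); its reply flows in the reverse
direction with the same ID and sequence.  Requests still unanswered at the
end of the trace are the lines an operator wants when a ping through the
firewall fails: the firewall forwarded the request but never saw the reply.
"""
import re
from typing import List, Set, Tuple

# One 'debug icmp trace' line in the format printed on the page.
TRACE_RE = re.compile(
    r"^ICMP echo (?P<kind>request|reply) "
    r"from (?P<sif>\w+):(?P<sip>[\d.]+) to (?P<dif>\w+):(?P<dip>[\d.]+) "
    r"ID=(?P<id>\d+) seq=(?P<seq>\d+) len=(?P<len>\d+)$"
)

# (source IP, destination IP, ICMP identifier, sequence number)
Key = Tuple[str, str, int, int]


def parse_trace(text: str) -> List[dict]:
    """Return one dict per recognised trace line; other lines are ignored."""
    events: List[dict] = []
    for raw in text.splitlines():
        m = TRACE_RE.match(raw.strip())
        if m is None:
            continue                      # prompt, debug command, blank line
        ev = m.groupdict()
        for field in ("id", "seq", "len"):
            ev[field] = int(ev[field])
        events.append(ev)
    return events


def pair_echoes(text: str) -> dict:
    """Match each request with the reply travelling the opposite way."""
    pending: Set[Key] = set()             # requests not yet answered
    answered = 0
    stray: List[Key] = []                 # replies with no preceding request
    for ev in parse_trace(text):
        key: Key = (ev["sip"], ev["dip"], ev["id"], ev["seq"])
        if ev["kind"] == "request":
            pending.add(key)
            continue
        # The reply swaps source and destination and echoes ID and seq back.
        reverse: Key = (ev["dip"], ev["sip"], ev["id"], ev["seq"])
        if reverse in pending:
            pending.discard(reverse)
            answered += 1
        else:
            stray.append(key)
    return {
        "answered": answered,
        "unanswered": sorted(pending),
        "stray_replies": stray,
    }


# Constructed sample: the trace from the page plus one extra request (seq=5)
# that never gets a reply, to show what a lost packet looks like.
SAMPLE_TRACE = """\
PIX# debug icmp trace
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=0 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=0 len=72
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=1 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=1 len=72
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=2 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=2 len=72
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=3 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=3 len=72
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=4 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=4 len=72
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=5 len=72
"""

if __name__ == "__main__":
    print(pair_echoes(SAMPLE_TRACE))
```

On the page's own ten lines every request is answered; with the constructed seq=5 request appended, the summary lists it under unanswered. A reply appearing with no earlier request (stray_replies) is the other case worth noticing, since it means the trace started mid-flow or the request entered the firewall on a path the debug did not cover.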