PIX Firewall modes

A Cisco PIX firewall can operate in one of two modes:

    • Routed Mode: This is the default mode. In Routed mode, the PIX firewall is a Layer-3 device and is seen as a network hop. It can perform NAT between connected networks and run OSPF, RIP and EIGRP (EIGRP from PIX OS version 8.0.4). This mode can support many interfaces.
    • Transparent Mode: A firewall in Transparent mode is a Layer-2 firewall that acts as a "bump in the wire" and is not seen as a network hop by connected devices. The inside and outside interfaces connect to the same IP subnet. Even though the firewall operates at Layer 2, Layer-3 traffic cannot pass through it unless explicitly allowed by an access-list. By default, the only traffic allowed through a transparent firewall is ARP.

Network Topology:

1. Routed Mode

Here, all PIX interfaces are assigned an IP address. 10.1.1.0/24 is the INSIDE network. 10.2.2.0/24 is the OUTSIDE network. The inside network is assigned the security-level of 100 while the outside network is assigned the security-level of 0.

PIX interfaces configuration

interface ethernet 0
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
interface ethernet 1
 nameif outside
 security-level 0
 ip address 10.2.2.1 255.255.255.0
!

Traffic is allowed from higher security-level to lower security-level (i.e. inside to outside) by default. However, traffic from outside to inside must be allowed explicitly using access-lists. OSPF is run within the network.

PIX OSPF configuration

router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 10.2.2.0 255.255.255.0 area 0
!
! Note: PIX OSPF uses the exact subnet mask here, not the IOS-style wildcard mask.

To allow traffic from outside to inside through the firewall, an ACL is configured and applied to the "outside" interface in the inbound direction (traffic coming "into" that interface).

Allowing traffic through PIX using ACLs

access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit ip any any
access-list 101 extended permit ospf any any
!
access-group 101 in interface outside
!
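
As an added illustration (not part of the original page and not PIX OS code), the following Python models the Routed-mode decision described above: traffic from the higher security-level interface passes by default, while traffic arriving on "outside" is matched against the inbound ACL, first match wins, implicit deny at the end. It parses the page's ACL 101 and also a hypothetical copy with the catch-all `permit ip any any` removed, which makes visible that the catch-all line renders the ICMP and OSPF entries irrelevant.

```python
import ipaddress
from typing import NamedTuple, Optional

# Security levels from the page's interface configuration (nameif -> level).
SECURITY_LEVEL = {"inside": 100, "outside": 0}

# The page's ACL 101, embedded here as constructed input.
PAGE_ACL = """
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit ip any any
access-list 101 extended permit ospf any any
"""
# Hypothetical tightened copy: same list without the catch-all entry.
TIGHT_ACL = "\n".join(l for l in PAGE_ACL.splitlines() if "permit ip any any" not in l)

class Ace(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str]

def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'net mask'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [icmp-type]' lines in order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue  # skip blank lines and anything that is not an extended ACE
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        aces.append(Ace(t[3], t[4], src, dst, rest[0] if rest else None))
    return aces

def permitted(aces, in_if, out_if, proto, src, dst, icmp_type=None):
    """Higher-to-lower security passes by default; otherwise the inbound ACL decides (implicit deny)."""
    if SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]:
        return True
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.proto == "icmp" and a.icmp_type and a.icmp_type != icmp_type:
            continue
        return a.action == "permit"
    return False
```

With the page's ACL, a telnet attempt from outside to inside is permitted by the catch-all; with the tightened copy it hits the implicit deny while OSPF and ICMP echo-reply still pass.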

The following output was taken once OSPF neighbors were discovered and full-adjacency was established.

PIX OSPF neighbors

PIX# show ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1       1   FULL/DR         0:00:33     10.1.1.1        inside
1.1.1.1           1   FULL/BDR        0:00:32     10.2.2.2        outside

2. Transparent Mode

To change the firewall mode from Routed to Transparent, use the firewall transparent command from global configuration mode. To revert to the default Routed mode, use the no firewall transparent command.

Transparent mode configuration

PIX# show firewall
Firewall mode: Router
PIX# configure terminal
PIX(config)# firewall transparent
PIX(config)# show firewall
Firewall mode: Transparent

When the PIX in Transparent mode is allowed to pass OSPF traffic in both directions, using the same ACL as in Routed mode above, the OSPF adjacency comes up directly between routers R1 and R2 through the firewall.

OSPF adjacency on R1

23:17:16.350: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0
from LOADING to FULL, Loading Done
R1# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:30    10.1.1.2        FastEthernet0/0
R1# show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/2] via 10.1.1.2, 00:00:23, FastEthernet0/0

When R1 pings 1.1.1.1, the PIX still inspects all the traffic passing through it, as the ICMP debug shows.

ICMP debug on PIX

PIX# debug icmp trace
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=0 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=0 len=72
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=1 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=1 len=72
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=2 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=2 len=72
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=3 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=3 len=72
ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=4 len=72
ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=4 len=72