Embedded Files
PIX Firewall modes
A Cisco PIX firewall can operate in one of two modes-
- Routed Mode- This is the default mode. In Routed mode, the PIX firewall is considered to be a network hop. It can perform NAT between connected networks, and run OSPF, RIP & EIGRP (PIX OS version 8.0.4). This mode can support many interfaces.
- Transparent Mode- A firewall in Transparent mode is a Layer-2 firewall that acts as a "bump in the fire" and is not seen as a network hop to connected devices. The firewall connects to the same network on inside and outside ports. Even though the firewall acts as a Layer-2 firewall, Layer-3 traffic cannot pass through the firewall unless explicitly allowed. The only traffic allowed through transparent firewall is ARP traffic by default.
Network Topology:
1. Routed Mode-
Here, all PIX interfaces are assigned an IP address. 10.1.1.0/24 is the INSIDE network. 10.2.2.0/24 is the OUTSIDE network. The inside network is assigned the security-level of 100 while the outside network is assigned the security-level of 0.
PIX interfaces configuration
interface ethernet 0 nameif inside security-level 100 ip address 10.1.1.2 255.255.255.0!interface ethernet 1 nameif outside security-level 0 ip address 10.2.2.1 255.255.255.0!Traffic is allowed from higher security-level to lower security-level (i.e. inside to outside) by default. However, traffic from outside to inside must be allowed explicitly using access-lists. OSPF is run within the network.
PIX OSPF configuration
router ospf 1 network 10.1.1.0 255.255.255.0 area 0 network 10.2.2.0 255.255.255.0 area 0!! Exact mask is used instead of wildcard mask.To allow traffic through the firewall, ACLs are configured and applied to "outside" interface for traffic coming "into" the interface.
Allowing traffic through PIX using ACLs
access-list 101 extended permit icmp any any echoaccess-list 101 extended permit icmp any any echo-replyaccess-list 101 extended permit icmp any any unreachableaccess-list 101 extended permit ip any anyaccess-list 101 extended permit ospf any any!access-group 101 in interface outside!The following output was taken once OSPF neighbors were discovered and full-adjacency was established.
PIX OSPF neighbors
PIX# show ospf neighborNeighbor ID Pri State Dead Time Address Interface192.168.1.1 1 FULL/DR 0:00:33 10.1.1.1 inside1.1.1.1 1 FULL/BDR 0:00:32 10.2.2.2 outside2. Transparent Mode-
To change firewall mode from Routed to Transparent, use firewall transparent command from global configuration mode. To revert back to default Router mode, use no firewall transparent command.
Transparent mode configuration
PIX# show firewallFirewall mode: RouterPIX# configure terminalPIX(config)# firewall transparentPIX(config)# show firewallFirewall mode: TransparentWhen the PIX is allowed to pass OSPF traffic both ways as above in Routed mode, OSPF adjacency comes UP between R1 & R2 routers.
OSPF adjacency on R1
23:17:16.350: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0from LOADING to FULL, Loading DoneR1# show ip ospf neighborNeighbor ID Pri State Dead Time Address Interface1.1.1.1 1 FULL/BDR 00:00:30 10.1.1.2 FastEthernet0/0R1# show ip route ospf 1.0.0.0/32 is subnetted, 1 subnetsO 1.1.1.1 [110/2] via 10.1.1.2, 00:00:23, FastEthernet0/0When R1 pings 1.1.1.1, PIX scans all the traffic going through it.
ICMP debug on PIX
PIX# debug icmp traceICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=0 len=72ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=0 len=72ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=1 len=72ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=1 len=72ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=2 len=72ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=2 len=72ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=3 len=72ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=3 len=72ICMP echo request from inside:10.1.1.1 to outside:1.1.1.1 ID=48 seq=4 len=72ICMP echo reply from outside:1.1.1.1 to inside:10.1.1.1 ID=48 seq=4 len=72Page updated
Google Sites
Report abuse