Basic PIX Firewall Configuration
    enable
    config t
    hostname BostonPIX
    name 200.0.1.2 bastionhost
    name 200.0.1.3 dns-server
    name 10.0.1.2 insidehost
    nameif e2 dmz security50
    interface e0 100full
    interface e1 100full
    interface e2 100full
    ip address inside 10.0.1.1 255.255.255.0
    ip address dmz 200.0.1.1 255.255.255.0
    ip address outside 172.16.1.1 255.255.255.0
    global (outside) 1 172.16.1.20-172.16.1.254 netmask 255.255.255.0
    nat (inside) 1 10.0.1.0 255.255.255.0
    route outside 0 0 172.16.1.1
    write mem
    !

Step 11. Test the operation of the global and NAT statements:

a. Open a web browser on the Inside Host (configured with IP address 10.0.1.2).

b. Use the web browser to access the Boston Web server at IP address 11.0.11.1: http://11.0.11.1

Your attempt to show the Boston web page should fail. The Boston router does not know how to return information to the PIX yet.

c. Observe the translation table in HyperTerminal:

    show xlate

The display should look like this:

    1 in use, 1 most used
    Global 172.16.1.20 Local insidehost

The PIX chooses a low-end global address to represent the inside host.

Step 12. Test the Inside, Outside, and DMZ Interface Connectivity:
a. First you must enable/permit ping. We will use an old ACL method, the conduit command:

    conduit permit icmp any any

b. Then ping the inside interface from inside the PIX:

    ping 10.0.1.1
    10.0.1.1 response received -- 10ms
    10.0.1.1 response received -- 10ms
    10.0.1.1 response received -- 10ms

c. Ping the inside host:

    ping insidehost
    insidehost response received -- 10ms
    insidehost response received -- 10ms
    insidehost response received -- 10ms

d. Ping the outside interface:

    ping 172.16.1.1
    172.16.1.2 response received -- 10ms
    172.16.1.2 response received -- 10ms
    172.16.1.2 response received -- 10ms

e. Ping the backbone router:

    ping 172.16.1.2
    172.16.1.2 response received -- 10ms
    172.16.1.2 response received -- 10ms
    172.16.1.2 response received -- 10ms

f. Ping the DMZ interface:

    ping 200.0.1.1
    200.0.1.1 response received -- 10ms
    200.0.1.1 response received -- 10ms
    200.0.1.1 response received -- 10ms

g. Ping the bastion host:

    ping bastionhost
    bastionhost response received -- 10ms
    bastionhost response received -- 10ms
    bastionhost response received -- 10ms
Step 13. Test connectivity from the Inside Host to the External Host
Ping 11.0.13.2
Were you successful?
The pings should know where to go, but they don’t know how to get back yet. See Lab 13.
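
An added example, not part of the original lab: a short Python review of the global, nat and conduit lines used in Steps 11 and 12. It returns the lowest pool address (the one show xlate reports for the first inside host), compares the pool size with the inside network, and flags the any-any conduit. The function names and the embedded config string are assumptions made for this example.

```python
import ipaddress

# Constructed sample: the NAT and conduit lines from this lab, one per line.
LAB_CONFIG = """\
global (outside) 1 172.16.1.20-172.16.1.254 netmask 255.255.255.0
nat (inside) 1 10.0.1.0 255.255.255.0
conduit permit icmp any any
"""

def parse(config):
    """Collect global pools, nat rules and conduits from PIX-style config text."""
    pools, nats, conduits = {}, {}, []
    for line in config.splitlines():
        tok = line.split() or [""]
        if tok[0] == "global":      # global (if) id first-last netmask mask
            first, _, last = tok[3].partition("-")
            pools[tok[2]] = (ipaddress.ip_address(first),
                             ipaddress.ip_address(last or first))
        elif tok[0] == "nat":       # nat (if) id network mask
            nats[tok[2]] = (tok[1].strip("()"),
                            ipaddress.ip_network(f"{tok[3]}/{tok[4]}"))
        elif tok[0] == "conduit":   # conduit action protocol ...
            conduits.append(tok[1:])
    return pools, nats, conduits

def audit(config):
    """Return review findings for the parsed config as a list of strings."""
    pools, nats, conduits = parse(config)
    findings = []
    for nat_id, (ifc, net) in nats.items():
        if nat_id not in pools:
            findings.append(f"nat id {nat_id} on {ifc} has no matching global pool")
            continue
        lo, hi = pools[nat_id]
        size = int(hi) - int(lo) + 1
        hosts = net.num_addresses - 2   # usable host addresses in the subnet
        if hosts > size:                # pool can run out before the subnet does
            findings.append(f"nat id {nat_id}: {hosts} inside hosts, {size} global addresses")
    for c in conduits:
        if c[0] == "permit" and c[-2:] == ["any", "any"]:
            findings.append(f"conduit permits {c[1]} from any source to any destination")
    return findings

def first_global(config, nat_id="1"):
    """Lowest pool address; the lab text says the PIX picks a low-end address."""
    return str(parse(config)[0][nat_id][0])

if __name__ == "__main__":
    print(first_global(LAB_CONFIG))
    print(*audit(LAB_CONFIG), sep="\n")
```

With a pool smaller than the inside subnet and no PAT address configured, inside hosts that arrive after the pool is used up get no translation.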