Вы находитесь на странице: 1из 10


Cisco’s PIX firewall is one of the more common hardware devices used to protect small-
to medium-size networks from outside attacks. Correctly configured PIX also helps you
maintain some level of control over resources that internal users can access. In this
article, we’ll walk through the steps to get a PIX firewall up and running in a useful

We’ll be using the relatively lightweight PIX 501 for our example setup. The PIX 501
includes a console port, a WAN port, four 10/100 Ethernet ports, and it supports up to 10
internal IP addresses as well as optional DES encryption. We’ll be installing under PIX
management software version 6.2(1). Your configuration steps may differ slightly from
the ones presented in this article if you’re using a different version of the software.

Getting started

First of all, physically install your PIX where you’ll be able to connect it to both the
network and directly to a Windows-based PC via a serial cable. The new PIX operating
system includes two methods of management, either from the command line or the Pix
Device Manager (PDM), a Web-based GUI that can handle almost the entire
configuration process. Of course, you’ll have to use the command line to set up an IP
address for the PIX before you actually are able to use the PDM.
The default IP address

The PIX 501 assigns an address of to the PIX to be accessed from the
internal network. In the likely case that we are willing to accept this default, we could
skip the command line setup on this particular unit. We’ll walk through the IP assignment
process here to give a more thorough overview of the configuration steps for other PIX

To begin the configuration process, you must connect your administrative PC to the PIX
via HyperTerminal. Simply link the PIX’s console port to the PC via the serial cable. In
HyperTerminal, set the baud rate to 9600. Once connected, the PIX ask you to do some
basic configuration via a number of prompts at the command line.

The command line setup process

Listing A provides a transcript of our sample setup routine for our PIX 501. The items in
bold are our responses to the prompts. We’ve also included a few notes about some of the

Listing A
Pre-configure PIX Firewall now through interactive prompts [yes]? yes
Enable password [<use current password>]: admin123

Note: The password that will be used to make configuration changes to the PIX.
Clock (UTC):
Year [2008]: 2008
Month [Aug]: Aug
Day [8]: 7
Time [11:15:30]: 11:15:00

Note: Set the date and time on the PIX.

Inside IP address:

Note: The IP address (on the local network) that will be used on the LAN side of the PIX,
as well as the default gateway for the devices on the network.
Inside network mask:
Note: The subnet mask that goes along with your internal IP address
Host name: Mypix

Note: Assigns a name to your firewall. You’ll see this question every time you use the
command line.
Domain name: myowndomain.com

Note: This is your domain name. Configuring this will expedite the routing of internal
IP address of host running PIX Device Manager:

Note: Restricts what devices are allowed to configure the PIX via the GUI
The following configuration will be used:
Enable password: admin123
Clock (UTC): 11:15:00 Aug 7 2008
Inside IP address:
Inside network mask:
Host name: Mypix
Domain name: myowndomain.com
IP address of host running PIX Device Manager:
Use this configuration and write to flash? yes
Building configuration...
Cryptochecksum: 988d9391 701b1c05 1175826a 1278dea5

End of Listing A

Getting current

If you have a new PIX, you should check the version of the management software
installed on it using the version command at the command prompt. To do an upgrade,
you’ll need to download the newest images from the Cisco support Web site. You’ll need
a support contract on your firewall to successfully download the upgrade. It is always
recommended support contracts on single points of failure in a network; the contracts
aren’t terribly expensive considering how much they can end up saving you. If you do not
have a support contract, you’ll have to register your product and purchase a contract on
the Customer Registration page.

As of this writing, the most current PIX software image available is 6.2.1 / 6.3.x (login
required) and the PIX Device Manager is in version 2.0.1 / PDM v3.0(2) (login required).
Going to the new PDM is critical if you want to use VPNs because version 1.x does not
support their configuration. The files are named pix621.bin and pdm-201.bin,

The PIX software

Installing the newest version of the PIX software is as easy as following these steps:

1. 1. Save the PIX files into a directory accessible by your TFTP server. If you
need a TFTP server, Cisco provides one for free.
2. 2. Connect via HyperTerminal to make sure the serial link is still working.
3. 3. Reboot the PIX by either power cycling it or issuing a reboot command at
the command line.
4. 4. When a message appears indicating that the configuration is about to load
from flash, press [Esc] to put the PIX into monitor mode.
5. 5. Provide the PIX with some information about its addressing and where it
can find your TFTP server, as well as the name of the binary to install. We entered
the information in Table A for our set up.

Table A
Value Purpose
address Internal address of the PIX.
server IP address of my TFTP server.
file pix621.bin Name of the file to download.
tftp Starts the TFTP transfer of the new image.

When the install routine is complete, elect to save this image to flash. The unit will reboot
with the new PIX software loaded.

Updating the PDM software

My PIX 501 came with version 1.x of the PDM, which is out-of-date. To upgrade it, I
used the copy tftp:// flash:pdm command at the PIX prompt to
update the GUI tool.

Move to the GUI

Once you’ve completed the basic configuration, you’ll be able to use the PDM to
complete the installation. From the workstation with the IP address that you provided in
the command-line configuration, you can browse to your PIX using HTTPS. For my
installation, I will browse to The PDM works with any browser that
supports Java and JavaScript, but Internet Explorer 5.0 or higher is recommended.

You’ll be asked to provide a username and password to access the PDM. The PIX PDM
does not use a username, but it does use the password field, which needs to match the
enable password that we configured during the command-line setup. For our
configuration, this password is “admin”.

The PDM will ask you whether or not you want to install the PDM software. Choosing
either Grant Always or Grant This Session will allow the connection either every time or
just this once, respectively. The other option is to deny the session by clicking Deny.
We’ll choose the Grant Always option.

Next, the PDM informs us that since this is the first time the PDM has been used, it must
do a one-time configuration. We’ll allow this by choosing the Proceed button. The PDM
then loads the configuration from your PIX and populates the various GUI screens with
that information. The final result is the opening screen for the PDM, shown in Figure A.

Figure A

The PDM provides a number of configuration screens.

The tabs
Each of the PDM’s tabs represent a different service.

• · Access Rules: Shows your network access policy listed as rules. If you have
used Checkpoint’s policy editor software, the look and feel of this tab will be
somewhat familiar.
• · Translation Rules: Shows your NAT and PAT (port address translation)
• · VPN: Lets you set up your VPN configuration.
• · Hosts/Networks: Lets you edit the list of hosts and networks defined for a
selected interface. Access rules reference these hosts and networks.
• · System Properties: Lets you make changes to the configuration of network
• · Monitoring: Lets you watch various aspects of the system.

Basic configuration

The PIX needs to have certain parameters supplied to it before it can begin its work.
While some of these parameters, such as the internal IP address, were defined during the
initial command line configuration, the PIX still needs some vital information, such as
the outside interface IP address and Access rules.

Setting up the outside interface

On our PIX 501, the inside interface is set to and the outside interface is
configured to obtain an IP address from my ISP’s DHCP server. If you want to assign a
static IP address to this interface, you can do this from the PDM’s System Properties tab,
as shown in Figure B.

Figure B

You can configure the interface from the System Properties tab.
As you can see in the Interfaces table shown in Figure B, we have two interfaces on my
PIX 501: inside and outside. These interface names were assigned during the initial
system configuration; the inside interface name can be changed to anything you want. To
change the IP address of an interface, select the interface entry in the list and then click
the Edit button at the bottom of the screen to open the Edit Interface screen shown in
Figure C. we’ve set the IP address of the WAN interface to and retained the
name “outside.”

Figure C

Making addressing changes is easy with the PDM.

We click OK and return to the main PDM window, where the now-active Apply To PIX
button will let me save my changes in this session. To make our changes permanent, we’ll
need to save them to flash on the PIX. As shown in Figure D, the PDM lets you know
when a flash save is needed; simply clicking the message will write the new
configuration to the PIX. Once you save to flash, the message goes away.
Figure D

The PDM lets you know when you need to save to flash.

Access rules
Access rules form the basis of the PIX’s security policies and need to be carefully
administered. Many organizations have access rules that allow certain traffic, such as
SMTP, to traverse the firewall from the outside, or they block the use of a specific
service, such as IM, from inside the firewall.

Let’s suppose you want to block access to a specific Web site, such as
www.whitehouse.com. First, you need to look up the IP address for
www.whitehouse.com, which happens to be On the PDM’s Access Rules
tab, right-click anywhere and choose Add from the shortcut menu.

In Figure E, I have configured the PIX to deny all traffic from the inside interface to the
IP address on the outside.

Figure E
Blocking access to a Web site is a snap with the PDM.

When I click OK, I get a message indicating that the host does not exist on the outside
network, and PDM offers to let me set it up, as you can see in Figure F.

Figure F
The PDM helps you set up a new external host.

To check this operation, I can click on Outside Interface in the Hosts/Network tab and see
(Figure G) that the White House has been added as a host.

Figure G
Whitehouse.com is now on the hosts list.

Compatibility and responsibility

Remember to administer your PIX responsibly by saving your configuration every so
often and keeping a hard copy. You will have to rebuild a PIX configuration from scratch
in the middle of a frantic day as a result of a very simple mistake.