...

Monday, June 7, 2010

Misc 30

I'll now do a quick run-through on the PIX7/ASA to set up a basic topology. The theory will not be covered in depth; this article focuses on getting you used to setting up a PIX in a basic environment. The topology we'll be using is:


In this topology, I'll use routers in place of a User and a WebServer since a router can support both functions. The router named User will solely be used for inside to outside access, while the position marked You is where your physical computer will be, to test outside to inside connectivity.

First off we'll begin by describing the interfaces:
PIX7/ASA
e0 - Outside - 1.1.1.2
e1 - DMZ - 2.2.2.1
e2 - Inside - 3.3.3.1

Perimeter
f0/0 - 1.1.1.1
f0/1 - 192.168.1.1

WebServer
f0/0 - 2.2.2.2

User
f0/0 - 3.3.3.2

You
eth0 - 192.168.1.150

This topology uses a fixed subnet mask of /24.

Notice that the interfaces of the firewall are named. This is actually required when designing your firewall topology. PIX/ASA uses an algorithm, coincidentally also known as the ASA (Adaptive Security Algorithm), which manages stateful connections. A stateful firewall keeps a state table of connections: it dynamically allows return traffic for a connection originating from the inside network, while blocking all connection attempts from outside by default.

PIX/ASA works around a security level system. Traffic going from a higher security interface to a lower security interface will be statefully permitted. This means that traffic originating from inside will be allowed, and return traffic will be allowed once the connection is established. On the other hand, traffic going from a lower security interface to one with higher or equal security will be denied by default.

We'll first begin by setting up basic connectivity. We'll start with the basic routers. We'll throw in OSPF to do routing for us. Hop on over to User and type:
en
conf t
ho User
in f0/0
ip add 3.3.3.2 255.255.255.0
no shut
line vty 0 4
pass cisco
router ospf 1
network 3.3.3.2 0.0.0.0 area 0


Next, hop on to WebServer and type:
en
conf t
ho WebServer
in f0/0
ip add 2.2.2.2 255.255.255.0
no shut
line vty 0 4
pass cisco
router ospf 1
network 2.2.2.2 0.0.0.0 area 0


Finally we set up the Perimeter router:
en
conf t
ho Perimeter
in f0/0
ip add 1.1.1.1 255.255.255.0
no shut
in f0/1
ip add 192.168.1.1 255.255.255.0
no shut
line vty 0 4
pass cisco
router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 192.168.1.1 0.0.0.0 area 0
passive f0/1


Now we'll focus on the PIX7/ASA. By default, the password is blank, so go ahead and move into privileged mode:
en

Now we'll set up the enable password and hostname:
enable password cisco
ho ASA


For any connectivity to take place, we'll need to set up the interfaces. For each interface, first give it a name, assign it a security level and an IP address, then turn it on:
in e0
nameif Outside
security 0
ip add 1.1.1.2 255.255.255.0
no shut
in e1
nameif DMZ
security 50
ip add 2.2.2.1 255.255.255.0
no shut
in e2
nameif Inside
security 100
ip add 3.3.3.1 255.255.255.0
no shut


At this point, Inside hosts can statefully exit to any interface. DMZ hosts can statefully exit to Outside. Outside hosts will require explicit authorization to enter the network.
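The default policy that results from these three security levels, modelled as an added Python sketch (not part of the original article and not Cisco's implementation). The interface names, levels and addresses come from the topology above; the port numbers and the `Firewall`/`Packet` names are made up for illustration.

```python
from dataclasses import dataclass, field

# Interface names and security levels exactly as configured in this article.
SECURITY_LEVEL = {"Outside": 0, "DMZ": 50, "Inside": 100}

@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrives on
    out_if: str   # interface it would leave through
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Firewall:
    # State table: one entry per connection, stored from the initiator's side.
    conns: set = field(default_factory=set)

    def handle(self, p: Packet) -> str:
        fwd = (p.in_if, p.out_if, p.src, p.sport, p.dst, p.dport)
        rev = (p.out_if, p.in_if, p.dst, p.dport, p.src, p.sport)
        # 1. Packet belongs to a tracked connection (either direction).
        if fwd in self.conns or rev in self.conns:
            return "permit (existing connection)"
        # 2. New connection: only from a higher level to a strictly lower one.
        if SECURITY_LEVEL[p.in_if] > SECURITY_LEVEL[p.out_if]:
            self.conns.add(fwd)
            return "permit (new connection)"
        # 3. Lower-to-higher or equal level: denied unless explicitly authorized.
        return "deny"

def demo() -> list:
    fw = Firewall()
    flows = [  # constructed sample traffic using the article's addresses
        Packet("Inside", "Outside", "3.3.3.2", 40000, "1.1.1.1", 23),  # User -> Perimeter
        Packet("Outside", "Inside", "1.1.1.1", 23, "3.3.3.2", 40000),  # reply to the above
        Packet("Outside", "Inside", "1.1.1.1", 40001, "3.3.3.2", 23),  # Perimeter -> User
        Packet("DMZ", "Outside", "2.2.2.2", 40002, "1.1.1.1", 23),     # WebServer -> Perimeter
        Packet("DMZ", "Inside", "2.2.2.2", 40003, "3.3.3.2", 23),      # WebServer -> User
    ]
    return [fw.handle(p) for p in flows]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```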

Recall that we enabled the OSPF routing protocol on the routers. It's time to enable it on the PIX as well. The OSPF configuration is strikingly similar to IOS. The biggest difference is that you no longer deal with wildcard masks; the network statements take regular subnet masks:
router ospf 1
network 1.1.1.0 255.255.255.0 area 0
network 2.2.2.0 255.255.255.0 area 0
network 3.3.3.0 255.255.255.0 area 0


It's time for some verification. To see the routing table similar to how "show ip route" in IOS works, type:
show route

For an equivalent of "show ip int br" in the IOS, type:
show int ip br

Now it's the first test of statefulness. We'll attempt to telnet from an inside host to an outside host. Coincidentally, we have User and Perimeter routers right for the job. Hop on to User and type:
telnet 1.1.1.1

The connection should go through just fine! Now, we'll try it the other way round. Hop on to Perimeter and type:
telnet 3.3.3.2

The router will keep trying and failing! This happens because inside-out connections are statefully allowed, while outside-in connections are all blocked! In the next article, we'll describe a few ways of allowing outside-in access and talk about NAT in the process.
