Tuesday, July 28, 2009

Basic PIX firewall configuration

This post covers the basic PIX firewall configuration and the concept behind it.

A firewall is a networking device that protects a private network from unauthorized Internet users. The PIX expresses the idea of an inside (private) network and an outside (Internet) network by assigning each interface a security level: the outside interface has security level 0 and the inside interface has security level 100. By default, traffic that originates on a lower security level interface is not allowed to pass to a higher security level interface, while traffic from a higher to a lower security level is allowed. The rules can be modified with access lists to permit specific traffic to flow from the outside interface to the inside interface.


Diagram :



Basic Configuration

1. Set the hostname :

pixfirewall# configure terminal
pixfirewall(config)#hostname pix-jtpd


2. Set the password :

Login password :
pix-jtpd(config)# password cisco

Enable password :
pix-jtpd(config)# enable password cisco

3. Verifying the security levels :

pix-jtpd# show nameif
Interface Name Security
Ethernet0 outside 0
Ethernet1 inside 100
pix-jtpd#

4. Set the IP addresses :

interface Ethernet0
nameif outside
security-level 0
ip address 192.168.78.182 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.78.186 255.255.255.252

Verify the interface IP addresses :

pix-jtpd# sh interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.78.182 YES manual up up
Ethernet1 192.168.78.186 YES manual up up
pix-jtpd#

Ping the back-to-back (directly connected) IP addresses :

pix-jtpd# ping 192.168.78.181
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.78.181, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
pix-jtpd# ping 192.168.78.185
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.78.185, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
pix-jtpd#

5. Configure default route

pix-jtpd(config)# route outside 0.0.0.0 0.0.0.0 192.168.78.181 1

pix-jtpd# show ip route
C 192.168.78.180 255.255.255.252 is directly connected, outside
C 192.168.78.184 255.255.255.252 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.78.181, outside
pix-jtpd#

6. Configuring NAT and defining the subscriber network :

a. Assign a name to the subscriber network address (the name must match the one referenced by the route and nat commands below) :
pix-jtpd(config)# name 192.168.32.0 chat-subs

b. Set the route to the subscriber network :
route inside chat-subs 255.255.255.0 192.168.78.185 1

c. Setting NAT :
inside network :
pix-jtpd(config)# nat (inside) 1 chat-subs 255.255.255.0
pix-jtpd(config)# nat (inside) 1 192.168.78.184 255.255.255.252

global network :
global (outside) 1 192.168.78.188 netmask 255.255.255.255

NOTE : the global PAT address 192.168.78.188 is not part of the outside /30 link, so the upstream PE router must have a route for it pointing to the PIX outside interface (192.168.78.182); otherwise the return traffic for translated sessions never reaches the firewall.

d. Verify that NAT is working :

pix-jtpd# sh xlate
94 in use, 3299 most used
PAT Global 192.168.78.188(1095) Local 192.168.32.30(2182)
PAT Global 192.168.78.188(1053) Local 192.168.32.30(59266)
PAT Global 192.168.78.188(1052) Local 192.168.32.30(65524)
PAT Global 192.168.78.188(1051) Local 192.168.32.30(50954)
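The xlate table is the quickest place to see what the inside hosts are actually doing through the firewall. The following Python script is an added example, not part of the original post: it parses "show xlate" output like the one above into records and counts translations per inside host, which is a cheap indicator of a scanning or misbehaving client. The sample text is constructed from the lines above; the final non-PAT "Global ... Local ..." line is an assumed example of a one-to-one translation and does not come from the post.

```python
import re
from collections import Counter

# Constructed sample: the "show xlate" lines from the post, plus one
# non-PAT line (assumed format of a one-to-one translation, not from the post).
SAMPLE_XLATE = """94 in use, 3299 most used
PAT Global 192.168.78.188(1095) Local 192.168.32.30(2182)
PAT Global 192.168.78.188(1053) Local 192.168.32.30(59266)
PAT Global 192.168.78.188(1052) Local 192.168.32.30(65524)
PAT Global 192.168.78.188(1051) Local 192.168.32.30(50954)
Global 192.168.78.189 Local 192.168.32.40
"""

SUMMARY_RE = re.compile(r"^(\d+) in use, (\d+) most used$")
ENTRY_RE = re.compile(
    r"^(?P<pat>PAT\s+)?Global\s+(?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))?"
    r"\s+Local\s+(?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?$"
)


def parse_xlate(text):
    """Parse 'show xlate' output into (summary, entries).

    summary is {"in_use": n, "most_used": n}; each entry is a dict with
    kind ("PAT" or "NAT"), the global/local IPs and the ports (None when
    the translation is not a PAT entry).
    """
    summary = {"in_use": None, "most_used": None}
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            summary["in_use"], summary["most_used"] = int(m.group(1)), int(m.group(2))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank line, prompt, or a line this parser does not know
        entries.append({
            "kind": "PAT" if m.group("pat") else "NAT",
            "global_ip": m.group("gip"),
            "global_port": int(m.group("gport")) if m.group("gport") else None,
            "local_ip": m.group("lip"),
            "local_port": int(m.group("lport")) if m.group("lport") else None,
        })
    return summary, entries


def translations_per_local_host(entries):
    """Number of active translations held by each inside host."""
    return Counter(e["local_ip"] for e in entries)


def hosts_over_threshold(entries, limit):
    """Inside hosts holding more than `limit` translations, sorted by address.

    A host that suddenly owns far more translations than its peers is worth
    a look: port scanning and worm traffic both show up this way first.
    """
    counts = translations_per_local_host(entries)
    return sorted(ip for ip, n in counts.items() if n > limit)


if __name__ == "__main__":
    summary, entries = parse_xlate(SAMPLE_XLATE)
    print(f"{summary['in_use']} in use, {summary['most_used']} most used")
    for ip, n in translations_per_local_host(entries).most_common():
        print(f"{ip:<16} {n} translation(s)")
    print("over threshold (3):", hosts_over_threshold(entries, 3))
```

Feed it the captured output of "show xlate" (for example from a cron job that logs into the PIX) and alert on hosts_over_threshold with a limit tuned to the normal per-host session count of the subscriber network.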

7. Making rules / access lists

Setting ACL :

pix-jtpd(config)# access-list acl_grp extended permit icmp any any
pix-jtpd(config)# access-list acl_grp extended permit tcp any any
pix-jtpd(config)# access-list acl_grp extended permit ip any any

Apply to the interfaces :

pix-jtpd(config)# access-group acl_grp in interface outside
pix-jtpd(config)# access-group acl_grp in interface inside

Note that applying permit ip any any inbound on the outside interface cancels the default protection described above, because it lets any outside host initiate connections toward the inside; in production the outside ACL should permit only the services that are actually required. The icmp and tcp entries are also already covered by the final ip any any entry.
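A small configuration audit makes the point about over-permissive access lists concrete. The following Python script is an added example, not part of the original post: it parses the interface, access-list and access-group lines shown in this post, then reports any inbound ACL on a lower-security interface that permits ip any any toward a higher-security interface, and lists ACL entries that can never be hit because they follow such a catch-all. The sample configuration is constructed from the lines in this post; the finding text is this example's own wording.

```python
import re

# Constructed sample assembled from the configuration lines shown in the post.
SAMPLE_CONFIG = """
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.78.182 255.255.255.252
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.78.186 255.255.255.252
access-list acl_grp extended permit icmp any any
access-list acl_grp extended permit tcp any any
access-list acl_grp extended permit ip any any
access-group acl_grp in interface outside
access-group acl_grp in interface inside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


def parse_config(text):
    """Return (levels, acls, groups).

    levels: nameif -> security level; acls: acl name -> list of
    (action, protocol, remaining tokens); groups: list of (acl, direction, nameif).
    """
    levels, acls, groups = {}, {}, []
    current = None  # nameif of the interface block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = None
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current is not None:
            levels[current] = int(line.split()[1])
        else:
            m = ACL_RE.match(line)
            if m:
                acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4).split()))
                continue
            m = GROUP_RE.match(line)
            if m:
                groups.append((m.group(1), m.group(2), m.group(3)))
    return levels, acls, groups


def is_any_any(entry):
    """True for a 'permit ip any any' entry, the catch-all that matches everything."""
    action, proto, rest = entry
    return action == "permit" and proto == "ip" and rest[:2] == ["any", "any"]


def shadowed_entries(acl):
    """Entries after a 'permit ip any any' are unreachable: the PIX evaluates
    an access list top-down and stops at the first matching entry."""
    for i, entry in enumerate(acl):
        if is_any_any(entry):
            return acl[i + 1:]
    return []


def audit(levels, acls, groups):
    """Findings for inbound catch-all ACLs that expose higher-security interfaces."""
    findings = []
    for acl, direction, ifname in groups:
        if direction != "in" or acl not in acls or ifname not in levels:
            continue
        if not any(is_any_any(e) for e in acls[acl]):
            continue
        level = levels[ifname]
        higher = sorted(n for n, lvl in levels.items() if lvl > level)
        if higher:
            findings.append(
                f"{ifname} (security {level}): ACL {acl} permits ip any any inbound, "
                f"exposing higher-security interface(s) {', '.join(higher)}"
            )
    return findings


if __name__ == "__main__":
    levels, acls, groups = parse_config(SAMPLE_CONFIG)
    for finding in audit(levels, acls, groups):
        print("FINDING:", finding)
    for name, acl in acls.items():
        for entry in shadowed_entries(acl):
            print(f"UNREACHABLE in {name}:", " ".join([entry[0], entry[1], *entry[2]]))
```

Run against the configuration above it reports the outside interface only: the same catch-all applied inbound on inside is harmless to the security-level model, because no interface there has a higher level than 100.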

Have a good try :D
