CSPFA
Lab Manual
Developed by:
Shaik Mohammad Rafi
Contact: rafi.shaik4@gmail.com
ESPpix# conf t
ESPpix(config)# int e1 shutdown
ESPpix# sh int e1
interface ethernet1 "inside" is administratively down, line protocol is down
Hardware is i82559 ethernet, address is 0008.a34d.7499 (cable is attached)
IP address 10.1.3.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit full duplex
ESPpix(config)# interface e1 10full
ESPpix(config)# sh int e1
interface ethernet1 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 172.23.103.1, subnet mask 255.255.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
ESPpix(config)# int e0 shut
ESPpix(config)# sh int e0
interface ethernet0 "outside" is administratively down, line protocol is down
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 172.23.103.1, subnet mask 255.255.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex
ESPpix(config)# int e0 10baset
ESPpix(config)# int e0 10baseT
ESPpix(config)#sh int e0
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 172.23.103.1, subnet mask 255.255.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex
ESPpix(config)# ip address inside 10.0.0.1 255.0.0.0
ESPpix(config)# sh int e1
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a34d.7499
IP address 10.0.0.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit full duplex
ESPpix(config)# ip address outside 20.0.0.1 255.0.0.0
ESPpix(config)# sh int e0
interface ethernet0 "outside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 20.0.0.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex
ESPpix# sh ip address
System IP Addresses:
ip address outside 20.0.0.1 255.0.0.0
ip address inside 10.0.0.1 255.0.0.0
Current IP Addresses:
ip address outside 20.0.0.1 255.0.0.0
ip address inside 10.0.0.1 255.0.0.0
ESPpix# sh route
outside 0.0.0.0 0.0.0.0 172.23.103.2 1 OTHER static
inside 10.0.0.0 255.0.0.0 10.0.0.1 1 CONNECT static
inside 10.1.3.0 255.255.255.0 10.1.3.1 1 OTHER static
outside 20.0.0.0 255.0.0.0 20.0.0.1 1 CONNECT static
ESPpix#
ESPpix# conf t
ESPpix(config)# hostname ESPpix
ESPpix(config)# exit
ESPpix# sh nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ESPpix # conf t
ESPpix(config)# nameif e0 remote 0
ESPpix (config)# nameif e1 local 100
Error!
security 100 is reserved for the "inside" interface
Type help or '?' for a list of available commands.
ESPpix(config)# nameif e1 local 99
ESPpix(config)# exit
ESPpix# sh nameif
nameif ethernet0 remote security0
nameif ethernet1 local security99
ESPpix# sh int e0
interface ethernet0 "remote" is up, line protocol is down
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 20.0.0.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex
ESPpix# sh int e1
interface ethernet1 "local" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a34d.7499
IP address 10.0.0.1, subnet mask 255.0.0.0
MTU 1500 bytes, BW 10000 Kbit full duplex
ESPpix # conf t
ESPpix(config)# no nameif
ESPpix(config)# exit
ESPpix# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
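The nameif lab above shows two rules of the PIX: level 100 is reserved for the interface called "inside" (so "nameif e1 local 100" fails while "nameif e0 remote 0" succeeds), and the pair of levels fixes which direction is open by default. The following Python model is an added example, not code from the manual; the function and class names are this example's own.

```python
"""Model of PIX interface names and security levels.

Added example (not from the lab manual): it reproduces the behaviour seen in
the nameif lab, where "nameif e1 local 100" was rejected because level 100 is
reserved for the interface named "inside" while "nameif e0 remote 0" was
accepted, and shows the default policy the level pair implies.
"""


class SecurityLevelError(ValueError):
    """Raised for a nameif assignment the firewall would refuse."""


# Only level 100 is reserved by name; the lab shows level 0 is accepted for
# an interface called "remote".
RESERVED_LEVELS = {100: "inside"}


def nameif(table, hw_if, name, level):
    """Assign name and security level to a hardware interface.

    table maps hardware interface -> (name, level), like 'show nameif'.
    """
    if not 0 <= level <= 100:
        raise SecurityLevelError("security level must be between 0 and 100")
    reserved_for = RESERVED_LEVELS.get(level)
    if reserved_for is not None and name != reserved_for:
        raise SecurityLevelError(
            f'security {level} is reserved for the "{reserved_for}" interface'
        )
    table[hw_if] = (name, level)
    return table


def show_nameif(table):
    """Render the table in the format printed by 'show nameif'."""
    return [f"nameif {hw} {name} security{level}"
            for hw, (name, level) in sorted(table.items())]


def default_flow_allowed(table, src_if, dst_if):
    """Default policy of the adaptive security algorithm.

    Traffic from a higher security level to a lower one is allowed by default
    (once a translation exists); from lower to higher it is denied unless a
    static plus a conduit or access-list explicitly permits it.
    """
    return table[src_if][1] > table[dst_if][1]


def lab_walkthrough():
    """Replay the nameif lab: return the final table and the rejected attempt."""
    table = {}
    nameif(table, "ethernet0", "remote", 0)
    try:
        nameif(table, "ethernet1", "local", 100)
        rejected = None
    except SecurityLevelError as err:
        rejected = str(err)
    nameif(table, "ethernet1", "local", 99)
    return table, rejected


if __name__ == "__main__":
    table, rejected = lab_walkthrough()
    print("\n".join(show_nameif(table)))
    print("rejected:", rejected)
    print("local -> remote open by default:", default_flow_allowed(table, "ethernet1", "ethernet0"))
    print("remote -> local open by default:", default_flow_allowed(table, "ethernet0", "ethernet1"))
```

The level check is why renaming interfaces in the lab had to use 99 for "local": the name changes, but the policy asymmetry between the two interfaces stays, and every later lab that reaches an inside host from 20.0.0.4 needs a static plus a conduit or access-list for exactly that reason.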
ESPpix# conf t
ESPpix(config)# clock set 14:15:05 aug 14 2002
ESPpix(config)# exit
ESPpix # sh clock
14:15:13 Aug 14 2002
ESPpix# ping 10.0.0.1
10.0.0.1 response received -- 0ms
10.0.0.1 response received -- 0ms
10.0.0.1 response received -- 0ms
ESPpix# ping 10.0.0.10
10.0.0.10 NO response received -- 1000ms
10.0.0.10 NO response received -- 1000ms
10.0.0.10 NO response received -- 1000ms
ESPpix# show running-config (shows the running configuration, as in router IOS)
OR
ESPpix# write terminal (shows the running configuration, like show running-config in router IOS)
Building configuration...
Cryptochecksum: 8b14435d fdfe0df4 7427e2a0 d180be47
[OK]
ESPpix(config)# sh config
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0YvvkDz2sdCxrJJB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ESPpix
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 20.0.0.1 255.0.0.0
ip address inside 10.0.0.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 172.23.103.3
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.23.103.3 10.1.3.103 netmask 255.255.255.255 0 0
conduit permit icmp any any
!
terminal width 80
Cryptochecksum:8b14435dfdfe0df47427e2a0d180be47
To reset the interfaces to their default settings:
ESPpix(config)# clear config primary
ESPpix(config)# sh int e1
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0008.a34d.7499
IP address 127.0.0.1, subnet mask 255.255.255.255
MTU 1500 bytes, BW 10000 Kbit full duplex
ESPpix(config)# sh int e0
interface ethernet0 "outside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0008.a34d.7497
IP address 127.0.0.1, subnet mask 255.255.255.255
MTU 1500 bytes, BW 10000 Kbit half duplex
ESPpix(config)# reload
Proceed with reload? [confirm]
Rebooting....
CISCO SYSTEMS PIX-501
Embedded BIOS Version 4.3.200 07/31/01 15:58:22.08
Compiled by morlee
16 MB RAM
PCI Device Table.
Bus Dev Func VendID DevID Class        Irq
00  00  00   1022   3000  Host Bridge
00  11  00   8086   1209  Ethernet     9
00  12  00   8086   1209  Ethernet     10
Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001
Platform PIX-501
Flash=E28F640J3 @ 0x3000000
Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 2466304 bytes of image from flash.
16MB RAM
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000
mcwa i82559 Ethernet at irq 9 MAC: 0008.a34d.7497
mcwa i82559 Ethernet at irq 10 MAC: 0008.a34d.7499
[ciscoSystems / Private Internet eXchange banner]
Cisco PIX Firewall
Cisco PIX Firewall Version 6.1(1)
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
PIX / FIREWALL LAB MANUAL
Websense: Enabled
Inside Hosts: 10
Throughput: Limited
ISAKMP peers: 5
ESPpix #write floppy
ESPpix #write standby
ESPpix#show history
ESPpix#show memory
ESPpix#show version
ESPpix#show xlate
ESPpix#show cpu usage
ESPpix# name 172.16.2.1 Bastionhome (assigns a name to an IP address)
ESPpix(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 (specifies the default route, or a static route)
NAT ON PIXFIREWALL
Static NAT
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); hosts 10.0.0.1 and 10.0.0.2 (Local WWW Server) inside, 20.0.0.4 (Remote WWW Server) outside]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2
File Name :pix622.bin
PIXFirewall Configuration:
ESPpix(config)# static (inside,outside) 20.0.0.51 10.0.0.1
ESPpix(config)# static (inside,outside) 20.0.0.52 10.0.0.2
ESPpix(config)# conduit permit icmp host 20.0.0.51 host 20.0.0.4
ESPpix(config)# conduit permit icmp host 20.0.0.52 host 20.0.0.4
At Machine 10.0.0.1:
Open the command prompt and type ping 20.0.0.4, OR
open a browser and enter 20.0.0.4 to reach the remote web server.
Repeat the same procedure on machine 10.0.0.2 and verify the result.
Verification Commands:
ESPpix(config)# show static
ESPpix(config)# show xlate
NAT ON PIXFIREWALL
Dynamic NAT
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); hosts 10.0.0.1 and 10.0.0.2 (Local WWW Server) inside, 20.0.0.4 (Remote WWW Server) outside]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin
PIXFirewall Configuration:
ESPpix(config)# nat (inside) 1 0 0
ESPpix(config)# global (outside) 1 20.0.0.51-20.0.0.60
ESPpix(config)# conduit permit icmp any any
At Machine 10.0.0.1:
Open the command prompt and type ping 20.0.0.4, OR
open a browser and enter 20.0.0.4 to reach the remote web server.
Repeat the same procedure on machine 10.0.0.2 and verify the result.
Verification Commands:
ESPpix(config)# show global
ESPpix(config)# show nat
ESPpix(config)# show xlate
NAT ON PIXFIREWALL
Port Address Translation
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); hosts 10.0.0.1 and 10.0.0.2 (Local WWW Server) inside, 20.0.0.4 (Remote WWW Server) outside]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin
PIXFirewall Configuration:
ESPpix(config)# nat (inside) 1 0 0
ESPpix(config)# global (outside) 1 20.0.0.50
ESPpix(config)# conduit permit icmp any any
At Machine 10.0.0.1:
Open the command prompt and type ping 20.0.0.4, OR
open a browser and enter 20.0.0.4 to reach the remote web server.
Repeat the same procedure on machine 10.0.0.2 and verify the result.
Verification Commands:
ESPpix(config)# show global
ESPpix(config)# show nat
ESPpix(config)# show xlate
NAT ON PIXFIREWALL
PAT WITH OUTSIDE INTERFACE ADDRESS
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); hosts 10.0.0.1 and 10.0.0.2 (Local WWW Server) inside, 20.0.0.4 (Remote WWW Server) outside]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin
PIXFirewall Configuration:
Esppix(config)# ip address inside 10.0.0.10 255.0.0.0
Esppix(config)# ip address outside 20.0.0.10 255.0.0.0
Esppix(config)# int e1 10full
Esppix(config)# int e0 10full
Esppix(config)# nat (inside) 1 10.0.0.0 255.0.0.0
Esppix(config)# global (outside) 1 interface e0
Esppix(config)# conduit permit icmp any any
At Machine 10.0.0.1:
Open the command prompt and type ping 20.0.0.4, OR
open a browser and enter 20.0.0.4 to reach the remote web server.
Repeat the same procedure on machine 10.0.0.2 and verify the result.
Verification Commands:
Esppix(config)# debug icmp trace
Esppix(config)# show global
Esppix(config)# show nat
Esppix(config)# show xlate
PORT REDIRECTION
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); inside hosts 10.0.0.1 and 10.0.0.2 (labelled Local WWW Server and Temporary WWW Server); outside host 20.0.0.4; translated address 20.0.0.60]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin
PIXFirewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# int e1 10full
ESPpix(config)# int e0 10full
ESPpix(config)# static (inside,outside) tcp 20.0.0.60 8080 10.0.0.1 80
At Machine 20.0.0.4:
Open Internet Explorer and browse to http://20.0.0.60; the PIX directs you to the temporary web server.
Verification Commands:
ESPpix(config)# show static
ESPpix(config)# show xlate
NAT ON PIXFIREWALL
NAT 0
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); hosts 10.0.0.1 and 10.0.0.2 (Local WWW Server) inside, 20.0.0.4 (Remote WWW Server) outside]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2
PIX IOS filename pix622.bin
PIXFirewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# int e1 10full
ESPpix(config)# int e0 10full
ESPpix(config)# nat (inside) 0 10.0.0.1 255.0.0.0
ESPpix(config)# conduit permit icmp any any
At Machine 10.0.0.1:
Open the command prompt and type ping 20.0.0.4, OR
open a browser and enter 20.0.0.4 to reach the remote web server.
Repeat the same procedure on machine 10.0.0.2 and verify the result.
Verification Commands:
ESPpix(config)# debug icmp trace
ESPpix(config)# show nat
ESPpix(config)# show global
ESPpix(config)# show xlate
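The five translation labs above (static NAT, dynamic NAT from a global pool, PAT on one address or on the outside interface address, port redirection with a TCP static, and nat 0) differ only in how a translation slot is chosen. The following Python model of the xlate table is an added example, not the manual's or Cisco's code; the class and method names are this example's own, and PAT port selection is simplified to a counter where the real firewall draws from its own port range.

```python
"""Model of the PIX translation slot (xlate) table.

Added example, not from the manual: it replays the translation labs using the
lab's addresses. 'outbound' answers what 'show xlate' would list for an
inside->outside flow; 'inbound' answers where an outside->inside packet is
delivered (whether policy permits it is a separate check).
"""
import ipaddress


class Translator:
    def __init__(self):
        self.statics = {}        # local ip -> global ip (static NAT, bidirectional)
        self.port_statics = {}   # (global ip, port) -> (local ip, port) (port redirect)
        self.nat_rules = []      # (nat_id, ip_network) from 'nat (inside) id addr mask'
        self.pools = {}          # nat_id -> free global addresses from 'global ... first-last'
        self.pat_addrs = {}      # nat_id -> single PAT address from 'global ... addr'
        self.xlate = {}          # local ip -> global ip for dynamic slots currently held
        self.next_pat_port = 1024  # simplification: real PIX picks from its own range

    def static(self, global_ip, local_ip):
        self.statics[local_ip] = global_ip

    def static_tcp(self, global_ip, global_port, local_ip, local_port):
        self.port_statics[(global_ip, global_port)] = (local_ip, local_port)

    def nat(self, nat_id, address, mask):
        # 'nat (inside) 1 0 0' means any address: pass 0.0.0.0 / 0.0.0.0
        self.nat_rules.append((nat_id, ipaddress.ip_network(f"{address}/{mask}", strict=False)))

    def global_pool(self, nat_id, first, last):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.pools[nat_id] = [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]

    def global_pat(self, nat_id, address):
        self.pat_addrs[nat_id] = address

    def outbound(self, local_ip, local_port):
        """Translate an inside->outside flow; None means no slot, packet dropped."""
        if local_ip in self.statics:
            return self.statics[local_ip], local_port
        for nat_id, net in self.nat_rules:
            if ipaddress.ip_address(local_ip) not in net:
                continue
            if nat_id == 0:                      # nat 0: identity, no translation
                return local_ip, local_port
            if local_ip in self.xlate:           # reuse the slot this host already holds
                return self.xlate[local_ip], local_port
            if self.pools.get(nat_id):           # dynamic NAT: one global address per host
                self.xlate[local_ip] = self.pools[nat_id].pop(0)
                return self.xlate[local_ip], local_port
            if nat_id in self.pat_addrs:         # PAT: shared address, unique port
                port, self.next_pat_port = self.next_pat_port, self.next_pat_port + 1
                return self.pat_addrs[nat_id], port
            return None                          # pool exhausted and no PAT fallback
        return None

    def inbound(self, global_ip, global_port):
        if (global_ip, global_port) in self.port_statics:
            return self.port_statics[(global_ip, global_port)]
        for local_ip, g in list(self.statics.items()) + list(self.xlate.items()):
            if g == global_ip:
                return local_ip, global_port
        return None


def static_nat_lab():
    t = Translator()
    t.static("20.0.0.51", "10.0.0.1")
    t.static("20.0.0.52", "10.0.0.2")
    return t.outbound("10.0.0.1", 1030), t.inbound("20.0.0.52", 80)


def dynamic_nat_lab():
    t = Translator()
    t.nat(1, "0.0.0.0", "0.0.0.0")
    t.global_pool(1, "20.0.0.51", "20.0.0.60")
    first = t.outbound("10.0.0.1", 1030)
    again = t.outbound("10.0.0.1", 1031)
    others = [t.outbound(f"10.0.0.{n}", 1030) for n in range(2, 12)]  # hosts 2..11
    return first, again, others[-2], others[-1]   # host 11 finds the 10-address pool empty


def pat_lab():
    t = Translator()
    t.nat(1, "10.0.0.0", "255.0.0.0")
    t.global_pat(1, "20.0.0.10")   # 'global (outside) 1 interface e0': the outside address
    return t.outbound("10.0.0.1", 1030), t.outbound("10.0.0.2", 1030)


def nat0_lab():
    t = Translator()
    t.nat(0, "10.0.0.1", "255.0.0.0")   # as typed in the lab; the mask covers 10.0.0.0/8
    return t.outbound("10.0.0.2", 1030)


def port_redirect_lab():
    t = Translator()
    t.static_tcp("20.0.0.60", 8080, "10.0.0.1", 80)
    return t.inbound("20.0.0.60", 8080), t.inbound("20.0.0.60", 80)
```

The dynamic lab is the one worth watching: a ten-address pool serves exactly ten inside hosts, and the eleventh gets no slot at all unless a PAT address is also configured under the same id, which is the reason the PAT labs exist.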
[Topology diagram: PIX E1 10.0.0.10 (inside) with PC B and the address range 10.0.0.51 to 10.0.0.60; E0 (outside) with host 20.0.0.4 and the address range 20.0.0.51 to 20.0.0.60]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2
File Name : pix622.bin
PIXFirewall Configuration:
ESPpix(config)# ip address outside dhcp
Verification Commands:
ESPpix(config)# debug dhcpd events
ESPpix(config)# debug dhcpd packet
ESPpix(config)# debug dhcpd detail
ESPpix(config)# debug dhcpd error
SYSLOG SERVER
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); inside hosts 10.0.0.1 and 10.0.0.2 (labelled Syslog Server and Local WWW Server); outside host 20.0.0.4 (Remote WWW Server)]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2
PIX IOS filename pix622.bin
Kiwi Syslog Software
PIXFirewall Configuration:
ESPpix(config)# logging host inside 10.0.0.1
ESPpix(config)# logging trap 7
ESPpix(config)# logging on
At PIXFirewall:
You can verify this lab by typing any command, OR
by typing an invalid password at the privileged-mode prompt, OR
by telnetting from any inside machine.
Verification Commands:
ESPpix(config)# show logging
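With "logging trap 7" the lab forwards every severity to the syslog host, so the useful skill is picking the messages that matter out of the stream. The following Python parser is an added example, not code from the manual or the Kiwi product; the sample lines are constructed in the PIX format "timestamp: %PIX-severity-id: text", and their message ids and wording are illustrative rather than quoted from a device.

```python
"""Parse PIX syslog messages and filter them as 'logging trap <level>' does.

Added example, not from the manual. Severity runs from 0 (emergencies) to
7 (debugging); 'logging trap 7' forwards everything up to and including
debugging, while 'logging trap 6' would drop the debugging message below.
"""
import re
from collections import Counter

PIX_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%PIX-(?P<sev>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)$"
)

SAMPLE_LINES = [  # constructed sample lines modelled on the syslog lab topology
    "Aug 14 2002 14:20:01: %PIX-6-302001: Built outbound TCP connection 12 for faddr 20.0.0.4/80 gaddr 20.0.0.51/1030 laddr 10.0.0.1/1030",
    "Aug 14 2002 14:20:05: %PIX-6-308001: console enable password incorrect for 1 tries (from 10.0.0.2)",
    "Aug 14 2002 14:20:06: %PIX-6-308001: console enable password incorrect for 2 tries (from 10.0.0.2)",
    "Aug 14 2002 14:20:09: %PIX-7-710005: TCP request discarded from 20.0.0.4/1040 to outside:20.0.0.10/23",
    "this line is not a PIX message",
]


def parse(line):
    """Return the fields of one message, or None for a line that is not PIX syslog."""
    m = PIX_LINE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "severity": int(m["sev"]), "msg_id": m["msg_id"], "text": m["text"]}


def passes_trap(event, trap_level):
    """'logging trap N' forwards severities 0..N (numerically lower is more severe)."""
    return event["severity"] <= trap_level


def forwarded(lines, trap_level):
    """The subset of lines the firewall would send to the syslog host."""
    return [e for e in map(parse, lines) if e is not None and passes_trap(e, trap_level)]


FAILED_ENABLE = re.compile(r"^console enable password incorrect for (\d+) tries \(from ([\d.]+)\)$")


def failed_enable_by_source(lines):
    """Count failed privileged-mode logins per source: the event the lab tells you to provoke."""
    counts = Counter()
    for event in forwarded(lines, 7):
        m = FAILED_ENABLE.match(event["text"])
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


if __name__ == "__main__":
    for event in forwarded(SAMPLE_LINES, 7):
        print(event["severity"], event["msg_id"], event["text"][:60])
    print("failed enable attempts:", failed_enable_by_source(SAMPLE_LINES))
```

Counting per source is the detection you want from this lab: a burst of failed enable attempts from one inside address is the thing to alert on, and at trap level 7 the connection-built and discarded-request messages around it tell you what else that host was doing.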
OUTBOUND ACL
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); hosts 10.0.0.1 and 10.0.0.2 (Local WWW Server) inside, 20.0.0.4 (Remote WWW Server) outside]
PIXFirewall Configuration:
Esppix(config)# ip address inside 10.0.0.10 255.0.0.0
Esppix(config)# ip address outside 20.0.0.10 255.0.0.0
Esppix(config)# int e0 10baset
Esppix(config)# int e1 10full
Esppix(config)# outbound 1 permit 10.0.0.1 255.255.255.255 http
Esppix(config)# outbound 1 deny 10.0.0.2 255.255.255.255 http
Esppix(config)# apply (inside) 1 outgoing_src
OR
Esppix(config)# outbound 1 permit 20.0.0.4 255.255.255.255 http
Esppix(config)# apply (inside) 1 outgoing_dest
At Machine 10.0.0.1:
Open Internet Explorer and type 20.0.0.4 in the address bar; repeat the same procedure on machine 10.0.0.2.
Verification Commands:
Esppix(config)# sh apply
Esppix(config)# sh outbound
Esppix(config)# clear outbound
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); hosts 10.0.0.1 and 10.0.0.2 (Local WWW Server) inside, 20.0.0.4 outside]
PIXFirewall Configuration:
ESPpix(config)# access-list esp permit tcp host 10.0.0.1 any eq www
ESPpix(config)# access-list esp deny tcp host 10.0.0.2 any eq www
ESPpix(config)# access-group esp in interface inside
At Machine 10.0.0.1:
Open Internet Explorer and type 20.0.0.4 in the address bar.
Repeat the same procedure on machine 10.0.0.2 and verify the result.
Verification Commands:
ESPpix(config)# show access-list
ESPpix(config)# show access-group
ESPpix(config)# clear access-list
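The two-entry access-list above is evaluated top-down, first match wins, with an implicit deny after the last entry. The following Python evaluator is an added example, not the manual's or Cisco's code; it parses only the ACE syntax the lab uses (permit|deny, a protocol, "host A.B.C.D", "any" or "A.B.C.D MASK" for each address, and an optional "eq" with a port number or a service keyword), and the function names are this example's own.

```python
"""Evaluate a PIX access-list the way the firewall does.

Added example, not from the manual: top-down, first match wins, implicit deny
at the end. Only the ACE forms used in the lab above are parsed.
"""
import ipaddress

SERVICE_PORTS = {"www": 80, "http": 80, "ftp": 21, "telnet": 23, "ssh": 22, "smtp": 25, "domain": 53}


def _parse_address(tokens):
    """Consume one address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """'access-list esp permit tcp host 10.0.0.1 any eq www' -> dict of fields."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line")
    name, action, proto = t[1], t[2], t[3]
    src, rest = _parse_address(t[4:])
    dst, rest = _parse_address(rest)
    port = None
    if rest and rest[0] == "eq":
        port = SERVICE_PORTS.get(rest[1]) or int(rest[1])
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst, "dport": port}


def build_acl(lines):
    """Group ACEs by list name, preserving the order they were entered."""
    acl = {}
    for line in lines:
        ace = parse_ace(line)
        acl.setdefault(ace["name"], []).append(ace)
    return acl


def evaluate(acl, name, proto, src_ip, dst_ip, dport):
    """Return ('permit'|'deny', index of the matching ACE, or None for the implicit deny)."""
    for i, ace in enumerate(acl.get(name, [])):
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src_ip) not in ace["src"]:
            continue
        if ipaddress.ip_address(dst_ip) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], i
    return "deny", None   # implicit deny at the end of every list


LAB_ACL = [  # the two entries from the lab above
    "access-list esp permit tcp host 10.0.0.1 any eq www",
    "access-list esp deny tcp host 10.0.0.2 any eq www",
]


if __name__ == "__main__":
    acl = build_acl(LAB_ACL)
    for src in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        print(src, "-> 20.0.0.4:80", evaluate(acl, "esp", "tcp", src, "20.0.0.4", 80))
    print("10.0.0.1 ping 20.0.0.4", evaluate(acl, "esp", "icmp", "10.0.0.1", "20.0.0.4", None))
```

Note what the third and fourth results say about the lab: once "access-group esp in interface inside" is applied, the explicit deny for 10.0.0.2 is redundant, because every inside host and every protocol not named in a permit entry, including the ICMP pings the other labs rely on, is already dropped by the implicit deny.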
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); hosts 10.0.0.1 and 10.0.0.2 inside, 20.0.0.4 outside, AAA Server]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2, 500 Series PIX
IOS file name pix622.bin
PIXFirewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# int e0 10baset
ESPpix(config)# int e1 10full
ESPpix(config)# icmp deny 0 0 inside
ESPpix(config)# icmp deny 0 0 outside
At Machine 10.0.0.1
Open the command prompt and ping the inside interface (ping 10.0.0.10); at machine 20.0.0.4 repeat the same procedure with ping 20.0.0.10.
Verification Command:
ESPpix(config)# show icmp
ESPpix(config)# clear icmp
SECURE SHELL
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); hosts 10.0.0.1 and 10.0.0.2 inside, 20.0.0.4 outside, AAA Server]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2, 500 Series
IOS file name pix622.bin
Putty Software
PIXFirewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# int e1 10full
ESPpix(config)# int e0 10full
ESPpix(config)# domain-name esp.com
ESPpix(config)# ca generate rsa key 1024
ESPpix(config)# ssh 10.0.0.1 inside
ESPpix(config)# ssh 20.0.0.4 255.255.255.255 outside
ESPpix(config)# aaa-server esp protocol tacacs+
ESPpix(config)# aaa-server esp (inside) host 10.0.0.2 cisco
ESPpix(config)# aaa authentication ssh console esp
Verification Commands:
ESPpix(config)# show ssh
ESPpix(config)# show ssh session
ESPpix(config)# ssh disconnect session_id
ESPpix(config)# show ca mypubkey rsa
At Machine 10.0.0.1:
If instead you want a secure shell from the outside interface, you have to specify the outside interface address, 20.0.0.10, in the hostname parameter of Putty.
[Topology diagram: PIX E0 20.0.0.10 (outside); hosts 10.0.0.1 and 10.0.0.2 (Local WWW Server) inside, 20.0.0.4 (Remote WWW Server) outside]
Requirements:
Windows 98 Operating System
PIX IOS V6.2, 500 Series
IOS file name pix622.bin
PIXFirewall Configuration:
ESPpix(config)# ip address inside 10.0.0.10 255.0.0.0
ESPpix(config)# ip address outside 20.0.0.10 255.0.0.0
ESPpix(config)# int e1 10full
ESPpix(config)# int e0 10baset
ESPpix(config)# nat (inside) 1 0 0
ESPpix(config)# global (outside) 1 20.0.0.51-20.0.0.60
Filter Java
ESPpix(config)# filter java 80 0 0 0 0
Filter ActiveX
ESPpix(config)# filter activex 80 0 0 0 0
At Machine 10.0.0.1:
Open Internet Explorer and type 20.0.0.4 in the address bar.
Repeat the same procedure on machine 10.0.0.2 and verify the result.
FIXUP PROTOCOL
(Fixup protocol turns on application inspection that repairs protocol-specific behaviour for traffic going from inside to outside.)

PROTOCOL   EFFECT OF REMOVING THE FIXUP                         EFFECT OF CHANGING THE PORT
HTTP       No change                                            Works on both port 80 and the changed port
FTP        The connection to the requested server cannot be     Works only on the changed port
           established
H.323      No change                                            The port cannot be changed
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); inside host 10.0.0.1; outside hosts 20.0.0.1 (HTTP Server) and 20.0.0.2 (FTP Server)]
HTTP FIXUP
ESPpix(config)# no fixup protocol http 80
You can still view the web site.
ESPpix(config)# fixup protocol http 8080
You can view a web site running on either port 80 or port 8080.
FTP FIXUP
ESPpix(config)# no fixup protocol ftp 21
Now you are unable to view the ftp site.
ESPpix(config)# fixup protocol ftp 2021
Now you are able to view the ftp site on port 2021.
H.323 FIXUP
ESPpix(config)# no fixup protocol h323 1720
You can still place a call in NetMeeting.
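The asymmetry in the fixup table (HTTP keeps working without its fixup, FTP does not) comes from FTP negotiating a second, dynamically numbered data connection inside the control channel; the fixup reads that negotiation and opens the data connection for it. The following Python code is an added example, not the manual's or Cisco's implementation: it models that inspection step for both active mode (the PORT command) and passive mode (the 227 reply). The check that the announced address belongs to the peer of the control connection is this example's own defensive choice, not a claim about what PIX 6.2 does.

```python
"""Model of what the FTP fixup has to do that the HTTP fixup does not.

Added example, not from the manual. Parse PORT (active mode) and 227
(passive mode) messages on the control channel and derive the single data
connection the firewall should pre-open, refusing an address that does not
belong to the control connection's peer.
"""
import re

PORT_CMD = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$")
PASV_REPLY = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def _decode_hostport(six):
    """'10,0,0,1,4,1' -> ('10.0.0.1', 1025); None if any octet is out of range."""
    parts = [int(p) for p in six.split(",")]
    if any(p > 255 for p in parts):
        return None
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def parse_port(command):
    m = PORT_CMD.match(command)
    return _decode_hostport(m.group(1)) if m else None


def parse_pasv(reply):
    m = PASV_REPLY.match(reply)
    return _decode_hostport(m.group(1)) if m else None


def data_pinhole(client_ip, server_ip, control_message):
    """Return (src_ip, dst_ip, dst_port) to permit for the data connection, or None.

    Active mode: the server connects back to the address in PORT, so the hole
    is server -> client. Passive mode: the client connects to the address in
    the 227 reply, so the hole is client -> server. An address that is not the
    control connection's peer is refused, so the firewall never opens a hole
    towards a third host on the say-so of one side of the session.
    """
    active = parse_port(control_message)
    if active:
        ip, port = active
        return (server_ip, ip, port) if ip == client_ip else None
    passive = parse_pasv(control_message)
    if passive:
        ip, port = passive
        return (client_ip, ip, port) if ip == server_ip else None
    return None   # not a data-channel negotiation, nothing to open


if __name__ == "__main__":
    # constructed messages for the lab's client 10.0.0.1 and FTP server 20.0.0.2
    print(data_pinhole("10.0.0.1", "20.0.0.2", "PORT 10,0,0,1,4,1\r\n"))
    print(data_pinhole("10.0.0.1", "20.0.0.2", "227 Entering Passive Mode (20,0,0,2,7,233)\r\n"))
    print(data_pinhole("10.0.0.1", "20.0.0.2", "PORT 10,0,0,9,4,1\r\n"))
```

This is also why "fixup protocol ftp 2021" is needed before an FTP server on port 2021 works through the firewall: the inspection is bound to a port, and a control channel on an uninspected port never gets its data connection opened.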
[Topology diagram: PIX E1 (inside), E0 20.0.0.10 (outside); inside host 10.0.0.1 with translated address 20.0.0.50; outside hosts 20.0.0.1 and 20.0.0.2 (FTP Server)]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin
PIXFirewall Configuration:
ESPpix(config)# static (inside,outside) 20.0.0.50 10.0.0.1 1 0
ESPpix(config)# conduit permit ip any any
At Machine 20.0.0.1:
Open Internet Explorer, browse to ftp://20.0.0.50 and copy the folder to the local hard disk; at the same time go to machine 20.0.0.2 and browse to ftp://20.0.0.50.
After some time it will be unable to retrieve the page, because the static above allows only one connection at a time.
Verification Commands:
ESPpix(config)# show static
ESPpix(config)# show xlate
ESPpix(config)# show conduit
ESPpix(config)# show conn
[Topology diagram: PIX E0 20.0.0.10 (outside); inside host 10.0.0.1; outside hosts 20.0.0.1 and 20.0.0.2]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2
File Name: pix622.bin
PIXFirewall Configuration:
Esppix(config)# logging host inside 10.0.0.1
Esppix(config)# logging trap 7
Esppix(config)#logging on
Esppix(config)# ip audit name outbound-info info action alarm drop reset
Esppix(config)# ip audit interface outside outbound-info
At Machine 20.0.0.4:
Open the command prompt and type ping 20.0.0.10 (you can also ping an internal host), and watch the logging messages on the syslog server.
Verification Commands:
Esppix(config)# show ip audit count
Esppix(config)# no ip audit interface outside outbound-info
Esppix(config)# no ip audit name outbound-info
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); AAA Server; hosts 10.0.0.1 and 10.0.0.2 (Local WWW Server) inside, 20.0.0.4 (Remote WWW Server) outside]
Pixfirewall Configuration:
Esppix(config)# aaa-server main protocol tacacs+
Esppix(config)# aaa-server main (inside) host 10.0.0.1 cisco
Esppix(config)# aaa authentication any outbound 0 0 0 0 main
Esppix(config)# aaa authorization any outbound 0 0 0 0 main
Esppix(config)# aaa accounting any outbound 0 0 0 0 main
For Authorization:
For Accounting:
At Machine 10.0.0.1:
Open Internet Explorer and type 20.0.0.4 in the address bar.
A new window prompts for credentials; enter the user name and password and verify the results.
Verification Commands:
Esppix(config)# sh uauth
Esppix(config)# clear uauth
Esppix(config)# clear aaa-server
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); AAA Server; hosts 10.0.0.1 and 10.0.0.2 (Local WWW Server) inside, 20.0.0.4 (Remote WWW Server) outside]
Pixfirewall Configuration:
Esppix(config)# aaa-server main protocol tacacs+
Esppix(config)# aaa-server main (inside) host 10.0.0.1 cisco
Esppix(config)# aaa authentication any outbound 0 0 0 0 main
Esppix(config)# aaa authentication include 1/8 outbound 0 0 0 0 main
Esppix(config)# aaa authorization include 1/8 outbound 0 0 0 0 main
Esppix(config)# virtual http 20.0.0.8
Esppix(config)# virtual telnet 20.0.0.9
[Topology diagram: PIX Firewall and Router ESPA, router E0 11.0.0.2]
IP SEC:
ESPA(config)#crypto ipsec transform-set ESPAset esp-des esp-md5-hmac
ESPA(cfg-crypto-trans)#exit
ESPA(config)#crypto map ESPAmap 1 ipsec-isakmp
ESPA(config-crypto-map)#match address 101
ESPA(config-crypto-map)#set peer 11.0.0.1
ESPA(config-crypto-map)#set transform-set ESPAset
ESPA(config-crypto-map)#set pfs group2
ESPA(config-crypto-map)#^Z
ESPA#
Apply Crypto Map:
ESPA(config)#int e0
ESPA(config-if)# crypto map ESPAmap
Verification Commands:
ESPA# show crypto isakmp policy
ESPA# show crypto isakmp sa
ESPA# show crypto ipsec sa
REQUIREMENTS:
Windows 98/2000 Operating System
PIX IOS v6.2
PIXFirewall Configuration:
ESPpix(config)# name 10.0.0.1 computer
ESPpix(config)# domain-name cisco.com
ESPpix(config)# ca generate rsa key 1024
ESPpix(config)# ca identity computer 10.0.0.1:/certsrv/mscep/mscep.dll
ESPpix(config)# ca configure computer ra 1 10 crloptional
ESPpix(config)# ca authenticate computer
ESPpix(config)# ca enroll computer esppassword
For the password, open Internet Explorer and browse to http://10.0.0.1/certsrv/mscep/mscep.dll; the page returns a password, which you supply in the ca enroll command.
Verification Commands:
ESPpix(config)# show ca identity
ESPpix(config)# show ca configure
ESPpix(config)# show ca certificate
ESPpix(config)# show ca mypubkey rsa
PASSWORD RECOVERY:
[Topology diagram: TFTP Server 10.0.0.1, PIX E1 10.0.0.10]
PIXFirewall Configuration:
First, save the existing passwords.
Reboot the PIX and press Ctrl+Break or Esc; the prompt will look like this:
Monitor> interface 1
Monitor> address 10.0.0.10
Monitor> server 10.0.0.1
Monitor> file np61.bin
Monitor> ping 10.0.0.1
Monitor> tftp
After the image has run, it prompts:
Do you wish to erase the passwords? [yn] y
OBJECT GROUPING
[Topology diagram: PIX E1 10.0.0.10 (inside), E0 20.0.0.10 (outside); hosts 10.0.0.1 and 10.0.0.2 (Local WWW Server) inside, 20.0.0.4 outside]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2, 500 Series PIX
IOS file name pix622.bin
PIXFirewall Configuration:
Esppix(config)# int e0 10full
Esppix(config)# int e1 10full
Esppix(config)# ip address outside 20.0.0.10 255.0.0.0
Esppix(config)# ip address inside 10.0.0.10 255.0.0.0
Esppix(config)# static (inside,outside) 20.0.0.21 10.0.0.1
Esppix(config)# static (inside,outside) 20.0.0.22 10.0.0.2
ICMP-Type:
Esppix(config)#object-group icmp-type icmpobject
Esppix(config-icmp-type)# icmp-object echo
Esppix(config-icmp-type)# icmp-object echo-reply
Esppix(config-icmp-type)#exit
Esppix(config)# access-list 1 permit icmp any any object-group icmpobject
Esppix(config)# access-group 1 in interface outside
At Machine 10.0.0.1:
Open the command prompt and type ping 20.0.0.4; repeat the same procedure at machine 20.0.0.4 and type ping 20.0.0.1.
Network-Type:
Esppix(config)# object-group network ftpobject
Esppix(config-network)# network-object host 20.0.0.1
Esppix(config-network)# exit
Esppix(config)# access-list 1 permit tcp object-group ftpobject any eq ftp
Esppix(config)# access-group 1 in interface outside
At Machine 20.0.0.4:
Open Internet Explorer and type ftp://20.0.0.21 in the address bar; the ftp site comes up, but you are not permitted to access another server, or another service on the same server.
Protocol-Type:
Esppix(config)# object-group protocol protoobject
Esppix(config-protocol)# protocol-object udp
Esppix(config-protocol)# protocol-object tcp
Esppix(config-protocol)# exit
Esppix(config)# access-list 1 permit object-group protoobject any any
Esppix(config)# access-group 1 in interface outside
At Machine 20.0.0.4:
This object-group only allows tcp and udp traffic from outside users, not other protocols such as ICMP.
Service-Type:
Esppix(config)# object-group service servobject1 tcp
Esppix(config-service)# port-object range 1024 65535
Esppix(config-service)# exit
Esppix(config)# object-group service servobject2 tcp
Esppix(config-service)# port-object eq http
Esppix(config-service)# exit
Esppix(config)# access-list 1 permit tcp any object-group servobject1 any object-group servobject2
Esppix(config)# access-group 1 in interface outside
At Machine 20.0.0.4:
This object group permits outside users to access only the http service, and only from source ports in the range 1024 to 65535.
Verification Commands:
Esppix(config)# show object-group
Esppix(config)# show access-list
Esppix(config)# show access-group
Esppix(config)# clear access-list
Esppix(config)# clear access-group
Esppix(config)# clear object-group
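An object group is shorthand: the firewall enforces one plain entry per combination of members, and an access-list line that references several groups produces their cross product. The following Python expander is an added example, not the manual's or Cisco's code; it reads the four object-group blocks and access-list lines from the lab above and prints the flat entries they stand for, and the function names are this example's own.

```python
"""Expand object-groups into the flat access-list entries the firewall enforces.

Added example, not from the manual. Handles the icmp-type, network, protocol
and service groups used in the lab above; members are substituted in place of
each 'object-group NAME' reference, and several references on one line are
combined as a cross product.
"""
import itertools


def parse_object_groups(config_lines):
    """Read 'object-group <type> <name>' blocks and their *-object members."""
    groups, current = {}, None
    for raw in config_lines:
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "object-group":
            current = tokens[2]
            groups[current] = {"type": tokens[1], "members": []}
        elif tokens[0] in ("icmp-object", "network-object", "protocol-object", "port-object") and current:
            groups[current]["members"].append(" ".join(tokens[1:]))
        elif tokens[0] == "exit":
            current = None
    return groups


def expand_ace(ace_line, groups):
    """'access-list 1 permit icmp any any object-group icmpobject' -> flat ACE strings."""
    tokens = ace_line.split()
    slots, alternatives, i = [], [], 0
    while i < len(tokens):
        if tokens[i] == "object-group":
            name = tokens[i + 1]
            if name not in groups:
                raise KeyError(f"object-group {name} is not defined")
            slots.append(None)                    # placeholder filled per combination
            alternatives.append(groups[name]["members"])
            i += 2
        else:
            slots.append(tokens[i])
            i += 1
    expanded = []
    for combo in itertools.product(*alternatives):  # no groups -> one unchanged line
        members = iter(combo)
        expanded.append(" ".join(tok if tok is not None else next(members) for tok in slots))
    return expanded


LAB_CONFIG = [  # the object-group blocks from the lab above
    "object-group icmp-type icmpobject", "icmp-object echo", "icmp-object echo-reply", "exit",
    "object-group network ftpobject", "network-object host 20.0.0.1", "exit",
    "object-group protocol protoobject", "protocol-object udp", "protocol-object tcp", "exit",
    "object-group service servobject1 tcp", "port-object range 1024 65535", "exit",
    "object-group service servobject2 tcp", "port-object eq http", "exit",
]

LAB_ACES = [  # the access-list lines from the lab above
    "access-list 1 permit icmp any any object-group icmpobject",
    "access-list 1 permit tcp object-group ftpobject any eq ftp",
    "access-list 1 permit object-group protoobject any any",
    "access-list 1 permit tcp any object-group servobject1 any object-group servobject2",
]


def expand_all(aces=LAB_ACES, config=LAB_CONFIG):
    """Flatten every lab ACE against the lab's groups, in the order entered."""
    groups = parse_object_groups(config)
    return [flat for ace in aces for flat in expand_ace(ace, groups)]


if __name__ == "__main__":
    print("\n".join(expand_all()))
```

Reviewing the flat output is the point: "permit object-group protoobject any any" expands to "permit tcp any any" and "permit udp any any", which opens every TCP and UDP port on every inside static from the outside, a much broader grant than the group's name suggests.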
[Topology diagram: PIX E0 20.0.0.10 (outside); hosts 10.0.0.1 and 10.0.0.2 (Local WWW Server) inside, 20.0.0.4 outside]
REQUIREMENTS:
Windows 98 Operating System
PIX IOS V6.2, 500 Series PIX
IOS file name pix622.bin
PIXFirewall Configuration:
Esppix(config)# http server enable
Esppix(config)# http 10.0.0.1
Press OK Button
Press Apply to PIX
Press OK Button
Esppix(config)# sh access-list
Esppix(config)# sh access-group
Esppix(config)# sh object-group
At Machine 20.0.0.4:
The user only has the privilege to access the web server at 20.0.0.21.