Help with (very) basic PIX 515e configuration


  • Help with (very) basic PIX 515e configuration

    Hi All.

    As part of my uni project I hope to assess what effect firewalls have on latency and throughput. One of the firewalls I will be using is the PIX 515e, which I don't have any experience of, although I am familiar with Cisco IOS having done CCNA1-4.

    In the first instance, all I want is for the PIX to pass traffic without any restrictions (in one direction anyway). The test network will be very simple, i.e. the PIX separating a 'client' and a 'web server'. From what I gather, the required commands are as follows:

    # Give each interface a name and security setting:
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    # Set speed and enable interface:
    interface ethernet0 100full
    interface ethernet1 100full

    # Assign IP addresses
    ip address outside
    ip address inside

    The client would of course be on the inside net and the server on the outside net. At this point I am hoping the client will be able to reach the server, since it is going from high to low security.

    My questions are:

    1) Am I on the right track or being totally naive?
    2) I don't want to use NAT, so does it need to be disabled? (using NAT ID 0)

    Any comments would be greatly appreciated.


  • #2
    Re: Help with (very) basic PIX 515e configuration

    Your basic setup is fine.

    High to low security means you don't need to give permissions as such.
    If you don't want to use the nat and global commands, then use the static.


    static (inside,outside) 10.0.0.x 192.168.0.x
    where the x's are the IP addresses of the host machines.

    The latency is almost untraceable in this situation I would guess.

    While you are automatically allowed high to low security, therefore "one direction only", you are also allowing the responses, so I wouldn't say "one direction only" because the PIX is stateful; it is more like the requests are only allowed to be initiated one way.

    You would "normally" be doing this the other way though. The web server would be on the inside and the client would be outside. In which case you would need to set up an ACL like

    access-list inbound_on_outside permit tcp any host 192.168.0.x eq http
    access-group inbound_on_outside in interface outside

    Please read this before you post:

    Quis custodiet ipsos custodes?


    • #3
      Re: Help with (very) basic PIX 515e configuration

      Hi Andy, thanks for your reply.

      A few questions:

      1) What is the 'static' command actually doing? Would traffic pass without it?

      2) You say 'normally' this would be done the other way round. Obviously my setup is hypothetical, but the way I see it is that the client (internal – high trust) is accessing a server on the internet (external – low trust). Do you mean if I was (hypothetically) hosting the web server and the client was accessing it from the internet?

      My wording for "one direction only" could have been better, I understand the stateful aspect. As for the latency, the idea is to get a baseline measurement, then retest with say 10, 50, 100 rules and then with content filtering.

      Thanks again.


      • #4
        Re: Help with (very) basic PIX 515e configuration

        No traffic would pass without the static as it has no "route" for want of a better expression.
        You need a static or a nat statement.
        The PIX isn't a router.

        Well, normally is probably a poor choice of mine.
        You can set it up whichever way you want. I suppose I have always used the PIX primarily for publishing things rather than restricting what internal hosts can do. Having said that, it doesn't matter. The PIX does allow outbound traffic by default, so you are automatically allowing all traffic out between the two hosts when you create the static. To stop this you will have to add in an ACL to only allow certain traffic.
        If you were publishing the server instead (i.e. the other way round) then the PIX blocks all traffic from low to high security, therefore you need to add in ACLs to allow traffic instead (the opposite).
        Hope I explained that OK.

        OK, no worries on the latency bit.

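Pulling the thread together, here is an added example of a complete minimal PIX 6.x lab configuration for the two-host setup discussed above. It is not configuration posted by anyone in the thread; the addresses (192.168.0.0/24 inside, 10.0.0.0/24 outside, client 192.168.0.10) and the use of an identity static are assumptions chosen to match the original poster's "no NAT" requirement, and the `!` comment lines are for the reader rather than part of the config.

```cisco
! Interface names and security levels (as in the original post)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
! Placeholder addressing for the lab (constructed, not from the thread)
ip address outside 10.0.0.1 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
!
! Translation entry required before the PIX will forward for an inside host.
! Mapping the client to its own address (an "identity" static) means no
! translation actually happens, which is what "no NAT" amounts to on a PIX.
static (inside,outside) 192.168.0.10 192.168.0.10 netmask 255.255.255.255
!
! Alternative to the static for the whole inside subnet, using NAT ID 0
! as the original poster suggested (assumed PIX 6.x syntax):
! nat (inside) 0 192.168.0.0 255.255.255.0
!
! Baseline measurement: no ACL bound to the inside interface, so inside
! (security100) to outside (security0) is allowed by default and replies
! are matched against the stateful connection table.
!
! Reverse scenario from post #2 (web server on the inside, client outside):
! low-to-high is denied by default, so an inbound ACL must be bound to outside.
! access-list inbound_on_outside permit tcp any host 192.168.0.10 eq www
! access-group inbound_on_outside in interface outside
!
! Checks once the config is in:
! show xlate        - confirms the static created a translation slot
! show conn         - active connections, proves the return path is stateful
! show access-list  - per-entry hit counts, useful when the rule count is
!                     increased for the latency tests
```

For the latency test itself, the outbound ACL that post #4 mentions is the place to grow the rule count: bind an `access-group ... in interface inside` list and add entries that do not match the test traffic ahead of the permit, so each run exercises more rule evaluation without changing what is allowed.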