title: CISCO 506E Firewall Configuration
date: 2012-08-27 14:09:18
tags:#
The Cisco PIX 506E firewall is an enhanced version of the widely used Cisco PIX 506 firewall. It provides enterprise-level security for remote offices and branch locations through a reliable and powerful security device. The PIX 506E firewall is part of the market-leading Cisco PIX firewall series and offers rich security features and robust remote management capabilities in a cost-effective, high-performance package, making it particularly suitable for securing internet connections at remote/branch locations. The PIX 506E also provides higher 3DES VPN performance, offering a 70% performance improvement over the PIX 506 in certain applications.
Enterprise-level security for remote offices/branch locations
The Cisco PIX 506E firewall is a security device designed for specific needs, providing a wide range of security services in a single device, including stateful firewall, virtual private network (VPN), and intrusion prevention. Utilizing Cisco's latest Adaptive Security Algorithm (ASA) and PIX operating system, the PIX 506E ensures the security of all authorized users and helps protect against potential internet threats. Its powerful stateful inspection technology tracks all network requests from authorized users, preventing unauthorized network access. With the flexible access control capabilities of the PIX 506E, administrators can implement customized policies for network traffic passing through the firewall. The PIX 506E seamlessly integrates with your backend enterprise databases, allowing strict authentication of external access to network resources through direct use of TACACS/RADIUS or indirect use of Cisco Secure Access Control Server (ACS).
The Cisco PIX 506E firewall also utilizes its standards-based Internet Key Exchange (IKE)/IP Security (IPSec) VPN functionality to ensure the security of all network communications between remote offices and the corporate network over the internet. By encrypting data using 56-bit Data Encryption Standard (DES) or optional advanced 168-bit Triple DES (3DES) encryption, sensitive enterprise data can be securely transmitted over the internet without being intercepted.
The integrated intrusion prevention capabilities of the PIX 506E protect your network against various common attacks. By detecting over 55 different attack "signatures," the PIX can detect and block various attacks in real time, or notify you of them.
Powerful remote management capabilities
The Cisco PIX 506E is a reliable and easy-to-maintain platform that provides multiple configuration, monitoring, and diagnostic options. The range of PIX management solutions is extensive, ranging from an integrated web-based management tool to centralized policy-based tools, as well as support for various remote monitoring protocols such as Simple Network Management Protocol (SNMP) and system logs.
The PIX Device Manager (PDM) provides administrators with an intuitive web-based interface for easy configuration and monitoring of a PIX 506E without installing any software on the administrator's computer (other than a standard web browser). Administrators can also remotely configure, monitor, and diagnose the PIX 506E using its command-line interface (CLI) through various methods, including Telnet, Secure Shell (SSH), and out-of-band access through the console port.
Administrators can also conveniently manage multiple PIX 506E firewalls remotely through the Cisco VPN/Security Management Solution (VMS) using the Cisco Security Policy Manager (CSPM). CSPM 3.0 is an extensible, next-generation centralized management solution for PIX firewalls, offering various features such as task-based interfaces, interactive network topology maps, policy wizards, policy output functions, and more.
Opening a specific port for a machine (assuming the machine's public, i.e. global, address is 1.1.1.1; the `conduit` command takes the global address first, then the port, then the permitted foreign source):

```
conduit permit tcp host 1.1.1.1 eq 2000 any
```
To check the status of an open port, you should use "show static," but I'm not entirely sure.
Here is the basic configuration for the PIX 506:
- Connect the PIX 506 to power and turn on the computer.
- Connect the CONSOLE port to the computer's serial port and run the HyperTerminal program to access the PIX system through the CONSOLE port.
- Enter privileged mode:

```
PIX> enable
PIX#
```

- Enter global configuration mode and set the Telnet login password:

```
PIX# configure terminal
PIX(config)# passwd chenhong
```

- Change the PIX hostname and set the range of addresses allowed to Telnet to the PIX:

```
PIX(config)# hostname MFPIX
MFPIX(config)# telnet 10.8.0.0 255.255.254.0 inside
```

- Configure the Ethernet interface parameters and set both ports (E0, E1) to auto-negotiation:

```
MFPIX(config)# interface ethernet0 auto
MFPIX(config)# interface ethernet1 auto
```

- Name the internal and external interfaces and assign security levels (by default, Ethernet0 is the outside interface and Ethernet1 is the inside interface, so changing this step is generally not recommended):

```
MFPIX(config)# nameif ethernet0 outside security0
MFPIX(config)# nameif ethernet1 inside security100
```

- Configure IP addresses for the inside and outside interfaces:

```
MFPIX(config)# ip address inside 192.168.2.1 255.255.255.252
MFPIX(config)# ip address outside 211.96.81.30 255.255.255.240
```

- Specify the external IP address or address range (the global NAT pool):

```
MFPIX(config)# global (outside) 1 211.96.81.18-211.96.81.29
```

- Define the internal address ranges that require address translation:

```
MFPIX(config)# nat (inside) 1 10.8.0.0 255.255.254.0
MFPIX(config)# nat (inside) 1 10.8.6.0 255.255.192.0
MFPIX(config)# nat (inside) 1 10.8.7.0 255.255.192.0
MFPIX(config)# nat (inside) 1 10.8.8.0 255.255.224.0
```

- Map a static public IP address to a specific host on the internal network:

```
MFPIX(config)# static (inside,outside) 211.96.81.20 10.8.0.9
MFPIX(config)# static (inside,outside) 211.96.81.21 10.8.0.79
```

- Set up the routes to the internal and external networks. The `route` command takes the next-hop gateway as its last argument; `<inside-router-ip>` below is a placeholder for the address of the internal router reached through the inside interface:

```
MFPIX(config)# route outside 0.0.0.0 0.0.0.0 211.96.81.17
MFPIX(config)# route inside 10.8.0.0 255.255.254.0 <inside-router-ip>
MFPIX(config)# route inside 10.8.6.0 255.255.255.192 <inside-router-ip>
MFPIX(config)# route inside 10.8.7.0 255.255.255.192 <inside-router-ip>
MFPIX(config)# route inside 10.8.8.0 255.255.255.224 <inside-router-ip>
```

- Set the control options. Allow the web and mail servers (and the host mapped to 211.96.81.21 on TCP 3389):

```
MFPIX(config)# conduit permit tcp host 211.96.81.20 eq www any
MFPIX(config)# conduit permit tcp host 211.96.81.20 eq smtp any
MFPIX(config)# conduit permit tcp host 211.96.81.20 eq pop3 any
MFPIX(config)# conduit permit tcp host 211.96.81.21 eq 3389 any
```

Allow PING from internal and external hosts:

```
MFPIX(config)# conduit permit icmp any any
```

- Basic configuration is complete.
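A defender's check for the control options above, as an added example that is not part of the original post or of any Cisco tooling: a small Python script that parses the `global`, `static` and `conduit` commands, lists which inside hosts each permit actually exposes (by resolving the conduit's global address through the static mappings), and flags items worth reviewing: a static address that also lies inside the global NAT pool, a conduit whose global address has no static behind it, a remote-management service opened to `any` (the `RISKY_PORTS` list is a hypothetical local policy), and ICMP permitted from any to any. The sample configuration is constructed from the commands on this page, with the 1.1.1.1 port-opening example folded in; the parser handles only the conduit forms shown here (`any`, `host`, address/mask, `eq`/`neq`/`lt`/`gt`/`range`) and explicit address-range global pools.

```python
import ipaddress
import re

# Constructed sample: PIX 6.x-style commands taken from the basic configuration
# above plus the 1.1.1.1 example. Not a real device dump.
SAMPLE_CONFIG = """
global (outside) 1 211.96.81.18-211.96.81.29
nat (inside) 1 10.8.0.0 255.255.254.0
static (inside,outside) 211.96.81.20 10.8.0.9
static (inside,outside) 211.96.81.21 10.8.0.79
conduit permit tcp host 211.96.81.20 eq www any
conduit permit tcp host 211.96.81.20 eq smtp any
conduit permit tcp host 211.96.81.20 eq pop3 any
conduit permit tcp host 211.96.81.21 eq 3389 any
conduit permit tcp host 1.1.1.1 eq 2000 any
conduit permit icmp any any
"""

# Hypothetical local policy: services that should never be reachable from "any".
RISKY_PORTS = {"3389": "RDP", "23": "Telnet", "telnet": "Telnet", "445": "SMB"}

# static (inside,outside) GLOBAL LOCAL  (a space after the comma is tolerated)
STATIC_RE = re.compile(r"^static\s+\((\w+),\s*(\w+)\)\s+(\S+)\s+(\S+)")


def _take_addr(tok, i):
    """Consume one conduit address spec (any | host A | A MASK) at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _take_port(tok, i):
    """Consume an optional port operator (eq/neq/lt/gt PORT or range LO HI)."""
    if i < len(tok) and tok[i] in ("eq", "neq", "lt", "gt"):
        return f"{tok[i]} {tok[i + 1]}", i + 2
    if i < len(tok) and tok[i] == "range":
        return f"range {tok[i + 1]} {tok[i + 2]}", i + 3
    return None, i


def parse_conduit(line):
    """conduit permit|deny PROTO GLOBAL [op port] FOREIGN [op port]."""
    tok = line.split()
    dst, i = _take_addr(tok, 3)        # global (outside-facing) address
    dport, i = _take_port(tok, i)
    src, i = _take_addr(tok, i)        # foreign source allowed to connect
    sport, _ = _take_port(tok, i)
    return {"action": tok[1], "proto": tok[2], "dst": dst, "dport": dport,
            "src": src, "sport": sport}


def parse_config(text):
    cfg = {"pools": [], "static": {}, "conduits": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("global "):
            # only explicit "first-last" pools; a lone address becomes a 1-address pool
            lo, _, hi = line.split()[3].partition("-")
            cfg["pools"].append((ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)))
        elif line.startswith("static "):
            m = STATIC_RE.match(line)
            cfg["static"][m.group(3)] = m.group(4)   # global ip -> local ip
        elif line.startswith("conduit "):
            cfg["conduits"].append(parse_conduit(line))
    return cfg


def exposure(cfg):
    """Inside hosts reachable from outside: (local_ip, proto, port_spec, source)."""
    out = []
    for c in cfg["conduits"]:
        if c["action"] != "permit" or c["dst"].prefixlen != 32:
            continue
        local = cfg["static"].get(str(c["dst"].network_address))
        if local:
            out.append((local, c["proto"], c["dport"], str(c["src"])))
    return sorted(out)


def audit(cfg):
    """Return human-readable findings about pool/static/conduit consistency."""
    findings = []
    for g, local in cfg["static"].items():
        if any(lo <= ipaddress.ip_address(g) <= hi for lo, hi in cfg["pools"]):
            findings.append(f"static {g}->{local} overlaps the global NAT pool")
    for c in cfg["conduits"]:
        if c["action"] != "permit":
            continue
        if c["dst"].prefixlen == 32 and str(c["dst"].network_address) not in cfg["static"]:
            findings.append(f"conduit to {c['dst'].network_address} has no matching static")
        if c["src"].prefixlen == 0:                      # source is "any"
            port = c["dport"].split()[-1] if c["dport"] else None
            if port in RISKY_PORTS:
                findings.append(f"{RISKY_PORTS[port]} on {c['dst'].network_address} open to any")
            if c["proto"] == "icmp" and c["dst"].prefixlen == 0:
                findings.append("all ICMP permitted from any to any")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for row in exposure(cfg):
        print("exposed:", row)
    for f in audit(cfg):
        print("finding:", f)
```

Feed it the output of `show running-config` (or the relevant lines of it) instead of `SAMPLE_CONFIG` to review a live box; each line in `exposure()` is a service an outside host can reach, and each `audit()` finding is a rule to justify or tighten.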