
Configuring the PIX

To configure the PIX, you'll need to connect to the unit via some sort of modem terminal program such as HyperTerm for Windows. The settings for the serial port should be 9600 8-N-1 with hardware flow control. Once this is set, you will be able to configure the unit.

Connect to the PIX via the serial port.

Put the PIX into privileged mode by typing EN or Enable.

The default password is nothing (leave the field blank) -- just press the Enter key.

This takes you to the main console screen, where you type in Config Terminal. This will put the interface into configuration mode, which will let you set up the unit itself.

Configure the interfaces

You should first configure the PIX interfaces. To do this, you will use the command nameif. The command syntax is nameif hardware_id interface_name security_level. So if you were going to configure E0, you would type in nameif ethernet0 outside security0. There are several things to keep in mind when setting the security level of each interface:

Set IP addresses

Next, you'll need to set the IP addresses of the interfaces. The command syntax is ip address interface_name ip_address subnet_mask, where interface_name is the name you gave the interface with nameif (outside, for example), not the hardware ID. So if you set the interface named outside (Ethernet0) to a public IP address on the Internet, and the IP address is 206.10.80.50 with a subnet mask of 255.255.255.192, then the command would look like ip address outside 206.10.80.50 255.255.255.192. You will do the same for the other interfaces and IP addresses.

If you need to change the interface speed, use the command syntax interface hardware_id hardware_speed.

At this point, it would be a good idea to write the configuration to Flash. To do so, type in write memory. (write terminal only displays the running configuration on the console; it does not save it.)

Enable NAT

To let users connect to the Internet or to a server that might be located in your DMZ, you'll need to use the nat and global commands. The nat command allows hosts on higher-security interfaces to start connections to lower-security interfaces.

The nat command syntax is nat (interface_name) nat_id ip_address (range) subnet_mask. So if you wanted to allow your inside interface to connect to the outside interface, the command would be nat (inside) 1 0 0.

Now, the 1 is the NAT ID, which you can use for all nat commands on all of your interfaces. However, if you don't want the lower-security interfaces to connect to your internal interface(s), use unique NAT IDs. The NAT ID also tells the PIX which global command pairs with which nat command. Use the 0 0 to specify that any host behind that interface will be able to establish connections. You could also specify a host or network address and subnet mask instead.

With NAT enabled on the interfaces, you then need to create a global IP address pool. (The outbound connection needs to have its own IP address in the outside world.) The command syntax is global (interface_id) nat_id ip_address (range) netmask subnet_mask. For example, I would enter global (outside) 1 206.10.80.51 netmask 255.255.255.192. Since I have specified only one IP address, this is a PAT (Port Address Translation) address, which means only 65,535 hosts will be able to initiate connections. If I need more connections for my hosts, then I will specify an IP address range rather than using one address. The range will be typed out fully, for example, 206.20.80.51-206.20.80.60. You cannot use the same IP address or range for any other NAT ID. If you have more than one interface, you will need to specify an additional IP address or range per interface_id.

Specify routes

Now that we have the interfaces with IP addresses and NAT configured, we need to put in a default route -- the packets need to be forwarded to their destination, don't they? To add a route, use the syntax route interface_id destination_ip destination_subnet_mask router_ip hop_count. The command route outside 0 0 206.10.80.1 1 means that for destination address 0.0.0.0 with subnet mask 0.0.0.0, route the packets to 206.10.80.1. The 1 at the end is the hop count, or how many routers a packet will have to travel through to get to its destination.

The only other thing you will have to configure is whether to let users ping IP addresses. To allow this, use the command conduit permit icmp any any. The conduit command syntax is conduit permit/deny protocol global_ip global_mask [operator_port [port]] foreign_ip foreign_mask [operator_port [port]]. To remove a conduit once it's added, put no in front of the exact command you entered before (for example, no conduit permit icmp any any).

Save the configurations

After you have configured your PIX, make sure you type in write memory. This saves the running configuration to Flash (write terminal only displays it on the console). Don't forget to reboot the machine by typing in reload.
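As an added example (not code from the original tutorial), the following Python script parses a PIX configuration built from the commands above and flags the mistakes the steps warn about: a nat ID with no matching global pool, a global pool reused by more than one nat ID, an interface without an IP address, a missing default route, and a conduit permit ... any any that opens the global address space to every source. The sample configuration is constructed; the dmz interface, its nat statement and the host conduit are assumptions added to exercise the checks.

```python
"""Audit a classic PIX configuration for the pitfalls the tutorial describes.

Added example, not code from the original page. It assumes only the
nameif / ip address / nat / global / route / conduit syntax shown above.
"""
import re
from collections import defaultdict

# Constructed sample config following the tutorial's commands. The dmz
# interface, the second nat statement and the host conduit are assumptions
# added so that the checks have something to report.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 206.10.80.50 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
nat (inside) 1 0 0
nat (dmz) 2 192.168.2.0 255.255.255.0
global (outside) 1 206.10.80.51 netmask 255.255.255.192
route outside 0 0 206.10.80.1 1
conduit permit icmp any any
conduit permit tcp host 206.10.80.52 eq 80 any
"""


def parse_config(text):
    """Reduce the commands of interest to a dict; other lines are ignored."""
    cfg = {"nameif": {}, "ip": {}, "nat": [], "global": [], "route": [], "conduit": []}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue
        cmd = parts[0]
        if cmd == "nameif" and len(parts) == 4:
            m = re.fullmatch(r"security(\d{1,3})", parts[3])
            cfg["nameif"][parts[2]] = int(m.group(1)) if m else None
        elif cmd == "ip" and len(parts) == 5 and parts[1] == "address":
            cfg["ip"][parts[2]] = (parts[3], parts[4])
        elif cmd == "nat" and len(parts) >= 5:
            cfg["nat"].append({"iface": parts[1].strip("()"), "id": parts[2],
                               "addr": parts[3], "mask": parts[4]})
        elif cmd == "global" and len(parts) >= 4:
            cfg["global"].append({"iface": parts[1].strip("()"), "id": parts[2],
                                  "pool": parts[3]})
        elif cmd == "route" and len(parts) == 6:
            cfg["route"].append({"iface": parts[1], "dest": parts[2],
                                 "mask": parts[3], "gateway": parts[4]})
        elif cmd == "conduit" and len(parts) >= 5:
            cfg["conduit"].append(parts[1:])
    return cfg


def _addr_spec(tokens, i):
    """Consume one conduit address spec: 'any', 'host X' or 'X mask'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def _skip_port(tokens, i):
    """Skip an optional operator/port pair (eq/lt/gt/neq take one port, range two)."""
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt", "neq"):
        return i + 2
    if i < len(tokens) and tokens[i] == "range":
        return i + 3
    return i


def parse_conduit(tokens):
    """tokens = [permit|deny, protocol, global_ip spec, [port], foreign_ip spec, ...]."""
    action, proto = tokens[0], tokens[1]
    global_ip, i = _addr_spec(tokens, 2)
    i = _skip_port(tokens, i)
    foreign_ip, _ = _addr_spec(tokens, i)
    return action, proto, global_ip, foreign_ip


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, level in cfg["nameif"].items():
        if level is None or not 0 <= level <= 100:
            findings.append(f"interface {name}: security level missing or outside 0-100")
        if name not in cfg["ip"]:
            findings.append(f"interface {name}: no ip address configured")
    # The NAT ID is what ties a nat statement to its global pool.
    global_ids = {g["id"] for g in cfg["global"]}
    for n in cfg["nat"]:
        if n["id"] not in global_ids:
            findings.append(f"nat ({n['iface']}) {n['id']}: no matching global pool")
    # A global address or range may serve only one NAT ID.
    ids_per_pool = defaultdict(set)
    for g in cfg["global"]:
        ids_per_pool[g["pool"]].add(g["id"])
    for pool, ids in ids_per_pool.items():
        if len(ids) > 1:
            findings.append(f"global pool {pool}: reused by nat ids {sorted(ids)}")
    if not any(r["dest"] in ("0", "0.0.0.0") and r["mask"] in ("0", "0.0.0.0")
               for r in cfg["route"]):
        findings.append("no default route (route <iface> 0 0 <gateway>)")
    # 'conduit permit <proto> any any' admits every source to every global address.
    for tokens in cfg["conduit"]:
        action, proto, g_ip, f_ip = parse_conduit(tokens)
        if action == "permit" and g_ip == "any" and f_ip == "any":
            findings.append(f"conduit permit {proto} any any: open to all sources")
    return findings


def audit_text(text):
    return audit(parse_config(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports the dmz nat statement with no global pool for NAT ID 2 and the wide-open ICMP conduit; after pairing the dmz interface with NAT ID 1 and dropping that conduit, the audit comes back clean.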