The following are some of the primary commands that are needed to configure
the PIX Security Appliance.
- hostname – assigns a hostname to the PIX.
- interface – configures the type and capability of each perimeter interface.
- nameif – assigns a name to each perimeter interface.
- ip address – assigns an IP address to each interface.
- security level – assigns the security level for the perimeter interface.
- speed – assigns the connection speed.
- duplex – assigns the duplex communications.
The hostname Command
In the example in the figure, notice that the PIX Security Appliance default
hostname label is pixfirewall. In a network of multiple PIX Security
Appliances, it may be advantageous to assign a unique hostname label to each
one. To accomplish this, use the hostname command. The hostname command changes
the hostname label on the prompts. The hostname can be up to 16 alphanumeric
characters, in upper- or lower-case. The default hostname for a PIX Security
Appliance is pixfirewall. The default hostname for the Adaptive Security
Appliance is ciscoasa. In the figure, the default hostname label of pixfirewall
is changed to "fw1" using the hostname command.
The interface Command
The interface command identifies a perimeter interface and its slot location
on the PIX Security Appliance. The PIX Security Appliance interfaces are
numbered from 0 to X, where X is the highest-numbered interface on the PIX. The
Adaptive Security Appliance interfaces are numbered 0/0, 0/1, 0/2, and so on.
For each PIX in your network, enter the appropriate interface type, slot and
port number. In the figure, if the device is a PIX, enter interface ethernet0.
If the device is an Adaptive Security Appliance, enter interface
GigabitEthernet0/0. After entering the interface command, the CLI prompt
changes to the interface configuration sub-command level. In the interface
configuration sub-commands, hardware speed and duplex, interface name, security
level, IP address, and many other settings can be configured. For an interface
to pass traffic, the nameif, ip address, security level, and no shutdown
interface configuration sub-commands are necessary. For physical interfaces,
the default state is shut down, so the no shutdown command must be entered to
enable the interface. The default security level for the interface can be
used, or the security level can be changed so that interfaces can communicate
with each other.
The syntax for the interface command is shown in the figure.
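As an added example (not one of the page's figures), the following configuration applies the four sub-commands the section lists as required to bring two interfaces up on a PIX, and then shows the only line that changes on an Adaptive Security Appliance. The hostname, interface names, security levels and addresses are constructed for illustration; on PIX 7.x and ASA software the security level sub-command is spelled security-level, which is assumed here.

```cisco
! Added example with constructed values; not from the page's figures.
hostname fw1
!
! PIX interface numbering: ethernet0, ethernet1, ... up to the highest slot.
interface ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
 no shutdown
!
interface ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
! Adaptive Security Appliance: same sub-commands, slot/port interface names.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
 no shutdown
!
! Verification from privileged EXEC mode: the interface should show as
! "up" with the name and security level you assigned.
! fw1# show nameif
! fw1# show interface ethernet0
```

Note that no shutdown is easy to forget because the other three sub-commands are accepted without error on a shut-down interface; show interface is the check that the interface is actually passing traffic.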
The nameif Command
The nameif command assigns a name to each interface on the PIX Security
Appliance. The first two interfaces have the default names inside and outside.
In the figure, interface Ethernet 2 was assigned a name of DMZ.
The syntax for the nameif command is shown in the figure.
The ip address Command
Each interface on the PIX Security Appliance can be configured with an IP
address. Use the ip address command for this purpose. The clear ip command
resets all interface IP addresses to no IP address. In the figure, the dmz
interface is configured with an IP address of 172.16.0.1 and a mask of
255.255.255.0. This command is also used to set the standby address for
failover.
The syntax for the ip address command is shown in the figure.
The ip address dhcp Command
Instead of manually configuring an IP address on the PIX Security Appliance
interface, the Dynamic Host Configuration Protocol (DHCP) client feature can be
used to have the PIX dynamically retrieve an IP address from a DHCP server.
With the PIX configured as a DHCP client, a DHCP server can configure the PIX
interface with an IP address, subnet mask, and optionally a default route. Use
the ip address dhcp sub-command to enable this feature. In the figure, the PIX
is configured to receive an IP address on the outside interface via DHCP.
Re-enter the ip address dhcp sub-command to release and renew the DHCP lease on
the PIX Security Appliance. To delete the DHCP leased IP address, use the no
form of this command. The debug dhcpc event | packet | error command provides
debugging tools for the DHCP client feature.
The security level Command
The security level sub-command specifies the PIX Security Appliance security
level of an interface, except for the inside and outside interfaces, which are
assigned security levels by default. The inside interface has a default
security level of 100 and the outside interface has a default security level
of 0. As other interfaces are named, the system assigns a default security
level of 0 to each interface. For these newly named interfaces, the
administrator should change the security level to a unique number between 1
and 99.
Normally, interfaces on the same security level cannot communicate. If it is
necessary that interfaces with the same security level are able to
communicate, use the same-security-traffic command. Two interfaces could be
assigned to the same level to allow them to communicate without using NAT, if
more than 100 communicating interfaces are needed, or if protection features
are to be applied equally to traffic between two interfaces.
If the security level of an interface is changed, the clear xlate command can
be used to clear all existing connections before they time out. Clearing the
translation table disconnects all current connections.
The speed Command
Although the hardware speed is set to automatic speed sensing by default, it is
recommended that the speed of the network interfaces is specified. This enables
the PIX Security Appliance to operate in network environments that may include
devices that do not handle auto sensing correctly.
To set the speed of a Fast Ethernet or Gigabit Ethernet interface, use the
speed command in interface configuration sub-command mode. To restore the speed
setting to the default, use the no form of this command.
The syntax for the speed command is shown in the figure.
The duplex Command
To set the duplex of a Fast Ethernet or copper Gigabit Ethernet interface, use
the duplex command in interface configuration mode. To restore the duplex
setting to the default, use the no form of this command.
The syntax for the duplex command is shown in the figure.
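As an added example (not from the page's figures) covering the ip address dhcp, security level, speed and duplex sections together, the configuration below puts the outside interface on DHCP with fixed speed and duplex, gives a DMZ interface a unique security level and a failover standby address, and permits traffic between interfaces that share a level. The addresses, the DMZ level of 50 and the setroute keyword (which asks the DHCP client to install the default route the server offers) are assumptions for illustration, as is the security-level spelling used by PIX 7.x and ASA software.

```cisco
! Added example with constructed values; not from the page's figures.
interface Ethernet0
 nameif outside
 security-level 0
 ! Pin speed and duplex where the upstream device mishandles auto sensing.
 speed 100
 duplex full
 ! Lease the address and default route from the provider's DHCP server
 ! (assumed keyword: setroute). Re-entering the line renews the lease.
 ip address dhcp setroute
 no shutdown
!
interface Ethernet2
 nameif dmz
 ! A newly named interface defaults to level 0, the same as outside, so
 ! give it a unique value between 1 and 99 before it carries traffic.
 security-level 50
 ! Primary address plus the standby address used by the failover peer.
 ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
 no shutdown
!
! Allow interfaces that share a security level to exchange traffic.
same-security-traffic permit inter-interface
!
! Privileged EXEC commands used after the change (not part of the config):
! fw1# clear xlate            ! drops every current connection
! fw1# debug dhcpc packet     ! watch the DHCP client exchange
! fw1# show interface Ethernet0
```

Because clear xlate disconnects all current connections, run it during a maintenance window rather than immediately after adjusting a security level on a busy firewall; the older translations will otherwise expire on their own timers.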