Getting Started with the PIX Security Appliance
Basic PIX Security Appliance configuration commands

The following are some of the primary commands needed to configure the PIX Security Appliance.

  • hostname – Assigns a hostname to the PIX.
  • interface – Configures the type and capability of each perimeter interface.
  • nameif – Assigns a name to each perimeter interface.
  • ip address – Assigns an IP address to each interface.
  • security level – Assigns the security level for the perimeter interface.
  • speed – Assigns the connection speed.
  • duplex – Assigns the duplex communications.

The hostname Command
In the example in the Figure, notice that the PIX Security Appliance default hostname label is pixfirewall. In a network of multiple PIX Security Appliances, it may be advantageous to assign a unique hostname label to each one. To accomplish this, use the hostname command. The hostname command changes the hostname label shown in the prompts. The hostname can be up to 16 alphanumeric characters and may mix upper- and lower-case letters. The default hostname for a PIX Security Appliance is pixfirewall. The default name for the Adaptive Security Appliance is ciscoasa. In the Figure, the default hostname label of pixfirewall is changed to "fw1" using the hostname command.

The interface Command
The interface command identifies a perimeter interface and its slot location on the PIX Security Appliance. The PIX Security Appliance interfaces are numbered from 0 to X, where X is the highest-numbered interface on the PIX. The Adaptive Security Appliance interfaces are numbered 0/0, 0/1, 0/2, and so on. For each PIX in your network, enter the appropriate interface type, slot, and port number. In the Figure, if the device is a PIX, enter interface ethernet0. If the device is an Adaptive Security Appliance, enter interface GigabitEthernet0/0. After entering the interface command, the CLI prompt changes to the interface configuration sub-command level. In the interface configuration sub-commands, hardware speed and duplex, interface name, security level, IP address, and many other settings can be configured. For an interface to pass traffic, the nameif, ip address, security level, and no shutdown interface configuration sub-commands are necessary. For physical interfaces, the default state is shut down, so the no shutdown command must be entered to enable the interface. The default security level for the interface can be used, or the security level can be changed so that interfaces can communicate with each other.

The syntax for the interface command is shown in the Figure.

The nameif Command
The nameif command assigns a name to each interface on the PIX Security Appliance. The first two interfaces have the default names inside and outside. In the Figure, interface Ethernet 2 was assigned the name DMZ.

The syntax for the nameif command is shown in the Figure.

The ip address Command
Each interface on the PIX Security Appliance can be configured with an IP address. Use the ip address command for this purpose. The clear ip command resets all interface IP addresses to no IP address. In the Figure, the dmz interface is configured with an IP address of 172.16.0.1 and a mask of 255.255.255.0. The same command can also set the standby address used for failover.

The syntax for the ip address command is shown in the Figure.

The ip address dhcp Command
Instead of manually configuring an IP address on a PIX Security Appliance interface, the Dynamic Host Configuration Protocol (DHCP) client feature can be used to have the PIX dynamically retrieve an IP address from a DHCP server. With the PIX configured as a DHCP client, a DHCP server can configure the PIX interface with an IP address, a subnet mask, and optionally a default route. Use the ip address dhcp sub-command to enable this feature. In the Figure, the PIX is configured to receive an IP address on the outside interface via DHCP.

Re-enter the ip address dhcp sub-command to release and renew the DHCP lease on the PIX Security Appliance. To delete the DHCP-leased IP address, use the no form of this command. The debug dhcpc event | packet | error command provides debugging tools for the DHCP client feature.

The security level Command
The security level sub-command specifies the security level of a PIX Security Appliance interface, except for the inside and outside interfaces, which are assigned security levels by default. The inside interface has a default security level of 100 and the outside interface has a default security level of 0. As other interfaces are named, the system assigns a default security level of 0 to each interface. For these newly named interfaces, the administrator should change the security level to a unique number between 1 and 99.

Normally, interfaces on the same security level cannot communicate. If interfaces with the same security level must be able to communicate, use the same-security-traffic command. Assigning two interfaces the same level is useful when they need to communicate without using NAT, when more than 100 communicating interfaces are needed, or when protection features are to be applied equally to traffic between the two interfaces.

If the security level of an interface is changed, the clear xlate command can be used to clear all existing connections before they time out. Clearing the translation table disconnects all current connections.

The speed Command
Although the hardware speed is set to automatic speed sensing by default, it is recommended that the speed of the network interfaces be specified explicitly. This enables the PIX Security Appliance to operate in network environments that may include devices that do not handle auto-sensing correctly.

To set the speed of a Fast Ethernet or Gigabit Ethernet interface, use the speed command in interface configuration mode. To restore the speed setting to the default, use the no form of this command.

The syntax for the speed command is shown in the Figure.

The duplex Command
To set the duplex of a Fast Ethernet or copper Gigabit Ethernet interface, use the duplex command in interface configuration mode. To restore the duplex setting to the default, use the no form of this command.

The syntax for the duplex command is shown in the Figure.
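The interface, nameif, ip address, security level and no shutdown sub-commands above must all be present before an interface passes traffic, and a newly named interface that is left at the default level 0 shares a level with outside. The following Python script is an added example, not code from the original page or from Cisco: it parses a constructed configuration written in the 7.x interface sub-command syntax (keyword security-level) and reports interfaces that are still shut down, that lack an address or name, that sit at level 0, or that share a level with another interface and so will not exchange traffic without same-security-traffic.

```python
# Constructed PIX 7.x-style config (not a real device); dmz is left at the default level 0.
SAMPLE_CONFIG = """\
interface ethernet0
 nameif outside
 security-level 0
 ip address dhcp
 no shutdown
interface ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
interface ethernet2
 nameif dmz
 ip address 172.16.0.1 255.255.255.0
"""

def parse_interfaces(config):
    """Group each interface's sub-commands under its 'interface' line."""
    interfaces, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            cur = interfaces[words[1]] = {"shutdown": True}  # default state
        elif cur is not None and words[:2] == ["no", "shutdown"]:
            cur["shutdown"] = False
        elif cur is not None and words[:2] == ["ip", "address"]:
            cur["ip address"] = " ".join(words[2:])  # "dhcp" or "addr mask"
        elif cur is not None and words[:1] in (["nameif"], ["security-level"]):
            cur[words[0]] = int(words[1]) if words[0] == "security-level" else words[1]
    return interfaces

def audit(config):
    """Return one finding per interface problem; an empty list means clean."""
    findings, levels = [], {}
    for slot, cfg in parse_interfaces(config).items():
        label = cfg.get("nameif", slot)
        findings += [f"{label}: missing {k}" for k in ("nameif", "ip address") if k not in cfg]
        if cfg["shutdown"]:
            findings.append(f"{label}: still shut down (needs 'no shutdown')")
        # A named interface with no explicit level sits at the PIX default of 0.
        level = cfg.get("security-level", 0 if "nameif" in cfg else None)
        if level == 0 and cfg.get("nameif") != "outside":
            findings.append(f"{label}: security level 0, same as outside")
        if level is not None:
            levels.setdefault(level, []).append(label)
    for level, names in levels.items():
        if len(names) > 1:
            findings.append(f"level {level} shared by {', '.join(names)}: needs same-security-traffic")
    return findings
```

Running audit(SAMPLE_CONFIG) reports three findings for dmz; adding security-level 50 and no shutdown to ethernet2 clears all of them.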