The PIX firewall can be emulated with PEMU (a customized version of QEMU), which runs a PIX image. On Windows it is started with the batch script below:
@echo off
ECHO Telnet to 127.0.0.1 on port 4000 to access PIX Console
ECHO -------------------------------------------------------
ECHO * * * * * * *DO NOT CLOSE THIS WINDOW* * * * * * * *
pemu.exe -net nic,vlan=1,macaddr=00:00:00:00:00:01 -net udp,vlan=1,sport=3000,dport=3001,daddr=127.0.0.01 -net nic,vlan=2,macaddr=00:00:00:00:00:02 -net udp,vlan=2,sport=3002,dport=3003,daddr=127.0.0.01 -net nic,vlan=3,macaddr=00:00:00:00:00:03 -net udp,vlan=3,sport=3004,dport=3005,daddr=127.0.0.01 -m 128 -serial telnet::4000,server,nowait FLASH_context
Once booted, the emulated PIX reports (from show version):
Config file at boot was "startup-config"
pixfirewall up 6 secs
Hardware: PIX-525, 128 MB RAM, CPU Pentium II 1 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : address is 0000.0000.0001, irq 9
1: Ext: Ethernet1 : address is 0000.0000.0002, irq 11
2: Ext: Ethernet2 : address is 0000.0000.0003, irq 11
Licensed features for this platform:
Security Contexts : 2
This platform has an Unrestricted (UR) license.
The interface assignment on the PIX:
PIX Version 8.0(4)
hostname pixfirewall
interface Ethernet0
interface Ethernet1
interface Ethernet1.121
vlan 121
interface Ethernet1.122
vlan 122
interface Ethernet2
The routers and the Ethernet switch run in Dynamips; the Dynagen .net file below connects them to the PIX through UDP NIOs whose ports mirror the sport/dport pairs in the PEMU script:
autostart = False
[localhost:7200]
workingdir = C:\Program Files\Dynamips\PIX\wrk
[[3640]]
image = C:\Program Files\Dynamips\images\c3640-jk9o3s-mz.123-14.T7.bin
ram = 128
ghostios = True
[[router R1]]
model = 3640
f0/0 = SW1 1
[[Router R2]]
model = 3640
f0/0 = SW1 2
[[Router R3]]
model = 3640
f0/0 = NIO_udp:3001:127.0.0.1:3000 # outside PIX e0
[[Router R4]]
model = 3640
f0/0 = NIO_udp:3005:127.0.0.1:3004 # dmz PIX e2
[[ETHSW SW1]]
1 = access 121
2 = access 122
5 = dot1q 1 NIO_udp:3003:127.0.0.1:3002 #inside PIX e1 (TRUNK)
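The UDP tunnels only come up when each PEMU `sport`/`dport` pair is mirrored by a Dynagen `NIO_udp:<local>:<host>:<remote>` entry. The following added check (example code, not part of the original post) parses constructed excerpts of both files above and reports every tunnel end that has no matching peer:

```python
import re

# Constructed excerpts of the PEMU command line and of the Dynagen .net
# file shown in this post (example code, not part of the original post).
PEMU_CMDLINE = (
    "pemu.exe -net nic,vlan=1,macaddr=00:00:00:00:00:01 "
    "-net udp,vlan=1,sport=3000,dport=3001,daddr=127.0.0.01 "
    "-net nic,vlan=2,macaddr=00:00:00:00:00:02 "
    "-net udp,vlan=2,sport=3002,dport=3003,daddr=127.0.0.01 "
    "-net nic,vlan=3,macaddr=00:00:00:00:00:03 "
    "-net udp,vlan=3,sport=3004,dport=3005,daddr=127.0.0.01 "
    "-m 128 -serial telnet::4000,server,nowait FLASH_context"
)
DYNAGEN_NET = """[[Router R3]]
f0/0 = NIO_udp:3001:127.0.0.1:3000 # outside PIX e0
[[Router R4]]
f0/0 = NIO_udp:3005:127.0.0.1:3004 # dmz PIX e2
[[ETHSW SW1]]
5 = dot1q 1 NIO_udp:3003:127.0.0.1:3002 #inside PIX e1 (TRUNK)
"""

PEMU_UDP = re.compile(r"-net udp,vlan=(\d+),sport=(\d+),dport=(\d+)")
# Dynagen form: <port> = [dot1q <vlan>] NIO_udp:<local>:<host>:<remote>
NIO_UDP = re.compile(r"^\s*(\S+)\s*=\s*(?:dot1q\s+\d+\s+)?NIO_udp:(\d+):[\d.]+:(\d+)")

def pemu_links(cmdline):
    """PIX vlan -> (sport, dport): PEMU listens on sport, sends to dport."""
    return {int(v): (int(s), int(d)) for v, s, d in PEMU_UDP.findall(cmdline)}

def dynagen_links(net_text):
    """[(device, port, local_port, remote_port)] for every NIO_udp line."""
    links, device = [], None
    for line in net_text.splitlines():
        sec = re.match(r"\s*\[\[(.+?)\]\]", line)
        if sec:
            device = sec.group(1)
        elif (m := NIO_UDP.match(line)):
            links.append((device, m.group(1), int(m.group(2)), int(m.group(3))))
    return links

def check_wiring(cmdline, net_text):
    """A tunnel only works if PEMU's sport is the NIO's remote port and
    PEMU's dport is the NIO's local port; report every unmatched side."""
    pemu, dyn = pemu_links(cmdline), dynagen_links(net_text)
    mirrored = {(remote, local) for _, _, local, remote in dyn}
    pemu_pairs = set(pemu.values())
    problems = [f"PIX vlan {v}: no Dynamips NIO_udp:{d}:127.0.0.1:{s}"
                for v, (s, d) in sorted(pemu.items()) if (s, d) not in mirrored]
    problems += [f"{dev} {port}: NIO_udp:{l}:127.0.0.1:{r} has no PEMU peer"
                 for dev, port, l, r in dyn if (r, l) not in pemu_pairs]
    return problems
```

An empty result means all three PIX interfaces are wired to a router or switch port; a swapped or mistyped port number shows up as two complaints, one for each orphaned end.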
There is no difference between PIX and ASA in terms of context configuration (at least since PIX version 7). The PIX is configured with two customer contexts, CustomerA and CustomerB, in addition to the admin context:
pixfirewall# sh context
Context Name   Class     Interfaces                          URL
*admin         default                                       flash:/admin.cfg
 CustomerA     default   Ethernet0,Ethernet1.121,Ethernet2   flash:/CustomerA.cfg
 CustomerB     default   Ethernet0,Ethernet1.122,Ethernet2   flash:/CustomerB.cfg
Total active Security Contexts: 3
R1 (f0/0, 136.1.0.1) can ping the R4 loopback (150.1.4.4) in the dmz and the R3 FastEthernet interface 136.1.123.3 on the outside:
R1#ping 150.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/116/148 ms
The R1 address is PAT-translated on the PIX to 136.1.124.121, the dmz interface address of the CustomerA context (R2 is translated to 136.1.124.122, the dmz interface of the CustomerB context):
pixfirewall/CustomerA# sh x
2 in use, 2 most used
PAT Global 136.1.123.100(80) Local 136.1.0.1(80)
PAT Global 136.1.124.121(1) Local 136.1.0.1 ICMP id 0
The outside router R3 can ping R1 through the PAT address 136.1.123.121, which is the outside interface of the CustomerA context (R2 is reachable via 136.1.123.122, the outside interface of the CustomerB context):
R3#ping 136.1.123.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.123.121, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/46/72 ms
pixfirewall/CustomerA# sh x
2 in use, 2 most used
PAT Global 136.1.123.100(80) Local 136.1.0.1(80)
PAT Global 136.1.123.121(1) Local 136.1.0.1 ICMP id 1
As the 'sh x' output on the PIX shows, there is also a static translation from Global 136.1.123.100 port www to Local 136.1.0.1(80), which allows connections to the Customer A internal web server (simulated here by the HTTP server on router R1):
R3#telnet 136.1.123.100 80
Trying 136.1.123.100, 80 ... Open
GET /
Cisco Systems
Accessing Cisco 3640 "R1"
The same holds for Customer B: R2 can ping the R4 loopback (150.1.4.4) in the dmz and the R3 FastEthernet interface 136.1.123.3 on the outside. It is PAT-translated on the PIX to 136.1.124.122 in the dmz and to 136.1.123.122 on the outside (the dmz and outside interfaces of the CustomerB context):
R2#ping 150.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/122/144 ms
pixfirewall/CustomerB# sh x
3 in use, 3 most used
PAT Global 136.1.123.101(23) Local 136.1.0.2(23)
PAT Global 136.1.124.122(2) Local 136.1.0.2 ICMP id 1
PAT Global 136.1.124.122(1) Local 136.1.0.2 ICMP id 0
R2#ping 136.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/122/144 ms
pixfirewall/CustomerB# sh x
2 in use, 5 most used
PAT Global 136.1.123.101(23) Local 136.1.0.2(23)
PAT Global 136.1.123.122(3) Local 136.1.0.2 ICMP id 4
R3#ping 136.1.123.122
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.123.122, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/78/132 ms
Because of the static translation Global 136.1.123.101(23) Local 136.1.0.2(23), R3 on the outside can telnet to the inside router R2:
R3#telnet 136.1.123.101
Trying 136.1.123.101 ... Open
User Access Verification
Password:
R2>
In the above scenario a Windows XP PC with a 2.66 GHz CPU and 2 GB RAM was used. During this lab the CPU was at 100%, which resulted in relatively long response times, but this did not affect typing or using the browser on the computer.
Interface configuration on the PIX firewall:
pixfirewall/CustomerA# sh int ip b
Interface   IP-Address      OK? Method Status Protocol
outside     136.1.123.121   YES CONFIG up     up
insideA     136.1.0.12      YES CONFIG up     up
dmz         136.1.124.121   YES CONFIG up     up
pixfirewall/CustomerA# changeto context CustomerB
pixfirewall/CustomerB# sh int ip b
Interface   IP-Address      OK? Method Status Protocol
outside     136.1.123.122   YES CONFIG up     up
insideB     136.1.0.12      YES CONFIG up     up
dmz         136.1.124.122   YES CONFIG up     up
and the NAT configuration of each context:
pixfirewall# changeto context CustomerA
pixfirewall/CustomerA# sh run nat
nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall/CustomerA# sh run static
static (inside,outside) tcp 136.1.123.100 www 136.1.0.1 www netmask 255.255.255.255
pixfirewall/CustomerA# sh run global
global (outside) 1 interface
global (dmz) 1 interface
pixfirewall/CustomerA# changeto context CustomerB
pixfirewall/CustomerB# sh run nat
nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall/CustomerB# sh run static
static (inside,outside) tcp 136.1.123.101 telnet 136.1.0.2 telnet netmask 255.255.255.255
pixfirewall/CustomerB# sh run global
global (outside) 1 interface
global (dmz) 1 interface
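Because both contexts use `global (...) 1 interface`, every dynamic PAT entry in a context must carry one of that context's own interface addresses, and a static's global address must only ever pair with the local address it was written for. The following added audit (example code, not part of the original post) parses constructed excerpts of the CustomerA outputs above and flags any xlate entry that breaks either rule:

```python
import re

# Constructed excerpts of 'sh int ip b', 'sh run static' and 'sh x' from the
# CustomerA context in this post (example code, not part of the original post).
INT_A = """Interface IP-Address OK? Method Status Protocol
outside 136.1.123.121 YES CONFIG up up
insideA 136.1.0.12 YES CONFIG up up
dmz 136.1.124.121 YES CONFIG up up"""
STATIC_A = ("static (inside,outside) tcp 136.1.123.100 www 136.1.0.1 www "
            "netmask 255.255.255.255")
XLATE_A = """2 in use, 2 most used
PAT Global 136.1.123.100(80) Local 136.1.0.1(80)
PAT Global 136.1.124.121(1) Local 136.1.0.1 ICMP id 0"""

INT_RE = re.compile(r"^(\S+)\s+([\d.]+)\s+YES")
# Port-forwarding static form used on this page: static (in,out) tcp G gport L lport
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (?:tcp|udp) ([\d.]+) \S+ ([\d.]+) \S+")
XLATE_RE = re.compile(r"^PAT Global ([\d.]+)\((\d+)\) Local ([\d.]+)(?:\((\d+)\))?")

def interface_addresses(text):
    """name -> address from 'show interface ip brief'."""
    return {m.group(1): m.group(2) for m in map(INT_RE.match, text.splitlines()) if m}

def static_globals(text):
    """global address -> the local address it is bound to, from 'show run static'."""
    return {m.group(1): m.group(2) for m in map(STATIC_RE.match, text.splitlines()) if m}

def parse_xlate(text):
    """[(global, gport, local, lport)] for each PAT line of 'show xlate'."""
    return [m.groups() for m in map(XLATE_RE.match, text.splitlines()) if m]

def audit_context(int_text, static_text, xlate_text):
    """With 'global (x) 1 interface', every dynamic PAT entry must use one of
    this context's own interface addresses, and a static's global address may
    only pair with the local it was written for; anything else means the
    context's NAT no longer keeps this customer inside its own address space."""
    ifaces = set(interface_addresses(int_text).values())
    statics = static_globals(static_text)
    findings = []
    for g, _gport, l, _lport in parse_xlate(xlate_text):
        if g in statics and statics[g] != l:
            findings.append(f"static {g} translates {l}, expected {statics[g]}")
        elif g not in statics and g not in ifaces:
            findings.append(f"global {g} is not an interface of this context")
    return findings
```

Run the same three commands inside the CustomerB context and feed its output to `audit_context` to cover the second tenant.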
Interface configuration on the routers:
R1#sh ip int b
Interface         IP-Address    OK? Method Status Protocol
FastEthernet0/0   136.1.0.1     YES NVRAM  up     up
R1#sh ip route
Gateway of last resort is 136.1.0.12 to network 0.0.0.0
     136.1.0.0/24 is subnetted, 1 subnets
C       136.1.0.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 136.1.0.12
R2#sh ip int b
Interface         IP-Address    OK? Method Status Prot
FastEthernet0/0   136.1.0.2     YES NVRAM  up     up
R2#sh ip route
Gateway of last resort is 136.1.0.12 to network 0.0.0.0
     136.1.0.0/24 is subnetted, 1 subnets
C       136.1.0.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 136.1.0.12
R3>sh ip int b
Interface         IP-Address    OK? Method Status Prot
FastEthernet0/0   136.1.123.3   YES NVRAM  up     up
R4>sh ip int b
Interface         IP-Address    OK? Method Status Protocol
FastEthernet0/0   136.1.124.4   YES NVRAM  up     up
Loopback0         150.1.4.4     YES NVRAM  up     up