Cisco Security Specialist's Guide to PIX Firewall


[email protected]
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco
study guides in print, we continue to look for ways we can better serve the
information needs of our readers. One way we do that is by listening.
Readers like yourself have been telling us they want an Internet-based service
that would extend and enhance the value of our books. Based on
reader feedback and our own strategic plan, we have created a Web site
that we hope will exceed your expectations.
[email protected] is an interactive treasure trove of useful information
focusing on our book topics and related technologies. The site
offers the following features:

One-year warranty against content obsolescence due to vendor
product upgrades. You can access online updates for any affected
chapters.

“Ask the Author” customer query forms that enable you to post
questions to our authors and editors.

Exclusive monthly mailings in which our experts provide answers to
reader queries and clear explanations of complex material.

Regularly updated links to sites specially selected by our editors for
readers desiring additional reliable information on key topics.
Best of all, the book you’re now holding is your key to this amazing site.
Just go to www.syngress.com/solutions, and keep this book handy when
you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure
to let us know if there’s anything else we can do to help you get the
maximum value from your investment. We’re listening.

states do not allow the exclusion or limitation of liability for consequential or incidental damages, the
above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when
working with computers, networks, data, and files.
Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,” and “Ask the
Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack
Proofing®,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress
Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of
their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Cisco Security Specialist’s Guide to PIX Firewall
Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings
may be entered, stored, and executed in a computer system, but they may not be reproduced for

Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates
for all their help and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at
Jaguar Book Group for their help with distribution of Syngress books in Canada.
David Scott, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Tricia Herbert
of Woodslane for distributing our books throughout Australia, New Zealand, Papua
New Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of
Syngress books in the Philippines.
235_PIX_FM.qxd 11/8/02 3:56 PM Page v
Contributors
C. Tate Baumrucker (CISSP, CCNP, Sun Enterprise Engineer, MCSE)
is a Senior Consultant with Callisma, where he is responsible for leading
engineering teams in the design and implementation of secure and highly
available systems infrastructures and networks. Tate is an industry recognized
subject matter expert in security and LAN/WAN support systems
such as HTTP, SMTP, DNS, and DHCP. Tate has spent eight years providing
technical consulting services for the Department of Defense, and
other enterprise and service provider industries for companies including:
American Home Products, Blue Cross and Blue Shield of Alabama,
Amtrak, Iridium, National Geographic, Geico, GTSI, Adelphia
Communications, Digex, Cambrian Communications, and BroadBand
Office. Tate has also contributed to the book Managing Cisco Network
Security, Second Edition (Syngress Publishing, ISBN: 1-931836-56-6).
Brian Browne (CISSP) is a Senior Consultant with Callisma. He pro-
vides senior-level strategic and technical security consulting to Callisma
clients, has 12 years of experience in the field of information systems
security, and is skilled in all phases of the security lifecycle. A former

Information Systems Security Association. He received his CISSP certification
in 1999. Derek resides in Southern California with his family.
Timothy “TJ” Schuler (CCIE #8800) works as a Senior Network
Engineer for Coleman Technologies in Denver, CO. TJ has over seven
years of experience with network implementation and design including
security, large routing and switching networks, ATM, wireless, IP
Telephony and IP based video technologies. TJ is currently pursuing the
Security CCIE certification, which would be his second CCIE. He would
like to dedicate this work to his family.
Michael Sweeney (CCNA, CCDA, CCNP, MCSE) is the owner of the
IT consulting firm, Packetattack.com. His specialties are network design,
network troubleshooting, wireless network design, security, network analysis
using Sniffer Pro, and wireless network analysis using AirMagnet.
Michael is a graduate of the extension program at the University of
California, Irvine with a certificate in Communications and Network
Engineering. Michael currently resides in Orange, CA with his wife,
Jeanne, and daughter, Amanda.
Robert “Woody” Weaver (CISSP) is the Field Practice Lead for
Security at Callisma. As an information systems security professional,
Woody’s responsibilities include field delivery and professional services
product development. Woody’s background includes a decade as a tenured
professor, teaching mathematics and computer science. Woody also spent
time as the most senior Network Engineer for Williams Communications
in the San Jose/San Francisco Bay area, providing client services for their
network integration arm, and as Vice President of Technology for
Fullspeed Network Services, a regional systems integrator. He is also a
contributing author to Managing Cisco Network Security, Second Edition
(Syngress Publishing, ISBN: 1-931836-56-6). Woody holds a bachelor’s

consists of Cisco switching gear end-to-end, dark fiber, OC-48 SONET,
DWDM, 802.11 wireless, multi-vendor virtual private networks (VPNs),
and voice over IP (VoIP) technology. The information security group
deals with policies, intrusion detection and response, strong authentication,
and firewalls. Umer has contributed to several other books, including
the Sun Certified System Administrator for Solaris 8 Study Guide (ISBN: 007-212369-9)
and Sniffer Pro Network Optimization & Troubleshooting Handbook
(Syngress Publishing, ISBN: 1-931836-57-4). Umer received a bachelor’s
degree in Computer Engineering from the Illinois Institute of
Technology.
Contents
Foreword xxiii
Introduction xxv
Chapter 1 Introduction to Security and Firewalls 1
Introduction 2
The Importance of Security 2
What Is Information Security? 3
The Early Days of Information Security 5
Insecurity and the Internet 5
The Threats Grow 6
Attacks 7
Creating a Security Policy 8
Cisco’s Security Wheel 11
Securing the Environment 12
Monitoring Activity 14
Testing Security 15
Improving Security 17
Firewall Concepts 17

State 47
Security Levels 49
How ASA Works 49
Technical Details for ASA 50
User Datagram Protocol 54
Advanced Protocol Handling 55
VPN Support 56
URL Filtering 57
NAT and PAT 57
High Availability 59
PIX Hardware 59
Models 59
PIX 501 61
PIX 506 61
PIX 506E 61
PIX 515 61
PIX 515E 62
PIX 520 62
PIX 525 63
PIX 535 63
The Console Port 63
Software Licensing and Upgrades 65
Licensing 67
Upgrading Software 67
Password Recovery 69
The Command-Line Interface 71
Factory Default Configurations 71
PIX 501 and 506E 71

Port Redirection 115
TurboACLs 116
Object Grouping 117
Configuring and Using Object Groups 118
ICMP-Type Object Groups 118
Network Object Groups 119
Protocol Object Groups 119
Service Object Groups 120
Case Study 122
Access Lists 124
Conduits and Outbound/Apply 127
Summary 130
Solutions Fast Track 130
Frequently Asked Questions 132
Chapter 4 Advanced PIX Configurations 135
Introduction 136
Handling Advanced Protocols 136
File Transfer Protocol 141
Active vs. Passive Mode 141
Domain Name Service 146
Simple Mail Transfer Protocol 148
Hypertext Transfer Protocol 150
Remote Shell 150
Remote Procedure Call 152
Real-Time Streaming Protocol, NetShow, and VDO Live 153
SQL*Net 157
H.323 and Related Applications 159
Skinny Client Control Protocol 161
Session Initiation Protocol 162

More Secure Interface 204
SMR Configuration with Clients on
a Less Secure Interface 206
Access Control and Other Options 207
PPPoE 209
Summary 212
Solutions Fast Track 213
Frequently Asked Questions 215
Chapter 5 Configuring Authentication,
Authorization, and Accounting 217
Introduction 218
AAA Concepts 218
Authentication 221
Authorization 222
Accounting 223
AAA Protocols 223
RADIUS 223
TACACS+ 225
Cisco Secure ACS for Windows 228
Introduction and Features 229
Installing and Configuring Cisco Secure ACS 230
Adding an NAS to Cisco Secure ACS 237
Adding a User to Cisco Secure ACS 240
Configuring Console Authentication 242
Configuring Local Console Authentication 243
Configuring RADIUS and TACACS+
Console Authentication 244
Configuring TACACS+ Enable Console

Console Logging 293
Terminal Logging 293
Syslog 293
Logging Levels 299
Logging Facility 302
Disabling Specific Syslog Messages 303
Configuring Remote Access 304
Secure Shell 305
Enabling SSH Access 306
Troubleshooting SSH 311
Telnet 314
Restrictions 315
HTTP Via the PIX Device Manager 316
Configuring Simple Network Management Protocol 316
Configuring System Identification 317
Configuring Polling 318
Configuring Traps 320
Configuring System Date and Time 321
Setting and Verifying the Clock and Time Zone 322
Configuring and Verifying the Network Time Protocol 324
NTP Authentication 325
Summary 327
Solutions Fast Track 328
Frequently Asked Questions 330
Chapter 7 Configuring Virtual Private Networking 333
Introduction 334
IPsec Concepts 334
IPsec 335
IPsec Core Layer 3 Protocols: ESP and AH 335
IPsec Communication Modes: Tunnel and Transport 338

Dynamic Crypto Maps 384
Configuration 386
Setting Up the Windows 2000 Client 389
Configuring Support for the Cisco Software VPN Client 390
Mode Configuration 391
Extended Authentication 392
VPN Groups 394
Sample Configurations of PIX and VPN Clients 397
Summary 407
Solutions Fast Track 408
Frequently Asked Questions 410
Chapter 8 Configuring Failover 413
Introduction 414
Failover Concepts 414
Configuration Replication 417
IP and MAC Addresses Used for Failover 418
Failure Detection 419
Stateful Failover 420
Standard Failover Using a Failover Cable 422
Configuring and Enabling Failover 423
Monitoring Failover 430
Failing Back 432
Disabling Failover 433
LAN-Based Failover 434
Configuring and Enabling Failover 434
Monitoring Failover 440
Failing Back 443
Disabling Failover 443

The Routing Category 478
The DHCP Server Category 480
The PIX Administration Category 481
The Logging Category 490
The AAA Category 491
The URL Filtering Category 492
The Auto Update Category 494
The Intrusion Detection Category 495
The Advanced Category 497
The Multicast Category 498
The History Metrics Category 499
Maintaining Hosts and Networks 500
Configuring Translation Rules 505
Configuring Access Rules 512
Access Rules 513
AAA Rules 517
Filter Rules 518
Configuring VPN 519
Configuring a Site-to-Site VPN 521
Configuring for the Cisco Software VPN Client 525
Monitoring the PIX Firewall Using PDM 532
Sessions and Statistics 534
Graphs 537
VPN Connection Graphs 539
System Graphs 540
Connection Graphs 541
Miscellaneous Graphs 543
Interface Graphs 544
Monitoring and Disconnecting Sessions 547
Summary 548

The show xlate Command 610
The show conn Command 610
The show block Command 610
Network Performance Monitoring 611
The show interface Command 611
The show traffic Command 612
Identification (IDENT) Protocol and PIX Performance 613
Summary 614
Solutions Fast Track 615
Frequently Asked Questions 617
Index 619
As one of the first technologies employed to protect networks from unauthorized
access, the firewall has come to exemplify network security. While an overall security
strategy requires the harmonious integration of people, process, and technology to
reduce risk, there is no doubt that firewalls can be a very valuable security tool when
properly implemented. Today, the use of firewalls has become such an accepted practice
that their deployment in one fashion or another is virtually a foregone conclusion
when designing and building networks. Recognizing this need, Cisco Systems
has developed and continues to improve upon its line of PIX firewalls. These systems
have steadily gained market leadership by demonstrating an excellent mix of functionality,
performance, and flexibility.
Firewalls have become increasingly sophisticated devices as the technology has
matured. At its most basic level, a firewall is intended to enforce a security policy
governing the network traffic that passes through it. To this basic functionality, Cisco
has added many features such as network address translation (NAT), virtual private
networks (VPN), and redundant architectures for high availability. Management systems
are typically installed along with the firewall to assist with monitoring and
administrating the device. A maxim of IT security is that technology is only as effec-

headquartered in Silicon Valley, with offices located throughout the United States. For
more information, visit the Callisma Web site at www.callisma.com or call
888.805.7075
www.syngress.com