
Case Study: Placing Filtering Routers and Firewalls

The Internet lets anyone with an IP address, authorized or not, reach any other connected network, and CNN and Yahoo regularly report websites defaced by skilled intruders. To bring the concepts of this chapter into that world of crackers and intruders, this section presents as a case study a typical complex network, shown in Figure 9-12. In Figure 9-12, a PIX Firewall and a Cisco router are placed as the first line of defense at the point where the network meets the outside world, to protect it from crackers and from anyone wanting to cause a private company a network outage. A LAN connects the PIX to a Cisco intrusion detection system (IDS) sensor.

Figure 9-12. Placing Routers and Firewalls


The campus network in Figure 9-12 houses a number of remote sites, all inside the private Class A network 10.0.0.0/8, that is, the range 10.0.0.0 to 10.255.255.255. Remember that the /8 notation identifies only the number of leading bits (0 to 32) of the subnet mask that are set to binary 1.

To connect this private, nonroutable network to the Internet, the network architects must ensure the following:

  • The network is secure. They can ensure security by using a PIX or Cisco IOS firewall. In this scenario, a Cisco PIX Firewall is placed as the second line of defense behind a Cisco IOS firewall-enabled router.

  • The network allows users with nonregistered IP address spaces to access the Internet by configuring NAT on the PIX Firewall.

Typically, the Internet service provider (ISP) supplies some form of WAN service to your network. Therefore, for this case study, a router is required to connect to the ISP. The LAN segment between the router and the PIX also houses Internet services, such as an HTTP server and an IDS sensor, to monitor and block traffic from outside. Configuration and placement of the IDSs in the network are discussed in Chapter 10.

Remember that the PIX Firewall enforces a connection-based security policy. For instance, you might allow Telnet sessions to be initiated from within your network but not from outside. A TCP session begins with a segment that has the SYN bit set and the ACK bit clear; when such a segment arrives on the outside interface and matches no session opened from inside, the PIX rejects it, so an unauthorized individual can never initiate a Telnet session into the network. In other words, the firewall stops outsiders from opening TCP sessions by dropping their incoming SYN segments, while still passing the SYN/ACK replies to sessions that inside hosts opened.
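To make the connection-based policy concrete, here is a small Python model of it, added as an example; it is not PIX code and not from the book. Inside hosts are given a global address from the case-study pool, an outbound SYN creates a connection entry, replies that match the entry are translated back, and an inbound SYN that no inside host invited is dropped. Segment, ToyPix and the bookkeeping they carry are this example's own simplifications (one global address per inside host, no PAT, no timeouts, no teardown tracking); the outside addresses in the demo are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """The fields of a TCP segment that the policy looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class ToyPix:
    """Models 'nat (inside) 1 0 0' with a global pool on the outside
    interface. Simplifications of this example: one global address per
    inside host (no PAT), no timeouts, no TCP teardown tracking."""

    def __init__(self, inside_net, pool_first, pool_last, pool_mask):
        self.inside_net = ipaddress.ip_network(inside_net)
        lo = ipaddress.ip_address(pool_first)
        hi = ipaddress.ip_address(pool_last)
        subnet = ipaddress.ip_network(f"{lo}/{pool_mask}", strict=False)
        # As the global command does, skip the network and broadcast addresses.
        self.pool = [a for a in subnet.hosts() if lo <= a <= hi]
        self.xlate = {}     # local address -> global address (translation slot)
        self.conns = set()  # (global, sport, remote, dport) opened from inside

    def outbound(self, seg):
        """Inside -> outside. Returns (translated segment or None, verdict)."""
        local = ipaddress.ip_address(seg.src)
        if local not in self.inside_net:
            return None, "drop: source is not an inside address"
        glob = self.xlate.get(local)
        if glob is None:
            in_use = set(self.xlate.values())
            free = [a for a in self.pool if a not in in_use]
            if not free:
                return None, "drop: global pool exhausted"
            glob = free[0]
            self.xlate[local] = glob
        key = (str(glob), seg.sport, seg.dst, seg.dport)
        if seg.syn and not seg.ack:
            self.conns.add(key)  # inside hosts are allowed to open sessions
        elif key not in self.conns:
            return None, "drop: no connection for this segment"
        out = Segment(str(glob), seg.sport, seg.dst, seg.dport, seg.syn, seg.ack)
        return out, "pass"

    def inbound(self, seg):
        """Outside -> inside. Only traffic belonging to a session that an
        inside host opened is passed and translated back."""
        if seg.syn and not seg.ack:
            return None, "drop: outside host tried to open a session (SYN)"
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        if key not in self.conns:
            return None, "drop: no connection for this segment"
        local = next(l for l, g in self.xlate.items() if str(g) == seg.dst)
        back = Segment(seg.src, seg.sport, str(local), seg.dport, seg.syn, seg.ack)
        return back, "pass"


if __name__ == "__main__":
    # Constructed traffic: an inside host opens a web session; an outsider
    # then tries to Telnet to the inside host's global address.
    pix = ToyPix("10.0.0.0/8", "192.192.1.2", "192.192.1.30", "255.255.255.224")
    print(pix.outbound(Segment("10.1.2.3", 40000, "198.51.100.10", 80, syn=True)))
    print(pix.inbound(Segment("198.51.100.10", 80, "192.192.1.2", 40000, syn=True, ack=True)))
    print(pix.inbound(Segment("203.0.113.5", 5555, "192.192.1.2", 23, syn=True)))
```

The pool comes out as 29 addresses (192.192.1.2 through .30), which is exactly what the global statement in Step 5 provides; once 29 inside hosts hold translations, the thirtieth is refused, which is the point at which a real deployment switches to PAT.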

NOTE

A DMZ is the part of a network that the Internet community or the general public is allowed to reach, typically hosting web, FTP, or SMTP servers. FTP servers, for instance, give external users access to public files, such as the Cisco IOS software available online at ftp.cisco.com. Your remaining servers stay behind the firewall.

In this scenario, the DMZ is collapsed for simplicity, so that the reader can see the typical design in its most basic form.


The steps that follow are required to enable the PIX for NAT and to provide full Internet connectivity for users with private addresses. The steps show you how the PIX Firewall is configured for the scenario in Figure 9-12.

Step 1.
Name the inside and outside interfaces.

Name interfaces and assign the security level (configuration mode):

nameif hardware_id if_name security_level

The nameif command lets you assign a name to an interface. You can use this command to assign interface names if you have more than two network interface circuit boards in your PIX Firewall. The first two interfaces have the default names inside and outside. For now, leave the default names and values. The inside interface has default security level 100, and the outside interface has default security level 0.

Table 9-2 describes the PIX command nameif as documented on the Cisco documentation CD, which is delivered with the device. The Cisco documentation CD can also be found at http://www.cisco.com/univercd/home/home.htm.

Table 9-2. nameif Command and Required Fields

hardware_id
    The hardware name for the network interface, which identifies the interface's slot on the PIX Firewall motherboard. Interface boards are numbered from the leftmost slot nearest the power supply as slot 0. The internal network interface must be in slot 1. The lowest security_level external interface board is in slot 0, and the next lowest security_level external interface board is in slot 2. Possible types are ethernet for Ethernet and token-ring for Token Ring, so the internal interface is ethernet1. These names can be abbreviated with any leading characters in the name, for example, ether1, e2, token0, or t0.

if_name
    A name for the internal or external network interface, up to 48 characters in length, in uppercase or lowercase. By default, the PIX Firewall names the inside interface "inside," the outside interface "outside," and any perimeter interface "intfn," where n is 2 through 5.

security_level
    Either 0 for the outside network or 100 for the inside network. Perimeter interfaces can use any number between 1 and 99. By default, the PIX Firewall sets the security level for the inside interface to security100 and the outside interface to security0. The first perimeter interface is initially set to security10, the second to security15, the third to security20, and the fourth to security25. (A total of six interfaces are permitted, four of them perimeter interfaces.)


In this example, the names are assigned as follows:

nameif ethernet0 outside security0
nameif ethernet1 inside security100

Step 2.
Identify the hardware interfaces, speed, and duplex type installed with the interface command.

interface hardware_id [hardware_speed] [shutdown]

Table 9-3 defines and describes the options for the interface command.

Table 9-3. interface Command Options

hardware_id
    Identifies the network interface. Possible values are ethernet0, ethernet1 through ethernetn, gb-ethernetn, fddi0, or fddi1, depending on how many network interfaces are in the firewall.

hardware_speed
    Network interface speed (optional). Do not specify hardware_speed for a Fiber Distributed Data Interface (FDDI) interface.
    Possible Ethernet values:
        10baset: 10 Mbps Ethernet, half duplex.
        10full: 10 Mbps Ethernet, full duplex.
        100basetx: 100 Mbps Ethernet, half duplex.
        100full: 100 Mbps Ethernet, full duplex.
        1000sxfull: 1000 Mbps Gigabit Ethernet, full duplex.
        1000basesx: 1000 Mbps Gigabit Ethernet, half duplex.
        1000auto: 1000 Mbps Gigabit Ethernet, autonegotiate full or half duplex.
        aui: 10 Mbps Ethernet, half duplex, AUI cable interface.
        auto: Set Ethernet speed automatically. The auto keyword can only be used with the Intel 10/100 automatic speed-sensing network interface card, which shipped with PIX Firewall units manufactured after November 1996.
        bnc: 10 Mbps Ethernet, half duplex, BNC cable interface.
    Possible Token Ring values:
        4mbps: 4 Mbps data transfer speed. You can specify this as 4.
        16mbps (default): 16 Mbps data transfer speed. You can specify this as 16.

shutdown
    Disables the interface.


For the case study in Figure 9-12, you need the following commands configured. Both ends of each link must agree on speed and duplex; a mismatch does not fail outright but shows up as late collisions, CRC errors, and poor throughput.

interface ethernet0 10full
interface ethernet1 10full

Step 3.
Define the IP addresses.

The next step defines the inside and outside IP addresses. The ip address if_name ip_address [netmask] command assigns an IP address to each interface.

Use the show ip command to view the addresses assigned to the network interfaces.

The IP address assignment for the devices in Figure 9-12 is defined as follows:

ip address inside 10.0.0.1 255.0.0.0

This assignment assumes that the entire private network is a flat IP network, and for the purposes of this design example, this is adequate.

ip address outside 131.108.1.1 255.255.255.0

Table 9-4 defines the options of the ip address command.

Table 9-4. ip address Command Options

if_name
    The internal or external interface name designated by the nameif command.

ip_address
    The IP address of the PIX Firewall's network interface.

netmask
    The network mask of ip_address.


Step 4.
Define NAT with the nat command.

The nat command lets you enable or disable address translation for one or more internal addresses. With address translation, when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses. NAT lets your network have any IP addressing scheme, and the firewall protects these addresses from visibility on the external network.

The command has two forms. The first translates a set of local addresses through the global pool that shares its nat_id; the second, nat 0 with an access list, exempts the matched traffic from translation:

nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]
nat [(if_name)] 0 access-list acl_name

Table 9-5 defines the options of the nat command as documented on the Cisco documentation CD.

Table 9-5. nat Command Options

if_name
    Any internal network interface name.

nat_id
    An arbitrary positive number between 0 and 2 billion. Specify 0 with IP addresses and netmasks to identify internal networks that require only outbound identity address translation (the address passes through unchanged). Specify 0 with the access-list option to specify traffic that should be exempted from NAT. The access list must already be defined; otherwise, the PIX gives an error message.

access-list
    Associates an access-list command statement with the nat 0 command.

local_ip
    Internal network IP address to be translated. You can use 0.0.0.0 to allow all hosts to start outbound connections; the 0.0.0.0 local_ip can be abbreviated as 0.

netmask
    Network mask for local_ip. You can use 0.0.0.0 to allow all outbound connections to translate using IP addresses from the global pool.

max_conns
    The maximum number of TCP connections permitted from the interface you specify.

em_limit
    The embryonic (half-open) connection limit. The default is 0, which means unlimited. Set it lower for slower systems, higher for faster systems. With the default, nothing caps the number of half-open connections a translated inside host can leave outstanding, so a nonzero value is what bounds a SYN flood sourced from inside.

norandomseq
    Do not randomize the TCP initial sequence number. Use this option only if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Using it opens a security hole in the PIX Firewall, because predictable sequence numbers make spoofed and hijacked sessions easier.


In Figure 9-12, the following nat statement is configured on the PIX:

nat (inside) 1 0.0.0.0 0.0.0.0

This command, which can be abbreviated as nat (inside) 1 0 0, enables all inside hosts to have access to the Internet.

Step 5.
Define the global pool.

The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection and for those inbound connections resulting from outbound connections.

If the nat command is used, you must use the global command as well. Basically, when an outbound IP packet is sent from the inside network, the PIX extracts the source address and compares that address to the list of current NAT translations. If there is no entry, a new entry is created; if a translation entry already exists, the packet is forwarded using it. (The exception is nat 0, which needs no global statement because it does not translate.)

The PIX syntax for the global command is defined as follows:

global [(if_name)] nat_id global_ip[-global_ip] [netmask global_mask]

In Figure 9-12, the pool of addresses is defined as follows:

global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.224

The pool of addresses is assigned to you by your ISP or by an address registry (historically the InterNIC). Note that in this case study the pool 192.192.1.0/27 is not part of the outside interface's subnet 131.108.1.0/24, so the perimeter router at 131.108.1.2 must carry a route for 192.192.1.0/27 pointing at the PIX outside address 131.108.1.1; otherwise, return traffic for translated sessions never reaches the PIX.

Table 9-6 defines the options of the global command as documented on the Cisco documentation CD.

Table 9-6. global Command Options

if_name
    The external network interface on which these global addresses are used.

nat_id
    A positive number shared with the nat command; it groups the nat and global command statements together. Valid IDs are any positive number up to 2,147,483,647.

global_ip
    One or more global IP addresses that the PIX Firewall shares among its connections. If the external network is connected to the Internet, each global IP address must be registered with the Network Information Center (NIC). You can specify a range of IP addresses by separating the addresses with a dash (-). You can create a PAT global command statement by specifying a single IP address. You can have one PAT global command statement per interface. A PAT can support up to 65,535 xlate objects.

netmask
    Reserved word that prefaces the global_mask variable.

global_mask
    The network mask for global_ip. If subnetting is in effect, use the subnet mask, for example, 255.255.255.128. If you specify an address range that spans subnets, global does not place the network or broadcast addresses in the pool. For example, with 255.255.255.224 and an address range of 209.165.201.1 to 209.165.201.30, the pool holds exactly those 30 addresses; the 209.165.201.0 network address and the 209.165.201.31 broadcast address are not included, even if the range is widened to cover them.


Step 6.
Finally, you must define how to route IP data with the route command.

Use the route command to enter a default or static route for an interface. The PIX syntax is as follows:

route if_name ip_address netmask gateway_ip [metric]

Now you need to configure static routing on a PIX Firewall.

In Figure 9-12, you define all routes via the perimeter router as

route outside 0.0.0.0 0.0.0.0 131.108.1.2

Table 9-7 defines the options of the route command as documented on the Cisco documentation CD.

Table 9-7. route Command Options

if_name
    The internal or external network interface name.

ip_address
    The internal or external network IP address. Use 0.0.0.0 to specify a default route; it can be abbreviated as 0.

netmask
    The network mask to apply to ip_address. Use 0.0.0.0 for a default route; it can be abbreviated as 0.

gateway_ip
    The IP address of the gateway router (the next-hop address for this route).

metric
    The number of hops to gateway_ip. In Figure 9-12, this is 1.


The PIX Firewall is now configured for NAT, and only users on the private network can reach the web; no access is permitted from the Internet to inside hosts, the HTTP server included. You can allow access for external hosts by configuring the access-list command (preferred over the older conduit command). You can find more details on this advanced feature at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm.

Example 9-4 displays the full working configuration of the PIX in Figure 9-12. The commands entered in Steps 1 through 6 are the nameif, interface, ip address, nat, global, and route lines; everything else is default configuration. One advantage of the PIX Firewall is that you can view the full working configuration, defaults included, unlike Cisco IOS routers, on which the default configuration is not displayed. Two of those defaults deserve attention before the firewall goes into production: snmp-server community public leaves the well-known read community string in place (change it or disable SNMP), and logging console debugging sends every debug-level message to the console, which is costly under load.

Example 9-4. PIX Full Working Configuration
pix# write terminal
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
logging timestamp
no logging standby
logging console debugging
no logging monitor
logging buffered debugging
no logging trap
logging facility 20
logging queue 512
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address inside 10.0.0.1 255.0.0.0
ip address outside 131.108.1.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 131.108.1.2 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:00:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet timeout 5
terminal width 80
: end
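The checks a practitioner would run over a dump like Example 9-4, written here as an added Python example that is not from the book or from Cisco: it parses the ip address, nat, global, and snmp-server lines, confirms that every nat_id other than 0 has a matching global, applies the subnet-boundary rule from Table 9-6 to the pool, and warns when the pool is not on the outside interface's subnet (the case in which the perimeter router needs a route for it). SAMPLE_CONFIG is constructed from this case study; it pairs the Step 5 pool range with the 255.255.255.248 mask rather than the 255.255.255.224 that fits it, so the audit has something to report. The function names, regular expressions, and finding messages are this example's own.

```python
import ipaddress
import re

# Constructed sample input, modelled on Example 9-4 and reduced to the lines
# the audit reads. It pairs the Step 5 pool range with the 255.255.255.248
# mask rather than the 255.255.255.224 that fits it, so there is something
# to report.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 10.0.0.1 255.0.0.0
ip address outside 131.108.1.1 255.255.255.0
global (outside) 1 192.192.1.2-192.192.1.30 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 131.108.1.2 1
snmp-server community public
"""

IP_RE = re.compile(r"ip address (\S+) ([\d.]+) ([\d.]+)$")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)(.*)$")
GLOBAL_RE = re.compile(
    r"global \((\S+)\) (\d+) ([\d.]+)(?:-([\d.]+))?(?: netmask ([\d.]+))?$")


def usable_pool(first, last, mask):
    """Count the addresses in first-last that global will hand out: the
    network and broadcast address of each subnet (under mask) that the
    range touches are skipped, as Table 9-6 describes."""
    addr = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    usable = 0
    while addr <= hi:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if addr not in (net.network_address, net.broadcast_address):
            usable += 1
        addr += 1
    return usable


def audit(config):
    """Return a list of findings for a PIX 'write terminal' dump."""
    findings = []
    iface_nets = {}                 # if_name -> connected network
    nat_ids, global_ids = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := IP_RE.match(line):
            iface_nets[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}").network
        elif m := NAT_RE.match(line):
            nat_ids.add(m[2])
            if "norandomseq" in m[5]:
                findings.append(f"nat {m[2]}: norandomseq disables TCP ISN randomization")
        elif m := GLOBAL_RE.match(line):
            if_name, nat_id, first, last, mask = m.groups()
            global_ids.add(nat_id)
            if last is None:
                findings.append(f"global {nat_id}: single address, so this is PAT")
                last = first
            if mask:
                lo_net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
                hi_net = ipaddress.ip_network(f"{last}/{mask}", strict=False)
                if lo_net != hi_net:
                    findings.append(
                        f"global {nat_id}: range {first}-{last} crosses subnet "
                        f"boundaries under {mask}; only "
                        f"{usable_pool(first, last, mask)} addresses are usable")
            if_net = iface_nets.get(if_name)
            if if_net is not None and ipaddress.ip_address(first) not in if_net:
                findings.append(
                    f"global {nat_id}: pool is not on the {if_name} subnet {if_net}; "
                    f"the next-hop router needs a route for it pointing at the PIX "
                    f"{if_name} address")
        elif line == "snmp-server community public":
            findings.append("snmp-server: default community string 'public' is set")
    # nat 0 (identity NAT or exemption) needs no global; every other id does.
    for nat_id in sorted(nat_ids - global_ids - {"0"}):
        findings.append(f"nat {nat_id}: no matching global statement")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

With the 255.255.255.248 mask the range 192.192.1.2 to .30 crosses three /29 boundaries, so six of the 29 addresses are silently unusable and only 23 translations can be handed out; with 255.255.255.224 all 29 are available, which is why the pool and mask must be checked together rather than separately.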

Table 9-8 summarizes some useful commands for managing and troubleshooting the PIX Firewall.

Table 9-8. PIX Firewall Commands

clear xlate
    Clears the contents of the translation slots. Existing translated sessions lose their xlate and must be re-established, so use it deliberately, for example after changing nat or global statements so the new pool takes effect.

show xlate
    Displays the contents of the translation slots, that is, the current NAT translations.

kill telnet_id
    Terminates a Telnet session to the PIX; use who to list the sessions and their IDs. Telnet access to the PIX must be enabled first.

telnet ip_address [netmask] [if_name]
    Specifies the hosts allowed to reach the PIX Firewall console via Telnet; Telnet is accepted from inside hosts only.

