cisco_pix_exam_preparation

Upload: sachinkoenig

Post on 04-Apr-2018


7/30/2019 Cisco_Pix_Exam_preparation (1/14)

Visit Examnotes.net for all your certification needs.
Visit Cert21.com for the best online practice exams.
Visit CertPortal.com, the most powerful IT certifications search engine.

Study guide by ExamNotes.net

Cisco PIX Firewall Fundamentals

Test Information

Exam: PIX Firewall Fundamentals
Certification: If all prerequisites are met: Security Specialist

Abstract: This Study Guide will begin to guide you in preparing for the Cisco PIX Firewall Fundamentals exam. This exam is part of a series of exams you will need to take to achieve the Security Specialist designation from Cisco.

What to Know

What you need to know to be successful in obtaining the Security Designation:

Go over the necessary steps to obtaining the certification and what your steps will be through the entire process. This will make your studying easier.

You need a basic understanding of TCP/IP and a valid CCNA.

Then to obtain the Security Specialist Designation take the following exams:

640-442 MCNS   Managing Cisco Network Security (MCNS)
9E0-571 CSPFA  Cisco Secure PIX Firewall Advanced (CSPFA)
               (See also prerequisite course Cisco Secure PIX Firewall Fundamentals, CSPFF)
9E0-558 CSIDS  Cisco Secure Intrusion Detection System (CSIDS)
9E0-570 CSVPN  Cisco Secure VPN (CSVPN)

Note: Please take note where the PIX Fundamentals sits in the line-up.


Study Tips

Do not take this test lightly. The test covers a lot of information, mainly on HOW TO configure something. Use this study guide to get the main idea of the topic and then use the online resources to go through all the configs to familiarize yourself with HOW TO set these configs up.

You need to be a CCNA prior to starting this track. The track is for the Security Specialist designation. The designation is passing 4 out of 5 different exams. This guide is half of the PIX firewall track. You can take the first exam but the second exam for the Advanced track counts for credit. All the information from the Fundamentals track is a prerequisite for the advanced track. Use them both to pass the last exam.

You no longer have to be a CCNP for this (the CCNP+Security track will be discontinued this year). You MUST have your CCNA.

Make sure you use the links provided to aid your studies. Like most of Cisco's tests, a lot of your information to study from is free and available on their web site. Use this as a supplement to aid your studies.

Do not solely rely on this or any study guide alone.

Links and Resources

Everything you need to know about this topic can be found online. This is one of the few exams and courses that have most of the information at your disposal online. Make sure you use all the online resources you can for this exam.

The sections of Cisco's PIX Firewall 4.4 configuration guide (under http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pix44cfg/) are:

o About This Guide
o Introduction
o Configuring the PIX Firewall
o Advanced Configurations
o Configuration Examples
o Command Reference
o PIX 515 Configuration
o Configuration Forms
o Acronyms and Abbreviations
o Configuring for MS-Exchange Use
o Subnet Masking and Addressing
o Index

Go through the above information and it should be all you need. Hands-on experience will make the above information stick harder and you will understand it better.


PIX Fundamentals

PIX Firewall

The PIX Firewall, when properly configured, helps prevent unauthorized connections between two or more networks.

The PIX Firewall can protect one or more networks from an outer, unprotected network.

The PIX Firewall optionally supports multiple outside or perimeter networks, also known as demilitarized zones or DMZs.

Connections between the networks can all be controlled by the PIX Firewall.

To effectively use a firewall in your organization, you need a security policy to ensure that all traffic from the protected networks passes only through the firewall to the unprotected network. You can then control who may access the networks with which services, and how to implement your security policy using the features PIX Firewall provides.

Within this architecture, the PIX Firewall forms the boundary between the protected networks and the unprotected networks. All traffic between the protected and unprotected networks must flow through the firewall to maintain security.

The unprotected network is typically accessible to the Internet.

PIX Firewall lets you locate servers such as those for web access, SNMP, and electronic mail (SMTP) in the protected network and control who on the outside can access these servers.

The PIX Firewall also lets you implement your security policies for connections to and from the inside network.

Typically, the inside network is an organization's own internal network, or intranet, and the outside network is the Internet, but the PIX Firewall can also be used within an intranet to isolate or protect one group of internal computing systems and users from another.


Basic Firewall setup

[Diagram: INTERNET at the top, then the three numbered portions of the DMZ setup described below]

In this diagram we can see the 3 major portions of a DMZ setup:

1. The Outside Filtering router with the Firewall feature set on it. This is generally used to connect your company to the Internet and has major filtering going on at this portion.

2. As you come into the DMZ, we see the first segment and that's where your DNS, FTP and web servers sit. This is an isolated segment. After this segment, we now go through a set of PIX firewalls set up in a Failover situation with a Failover cable in between them.

3. This is your internal network and anything can be here. You could put another Firewall or nothing at all. This is where your protected network lies and all your clients should be located here.

Note: This is very flexible and every setup will be different based on what you need to implement. This is just a common setup.


How Data Moves Through the Firewall

When an outbound packet arrives at a PIX Firewall higher security level interface (security levels are set with the nameif command), the PIX Firewall checks to see if the packet is valid based on the ASA or Adaptive Security Algorithm, and then whether or not previous packets have come from that host.

If not, then the packet is for a new connection, and PIX Firewall creates a translation slot in its state table for the connection. The information that PIX Firewall stores in the translation slot includes the inside IP address and a globally unique IP address assigned by Network Address Translation (NAT), Port Address Translation (PAT), or Identity (which uses the inside address as the outside address).

The PIX Firewall then changes the packet's source IP address to the globally unique address, modifies the checksum and other fields as required, and forwards the packet to the lower security level interface.

When an inbound packet arrives at an unprotected interface, it must first pass the PIX Firewall Adaptive Security criteria. If the packet passes the security tests, the PIX Firewall removes the destination IP address, and the internal IP address is inserted in its place. The packet is then forwarded to the protected interface.

The PIX Firewall permits all outbound connections from the protected networks to the unprotected networks, and rejects any connections inbound from the unprotected network.

PIX Firewall Connections

Maximum number of connections you can have on your PIX Firewall:

Installed RAM   Maximum Number of Connections
16 MB           32,768 connections
32 MB           65,536 connections
128 MB          Approx. 260,000 connections with the optional memory upgrade

Access Lists

Can control which inside systems can establish connections to the outside network.

The default security policy can be modified to be consistent with the site security policy by limiting outgoing connections based on inside source address, outside destination address, or protocol.

Configure access lists carefully if your security policy limits outgoing connections.


ActiveX Blocking

ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. The PIX Firewall ActiveX blocking feature blocks the HTML commands and comments them out of the HTML web page.

Adaptive Security Algorithm (ASA)

Implements stateful connection control through the firewall.

Allows one way (inside to outside) connections without an explicit configuration for each internal system and application.

Always in operation, monitoring return packets to ensure they are valid.

Actively randomizes TCP sequence numbers to minimize the risk of TCP sequence number attack.

Conduits

Conduits allow connections from the outside network to the inside network. For some applications or business requirements, it is desirable to establish connections to the inside or perimeter networks.

Each conduit is a potential hole through the PIX Firewall and their use should be limited as your security policy and business needs may require. Make conduits as specific as possible.

Be aware that as the PIX grows up the conduit command will be replaced by IOS features like access lists. This is what new forms of PIX images are offering.

Failover

PIX Firewall failover allows you to configure two PIX Firewall units in a fully redundant topology to provide fault tolerance.

Both PIX Firewall units must be configured identically; failover does not provide stateful redundancy. You need to set up specific cabling to provide this failover as well.

Java Filtering

Lets an administrator prevent Java applets from being downloaded by an inside system (this is kind of the same as ActiveX Blocking except ActiveX is pretty specific to Microsoft technologies).

Java applets are executable programs and can provide a vehicle through which an inside system can be invaded. These attacks are VERY common and any firewall implementation should provide applet blocking.


Mail Guard

Provides a safe conduit for Simple Mail Transfer Protocol (SMTP) connections from the outside to an inside electronic mail server.

Allows a single mail server to be deployed within the internal network without it being exposed to known security problems.

Avoids the need for an external mail relay system (this is very cool!).

Enforces a safe minimal set of SMTP commands to avoid an SMTP server system being compromised.

Also logs all SMTP connections, which is also a big plus.

Multiple Interfaces

Additional network interfaces can be added to the PIX Firewall and this is common with any firewall setup. You want multiple Ethernet interfaces so you can separate many different segments.

PIX Firewall supports up to six interfaces, four of which are on the optional 4-port Ethernet card.

Can provide a mixed Token Ring and Ethernet environment.

Conditions for interface use

o Each interface has a unique security level that you specify with the nameif command in your configuration:
  The inside is always the highest at level 100 and the outside is always 0.
  The perimeter interfaces can have a unique number between 1 and 99.

o When users on a higher security level interface need to access a host on a lower security interface, you use the nat command:
  If you are using Network Address Translation to specify which lower security level interface can accept translated addresses, use the global command.

o When users on a lower security level interface need to access a server on a higher security interface, you use the static command:
  To specify which services users can access, use the conduit command in conjunction with the static command.

o It is easier to add nat and global commands to the configuration than static and conduit commands:
  The static command can specify one host or a network access to a specific host or network.


o Interfaces with the same security level:
  If you set the perimeter interfaces to the same security level, the two interfaces are completely isolated from each other, but each could access the inside and outside interfaces.
  Locate servers on the lowest security level perimeter interface, because if compromised, the attacker could only easily attack an interface with a lower security level, the outside.
  The only exception to putting servers on the lowest perimeter interface is the TFTP server: the TFTP server from which you download configurations must be on the inside interface.

o Telnet:
  Access to the console via Telnet is available on the inside and third interfaces. The third interface is the network connecting to the third usable slot in the PIX Firewall.
  You can view the third interface with the show nameif command. The third entry from the top of the listing is the third interface.

With these conditions and the needs of your security policy, you can decide which network to connect to each interface.
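Added example (not from the study guide or Cisco): a small Python model that reads a constructed PIX-style configuration and applies the interface conditions above, so you can see why a given connection is permitted or rejected. The three-interface configuration, the interface names and the addresses are assumptions made for this example.

```python
import ipaddress

# Constructed three-interface configuration in PIX 4.x command syntax
# (an assumption for this example, not the guide's configuration).
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
global (dmz) 1 172.16.1.100-172.16.1.200 netmask 255.255.255.0
static (dmz,outside) 203.0.113.30 172.16.1.30 netmask 255.255.255.255
conduit permit tcp host 203.0.113.30 eq 80 any
"""


class PixPolicy:
    """Evaluates new connections against nameif/nat/global/static/conduit."""

    def __init__(self, config_text):
        self.levels = {}      # interface name -> security level (nameif)
        self.nats = []        # (iface, nat_id, network) from nat commands
        self.globals = set()  # (iface, nat_id) from global commands
        self.statics = {}     # (low_iface, global_ip) -> (high_iface, local_ip)
        self.conduits = []    # (proto, global_ip, port, source) from conduit
        for line in config_text.splitlines():
            self._parse(line.split())

    def _parse(self, t):
        if not t:
            return
        if t[0] == "nameif":                 # nameif <hw> <name> security<N>
            self.levels[t[2]] = int(t[3][len("security"):])
        elif t[0] == "nat":                  # nat (<iface>) <id> <net> <mask>
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            self.nats.append((t[1].strip("()"), t[2], net))
        elif t[0] == "global":               # global (<iface>) <id> ...
            self.globals.add((t[1].strip("()"), t[2]))
        elif t[0] == "static":               # static (<high>,<low>) <global> <local>
            high, low = t[1].strip("()").split(",")
            self.statics[(low, t[2])] = (high, t[3])
        elif t[0] == "conduit" and t[1] == "permit":
            # conduit permit <proto> host <global_ip> eq <port> any|host <ip>
            source = "any" if t[7] == "any" else t[8]
            self.conduits.append((t[2], t[4], int(t[6]), source))

    def check(self, src_iface, src_ip, dst_iface, dst_ip, proto, dport):
        """Return (permitted, reason). For lower-to-higher flows dst_ip is the
        global address the outside host is actually sending to."""
        s, d = self.levels[src_iface], self.levels[dst_iface]
        if s == d:
            return False, "equal security levels: interfaces are isolated"
        if s > d:
            # Higher -> lower: the source must be covered by a nat on its
            # interface and a global with the same id on the destination.
            for iface, nat_id, net in self.nats:
                if (iface == src_iface and ipaddress.ip_address(src_ip) in net
                        and (dst_iface, nat_id) in self.globals):
                    return True, f"outbound via nat/global id {nat_id}"
            return False, "no nat/global pair for this interface pair"
        # Lower -> higher: needs a static mapping the global address to the
        # inside host, and a conduit that opens the requested service.
        mapping = self.statics.get((src_iface, dst_ip))
        if mapping is None or mapping[0] != dst_iface:
            return False, "no static translation for destination"
        for c_proto, c_ip, c_port, c_src in self.conduits:
            if (c_proto, c_ip, c_port) == (proto, dst_ip, dport) and c_src in ("any", src_ip):
                return True, f"inbound via static to {mapping[1]} and conduit"
        return False, "static exists but no conduit permits this service"


POLICY = PixPolicy(SAMPLE_CONFIG)

if __name__ == "__main__":
    for flow in [("inside", "10.1.1.5", "outside", "198.51.100.7", "tcp", 80),
                 ("outside", "198.51.100.7", "dmz", "203.0.113.30", "tcp", 80),
                 ("outside", "198.51.100.7", "dmz", "203.0.113.30", "tcp", 22),
                 ("dmz", "172.16.1.30", "inside", "10.1.1.5", "tcp", 445)]:
        print(flow, POLICY.check(*flow))
```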

Network Address Translation (NAT)

For inside systems, translates the source IP address of outgoing packets per RFC 1631.

Allows inside systems to be assigned private addresses or to retain existing invalid addresses.

Hides the real network identity of internal systems from the outside network.

Port Address Translation (PAT)

By using port re-mapping, a single valid IP address can support source IP address translation for up to 64,000 active xlate objects.

PAT minimizes the number of globally valid IP addresses required to support private or invalid internal addressing schemes.

Will not work with multimedia applications that have an inbound data stream different from the outgoing control path.

Hides the real network identity of internal systems from the outside network.
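Added example (not from the study guide or Cisco) modelling the translation slots described under How Data Moves Through the Firewall and in the NAT and PAT sections: the first outbound packet of a connection creates a slot under NAT (address pool, port kept), PAT (one address, ports re-mapped) or Identity, and a packet from the outside is forwarded only when it matches an existing slot. The address pool, the PAT address and the port range are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed address plan (documentation ranges), an assumption for this
# example: a two-address NAT pool and one PAT address on the outside.
NAT_POOL = ["203.0.113.10", "203.0.113.11"]
PAT_ADDRESS = "203.0.113.20"
PAT_FIRST_PORT = 1024
PAT_MAX_XLATES = 64000   # guide: one PAT address supports up to 64,000 xlates


@dataclass
class Packet:
    iface: str    # interface the packet arrives on or leaves from
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Translator:
    """Translation slots for one higher->lower interface pair (inside/outside).

    mode: "nat" (address pool, port preserved), "pat" (one address, ports
    re-mapped) or "identity" (inside address reused as the outside address).
    """
    mode: str = "nat"
    host_map: dict = field(default_factory=dict)   # local ip -> global ip (nat)
    xlates: dict = field(default_factory=dict)     # (local ip, port) -> (global ip, port)
    free_pool: list = field(default_factory=lambda: list(NAT_POOL))
    next_pat_port: int = PAT_FIRST_PORT

    def _new_slot(self, src, sport):
        """Pick the globally unique address/port for a new connection."""
        if self.mode == "identity":
            return src, sport
        if self.mode == "nat":
            if src not in self.host_map:
                if not self.free_pool:
                    raise RuntimeError("global pool exhausted")
                self.host_map[src] = self.free_pool.pop(0)
            return self.host_map[src], sport
        if len(self.xlates) >= PAT_MAX_XLATES:
            raise RuntimeError("PAT address has no free ports")
        port, self.next_pat_port = self.next_pat_port, self.next_pat_port + 1
        return PAT_ADDRESS, port

    def outbound(self, pkt):
        """Packet from the higher security interface: create or reuse the
        translation slot, then rewrite the source before forwarding."""
        key = (pkt.src, pkt.sport)
        if key not in self.xlates:           # first packet: new connection
            self.xlates[key] = self._new_slot(pkt.src, pkt.sport)
        gip, gport = self.xlates[key]
        return Packet("outside", gip, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Packet from the lower security interface: forward only if it is
        addressed to an existing slot, restoring the inside address."""
        for (lip, lport), glob in self.xlates.items():
            if glob == (pkt.dst, pkt.dport):
                return Packet("inside", pkt.src, pkt.sport, lip, lport)
        return None                           # no slot: unsolicited, rejected


if __name__ == "__main__":
    t = Translator("pat")
    out = t.outbound(Packet("inside", "10.1.1.5", 40000, "198.51.100.7", 80))
    print("outbound rewritten to", out.src, out.sport)
    print("reply restored to", t.inbound(Packet("outside", "198.51.100.7", 80, out.src, out.sport)))
    print("unsolicited:", t.inbound(Packet("outside", "198.51.100.7", 80, out.src, 9)))
```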


Syslog Server

Provides a syslog server for use on a Windows NT system that accepts TCP and UDP syslog messages from PIX Firewall.

The syslog server can provide time stamped syslog messages, accept messages on alternate ports, and be configured to stop PIX Firewall traffic if messages cannot be received.

Can stop PIX Firewall connections if the Windows NT syslog server log disk fills or the server goes down.

URL Filtering

The PIX Firewall URL filtering is provided in partnership with the NetPartners WebSENSE product. PIX Firewall checks outgoing URL requests against the policy defined on the WebSENSE server, which runs either on Windows NT or UNIX.

Based on the response from the NetPartners WebSENSE server, which matches a request against a list of 17 Web site characteristics deemed inappropriate for business use, PIX Firewall either permits or denies the connection.

Because URL filtering is handled on a separate platform, no additional performance burden is placed on the PIX Firewall.

Check http://www.websense.com for more information.

Security Policy

The PIX Firewall separates the details of implementing a security policy from providing network services such as Web, FTP, Telnet, and SMTP. A security policy provides:

o Much better scalability and performance
  The PIX Firewall is dedicated to the security role and does not incur the substantial overhead required to offer server connections.

o Greater security
  Unless configured to do so, the PIX Firewall does not accept connections from the outside network, and it is implemented using a proprietary embedded system rather than the full operating system necessary to support server applications.

o Reduced complexity
  Each device performs a dedicated function.


Use the following links (sections of the Introduction chapter of the PIX 4.4 configuration guide, http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pix44cfg/pix44int.htm) to find more information:

o Know Your Enemy
o Count the Cost
o Identify Your Assumptions
o Control Your Secrets
o Remember Human Factors
o Know Your Weaknesses
o Limit the Scope of Access
o Understand Your Environment
o Limit Your Trust
o Remember Physical Security
o Make Security Pervasive

Making Image Backups

You should back up your configuration to both Flash memory and diskette after making changes to the configuration.

Use the write memory command to store your configuration in Flash memory. You can enter this command from configuration mode.

Flash memory is a special type of memory card that stores images without the need for a battery or power source to maintain the image.

Use the write floppy command to store the configuration on diskette.

Each image you store overwrites the last stored image in either Flash memory or diskette.

Should the need arise, you can restore your configuration from Flash memory with the configure memory command, or from diskette with the configure floppy command.


Default configuration commands

nameif           Identifies the interface name and specifies its security level. If you have more than two interfaces, you need to add a nameif command to the configuration for each interface.

enable password  Lists the encrypted privileged mode password.

passwd           Lists the encrypted password for Telnet access to the PIX Firewall console.

hostname         Sets the PIX Firewall system name to "pixfirewall." You can change this name or leave it as is.

fixup            Specifies service port numbers at which the PIX Firewall listens.

names            Lets you rename IP addresses with names from your native language to add clarity to your configuration. It is best to ignore this command until you have established network connectivity.

logging          Disables Syslog messages from displaying at the console or being sent to a server. The logging command lists information about each connection that starts and ends, whether pings through the PIX Firewall are successful, and additional information useful when troubleshooting network connectivity. Set this command to logging buffered debugging. To view the messages, use show logging.

interface        Identifies the speed of the interface or whether the network interface card can automatically sense its speed and duplex. If you have Token Ring interfaces, you need to add these commands by hand. For Ethernet interfaces, the default configuration provides interface commands for every interface.

mtu              Sets the maximum packet size to 1500 bytes for Ethernet or to the appropriate size for Token Ring interfaces.

ip address       Identifies the IP address of each interface.

failover         Sets failover. The no failover command disables the failover feature.


IP Addresses (Public and Private)

Class A: The first octet is between 1 and 127 (127 is loopback)
Class B: The first octet is between 128 and 191
Class C: The first octet is between 192 and 223

Use RFC 1918 IP addresses for inside and perimeter addresses:
o Class A: 10.0.0.0 to 10.255.255.255
o Class B: 172.16.0.0 to 172.31.255.255
o Class C: 192.168.0.0 to 192.168.255.255

Supported Protocols

o Address Resolution Protocol (ARP)
o Archie
o Berkeley Standard Distribution (BSD)-rcmds
o Bootstrap Protocol (BOOTP)
o Domain Name System (DNS)
o File Transfer Protocol (FTP)
o Generic Route Encapsulation (GRE)
o Gopher
o Hypertext Transport Protocol (HTTP)
o Internet Control Message Protocol (ICMP)
o Internet Protocol (IP)
o NetBIOS over IP (Microsoft Networking)
o Point-to-Point Tunneling Protocol (PPTP)
o Simple Network Management Protocol (SNMP)
o Sitara Networks Protocol (SNP)
o SQL*Net (Oracle client/server protocol)
o Sun Remote Procedure Call (RPC) services, including NFS
o Telnet
o Transmission Control Protocol (TCP)
o Trivial File Transfer Protocol (TFTP)
o User Datagram Protocol (UDP)


Terminology

Conduits
The PIX Firewall conduit command identifies which services may be reached at a global address from the unprotected side. It is an inbound permit rule; without a matching conduit (or static plus conduit), connections initiated from the outside are dropped.

DNAT address
An IP address that has been translated by the alias command.

Global address
An IP address that is visible on an unprotected network. Local addresses are translated into global addresses as they pass through the PIX Firewall, so the local addresses are not exposed to outside detection. Global addresses are created with the global and static commands.

Local address
An IP address on the PIX Firewall's inside network.

Protected network
One or more networks that you are protecting from intrusion. A protected network is also known as an internal network. On a PIX Firewall with two interfaces, the protected network is the inside network.

Unprotected network
One or more networks that feed into the PIX Firewall and connect the protected networks to the rest of your organization and to the Internet. An unprotected network is also known as an external network. On a PIX Firewall with two interfaces, this is the outside network.

Translation
When a connection moves through the PIX Firewall from a protected network, the PIX Firewall translates the originating local IP address to a global address so that the local address is hidden from scrutiny on the outside.
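The configuration below is an added example that ties the address and terminology sections together; it is not taken from the original study guide or from Cisco's documentation. It assumes a three-interface PIX (inside, a dmz perimeter network, and outside), RFC 1918 space on the inside (10.1.1.0/24) and perimeter (172.16.1.0/24), and 192.0.2.0/24 standing in for a routable public block; the interface names, pool ranges and the web server at 172.16.1.5 are all placeholders. Lines beginning with `!` are annotations for the reader, not commands to enter.

```cisco
! Interfaces: higher security level = more protected
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1

! Outbound translation: local (inside) addresses are hidden behind a
! pool of global addresses on each lower-security interface they reach
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 192.0.2.10-192.0.2.100 netmask 255.255.255.0
global (dmz) 1 172.16.1.10-172.16.1.100 netmask 255.255.255.0

! Inbound: a fixed global address for the perimeter web server, and a
! conduit that opens only TCP/80 to it from the unprotected network
static (dmz,outside) 192.0.2.5 172.16.1.5 netmask 255.255.255.255 0 0
conduit permit tcp host 192.0.2.5 eq www any
```

After an inside host opens a connection, `show xlate` lists the local-to-global mapping that the nat/global pair created, and `show conn` lists the connection itself; if either is empty the translation was never built. Keep conduits as narrow as the one above: a conduit with `any` as the destination or a broad protocol effectively removes the protection the static/global design provides, and later PIX releases replaced conduit with access-list and access-group for exactly this kind of inbound policy.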

Course Information from Cisco

Course Content

The Cisco Secure PIX Firewall Fundamentals (CSPFF) course is a new, two-day, instructor-led, lab-intensive course delivered by Cisco Training Partners. It provides an introduction to network security, focusing on how the PIX Firewall functions within network security, and teaches the knowledge and skills needed to install, configure, and operate the Cisco Secure PIX Firewall version 5.0(1).

NOTE: This course will be followed by the Advanced Cisco Secure Firewall Technologies course (ACSFT) in Q2 CY 2000.

Course Objectives

Upon completion of this course, students will be able to do the following:

Identify PIX Firewall features, models, and components.

Install the PIX Firewall, upgrade software images and perform general commands.

Configure PIX Firewall firewalling capabilities.

Configure inbound and outbound access through the PIX Firewall.

Configure multiple interfaces on the PIX Firewall.


Configure syslog and routine maintenance procedures.

Configure PIX Firewall IPSec VPN features in a PIX-to-PIX topology.

Test and verify PIX Firewall operations.

The CSPFF 1.1 course is an introductory course for LAN or network administrators. It introduces the Cisco Secure PIX Firewall and teaches the basic features needed to get the PIX operational on a production network. Security professionals working at all levels of the enterprise will gain knowledge from this class.

Course Outline

Network Security Fundamentals (Lecture)

PIX Firewall Security Features and Options (Lecture)

Installing the PIX Firewall (Lecture)

Upgrading the PIX Firewall Software Image (Lecture/Lab)

Configuring Basic PIX Firewall Commands (Lecture/Lab)

PIX Translation Overview

Configuring Access through the PIX Firewall (Lecture/Lab)

Configuring Multiple Interfaces (Lecture/Lab)

Configuring Syslog and Performing Maintenance (Lecture/Lab)

PIX Firewall Advanced Features

Configuring Virtual Private Networks (VPN) using the PIX Firewall

Last Tips

All you need to know to pass this exam is to have hands-on experience if possible and to read the online documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pix44cfg/pix44cfg.htm

(Note that this link points at the PIX 4.4 configuration guide, while the course covers version 5.0(1); read the guide for the release you will be tested on.)

Go through every piece of this documentation!

This is the PIX Firewall documentation on how to set up a PIX Firewall from scratch. It goes systematically through everything. There really are no books or study guides available for this topic, but all you need is on the Cisco Documentation home page. Make sure you go through the step-by-step procedures and do the hands-on work if possible.