Cisco PIX Firewalls: Configure, Manage, & Troubleshoot

Once the Cisco PIX firewall has been unboxed, plugged in, booted up, and configured with its initial system parameters, the first thing most security professionals want to do is configure it to pass traffic appropriately (i.e., according to the organization's security policy). A firewall would serve no purpose if it indiscriminately blocked all traffic. To properly protect a network environment, traffic must be filtered in both the outbound and inbound directions. The key to configuring a firewall is to permit only the traffic you want and block the traffic you do not want. The concept is easy to understand, but putting it into practice is not always an easy task.
This chapter provides the basics needed to pass traffic through Cisco PIX firewalls. Perhaps the most important fundamental of passing traffic is address translation, of which there are two types: static and dynamic. Once translation has been configured, the PIX automatically allows all connections from a higher-security interface to a lower-security interface and denies all connections from a lower-security interface to a higher-security interface. To configure more granular access, you can permit or deny specific traffic using access lists.
The decisions to permit or deny specific traffic make up the firewall rules, typically in the form of access lists. Whether you are configuring rules for outbound or inbound traffic, the process is generally the same:
1. Configure address translation.
2. Define an access list and apply it to an interface.
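As an added, constructed example that is not from the book, the two steps above written out in PIX 6.x configuration syntax; the interface names, the addresses (RFC 1918 inside, RFC 5737 outside), the host being published and the access-list names are all assumptions.

```cisco
! Added example (not from the book): a minimal PIX 6.x configuration that
! walks the two steps above. All interface names, addresses and ACL names
! are assumed; addresses use RFC 1918 (inside) and RFC 5737 (outside) ranges.

! Interfaces and security levels: inside (100) is more trusted than outside (0).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Step 1a: dynamic translation (PAT) for outbound traffic from the inside LAN.
! nat id 1 ties the inside hosts to the matching global pool on the outside.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 203.0.113.10 netmask 255.255.255.255

! Step 1b: static translation so one inside web server is reachable from outside.
static (inside,outside) 203.0.113.5 10.1.1.5 netmask 255.255.255.255 0 0

! Step 2a: inbound access list. Lower-to-higher security is denied by default,
! so only what is listed here is let in. On PIX 6.x the ACL matches the
! translated (global) address, not the server's real inside address.
access-list outside_in permit tcp any host 203.0.113.5 eq www
access-list outside_in deny ip any any log
access-group outside_in in interface outside

! Step 2b: outbound access list. Higher-to-lower security is permitted by
! default once translation exists; applying an ACL here replaces that with
! an explicit allow-list (DNS and web only) plus an implicit deny for the rest.
access-list inside_out permit udp 10.1.1.0 255.255.255.0 any eq domain
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq https
access-group inside_out in interface inside
```

After the configuration is applied, `show xlate` lists the active translations and `show access-list` shows per-entry hit counts, which is the quickest way to confirm that traffic is matching the rules you expect.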
You must ensure that users can access the...