The majority of the tasks that you perform in Firewall MC involves configuration tasks. Configuration settings control individual features of a firewall device. When defining these settings, you can apply them either to a specific firewall or to all of the firewalls in a group by selecting a group instead of an individual firewall. The scope of the changes that you make depends on the object that you select using the Object Selector before making the configuration changes (see the section entitled “Object Selector” earlier in this chapter). These tasks can be broken down into the following categories, each of which is discussed in detail in this section:
Configuring device settings
Defining access rules
Defining translation rules
Creating building blocks
Generating and viewing configuration information
Configuring Device Settings
Through the Firewall MC, you can configure many device-specific properties on your managed firewalls. Following are the majority of the device settings that you can configure through Firewall MC:
PIX operating system version
PIX Firewall administration
Servers and services
Firewall MC controls
One common task is changing the properties of the interfaces on the firewalls managed by the Firewall MC software. If you configure a firewall using Setup, it configures only the inside interface. Before you can define the access or translation rules, you must configure the rest of the interfaces on the firewall.
Defining Access Rules
Access rules, which control the traffic that flows through your firewall, are used to define your network security policy. Each access rule is a member of an order list of rules that Firewall MC stores in a table. Rules are processed from first to last. A firewall uses the first matching rule to determine whether the traffic is permitted or denied.
You can configure the following three types of access rules (see Figure 14-10):
Authentication, authorization, and accounting (AAA) rules
Web filter rules
Figure 14-10 Access Rules
In Firewall MC, you can view a list of access rules that spans all of the different interfaces (see Figure 14-10). Each access rule shown is converted into a single entry in an access control list (ACL) on a specific interface for the managed firewall.
Defining Translation Rules
Translation rules enable you to configure and view the address translations that you are using on the network. You can configure the following types of translation rules using Firewall MC:
Static translation rules
Dynamic translation rules
Translation exception rules (NAT 0 ACL)
Firewall MC supports both Network Address Translation (NAT) and Port Address Translation (PAT).
Static translation rules permanently map an internal IP address to a publicly accessible global IP address. These rules assign a host on a higher-security-level interface to a global IP address on a lower-security interface. This enables the hosts from the lower-security zone to communicate with the host from the higher-security zone. Figure 14-11 shows a static translation rule that assigns the local address of a protected host (10.10.10.20/32 on the inside interface) to a global address (192.168.10.20/32 on the outside) that is accessible by external systems.
Figure 14-11 Static Translation Rules
Unlike static translation rules, dynamic translation rules do not permanently map an internal IP address to a global IP address. These rules dynamically map an internal IP address to a global IP address from a pool of IP addresses when using NAT or to a single IP address when using PAT. Figure 14-12 shows a dynamic translation rule that translates traffic from any address on the inside interface to a global address using the address translation pool named public for outbound traffic.
Figure 14-12 Dynamic Translation Rules
Before you can configure a dynamic translation rule, however, you need to define the appropriate address translation pool. This pool identifies which addresses can be temporarily associated with outbound traffic from a specific internal host. For more information on address translation pools, refer to the following section, “Creating Building Blocks.”
Creating Building Blocks
Building blocks enable you to optimize your configuration. Building blocks define groups of objects such as hosts, protocols, or services. You can then issue a command that affects every item in the group by specifying the name of the group. Basically, you can use the names of the building blocks in place of corresponding data values when configuring device settings or defining rules. You can configure the following types of building blocks, each of which is described within this section:
AAA server groups
Address translation pools
Network objects enable you to group a range of network addresses specified by an IP address and a network mask. These network objects can then be used in access rules and translation rules. In Figure 14-13, the network object named DMZ is associated with the Class C network 172.16.10.0/24.
Figure 14-13 Network Objects
You can use DMZ in access and translation rules by clicking the Select button whenever you normally specify an IP address (see Figure 14-14). The Selecting Network Objects window is displayed (see Figure 14-15). To use one of the list objects, click the object name, and then click Select=> to move the name to the Selected Objects column.
Figure 14-14 Creating a Static Translation Rule
Figure 14-15 Selecting Network Objects
Service definitions enable you to define objects that associate IP protocols, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) source and destination ports, and Internet Control Message Protocol (ICMP) message types with a specific name (see Figure 14-16). These service definitions are then used in firewall device protocol groups, service groups, and ICMP-type groups, respectively.
Figure 14-16 Service Definitions
Similar to other building blocks, you can use service definitions whenever you would normally specify a service (such as defining firewall rules) by clicking the Add button. This opens the Selecting Services window (see Figure 14-17), enabling you to select the appropriate service definition.
Figure 14-17 Selecting Services
Service groups enable you to define objects that associate a name with a group of service definitions (see Figure 14-18). For instance, you can create a service group that permits both HTTPS and Secure Shell (SSH) traffic.
Figure 14-18 Service Groups
AAA Server Groups
AAA server groups enable you to define separate groups of Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS) servers that are used for different types of traffic. Traffic will attempt to authenticate with the fist server in the AAA server group. If this server is inaccessible, the next server in the group is tried.
You can define 14 AAA server groups, each containing 14 distinct AAA servers, supporting a total of 196 AAA servers.
Address Translation Pools
Address translation pools enable you to associate a name with a group of addresses that will be used to create dynamic address translations for outbound traffic. When defining an address translation pool, you need to specify the parameters shown in Table 14-6.
Table 14.6 Address Translation Pool Parameters
Name used when applying the pool to a dynamic translation rule.
Logical name of the interface where the pool will be used.
PAT: Use interface address for closing PAT Check Box
Select this check box to indicate that the IP address of the interface will be used as the PAT address when all of the other addresses in the pool have been used.
Address Range(s)/Mask (optional)
Set of addresses (in addition to the interface address) that will be used for dynamic translations.
For address translation pools, PAT is used when you have more internal addresses than external addresses. The firewall automatically uses the last available address to perform PAT. If you select the PAT check box (see Figure 14-19) when defining the address translation pool, after all of the addresses in the pool are used, the interface address is used for PAT.
Figure 14-19 Defining an Address Translation Pool
Generating and Viewing Configuration Information
Selecting Configuration > View Config > Generate Config allows you to generate the configuration for a specific device. The Scope bar indicates for which device the configuration will be generated. Once the configuration is generated, you can then view the information in the content area (see Figure 14-20).
Figure 14-20 Viewing Generated Configuration
Selecting Configuration > MC Settings allows you to control how Firewall MC operates when it discovers commands configured outside of Firewall MC or unsupported and error commands imported into Firewall MC. It also identifies the directories in which imported and deployed configurations will be placed.
When configuring the MC settings, you have the following options:
When configuring the AUS, you use the Deployment option to redirect configuration updates to the AUS instead of sending them directly to the managed device.