I am not an expert at the PIX Firewall. In fact, I don’t even know if you could say that I am a beginner at it. I am certified at working with the Astaro; but even that firewall I am now rusty on as I have not been working with it for a couple of years now. But I was put into a position today where I needed to figure out how to add a new external IP Address to the PIX for it to be network address translated to the latest website I have been creating called http://easytrekking.com. Now you could easily ask why I did not simply use the Godaddy web interface created for the PIX firewall. Well, I used to. However, since I blocked off some of the non-standard ports that Godaddy by default left open, I may have locked myself out of the web interface. After putting in a call to Godaddy, we determined that I still had ssh access and that I should be content to do the administration from the console. By the way, I am using PIX version 6.3.
Okay. The problem is that I have never before learned the scripting language used by the PIX. So this was my first attempt. It took me a few hours to figure out this little bit that I will show you here.
1. Connect to the firewall by SSH using the IP Address given to you by your provider – Godaddy in this case. It is interesting to note that you are not using the same IP Address as you would use with say your first website on your server. This is a difference between the PIX and the Astaro. Evidently, when setting up the PIX, you need one static IP Address for the firewall, and one static IP Address for your first website. At least, that is how it appears to me.
2. After logging in, type ‘enable’. You will be prompted for your password again.
3. Type ‘configure terminal’. Now you are able to make configuration changes to the firewall.
4. Type ‘show xlate’. This will show you the existing network address translations currently at work.
5. Type ‘show running-config’. This will show you the settings currently in place. You need to analyze it to see exactly how yours is set up. In my case, I needed to add four lines.
pdm location 192.168.0.4 255.255.255.255 inside
pdm location 97.74.198.125 255.255.255.255 outside
static (inside,outside) 97.74.198.125 192.168.0.4 netmask 255.255.255.255 0 0
static (outside,inside) 192.168.0.4 97.74.198.125 netmask 255.255.255.255 0 0
Simply customize these four lines to match your own environment and drop them onto the console. Afterwards, once again type ‘show running-config’ and you will see your changes added.
6. Now type ‘clear xlate’.
7. Type ‘show xlate’ again and you will see the entries cleared. Now access at least one website on each of your IP Addresses and then type ‘show xlate’ again. You should then find your list populated again, with your new IP Address listed as being translated. Hopefully, your website on the new IP Address will show up in the browser as well.
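As an added example (not from the post), here is a small Python check for steps 5 through 7: it reads the ‘static’ lines out of a saved ‘show running-config’ and the ‘Global … Local …’ lines out of ‘show xlate’, and reports whether the intended outside-to-inside mapping is configured and actually in use. The sample config and xlate text are constructed to match the post’s addresses, and the PIX 6.3 output format is assumed.

```python
import ipaddress
import re

# Constructed sample of 'show running-config' after the four lines from the post were pasted in
RUNNING_CONFIG = """\
pdm location 192.168.0.4 255.255.255.255 inside
pdm location 97.74.198.125 255.255.255.255 outside
static (inside,outside) 97.74.198.125 192.168.0.4 netmask 255.255.255.255 0 0
static (outside,inside) 192.168.0.4 97.74.198.125 netmask 255.255.255.255 0 0
"""

# Constructed sample of 'show xlate' after 'clear xlate' and one browser hit on each site
XLATE_OUTPUT = """\
Global 97.74.198.124 Local 192.168.0.3
Global 97.74.198.125 Local 192.168.0.4
"""

# Assumed PIX 6.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
XLATE_RE = re.compile(r"^Global (\S+) Local (\S+)")

def parse_statics(config):
    """Return a set of (real_ifc, mapped_ifc, mapped_ip, real_ip) tuples from static lines."""
    statics = set()
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics.add((m.group(1), m.group(2), m.group(3), m.group(4)))
    return statics

def parse_xlate(output):
    """Return a set of (global_ip, local_ip) pairs from the active translation table."""
    return {tuple(m.groups()) for line in output.splitlines()
            if (m := XLATE_RE.match(line.strip()))}

def check_mapping(config, xlate, global_ip, local_ip):
    """List what is wrong with the intended mapping; an empty list means it is configured and active."""
    problems = []
    if not ipaddress.ip_address(local_ip).is_private:
        problems.append(f"{local_ip} is not a private (RFC 1918) inside address")
    if ipaddress.ip_address(global_ip).is_private:
        problems.append(f"{global_ip} is not a routable outside address")
    if ("inside", "outside", global_ip, local_ip) not in parse_statics(config):
        problems.append(f"no 'static (inside,outside) {global_ip} {local_ip}' in running-config")
    if (global_ip, local_ip) not in parse_xlate(xlate):
        problems.append(f"no active xlate for {global_ip} -> {local_ip}; browse to the site, then 'show xlate'")
    return problems
```

Run it against the real outputs by pasting them into the two sample strings; a non-empty list tells you which of the two steps (config line or live translation) is still missing.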
Now, some of you may be questioning the wisdom of my posting something about my firewall. From where I stand, if you really want to hack my stuff, you will probably find a way. It just depends on how badly you want in. Names and IP Addresses have been changed to protect my stupidity.