PIX Commands

Heres a few PIX commands that may come in useful.  Performance / Usage sh mem Shows memory used and amount free sh cpu                                                           Shows % of CPU used sh perfmon Show the performance of various connections sh traffic Show the traffic stats sh resource usage system Shows the system utilization sh service-policy Shows the amount … Read more

Check Point – Exporting SmartCentre settings

This will show you the steps involved in exporting the settings of a Smart Centre Server for importing into a newly installed Smart Centre server, Download the upgrade_export utility and run it from $FWDIR/bin to export the config to a .tgz Transfer the tgz to another machine Uninstall all ngx packages and reboot Install new … Read more

Check Point – Useful Files

Below are some of the various files and commands which you may find useful on a Check Point. Smart Centre Server $CPDIR/conf – Contains parts of the CPShared system    * cp.license  – license of machine    * sic_cert.p12 – SIC certificate$FWDIR/lib – .def files which are used when the rulebase is complied into inspection code for … Read more

Check Point – FW Monitor

Check Point Inspection Points

FW monitor is a great tool for troubleshooting traffic flow issues with your checkpoint. It works by using 4 inspection points, i – Pre Inbound I – Post Inbound o – Pre Outbound O – Post Outbound Examples fw monitor -e “accept dport=6000;” fw monitor -m iO -e ‘accept dport=80;’ fw monitor -e ‘accept dport;’ … Read more

Check Point – Authentication

When adding an authentication action to a rule there are 3 types, User Session Client User authentication works by intercepting connects going through the FW-1 and prompting the user for authentication. To do this the firewall has to modify the traffic, so this authentication type can only be used with FTP, HTTP, Telnet and RLOGIN. … Read more

Check Point – NAT Explained

There are many types of NAT in the land of Check Point. Here’s a quick overview, Static NAT – One to one translation Hide/Dynamic NAT – Allows you to NAT multiple IPs behind one IP/Interface Automatic NAT – Quick basic address NAT translation. Manual NAT – Allows greater flexibility over automatic NAT. Proxy ARP is … Read more

Check Point – Client vs Server Side NAT

Introduction Client and Server side NAT relates to when we perform destination NAT`ing. The “Translate destination on Server side” option is an legacy option which was included due to pre NG versions of checkpoint using Server-Side NAT. Client Side NAT – The destination address is NAT`d by the inbound Kernel Server Side NAT – The … Read more


How do I configure proxy ARP on my SPLAT firewall ?  There are 2 ways to get a packet to a firewall. A Route or a Proxy ARP. Using routes is the perferred method but it may be the case where you havent access to the routers and need to use Proxy ARP. Please note: … Read more

PEMU – Free Cisco PIX Firewall Emulator / Simulator

Introduction This is a guide on how to install a Free pix emulator / simulator onto a linux platform. You can also obtain the windows version, which you can find (along with other tutorials and forum) at the ariscahyadi blog. This software was written by mmm123, and is called PEMU, which is based on the … Read more

PIX – Static NAT

Below is an example of static NAT for FTP when using the outside interface with a DHCP address assigned to it. static (dmz,outside) tcp interface ftp ftp netmask static (dmz,outside) tcp interface ftp-data ftp-data netmask  

Nokia`s VRRP

Nokia`s VRRP protocol allows for an active-standby firewall cluster. Nokia have added an extension to VRRP called VRRP monitored circuit which handles both total firewall failure as well as interface failures. Each virtual router uses a mac address of 00-00-5E-00-01-XX. XX being the Virtual Router ID (VRID).The multicast of and IP protocol number 112 … Read more

PIX – Advanced Protocol Handling

When using a “inspect policy map” you need to add it to a “standard policy-map” to allow you to add it to the service policy.For each policy map there would be a class map, the inspect would match the FTP command, and then use the classmap “inspection-default” in the standard policy map. Running Config policy-map … Read more

PIX – VPN – Site 2 Site

Below shows the configuration syntax for configuring a Site to Site VPN on a Cisco PIX firewall. Configuration (config)#isakmp enable outside(config)#isakmp policy 10(config-isakmp-policy)# encryption aes-256(config-isakmp-policy)# hash sha(config-isakmp-policy)# authentication pre-share(config-isakmp-policy)# group 1(config-isakmp-policy)# lifetime 86400(config)#isakmp key shabba address netmask no-xauth(config)#access-list ED permit ip nonat permit ip (inside) … Read more

PIX – VPN – Remote Access

Below shows 2 examples of a Remote Access configuration on version 6.x and 7.x of the Cisco PIX firewall. 6.x (config)#username 123 password 123(config)#isakmp enable outside(config)#ip local pool VPNIP mask policy 1 authentication pre-share(config)#isakmp policy 1 encryption 3des(config)#isakmp policy 1 hash sha(config)#isakmp policy 1 group 2(config)#isakmp policy 1 lifetime 43200 (config)# crypto ipsec … Read more

PIX Protocol Handling

Below are the steps involved in configuring protocol handling, Create the class-map – Tell the class-map which traffic to match Create Policy-map – Assign class-map to policy map. Tell the class-map what to do to the matched traffic Assign policy map globally or to interface Below will inspect http traffic on port 801 using, and … Read more

PIX – Logging Buffer – View logs on your PIX

If you need to view the logs on your pix, as you haven’t got a syslog server, or you haven’t got access to it, you can access the logs on the pix itself and grep your way through, by using and enabling the logging buffer. Below shows you how to enable and disable the logging … Read more

PIX – Create a Read Only account

Below shows you the commands for creating a read only account on a Cisco PIX firewall. hostname(config)# username client password 123 privilege 5hostname(config)# privilege show level 5 command running-confighostname(config)# privilege show level 5 command startup-confighostname(config)# privilege show level 5 command access-listhostname(config)#aaa authentication ssh console LOCAL

Configuring AAA on a Cisco PIX

Below shows the required configuration commands for configuring AAA. Authentication Interactive user #(config) aaa-server <server name> protocol <tacacs/radius>#(config) aaa-server <server name> <interface> host <AAA server IP>#(config) aaa authentication include <https/https/ftp/telnet>  inbound 0 0 0 0#(config) access-list 111 permit tcp any any eq ftp#(config) aaa authentication match 111 <interface> <AAA server name> Console Access #(config) aaa … Read more

Cisco PIX – Routing

Static To send all traffic to out the outside interface.To send any traffic in to out the inside interface (config)#Route outside 0 0 inside RIP Allow RIP updates to be received on the outside interface with a key of cisco and id of 2.Pass RIP updates out the … Read more

Enabling ASDM upon your PIX

Below shows you how to enable ASDM upon your PIX. First of all you will need to copy the ASDM image to you PIX firewall. I find the easiest way to do this is to enable scopy (scp) on your pix using the command ssh scopy enable. And then using the putty tool pscp to … Read more

Configuring HA Failover on a PIX Firewall

Below shows you how to configure stateful LAN based failover. Primary (config)#interface eth0(config-if)#nameif inside(config-if)#ip add standby (config)#interface eth1(config-if)#no nameif(config-if)#no shut (config)#interface eth2(config-if)#no nameif(config-if)#no shut (config)#failover(config)#failover lan unit primary(config)#failover lan interface failover eth1(config)#failover lan enable(config)#failover key <key>(config)#failover link state eth2(config)#failover interface ip failover standby interface ip state standby … Read more

How do I Enable SNMP on a PIX / ASA ?

Below shows you the commands to enable SNMP (polls or traps) on PIX/ASA v7.x or later….. pix(config)# snmp-server host [interface_name] [ip_address] trap community [community string] pix(config)# snmp-server host [interface_name] [ip_address] poll community [community string]

How to enable SSH on a PIX

Below shows you the necessary steps required to enable SSH on a PIX firewall, crypto key generate rsa modulus 1024ssh [ip] [mask] [interface]aaa authentication ssh console LOCALusername [username] password[password] privilege 15

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial