
DRAFT May 2003. All rights reserved.

For review only. Please do not distribute


© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0
Module 9

PIX Firewall Translations and Connections


Learning Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
• Describe how the TCP and UDP protocols function within the PIX Firewall.
• Describe how static and dynamic translations function.
• Configure the PIX Firewall to permit inbound connections.
• Explain the PIX Firewall’s PAT feature.
• Explain how to configure the PIX Firewall to perform port redirection.
• Explain how to configure the PIX Firewall to translate the IP address in a DNS A-record.
• Configure additional interfaces on the PIX Firewall.
• Test and verify correct PIX Firewall operation.


Overview

This module examines how the PIX Firewall handles network traffic, beginning with a review of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sessions, and then shows how those sessions are allowed through the PIX Firewall.


Key terms

• NAT
• PAT
• Statics
• Conduits
• Inside NAT
• Outside NAT


Transport Protocols


Sessions in an IP World

In an IP world, a network session is a transaction between two end systems. It is carried out primarily over two transport layer protocols:
• TCP
• UDP


TCP

• TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol.
• TCP features:
– Sequencing and acknowledgement of data.
– A defined state machine (open connection, data flow, retransmit, close connection).
– Congestion detection and avoidance mechanisms.


TCP Initialization—Inside to Outside

[Figure: a TCP three-way handshake from inside host 10.0.0.11 (private network) through the PIX Firewall to outside host 172.30.0.50 (public network). The left column of the original slide shows each packet's headers as seen on the inside; the right column shows the same packet after translation on the outside.]

Packet #1 (inside host to PIX Firewall), flag SYN, no data:
  Source address 10.0.0.11, destination address 172.30.0.50, source port 1026, destination port 23, initial sequence number 49091.
Packet #2 (PIX Firewall to outside host), flag SYN:
  Source address 192.168.0.20 (translated), destination address 172.30.0.50, source port 1026, destination port 23, initial sequence number 49769.

The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created and the embryonic connection counter is started.

Packet #3 (outside host to PIX Firewall), flags SYN-ACK:
  Source address 172.30.0.50, destination address 192.168.0.20, source port 23, destination port 1026, sequence number 92513, acknowledgement number 49770.
Packet #4 (PIX Firewall to inside host), flags SYN-ACK:
  Destination address 10.0.0.11 (translated back), sequence number 92513, acknowledgement number 49092.

The PIX Firewall follows the Adaptive Security Algorithm:
• (source IP, source port, destination IP, destination port) check
• Sequence number check
• Translation check

Note that the inside host's initial sequence number (49091) appears on the outside as 49769, and the outside host's acknowledgement (49770) is rewritten to 49092 on the way back in: the PIX Firewall randomizes the inside host's TCP initial sequence number, so the sequence number check is applied to the translated values.

TCP Initialization—Inside to Outside (cont.)

Packet #5 (inside host to PIX Firewall), flag ACK:
  Source address 10.0.0.11, destination address 172.30.0.50, source port 1026, destination port 23, sequence number 49092, acknowledgement number 92514.
Packet #6 (PIX Firewall to outside host), flag ACK:
  Source address 192.168.0.20, destination address 172.30.0.50, source port 1026, destination port 23, sequence number 49770, acknowledgement number 92514.

The PIX Firewall resets the embryonic counter for this client and increases the connection counter for this host. Data then flows, strictly following the Adaptive Security Algorithm.


UDP

• Connectionless protocol.
• Efficient protocol for some services.
• Resourceful but difficult to secure: there is no handshake and no sequence number for the firewall to check, so the PIX Firewall can only match responses against the outbound request and a timeout.

UDP (cont.)

[Figure: a UDP exchange from inside host 10.0.0.11 (private network) through the PIX Firewall to outside host 172.30.0.50 (public network).]

Packet #1 (inside host to PIX Firewall):
  Source address 10.0.0.11, destination address 172.30.0.50, source port 1028, destination port 45000.
Packet #2 (PIX Firewall to outside host):
  Source address 192.168.0.20 (translated), destination address 172.30.0.50, source port 1028, destination port 45000.

The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.

Packet #3 (outside host to PIX Firewall):
  Source address 172.30.0.50, destination address 192.168.0.20, source port 45000, destination port 1028.
Packet #4 (PIX Firewall to inside host):
  Destination address 10.0.0.11 (translated back), source port 45000, destination port 1028.

All UDP responses must arrive from the outside within the user-configurable UDP timeout (default = 2 minutes). The PIX Firewall follows the Adaptive Security Algorithm:
• (source IP, source port, destination IP, destination port) check
• Translation check
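The checks on the two diagrams above, as an added worked example that is not part of the Cisco course material: a Python toy model of the translation (xlate) and connection (conn) tables, driven by the slides' packets. The global pool (192.168.0.20-21), the timeout constant and the first-free-address allocation are assumptions of the toy; it also leaves out the PIX's initial-sequence-number randomization, so the SYN-ACK's acknowledgement is compared to the inside host's ISN directly.

```python
# Added example (not from the Cisco course): a toy model of the Adaptive
# Security Algorithm (ASA) checks described on the TCP and UDP slides.
# It keeps a translation table and a connection table for one dynamic-NAT
# rule so the allow/drop decision for each packet can be followed.
# Assumptions: the global pool below, the UDP timeout constant, and
# first-free-address allocation; ISN randomization is not modelled.
from dataclasses import dataclass
from typing import Optional

GLOBAL_POOL = ["192.168.0.20", "192.168.0.21"]  # global (outside) 1 pool (assumed)
UDP_TIMEOUT = 120.0                              # seconds; PIX default UDP timeout


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: int
    global_ip: str
    foreign_ip: str
    foreign_port: int
    state: str                 # "embryonic" / "established" (TCP), "open" (UDP)
    last_seen: float
    isn: Optional[int] = None  # inside host's initial sequence number (TCP)


class PixAsa:
    def __init__(self):
        self.pool = list(GLOBAL_POOL)
        self.xlate = {}        # local_ip -> global_ip
        self.conns = {}        # (proto, global_ip, gport, foreign_ip, fport) -> Conn
        self.embryonic = 0     # half-open TCP connections opened from inside

    def outbound(self, proto, src, sport, dst, dport, seq=None, flags="SYN", now=0.0):
        """Inside-to-outside packet: create the xlate if missing, then the conn.
        Returns the translated (global) source address, or None if dropped."""
        gip = self.xlate.get(src)
        if gip is None:                     # no translation slot yet
            if not self.pool:
                return None                 # global pool exhausted: drop
            gip = self.pool.pop(0)
            self.xlate[src] = gip
        key = (proto, gip, sport, dst, dport)
        conn = self.conns.get(key)
        if conn is None:
            if proto == "tcp" and flags != "SYN":
                return None                 # only a SYN may open a TCP conn
            state = "embryonic" if proto == "tcp" else "open"
            conn = Conn(proto, src, sport, gip, dst, dport, state, now, seq)
            self.conns[key] = conn
            if proto == "tcp":
                self.embryonic += 1         # start the embryonic counter
        elif proto == "tcp" and flags == "ACK" and conn.state == "embryonic":
            conn.state = "established"      # packet #5: handshake complete
            self.embryonic -= 1             # reset the embryonic counter
        conn.last_seen = now
        return gip

    def inbound(self, proto, src, sport, dst, dport, ack=None, flags="", now=0.0):
        """Outside-to-inside packet: allowed only if the 5-tuple matches an
        existing conn, the sequence check passes and the xlate is still valid.
        Returns the local destination address, or None if dropped."""
        key = (proto, dst, dport, src, sport)
        conn = self.conns.get(key)
        if conn is None:
            return None                     # 5-tuple check: unsolicited inbound
        if proto == "udp":
            if now - conn.last_seen > UDP_TIMEOUT:
                del self.conns[key]         # response arrived after the timeout
                return None
        elif conn.state == "embryonic":     # sequence number check on the SYN-ACK
            if "SYN" not in flags or "ACK" not in flags or ack != conn.isn + 1:
                return None
        if self.xlate.get(conn.local_ip) != dst:
            return None                     # translation check
        conn.last_seen = now
        return conn.local_ip


def handshake_demo():
    """The slide's packets #1, #3 and #5, plus two packets the ASA must drop."""
    pix = PixAsa()
    g = pix.outbound("tcp", "10.0.0.11", 1026, "172.30.0.50", 23, seq=49091)
    bad = pix.inbound("tcp", "172.30.0.50", 23, g, 1026, ack=12345, flags="SYN-ACK")
    ok = pix.inbound("tcp", "172.30.0.50", 23, g, 1026, ack=49092, flags="SYN-ACK")
    pix.outbound("tcp", "10.0.0.11", 1026, "172.30.0.50", 23, flags="ACK")
    rogue = pix.inbound("tcp", "172.30.0.99", 4444, g, 23, flags="SYN")
    return g, bad, ok, pix.embryonic, rogue


def udp_demo():
    """A UDP response inside the timeout is passed; a later one is dropped."""
    pix = PixAsa()
    g = pix.outbound("udp", "10.0.0.11", 1028, "172.30.0.50", 45000, now=0.0)
    in_time = pix.inbound("udp", "172.30.0.50", 45000, g, 1028, now=60.0)
    late = pix.inbound("udp", "172.30.0.50", 45000, g, 1028, now=60.0 + UDP_TIMEOUT + 1)
    return g, in_time, late
```

handshake_demo() returns the global address 192.168.0.20, None for the SYN-ACK with the wrong acknowledgement, 10.0.0.11 for the correct one, an embryonic count of 0 once the inside ACK arrives, and None for the unsolicited inbound SYN; udp_demo() passes the response at 60 seconds and drops the one after the timeout.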


Network Address Translations



Connections versus Translations

• Translations (xlates)—IP address to IP address translation.
• Connections (conns)—TCP or UDP sessions.


Translation Types

• Inside NAT—Translates addresses of hosts on higher security level (inside) interfaces:
– Dynamic
– Static
• Outside NAT—Translates addresses of hosts on lower security level (outside) interfaces:
– Dynamic
– Static


Dynamic Inside Translations

Configures dynamic translations:
• nat (inside) 1 0.0.0.0 0.0.0.0
• global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

The address and mask 0.0.0.0 0.0.0.0 match every inside host; the nat_id (1) links the nat statement to the global pool with the same ID.
Two Interfaces with NAT

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.2.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.1-192.168.0.14 netmask 255.255.255.240
pixfirewall(config)# global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.240
• All hosts on the inside networks can start outbound connections.
• A separate global pool is used for each internal network, matched by nat_id.


Three Interfaces with NAT

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
• Inside users can start outbound connections to both the DMZ and the Internet.
• The nat (dmz) command gives DMZ services access to the Internet.
• The global (dmz) command gives inside users access to the web server on the DMZ.
static Command

pixfirewall(config)#
static [(prenat_interface, postnat_interface)] mapped_address | interface real_address [netmask mask]

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255
• Packet sent from 10.0.0.11 has a source address of 192.168.0.10.
• Permanently maps a single IP address.
• Recommended for internal service hosts.


Static Inside Translations

pixfirewall(config)# static (inside,outside) 192.168.0.18 10.0.0.10
• Packet from 10.0.0.10 has a source address of 192.168.0.18.
• Permanently maps a single IP address.
• Recommended for internal service hosts like a DNS server.
nat Command for Outside NAT

pixfirewall(config)#
nat [(if_name)] nat_id address [netmask] [outside] [dns] [timeout hh:mm:ss]
• Enables dynamic outside NAT.

pixfirewall(config)# nat (outside) 1 172.26.26.0 255.255.255.0 outside dns
pixfirewall(config)# global (inside) 1 10.0.0.20-10.0.0.254 netmask 255.255.255.0
• Addresses on the outside network 172.26.26.0 are translated to the inside pool 10.0.0.20-10.0.0.254, and DNS replies that match the xlate are translated.


Dynamic Outside Translations

pixfirewall(config)# nat (outside) 1 172.26.26.0 255.255.255.0 outside
pixfirewall(config)# global (inside) 1 10.0.0.20-10.0.0.254 netmask 255.255.255.0
pixfirewall(config)# static (inside,outside) 10.0.2.2 10.0.2.2
pixfirewall(config)# access-list ACLIN permit tcp 172.26.26.0 255.255.255.0 host 10.0.2.2 eq ftp
pixfirewall(config)# access-group ACLIN in interface outside
• Hosts on 172.26.26.0/24 that connect inbound appear to the inside FTP server 10.0.2.2 with source addresses from 10.0.0.20-10.0.0.254.
• The static keeps the server's own address (10.0.2.2) unchanged on the outside, and the access list applied inbound on the outside interface permits only FTP to it (the protocol keyword tcp is required before eq ftp).


static Command for Outside NAT

pixfirewall(config)#
static [(prenat_interface, postnat_interface)] mapped_address | interface real_address [dns] [netmask mask]
• Enables static outside NAT.


Static Outside Translations

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 dns netmask 255.255.255.255
pixfirewall(config)# static (outside,inside) 192.168.0.12 10.0.0.2 dns netmask 255.255.255.255
pixfirewall(config)# static (outside,inside) 192.168.0.14 10.0.0.4 dns netmask 255.255.255.255
pixfirewall(config)# route outside 10.0.0.0 255.255.255.128 192.168.0.1
pixfirewall(config)# route outside 10.0.0.128 255.255.255.128 192.168.0.1
• With (outside,inside) the first address is the mapped address seen on the inside and the second is the real address of the outside host; the route commands point those real outside addresses at the backbone router.
Identity NAT

pixfirewall(config)# nat (inside) 0 192.168.0.9 255.255.255.255
pixfirewall(config)# show nat
nat 0 192.168.0.9 will be non-translated

• NAT 0 ensures that 192.168.0.9 is not translated.
• ASA remains in effect with NAT 0.


xlate Command

pixfirewall(config)#
clear xlate [global_ip [local_ip]]
• Clears the contents of the translation slots (and tears down the connections that use them).
• Run it after changing nat, global or static commands so that stale slots built under the old configuration are not reused.

pixfirewall(config)#
show xlate
• Enables you to view translation slot information.

pixfirewall(config)# show xlate
2 in use, 2 most used
Global 172.16.P.20 Local insidehost
Global 192.168.P.11 Local bastionhost


Configuring DNS Support



alias Command

pixfirewall(config)#
alias [(if_name)] dnat_ip foreign_ip [netmask]
• Can be used to do address translation on a destination address.
• Can be used to do DNS Doctoring.

pixfirewall(config)# alias (inside) 10.0.0.10 192.168.0.17 255.255.255.255
• A client on the inside initiates DNS Doctoring.
• IP address 192.168.0.17 in the DNS reply is translated to 10.0.0.10 before the reply is delivered to the inside client.


DNS Doctoring with the alias Command

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# static (inside,outside) 192.168.0.17 10.0.0.10
pixfirewall(config)# conduit permit tcp host 192.168.0.17 eq www any
pixfirewall(config)# alias (inside) 10.0.0.10 192.168.0.17 255.255.255.255
Destination NAT with the alias Command

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# static (inside,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq www any
pixfirewall(config)# alias (inside) 192.168.0.11 172.16.0.2 255.255.255.255
DNS Record Translation

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0 dns
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# static (inside,outside) 192.168.0.17 10.0.0.10 dns
• The dns keyword replaces the alias command: the PIX Firewall rewrites the address in A-record replies that match an xlate so that the client sees the address valid on its own side of the firewall.
• The keyword applies per translation: on the nat command it covers the dynamic xlates, and it must also be given on the static for replies about 10.0.0.10 (192.168.0.17 on the outside) to be doctored.
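The rewrite described above, as an added worked example that is not part of the Cisco course material: a Python function that walks a DNS reply and rewrites any A record carrying the global address of a static xlate (192.168.0.17 → 10.0.0.10, as on the slide) so an inside client receives the local address. The reply bytes are constructed inline, and the host name used is made up for the example.

```python
# Added example (not from the Cisco course): what the dns keyword (or the
# older alias command) does to a DNS reply on its way to an inside client.
# The reply arrives from the outside DNS server with the global address of a
# static xlate; the A-record rdata is rewritten to the host's local address.
# The reply message is constructed below; the host name is made up.
import struct

# static (inside,outside) 192.168.0.17 10.0.0.10 dns  ->  global -> local
STATIC_XLATES = {"192.168.0.17": "10.0.0.10"}


def _skip_name(msg, off):
    """Offset just past the DNS name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # a 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(msg):
    """Yield the rdata offset of every IN A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                               # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4     # skip qtype and qclass
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_addresses(msg):
    """Dotted-quad addresses of all A records in the reply."""
    return [".".join(str(b) for b in msg[o:o + 4]) for o in _a_record_offsets(msg)]


def doctor_reply(msg, xlates=STATIC_XLATES):
    """Rewrite every A record whose address is a mapped (global) address in
    xlates to the corresponding local address; other replies pass unchanged."""
    buf = bytearray(msg)
    for off in _a_record_offsets(buf):
        addr = ".".join(str(b) for b in buf[off:off + 4])
        if addr in xlates:
            buf[off:off + 4] = bytes(int(x) for x in xlates[addr].split("."))
    return bytes(buf)


def build_reply(name, addr, txid=0x1234):
    """Construct a minimal standard DNS response: one question and one A
    record whose owner name is a compression pointer back to the question."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = qname + struct.pack("!HH", 1, 1)                 # type A, class IN
    rdata = bytes(int(x) for x in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer
```

For a constructed reply answering 192.168.0.17, doctor_reply() returns the same message with the rdata changed to 10.0.0.10; a reply for an address with no matching xlate is returned byte-for-byte unchanged, which is the behaviour a firewall rewriting in-flight replies has to guarantee.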
Connections



Only Two Ways through the PIX Firewall

For a packet to traverse the PIX Firewall, it must pass two policies: NAT and access control. The following are the only two ways to pass these policies and gain access through the PIX Firewall:
• Valid user request—Outbound communications, started from a higher security interface and given a translation by nat/global or static.
• Pre-defined static and conduit (or access-list)—Inbound communications.


Statics and Conduits

• The static and conduit commands allow connections from a lower security interface to a higher security interface.
• The static command is used to create a permanent mapping between an inside IP address and a global IP address.
• The conduit command is an exception in the ASA’s inbound security policy for a given host.
• Both are required: a static alone creates the translation slot but permits nothing inbound, and a conduit alone has no global address to apply to.


conduit Command

pixfirewall(config)#
conduit permit|deny protocol global_ip global_mask [operator port[port]] foreign_ip foreign_mask [operator port[port]]
• A conduit maps a specific IP address and TCP/UDP connection from the outside host to the inside host.

pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq ftp any

[Figure: backbone router 192.168.0.1 on the outside; PIX Firewall with outside address 192.168.0.2 and inside address 10.0.0.1; inside host 10.0.0.11, mapped to 192.168.0.10 by the static on the previous slides.]
• The conduit command is the older form of inbound access control; the access-list and access-group commands shown on the Dynamic Outside Translations slide are the preferred replacement.


Port Address Translation
PAT Example

• Assign a single IP address (192.168.0.9) to the global pool.
• IP addresses are typically registered with InterNIC.
• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.9 for outgoing access.
• The source port is changed to a unique port number in the range 1024 to 65535.

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0


PAT Using Outside Interface Address

• The interface option of the global command enables use of the outside interface address as the PAT address.
• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.2 for outgoing access.
• The source port is changed to a unique port number in the range 1024 to 65535.

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 interface


Mapping Subnets to PAT Addresses

• Each internal subnet is mapped to a different PAT address.
• Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.
• Source addresses of hosts in network 10.0.2.0 are translated to 192.168.0.9 for outgoing access.
• The source port is changed to a unique port number in the range 1024 to 65535.

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.1.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.0.2.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.0
pixfirewall(config)# global (outside) 2 192.168.0.9 netmask 255.255.255.0


Backing up PAT Addresses by Using Multiple PATs

• Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.
• Address 192.168.0.9 is used only when the port pool of 192.168.0.8 is at maximum capacity.
• Both global commands use the same nat_id (1): a second single address for the same ID adds a backup PAT address rather than replacing the first.

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.1.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0


Augmenting a Global Pool with PAT

• When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20-192.168.0.254 range.
• When the addresses from the global pool are exhausted, PAT begins on 192.168.0.19.

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.19 netmask 255.255.255.0
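The pool behaviour of the four PAT slides above (per-subnet PAT addresses, a backup PAT address, and a NAT range augmented with PAT), as one added worked example that is not part of the Cisco course material: a Python toy allocator in which each nat_id owns its global entries in the order entered, address ranges are used for one-to-one NAT first, and single addresses are PAT addresses used in turn once the ranges are exhausted. Sequential port assignment is a simplification of the real PIX, which picks unique ports but not in order; the network/host values come from the slides.

```python
# Added example (not from the Cisco course): a toy allocator for the global
# pool / PAT behaviour described on the PAT slides. Address ranges give
# one-to-one NAT; single addresses are PAT addresses that hand out source
# ports 1024-65535 in turn. Sequential port choice is a simplification.
import ipaddress

PAT_PORT_MIN, PAT_PORT_MAX = 1024, 65535    # PIX PAT source-port range


class GlobalPool:
    """All global (outside) entries that share one nat_id, in entry order."""

    def __init__(self):
        self.nat_free = []      # unused one-to-one addresses from ranges
        self.pat_addrs = []     # PAT addresses, in the order entered
        self.pat_next = {}      # PAT address -> next unused source port
        self.xlate = {}         # local_ip -> global_ip for one-to-one NAT

    def add(self, entry):
        """entry is 'a.b.c.d' (a PAT address) or 'a.b.c.d-e.f.g.h' (a NAT range)."""
        if "-" in entry:
            lo, hi = (int(ipaddress.IPv4Address(a)) for a in entry.split("-"))
            self.nat_free += [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        else:
            self.pat_addrs.append(entry)
            self.pat_next[entry] = PAT_PORT_MIN

    def translate(self, local_ip, local_port):
        """Return (global_ip, global_port) for a new outbound flow, or None."""
        if local_ip in self.xlate:                 # host already holds a NAT xlate
            return self.xlate[local_ip], local_port
        if self.nat_free:                          # one-to-one NAT while addresses last
            gip = self.nat_free.pop(0)
            self.xlate[local_ip] = gip
            return gip, local_port
        for addr in self.pat_addrs:                # then PAT; the next address is used
            port = self.pat_next[addr]             # only when the previous one is full
            if port <= PAT_PORT_MAX:
                self.pat_next[addr] = port + 1
                return addr, port
        return None                                # every address and port in use


class NatTable:
    """nat (inside) rules matched in order; each points at its nat_id's pool."""

    def __init__(self):
        self.rules = []         # (IPv4Network, nat_id)
        self.pools = {}         # nat_id -> GlobalPool

    def nat(self, network, nat_id):
        self.rules.append((ipaddress.ip_network(network), nat_id))

    def global_(self, nat_id, entry):
        self.pools.setdefault(nat_id, GlobalPool()).add(entry)

    def translate(self, local_ip, local_port):
        for net, nat_id in self.rules:
            if ipaddress.ip_address(local_ip) in net:
                return self.pools[nat_id].translate(local_ip, local_port)
        return None                                # no nat rule: not translated


def augment_demo():
    """Augmenting a Global Pool with PAT: hosts 10.0.0.2-10.0.0.254 each start a
    flow; the first 235 get 192.168.0.20-254, the rest share 192.168.0.19."""
    t = NatTable()
    t.nat("10.0.0.0/24", 1)
    t.global_(1, "192.168.0.20-192.168.0.254")
    t.global_(1, "192.168.0.19")
    return [t.translate(f"10.0.0.{h}", 1026) for h in range(2, 255)]


def backup_pat_demo():
    """Backing up PAT Addresses: 192.168.0.9 is used only after 192.168.0.8
    has handed out all 64512 ports."""
    t = NatTable()
    t.nat("10.0.1.0/24", 1)
    t.global_(1, "192.168.0.8")
    t.global_(1, "192.168.0.9")
    first = t.translate("10.0.1.5", 1026)
    for _ in range(PAT_PORT_MAX - PAT_PORT_MIN):    # exhaust the rest of .8's ports
        t.translate("10.0.1.5", 1026)
    return first, t.translate("10.0.1.6", 1026)


def subnet_pat_demo():
    """Mapping Subnets to PAT Addresses: each nat_id has its own PAT address."""
    t = NatTable()
    t.nat("10.0.1.0/24", 1)
    t.nat("10.0.2.0/24", 2)
    t.global_(1, "192.168.0.8")
    t.global_(2, "192.168.0.9")
    return (t.translate("10.0.1.7", 1026), t.translate("10.0.2.7", 1026),
            t.translate("10.9.9.9", 1026))
```

augment_demo() hands 192.168.0.20 through 192.168.0.254 to the first 235 hosts with their source ports unchanged, then 192.168.0.19 with ports from 1024 upward; backup_pat_demo() returns 192.168.0.8 port 1024 for the first flow and 192.168.0.9 port 1024 once .8 is full; subnet_pat_demo() returns None for a host no nat rule matches.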
Port Redirection



Port Redirection

pixfirewall(config)#
static [(internal_if_name, external_if_name)] tcp|udp global_ip | interface global_port local_ip local_port [netmask mask] [max_conns [em_limit]]
• Allows outside users to connect to a particular IP address and port and have the PIX Firewall redirect the traffic to the appropriate inside server and port.

pixfirewall(config)# static (inside,outside) tcp 192.168.0.15 ftp 10.0.0.11 ftp netmask 255.255.255.255 0 0
• External users direct FTP requests to the unique IP address 192.168.0.15. The PIX Firewall redirects the request to 10.0.0.11.
• The trailing 0 0 set max_conns and em_limit (the embryonic connection limit) to unlimited.
• As with any static, a conduit or access-list entry permitting the global port is still required before inbound connections are allowed.


Port Redirection Example

pixfirewall(config)# static (inside,outside) tcp interface telnet 10.0.0.4 telnet netmask 255.255.255.255 0 0
pixfirewall(config)# static (inside,outside) tcp 192.168.0.9 8080 172.16.0.2 www netmask 255.255.255.255 0 0

• The external user directs a Telnet request to the PIX Firewall’s outside IP address, 192.168.0.2. The PIX Firewall redirects the request to host 10.0.0.4.
• The external user directs an HTTP port 8080 request to the PIX Firewall PAT address, 192.168.0.9. The PIX Firewall redirects this request to host 172.16.0.2 port 80.
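The inbound path described on the Statics and Conduits, conduit Command and Port Redirection slides, as one added worked example that is not part of the Cisco course material: a Python toy evaluator that takes static and conduit commands in the forms shown on those slides and decides, for an inbound packet, whether a translation slot exists and whether a conduit permits it. The parser handles only those command forms, first-match ordering of conduits is an assumption of the toy, and the probing source address 172.26.26.50 is made up.

```python
# Added example (not from the Cisco course): a toy evaluator for the inbound
# path. A packet gets through only if (1) a static, plain or port-redirecting,
# maps its global destination to an inside host and (2) a conduit permits that
# protocol and port from that foreign address. Only the command forms shown
# on the slides are parsed; first-match conduit ordering is an assumption.
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80, "http": 80, "domain": 53}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(toks):
    """Consume 'any' | 'host a.b.c.d' | 'a.b.c.d mask'; return (network, rest)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def _eq(toks):
    """Consume an optional 'eq port'; return (port or None, rest)."""
    if toks and toks[0] == "eq":
        return _port(toks[1]), toks[2:]
    return None, toks


class InboundPolicy:
    def __init__(self):
        self.statics = []    # (proto or None, global_ip, global_port, local_ip, local_port)
        self.conduits = []   # (action, proto, global_net, gport, foreign_net, fport)

    def static(self, cmd):
        """'static (in,out) [tcp|udp] global [gport] local [lport] [netmask ...]'."""
        t = cmd.split()[2:]                     # drop 'static' and the interface pair
        if t[0] in ("tcp", "udp"):              # port-redirection form
            self.statics.append((t[0], t[1], _port(t[2]), t[3], _port(t[4])))
        else:                                   # one-to-one form: every port
            self.statics.append((None, t[0], None, t[1], None))

    def conduit(self, cmd):
        """'conduit permit|deny proto global [eq p] foreign [eq p]'."""
        t = cmd.split()
        action, proto, t = t[1], t[2], t[3:]
        gnet, t = _addr(t)
        gport, t = _eq(t)
        fnet, t = _addr(t)
        fport, _ = _eq(t)
        self.conduits.append((action, proto, gnet, gport, fnet, fport))

    def inbound(self, proto, src, sport, dst, dport):
        """Return (local_ip, local_port) if the packet passes both checks, else None."""
        for sproto, gip, gport, lip, lport in self.statics:
            if gip != dst:
                continue
            if sproto is None:                  # plain static: all ports mapped
                target = (lip, dport)
                break
            if sproto == proto and gport == dport:   # port redirection
                target = (lip, lport)
                break
        else:
            return None                         # no translation slot: drop
        for action, cproto, gnet, cgport, fnet, cfport in self.conduits:
            if cproto not in (proto, "ip") or ipaddress.ip_address(dst) not in gnet:
                continue
            if cgport is not None and cgport != dport:
                continue
            if ipaddress.ip_address(src) not in fnet:
                continue
            if cfport is not None and cfport != sport:
                continue
            return target if action == "permit" else None
        return None                             # static without a conduit: drop


def demo():
    """The slide's FTP static + conduit and the 8080 port-redirecting static,
    probed with five inbound packets from a made-up outside host."""
    p = InboundPolicy()
    p.static("static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255")
    p.conduit("conduit permit tcp host 192.168.0.10 eq ftp any")
    p.static("static (inside,outside) tcp 192.168.0.9 8080 172.16.0.2 www netmask 255.255.255.255 0 0")
    p.conduit("conduit permit tcp host 192.168.0.9 eq 8080 any")
    src = "172.26.26.50"
    return (p.inbound("tcp", src, 40000, "192.168.0.10", 21),    # static + conduit: passes
            p.inbound("tcp", src, 40001, "192.168.0.10", 23),    # static, no conduit for 23
            p.inbound("tcp", src, 40002, "192.168.0.9", 8080),   # redirected to 172.16.0.2:80
            p.inbound("tcp", src, 40003, "192.168.0.9", 80),     # no static for port 80
            p.inbound("tcp", src, 40004, "192.168.0.33", 21))    # no static at all
```

demo() returns ("10.0.0.11", 21) for FTP, None for Telnet to the same global address (the static exists but no conduit permits port 23), ("172.16.0.2", 80) for the redirected 8080 request, and None for both the unmapped port and the unmapped address: the "only two ways through" rule, applied packet by packet.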


Configuring Multiple Interfaces



Additional Interface Support

• Supports up to eight additional physical interfaces, depending on licensing.
• Version 6.3 supports virtual (802.1Q VLAN) interfaces, which increases the number of supported interfaces.
• Increases the security of publicly available services.
• Easily interconnects multiple extranets or partner networks.
• Easily configured with standard PIX Firewall commands.

Model                           501            506E   515E   525    535
Max ports (physical/virtual)    1 + 1 (4 FE)   2      6/8    8/10   10/24


Access Through the PIX Firewall

[Figure only on the original slide.]
Configuring Three Interfaces

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50

pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0

pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any


Configuring Four Interfaces

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec40

pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# ip address partnernet 172.18.0.1 255.255.255.0

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0

pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 192.168.0.11 eq http any

pixfirewall(config)# static (dmz,partnernet) 172.18.0.11 172.16.0.2
pixfirewall(config)# conduit permit tcp host 172.18.0.11 eq http any


Summary



Summary

• The PIX Firewall manages TCP and UDP traffic through a translation table (xlates, for NAT) and a connection table (conns, for TCP and UDP sessions).
• Static translations assign a permanent global IP address to an inside host; dynamic mapping between local and global addresses is done with the nat and global commands.
• The nat and global commands work together to hide internal IP addresses.
• The static and conduit (or access-list) commands are used to allow inbound communication through the PIX Firewall.
• The PIX Firewall supports PAT, port redirection, and identity NAT.
• The dns keyword on the nat and static commands (and the older alias command) translates the address in DNS A-record replies so that clients see the address valid on their side of the firewall.
• The PIX Firewall can be configured with up to ten physical interfaces, depending on model and license, and with additional logical interfaces in version 6.3.
• Configuring multiple interfaces requires more attention to detail but can be done with standard PIX Firewall commands.

