© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—6-1 Lesson 6 Translations and Connections


Page 1: © 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—6-1 Lesson 6 Translations and Connections

© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—6-1

Lesson 6

Translations and Connections

Page 2:

Objectives

Page 3:

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:

• Describe how the TCP and UDP protocols function within the PIX Firewall.
• Describe how static and dynamic translations function.
• Configure the PIX Firewall to permit outbound connections.
• Explain the PIX Firewall PAT feature.

Page 4:

Transport Protocols

Page 5:

Sessions in an IP World

In an IP world, a network session is a transaction between two end systems. It is carried out primarily over two transport layer protocols:

• TCP
• UDP

Page 6:

TCP

• TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol.
• TCP features:
– Sequencing and acknowledgement of data.
– A defined state machine (open connection, data flow, retransmit, close connection).
– Congestion detection and avoidance mechanisms.

Page 7:

TCP Initialization—Inside to Outside

[Figure: TCP initialization, inside to outside. Host 10.0.0.11 on the private network opens a Telnet session (port 23) to 172.30.0.50 on the public network through the PIX Firewall; its source address is translated to 192.168.0.20. Packets #1 and #4 are on the private side, #2 and #3 on the public side.]

The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.

The PIX Firewall follows the Adaptive Security Algorithm:
• (source IP, source port, destination IP, destination port) check
• Sequence number check
• Translation check

Start the embryonic connection counter (no data yet).

Private network (IP header / TCP header fields):
# | Source address | Destination address | Source port | Destination port | Initial sequence # | Flag | Ack
1 | 10.0.0.11 | 172.30.0.50 | 1026 | 23 | 49091 | Syn | –
4 | 172.30.0.50 | 10.0.0.11 | 23 | 1026 | 92513 | Syn-Ack | 49092

Public network (IP header / TCP header fields):
# | Source address | Destination address | Source port | Destination port | Initial sequence # | Flag | Ack
2 | 192.168.0.20 | 172.30.0.50 | 1026 | 23 | 49769 | Syn | –
3 | 172.30.0.50 | 192.168.0.20 | 23 | 1026 | 92513 | Syn-Ack | 49770

Page 8:

TCP Initialization—Inside to Outside (Cont.)

[Figure: TCP initialization, inside to outside, continued. Packet #5 (private side) and packet #6 (public side) complete the three-way handshake through the PIX Firewall, which strictly follows the Adaptive Security Algorithm; data then flows.]

Reset the embryonic counter for this client. It then increases the connection counter for this host.

Private network (IP header / TCP header fields):
# | Source address | Destination address | Source port | Destination port | Initial sequence # | Flag | Ack
5 | 10.0.0.11 | 172.30.0.50 | 1026 | 23 | 49092 | Ack | 92514

Public network (IP header / TCP header fields):
# | Source address | Destination address | Source port | Destination port | Initial sequence # | Flag | Ack
6 | 192.168.0.20 | 172.30.0.50 | 1026 | 23 | 49770 | Ack | 92514
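The checks pictured on slides 7 and 8, replayed as an added Python model (not PIX Firewall code): a connection slot keyed on the translated 4-tuple, the sequence-number check on the returning SYN-ACK, and the embryonic and connection counters. The xlate table is passed in ready-made, and the addresses, ports and sequence numbers are the ones from the slide.

```python
from dataclasses import dataclass
from typing import Optional

# Added model of the Adaptive Security Algorithm checks on slides 7 and 8.
# Constructed for this page; it is not PIX Firewall code, and the PIX's own
# sequence-number randomisation is not modelled.

@dataclass
class Conn:
    local_src: str                  # inside address the slot was created for
    isn_in: int                     # inside host's initial sequence number
    isn_out: Optional[int] = None   # outside host's ISN, learned from its SYN-ACK
    established: bool = False


class AsaTcpTable:
    def __init__(self, xlate):
        self.xlate = dict(xlate)    # local IP -> global IP (assumed already built)
        self.conns = {}             # (global src, sport, dst, dport) -> Conn
        self.embryonic = {}         # inside host -> half-open connections
        self.conn_count = {}        # inside host -> completed connections

    def inside_packet(self, src, sport, dst, dport, flag, seq, ack):
        """Packet from the private network: returns the translated source
        address if permitted, or None if the packet is dropped."""
        gsrc = self.xlate.get(src)
        if gsrc is None:                   # translation check failed
            return None
        key = (gsrc, sport, dst, dport)
        if flag == "SYN":
            # new outbound session: remember the ISN, count it as embryonic
            self.conns[key] = Conn(src, seq)
            self.embryonic[src] = self.embryonic.get(src, 0) + 1
            return gsrc
        c = self.conns.get(key)
        if c is None:                      # no slot for this 4-tuple
            return None
        if not c.established:
            # third handshake packet must acknowledge the server's ISN + 1
            if flag != "ACK" or c.isn_out is None or ack != c.isn_out + 1:
                return None
            c.established = True
            # slide 8: embryonic counter goes back down, connection counter up
            self.embryonic[src] -= 1
            self.conn_count[src] = self.conn_count.get(src, 0) + 1
        return gsrc

    def outside_packet(self, src, sport, dst, dport, flag, seq, ack):
        """Packet from the public network: returns the inside address the
        destination is rewritten to, or None if the packet is dropped."""
        key = (dst, dport, src, sport)     # mirror of the outbound 4-tuple
        c = self.conns.get(key)
        if c is None:                      # unsolicited: no connection slot
            return None
        if flag == "SYN-ACK":
            # sequence number check: must acknowledge the inside ISN + 1
            if c.established or ack != c.isn_in + 1:
                return None
            c.isn_out = seq
        elif not c.established:            # data before the handshake completes
            return None
        return c.local_src


def demo():
    """Replays packets #1 to #5 from the slide, then an unsolicited inbound SYN."""
    t = AsaTcpTable({"10.0.0.11": "192.168.0.20"})
    steps = [
        t.inside_packet("10.0.0.11", 1026, "172.30.0.50", 23, "SYN", 49091, 0),
        t.outside_packet("172.30.0.50", 23, "192.168.0.20", 1026, "SYN-ACK", 92513, 49092),
        t.inside_packet("10.0.0.11", 1026, "172.30.0.50", 23, "ACK", 49092, 92514),
        # inbound SYN to a port with no slot: dropped by the 4-tuple check
        t.outside_packet("172.30.0.50", 23, "192.168.0.20", 1027, "SYN", 1, 0),
    ]
    return t, steps
```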

Page 9:

UDP

• Connectionless protocol.
• Efficient protocol for some services.
• Resourceful but difficult to secure.

Page 10:

UDP (Cont.)

[Figure: UDP exchange, inside to outside. Host 10.0.0.11 on the private network sends from port 1028 to port 45000 on 172.30.0.50 on the public network through the PIX Firewall; its source address is translated to 192.168.0.20. Packets #1 and #4 are on the private side, #2 and #3 on the public side.]

The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.

The PIX Firewall follows the Adaptive Security Algorithm:
• (source IP, source port, destination IP, destination port) check
• Translation check

Private network (IP header / UDP header fields):
# | Source address | Destination address | Source port | Destination port
1 | 10.0.0.11 | 172.30.0.50 | 1028 | 45000
4 | 172.30.0.50 | 10.0.0.11 | 45000 | 1028

Public network (IP header / UDP header fields):
# | Source address | Destination address | Source port | Destination port
2 | 192.168.0.20 | 172.30.0.50 | 1028 | 45000
3 | 172.30.0.50 | 192.168.0.20 | 45000 | 1028

All UDP responses must arrive from the outside within the user-configurable UDP timeout (default = 2 minutes).

Page 11:

Network Address Translations

Page 12:

Addressing Scenarios

• NAT was created to overcome several addressing problems that occurred with the expansion of the Internet:
– Mitigate global address depletion.
– Use RFC 1918 addresses internally.
– Conserve the internal address plan.
• Additionally, NAT increases security by hiding the internal topology.

[Figure: inside hosts 10.0.0.11 and 10.0.0.4 reach the Internet through NAT; 10.0.0.11 appears on the outside as 192.168.6.1.]

Page 13:

Access Through the PIX Firewall

[Figure: access through the PIX Firewall. Interface e1 inside has security level 100 (more secure); interface e0 outside has security level 0 (less secure) and faces the Internet. Access from the more secure to the less secure interface uses nat and global (or static). Access from the less secure to the more secure interface uses static and access list (or static and conduit).]

Page 14:

Inside Address Translations

Inside NAT—Translates addresses of hosts on a higher security level to a less secure interface:
• Dynamic translation
• Static translation

[Figure: inside hosts 10.0.0.4 and 10.0.0.11 behind NAT toward the Internet. Static translation: the WWW server's inside IP address 10.0.0.11 maps to outside global IP address 192.168.6.10. Dynamic translation: 10.0.0.4 is given an address from the outside global IP address pool 192.168.6.20-254 (the figure labels its outbound packet 10.0.0.4 → 192.168.6.1).]

Page 15:

Dynamic Inside NAT

• Dynamic translations

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

[Figure: inside hosts 10.0.0.11 and 10.0.0.4 reach the Internet through NAT; 10.0.0.11 is translated to 192.168.0.20.]

Page 16:

Two Interfaces with NAT

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.2.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.3-192.168.0.14 netmask 255.255.255.0
pixfirewall(config)# global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.0

• All hosts on the inside networks can start outbound connections.
• A separate global pool is used for each internal network.

[Figure: two inside networks, 10.0.0.0/24 and 10.2.0.0/24, translated toward the 192.168.0.0 outside network and the Internet: 10.0.0.0/24 uses global pool 192.168.0.3-14 and 10.2.0.0/24 uses global pool 192.168.0.17-30.]

Page 17:

Three Interfaces with NAT

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0

• Inside users can start outbound connections to both the DMZ and the Internet.
• The nat (dmz) command gives DMZ services access to the Internet.
• The global (dmz) command gives inside users access to the DMZ web server.

[Figure: three interfaces. Inside network 10.0.0.0, DMZ, and outside network 192.168.0.0 toward the Internet; global pool 192.168.0.20-254 on the outside interface and global pool 172.16.0.20-254 on the DMZ interface.]

Page 18:

Port Address Translation

Page 19:

Port Address Translation

• PAT is a combination of an IP address and a source port number.
• Many different sessions can be multiplexed over a single global IP address.
• Session distinction is made via different port numbers.

[Figure: hosts 10.0.0.11 and 10.0.0.4 share the single global address 192.168.0.20 toward the Internet through PAT: 10.0.0.11 → 192.168.0.20 port 2000, 10.0.0.4 → 192.168.0.20 port 2001.]

Page 20:

PAT Example

• Outside IP addresses are typically registered with InterNIC.
• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.9 for outgoing access.
• Assign a single IP address (192.168.0.9) to the global pool.
• The source port is changed to a unique number greater than 1023.

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0

pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0

pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.0.0

pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.255

[Figure: the Sales (10.0.1.0) and Engineering (10.0.2.0) subnets of network 10.0.0.0 sit behind the PIX Firewall, whose inside interface is .1; the outside interface is .2 on 192.168.0.0, with the router at .1; the global address is 192.168.0.9.]

Page 21:

PAT Using Outside Interface Address

• The interface option of the global command enables use of the outside interface as the PAT address.

• The source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.2 for outgoing access.

• The source port is changed to a unique number greater than 1024.

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside dhcp
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.0.0
pixfirewall(config)# global (outside) 1 interface

[Figure: the Sales (10.0.1.0) and Engineering (10.0.2.0) subnets of network 10.0.0.0 sit behind the PIX Firewall, whose inside interface is .1; the outside interface is .2 on 192.168.0.0, with the router at .1; the global address is the outside interface address 192.168.0.2.]

Page 22:

Mapping Subnets to PAT Addresses

• Each internal subnet is mapped to a different PAT address.

• Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.

• Source addresses of hosts in network 10.0.2.0 are translated to 192.168.0.9 for outgoing access.

• The source port is changed to a unique number greater than 1023.

pixfirewall(config)# nat (inside) 1 10.0.1.0 255.255.255.0

pixfirewall(config)# nat (inside) 2 10.0.2.0 255.255.255.0

pixfirewall(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.0

pixfirewall(config)# global (outside) 2 192.168.0.9 netmask 255.255.255.0

[Figure: the Sales (10.0.1.0) and Engineering (10.0.2.0) subnets of network 10.0.0.0 sit behind the PIX Firewall, whose inside interface is .1; the outside interface is .2 on 192.168.0.0, with the router at .1; PAT addresses 192.168.0.8 (Sales) and 192.168.0.9 (Engineering).]

Page 23:

Backing Up PAT Addresses by Using Multiple PATs

• Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.

• Address 192.168.0.9 will be used only when the port pool from 192.168.0.8 is at maximum capacity.

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.0.0

pixfirewall(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.0

pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0

[Figure: the Sales (10.0.1.0) and Engineering (10.0.2.0) subnets of network 10.0.0.0 sit behind the PIX Firewall, whose inside interface is .1; the outside interface is .2 on 192.168.0.0, with the router at .1; PAT addresses 192.168.0.8 and, as backup, 192.168.0.9.]

Page 24:

Augmenting a Global Pool with PAT

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.253 netmask 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.254 netmask 255.255.255.0

• When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20–192.168.0.253 range.
• When the addresses from the global pool are exhausted, PAT begins with IP address 192.168.0.254.

[Figure: the Sales (10.0.1.0) and Engineering (10.0.2.0) subnets of network 10.0.0.0 sit behind the PIX Firewall, whose inside interface is .1; the outside interface is .2 on 192.168.0.0, with the router at .1; NAT addresses start at 192.168.0.20 and PAT uses 192.168.0.254.]

Page 25:

Static NAT

Page 26:

static Command

• Used to create a permanent translation between an inside IP address and a specific global IP address

• Recommended for internal service hosts

[Figure: static translation. The inside DNS server 10.0.0.11 appears on the outside as 192.168.0.10 toward the Internet.]

Page 27:

static Command (Cont.)

pixfirewall(config)# static [(prenat_interface,postnat_interface)] {mapped_address | interface} real_address [netmask mask]

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255

• A packet sent from 10.0.0.11 is translated to 192.168.0.10.
• Permanently maps a single IP address.
• Recommended for internal service hosts.

[Figure: static mapping between 192.168.0.10 on the outside (toward the Internet) and the inside DNS server 10.0.0.11.]

Page 28:

Identity NAT (NAT 0)

Page 29:

Identity NAT—nat 0 Command

• Identity NAT is used to create a transparent mapping.

• IP addresses on the inside appear on the outside without translation.

[Figure: identity NAT. The Internet server www.cisco.com at 192.168.0.9 on the DMZ keeps the address 192.168.0.9 on the outside toward the Internet; the inside host is 10.0.0.15.]

Page 30:

Identity NAT—nat 0 Command (Cont.)

• NAT 0 ensures that the Internet server is not translated.
• ASA remains in effect with NAT 0.

pixfirewall(config)# nat (dmz) 0 192.168.0.9 255.255.255.255

[Figure: the Internet server www.cisco.com at 192.168.0.9 on the DMZ is seen from the outside as 192.168.0.9, unchanged.]

Page 31:

Policy NAT

Page 32:

Policy NAT

• Identify local traffic for address translation by specifying the source and destination addresses in an access list.
• Apply the access list to the nat or static command.

[Figure: policy NAT. Inside host 10.0.0.15 appears as 192.168.0.9 when reaching the Telnet server 192.168.10.11 and as 192.168.0.21 when reaching the web server 192.168.10.4 across the Internet.]

Page 33:

Policy NAT—nat plus acl command

pix1(config)# access-list NET1 permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.11 eq 23
pix1(config)# nat (inside) 10 access-list net1
pix1(config)# global (outside) 10 192.168.0.9 netmask 255.255.255.255
pix1(config)# access-list NET2 permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.4 eq 80
pix1(config)# nat (inside) 11 access-list net2
pix1(config)# global (outside) 11 192.168.0.21 netmask 255.255.255.255

[Figure: inside host 10.0.0.15 reaches the Telnet server 192.168.10.11 as 192.168.0.9 and the web server 192.168.10.4 as 192.168.0.21 across the Internet.]

Page 34:

Policy NAT—static plus acl command

pix1(config)# access-list NET1 permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.11 eq 23
pix1(config)# static (inside,outside) 192.168.0.9 access-list net1
pix1(config)# access-list NET2 permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.4 eq 80
pix1(config)# static (inside,outside) 192.168.0.21 access-list net2

[Figure: inside host 10.0.0.15 reaches the Telnet server 192.168.10.11 as 192.168.0.9 and the web server 192.168.10.4 as 192.168.0.21 across the Internet.]

Page 35:

Connections and Translations

Page 36:

Connections vs. Translations

• Translations (xlates)—IP address to IP address translation
• Connections (conns)—TCP or UDP sessions

[Figure: inside local hosts 10.0.0.11 and 10.0.0.4; one translation maps 10.0.0.11 to 192.168.0.20 from the outside global pool, and over that single translation two connections run to 192.168.10.11 across the Internet: Telnet (192.168.10.11:23 ↔ 10.0.0.11:1026) and HTTP (192.168.10.11:80 ↔ 10.0.0.11:1027).]

Page 37:

show conn Command

• Enables you to view all active connections.

pixfirewall#show conn
1 in use, 2 most used
TCP out 192.168.10.11:23 in 10.0.0.11:1026 idle 0:00:22 Bytes 1774 flags UIO
pixfirewall#

[Figure: the connection from inside host 10.0.0.11 (alongside 10.0.0.4) to 192.168.10.11 across the Internet.]

Page 38:

show xlate Command

• Enables you to view translation slot information.

pixfirewall#show xlate
1 in use, 2 most used
Global 192.168.0.20 Local 10.0.0.11
pixfirewall#

[Figure: the translation of inside host 10.0.0.11 (alongside 10.0.0.4) to 192.168.0.20 for its traffic to 192.168.10.11 across the Internet.]
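A parser for the show conn and show xlate output shown on slides 37 and 38, added here as an illustration (not PIX code), with two checks an operator would run over it: inside hosts holding a connection without a translation slot, and connections idle longer than a threshold. The sample output is constructed from the slide's lines plus one made-up UDP line.

```python
import re

# Added parser for the show conn / show xlate output on slides 37 and 38.
# Constructed for this page; not PIX code. Field layout follows the slide's
# single TCP line; the UDP sample line below is made up for the example.

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) "
    r"idle (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2})"
    r"(?: Bytes (?P<bytes>\d+))?(?: flags (?P<flags>\S+))?$")
XLATE_RE = re.compile(r"^Global (?P<global>[\d.]+) Local (?P<local>[\d.]+)$")

SAMPLE_CONN = """\
pixfirewall#show conn
2 in use, 2 most used
TCP out 192.168.10.11:23 in 10.0.0.11:1026 idle 0:00:22 Bytes 1774 flags UIO
UDP out 192.168.10.11:53 in 10.0.0.4:1029 idle 0:03:10 Bytes 120 flags -
"""
SAMPLE_XLATE = """\
pixfirewall#show xlate
1 in use, 2 most used
Global 192.168.0.20 Local 10.0.0.11
"""


def parse_show_conn(text):
    """One dict per connection line; prompt and counter lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        conns.append({
            "proto": d["proto"],
            "out_ip": d["out_ip"], "out_port": int(d["out_port"]),
            "in_ip": d["in_ip"], "in_port": int(d["in_port"]),
            "idle": int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]),
            "bytes": int(d["bytes"]) if d["bytes"] else 0,
            "flags": d["flags"] or "",
        })
    return conns


def parse_show_xlate(text):
    """Maps local (inside) address -> global address."""
    xlates = {}
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            xlates[m["local"]] = m["global"]
    return xlates


def conns_without_xlate(conns, xlates):
    """Connections whose inside host has no translation slot; slide 39 says a
    packet cannot cross the PIX without one, so this list should be empty."""
    return [c for c in conns if c["in_ip"] not in xlates]


def idle_over(conns, seconds):
    """Connections idle longer than the given number of seconds."""
    return [c for c in conns if c["idle"] > seconds]
```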

Page 39:

PIX Firewall NAT Philosophy

• With the PIX Firewall, translation rules are always configured between pairs of interfaces.

• A packet cannot be switched across the PIX Firewall if it does not match a translation slot in the xlate table.

• If there is no translation slot, the PIX Firewall will try to create a translation slot from its translation rules.

• Otherwise, the packet is dropped.

[Figure: inside hosts 10.0.0.11 and 10.0.0.4; NAT between the inside and outside interfaces maps 10.0.0.11 to 192.168.0.20 for its traffic to 192.168.10.11 across the Internet.]

Page 40:

PIX Firewall NAT Algorithm—Outbound Packet Flow

• A packet arrives at an inside interface:
– PIX Firewall consults the access rules first.
– PIX Firewall makes a routing decision to determine the outbound interface.
• Source address is checked against the local addresses in the xlate table:
– If found, SA is translated according to the xlate slot.
• Otherwise, PIX Firewall looks for a static translation rule from this interface:
– If found, an xlate slot is created, and SA is translated.
• Otherwise, PIX Firewall looks for a dynamic translation rule from this interface:
– If found, an xlate slot is created from the destination interface address pool, and the SA is translated.
• Otherwise the packet is dropped.
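The lookup order above, worked as an added Python model (not PIX Firewall code). It also folds in the nat 0 identity case from slide 30 and the "NAT pool first, then PAT" fallback from slides 23 and 24; it assumes interface-less rules (everything inside to outside) and a constructed, deliberately small global pool so the exhaustion path is reached.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
# Added model of this slide's outbound lookup order (xlate table, static rule,
# dynamic nat/global rule, else drop) plus nat 0 identity NAT and the NAT-pool-
# then-PAT fallback of slide 24. Constructed for this page, not PIX code;
# interfaces are omitted, every rule is taken to be inside -> outside.

@dataclass
class Static:            # static (inside,outside) <mapped> <real>
    mapped: IPv4Address
    real: IPv4Address

@dataclass
class Nat:               # nat (inside) <id> <net> <mask>; id 0 = identity NAT
    nat_id: int
    local_net: IPv4Network

@dataclass
class Global:            # global (outside) <id> <first>[-<last>]
    nat_id: int
    first: IPv4Address
    last: IPv4Address

    def is_pat(self):    # a single-address pool is used for PAT
        return self.first == self.last

class PixNat:
    def __init__(self, statics, nats, globals_):
        self.statics, self.nats, self.globals_ = statics, nats, globals_
        self.xlate = {}             # local IP -> (global IP, via_pat)
        self.pool_in_use = set()    # global IPs handed out from NAT ranges
        self.next_pat_port = 1024   # PAT picks a unique port above 1023

    def _alloc(self, nat_id):
        # pools sharing an id are tried in configuration order, so a NAT
        # range is used up before a trailing PAT address is touched
        for g in self.globals_:
            if g.nat_id != nat_id:
                continue
            if g.is_pat():
                return g.first, True
            addr = g.first
            while addr <= g.last:
                if addr not in self.pool_in_use:
                    self.pool_in_use.add(addr)
                    return addr, False
                addr += 1
        return None                 # every pool for this id is exhausted

    def translate(self, src, sport):
        """(global IP, global port) for an outbound packet, or None = dropped."""
        src = IPv4Address(src)
        if src not in self.xlate:                       # 1. no xlate slot yet
            for s in self.statics:                      # 2. static rule
                if s.real == src:
                    self.xlate[src] = (s.mapped, False)
                    break
            else:
                for n in self.nats:                     # 3. dynamic rule
                    if src in n.local_net:
                        slot = (src, False) if n.nat_id == 0 else self._alloc(n.nat_id)
                        if slot is None:
                            return None                 # pools exhausted
                        self.xlate[src] = slot
                        break
                else:
                    return None                         # 4. no rule: drop
        gip, via_pat = self.xlate[src]
        if via_pat:                                     # each session gets its own port
            port, self.next_pat_port = self.next_pat_port, self.next_pat_port + 1
            return str(gip), port
        return str(gip), sport

def build_demo():
    # constructed config: static for the DNS server (slide 27), nat 0 for
    # 192.168.0.9 (slide 30), a two-address NAT range backed by a PAT address
    ip = IPv4Address
    return PixNat(
        statics=[Static(ip("192.168.0.10"), ip("10.0.0.11"))],
        nats=[Nat(0, IPv4Network("192.168.0.9/32")), Nat(1, IPv4Network("10.0.0.0/16"))],
        globals_=[Global(1, ip("192.168.0.20"), ip("192.168.0.21")),
                  Global(1, ip("192.168.0.254"), ip("192.168.0.254"))])
```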

Page 41:

Configuring Multiple Interfaces

Page 42:

Additional Interface Support

• Supports up to eight additional interfaces.

• Increases the security of publicly available services.

• Easily interconnects multiple extranets or partner networks.

• Easily configured with standard PIX Firewall commands.

[Figure: PIX Firewall with e0 outside, e1 inside, and additional interfaces e2 through e9.]

Page 43:

Configuring Three Interfaces

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50

pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0

pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0

pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0

pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2

[Figure: three interfaces. Inside 10.0.0.0/24 (PIX interface .1); DMZ (PIX interface .1) with server 172.16.0.2 statically translated to 192.168.0.11 and a DMZ global pool starting at 172.16.0.20; outside (PIX interface .2) toward the Internet with a global pool starting at 192.168.0.20.]

Page 44:

Configuring Four Interfaces

pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec40

pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0

pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0

pixfirewall(config)# ip address partnernet 172.18.0.1 255.255.255.0

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0

pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0

pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2

pixfirewall(config)# static (dmz,partnernet) 172.18.0.11 172.16.0.2

[Figure: four interfaces. Inside 10.0.0.0/24 (PIX interface .1); DMZ (PIX interface .1) with server 172.16.0.2 statically translated to 192.168.0.11 toward the Internet and to 172.18.0.11 toward the partnernet, plus a DMZ global pool starting at 172.16.0.20; partnernet 172.18.0.0/24 (PIX interface .1); outside toward the Internet with a global pool starting at 192.168.0.20.]

Page 45:

Summary

Page 46:

Summary

• The PIX Firewall manages the TCP and UDP protocols through the use of a translation table (for NAT sessions) and a connection table (for TCP and UDP sessions).

• The static command creates a permanent translation.
• Mapping between local and global address pool is done dynamically with the nat command.
• The nat and global commands work together to hide internal IP addresses.
• The PIX Firewall supports PAT.
• Configuring multiple interfaces requires more attention to detail but can be done with standard PIX Firewall commands.

Page 47:

Lab Exercise

Page 48:

Lab Visual Objective

[Figure: lab topology for pods 1–5 (P) and 6–10 (Q). Each pod has a Student PC, a PIX Firewall, and a Web/FTP/CSACS server (local 10.0.P.11 on 10.0.P.0, or 10.0.Q.11 on 10.0.Q.0, with the PIX inside interface at .1); a "bastionhost" Web/FTP server at .2 on 172.16.P.0 or 172.16.Q.0 (PIX at .1); and an outside network 192.168.P.0 or 192.168.Q.0 with the PIX at .2 and the router at .1. The backbone 172.26.26.0 carries a Web/FTP server at .50, RTS at .100 and RBB at .150.]