© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Lesson 6 Translations and Connections
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Objectives
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Objectives Upon completion of this lesson, you will be able to perform the following tasks: Describe how the TCP and UDP protocols function within the PIX Firewall. Describe how static and dynamic translations function. Configure the PIX Firewall to permit outbound connections. Explain the PIX Firewall PAT feature.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Transport Protocols
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Sessions in an IP World In an IP world, a network session is a transaction between two end systems. It is carried out primarily over two transport layer protocols: TCP UDP
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA TCP TCP is a connection-oriented, reliable-delivery, robust, and high performance transport layer protocol. TCP features –Sequencing and acknowledgement of data. –A defined state machine (open connection, data flow, retransmit, close connection). –Congestion detection and avoidance mechanisms.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA TCP InitializationInside to Outside PIX Firewall TCP header IP header The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created The PIX Firewall follows the Adaptive Security Algorithm: (source IP, source port, destination IP, destination port) check Sequence number check Translation check # # 2 # 3 # 4 Start the embryonic connection counter No data Private network Source port Destination address Source address Initial sequence # Destination port Flag Ack Syn Syn-Ack Public network Syn Syn-Ack
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA TCP InitializationInside to Outside (Cont.) Private network Public network PIX Firewall Reset the embryonic counter for this client.. It then increases the connection counter for this host # # 6 Strictly follows the Adaptive Security Algorithm Data flows Ack Source port Destination address Source address Initial sequence # Destination port Flag Ack Ack TCP header IP header
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA UDP Connectionless protocol. Efficient protocol for some services. Resourceful but difficult to secure.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA UDP (Cont.) PIX Firewall UDP header IP header The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created The PIX Firewall follows the Adaptive Security Algorithm: (source IP, source port, destination IP, destination Port ) check Translation check # # 2 # 3 # 4 Private network Source port Destination address Source address Destination port Public network All UDP responses arrive from outside and within UDP user-configurable timeout (default=2 minutes).
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Network Address Translations
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Addressing Scenarios NAT was created to overcome several addressing problems that occurred with the expansion of the Internet: –Mitigate global address depletion –Use RFC 1918 addresses internally –Conserve internal address plan Additionally, NAT increases security by hiding the internal topology Internet NAT
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Access Through the PIX Firewall e0 outside security level 0 e1 inside security level 100 nat and global static and access list Internet More secure Less secure More secure Less secure (or static and conduit) (or static)
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Inside Address Translations NAT Outside global IP address Inside IP address Static translation Dynamic translation Outside global IP address pool Inside NATTranslates addresses of hosts on higher security level to a less secure interface: Dynamic translation Static translation Internet WWW Server
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Dynamic Inside NAT Dynamic translations pixfirewall(config)# nat(inside) pixfirewall(config)# global(outside) netmask NAT Internet
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Two Interfaces with NAT pixfirewall(config)# nat(inside) pixfirewall(config)# nat(inside) pixfirewall(config)# global(outside) netmask pixfirewall(config)# global(outside) netmask All hosts on the inside networks can start outbound connections. A separate global pool is used for each internal network / /24 Internet Global pool Global pool
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Three Interfaces with NAT Global pool pixfirewall(config)# nat(inside) pixfirewall(config)# nat (dmz) pixfirewall(config)# global (outside) netmask pixfirewall(config)# global(dmz) netmask Inside users can start outbound connections to both the DMZ and the Internet. The nat (dmz) command gives DMZ services access to the Internet. The global (dmz) command gives inside users access to the DMZ web server. Internet DMZ Inside Global pool Outside
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Port Address Translation
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Port Address Translation Port 2000 PAT Port 2001 PAT is a combination of a IP address and a source port number. Many different sessions can be multiplexed over a single global IP address. Session distinction is made via different port numbers. Internet
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA PAT Example Outside IP addresses are typically registered with InterNIC. Source addresses of hosts in network are translated to for outgoing access. Assign a single IP address ( ) to global pool. Source port changed to a unique number greater than pixfirewall(config)# ip address inside pixfirewall(config)# ip address outside pixfirewall(config)# route (outside) pixfirewall(config)# nat (inside) pixfirewall(config)# global (outside) netmask Sales Engineering Global address
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA PAT Using Outside Interface Address The interface option of the global command enables use of the outside interface as the PAT address. The source addresses of hosts in network are translated to for outgoing access. The source port is changed to a unique number greater than pixfirewall(config)# ip address inside pixfirewall(config)# ip address outside dhcp pixfirewall(config)# nat (inside) pixfirewall(config)# global (outside) 1 interface Sales Engineering Global address
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Mapping Subnets to PAT Addresses Each internal subnet is mapped to a different PAT address. Source addresses of hosts in network are translated to for outgoing access. Source addresses of hosts in network are translated to for outgoing access. The source port is changed to a unique number greater than pixfirewall(config)# nat (inside) pixfirewall(config)# nat (inside) pixfirewall(config)# global (outside) netmask pixfirewall(config)# global (outside) netmask Sales Engineering
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Backing Up PAT Addresses by Using Multiple PATs Source addresses of hosts in network are translated to for outgoing access. Address will be used only when the port pool from is at maximum capacity. pixfirewall(config)# nat (inside) pixfirewall(config)# global (outside) netmask pixfirewall(config)# global (outside) netmask Sales Engineering
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA pixfirewall(config)# nat (inside) pixfirewall(config)# global (outside) netmask pixfirewall(config)# global (outside) netmask Augmenting a Global Pool with PAT When hosts on the network access the outside network through the firewall, they are assigned public addresses from the – range. When the addresses from the global pool are exhausted, PAT begins with IP address Sales Engineering PAT NAT
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Static NAT
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA static Command Used to create a permanent translation between an inside IP address and a specific global IP address Recommended for internal service hosts Internet Inside Outside DNS server Static translation
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA static Command (Cont.) pixfirewall(config)# static [(prenat_interface, postnat_interface)] {mapped_address | interface} real_address [netmask mask] pixfirewall(config)# static (inside,outside) netmask Packet sent from translated to Permanently maps a single IP address Recommended for internal service hosts Internet InsideOutside DNS server Static mapping
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Identity NAT (NAT 0)
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Identity NATnat 0 Command Identity NAT is used to create a transparent mapping. IP addresses on the inside appear on the outside without translation. Internet Inside Outside DMZ Internet server
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Identity NATnat 0 Command (Cont.) NAT 0 ensures that Internet server is not translated. ASA remains in effect with NAT 0. pixfirewall(config)# nat (dmz) Internet Inside Outside DMZ Internet server
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Policy NAT
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Policy NAT Identify local traffic for address translation by specifying the source and destination addresses in an access list. Apply access-list to nat or static command Internet Telnet Server Web Server
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Policy NATnat plus acl command pix1(config)# access-list NET1 permit tcp host eq 23 pix1(config)# nat (inside) 10 access-list net1 pix1(config)# global (outside) pix1(config)# access-list NET2 permit tcp host eq 80 pix1(config)# nat (inside) 11 access-list net2 pix1(config)# global (outside) Internet Telnet Server Web Server
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Policy NATstatic plus acl command Internet Telnet Server Web Server pix1(config)# access-list NET1 permit tcp host eq 23 pix1(config)# static (inside,outside) access-list net1 pix1(config)# access-list NET2 permit tcp host eq 80 pix1(config)# static (inside,outside) access-list net
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Connections and Translations
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Connections vs. Translations Translations (xlates)IP address to IP address translation Connections (conns)TCP or UDP sessions Inside local Outside global pool Translation Translation Connections Connection : :1026 Connection : : Internet Telnet HTTP
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA show conn Command show conn pixfirewall#show conn 1 in use, 2 most used TCP out :23 in :1026 idle 0:00:22 Bytes 1774 flags UIO pixfirewall# Connection Internet Enables you to view all active connections
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA show xlate Command show xlate Enables you to view translation slot information pixfirewall#show xlate 1 in use, 2 most used Global Local pixfirewall# Translation Internet
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA PIX Firewall NAT Philosophy With the PIX Firewall, translation rules are always configured between pairs of interfaces. A packet cannot be switched across the PIX Firewall if it does not match a translation slot in the xlate table. If there is no translation slot, the PIX Firewall will try to create a translation slot from its translation rules. Otherwise, the packet is dropped OutsideInside NAT Internet
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA PIX Firewall NAT Algorithm Outbound Packet Flow A packet arrives at an inside interface: -PIX Firewall consults the access rules first. -PIX Firewall makes a routing decision to determine the outbound interface. Source address is checked against the local addresses in the xlate table: -If found, SA is translated according to the xlate slot. Otherwise, PIX Firewall looks for a static translation rule from this interface: -If found, an xlate slot is created, and SA is translated. Otherwise, PIX Firewall looks for a dynamic translation rule from this interface: -If found, an xlate slot is created from the destination interface address pool, and the SA is translated. Otherwise the packet is dropped.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Configuring Multiple Interfaces
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Additional Interface Support Supports up to eight additional interfaces. Increases the security of publicly available services. Easily interconnects multiple extranets or partner networks. Easily configured with standard PIX Firewall commands. e0 e1 e2 e4 e3 e6 e5 e9 e7 e8 Outside Inside
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Configuring Three Interfaces pixfirewall(config)# nameif ethernet0 outside sec0 pixfirewall(config)# nameif ethernet1 inside sec100 pixfirewall(config)# nameif ethernet2 dmz sec50 pixfirewall(config)# ip address outside pixfirewall(config)# ip address inside pixfirewall(config)# ip address dmz pixfirewall(config)# nat (inside) pixfirewall(config)# global (outside) netmask pixfirewall(config)# global (dmz) netmask pixfirewall(config)# static (dmz,outside) /24 Internet DMZ Inside
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Configuring Four Interfaces pixfirewall(config)# nameif ethernet0 outside sec0 pixfirewall(config)# nameif ethernet1 inside sec100 pixfirewall(config)# nameif ethernet2 dmz sec50 pixfirewall(config)# nameif ethernet3 partnernet sec40 pixfirewall(config)# ip address outside pixfirewall(config)# ip address inside pixfirewall(config)# ip address dmz pixfirewall(config)# ip address partnernet pixfirewall(config)# nat (inside) pixfirewall(config)# global (outside) netmask pixfirewall(config)# global (dmz) netmask pixfirewall(config)# static (dmz,outside) pixfirewall(config)# static (dmz,partnernet) Partnernet DMZ / /24.1 Internet Inside
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Summary
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Summary The PIX Firewall manages the TCP and UDP protocols through the use of a translation table (for NAT sessions) and a connection table (for TCP and UDP sessions). The static command creates a permanent translation. Mapping between local and global address pool is done dynamically with the nat command. The nat and global commands work together to hide internal IP addresses. The PIX Firewall supports PAT. Configuring multiple interfaces requires more attention to detail but can be done with standard PIX Firewall commands.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Lab Exercise
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA Lab Visual Objective Q P.0 Student PC.2.1 Student PC PIX Firewall Web/FTP CSACS PIX Firewall.1 Local: 10.0.P.11 Local: 10.0.Q P Q.0 RTS.100 RTS.100 Pods 1–5 Pods 6– Web FTP RBB.2 bastionhost: Web FTP P Q.0 bastionhost: Web FTP.1