© 1999, Cisco Systems, Inc. 6-1
Chapter 6: Configuring Access Through the PIX Firewall
© 1999, Cisco Systems, Inc. MCNS v

Objectives
Upon completion of this chapter, you will be able to complete the following tasks:
- Configure outbound and inbound access through the PIX Firewall based on a case-study network design
- Test and verify correct PIX operation
XYZ Company's Outbound & Inbound Access Plan
[Slide diagram: Internet behind the R1 Perimeter Router and the PIX Firewall; a Protected DMZ and a Dirty DMZ, each with a Bastion Host; Web Server, SMTP Server, DNS Server and CA Server; an NT Server running CiscoSecure, Web, FTP, TFTP and Syslog services; NetRanger Sensor, NetRanger Director and NetSonar; a Campus Router with Sales and IS client/server segments; a NAS with Dialup Clients; a Remote Branch reached through R2.]
Configuring Outbound Access Control
PIX NAT
- Enables an Internet-connected campus independent of Internet address limitations
- Allows Internet access from unregistered clients without expensive renumbering
[Slide diagram: a campus of unregistered clients with arbitrary addresses; the PIX translates their addresses toward the Internet. Commands shown: global (outside) and nat (inside); the addresses are not recoverable from the slide.]
NAT Configuration Example
Commands shown on the slide (addresses not recoverable): one global statement with four nat (inside) statements, or a single global statement with a single nat (inside) statement.
- Translates inside IP addresses to the addresses specified in the global command
- Still maintains firewall security for the connection
[Slide diagram: Sales, Engineering and Information Systems segments behind the PIX Firewall, with a Bastion Host and the Perimeter Router on the outside.]
NAT 0 Configuration Example
Commands shown on the slide (addresses not recoverable): nat (inside) 0 ..., with the note that the addresses given to nat 0 will be non-translated; an alternative nat (inside) form is also shown.
- Does not translate
- Still maintains firewall security for the connection
- Note that the Executive client is on a subnet (address not recoverable from the slide)
[Slide diagram: Executive Client behind the PIX Firewall, with a Bastion Host and the Perimeter Router on the outside.]
Port Address Translation
Commands shown on the slide (addresses not recoverable): ip address (inside), ip address (outside), route (outside), global (outside) ... netmask ..., nat (inside)
- PAT only
- Assign a single IP address to the global pool
- The IP address must be registered with InterNIC
- Source addresses of hosts in the inside network are translated to that single address for outgoing access
[Slide diagram: Sales, Engineering and Information Systems segments behind the PIX Firewall, with a Bastion Host and the Perimeter Router on the outside.]
NetBIOS Translation Support: Perfect for MS Networks
1. The source address (SA) of the inside host is in the IP header and in the data payload.
2. The PIX Firewall changes the SA in BOTH the IP header and the data payload to the translated address.
3. The NT server is able to complete the connection.
- Supports Windows NT domain name translation
- PIX provides built-in support for NetBIOS
- PIX translates IP addresses in both the IP header and the NetBIOS header
- Configure using the static and conduit commands
- No special configuration required
PIX Supported Multimedia Applications
- Progressive Networks' RealAudio
- Xing Technologies' StreamWorks
- White Pines' CuSeeMe
- VocalTec's Internet Phone
- VDOnet's VDOLive
- Microsoft's NetShow
- VXtreme Web Theatre 2
- Intel's Internet Video Phone and Microsoft's NetMeeting (based on H.323 standards)
- Oracle SQL*Net client and server communication
- And the list is growing...
Configuring Access to Inside Hosts
Configuring PIX: static Command
pixfirewall(config)# static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]
- Statically maps a local IP address to a global IP address
[Slide diagram: Local (inside) address, PIX Firewall, Global address and Global Pool (outside).]
Static Mapping Example
static (inside, outside) global_ip local_ip (addresses not recoverable from the slide)
- A packet from the local address leaves the PIX with the global address as its source address
- Permanently maps a single IP address
- Recommended for internal service hosts: DNS server, Syslog server
[Slide diagram: Internet, Perimeter Router, Bastion Host and PIX Firewall, with a DMZ holding the DNS Server, TACACS+ Server, SMTP Gateway and UNIX DB Gateway.]
Net Statics
static (inside,outside) global_net local_net netmask network_mask (addresses not recoverable from the slide)
- Net statics permanently map a range of IP addresses
- 256 addresses are mapped in this example
- PIX allows up to 16,384 net static statements
[Slide diagram: Internet, Perimeter Router, Bastion Host and PIX Firewall, with a DMZ holding the DNS Server, TACACS+ Server, SMTP Gateway, UNIX DB Gateway and Syslog Server.]
Configuring PIX: conduit Command
conduit permit|deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
- Permits protocol-specific connections from outside to inside
- Creates an exception to the adaptive security algorithm by permitting connections from one firewall network interface to access hosts on another
[Slide diagram: Local (inside) address, PIX Firewall, Global address and Global Pool (outside).]
Conduit: Outside to Inside Connections
Commands shown on the slide (addresses not recoverable): static ... and conduit permit tcp host global_ip eq 5190 host foreign_ip
Static:
- Creates a permanent translation connection through the PIX
- The static must be entered before the conduit
Conduit:
- Maps a specific IP address and UDP/TCP connection from an outside host to an inside host
[Slide diagram: an Internet host reaching, through the PIX Firewall, a Proxy Server and Application Server on the DMZ; the connection is marked Allowed.]
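A toy Python model of the translation and access rules described on the NAT, NAT 0, PAT, static and conduit slides above, added here as an example (it is not PIX code; the class and method names are hypothetical, and any addresses used with it are constructed RFC 5737 examples). It shows the precedence the chapter teaches: a static mapping wins over nat/global, nat 0 hosts pass untranslated, a dynamic global pool hands out one address per inside host, PAT falls back to a single address with a unique port per connection, and an inbound connection is admitted only by a static followed by a matching conduit.

```python
import ipaddress

class PixXlateModel:
    """Toy model (added example, not PIX code) of the chapter's translation and conduit rules."""
    def __init__(self, pat_ip=None):
        self.statics = {}        # local_ip -> global_ip, from 'static (inside,outside) global local'
        self.nat0_nets = []      # networks given to 'nat (inside) 0 ...': never translated
        self.pool = []           # free addresses from 'global (outside) 1 first-last'
        self.pat_ip = pat_ip     # single address from 'global (outside) 1 addr' (PAT)
        self.conduits = set()    # (proto, global_ip, port) from 'conduit permit ...'
        self.xlate = {}          # dynamic NAT translation slots: local_ip -> global_ip
        self.pat_slots = {}      # PAT slots: (local_ip, src_port) -> global port
        self.next_pat_port = 1024

    def static(self, global_ip, local_ip):
        self.statics[local_ip] = global_ip

    def nat0(self, network):
        self.nat0_nets.append(ipaddress.ip_network(network))

    def global_pool(self, first, last):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.pool.extend(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))

    def conduit(self, proto, global_ip, port):
        # The slide's rule: the static must exist before the conduit that opens it.
        if global_ip not in self.statics.values():
            raise ValueError(f"no static maps {global_ip}; enter static before conduit")
        self.conduits.add((proto, global_ip, port))

    def translate_outbound(self, local_ip, src_port):
        """Return the (global_ip, global_port) the outside sees for an inside connection."""
        if local_ip in self.statics:                     # static has precedence over nat/global
            return self.statics[local_ip], src_port
        if any(ipaddress.ip_address(local_ip) in n for n in self.nat0_nets):
            return local_ip, src_port                    # nat 0: passed through untranslated
        if local_ip not in self.xlate and self.pool:     # dynamic NAT: one pool address per host
            self.xlate[local_ip] = self.pool.pop(0)
        if local_ip in self.xlate:
            return self.xlate[local_ip], src_port
        if self.pat_ip:                                  # PAT: one address, a unique port per connection
            slot = self.pat_slots.setdefault((local_ip, src_port), self.next_pat_port)
            if slot == self.next_pat_port:
                self.next_pat_port += 1
            return self.pat_ip, slot
        raise LookupError("no translation available for " + local_ip)

    def inbound_allowed(self, proto, global_ip, dst_port):
        """Adaptive security denies outside->inside unless a static/conduit pair permits it."""
        return global_ip in self.statics.values() and (proto, global_ip, dst_port) in self.conduits
```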
Fixup Protocol
fixup protocol ftp [21]
fixup protocol http [port[-port]]
fixup protocol h323 [port[-port]]
fixup protocol rsh [514]
fixup protocol smtp [port[-port]]
fixup protocol sqlnet [port[-port]]
no fixup protocol protocol [port[-port]]
show fixup [protocol protocol]
Configuring PIX Mail Guard
Classic Mail Relay (DMZ) Design:
- The DMZ hosts the public/external mail relay/host
- The external mail relay securely transfers mail to the internal mail host
- Layered security approach
[Slide diagram: Public Internet, Perimeter router, First Tier (Cisco PIX Firewall with a Bastion host / Mail relay on the DMZ), Second Tier (Private servers: internal DNS, mail gateways, etc.; Private clients on the Private Networks).]
PIX Mail Guard Implementation:
- Removes the cost of the external mail relay host
- Allows connection to the internal mail host via TCP port 25 only
- Allows only the minimum SMTP server commands defined in RFC 821
[Slide diagram: the same two-tier layout without the DMZ mail relay; the Cisco PIX Firewall itself guards the internal mail host.]
Fixup Protocol: Controlled Support of SMTP Commands
SMTP commands supported by PIX: MAIL, HELO, RCPT, DATA, RSET, NOOP, QUIT
Examples of insecure SMTP commands not supported by PIX: SOML, SAML, VERIFY (the VRFY verb), EXPAND (the EXPN verb), TURN, SEND
- PIX treats an unsupported command as NOOP
- PIX returns OK to the sender
Configuration shown on the slide (addresses not recoverable):
fixup protocol smtp 25
static (inside,outside) global_ip local_ip netmask network_mask
conduit permit tcp host global_ip eq smtp host foreign_ip
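A toy Python model of the Mail Guard rules on the two slides above, added here as an example (it is not PIX code; the class name and the log format are hypothetical): the RFC 821 minimum commands are forwarded to the inside mail host, any other verb is rewritten to NOOP and answered OK by the firewall, and lines inside a DATA body are left alone so message text is never mistaken for a command. The sample session is constructed.

```python
class MailGuard:
    """Toy model (added example, not PIX code) of the Mail Guard behaviour that
    'fixup protocol smtp 25' applies to one client->server SMTP session."""

    ALLOWED = {"MAIL", "HELO", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # RFC 821 minimum set
    INSECURE = {"SOML", "SAML", "VRFY", "EXPN", "TURN", "SEND"}         # the slide's examples

    def __init__(self):
        self.in_data = False   # inside a DATA body, lines are message text, not commands
        self.log = []          # what a syslog server behind the PIX might record

    def filter(self, line):
        """Return (line forwarded to the inside mail host, reply the PIX sends the client or None)."""
        if self.in_data:                          # body text passes untouched up to the '.' terminator
            if line == ".":
                self.in_data = False
            return line, None
        verb = line.split(" ", 1)[0].upper()
        if verb in self.ALLOWED:
            self.in_data = verb == "DATA"         # simplification: assume the server accepts DATA
            return line, None
        kind = "insecure" if verb in self.INSECURE else "unknown"
        self.log.append(f"{kind} SMTP command {verb} rewritten to NOOP")
        return "NOOP", "250 OK"                   # PIX treats it as NOOP and answers OK itself

    def run_session(self, client_lines):
        """Filter a client transcript; return the command stream the inside server receives."""
        return [self.filter(line)[0] for line in client_lines]


if __name__ == "__main__":
    # Constructed sample session: an outside client probes with VRFY/EXPN before sending mail.
    session = ["HELO relay.example.net", "VRFY postmaster", "EXPN staff",
               "MAIL FROM:<sender@example.net>", "RCPT TO:<user@example.com>", "DATA",
               "Subject: hello", "", "VRFY inside the body is just text", ".", "TURN", "QUIT"]
    guard = MailGuard()
    for received in guard.run_session(session):
        print("inside host receives:", received)
    print("\n".join(guard.log))
```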
Xlate Command
clear xlate [global_ip [local_ip]]
show xlate [global_ip [local_ip]]
- xlate means translation slot
- The clear xlate command clears the contents of the translation slots
- The show xlate command displays the contents of the translation slots
PIX DNS Guard and Denial of Service Protection Features
- Prevents UDP session hijacking
- Does not wait for the default UDP timer to close the session; shuts it down at the end of the session transmission
- Protects against denial of service on servers and clients on the private network
[Slide diagram: a Requesting Client on the private network with a UDP session through the PIX to a DNS or Mail Server on the Internet.]
Lab Exercise: Configuring Access Through the PIX Firewall
Lab Objectives
Upon completion of this lab, you will be able to perform the following tasks:
- Configure outbound and inbound access through the PIX Firewall based on a case-study network design
- Test and verify correct PIX operation
MCNS Lab Environment (Generic; X = POD #)
[Slide diagram: PIX1 Firewall with Outside, DMZ and Inside interfaces; Protected DMZ and Dirty DMZ; Perimeter1 Router toward the Frame Relay (Internet) Telco Simulator; inside network 10.X.1.0/24 with the NT1 Windows NT PC and an NT Server running CiscoSecure NT, IIS FTP and Web Server, Cisco Security Manager, Syslog Server and TFTP Server; IS segment 10.X.2.1/24 behind NAS1 with a dialup pool of 10.X.2.2 to 10.X.2.10 for Sales Dialup; Bastion Host running a Web Server and FTP Server; Instructor NT Server providing FTP, HTTP and CA. Remaining interface addresses are not recoverable from the slide.]
Summary
- PIX provides strong, adaptive security
- Easy setup; no day-to-day management
- Scalable performance for hundreds of thousands of hosts
- Complete compatibility with all TCP/IP services: Web browsers, mail, FTP, Telnet, etc.
- Supports multimedia applications: RealAudio, VDOLive, StreamWorks, CuSeeMe, many others
- Upgrades accomplished entirely with software
- Secure, embedded real-time operating system
- High MTBF: solid state, runs from Flash (no disk)
- Direct Internet access from unregistered hosts
- No user impact; does not affect existing LANs
- Dynamic and static NAT
Review Questions
1. What function does the nat 0 command serve?
It disables address translation so that outside hosts can access inside hosts.
2. Two commands can be used to enable NAT. What are they?
A. global
B. static
3. PAT supports more than 64,000 hosts. What approximate percentage of that number can be connected at the same time?
25%
Review Questions (cont.)
4. When running multimedia applications through the PIX, does it matter if PAT is enabled?
Yes. Some multimedia applications need access to specific ports. This may cause a conflict with the port mappings that PAT provides.
5. Which command has precedence: static, or nat and global? Why is this important?
Static. It is important because a nat command only grants outbound access to hosts not specified in the static statement.
6. In version 4.4(1) of the PIX software, can the conduit command be used with either the global or static commands? Is either of them required with the conduit command?
Yes. No.