© 2000, Cisco Systems, Inc. CSPFF 1.116-1 Chapter 6 Cisco Secure PIX Firewall Translations.

Transcript:

© 2000, Cisco Systems, Inc. CSPFF Chapter 6 Cisco Secure PIX Firewall Translations

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
– Describe how the TCP and UDP protocols function within the PIX Firewall.
– Describe how static and dynamic translations function.

Transport Protocols

Sessions in an IP World
In an IP world, a network session is a transaction between two end systems. It is carried out over one of two transport-layer protocols:
– TCP (Transmission Control Protocol)
– UDP (User Datagram Protocol)

TCP
TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport-layer protocol. TCP features:
– Sequencing and acknowledgement of data
– A defined state machine (open connection, data flow, retransmit, close connection)
– Congestion management and avoidance mechanisms

TCP Initialization, Inside to Outside
(Figure: a host on the private network sends a Syn through the PIX Firewall to a host on the public network, and the Syn-Ack comes back the same way. The IP header carries the source and destination addresses; the TCP header carries the source port, destination port, initial sequence number and the flag bits Syn, Syn-Ack and Ack.)
Steps 1 to 4:
1. The inside host sends a Syn carrying no data. The PIX Firewall checks for a translation slot. If there is none, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
2. The PIX Firewall starts the embryonic connection counter and forwards the Syn to the public network.
3. The Syn-Ack returns from the outside host. The PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port) check, sequence number check, translation check. If the code bit is not Syn-Ack, the PIX Firewall drops the packet.
4. The Syn-Ack is forwarded to the inside host.

TCP Initialization, Inside to Outside (cont.)
(Figure: the inside host answers with an Ack; the IP and TCP headers carry the same fields as before: source and destination address, source and destination port, initial sequence number and flag.)
5. The inside host sends the Ack. The PIX Firewall resets the embryonic counter for this client, then increments the connection counter for this host.
6. Data flows. The PIX Firewall strictly follows the Adaptive Security Algorithm for every packet of the session.

UDP
– Connectionless protocol
– Efficient protocol for some services
– Resourceful but difficult to secure

UDP (cont.)
(Figure: a host on the private network sends a UDP datagram through the PIX Firewall to a host on the public network, and the response comes back the same way. The IP header carries the source and destination addresses; the UDP header carries the source and destination ports.)
Steps 1 to 4:
1. The PIX Firewall checks for a translation slot. If there is none, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
2. The datagram is forwarded to the public network.
3. The response arrives from the outside. The PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port) check, translation check.
4. The response is forwarded to the inside host.
All UDP responses must arrive from the outside within the user-configurable UDP timeout (default = 2 minutes).

PIX Firewall Translations

Static Translations
(Figure: an inside DNS server behind the PIX Firewall, with a perimeter router between the PIX Firewall and the Internet.)
pixfirewall(config)# static (inside, outside) global_ip local_ip
A packet from the local (inside) address leaves the PIX Firewall with the global address as its source address.
– Permanently maps a single IP address
– Recommended for internal service hosts like a DNS server

Dynamic Translations
(Figure: inside hosts are translated to addresses drawn from a global pool on the outside interface, facing the Internet.)
Configures dynamic translations:
– nat (inside) nat_id local_ip netmask: selects the inside hosts whose addresses are translated
– global (outside) nat_id global_ip-global_ip netmask global_mask: defines the global pool of outside addresses; the nat and global statements are tied together by the same nat_id

Connections vs. Translations
Translations (xlate):
– IP address to IP address translation
– 65,536 translations supported
Connections (conns):
– TCP or UDP sessions
– Restricted by memory
– Max connections ≈ 2,000 per MB of memory: PIX Firewall 515 (~64 MB) ≈ 128,000; PIX Firewall 520 (~128 MB) ≈ 256,000

xlate Command
pixfirewall(config)# clear xlate [global_ip [local_ip]]
pixfirewall(config)# show xlate [global_ip [local_ip]]
The clear xlate command clears the contents of the translation slots; connections that depend on a cleared slot are torn down with it, so run it after changing nat, global or static statements rather than on a production firewall at random. The show xlate command displays the contents of the translation slots.
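The behaviour described on the TCP initialization slides (steps 1 to 6), the UDP slide, the static and dynamic translation slides and the xlate command, as a small Python model of the translation (xlate) and connection (conn) tables. This is an added example, not code from Cisco or from the course: the class and method names (Pix, Conn, translation, outbound, inbound, show_xlate), the addresses, ports, sequence numbers, pool and timestamps are all constructed for illustration, and the model keeps only the checks the slides name.

```python
"""Toy model of the PIX Firewall xlate and conn tables (added example, not Cisco code).

It reproduces the checks on the slides: translation slot lookup and creation, the
(Src IP, Src Port, Dest IP, Dest Port) check, the sequence number check, the Syn-Ack
code-bit check, the embryonic counter, and the UDP idle timeout. All addresses,
ports, sequence numbers and timestamps are constructed.
"""
import ipaddress
from dataclasses import dataclass

UDP_TIMEOUT = 120.0  # seconds: the default UDP timeout of two minutes


@dataclass
class Conn:
    proto: str        # "tcp" or "udp"
    embryonic: bool   # TCP only: the client has not yet sent the final Ack
    isn: int          # TCP only: the client's initial sequence number
    last_seen: float  # time of the last packet, used for the UDP timeout


class Pix:
    def __init__(self, statics, nat_net, global_pool):
        self.nat_net = ipaddress.ip_network(nat_net)  # inside hosts eligible for nat
        self.pool = list(global_pool)                  # unused addresses of the global pool
        self.xlate = dict(statics)                     # local IP -> global IP; statics are permanent
        self.conns = {}                                # (proto, local, remote) -> Conn
        self.embryonic = 0                             # embryonic (half-open) TCP connections
        self.connections = 0                           # established TCP + active UDP sessions

    def translation(self, local_ip):
        """Return the xlate slot for an inside host, creating a dynamic one if needed."""
        if local_ip in self.xlate:
            return self.xlate[local_ip]
        if ipaddress.ip_address(local_ip) not in self.nat_net:
            raise PermissionError(f"no nat rule covers {local_ip}")
        if not self.pool:
            raise RuntimeError("global pool exhausted")
        self.xlate[local_ip] = self.pool.pop(0)
        return self.xlate[local_ip]

    def outbound(self, proto, src, dst, flags=frozenset(), seq=0, now=0.0):
        """Inside -> outside packet. Returns the translated (src, dst) or None if dropped."""
        key = (proto, src, dst)
        conn = self.conns.get(key)
        if conn is None:
            if proto == "tcp" and flags != {"SYN"}:
                return None  # only a Syn may open a new TCP session
            self.translation(src[0])  # step 1: find or create the translation slot
            conn = self.conns[key] = Conn(proto, proto == "tcp", seq, now)
            if proto == "tcp":
                self.embryonic += 1  # step 2: start the embryonic connection counter
            else:
                self.connections += 1
        elif proto == "tcp" and conn.embryonic and flags == {"ACK"}:
            conn.embryonic = False  # step 5: the client's Ack completes the handshake
            self.embryonic -= 1
            self.connections += 1
        conn.last_seen = now
        return ((self.xlate[src[0]], src[1]), dst)

    def inbound(self, proto, src, dst, flags=frozenset(), ack=0, now=0.0):
        """Outside -> inside packet. Returns the untranslated (src, dst) or None if dropped."""
        local_ip = next((l for l, g in self.xlate.items() if g == dst[0]), None)
        if local_ip is None:
            return None  # translation check: no xlate slot for this global address
        key = (proto, (local_ip, dst[1]), src)
        conn = self.conns.get(key)
        if conn is None:
            return None  # 4-tuple check: no session was opened from the inside
        if proto == "tcp" and conn.embryonic:
            if flags != {"SYN", "ACK"}:
                return None  # step 3: code bits must be Syn-Ack
            if ack != conn.isn + 1:
                return None  # sequence number check: Ack must acknowledge the client's ISN
        if proto == "udp" and now - conn.last_seen > UDP_TIMEOUT:
            del self.conns[key]  # reply arrived after the idle timeout: session is gone
            self.connections -= 1
            return None
        conn.last_seen = now
        return (src, (local_ip, dst[1]))

    def show_xlate(self):
        """Like `show xlate`: (global, local) pairs currently in the table."""
        return sorted((g, l) for l, g in self.xlate.items())


def tcp_demo():
    """Walk a client through the TCP handshake, plus three packets the PIX drops."""
    pix = Pix(statics={"10.1.1.10": "192.0.2.10"},       # static (inside,outside) for the DNS server
              nat_net="10.1.1.0/24",                     # nat (inside) for the whole inside subnet
              global_pool=["192.0.2.20", "192.0.2.21"])  # global (outside) pool of two addresses
    client, server = ("10.1.1.50", 1025), ("198.51.100.7", 80)
    syn = pix.outbound("tcp", client, server, {"SYN"}, seq=1000)
    spoof = pix.inbound("tcp", ("198.51.100.9", 80), syn[0], {"SYN", "ACK"}, ack=1001)  # wrong peer
    bare_ack = pix.inbound("tcp", server, syn[0], {"ACK"}, ack=1001)                   # not Syn-Ack
    bad_seq = pix.inbound("tcp", server, syn[0], {"SYN", "ACK"}, ack=5)                # wrong Ack
    syn_ack = pix.inbound("tcp", server, syn[0], {"SYN", "ACK"}, ack=1001)
    pix.outbound("tcp", client, server, {"ACK"})
    return pix, syn, spoof, bare_ack, bad_seq, syn_ack
```

The point the model makes explicit is that the outside can never open a session: an inbound packet is only accepted when an xlate slot exists for its destination, a conn for its exact 4-tuple was created from the inside, and (for an embryonic TCP conn) the code bits and acknowledgement number match the client's Syn. The static entry survives in the table without consuming the global pool, and a UDP reply after the two-minute idle timeout is dropped and its conn removed.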

Summary

Summary
– The PIX Firewall manages the TCP and UDP protocols through the use of a translation table.
– Static translations assign a permanent global IP address to an inside host.
– Mapping between local and global addresses is done dynamically with the nat command.
– The PIX Firewall understands the characteristics of the NetBIOS protocol and is able to translate the source address in the IP header as well as the source address in the payload.
– Dynamic translations use NAT for local clients and their outbound connections and hide the client address from others on the Internet.

Review Questions

Review Questions
Q1) Explain the six steps of how the TCP protocol travels through the PIX Firewall.
Q2) How does the PIX Firewall handle the UDP protocol?
Q3) Explain how the static command works.
Q4) Explain how the nat and global commands work together to make dynamic translations.
Q5) Explain how the PIX Firewall handles the NetBIOS protocol.