© 2000, Cisco Systems, Inc. CSPFF
Chapter 6: Cisco Secure PIX Firewall Translations
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
– Describe how the TCP and UDP protocols function within the PIX Firewall.
– Describe how the static and dynamic translations function.
Transport Protocols
Sessions in an IP World
In an IP world, a network session is a transaction between two end systems. It is carried out over one of two transport layer protocols:
– TCP (Transmission Control Protocol)
– UDP (User Datagram Protocol)
TCP
TCP is a connection-oriented, reliable-delivery, robust, high-performance transport layer protocol. TCP features:
– Sequencing and acknowledgement of data
– A defined state machine (open connection, data flow, retransmit, close connection)
– Congestion management and avoidance mechanisms
TCP Initialization, Inside to Outside
[Figure: a client on the private network sends a SYN through the PIX Firewall to a host on the public network, which answers with a SYN-ACK. The diagram labels the TCP header (source port, destination port, initial sequence number, flag) and the IP header (source address, destination address) of each packet.]
1. The PIX Firewall checks for a translation slot. If there is none, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created and the embryonic connection counter is started.
2. The SYN is forwarded to the public network; it carries no data.
3. On the returning packet the PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port) check, sequence number check, translation check.
4. If the code bit is not SYN-ACK, the PIX drops the packet.
TCP Initialization, Inside to Outside (cont.)
[Figure: the client on the private network answers with an ACK through the PIX Firewall, the handshake completes, and data flows between the private and public networks. The diagram again labels the TCP header (source port, destination port, initial sequence number, flag) and IP header (source address, destination address).]
5. The PIX Firewall resets the embryonic counter for this client, then increments the connection counter for this host.
6. Data flows; the PIX Firewall strictly follows the Adaptive Security Algorithm.
UDP
– Connectionless protocol
– Efficient protocol for some services
– Resourceful but difficult to secure
UDP (cont.)
[Figure: a UDP datagram from the private network passes through the PIX Firewall to the public network. The diagram labels the UDP header (source port, destination port) and the IP header (source address, destination address).]
– The PIX Firewall checks for a translation slot. If there is none, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
– The PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port) check, translation check.
– All UDP responses must arrive from the outside within the user-configurable UDP timeout (default = 2 minutes).
PIX Firewall Translations
Static Translations
[Figure: a DNS server on the inside network, the PIX Firewall, a perimeter router and the Internet; the callout reads "Packet from … has source address of …".]
pixfirewall(config)# static (inside, outside)
– Permanently maps a single IP address
– Recommended for internal service hosts like a DNS server
Dynamic Translations
[Figure: inside hosts, the PIX Firewall, the global pool on the outside interface and the Internet.]
Configures dynamic translations:
– nat (inside)
– global (outside) netmask
Connections vs. Translations
Translations (xlate)
– IP address to IP address translation
– 65,536 translations supported
Connections (conns)
– TCP or UDP sessions
– Restricted by memory
– Max connections ~ (memory x 2)
  PIX Firewall 515: ~64M x 2 = 128,000
  PIX Firewall 520: ~128M x 2 = 256,000
xlate Command
pixfirewall(config)# clear xlate [global_ip [local_ip]]
pixfirewall(config)# show xlate [global_ip [local_ip]]
The clear xlate command clears the contents of the translation slots. The show xlate command displays the contents of the translation slots.
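A toy model of the tables the TCP initialization, UDP, static/dynamic translation and xlate slides describe (an added example, not Cisco's code): it fills an xlate table from static mappings first and a global pool second, tracks a TCP session from SYN through SYN-ACK to the final ACK with the embryonic counter, and checks UDP replies against the 2-minute default timeout. The class, its method names, the flag/sequence representation and the addresses in the comments are my own assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class PixModel:
    """Toy model of PIX xlate and conn tables (added illustration, not Cisco code)."""
    statics: dict                       # local_ip -> global_ip, as with the static command
    pool: list                          # free addresses of the global pool (global command)
    udp_timeout: float = 120.0          # slide's default UDP timeout: 2 minutes
    xlate: dict = field(default_factory=dict)      # local_ip -> global_ip translation slots
    conns: dict = field(default_factory=dict)      # (proto, gip, gport, dip, dport) -> state
    embryonic: dict = field(default_factory=dict)  # local_ip -> half-open TCP count

    def translate(self, local_ip):
        """Translation check: reuse the slot, else create one (static first, then pool)."""
        if local_ip not in self.xlate:
            if local_ip in self.statics:
                self.xlate[local_ip] = self.statics[local_ip]
            elif self.pool:
                self.xlate[local_ip] = self.pool.pop(0)
            else:
                raise RuntimeError("global pool exhausted: no translation slot")
        return self.xlate[local_ip]

    def outbound(self, proto, src, sport, dst, dport, flags=(), seq=0, now=0.0):
        """Inside-to-outside packet: translate the source, then track the session."""
        key = (proto, self.translate(src), sport, dst, dport)
        conn = self.conns.get(key)
        if proto == "udp":
            self.conns[key] = {"state": "udp", "seen": now}
        elif conn is None and "syn" in flags:                  # SYN: start embryonic conn
            self.conns[key] = {"state": "embryonic", "isn": seq}
            self.embryonic[src] = self.embryonic.get(src, 0) + 1
        elif conn and conn["state"] == "synack" and "ack" in flags:  # final ACK: established
            conn["state"] = "established"
            self.embryonic[src] -= 1                           # reset embryonic count for client
        return key

    def inbound(self, proto, src, sport, dst, dport, flags=(), ack=0, now=0.0):
        """Outside-to-inside packet: True if the ASA permits it, False if dropped."""
        conn = self.conns.get((proto, dst, dport, src, sport))
        if conn is None:
            return False                                       # no matching 4-tuple: drop
        if proto == "udp":                                     # reply must fit the UDP timeout
            return now - conn["seen"] <= self.udp_timeout
        if conn["state"] == "embryonic":                       # only SYN-ACK acking our ISN+1
            if set(flags) != {"syn", "ack"} or ack != conn["isn"] + 1:
                return False
            conn["state"] = "synack"
            return True
        return conn["state"] == "established"
```

The 65,536-translation and memory-bound connection limits from the slides are not modelled; a real PIX would also refuse new slots when those are exhausted.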
Summary
– The PIX Firewall manages the TCP and UDP protocols through the use of a Translation Table.
– Static translations assign a permanent IP address to an inside host.
– Mapping between local and global addresses is done dynamically with the nat command.
– The PIX Firewall understands the performance characteristics of the NetBIOS protocol and is able to translate the source address in the IP header as well as the source address in the payload.
– Dynamic translations use NAT for local clients and their outbound connections, and hide the client address from others on the Internet.
Review Questions
Q1) Explain the six steps of how the TCP protocol travels through the PIX Firewall.
Q2) How does the PIX Firewall handle the UDP protocol?
Q3) Explain how the static command works.
Q4) Explain how the nat and global commands work to make dynamic translations.
Q5) Explain how the PIX Firewall handles the NetBIOS protocol.