© 2000, Cisco Systems, Inc. 7-1 Chapter 7 Access Configuration Through the Cisco Secure PIX Firewall.

Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Describe how to use statics and conduits.
- Configure inbound and outbound access through the PIX Firewall.
- Test and verify correct PIX Firewall operation.

Access Through the PIX Firewall

Only Two Ways Through the PIX Firewall

- Valid user request: inside-to-outside communications.
- Pre-defined static and conduit: outside-to-inside communications; defines addresses, ports, and applications.

Understand Statics and Conduits

Statics and Conduits (outside interface: security 0; inside interface: security 100)

The static and conduit commands allow connections from a lower security interface to a higher security interface. The static command creates a permanent mapping between an inside IP address and a global IP address. The conduit command is an exception to the inbound security policy of the Adaptive Security Algorithm (ASA) for a given host.

static Command

pixfirewall(config)# static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask]

Statically maps a local IP address to a global IP address.

Example (the addresses on the slide were not preserved; global_ip and local_ip stand for them):
pixfirewall(config)# static (inside,outside) global_ip local_ip

- A packet from local_ip leaves the PIX Firewall toward the perimeter router with a source address of global_ip.
- Permanently maps a single IP address.
- Recommended for internal service hosts.

conduit Command

pixfirewall(config)# conduit permit|deny protocol global_ip global_mask [operator port[port]] foreign_ip foreign_mask [operator port[port]]

A conduit maps a specific IP address and TCP/UDP connection from an outside host to an inside host.

Example (the host address on the slide was not preserved; global_ip stands for it):
pixfirewall(config)# conduit permit tcp host global_ip eq ftp any

Other Ways Through the PIX Firewall

PAT (Port Address Translation)

Diagram: packet headers (source address, source port, destination address, destination port) shown before and after translation through the global PAT address.

Configure PAT

pixfirewall(config)# ip address (inside) …
pixfirewall(config)# ip address (outside) …
pixfirewall(config)# route (outside) …
pixfirewall(config)# global (outside) … netmask …
pixfirewall(config)# nat (inside) …

(The addresses and masks on the slide were not preserved.)

- Assign a single IP address (…) to the global pool.
- The IP address must be registered with InterNIC.
- Source addresses of hosts in the inside network are translated to the global address for outgoing access.
- The source port is changed to a unique number greater than 1024.

Diagram: Sales, Engineering, and Information Systems networks and a bastion host behind the PIX Firewall, with the perimeter router on the outside.

nat 0 Configuration Example

pixfirewall(config)# nat (inside) 0 …
pixfirewall(config)# show nat
nat … will be non-translated

(The network address on the slide was not preserved.)

- The nat 0 command ensures that the listed network is not translated.
- nat 0 still maintains firewall security for all connections.

Diagram: PIX Firewall with the perimeter router on the outside.

fixup Command

pixfirewall(config)# fixup protocol ftp [port]
pixfirewall(config)# fixup protocol http [port[-port]]
pixfirewall(config)# fixup protocol h323 [port[-port]]
pixfirewall(config)# fixup protocol rsh [514]
pixfirewall(config)# fixup protocol smtp [port[-port]]
pixfirewall(config)# fixup protocol sqlnet [port[-port]]
pixfirewall(config)# no fixup protocol protocol [port[-port]]
pixfirewall(config)# show fixup [protocol protocol]
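The following is an added, constructed PIX configuration that ties the static, conduit, global/nat (PAT), nat 0, and fixup commands of this chapter together; it is not from the slides. All addresses are assumptions taken from the RFC 5737 documentation ranges, the internal service host is assumed to be 10.0.0.10, and the ip address and route lines use the form without parentheses around the interface name.

```cisco
! Added example, not from the course slides. Addresses are constructed.
! Interfaces: outside (security 0) and inside (security 100)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! PAT: every host in 10.0.0.0/24 leaves as the single global address
! 192.0.2.20 with a unique source port above 1024 (nat id 1 = global id 1)
global (outside) 1 192.0.2.20 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.255.255.0

! nat 0: this inside block is publicly routable and must not be translated;
! the ASA still tracks and protects its connections
nat (inside) 0 198.51.100.0 255.255.255.0

! static: permanent one-to-one mapping for the internal web/FTP host
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255

! conduit: the only inbound exceptions to the ASA policy, scoped to the
! mapped host and the two ports it serves (default inbound remains deny)
conduit permit tcp host 192.0.2.10 eq www any
conduit permit tcp host 192.0.2.10 eq ftp any
! A broad rule such as "conduit permit tcp any any" would turn the exception
! into an open door; keep conduits per host and per port.

! fixup: keep FTP inspection on so the data channel is opened per session
! instead of needing a wide conduit for high ports
fixup protocol ftp 21
```

Checking with show static, show conduit, show nat, and show global confirms that only the host 192.0.2.10 and its two ports are reachable from outside, while all other inside hosts appear only as 192.0.2.20 on outbound connections.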

Supported Multimedia Applications

- Intel Internet Phone
- Microsoft NetMeeting
- Microsoft NetShow
- CuSeeMe
- VDOLive
- Real Audio and Video
- VxStream
- StreamWorks 2.0
- VocalTech InternetPhone

Lab Exercise

Lab Visual Objective

Diagram: pod topology with the perimeter router between the Internet and the PIX Firewall (e0 outside, e1 inside, e2 dmz); an inside host running web and FTP servers; a bastion host running web and FTP servers on the dmz; and a backbone server running web, FTP, and TFTP servers on the Internet side. Pod subnet addresses (P.0/24 form) were not preserved.

Summary

- Understand how the static and conduit commands are used to allow inbound communication through the PIX Firewall.
- Understand how PAT, nat 0, fixup, and multimedia applications are supported through the PIX Firewall.

Review Questions

Q1) What are the two ways through the PIX Firewall?
Q2) What function does the nat 0 command serve?
Q3) What does the fixup command do?
Q4) What are the two commands used to enable NAT?
Q5) What command has precedence: static, nat, or global?