© 2001, Cisco Systems, Inc. CSPFA 2.0—5-1 Chapter 5 Cisco PIX Firewall Translations.


CSPFA 2.0—5-2 Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
–Describe how the TCP and UDP protocols function within the PIX Firewall.
–Describe how static and dynamic translations function.
–Configure inbound and outbound access through the PIX Firewall.
–Test and verify correct PIX Firewall operation.

CSPFA 2.0—5-3 Transport Protocols

CSPFA 2.0—5-4 Sessions in an IP World
In an IP world, a network session is a transaction between two end systems. It is carried out over two transport layer protocols:
–TCP (Transmission Control Protocol)
–UDP (User Datagram Protocol)

CSPFA 2.0—5-5 TCP
TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol.
TCP features:
–Sequencing and acknowledgement of data
–A defined state machine (open connection, data flow, retransmit, close connection)
–Congestion management and avoidance mechanisms

CSPFA 2.0—5-6 TCP Initialization—Inside to Outside
[Figure: a host on the private network sends a Syn through the PIX Firewall to the public network and a Syn-Ack returns. IP header fields shown: Source addr, Destination addr. TCP header fields shown: Source port, Destination port, Initial sequence #, Flag (Syn, Syn-Ack, Ack).]
–The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
–The PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port) check; sequence number check; translation check.
–If the code bit is not syn-ack, PIX drops the packet.
–Start the embryonic connection counter.
–No data.

CSPFA 2.0—5-7 TCP Initialization—Inside to Outside (cont.)
[Figure: the inside host's Ack passes from the private network through the PIX Firewall to the public network. IP header fields shown: Source addr, Destination addr. TCP header fields shown: Source port, Destination port, Initial sequence #, Flag (Ack).]
–Reset the embryonic counter for this client. It then increments the connection counter for this host.
–Strictly follows the Adaptive Security Algorithm.
–Data flows.

CSPFA 2.0—5-8 UDP
–Connectionless protocol
–Efficient protocol for some services
–Resourceful but difficult to secure

CSPFA 2.0—5-9 UDP (cont.)
[Figure: a datagram from the private network passes through the PIX Firewall to the public network. Header fields shown: Source addr, Destination addr, Source port, Destination port.]
–The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
–The PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port) check; translation check.
–All UDP responses arrive from outside and within the UDP user-configurable timeout (default = 2 minutes).
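The three slides above describe what the Adaptive Security Algorithm checks before a return packet is allowed back in: a matching 4-tuple slot, a syn-ack as the only acceptable first reply to an embryonic TCP connection, and a UDP reply that arrives inside the timeout. The following is an added example modelling those checks; it is not code from the Cisco course, and the class and method names are assumptions.

```python
# Added example (not from the Cisco course): a model of the Adaptive Security
# Algorithm checks described on the TCP and UDP slides. Names are assumptions.
# Connections are keyed by (proto, inside ip:port, outside ip:port).
from dataclasses import dataclass
UDP_TIMEOUT = 120.0  # seconds: the slides' default UDP timeout of 2 minutes

@dataclass
class Conn:
    state: str        # tcp: "syn" -> "syn-ack" -> "established"; udp: "open"
    last_seen: float

class PixAsa:
    def __init__(self):
        self.conns, self.embryonic, self.established = {}, 0, 0

    def outbound(self, proto, inside, outside, flags=frozenset(), now=0.0):
        """Inside -> outside packet. Returns True if it is forwarded."""
        conn = self.conns.get(key := (proto, inside, outside))
        if proto == "udp":
            self.conns[key] = Conn("open", now)   # slot created or refreshed
            return True
        if conn is None:
            if "SYN" not in flags:
                return False                      # no slot and no SYN: dropped
            self.conns[key] = Conn("syn", now)    # start the embryonic counter
            self.embryonic += 1
            return True
        if conn.state == "syn-ack" and "ACK" in flags:
            conn.state = "established"            # handshake done: reset embryonic,
            self.embryonic -= 1                   # increment the connection counter
            self.established += 1
        conn.last_seen = now
        return True

    def inbound(self, proto, inside, outside, flags=frozenset(), now=0.0):
        """Outside -> inside packet: forwarded only against an existing slot."""
        conn = self.conns.get(key := (proto, inside, outside))
        if conn is None:
            return False                          # unsolicited: no slot, dropped
        if proto == "udp":
            if now - conn.last_seen > UDP_TIMEOUT:
                del self.conns[key]               # reply arrived after the timeout
                return False
        elif conn.state == "syn":
            if flags != {"SYN", "ACK"}:
                return False                      # code bit is not syn-ack: dropped
            conn.state = "syn-ack"
        elif conn.state != "established":
            return False                          # data before the inside host's ACK
        conn.last_seen = now
        return True
```

Static and conduit exceptions for outside-to-inside traffic are not modelled here; an unsolicited inbound packet simply has no slot and is dropped.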

CSPFA 2.0—5-10 PIX Firewall Translations

CSPFA 2.0—5-11 Static Translations
[Figure: DNS Server on the inside, PIX Firewall, perimeter router, Internet.]
pixfirewall(config)# static (inside, outside)
–Packet from has source address of
–Permanently maps a single IP address
–Recommended for internal service hosts like a DNS server

CSPFA 2.0—5-12 Dynamic Translations
[Figure: inside hosts, PIX Firewall, Global Pool, Internet.]
Configures dynamic translations:
–nat (inside)
–global (outside) netmask

CSPFA 2.0—5-13 Connections vs. Translations
Translations—xlate
–IP address to IP address translation
–65,536 translations supported
Connections—conns
–TCP or UDP sessions

CSPFA 2.0—5-14 xlate Command
pixfirewall(config)# clear xlate [global_ip [local_ip]]
pixfirewall(config)# show xlate [global_ip [local_ip]]
The clear xlate command clears the contents of the translation slots. The show xlate command displays the contents of the translation slots.

CSPFA 2.0—5-15 Access Through the PIX Firewall

CSPFA 2.0—5-16 Only Two Ways Through the PIX Firewall
Valid user request
–Inside to outside communications
Pre-defined static and conduit
–Outside to inside communications
–Defines addresses, ports, and applications

CSPFA 2.0—5-17 Statics and Conduits
[Figure: Outside interface, Security 0; Inside interface, Security 100.]
The static and conduit commands allow connections from a lower security interface to a higher security interface. The static command is used to create a permanent mapping between an inside IP address and a global IP address. The conduit command is an exception in the ASA’s inbound security policy for a given host.

CSPFA 2.0—5-18 static Command
pixfirewall(config)# static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]
Maps a local IP address to a global IP address.
[Figure: PIX Firewall, perimeter router.]
pixfirewall(config)# static (inside,outside)
–Packet sent from has a source address of
–Permanently maps a single IP address
–Recommended for internal service hosts

CSPFA 2.0—5-19 conduit Command
pixfirewall(config)# conduit permit|deny protocol global_ip global_mask [operator port[port]] foreign_ip foreign_mask [operator port[port]]
A conduit maps a specific IP address and TCP/UDP connection from the outside host to the inside host.
[Figure: PIX Firewall, perimeter router.]
pixfirewall(config)# conduit permit tcp host eq ftp any

CSPFA 2.0—5-20 Other Ways Through the PIX Firewall

CSPFA 2.0—5-21 Port Address Translation
[Figure: PAT through a Global address to the Internet; four packets' header fields shown: Source addr, Destination addr, Source port, Destination port.]

CSPFA 2.0—5-22 PAT Example
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# nat (inside)
–Assign a single IP address ( ) to the global pool. IP addresses are typically registered with InterNIC.
–Source addresses of hosts in network are translated to for outgoing access.
–Source port changed to a unique number greater than 1024.
[Figure: Sales, Engineering, and Information systems subnets and a bastion host behind the PIX Firewall and perimeter router.]

CSPFA 2.0—5-23 PAT Using Outside Interface Address
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# global (outside) 1 interface
pixfirewall(config)# nat (inside)
–Use the interface option to enable use of the outside interface as the PAT address.
–Source addresses of hosts in network are translated to for outgoing access.
–The source port is changed to a unique number greater than 1024.
[Figure: Sales, Engineering, and Information systems subnets and a bastion host behind the PIX Firewall and perimeter router.]

CSPFA 2.0—5-24 Mapping Subnets to PAT Addresses
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# nat (inside)
pixfirewall(config)# nat (inside)
–Map different internal subnets to different PAT addresses.
–Source addresses of hosts in network are translated to for outgoing access.
–Source addresses of hosts in network are translated to for outgoing access.
–The source port is changed to a unique number greater than 1024.
[Figure: Sales, Engineering, and Information systems subnets and a bastion host behind the PIX Firewall and perimeter router.]

CSPFA 2.0—5-25 Backing up PAT Addresses by Using Multiple PATs
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# nat (inside)
–Back up your PAT addresses by configuring another global.
–Source addresses of hosts in network are translated to for outgoing access.
–Address will only be used when the port pool from is at maximum capacity.
[Figure: Sales, Engineering, and Information systems subnets and a bastion host behind the PIX Firewall and perimeter router.]

CSPFA 2.0—5-26 Augmenting a Global Pool with PAT
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# nat (inside)
–When hosts on the network access the outside network through the firewall, they are assigned public addresses from the range.
–When the addresses from the global pool are exhausted, PAT begins.
[Figure: Sales, Engineering, and Information systems subnets and a bastion host behind the PIX Firewall and perimeter router.]

CSPFA 2.0—5-27 No Network Address Translation (nat 0)
pixfirewall(config)# nat (inside)
pixfirewall(config)# show nat
pixfirewall(config)# nat will be non-translated
–nat 0 ensures that is not translated.
–ASA remains in effect with nat
[Figure: PIX Firewall, perimeter router.]
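The slides from 5-22 through 5-27 describe, in CLI terms, how an outbound flow is given its global address: from the global pool while addresses remain, then by PAT with a source port above 1024, then from a backup PAT address once the first one's port pool is at capacity, and not at all for a nat 0 network. The following is an added model of that allocation order; it is not code from the Cisco course, and the class name, the sample addresses, and the port range are assumptions.

```python
# Added example (not from the Cisco course): how outbound flows draw on a
# global pool, fall back to PAT when the pool is exhausted, move to a backup
# PAT address when the first one's ports run out, and bypass translation
# under nat 0. Names, addresses and the port range are this example's own.
import ipaddress

class XlateTable:
    def __init__(self, pool, pat_addresses, nat0=(), port_range=(1025, 65535)):
        self.pool = list(pool)               # free global addresses (one-to-one NAT)
        self.pat = list(pat_addresses)       # PAT addresses, in preference order
        self.nat0 = [ipaddress.ip_network(n) for n in nat0]
        self.port_min, self.port_max = port_range   # "unique number greater than 1024"
        self.next_port = {g: self.port_min for g in self.pat}
        self.nat_xlate = {}                  # local ip -> global ip
        self.pat_xlate = {}                  # (local ip, local port) -> (global ip, port)

    def translate(self, local_ip, local_port):
        """Return the (global ip, global port) an outbound packet leaves with, or None."""
        if any(ipaddress.ip_address(local_ip) in n for n in self.nat0):
            return (local_ip, local_port)    # nat 0: passes through untranslated
        if local_ip in self.nat_xlate:       # existing one-to-one slot
            return (self.nat_xlate[local_ip], local_port)
        if (local_ip, local_port) in self.pat_xlate:
            return self.pat_xlate[(local_ip, local_port)]
        if self.pool:                        # global pool still has addresses
            self.nat_xlate[local_ip] = g = self.pool.pop(0)
            return (g, local_port)
        for g in self.pat:                   # pool exhausted: PAT begins
            if self.next_port[g] <= self.port_max:
                slot = (g, self.next_port[g])
                self.next_port[g] += 1
                self.pat_xlate[(local_ip, local_port)] = slot
                return slot
        return None                          # every PAT port pool is at capacity

    def show_xlate(self):
        """Rough equivalent of the show xlate command: one line per slot."""
        lines = [f"Global {g} Local {l}" for l, g in self.nat_xlate.items()]
        lines += [f"PAT Global {g}({gp}) Local {l}({lp})"
                  for (l, lp), (g, gp) in self.pat_xlate.items()]
        return lines

    def clear_xlate(self):
        """Equivalent of clear xlate: drop every slot and return the pool addresses."""
        self.pool = sorted(set(self.pool) | set(self.nat_xlate.values()))
        self.nat_xlate.clear()
        self.pat_xlate.clear()
        self.next_port = {g: self.port_min for g in self.pat}
```

The port_range parameter exists only so a short run can exhaust the first PAT address and show the backup being used; on the appliance the port pool is the full range above 1024.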

CSPFA 2.0—5-28 Summary

CSPFA 2.0—5-29 Summary
–The PIX Firewall manages the TCP and UDP protocols through the use of a translation table.
–Static translations assign a permanent IP address to an inside host.
–Mapping between local and global addresses is done dynamically with the nat command.
–The PIX Firewall understands the performance characteristics of the NetBIOS protocol and is able to translate the source address in the IP header as well as the source address in the payload.

CSPFA 2.0—5-30 Summary (cont.)
–Dynamic translations use NAT for local clients and their outbound connections and hide the client address from others on the Internet.
–The static and conduit commands are used to allow inbound communication through the PIX Firewall.
–The PIX Firewall supports PAT and no network address translation (nat 0).

CSPFA 2.0—5-31 Lab Configuring Access Through the PIX Firewall

CSPFA 2.0—5-32 Lab Visual Objective
[Figure: lab topology. Inside host: web and FTP server. Backbone server: web, FTP, and TFTP server. Pod perimeter router. PIX Firewall interfaces: e1 inside (.1), e0 outside (.2), e2 dmz (.1). Bastion host: web and FTP server. Networks labelled P.0/24. Internet.]