Lesson 4 © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-1 Understanding Translations and Connections.

Slides:



Advertisements
Similar presentations
CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
Advertisements

Chapter 9: Access Control Lists
CCNA – Network Fundamentals
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
IST 201 Chapter 9. TCP/IP Model Application Transport Internet Network Access.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Lecture 7 Transport Layer
Ch. 1 – Scaling IP Addresses NAT/PAT and DHCP CCNA 4 version 3.0.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
CCNA Guide to Cisco Networking Fundamentals Fourth Edition Chapter 9 Network Services.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 4 v3.0 Module 1 Scaling IP Addresses.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.
Chapter 6: Packet Filtering
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
Cisco PIX firewall Set up 3 security zones ***CS580*** John Trafecanty Jules R. Nya Baweu August 23, 2005.
Introduction to Network Address Translation
Mr. Mark Welton.  Firewalls are devices that prevent traffic from entering or leaving a network  Firewalls are often used between networks, or when.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Access Control List (ACL)
1 © 2004, Cisco Systems, Inc. All rights reserved. Chapter 9 Intermediate TCP/IP/ Access Control Lists (ACLs)
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
PIX Firewall An example of a stateful packet filter. Can also work on higher layers of protocols (FTP, RealAudio, etc.) Runs on its own OS.
© 2002, Cisco Systems, Inc. CSPFA 2.1—3-1 PIX Firewall.
Configuring the PIX Firewall Presented by Drew Spesard.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 11: Network Address Translation for IPv4 Routing And Switching.
Security fundamentals Topic 10 Securing the network perimeter.
Firewall Matthew Prestifilippo, Bill Kazmierski, Pat Sparrow.
1 © 2004, Cisco Systems, Inc. All rights reserved. Scaling IP Addresses Network Address Translation(NAT)
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—10-1 Lesson 10 Attack Guards, Intrusion Detection, and Shunning.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—7-1 Lesson 7 Access Control Lists and Content Filtering.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—6-1 Lesson 6 Translations and Connections.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—3-1 Lesson 3 Cisco PIX Firewall Technology and Features.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—13-1 Lesson 13 Switching and Routing.
Lesson 2a © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—2-1 Firewall Technologies and the Cisco Security Appliance.
© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—6-1 Lesson 6 Object Grouping.
Access Control List (ACL) W.lilakiatsakun. Transport Layer Review (1) TCP (Transmission Control Protocol) – HTTP (Web) – SMTP (Mail) UDP (User Datagram.
© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—5-1 Lesson 5 Configuring Inbound Access Thru a Cisco Security Appliance.
© 2002, Cisco Systems, Inc. All rights reserved..
Cisco I Introduction to Networks Semester 1 Chapter 7 JEOPADY.
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-1 Chapter 5 Cisco PIX Firewall Translations.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 OSI transport layer CCNA Exploration Semester 1 – Chapter 4.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
© 2001, Cisco Systems, Inc. CSPFA 2.0—6-1 Chapter 6 Configuring Multiple Interfaces.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—9-1 Lesson 9 Advanced Protocol Handling.
PIX Firewall An example of a stateful packet filter.
Chapter 9: Transport Layer
Instructor Materials Chapter 9: Transport Layer
Only Two Ways through the PIX Firewall
Access Control Configuration and Content Filtering
Cisco IOS Firewall Context-Based Access Control Configuration
NET323 D: Network Protocols
* Essential Network Security Book Slides.
NET323 D: Network Protocols
POOJA Programmer, CSE Department
PIX Firewall An example of a stateful packet filter.
Firewalls.
Firewalls Chapter 8.
Chapter 11: Network Address Translation for IPv4
Presentation transcript:

Lesson 4 © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-1 Understanding Translations and Connections

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-2 Transport Protocols

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-3 Sessions in an IP World In an IP world, a network session is a transaction between two end systems. It is carried out primarily over two transport layer protocols: TCP UDP

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-4 TCP TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol. TCP features: –Sequencing and acknowledgment of data –A defined state machine (open connection, data flow, retransmit, close connection) –Congestion detection and avoidance mechanisms

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-5 TCP Initialization: Inside to Outside Security Appliance TCP Header IP Header The security appliance checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created The security appliance utilizes the stateful packet inspection algorithm: Source IP, source port, destination IP, destination port check Sequence number check Translation check # # 2 # 3 # 4 Start the embryonic connection counter. No Data Private Network Source Port Destination Address Source Address Initial Sequence # Destination Port Flag ACK Syn Syn-Ack Public Network Syn Syn-Ack

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-6 TCP Initialization: Inside to Outside (Cont.) Private Network Public Network Security Appliance The security appliance Reset the embryonic counter for this client.. It then increases the connection counter for this host. # 5 # 6 The security appliance Strictly enforces the stateful packet inspection algorithm. Data Flows Ack Source Port Destination Address Source Address Initial Sequence # Destination Port Flag ACK Ack TCP Header IP Header

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-7 UDP Connectionless protocol Efficient protocol for some services Resourceful, but difficult to secure

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-8 UDP (Cont.) Security Appliance UDP Header IP Header The security appliance checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created. The security appliance follows the stateful packet inspection algorithm: Source IP, source port, destination IP, destination Port check Translation check Private Network Source Port Destination Address Source Address Destination Port Public Network All UDP responses arrive from outside and within UDP user-configurable timeout (default is 2 minutes) # # 2 # 3 # 4

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-9 Network Address Translation

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-10 Addressing Scenarios NAT was created to overcome several addressing problems that occurred with the expansion of the Internet: –To mitigate global address depletion –To use RFC 1918 addresses internally –To conserve internal address plan NAT also increases security by hiding the internal topology Internet NAT

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-11 Access Through the Security Appliance e0 outside Security Level 0 e1 inside Security Level 100 Internet More Secure Less Secure e4 Intranet Security Level 70 e3 Partnernet Security Level 50 e2 DMZ Security Level 30 Allowed unless explicitly denied (NAT and global) More Secure Less Secure Denied unless explicitly allowed (static and access list)

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-12 Inside Address Translation NAT Outside Global IP Address Inside IP Address Static Translation Dynamic Translation Outside global IP address pool Inside NAT translates addresses of hosts on higher security level to a less secure interface: –Dynamic translation –Static translation Internet Web Server

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-13 Dynamic Inside NAT Dynamic translations fw1(config)# nat (inside) fw1(config)# global (outside) netmask NAT Internet

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-14 Two Interfaces with NAT fw1(config)# nat (inside) fw1(config)# nat (inside) fw1(config)# global (outside) netmask fw1(config)# global (outside) netmask All hosts on the inside networks can start outbound connections. A separate global pool is used for each internal network / /24 Internet Global Pool Global Pool

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-15 Three Interfaces with NAT Global Pool fw1(config)# nat (inside) fw1(config)# nat (dmz) fw1(config)# global (outside) netmask fw1(config)# global (dmz) netmask Inside users can start outbound connections to both the DMZ and the Internet. The nat (dmz) command enables DMZ services to access the Internet. The global (dmz) command enables inside users to access the DMZ web server. Internet DMZ Inside Global Pool Outside

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-16 Port Address Translation

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-17 Port Address Translation Port 1024 PAT Port 1025 PAT is a combination of an IP address and a source port number. Many different sessions can be multiplexed over a single global IP address. Sessions are kept distinct by the use of different port numbers. Internet

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-18 PAT Example Outside IP addresses are typically registered with InterNIC. Source addresses of hosts in network are translated to for outgoing access. A single IP address ( ) is assigned to the global pool. The source port is dynamically changed to a unique number that is greater than fw1(config)# route (outside) fw1(config)# nat (inside) fw1(config)# global (outside) netmask Sales Engineering Global Address

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-19 PAT Using Outside Interface Address The outside interface is configured as a DHCP client. The interface option of the global command enables use of a DHCP address as the PAT address. The source addresses of hosts in network are translated into a DHCP address for outgoing access, in this case, The source port is changed to a unique number greater than fw1(configs)# interface ethernet0 fw1(configs-if)# ip address inside fw1(configs-if)# ip address outside dhcp fw1(configs)# nat (inside) fw1(config)# global (outside) 1 interface Sales Engineering Global DHCP Address ( ).2.1

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-20 Mapping Subnets to PAT Addresses Each internal subnet is mapped to a different PAT address. Source addresses of hosts in network are translated to for outgoing access. Source addresses of hosts in network are translated to for outgoing access. The source port is changed to a unique number greater than fw1(config)# nat (inside) fw1(config)# nat (inside) fw1(config)# global (outside) netmask fw1(config)# global (outside) netmask Sales Engineering

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-21 Backing Up PAT Addresses by Using Multiple PATs Source addresses of hosts in network are translated to for outgoing access. Address will be used only when the port pool from is at maximum capacity. fw1(config)# nat (inside) fw1(config)# global (outside) netmask fw1(config)# global (outside) netmask Sales Engineering

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-22 fw1(config)# nat (inside) fw1(config)# global (outside) netmask fw1(config)# global (outside) netmask Augmenting a Global Pool with PAT When hosts on the network access the outside network through the security appliance, they are assigned public addresses from the – range. When the addresses from the global pool are exhausted, PAT begins with the next available IP address, in this case, Sales Engineering PAT NAT

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-23 Identity NAT With NAT control enabled: All packets traversing a security appliance require a translation rule. Identity NAT is used to create a transparent mapping. IP addresses on the high security interface translate to themselves on all lower security interfaces. Internet Inside Outside DMZ Internet Server

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-24 Identity NAT: nat 0 Command NAT 0 ensures that the Internet server is translated to its own address on the outside. Security levels remain in effect with NAT 0. fw1(config)# nat (dmz) Internet Inside Outside DMZ Internet Server

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-25 Static Command

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-26 Global NAT and Static NAT Global NAT For dynamic NAT and PAT address assignments Inside end user receives an address from a pool of available addresses Used mostly for outbound end-user connections Internet Inside Outside Bob Smith Static For NAT “permanent” address assignments Used mostly for server connections Internet Inside Outside Sam Jones FTP Server Web Server Global Pool Fixed Bob Smith Sam Jones

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-27 static Command: Parameters Interfaces Real interface – DMZ Mapped interface – Outside IP Addresses Real IP address – Mapped IP address – Internet Inside Outside FTP Server Web Server Bob Smith Sam Jones DMZ

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-28 static Command: Web Server pixfirewall(config)# static (real_interface,mapped_interface) {mapped_address | interface} real_address [netmask mask] fw1(config)# static (dmz,outside) netmask Packets sent to on the outside are translated to on the DMZ. Permanently maps the Web server IP address. Internet Inside Outside FTP Server Web Server Bob Smith Sam Jones DMZ

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-29 static Command: FTP Server Packets sent to on the outside are translated to on the DMZ. Permanently maps the FTP server IP address. pixfirewall(config)# static (real_interface,mapped_interface) {mapped_address | interface} real_address [netmask mask] fw1(config)# static (dmz,outside) netmask Internet Inside Outside FTP Server Web Server Bob Smith Sam Jones DMZ

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-30 Net Static pixfirewall(config)# fw1(config)# static (dmz,outside) netmask Recommended when you want to translate multiple addresses with a single command Host address on subnet is translated to host address on subnet static (real_interface,mapped_interface) {mapped_address | interface} real_address [netmask mask] Internet Inside Outside FTP Server Web Server Bob Smith Sam Jones DMZ

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-31 Static PAT: Port Redirection Used to create a permanent translation between a mapped IP address and port number to a specific real IP address and port number – /www redirected to /www – /ftp redirected to /ftp /www Internet Inside Outside FTP Server Web Server DMZ /ftp ftp pixfirewall(config)# static [(real_interface, mapped_interface)] {tcp | udp} {mapped_ip | interface} mapped_port {real_ip real_port [netmask mask]

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-32 static pat Command fw1(config)# static (dmz,outside) tcp ftp ftp netmask fw1(config)# static (dmz,outside) tcp ftp netmask Packet sent to /FTP translated by security appliance to (first FTP server) Packet sent to /2121 translated by security appliance to (second FTP server) /FTP Internet Inside Outside FTP2 Server FTP1 Server DMZ /2121 ftp

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-33 TCP Intercept and Connection Limits

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-34 Connection Limits Administrator can set connection limits: Emb_lin – Maximum number of embryonic connections per host. An embryonic connection is a connection request that has not completed a TCP three-way handshake between the source and the destination. TCP_max_conns – Maximum number of simultaneous TCP connections that each real IP host is allowed to use. Idle connections are closed after the time specified by the timeout conn command. udp_max_conns – Maximum number of simultaneous UDP connections that each real IP host is allowed to use.

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-35 TCP Three-Way Handshake Target Spoofed Host SYN, SRC: , DST: SYN-ACK ACK SYN, SRC: , DST: Target DoS Attack SYN, SRC: , DST: Normal Embryonic Connection ? Internet SYN-ACK ? ?

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-36 TCP Intercept Internet Embryonic Connection Count = 3 SYN SYN-ACK ACK SYN DoS Attack SYN Normal TCP Intercept SYN SYN-ACK ACK

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-37 SYN Cookies Internet SYN SYN-ACK (Cookie) ACK (Cookie) Normal TCP Intercept SYN SYN-ACK ACK The security appliance responds to the SYN itself, which includes a cookie in the TCP header of the SYN-ACK. The security appliance keeps no state information. The cookie is a hash of parts of the TCP header and a secret key. A legitimate client completes the handshake by sending the ACK back with the cookie. If the cookie is authentic, the security appliance proxies the TCP session.

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-38 Embryonic Connection Limit Setting the embryonic connections (emb_lim) enables TCP proxying using either TCP Intercept or SYN cookies. –A value of 0 disables protection (default). –When the embryonic connection limit is exceeded, all connections are proxied. fw1(config)# nat (inside) fw1(config)# static (inside,outside) static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask] | access-list access_list_name} [dns] [norandomseq] [[tcp] [max_conns [emb_lim]] [udp udp_max_conns] firewall (config)# nat (local_interface) nat_id local_ip [mask] [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns] firewall (config)#

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-39 UDP Maximum Connection Limit Maximum number of simultaneous UDP connections that the local IP hosts are allowed. –A value of 0 disables protection (default). –Idle connections are closed after the time specified in the udp timeout command. fw1(config)# nat (inside) fw1(config)# static (inside,outside) udp 100 firewall (config)# static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask]} | {access-list access_list_name} [dns] [[tcp] [max_conns [emb_lim]] [norandomseq] ]] [udp udp_max_conns] nat {local_interface} nat_id local_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns]

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-40 Connections and Translations

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-41 Connections Versus Translations Translations: NAT – Mapped address to real address PAT – Mapped address and port to real address and port Connections: Host address and port to host address and port Inside Local Outside Mapped Pool Translation Translation Connections Connection : :1026 Connection : : Internet Telnet HTTP

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-42 show conn Command show conn fw1#show conn 2 in use, 2 most used fw1# show conn 2 in use, 9 most used TCP out :80 in :2824 idle 0:00:03 bytes 2320 flags UIO TCP out :80 in :2823 idle 0:00:03 bytes 3236 flags UIO pixfirewall# Connection Internet Enables you to view all active connections

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-43 show conn detail Command fw1# show conn 2 in use, 9 most used TCP out :80 in :2824 idle 0:00:03 bytes 2320 flags UIO TCP out :80 in :2823 idle 0:00:03 bytes 3236 flags UIO fw1# show conn detail 2 in use, 9 most used Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN, B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN, G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data, i - incomplete, J - GTP, j - GTP data, k - Skinny media, M - SMTP data, m - SIP media, O - outbound data, P - inside back conn, q - SQL*Net data, R - outside acknowledged FIN, R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN, s - awaiting outside SYN, T - SIP, t - SIP transient, U - up TCP outside: /80 inside: /2824 flags UIO TCP outside: /80 inside: /2823 flags UIO Connection Internet

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-44 show local-host Command fw1# show local-host Interface dmz: 0 active, 0 maximum active, 0 denied Interface inside: 1 active, 5 maximum active, 0 denied local host:, TCP flow count/limit = 2/300 TCP embryonic count to host = 0 TCP intercept watermark = 25 UDP flow count/limit = 0/unlimited Conn: TCP out :80 in :2824 idle 0:00:05 bytes 466 flags UIO TCP out :80 in :2823 idle 0:00:05 bytes 1402 flags UIO Interface outside: 1 active, 1 maximum active, 0 denied local host:, TCP flow count/limit = 2/unlimited TCP embryonic count to host = 0 TCP intercept watermark = unlimited UDP flow count/limit = 0/unlimited Conn: TCP out :80 in insidehost:2824 idle 0:00:05 bytes 466 flags UIO TCP out :80 in insidehost:2823 idle 0:00:05 bytes 1402 flags UIO Connection Internet

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-45 show xlate Command show xlate Enables you to view translation slot information fw1#show xlate 1 in use, 2 most used Global Local pixfirewall# Translation Internet

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-46 show xlate detail Command fw1#show xlate 1 in use, 3 most used Global Local fw1# show xlate detail 1 in use, 3 most used Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static NAT from inside: to outside: flags i Translation Internet

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-47 Security Appliance NAT Philosophy Security appliance translation rules are configured between pairs of interfaces. With NAT control enabled, a packet cannot be switched across the security appliance if it does not match a translation slot in the translation table except for NAT 0, which doesn’t create a translation entry. If there is no translation slot, the security appliance will try to create a translation slot from its translation rules. If no translation slot match is found, the packet is dropped OutsideInside NAT Internet

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-48 Matching Outbound Packet Addresses A packet arrives at an inside interface: -The security appliance consults the access rules first. -The security appliance makes a routing decision to determine the outbound interface. The source address is checked against the local addresses in the translation table: -If found, the source address is translated according to the translation slot. Otherwise the security appliance looks for a match to the local address in the following order: -nat0 access-list (NAT exemption) – In order, until first match -static (static NAT) – In order, until first match -static {tcp | udp} (static PAT) – In order, until first match -nat nat_id access-list (policy NAT) – In order, until first match -nat (regular NAT): Best match If no match is found, the packet is dropped.

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-49 Configuring Multiple Interfaces

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-50 Additional Interface Support Supports additional interfaces Increases the security of publicly available services Easily interconnects multiple extranets and partner networks Easily configured with standard security appliance commands e0 Outside Security Level 0 e1 Inside Security Level 100 Internet e4 Intranet Security Level 70 e3 Partner Network Security Level 50 e2 DMZ Security Level 30

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-51 Configuring Three Interfaces fw1(config)# interface ethernet0 fw1(config-if)# nameif outside fw1(config-if)# ip address fw1(config)# interface ethernet1 fw1(config-if)# nameif inside fw1(config-if)# ip address fw1(config)# interface ethernet2 fw1(config-if)# nameif dmz fw1(config-if)# sec 50 fw1(config-if)# ip address fw1(config)# nat (inside) fw1(config)# global (outside) netmask fw1(config)# static (dmz,outside) netmask fw1(config)# static (inside,dmz) netmask /24 Internet Net Static DMZ Inside

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-52 Configuring Four Interfaces fw1(config)# interface ethernet0 fw1(config-if)# nameif outside fw1(config-if)# ip address fw1(config)# interface ethernet1 fw1(config-if)# nameif inside fw1(config-if)# ip address fw1(config)# interface ethernet2 fw1(config-if)# nameif dmz fw1(config-if)# sec 50 fw1(config-if)# ip address fw1(config)# interface ethernet3 fw1(config-if)# nameif partnernet fw1(config-if)# sec 40 fw1(config-if)# ip address fw1(config)# nat (inside) fw1(config)# global (outside) netmask fw1(config)# static (inside,dmz) netmask fw1(config)# static (dmz,outside) fw1(config)# static (dmz,partnernet) Partner Network DMZ.1 Net Static / /24.1 Internet Inside

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-53 Summary The security appliance manages the TCP and UDP protocols through the use of a translation table (for NAT sessions) and a connection table (for TCP and UDP sessions). The static command creates a permanent translation. Mapping between local and global address pools is done dynamically with the nat command. The nat and global commands work together to hide internal IP addresses. The security appliance supports PAT. Configuring multiple interfaces requires a greater attention to detail, but can be done with standard security appliance commands.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.