Download presentation
Presentation is loading. Please wait.
Published byRolf Barton Modified over 8 years ago
1
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-1 Chapter 5 Cisco PIX Firewall Translations
2
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-2 Objectives Upon completion of this chapter, you will be able to perform the following tasks: Describe how the TCP and UDP protocols function within the PIX Firewall. Describe how static and dynamic translations function. Configure inbound and outbound access through the PIX Firewall. Test and verify correct PIX Firewall operation.
3
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-3 Transport Protocols
4
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-4 Sessions in an IP World In an IP world, a network session is a transaction between two end systems. It is carried out over two transport layer protocols: TCP (Transmission Control Protocol) UDP (User Datagram Protocol)
5
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-5 TCP TCP is a connection-oriented, reliable-delivery, robust, and high performance transport layer protocol. TCP features –Sequencing and acknowledgement of data –A defined state machine (open connection, data flow, retransmit, close connection) –Congestion management and avoidance mechanisms
6
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-6 PIX Firewall TCP header IP header The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created. 10.0.0.3 The PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port ) check Sequence number check Translation check If the code bit is not syn-ack, PIX drops the packet. # 1 172.30.0.50 # 2 # 3 # 4 Start the embryonic connection counter No data TCP Initialization—Inside to Outside Private network Source port Destination addr Source addr Initial sequence # Destination port Flag Ack 172.30.0.50 10.0.0.3 1026 23 49091 Syn 10.0.0.3 172.30.0.50 23 1026 92513 Syn-Ack 49092 Public network 172.30.0.50 192.168.0.10 49769 Syn 192.168.0.10 172.30.0.50 23 1026 92513 Syn-Ack 49770 1026 23
7
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-7 Private network Public network PIX Firewall Reset the embryonic counter for this client. It then increments the connection counter for this host. 10.0.0.3 # 5 172.30.0.50 # 6 Strictly follows the Adaptive Security Algorithm Data flows TCP Initialization—Inside to Outside (cont.) 172.30.0.50 192.168.0.10 1026 23 49770 Ack 92514 Source port Destination addr Source addr Initial sequence # Destination port Flag Ack 172.30.0.50 10.0.0.3 1026 23 49092 Ack 92514 TCP header IP header
8
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-8 UDP Connectionless protocol Efficient protocol for some services Resourceful but difficult to secure
9
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-9 PIX Firewall TCP header IP header The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created. 10.0.0.3 The PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port ) check Translation check # 1 172.30.0.50 # 2 # 3 # 4 UDP (cont.) Private network Source port Destination addr Source addr Destination port 172.30.0.50 10.0.0.3 1028 45000 10.0.0.3 172.30.0.50 45000 1028 Public network 172.30.0.50 192.168.0.10 172.30.0.50 45000 1028 45000 All UDP responses arrive from outside and within UDP user-configurable timeout. (default=2 minutes)
10
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-10 PIX Firewall Translations
11
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-11 Internet Static Translations 10.0.0.10 DNS Server 192.168.0.1 192.168.0.2 10.0.0.1 PIX Firewall Perimeter router pixfirewall(config)# static (inside, outside) 192.168.0.18 10.0.0.10 Packet from 10.0.0.10 has source address of 192.168.0.18 Permanently maps a single IP address Recommended for internal service hosts like a DNS server
12
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-12 Internet Dynamic Translations Configures dynamic translations –nat (inside) 1 0.0.0.0 0.0.0.0 –global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0 192.168.0.20-192.168.0.254 Global Pool 10.0.0.3 192.168.0.1 192.168.0.2 10.0.0.1
13
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-13 Connections vs. Translations Translations—xlate –IP address to IP address translation –65,536 translations supported Connections—conns –TCP or UDP sessions
14
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-14 xlate Command pixfirewall(config)# clear xlate [global_ip [local_ip]] pixfirewall(config)# show xlate [global_ip [local_ip]] pixfirewall(config)# clear xlate [global_ip [local_ip]] pixfirewall(config)# show xlate [global_ip [local_ip]] The clear xlate command clears the contents of the translation slots. The show xlate command displays the contents of the translation slots.
15
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-15 Access Through the PIX Firewall
16
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-16 Only Two Ways Through the PIX Firewall Valid user request –Inside to outside communications Pre-defined static and conduit –Outside to inside communications –Defines addresses, ports, and applications
17
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-17 Outside Security 0 Inside Security 100 Statics and Conduits The static and conduit commands allow connections from a lower security interface to a higher security interface. The static command is used to create a permanent mapping between an inside IP address and a global IP address. The conduit command is an exception in the ASA’s inbound security policy for a given host.
18
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-18 static Command pixfirewall(config)# static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask][max_conns[em_limit]][norandomseq] Maps a local IP address to a global IP address 10.0.0.3 192.168.0.1 192.168.0.2 10.0.0.1 PIX Firewall Perimeter router pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.3 Packet sent from 10.0.0.3 has a source address of 192.168.0.10 Permanently maps a single IP address Recommended for internal service hosts
19
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-19 pixfirewall(config)# conduit permit tcp host 192.168.0.10 eq ftp any conduit permit|deny protocol global_ip global_mask [operator port[port]] foreign_ip foreign_mask[operator port[port]] conduit Command A conduit maps specific IP address and TCP/UDP connection from the outside host to the inside host pixfirewall(config) # 10.0.0.3 192.168.0.1 192.168.0.2 10.0.0.1 PIX Firewall Perimeter router
20
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-20 Other Ways Through the PIX Firewalls
21
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-21 172.30.0.50 192.168.0.15 PAT Global Port Address Translation 172.30.0.50 10.0.0.2 49090 23 10.0.0.3 172.30.0.50 2000 23 192.168.0.15 172.30.0.50 2001 23 192.168.0.15 Source port Destination addr Source addr Destination port Source port Destination addr Source addr Destination port 10.0.0.3 49090 Source port Destination addr Source addr Destination port 23 10.0.0.2 Source port Destination addr Source addr Destination port Internet
22
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-22 PAT Example pixfirewall(config)# ip address (inside) 10.0.0.1 255.255.255.0 pixfirewall(config)# ip address (outside) 192.168.0.2 255.255.255.0 pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1 pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0 pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0 Assign a single IP address (192.168.0.9) to global pool IP addresses are typically registered with InterNIC Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.9 for outgoing access Source port changed to a unique number greater than 1024 Sales Engineering 10.0.1.0 10.0.2.0 Information systems 192.168.0.1 192.168.0.2 172.16.0.2 Bastion host PIX Firewall Perimeter router 10.0.0.1
23
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-23 PAT Using Outside Interface Address pixfirewall(config)# ip address (inside) 10.0.0.1 255.255.255.0 pixfirewall(config)# ip address (outside) 192.168.0.2 255.255.255.0 pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1 pixfirewall(config)# global (outside) 1 interface pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0 Sales Engineering 10.0.1.0 10.0.2.0 Information systems 192.168.0.1 192.168.0.2 172.16.0.2 Bastion host PIX Firewall Perimeter router 10.0.0.1 Use the interface option to enable use of the outside interface as the PAT address. Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.2 for outgoing access. The source port is changed to a unique number greater than 1024.
24
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-24 Mapping Subnets to PAT Addresses pixfirewall(config)# ip address (inside) 10.0.0.1 255.255.255.0 pixfirewall(config)# ip address (outside) 192.168.0.2 255.255.255.0 pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1 pixfirewall(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.0 pixfirewall(config)# global (outside) 2 192.168.0.9 netmask 255.255.255.0 pixfirewall(config)# nat (inside) 1 10.0.1.0 255.255.255.0 pixfirewall(config)# nat (inside) 2 10.0.2.0 255.255.255.0 Sales Engineering 10.0.1.0 10.0.2.0 Information systems 192.168.0.1 192.168.0.2 172.16.0.2 Bastion host PIX Firewall Perimeter router 10.0.0.1 Map different internal subnets to different PAT addresses.. Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access. Source addresses of hosts in network 10.0.2.0 are translated to 192.168.0.9 for outgoing access. The source port is changed to a unique number greater than 1024.
25
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-25 Backing up PAT Addresses by Using Multiple PATs Information systems pixfirewall(config)# ip address (inside) 10.0.0.1 255.255.255.0 pixfirewall(config)# ip address (outside) 192.168.0.2 255.255.255.0 pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1 pixfirewall(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.0 pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0 pixfirewall(config)# nat (inside) 1 10.0.1.0 255.255.255.0 Sales Engineering 10.0.1.0 10.0.2.0 192.168.0.1 192.168.0.2 172.16.0.2 Bastion host PIX Firewall Perimeter router 10.0.0.1 Back up your PAT addresses by configuring another global. Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access. Address 192.168.0.9 will only be used when the port pool from 192.168.0.8 is at maximum capacity.
26
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-26 pixfirewall(config)# ip address (inside) 10.0.0.1 255.255.255.0 pixfirewall(config)# ip address (outside) 192.168.0.2 255.255.255.0 pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1 pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0 pixfirewall(config)# global (outside) 1 192.168.0.19 netmask 255.255.255.0 pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0 Augmenting a Global Pool with PAT Sales Engineering 10.0.1.0 10.0.2.0 Information systems 192.168.0.1 192.168.0.2 172.16.0.2 Bastion host PIX Firewall Perimeter router 10.0.0.1 10.0.0.0 When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20- 192.168.0.254 range. When the addresses from the global pool are exhausted, PAT begins.
27
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-27 No Network Address Translation (nat 0) pixfirewall(config)# nat (inside) 0 192.168.0.9 255.255.255.255 pixfirewall(config)# show nat pixfirewall(config)# nat 0 192.168.0.9 will be non- translated nat 0 ensures that 192.168.0.9 is not translated. ASA remains in effect with nat 0. 192.168.0.9 192.168.0.1 192.168.0.2 PIX Firewall Perimeter router 10.0.0.1
28
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-28 Summary
29
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-29 Summary The PIX Firewall manages the TCP and UDP protocols through the use of a translation table. Static translations assign a permanent IP address to an inside host. Mapping between local and global addresses is done dynamically with the nat command. The PIX Firewall understands the performance characteristics of the NetBIOS protocol and is able to translate the source address in the IP header as well as the source address in the payload.
30
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-30 Summary (cont.) Dynamic translations use NAT for local clients and their outbound connections and hides the client address from others on the Internet. The static and conduit commands are used to allow inbound communication through the PIX Firewall. The PIX Firewall supports PAT and no network address translation (nat 0).
31
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-31 Lab Configuring Access Through the PIX Firewall
32
© 2001, Cisco Systems, Inc. www.cisco.com CSPFA 2.0—5-32 Lab Visual Objective Inside host web and FTP server Backbone server web, FTP, and TFTP server Pod perimeter router PIX Firewall 192.168.P.0/24.1 e1 inside.1.3 10.0.P.0 /24 e0 outside.2 e2 dmz.1 Bastion host web and ftp server 172.26.26.50.2 172.16.P.0/24 Internet
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.