Only Two Ways through the PIX Firewall


1 Only Two Ways through the PIX Firewall
For a packet to traverse the PIX Firewall, it must pass two policies: NAT and access control. The following are the only two ways to pass both policies and gain access through the PIX Firewall:

Valid user request: outbound communications.
Pre-defined static plus conduit (or ACL): inbound communications.

ACLs are preferred over conduits. The conduit command is deprecated in favour of access-list and is removed in later PIX software (it is gone in PIX 7.0), so new configurations should use access-list and access-group only.

Valid user request (inside to outside): every session originated from inside to outside first dynamically populates the state table kept by the Adaptive Security Algorithm (ASA). When the outside server responds, the PIX checks the state table for a translation slot (xlate) and connection matching that particular request. If one is present, the PIX lets the session flow without re-evaluating the policies. Once the session is terminated (FIN or RST for TCP), that translation is deleted. For UDP, a configurable idle timer is started once the session is established; when it fires, the translation slot is closed.

Pre-defined static plus conduit (outside to inside): a pre-defined static translation is entered for an address or a range of addresses (a net static) taken from the global pool. In addition, a conduit (or, preferably, an ACL) is entered that defines, by address or group of addresses and by TCP/UDP port or port range, who and what application is allowed to flow through the PIX. Without both the static and the permitting rule, inbound traffic is dropped.

A TACACS+ or RADIUS server may be used for authentication and authorization of both inside-to-outside and outside-to-inside communication.

2 ACL Usage Guidelines

Higher to lower security level:
Use an ACL to restrict outbound traffic.
The ACL source address is the actual (untranslated) address of the host or network.
Applied inbound on the higher-security interface.

Lower to higher security level:
Use an ACL to restrict inbound traffic.
The ACL destination address is the translated (global) IP address.
Requires a statically mapped address for the internal destination address.
Applied inbound on the lower-security interface.

3 access-list Command

pixfirewall(config)# access-list acl_ID {deny | permit} protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]

Enables you to create an ACL. Entries are evaluated in the order they are entered, and every ACL ends with an implicit deny of anything not explicitly permitted.

Note on interface PAT: the outside interface's IP address can be used as the PAT address (the interface keyword in the global command). The interface IP address used for PAT is the address associated with the interface when the xlate (translation slot) is created, which matters for DHCP, because it lets the DHCP-assigned address be used for PAT. Enabling PAT on the interface address does not break TCP, UDP, or ICMP services that terminate on the PIX Firewall's outside interface itself.

pixfirewall(config)# access-list DMZ1 deny tcp host lt 1024

Denies access from the source network to TCP ports lower than 1024 on the destination host.

4 access-group Command

pixfirewall(config)# access-group acl_ID in interface interface_name

Binds an ACL to an interface, inbound.

pixfirewall(config)# access-group DMZ1 in interface dmz

Binds ACL DMZ1 to interface dmz.

5 Static Inside Translations
pixfirewall(config)# static (inside, outside)

Permanently maps a single IP address. A packet from the inside host leaves the PIX with the global address as its source address. The global IP address given in the static command simulates a public address; the PIX answers ARP requests for it with the MAC address of its own outside interface (proxy ARP), so no outside host needs to own that address. Remember the argument order, "inside outside outside inside": static (inside,outside) outside_address inside_address, i.e. the mapped (global) address comes first and the real (inside) address second.

Instructor notes for this and each subsequent feature: mention the feature name, outline the feature's qualities and capabilities, show where the feature is used by highlighting the example network diagram to show the extent of the feature's influence, and discuss the example configuration. Mention to students that the global address in the example simulates a public address.

6 static Command

pixfirewall(config)# static [(prenat_interface, postnat_interface)] {mapped_address | interface} real_address [netmask mask]

pixfirewall(config)# static (inside,outside) netmask

Port static (maps a single TCP or UDP port rather than a whole address):

pixfirewall(config)# static [(internal_if_name, external_if_name)] {tcp | udp} {global_ip | interface} global-port local_ip local-port [netmask mask] [max_conns [emb_limit [norandomseq, nailed]]]

A packet sent from the real address leaves the PIX with the mapped address as its source address. Permanently maps a single IP address. Recommended for internal service hosts, since the static must exist before an ACL can admit inbound connections to the host.

7 Three Interfaces with NAT
pixfirewall(config)# nat (inside)
pixfirewall(config)# nat (dmz)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (dmz) netmask

Inside users can start outbound connections to both the DMZ and the Internet. The nat (dmz) command gives DMZ servers access to the Internet. The global (dmz) command gives inside users access to the web server on the DMZ. The nat and global commands are paired by their nat_id: a host matched by a nat entry on a higher-security interface is translated from the global pool with the same nat_id on whichever lower-security interface the packet leaves, so one nat (inside) entry is served by both global (outside) and global (dmz).

8 Permit Web Access to the DMZ
pixfirewall(config)# write terminal
...
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
ip address outside
ip address inside
ip address dmz
static (dmz,outside)
access-list acl_in_dmz permit tcp any host eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside

The ACL acl_in_dmz permits web traffic on TCP port 80 from the Internet to the DMZ web server. The host address in the ACL is the global (mapped) address from the static (dmz,outside) command, not the server's real DMZ address, because the ACL on the outside interface sees the packet before it is untranslated. The ACL acl_in_dmz denies all other IP traffic from the Internet; the explicit deny ip any any restates the implicit deny at the end of every ACL, which gives a hit count for dropped traffic in show access-list.

Purpose: describe the PIX and its e2 interface to a protected DMZ and its servers. Emphasize: the PIX supports multiple interfaces, with the third and any additional interfaces available to create one or more secured DMZ areas. The two major advantages of using multiple perimeter interfaces are that the PIX enhances the extensibility of servers to other platforms and that the PIX is a major element for enforcing the network security policy. Configure the interfaces with the nameif and ip address commands. Refer to the SG text for guidelines to present with this figure. Transition: the next section covers the integration of AAA services with the PIX.

9 Configuring Three Interfaces
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside
pixfirewall(config)# ip address inside
pixfirewall(config)# ip address dmz
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (dmz) netmask
pixfirewall(config)# static (dmz,outside)
pixfirewall(config)# access-list acl_in_dmz permit tcp any host eq www
pixfirewall(config)# access-list acl_in_dmz deny ip any any
pixfirewall(config)# access-group acl_in_dmz in interface outside
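As an added example, not code from the presentation, the following Python model walks a packet through the two policies of slide 1: the NAT policy (a translation slot from a nat/global pair or a pre-defined static) and the access-control policy (an access-list bound with access-group), with a state table that admits replies and is emptied when the session ends. It parses a configuration in the style of slides 8 and 9 so that the guidelines of slide 2 (an outbound ACL on the inside interface matches the real source address, an inbound ACL on the outside interface matches the global address of a static) and the nat/global pairing of slide 7 can be checked against concrete packets. The interface names follow the slides; the addresses (10.0.0.0/24, 172.16.0.0/24, 192.0.2.0/24, 198.51.100.7), the nat_id 1 and the Packet layout are assumptions. Routing is given per packet, dynamic translation is 1:1 NAT rather than PAT, and only the eq, lt and gt port operators are parsed.

```python
"""Toy model of the PIX packet path from the slides: a packet needs a translation slot
(NAT policy) and an access-control verdict, and replies are admitted by the state table.
Added example, not the presentation's code; addresses and interface names are assumed."""
import ipaddress
from collections import namedtuple

ip = ipaddress.ip_address
Packet = namedtuple("Packet", "in_if out_if proto src sport dst dport")
PORTS = {"www": 80, "ssh": 22}
CONFIG = """\
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.0.2.20-192.0.2.254 netmask 255.255.255.0
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
static (dmz,outside) 192.0.2.11 172.16.0.2 netmask 255.255.255.255
access-list acl_in_dmz permit tcp any host 192.0.2.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside
"""  # constructed in the style of the slides; every address is an assumption (RFC 5737 / RFC 1918)

def _addr(rest):                     # consumes one ACL address: any | host A | A MASK
    tok = rest.pop(0)
    return (ipaddress.ip_network("0.0.0.0/0") if tok == "any"
            else ipaddress.ip_network(f"{rest.pop(0)}/32") if tok == "host"
            else ipaddress.ip_network(f"{tok}/{rest.pop(0)}", strict=False))

class Pix:
    def __init__(self, config):
        self.sec, self.nats, self.globals, self.acls, self.groups = {}, [], {}, {}, {}
        self.static_out, self.static_in, self.xlates, self.conns = {}, {}, {}, {}
        for w in (line.split() for line in config.splitlines() if line.strip()):
            getattr(self, "_" + w[0].replace("-", "_"))(w)   # one handler per keyword

    def _nameif(self, w):            # nameif ethernet1 inside sec100
        self.sec[w[2]] = int(w[3][3:])

    def _nat(self, w):               # nat (inside) 1 10.0.0.0 255.255.255.0
        self.nats.append((w[1].strip("()"), int(w[2]), ipaddress.ip_network(f"{w[3]}/{w[4]}", strict=False)))

    def _global(self, w):            # global (outside) 1 first[-last] netmask m
        lo, _, hi = w[3].partition("-")
        self.globals[(w[1].strip("()"), int(w[2]))] = [ip(a) for a in range(int(ip(lo)), int(ip(hi or lo)) + 1)]

    def _static(self, w):            # static (real_if,mapped_if) mapped real netmask m
        pair, mapped, real = tuple(w[1].strip("()").split(",")), ip(w[2]), ip(w[3])
        self.static_out[pair + (real,)], self.static_in[pair + (mapped,)] = mapped, real

    def _access_list(self, w):       # access-list NAME permit|deny proto src dst [op port]
        rest = w[4:]
        src, dst = _addr(rest), _addr(rest)
        op, port = (rest[0], int(PORTS.get(rest[1], rest[1]))) if rest else (None, None)
        self.acls.setdefault(w[1], []).append((w[2], w[3], src, dst, op, port))

    def _access_group(self, w):      # access-group NAME in interface outside
        self.groups[w[4]] = w[1]

    def acl_permits(self, p):
        name = self.groups.get(p.in_if)
        if name is None:             # nothing bound: higher-to-lower open, lower-to-higher closed
            return self.sec[p.in_if] > self.sec[p.out_if]
        for action, proto, src, dst, op, port in self.acls[name]:
            port_ok = op is None or {"eq": p.dport == port, "lt": p.dport < port, "gt": p.dport > port}[op]
            if proto in ("ip", p.proto) and p.src in src and p.dst in dst and port_ok:
                return action == "permit"
        return False                 # implicit deny at the end of every ACL

    def _dynamic(self, real_if, mapped_if, real):  # matching nat/global pair: 1:1 NAT from the pool
        key = (real_if, mapped_if, real)
        if key not in self.xlates:
            free = [a for n_if, i, net in self.nats if n_if == real_if and real in net
                    for a in self.globals.get((mapped_if, i), []) if a not in self.xlates.values()]
            if free:
                self.xlates[key] = free[0]
        return self.xlates.get(key)

    def forward(self, p):
        """Return (verdict, detail); on allow, detail is the address the PIX rewrites."""
        key = (p.in_if, p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.conns:        # 1. reply to an established session: state table, no policy re-check
            return "allow", self.conns[key]
        if not self.acl_permits(p):  # 2. access-control policy, evaluated on the ingress interface
            return "deny", "acl"
        if self.sec[p.in_if] > self.sec[p.out_if]:   # 3a. outbound: translate the source
            mapped = self.static_out.get((p.in_if, p.out_if, p.src)) or self._dynamic(p.in_if, p.out_if, p.src)
            if mapped is None:
                return "deny", "no nat/global for source"
            self.conns[(p.out_if, p.proto, p.dst, p.dport, mapped, p.sport)] = p.src   # slot for the reply
            return "allow", mapped
        real = self.static_in.get((p.out_if, p.in_if, p.dst))   # 3b. inbound: needs a pre-defined static
        if real is None:
            return "deny", "no static for destination"
        self.conns[(p.out_if, p.proto, real, p.dport, p.src, p.sport)] = p.dst
        return "allow", real

    def close(self, p):
        """Session ended (TCP FIN/RST, UDP idle timer): drop the slot that admitted p."""
        self.conns.pop((p.in_if, p.proto, p.src, p.sport, p.dst, p.dport), None)
```

Construct Pix(CONFIG) and pass Packet tuples to forward(). An inside host opening a connection to the Internet gets ("allow", global address) and the server's reply gets ("allow", real address) straight from the state table; a packet from the Internet to the static's global address on port 80 is admitted and untranslated to the DMZ server, the same packet to port 22 is ("deny", "acl"), and a packet to a global pool address that is not covered by a static is denied even though an xlate exists for it. After close() on the reply, that same reply is denied again because its slot is gone. Binding an ACL to the inside interface with a deny on 10.0.0.0/24 shows the slide 2 rule that outbound ACLs match the real, untranslated source.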

