
Lesson 4 © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—4-1 Understanding Translations and Connections.


Slide 2: Transport Protocols

Slide 3: Sessions in an IP World
In an IP world, a network session is a transaction between two end systems. It is carried out primarily over two transport layer protocols:
–TCP
–UDP

Slide 4: TCP
TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol. TCP features:
–Sequencing and acknowledgment of data
–A defined state machine (open connection, data flow, retransmit, close connection)
–Congestion detection and avoidance mechanisms

Slide 5: TCP Initialization: Inside to Outside
The security appliance checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
The security appliance utilizes the stateful packet inspection algorithm:
–Source IP, source port, destination IP, destination port check
–Sequence number check
–Translation check
Start the embryonic connection counter.
[Figure: host 10.0.0.11 on the private network opens a Telnet (port 23) session to 172.30.0.50 on the public network through the security appliance; no data flows yet. IP and TCP header fields of the SYN and SYN-ACK on each side of the appliance:]
Network   Source Address  Destination Address  Source Port  Destination Port  Initial Sequence #  Flag     ACK
Private   10.0.0.11       172.30.0.50          1026         23                49091               Syn      -
Public    192.168.0.20    172.30.0.50          1026         23                49769               Syn      -
Public    172.30.0.50     192.168.0.20         23           1026              92513               Syn-Ack  49770
Private   172.30.0.50     10.0.0.11            23           1026              92513               Syn-Ack  49092

Slide 6: TCP Initialization: Inside to Outside (Cont.)
The security appliance resets the embryonic counter for this client. It then increases the connection counter for this host.
The security appliance strictly enforces the stateful packet inspection algorithm.
Data flows.
[Figure: the final ACK of the handshake from 10.0.0.11 to 172.30.0.50, as seen on each side of the security appliance:]
Network   Source Address  Destination Address  Source Port  Destination Port  Initial Sequence #  Flag  ACK
Private   10.0.0.11       172.30.0.50          1026         23                49092               Ack   92514
Public    192.168.0.20    172.30.0.50          1026         23                49770               Ack   92514
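The handshake and the three checks from slides 5 and 6, replayed in an added Python model (not Cisco code): a translation table, a connection table and the per-client embryonic counter. The single-address pool, the fixed ISN offset standing in for sequence number randomization, and the demo() helper are this example's assumptions.

```python
"""Model of the inside-to-outside TCP initialization on slides 5 and 6.

Added example, not Cisco code. Addresses, ports and sequence numbers are the
slides' own; the ISN offset is a constructed stand-in for the appliance's
sequence number randomization.
"""
from dataclasses import dataclass

MOD = 2 ** 32                        # TCP sequence numbers wrap at 32 bits


@dataclass
class Conn:
    isn_in: int                      # inside host's ISN as sent on the private side
    isn_out: int                     # the same ISN as rewritten on the public side
    peer_isn: int = 0                # outside host's ISN, learned from its SYN-ACK
    up: bool = False                 # True once the three-way handshake completes


class Appliance:
    def __init__(self, global_pool, isn_offset):
        self.pool = list(global_pool)      # free addresses from the global (outside) pool
        self.xlate = {}                    # real ip -> mapped ip (translation slot)
        self.conns = {}                    # (real ip, port, outside ip, port) -> Conn
        self.embryonic = {}                # real ip -> half-open connection count
        self.isn_offset = isn_offset       # constructed: real appliances randomize the ISN

    def outbound_syn(self, src, dst, isn):
        """SYN from inside: find or create the translation slot, create the conn,
        start the embryonic counter. Returns the packet as sent on the public side."""
        ip, port = src
        if ip not in self.xlate:
            if not self.pool:
                return None                # no translation slot available: dropped
            self.xlate[ip] = self.pool.pop(0)
        conn = Conn(isn_in=isn, isn_out=(isn + self.isn_offset) % MOD)
        self.conns[(ip, port, dst[0], dst[1])] = conn
        self.embryonic[ip] = self.embryonic.get(ip, 0) + 1
        return (self.xlate[ip], port), dst, conn.isn_out   # NAT keeps the port

    def inbound_synack(self, src, dst, isn, ack):
        """SYN-ACK from outside: translation check, 5-tuple check, sequence check.
        Returns the packet as delivered on the private side, or None if dropped."""
        real_ip = next((r for r, m in self.xlate.items() if m == dst[0]), None)
        if real_ip is None:
            return None                    # translation check failed
        conn = self.conns.get((real_ip, dst[1], src[0], src[1]))
        if conn is None:
            return None                    # no matching connection: unsolicited
        if ack != (conn.isn_out + 1) % MOD:
            return None                    # sequence number check failed
        conn.peer_isn = isn
        # the ACK is mapped back to the ISN the inside host actually used
        return src, (real_ip, dst[1]), isn, (conn.isn_in + 1) % MOD

    def outbound_ack(self, src, dst, ack):
        """Final ACK from inside: reset the embryonic counter, mark the conn up."""
        conn = self.conns.get((src[0], src[1], dst[0], dst[1]))
        if conn is None or ack != (conn.peer_isn + 1) % MOD:
            return None
        conn.up = True
        self.embryonic[src[0]] = 0
        return (self.xlate[src[0]], src[1]), dst, ack


def demo():
    """Replay the Telnet handshake from the slides; returns the appliance state."""
    fw = Appliance(["192.168.0.20"], isn_offset=49769 - 49091)
    inside, outside = ("10.0.0.11", 1026), ("172.30.0.50", 23)
    pub = fw.outbound_syn(inside, outside, 49091)          # public side: seq 49769
    reply = fw.inbound_synack(outside, pub[0], 92513, pub[2] + 1)
    fw.outbound_ack(inside, outside, reply[2] + 1)
    return fw
```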

Slide 7: UDP
–Connectionless protocol
–Efficient protocol for some services
–Resourceful, but difficult to secure

Slide 8: UDP (Cont.)
The security appliance checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
The security appliance follows the stateful packet inspection algorithm:
–Source IP, source port, destination IP, destination port check
–Translation check
All UDP responses must arrive from the outside within the user-configurable UDP timeout (default is 2 minutes).
[Figure: host 10.0.0.11 on the private network sends a UDP datagram to 172.30.0.50 on the public network through the security appliance and receives the response. IP and UDP header fields on each side of the appliance:]
Network   Source Address  Destination Address  Source Port  Destination Port
Private   10.0.0.11       172.30.0.50          1028         45000
Public    192.168.0.20    172.30.0.50          1028         45000
Public    172.30.0.50     192.168.0.20         45000        1028
Private   172.30.0.50     10.0.0.11            45000        1028

Slide 9: Network Address Translation

Slide 10: Addressing Scenarios
NAT was created to overcome several addressing problems that occurred with the expansion of the Internet:
–To mitigate global address depletion
–To use RFC 1918 addresses internally
–To conserve the internal address plan
NAT also increases security by hiding the internal topology.
[Figure: inside hosts 10.0.0.11 and 10.0.0.4; NAT translates 10.0.0.11 to 192.168.6.9 toward the Internet.]

Slide 11: Access Through the Security Appliance
Interface  Name        Security Level
e0         outside     0
e1         inside      100
e2         DMZ         30
e3         Partnernet  50
e4         Intranet    70
From a more secure to a less secure interface: allowed unless explicitly denied (nat and global).
From a less secure to a more secure interface: denied unless explicitly allowed (static and access list).

Slide 12: Inside Address Translation
Inside NAT translates addresses of hosts on a higher security level interface to a less secure interface:
–Dynamic translation
–Static translation
[Figure: static translation maps inside IP address 10.0.0.11 to outside global IP address 192.168.6.10; dynamic translation maps 10.0.0.4 to an address (192.168.6.20) from the outside global IP address pool 192.168.6.20-254. Both reach a Web server on the Internet.]

Slide 13: Dynamic Inside NAT
Dynamic translations:
fw1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
fw1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
[Figure: inside hosts 10.0.0.11 and 10.0.0.4; NAT translates 10.0.0.11 to 192.168.0.20 toward the Internet.]

Slide 14: Two Interfaces with NAT
fw1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
fw1(config)# nat (inside) 2 10.2.0.0 255.255.255.0
fw1(config)# global (outside) 1 192.168.0.3-192.168.0.16 netmask 255.255.255.0
fw1(config)# global (outside) 2 192.168.0.17-192.168.0.32 netmask 255.255.255.0
All hosts on the inside networks can start outbound connections. A separate global pool is used for each internal network.
[Figure: inside networks 10.0.0.0/24 and 10.2.0.0/24, outside network 192.168.0.0; global pool 192.168.0.3-16 serves 10.0.0.0/24 and global pool 192.168.0.17-32 serves 10.2.0.0/24 toward the Internet.]

Slide 15: Three Interfaces with NAT
fw1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
fw1(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
fw1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
fw1(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
Inside users can start outbound connections to both the DMZ and the Internet. The nat (dmz) command enables DMZ services to access the Internet. The global (dmz) command enables inside users to access the DMZ web server.
[Figure: inside network 10.0.0.0, DMZ with global pool 172.16.0.20-254, outside network 192.168.0.0 with global pool 192.168.0.20-254 toward the Internet.]

Slide 16: Port Address Translation

Slide 17: Port Address Translation
PAT is a combination of an IP address and a source port number. Many different sessions can be multiplexed over a single global IP address. Sessions are kept distinct by the use of different port numbers.
[Figure: inside host 10.0.0.11 is translated to 192.168.0.20 port 1024 and inside host 10.0.0.4 to 192.168.0.20 port 1025 toward the Internet.]

Slide 18: PAT Example
Outside IP addresses are typically registered with InterNIC. Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.3 for outgoing access. A single IP address (192.168.0.3) is assigned to the global pool. The source port is dynamically changed to a unique number that is greater than 1023.
fw1(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1
fw1(config)# nat (inside) 1 10.0.0.0 255.255.0.0
fw1(config)# global (outside) 1 192.168.0.3 netmask 255.255.255.255
[Figure: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets behind the inside network 10.0.0.0; outside network 192.168.0.0; global address 192.168.0.3.]

Slide 19: PAT Using Outside Interface Address
The outside interface is configured as a DHCP client. The interface option of the global command enables use of a DHCP address as the PAT address. The source addresses of hosts in network 10.0.0.0 are translated into a DHCP address for outgoing access, in this case, 192.168.0.2. The source port is changed to a unique number greater than 1023.
fw1(config)# interface ethernet0
fw1(config-if)# ip address inside 10.0.0.1 255.255.255.0
fw1(config-if)# ip address outside dhcp
fw1(config)# nat (inside) 1 10.0.0.0 255.255.0.0
fw1(config)# global (outside) 1 interface
[Figure: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets behind the inside network 10.0.0.0; outside network 192.168.0.0; global DHCP address 192.168.0.2.]

Slide 20: Mapping Subnets to PAT Addresses
Each internal subnet is mapped to a different PAT address. Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access. Source addresses of hosts in network 10.0.2.0 are translated to 192.168.0.9 for outgoing access. The source port is changed to a unique number greater than 1023.
fw1(config)# nat (inside) 1 10.0.1.0 255.255.255.0
fw1(config)# nat (inside) 2 10.0.2.0 255.255.255.0
fw1(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.255
fw1(config)# global (outside) 2 192.168.0.9 netmask 255.255.255.255
[Figure: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets behind the inside network 10.0.0.0; outside network 192.168.0.0; PAT addresses 192.168.0.8 and 192.168.0.9.]

Slide 21: Backing Up PAT Addresses by Using Multiple PATs
Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access. Address 192.168.0.9 will be used only when the port pool from 192.168.0.8 is at maximum capacity.
fw1(config)# nat (inside) 1 10.0.0.0 255.255.252.0
fw1(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.255
fw1(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.255
[Figure: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets behind the inside network 10.0.0.0; outside network 192.168.0.0; PAT addresses 192.168.0.8 and 192.168.0.9.]

Slide 22: Augmenting a Global Pool with PAT
When hosts on the 10.0.0.0 network access the outside network through the security appliance, they are assigned public addresses from the 192.168.0.20–192.168.0.253 range. When the addresses from the global pool are exhausted, PAT begins with the next available IP address, in this case, 192.168.0.254.
fw1(config)# nat (inside) 1 10.0.0.0 255.255.0.0
fw1(config)# global (outside) 1 192.168.0.20-192.168.0.253 netmask 255.255.255.0
fw1(config)# global (outside) 1 192.168.0.254 netmask 255.255.255.255
[Figure: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets behind the inside network 10.0.0.0; outside network 192.168.0.0; NAT addresses from 192.168.0.20, PAT address 192.168.0.254.]
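An added example (not Cisco code) of the pool behaviour described on slides 21 and 22: one-to-one NAT addresses first, PAT on the next global entry once they run out, and a second PAT address only when the first one's ports are used up. The two-address NAT range, the two-port PAT range and the demo() walk-through are constructed so that exhaustion shows within a few connections.

```python
"""Address and port allocation for a global pool augmented with PAT.

Added example, not Cisco code. Each inside host first gets a one-to-one
address from the NAT range; when that range is exhausted, PAT begins on the
next global entry with a unique port above 1023, and a further PAT address is
used only when the previous one's ports are all taken. Ranges in demo() are
constructed small; the addresses come from slides 21 and 22.
"""
import ipaddress


class GlobalPool:
    def __init__(self, nat_range, pat_addresses, pat_ports=range(1024, 65536)):
        first, last = (ipaddress.IPv4Address(a) for a in nat_range)
        self.free_nat = [str(ipaddress.IPv4Address(i)) for i in range(int(first), int(last) + 1)]
        self.pat_addresses = list(pat_addresses)     # order the global commands were entered
        self.pat_ports = pat_ports
        self.nat_xlate = {}                          # real ip -> mapped ip (dynamic NAT)
        self.pat_xlate = {}                          # (real ip, real port) -> (mapped ip, port)
        self.used_ports = {a: set() for a in self.pat_addresses}

    def translate(self, real_ip, real_port):
        """Return (mapped ip, mapped port) for an outbound connection, or None when
        every address and port is in use (the packet would be dropped)."""
        if real_ip in self.nat_xlate:                # existing NAT slot: port is kept
            return self.nat_xlate[real_ip], real_port
        if self.free_nat:
            self.nat_xlate[real_ip] = self.free_nat.pop(0)
            return self.nat_xlate[real_ip], real_port
        key = (real_ip, real_port)
        if key in self.pat_xlate:
            return self.pat_xlate[key]
        for addr in self.pat_addresses:              # fall back to PAT, first address first
            for port in self.pat_ports:
                if port not in self.used_ports[addr]:
                    self.used_ports[addr].add(port)
                    self.pat_xlate[key] = (addr, port)
                    return addr, port
        return None

    def release_pat(self, real_ip, real_port):
        """Free a PAT slot when its connection times out; returns what it was."""
        mapped = self.pat_xlate.pop((real_ip, real_port), None)
        if mapped:
            self.used_ports[mapped[0]].discard(mapped[1])
        return mapped


def demo():
    """Constructed walk-through: two NAT addresses, then PAT with two ports each."""
    pool = GlobalPool(("192.168.0.20", "192.168.0.21"), ("192.168.0.8", "192.168.0.9"),
                      pat_ports=range(1024, 1026))
    hosts = ["10.0.1.%d" % n for n in range(1, 8)]
    return pool, [pool.translate(h, 5000) for h in hosts]
```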

Slide 23: Identity NAT
With NAT control enabled:
–All packets traversing a security appliance require a translation rule.
–Identity NAT is used to create a transparent mapping.
–IP addresses on the high security interface translate to themselves on all lower security interfaces.
[Figure: inside host 10.0.0.15, a DMZ Internet server 192.168.0.9, and the outside interface toward the Internet.]

Slide 24: Identity NAT: nat 0 Command
NAT 0 ensures that the Internet server is translated to its own address on the outside. Security levels remain in effect with NAT 0.
fw1(config)# nat (dmz) 0 192.168.0.9 255.255.255.255
[Figure: DMZ Internet server 192.168.0.9 between the inside and outside interfaces, reachable from the Internet with its own address.]

Slide 25: Static Command

Slide 26: Global NAT and Static NAT
Global NAT:
–For dynamic NAT and PAT address assignments
–Inside end user receives an address from a pool of available addresses
–Used mostly for outbound end-user connections
Static:
–For “permanent” NAT address assignments
–Used mostly for server connections
[Figure: inside users Bob Smith (10.0.0.11) and Sam Jones (10.0.0.12) are translated from a global pool toward the Internet; the FTP server (172.16.1.10) and Web server (172.16.1.9) receive fixed translations.]

Slide 27: static Command: Parameters
Interfaces:
–Real interface – DMZ
–Mapped interface – Outside
IP addresses:
–Real IP address – 172.16.1.9
–Mapped IP address – 192.168.1.3
[Figure: DMZ Web server 172.16.1.9 and FTP server 172.16.1.10 mapped to outside addresses 192.168.1.3 and 192.168.1.4; inside users Bob Smith (10.0.0.11) and Sam Jones (10.0.0.12).]

Slide 28: static Command: Web Server
pixfirewall(config)# static (real_interface,mapped_interface) {mapped_address | interface} real_address [netmask mask]
fw1(config)# static (dmz,outside) 192.168.1.3 172.16.1.9 netmask 255.255.255.255
Packets sent to 192.168.1.3 on the outside are translated to 172.16.1.9 on the DMZ. This permanently maps the Web server IP address.
[Figure: DMZ Web server 172.16.1.9 and FTP server 172.16.1.10 mapped to outside addresses 192.168.1.3 and 192.168.1.4; inside users Bob Smith (10.0.0.11) and Sam Jones (10.0.0.12).]

Slide 29: static Command: FTP Server
pixfirewall(config)# static (real_interface,mapped_interface) {mapped_address | interface} real_address [netmask mask]
fw1(config)# static (dmz,outside) 192.168.1.4 172.16.1.10 netmask 255.255.255.255
Packets sent to 192.168.1.4 on the outside are translated to 172.16.1.10 on the DMZ. This permanently maps the FTP server IP address.
[Figure: DMZ Web server 172.16.1.9 and FTP server 172.16.1.10 mapped to outside addresses 192.168.1.3 and 192.168.1.4; inside users Bob Smith (10.0.0.11) and Sam Jones (10.0.0.12).]

Slide 30: Net Static
pixfirewall(config)# static (real_interface,mapped_interface) {mapped_address | interface} real_address [netmask mask]
fw1(config)# static (dmz,outside) 192.168.10.0 172.16.1.0 netmask 255.255.255.0
–Recommended when you want to translate multiple addresses with a single command
–A host address on the 172.16.1.0 subnet is translated to the corresponding host address on the 192.168.10.0 subnet
[Figure: DMZ Web server 172.16.1.9 and FTP server 172.16.1.10 appear on the outside as 192.168.10.9 and 192.168.10.10; inside users Bob Smith (10.0.0.11) and Sam Jones (10.0.0.12).]

Slide 31: Static PAT: Port Redirection
Used to create a permanent translation between a mapped IP address and port number and a specific real IP address and port number:
–192.168.0.9/www redirected to 172.16.1.9/www
–192.168.0.9/ftp redirected to 172.16.1.10/ftp
pixfirewall(config)# static [(real_interface,mapped_interface)] {tcp | udp} {mapped_ip | interface} mapped_port real_ip real_port [netmask mask]
[Figure: requests from the Internet to 192.168.0.9/www and 192.168.0.9/ftp are redirected to the DMZ Web server 172.16.1.9 and FTP server 172.16.1.10.]

Slide 32: static pat Command
fw1(config)# static (dmz,outside) tcp 192.168.0.9 ftp 172.16.1.9 ftp netmask 255.255.255.255
fw1(config)# static (dmz,outside) tcp 192.168.0.9 2121 172.16.1.10 ftp netmask 255.255.255.255
–A packet sent to 192.168.0.9/FTP is translated by the security appliance to 172.16.1.9 (first FTP server)
–A packet sent to 192.168.0.9/2121 is translated by the security appliance to 172.16.1.10 (second FTP server)
[Figure: DMZ FTP1 server 172.16.1.9 and FTP2 server 172.16.1.10 reached from the Internet through the outside address 192.168.0.9.]

Slide 33: TCP Intercept and Connection Limits

Slide 34: Connection Limits
The administrator can set connection limits:
–emb_lim – Maximum number of embryonic connections per host. An embryonic connection is a connection request that has not completed a TCP three-way handshake between the source and the destination.
–tcp_max_conns – Maximum number of simultaneous TCP connections that each real IP host is allowed to use. Idle connections are closed after the time specified by the timeout conn command.
–udp_max_conns – Maximum number of simultaneous UDP connections that each real IP host is allowed to use.

Slide 35: TCP Three-Way Handshake
[Figure: two exchanges across the Internet. Normal: host 172.26.26.45 sends SYN, SRC: 172.26.26.45, DST: 10.0.0.2 to target 10.0.0.2, receives the SYN-ACK and answers with an ACK. DoS attack: host 172.26.26.46 sends SYN, SRC: 172.16.16.20, DST: 10.0.0.3 with the spoofed source 172.16.16.20 to target 10.0.0.3; the SYN-ACK goes to the spoofed host and is never acknowledged, leaving an embryonic connection on the target.]

Slide 36: TCP Intercept
[Figure: with an embryonic connection count of 3, the security appliance performs TCP Intercept: for a normal client it completes the SYN, SYN-ACK, ACK handshake itself and then opens the connection to the server with its own handshake; SYNs from the DoS attack are answered by the security appliance and are not passed to the server until a handshake completes.]

Slide 37: SYN Cookies
–The security appliance responds to the SYN itself, including a cookie in the TCP header of the SYN-ACK.
–The security appliance keeps no state information.
–The cookie is a hash of parts of the TCP header and a secret key.
–A legitimate client completes the handshake by sending the ACK back with the cookie.
–If the cookie is authentic, the security appliance proxies the TCP session.
[Figure: the client's SYN is answered by the security appliance with SYN-ACK (Cookie); the client returns ACK (Cookie); the appliance then completes SYN, SYN-ACK, ACK with the server.]
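How a stateless SYN cookie of the kind slide 37 describes can be generated and checked, as an added example rather than the appliance's own implementation. The HMAC-SHA256 construction, the 5-bit time counter, the secret key and the header values are assumptions of this example.

```python
"""SYN cookie generation and verification in the style slide 37 describes.

Added example, not the security appliance's implementation. The cookie is an
HMAC over parts of the IP/TCP header (addresses, ports, client ISN) and a
secret key, packed into the 32-bit ISN of the SYN-ACK together with a short
time counter so that stale cookies expire. Nothing is stored between the SYN
and the ACK; the secret key and all header values are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-secret-key"    # a real implementation generates this at boot
COUNTER_BITS = 5                       # top 5 bits of the ISN carry a coarse time counter
HASH_BITS = 32 - COUNTER_BITS
HASH_MASK = (1 << HASH_BITS) - 1
MOD = 2 ** 32


def _mac(src, sport, dst, dport, client_isn, counter):
    """Keyed hash of the header fields, truncated to HASH_BITS."""
    msg = struct.pack("!4sH4sHII", ipaddress.IPv4Address(src).packed, sport,
                      ipaddress.IPv4Address(dst).packed, dport, client_isn, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_cookie(src, sport, dst, dport, client_isn, counter):
    """ISN to place in the SYN-ACK: counter in the top bits, MAC in the rest."""
    counter &= (1 << COUNTER_BITS) - 1
    return (counter << HASH_BITS) | _mac(src, sport, dst, dport, client_isn, counter)


def check_ack(src, sport, dst, dport, seq, ack, now, max_age=2):
    """Validate the client's final ACK (seq = client ISN + 1, ack = cookie + 1).

    Returns True only if the cookie is authentic and no older than max_age
    counter ticks; a spoofed SYN never yields such an ACK, so no state accrues.
    """
    cookie = (ack - 1) % MOD
    counter = cookie >> HASH_BITS
    if (now - counter) % (1 << COUNTER_BITS) > max_age:
        return False                   # expired or forged counter
    expected = _mac(src, sport, dst, dport, (seq - 1) % MOD, counter)
    got = cookie & HASH_MASK
    return hmac.compare_digest(got.to_bytes(4, "big"), expected.to_bytes(4, "big"))
```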

Slide 38: Embryonic Connection Limit
Setting the embryonic connection limit (emb_lim) enables TCP proxying using either TCP Intercept or SYN cookies.
–A value of 0 disables protection (default).
–When the embryonic connection limit is exceeded, all connections are proxied.
firewall(config)# nat (local_interface) nat_id local_ip [mask] [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]] [udp udp_max_conns]
firewall(config)# static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask] | access-list access_list_name} [dns] [norandomseq] [[tcp] [max_conns [emb_lim]]] [udp udp_max_conns]
fw1(config)# nat (inside) 1 0 0 0 25
fw1(config)# static (inside,outside) 192.168.0.11 172.16.0.2 0 25

Slide 39: UDP Maximum Connection Limit
Maximum number of simultaneous UDP connections that the local IP hosts are allowed.
–A value of 0 disables protection (default).
–Idle connections are closed after the time specified in the udp timeout command.
firewall(config)# nat (local_interface) nat_id local_ip [mask] [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]] [udp udp_max_conns]
firewall(config)# static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask] | access-list access_list_name} [dns] [[tcp] [max_conns [emb_lim]] [norandomseq]] [udp udp_max_conns]
fw1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 200 25
fw1(config)# static (inside,outside) 192.168.0.11 172.16.0.2 0 0 udp 100

Slide 40: Connections and Translations

Slide 41: Connections Versus Translations
Translations:
–NAT – Mapped address to real address
–PAT – Mapped address and port to real address and port
Connections:
–Host address and port to host address and port
[Figure: inside local host 10.0.0.11 has one translation to outside mapped pool address 192.168.0.20 and two connections to the Internet host 192.168.10.11: Telnet, 192.168.10.11:23 to 10.0.0.11:1026, and HTTP, 192.168.10.11:80 to 10.0.0.11:1027.]

Slide 42: show conn Command
Enables you to view all active connections.
fw1# show conn
2 in use, 2 most used
fw1# show conn
2 in use, 9 most used
TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:03 bytes 2320 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:03 bytes 3236 flags UIO
[Figure: inside host 10.0.0.11 with connections through the security appliance to 192.168.10.11 on the Internet.]

Slide 43: show conn detail Command
fw1# show conn
2 in use, 9 most used
TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:03 bytes 2320 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:03 bytes 3236 flags UIO
fw1# show conn detail
2 in use, 9 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, k - Skinny media, M - SMTP data,
       m - SIP media, O - outbound data, P - inside back conn, q - SQL*Net data,
       R - outside acknowledged FIN, R - UDP RPC, r - inside acknowledged FIN,
       S - awaiting inside SYN, s - awaiting outside SYN, T - SIP,
       t - SIP transient, U - up
TCP outside:192.168.10.11/80 inside:10.0.0.11/2824 flags UIO
TCP outside:192.168.10.11/80 inside:10.0.0.11/2823 flags UIO
[Figure: inside host 10.0.0.11 with connections through the security appliance to 192.168.10.11 on the Internet.]

Slide 44: show local-host Command
fw1# show local-host
Interface dmz: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 5 maximum active, 0 denied
local host:,
    TCP flow count/limit = 2/300
    TCP embryonic count to host = 0
    TCP intercept watermark = 25
    UDP flow count/limit = 0/unlimited
  Conn:
    TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:05 bytes 466 flags UIO
    TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:05 bytes 1402 flags UIO
Interface outside: 1 active, 1 maximum active, 0 denied
local host:,
    TCP flow count/limit = 2/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
  Conn:
    TCP out 192.168.10.11:80 in insidehost:2824 idle 0:00:05 bytes 466 flags UIO
    TCP out 192.168.10.11:80 in insidehost:2823 idle 0:00:05 bytes 1402 flags UIO
[Figure: inside host 10.0.0.11 with connections through the security appliance to 192.168.10.11 on the Internet.]
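Added defender-side example (not a Cisco tool) that parses show conn lines in the format of slides 42 to 44 and, using the flag legend from slide 43, counts up, embryonic and outside-initiated TCP connections per inside host and compares them with a configured emb_lim. The two UIO entries are the slides' own; every other sample line is constructed.

```python
"""Parser for show conn lines and a per-host embryonic connection summary.

Added example, not a Cisco tool. Uses the flag legend from slide 43: a TCP
entry without the U (up) flag is still embryonic; B marks a connection that
was initiated from the outside. SAMPLE mixes the slides' own two lines with
constructed lines for a second inside host and a UDP flow.
"""
import re
from collections import defaultdict

CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP) out (?P<out_ip>[\w.]+)\s*:(?P<out_port>\d+)"
    r" in (?P<in_ip>[\w.]+)\s*:(?P<in_port>\d+) idle (?P<idle>\d+:\d\d:\d\d)"
    r" bytes (?P<bytes>\d+) flags (?P<flags>\S+)\s*$")

# first two lines from the slides; the remaining lines are constructed
SAMPLE = """
TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:03 bytes 2320 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:03 bytes 3236 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.4:3001 idle 0:00:01 bytes 0 flags saA
TCP out 192.168.10.11:80 in 10.0.0.4:3002 idle 0:00:01 bytes 0 flags saA
TCP out 192.168.10.11:80 in 10.0.0.4:3003 idle 0:00:02 bytes 0 flags saA
TCP out 172.30.0.50:1234 in 10.0.0.4:22 idle 0:00:40 bytes 880 flags UIOB
UDP out 172.30.0.50:53 in 10.0.0.11:1028 idle 0:00:10 bytes 96 flags -
"""


def parse_conn(line):
    """Return a dict for one connection line, or None if the line is not one."""
    m = CONN_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("out_port", "in_port", "bytes"):
        rec[key] = int(rec[key])
    return rec


def summarize(text):
    """Per inside host: TCP conns that are up, still embryonic or from outside, plus UDP."""
    summary = defaultdict(lambda: {"up": 0, "embryonic": 0, "from_outside": 0, "udp": 0})
    for line in text.splitlines():
        rec = parse_conn(line)
        if rec is None:
            continue                     # headers such as "2 in use, 9 most used"
        host = summary[rec["in_ip"]]
        if rec["proto"] == "UDP":
            host["udp"] += 1
            continue
        host["up" if "U" in rec["flags"] else "embryonic"] += 1
        if "B" in rec["flags"]:
            host["from_outside"] += 1
    return dict(summary)


def over_watermark(summary, emb_lim):
    """Inside hosts whose embryonic count has reached emb_lim (0 means no limit)."""
    return sorted(h for h, c in summary.items() if emb_lim and c["embryonic"] >= emb_lim)
```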

Slide 45: show xlate Command
Enables you to view translation slot information.
fw1# show xlate
1 in use, 2 most used
Global 192.168.0.20 Local 10.0.0.11
[Figure: inside host 10.0.0.11 translated to 192.168.0.20, communicating with 192.168.10.11 on the Internet.]

Slide 46: show xlate detail Command
fw1# show xlate
1 in use, 3 most used
Global 192.168.0.20 Local 10.0.0.11
fw1# show xlate detail
1 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.0.0.11 to outside:192.168.0.20 flags i
[Figure: inside host 10.0.0.11 translated to 192.168.0.20, communicating with 192.168.10.11 on the Internet.]

Slide 47: Security Appliance NAT Philosophy
–Security appliance translation rules are configured between pairs of interfaces.
–With NAT control enabled, a packet cannot be switched across the security appliance if it does not match a translation slot in the translation table, except for NAT 0, which does not create a translation entry.
–If there is no translation slot, the security appliance will try to create a translation slot from its translation rules.
–If no translation slot match is found, the packet is dropped.
[Figure: inside host 10.0.0.11 translated by NAT to 192.168.0.20 on the outside interface, communicating with 192.168.10.11 on the Internet.]

Slide 48: Matching Outbound Packet Addresses
A packet arrives at an inside interface:
-The security appliance consults the access rules first.
-The security appliance makes a routing decision to determine the outbound interface.
The source address is checked against the local addresses in the translation table:
-If found, the source address is translated according to the translation slot.
Otherwise the security appliance looks for a match to the local address in the following order:
-nat 0 access-list (NAT exemption) – In order, until first match
-static (static NAT) – In order, until first match
-static {tcp | udp} (static PAT) – In order, until first match
-nat nat_id access-list (policy NAT) – In order, until first match
-nat (regular NAT) – Best match
If no match is found, the packet is dropped.
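The lookup order of slide 48 implemented as an added example (not Cisco code): first match in entry order for NAT exemption, static, static PAT and policy NAT, then best match for regular nat. The Rule class is this example's simplification; the exemption and policy-NAT rules are constructed, and the other rules take their addresses from slides 18, 20, 28 and 32.

```python
"""Outbound translation lookup in the order listed on slide 48.

Added example, not Cisco code. Rules are simplified forms of commands from
this lesson. The first four kinds are searched in entry order until the first
match; regular nat uses the best (longest-mask) match. The exemption and
policy-NAT rules in RULES are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    kind: str                 # "nat0_acl", "static", "static_pat", "policy_nat" or "nat"
    real: str                 # real address or network the rule translates
    mapped: str               # mapped address, global pool id or label
    dst: str = None           # access-list destination (exemption / policy NAT only)
    proto: str = None         # static PAT protocol
    port: int = None          # static PAT real port


FIRST_MATCH = ("nat0_acl", "static", "static_pat", "policy_nat")


def _matches(rule, src, dst, proto, port):
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.real):
        return False
    if rule.dst and ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.kind == "static_pat" and (rule.proto, rule.port) != (proto, port):
        return False
    return True


def lookup(rules, src, dst, proto="tcp", port=0):
    """Return the rule that would create the translation slot, or None (dropped)."""
    for kind in FIRST_MATCH:
        for rule in rules:                    # configuration order
            if rule.kind == kind and _matches(rule, src, dst, proto, port):
                return rule
    best = None
    for rule in rules:                        # regular nat: most specific network wins
        if rule.kind == "nat" and _matches(rule, src, dst, proto, port):
            if best is None or (ipaddress.ip_network(rule.real).prefixlen
                                > ipaddress.ip_network(best.real).prefixlen):
                best = rule
    return best


RULES = [
    Rule("nat", "10.0.0.0/16", "global (outside) 1"),      # nat (inside) 1 10.0.0.0 255.255.0.0
    Rule("nat", "10.0.2.0/24", "global (outside) 2"),      # nat (inside) 2 10.0.2.0 255.255.255.0
    Rule("static", "172.16.1.9/32", "192.168.1.3"),        # static (dmz,outside) 192.168.1.3 172.16.1.9
    Rule("static_pat", "172.16.1.10/32", "192.168.0.9:2121", proto="tcp", port=21),
    Rule("nat0_acl", "10.0.0.0/24", "exempt", dst="172.16.0.0/24"),                   # constructed
    Rule("policy_nat", "10.0.0.0/24", "global (outside) 3", dst="192.168.10.0/24"),  # constructed
]
```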

Slide 49: Configuring Multiple Interfaces

Slide 50: Additional Interface Support
–Supports additional interfaces
–Increases the security of publicly available services
–Easily interconnects multiple extranets and partner networks
–Easily configured with standard security appliance commands
Interface  Name             Security Level
e0         Outside          0
e1         Inside           100
e2         DMZ              30
e3         Partner Network  50
e4         Intranet         70

Slide 51: Configuring Three Interfaces
fw1(config)# interface ethernet0
fw1(config-if)# nameif outside
fw1(config-if)# ip address 192.168.0.2 255.255.255.0
fw1(config)# interface ethernet1
fw1(config-if)# nameif inside
fw1(config-if)# ip address 10.0.0.1 255.255.255.0
fw1(config)# interface ethernet2
fw1(config-if)# nameif dmz
fw1(config-if)# sec 50
fw1(config-if)# ip address 172.16.0.1 255.255.255.0
fw1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
fw1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
fw1(config)# static (dmz,outside) 192.168.0.11 172.16.0.2 netmask 255.255.255.255
fw1(config)# static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
[Figure: outside interface 192.168.0.2 toward the Internet, inside interface 10.0.0.1 on 10.0.0.0/24, DMZ host 172.16.0.2 mapped to 192.168.0.11; inside hosts use the global pool from 192.168.0.20 and reach the DMZ through the net static.]

Slide 52: Configuring Four Interfaces
fw1(config)# interface ethernet0
fw1(config-if)# nameif outside
fw1(config-if)# ip address 192.168.0.2 255.255.255.0
fw1(config)# interface ethernet1
fw1(config-if)# nameif inside
fw1(config-if)# ip address 10.0.0.1 255.255.255.0
fw1(config)# interface ethernet2
fw1(config-if)# nameif dmz
fw1(config-if)# sec 50
fw1(config-if)# ip address 172.16.0.1 255.255.255.0
fw1(config)# interface ethernet3
fw1(config-if)# nameif partnernet
fw1(config-if)# sec 40
fw1(config-if)# ip address 172.18.0.1 255.255.255.0
fw1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
fw1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
fw1(config)# static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
fw1(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
fw1(config)# static (dmz,partnernet) 172.18.0.11 172.16.0.2
[Figure: outside interface toward the Internet, inside network 10.0.0.0/24, DMZ host 172.16.0.2 mapped to 192.168.0.11 on the outside and to 172.18.0.11 on the partner network 172.18.0.0/24; inside hosts use the global pool from 192.168.0.20 and reach the DMZ through the net static.]

Slide 53: Summary
–The security appliance manages the TCP and UDP protocols through the use of a translation table (for NAT sessions) and a connection table (for TCP and UDP sessions).
–The static command creates a permanent translation.
–Mapping between local and global address pools is done dynamically with the nat command.
–The nat and global commands work together to hide internal IP addresses.
–The security appliance supports PAT.
–Configuring multiple interfaces requires greater attention to detail, but can be done with standard security appliance commands.
