© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—6-1
Lesson 6
Translations and Connections
Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
• Describe how the TCP and UDP protocols function within the PIX Firewall.
• Describe how static and dynamic translations function.
• Configure the PIX Firewall to permit outbound connections.
• Explain the PIX Firewall PAT feature.
Transport Protocols
Sessions in an IP World
In an IP world, a network session is a transaction between two end systems. It is carried out primarily over two transport layer protocols:
• TCP
• UDP
TCP
• TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol.
• TCP features:
–Sequencing and acknowledgement of data.
–A defined state machine (open connection, data flow, retransmit, close connection).
–Congestion detection and avoidance mechanisms.
TCP Initialization—Inside to Outside
Diagram: host 10.0.0.11 on the private network opens a Telnet session (port 23) to 172.30.0.50 on the public network through the PIX Firewall, which translates 10.0.0.11 to 192.168.0.20.
The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
The PIX Firewall follows the Adaptive Security Algorithm:
• (source IP, source port, destination IP, destination port) check
• Sequence number check
• Translation check
Start the embryonic connection counter. No data flows yet.
IP header and TCP header fields of packets #1 to #4 (#1 and #4 on the private network, #2 and #3 on the public network):
#  Source address  Destination address  Source port  Destination port  Initial sequence #  Flag     Ack
1  10.0.0.11       172.30.0.50          1026         23                49091               Syn      –
2  192.168.0.20    172.30.0.50          1026         23                49769               Syn      –
3  172.30.0.50     192.168.0.20         23           1026              92513               Syn-Ack  49770
4  172.30.0.50     10.0.0.11            23           1026              92513               Syn-Ack  49092
TCP Initialization—Inside to Outside (Cont.)
Diagram: the same Telnet session from 10.0.0.11 (private network) to 172.30.0.50 (public network) after the handshake completes; data flows.
Reset the embryonic counter for this client. It then increases the connection counter for this host.
Strictly follows the Adaptive Security Algorithm.
IP header and TCP header fields of packets #5 (private network) and #6 (public network):
#  Source address  Destination address  Source port  Destination port  Initial sequence #  Flag  Ack
5  10.0.0.11       172.30.0.50          1026         23                49092               Ack   92514
6  192.168.0.20    172.30.0.50          1026         23                49770               Ack   92514
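The handshake on the TCP initialization slides above, replayed through a small Python model of the Adaptive Security Algorithm checks (an added example, not Cisco's code or the PIX implementation): it creates the embryonic slot on the inside SYN, shifts the inside host's initial sequence number by a fixed offset (the slide shows 49091 leaving as 49769, so 678 is assumed), rejects an inbound SYN-ACK whose acknowledgement number does not match, and moves the slot from embryonic to established on the final ACK.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flags: str      # "Syn", "Syn-Ack" or "Ack"
    ack: int = 0


@dataclass
class PixTcpState:
    """Model of the PIX handshake tracking (added; not the real implementation)."""
    xlate: dict                          # inside local -> outside global address
    isn_offset: int = 678                # 49769 - 49091 on the slide; assumed fixed
    conns: dict = field(default_factory=dict)   # 4-tuple -> slot state
    embryonic: int = 0
    established: int = 0

    def outbound(self, seg):
        """Inside -> outside: 4-tuple check, translation, ISN randomisation."""
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == "Syn":                          # packet #1
            self.conns[key] = {"state": "embryonic"}
            self.embryonic += 1                         # start the embryonic counter
        elif key not in self.conns:
            raise ValueError("no connection slot: dropped")
        elif self.conns[key]["state"] == "embryonic" and seg.flags == "Ack":
            self.conns[key]["state"] = "up"             # packet #5: handshake done
            self.embryonic -= 1                         # reset the embryonic counter
            self.established += 1                       # count the connection
        # ack the outside host must return next (pure ACKs carry no payload here)
        self.conns[key]["next_ack"] = seg.seq + self.isn_offset + (1 if seg.flags == "Syn" else 0)
        return Segment(self.xlate[seg.src], seg.dst, seg.sport, seg.dport,
                       seg.seq + self.isn_offset, seg.flags, seg.ack)

    def inbound(self, seg):
        """Outside -> inside: slot lookup, sequence number check, un-translate."""
        local = next((l for l, g in self.xlate.items() if g == seg.dst), None)
        key = (local, seg.dport, seg.src, seg.sport)
        if local is None or key not in self.conns:
            raise ValueError("no connection slot: dropped")
        if seg.ack != self.conns[key]["next_ack"]:      # sequence number check
            raise ValueError("ack does not match the randomised ISN: dropped")
        return Segment(seg.src, local, seg.sport, seg.dport,
                       seg.seq, seg.flags, seg.ack - self.isn_offset)


def walk_handshake():
    """Replay packets #1-#6 from the slides; return the PIX and what it emitted."""
    pix = PixTcpState({"10.0.0.11": "192.168.0.20"})
    p2 = pix.outbound(Segment("10.0.0.11", "172.30.0.50", 1026, 23, 49091, "Syn"))
    p4 = pix.inbound(Segment("172.30.0.50", "192.168.0.20", 23, 1026, 92513, "Syn-Ack", p2.seq + 1))
    p6 = pix.outbound(Segment("10.0.0.11", "172.30.0.50", 1026, 23, p4.ack, "Ack", p4.seq + 1))
    return pix, p2, p4, p6
```

A SYN-ACK that acknowledges the un-randomised inside ISN (49092 instead of 49770) fails the sequence number check, which is why the offset is hidden from the outside.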
UDP
• Connectionless protocol.
• Efficient protocol for some services.
• Resourceful but difficult to secure.
UDP (Cont.)
Diagram: host 10.0.0.11 on the private network sends a UDP datagram from port 1028 to port 45000 on 172.30.0.50 on the public network through the PIX Firewall, which translates 10.0.0.11 to 192.168.0.20.
The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
The PIX Firewall follows the Adaptive Security Algorithm:
• (source IP, source port, destination IP, destination port) check
• Translation check
IP header and UDP header fields of packets #1 to #4 (#1 and #4 on the private network, #2 and #3 on the public network):
#  Source address  Destination address  Source port  Destination port
1  10.0.0.11       172.30.0.50          1028         45000
2  192.168.0.20    172.30.0.50          1028         45000
3  172.30.0.50     192.168.0.20         45000        1028
4  172.30.0.50     10.0.0.11            45000        1028
All UDP responses arrive from outside and within the UDP user-configurable timeout (default = 2 minutes).
Network Address Translations
Addressing Scenarios
• NAT was created to overcome several addressing problems that occurred with the expansion of the Internet:
–Mitigate global address depletion
–Use RFC 1918 addresses internally
–Conserve internal address plan
• Additionally, NAT increases security by hiding the internal topology.
Diagram: inside hosts 10.0.0.11 and 10.0.0.4 reach the Internet through NAT; 10.0.0.11 appears on the outside as 192.168.6.1.
Access Through the PIX Firewall
Diagram: e0 outside, security level 0 (less secure, toward the Internet); e1 inside, security level 100 (more secure).
• More secure to less secure: nat and global (or static).
• Less secure to more secure: static and access list (or static and conduit).
Inside Address Translations
Inside NAT—Translates addresses of hosts on a higher security level to a less secure interface:
• Dynamic translation
• Static translation
Diagram: inside IP address 10.0.0.11 has a static translation to outside global IP address 192.168.6.10; inside host 10.0.0.4 gets a dynamic translation from the outside global IP address pool 192.168.6.20-254; a WWW server sits on the Internet.
Dynamic Inside NAT
• Dynamic translations
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
Diagram: inside hosts 10.0.0.11 and 10.0.0.4 reach the Internet through NAT; 10.0.0.11 appears on the outside as 192.168.0.20.
Two Interfaces with NAT
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.2.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.3-192.168.0.14 netmask 255.255.255.0
pixfirewall(config)# global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.0
• All hosts on the inside networks can start outbound connections.
• A separate global pool is used for each internal network.
Diagram: inside networks 10.0.0.0/24 (global pool 192.168.0.3-14) and 10.2.0.0/24 (global pool 192.168.0.17-30) behind the PIX Firewall; outside network 192.168.0.0 toward the Internet.
Three Interfaces with NAT
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
• Inside users can start outbound connections to both the DMZ and the Internet.
• The nat (dmz) command gives DMZ services access to the Internet.
• The global (dmz) command gives inside users access to the DMZ web server.
Diagram: inside network 10.0.0.0; outside network 192.168.0.0 (global pool 192.168.0.20-254) toward the Internet; DMZ with global pool 172.16.0.20-254.
Port Address Translation
Diagram: inside hosts 10.0.0.11 and 10.0.0.4 both leave for the Internet through PAT as 192.168.0.20, 10.0.0.11 on port 2000 and 10.0.0.4 on port 2001.
• PAT is a combination of an IP address and a source port number.
• Many different sessions can be multiplexed over a single global IP address.
• Session distinction is made via different port numbers.
PAT Example
• Outside IP addresses are typically registered with InterNIC.
• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.9 for outgoing access.
• Assign a single IP address (192.168.0.9) to global pool.
• Source port changed to a unique number greater than 1023.
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.0.0
pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.255
Diagram: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets of network 10.0.0.0 behind the PIX inside interface .1; outside interface .2 on 192.168.0.0 with next hop .1; global address 192.168.0.9.
PAT Using Outside Interface Address
• The interface option of the global command enables use of the outside interface as the PAT address.
• The source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.2 for outgoing access.
• The source port is changed to a unique number greater than 1024.
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside dhcp
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.0.0
pixfirewall(config)# global (outside) 1 interface
Diagram: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets of network 10.0.0.0 behind the PIX inside interface .1; outside interface .2 on 192.168.0.0 with next hop .1; global address 192.168.0.2.
Mapping Subnets to PAT Addresses
• Each internal subnet is mapped to a different PAT address.
• Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.
• Source addresses of hosts in network 10.0.2.0 are translated to 192.168.0.9 for outgoing access.
• The source port is changed to a unique number greater than 1023.
pixfirewall(config)# nat (inside) 1 10.0.1.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.0.2.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.0
pixfirewall(config)# global (outside) 2 192.168.0.9 netmask 255.255.255.0
Diagram: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets of network 10.0.0.0 behind the PIX inside interface .1; outside interface .2 on 192.168.0.0 with next hop .1; PAT addresses 192.168.0.8 and 192.168.0.9.
Backing Up PAT Addresses by Using Multiple PATs
• Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.
• Address 192.168.0.9 will be used only when the port pool from 192.168.0.8 is at maximum capacity.
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.0.0
pixfirewall(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0
Diagram: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets of network 10.0.0.0 behind the PIX inside interface .1; outside interface .2 on 192.168.0.0 with next hop .1; PAT addresses 192.168.0.8 and 192.168.0.9.
Augmenting a Global Pool with PAT
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.253 netmask 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.254 netmask 255.255.255.0
• When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20–192.168.0.253 range.
• When the addresses from the global pool are exhausted, PAT begins with IP address 192.168.0.254.
Diagram: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets of network 10.0.0.0 behind the PIX inside interface .1; outside interface .2 on 192.168.0.0 with next hop .1; NAT pool starting at 192.168.0.20, PAT address 192.168.0.254.
Static NAT
static Command
• Used to create a permanent translation between an inside IP address and a specific global IP address
• Recommended for internal service hosts
Diagram: DNS server 10.0.0.11 on the inside is reachable from the Internet (outside) through a static translation to 192.168.0.10.
static Command (Cont.)
pixfirewall(config)# static [(prenat_interface,postnat_interface)] {mapped_address | interface} real_address [netmask mask]
pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255
• Packet sent from 10.0.0.11 translated to 192.168.0.10
• Permanently maps a single IP address
• Recommended for internal service hosts
Diagram: DNS server 10.0.0.11 on the inside is statically mapped to 192.168.0.10 on the outside (Internet).
Identity NAT (NAT 0)
Identity NAT—nat 0 Command
• Identity NAT is used to create a transparent mapping.
• IP addresses on the inside appear on the outside without translation.
Diagram: Internet server 192.168.0.9 in the DMZ appears on the outside as 192.168.0.9; inside host 10.0.0.15; www.cisco.com on the Internet.
Identity NAT—nat 0 Command (Cont.)
• NAT 0 ensures that the Internet server is not translated.
• The ASA (Adaptive Security Algorithm) remains in effect with NAT 0.
pixfirewall(config)# nat (dmz) 0 192.168.0.9 255.255.255.255
Diagram: Internet server 192.168.0.9 in the DMZ keeps the address 192.168.0.9 on the outside; inside; www.cisco.com on the Internet.
Policy NAT
• Identify local traffic for address translation by specifying the source and destination addresses in an access list.
• Apply the access list to the nat or static command.
Diagram: inside host 10.0.0.15 appears as 192.168.0.9 when it reaches the Telnet server 192.168.10.11 and as 192.168.0.21 when it reaches the web server 192.168.10.4 across the Internet.
Policy NAT—nat plus acl command
pix1(config)# access-list NET1 permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.11 eq 23
pix1(config)# nat (inside) 10 access-list NET1
pix1(config)# global (outside) 10 192.168.0.9 255.255.255.255
pix1(config)# access-list NET2 permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.4 eq 80
pix1(config)# nat (inside) 11 access-list NET2
pix1(config)# global (outside) 11 192.168.0.21 255.255.255.255
Diagram: inside host 10.0.0.15 appears as 192.168.0.9 to the Telnet server 192.168.10.11 and as 192.168.0.21 to the web server 192.168.10.4 across the Internet.
Policy NAT—static plus acl command
Diagram: inside host 10.0.0.15 appears as 192.168.0.9 to the Telnet server 192.168.10.11 and as 192.168.0.21 to the web server 192.168.10.4 across the Internet.
pix1(config)# access-list NET1 permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.11 eq 23
pix1(config)# static (inside,outside) 192.168.0.9 access-list NET1
pix1(config)# access-list NET2 permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.4 eq 80
pix1(config)# static (inside,outside) 192.168.0.21 access-list NET2
Connections and Translations
Connections vs. Translations
• Translations (xlates)—IP address to IP address translation
• Connections (conns)—TCP or UDP sessions
Diagram: inside local address 10.0.0.11 is translated to 192.168.0.20 from the outside global pool (one translation; 10.0.0.4 sits alongside on the inside); across that single translation two connections run to 192.168.10.11 on the Internet:
Connection 192.168.10.11:23 10.0.0.11:1026 (Telnet)
Connection 192.168.10.11:80 10.0.0.11:1027 (HTTP)
show conn Command
show conn
• Enables you to view all active connections
pixfirewall# show conn
1 in use, 2 most used
TCP out 192.168.10.11:23 in 10.0.0.11:1026 idle 0:00:22 Bytes 1774 flags UIO
pixfirewall#
Diagram: the connection from inside host 10.0.0.11 (10.0.0.4 alongside) to 192.168.10.11 on the Internet.
show xlate Command
show xlate
• Enables you to view translation slot information
pixfirewall# show xlate
1 in use, 2 most used
Global 192.168.0.20 Local 10.0.0.11
pixfirewall#
Diagram: the translation of inside host 10.0.0.11 (10.0.0.4 alongside) to 192.168.0.20 on the way to 192.168.10.11 on the Internet.
PIX Firewall NAT Philosophy
• With the PIX Firewall, translation rules are always configured between pairs of interfaces.
• A packet cannot be switched across the PIX Firewall if it does not match a translation slot in the xlate table.
• If there is no translation slot, the PIX Firewall will try to create a translation slot from its translation rules.
• Otherwise, the packet is dropped.
Diagram: inside hosts 10.0.0.11 and 10.0.0.4; NAT between the inside and outside interfaces translates 10.0.0.11 to 192.168.0.20 on the way to 192.168.10.11 on the Internet.
PIX Firewall NAT Algorithm—Outbound Packet Flow
• A packet arrives at an inside interface:
- PIX Firewall consults the access rules first.
- PIX Firewall makes a routing decision to determine the outbound interface.
• Source address is checked against the local addresses in the xlate table:
- If found, SA is translated according to the xlate slot.
• Otherwise, PIX Firewall looks for a static translation rule from this interface:
- If found, an xlate slot is created, and SA is translated.
• Otherwise, PIX Firewall looks for a dynamic translation rule from this interface:
- If found, an xlate slot is created from the destination interface address pool, and the SA is translated.
• Otherwise the packet is dropped.
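The outbound packet flow above, together with the earlier "Augmenting a Global Pool with PAT" and "Backing Up PAT Addresses by Using Multiple PATs" slides, as a small Python model (an added example, not Cisco's code or the PIX implementation): rules are consulted in the listed order, a single address in a global command becomes a PAT address, and PAT source ports start at 1024 with a per-address cap that is an assumption of the model.

```python
import ipaddress


class PixNat:
    def __init__(self, pat_ports=64512):   # ports per PAT address: assumed, not from the slide
        self.statics = {}   # (iface, real) -> mapped global address
        self.nats = []      # (iface, nat_id, network) in configuration order
        self.globals = {}   # (out_iface, nat_id) -> [("nat", [addrs]) | ("pat", addr)]
        self.xlates = {}    # (iface, local) -> (global, None); (iface, local, sport) -> (global, port)
        self.used = set()   # pool addresses currently handed out
        self.pat_next = {}  # PAT address -> next free source port, starting at 1024
        self.pat_ports = pat_ports

    def static(self, iface, out_iface, mapped, real):
        self.statics[(iface, real)] = mapped

    def nat(self, iface, nat_id, network, mask):
        self.nats.append((iface, nat_id, ipaddress.ip_network(f"{network}/{mask}")))

    def global_(self, out_iface, nat_id, spec):
        if "-" in spec:                                   # address range = NAT pool
            lo, hi = (int(ipaddress.ip_address(a)) for a in spec.split("-"))
            entry = ("nat", [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)])
        else:                                             # single address = PAT
            entry = ("pat", spec)
        self.globals.setdefault((out_iface, nat_id), []).append(entry)

    def translate(self, iface, out_iface, src, sport):
        """Return (global_addr, global_port), or None when the packet is dropped."""
        for key in ((iface, src), (iface, src, sport)):   # 1. existing xlate slot
            if key in self.xlates:
                g, port = self.xlates[key]
                return (g, sport if port is None else port)
        if (iface, src) in self.statics:                  # 2. static rule
            self.xlates[(iface, src)] = (self.statics[(iface, src)], None)
            return (self.statics[(iface, src)], sport)
        for n_iface, nat_id, net in self.nats:            # 3. dynamic rule
            if n_iface == iface and ipaddress.ip_address(src) in net:
                for kind, g in self.globals.get((out_iface, nat_id), []):
                    if kind == "nat":                     # pool of the destination interface
                        free = next((a for a in g if a not in self.used), None)
                        if free is not None:
                            self.used.add(free)
                            self.xlates[(iface, src)] = (free, None)
                            return (free, sport)
                    else:                                 # PAT once the pool is exhausted
                        port = self.pat_next.get(g, 1024)
                        if port < 1024 + self.pat_ports:
                            self.pat_next[g] = port + 1
                            self.xlates[(iface, src, sport)] = (g, port)
                            return (g, port)
        return None                                       # 4. nothing matched: dropped


def demo_augmented_pool():
    """Slide config: pool 192.168.0.20-253, then PAT on 192.168.0.254 (pool shortened here)."""
    pix = PixNat()
    pix.nat("inside", 1, "10.0.0.0", "255.255.0.0")
    pix.global_("outside", 1, "192.168.0.20-192.168.0.21")   # .20-.253 on the slide
    pix.global_("outside", 1, "192.168.0.254")
    return [pix.translate("inside", "outside", "10.0.1.%d" % i, 1026) for i in (1, 2, 3, 4)]
```

With the two-address pool the third and fourth inside hosts fall through to PAT on 192.168.0.254, and a source that matches no nat rule (for example 172.18.0.5 on the inside interface) is dropped.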
Configuring Multiple Interfaces
Additional Interface Support
• Supports up to eight additional interfaces.
• Increases the security of publicly available services.
• Easily interconnects multiple extranets or partner networks.
• Easily configured with standard PIX Firewall commands.
Diagram: PIX Firewall with interfaces e0 (outside), e1 (inside) and additional interfaces e2 through e9.
Configuring Three Interfaces
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
Diagram: inside network 10.0.0.0/24 (PIX interface .1); DMZ (PIX interface .1) with a server at 172.16.0.2 statically mapped to 192.168.0.11 and a DMZ global pool starting at 172.16.0.20; outside interface .2 with a global pool starting at 192.168.0.20, toward the Internet.
Configuring Four Interfaces
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec40
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
pixfirewall(config)# ip address partnernet 172.18.0.1 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
pixfirewall(config)# static (dmz,partnernet) 172.18.0.11 172.16.0.2
Diagram: inside network 10.0.0.0/24 (PIX interface .1); DMZ (PIX interface .1) with a server at 172.16.0.2, a DMZ global pool starting at 172.16.0.20, and static mappings of 172.16.0.2 to 192.168.0.11 (outside) and 172.18.0.11 (partnernet); partnernet 172.18.0.0/24 (PIX interface .1); outside global pool starting at 192.168.0.20, toward the Internet.
Summary
• The PIX Firewall manages the TCP and UDP protocols through the use of a translation table (for NAT sessions) and a connection table (for TCP and UDP sessions).
• The static command creates a permanent translation.
• Mapping between local and global address pool is done dynamically with the nat command.
• The nat and global commands work together to hide internal IP addresses.
• The PIX Firewall supports PAT.
• Configuring multiple interfaces requires more attention to detail but can be done with standard PIX Firewall commands.
Lab Exercise
Lab Visual Objective
Lab diagram: pods 1–5 (P) and pods 6–10 (Q). In each pod a student PC (local 10.0.P.11 on 10.0.P.0) sits behind a PIX Firewall (inside .1, outside .2 on 192.168.P.0) with a Web/FTP and CSACS server on the inside, a DMZ 172.16.P.0 holding the "bastionhost" Web/FTP server at .2, and RTS at .100; RBB connects the pods to 172.26.26.0, where Web/FTP hosts sit at .50 and .150.