
Lesson 6

Translations and Connections

© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—6-1




Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
• Describe how the TCP and UDP protocols function within the PIX Firewall.
• Describe how static and dynamic translations function.
• Configure the PIX Firewall to permit outbound connections.
• Explain the PIX Firewall PAT feature.


Transport Protocols



Sessions in an IP World

In an IP world, a network session is a transaction between two end systems. It is carried out primarily over two transport layer protocols:
• TCP
• UDP


TCP

• TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol.
• TCP features:
  – Sequencing and acknowledgement of data.
  – A defined state machine (open connection, data flow, retransmit, close connection).
  – Congestion detection and avoidance mechanisms.


TCP Initialization—Inside to Outside

[Figure: the inside host 10.0.0.11 opens a Telnet session to 172.30.0.50 through the PIX Firewall. Packet #1 is the SYN on the private network and #2 the same SYN after translation on the public network; #3 is the SYN-ACK reply as it arrives from the public network and #4 the reply after untranslation on the private network.]

SYN, inside to outside (no data):
                        #1 (private)    #2 (public)
  Source address        10.0.0.11       192.168.0.20
  Destination address   172.30.0.50     172.30.0.50
  Source port           1026            1026
  Destination port      23              23
  Initial sequence #    49091           49769
  Ack                   -               -
  Flag                  Syn             Syn

The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created and the embryonic connection counter is started.

SYN-ACK, outside to inside:
                        #3 (public)     #4 (private)
  Source address        172.30.0.50     172.30.0.50
  Destination address   192.168.0.20    10.0.0.11
  Source port           23              23
  Destination port      1026            1026
  Initial sequence #    92513           92513
  Ack                   49770           49092
  Flag                  Syn-Ack         Syn-Ack

The PIX Firewall follows the Adaptive Security Algorithm:
• (source IP, source port, destination IP, destination port) check
• Sequence number check
• Translation check


TCP Initialization—Inside to Outside (Cont.)

ACK, inside to outside:
                        #5 (private)    #6 (public)
  Source address        10.0.0.11       192.168.0.20
  Destination address   172.30.0.50     172.30.0.50
  Source port           1026            1026
  Destination port      23              23
  Initial sequence #    49092           49770
  Ack                   92514           92514
  Flag                  Ack             Ack

The PIX Firewall resets the embryonic counter for this client. It then increases the connection counter for this host. From here on data flows, strictly following the Adaptive Security Algorithm.
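
An added example, not from the course: a Python model of the handshake tracking shown in the tables above, using the slide's addresses, ports and sequence numbers. The fixed offset standing in for ISN randomization, the state names and the class itself are assumptions, not PIX code.

```python
from collections import namedtuple

# One packet as the PIX sees it (constructed for this example).
Pkt = namedtuple("Pkt", "src dst sport dport seq ack flags")


class PixTcpTracker:
    """Model of PIX connection setup for an inside-to-outside TCP session.
    isn_offset is an assumed fixed shift standing in for ISN randomization."""

    def __init__(self, global_ip, isn_offset):
        self.global_ip = global_ip
        self.isn_offset = isn_offset
        self.xlate = {}        # local ip -> global ip (translation slot)
        self.conns = {}        # (local, lport, remote, rport) -> conn record
        self.embryonic = {}    # local ip -> half-open connection count
        self.established = {}  # local ip -> completed connection count

    def outbound(self, p):
        """Packet from the private side: returns the translated packet or None."""
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "SYN":
            # #1: create the translation slot if missing, then the connection,
            # and start the embryonic (half-open) counter for this client.
            self.xlate.setdefault(p.src, self.global_ip)
            self.conns[key] = {"state": "SYN_SENT", "isn_out": p.seq + self.isn_offset}
            self.embryonic[p.src] = self.embryonic.get(p.src, 0) + 1
        elif p.flags == "ACK":
            c = self.conns.get(key)
            if c is None or c["state"] not in ("SYN_RECEIVED", "ESTABLISHED"):
                return None            # no matching connection: dropped
            if c["state"] == "SYN_RECEIVED":
                # #5: handshake complete - reset embryonic, count the connection.
                c["state"] = "ESTABLISHED"
                self.embryonic[p.src] -= 1
                self.established[p.src] = self.established.get(p.src, 0) + 1
        else:
            return None
        return p._replace(src=self.xlate[p.src], seq=p.seq + self.isn_offset)

    def inbound(self, p):
        """Packet from the public side: ASA checks, then untranslation."""
        # Translation check: the destination must be a known global address.
        local = next((l for l, g in self.xlate.items() if g == p.dst), None)
        if local is None:
            return None
        # (source IP, source port, destination IP, destination port) check
        c = self.conns.get((local, p.dport, p.src, p.sport))
        if c is None or c["state"] != "SYN_SENT" or p.flags != "SYN-ACK":
            return None
        # Sequence number check: ack must equal the ISN the outside saw, plus one.
        if p.ack != c["isn_out"] + 1:
            return None
        c["state"] = "SYN_RECEIVED"
        # #4: untranslate and move the ack back into the inside host's ISN space.
        return p._replace(dst=local, ack=p.ack - self.isn_offset)
```

A SYN-ACK whose acknowledgement number does not match the translated ISN, or whose destination is not a known global address, is returned as None, which is the model's equivalent of the firewall dropping it.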


UDP

• Connectionless protocol.
• Efficient protocol for some services.
• Resourceful but difficult to secure.



UDP (Cont.)

[Figure: the inside host 10.0.0.11 sends a UDP datagram to 172.30.0.50 through the PIX Firewall. #1 is the datagram on the private network and #2 the same datagram after translation on the public network; #3 is the response as it arrives from the public network and #4 the response after untranslation on the private network.]

Request, inside to outside:
                        #1 (private)    #2 (public)
  Source address        10.0.0.11       192.168.0.20
  Destination address   172.30.0.50     172.30.0.50
  Source port           1028            1028
  Destination port      45000           45000

The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.

Response, outside to inside:
                        #3 (public)     #4 (private)
  Source address        172.30.0.50     172.30.0.50
  Destination address   192.168.0.20    10.0.0.11
  Source port           45000           45000
  Destination port      1028            1028

All UDP responses arrive from outside and within the UDP user-configurable timeout (default = 2 minutes). The PIX Firewall follows the Adaptive Security Algorithm:
• (source IP, source port, destination IP, destination port) check
• Translation check


Network Address Translations



Addressing Scenarios

[Figure: NAT. Inside hosts 10.0.0.11 and 10.0.0.4 reach the Internet through the PIX Firewall; 10.0.0.11 appears on the outside as 192.168.6.1.]

• NAT was created to overcome several addressing problems that occurred with the expansion of the Internet:
  – Mitigate global address depletion
  – Use RFC 1918 addresses internally
  – Conserve internal address plan
• Additionally, NAT increases security by hiding the internal topology

Access Through the PIX Firewall

[Figure: e0 outside (security level 0, less secure) and e1 inside (security level 100, more secure), with the Internet on the outside. Traffic from the more secure to the less secure interface requires nat and global (or static); traffic from the less secure to the more secure interface requires static and access list (or static and conduit).]


Inside Address Translations

[Figure: NAT. Dynamic translation: inside host 10.0.0.4 is translated to an address from the outside global IP address pool 192.168.6.20-254. Static translation: the inside WWW server 10.0.0.11 is translated to the outside global IP address 192.168.6.10.]

Inside NAT—Translates addresses of hosts on a higher security level to a less secure interface:
• Dynamic translation
• Static translation

Dynamic Inside NAT

[Figure: NAT. Inside hosts 10.0.0.11 and 10.0.0.4 reach the Internet through the PIX Firewall; 10.0.0.11 appears on the outside as 192.168.0.20.]

• Dynamic translations
  pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
  pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0


Two Interfaces with NAT

[Figure: inside networks 10.0.0.0/24 and 10.2.0.0/24 behind the PIX Firewall, outside network 192.168.0.0 toward the Internet. Global pool 192.168.0.3-14 serves 10.0.0.0/24 and global pool 192.168.0.17-30 serves 10.2.0.0/24.]

• All hosts on the inside networks can start outbound connections.
• A separate global pool is used for each internal network.
  pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
  pixfirewall(config)# nat (inside) 2 10.2.0.0 255.255.255.0
  pixfirewall(config)# global (outside) 1 192.168.0.3-192.168.0.14 netmask 255.255.255.0
  pixfirewall(config)# global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.0

Three Interfaces with NAT

[Figure: inside network 10.0.0.0, a DMZ, and outside network 192.168.0.0 toward the Internet. Global pool 192.168.0.20-254 on the outside interface; global pool 172.16.0.20-254 on the DMZ interface.]

• Inside users can start outbound connections to both the DMZ and the Internet.
• The nat (dmz) command gives DMZ services access to the Internet.
• The global (dmz) command gives inside users access to the DMZ web server.
  pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
  pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
  pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
  pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0


Port Address Translation

• PAT is a combination of an IP address and a source port number.
• Many different sessions can be multiplexed over a single global IP address.
• Session distinction is made via different port numbers.

[Figure: PAT. Inside host 10.0.0.11 appears on the outside as 192.168.0.20 port 2000; inside host 10.0.0.4 appears on the outside as 192.168.0.20 port 2001.]


PAT Example

  pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
  pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
  pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1
  pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.0.0
  pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.255

[Figure: outside network 192.168.0.0 (router .1, PIX .2) with global address 192.168.0.9; inside network 10.0.0.0 (PIX .1) with the Engineering subnet 10.0.1.0 and the Sales subnet 10.0.2.0.]

• Outside IP addresses are typically registered with InterNIC.
• Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.9 for outgoing access.
• Assign a single IP address (192.168.0.9) to the global pool.
• Source port changed to a unique number greater than 1023.

PAT Using Outside Interface Address

  pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
  pixfirewall(config)# ip address outside dhcp
  pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.0.0
  pixfirewall(config)# global (outside) 1 interface

[Figure: outside network 192.168.0.0 (router .1, PIX .2) with the PIX outside interface address 192.168.0.2 as the global address; inside network 10.0.0.0 (PIX .1) with the Engineering subnet 10.0.1.0 and the Sales subnet 10.0.2.0.]

• The interface option of the global command enables use of the outside interface as the PAT address.
• The source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.2 for outgoing access.
• The source port is changed to a unique number greater than 1024.


Mapping Subnets to PAT Addresses

  pixfirewall(config)# nat (inside) 1 10.0.1.0 255.255.255.0
  pixfirewall(config)# nat (inside) 2 10.0.2.0 255.255.255.0
  pixfirewall(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.0
  pixfirewall(config)# global (outside) 2 192.168.0.9 netmask 255.255.255.0

[Figure: outside network 192.168.0.0 (router .1, PIX .2) with PAT addresses 192.168.0.8 and 192.168.0.9; inside network 10.0.0.0 (PIX .1) with the Engineering subnet 10.0.1.0 and the Sales subnet 10.0.2.0.]

• Each internal subnet is mapped to a different PAT address.
• Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.
• Source addresses of hosts in network 10.0.2.0 are translated to 192.168.0.9 for outgoing access.
• The source port is changed to a unique number greater than 1023.

Backing Up PAT Addresses by Using Multiple PATs

  pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.0.0
  pixfirewall(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.0
  pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0

[Figure: outside network 192.168.0.0 (router .1, PIX .2) with PAT addresses 192.168.0.8 and 192.168.0.9; inside network 10.0.0.0 (PIX .1) with the Engineering subnet 10.0.1.0 and the Sales subnet 10.0.2.0.]

• Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.
• Address 192.168.0.9 will be used only when the port pool from 192.168.0.8 is at maximum capacity.


Augmenting a Global Pool with PAT

  pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.0.0
  pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.253 netmask 255.255.255.0
  pixfirewall(config)# global (outside) 1 192.168.0.254 netmask 255.255.255.0

[Figure: outside network 192.168.0.0 (router .1, PIX .2) with the NAT pool starting at 192.168.0.20 and the PAT address 192.168.0.254; inside network 10.0.0.0 (PIX .1) with the Engineering subnet 10.0.1.0 and the Sales subnet 10.0.2.0.]

• When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20–192.168.0.253 range.
• When the addresses from the global pool are exhausted, PAT begins with IP address 192.168.0.254.


Static NAT



static Command

[Figure: static translation. The inside DNS server 10.0.0.11 appears on the outside (toward the Internet) as 192.168.0.10.]

• Used to create a permanent translation between an inside IP address and a specific global IP address
• Recommended for internal service hosts


static Command (Cont.)

[Figure: static mapping. The inside DNS server 10.0.0.11 appears on the outside (toward the Internet) as 192.168.0.10.]

  pixfirewall(config)# static [(prenat_interface, postnat_interface)] {mapped_address | interface} real_address [netmask mask]

• Packet sent from 10.0.0.11 translated to 192.168.0.10
• Permanently maps a single IP address
• Recommended for internal service hosts

  pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255

Identity NAT (NAT 0)



Identity NAT—nat 0 Command

[Figure: the DMZ Internet server 192.168.0.9 behind the PIX Firewall keeps the address 192.168.0.9 on the outside when reaching www.cisco.com; inside host 10.0.0.15.]

• Identity NAT is used to create a transparent mapping.
• IP addresses on the inside appear on the outside without translation.


Identity NAT—nat 0 Command (Cont.)

[Figure: the DMZ Internet server 192.168.0.9 behind the PIX Firewall keeps the address 192.168.0.9 on the outside when reaching www.cisco.com.]

• NAT 0 ensures that the Internet server is not translated.
• ASA remains in effect with NAT 0.
  pixfirewall(config)# nat (dmz) 0 192.168.0.9 255.255.255.255




Policy NAT

[Figure: inside hosts 10.0.0.15 and 10.0.0.4 reach the Telnet server 192.168.10.11 across the Internet through global address 192.168.0.9 and the Web server 192.168.10.4 through global address 192.168.0.21.]

• Identify local traffic for address translation by specifying the source and destination addresses in an access list.
• Apply the access list to the nat or static command.

Policy NAT—nat plus acl Command

[Figure: inside hosts 10.0.0.15 and 10.0.0.4 reach the Telnet server 192.168.10.11 through global address 192.168.0.9 and the Web server 192.168.10.4 through global address 192.168.0.21.]

  pix1(config)# access-list NET1 permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.11 eq 23
  pix1(config)# nat (inside) 10 access-list NET1
  pix1(config)# global (outside) 10 192.168.0.9 netmask 255.255.255.255
  pix1(config)# access-list NET2 permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.4 eq 80
  pix1(config)# nat (inside) 11 access-list NET2
  pix1(config)# global (outside) 11 192.168.0.21 netmask 255.255.255.255


Policy NAT—static plus acl Command

[Figure: inside hosts 10.0.0.15 and 10.0.0.4 reach the Telnet server 192.168.10.11 through global address 192.168.0.9 and the Web server 192.168.10.4 through global address 192.168.0.21.]

  pix1(config)# access-list NET1 permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.11 eq 23
  pix1(config)# static (inside,outside) 192.168.0.9 access-list NET1
  pix1(config)# access-list NET2 permit tcp 10.0.0.0 255.255.255.0 host 192.168.10.4 eq 80
  pix1(config)# static (inside,outside) 192.168.0.21 access-list NET2


Connections and Translations



Connections vs. Translations

[Figure: inside hosts 10.0.0.11 and 10.0.0.4 behind the PIX Firewall. 10.0.0.11 is translated to 192.168.0.20 and carries a Telnet and an HTTP connection to 192.168.10.11 across the Internet; 192.168.10.5 is also shown on the outside.]

                Outside (global pool)     Inside (local)
  Translation   192.168.0.20              10.0.0.11
  Connection    192.168.10.11:23          10.0.0.11:1026
  Connection    192.168.10.11:80          10.0.0.11:1027

• Translations (xlates)—IP address to IP address translation
• Connections (conns)—TCP or UDP sessions

show conn Command

[Figure: a connection from inside host 10.0.0.11 to 192.168.10.11 across the Internet; 10.0.0.4 is also on the inside.]

  pixfirewall# show conn
• Enables you to view all active connections

  pixfirewall#show conn
  1 in use, 2 most used
  TCP out 192.168.10.11:23 in 10.0.0.11:1026 idle 0:00:22 Bytes 1774 flags UIO

show xlate Command

[Figure: the translation of inside host 10.0.0.11 to 192.168.0.20, used toward 192.168.10.11 across the Internet; 10.0.0.4 is also on the inside.]

  pixfirewall# show xlate
• Enables you to view translation slot information

  pixfirewall#show xlate
  1 in use, 2 most used
  Global 192.168.0.20 Local 10.0.0.11

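
An added example, not part of the course material: a parser for the show conn and show xlate output above that groups each connection under the translation slot its local host uses, which is the one-xlate-to-many-conns relationship of the Connections vs. Translations slide. The output lines beyond the ones on the slides are constructed.

```python
import re

# Constructed "show conn" output: the first connection line is the slide's,
# the other two are made up (the HTTP conn from the Connections vs.
# Translations slide and a UDP conn from a host with no xlate line).
SHOW_CONN = """pixfirewall#show conn
3 in use, 3 most used
TCP out 192.168.10.11:23 in 10.0.0.11:1026 idle 0:00:22 Bytes 1774 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.11:1027 idle 0:01:05 Bytes 2048 flags UIO
UDP out 172.30.0.50:45000 in 10.0.0.4:1028 idle 0:00:10 Bytes 96 flags -
"""

SHOW_XLATE = """pixfirewall#show xlate
1 in use, 2 most used
Global 192.168.0.20 Local 10.0.0.11
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<rip>[\d.]+):(?P<rport>\d+) "
    r"in (?P<lip>[\d.]+):(?P<lport>\d+) idle (?P<idle>\d+:\d\d:\d\d)"
    r"(?: Bytes (?P<bytes>\d+))?(?: flags (?P<flags>\S+))?$")
XLATE_RE = re.compile(r"^Global (?P<gip>[\d.]+) Local (?P<lip>[\d.]+)$")


def parse_conns(text):
    """One dict per connection line; idle time is also given in seconds."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue            # prompt, "N in use" header or unknown line
        c = m.groupdict()
        h, mi, s = (int(x) for x in c["idle"].split(":"))
        c["idle_s"] = h * 3600 + mi * 60 + s
        conns.append(c)
    return conns


def parse_xlates(text):
    """Map local address -> global address for each translation slot."""
    xlates = {}
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            xlates[m["lip"]] = m["gip"]
    return xlates


def conns_by_xlate(conns, xlates):
    """Group connections under the (global, local) slot they ride on.
    A conn whose local host shows no xlate is filed under None: worth a
    look, since a packet is only switched when it matches a slot."""
    grouped = {}
    for c in conns:
        g = xlates.get(c["lip"])
        key = (g, c["lip"]) if g else None
        grouped.setdefault(key, []).append(f'{c["proto"]} {c["rip"]}:{c["rport"]}')
    return grouped
```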
PIX Firewall NAT Philosophy

[Figure: NAT. Inside hosts 10.0.0.11 and 10.0.0.4; 10.0.0.11 is translated to 192.168.0.20 to reach 192.168.10.11 across the Internet.]

• With the PIX Firewall, translation rules are always configured between pairs of interfaces.
• A packet cannot be switched across the PIX Firewall if it does not match a translation slot in the xlate table.
• If there is no translation slot, the PIX Firewall will try to create a translation slot from its translation rules.
• Otherwise, the packet is dropped.

PIX Firewall NAT Algorithm—Outbound Packet Flow

• A packet arrives at an inside interface:
  – PIX Firewall consults the access rules first.
  – PIX Firewall makes a routing decision to determine the outbound interface.
• Source address is checked against the local addresses in the xlate table:
  – If found, SA is translated according to the xlate slot.
• Otherwise, PIX Firewall looks for a static translation rule from this interface:
  – If found, an xlate slot is created, and SA is translated.
• Otherwise, PIX Firewall looks for a dynamic translation rule from this interface:
  – If found, an xlate slot is created from the destination interface address pool, and the SA is translated.
• Otherwise the packet is dropped.

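
An added example, not Cisco course code: a Python model of the outbound decision listed above, which also covers the pool-exhaustion fallback of the Augmenting a Global Pool with PAT slide. As simplifying assumptions, the access-rule and routing steps are taken as already passed, interface pairs and the netmask keyword are left out, and the PAT slot is keyed per local host rather than per source port.

```python
import ipaddress


class PixNatTable:
    """Outbound translation decision: existing xlate -> static -> dynamic
    (pool first, then the single-address PAT entry of the same nat_id) -> drop.
    Assumption for brevity: slots are keyed per local host, whereas a real
    PAT xlate is per source port."""

    def __init__(self):
        self.xlate = {}       # local ip -> (global ip, pat port or None)
        self.statics = {}     # local ip -> global ip
        self.nat_rules = []   # (nat_id, local network), in configuration order
        self.globals = {}     # nat_id -> {"pool": [free ips], "pat": ip or None}
        self.pat_next = {}    # pat ip -> next unused source port (> 1023)

    def static(self, global_ip, local_ip):
        """static (inside,outside) global_ip local_ip"""
        self.statics[local_ip] = global_ip

    def nat(self, nat_id, net, mask):
        """nat (inside) nat_id net mask"""
        self.nat_rules.append((nat_id, ipaddress.ip_network(f"{net}/{mask}")))

    def global_(self, nat_id, first, last=None):
        """global (outside) nat_id first[-last]; a single address means PAT."""
        g = self.globals.setdefault(nat_id, {"pool": [], "pat": None})
        if last is None:
            g["pat"] = first
            return
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        g["pool"].extend(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))

    def translate(self, src):
        """Return the (global ip, port) slot used for src, or None if dropped."""
        if src in self.xlate:                       # 1. existing xlate slot
            return self.xlate[src]
        if src in self.statics:                     # 2. static translation rule
            self.xlate[src] = (self.statics[src], None)
            return self.xlate[src]
        for nat_id, net in self.nat_rules:          # 3. dynamic translation rule
            if ipaddress.ip_address(src) not in net:
                continue
            g = self.globals.get(nat_id, {"pool": [], "pat": None})
            if g["pool"]:                           # address from the global pool
                self.xlate[src] = (g["pool"].pop(0), None)
            elif g["pat"]:                          # pool exhausted: fall back to PAT
                port = self.pat_next.get(g["pat"], 1024)
                self.pat_next[g["pat"]] = port + 1
                self.xlate[src] = (g["pat"], port)
            else:
                break                               # rule without a global: drop
            return self.xlate[src]
        return None                                 # 4. no rule matched: drop
```

The model returns None for a source address no rule covers, which corresponds to the drop in the last step of the flow.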
Configuring Multiple Interfaces



Additional Interface Support

[Figure: a PIX Firewall with interfaces e0 (Outside) through e9, e1 being Inside.]

• Supports up to eight additional interfaces.
• Increases the security of publicly available services.
• Easily interconnects multiple extranets or partner networks.
• Easily configured with standard PIX Firewall commands.


Configuring Three Interfaces

[Figure: outside network 192.168.0.0 (PIX .2) toward the Internet, inside network 10.0.0.0/24 (PIX .1), and DMZ network 172.16.0.0 (PIX .1) with a server at 172.16.0.2 reachable from the outside as 192.168.0.11; global pools 192.168.0.20-254 on the outside and 172.16.0.20-254 on the DMZ.]

  pixfirewall(config)# nameif ethernet0 outside sec0
  pixfirewall(config)# nameif ethernet1 inside sec100
  pixfirewall(config)# nameif ethernet2 dmz sec50
  pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
  pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
  pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
  pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
  pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
  pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
  pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2


Configuring Four Interfaces

[Figure: outside network 192.168.0.0 (PIX .2) toward the Internet, inside network 10.0.0.0/24 (PIX .1), DMZ network 172.16.0.0 (PIX .1) with a server at 172.16.0.2, and partnernet 172.18.0.0/24 (PIX .1). The DMZ server is reachable as 192.168.0.11 from the outside and as 172.18.0.11 from the partnernet; global pools 192.168.0.20-254 on the outside and 172.16.0.20-254 on the DMZ.]

  pixfirewall(config)# nameif ethernet0 outside sec0
  pixfirewall(config)# nameif ethernet1 inside sec100
  pixfirewall(config)# nameif ethernet2 dmz sec50
  pixfirewall(config)# nameif ethernet3 partnernet sec40
  pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
  pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
  pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
  pixfirewall(config)# ip address partnernet 172.18.0.1 255.255.255.0
  pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
  pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
  pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
  pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
  pixfirewall(config)# static (dmz,partnernet) 172.18.0.11 172.16.0.2




Summary

• The PIX Firewall manages the TCP and UDP protocols through the use of a translation table (for NAT sessions) and a connection table (for TCP and UDP sessions).
• The static command creates a permanent translation.
• Mapping between local and global address pool is done dynamically with the nat command.
• The nat and global commands work together to hide internal IP addresses.
• The PIX Firewall supports PAT.
• Configuring multiple interfaces requires more attention to detail but can be done with standard PIX Firewall commands.

Lab Exercise



Lab Visual Objective

[Figure: lab topology. A backbone router RBB on 172.26.26.0 (.1), with Web/FTP hosts at .50 and .150, connects pods 1–5 on 192.168.P.0 and pods 6–10 on 192.168.Q.0 (RBB .1, PIX outside .2). In each pod the PIX Firewall fronts a DMZ 172.16.P.0 / 172.16.Q.0 (PIX .1) with a Web/FTP "bastionhost" at .2, and an inside network 10.0.P.0 / 10.0.Q.0 (PIX .1) with an RTS host at .100 and the student PC (Web/FTP, CSACS; local address 10.0.P.11 / 10.0.Q.11).]