© 2003, Cisco Systems, Inc. All rights reserved. CSPFA 3.16-1 Chapter 6 Translations and Connections.

Transcript:

Chapter 6 Translations and Connections

Objectives

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
– Describe how the TCP and UDP protocols function within the PIX Firewall.
– Describe how static and dynamic translations function.
– Configure the PIX Firewall to permit inbound connections.
– Explain the PIX Firewall's PAT feature.

Objectives (cont.)
– Explain how to configure the PIX Firewall to perform port redirection.
– Explain how to configure the PIX Firewall to translate the IP address in a DNS A-record.
– Configure additional interfaces on the PIX Firewall.
– Test and verify correct PIX Firewall operation.

Transport Protocols

Sessions in an IP World
In an IP world, a network session is a transaction between two end systems. It is carried out primarily over two transport layer protocols:
– TCP
– UDP

TCP
TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol. TCP features:
– Sequencing and acknowledgement of data.
– A defined state machine (open connection, data flow, retransmit, close connection).
– Congestion detection and avoidance mechanisms.

TCP Initialization, Inside to Outside
[Slide diagram: a client on the private network sends a SYN through the PIX Firewall to a host on the public network, which answers with a SYN-ACK; no data is carried yet. The IP header (source address, destination address) and TCP header (source port, destination port, initial sequence number, SYN/ACK flags) are labelled.]
The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
The PIX Firewall follows the Adaptive Security Algorithm:
– (source IP, source port, destination IP, destination port) check
– Sequence number check
– Translation check
The embryonic connection counter is started.

TCP Initialization, Inside to Outside (cont.)
[Slide diagram: the client's ACK completes the handshake and data flows through the PIX Firewall between the private and public networks.]
The PIX Firewall resets the embryonic counter for this client. It then increases the connection counter for this host. It strictly follows the Adaptive Security Algorithm. Data flows.

UDP
– Connectionless protocol.
– Efficient protocol for some services.
– Resourceful but difficult to secure.

UDP (cont.)
[Slide diagram: a UDP datagram from the private network passes through the PIX Firewall to the public network; the IP header (source address, destination address) and transport header (source port, destination port) are labelled.]
The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.
The PIX Firewall follows the Adaptive Security Algorithm:
– (source IP, source port, destination IP, destination port) check
– Translation check
All UDP responses arrive from outside and within the UDP user-configurable timeout (default = 2 minutes).
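
The checks the TCP and UDP slides list can be followed step by step in a small model of the PIX connection table. The code below is an added example written for this transcript; it is not Cisco code and not part of the course. It assumes constructed addresses (10.0.1.11 as the inside client, 192.0.2.80 as the outside server), packets represented as Python dictionaries, and the 2-minute UDP timeout the slide gives as the default.

```python
"""Connection-table model for the TCP and UDP slides (added teaching example,
not Cisco PIX code). A translation slot is created on the first outbound
packet, a TCP connection stays embryonic until the three-way handshake
completes (sequence/acknowledgement numbers are checked on the way), and a UDP
connection only admits replies that arrive within the idle timeout. All hosts,
ports and packets are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

UDP_TIMEOUT = 120.0  # seconds: the slide's user-configurable default of 2 minutes
Key = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass
class Conn:
    proto: str
    last_seen: float
    embryonic: bool = True              # TCP: handshake not yet completed
    client_isn: Optional[int] = None    # initial sequence number in the outbound SYN
    server_isn: Optional[int] = None    # initial sequence number in the returning SYN-ACK


@dataclass
class PixState:
    xlates: Set[str] = field(default_factory=set)              # inside hosts holding a translation slot
    conns: Dict[Key, Conn] = field(default_factory=dict)       # connection table
    embryonic: Dict[str, int] = field(default_factory=dict)    # embryonic counter per inside host
    established: Dict[str, int] = field(default_factory=dict)  # connection counter per inside host

    def _bump(self, table, host, delta):
        table[host] = table.get(host, 0) + delta

    def outbound(self, pkt, now):
        """Inside -> outside packet; returns the verdict as a string."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        # Translation check: create the slot if none exists (the slide assumes the
        # nat/global, access-control and authentication checks have passed).
        self.xlates.add(pkt["src"])
        conn = self.conns.get(key)
        if pkt["proto"] == "udp":
            if conn is None:
                self.conns[key] = Conn("udp", now, embryonic=False)
                return "udp-conn-created"
            conn.last_seen = now
            return "udp-forwarded"
        flags = pkt["flags"]
        if conn is None:
            if flags != {"SYN"}:
                return "drop-no-conn"        # fails the (src, sport, dst, dport) check
            self.conns[key] = Conn("tcp", now, client_isn=pkt["seq"])
            self._bump(self.embryonic, pkt["src"], +1)   # start the embryonic counter
            return "tcp-embryonic"
        if conn.embryonic:
            # The handshake-completing ACK must acknowledge the server's ISN.
            if flags == {"ACK"} and conn.server_isn is not None and pkt["ack"] == conn.server_isn + 1:
                conn.embryonic = False
                conn.last_seen = now
                self._bump(self.embryonic, pkt["src"], -1)    # reset embryonic for this client
                self._bump(self.established, pkt["src"], +1)  # increase the connection counter
                return "tcp-established"
            return "drop-seq-check"
        conn.last_seen = now
        return "tcp-forwarded"

    def inbound(self, pkt, now):
        """Outside -> inside packet; only packets matching an existing conn pass."""
        key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])  # reversed tuple
        conn = self.conns.get(key)
        if conn is None:
            return "drop-no-conn"
        if conn.proto == "udp":
            if now - conn.last_seen > UDP_TIMEOUT:
                del self.conns[key]          # the UDP slot has timed out
                return "drop-udp-timeout"
            conn.last_seen = now
            return "udp-reply-forwarded"
        if conn.embryonic:
            # Sequence number check: the SYN-ACK must acknowledge the client's ISN.
            if pkt["flags"] == {"SYN", "ACK"} and pkt["ack"] == conn.client_isn + 1:
                conn.server_isn = pkt["seq"]
                return "tcp-synack-ok"
            return "drop-seq-check"
        conn.last_seen = now
        return "tcp-reply-forwarded"


def demo():
    """Run a constructed TCP handshake (with one bad SYN-ACK) and a UDP exchange through the model."""
    pix = PixState()
    client, server = "10.0.1.11", "192.0.2.80"  # constructed: inside host and outside server
    tcp = dict(proto="tcp", src=client, sport=40000, dst=server, dport=80)
    syn = dict(tcp, flags={"SYN"}, seq=1000, ack=0)
    synack = dict(proto="tcp", src=server, sport=80, dst=client, dport=40000,
                  flags={"SYN", "ACK"}, seq=5000, ack=1001)
    bad_synack = dict(synack, ack=9999)          # wrong acknowledgement: fails the sequence check
    ack = dict(tcp, flags={"ACK"}, seq=1001, ack=5001)
    query = dict(proto="udp", src=client, sport=50000, dst=server, dport=53)
    reply = dict(proto="udp", src=server, sport=53, dst=client, dport=50000)
    verdicts = [pix.outbound(syn, 0.0), pix.inbound(bad_synack, 0.1), pix.inbound(synack, 0.2),
                pix.outbound(ack, 0.3), pix.outbound(query, 10.0), pix.inbound(reply, 20.0),
                pix.inbound(reply, 200.0)]      # last reply arrives 180 s after the previous packet
    return verdicts, pix.embryonic[client], pix.established[client]


if __name__ == "__main__":
    print(demo())
```

Running demo() walks a SYN, a SYN-ACK with a wrong acknowledgement number (dropped by the sequence number check), the correct SYN-ACK and the completing ACK through the model, then a UDP query with one reply inside the timeout and one 180 seconds later, which is dropped because the slot has expired. The embryonic counter for the client ends at 0 and its connection counter at 1, which is the bookkeeping the two TCP Initialization slides describe.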

Network Address Translations

Connections versus Translations
– Translations (xlates): IP address to IP address translation.
– Connections (conns): TCP or UDP sessions.

Translation Types
Inside NAT translates addresses of hosts on higher security level (inside) interfaces:
– Dynamic
– Static
Outside NAT translates addresses of hosts on lower security level (outside) interfaces:
– Dynamic
– Static

Dynamic Inside Translations
Configures dynamic translations:
nat (inside)
global (outside) netmask
[Slide diagram: inside hosts are translated to addresses from a global pool on their way to the Internet.]

Two Interfaces with NAT
[Slide diagram: PIX Firewall with e0 outside (security level 0) toward a backbone router and the Internet, and e1 inside toward two internal networks hosting web and FTP servers.]
pixfirewall(config)# nat (inside)
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (outside) netmask
All hosts on the inside networks can start outbound connections. A separate global pool is used for each internal network.

Three Interfaces with NAT
[Slide diagram: PIX Firewall with e0 outside (security level 0) toward a backbone router and the Internet, e2 dmz (security level 50) with a bastionhost running web and FTP services, and e1 inside (security level 100) with a student PC.]
pixfirewall(config)# nat (inside)
pixfirewall(config)# nat (dmz)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (dmz) netmask
Inside users can start outbound connections to both the DMZ and the Internet. The nat (dmz) command gives DMZ services access to the Internet. The global (dmz) command gives inside users access to the web server on the DMZ.

static Command
pixfirewall(config)# static [(prenat_interface, postnat_interface)] mapped_address | interface real_address [netmask mask]
Maps a local IP address to a global IP address.
pixfirewall(config)# static (inside,outside) netmask
A packet sent from the real (inside) address leaves with the mapped (global) address as its source address. Permanently maps a single IP address. Recommended for internal service hosts.
[Slide diagram: internal host, PIX Firewall, backbone router.]

Static Inside Translations
pixfirewall(config)# static (inside, outside)
A packet from the DNS server's inside address leaves with the mapped global address as its source address. Permanently maps a single IP address. Recommended for internal service hosts like a DNS server.
[Slide diagram: inside DNS server, PIX Firewall, backbone router, Internet.]

nat Command for Outside NAT
pixfirewall(config)# nat [(if_name)] nat_id address [netmask] [outside] [dns] [timeout hh:mm:ss]
Addresses on the outside network are translated, and DNS replies that match the xlate are translated.
pixfirewall(config)# nat (outside) outside dns
pixfirewall(config)# global (inside) netmask
Enables dynamic outside NAT.

Dynamic Outside Translations
pixfirewall(config)# nat (outside) outside
pixfirewall(config)# global (inside) netmask
pixfirewall(config)# static (inside,outside)
pixfirewall(config)# access-list ACLIN permit host eq ftp
pixfirewall(config)# access-group ACLIN in interface outside
[Slide diagram: Routers A, B, C and D on the outside network attached to the PIX Firewall's outside interface (.1); a student PC and an FTP server on the inside interface.]

static Command for Outside NAT
pixfirewall(config)# static [(prenat_interface, postnat_interface)] mapped_address | interface real_address [dns] [netmask mask]
Enables static outside NAT.

Static Outside Translations
pixfirewall(config)# static (inside, outside) dns netmask
pixfirewall(config)# static (outside, inside) dns netmask
pixfirewall(config)# static (outside, inside) dns netmask
pixfirewall(config)# route outside
pixfirewall(config)# route outside
[Slide diagram: PIX Firewall between the inside network and an outside network holding a DNS server and an FTP server.]

Identity NAT
NAT 0 ensures that the specified address is not translated. The ASA remains in effect with NAT 0.
pixfirewall(config)# nat (inside)
pixfirewall(config)# show nat
nat will be non-translated
[Slide diagram: inside host, PIX Firewall, backbone router.]

xlate Command
clear xlate [global_ip [local_ip]]
Clears the contents of the translation slots.
pixfirewall(config)# show xlate
Enables you to view translation slot information.
pixfirewall(config)# show xlate
2 in use, 2 most used
Global P.20 Local insidehost
Global P.11 Local bastionhost
pixfirewall(config)#

Configuring DNS Support

alias Command
pixfirewall(config)# alias [(if_name)] dnat_ip foreign_ip [netmask]
– Can be used to do address translation on a destination address.
– Can be used to do DNS Doctoring.
pixfirewall(config)# alias (inside)
A client on the inside initiates DNS Doctoring: the IP address in the DNS reply is translated.

DNS Doctoring with the alias Command
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# static (inside,outside)
pixfirewall(config)# conduit permit tcp host eq www any
pixfirewall(config)# alias (inside)
[Slide diagram: a web client on the inside network 10.0.P.0 asks the outside DNS server "Who is cisco.com?"; the reply (cisco.com = the mapped address) passes back through the PIX Firewall, which rewrites the address, and the client then connects to the inside web server. Source and destination addresses are shown for each leg.]

Destination NAT with the alias Command
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# static (inside,outside)
pixfirewall(config)# conduit permit tcp eq www any
pixfirewall(config)# alias (inside)
[Slide diagram: same topology; the web client resolves cisco.com through the outside DNS server and the PIX Firewall translates the destination address of the client's connection so that it reaches the inside web server. Source and destination addresses are shown for each leg.]

DNS Record Translation
pixfirewall(config)# nat (inside) dns
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# static (inside,outside)
[Slide diagram: the web client on 10.0.P.0 asks "Who is cisco.com?"; the outside DNS server answers with the mapped address; the PIX Firewall, configured with the dns option, translates the A-record address in the reply, and the client connects to the inside web server. Source and destination addresses are shown for each leg.]
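
The rewrite that the alias Command and DNS Record Translation slides describe, an A record in a DNS reply carrying the global address of a static translation being changed to the real inside address, is shown below in working form. This is an added example for this transcript, not Cisco code and not a copy of the PIX implementation; the DNS reply bytes, the name www.example.com and the xlate 192.0.2.10 -> 10.0.1.10 are constructed for the demonstration.

```python
"""DNS A-record rewriting ("DNS Doctoring") as the alias command and the dns
keyword on nat/static perform it. Added teaching example, not Cisco PIX code:
it parses a DNS reply and, where an answer's A record carries the global
(mapped) address of a static translation, rewrites it to the real inside
address, so an inside client that resolved the name through an outside DNS
server connects to the inside server directly. Reply bytes and xlate table are
constructed."""
import socket
import struct

A_RECORD = 1
HEADER = struct.Struct("!HHHHHH")   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                           # the name occupies two bytes here
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(bytes(msg[off:off + length]).decode("ascii"))
        off += length


def doctor_reply(msg, global_to_local):
    """Return (rewritten reply, [(name, old_ip, new_ip), ...]) for A records that matched an xlate."""
    buf = bytearray(msg)
    _id, _flags, qdcount, ancount, _ns, _ar = HEADER.unpack_from(buf, 0)
    off = HEADER.size
    for _ in range(qdcount):                            # skip the question section
        _, off = read_name(buf, off)
        off += 4                                        # QTYPE + QCLASS
    changes = []
    for _ in range(ancount):
        name, off = read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            old_ip = socket.inet_ntoa(bytes(buf[off:off + 4]))
            new_ip = global_to_local.get(old_ip)
            if new_ip is not None:                      # address matches an xlate: rewrite in place
                buf[off:off + 4] = socket.inet_aton(new_ip)
                changes.append((name, old_ip, new_ip))
        off += rdlen
    return bytes(buf), changes


def build_reply(qname, ip, ttl=300, txid=0x1234):
    """Construct a minimal DNS response with one A record (test input, not captured traffic)."""
    qn = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    header = HEADER.pack(txid, 0x8180, 1, 1, 0, 0)      # standard response, no error
    question = qn + struct.pack("!HH", A_RECORD, 1)     # QTYPE A, QCLASS IN
    # The answer's owner name is a pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def demo():
    """Constructed static (inside,outside) 192.0.2.10 10.0.1.10: the reply's global address is doctored."""
    xlates = {"192.0.2.10": "10.0.1.10"}
    reply = build_reply("www.example.com", "192.0.2.10")
    doctored, changes = doctor_reply(reply, xlates)
    untouched = doctor_reply(doctored, xlates)[1]       # already a local address: nothing to rewrite
    return changes, untouched, socket.inet_ntoa(doctored[-4:])


if __name__ == "__main__":
    print(demo())
```

Only the four rdata bytes change; the name, TTL and the rest of the message are left as the outside DNS server sent them, so the message length is unchanged and the transaction ID still matches the client's query. A second pass over the doctored reply finds nothing to rewrite, because the inside address is not a key in the xlate table.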

Connections

Only Two Ways through the PIX Firewall
For a packet to traverse the PIX Firewall, it must pass two policies: NAT and access control. The following are the only two ways to pass these policies and gain access through the PIX Firewall:
– Valid user request: outbound communications.
– Pre-defined static and conduit: inbound communications.

Statics and Conduits
The static and conduit commands allow connections from a lower security interface to a higher security interface. The static command is used to create a permanent mapping between an inside IP address and a global IP address. The conduit command is an exception in the ASA's inbound security policy for a given host.
[Slide diagram: outside interface, security 0; inside interface, security 100.]

conduit Command
pixfirewall(config)# conduit permit|deny protocol global_ip global_mask [operator port[port]] foreign_ip foreign_mask [operator port[port]]
A conduit maps a specific IP address and TCP/UDP connection from the outside host to the inside host.
pixfirewall(config)# conduit permit tcp host eq ftp any
[Slide diagram: backbone router, PIX Firewall, inside host.]

Port Address Translation

Port Address Translation
[Slide diagram: inside hosts, the PAT global address and destination port, and the Internet.]

PAT Example
– Assign a single IP address to the global pool. IP addresses are typically registered with InterNIC.
– Source addresses of hosts in the inside network are translated to the single global address for outgoing access.
– The source port is changed to a unique number greater than
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
[Slide diagram: Sales, Engineering and Information Systems networks and a bastionhost behind the PIX Firewall; backbone router outside.]

PAT Using Outside Interface Address
– The interface option of the global command enables use of the outside interface as the PAT address.
– Source addresses of hosts in the inside network are translated to the outside interface address for outgoing access.
– The source port is changed to a unique number greater than
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) 1 interface
[Slide diagram: Sales, Engineering and Information Systems networks and a bastionhost behind the PIX Firewall; backbone router outside.]

Mapping Subnets to PAT Addresses
– Each internal subnet is mapped to a different PAT address.
– Source addresses of hosts in the first network are translated to the first PAT address for outgoing access.
– Source addresses of hosts in the second network are translated to the second PAT address for outgoing access.
– The source port is changed to a unique number greater than
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# nat (inside)
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (outside) netmask
[Slide diagram: Sales, Engineering and Information Systems networks and a bastionhost behind the PIX Firewall; backbone router outside.]

Backing up PAT Addresses by Using Multiple PATs
– Source addresses of hosts in the inside network are translated to the first PAT address for outgoing access.
– The second PAT address will only be used when the port pool from the first PAT address is at maximum capacity.
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (outside) netmask
[Slide diagram: Information Systems, Sales and Engineering networks and a bastionhost behind the PIX Firewall; backbone router outside.]

Augmenting a Global Pool with PAT
pixfirewall(config)# ip address (inside)
pixfirewall(config)# ip address (outside)
pixfirewall(config)# route (outside)
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (outside) netmask
When hosts on the inside network access the outside network through the firewall, they are assigned public addresses from the global pool range. When the addresses from the global pool are exhausted, PAT begins.
[Slide diagram: Sales, Engineering and Information Systems networks and a bastionhost behind the PIX Firewall; backbone router outside.]

Port Redirection

Port Redirection
Allows outside users to connect to a particular IP address or port and have the PIX Firewall redirect traffic to the appropriate inside server. External users direct FTP requests to a unique IP address; the PIX Firewall redirects the request to the inside FTP server.
pixfirewall(config)# static [(internal_if_name, external_if_name)] tcp|udp global_ip | interface global_port local_ip local_port [netmask mask]
pixfirewall(config)# static (inside,outside) tcp ftp ftp netmask

Port Redirection Example
pixfirewall(config)# static (inside,outside) tcp interface telnet telnet netmask
pixfirewall(config)# static (inside,outside) tcp www netmask
– The external user directs a Telnet request to the PIX Firewall's outside IP address. The PIX Firewall redirects the request to the inside host's Telnet port.
– The external user directs an HTTP port 8080 request to the PIX Firewall PAT address. The PIX Firewall redirects this request to the web server's port 80.
[Slide diagram: web server and Telnet host behind the PIX Firewall; backbone router and Internet outside.]
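
The allocation rules spread over the nat/global and static slides, the PAT slides (pool exhaustion, backup PAT addresses) and the Port Redirection slides above fit into one small model of the translation table. The code below is an added example for this transcript, not Cisco code and not the PIX implementation. Constructed values throughout: inside networks 10.0.1.0/24 and 10.0.3.0/24, global addresses in 192.0.2.0/24, and a deliberately tiny PAT source-port range so that the backup PAT address is reached within a few connections (the real range of translated ports is not something this model asserts).

```python
"""Translation-table (xlate) model for the nat/global, static, PAT and port
redirection slides. Added teaching example, not Cisco PIX code; all addresses
are constructed. Outbound: identity NAT (nat 0) leaves the address untouched,
a global pool hands out one-to-one addresses until exhausted, then the PAT
address takes over with a unique source port, and a second PAT address is used
only when the first one's port pool is full. Inbound: statics map a global
(address, port) back to the real host, which is how port redirection works."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Static:
    """static (inside,outside) [tcp|udp] global_ip [global_port] local_ip [local_port]"""
    global_ip: str
    local_ip: str
    proto: Optional[str] = None
    global_port: Optional[int] = None
    local_port: Optional[int] = None


@dataclass
class XlateTable:
    pat_ports: range = range(1024, 65536)    # assumed range of translated source ports
    nat_rules: List[Tuple[int, ipaddress.IPv4Network]] = field(default_factory=list)
    globals_: Dict[int, List[Tuple[str, List[str]]]] = field(default_factory=dict)
    statics: List[Static] = field(default_factory=list)
    nat_xlates: Dict[str, str] = field(default_factory=dict)                          # local -> global
    pat_xlates: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)  # (local, port) -> (pat, port)
    used_pool: Set[str] = field(default_factory=set)
    used_pat: Set[Tuple[str, int]] = field(default_factory=set)

    def nat(self, nat_id, network):
        """nat (inside) nat_id network mask; nat_id 0 is identity NAT."""
        self.nat_rules.append((nat_id, ipaddress.ip_network(network)))

    def add_global(self, nat_id, *addrs):
        """global (outside) nat_id addr[-addr]: a range is a pool, a single address is PAT."""
        kind = "pool" if len(addrs) > 1 else "pat"
        self.globals_.setdefault(nat_id, []).append((kind, list(addrs)))

    def outbound(self, local_ip, local_port):
        """Translate an inside (address, port); returns (global address, port) or None."""
        for s in self.statics:                 # a static for the host is used before dynamic rules
            if s.local_ip == local_ip and s.global_port is None:
                return s.global_ip, local_port
        addr = ipaddress.ip_address(local_ip)
        nat_id = next((nid for nid, net in self.nat_rules if addr in net), None)
        if nat_id is None:
            return None                        # no nat rule: the packet cannot be translated
        if nat_id == 0:
            return local_ip, local_port        # identity NAT: not translated
        if local_ip in self.nat_xlates:
            return self.nat_xlates[local_ip], local_port
        if (local_ip, local_port) in self.pat_xlates:
            return self.pat_xlates[(local_ip, local_port)]
        for kind, addrs in self.globals_.get(nat_id, []):   # configuration order
            if kind == "pool":
                free = next((a for a in addrs if a not in self.used_pool), None)
                if free is not None:
                    self.used_pool.add(free)
                    self.nat_xlates[local_ip] = free
                    return free, local_port
                continue                       # pool exhausted: PAT begins
            pat_ip = addrs[0]                  # the next PAT address is tried only when this one is full
            port = next((p for p in self.pat_ports if (pat_ip, p) not in self.used_pat), None)
            if port is not None:
                self.used_pat.add((pat_ip, port))
                self.pat_xlates[(local_ip, local_port)] = (pat_ip, port)
                return pat_ip, port
        return None                            # every global entry is exhausted

    def inbound(self, proto, global_ip, global_port):
        """Outside -> inside: find the real host behind a global (address, port)."""
        for s in self.statics:                 # port redirection: the port-specific static first
            if (s.global_ip, s.global_port) == (global_ip, global_port) and s.proto in (None, proto):
                return s.local_ip, s.local_port
        for s in self.statics:                 # plain static: the port is unchanged
            if s.global_ip == global_ip and s.global_port is None:
                return s.local_ip, global_port
        for (lip, lport), mapped in self.pat_xlates.items():   # reply to a PAT session
            if mapped == (global_ip, global_port):
                return lip, lport
        for lip, gip in self.nat_xlates.items():               # reply to a NAT session
            if gip == global_ip:
                return lip, global_port
        return None                            # no xlate: dropped (access policy is a separate check)


def demo():
    """Constructed configuration mirroring the slides: nat 0, a two-address pool, PAT with a backup."""
    t = XlateTable(pat_ports=range(1024, 1026))          # tiny PAT range so exhaustion is visible
    t.nat(0, "10.0.3.0/24")                               # nat (inside) 0 10.0.3.0 255.255.255.0
    t.nat(1, "10.0.1.0/24")                               # nat (inside) 1 10.0.1.0 255.255.255.0
    t.add_global(1, "192.0.2.20", "192.0.2.21")           # global (outside) 1 192.0.2.20-192.0.2.21
    t.add_global(1, "192.0.2.22")                         # global (outside) 1 192.0.2.22 (PAT)
    t.add_global(1, "192.0.2.23")                         # global (outside) 1 192.0.2.23 (backup PAT)
    t.statics.append(Static("192.0.2.10", "10.0.1.10"))   # static (inside,outside) 192.0.2.10 10.0.1.10
    t.statics.append(Static("192.0.2.1", "10.0.1.30", "tcp", 8080, 80))  # port redirection 8080 -> www
    out = [t.outbound(h, p) for h, p in [("10.0.3.5", 5000), ("10.0.1.11", 40000), ("10.0.1.12", 40000),
                                         ("10.0.1.13", 40000), ("10.0.1.14", 40000), ("10.0.1.15", 40000),
                                         ("10.0.1.10", 25)]]
    inb = [t.inbound("tcp", "192.0.2.1", 8080), t.inbound("tcp", "192.0.2.10", 21),
           t.inbound("tcp", "192.0.2.22", 1025), t.inbound("tcp", "192.0.2.99", 80)]
    return out, inb


if __name__ == "__main__":
    print(demo())
```

In demo(), the host on the nat 0 network passes untranslated, the first two hosts on 10.0.1.0/24 take the two pool addresses, the next two are translated to the first PAT address with distinct source ports, and the fifth host reaches the backup PAT address only because the first one's (tiny) port pool is full. Inbound, the port-redirection static turns a request to 192.0.2.1 port 8080 into 10.0.1.30 port 80, the plain static passes the port unchanged, a reply to the PAT session is mapped back to its inside host and port, and a packet for a global address with no translation is returned as None: the translation check fails before any access-control check would even be consulted.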

Configuring Multiple Interfaces

Additional Interface Support
– Supports up to eight additional interfaces.
– Increases the security of publicly available services.
– Easily interconnects multiple extranets or partner networks.
– Easily configured with standard PIX Firewall commands.
[Slide diagram: interfaces e0 through e9.]

Access Through the PIX Firewall
[Slide diagram: PIX Firewall with e0 outside (security level 0) toward the Internet and e1 inside (security level 100); outbound access uses nat and global, inbound access uses static and access list (or static and conduit).]

Configuring Three Interfaces
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# ip address outside
pixfirewall(config)# ip address inside
pixfirewall(config)# ip address dmz
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (dmz) netmask
pixfirewall(config)# static (dmz,outside)
pixfirewall(config)# conduit permit tcp host eq http any
[Slide diagram: e0 outside to the Internet, e1 inside, e2 to the DMZ bastionhost.]

Configuring Four Interfaces
pixfirewall(config)# nameif ethernet0 outside sec0
pixfirewall(config)# nameif ethernet1 inside sec100
pixfirewall(config)# nameif ethernet2 dmz sec50
pixfirewall(config)# nameif ethernet3 partnernet sec40
pixfirewall(config)# ip address outside
pixfirewall(config)# ip address inside
pixfirewall(config)# ip address dmz
pixfirewall(config)# ip address partnernet
pixfirewall(config)# nat (inside)
pixfirewall(config)# global (outside) netmask
pixfirewall(config)# global (dmz) netmask
pixfirewall(config)# static (dmz,outside)
pixfirewall(config)# conduit permit tcp host eq http any
pixfirewall(config)# static (dmz,partnernet)
pixfirewall(config)# conduit permit tcp host eq http any
[Slide diagram: e0 outside to the Internet, e1 inside, e2 to the DMZ bastionhost, e3 to the partnernet.]

Summary

Summary
– The PIX Firewall manages the TCP and UDP protocols through the use of a translation table (for NAT sessions) and a connection table (for TCP and UDP sessions).
– Static translations assign a permanent IP address to an inside host.
– Mapping between local and global addresses is done dynamically with the nat command.
– The nat and global commands work together to hide internal IP addresses.
– The static and conduit commands are used to allow inbound communication through the PIX Firewall.

Summary (cont.)
– The PIX Firewall supports PAT, port redirection, and identity NAT.
– Outside NAT provides transparent support for DNS.
– The PIX Firewall can be configured with up to ten interfaces.
– Configuring multiple interfaces requires more attention to detail but can be done with standard PIX Firewall commands.

Lab Exercise

Lab Visual Objective
[Lab diagram: two groups of pods (Pods 1–5 and Pods 6–). Each pod has a Student PC, a PIX Firewall, a Web/FTP bastionhost and a CSACS, with pod-numbered addressing (inside network 10.0.P.0, local 10.0.P.11 and remote 10.1.P.11; the paired pod uses 10.0.Q.11 and 10.1.Q.11). The pods connect through the RBB and RTS to backbone Web and FTP servers.]