The PIX firewall's basic setup is based on six primary commands. The commands in the following list provide the most basic configuration settings needed to allow traffic to flow through the firewall. This section covers each command in detail. Here's a preview of the commands:

nameif
interface
ip address
nat
global
route
Naming Interfaces

Before we begin discussing these commands, a brief explanation of how the PIX handles interfaces is necessary. A name must be assigned to each hardware interface; it is this name, rather than the hardware ID, that is used in most of the configuration commands. For example, the interface e1 is by default named inside. This name, inside, is used throughout the PIX command structure as a pointer to the real hardware ID of interface e1.

Network Address Translation

Network address translation (NAT) is the process of translating multiple internal addresses to multiple global addresses. Every packet leaving the NAT translator uses the next available global address, and a translation table entry is made to record the link between the internal address and the outgoing global address. As packets flow back, the translated global address is reverted to the original internal address. This is known as dynamic mapping, and the global addresses are only temporarily used. Table 4.4 displays the subnet 192.168.1.0, whose hosts all share a global address pool of 169.254.8.31-169.254.8.35:

Table 4.4. NAT Mapping Table
Table 4.5 shows a temporary mapping of the internal address 192.168.1.11 to 169.254.8.31. If the internal host closes or loses the session, or the connection times out, 169.254.8.31 is released so that another internal address can use it.

Table 4.5. Internal-to-Global Address Mapping
For example, as Jack's computer talks to the Internet, his IP address of 192.168.1.11 is translated by the PIX using NAT to the address 169.254.8.31 and then passes out the interface connected to the Internet. If another user, such as Timmy with an IP address of 192.168.1.12, goes through the PIX to the Internet, Timmy's IP address is translated to the next available global IP address, which is 169.254.8.32. This process continues to allocate the next available global IP address until none are left. At that point, NAT overloading, also known as PAT, takes over. Figure 4.1 shows Jack's computer being translated to 169.254.8.31 as its traffic travels through the PIX firewall.

Figure 4.1. A NAT diagram.
Port Address Translation

Port address translation (PAT), also called NAT overloading, is the process of translating multiple internal addresses to a single global address. Every packet leaving the PAT translator uses the same global address with a modified source port number. For example, as Jack's packet travels through the PIX, both his IP address and his port number are changed: 192.168.1.11 port 1237 is modified to 169.254.8.31 and the next available port, such as port 5001. When Timmy requests information from the Internet, his address of 192.168.1.12 port 2403 is modified to the same 169.254.8.31 address, but with the next available port, such as 5002. When a reply comes back from the Internet addressed to 169.254.8.31 port 5001, the translation table shows that the packet should be changed back to 192.168.1.11 port 1237, and the packet is delivered to Jack.

Table 4.6. PAT Address Table
Table 4.7. PAT IP Address and Port Mapping Table
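To make the NAT-then-PAT behaviour described above concrete, here is an added Python model of the translation table (example code, not part of the original text or of the PIX software). It assumes a constructed two-address NAT pool, a separate PAT address and a starting port of 5001; a returning packet with no table entry maps to None, which is exactly why unsolicited inbound traffic gets no path to an inside host.

```python
from ipaddress import IPv4Address, IPv4Network

class PixNatTable:
    """Translation table as the text describes it: a dynamic NAT pool that hands
    out the next free global address per inside host, then falls back to PAT
    (one shared global address, distinct source ports) once the pool is empty.
    Pool, PAT address and starting port are constructed assumptions."""

    def __init__(self, inside_net, pool_first, pool_last, pat_addr, first_port=5001):
        self.inside_net = IPv4Network(inside_net)
        lo, hi = int(IPv4Address(pool_first)), int(IPv4Address(pool_last))
        self.free = [str(IPv4Address(i)) for i in range(lo, hi + 1)]
        self.pat_addr, self.next_port = pat_addr, first_port
        self.nat = {}          # inside ip -> global ip (dynamic NAT)
        self.nat_rev = {}      # global ip -> inside ip
        self.pat = {}          # (inside ip, inside port) -> global port
        self.pat_rev = {}      # global port -> (inside ip, inside port)

    def outbound(self, src_ip, src_port):
        """Translate an outgoing packet; returns (global_ip, global_port)."""
        if IPv4Address(src_ip) not in self.inside_net:
            raise ValueError(f"{src_ip} is not covered by the nat statement")
        if src_ip in self.nat:                  # reuse the host's NAT entry
            return self.nat[src_ip], src_port
        if (src_ip, src_port) in self.pat:      # reuse the flow's PAT entry
            return self.pat_addr, self.pat[(src_ip, src_port)]
        if self.free:                           # next available pool address
            glob = self.free.pop(0)
            self.nat[src_ip], self.nat_rev[glob] = glob, src_ip
            return glob, src_port
        port, self.next_port = self.next_port, self.next_port + 1  # pool empty: overload
        self.pat[(src_ip, src_port)], self.pat_rev[port] = port, (src_ip, src_port)
        return self.pat_addr, port

    def inbound(self, dst_ip, dst_port):
        """Untranslate a returning packet; None when no table entry exists."""
        if dst_ip in self.nat_rev:
            return self.nat_rev[dst_ip], dst_port
        if dst_ip == self.pat_addr:
            return self.pat_rev.get(dst_port)
        return None

    def release(self, src_ip):
        """Session closed or timed out: the global address returns to the pool."""
        glob = self.nat.pop(src_ip, None)
        if glob is not None:
            del self.nat_rev[glob]
            self.free.append(glob)
```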
Steps to Setting Up the PIX with the Six Basic Commands
The nameif Command

The nameif command creates a name that is associated with a hardware interface and that is used throughout several other commands. Examples of good names are inside, outside, and DMZ. The syntax of the nameif command is as follows:

nameif <hardware_id> <if_name> <security_lvl>

Table 4.8. nameif Options
The following example sets hardware interface Ethernet 1 to the name inside:

pixfirewall(config)# nameif e1 inside security100
pixfirewall(config)#

The interface Command

The interface command sets the hardware speed and enables or disables an interface. Here's the syntax of the interface command:

interface <hardware_id> [<hw_speed> [<shutdown>]]

Table 4.9. interface Options
The first command in the example enables the interface at 10BASE-T, and the second command disables the interface:

pixfirewall(config)# interface e1 10baseT
pixfirewall(config)# interface e1 10baseT shutdown

The ip address Command

The ip address command defines the layer 3 IP address on an interface and refers to the interface by its name rather than its hardware ID. Its syntax is shown here:

ip address <if_name> <ip_address> [<mask>]

Table 4.10. ip address Options
In the following example, the inside interface (e1) is set to an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0:

pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0

The nat and global Commands

The nat and global commands work together to determine which addresses need translating and what those addresses will be translated to. The nat command defines which addresses need to be translated. The ID field in the nat command corresponds to a global command that contains the pool of addresses used for translation. The nat command's syntax is shown here:

nat [(<if_name>)] <nat_id> <local_ip> [<mask> [dns] [outside] [<max_conns> [<emb_limit> [<norandomseq>]]]]

Table 4.11. The nat Command's Options
The global command allocates the global addresses to which the internal addresses will be translated. The syntax shown here details the global command:

global [(<ext_if_name>)] <nat_id> {<global_ip>[-<global_ip>] [netmask <global_mask>]} | interface

Table 4.12. The global Command's Options
In Listing 4.6, the address 192.168.1.20 on the inside interface is translated to the IP address 169.254.8.5 on the outside interface. The two commands are linked by the nat_id of 12.

Listing 4.6 The nat and global Commands for a Single Host

pixfirewall(config)# nat (inside) 12 192.168.1.20 255.255.255.255
pixfirewall(config)# global (outside) 12 169.254.8.5 255.255.255.0

In Listing 4.7, the network 192.168.1.0 255.255.255.0 on the inside interface is translated to a global pool of addresses 169.254.8.10-169.254.8.20 on the outside interface. The two commands are linked by the nat_id of 5.

Listing 4.7 The nat and global Commands for a Subnet

pixfirewall(config)# nat (inside) 5 192.168.1.0 255.255.255.0
pixfirewall(config)# global (outside) 5 169.254.8.10-169.254.8.20

In Listing 4.8, all the addresses on the inside interface are translated to the global address defined as the outside interface's own IP address. This many-to-one solution uses PAT.

Listing 4.8 nat and global Commands

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 interface

In Listing 4.9, three networks on different interfaces are all part of the nat_id 3 group. The global command linked to nat_id 3 defines the address range 168.254.8.5-168.254.8.10 to be used.

Listing 4.9 The nat and global Commands for Multiple Interfaces

pixfirewall(config)# nat (inside) 3 192.168.1.0 255.255.255.0
pixfirewall(config)# nat (dmz) 3 192.168.2.0 255.255.255.0
pixfirewall(config)# nat (dmz2) 3 192.168.3.0 255.255.255.0
pixfirewall(config)# global (outside) 3 168.254.8.5-168.254.8.10 netmask 255.255.255.0

You can use the show nat and show global commands to display the NAT and global entries that have been made, and the no nat and no global commands to remove them.

The route Command

The route command is used to add a static or default route to an interface.
This syntax shows the command:

route <if_name> <foreign_ip> <mask> <gateway> [<metric>]

Table 4.13. route Command Options
In this example, a default route is created that forwards traffic to a router at 169.254.8.100 with a metric of 1:

pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.100 1
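As an added example (not from the original text and not a Cisco tool), the following Python linter parses a snippet made of the six commands in the form the listings above use and reports the cross-reference mistakes those commands make possible: an if_name that no nameif defines, a named interface with no ip address, and a nat_id that appears in nat but not in global (or the reverse). The pixfirewall(config)# prompt is stripped so listings can be pasted verbatim; the sample snippet and its faults are constructed.

```python
import re

PROMPT = re.compile(r"^\S+\(config\)#\s*")   # strips "pixfirewall(config)# "

# Constructed sample: nat_id 5 has no global, global 7 has no nat, outside has no ip address.
SAMPLE_BAD = """
pixfirewall(config)# nameif e1 inside security100
pixfirewall(config)# nameif e0 outside security0
pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0
pixfirewall(config)# nat (inside) 5 192.168.1.0 255.255.255.0
pixfirewall(config)# global (outside) 7 169.254.8.10-169.254.8.20
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.100 1
"""

def lint_pix_basics(config_text):
    """Cross-check the six basic commands: every if_name must come from nameif,
    every named interface needs an ip address, and every nat_id must appear in
    both a nat and a global command (nat_id 0, which means no translation on
    the PIX, is exempt). Returns a list of findings, empty when consistent."""
    names, addressed, refs, nat_ids, global_ids = set(), set(), [], set(), set()
    for raw in config_text.splitlines():
        tok = PROMPT.sub("", raw.strip()).split()
        if not tok:
            continue
        if tok[0] == "nameif" and len(tok) >= 4:
            names.add(tok[2])
        elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
            addressed.add(tok[2])
            refs.append(("ip address", tok[2]))
        elif tok[0] in ("nat", "global") and len(tok) >= 4 and tok[1].startswith("("):
            refs.append((tok[0], tok[1].strip("()")))
            (nat_ids if tok[0] == "nat" else global_ids).add(tok[2])
        elif tok[0] == "route" and len(tok) >= 5:
            refs.append(("route", tok[1]))
    findings = []
    for cmd, ifn in refs:
        if ifn not in names:
            findings.append(f"{cmd} refers to {ifn!r}, which no nameif command defines")
    for ifn in sorted(names - addressed):
        findings.append(f"interface {ifn!r} has no ip address command")
    for nid in sorted(nat_ids - global_ids - {"0"}):
        findings.append(f"nat id {nid} has no global pool: matching hosts cannot be translated")
    for gid in sorted(global_ids - nat_ids):
        findings.append(f"global id {gid} has no nat statement: the pool is never used")
    return findings

if __name__ == "__main__":
    for finding in lint_pix_basics(SAMPLE_BAD):
        print(finding)
```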