The Six Basic Commands


The PIX firewall's basic setup is based on six primary commands. The commands shown in the following list provide the most basic configuration settings to allow traffic to flow through the firewall. This section covers each command in detail.

Here's a preview of the commands:

global

nameif

interface

nat

ip address

route

Naming Interfaces

Before we begin discussing these commands, a brief explanation is necessary to understand how interfaces are handled by the PIX. A name association needs to be designated for each hardware interface; it is this associated name rather than the hardware ID that is used in most of the configuration commands. For example, the interface e1 is by default named inside. This name of inside is used throughout the PIX command structure as a pointer to the real hardware ID of interface e1.

Network Address Translation

Network address translation (NAT) is the process of translating multiple internal addresses to multiple global addresses. Every packet leaving the NAT translator uses the next available global address, and a translation table entry is made to record a link between the internal address and the outgoing global address. As packets flow back, the translated global address is reverted to the original internal address. This is known as dynamic mapping, and the global addresses are only temporarily used. Table 4.4 displays the 192.168.1.0 subnet, whose hosts all share the global address pool 169.254.8.31-169.254.8.35:

Table 4.4. NAT Mapping Table

NAT Internal Addresses         Global Address Pool
192.168.1.0 255.255.255.0      169.254.8.31-169.254.8.35

Table 4.5 shows a temporary mapping of the internal address of 192.168.1.11 to 169.254.8.31. If the internal host closes the session or loses the session, or the connection times out, 169.254.8.31 is released so another internal address can use it.

Table 4.5. Internal-to-Global Address Mapping

Internal Addresses     Globally Mapped Addresses
192.168.1.11           169.254.8.31 (temporary)
192.168.1.12           169.254.8.32 (temporary)
                       169.254.8.33 (temporary)
                       169.254.8.34 (temporary)
                       169.254.8.35 (temporary)

For example, as Jack's computer talks to the Internet, his IP address of 192.168.1.11 is translated by the PIX using NAT to an address of 169.254.8.31 and subsequently passes the interface connected to the Internet. If another user, such as Timmy with an IP address of 192.168.1.12, is going through the PIX to the Internet, Timmy's IP address is translated to the next available global IP address, which is 169.254.8.32. This process continues to allocate the next available global IP address until none are left. At this point, a process of NAT overloading, also known as PAT, takes over. Figure 4.1 displays Jack's computer being translated to 169.254.8.31 as it travels through the PIX firewall.

Figure 4.1. A NAT diagram.

Port Address Translation

Port address translation (PAT) is also called NAT overloading and is the process of translating multiple internal addresses to a single global address. Every packet leaving the PAT translator uses the same global address with a modified source port number. For example, as Jack's packet travels through the PIX, his IP address and port number are changed. An address of 192.168.1.11 port 1237 is modified to an address of 169.254.8.31 and the next available port, such as port 5001. When Timmy requests information from the Internet, his address of 192.168.1.12 port 2403 is modified to the same 169.254.8.31 address but the port number is the next available port, such as 5002. When a request comes back from the Internet with 169.254.8.31 port 5001, this is referenced in the translation table to show that the packet should be changed back to 192.168.1.11 port 1237, and the packet is delivered to Jack.

Table 4.6. PAT Address Table

NAT Internal Address           Global Address Pool
192.168.1.0 255.255.255.0      169.254.8.31

Table 4.7. PAT IP Address and Port Mapping Table

Internal Addresses     Globally Mapped Addresses
192.168.1.11: 1237     169.254.8.31: 5001 (temporary)
192.168.1.12: 1937     169.254.8.31: 5002 (temporary)
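The following Python model, added here as an illustration and not taken from the book or from PIX itself, walks through the behaviour described in the NAT and PAT sections above: hosts take the next free address from the 169.254.8.31-169.254.8.35 pool, a released address goes back to the pool, and once the pool is empty further hosts are overloaded (PAT) onto one address with distinct source ports. The PAT address 169.254.8.36 is a constructed assumption, chosen outside the pool so that return packets can never match both tables.

```python
from itertools import count

# Simplified model of PIX dynamic NAT with PAT fallback (added illustration, not
# PIX code). Pool and hosts follow Tables 4.4-4.7; the PAT address used once the
# pool is exhausted (169.254.8.36) is a constructed assumption.
GLOBAL_POOL = ["169.254.8.%d" % i for i in range(31, 36)]  # 169.254.8.31-169.254.8.35
PAT_ADDRESS = "169.254.8.36"


class Translator:
    def __init__(self, pool, pat_address):
        self.free = list(pool)        # global addresses not currently in use
        self.nat = {}                 # internal IP -> global IP (dynamic NAT)
        self.pat = {}                 # (global IP, global port) -> (internal IP, port)
        self.pat_address = pat_address
        self.next_port = count(5001)  # next available PAT source port

    def outbound(self, src_ip, src_port):
        """Translate an outgoing packet; returns the (global IP, port) it leaves with."""
        if src_ip in self.nat:                    # host already holds a global address
            return self.nat[src_ip], src_port
        if self.free:                             # next available global address
            gip = self.free.pop(0)
            self.nat[src_ip] = gip
            return gip, src_port
        # Pool exhausted: NAT overloading (PAT) on one address with a new source port
        gport = next(self.next_port)
        self.pat[(self.pat_address, gport)] = (src_ip, src_port)
        return self.pat_address, gport

    def inbound(self, dst_ip, dst_port):
        """Reverse the translation for a returning packet; None when no entry exists."""
        if (dst_ip, dst_port) in self.pat:
            return self.pat[(dst_ip, dst_port)]
        for iip, gip in self.nat.items():
            if gip == dst_ip:
                return iip, dst_port
        return None                               # no xlate entry: the firewall drops it

    def release(self, src_ip):
        """Session closed or timed out: hand the global address back to the pool."""
        gip = self.nat.pop(src_ip, None)
        if gip is not None:
            self.free.append(gip)
```

A returning packet that matches no entry in either table yields None, which is the case a firewall has to drop rather than guess at.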

Steps to Setting Up the PIX with the Six Basic Commands

  1. nameif: Assign a name to a hardware ID interface and set the security level.

  2. interface: Set the interface speed and enable the interface.

  3. ip address: Assign an IP address to a named interface.

  4. nat: Create a NAT ID that defines which local IP addresses will be translated on a specific named interface.

  5. global: Create a global list of addresses to be used by the NAT ID in step 4.

  6. route: Create any necessary static routes or default routes.

The nameif Command

The nameif command creates a name that is associated with a hardware interface and that is used throughout several other commands. Some examples of good names to use are inside, outside, and DMZ. The syntax of the nameif command is as follows:

 nameif <hardware_id> <if_name> <security_lvl>

Table 4.8. nameif Options

Option          Function
hardware_id     The hardware ID is the name of the physical hardware, such as e0 or Ethernet0.
if_name         This is the name you want to call the interface.
security_lvl    The security level setting is between 0 and 100. 0 is reserved for the outside interface, and 100 is used for the most secure inside interface.

The following example shows that hardware interface Ethernet 1 is being set to inside:

 pixfirewall(config)# nameif e1 inside security100
 pixfirewall(config)#

The interface Command

The interface command sets the hardware speed and enables or disables an interface. Here's the syntax of the interface command:

 interface <hardware_id> [<hw_speed> [<shutdown>]]

Table 4.9. interface Options

Option          Function
hardware_id     The hardware ID is the name of the physical hardware, such as e0 or Ethernet0.
hw_speed        This determines the connection speed used by this interface. The options are as follows:
                  Auto        Autodetects the network speed
                  10BASE-T    10Mbps Ethernet half-duplex
                  10full      10Mbps Ethernet full-duplex
                  100BASE-TX  100Mbps Ethernet half-duplex
                  100full     100Mbps Ethernet full-duplex
shutdown        Defines whether the interface is administratively shut down.

The first command in the example enables the interface with 10BASE-T, and the second command disables the interface:

 pixfirewall(config)# interface e1 10baseT
 pixfirewall(config)# interface e1 10baseT shutdown

The ip address Command

The ip address command defines the layer 3 IP address on the interface and uses the name of the interface, as opposed to the hardware address. Its syntax is shown here:

 ip address <if_name> <ip_address> [<mask>]

Table 4.10. ip address Options

Option          Function
if_name         This is the name given to the hardware ID using the nameif command.
ip_address      This is the IP address you want to assign to the interface.
mask            This is the network mask.

In the following example, the inside interface (e1) is being set to an IP address of 192.168.1.1 and a subnet mask of 255.255.255.0:

 pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0 

The nat and global Commands

The nat and global commands work together to determine which addresses need translating and to what those addresses will be translated. NAT defines which addresses need to be translated. The ID field in the nat command corresponds to a global command that contains a pool of addresses used for translation. The nat command's syntax is shown here:

 nat [(<if_name>)] <nat_id> <local_ip> [<mask> [dns] [outside] [<max_conns> [<emb_limit> [<norandomseq>]]]]

Table 4.11. The nat Command's Options

Option          Function
if_name         This is the name of the internal interface to which this command is linked.
nat_id          This is the ID number that groups the nat command with the global command.
local_ip        This defines which IP addresses are within this nat_id group.
mask            This defines the local_ip network mask.
dns             This specifies that the DNS replies that match xlate tables are translated.
outside         This specifies that the nat command applies to the outside interface.
max_conns       This defines the maximum number of TCP connections allowed.
emb_limit       This specifies the embryonic (half-open TCP) connection limit. The default is unlimited embryonic connections.
norandomseq     This states not to randomize the normal TCP packet sequence numbering.

The global command is used to allocate the address to which the internal address will be assigned. The syntax shown here details the global command:

 global [(<ext_if_name>)] <nat_id> {<global_ip>[-<global_ip>] [netmask <global_mask>]} | interface

Table 4.12. The global Command's Options

Option          Function
ext_if_name     Defines the external interface on which these global addresses will be used.
nat_id          The ID number that links the nat command with the global address pool command.
global_ip       Assigns a single address or a pool of addresses to which the nat command will translate its internal addresses.
interface       If you use this option, the interface is set up to use PAT (NAT overloading) on the same IP address assigned to the interface.

In Listing 4.6, the address 192.168.1.20 on the inside interface is translated to an IP address of 169.254.8.5 on the outside interface. These two commands are linked by the nat_id of 12.

Listing 4.6 The nat and global Commands for a Single Host

 pixfirewall(config)# nat (inside) 12 192.168.1.20 255.255.255.255
 pixfirewall(config)# global (outside) 12 169.254.8.5 255.255.255.0

In Listing 4.7, the network of 192.168.1.0 255.255.255.0 on the inside interface is translated to a global pool of addresses 169.254.8.10-169.254.8.20 on the outside interface. These two commands are linked by the nat_id of 5.

Listing 4.7 The nat and global Commands for a Subnet

 pixfirewall(config)# nat (inside) 5 192.168.1.0 255.255.255.0
 pixfirewall(config)# global (outside) 5 169.254.8.10-169.254.8.20

In Listing 4.8, all the addresses on the inside interface are translated to the global address that is defined as the outside interface IP address. This many-to-one solution uses PAT.

Listing 4.8 The nat and global Commands Using the Outside Interface Address

 pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
 pixfirewall(config)# global (outside) 1 interface

In Listing 4.9, three networks on different interfaces are all part of the nat_id 3 group. The global command linked to nat_id 3 defines an address range of 168.254.8.5-168.254.8.10 to be used.

Listing 4.9 The nat and global Commands for Multiple Interfaces

 pixfirewall(config)# nat (inside) 3 192.168.1.0 255.255.255.0
 pixfirewall(config)# nat (dmz) 3 192.168.2.0 255.255.255.0
 pixfirewall(config)# nat (dmz2) 3 192.168.3.0 255.255.255.0
 pixfirewall(config)# global (outside) 3 168.254.8.5-168.254.8.10 netmask 255.255.255.0

You can use the show nat and show global commands to display the list of NAT and global entries made, and you can use the no nat and no global commands to disable the entries made.
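Because the only link between a nat statement and its address pool is the nat_id, a nat entry whose ID has no matching global silently leaves those hosts untranslated. The following audit script is an added example, not part of the book or of the PIX software: it parses nat and global lines the way the listings above write them, pairs them by nat_id, and reports unmatched IDs, IDs that overload onto one address (PAT), and catch-all nat statements. The sample configuration is constructed from Listings 4.6-4.9 plus one extra nat entry (nat_id 7) that has no global.

```python
import re

# Added audit helper (not PIX code): pairs nat and global statements by nat_id, the
# way the PIX does, and flags mismatches. The config below is a constructed sample
# built from Listings 4.6-4.9 plus one extra nat entry (nat_id 7) with no global.
SAMPLE_CONFIG = """
nat (inside) 12 192.168.1.20 255.255.255.255
global (outside) 12 169.254.8.5 255.255.255.0
nat (inside) 5 192.168.1.0 255.255.255.0
global (outside) 5 169.254.8.10-169.254.8.20
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
nat (inside) 3 192.168.1.0 255.255.255.0
nat (dmz) 3 192.168.2.0 255.255.255.0
nat (dmz2) 3 192.168.3.0 255.255.255.0
global (outside) 3 168.254.8.5-168.254.8.10 netmask 255.255.255.0
nat (dmz) 7 10.0.0.0 255.0.0.0
"""

NAT_RE = re.compile(r"^nat\s+\((\w+)\)\s+(\d+)\s+(\S+)\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((\w+)\)\s+(\d+)\s+(\S+)")

def parse(config):
    """Return ({nat_id: [(if_name, local_ip, mask)]}, {nat_id: [(ext_if, pool)]})."""
    nats, pools = {}, {}
    for line in config.strip().splitlines():
        m = NAT_RE.match(line)
        if m:
            nats.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3), m.group(4)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            pools.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
    return nats, pools

def audit(config):
    """nat IDs with no global (those hosts are never translated), globals no nat refers
    to, IDs that overload with PAT (a single address or the interface keyword), and
    catch-all nat statements (0.0.0.0 0.0.0.0) that translate every inside host."""
    nats, pools = parse(config)
    return {
        "nat_without_global": sorted(set(nats) - set(pools)),
        "global_without_nat": sorted(set(pools) - set(nats)),
        "pat_ids": sorted(i for i, p in pools.items()
                          if any(g == "interface" or "-" not in g for _, g in p)),
        "catch_all_ids": sorted(i for i, r in nats.items()
                                if any(ip == mask == "0.0.0.0" for _, ip, mask in r)),
    }
```

Run audit(SAMPLE_CONFIG) to see nat_id 7 reported as having no global, nat_id 1 and 12 reported as PAT, and nat_id 1 as the catch-all.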

The route Command

The route command is used to add a static or default route to an interface. This syntax shows the command:

 route <if_name> <foreign_ip> <mask> <gateway> [<metric>]

Table 4.13. route Command Options

Option          Function
if_name         This is the internal or external interface name the traffic will use to exit from the PIX.
foreign_ip      The foreign IP is the destination network address. To define a default route, you can use 0.0.0.0 as the address and 0.0.0.0 as the mask.
gateway         This is the gateway, which is also known as the next hop router.
metric          This is the metric value used to define the number of hops away the destination network is.

In this example, a default route has been created that will forward traffic to a router at 169.254.8.100 with a metric of 1:

 pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.100 1 


CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218
