The PIX firewall, by default, allows traffic from a higher security level interface to traverse to an interface with a lower security level. This means that traffic initiated on the inside interface is allowed to pass to the outside interface. Setting up outbound traffic is a fairly easy task. You can use the nat, global, and static commands to control which IP address translations occur, and commands such as access-list to control who can and cannot traverse your firewall. You can also use various methods, such as static and dynamic translation, to translate inside IP addresses to outside IP addresses. To set up a basic scenario, use Figure 5.3 as the network diagram. Subnet 192.168.1.0/24 contains the inside addresses that need to be translated to outside addresses.

Figure 5.3. Network diagram.
Static Address Translations

To configure static NAT, you can use the static command, as shown here:

Pixfirewall(config)# [no] static [(internal_if_name, external_if_name)] {<global_ip> | interface} <local_ip> [dns] [netmask <mask>] [<max_conns> [<emb_limit> [<norandomseq>]]]
Table 5.3. static Command Options
The static command enables you to bind an internal inside IP address to an outside global address, making a one-to-one mapping. Every time a specific inside user travels across the PIX, that user is assigned the same global address. For example, if Jack's internal IP address is 192.168.1.11, you can use the static command to bind Jack's address to a specific global address, such as 169.254.8.1. The following command creates this one-to-one mapping:

Pixfirewall(config)# static (inside, outside) 169.254.8.1 192.168.1.11

Now, when Jack is traveling across the firewall, he will always use 169.254.8.1 on the public side, and the PIX xlate table will show the following:

Pixfirewall# show xlate
1 in use, 1237 most used
Global 169.254.8.1 Local 192.168.1.11

Listing 5.2 creates a static one-to-one mapping from three internal addresses to three global addresses. Figure 5.5 displays the one-to-one mapping graphically.

Listing 5.2 Static One-to-One Mapping

Pixfirewall(config)# static (inside, outside) 169.254.8.1 192.168.1.11
Pixfirewall(config)# static (inside, outside) 169.254.8.2 192.168.1.12
Pixfirewall(config)# static (inside, outside) 169.254.8.3 192.168.1.13
Pixfirewall(config)#
Pixfirewall(config)# exit
Pixfirewall# clear xlate

Figure 5.5. The static command.
Dynamic Address Translations

By using the static command, you can specify a global address for each host. However, this manual binding can be too tedious to set up, or you might not have enough global addresses for every internal user. Dynamic address translation enables you to set up groups of internal addresses that can be assigned to a single global address or a pool of global addresses. The two main forms of dynamic address translation are NAT and PAT.

Network Address Translation

NAT enables you to dynamically assign groups of internal addresses to a pool of global addresses. This configuration takes a minimum of two commands: nat and global. Listing 5.3 demonstrates these commands.

Listing 5.3 The nat and global Commands Used for Dynamic Mappings

Pixfirewall(config)# ip address outside 169.254.8.1 255.255.255.0
Pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0
Pixfirewall(config)#
Pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.254 1
Pixfirewall(config)#
Pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Pixfirewall(config)# global (outside) 1 169.254.8.2-169.254.8.6 netmask 255.255.255.0
Pixfirewall(config)#
Pixfirewall(config)# exit
Pixfirewall# clear xlate

The nat and global commands work together to allow all traffic on the inside interface to exit the outside interface using an address from the range 169.254.8.2-169.254.8.6. The 0.0.0.0 0.0.0.0 in the nat command is similar to a default route: all inside IP addresses will use the global address range that shares NAT ID 1. The first host will consume the IP address 169.254.8.2, the next will use 169.254.8.3, and so on. If a computer stops passing traffic through the firewall, the PIX will release the xlate slot and allow another computer to reuse the global address.
In the example in Figure 5.6, computers coming from network 192.168.1.0 use the global range 169.254.8.2-169.254.8.6, and computers from network 10.0.0.0 use the range 169.254.8.7-169.254.8.11. The NAT ID portion of the nat and global commands binds each inside NAT pool to its matching global pool.

Figure 5.6. Using nat with two pools.
Listing 5.4 demonstrates the commands necessary to create the mappings in Figure 5.6.

Listing 5.4 nat and global Commands for Two Dynamic Mappings

Pixfirewall(config)# ip address outside 169.254.8.1 255.255.255.0
Pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0
Pixfirewall(config)#
Pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.254 1
Pixfirewall(config)#
Pixfirewall(config)# nat (inside) 2 192.168.1.0 255.255.255.0
Pixfirewall(config)# nat (inside) 3 10.0.0.0 255.0.0.0
Pixfirewall(config)# global (outside) 2 169.254.8.2-169.254.8.6 netmask 255.255.255.0
Pixfirewall(config)# global (outside) 3 169.254.8.7-169.254.8.11 netmask 255.255.255.0
Pixfirewall(config)#
Pixfirewall(config)# exit
Pixfirewall# clear xlate

Port Address Translation

PAT enables you to use a single address for many internal addresses. For example, if your ISP assigns you only one address, you can have all your internal users share the same global IP address by implementing PAT. PAT modifies the source port number of each connection to provide the tracking capability necessary for the return traffic. For example, as Jack travels across the PIX, his address is changed from 192.168.1.11 port 1939 to the global address 169.254.8.1 port 5000. As Kristina travels across the PIX at the same time, her address of 192.168.1.25 port 1970 is changed to the same IP address Jack received, 169.254.8.1, but with a different port number, such as 5001. The PIX tracks these IP address-to-port translations in the xlate table. In Figure 5.7 all the inside addresses coming into the PIX use the single address 169.254.8.1 as their global source address. Because all the internal addresses use the same global address, PAT also modifies the source port to provide a specific mapping back to the internal source.

Figure 5.7. PAT example.
Listing 5.5 displays PAT being set up with the global command using the option called interface. This option sets the outside interface IP address, 169.254.8.1, as the global address.

Listing 5.5 PAT and global Command for Dynamic Mappings

Pixfirewall(config)# ip address outside 169.254.8.1 255.255.255.0
Pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0
Pixfirewall(config)#
Pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.254 1
Pixfirewall(config)#
Pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Pixfirewall(config)# global (outside) 1 interface
Pixfirewall(config)#
Pixfirewall(config)# exit
Pixfirewall# clear xlate

NAT and PAT Together

You've learned how to use NAT to translate internal addresses to global addresses, creating a one-to-one mapping. You have also seen how to use a single address with PAT, changing the source port numbers to create a mapping back to the internal source. Now, let's see how to use both at the same time. Figure 5.8 and Listing 5.6 demonstrate the use of NAT and PAT together. Users from the inside first use the NAT addresses in the range 169.254.8.1-169.254.8.5 until all the entries have been allocated. Then they begin to share the PAT address and use different port numbers.

Listing 5.6 NAT, PAT, and the global Command

Pixfirewall(config)# ip address outside 169.254.8.1 255.255.255.0
Pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0
Pixfirewall(config)#
Pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.254 1
Pixfirewall(config)#
Pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Pixfirewall(config)# global (outside) 1 169.254.8.2-169.254.8.6 netmask 255.255.255.0
Pixfirewall(config)# global (outside) 1 169.254.8.11 netmask 255.255.255.255
Pixfirewall(config)#
Pixfirewall(config)# exit
Pixfirewall# clear xlate

Figure 5.8. NAT and PAT together.
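The following Python model of the xlate table is an added example; it is not code from the book or from Cisco. It walks through the allocation behaviour the preceding sections describe for the static command (Listing 5.2), a dynamic NAT pool (Listing 5.3) and the NAT-plus-PAT configuration of Listing 5.6 in one place: a static binding always yields the same global address, pool addresses are handed out one per host until the pool is exhausted, after which flows share the PAT address and are told apart by port. The allocation order, the PAT starting port of 1024, the show xlate line layout and the seven hosts used in simulate_listing_5_6() are assumptions made for the illustration.

```python
"""Toy model of the PIX xlate table for the static, NAT, PAT and NAT-plus-PAT
scenarios in Listings 5.2 to 5.6.

Added example, not code from the book or from Cisco. The allocation order
(static binding, then the next free pool address, then PAT), the PAT starting
port and the hosts used in simulate_listing_5_6() are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Xlate:
    local_ip: str
    global_ip: str
    local_port: Optional[int] = None    # None for an address-only (static or NAT) slot
    global_port: Optional[int] = None


class XlateTable:
    """One NAT ID: static bindings, a pool from 'global ... a-b', and an optional PAT address."""

    PAT_FIRST_PORT = 1024   # assumption: first source port handed out by PAT

    def __init__(self):
        self.statics: Dict[str, str] = {}          # local ip -> global ip (static command)
        self.free_pool: List[str] = []             # unallocated addresses from the global range
        self.pat_address: Optional[str] = None     # 'global ... x netmask 255.255.255.255' or 'interface'
        self.xlates: Dict[object, Xlate] = {}      # key: local ip, or (local ip, port) for PAT
        self.next_pat_port = self.PAT_FIRST_PORT

    def static(self, global_ip: str, local_ip: str) -> None:
        self.statics[local_ip] = global_ip

    def global_range(self, first: str, last: str) -> None:
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free_pool += [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

    def global_pat(self, address: str) -> None:
        self.pat_address = address

    def translate(self, local_ip: str, local_port: int) -> Tuple[str, int]:
        """Source address and port seen on the outside for one outbound flow."""
        if local_ip in self.statics:                       # 1. static: always the same global address
            self.xlates.setdefault(local_ip, Xlate(local_ip, self.statics[local_ip]))
            return self.statics[local_ip], local_port
        if local_ip in self.xlates:                        # 2. host already holds a NAT slot
            return self.xlates[local_ip].global_ip, local_port
        if self.free_pool:                                 # 3. dynamic NAT: next free pool address
            self.xlates[local_ip] = Xlate(local_ip, self.free_pool.pop(0))
            return self.xlates[local_ip].global_ip, local_port
        if self.pat_address is None:                       # pool exhausted and nothing to fall back to
            raise RuntimeError("no xlate slot available for %s" % local_ip)
        key = (local_ip, local_port)                       # 4. PAT: shared address, unique port
        if key not in self.xlates:
            self.xlates[key] = Xlate(local_ip, self.pat_address, local_port, self.next_pat_port)
            self.next_pat_port += 1
        return self.xlates[key].global_ip, self.xlates[key].global_port

    def release(self, local_ip: str) -> None:
        """Drop a host's slots (idle timeout or 'clear xlate'); a pool address becomes reusable."""
        keys = [k for k in self.xlates if k == local_ip or (isinstance(k, tuple) and k[0] == local_ip)]
        for key in keys:
            x = self.xlates.pop(key)
            if x.global_port is None and x.global_ip not in self.statics.values():
                self.free_pool.append(x.global_ip)

    def show_xlate(self) -> List[str]:
        """Lines in roughly the layout of the 'show xlate' output quoted in the text (assumed)."""
        out = []
        for x in self.xlates.values():
            if x.global_port is None:
                out.append("Global %s Local %s" % (x.global_ip, x.local_ip))
            else:
                out.append("PAT Global %s(%d) Local %s(%d)"
                           % (x.global_ip, x.global_port, x.local_ip, x.local_port))
        return out


def simulate_listing_5_6() -> List[Tuple[str, str, int]]:
    """Listing 5.6 plus Jack's static from Listing 5.2; seven constructed hosts go outbound."""
    t = XlateTable()
    t.static("169.254.8.1", "192.168.1.11")          # static (inside, outside) 169.254.8.1 192.168.1.11
    t.global_range("169.254.8.2", "169.254.8.6")     # global (outside) 1 169.254.8.2-169.254.8.6
    t.global_pat("169.254.8.11")                     # global (outside) 1 169.254.8.11 netmask 255.255.255.255
    hosts = ["192.168.1.11"] + ["192.168.1.%d" % n for n in range(20, 26)]   # constructed sample
    results = []
    for port, host in enumerate(hosts, start=1939):
        gip, gport = t.translate(host, port)
        results.append((host, gip, gport))
    return results


if __name__ == "__main__":
    for local, gip, gport in simulate_listing_5_6():
        print("%-14s -> %s:%d" % (local, gip, gport))
```

Running the simulation shows the sixth non-static host landing on 169.254.8.11 with a translated port, which is the point where the PIX has stopped doing NAT and started doing PAT; release() models the slot reuse the text mentions, so a host that goes idle hands its pool address back to the next newcomer.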
Working Without NAT or PAT

You might encounter a situation in which addresses on the inside interface are just fine the way they are and don't need translating. If this is the case, you can use the nat 0 command. For example, if your address is 192.168.1.11 and it doesn't need to be translated on the other side of the PIX, the nat 0 command simply passes the traffic through without changing the source address.

nat 0

The nat 0 command stands by itself. It doesn't need a matching global command because it doesn't change the source address; it only passes the traffic through the firewall the way a router would. In Figure 5.9 the nat 0 command does not translate the three networks; it just passes them on.

Figure 5.9. The nat 0 command.
Listing 5.7 shows three nat 0 commands used to allow the three subnets 192.168.1.0, 192.168.2.0, and 192.168.3.0 to pass through the PIX firewall without translating their addresses.

Listing 5.7 Using the nat 0 Command

Pixfirewall(config)# nat (inside) 0 192.168.1.0 255.255.255.0
Pixfirewall(config)# nat (inside) 0 192.168.2.0 255.255.255.0
Pixfirewall(config)# nat (inside) 0 192.168.3.0 255.255.255.0
Pixfirewall(config)#
Pixfirewall(config)# exit
Pixfirewall# clear xlate

Using nat 0 with an Access Control List

You can accomplish the same nat 0 task as in Listing 5.7 by using an access control list that points to the list of addresses you want to exempt. Listing 5.8 uses the access-list option of the nat 0 command to point to an access list named cool-no-nat. The three access-list commands create the pool of addresses that will not be translated.
Listing 5.8 Using the nat 0 Command with an Access List

Pixfirewall(config)# nat (inside) 0 access-list cool-no-nat
Pixfirewall(config)#
Pixfirewall(config)# access-list cool-no-nat permit ip 192.168.1.0 255.255.255.0 any
Pixfirewall(config)# access-list cool-no-nat permit ip 192.168.2.0 255.255.255.0 any
Pixfirewall(config)# access-list cool-no-nat permit ip 192.168.3.0 255.255.255.0 any
Pixfirewall(config)#
Pixfirewall(config)# exit
Pixfirewall# clear xlate
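As an added example (not code from the book or from Cisco), the Python below reads the two nat 0 forms shown in Listings 5.7 and 5.8 from retyped, constructed copies of the listing text, builds the per-interface exemption list, and answers the question the configuration is meant to answer: does a given inside source address cross the PIX untranslated? It goes slightly beyond the page in that a deny entry in the access list is honoured with first-match semantics, and host and any keywords are accepted. The regular expressions, the prompt stripping, the first-match evaluation and the source-only matching (the destination half of each access-list entry is ignored here) are assumptions about how the PIX evaluates the list.

```python
"""nat 0 exemption lookup for the two forms in Listings 5.7 and 5.8.

Added example; not from the book or from Cisco. The config text below is the
listing text retyped as a constructed sample. First-match ACL semantics and
source-only matching are assumptions for this illustration.
"""
import ipaddress
import re

# access-list <name> permit|deny ip <src> <mask> ...   (destination part ignored here)
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE)
# nat (<iface>) 0 access-list <name>
NAT0_ACL_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$", re.IGNORECASE)
# nat (<iface>) 0 <net> <mask>
NAT0_NET_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+(\S+)\s+(\S+)$", re.IGNORECASE)

LISTING_5_7 = """\
Pixfirewall(config)# nat (inside) 0 192.168.1.0 255.255.255.0
Pixfirewall(config)# nat (inside) 0 192.168.2.0 255.255.255.0
Pixfirewall(config)# nat (inside) 0 192.168.3.0 255.255.255.0
Pixfirewall(config)# exit
"""

LISTING_5_8 = """\
Pixfirewall(config)# nat (inside) 0 access-list cool-no-nat
Pixfirewall(config)#
Pixfirewall(config)# access-list cool-no-nat permit ip 192.168.1.0 255.255.255.0 any
Pixfirewall(config)# access-list cool-no-nat permit ip 192.168.2.0 255.255.255.0 any
Pixfirewall(config)# access-list cool-no-nat permit ip 192.168.3.0 255.255.255.0 any
Pixfirewall(config)# exit
"""


def to_network(addr, mask=None):
    """Turn PIX 'address netmask', 'host x' or 'any' into an ip_network."""
    if addr.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if addr.lower() == "host":
        return ipaddress.ip_network("%s/32" % mask)
    return ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)


def parse_nat0(config_text):
    """Return {interface: [(action, network), ...]} in configuration order."""
    acls = {}      # acl name -> [(action, network)]
    pending = {}   # interface -> acl name referenced by 'nat (iface) 0 access-list'
    exempt = {}    # interface -> [(action, network)]
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[-1].strip()   # drop the 'Pixfirewall(config)#' prompt
        if not line:
            continue
        m = NAT0_ACL_RE.match(line)             # check the access-list form first; the
        if m:                                   # plain form's regex would also match it
            pending[m.group(1)] = m.group(2)
            continue
        m = NAT0_NET_RE.match(line)
        if m:
            exempt.setdefault(m.group(1), []).append(("permit", to_network(m.group(2), m.group(3))))
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(
                (m.group(2).lower(), to_network(m.group(3), m.group(4))))
    for iface, name in pending.items():
        exempt.setdefault(iface, []).extend(acls.get(name, []))
    return exempt


def is_exempt(exempt, interface, src_ip):
    """First matching entry decides: permit -> pass untranslated, deny -> normal nat applies.

    No match means the address is not exempt and falls through to the other nat statements.
    """
    ip = ipaddress.ip_address(src_ip)
    for action, net in exempt.get(interface, []):
        if ip in net:
            return action == "permit"
    return False


if __name__ == "__main__":
    for label, text in (("Listing 5.7", LISTING_5_7), ("Listing 5.8", LISTING_5_8)):
        table = parse_nat0(text)
        for src in ("192.168.2.7", "10.0.0.5"):    # constructed sample sources
            print("%s: %s exempt=%s" % (label, src, is_exempt(table, "inside", src)))
```

Both listings yield the same exemption set, which is the equivalence the text states; the access-list form becomes worth the extra lines once you need deny entries or a destination condition, and this parser makes that first-match behaviour explicit so you can see why entry order matters.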