Outbound Traffic


The PIX firewall, by default, allows traffic from a higher security level interface to traverse to an interface with a lower security level. This means that traffic initiated on the inside interface is allowed to pass to the outside interface. Setting up outbound traffic is a fairly easy task. You can use the nat, global, and static commands to control which IP address translations occur. You can also use commands such as access-list to control who can and cannot traverse your firewall. Also, you can use various methods, such as static and dynamic translation, to translate inside IP addresses to outside IP addresses.

To set up a basic scenario, use Figure 5.3 as the network diagram. Subnet 192.168.1.0/24 holds the inside addresses that need to be translated to outside addresses.

Figure 5.3. Network diagram.



No traffic is allowed to pass through the PIX until a nat-global or static command has been issued.


Static Address Translations

To configure static NAT, you can use the static command, as shown here:

    Pixfirewall(config)# [no] static [(internal_if_name, external_if_name)]
                         {<global_ip> | interface} <local_ip> [dns] [netmask <mask>]
                         [<max_conns> [<emb_limit> [<norandomseq>]]]

Although the static command lists the interface names in internal-external sequence, the sequence of the IP addresses that follow is reversed: the global (outside) address comes first, then the local (inside) address. Figure 5.4 shows how the inside address 192.168.1.11 is mapped to the outside address 169.254.8.1.

Figure 5.4. The static command syntax.



Table 5.3. static Command Options

internal_if_name
    This defines the internal interface name, which has the higher security level.

external_if_name
    This defines the external interface name, which has the lower security level.

global_IP
    This is the global IP address you want your internal user to always use.

local_IP
    This is the internal IP address you want statically assigned.

network_mask
    The mask is used for both the internal and the external IP addresses. By using 255.255.255.255, you can define a specific host; by using 255.255.255.0, you can define an entire subnet.

max_conns
    This defines the maximum number of connections an IP address can use at the same time.

em_limit
    This defines the embryonic (half-open) connection limit. The default is 0, which means unlimited connections are allowed.

norandomseq
    This allows you to turn off randomizing of the TCP sequence numbers. This is not recommended, but the parameter is available if necessary.

The static command enables you to bind an inside IP address to an outside global address, making a one-to-one mapping. Every time a specific inside user travels across the PIX, that user is assigned the same global address. For example, if Jack's internal IP address is 192.168.1.11, you can use the static command to bind Jack's address to a specific global address, such as 169.254.8.1. The following command creates this one-to-one mapping:

    Pixfirewall(config)# static (inside, outside) 169.254.8.1 192.168.1.11

Now, when Jack is traveling across the firewall, he will always use 169.254.8.1 on the public side and the PIX xlate table will show the following:

    Pixfirewall# show xlate
    1 in use, 1237 most used
    Global 169.254.8.1 Local 192.168.1.11

Listing 5.2 creates a static one-to-one mapping from three internal addresses to three global addresses. Figure 5.5 displays the one-to-one mapping graphically.

Listing 5.2 Static One-to-One Mapping

    Pixfirewall(config)# static (inside, outside) 169.254.8.1 192.168.1.11
    Pixfirewall(config)# static (inside, outside) 169.254.8.2 192.168.1.12
    Pixfirewall(config)# static (inside, outside) 169.254.8.3 192.168.1.13
    Pixfirewall(config)#
    Pixfirewall(config)# exit
    Pixfirewall# clear xlate

Figure 5.5. The static command.


Dynamic Address Translations

By using the static command, you can specify a global address for each host. However, this manual binding can be too tedious to set up, or you might not have enough global addresses for every internal user. Dynamic address translation enables you to set up groups of internal addresses that can be assigned to a single global address or a pool of global addresses. The two main forms of dynamic address translations are NAT and PAT.

Network Address Translation

NAT enables you to dynamically assign groups of internal addresses to a pool of global addresses. This configuration takes a minimum of two commands: nat and global. Listing 5.3 demonstrates these commands.

Listing 5.3 The nat and global Commands Used for Dynamic Mappings

    Pixfirewall(config)# ip address outside 169.254.8.1 255.255.255.0
    Pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0
    Pixfirewall(config)#
    Pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.254 1
    Pixfirewall(config)#
    Pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
    Pixfirewall(config)# global (outside) 1 169.254.8.2-169.254.8.6 netmask 255.255.255.0
    Pixfirewall(config)#
    Pixfirewall(config)# exit
    Pixfirewall# clear xlate

The nat and global commands work together to allow all traffic on the inside interface to exit the outside interface using an address in the range 169.254.8.2-169.254.8.6.

The 0.0.0.0 0.0.0.0 in the nat command is similar to a default route: all inside IP addresses use the global address range with NAT ID 1. The first host will consume the IP address 169.254.8.2, the next will use 169.254.8.3, and so on. If a computer stops passing traffic through the firewall, the PIX will release the xlate slot and allow another computer to reuse the global address.


Use the no nat and no global commands to delete all nat and global configuration entries.


In the example in Figure 5.6, computers coming from network 192.168.1.0 use the global range 169.254.8.2-169.254.8.6 and computers from network 10.0.0.0 use the range 169.254.8.7-169.254.8.11. The NAT ID portion of the nat and global commands binds each inside NAT pool to its matching global pool.

Figure 5.6. Using nat with two pools.


Listing 5.4 demonstrates the commands necessary to create the mappings in Figure 5.6.

Listing 5.4 nat and global Commands for Two Dynamic Mappings

    Pixfirewall(config)# ip address outside 169.254.8.1 255.255.255.0
    Pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0
    Pixfirewall(config)#
    Pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.254 1
    Pixfirewall(config)#
    Pixfirewall(config)# nat (inside) 2 192.168.1.0 255.255.255.0
    Pixfirewall(config)# nat (inside) 3 10.0.0.0 255.0.0.0
    Pixfirewall(config)# global (outside) 2 169.254.8.2-169.254.8.6 netmask 255.255.255.0
    Pixfirewall(config)# global (outside) 3 169.254.8.7-169.254.8.11 netmask 255.255.255.0
    Pixfirewall(config)#
    Pixfirewall(config)# exit
    Pixfirewall# clear xlate

Port Address Translation

PAT enables you to use a single address for many internal addresses. For example, if your ISP assigns you only one address, you can have all your internal users share the same global IP address by implementing PAT. PAT modifies the source port number of each connection to provide the tracking capability necessary for the return traffic. For example, as Jack travels across the PIX, his address is changed from 192.168.1.11 port 1939 to the global address 169.254.8.1 port 5000. As Kristina travels across the PIX at the same time, her address of 192.168.1.25 port 1970 is changed to the same IP address Jack received, 169.254.8.1, but with a different port number, such as 5001. The PIX tracks these IP address-to-port translations in the xlate table.

In Figure 5.7 all the inside addresses coming into the PIX will use the single address of 169.254.8.1 as their global source address. Because all the internal addresses use the same global address, PAT will also modify the source port to provide a specific mapping back to the internal source.

Figure 5.7. PAT example.


Listing 5.5 displays PAT being set up with the global command using the interface option. This option uses the outside interface IP address, 169.254.8.1, as the global address.

Listing 5.5 PAT and global Command for Dynamic Mappings

    Pixfirewall(config)# ip address outside 169.254.8.1 255.255.255.0
    Pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0
    Pixfirewall(config)#
    Pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.254 1
    Pixfirewall(config)#
    Pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
    Pixfirewall(config)# global (outside) 1 interface
    Pixfirewall(config)#
    Pixfirewall(config)# exit
    Pixfirewall# clear xlate

NAT and PAT Together

You've learned how to use NAT to translate internal addresses to addresses from a global pool, creating a one-to-one mapping for each active host. You have also seen how to use a single address with PAT, changing the source port numbers to create a mapping back to the internal source. Now, let's see how to use both at the same time.

Figure 5.8 and Listing 5.6 demonstrate the use of NAT and PAT together. Users from the inside first use the NAT addresses in the range 169.254.8.1-169.254.8.5 until all the entries have been allocated. Then they begin to share the PAT address and use different port numbers.

Listing 5.6 NAT, PAT, and the global Command

    Pixfirewall(config)# ip address outside 169.254.8.1 255.255.255.0
    Pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0
    Pixfirewall(config)#
    Pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 169.254.8.254 1
    Pixfirewall(config)#
    Pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
    Pixfirewall(config)# global (outside) 1 169.254.8.2-169.254.8.6 netmask 255.255.255.0
    Pixfirewall(config)# global (outside) 1 169.254.8.11 netmask 255.255.255.255
    Pixfirewall(config)#
    Pixfirewall(config)# exit
    Pixfirewall# clear xlate

Figure 5.8. NAT and PAT together.



PAT has several problems when working with H.323, caching name servers, multimedia applications, and PPTP. So, if you are working with these technologies, use NAT instead of PAT.


Working Without NAT or PAT

You might encounter a situation in which addresses in the inside interface are just fine the way they are and don't need translating. If this is the case, you can use the nat 0 command. For example, if your address is 192.168.1.11 and it doesn't need to be translated on the other side of the PIX, the nat 0 command simply passes the traffic through without changing the source address.

nat 0

The nat 0 command stands by itself. It doesn't need the use of a global command because it doesn't change the source address; it only passes it through the firewall like a router would.

In Figure 5.9 the nat 0 command does not translate the three networks; it just passes them on.

Figure 5.9. The nat 0 command.


Listing 5.7 shows that three nat 0 commands are used to allow the three subnets of 192.168.1.0, 192.168.2.0, and 192.168.3.0 to pass through the PIX firewall without translating their addresses.

Listing 5.7 Using the nat 0 Command

    Pixfirewall(config)# nat (inside) 0 192.168.1.0 255.255.255.0
    Pixfirewall(config)# nat (inside) 0 192.168.2.0 255.255.255.0
    Pixfirewall(config)# nat (inside) 0 192.168.3.0 255.255.255.0
    Pixfirewall(config)#
    Pixfirewall(config)# exit
    Pixfirewall# clear xlate

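As an added illustration of how the xlate table behaves under Listings 5.3 through 5.7, here is a constructed Python model (not PIX code and not from the book): dynamic NAT hands out pool addresses in order, a single global address takes over with fresh ports once the pool is exhausted, nat 0 passes traffic untranslated, and a released slot makes its pool address reusable. The PAT_PORT_START value and the one-port-per-host simplification of PAT are assumptions of the model, not PIX behaviour.

```python
import ipaddress

PAT_PORT_START = 1024  # constructed starting port; the real PIX port-selection policy is not modelled


class XlateTable:  # toy model of the PIX xlate table for one (inside, outside) interface pair
    def __init__(self):
        self.nat = []    # (nat_id, inside network) in configuration order (nat command)
        self.pools = {}  # nat_id -> free global addresses (global command with a range)
        self.pat = {}    # nat_id -> [global ip, next port] (global command with one address)
        self.table = {}  # local ip -> (nat_id, global ip, pat port or None); PAT simplified to one port per host

    def add_nat(self, nat_id, net, mask):
        self.nat.append((nat_id, ipaddress.ip_network(f"{net}/{mask}")))

    def add_global(self, nat_id, first, last=None):
        if last is None:  # a single address (or the interface address) is used for PAT
            self.pat[nat_id] = [first, PAT_PORT_START]
        else:
            lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
            self.pools.setdefault(nat_id, []).extend(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))

    def translate(self, local_ip, src_port):
        """Return the (global ip, port) seen on the outside, or None when no rule lets the host out."""
        if local_ip in self.table:  # existing slot: NAT keeps the source port, PAT keeps its assigned port
            _, g, p = self.table[local_ip]
            return (g, src_port if p is None else p)
        for nat_id, net in self.nat:
            if ipaddress.ip_address(local_ip) not in net:
                continue
            if nat_id == 0:  # nat 0: pass through without translation
                return (local_ip, src_port)
            pool = self.pools.get(nat_id)
            if pool:  # dynamic NAT: take the first free pool address
                self.table[local_ip] = (nat_id, pool.pop(0), None)
                return (self.table[local_ip][1], src_port)
            if nat_id in self.pat:  # pool exhausted or absent: share the PAT address with a new port
                g, port = self.pat[nat_id]
                self.pat[nat_id][1] = port + 1
                self.table[local_ip] = (nat_id, g, port)
                return (g, port)
            break  # first matching nat wins; it has no usable global, so the host cannot leave
        return None

    def release(self, local_ip):  # idle timeout or 'clear xlate': a pool address becomes reusable
        nat_id, g, p = self.table.pop(local_ip)
        if p is None:
            self.pools[nat_id].append(g)
```

With the configuration of Listing 5.6 (pool 169.254.8.2-169.254.8.6, then PAT on 169.254.8.11), the sixth host is the first to receive the PAT address and a port.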
Using nat 0 with an Access Control List

You can accomplish the same nat 0 task as in Listing 5.7 by using an access control list to point to a list of addresses you want to exempt. Listing 5.8 uses the access-list option in the nat 0 command to point to an access list named cool-no-nat. The three access-list commands create the pool of addresses that will not be translated.


Beware that the masks on access-list commands on the PIX firewall are normal subnet masks, not wildcard masks as on a Cisco IOS router. For example, to define the subnet 192.168.1.0, the PIX would use a mask of 255.255.255.0, whereas an IOS router would use 0.0.0.255 for the same subnet.

A PIX firewall would use the following command:

    access-list 1 permit ip 192.168.1.0 255.255.255.0 any

An IOS router, on the other hand, would use this command:

    access-list 1 permit 192.168.1.0 0.0.0.255

Listing 5.8 Using the nat 0 Command with an Access List

    Pixfirewall(config)# nat (inside) 0 access-list cool-no-nat
    Pixfirewall(config)#
    Pixfirewall(config)# access-list cool-no-nat permit ip 192.168.1.0 255.255.255.0 any
    Pixfirewall(config)# access-list cool-no-nat permit ip 192.168.2.0 255.255.255.0 any
    Pixfirewall(config)# access-list cool-no-nat permit ip 192.168.3.0 255.255.255.0 any
    Pixfirewall(config)#
    Pixfirewall(config)# exit
    Pixfirewall# clear xlate
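An added Python check, not from the book, of the mask semantics described in the alert above and of the access list in Listing 5.8: the same dotted value is read as a subnet mask on the PIX and as a wildcard on IOS, and the two match functions show what happens when one is typed where the other is expected. The access-list parser is a constructed helper that understands only the "access-list NAME permit ip NET MASK [any]" form used in this section.

```python
import ipaddress


def _i(dotted):
    return int(ipaddress.IPv4Address(dotted))


def pix_mask_to_ios_wildcard(mask):
    """Bitwise inverse: PIX 255.255.255.0 <-> IOS 0.0.0.255 (the same call converts back)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ _i(mask)))


def pix_acl_matches(addr, network, mask):
    """PIX access-list semantics: bits set in the mask must equal the network's bits."""
    return (_i(addr) & _i(mask)) == (_i(network) & _i(mask))


def ios_acl_matches(addr, network, wildcard):
    """IOS access-list semantics: bits set in the wildcard are 'don't care'."""
    care = 0xFFFFFFFF ^ _i(wildcard)
    return (_i(addr) & care) == (_i(network) & care)


def parse_pix_acl_line(line):
    """Parse 'access-list NAME permit ip NET MASK [any]' as written in Listing 5.8 (constructed parser)."""
    p = line.split()
    if len(p) < 6 or p[0] != "access-list" or p[3].lower() != "ip":
        raise ValueError(f"unsupported access-list line: {line!r}")
    return {"name": p[1], "action": p[2], "network": p[4], "mask": p[5]}


def nat0_exempt(acl_lines, addr):
    """True if a permit line of the nat 0 access list covers addr, so it leaves the PIX untranslated."""
    return any(e["action"] == "permit" and pix_acl_matches(addr, e["network"], e["mask"])
               for e in map(parse_pix_acl_line, acl_lines))


# Constructed sample: the three access-list lines of Listing 5.8.
COOL_NO_NAT = [
    "access-list cool-no-nat permit ip 192.168.1.0 255.255.255.0 any",
    "access-list cool-no-nat permit ip 192.168.2.0 255.255.255.0 any",
    "access-list cool-no-nat permit ip 192.168.3.0 255.255.255.0 any",
]
```

Typing the PIX mask 255.255.255.0 into an IOS wildcard field does not match 192.168.1.77 at all, but does match any address whose last octet is 0, which is the mistake the alert warns about.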


CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218