CISCO
PIX: BASIC PIX CONFIGURATION CONT...
Network Address Translation (NAT)
As this paper is about configuring a PIX rather than explaining how network
protocols work, I will only briefly describe NAT.
Network Address Translation lets the PIX present the hosts on a private
network to the internet using one or a few public addresses, which also
prevents external hosts from learning your internal IP addresses.
It does this by translating an internal (private, RFC 1918) address, which
is not routable on the internet, into a globally unique address, which is.
If you assigned your PC the address 192.168.2.2 and connected it directly
to the internet you could neither send nor receive traffic: most providers
filter packets with private source addresses, and even if a packet got
through, no internet router holds a route back to 192.168.2.0/24, so the
reply could never reach you.
This poses a problem for anyone with more than one computer behind a
single connection: if the above is true, every computer on the network
would need its own public IP address, and the limited IPv4 address space
would be used up very quickly.
Enter NAT.
Provided certain criteria are met, the PIX will translate internal
addresses to an external address according to your configuration. To
anyone looking in from the internet the traffic appears to come from the
external IP assigned to you, and in most cases they will never learn the
internal address. Bear in mind that this hiding is a side effect rather
than the protection itself: what stops unsolicited traffic reaching the
inside is the PIX's stateful inspection and interface security levels, not
the fact that the addresses are translated.
When an outbound IP packet sent from a device on the INSIDE network
reaches a PIX that has NAT configured, the source address is extracted and
compared with the table of existing translations (the xlate table). If the
source address is not already in this table, it is translated to an
address taken from our external pool of addresses, called a Global Pool.
The table is updated and the packet is forwarded on with the new external
IP address in the source address field of its IP header. Return traffic is
matched against the same table entry and translated back to the internal
address on its way in.
The entry stays in the translation table for three hours by default (this
can be changed with the 'timeout xlate' command); if no traffic uses the
translation for that period it is removed and the external IP is free to
be used by another host.
Configuring NAT
To configure NAT we first tell the PIX which hosts/networks on our INSIDE
interface are allowed to be translated, and then we tell it what we would
like them to be translated to.
NAT can be made mandatory at a global level with the command
'nat-control'. With nat-control enabled, every packet passing from a
higher-security interface (such as INSIDE) to a lower-security one must
match a NAT rule before the PIX will send it out; packets that match no
rule are dropped.
The opposite is 'no nat-control', which means that all hosts can send
packets and a translation takes place only where a specific NAT rule
matches. 'no nat-control' is the default.
There are two types of NAT policy on a PIX: inside NAT and outside NAT.
Inside NAT translates the addresses of hosts on a higher-security
interface as their traffic passes to a lower-security interface, which is
the case covered here. Outside NAT translates the addresses of hosts on a
lower-security interface as their traffic comes in to a higher-security
one. As their names suggest, with nat-control enabled every INSIDE host
needs to be covered by an inside NAT rule, and likewise once outside NAT
is enabled on an interface every OUTSIDE address coming through it must
be covered by an outside rule.
We configure NAT by telling the PIX which interface the hosts/network we
want to translate is on:
Code:
London (config)# nat (inside) 1 0.0.0.0 0.0.0.0
The above tells the PIX that we want to perform NAT on the (inside)
interface. The 1 is the NAT ID (the 'nat group' we have assigned the rule;
its purpose will become apparent with the global command below), and the
0.0.0.0 0.0.0.0 tells the PIX that we want to perform NAT on everything
that is attached to the INSIDE interface. We could substitute this with
192.168.2.2 255.255.255.255, which would say that only the host with that
exact IP address is to be NAT'ed, or we could use 192.168.1.0
255.255.255.0, which would say that everything in 192.168.1.0 to
192.168.1.255 (the 192.168.1.0/24 network) needs to be translated.
*The 0.0.0.0 0.0.0.0 can be abbreviated to 0 0; however this can look a
bit confusing to anyone not comfortable configuring a PIX, so you may
prefer to write 0.0.0.0 0.0.0.0.*
Now that we have told it which IP addresses require translating, we need
to tell the PIX what we want them translated to.
To do this we use the 'global' command.
Code:
London (config)# global (outside) 1 80.80.80.81-80.80.80.200 netmask 255.255.255.0
The above command tells the PIX that the global addresses for NAT ID 1 are
assigned on the (outside) interface and that the range of addresses
available is 80.80.80.81 to 80.80.80.200 (120 addresses). The netmask
describes the subnet the pool addresses belong to and should normally be
the same subnet as the outside interface itself. Each inside host that
opens a session takes one address from this pool for the life of its
translation; once all 120 are in use, further inside hosts cannot be
translated until an idle entry times out, unless a single PAT address is
also configured under the same NAT ID, in which case the PIX falls back
to that address when the pool is exhausted.
Our configuration so far:
Code:
London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address 80.80.80.80 255.255.0.0
London (config-if)# security-level 0
London (config-if)# speed 100
London (config-if)# duplex full
London (config-if)# end
London# conf t
London (config)# nat (inside) 1 0.0.0.0 0.0.0.0
London (config)# global (outside) 1 80.80.80.81-80.80.80.200 netmask 255.255.255.0
So now all hosts on the INSIDE interface will be translated to an address
between 80.80.80.81 and 80.80.80.200 whenever they send traffic from the
INSIDE interface to the OUTSIDE interface.
*If a nat command is used there MUST be a global command with the same
NAT ID on the interface the traffic leaves by, otherwise NAT will not
work.*
We can also use static NAT, which maps a specific IP address on the INSIDE
or OUTSIDE interface to a fixed address on a different interface, but this
will be covered later in the Advanced PIX Configuration papers.
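As an added worked example (not part of the original tutorial), here is the same dynamic NAT with two things the basic version lacks: a PAT fallback under the same NAT ID so that new inside hosts are not refused a translation once the 120-address pool is in use, and the commands used to check the result. It assumes the outside interface and the pool share the 80.80.80.0/24 subnet; the PAT address is the outside interface's own address, so no extra public address is needed.

```cisco
! Added example, not from the original tutorial. Assumes the outside
! interface and the global pool are on the same 80.80.80.0/24 subnet.
London (config)# nat (inside) 1 0.0.0.0 0.0.0.0
London (config)# global (outside) 1 80.80.80.81-80.80.80.200 netmask 255.255.255.0
! Same NAT ID, single address: once all 120 pool addresses are in use,
! further inside hosts are PAT'ed (overloaded) onto the outside
! interface address instead of being refused a translation.
London (config)# global (outside) 1 interface
! Idle timeout for dynamic translations; 3:00:00 is the default.
London (config)# timeout xlate 3:00:00
London (config)# end
! nat/global changes apply to new translations only. clear xlate drops
! every current translation (and the connections using it) so they are
! rebuilt under the new rules: do this in a maintenance window.
London# clear xlate
! Verification: the configured rules, then the live translation table
! (show xlate debug also shows each entry's flags and idle time).
London# show running-config nat
London# show running-config global
London# show xlate
London# show xlate debug
London# wr mem
```

The pool is consumed first and the interface PAT address only when the pool is empty, so on a quiet network show xlate will list one-to-one entries from the pool; the overloaded entries appear only under load.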
Route
Just like a router, the PIX needs to be told where to send traffic for
networks it is not directly connected to. We do this by configuring
static and/or default routes.
A static route basically says 'to send a packet to the specified network,
send it to this router'.
A default route tells the PIX where to send traffic destined for an IP
address/network not in its routing table. We normally use the default
route to state where internet traffic should go: it is impossible to enter
every network on the internet into the PIX's routing table, but it is easy
to enter our own internal networks. So we say that, if there is no entry
in the routing table, the traffic is destined for the internet, so send it
to the internet gateway. If a packet reaching the gateway is not destined
for the internet and carries an internal (private) address, it will go
nowhere, for the reasons mentioned earlier; this is why every internal
network needs its own static route.
Code:
London (config)# route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
The above is an example of a default route. It says: route traffic out of
the outside interface, if the destination matches no other entry in the
routing table (0.0.0.0 0.0.0.0 matches every address), to the router with
the IP address 192.168.2.1. The trailing 1 is the route's metric
(administrative distance); it defaults to 1 and can be left off. Note that
the next hop must be directly reachable on the outside interface's own
subnet, otherwise the PIX cannot ARP for it and the route is useless; with
the outside interface addressed as 80.80.80.80 above, the real gateway
would be the provider's router on that subnet rather than a private
address.
Code:
London (config)# route inside 10.10.10.0 255.255.255.0 10.10.10.1 1
The above is an example of a static route. The interface named in the
command is the one the PIX sends the traffic out of, not the one it
arrives on: any traffic, from whichever interface, destined for the
10.10.10.0/24 network is sent out of the inside interface to the router
with the IP address 10.10.10.1, with a metric of 1. As with the default
route, the next hop must be an address on the inside interface's own
subnet, i.e. an internal router that in turn reaches 10.10.10.0/24.
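As an added example (not the tutorial's own configuration), here are the two routes with next hops that sit on the subnets of the interfaces they leave by, together with the commands to verify them. It assumes an ISP router at 80.80.80.1 on the outside subnet, an INSIDE interface addressed 192.168.2.254/24, and an internal router at 192.168.2.1 that reaches 10.10.10.0/24; all three addresses are assumptions for illustration.

```cisco
! Added example, not from the original tutorial. The inside interface
! address (192.168.2.254/24), the ISP router (80.80.80.1) and the
! internal router (192.168.2.1) are assumed for illustration.
London (config)# interface ethernet1
London (config-if)# nameif inside
London (config-if)# security-level 100
London (config-if)# ip address 192.168.2.254 255.255.255.0
London (config-if)# exit
! Default route: anything not in the routing table leaves by the outside
! interface to the ISP router, which is on the outside subnet.
London (config)# route outside 0.0.0.0 0.0.0.0 80.80.80.1 1
! Static route: 10.10.10.0/24 is reached through an internal router that
! is on the inside interface's own subnet (not inside 10.10.10.0/24).
London (config)# route inside 10.10.10.0 255.255.255.0 192.168.2.1 1
London (config)# end
! Verification: the routing table, then reachability of each next hop
! from the interface it should be reached through.
London# show route
London# ping outside 80.80.80.1
London# ping inside 192.168.2.1
London# wr mem
```

If either ping fails, the route will never work no matter how it is written: the PIX forwards to a next hop by ARP on the named interface, so the gateway has to answer there.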
Code:
London (config)# interface ethernet0 (or ‘int e0’ for short)
London (config-if)# nameif outside
London (config-if)# ip address 80.80.80.80 255.255.0.0
London (config-if)# security-level 0
London (config-if)# speed 100
London (config-if)# duplex full
London (config-if)# end
London# conf t
London (config)# nat (inside) 1 0.0.0.0 0.0.0.0
London (config)# global (outside) 1 80.80.80.81-80.80.80.200 netmask 255.255.255.0
London (config)# route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
London (config)# route inside 10.10.10.0 255.255.255.0 10.10.10.1 1
London (config)# end
London#wr mem
There we have our finished initial BASIC configuration. We have named an
interface, assigned it an IP address and subnet mask, set its speed and
duplex, told the PIX to NAT all hosts on the INSIDE interface to the
external addresses 80.80.80.81 to 80.80.80.200, given it a default route
to tell it where to send unknown traffic, and told it where to send
traffic destined for the internal network 10.10.10.0/24.
Obviously the IP addresses are for demonstration purposes only, and every
interface in use (the INSIDE interface included) needs to be configured as
above before the PIX will pass traffic.
Part three will be 'slightly advanced PIX configuration'.
Original Tutorial
by nokia for TheTAZZone-TAZForum
Originally posted on September 11th, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.

