CISCO PIX: TCP, UDP, NAT, PAT, AND PORT REDIRECTION CONT...
UDP
As we know, UDP is not a stateful protocol and does not use flags to
keep track of connection state.
However, a server behind a static NAT and/or PAT can still be flooded
with UDP connections/packets from spoofed IP addresses, so it is good
practice to limit the number of UDP connections the PIX will allow to a
single server.
The syntax is similar to the TCP method:
Code:
London(config)# static (inside, outside) 80.80.80.100 10.10.10.10 netmask 255.255.255.255 udp 100
As you can see, we simply specify the protocol and the maximum number of
UDP connections that the server can have; in this case we are saying
that 10.10.10.10 can have a maximum of 100 UDP connections at any one
time.
A more realistic command may be:
Code:
London(config)# static (inside, outside) 80.80.80.100 10.10.10.10 netmask 255.255.255.255 0 25 udp 100
This says that 10.10.10.10 can have unlimited TCP connections (a limit
of 0 means unlimited), a maximum of 25 embryonic connections and a
maximum of 100 UDP connections.
Network Address Translation
As mentioned in Part two, NAT is a method to reduce the number of
externally routable IP addresses an organization needs and also to hide
the internal IP addresses from outside viewing.
When configuring NAT remember that an interface with a higher security
level can access an interface with a lower security level unless they
are explicitly denied.
The nat and global commands go hand in hand with each other.
If you want to enable a lower security level interface to access a
higher security interface then you must have the relevant access rule
permitting it and a static NAT / PAT translation.
The PIX supports both Static and Dynamic translations.
Static Translation
A static translation is a permanent one-to-one translation, or mapping,
between an IP address on a more secure interface and an IP address on a
less secure interface. You can only statically NAT one external IP
address to one inside IP address, i.e. if you NAT 80.80.80.81 to
10.10.10.20, then when traffic for 80.80.80.81 arrives on the OUTSIDE
interface it will, ACL permitting, be directed to 10.10.10.20.
80.80.80.81 can now only be statically NAT'd to this IP address and no
other, otherwise the PIX would not know where to send the incoming
traffic. This is different from Port Address Translation (PAT), which
can be translated to more than one IP address and will be covered later
on.
You would typically use a static NAT when you host a web server that
sits on an internal IP. Obviously you want the external IP of the web
server to always be the same; if you static NAT it to the internal IP
of the server you ensure that when someone browses to the outside IP
they will always be translated across to the correct web server.
The syntax for a Static NAT is:
Code:
London(config)# static (inside, outside) 80.80.80.81 10.10.10.20 netmask 255.255.255.255
At first glance the above command could seem confusing but look at it
this way:
(inside, outside) 80.80.80.81 10.10.10.20
Firstly you specify the real interface that the server is attached to,
in this case our web server is on the INSIDE interface.
Secondly specify the interface that the mapped IP address is on, in
this case the OUTSIDE interface – then specify the mapped IP address.
Next we specify the real IP address of the server and its netmask.
Just remember the mapped interface and IP are in the centre of the
command, and the real interface and IP go at either end of the command.
A Static NAT can also be used to translate entire networks and is known
as Net Static.
Code:
London(config)# static (dmz, outside) 80.80.80.0 10.20.20.0 netmask 255.255.255.0
The above command will NAT the entire DMZ subnet to an IP address in
the 80.80.80.0/24 subnet when passing traffic to the outside interface.
This comes in handy when you have multiple subnets on a single
interface.
Dynamic NAT
Dynamic NATs are used when no outside host needs to initiate a
connection into your network(s). Typically a dynamic NAT is used for a
normal office LAN that has no external-facing servers/services and just
needs normal outbound connectivity, i.e. to the internet.
Firstly we must identify which internal hosts we want to NAT to an
external IP address. This can be an entire subnet, specific hosts or
everything attached to a certain interface. We then give these hosts a
group number, usually starting from 1.
After we have decided which hosts will be eligible for translation, we
must then decide what external IPs we want them to use when they talk
to the outside world, and assign these external IP addresses to the
same group as the internal hosts we have just defined.
Code:
London(config)# nat (inside) 1 10.10.10.0 255.255.255.0
nat = Tells the PIX we are defining hosts to be NAT'd.
(inside) = Tells the PIX where the hosts are located, in this case they
are on the INSIDE interface.
1 = Group number for these hosts
10.10.10.0 = the subnet we want to configure NAT'ing for. In this case
every host between 10.10.10.1 and 10.10.10.254 will be translated to an
external address when sending packets out of the OUTSIDE interface.
255.255.255.0 = the subnet mask that defines our subnet.
Now we have told the PIX which internal hosts we want to NAT, we must
now tell it what addresses it can use to translate them.
Code:
London(config)# global (outside) 1 80.80.80.81-80.80.80.100 netmask 255.255.255.0
The syntax is very similar to the NAT command we gave earlier.
global = Tells the PIX that we are defining what global (external) IP
addresses it can use.
outside = Tells the PIX that these global IPs are to be used on the
OUTSIDE interface.
1 = The NAT-ID group. This must be the same as what we defined in the
nat command for the inside interface. We can have multiple groups. For
example, if we had two different internal subnets that we want to NAT to
two different sets of external IPs, we would make two groups, one for
each subnet. This tells the PIX that if the inside host is in group 1
it gets an external IP from global group 1, and if the internal host is
in group 2 it gets an external IP from global group 2.
Finally we tell it the range of IPs available on the OUTSIDE
interface. These are issued on a 'first come, first served' basis
until they are all used up. If the PIX administrator has not sized the
pool correctly and all the available IP addresses are in use, then
some hosts will have no external connectivity until IP addresses
become available again.
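As an added example (not part of the original tutorial, and not Cisco code), the Python script below parses PIX 6.x-style static, nat and global lines of the shapes shown in this part and applies the checks the text argues for: that a mapped address is statically translated to only one real address, that every nat group has a matching global pool, and what happens to hosts when a first-come-first-served global pool runs out. It also pulls the TCP, embryonic and UDP limits out of a static line as described in the UDP section. The configuration it reads is constructed for the example and reuses the tutorial's addresses; the regexes only cover the command forms shown on this page (range-form global, no interface keyword or PAT), and the function names are the example's own.

```python
"""Offline sanity checks for PIX 6.x-style static / nat / global lines.

Added example for this tutorial, not Cisco code. The command forms handled are the
ones shown on the page: static with optional netmask and tcp/embryonic/udp limits,
nat (ifc) id net mask, and global (ifc) id start-end. A limit of 0 means unlimited.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample configuration reusing the tutorial's addresses. It contains
# two deliberate faults: 80.80.80.81 is statically mapped to two inside hosts,
# and nat group 2 on the DMZ has no matching global pool.
SAMPLE_CONFIG = """\
static (inside, outside) 80.80.80.100 10.10.10.10 netmask 255.255.255.255 0 25 udp 100
static (inside, outside) 80.80.80.81 10.10.10.20 netmask 255.255.255.255
static (inside, outside) 80.80.80.81 10.10.10.21 netmask 255.255.255.255
static (dmz, outside) 80.80.80.0 10.20.20.0 netmask 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0
nat (dmz) 2 10.20.20.0 255.255.255.0
global (outside) 1 80.80.80.81-80.80.80.100 netmask 255.255.255.0
"""

IF_PAIR = r"\(\s*(?P<real_if>\w+)\s*,\s*(?P<mapped_if>\w+)\s*\)"
STATIC_RE = re.compile(r"^static\s*" + IF_PAIR + r"\s+(?P<mapped>\S+)\s+(?P<real>\S+)"
                       r"(?:\s+netmask\s+(?P<mask>\S+))?(?P<rest>.*)$")
NAT_RE = re.compile(r"^nat\s*\(\s*(?P<ifc>\w+)\s*\)\s+(?P<gid>\d+)\s+(?P<net>\S+)\s+(?P<mask>\S+)")
GLOBAL_RE = re.compile(r"^global\s*\(\s*(?P<ifc>\w+)\s*\)\s+(?P<gid>\d+)\s+"
                       r"(?P<start>[\d.]+)(?:-(?P<end>[\d.]+))?")


def parse_static(line):
    """static (real_if, mapped_if) mapped real [netmask m] [tcp] [max [emb]] [udp max]"""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static line: {line!r}")
    rest = [t for t in m["rest"].split() if t != "norandomseq"]
    tcp_max = emb_limit = udp_max = 0          # 0 means unlimited on the PIX
    if "udp" in rest:                          # trailing "udp <max>" pair
        i = rest.index("udp")
        udp_max = int(rest[i + 1])
        rest = rest[:i]
    if rest and rest[0] == "tcp":              # optional keyword before the TCP limits
        rest = rest[1:]
    if rest:
        tcp_max = int(rest[0])
    if len(rest) > 1:
        emb_limit = int(rest[1])
    mask = m["mask"] or "255.255.255.255"
    return {"real_if": m["real_if"], "mapped_if": m["mapped_if"],
            "mapped": ipaddress.ip_network(f"{m['mapped']}/{mask}", strict=False),
            "real": ipaddress.ip_network(f"{m['real']}/{mask}", strict=False),
            "tcp_max": tcp_max, "emb_limit": emb_limit, "udp_max": udp_max}


def parse_config(text):
    statics, nats, pools = [], [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("static"):
            statics.append(parse_static(line))
        elif (m := NAT_RE.match(line)):
            nats.append({"ifc": m["ifc"], "gid": int(m["gid"]),
                         "net": ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)})
        elif (m := GLOBAL_RE.match(line)):
            pools.append({"ifc": m["ifc"], "gid": int(m["gid"]),
                          "start": ipaddress.ip_address(m["start"]),
                          "end": ipaddress.ip_address(m["end"] or m["start"])})
    return statics, nats, pools


def conflicting_statics(statics):
    """A mapped address may be statically translated to only one real address;
    otherwise the PIX cannot know where to send inbound traffic for it."""
    seen = defaultdict(set)
    for s in statics:
        seen[(s["mapped_if"], str(s["mapped"]))].add(str(s["real"]))
    return {key: reals for key, reals in seen.items() if len(reals) > 1}


def nat_groups_without_global(nats, pools):
    """Every nat group id needs a global with the same id, or its hosts get no translation."""
    return sorted({n["gid"] for n in nats} - {p["gid"] for p in pools})


def pool_addresses(pool):
    return [str(ipaddress.ip_address(i)) for i in range(int(pool["start"]), int(pool["end"]) + 1)]


def simulate_dynamic_nat(pool, inside_hosts):
    """First come, first served: once the pool is empty, later hosts wait for a free address."""
    free = pool_addresses(pool)
    assigned, waiting = {}, []
    for host in inside_hosts:
        if free:
            assigned[host] = free.pop(0)
        else:
            waiting.append(host)
    return assigned, waiting


def audit(text):
    statics, nats, pools = parse_config(text)
    return {"static_conflicts": conflicting_statics(statics),
            "nat_without_global": nat_groups_without_global(nats, pools),
            "limits": {str(s["real"]): (s["tcp_max"], s["emb_limit"], s["udp_max"])
                       for s in statics}}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
    _, _, pools = parse_config(SAMPLE_CONFIG)
    got, waiting = simulate_dynamic_nat(pools[0], [f"10.10.10.{i}" for i in range(1, 26)])
    print(f"{len(got)} hosts translated, {len(waiting)} waiting for a free global address")
```

Run it against a saved configuration instead of SAMPLE_CONFIG to get the same report for a real box. The pool simulation feeds 25 inside hosts into the 20-address range 80.80.80.81-80.80.80.100, so the last five hosts end up waiting, which is exactly the outage the tutorial warns about when the global range is too small for the LAN behind it.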
Original Tutorial
by nokia for TheTAZZone-TAZForum
Originally posted on September 20th, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.