CISCO
PIX: TCP, UDP, NAT, PAT, AND PORT REDIRECTION CONT...
Multiple Interfaces and NAT
Multiple interfaces are configured in exactly the same way as a single interface to enable NAT on them. There are a few options when it comes to the Global addresses though.
You can either create a new group by using a different NAT-ID number and assign that group its own range of external IPs, or you can share one group of external IP addresses between multiple interfaces.
Remember that we assign the Global addresses to the OUTSIDE interface, so any traffic passing through the OUTSIDE interface will pick up a Global IP address. We could have five other interfaces all sharing the same NAT-ID and, as long as there are IP addresses available in the pool, they will all pick up an IP before traversing to the outside world.
Code:
London(config)# nat (inside) 1 10.10.10.0 255.255.255.0
London(config)# nat (dmz) 1 172.18.10.10 255.255.255.0
London(config)# nat (eth3) 1 192.168.50.0 255.255.255.0
London(config)# global (outside) 1 80.80.80.81-80.80.80.240 netmask 255.255.255.0
In the above example we have configured three different subnets on three different interfaces to all share the same pool of addresses when traversing the OUTSIDE interface. As long as there are IP addresses available, all hosts will have external connectivity.
We don't have to share the same pool; as mentioned a few paragraphs above, we can use more than one NAT-ID.
Code:
London(config)# nat (inside) 1 10.10.10.0 255.255.255.0
London(config)# nat (dmz) 2 172.18.10.10 255.255.255.0
London(config)# nat (eth3) 3 192.168.50.0 255.255.255.0
London(config)# global (outside) 1 80.80.80.80-80.80.80.100 netmask 255.255.255.0
London(config)# global (outside) 2 90.90.90.91-90.90.90.100 netmask 255.255.255.0
London(config)# global (outside) 3 100.100.100.100-100.100.100.150 netmask 255.255.255.0
As you can see, each interface is in a different NAT group and has a different pool of IP addresses to choose from when traversing the OUTSIDE interface.
Port Address Translation (PAT)
PAT is more commonly used on small to medium sized office LANs, as most small businesses don't have a pool of external IP addresses to use.
As mentioned earlier, a Static NAT is only good for one IP address and one host; you can't Static NAT a single IP address to two different hosts.
If we only have one IP address (or very few) we need to use PAT.
One single external IP can theoretically be used for up to 64,000 inside hosts, and it can be a virtual IP address that is different from the IP address assigned to the interface.
PAT can be used in conjunction with NAT if you so desire.
A few applications have problems with PAT, such as some VoIP protocols and various other multimedia applications, so you may want to research PAT if you have multimedia applications on your network(s).
If we want to use an IP address that is different from the IP address we assigned to the interface, we set it up in the same way we have been setting NAT up, except we only use one IP address in the Global pool with a 32-bit subnet mask.
Code:
London(config)# nat (inside) 1 10.10.10.0 255.255.255.0
London(config)# global (outside) 1 80.80.80.82 netmask 255.255.255.255
Each time a host on the 10.10.10.0 network sends data out of the OUTSIDE interface, the source port in the packet header is dynamically changed by the PIX to a port greater than 1024.
For this example we will say a host with an IP of 10.10.10.10 has sent data to the internet and used port 3000 to send it. When this packet arrives at the PIX it will change the source port in the packet header to one greater than 1024; for now we will say it is changed to 2000.
Then, when data arrives on the outside interface destined for 80.80.80.82 with a destination port of 2000, the PIX knows that it substituted the source port 2000 for the host with the IP address 10.10.10.10. It will now change the destination port back to 3000, as otherwise the host would not accept the packet, and send the data on its way. (TCP and UDP inspection is still carried out as normal, as per the Stateful Algorithm rules.)
We can also use the IP address of the interface if we have no spare IP
addresses left.
Code:
London(config)# nat (inside) 1 10.10.10.0 255.255.255.0
London(config)# global (outside) 1 interface
The above command speaks for itself: instead of specifying an IP address or a pool of IP addresses, we tell it to use the IP address assigned to the interface.
PAT will take place in exactly the same way as mentioned above, except it will use the interface's IP address.
Just as we can with NAT we can assign multiple subnets to a single IP
address in the same group or we can have a single IP address per group.
Code:
London(config)# nat (inside) 1 10.10.10.0 255.255.255.0
London(config)# nat (inside) 2 10.10.20.0 255.255.255.0
London(config)# global (outside) 1 80.80.80.83 netmask 255.255.255.255
London(config)# global (outside) 2 80.80.80.84 netmask 255.255.255.255
Here we have two different subnets attached to the INSIDE interface, but we want to separate the external IPs they use. So now the 10.10.10.0 network will PAT to 80.80.80.83 in the normal way and the 10.10.20.0 network will PAT to 80.80.80.84 in the normal way.
We can back up an IP address we are using for PAT with another one to
keep in reserve should too many hosts want external connectivity at the
same time.
Code:
London(config)# nat (inside) 1 10.10.10.0 255.255.255.0
London(config)# global (outside) 1 80.80.80.83 netmask 255.255.255.255
London(config)# global (outside) 1 80.80.80.84 netmask 255.255.255.255
The hosts on the 10.10.10.0 network will use 80.80.80.83 for external
connectivity until the port pool is at maximum usage, then the PIX will
start using ports from the 80.80.80.84 address.
We can even use a PAT IP address to augment a NAT global pool in case we run out of 'NAT-able' IP addresses.
Code:
London(config)# nat (inside) 1 10.10.10.0 255.255.255.0
London(config)# global (outside) 1 80.80.80.81-80.80.80.90 netmask 255.255.255.0
London(config)# global (outside) 1 80.80.80.91 netmask 255.255.255.255
So now all hosts on the 10.10.10.0 network will use the global pool of 80.80.80.81-90 and be NAT'd to these until there are no more available; then the 80.80.80.91 address will be used to PAT any further hosts that require external connectivity.
This is a sneaky method if you only have a few external IP addresses but don't want to PAT all hosts, or if you have run out of external IPs and don't want to buy another subnet's worth of them.
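The PAT port substitution described above and the overflow behaviour of a mixed NAT/PAT global pool (one-to-one NAT first, then PAT on the first PAT address, then the backup address) as an added Python model. This is not code from the original tutorial or from Cisco; the class and method names, the lowest-free-port choice and the 1025-65535 port range are assumptions made for illustration.

```python
PAT_LOW, PAT_HIGH = 1025, 65535   # assumption: PAT picks source ports above 1024


class GlobalPool:
    """Global pool of one NAT-ID: a one-to-one NAT range plus PAT addresses."""

    def __init__(self, nat_range=(), pat_addrs=()):
        self.free_nat = list(nat_range)            # unused one-to-one addresses
        self.nat_map = {}                          # inside_ip -> its global address
        self.pat_addrs = list(pat_addrs)           # PAT addresses, used in order
        self.pat_next = {a: PAT_LOW for a in pat_addrs}  # next free port per address
        self.xlate = {}     # (inside_ip, inside_port) -> (global_ip, global_port)
        self.reverse = {}   # (global_ip, global_port) -> (inside_ip, inside_port)

    def translate(self, inside_ip, inside_port):
        """Outbound flow: reuse the existing entry or build a new translation."""
        key = (inside_ip, inside_port)
        if key in self.xlate:
            return self.xlate[key]
        if inside_ip not in self.nat_map and self.free_nat:
            self.nat_map[inside_ip] = self.free_nat.pop(0)   # hand out a NAT address
        if inside_ip in self.nat_map:
            entry = (self.nat_map[inside_ip], inside_port)   # NAT: port untouched
        else:
            entry = self._pat_port()                         # pool empty: fall back to PAT
        self.xlate[key] = entry
        self.reverse[entry] = key
        return entry

    def _pat_port(self):
        """Take the next free port from the first PAT address, then the backup."""
        for addr in self.pat_addrs:
            if self.pat_next[addr] <= PAT_HIGH:
                port = self.pat_next[addr]
                self.pat_next[addr] += 1
                return (addr, port)
        raise RuntimeError("all PAT ports in use")

    def untranslate(self, global_ip, global_port):
        """Reply arriving on OUTSIDE: restore the inside host and original port."""
        return self.reverse.get((global_ip, global_port))  # None: no xlate, dropped


# The mixed pool from the configuration above: NAT range .81-.90 backed by PAT on .91
london_pool = GlobalPool(
    nat_range=[f"80.80.80.{i}" for i in range(81, 91)],
    pat_addrs=["80.80.80.91"],
)
```

A reply to a global port with no entry in the reverse table returns None, which is the case where the PIX has no xlate and drops the packet.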
Identity NAT
As stated earlier, NAT can be set to one of two modes: either all traffic will be NAT'd unless an explicit rule exists to say a certain IP address does not need to be NAT'd, or no traffic will be NAT'd unless an explicit rule exists to say a host will be NAT'd.
Identity NAT, also known as NAT 0, allows us to map our IP addresses transparently so that our internal hosts' IP addresses are visible to the internet without any address translation occurring. All hosts that are behind a higher security level will translate to themselves on all lower interfaces.
Typically this is used when we have Internet Network Information Centre
(InterNIC) registered IP addresses (external IP’s) on our internal
network that we want people to be able to connect to directly from the
internet without any NAT taking place.
Keep in mind that an ACL will still need to be applied to allow traffic to pass from a lower security level interface to a higher one.
Code:
London(config)# nat (dmz) 0 80.80.80.234 255.255.255.255
This command tells the PIX to not translate 80.80.80.234 to anything
when passing traffic to and from it.
Remember to put a '0' after the interface instead of a NAT-ID, and to add the necessary ACL to allow the PIX to pass traffic to the host.
Port Redirection (Static PAT)
If we have a secure web server, a non-secure web server and an FTP
server on our internal network that require connections to be initiated
from the outside how would we set this up?
We could static NAT 3 different IP addresses to the servers and apply the relevant ACLs, which would allow outside users to connect to all of our services.
Whilst this solution would work and is a viable one in some cases, it is a waste of IP addresses.
Would it be better if we could share one IP address between all the hosts? But didn't we say that we could only static NAT one IP address to one host?
Since all three of our servers use different ports, we can static NAT and PAT one IP address between any number of hosts that require the use of different ports.
We basically tell the PIX: if traffic comes in to x.x.x.x on port xx, then send it to x.x.x.x on port xx.
So say we have an external IP of 80.80.80.132 and an FTP server with the internal IP of 10.10.10.50.
We tell the PIX:
Code:
London(config)# static (inside, outside) tcp 80.80.80.132 ftp 10.10.10.50 ftp netmask 255.255.255.255
The above command tells the PIX that any TCP traffic that comes in to the outside interface destined for 80.80.80.132 on the ftp port (port 21) should be sent to the inside interface, to the host with the IP address 10.10.10.50, on the ftp port (port 21).
If you spend a few seconds looking at the above command it will become
obvious what it is doing.
For an added layer of security we can use a non-default port on the
outside interface and redirect it to the default port, like so:
Code:
London(config)# static (inside, outside) tcp 80.80.80.132 12345 10.10.10.50 ftp netmask 255.255.255.255
The above command tells the PIX that any TCP traffic that comes in to the outside interface destined for 80.80.80.132 on port 12345 should be sent to the inside interface, to the host with the IP address 10.10.10.50, on the ftp port (port 21).
Because scanning all 65,535 ports takes time, most casual vertical scans do not go beyond the well known ports (0-1024), so by opening up port 12345 for incoming FTP requests we could fool a casual attacker into thinking we do not have an FTP server on the network. This only hides the service from a lazy scan; a full-range scan will still find it, so the ACL remains the real control.
*A vertical scan is a scan that checks the ports of a certain host; a horizontal scan refers to a 'ping sweep', or a scan that tries to determine active IP addresses.*
An ACL would still need to be configured to allow the external
connections to pass through the PIX.
So for our three servers a sample configuration could look like:
Code:
London(config)# static (inside, outside) tcp 80.80.80.132 12345 10.10.10.50 ftp netmask 255.255.255.255
London(config)# static (inside, outside) tcp 80.80.80.133 80 10.10.10.60 http netmask 255.255.255.255
London(config)# static (inside, outside) tcp 80.80.80.134 https 10.10.10.60 https netmask 255.255.255.255
We can change the first set of ports to anything we want, but unless the default ports on the server have been altered we need to use the defaults for the second port number we enter.
We can use the service name for common services such as FTP, HTTP and HTTPS, or we can use the port number should we so wish; the PIX sees it all in the same way.
Summary
Well, if you have read all of this, congratulations, as it took me 5 days to write!
Due to the extraordinary length and detail in this paper, I will summarize the process a packet follows when it arrives at the OUTSIDE interface of the PIX.
1) Packet arrives at the PIX.
2) The PIX first consults the Access Rules of the interface the packet arrives on.
3) The PIX makes a routing decision to determine which interface to send the packet out of.
4) The source address of the packet is checked against the LOCAL ADDRESSES in the translation table.
5) If an entry is found in the translation table, it is translated as per the configuration.
6) If an entry is not found, the PIX will look for a translation match in the following order:
   a) nat 0 access-list (NAT Exemption): is the host exempt from translation or not?
   b) Static (Static NAT): look through the static NAT table, starting at the top, until a match is found.
   c) Static TCP / UDP (PAT): examine the static PAT table, starting at the top, until a match is found.
   d) nat (NAT-ID access-list): this is policy NAT, which will be covered later.
   e) nat: regular NAT, best match.
   f) If no match is found at all, the packet is dropped.
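The translation match order listed in step 6, as an added Python model that is not part of the original tutorial or of Cisco's code. The rule tables are built from the nat 0, static and nat commands shown earlier on this page (the one static NAT entry is constructed, and policy NAT, step d, is omitted as the text defers it); the function name and the longest-prefix rule for "best match" are assumptions.

```python
from ipaddress import ip_address, ip_network

# Rule tables built from the commands shown in this tutorial. STATIC_NAT is a
# constructed entry for illustration; policy NAT (step d) is left out.
NAT0 = [("dmz", "80.80.80.234/32")]                          # nat (dmz) 0 ...
STATIC_NAT = [("10.10.10.70", "80.80.80.135")]               # constructed: local -> global
STATIC_PAT = [("tcp", "10.10.10.50", 21, "80.80.80.132", 12345),   # ftp redirected to 12345
              ("tcp", "10.10.10.60", 80, "80.80.80.133", 80),      # http
              ("tcp", "10.10.10.60", 443, "80.80.80.134", 443)]    # https
NAT = [("inside", 1, "10.10.10.0/24"), ("dmz", 2, "172.18.10.0/24")]  # nat (if) id ...


def _in(net, ip):
    return ip_address(ip) in ip_network(net)


def match_translation(iface, src_ip, proto, src_port):
    """Pick the translation for a new flow leaving iface; ('drop', None) if none."""
    for nat_if, net in NAT0:                         # a) nat 0: exempt, address kept
        if nat_if == iface and _in(net, src_ip):
            return ("identity", (src_ip, src_port))
    for local, glob in STATIC_NAT:                   # b) static NAT, top of table down
        if local == src_ip:
            return ("static-nat", (glob, src_port))
    for p, local, lport, glob, gport in STATIC_PAT:  # c) static PAT, top of table down
        if p == proto and local == src_ip and lport == src_port:
            return ("static-pat", (glob, gport))
    best = None                                      # e) regular nat: longest prefix wins
    for nat_if, nat_id, net in NAT:
        if nat_if == iface and _in(net, src_ip):
            if best is None or ip_network(net).prefixlen > ip_network(best[1]).prefixlen:
                best = (nat_id, net)
    if best is not None:
        return ("dynamic", best[0])                  # address then drawn from that global pool
    return ("drop", None)                            # f) no match at all
```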
The PIX keeps a State Table for all TCP and UDP connections and a Translation Table for all NAT translations.
Current TCP/UDP connections and NAT translations can be seen with the sh conn and sh xlate commands respectively.
The PIX uses SYN cookies to prevent SYN flooding, a form of DoS; if you have a version prior to 6.2 it will use TCP Inspection instead.
You can Port Redirect traffic from a non-default port to the protocol's default port.
The NAT and GLOBAL commands complement each other and will not work individually.
You can only Static NAT one IP address to one host, but you can Port Redirect from one IP address to many hosts.
Next paper will be Access Control and Content Filtering.
Original Tutorial
by nokia for TheTAZZone-TAZForum
Originally posted on September 20th, 2006 here
Do not use or republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post. We do not sell, publish, transmit, or have the right to give permission for such; TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.