
Foundation Summary 83
Foundation Summary
The Foundation Summary is a consolidation of the information covered in this chapter. It helps you continue to review the information in this chapter to prepare for the Certification Exam.
All interfaces on the Cisco PIX Firewall are assigned security levels. The higher the number, the more secure the interface. Traffic is allowed to pass from an interface with a higher security level to an interface with a lower security level without a specific rule in the security policy. By default, the outside interface (Ethernet 0) is assigned a security level of 0, and the inside interface (Ethernet 1) is assigned a security level of 100. All other interfaces must be manually assigned a security level using the nameif command. Traffic does not pass through two interfaces if they have the same security level.
The PIX Firewall handles the two transport protocols completely differently. Because TCP is connection-oriented and creates a session, it is relatively simple for the PIX to handle the traffic. TCP also generates a TCP sequence number, and the PIX randomizes that number as it passes through the firewall on its way to the destination. This way, it is very difficult to hijack a TCP session by selecting the next sequence number in the series. Figure 5-8 shows how the PIX Firewall handles a TCP handshake.

84 Chapter 5: Understanding Cisco PIX Firewall Translation and Connections
Figure 5-8 PIX Handling TCP Traffic (reconstructed from the figure; one line per packet)
Step 1. Source Initiates Connection (10.10.10.10 to PIX): Source IP 10.10.10.10, Destination IP 192.168.1.12, Source Port 2531, Destination Port 22, Sequence Number 331, ACK None, TCP Flag SYN
Step 2. PIX Allows Connection (PIX to server 192.168.1.12): xlate Source IP 192.168.1.10, Destination IP 192.168.1.12, Source Port 2531, Destination Port 22, Random Sequence Number 2748, ACK None, TCP Flag SYN
Step 3. Server Responds (192.168.1.12 to PIX): Source IP 192.168.1.12, Destination IP 192.168.1.10, Source Port 22, Destination Port 2531, Sequence Number 557, ACK 2749, TCP Flag SYN ACK
Step 4. PIX Returns Response (PIX to source 10.10.10.10): Source IP 192.168.1.12, Destination IP 10.10.10.10, Source Port 22, Destination Port 2531, Sequence Number 557, ACK 332, TCP Flag SYN ACK
Step 5. Source Sends ACK (10.10.10.10 to PIX): Source IP 10.10.10.10, Destination IP 192.168.1.12, Source Port 2531, Destination Port 22, Sequence Number 332, ACK 558, TCP Flag ACK
Final step, labelled "Step 2. PIX Allows Connection" again in the figure, Handshake Complete (PIX to server): xlate Source IP 192.168.1.10, Destination IP 192.168.1.12, Source Port 2531, Destination Port 22, Random Sequence Number 2748, ACK 558, TCP Flag ACK
UDP is a connectionless protocol, so it is very difficult to determine a connection’s state. When outbound UDP traffic is generated, the PIX completes the necessary address translation and saves the session object in the state table. If the response does not arrive within the timeout period (the default is 2 minutes), the connection is closed. If the response arrives within the timeout, the PIX verifies the connection information. If it matches the session object in the state table, the PIX allows the traffic. Figure 5-9 shows how the PIX typically handles UDP traffic.

Figure 5-9 PIX Handling UDP Traffic (reconstructed from the figure; one line per packet)
Step 1. Source Initiates Connection (10.10.10.10 to PIX): Source IP 10.10.10.10, Destination IP 192.168.1.12, Source Port 1012, Destination Port 53
Step 2. PIX Allows Connection (PIX to server 192.168.1.12): xlate Source IP 192.168.1.10, Destination IP 192.168.1.12, Source Port 1012, Destination Port 53
Step 3. Server Responds (192.168.1.12 to PIX): Source IP 192.168.1.12, Destination IP 192.168.1.10, Source Port 53, Destination Port 1012
Step 4. PIX Returns Response (PIX to source 10.10.10.10): Source IP 192.168.1.12, Destination IP 10.10.10.10, Source Port 53, Destination Port 1012
There are two types of address translation:
• Dynamic address translation is broken into two categories:
— Network Address Translation (NAT)—Multiple local hosts translate to a pool of global addresses.
— Port Address Translation (PAT)—Multiple local hosts translate to a single global address.
• Static translation—A single local address translates to a single global address. Static rules provide the translation to allow connection from a lower security level to a higher security level, but this connection must be allowed in the security policy. This connection can be allowed using either the conduit or access-list command. Access lists must be part of an access group and must be configured to a specific interface.
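The three translation kinds just listed can be modelled in a few lines. The Python below is an added illustration for this summary, not Cisco code: it assumes a caller-supplied NAT pool, one PAT address and a static map, and hands out PAT ports sequentially from an assumed starting port of 1024 (the real PIX chooses its own ports). Static entries win over the dynamic pool, the pool is used one address per local host until it runs dry, and after that every further host shares the PAT address and is told apart by port alone.

```python
from itertools import count


class AddressTranslator:
    """Toy model of static, NAT and PAT translation (constructed for illustration, not PIX code)."""

    def __init__(self, nat_pool, pat_ip, static=None, pat_first_port=1024):
        self.free_pool = list(nat_pool)         # global addresses not yet given to a local host
        self.pat_ip = pat_ip                    # the single global address shared by PAT
        self.static = dict(static or {})        # local IP -> global IP, fixed one-to-one
        self.pat_ports = count(pat_first_port)  # assumed PAT port allocator (PIX picks its own)
        self.dynamic = {}                       # local IP -> pool address it currently owns
        self.table = {}                         # (local IP, local port) -> (global IP, global port)

    def translate(self, local_ip, local_port):
        """Return the (global IP, global port) pair a packet from local_ip:local_port leaves with."""
        key = (local_ip, local_port)
        if key in self.table:                         # existing slot: reuse it
            return self.table[key]
        if local_ip in self.static:                   # static: always the same global address
            g = (self.static[local_ip], local_port)
        elif local_ip in self.dynamic:                # NAT: this host already owns a pool address
            g = (self.dynamic[local_ip], local_port)
        elif self.free_pool:                          # NAT: take the next free pool address
            self.dynamic[local_ip] = self.free_pool.pop(0)
            g = (self.dynamic[local_ip], local_port)
        else:                                         # PAT: share pat_ip, distinguish by port
            g = (self.pat_ip, next(self.pat_ports))
        self.table[key] = g
        return g

    def hosts_behind(self, global_ip):
        """Local hosts currently translated to global_ip (many for PAT, one for NAT/static)."""
        return sorted({loc for (loc, _), (glob, _) in self.table.items() if glob == global_ip})
```

With a pool of two addresses, the third and later inside hosts fall over to the PAT address, which is how an entire Class C can sit behind one global IP: 254 hosts, 254 distinct ports, one address.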

Multiple connections can take place through a single translation. Translations take place at the network layer, and connections occur at the transport layer. Therefore, connections are a subset of translations. Two specific commands are used to troubleshoot translation:
• show xlate—This command displays translation slot information. Many options are available to display specific information about the address translations.
• clear xlate—This command clears the translation table. Again, many options allow you to clear specific portions of the translation table.
A single command with numerous options is used to troubleshoot connections:
• show conn—Displays the number of and information about the active connections for the options specified.
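The pieces of this summary fit together in one small model: interface security levels decide which direction passes without a rule, a network-layer xlate table holds the address translation, a transport-layer conn table holds each connection under it, the TCP initial sequence number is randomized on the way out (Figure 5-8), and an idle UDP session expires after the timeout (Figure 5-9). The Python below is an added illustration written for this summary; it is not Cisco's implementation. It assumes a two-interface firewall, one global address (192.168.1.10, as in the figures) standing in for the NAT pool, a seeded random generator so runs are reproducible, and `show_xlate`/`show_conn` helpers whose output format is invented for the example. Inbound traffic is only admitted as a reply to an existing connection; the static-plus-conduit/access-list path is not modelled.

```python
import random
from dataclasses import dataclass

MOD32 = 1 << 32  # TCP sequence numbers wrap at 2^32


@dataclass
class Packet:
    iface: str       # interface the packet arrives on: "inside" or "outside"
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""  # TCP flags written as in the figure: "SYN", "SYN ACK", "ACK"
    seq: int = 0     # TCP sequence number (unused for UDP)
    ack: int = 0     # TCP acknowledgement number, 0 meaning none


class PixModel:
    """Toy two-interface stateful translation model (constructed for illustration, not PIX code)."""

    OTHER = {"inside": "outside", "outside": "inside"}

    def __init__(self, global_ip, seed=0, udp_timeout=120.0, levels=None):
        # Chapter defaults: outside (Ethernet 0) = 0, inside (Ethernet 1) = 100.
        self.levels = levels or {"outside": 0, "inside": 100}
        self.global_ip = global_ip        # one global address standing in for the NAT pool
        self.rng = random.Random(seed)    # seeded only so the example is reproducible
        self.udp_timeout = udp_timeout    # chapter default UDP timeout: 2 minutes
        self.xlate = {}   # network layer: local IP -> global IP
        self.conn = {}    # transport layer: (proto, global src, sport, dst, dport) -> state

    def show_xlate(self):
        return [f"Global {g} Local {l}" for l, g in self.xlate.items()]

    def show_conn(self):
        return [f"{proto.upper()} out {dst}:{dport} in {st['local']}:{sport} flags {st['flags']}"
                for (proto, _g, sport, dst, dport), st in self.conn.items()]

    def process(self, pkt, now=0.0):
        """Return the packet as it leaves the far interface, or None if the model drops it."""
        egress = self.OTHER[pkt.iface]
        if self.levels[pkt.iface] > self.levels[egress]:
            return self._high_to_low(pkt, egress, now)
        if self.levels[pkt.iface] < self.levels[egress]:
            return self._low_to_high(pkt, egress, now)
        return None   # equal security levels: traffic never passes between the two interfaces

    def _high_to_low(self, pkt, egress, now):
        # Higher -> lower passes without an explicit rule; it only needs a translation slot.
        gsrc = self.xlate.setdefault(pkt.src, self.global_ip)
        key = (pkt.proto, gsrc, pkt.sport, pkt.dst, pkt.dport)
        st = self.conn.get(key)
        if st is None:
            if pkt.proto == "tcp" and "SYN" not in pkt.flags:
                return None   # a non-SYN segment with no connection object is dropped
            # Randomize the initial sequence number by storing a per-connection offset.
            delta = (self.rng.randrange(MOD32) - pkt.seq) % MOD32 if pkt.proto == "tcp" else 0
            st = self.conn[key] = {"local": pkt.src, "delta": delta, "flags": "", "last": now}
        st["last"], st["flags"] = now, pkt.flags
        return Packet(egress, pkt.proto, gsrc, pkt.dst, pkt.sport, pkt.dport, pkt.flags,
                      (pkt.seq + st["delta"]) % MOD32, pkt.ack)

    def _low_to_high(self, pkt, egress, now):
        # Lower -> higher is admitted here only as a reply matching an existing connection object.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        st = self.conn.get(key)
        if st is None:
            return None
        if pkt.proto == "udp" and now - st["last"] > self.udp_timeout:
            del self.conn[key]   # the idle UDP "connection" expired before the reply came back
            return None
        st["last"] = now
        # Undo the sequence offset on the acknowledgement so the inside host sees its own numbers.
        ack = (pkt.ack - st["delta"]) % MOD32 if pkt.ack else 0
        return Packet(egress, pkt.proto, pkt.src, st["local"], pkt.sport, pkt.dport,
                      pkt.flags, pkt.seq, ack)
```

Feeding it the packets of Figure 5-8 reproduces the handshake: the outbound SYN leaves with source 192.168.1.10 and a random sequence number, the server's SYN ACK comes back acknowledging that random number plus one and is rewritten to ACK 332 for the inside host, and the inside host's final ACK leaves carrying the randomized number plus one. An unsolicited outside SYN finds no connection object and is dropped, a UDP reply that arrives more than 120 seconds after the last packet of its session is dropped, and a firewall built with both interfaces at the same level passes nothing at all.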

Q&A 87
Q&A
As mentioned in the Introduction, the questions in this book are written to be more difficult than what you should experience on the exam. The questions are designed to ensure your understanding of the concepts discussed in this chapter and adequately prepare you to complete the exam. You should use the simulated exams on the CD to practice for the exam.
The answers to these questions can be found in Appendix A.
1. When should you run the command clear xlate?
A. When updating a conduit on the firewall
B. When editing the NAT for the inside segment
C. When adding addresses to the global pool
D. All of the above
2. What happens if you configure two interfaces with the same security level?
3. True or false: The quickest way to clear the translation table is to reboot the PIX.
4. True or false: If you configure a static translation for your web server, everyone can connect to it.
5. Which of the following is not a method of address translation supported by the PIX?
A. Network Address Translation
B. Socket Address Translation
C. Port Address Translation
D. Static
6. True or false: It is easy to hack into a PIX over UDP 53, because it accepts DNS resolves from anyone.
7. What does the PIX normally change when allowing a TCP handshake between nodes on different interfaces and performing NAT?
8. What does the PIX normally change when allowing a TCP handshake between nodes on different interfaces and performing PAT?

9. You have configured two additional DMZ interfaces on your PIX Firewall. How do you prevent nodes on DMZ1 from accessing nodes on DMZ2 without adding rules to the security policy?
A. Route all traffic for DMZ2 out the outside interface.
B. Dynamically NAT all DMZ2 nodes to a multicast address.
C. Assign a higher security level to DMZ2.
D. All of the above
10. True or false: It is possible to hide an entire Class C network behind a single IP using PAT.
11. True or false: TCP is a much better protocol than UDP, because it does handshakes and randomly generates TCP sequence numbers.
12. Which of the following nat commands is/are correct?
A. LabPIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0
B. LabPIX(config)# nat (inside) 1 0.0
C. LabPIX(config)# nat (inside) 1 0 0
D. A and B
E. A and C
F. All of the above
13. When would you want to configure NAT and PAT for the same inside segment?
14. What is RFC 1918?
15. True or false: By default, an embryonic connection terminates after 2 minutes.
16. What command shows all active TCP connections on the PIX?
17. Why is there an id field in the nat command?


This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-511):
5. User interface
6. Configuring the PIX Firewall
8. Time setting and NTP support
13. DHCP server configuration