168.1.3HERE ARE THE STEPS TO FOLLOW IN WALKING THROUGH THE CONFIGU...

Question

192.168.1.3Here are the steps to follow in walking through the configurationexample, with explanations for clarification after each step as you gothrough the commands:configure terminalinterface ethernet0ip address 192.168.1.1 255.255.255.0This assigns the IP address to ethernet0 interface.ip nat insideThis designates ethernet0 interface as an inside network.no shutdownhttps://traloihay.netThis removes the interface from shutdown status.interface serial0ip address 207.139.221.1 255.255.255.128This assigns the IP address to serial0 interface.ip nat outsideThis designates the serial0 interface as an outside network.As in the previous example, this removes the interface from shutdownstatus.interface ethernet1ip address 192.168.2.1 255.255.255.0This assigns the IP address to ethernet1 interface.This designates ethernet1 interface as an inside network.access-list 10 permit ip 192.168.1.0 0.0.0.255This specifies that traffic originating from 192.168.1.0 network will betranslated.ip nat pool net-207 207.139.221.4 207.139.221.126 netmask 255.255.255.128This defines a pool of global IP addresses named net-207 with anaddress range of 207.139.221.4-207.139.221.126 to be used for NAT.ip nat pool net-207-napt 207.139.221.127 netmask 255.255.255.128This defines a single global IP address named net-207-napt withaddress 207.139.221.127 to be used for NAPT.ip nat inside source list 10 pool net-207This specifies that the source IP address of traffic defined in access list10 will be NAT’d with the IP addresses defined in net-207 pool.ip nat inside source list 10 pool net-207-napt overloadNetwork Address Translation (NAT) • Chapter 3 12710 will be NAPTed with the IP address defined in net-207-napt pool. NAPTwill occur once NAT has used all available addresses in net-207 pool.Once a translation has timed out due to inactivity, that global IP addresswill be reused for future NAT translations.ip nat inside source static 192.168.2.2 207.139.221.2 netmask>255.255.255.128Create a static translation for inside IP address 192.168.2.2 to global IPaddress 207.139.221.2. Any traffic destined for 207.139.221.2 will be stati-cally translated to 192.168.2.2.ip nat inside source static 192.168.2.3 207.139.221.3 netmaskConsiderations on NAT and NAPT Even though NAT helps to avoid the problem of scarce availability of glob-ally routable IP addresses, NAT has an impact on the functionality of cer-tain protocols, therefore complicating their deployment. This section willoutline some of the problems that are associated with NAT.IP Address Information in DataNumerous applications fail when packets traverse a NAT device. Thesepackets carry IP address or port information in the data portion of thepacket. Since NAT only alters the IP header to perform the translation, thedata portion is left untouched. With the aid of an ALG, a work-around maybe provided in some cases. But if the packet data is IPSec secured (orsecured by another transport or application level mechanism), the applica-tion is going to fail.Bundled Session ApplicationsBundled session applications such as FTP, H.323, SIP, and RTSP, whichuse a control connection to establish data flow are also usually broken byNAT devices. This occurs because the applications exchange address andport information within control session to establish data sessions and ses-sion orientations. NAT cannot know the interdependency of the bundledsessions and would treat each session as if they were unrelated to eachother. Applications like these can fail for a variety of reasons. Two of themost common reasons for failures are as follows: ■ Addressing information in the data portion of the packet is realmspecific and is not valid once the packet crosses the originatingrealm■ Control sessions create new data sessions about which NAT hasno information. These will fail in many cases.Peer-to-Peer ApplicationsPeer-to-peer applications are more prone to failure than client/server-based applications. Peer-to-peer applications can be originated by any ofthe peers; if the peers are located in different realms, NAT translations maynot be established because the host on the inside network is not visible tothe host on the outside network. This is more problematic with traditionalNAT (dynamic NAT and NAPT) where connections are client to server. IP Fragmentation with NAPT En RouteIP fragmentation with NAPT can occur when two hosts originate frag-mented TCP/UDP packets to the same destination host, and they happento use the same fragmentation identifier. When the target host receives thetwo unrelated packets, carrying the same fragmentation id, and from thesame assigned host address, the target host is unable to distinguish whichof the two sessions the packets belong to (due to the translation of thelocal source address, to that used in the global NAPT address); therefore,both sessions will be corrupted. Applications Requiring Retention of Address MappingWhen a session is established across realms through the use of NAT, thetranslation for that session will eventually time out and then be utilized byanother session’s traversing realms. This can be a problem for applicationsthat require numerous sessions to the same external address. NAT cannotknow this requirement ahead of time and may reassign the global addressbetween sessions. For example, if Host A on the inside network has estab-lished a session with Host Z on the outside network, the application willfunction properly. Once the session stops sending traffic and the NATtimer expires, the translation will be terminated and the global IP allocatedfor that specific translation will be used for another translation. What hap-pens if Host Z requires more data and tries to initiate a session with the IPNetwork Address Translation (NAT) • Chapter 3 129address that Host A had while it was translated? At this point, the applica-tion will no longer function properly.To remedy this problem, keepalive messages need to be sent betweenhosts to keep the translation active. This can be especially annoying andmay not be possible in some situations. An alternative is to use an ALG tokeep the address mapping from being discarded by NAT.IPSec and IKENAT operates by modifying source addresses within the IP header while itpasses through the NAT device. Due to the nature of IPSec, the AH pro-tocol is designed to detect alterations to an IP packet header. So when NATalters the source address information, the destination host receiving thealtered packet will discard the packet since the IP headers have beenaltered. The IPSec AH secure packet traversing NAT will simply not reachthe target application. IPSec ESP encrypted packets may be altered by NAT devices only in alimited number of cases. In the cases of TCP/UDP packets, NAT wouldneed to update the checksum in the TCP/UDP headers whenever the IPheader is changed. However, because the TCP/UDP header is encrypted bythe ESP, NAT would not be able to make this checksum update because itis now encrypted. TCP/UDP packets that are encrypted and traverse a NATdevice will fail because the TCP/UDP checksum validation is on thereceiving end and will not reach the target application.Internet Key Exchange (IKE) protocol can potentially pass IP addressesas node identifiers during the Main, Aggressive, and Quick Modes. In orderfor an IKE negotiation to correctly pass through NAT, these data portionswould need to be modified. However, these payloads are often protected byencryption. For all practical purposes, end-to-end IPSec is almost impos-sible to accomplish with NAT translation en route.SummaryNAT solves the problem of the limited available supply of global IPaddresses. By implementing a private IP address scheme in a private net-work, those addresses can then be translated into global IP addresses via aNAT device. This chapter covered various generic terms used by NAT, vari-ations of NAT, deploying NAT on a network, and considerations for usingNAT. As I stated at the beginning of the chapter, NAT is not a security fea-ture and should not be used for security. It simply allows private IPaddresses to be translated into global IP addresses. The myth that NAT“hides” a network is exactly that, a myth. A company’s ISP may haveknowledge of that private network and can therefore inject a route to thatnetwork in their routing tables, therefore exposing the private network. FAQsQ: Should I use NAT or NAPT?A: It is a good idea to implement both, depending on how many globaladdresses are available and how many local hosts need to be trans-lated. If a NAT pool is implemented, NAPT can then be used once all ofthe NAT translations are used up. Once a translation times out, it willbe reallocated to another local host trying to open a session with a hoston the outside. Q: How do I know if NAT should be used on my network?A: Typically, NAT must be used if your network is using a private IPaddress space and traffic must be routed globally (Internet). Anotherinstance when NAT would be used is when two companies merge twoLANs that use an overlapping IP subnet. Q: I have implemented NAT on my network; at different points in time,hosts are no longer being translated. Why is this happening?A: Check the number of global addresses in your global pool. The numberof hosts requiring translation may be outnumbering the availableaddresses. If this is the case, remove one of the addresses from theNAT pool and assign that address for NAPT. Q: RFC1918? RFC2663? What are these?A: RFC is short for Request for Comments. RFCs are standards that arepublished on various topics. For a listing of RFCs, visit https://traloihay.net orhttps://traloihay.net (official mirror site for internet drafts and RFCs).Chapter 4Cisco PIX FirewallSolutions in this chapter:■ Overview of the Security Features■ Initial Configuration■ Configuring NAT and NAPT■ Security Policy Configuration■ PIX Configuration Examples■ Securing and Maintaining the PIX131IntroductionA firewall is a security mechanism located on a network that protectsresources from other networks and individuals. A firewall controls accessto a network and enforces a security policy that can be tailored to suit theneeds of a company.There is some confusion on the difference between a Cisco PIX firewalland a router. Both devices are capable of filtering traffic with access con-trol lists, and both devices are capable of providing Network AddressTranslation (NAT). PIX, however, goes above and beyond simply filteringpackets, based on source/destination IP addresses, as well as source/des-tination TCP/UDP port numbers. PIX is a dedicated hardware device builtto provide security. Although a router can also provide some of the func-tions of a PIX by implementing access control lists, it also has to deal withrouting packets from one network to another. Depending on what model ofrouter is being used, access lists tend to burden the CPU, especially ifthere are numerous access lists that must be referenced for every packetthat travels through the router. This can impact the performance of therouter, causing other problems such as network convergence time.Cisco Systems offers a number of security solutions for networks,including Cisco Secure PIX Firewall series. The PIX firewall is a dedicatedhardware-based firewall that utilizes a version of the Cisco IOS for configu-ration and operation. This chapter will introduce and discuss security fea-tures, Network Address Translation (NAT), Network Address PortTranslation (NAPT, or referred to as PAT in the PIX firewall IOS), developinga security policy for your network, applying the security policy on the PIX,and finally, maintaining your PIX and securing it from unauthorized indi-viduals. The PIX Firewall series offers several models to meet today’s networks’needs, from the Enterprise-class Secure PIX 520 Firewall to the newlyintroduced Small Office/Home Office (SOHO) class Secure PIX 506 Firewallmodel. 520 and 520 DC The largest of the PIX Firewall series, it is meant forEnterprise and Internet Service Provider (ISP) use. It has a throughput of385 Mbps and will handle up to 250,000 simultaneous sessions. The hard-ware specifications include two Fast Ethernet ports, 128MB of RAM, afloppy disk drive for upgrading the IOS image, and support for up to sixadditional network interface cards in the chassis. Additionally, other avail-able interfaces are 10/100 Ethernet cards, Token Ring cards, and dual-attached multimode FDDI cards.Cisco PIX Firewall • Chapter 4 133515R and 515UR This particular model is intended for small- to medium-sized businesses and remote offices. The 515R and 515UR have athroughput of 120 Mbps with the capacity to handle up to 125,000 simul-taneous connections. The hardware specifications include two FastEthernet 10/100 ports, 32MB of RAM for the 515R and 64MB of RAM forthe 515UR model, and will support up to two additional network interfacecards in the chassis. Additionally, 10/100 Ethernet cards are available,but Token Ring cards are not supported on the 515 model. 506 The most recent addition to the Secure PIX Firewall series is the 506,intended for high-end small office/home office use, with a throughputmeasured at 10 Mbps. The 506 offers two Fast Ethernet 10/100 ports, anddoes not support any additional network interface cards in the chassis.The 506 comes with 32MB of RAM and does not support additional RAMupgrades. Overview of the Security FeaturesWith the enormous growth of the Internet, companies are beginning todepend on having an online presence on the Internet. With that presencecome security risks that allow outside individuals to gain access to criticalinformation and resources. Companies are now faced with the task of implementing security mea-sures to protect their data and resources. These resources can be verydiversified, such as Web servers, mail servers, FTP servers, databases, orany type of networked devices. Figure 4.1 displays a typical company net-work with access to the Internet via a leased line without a firewall inplace.As you can see in Figure 4.1, company XYZ has a direct connection tothe Internet. They are also using a class C public IP address space fortheir network, therefore making it publicly available to anyone who wishesto access it. Without any security measures, individuals are able to accesseach of the devices on the network with a public IP. Private informationcan be compromised, and other malicious attacks such as Denial ofService (DoS) can occur. If a firewall was placed between company XYZ’snetwork and the Internet, security measures can then be taken to filterand block unwanted traffic. Without any access control at the networkperimeter, a company’s security relies on proper configuration and securityon each individual host and server. This can be an administrative night-mare if hundreds of devices need to be configured for this purpose. Figure 4.1 Typical LAN with no firewall.Company XYZT1ISP

Answer

192.168.1.3Here are the steps to follow in walking through the configurationexample, with explanations for clarification after each step as you gothrough the commands:configure terminalinterface ethernet0ip address 192.168.1.1 255.255.255.0This assigns the IP address to ethernet0 interface.ip nat insideThis designates ethernet0 interface as an inside network.no shutdownhttps://traloihay.netThis removes the interface from shutdown status.interface serial0ip address 207.139.221.1 255.255.255.128This assigns the IP address to serial0 interface.ip nat outsideThis designates the serial0 interface as an outside network.As in the previous example, this removes the interface from shutdownstatus.interface ethernet1ip address 192.168.2.1 255.255.255.0This assigns the IP address to ethernet1 interface.This designates ethernet1 interface as an inside network.access-list 10 permit ip 192.168.1.0 0.0.0.255This specifies that traffic originating from 192.168.1.0 network will betranslated.ip nat pool net-207 207.139.221.4 207.139.221.126 netmask 255.255.255.128This defines a pool of global IP addresses named net-207 with anaddress range of 207.139.221.4-207.139.221.126 to be used for NAT.ip nat pool net-207-napt 207.139.221.127 netmask 255.255.255.128This defines a single global IP address named net-207-napt withaddress 207.139.221.127 to be used for NAPT.ip nat inside source list 10 pool net-207This specifies that the source IP address of traffic defined in access list10 will be NAT’d with the IP addresses defined in net-207 pool.ip nat inside source list 10 pool net-207-napt overloadNetwork Address Translation (NAT) • Chapter 3 12710 will be NAPTed with the IP address defined in net-207-napt pool. NAPTwill occur once NAT has used all available addresses in net-207 pool.Once a translation has timed out due to inactivity, that global IP addresswill be reused for future NAT translations.ip nat inside source static 192.168.2.2 207.139.221.2 netmask>255.255.255.128Create a static translation for inside IP address 192.168.2.2 to global IPaddress 207.139.221.2. Any traffic destined for 207.139.221.2 will be stati-cally translated to 192.168.2.2.ip nat inside source static 192.168.2.3 207.139.221.3 netmaskConsiderations on NAT and NAPT Even though NAT helps to avoid the problem of scarce availability of glob-ally routable IP addresses, NAT has an impact on the functionality of cer-tain protocols, therefore complicating their deployment. This section willoutline some of the problems that are associated with NAT.IP Address Information in DataNumerous applications fail when packets traverse a NAT device. Thesepackets carry IP address or port information in the data portion of thepacket. Since NAT only alters the IP header to perform the translation, thedata portion is left untouched. With the aid of an ALG, a work-around maybe provided in some cases. But if the packet data is IPSec secured (orsecured by another transport or application level mechanism), the applica-tion is going to fail.Bundled Session ApplicationsBundled session applications such as FTP, H.323, SIP, and RTSP, whichuse a control connection to establish data flow are also usually broken byNAT devices. This occurs because the applications exchange address andport information within control session to establish data sessions and ses-sion orientations. NAT cannot know the interdependency of the bundledsessions and would treat each session as if they were unrelated to eachother. Applications like these can fail for a variety of reasons. Two of themost common reasons for failures are as follows: ■ Addressing information in the data portion of the packet is realmspecific and is not valid once the packet crosses the originatingrealm■ Control sessions create new data sessions about which NAT hasno information. These will fail in many cases.Peer-to-Peer ApplicationsPeer-to-peer applications are more prone to failure than client/server-based applications. Peer-to-peer applications can be originated by any ofthe peers; if the peers are located in different realms, NAT translations maynot be established because the host on the inside network is not visible tothe host on the outside network. This is more problematic with traditionalNAT (dynamic NAT and NAPT) where connections are client to server. IP Fragmentation with NAPT En RouteIP fragmentation with NAPT can occur when two hosts originate frag-mented TCP/UDP packets to the same destination host, and they happento use the same fragmentation identifier. When the target host receives thetwo unrelated packets, carrying the same fragmentation id, and from thesame assigned host address, the target host is unable to distinguish whichof the two sessions the packets belong to (due to the translation of thelocal source address, to that used in the global NAPT address); therefore,both sessions will be corrupted. Applications Requiring Retention of Address MappingWhen a session is established across realms through the use of NAT, thetranslation for that session will eventually time out and then be utilized byanother session’s traversing realms. This can be a problem for applicationsthat require numerous sessions to the same external address. NAT cannotknow this requirement ahead of time and may reassign the global addressbetween sessions. For example, if Host A on the inside network has estab-lished a session with Host Z on the outside network, the application willfunction properly. Once the session stops sending traffic and the NATtimer expires, the translation will be terminated and the global IP allocatedfor that specific translation will be used for another translation. What hap-pens if Host Z requires more data and tries to initiate a session with the IPNetwork Address Translation (NAT) • Chapter 3 129address that Host A had while it was translated? At this point, the applica-tion will no longer function properly.To remedy this problem, keepalive messages need to be sent betweenhosts to keep the translation active. This can be especially annoying andmay not be possible in some situations. An alternative is to use an ALG tokeep the address mapping from being discarded by NAT.IPSec and IKENAT operates by modifying source addresses within the IP header while itpasses through the NAT device. Due to the nature of IPSec, the AH pro-tocol is designed to detect alterations to an IP packet header. So when NATalters the source address information, the destination host receiving thealtered packet will discard the packet since the IP headers have beenaltered. The IPSec AH secure packet traversing NAT will simply not reachthe target application. IPSec ESP encrypted packets may be altered by NAT devices only in alimited number of cases. In the cases of TCP/UDP packets, NAT wouldneed to update the checksum in the TCP/UDP headers whenever the IPheader is changed. However, because the TCP/UDP header is encrypted bythe ESP, NAT would not be able to make this checksum update because itis now encrypted. TCP/UDP packets that are encrypted and traverse a NATdevice will fail because the TCP/UDP checksum validation is on thereceiving end and will not reach the target application.Internet Key Exchange (IKE) protocol can potentially pass IP addressesas node identifiers during the Main, Aggressive, and Quick Modes. In orderfor an IKE negotiation to correctly pass through NAT, these data portionswould need to be modified. However, these payloads are often protected byencryption. For all practical purposes, end-to-end IPSec is almost impos-sible to accomplish with NAT translation en route.SummaryNAT solves the problem of the limited available supply of global IPaddresses. By implementing a private IP address scheme in a private net-work, those addresses can then be translated into global IP addresses via aNAT device. This chapter covered various generic terms used by NAT, vari-ations of NAT, deploying NAT on a network, and considerations for usingNAT. As I stated at the beginning of the chapter, NAT is not a security fea-ture and should not be used for security. It simply allows private IPaddresses to be translated into global IP addresses. The myth that NAT“hides” a network is exactly that, a myth. A company’s ISP may haveknowledge of that private network and can therefore inject a route to thatnetwork in their routing tables, therefore exposing the private network. FAQsQ: Should I use NAT or NAPT?A: It is a good idea to implement both, depending on how many globaladdresses are available and how many local hosts need to be trans-lated. If a NAT pool is implemented, NAPT can then be used once all ofthe NAT translations are used up. Once a translation times out, it willbe reallocated to another local host trying to open a session with a hoston the outside. Q: How do I know if NAT should be used on my network?A: Typically, NAT must be used if your network is using a private IPaddress space and traffic must be routed globally (Internet). Anotherinstance when NAT would be used is when two companies merge twoLANs that use an overlapping IP subnet. Q: I have implemented NAT on my network; at different points in time,hosts are no longer being translated. Why is this happening?A: Check the number of global addresses in your global pool. The numberof hosts requiring translation may be outnumbering the availableaddresses. If this is the case, remove one of the addresses from theNAT pool and assign that address for NAPT. Q: RFC1918? RFC2663? What are these?A: RFC is short for Request for Comments. RFCs are standards that arepublished on various topics. For a listing of RFCs, visit https://traloihay.net orhttps://traloihay.net (official mirror site for internet drafts and RFCs).Chapter 4Cisco PIX FirewallSolutions in this chapter:■ Overview of the Security Features■ Initial Configuration■ Configuring NAT and NAPT■ Security Policy Configuration■ PIX Configuration Examples■ Securing and Maintaining the PIX131IntroductionA firewall is a security mechanism located on a network that protectsresources from other networks and individuals. A firewall controls accessto a network and enforces a security policy that can be tailored to suit theneeds of a company.There is some confusion on the difference between a Cisco PIX firewalland a router. Both devices are capable of filtering traffic with access con-trol lists, and both devices are capable of providing Network AddressTranslation (NAT). PIX, however, goes above and beyond simply filteringpackets, based on source/destination IP addresses, as well as source/des-tination TCP/UDP port numbers. PIX is a dedicated hardware device builtto provide security. Although a router can also provide some of the func-tions of a PIX by implementing access control lists, it also has to deal withrouting packets from one network to another. Depending on what model ofrouter is being used, access lists tend to burden the CPU, especially ifthere are numerous access lists that must be referenced for every packetthat travels through the router. This can impact the performance of therouter, causing other problems such as network convergence time.Cisco Systems offers a number of security solutions for networks,including Cisco Secure PIX Firewall series. The PIX firewall is a dedicatedhardware-based firewall that utilizes a version of the Cisco IOS for configu-ration and operation. This chapter will introduce and discuss security fea-tures, Network Address Translation (NAT), Network Address PortTranslation (NAPT, or referred to as PAT in the PIX firewall IOS), developinga security policy for your network, applying the security policy on the PIX,and finally, maintaining your PIX and securing it from unauthorized indi-viduals. The PIX Firewall series offers several models to meet today’s networks’needs, from the Enterprise-class Secure PIX 520 Firewall to the newlyintroduced Small Office/Home Office (SOHO) class Secure PIX 506 Firewallmodel. 520 and 520 DC The largest of the PIX Firewall series, it is meant forEnterprise and Internet Service Provider (ISP) use. It has a throughput of385 Mbps and will handle up to 250,000 simultaneous sessions. The hard-ware specifications include two Fast Ethernet ports, 128MB of RAM, afloppy disk drive for upgrading the IOS image, and support for up to sixadditional network interface cards in the chassis. Additionally, other avail-able interfaces are 10/100 Ethernet cards, Token Ring cards, and dual-attached multimode FDDI cards.Cisco PIX Firewall • Chapter 4 133515R and 515UR This particular model is intended for small- to medium-sized businesses and remote offices. The 515R and 515UR have athroughput of 120 Mbps with the capacity to handle up to 125,000 simul-taneous connections. The hardware specifications include two FastEthernet 10/100 ports, 32MB of RAM for the 515R and 64MB of RAM forthe 515UR model, and will support up to two additional network interfacecards in the chassis. Additionally, 10/100 Ethernet cards are available,but Token Ring cards are not supported on the 515 model. 506 The most recent addition to the Secure PIX Firewall series is the 506,intended for high-end small office/home office use, with a throughputmeasured at 10 Mbps. The 506 offers two Fast Ethernet 10/100 ports, anddoes not support any additional network interface cards in the chassis.The 506 comes with 32MB of RAM and does not support additional RAMupgrades. Overview of the Security FeaturesWith the enormous growth of the Internet, companies are beginning todepend on having an online presence on the Internet. With that presencecome security risks that allow outside individuals to gain access to criticalinformation and resources. Companies are now faced with the task of implementing security mea-sures to protect their data and resources. These resources can be verydiversified, such as Web servers, mail servers, FTP servers, databases, orany type of networked devices. Figure 4.1 displays a typical company net-work with access to the Internet via a leased line without a firewall inplace.As you can see in Figure 4.1, company XYZ has a direct connection tothe Internet. They are also using a class C public IP address space fortheir network, therefore making it publicly available to anyone who wishesto access it. Without any security measures, individuals are able to accesseach of the devices on the network with a public IP. Private informationcan be compromised, and other malicious attacks such as Denial ofService (DoS) can occur. If a firewall was placed between company XYZ’snetwork and the Internet, security measures can then be taken to filterand block unwanted traffic. Without any access control at the networkperimeter, a company’s security relies on proper configuration and securityon each individual host and server. This can be an administrative night-mare if hundreds of devices need to be configured for this purpose. Figure 4.1 Typical LAN with no firewall.Company XYZT1ISP