PIX Firewall NAT

2025-02-23 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report


1. Experimental topology

2. Experimental requirements

1) complete the basic configuration of the firewall

2) be familiar with the access rules of firewall

3) be familiar with the routing configuration of firewall

4) understand the working process of firewall NAT and be familiar with configuration commands

A) the message from lo0 of R1 to lo0 of R2 uses dynamic NAT

B) the lo1 of R1 to the lo1 of R2 uses PAT

C) traffic from lo0 of R3 toward the outside uses static NAT

5) understand special NAT and policy NAT

3. Experimental steps

1) basic configuration and interface configuration of the router

2) basic configuration and interface configuration of PIX firewall

FW4 (config) # int e0

FW4 (config-if) # ip add 192.168.1.2 255.255.255.0

FW4 (config-if) # nameif inside

INFO: Security level for "inside" set to 100 by default.

FW4 (config-if) # no shu

FW4 (config-if) # int e2

FW4 (config-if) # ip add 202.202.202.2 255.255.255.0

FW4 (config-if) # nameif outside

INFO: Security level for "outside" set to 0 by default.

FW4 (config-if) # no shu

FW4 (config-if) # int E3

FW4 (config-if) # ip add 192.168.3.2 255.255.255.0

FW4 (config-if) # nameif dmz

INFO: Security level for "dmz" set to 0 by default.

FW4 (config-if) # security-level 50

FW4 (config-if) # no shu

3) Test the connectivity of directly connected links

4) configure static routes to achieve full network connectivity. R2 simulates a public-network router and has no routes configured.

R1 (config) # ip route 0.0.0.0 0.0.0.0 192.168.1.2

R3 (config) # ip route 0.0.0.0 0.0.0.0 192.168.3.2

FW4 (config) # route inside 192.168.10.0 255.255.255.0 192.168.1.1

FW4 (config) # route inside 192.168.20.0 255.255.255.0 192.168.1.1

FW4 (config) # route dmz 192.168.30.0 255.255.255.0 192.168.3.1

FW4 (config) # route outside 0.0.0.0 0.0.0.0 202.202.202.2

5) complete the NAT configuration of the firewall according to the experimental requirements, and understand how it works

A) Test dynamic NAT

Before dynamic NAT is configured, R1 on the inside cannot reach R2 on the outside, because R2 has no route back to the private segments. Once dynamic NAT is in place, the return traffic is addressed to the 202.202.202.0 segment, which is directly connected to R2, so the access succeeds.

FW4 (config) # access-list outacl extended permit icmp host 200.200.200.200 202.202.202.0 255.255.255.0 // allow ICMP from host 200.200.200.200 to the 202.202.202.0 segment (named extended ACL?)

FW4 (config) # access-group outacl in int outside // apply to the outside interface

FW4 (config) # nat ?
Configure mode commands/options:
  (  Open parenthesis for the name of the network interface where the hosts/network designated by the local IP address are accessed

FW4 (config) # nat (inside) 1 192.168.10.0 255.255.255.0

FW4 (config) # global (outside) 1 202.202.202.3-202.202.202.5 netmask 255.255.255.0 // dynamic NAT lets the private network reach the public network; nat and global with the same id work as a pair

Test results:

R1#ping 200.200.200.200 so 192.168.10.1 // be sure to specify the source: only the 192.168.10.0 segment is allowed to be translated, and without a source the egress interface address is used by default
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/28/44 ms

B) Test PAT (PAT: map private addresses to a single global address, distinguishing the connections by port)

FW4 (config) # nat (inside) 2 192.168.20.0 255.255.255.0

FW4 (config) # global (outside) 2 int

INFO: outside interface address added to PAT pool

Test results:

R1#ping 200.200.200.200 so 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/68 ms

C) static NAT testing

FW4 (config) # static (dmz,outside) 202.202.202.8 192.168.30.1 netmask 255.255.255.255 // the private host reaches the public network with 192.168.30.1 translated to 202.202.202.8

FW4 (config) # access-list dmzacl permit icmp 192.168.30.1 255.255.255.255 200.200.200.200 255.255.255.255 // no interface is applied here?

Test results:

R3#ping 200.200.200.200 so 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/33/48 ms

6) Test special NAT and policy NAT

A) Special NAT

When nat-control is enabled, every inside address must be covered by an inside NAT rule before it can pass through the security appliance. Likewise, if outside dynamic NAT is enabled on an interface, every outside address must be covered by an outside NAT rule before its traffic is allowed through.

Test:

Note: R1 must be able to ping R3 for this test. Either enable ICMP inspection so that the echo replies are matched statefully:

FW4 (config) # fixup protocol icmp

or leave inspection off and explicitly permit the echo replies inbound on dmz:

FW4 (config) # no fixup protocol icmp
FW4 (config) # access-list dmz-inside extended permit icmp 192.168.3.1 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
FW4 (config) # access-group dmz-inside in int dmz

At this point:

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/33/72 ms

Enable nat-control

FW4 (config) # nat-control

Test:

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

B) identity NAT

Identity NAT translates an address to itself, so it is effectively no translation, and it applies only to outbound traffic. It works like dynamic NAT except that the "global" address is the real address. Identity NAT is one-way: in the example below, R3 cannot ping R1 (192.168.3.1 ping 192.168.1.1).

FW4 (config) # nat-control

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

FW4 (config) # nat (inside) 0 192.168.1.1 255.255.255.255
Nat 0 192.168.1.1 will be identity translated for outbound
// only nat, no global: this is the defining characteristic of identity NAT

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/31/68 ms

Note: both of the experiments above depend on the following configuration, which lets R1 ping R3:

FW4 (config) # fixup protocol icmp

or

FW4 (config) # no fixup protocol icmp
FW4 (config) # access-list dmz-inside extended permit icmp 192.168.3.1 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
FW4 (config) # access-group dmz-inside in int dmz

Question: when the ACL is deleted, does the firewall also delete the access-group command that applies it to the interface?

C) NAT exemption (nat 0 with ACL)

Similar to identity NAT; the main difference is that NAT exemption permits two-way communication: translation is bypassed, and remote hosts may also initiate connections.

FW4 (config) # no nat (inside) 0 192.168.1.1 255.255.255.255

FW4 (config) # nat-control

FW4 (config) # access-list nonat permit ip 192.168.1.1 255.255.255.255 192.168.3 $

FW4 (config) # nat (inside) 0 access-list nonat

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/52 ms

Note: all three experiments above depend on the following configuration, which lets R1 ping R3:

FW4 (config) # fixup protocol icmp

or

FW4 (config) # no fixup protocol icmp
FW4 (config) # access-list dmz-inside extended permit icmp 192.168.3.1 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
FW4 (config) # access-group dmz-inside in int dmz

D) Policy NAT

Similar to static NAT, but policy NAT lets you define a condition on both source and destination addresses to decide which translation applies. With this feature, the same source address can be translated differently depending on the destination address.

FW4 (config) # access-list NAT1 permit ip 192.168.10.0 255.255.255.0 192.168.30.1 255.255.255.255

FW4 (config) # access-list NAT2 permit ip 192.168.10.0 255.255.255.0 192.168.30.2 255.255.255.255

FW4 (config) # nat (inside) 1 access-list NAT1

FW4 (config) # global (outside) 1 192.168.3.2

INFO: Global 192.168.3.2 will be Port Address Translated

FW4 (config) # nat (inside) 2 access-list NAT2

FW4 (config) # global (outside) 2 192.168.3.3

INFO: Global 192.168.3.3 will be Port Address Translated

7) summarize the access rules of the firewall and the handling of traffic

A) NAT selection order

NAT rules are matched in the following order of precedence (highest first):

1) NAT exemption (nat 0 access-list commands)
2) Policy static NAT (static commands with access-list)
3) Static NAT (static commands without port numbers)
4) Static PAT (static commands with port numbers)
5) Policy dynamic NAT (nat nat_id access-list commands)
6) Dynamic NAT and PAT (nat nat_id commands)

If two rules are at the same level, the more specific one wins: compare the access lists and the network segments they cover.
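The selection order above, together with the nat-control, identity NAT, exemption and policy NAT behaviour from step 6, worked as a small Python model. This is added here for illustration; it is not Cisco code and not part of the original lab. It uses the lab's own rules and addresses, assumes the outside interface address 202.202.202.2 as the PAT global, and does not model nat ids or interface pairs.

```python
from ipaddress import ip_address, ip_network

# Rule precedence from the summary above (lower number wins). Toy model, not Cisco code.
ORDER = {"exempt": 0, "static": 1, "policy": 2, "dynamic": 3, "pat": 3, "identity": 3}

# The lab's rules. A "dst" key marks an ACL-based rule that also matches on destination.
LAB_RULES = [
    {"kind": "exempt", "src": "192.168.1.1/32", "dst": "192.168.3.0/24"},          # nat (inside) 0 access-list nonat
    {"kind": "static", "src": "192.168.30.1/32", "global": "202.202.202.8"},      # static (dmz,outside)
    {"kind": "policy", "src": "192.168.10.0/24", "dst": "192.168.30.1/32", "global": "192.168.3.2"},  # NAT1
    {"kind": "dynamic", "src": "192.168.10.0/24", "pool": ["202.202.202.3", "202.202.202.4", "202.202.202.5"]},
    {"kind": "pat", "src": "192.168.20.0/24", "global": "202.202.202.2"},         # global (outside) 2 interface (assumed)
]


class PixNat:
    def __init__(self, rules, nat_control=True):
        self.rules = sorted(rules, key=lambda r: ORDER[r["kind"]])  # first match wins
        self.nat_control = nat_control
        self.xlate = []  # (global, local) pairs, like the `sh xlate` listing

    def translate(self, src, dst):
        """Outbound packet src->dst: return (global address, rule kind), or None if dropped."""
        s, d = ip_address(src), ip_address(dst)
        for r in self.rules:
            if s not in ip_network(r["src"]):
                continue
            if "dst" in r and d not in ip_network(r["dst"]):
                continue  # ACL-based rule: destination must match too
            if r["kind"] == "exempt":
                return src, "exempt"  # nat 0 access-list: no translation, no xlate entry
            if r["kind"] == "dynamic":
                g = self._from_pool(src, r["pool"])
                if g is None:
                    return None  # dynamic pool exhausted
            else:
                g = src if r["kind"] == "identity" else r["global"]  # identity NAT maps to itself
            if (g, src) not in self.xlate:
                self.xlate.append((g, src))
            return g, r["kind"]
        # nat-control: a host with no matching NAT rule cannot pass at all
        return None if self.nat_control else (src, "untranslated")

    def _from_pool(self, src, pool):
        for g, local in self.xlate:  # reuse an existing dynamic xlate for this host
            if local == src and g in pool:
                return g
        used = {g for g, _ in self.xlate}
        return next((g for g in pool if g not in used), None)
```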

FW4# sh conn
0 in use, 2 most used

FW4# sh local-host
Interface dmz: 0 active, 1 maximum active, 0 denied
Interface outside: 0 active, 1 maximum active, 0 denied
Interface inside: 2 active, 2 maximum active, 0 denied
Local host:
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
  Xlate:
    Global 202.202.202.3 Local 192.168.10.1
Local host:
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
  Xlate:
    Global 192.168.1.1 Local 192.168.1.1

FW4# sh xlate
3 in use, 3 most used
Global 202.202.202.8 Local 192.168.30.1
Global 202.202.202.3 Local 192.168.10.1
Global 192.168.1.1 Local 192.168.1.1
