NAT is critical to mitigate global Internet address depletion. Very often,
private networks are assigned numbers from network blocks defined in RFC 1918.
Because these addresses are intended for local use only, NAT is required to
connect to the Internet.
In the figure, the private network is using private IP addressing,
10.0.0.0/24. Before a packet can be sent to the Internet, it must be
translated into a public, routable address. In this example, the PIX Security
Appliance translates IP address 10.0.0.11 into routable IP address
192.168.6.1.
Access Through the Security Appliance
When configuring multiple interfaces, remember that the security level
designates whether an interface is inside or outside relative to another
interface. An interface is considered inside in relation to another interface
if its security level is higher than the security level of the other
interface, and is considered outside in relation to another interface if its
security level is lower than the security level of the other interface.
The primary rule
for security levels is that an interface with a higher security level can
access an interface with a lower security level. The nat
and global commands work together to enable the network to
use any IP addressing scheme and to remain hidden from the external
network.
An interface with a lower security level cannot access an
interface with a higher security level unless it is specifically allowed by
static and access-list command pairs.
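The following PIX 6.x configuration is an added example, not taken from the page, showing the static and access-list pair that the text says is required before a lower-security interface can reach a higher-security one. The interface IP addresses, the interface names, and the choice of HTTP as the permitted service are assumptions; the translated and real host addresses (192.168.6.1 and 10.0.0.11) are the ones the page uses.

```cisco
! Added example: interfaces and their security levels (addresses assumed)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.6.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
!
! Static translation: a permanent one-to-one mapping so that inside host
! 10.0.0.11 is reachable from the outside as 192.168.6.1. On its own this
! still does not allow outside-initiated connections.
static (inside,outside) 192.168.6.1 10.0.0.11 netmask 255.255.255.255
!
! The access list bound to the outside interface is what actually permits
! the inbound traffic. It names the translated (global) address and is
! limited to the one service the host is meant to offer (HTTP assumed).
access-list OUTSIDE_IN permit tcp any host 192.168.6.1 eq www
access-group OUTSIDE_IN in interface outside
```

Two points worth checking in a configuration like this: on PIX 6.x the access list refers to the translated address (192.168.6.1), not the real inside address, and the static by itself maps every port, so the access list is the only thing narrowing exposure to the intended service. `show xlate` lists the active translations and `show access-list` shows hit counts for the permit entry.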
Inside Address Translation
The PIX Security Appliance supports the following two main types of address
translations:
- Dynamic translation – Translates host addresses on more secure interfaces
to a range or pool of IP addresses on a less secure interface. This allows
internal users to share registered IP addresses and hides internal addresses
from view on the public Internet.
- Static translation – Provides a permanent, one-to-one mapping between an IP
address on a more secure interface and an IP address on a less secure
interface. This allows an inside host to access a less secure host, a server on
the Internet, for instance, without exposing the actual IP address. Examples of
static translation are static NAT and identity NAT.
Dynamic Inside NAT
Dynamic inside translations are used for
local hosts and their outbound connections. With dynamic translations, the
hosts that are eligible for translation must be defined with the
nat command, and the address pool must be defined with the
global command. The pool for address allocation is chosen
on the outgoing interface based on the nat_id selected with
the nat command.
In the figure, all hosts on the inside network are eligible for translation.
The global pool of addresses assigned by the global command is 192.168.0.20
through 192.168.0.254, enabling up to 235 individual IP addresses.
Two Interfaces with NAT
In the figure, the first nat command statement permits all hosts on the
10.0.0.0 network to start outbound connections using the IP addresses from a
global pool. The second nat command statement permits all hosts on the
10.2.0.0 network to do the same. The nat_id in the first nat command statement
tells the PIX Security Appliance to translate the 10.0.0.0 addresses to those
in the global pool containing the same nat_id. Likewise, the nat_id in the
second nat command statement tells the PIX to translate addresses for hosts on
network 10.2.0.0 to the addresses in the global pool containing nat_id 2.
Three Interfaces with NAT
In the figure, the first nat command statement enables hosts on the inside
interface, which has a security level of 100, to start connections to hosts on
interfaces with lower security levels. In this case, that includes hosts on the
outside interface and hosts on the demilitarized zone (DMZ). The second
nat command statement enables hosts on the DMZ, which has a
security level of 50, to start connections to hosts on interfaces with lower
security levels. In this case, that includes only the outside interface.
Because both global pools and the nat (inside) command
statement use a nat_id of 1, addresses for hosts on the
10.0.0.0 network can be translated to those in either global pool. Therefore,
when users on the inside interface access hosts on the DMZ, their source
addresses will be translated to addresses in the 172.16.0.20−172.16.0.254 range
from the global (dmz) command statement. When they access
hosts on the outside, their source addresses will be translated to addresses in
the 192.168.0.20−192.168.0.254 range from the global
(outside) command statement.
When users on the DMZ access
hosts on the outside, their source addresses will always be translated to
addresses in the 192.168.0.20−192.168.0.254 range from the global
(outside) command statement.
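As an added example (not the page's own configuration), the PIX 6.x commands below implement the three-interface dynamic NAT arrangement described in the Dynamic Inside NAT and Three Interfaces with NAT sections: one nat_id shared by both nat statements and both global pools, so that the pool is picked by the interface the packet leaves on. The interface names, security levels, the 10.0.0.0/24 inside network and the two pool ranges come from the page; the DMZ subnet 172.16.0.0/24 is an assumption, since the page gives only the DMZ pool.

```cisco
! Added example: three interfaces with security levels from the text
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
!
! Hosts eligible for translation, both tagged with nat_id 1.
! Inside (100) can reach dmz (50) and outside (0); dmz can reach outside only.
nat (inside) 1 10.0.0.0 255.255.255.0
! DMZ subnet is assumed; real DMZ hosts are assumed to sit below .20 so they
! do not collide with the pool handed out on this interface.
nat (dmz) 1 172.16.0.0 255.255.255.0
!
! Pools carrying the same nat_id. The pool used is the one on the egress
! interface: inside->dmz traffic takes 172.16.0.20-.254, inside->outside and
! dmz->outside traffic takes 192.168.0.20-.254.
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
```

Each pool holds 235 addresses, and a dynamic pool that runs out means new outbound connections fail; on PIX 6.x a second global statement with the same nat_id and a single address acts as a PAT fallback once the pool is exhausted. `show nat` and `show global` confirm the pairing by nat_id, and `show xlate` shows which pool a given inside host was actually assigned from.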