PIX Security Appliance Translations and Connections
Network address translation (NAT)

NAT is critical to mitigate global Internet address depletion. Very often, private networks are assigned numbers from network blocks defined in RFC 1918. Because these addresses are intended for local use only, NAT is required to connect to the Internet.

In Figure , the private network is using private IP addressing, 10.0.0.0/24. Before a packet can be sent to the Internet, it must be translated into a public, routable address. In this example, the PIX Security Appliance translates IP address 10.0.0.11 into routable IP address 192.168.6.1.

Access Through the Security Appliance
When configuring multiple interfaces, remember that the security level designates whether an interface is inside or outside relative to another interface. An interface is considered inside in relation to another interface if its security level is higher than the security level of the other interface, and is considered outside in relation to another interface if its security level is lower than the security level of the other interface.

The primary rule for security levels is that an interface with a higher security level can access an interface with a lower security level. The nat and global commands work together to enable the network to use any IP addressing scheme and to remain hidden from the external network.

An interface with a lower security level cannot access an interface with a higher security level unless it is specifically allowed by static and access-list command pairs.

Inside Address Translation
The PIX Security Appliance supports the following two main types of address translations:

  • Dynamic translation – Translates host addresses on more secure interfaces to a range or pool of IP addresses on a less secure interface. This allows internal users to share registered IP addresses and hides internal addresses from view on the public Internet.
  • Static translation – Provides a permanent, one-to-one mapping between an IP address on a more secure interface and an IP address on a less secure interface. This allows an inside host to access a less secure host, a server on the Internet, for instance, without exposing the actual IP address. Examples of static translation are static NAT and identity NAT.

Dynamic Inside NAT
Dynamic inside translations are used for local hosts and their outbound connections. With dynamic translations, the hosts that are eligible for translation must be defined with the nat command, and the address pool must be defined with the global command. The pool for address allocation is chosen on the outgoing interface based on the nat_id selected with the nat command.

In the Figure , all hosts on the inside network are eligible for translation. The global pool of addresses assigned by the global command is 192.168.0.20 through 192.168.0.254, enabling up to 235 individual IP addresses.

Two Interfaces with NAT
In Figure , the first nat command statement permits all hosts on the 10.0.0.0 network to start outbound connections using the IP addresses from a global pool. The second nat command statement permits all hosts on the 10.2.0.0 network to do the same. The nat_id in the first nat command statement tells the PIX Security Appliance to translate the 10.0.0.0 addresses to those in the global pool containing the same nat_id. Likewise, the nat_id in the second nat command statement tells the PIX to translate addresses for hosts on network 10.2.0.0 to the addresses in the global pool containing nat_id 2.

Three Interfaces with NAT
In Figure , the first nat command statement enables hosts on the inside interface, which has a security level of 100, to start connections to hosts on interfaces with lower security levels. In this case, that includes hosts on the outside interface and hosts on the demilitarized zone (DMZ). The second nat command statement enables hosts on the DMZ, which has a security level of 50, to start connections to hosts on interfaces with lower security levels. In this case, that includes only the outside interface.

Because both global pools and the nat (inside) command statement use a nat_id of 1, addresses for hosts on the 10.0.0.0 network can be translated to those in either global pool. Therefore, when users on the inside interface access hosts on the DMZ, their source addresses will be translated to addresses in the 172.16.0.20-172.16.0.254 range from the global (dmz) command statement. When they access hosts on the outside, their source addresses will be translated to addresses in the 192.168.0.20-192.168.0.254 range from the global (outside) command statement.

When users on the DMZ access hosts on the outside, their source addresses will always be translated to addresses in the 192.168.0.20-192.168.0.254 range from the global (outside) command statement.
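The three-interface scenario above, written out as a PIX 6.x configuration. This is an added example, not configuration from the course page: the interface names, the interface addresses (192.168.0.2, 10.0.0.1, 172.16.0.1), the DMZ subnet 172.16.0.0/24 and the perimeter router address 192.168.0.1 are assumptions; the security levels, nat_id and global pools are the ones the text describes.

```cisco
! Added example (not from the course page). Interface addresses, the DMZ
! subnet and the router address are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
!
! Hosts eligible for dynamic translation. inside (level 100) may start
! connections toward dmz and outside; dmz (level 50) only toward outside.
! Both statements use nat_id 1.
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
!
! Address pools. The pool is chosen on the interface the connection exits,
! matched by nat_id: inside->dmz draws from global (dmz) 1,
! inside->outside and dmz->outside draw from global (outside) 1.
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
!
! Default route toward the perimeter router (assumed 192.168.0.1).
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
```

After an inside host opens one connection to a DMZ host and one to an Internet host, show xlate lists two translations for that host, one from each pool, which is the quickest way to confirm that the nat_id matching behaves as the text describes. On PIX 6.x, run clear xlate after changing nat or global statements so that existing translations are rebuilt under the new rules.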


Lab Activity

e-Lab Activity: Configure Internet Access on a PIX Security Appliance

The administrator wants to set up basic Internet connectivity for the internal network. The administrator does not want internal addresses exposed. However, the administrator wants to grant access to the internal Web server from outside hosts. In this activity, the student will create a default route to the perimeter router.
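A PIX 6.x configuration for the lab scenario, which also illustrates the static and access-list pair from "Access Through the Security Appliance" and the dynamic and static translation types from "Inside Address Translation". This is an added example, not the e-Lab's solution or configuration from the course page: the interface addresses, the Web server's inside address 10.0.0.10 and public address 192.168.0.10, the access-list name acl_out and the perimeter router address 192.168.0.1 are assumptions.

```cisco
! Added example (not from the course page). Addresses, the server's
! public address and the access-list name are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
!
! Dynamic inside NAT: every inside host (0.0.0.0 0.0.0.0 = any) is
! eligible. Outbound connections borrow an address from the nat_id 1 pool
! on the outside interface, so internal addresses never appear on the
! Internet.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
!
! Static translation: the internal Web server 10.0.0.10 is permanently
! reachable as 192.168.0.10. The static alone does not admit outside
! traffic; the lower-security interface still needs an explicit
! access-list, and on PIX 6.x that list matches the translated
! (global) address.
static (inside,outside) 192.168.0.10 10.0.0.10 netmask 255.255.255.255
access-list acl_out permit tcp any host 192.168.0.10 eq www
access-group acl_out in interface outside
!
! Default route toward the perimeter router (assumed 192.168.0.1).
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
```

With this in place, show xlate shows a dynamic entry for each inside host that has browsed out and a permanent entry for the Web server, and show access-list shows the hit count on acl_out climbing as outside clients connect to port 80. If an inside host had to keep its real address instead of being hidden, identity NAT (nat 0) would be the alternative to the static shown here, at the cost of exposing that address.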