Getting Started with the PIX Security Appliance
Additional PIX Security Appliance configuration commands

The following are some additional configuration commands for the PIX Security Appliance.

  • nat-control – Enable or disable NAT configuration requirement.
  • nat – Shields IP addresses on the inside network from the outside network.
  • global – Creates a pool of one or more IP addresses for use in NAT and PAT.
  • route – Defines a static or default route for an interface.

Network Address Translation (NAT)
Network Address Translation (NAT) enables internal IP addresses that are behind the PIX Security Appliance to remain unknown to external networks. NAT accomplishes this by translating the internal IP addresses, which are not globally unique, into globally accepted IP addresses before packets are forwarded to the external network. NAT is implemented in the PIX with the nat and global commands.

When an outbound IP packet that is sent from a device on the inside network reaches a PIX Security Appliance with NAT configured, the source address is extracted and compared to an internal table of existing translations. If the address of the device is not already in the table, it is then translated. A new entry is created for that device, and it is assigned an IP address from a pool of global IP addresses. This global pool is configured with the global command. After this translation occurs, the table is updated and the translated IP packet is forwarded. After a user configurable timeout period, or the default of three hours, during which there have been no translated packets for that particular IP address, the entry is removed from the table, and the global address is freed for use by another inside device.

In Figure , host 10.0.0.11 starts an outbound connection. The PIX Security Appliance translates the source address to 192.168.0.20. Packets from host 10.0.0.11 are seen on the outside as having a source address of 192.168.0.20. Return packets from the outside server at IP address 192.168.10.11 are addressed to the globally assigned address, 192.168.0.20.

The nat-control Command
The nat-control command allows NAT to be enabled incrementally. With nat-control disabled, only IP addresses that need to be protected require a NAT rule. With nat-control enabled, all packets traversing the PIX Security Appliance require a NAT rule. There are two NAT policies, an inside NAT policy and an outside NAT policy. They are used to perform address translation on each packet that traverses the PIX. If nat-control is configured, the PIX enforces address hiding. Specifically, each inside address must have an inside NAT rule configured before communication is permitted through the PIX.

Additionally, if outside NAT is enabled on an interface, each outside address must have an outside NAT rule configured before communication is permitted through the PIX Security Appliance. If no nat-control is configured, only hosts that undergo NAT need a NAT rule configured. If no NAT policy matches the traversing packet, address rewrite is not performed and PIX Security Appliance processing continues. No nat-control is the default.

The nat Command
The first step in enabling NAT on a PIX Security Appliance is entering the nat command. The nat command can specify translation for a single host or a range of hosts. The nat command has two major components, nat_id and IP address or range of IP addresses. A nat_id is a number from 1 to 2147483647 which specifies the hosts for dynamic address translation. The dynamic addresses are chosen from a global address pool created with the global command. The nat command nat_id number must match the nat_id number in the global command if you want to use that specific global pool of IP addresses for the dynamic address translation.

For example, the nat (inside) 1 10.0.0.0 255.255.255.0 command means that all outbound connections from a host within the specified network, 10.0.0.0, can pass through the PIX Security Appliance with address translation. The nat (inside) 1 10.0.0.11 255.255.255.255 command means that only outbound connections originating from the inside host 10.0.0.11 are translated as the packet passes through the PIX. Administrators can use 0.0.0.0 to allow all hosts to be translated. The 0.0.0.0 can be abbreviated as 0. As shown in the Figure, all inside hosts making outbound connections with the nat (inside) 1 0.0.0.0 0.0.0.0 command are translated. The nat_id identifies the global address pool the PIX will use for the dynamic address translation.

The syntax for the nat command is shown in Figure .

The global Command
In order for a local address to be translated using NAT, a global pool of addresses must be defined. In a PIX Security Appliance configuration, there may be more than one global pool configured. Each outbound network address translation is associated with a nat_id. Each global pool has a corresponding nat_id. The PIX uses the nat_id of the outbound IP packet to identify which global pool of addresses to select a translation IP address from. The nat_id of the outbound packet must match the nat_id of the global pool. The PIX assigns addresses from the designated global pool starting from the low end to the high end of the range specified in the global command. The pool of global IP addresses is configured with the global command.

In Figure , host 10.0.0.11 starts an outbound connection. The nat_id of the outbound packet is 1. In this instance, a global IP address pool of 192.168.0.20-254 is also identified with a nat_id of 1. The PIX assigns an IP address of 192.168.0.20. It is the lowest available IP address of the range specified in the global command. Packets from host 10.0.0.11 are seen on the outside as having a source address of 192.168.0.20.

The syntax for the global command is shown in Figure . If the nat command is used, the companion command, global, must be configured to define the pool of translated IP addresses. Use the no global command to delete a global entry.

NOTE:

The PIX Security Appliance uses the global addresses to assign a virtual IP address to an internal NAT address. After adding, changing, or removing a global statement, use the clear xlate command to make the IP addresses available in the translation table.
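The following is an added model, not PIX code or configuration from this text, of the dynamic translation behaviour described above: a nat rule selects the inside hosts, the matching global pool (same nat_id) supplies the lowest free address, idle entries are freed after the default three-hour timeout, and a host with no nat rule is dropped only when nat-control is enabled. The configuration fragment and the class, method and parameter names are constructed for the example.

```python
import ipaddress

XLATE_TIMEOUT = 3 * 3600  # default idle timeout for a translation: three hours
# Constructed configuration fragment in the nat/global syntax the text describes.
CONFIG = """
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254
"""

class PixNat:
    """Toy model of dynamic NAT: nat rules select hosts, global pools supply addresses."""

    def __init__(self, config, nat_control=False):
        self.nat_control = nat_control
        self.rules = []    # (nat_id, inside network) in configuration order
        self.pools = {}    # nat_id -> sorted list of free global addresses
        self.xlate = {}    # inside address -> (global address, nat_id, last used)
        for line in config.strip().splitlines():
            p = line.split()
            if p[0] == "nat":
                ip, mask = ("0.0.0.0" if x == "0" else x for x in p[3:5])  # "0" abbreviates 0.0.0.0
                self.rules.append((int(p[2]), ipaddress.ip_network(f"{ip}/{mask}", strict=False)))
            elif p[0] == "global":
                lo, hi = (int(ipaddress.ip_address(a)) for a in p[3].split("-"))
                self.pools[int(p[2])] = [ipaddress.ip_address(a) for a in range(lo, hi + 1)]

    def expire(self, now):
        """Free global addresses whose translation has been idle for the timeout."""
        for src, (glob, nat_id, seen) in list(self.xlate.items()):
            if now - seen >= XLATE_TIMEOUT:
                del self.xlate[src]
                self.pools[nat_id].append(glob)
                self.pools[nat_id].sort()

    def translate(self, src, now=0):
        """Source address an outbound packet leaves with, or None if the PIX drops it."""
        self.expire(now)
        src = ipaddress.ip_address(src)
        if src in self.xlate:                       # existing entry: refresh its timer and reuse it
            self.xlate[src] = self.xlate[src][:2] + (now,)
            return str(self.xlate[src][0])
        nat_id = next((i for i, net in self.rules if src in net), None)
        if nat_id is None:                          # no nat rule: drop under nat-control, else pass as-is
            return None if self.nat_control else str(src)
        if not self.pools.get(nat_id):              # no global pool with this nat_id, or pool exhausted
            return None
        glob = self.pools[nat_id].pop(0)            # lowest free address in the matching pool
        self.xlate[src] = (glob, nat_id, now)
        return str(glob)
```

Timestamps are plain seconds passed by the caller, so the timeout behaviour can be exercised without waiting.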

The route Command
Use the route command to enter a static route for an interface. To enter a default route, set ip_address and netmask to 0.0.0.0, or the shortened form of 0. In Figure , a route command with the IP address of 0.0.0.0 identifies the command as the default route. The PIX transmits all destination packets not listed in its routing table out the outside interface to the router at IP address 192.168.0.1.

Static routes can be created to access specific networks beyond the locally connected networks. For example, in Figure , the PIX Security Appliance sends all packets destined to the 10.0.1.0 255.255.255.0 network out the inside interface to the router at IP address 10.0.0.102. This static route was created by using the command route inside 10.0.1.0 255.255.255.0 10.0.0.102 1. The router knows how to route the packet to the destination network of 10.0.1.0.

The syntax for the route command is shown in Figure .

All routes entered using the route command are stored in the configuration when it is saved. The IP address of one of the interfaces of the PIX can be used as the gateway address. If this is done, the PIX broadcasts an Address Resolution Protocol (ARP) request for the MAC address of the destination IP address in the packet instead of broadcasting a request for the MAC address of the gateway IP address.

The name Command
The name command is used to configure a list of name-to-IP address mappings on the PIX Security Appliance. This allows the use of names in the configuration instead of IP addresses. In Figure , the IP addresses of the server and PC are mapped to the names, bastionhost, and insidehost. The names bastionhost and insidehost can be used in place of an IP address in any PIX command reference, such as in the command ping insidehost.

The syntax for the name command is shown in Figure .

Allowable characters for the name are a to z, A to Z, 0 to 9, a dash (-), and an underscore (_). The name cannot start with a number. If the name is over 16 characters long, the command fails. The names command must be used to enable the use of the name command. The clear names command clears the list of names from the PIX Security Appliance configuration. The no names command disables the use of the text names, but does not remove them from the configuration. The show names command lists the name command statements in the configuration.


Lab Activity

e-Lab Activity: Basic PIX Security Appliance Commands

In this activity students will practice some of the basic commands that are used to configure the PIX Security Appliance. These commands name the PIX interfaces, assign the security level of the interfaces, assign an IP address to the interfaces, set the duplex and speed settings for interfaces, and enable operation of the interfaces.