The following are some additional configuration commands for the PIX Security Appliance.
- nat-control – Enables or disables the NAT configuration requirement.
- nat – Shields IP addresses on the inside network from the outside network.
- global – Creates a pool of one or more IP addresses for use in NAT and PAT.
- route – Defines a static or default route for an interface.
Network Address Translation (NAT)
Network Address Translation (NAT) enables internal IP addresses that are behind the PIX Security Appliance to remain unknown to external networks. NAT accomplishes this by translating the internal IP addresses, which are not globally unique, into globally accepted IP addresses before packets are forwarded to the external network. NAT is implemented in the PIX with the nat and global commands.
When an outbound IP packet sent from a device on the inside network reaches a PIX Security Appliance with NAT configured, the source address is extracted and compared to an internal table of existing translations. If the address of the device is not already in the table, it is translated: a new entry is created for that device, and it is assigned an IP address from a pool of global IP addresses. This global pool is configured with the global command. After this translation occurs, the table is updated and the translated IP packet is forwarded. After a user-configurable timeout period (three hours by default) during which no translated packets have been seen for that particular IP address, the entry is removed from the table and the global address is freed for use by another inside device.
In the figure, host 10.0.0.11 starts an outbound connection. The PIX Security Appliance translates the source address to 192.168.0.20. Packets from host 10.0.0.11 are seen on the outside as having a source address of 192.168.0.20. Return packets from the outside server at IP address 192.168.10.11 are addressed to the globally assigned address, 192.168.0.20.
The nat-control Command
The nat-control command allows NAT to be enabled incrementally. With nat-control disabled, only IP addresses that need to be protected require a NAT rule. With nat-control enabled, all packets traversing the PIX Security Appliance require a NAT rule. There are two NAT policies, an inside NAT policy and an outside NAT policy. They are used to perform address translation on each packet that traverses the PIX. If nat-control is configured, the PIX enforces address hiding. Specifically, each inside address must have an inside NAT rule configured before communication is permitted through the PIX. Additionally, if outside NAT is enabled on an interface, each outside address must have an outside NAT rule configured before communication is permitted through the PIX Security Appliance. If no nat-control is configured, only hosts that undergo NAT need a NAT rule configured. If no NAT policy matches the traversing packet, the address is not rewritten and PIX Security Appliance processing continues. No nat-control is the default.
The nat Command
The first step in enabling NAT on a PIX Security Appliance is entering the nat command. The nat command can specify translation for a single host or a range of hosts. The nat command has two major components: a nat_id and an IP address or range of IP addresses. A nat_id is a number from 1 to 2147483647 that specifies the hosts for dynamic address translation. The dynamic addresses are chosen from a global address pool created with the global command. The nat_id number in the nat command must match the nat_id number in the global command if you want to use that specific global pool of IP addresses for the dynamic address translation.
For example, the nat (inside) 1 10.0.0.0 255.255.255.0 command means that all outbound connections from a host within the specified network, 10.0.0.0, can pass through the PIX Security Appliance with address translation. The nat (inside) 1 10.0.0.11 255.255.255.255 command means that only outbound connections originating from the inside host 10.0.0.11 are translated as the packet passes through the PIX. Administrators can use 0.0.0.0 to allow all hosts to be translated; 0.0.0.0 can be abbreviated as 0. As shown in the figure, with the nat (inside) 1 0.0.0.0 0.0.0.0 command all inside hosts making outbound connections are translated. The nat_id identifies the global address pool the PIX will use for the dynamic address translation.
The syntax for the nat command is shown in the figure.
The global Command
In order for a local address to be translated using NAT, a global pool of addresses must be defined. In a PIX Security Appliance configuration, there may be more than one global pool configured. Each outbound network address translation is associated with a nat_id, and each global pool has a corresponding nat_id. The PIX uses the nat_id of the outbound IP packet to identify which global pool to select a translation IP address from, so the nat_id of the outbound packet must match the nat_id of the global pool. The PIX assigns addresses from the designated global pool starting from the low end to the high end of the range specified in the global command. The pool of global IP addresses is configured with the global command.
In the figure, host 10.0.0.11 starts an outbound connection. The nat_id of the outbound packet is 1. In this instance, a global IP address pool of 192.168.0.20-254 is also identified with a nat_id of 1. The PIX assigns an IP address of 192.168.0.20, the lowest available IP address of the range specified in the global command. Packets from host 10.0.0.11 are seen on the outside as having a source address of 192.168.0.20.
The syntax for the global command is shown in the figure. If the nat command is used, the companion command, global, must be configured to define the pool of translated IP addresses. Use the no global command to delete a global entry.
NOTE: The PIX Security Appliance uses the global addresses to assign a virtual IP address to an internal NAT address. After adding, changing, or removing a global statement, use the clear xlate command to make the IP addresses available in the translation table.
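The translation process, the nat-control behaviour and the nat/global pairing described in the sections above, modelled as a small Python example added here (not Cisco's code or the PIX implementation). The PixNat class, the three-address pool and the timestamps are constructed for illustration; the configuration fragment uses the page's commands, with the global range written in full low-high form.

```python
import ipaddress
# Constructed PIX configuration fragment using the commands discussed above.
CONFIG = """
nat-control
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.22
"""
IDLE_TIMEOUT = 3 * 3600  # the page's default xlate timeout: three hours

class PixNat:  # hypothetical model: nat rules, global pools and the xlate table
    def __init__(self, config):
        self.nat_control = False
        self.nat_rules = []  # (nat_id, inside network), in configuration order
        self.pools = {}      # nat_id -> free global addresses, ascending
        self.xlate = {}      # inside address -> (global address, nat_id, last use)
        for line in config.strip().splitlines():
            parts = line.split()
            if parts[0] == "nat-control":
                self.nat_control = True
            elif parts[0] == "nat":  # "0" is the page's shorthand for 0.0.0.0
                ip, mask = ("0.0.0.0" if p == "0" else p for p in parts[3:5])
                self.nat_rules.append((int(parts[2]), ipaddress.ip_network(f"{ip}/{mask}")))
            elif parts[0] == "global":  # range given as low-high
                lo, hi = (int(ipaddress.ip_address(a)) for a in parts[3].split("-"))
                self.pools[int(parts[2])] = [ipaddress.ip_address(a) for a in range(lo, hi + 1)]

    def _expire(self, now):
        # Remove idle entries and return their global addresses to the pool.
        for src, (glob, nat_id, last) in list(self.xlate.items()):
            if now - last >= IDLE_TIMEOUT:
                del self.xlate[src]
                self.pools[nat_id] = sorted(self.pools[nat_id] + [glob])

    def translate(self, src, now):
        # Return the source address seen on the outside, or None if the packet fails.
        src = ipaddress.ip_address(src)
        self._expire(now)
        if src in self.xlate:  # existing translation: refresh the timer and reuse it
            glob, nat_id, _ = self.xlate[src]
            self.xlate[src] = (glob, nat_id, now)
            return str(glob)
        for nat_id, net in self.nat_rules:  # first matching nat rule selects the pool
            if src in net:
                pool = self.pools.get(nat_id, [])
                if not pool:
                    return None  # pool exhausted: the new connection fails
                glob = pool.pop(0)  # lowest available address is assigned first
                self.xlate[src] = (glob, nat_id, now)
                return str(glob)
        return None if self.nat_control else str(src)  # no rule: drop under nat-control, else unchanged
```

Running the model with a fourth inside host shows the pool exhausted until an idle entry times out and its global address is freed, which is the same situation the clear xlate note above addresses after a global statement changes.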
The route Command
Use the route command to enter a static route for an interface. To enter a default route, set ip_address and netmask to 0.0.0.0, or the shortened form of 0. In the figure, a route command with the IP address of 0.0.0.0 identifies the command as the default route. The PIX sends all packets whose destination is not listed in its routing table out the outside interface to the router at IP address 192.168.0.1.
Static routes can be created to access specific networks beyond the locally connected networks. For example, in the figure, the PIX Security Appliance sends all packets destined to the 10.0.1.0 255.255.255.0 network out the inside interface to the router at IP address 10.0.0.102. This static route was created by using the command route inside 10.0.1.0 255.255.255.0 10.0.0.102 1. The router knows how to route the packet to the destination network of 10.0.1.0.
The syntax for the route command is shown in the figure.
All routes entered using the route command are stored in the configuration when it is saved. The IP address of one of the interfaces of the PIX can be used as the gateway address. If this is done, the PIX broadcasts an Address Resolution Protocol (ARP) request for the MAC address of the destination IP address in the packet instead of broadcasting a request for the MAC address of the gateway IP address.
The name Command
The name command is used to configure a list of name-to-IP-address mappings on the PIX Security Appliance. This allows the use of names in the configuration instead of IP addresses. In the figure, the IP addresses of the server and the PC are mapped to the names bastionhost and insidehost. The names bastionhost and insidehost can be used in place of an IP address in any PIX command reference, such as in the command ping insidehost.
The syntax for the name command is shown in the figure.
Allowable characters for the name are a to z, A to Z, 0 to 9, a dash (-), and an underscore (_). The name cannot start with a number. If the name is over 16 characters long, the command fails. The names command must be used to enable the use of the name command. The clear names command clears the list of names from the PIX Security Appliance configuration. The no names command disables the use of the text names, but does not remove them from the configuration. The show names command lists the name command statements in the configuration.