
Only Two Ways through the PIX Firewall


Presentation Transcript


  1. Only Two Ways through the PIX Firewall
  • For a packet to traverse the PIX Firewall, it must pass two policies: NAT and access control. The following are the only two ways to pass these policies and gain access through the PIX Firewall:
  • Valid user request—Outbound communications.
  • Pre-defined static and conduit—Inbound communications.
  • ACLs are preferred over conduits; conduit support was dropped in 6.3.

  2. ACL Usage Guidelines
  • Higher to lower security level:
    • Use an ACL to restrict outbound traffic.
    • The ACL source address is the actual (un-translated) address of the host or network.
    • Applied inbound at the higher-level interface.
  • Lower to higher security level:
    • Use an ACL to restrict inbound traffic.
    • The ACL destination address is the translated global IP address.
    • Requires a statically mapped address for the internal destination address.
    • Applied inbound at the lower-level interface.

  3. access-list Command
  pixfirewall(config)# access-list acl_ID deny | permit protocol source_addr source_mask [operator port [port]] destination_addr destination_mask [operator port [port]]
  • Enables you to create an ACL.
  pixfirewall(config)# access-list DMZ1 deny tcp 192.168.1.0 255.255.255.0 host 192.168.0.1 lt 1024
  • Denies access from the 192.168.1.0 network to TCP ports less than 1024 on host 192.168.0.1.

  4. access-group Command
  pixfirewall(config)# access-group acl_ID in interface interface_name
  • Binds an ACL to an interface.
  pixfirewall(config)# access-group DMZ1 in interface dmz
  • Binds ACL DMZ1 to interface dmz.

  5. Static Inside Translations
  pixfirewall(config)# static (inside,outside) 192.168.0.18 10.0.0.10
  • A packet from 10.0.0.10 leaves with a source address of 192.168.0.18.
  • Permanently maps a single IP address.
  • Remember “inside outside, outside inside”: the interface pair is written (inside,outside), but the addresses that follow are the outside (mapped) address first, then the inside (real) address.

  6. static Command
  pixfirewall(config)# static [(prenat_interface, postnat_interface)] mapped_address | interface real_address [netmask mask]
  pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.11 netmask 255.255.255.255
  • A packet sent from 10.0.0.11 has a source address of 192.168.0.10 after translation.
  • Permanently maps a single IP address.
  • Recommended for internal service hosts.

  7. Three Interfaces with NAT
  pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
  pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
  pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
  pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
  • Inside users can start outbound connections to both the DMZ and the Internet.
  • The nat (dmz) command gives DMZ services access to the Internet.
  • The global (dmz) command gives inside users access to the web server on the DMZ.

  8. Permit Web Access to the DMZ
  pixfirewall(config)# write terminal
  ...
  nameif ethernet0 outside sec0
  nameif ethernet1 inside sec100
  nameif ethernet2 dmz sec50
  ip address outside 192.168.0.2 255.255.255.0
  ip address inside 10.0.0.1 255.255.255.0
  ip address dmz 172.16.0.1 255.255.255.0
  static (dmz,outside) 192.168.0.11 172.16.0.2
  access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
  access-list acl_in_dmz deny ip any any
  access-group acl_in_dmz in interface outside
  ...
  • The ACL acl_in_dmz permits web traffic on port 80 from the Internet to the DMZ web server.
  • The ACL acl_in_dmz denies all other IP traffic from the Internet.

  9. Configuring Three Interfaces
  pixfirewall(config)# nameif ethernet0 outside sec0
  pixfirewall(config)# nameif ethernet1 inside sec100
  pixfirewall(config)# nameif ethernet2 dmz sec50
  pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
  pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
  pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
  pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
  pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
  pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
  pixfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
  pixfirewall(config)# access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
  pixfirewall(config)# access-list acl_in_dmz deny ip any any
  pixfirewall(config)# access-group acl_in_dmz in interface outside
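The slides state the rule in prose: an inbound packet must pass both the access-control policy (the ACL bound to the lower-security interface, matched against the translated global address) and the NAT policy (a static that maps that global address to a real host), and an ACL with no matching entry denies. The following added example, written for this transcript and not Cisco's or the presentation's code, models exactly that with a toy parser for the access-list, access-group and static lines used on slides 3, 4, 8 and 9. The sample configuration is constructed from those slides; the interface-pair form (dmz,outside) without a space, the small port-name table and the fixed ordering of the two checks are assumptions of this model, not PIX behaviour the page documents.

```python
"""Toy evaluator for the two PIX policies (added example, not Cisco's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the static and ACL lines from slides 8/9 plus the DMZ1 ACL from slides 3/4.
SAMPLE_CONFIG = """
static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_in_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_in_dmz deny ip any any
access-group acl_in_dmz in interface outside
access-list DMZ1 deny tcp 192.168.1.0 255.255.255.0 host 192.168.0.1 lt 1024
access-group DMZ1 in interface dmz
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}  # assumed subset
OPS = ("eq", "lt", "gt", "neq", "range")


@dataclass
class Ace:
    """One access-list entry: action, protocol, source/destination networks and port clauses."""
    action: str
    protocol: str
    src: ipaddress.IPv4Network
    src_op: Optional[str]
    src_ports: Tuple[int, ...]
    dst: ipaddress.IPv4Network
    dst_op: Optional[str]
    dst_ports: Tuple[int, ...]


def parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_port_op(tokens, i):
    """Parse an optional 'eq|lt|gt|neq|range port [port]' clause; return (op, ports, next index)."""
    if i < len(tokens) and tokens[i] in OPS:
        n = 2 if tokens[i] == "range" else 1
        ports = tuple(int(PORT_NAMES.get(p, p)) for p in tokens[i + 1:i + 1 + n])
        return tokens[i], ports, i + 1 + n
    return None, (), i


def parse_config(text):
    """Return (acls, statics, groups): acl name -> [Ace], real ip -> mapped ip, interface -> acl name."""
    acls, statics, groups = {}, {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            src, i = parse_addr(t, 4)
            src_op, src_ports, i = parse_port_op(t, i)
            dst, i = parse_addr(t, i)
            dst_op, dst_ports, i = parse_port_op(t, i)
            acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, src_op, src_ports, dst, dst_op, dst_ports))
        elif t[0] == "static":
            # static (real_if,mapped_if) mapped_address real_address: the mapped address comes first
            statics[t[3]] = t[2]
        elif t[0] == "access-group":
            # access-group ACL in interface IFACE
            groups[t[4]] = t[1]
    return acls, statics, groups


def port_matches(op, ports, port):
    """Apply a port operator; no operator means any port."""
    if op is None:
        return True
    if op == "eq":
        return port == ports[0]
    if op == "lt":
        return port < ports[0]
    if op == "gt":
        return port > ports[0]
    if op == "neq":
        return port != ports[0]
    return ports[0] <= port <= ports[1]  # range


def match_acl(acl, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation; an ACL with no matching entry denies (implicit deny)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.protocol not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if not port_matches(ace.dst_op, ace.dst_ports, dst_port):
            continue
        return ace.action
    return "deny"


def evaluate(cfg, iface, proto, src_ip, dst_ip, dst_port, from_lower_security):
    """Apply both policies to a packet entering iface; return (verdict, destination after translation)."""
    acls, statics, groups = cfg
    if match_acl(acls.get(groups.get(iface), []), proto, src_ip, dst_ip, dst_port) != "permit":
        return "deny (acl)", None
    if not from_lower_security:
        return "permit", dst_ip  # higher-to-lower: ACL matched the real source; no static needed
    # lower-to-higher: the ACL matched the global address, which must also be statically mapped
    mapped_to_real = {mapped: real for real, mapped in statics.items()}
    if dst_ip not in mapped_to_real:
        return "deny (no static translation)", None
    return "permit", mapped_to_real[dst_ip]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(evaluate(cfg, "outside", "tcp", "203.0.113.7", "192.168.0.11", 80, True))
    print(evaluate(cfg, "outside", "tcp", "203.0.113.7", "192.168.0.11", 22, True))
    print(evaluate(cfg, "dmz", "tcp", "192.168.1.5", "192.168.0.1", 80, False))
```

The three sample packets show the point of slide 2: the web request to the global address 192.168.0.11 is permitted and handed to the real host 172.16.0.2, the same request to port 22 falls through to the deny ip any any entry, and the DMZ1 entry blocks the outbound packet on its real (un-translated) source address. A permit entry for a global address that has no static still fails the second policy, which is why both policies, not just the ACL, must be satisfied.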
