防火墙基本配置文档PIX_ASA.pdf

Uploader: asd****56  Document no.: 74065981  Uploaded: 2023-02-24  Format: PDF  Pages: 28  Size: 858.29KB


PIX/ASA: Port Redirection (Forwarding) with nat, global, static and access-list Commands
Document ID: 63872

Introduction
Prerequisites
  Requirements
  Components Used
  Related Products
  Conventions
Network Diagram
Initial Configuration
Allow Outbound Access
  Allow Inside Hosts Access to Outside Networks with NAT
  Allow Inside Hosts Access to Outside Networks with the use of PAT
  Restrict Inside Hosts Access to Outside Networks
Allow Untrusted Hosts Access to Hosts on Your Trusted Network
  Use ACLs on PIX Versions 7.0 and Later
Disable NAT for Specific Hosts/Networks
Port Redirection (Forwarding) with Statics
  Network Diagram
  Port Redirection (Forwarding)
  Partial PIX Configuration Port Redirection
Limit TCP/UDP Session using Static
Time Based Access List
Information to Collect if You Open a Technical Support Case
NetPro Discussion Forums Featured Conversations
Related Information

Introduction
In order to maximize security when you implement Cisco PIX Security Appliance version 7.0, it is important to understand how packets pass between higher security interfaces and lower security interfaces when you use the nat-control, nat, global, static, access-list and access-group commands. This document explains the differences between these commands and how to configure Port Redirection (Forwarding) and the outside Network Address Translation (NAT) features in PIX software version 7.x, with the use of the command line interface or the Adaptive Security Device Manager (ASDM).

Note: Some options in ASDM 5.2 and later can appear different than the options in ASDM 5.1. Refer to the ASDM documentation for more information.

Prerequisites

Requirements
Refer to Allowing HTTPS Access for ASDM in order to allow the device to be configured by the ASDM.

Components Used
The information in this document is based on these software and hardware versions:
- Cisco PIX 500 Series Security Appliance Software version 7.0 and later
- ASDM version 5.x and later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products
You can also use this configuration with Cisco ASA Security Appliance version 7.x and later.

Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Network Diagram
The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which have been used in a lab environment.

Initial Configuration
The interface names are:
interface ethernet 0
  nameif outside
interface ethernet 1
  nameif inside

Note: In order to find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Allow Outbound Access
Outbound access describes connections from a higher security level interface to a lower security level interface. This includes connections from inside to outside, inside to Demilitarized Zones (DMZs), and DMZs to outside. This can also include connections from one DMZ to another, as long as the connection source interface has a higher security level than the destination. Review the security-level configuration on the PIX interfaces in order to confirm this. This example shows the security level and interface name configuration:

pix(config)# interface ethernet 0
pix(config-if)# security-level 0
pix(config-if)# nameif outside
pix(config-if)# exit

PIX 7.0 introduces the nat-control command. You can use the nat-control command in configuration mode in order to specify if NAT is required for outside communications. With NAT control enabled, configuration of NAT rules is required in order to allow outbound traffic, as is the case with previous versions of PIX software. If NAT control is disabled (no nat-control), inside hosts can communicate with outside networks without the configuration of a NAT rule. However, if you have inside hosts that do not have public addresses, you still need to configure NAT for those hosts.

In order to configure NAT control with the use of ASDM, select the Configuration tab from the ASDM Home window and choose NAT from the features menu.

Enable traffic through the firewall without address translation: This option was introduced in PIX version 7.0(1). When this option is checked, no nat-control command is issued in the configuration. This command means that no translation is required for traversing through the firewall. This option is usually checked only when internal hosts have public IP addresses or the network topology does not require internal hosts to be translated to any IP address. If internal hosts have private IP addresses, then this option has to be unchecked so that internal hosts can get translated to a public IP address and access the Internet.

There are two policies that are required in order to allow outbound access with NAT control. The first one is a translation method. This can be a static translation with the use of the static command, or a dynamic translation with the use of a nat/global rule. This is not required if NAT control is disabled and your inside hosts have public addresses.

The other requirement for outbound access (which applies whether NAT control is enabled or disabled) is whether there is an access control list (ACL) present. If an ACL is present, then it must allow the source host access to the destination host with the use of the specific protocol and port. By default, there are no access restrictions on outbound connections through the PIX. This means that if there is no ACL configured for the source interface, then by default, the outbound connection is allowed if there is a translation method configured.

Allow Inside Hosts Access to Outside Networks with NAT
This configuration gives all of the hosts on the subnet 10.1.6.0/24 access to the outside. In order to accomplish this, use the nat and global commands as this procedure demonstrates.
1. Define the inside group you want to include for NAT.
   nat (inside) 1 10.1.6.0 255.255.255.0
2. Specify a pool of addresses on the outside interface to which the hosts defined in the NAT statement are translated.
   global (outside) 1 172.16.1.5-172.16.1.10 netmask 255.255.255.0
3. Use ASDM in order to create your global address pool. Choose Configuration > Features > NAT and uncheck Enable traffic through the firewall without address translation. Then click Add in order to configure the NAT Rule.
4. Click Manage Pools in order to define the NAT pool addresses.
5. Choose Outside > Add, and choose a range to specify a pool of addresses.
6. Enter your address range, enter a Pool ID, and click OK.
7. Choose Configuration > Features > NAT > Translation Rules in order to create the translation rule.
8. Choose Inside as the Source Interface, and enter the addresses you want to NAT.
9. For Translate Address on Interface, select Outside, choose Dynamic, and select the Address Pool you just configured.
10. Click OK.
11. The translation appears in the Translation Rules at Configuration > Features > NAT > Translation Rules.

Now the hosts on the inside can access outside networks. When hosts from the inside initiate a connection to the outside, they are translated to an address from the global pool. The addresses are assigned from the global pool on a first-come, first-translated basis, and start with the lowest address in the pool. For example, if host 10.1.6.25 is the first to initiate a connection to the outside, it receives address 172.16.1.5. The next host out receives 172.16.1.6, and so on. This is not a static translation, and the translation times out after a period of inactivity as defined by the timeout xlate hh:mm:ss command. If there are more inside hosts than there are addresses in the pool, the final address in the pool is used for Port Address Translation (PAT).

Allow Inside Hosts Access to Outside Networks with the use of PAT
If you want inside hosts to share a single public address for translation, use PAT. If the global statement specifies one address, that address is port translated. The PIX allows one port translation per interface and that translation supports up to 65,535 active xlate objects to the single global address. Complete these steps in order to allow inside hosts access to outside networks with the use of PAT.
1. Define the inside group you want to include for PAT (when you use 0 0, you select all inside hosts).
   nat (inside) 1 10.1.6.0 255.255.255.0
2. Specify the global address you want to use for PAT. This can be the interface address.
   global (outside) 1 172.16.1.4 netmask 255.255.255.0
3. In ASDM, choose Configuration > Features > NAT and uncheck Enable traffic through the firewall without address translation.
4. Click Add in order to configure the NAT rule.
5. Choose Manage Pools in order to configure your PAT address.
6. Choose Outside > Add and click Port Address Translation (PAT) in order to configure a single address for PAT.
7. Enter an address, a Pool ID, and click OK.
8. Choose Configuration > Features > NAT > Translation Rules in order to create the translation rule.
9. Select inside as the source interface, and enter the addresses you want to NAT.
10. For Translate Address on Interface, select outside, choose Dynamic, and select the Address Pool you just configured. Click OK.
11. The translation appears in the Translation Rules at Configuration > Features > NAT > Translation Rules.

There are a few things to consider when you use PAT.
- The IP addresses you specify for PAT cannot be in another global address pool.
- PAT does not work with H.323 applications, caching name servers, and Point-to-Point Tunneling Protocol (PPTP). PAT works with Domain Name Service (DNS), FTP and passive FTP, HTTP, mail, remote procedure call (RPC), rshell, Telnet, URL filtering, and outbound traceroute.
- Do not use PAT when you need to run multimedia applications through the firewall. Multimedia applications can conflict with port mappings that PAT provides.
- In PIX software release 4.2(2), the PAT feature does not work with IP data packets that arrive in reverse order. PIX software release 4.2(3) corrects this problem.
- IP addresses in the pool of global addresses specified with the global command require reverse DNS entries in order to ensure that all external network addresses are accessible through the PIX. In order to create reverse DNS mappings, use a DNS Pointer (PTR) record in the address-to-name mapping file for each global address. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests fail consistently.
  For example, if a global IP address is 192.168.1.3 and the domain name for the PIX Security Appliance is , the PTR record is:
  3.1.1.175.in-addr.arpa. IN PTR
  4.1.1.175.in-addr.arpa. IN PTR
  & so on.

Restrict Inside Hosts Access to Outside Networks
If there is a valid translation method defined for the source host, and no ACL defined for the source PIX interface, then the outbound connection is allowed by default. However, in some cases it is necessary to restrict outbound access based on source, destination, protocol, and/or port. In order to accomplish this, configure an ACL with the access-list command and apply it to the connection source PIX interface with the access-group command. You can apply PIX 7.0 ACLs in both inbound and outbound directions. This procedure is an example that allows outbound HTTP access for one subnet, but denies all other hosts HTTP access to the outside, while allowing all other IP traffic for everyone.
1. Define the ACL.
   access-list acl_outbound permit tcp 10.1.6.0 255.255.255.0 any eq www
   access-list acl_outbound deny tcp any any eq www
   access-list acl_outbound permit ip any any
   Note: PIX ACLs differ from ACLs on Cisco IOS routers in that the PIX does not use a wildcard mask like Cisco IOS. It uses a regular subnet mask in the ACL definition. As with Cisco IOS routers, the PIX ACL has an implicit deny all at the end of the ACL.
2. Apply the ACL to the inside interface.
   access-group acl_outbound in interface inside
3. Use ASDM in order to configure the first access-list entry in step 1 to allow HTTP traffic from 10.1.6.0/24. Choose Configuration > Features > Security Policy > Access Rules.
4. Click Add, enter the information as this window shows, and click OK.
5. Once you enter the three access-list entries, choose Configuration > Features > Security Policy > Access Rules in order to display these rules.

Allow Untrusted Hosts Access to Hosts on Your Trusted Network
Most organizations need to allow untrusted hosts access to resources in their trusted network. A common example is an internal web server. By default, the PIX denies connections from outside hosts to inside hosts. In order to allow this connection in NAT control mode, use the static command, with access-list and access-group commands. If NAT control is disabled, only the access-list and access-group commands are required, if no translation is performed.

Apply ACLs to interfaces with an access-group command. This command associates the ACL with the interface to examine traffic that flows in a particular direction.

In contrast to the nat and global commands which allow inside hosts out, the static command creates a two-way translation that allows inside hosts out and outside hosts in if you add the proper ACLs/groups.

In the PAT configuration examples shown in this document, if an outside host tries to connect to the global address, it can be used by thousands of inside hosts. The static command creates a one-to-one mapping. The access-list command defines what type of connection is allowed to an inside host and is always required when a lower security host connects to a higher security host. The access-list command is based on both port and protocol and can be very permissive or very restrictive, based on what the system administrator wants to achieve.

The network diagram in this document illustrates the use of these commands in order to configure the PIX to allow any untrusted hosts to connect to the inside web server, and allow untrusted host 192.168.1.1 access to an FTP service on the same machine.

Use ACLs on PIX Versions 7.0 and Later
Complete these steps for PIX software versions 7.0 and later with the use of ACLs.
1. If NAT control is enabled, define a static address translation for the inside web server to an outside/global address.
   static (inside,outside) 172.16.1.16 10.16.1.16
2. Define which hosts can connect on which ports to your web/FTP server.
   access-list 101 permit tcp any host 172.16.1.16 eq www
   access-list 101 permit tcp host 192.168.1.1 host 172.16.1.16 eq ftp
3. Apply the ACL to the outside interface.
   access-group 101 in interface outside
4. Choose Configuration > Features > NAT and click Add in order to create this static translation with the use of ASDM.
5. Select inside as the source interface, and enter the internal address for which you want to create a static translation.
6. Choose Static and enter the outside address you want to translate to in the IP address field. Click OK.
7. The translation appears in the Translation Rules when you choose Configuration > Features > NAT > Translation Rules.
Use the Restrict Inside Hosts Access to Outside Networks procedure in order to enter the access-list entries.

Note: Be careful when you implement these commands. If you implement the access-list 101 permit ip any any command, any host on the untrusted
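Both ACLs in this document, acl_outbound (Restrict Inside Hosts Access to Outside Networks) and 101 (Use ACLs on PIX Versions 7.0 and Later), depend on three PIX behaviours the text calls out: entries are matched in order, addresses carry a regular subnet mask rather than an IOS wildcard mask, and traffic that matches nothing hits the implicit deny. The following Python is an added example, not code from the Cisco document; parse_acl, evaluate and the PORTS keyword table are names I chose, and the ACL text is the five access-list lines exactly as the page prints them.

```python
# Added example (not from the Cisco document): evaluator for this page's PIX
# access-list lines: first-match order, subnet masks (not wildcards), implicit deny.
import ipaddress
PORTS = {"www": 80, "ftp": 21}  # port keywords the page uses

def _parse_addr(t):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (PIX uses
    a normal subnet mask here, not an IOS wildcard mask)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def _parse_port(t):
    """Consume an optional 'eq <port>'; None means any port."""
    if t and t[0] == "eq":
        return (int(t[1]) if t[1].isdigit() else PORTS[t[1]]), t[2:]
    return None, t

def parse_acl(lines):
    """Return {acl_name: [(action, proto, src, sport, dst, dport), ...]} in order."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACE
        name, action, proto, rest = t[1], t[2], t[3], t[4:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        acls.setdefault(name, []).append((action, proto, src, sport, dst, dport))
    return acls

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; a flow no entry matches hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in acl:
        if (p in ("ip", proto) and s in snet and d in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"  # implicit deny all at the end of every PIX ACL

ACL_TEXT = """access-list acl_outbound permit tcp 10.1.6.0 255.255.255.0 any eq www
access-list acl_outbound deny tcp any any eq www
access-list acl_outbound permit ip any any
access-list 101 permit tcp any host 172.16.1.16 eq www
access-list 101 permit tcp host 192.168.1.1 host 172.16.1.16 eq ftp"""
ACLS = parse_acl(ACL_TEXT.splitlines())  # the five lines the document shows
```

Calling evaluate with a flow such as ("tcp", "10.1.7.5", 40000, "198.51.100.7", 80) against ACLS["acl_outbound"] returns "deny" from the second entry, while the same host to port 22 falls through to the permit ip any any entry.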
