How does Cisco PIX work???

azev

Would you Cisco experts here explain what the difference is between Network Address Translation and Port Address Translation as used in the Cisco PIX??? I have a PIX 501 3DES, but don't know how to use them. I can get to the internet no problem with the default, but I don't know how to publish or forward services inside my LAN, such as Exchange server, web, FTP; I can't even host an Age of Mythology game. I refer back to my old faithful Linksys router for now.... Help please!! I hate having $500 just sitting inside a box.

Thanks
 

Lord Evermore

Port Address Translation is a function of Network Address Translation. With NAT, a single external address is used and all outbound traffic is translated to that address for the source, so that the internal IPs of the machines are hidden. When the response comes back, the firewall or router translates the destination IP back to the internal computer's IP and sends it on. The firewall or router has to keep track of which ports the traffic is going in and out on, along with which router started a connection to which remote address, otherwise multiple computers couldn't work through it.

PAT allows port forwarding, where the firewall is configured to forward inbound connections to a certain IP on the internal network, based on which port the connection is sent to. This allows a server to be run on the network using only the external NAT IP, and stops any unwanted traffic from getting past the firewall. PAT isn't used unless NAT is already configured.

Why are you using a PIX exactly? A Linksys router works perfectly fine for most uses, unless you're trying to run a business and need high reliability and extra features.

To configure the port forwarding, you'll just have to find the configuration options for it. The manual for the PIX should have a section dedicated to this, and Cisco's technical support is very responsive and helpful, as is their website. I'm not sure whether the PIX has an easy interface for setting things up, or if it uses the normal Cisco text configuration file, which uses a lot of statements like this:

ip nat inside source static tcp 192.168.0.5 80 171.68.1.1 80 extendable

to create port forwarding behind NAT.
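As an added illustration (not part of the original post), here is a small Python model of the connection-tracking table described above: outbound flows get their own external port behind one public address, replies are looked up in that table, a port-forward rule admits inbound connections to a published server, and anything else inbound is dropped. All addresses and ports are constructed sample values.

```python
# Added example (not from the original post): a minimal model of the
# connection-tracking table that makes NAT with PAT work as described above.
# Addresses and ports are constructed sample values.
import itertools

EXTERNAL_IP = "203.0.113.10"   # the single public address everyone is hidden behind

class PatTable:
    def __init__(self, forwards=None):
        # forwards maps an external port to (internal_ip, internal_port): port forwarding
        self.forwards = dict(forwards or {})
        # (int_ip, int_port, remote_ip, remote_port) -> external port chosen for it
        self.outbound = {}
        # (external port, remote_ip, remote_port) -> (int_ip, int_port), for replies
        self.inbound = {}
        self._ports = itertools.count(1024)

    def translate_outbound(self, int_ip, int_port, remote_ip, remote_port):
        """Rewrite the source of an outbound packet and remember the mapping.

        Two inside hosts may pick the same source port, so the external port
        (not the address) is what keeps their connections apart."""
        key = (int_ip, int_port, remote_ip, remote_port)
        if key not in self.outbound:
            ext_port = next(self._ports)
            self.outbound[key] = ext_port
            self.inbound[(ext_port, remote_ip, remote_port)] = (int_ip, int_port)
        return EXTERNAL_IP, self.outbound[key]

    def translate_inbound(self, ext_port, remote_ip, remote_port):
        """Return the internal destination for an inbound packet, or None to drop it."""
        if ext_port in self.forwards:
            return self.forwards[ext_port]          # explicit port forward (PAT rule)
        hit = self.inbound.get((ext_port, remote_ip, remote_port))
        if hit is not None:
            return hit                              # reply to a connection we started
        return None                                 # unsolicited traffic: dropped
```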
 

azev

Well, after getting my CCNA last year, I decided to learn more Cisco stuff and bought the PIX, but since then I landed a job and it has been taking most of my time; I never have the chance to study or play with my PIX. Weekends are booked by the wife :) Well, now that all my projects are almost done, I am tinkering with all my toys... hehehh I have 4 2501s and a 2948G to play with, and maybe getting a few different 2500 series routers for my lab. Btw, for those of you Cisco masters, which CCNP test should I take first??
 

alrox

Take the switching test first, it's the easiest IMO. Then routing/remote access/support.

The PIX OS is nothing like IOS as far as similar commands go.

BTW, a PIX is overpriced junk and there is no need to 'study' one for CCNA/CCNP/CCIE routing/switching tests, none of them cover anything that a PIX is known for.
 

Fatt

It's no longer the "routing" test. It's BSCI, it has simulator questions and you need to really know OSPF, EIGRP, IS-IS and especially BGP. In fact, if you don't know BGP pretty damn well, don't even take the test.
 

Metier

If you only have 1 public address on the PIX you can use port forwarding, but the commands are different than on a router.

static (inside,outside) tcp interface 80 10.1.1.5 80 netmask 255.255.255.255
static (inside,outside) tcp interface 25 10.1.1.6 25 netmask 255.255.255.255

access-list 100 permit tcp any host 209.4.4.4 eq 80
access-list 100 permit tcp any host 209.4.4.4 eq 25
access-group 100 in interface outside

In the above example 209.4.4.4 is your public IP address on the outside interface of the PIX.

The first static command would be for your web server; 10.1.1.5 is the private address of the web server, change this to your private address.

The 2nd static is for a mail server, to allow SMTP through the PIX.

Even after you create a static you still need to permit the traffic, hence the access-list.

metier
 

azev

Thanks a lot Metier, I think that would help a lot. I've been reading a lot of PIX documentation but for some reason some of it just doesn't make sense..... I guess that is how I acknowledge that the Cisco IOS is totally different than any switch or router IOS. Honestly, I have not touched any Cisco stuff since I got my CCNA, except when I had to set up a T1 in my office and that is it. I was just playing with all my Cisco stuff and my god, I forgot most of the commands.... I am going to do a lot of reading to get to where I was :) Btw, what would be good to have to be able to practice all the requirements for the CCNP? As I said in my previous post, I have (4) 2501s, (1) 2948G switch, and a few different router simulation programs. I am saving to get a few more things so I can have a complete lab. How about some recommendations on books?

Thanks a lot guys.
 

Metier

Azev, get the CCNP Preparation Library, which includes 4 books:
Building Cisco Remote Access Networks
Cisco Internetwork Troubleshooting
Building Scalable Cisco Networks
Building Cisco Multilayer Switched Networks

You can get it from ciscopress.com; also I believe Amazon carries it.

Metier
 

azev

Btw Metier, on the forwarding command for PIX do you actually have to write down the parentheses (inside, outside)??
Does it matter which one goes first?? inside or outside? Maybe if you don't mind explaining a bit, or maybe if you know a link to a n00b guide for Cisco PIX.

Thanks again
 

her209

NAT means only the IP is translated.

PAT means both the IP and port are translated.
 

Metier

Yes, you need to type them in just as I typed them in. On the PIX most of the time you translate from a higher security interface to a lower security interface (with 6.2.x IOS you can translate from a lower to a higher security interface). On the PIX the inside interface is security level 100, the outside is security level 0. So in my example
static (inside,outside) tcp interface 80 10.1.1.5 80 netmask 255.255.255.255

we are translating from an inside address, 10.1.1.5, to the outside interface, and it will be translated to the outside interface's IP address. So if the packet is sourced from the inside of the PIX, 10.1.1.5, and it's destined to the outside then it will be translated. Now this is just for this one IP address. If you had other PCs that need to get to the internet then you would set up nat and global statements.

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface


This will translate any packet originating on the inside interface of the PIX to the outside interface's IP address. You need static statements if the connection is going to originate on the lower security interface and needs to access a device on the higher security interface.
Nat statements define the higher security level and global will be the lower security level, and will not allow connections originating on the lower security interface.

So say you have 3 interfaces on the PIX: inside 100, dmz 50, outside 0 (100, 50, 0 are the security levels), and you just needed the inside devices to initiate the connection to devices on the dmz; then you would only need the nat and global statement.
You would use the existing nat (inside) statement so it would look like this:

nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 1 interface

(or whatever IP address you wanted to translate it to)

But if you need devices on the dmz to initiate the connection to devices on the inside then you would set up a static from the inside to the dmz. Assuming your inside network is 10.1.1.0 255.255.255.0:

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

With this static, anybody on the dmz would be able to connect to any device on its private IP address. But remember, going from lower to higher you need to allow the traffic, so you need to create an access-list then assign this access-list to the dmz interface, just like the example for outside to inside. So if I had a 10.1.1.5 on the inside then it would also be known on the dmz as 10.1.1.5.

So the static is
static (higher_security,lower_security) translated_ipaddress private_ipaddress netmask 255.255.255.255

netmask 255.255.255.255 means it's a host translation,
while netmask 255.255.255.0 would be a class C translation.

So if you need to set up a static so connections could be established from the outside to the dmz, then the static would look like this:
static (dmz,outside) translated_ipaddress private_ipaddress netmask 255.255.255.255

OK, if you had other PCs on the dmz that only need to establish connections to the outside then your nat and global would look like this:

nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

Statics have a higher priority than the nat and global statements, so if it matches the static then it will use the static instead of the nat and global.


Hope this helps

Metier
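The post above describes several rules at once: security levels decide the direction, a static beats nat/global, and a lower-security interface can only initiate a connection to a higher one through a static that is also permitted by the inbound access-list. As an added example (my own model, not Cisco's code or anything from the thread), here is a small Python evaluator that applies those rules to the thread's own three-interface layout; all hosts other than 10.1.1.5 and 209.4.4.4 are constructed samples.

```python
# Added example (not from the thread): a toy model of the PIX rules Metier
# describes: security levels, static beating nat/global, and the access-list
# needed before a lower-security interface may reach a higher one.
# Addresses beyond the thread's 10.1.1.5 and 209.4.4.4 are constructed samples.
import ipaddress

LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

# static (high_if, low_if) translated real netmask [port]; port None = whole address
STATICS = [
    ("inside", "outside", "209.4.4.4", "10.1.1.5", "255.255.255.255", 80),
    ("inside", "dmz", "10.1.1.0", "10.1.1.0", "255.255.255.0", None),
]
# nat (high_if) 1 0.0.0.0 0.0.0.0 plus global (low_if) 1 interface, collapsed to one map
NAT_GLOBAL = {("inside", "outside"): "209.4.4.4", ("dmz", "outside"): "209.4.4.4"}
# access-group ... in interface <if>: permitted (destination network, port or None)
ACLS = {"outside": [("209.4.4.4/32", 80)], "dmz": [("10.1.1.0/24", None)]}

def in_net(ip, net, mask):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def evaluate(src_if, src_ip, dst_if, dst_ip, dst_port):
    """Return ('permit', address as seen on dst_if) or ('deny', reason)."""
    if LEVELS[src_if] > LEVELS[dst_if]:
        # high -> low: the source address is translated; a static wins over nat/global
        for hi, lo, xlat, real, mask, _port in STATICS:
            if (hi, lo) == (src_if, dst_if) and in_net(src_ip, real, mask):
                offset = int(ipaddress.ip_address(src_ip)) - int(ipaddress.ip_address(real))
                return "permit", str(ipaddress.ip_address(xlat) + offset)
        if (src_if, dst_if) in NAT_GLOBAL:
            return "permit", NAT_GLOBAL[(src_if, dst_if)]
        return "deny", "no translation"
    # low -> high: the destination must be a static, and the inbound ACL must permit it
    for hi, lo, xlat, real, mask, port in STATICS:
        if (hi, lo) == (dst_if, src_if) and in_net(dst_ip, xlat, mask) \
                and port in (None, dst_port):
            break
    else:
        return "deny", "no static"
    for net, aport in ACLS.get(src_if, []):
        if in_net(dst_ip, *net.split("/")) and aport in (None, dst_port):
            # map the translated address back to the real one behind the static
            offset = int(ipaddress.ip_address(dst_ip)) - int(ipaddress.ip_address(xlat))
            return "permit", str(ipaddress.ip_address(real) + offset)
    return "deny", "no access-list"
```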

 

MetroRider

A bit of a side question here, but here goes....

How good is the Cisco PIX 501 as compared to a Linux-box based firewall such as Red Hat using ipchains? Is either one stronger or more configurable than the other? Advantages to having a PIX over setting up my own Linux box to do this? And vice versa.

TIA, as I appreciate the feedback :)