Configuring Dynamic Address Translation
Address translation is essential to passing outbound traffic. Address translation
(through NAT and/or PAT) maps local IP addresses to global IP addresses.
Configuration of NAT/PAT is a two-step process:
1. Identify the local addresses that will be translated (nat command).
2. Define the global addresses to translate to (global command).
Address translation records are called translation slots (or xlates) and are stored in
a table known as the translation table. To view the contents of this table, use the
show xlate command. The xlate timer monitors the translation table and removes
records that have been idle longer than the defined timeout. By default, this
timeout is set to three hours.
The syntax of the nat command is as follows:
nat [(if_name)] id local_address [netmask [outside] [dns]]
[norandomseq] [timeout hh:mm:ss]
[connection_limit [embryonic_limit]]
The if_name parameter is used to apply the nat command to the interface
where the traffic to be translated enters the PIX. This parameter must match the
name assigned to the interface with the nameif command. If no name is specified,
the inside interface is assumed.
The id parameter is an integer between 0 and 2,000,000,000 that links
the local IP addresses (local_address) identified by the nat command to the global
IP addresses defined by the global command. The id 0 is special in that it specifies
addresses that are not to be translated: the local address will be the global address.
The netmask parameter is used with local_address to specify subnets or multiple
IP addresses. The outside keyword specifies external addresses to be translated. The
dns keyword translates IP addresses in DNS responses using active entries in the
translation table. By default, when performing address translation, the PIX firewall
randomizes the TCP sequence numbers. The norandomseq keyword tells the PIX not to
randomize the sequence numbers. This is useful when you will be performing
address translation twice (for example, when you have two PIX firewalls in the
path) and do not need randomization twice. The timeout parameter defines how
long an entry in the translation table is allowed to remain idle.
Passing Traffic • Chapter 3
The connection_limit parameter defines how many concurrent active
connections are allowed, and the embryonic_limit parameter defines how many
concurrent half-open connections are allowed. Half-open connections are
TCP connections that have not completed the three-way handshake. Both of these
parameters default to 0, allowing unlimited connections. Excessive half-open
connections can be the result of a DoS attack (a SYN flood). Tuning embryonic_limit can reduce
the impact of these attacks.
The global command defines the pool of addresses to be used for translation.
These are typically public addresses. The syntax for the global command is as
follows:
global [(if_name)] id {global_ip[-global_ip] [netmask netmask] | interface}
The if_name parameter defines the interface on which traffic will exit after
being translated. If it is not specified, the outside interface is assumed. The id
parameter links the global statement to one or more nat statements. The global_ip parameter
defines the IP addresses that local addresses are translated to. If a single IP address is specified,
port address translation (PAT) is performed. If a range is specified, network
address translation (NAT) is used until no more global addresses are available.
Once all global addresses have been exhausted, PAT is performed. The netmask
keyword is combined with global_ip to derive the range of IP addresses. The
interface keyword allows local addresses to be translated to an existing interface
address, and is an alternative to global_ip.
Let's look at the fictitious Secure Corporation, a company that has decided to
network three buildings in London and provide Internet access to its employees.
This company does not own any IP addresses of its own. One of the company's
requirements is to use private address space, because it does not want to readdress
the entire network if it has to change ISPs. By utilizing a private IP address
scheme, the company can change public IP addresses whenever circumstances
require. All it will have to do is associate the new IP address range with the private
IP addresses. Figure 3.1 shows the network layout. (Note: Even though it is a private
address range, the 10.0.0.0/8 network is being used to represent the public
IP address space in this chapter. Keep this in mind as you read the rest of the
chapter.)
www.syngress.com
In Figure 3.1, you can see that each of the three buildings has been assigned
a 24-bit network from the private address range defined in RFC 1918. These
ranges are 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24, respectively. Each
ISP-assigned 24-bit subnet (10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24) has been
mapped to a private address range. This configuration allows each node to have a
unique public IP address dynamically mapped from a pool associated with the
originating building. The configuration in this example is fairly straightforward.
Traffic to be translated must be identified using the nat command and then
mapped to a pool of public IP addresses defined by the global command. The
commands to configure this are as follows:
PIX1(config)# nat (inside) 1 192.168.1.0 255.255.255.0
PIX1(config)# global 1 10.1.1.1-10.1.1.254 netmask 255.255.255.0
PIX1(config)# nat (inside) 2 192.168.2.0 255.255.255.0
PIX1(config)# global 2 10.1.2.1-10.1.2.254 netmask 255.255.255.0
PIX1(config)# nat (inside) 3 192.168.3.0 255.255.255.0
PIX1(config)# global 3 10.1.3.1-10.1.3.254 netmask 255.255.255.0
PIX1(config)# exit
PIX1# clear xlate
NOTE
The clear xlate command clears the entries in the translation table. This
command should be executed after any translation
configuration changes are made; otherwise, there is a danger of
stale entries remaining in the translation table.
Figure 3.1 A Network Address Translation Example
[Diagram: three buildings on the inside (192.168.1.0, 192.168.2.0, 192.168.3.0) behind the PIX, mapped on the outside to 10.1.1.0, 10.1.2.0, and 10.1.3.0 respectively, with the outside interface facing the Internet]
To make sure that everything was entered correctly, use the show nat and show
global commands:
PIX1# show nat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 2 192.168.2.0 255.255.255.0 0 0
nat (inside) 3 192.168.3.0 255.255.255.0 0 0
PIX1# show global
global (outside) 1 10.1.1.1-10.1.1.254 netmask 255.255.255.0
global (outside) 2 10.1.2.1-10.1.2.254 netmask 255.255.255.0
global (outside) 3 10.1.3.1-10.1.3.254 netmask 255.255.255.0
The ISP provided enough public addresses that Secure Corp. was able to
create a one-to-one mapping between local and global addresses. What would
happen if the ISP did not allocate enough public address space? Let's assume that
the ISP provided a single 24-bit public address range (10.1.1.0/24). Instead of
using multiple address pools, the company could use one global pool for all
buildings and use PAT. PAT, as explained in Chapter 1, enables many-to-one
address translation. The following configuration initially performs NAT, then PAT
once there are no available addresses:
PIX1(config)# nat (inside) 1 192.168.1.0 255.255.255.0
PIX1(config)# nat (inside) 1 192.168.2.0 255.255.255.0
PIX1(config)# nat (inside) 1 192.168.3.0 255.255.255.0
PIX1(config)# global (outside) 1 10.1.1.1-10.1.1.254 netmask 255.255.255.0
PIX1(config)# exit
PIX1# clear xlate
NOTE
PAT works with DNS, FTP, HTTP, mail, RPC, rsh, Telnet, URL filtering, and
outbound traceroute. PAT does not work with H.323, caching name
servers, and PPTP.
To enable NAT on multiple interfaces, use separate global commands on each
interface. Use the same id on all the global commands. This allows a single set of
nat commands on the source interface to translate private (local) IP addresses to
one of many different global address ranges, selected by the interface the packet exits. The following
commands configure the PIX to NAT the 192.168.1.0/24 network to either a
10.1.1.0/24 address or PAT to the DMZ interface IP address, depending on the
interface the packet will exit:
PIX1(config)# nat (inside) 1 192.168.1.0 255.255.255.0
PIX1(config)# global (outside) 1 10.1.1.1-10.1.1.254 netmask 255.255.255.0
PIX1(config)# global (dmz) 1 interface
PIX1(config)# exit
PIX1# clear xlate
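To make the behaviour described in this section concrete (the two-step nat/global configuration, one-to-one NAT until the pool is exhausted followed by PAT, a separate global pool per egress interface sharing one nat id, nat id 0 meaning no translation, and the xlate timer removing idle slots after the three-hour default), here is a small Python model of a translation table. This is an added illustration, not PIX software or code from the book; the class and function names, the assumption that PAT uses the last address of an exhausted range and hands out ports sequentially from 1024, and the DMZ interface address 10.1.4.1 are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

XLATE_TIMEOUT = 3 * 60 * 60   # PIX default xlate idle timeout: three hours (in seconds)
NO_TRANSLATION_ID = 0         # nat id 0 means "do not translate this address"


@dataclass
class Xlate:
    """One translation slot: a local address mapped to a global address."""
    local: str
    global_ip: str
    port: Optional[int]       # None for a one-to-one NAT slot, a port number for PAT
    last_used: float


class GlobalPool:
    """One 'global (if_name) id ...' statement."""

    def __init__(self, addresses, pat_ip):
        self.addresses = addresses   # one-to-one candidates (empty for 'interface')
        self.pat_ip = pat_ip         # address used for PAT once the pool is exhausted
        self.next_port = 1024        # assumption: PAT ports are handed out sequentially


class TranslationTable:
    def __init__(self):
        self.nat_rules = []   # (ingress_if, nat_id, IPv4Network) in configuration order
        self.pools = {}       # (egress_if, nat_id) -> GlobalPool
        self.xlates = {}      # (local_ip, egress_if) -> Xlate

    # ---- configuration: nat / global / clear xlate ----
    def nat(self, if_name, nat_id, local_address, netmask):
        net = ipaddress.ip_network(f"{local_address}/{netmask}", strict=False)
        self.nat_rules.append((if_name, nat_id, net))

    def global_range(self, if_name, nat_id, first, last):
        lo = int(ipaddress.ip_address(first))
        hi = int(ipaddress.ip_address(last))
        addrs = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        # Assumption: once the range is exhausted, PAT uses its last address.
        self.pools[(if_name, nat_id)] = GlobalPool(addrs, addrs[-1])

    def global_interface(self, if_name, nat_id, interface_ip):
        # 'global (if_name) id interface': PAT to the interface's own address only
        self.pools[(if_name, nat_id)] = GlobalPool([], interface_ip)

    def clear_xlate(self):
        self.xlates.clear()

    # ---- forwarding path ----
    def _nat_id_for(self, ingress_if, local_ip):
        ip = ipaddress.ip_address(local_ip)
        for if_name, nat_id, net in self.nat_rules:
            if if_name == ingress_if and ip in net:
                return nat_id
        raise LookupError(f"no nat statement covers {local_ip} on {ingress_if}")

    def _active(self, slot, now):
        return now - slot.last_used <= XLATE_TIMEOUT

    def translate(self, local_ip, ingress_if, egress_if, now):
        """Return (global_ip, port) for an outbound packet, allocating a slot if needed."""
        key = (local_ip, egress_if)
        slot = self.xlates.get(key)
        if slot is not None and self._active(slot, now):
            slot.last_used = now            # reuse the existing slot and refresh its timer
            return slot.global_ip, slot.port
        nat_id = self._nat_id_for(ingress_if, local_ip)
        if nat_id == NO_TRANSLATION_ID:
            return local_ip, None           # id 0: the local address is the global address
        pool = self.pools.get((egress_if, nat_id))
        if pool is None:
            raise LookupError(f"no global pool for id {nat_id} on {egress_if}")
        in_use = {x.global_ip for (_, e), x in self.xlates.items()
                  if e == egress_if and x.port is None and self._active(x, now)}
        free = [a for a in pool.addresses if a not in in_use]
        if free:
            slot = Xlate(local_ip, free[0], None, now)                # one-to-one NAT
        else:
            slot = Xlate(local_ip, pool.pat_ip, pool.next_port, now)  # fall back to PAT
            pool.next_port += 1
        self.xlates[key] = slot
        return slot.global_ip, slot.port

    def expire(self, now):
        """The xlate timer: remove slots idle longer than XLATE_TIMEOUT; return how many."""
        stale = [k for k, x in self.xlates.items() if not self._active(x, now)]
        for k in stale:
            del self.xlates[k]
        return len(stale)


def secure_corp_table():
    """The three-building configuration from this section, built in code (constructed)."""
    t = TranslationTable()
    for building in (1, 2, 3):
        t.nat("inside", building, f"192.168.{building}.0", "255.255.255.0")
        t.global_range("outside", building, f"10.1.{building}.1", f"10.1.{building}.254")
    return t
```

Running secure_corp_table().translate("192.168.2.10", "inside", "outside", 0.0) yields ("10.1.2.1", None): the nat statement with id 2 selects the 10.1.2.0/24 pool and the host gets a one-to-one slot. With a two-address pool, the third host on the same interface is returned the last pool address plus a port, which is the NAT-then-PAT fallback the text describes, and calling expire() with a time more than three hours after a slot was last used removes it, which is what the xlate timer does.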
As with most commands on the PIX firewall, use the no keyword with the
nat and global commands to remove them from the configuration.