Checking Translation
The PIX firewall performs address translation. In order for internal networks to
communicate with external networks, and vice versa, addresses must be translated.
Translation is not optional. Recall from Chapter 3 that translation is the act
of mapping one IP address to another, which can be configured as one to one
(NAT) or many to one (PAT).
NOTE
To pass traffic through the PIX firewall, you must translate it, even if this
means you will translate IP addresses to themselves.
We discussed translation at some length in Chapter 3. In this chapter, we
quickly review some key concepts using Figure 10.19, which shows all the
possible translation scenarios that you can have on your PIX firewall.
Figure 10.19 shows a PIX firewall, PIX1, connected to three networks: inside,
DMZ, and outside. The addresses on the inside network are serviced using PAT.
The DMZ has two hosts on it: one that is not translated (in reality, it is just translated
to itself) and one that is statically translated. All other addresses on the
DMZ are dynamically translated using a range of IP addresses associated with the
outside network.
www.syngress.com
Troubleshooting and Performance Monitoring • Chapter 10 581
In the PIX world, translation is necessary to provide connectivity. When
translation does not work, you need to know where to start and finish your
troubleshooting. Cisco provides several commands that you can use to validate
various aspects of translation. We start with a review of the various translation
configuration commands and how to use them effectively. Let's review the
configuration in Figure 10.19.
First, look at which private addresses are being translated to which public
addresses. This information will determine whether the translation parameters have been
configured correctly. Two commands used to perform this task are show nat and
show global:
PIX1# show nat
nat (dmz) 0 192.168.1.10 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 99 0.0.0.0 0.0.0.0 0 0
PIX1# show global
global (outside) 99 192.168.99.4-192.168.99.254 netmask 255.255.255.0
global (outside) 1 192.168.99.3 netmask 255.255.255.0
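The cross-check described above (every nat ID must have a matching global pool, and a single-address pool means PAT while a range means NAT) is easy to automate when you have many interfaces. The following Python script is an added example and is not code from the book or from Cisco; it parses show nat and show global text modelled on the listings above. The sample output is constructed: the nat 98 line is a deliberate typo (the real configuration uses 99) so that the check has a mismatch to report.

```python
import re
from dataclasses import dataclass

# Constructed sample output modelled on the show nat / show global listings.
# "nat (dmz) 98" is a deliberate, constructed typo for nat ID 99.
SHOW_NAT = """\
nat (dmz) 0 192.168.1.10 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 98 0.0.0.0 0.0.0.0 0 0
"""

SHOW_GLOBAL = """\
global (outside) 99 192.168.99.4-192.168.99.254 netmask 255.255.255.0
global (outside) 1 192.168.99.3 netmask 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+) netmask (\S+)")


@dataclass
class NatRule:
    interface: str   # interface the real (private) addresses live on
    nat_id: int      # 0 means identity translation (no address change)
    local: str
    mask: str


@dataclass
class GlobalPool:
    interface: str   # interface the global (public) addresses belong to
    nat_id: int
    addresses: str
    netmask: str

    @property
    def kind(self) -> str:
        # A range of addresses is a NAT pool; a single address is PAT.
        return "NAT" if "-" in self.addresses else "PAT"


def parse_nat(text):
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append(NatRule(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return rules


def parse_global(text):
    pools = []
    for line in text.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if m:
            pools.append(GlobalPool(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return pools


def check_translation(nat_text, global_text):
    """Return one finding per nat rule, then one per global pool nobody references.

    A nat ID other than 0 with no global pool of the same ID is an ERROR:
    traffic matching that rule has nowhere to be translated to.
    """
    rules = parse_nat(nat_text)
    pools = {p.nat_id: p for p in parse_global(global_text)}
    findings = []
    for rule in rules:
        if rule.nat_id == 0:
            findings.append(f"{rule.interface} {rule.local}: identity (nat 0), not translated")
        elif rule.nat_id in pools:
            pool = pools[rule.nat_id]
            findings.append(
                f"{rule.interface} nat {rule.nat_id}: {pool.kind} to {pool.addresses} on {pool.interface}"
            )
        else:
            findings.append(f"{rule.interface} nat {rule.nat_id}: ERROR no matching global pool")
    used = {r.nat_id for r in rules}
    for nat_id, pool in sorted(pools.items()):
        if nat_id not in used:
            findings.append(f"global {nat_id} on {pool.interface}: WARNING unused pool")
    return findings


def translation_errors(nat_text, global_text):
    """Only the findings that indicate a configuration mistake."""
    return [f for f in check_translation(nat_text, global_text) if "ERROR" in f or "WARNING" in f]


if __name__ == "__main__":
    for finding in check_translation(SHOW_NAT, SHOW_GLOBAL):
        print(finding)
```

Run against the constructed sample, the script reports the nat 98 rule as having no pool and the global 99 pool as unused, which is exactly the typo case the text calls the most common error. An unused pool is only a warning because a global with no nat is harmless by itself.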
Figure 10.19 Translation in Action
! Configure PAT to translate inside addresses to 192.168.99.3.
global (outside) 1 192.168.99.3 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
! Configure NAT to translate DMZ addresses to 192.168.99.4-254.
global (outside) 99 192.168.99.4-192.168.99.254 netmask 255.255.255.0
nat (dmz) 99 0.0.0.0 0.0.0.0 0 0
! Do not translate DMZ address 192.168.1.10.
nat (dmz) 0 192.168.1.10 255.255.255.255 0 0
! Statically translate 192.168.1.2 always to 192.168.99.2.
static (dmz,outside) 192.168.99.2 192.168.1.2 netmask 255.255.255.255 0 0
[Diagram: PIX1 connected to the INSIDE, DMZ, and OUTSIDE networks; labels shown: 192.168.2.0/24, 192.168.2.1/30, 192.168.1.0/24, 192.168.1.1/24, 192.168.99.1/24, Internet, 192.168.11.11, 192.168.1.2 (Static translation), 192.168.1.10 (Not translated)]
Our NAT configuration specifies a nontranslation for the DMZ server at
address 192.168.1.10 (as indicated by the nat 0 command). The nat 99
specifies that all other addresses in the DMZ should be translated. The global
command defines two pools of addresses to be used for translation purposes. The
numerical ID is referenced by the nat command to perform the actual translation.
The global 99 command is used for NAT, whereas global 1 with its single IP
address is used for PAT. In actual practice, you would know at this point if you had
configured the translation parameters correctly. Both of these commands provide
enough data for you to make this determination. Once you have corrected any
errors (the most common being typos or incorrect IP addresses), you can then
check to see if connections are being made and translated. The next step is to
determine if connections have been made by using the show conn detail command:
PIX1# show conn detail
1 in use, 1 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, D - DNS, d - dump,
E - outside back connection, f - inside FIN, F - outside FIN,
G - group, H - H.323, I - inbound data, M - SMTP data,
O - outbound data, P - inside back connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, U - up
TCP outside:192.168.11.11/24 dmz:192.168.99.2/80 flags UIO
The workstation has established a connection to our HTTP server on the
DMZ network (as indicated by its destination port, 80). Notice that the workstation
established the connection to the public address of this server rather than
to its internal DMZ address (192.168.1.2), which it cannot reach. Now we have a
valid connection attempt, but has the translation taken place as it should? To
determine that, we must use the next command in our toolbox, show xlate detail:
PIX1# show xlate detail
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
o - outside, r - portmap, s - static
TCP NAT from DMZ:192.168.1.2/80 to outside:192.168.99.2/80 flags ri
This command displays a current listing of active translation slots. The output
of this command confirms that our host's attempt to access the Web server at
192.168.99.2 has resulted in the correct translation to 192.168.99.2. Such
verification is particularly important if you are providing services that must be
accessible by outside users.
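The two listings above answer separate questions (did a connection arrive, and was it translated), and the check the text walks through by eye is joining them: the conn entry shows the public address the workstation connected to, and the xlate entry maps that public address back to the real DMZ address. The following Python script is an added example, not code from the book or from Cisco. It joins show conn detail lines with show xlate detail lines on the global address and port, and expands the connection flags using the legend printed above. The sample lines are constructed; the second connection (to 192.168.99.9/22) has no matching translation slot on purpose, so the report shows what a missing or mis-typed static looks like.

```python
import re

# Constructed sample output modelled on the show conn detail and show xlate
# detail listings. The 192.168.99.9/22 connection is constructed with no
# matching xlate so the check has something to report.
SHOW_CONN = """\
TCP outside:192.168.11.11/24 dmz:192.168.99.2/80 flags UIO
TCP outside:192.168.11.11/1055 dmz:192.168.99.9/22 flags UIO
"""

SHOW_XLATE = """\
TCP NAT from DMZ:192.168.1.2/80 to outside:192.168.99.2/80 flags ri
"""

CONN_RE = re.compile(
    r"^(?P<proto>\w+) (?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) flags (?P<flags>\S+)$"
)
XLATE_RE = re.compile(
    r"^(?P<proto>\w+) (?P<kind>NAT|PAT) from "
    r"(?P<if_real>\w+):(?P<ip_real>[\d.]+)/(?P<port_real>\d+) to "
    r"(?P<if_global>\w+):(?P<ip_global>[\d.]+)/(?P<port_global>\d+) flags (?P<flags>\S+)$"
)

# Subset of the flag legend printed by show conn detail.
CONN_FLAG_NAMES = {
    "U": "up",
    "I": "inbound data",
    "O": "outbound data",
    "B": "initial SYN from outside",
    "E": "outside back connection",
    "P": "inside back connection",
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
}


def decode_conn_flags(flags):
    """Expand a flags string such as 'UIO' into the legend's descriptions."""
    return [CONN_FLAG_NAMES.get(ch, f"unknown ({ch})") for ch in flags]


def parse_xlates(text):
    slots = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            slots.append(m.groupdict())
    return slots


def match_translations(conn_text, xlate_text):
    """For each connection, find the xlate slot that owns its translated endpoint.

    The conn entry shows the server endpoint with its global (public) address,
    while the xlate entry maps that global address back to the real address, so
    the two are joined on global ip/port. The interface label differs between
    the listings (dmz in conn, outside in xlate), so it is not part of the key.
    """
    by_global = {(x["ip_global"], x["port_global"]): x for x in parse_xlates(xlate_text)}
    results = []
    for line in conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        c = m.groupdict()
        x = by_global.get((c["ip_b"], c["port_b"]))
        results.append({
            "client": f"{c['ip_a']}/{c['port_a']}",
            "public": f"{c['ip_b']}/{c['port_b']}",
            "real": f"{x['ip_real']}/{x['port_real']}" if x else None,
            "kind": x["kind"] if x else None,
            "flags": decode_conn_flags(c["flags"]),
        })
    return results


if __name__ == "__main__":
    for r in match_translations(SHOW_CONN, SHOW_XLATE):
        status = f"{r['kind']} -> real {r['real']}" if r["real"] else "NO XLATE SLOT"
        print(f"{r['client']} -> {r['public']}: {status}; flags {', '.join(r['flags'])}")
```

For the first connection the join recovers the real DMZ address 192.168.1.2/80 behind the public 192.168.99.2/80, which is the confirmation the text reads off the xlate output. A connection entry with no translation slot is the case to chase when an outside user reports that a published service is unreachable.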
There is one other command that we can use to gather information about
our translation operations. It is a debug command and, as such, should be used
sparingly to conserve firewall resources. This command can serve two functions:
tracking and translating packet-level activity between hosts (such as the traffic
between our workstation and the Web server), or it can be used if you need to
determine exactly which addresses need to be translated and granted access. The
latter part of this statement needs to be explained more fully. Assuming that we did
not know exactly what the source address of our workstation was going to be, it
would be possible to capture information on its attempts to connect to the DMZ
Web server. The command that can provide us with the copious information we
need is the debug packet command. The syntax of the command is as follows:
debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]]
[[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] |
[proto udp [sport src_port] [dport dest_port]]] [rx | tx | both]
In our case, the command we would actually enter to find out which
addresses are attempting to use our Web server is:
PIX1(config)# debug packet outside src 0.0.0.0 netmask 0.0.0.0 dst 192.168.99.2 netmask 255.255.255.0 rx
This command captures packet data that comes into the outside interface destined
for the Web server's public IP address. Since we do not know exactly which
protocols (TCP, UDP, or ICMP) will be used, we have opted not to specify one.
After we have captured our data, we can then determine which translation
parameters we need to enter.