
Conduits and Outbound/Apply

Name and assign security levels to the two interfaces not already defined on the PIX:

PIX1(config)# nameif ethernet2 dmz security40

PIX1(config)# nameif ethernet3 dbdmz security60

Bring the interfaces online:

PIX1(config)# interface ethernet0 auto

PIX1(config)# interface ethernet1 auto

PIX1(config)# interface ethernet2 auto

PIX1(config)# interface ethernet3 auto

Assign an IP address to each interface:

PIX1(config)# ip address inside 172.16.0.1 255.240.0.0

PIX1(config)# ip address outside 10.1.1.1 255.255.255.0

PIX1(config)# ip address dmz 192.168.10.1 255.255.255.0

PIX1(config)# ip address dbdmz 192.168.20.1 255.255.255.0

Assign a default route to the PIX:

PIX1(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.254

Create access lists to be used later to bypass NAT:

PIX1(config)# access-list nonatinside permit ip 172.16.0.0 255.240.0.0 192.168.10.0 255.255.255.0

PIX1(config)# access-list nonatinside permit ip 172.16.0.0 255.240.0.0 192.168.20.0 255.255.255.0

PIX1(config)# access-list nonatdbdmz permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

Create a global pool using PAT for the inside network:

PIX1(config)# global (outside) 1 10.1.1.2

Global 10.1.1.2 will be Port Address Translated

Bypass NAT where needed:

PIX1(config)# nat (inside) 0 access-list nonatinside

PIX1(config)# nat (dbdmz) 0 access-list nonatdbdmz

www.syngress.com

128 Chapter 3 • Passing Traffic

Enable NAT on the inside interface and have it mapped to the global id:

PIX1(config)# nat (inside) 1 0 0

Create static translations for access from the lower security-level interfaces:

PIX1(config)# static (dmz, outside) 10.1.1.10 192.168.10.10

PIX1(config)# static (dmz, outside) 10.1.1.11 192.168.10.11

PIX1(config)# static (dmz, outside) 10.1.1.12 192.168.10.12

PIX1(config)# static (dbdmz, dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0

Configure names for the public addresses of the DMZ servers:

PIX1(config)# names

PIX1(config)# name 10.1.1.10 dns

PIX1(config)# name 10.1.1.11 mail

PIX1(config)# name 10.1.1.12 web

Configure conduits (the leading deny statements drop inbound packets whose source address is a private, loopback, multicast or otherwise unroutable address, so spoofed traffic is rejected before any permit is evaluated):

PIX1(config)# conduit deny ip any 0.0.0.0 255.0.0.0

PIX1(config)# conduit deny ip any 10.0.0.0 255.0.0.0

PIX1(config)# conduit deny ip any 127.0.0.0 255.0.0.0

PIX1(config)# conduit deny ip any 172.16.0.0 255.240.0.0

PIX1(config)# conduit deny ip any 224.0.0.0 224.0.0.0

PIX1(config)# conduit permit tcp object-group dbhosts eq sqlnet 192.168.10.12

PIX1(config)# conduit deny ip any 192.168.0.0 255.255.0.0

PIX1(config)# conduit permit tcp host web eq http any

PIX1(config)# conduit permit tcp host mail eq smtp any

PIX1(config)# conduit permit tcp host dns eq domain any

PIX1(config)# conduit permit udp host dns eq domain any

PIX1(config)# conduit permit icmp 172.16.0.0 255.255.0.0 object-group dmzhosts

PIX1(config)# conduit permit icmp 172.16.0.0 255.255.0.0 object-group dbhosts

PIX1(config)# conduit permit icmp 10.1.1.0 255.255.255.0 any object-group icmp-outside-in

PIX1(config)# conduit deny icmp any any

PIX1(config)# conduit deny ip any any


Configure outbound statements:

PIX1(config)# outbound 10 deny 0 0 0

PIX1(config)# outbound 10 permit 172.16.0.0 255.240.0.0

PIX1(config)# outbound 10 deny 172.16.0.0 255.240.0.0 pop3

PIX1(config)# outbound 10 deny 172.16.0.0 255.240.0.0 143

PIX1(config)# outbound 20 deny 0 0 0

PIX1(config)# outbound 20 except 192.168.10.0 255.255.255.0 sqlnet

PIX1(config)# outbound 30 deny 0 0 0

PIX1(config)# outbound 30 permit 192.168.10.11 255.255.255.255 smtp

PIX1(config)# outbound 30 permit 192.168.10.10 255.255.255.255 domain

PIX1(config)# outbound 30 permit 192.168.10.0 255.255.255.0 http

Apply the outbound statements to the appropriate interfaces:

PIX1(config)# apply (inside) 10 outgoing_src

PIX1(config)# apply (dbdmz) 20 outgoing_src

PIX1(config)# apply (dmz) 30 outgoing_src
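Before committing a conduit list and a set of outbound lists, it helps to check a handful of representative flows against the intended policy. The following Python evaluator is an added example written for this page; it is not code from the book or from Cisco. It re-states the conduit list and outbound lists 10 and 30 above as data and answers "what would happen to this flow?". Its assumptions are mine: conduits are evaluated first-match in the listed order (the ordering the page's list relies on, since the sqlnet permit precedes the 192.168.0.0/16 deny); outbound lists are evaluated best-match (longest mask wins, and at equal mask an entry that names a port wins, which is the only reading under which "deny 0 0 0" followed by permits makes sense); the object group dbhosts, which the excerpt never defines, is taken to be the dbdmz subnet 192.168.20.0/24; the ICMP conduits and the `except` entry of outbound list 20 are not modelled. The test flows and addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Port numbers behind the service names used on the page
PORTS = {"http": 80, "smtp": 25, "domain": 53, "pop3": 110, "sqlnet": 1521}
# Public DMZ addresses bound with the `name` command on the page
NAMES = {"dns": "10.1.1.10", "mail": "10.1.1.11", "web": "10.1.1.12"}


def net(spec):
    """'10.0.0.0 255.0.0.0', 'any' or a configured name -> ip_network."""
    if spec == "any":
        return ip_network("0.0.0.0/0")
    if spec in NAMES:
        return ip_network(NAMES[spec] + "/32")
    addr, mask = spec.split()
    return ip_network(f"{addr}/{mask}", strict=False)


# conduit <action> <proto> <global_ip mask> [eq port] <foreign_ip mask>
# global side = translated destination, foreign side = source. Page order is
# kept. ICMP lines are left out (their object groups are not in the excerpt)
# and dbhosts is ASSUMED to be the dbdmz subnet 192.168.20.0/24.
CONDUITS = [
    ("deny",   "ip",  "any", None, "0.0.0.0 255.0.0.0"),
    ("deny",   "ip",  "any", None, "10.0.0.0 255.0.0.0"),
    ("deny",   "ip",  "any", None, "127.0.0.0 255.0.0.0"),
    ("deny",   "ip",  "any", None, "172.16.0.0 255.240.0.0"),
    ("deny",   "ip",  "any", None, "224.0.0.0 224.0.0.0"),
    ("permit", "tcp", "192.168.20.0 255.255.255.0", PORTS["sqlnet"],
     "192.168.10.12 255.255.255.255"),
    ("deny",   "ip",  "any", None, "192.168.0.0 255.255.0.0"),
    ("permit", "tcp", "web",  PORTS["http"],   "any"),
    ("permit", "tcp", "mail", PORTS["smtp"],   "any"),
    ("permit", "tcp", "dns",  PORTS["domain"], "any"),
    ("permit", "udp", "dns",  PORTS["domain"], "any"),
    ("deny",   "ip",  "any", None, "any"),
]


def conduit_check(proto, src, dst, dport):
    """First matching conduit decides (assumed first-match, in listed order).

    Returns (action, index of the matching line) so a reviewer sees *which*
    statement handled the flow, not just the verdict.
    """
    s, d = ip_address(src), ip_address(dst)
    for i, (action, rproto, gspec, gport, fspec) in enumerate(CONDUITS):
        if rproto != "ip" and rproto != proto:
            continue
        if gport is not None and gport != dport:
            continue
        if d in net(gspec) and s in net(fspec):
            return action, i
    return "deny", None  # implicit deny if nothing matched


# outbound <list_id> <action> <ip mask> [port]; "0 0 0" means any host, any port.
# List 20 is omitted because its `except` entry is not modelled here.
OUTBOUND = {
    10: [("deny",   "0.0.0.0 0.0.0.0", None),
         ("permit", "172.16.0.0 255.240.0.0", None),
         ("deny",   "172.16.0.0 255.240.0.0", PORTS["pop3"]),
         ("deny",   "172.16.0.0 255.240.0.0", 143)],
    30: [("deny",   "0.0.0.0 0.0.0.0", None),
         ("permit", "192.168.10.11 255.255.255.255", PORTS["smtp"]),
         ("permit", "192.168.10.10 255.255.255.255", PORTS["domain"]),
         ("permit", "192.168.10.0 255.255.255.0", PORTS["http"])],
}


def outbound_check(list_id, src, dport):
    """Best-match lookup (assumed semantics): of the entries that match, the
    longest mask wins, and at equal mask an entry naming a port wins."""
    s = ip_address(src)
    best = None
    for action, spec, port in OUTBOUND[list_id]:
        n = net(spec)
        if s not in n or (port is not None and port != dport):
            continue
        rank = (n.prefixlen, port is not None)
        if best is None or rank > best[0]:
            best = (rank, action)
    # No entry matched; the page's lists always begin with "deny 0 0 0".
    return best[1] if best else "permit"


if __name__ == "__main__":
    flows = [  # constructed flows: (proto, source, destination, dport)
        ("tcp", "198.51.100.7",  "10.1.1.12",    80),    # Internet client -> web
        ("tcp", "10.9.9.9",      "10.1.1.12",    80),    # spoofed private source
        ("tcp", "198.51.100.7",  "10.1.1.12",    443),   # service not published
        ("tcp", "192.168.10.12", "192.168.20.5", 1521),  # web server -> database
        ("tcp", "192.168.10.12", "192.168.20.5", 22),    # web server -> anything else
    ]
    for f in flows:
        print(f, "->", conduit_check(*f))
    for lst, src, port in [(10, "172.16.5.5", 110), (10, "172.16.5.5", 80),
                           (30, "192.168.10.11", 80), (30, "192.168.10.12", 25)]:
        print("outbound", lst, src, port, "->", outbound_check(lst, src, port))
```

Returning the index of the matching conduit is deliberate: when a flow is denied, the index tells you whether it hit the anti-spoofing lines at the top, the 192.168.0.0/16 deny, or the final catch-all, which is exactly the distinction you need when deciding whether a deny is a policy decision or a misordering.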


Summary

Configuring the PIX to pass inbound or outbound traffic requires several steps. Basic connectivity allows users on a higher security-level interface of the PIX to transmit traffic to a lower security-level interface using NAT or PAT. This is accomplished using the nat command together with the global command. The PIX ASA allows higher security-level interfaces to send traffic to lower security-level interfaces. The PIX is stateful. Users on the inside of the PIX can run almost any application without additional configuration.

Controlling outbound traffic is an important part of a complete security policy. This control can be achieved using the access-list command or the outbound command applied to a specific interface. If available, the access-list command should be used instead of the outbound command to filter traffic. The access-group command applies an access list to an interface.

Once outbound access is secure, allowing inbound access is relatively easy. By default, all inbound access (connections from a lower security-level interface to a higher security-level interface) is denied. Access lists or conduits can be used to allow inbound traffic. Conduits are not tied to a particular interface, and the rules defined in a conduit are applied to all inbound traffic. The fundamentals of the access-list command are no different for controlling inbound or outbound traffic. For inbound traffic, configuring a static translation (using the static command) is required for each publicly accessible server in addition to the access-list or conduit.

Solutions Fast Track

Allowing Outbound Traffic

- If address translation is configured, the PIX firewall allows all connections from a higher security-level interface to a lower security-level interface.

- A well-defined security policy usually does not allow all outbound traffic. Define and control what traffic you allow.


- There are two methods for controlling outbound traffic: access lists and outbound/apply statements. Use access lists when possible, as they allow greater flexibility. Use the outbound and apply commands only if you must. These commands are being phased out in newer versions of the PIX firewall software.

Allowing Inbound Traffic

- Access from a lower security-level interface to a higher security-level interface is denied. To allow inbound traffic, configure a static translation and use access lists or conduits to permit the traffic.

- Port redirection is an excellent option for small businesses that do not have enough IP addresses.

- The syntax for access lists is the same whether they are applied to inbound or outbound traffic.

TurboACLs

- TurboACLs can be enabled for all access lists or on a one-by-one basis.

- TurboACLs do not speed up access lists of fewer than 19 lines.

- TurboACLs do use a lot of resources; make sure you have enough available before enabling them.

Object Grouping

- Object groups simplify access list and conduit configuration and management.

- There are four types of object groups: ICMP type, network, protocol, and service.

- Object groups must always be preceded by the object-group keyword in an access list or conduit.


Case Study

- In our case study, the inside interface is the highest security interface. All corporate users will be located behind this interface, as well as private and internal servers.

- The db-dmz interface has the second highest security level and is used to host the database servers that enable the public Web server to build dynamic HTML pages. No private or confidential information is stored on these database servers.

- The dmz interface has the third highest security level. Publicly accessible services, including the Web, mail, and DNS servers, are located behind this interface.

- The outside interface has the lowest security level. The company wants to allow access only to the services on the DMZ interface. The company also wants to make sure that it will not be the victim of a spoofing attack, so it wants to filter out any traffic sourced from a private address.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: Could I use a static command with the netmask option instead of the nat 0 access-list command to configure public IP addresses inside the PIX?

A: Although this configuration will work, it opens up the firewall to vulnerabilities if a conduit or access list is misconfigured. Use nat 0 access-list if you can.

Q: Why do I have to issue a clear xlate after I make changes?

A: The xlate table is maintained by the NAT process of the PIX, so if you make changes to that process, items can become stuck in the table, or items that should no longer be in the table might still remain. This can cause unpredictable results, and it creates a security risk.


Q: Should I move all my servers into a DMZ?

A: DMZs are very useful in reducing security risks for publicly accessible servers. If a server is not needed by the outside world, there is probably no reason to move it into a DMZ. If you do not trust your inside users, that is another story.

Q: Why should I use private IP addresses inside my network if I have enough public address space?

A: Using private address space inside your network has many advantages. The amount of address space provided allows for great flexibility in the network design and allows for expansion. However, private addresses are not for everyone, and many universities and other institutions that have large amounts of IP address space use public addressing in their networks.

Q: How do I know if my access lists are working correctly?

A: The show access-list command displays the current access list configuration on the PIX. If you want to know that the access lists are working, watch the hitcnt counter. Every time traffic matches an entry, the counter will increment.
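The practical way to use the hitcnt counter is to snapshot show access-list output, generate known test traffic, snapshot again, and compare: entries whose counters moved are the ones that actually matched, and entries that never move are candidates for review. The following Python helper is an added example written for this page, not code from the book. The two snapshots are constructed samples in the general shape of PIX show access-list output; the ACL name acl_outside and the counts are invented for the example.

```python
import re

# Constructed sample snapshots (invented ACL name and counts) in the general
# shape of PIX `show access-list` output: one summary line per ACL, then one
# line per entry ending in "(hitcnt=N)".
BEFORE = """\
access-list acl_outside; 4 elements
access-list acl_outside permit tcp any host 10.1.1.12 eq www (hitcnt=1432)
access-list acl_outside permit tcp any host 10.1.1.11 eq smtp (hitcnt=87)
access-list acl_outside permit udp any host 10.1.1.10 eq domain (hitcnt=0)
access-list acl_outside deny ip any any (hitcnt=3)
"""
AFTER = """\
access-list acl_outside; 4 elements
access-list acl_outside permit tcp any host 10.1.1.12 eq www (hitcnt=1440)
access-list acl_outside permit tcp any host 10.1.1.11 eq smtp (hitcnt=87)
access-list acl_outside permit udp any host 10.1.1.10 eq domain (hitcnt=0)
access-list acl_outside deny ip any any (hitcnt=5)
"""

# Entry lines only; the "; N elements" summary line carries no hitcnt and is skipped.
ENTRY = re.compile(r"^access-list (\S+) (.+?) \(hitcnt=(\d+)\)$")


def parse_hitcounts(text):
    """Map 'acl_name entry-text' -> hit count for every entry line in a snapshot."""
    counts = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            counts[f"{m.group(1)} {m.group(2)}"] = int(m.group(3))
    return counts


def zero_hit_entries(text):
    """Entries that have never matched: either unused rules or rules that are
    shadowed by an earlier entry, both worth a second look."""
    return [entry for entry, n in parse_hitcounts(text).items() if n == 0]


def hit_delta(before, after):
    """Entries whose counter increased between two snapshots, with the increase.
    Taken around a controlled test, this shows which entry each test flow hit."""
    b, a = parse_hitcounts(before), parse_hitcounts(after)
    return {entry: a[entry] - b.get(entry, 0)
            for entry in a if a[entry] - b.get(entry, 0) > 0}


if __name__ == "__main__":
    print("never matched:", zero_hit_entries(BEFORE))
    print("matched during test:", hit_delta(BEFORE, AFTER))
```

In the constructed snapshots the DNS entry has never matched and the final deny moved during the test window; the first is a prompt to check whether the rule is shadowed or simply unused, the second a prompt to find out what traffic is being dropped.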