Configuring Translation Rules
Address translation is widely used in networked environments to hide internal addressing and to conserve IP address space. Note that it complements, rather than replaces, the access rules we add later; a translation by itself does not decide what traffic is permitted. To configure or view address translation using PDM, click the Translation Rules tab (see Figure 9.48). From this screen, you can manage all configurations related to NAT, including translation rules, exemption rules, and global NAT pools. In our example, there is an existing static NAT rule, which pertains to the Web server host object we added previously. We can tell this is a static translation by the icon in the Type column. The two NAT icons are shown in Figure 9.49.
From the Translation Rules screen, move the scroll bar at the bottom of the screen to the right until you can see the columns to the right of the DNS Rewrite column. Four Options columns should appear, as shown in Figure 9.50.
www.syngress.com
Figure 9.47 The Add Host/Network Group
506 Chapter 9 • PIX Device Manager
These options are available for use with all NAT rules. The DNS Rewrite option allows the PIX firewall to translate the addresses in DNS query responses passing through the firewall as specified in a NAT rule. With this functionality, administrators no longer need to maintain a split DNS configuration; the PIX firewall will translate the responses from the internal DNS servers to external hosts. Only the A record that matches the translated address is rewritten; other records in the response are left alone. The remaining options relate to security and throttling mechanisms. We discuss these options in the following exercise.
Figure 9.48 The Translation Rules Tab
Figure 9.49 NAT Icons
Figure 9.50 NAT Options
You can also add rules to exempt specific entities from address translation. To do so, click the Translation Exemption Rules radio button and add a rule. An exemption is the no-NAT case that uses pool ID 0, mentioned later in this section. This option is sometimes useful in situations with VPNs, where the remote side must see the real internal addresses, or when you do not want a specific server's address to be translated.
So far, we have added static NAT rules for the servers inside our network using the Hosts/Networks tab. Let's continue our example and add a dynamic translation rule for the remaining hosts inside our network. Doing so will provide outbound access for client workstations and other devices on our internal network while preventing unsolicited inbound connections to these devices, because a dynamic translation exists only after an internal host initiates a connection.
First, create a global pool on which the dynamic translation will be based. Click the Manage Pools button to add a new address pool. The Manage Global Address Pools screen appears. Click Add to access the Add Global Pool Item window shown in Figure 9.51.
From this window, you can create an outside or inside pool and define the pool ID. Furthermore, you can specify the type of translation to create, such as a dynamic range, PAT, or interface PAT, by clicking the Range, Port Address Translation (PAT), or Port Address Translation (PAT) using the IP address of the interface radio buttons, respectively. Based on your specific selection, you will also need to fill in the available fields before clicking OK.
Figure 9.51 The Add Global Pool Item Window
For our exercise, we will configure interface PAT using the firewall's external interface. This method conserves IP address space on the external network. Alternatively, we could specify regular PAT and provide an external IP address for the pool. To configure interface PAT, select the outside interface from the Interface pull-down menu and enter an integer such as one (1) in the Pool ID field. Do not use zero (0), because the pool ID of zero is reserved for no-NAT configurations. Click the third radio button, Port Address Translation (PAT) using the IP address of the interface, and click OK. No other information is required because we have specified the external IP address of the PIX as the PAT address. The Manage Global Address Pools screen should appear, as shown in Figure 9.52.
Note that the IP Address(es) column contains the PIX firewall's external IP address. Click OK to return to the Translation Rules tab.
Figure 9.52 Manage Global Address Pools
This configuration allows the firewall's external IP address to be used in a dynamic NAT configuration. Next, from the Rules drop-down menu, select Add to create a new dynamic address translation on the firewall. The Add Address Translation Rule window appears, as shown in Figure 9.53.
Use the Browse button to display a list of available networks and hosts previously specified in the Hosts/Networks tab. Alternatively, you can type in the IP address and subnet mask of the internal network (IP Address: 172.20.0.0, Mask: 255.255.0.0). Because we will be configuring PAT, click the Dynamic radio button and select 1 from the Address Pool drop-down list. This choice corresponds to the global pool ID we added in the previous step.
Click the Advanced button to view the Advanced NAT Options window. From this window, you can manage the options visible from the Translation Rules screen, such as DNS Rewrite. When finished, click the OK button. From the Translation Rules screen, click Apply to PIX to update the firewall and make the changes take effect. Now internal hosts should be able to access external resources.
In SOHO environments where external IP space is limited, using interface PAT is extremely beneficial. For example, assume you have only one static external IP address provided by your ISP. Your only option would be to use interface PAT for both inbound and outbound connections. Let's add a mail server using this premise.
Figure 9.53 The Add Address Translation Rule Window
NOTE
From the Add Address Translation Rule window, it is possible to specify all hosts by entering 0.0.0.0 0.0.0.0 in the IP Address and Mask fields. It is recommended that you specify each network to be translated, however, so that you have a full understanding of which networks are traversing your firewall outbound. This practice is extremely beneficial in large networks.
Assuming that you have already added a host object from the Hosts/Networks tab, now add a static translation rule. To do so, click Add from the Rules drop-down menu again. Click the Browse button and select the mail host object, as shown in Figure 9.54.
Figure 9.54 The Select Host/Network Window
Next, click the Static radio button and select Interface IP from the IP address pull-down list. Normally, this action would be sufficient to create a static NAT configuration similar to that already configured for the Web server. However, we already added an overall interface PAT rule for all internal networks that uses the same external address. Therefore, we must specify explicit ports to translate as well. To do so, click the Redirect Port check box and the TCP radio button. In the Original Port and Translated Port fields, type 25, which is the TCP port for SMTP (mail) services. The Add Address Translation Rule window should appear, as shown in Figure 9.55.
Click OK to add the rule. You might be prompted with a warning message reminding you that the new configuration overlaps with the existing internal network interface NAT rule. Click Proceed to continue.
This configuration creates a static address translation mapping between the firewall's external IP address and the internal mail server IP address 172.20.1.25, but only for TCP port 25. The mail server's other traffic is unaffected and continues to leave through the dynamic interface PAT rule.
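The PDM steps in this section (the global pool and dynamic rule, the translation exemption, and the static port redirection) map directly onto PIX CLI commands. The following is an added example, not configuration from the book, showing the equivalent CLI for the exercise together with the commands used to verify it. The internal network 172.20.0.0/16, pool ID 1, the outside interface and the mail server 172.20.1.25 are the values used in the text; the access-list name nonat and the remote VPN subnet 10.10.0.0/24 in the exemption are assumptions for illustration only.

```cisco
! Global pool 1: PAT using the outside interface address. This is the
! "Port Address Translation (PAT) using the IP address of the interface"
! choice in the Add Global Pool Item window with Pool ID 1.
global (outside) 1 interface

! Dynamic rule: translate the whole internal network through pool 1.
! "nat (inside) 1 0.0.0.0 0.0.0.0" would match every host, but the book
! recommends naming each network explicitly.
nat (inside) 1 172.20.0.0 255.255.0.0

! Translation exemption (the no-NAT case, pool ID 0). Traffic from the
! internal network to the VPN peer subnet keeps its real addresses.
! ASSUMPTION: the ACL name and the 10.10.0.0/24 peer subnet are examples.
access-list nonat permit ip 172.20.0.0 255.255.0.0 10.10.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! Static port redirection for the mail server: TCP/25 arriving on the
! outside interface address is forwarded to 172.20.1.25:25. Only this port
! is redirected; the mail server's other traffic still uses the PAT above.
static (inside,outside) tcp interface 25 172.20.1.25 25 netmask 255.255.255.255

! Verify what the PIX actually holds after applying the configuration.
show global
show nat
show static
show xlate
```

`show static` and `show nat` confirm the rules, and `show xlate` lists the live translations: a PAT entry appears for an internal host only after it opens an outbound connection, while the mail server's port-25 mapping is present permanently. Inbound SMTP will still be dropped until an access rule permits it, which is the next step.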
Next, let's add access rules to allow traffic through the firewall for these new servers.