
Configuring DNS Support

It is not necessary to configure DNS support on a Cisco Security Appliance. By default, the Security Appliance identifies each outbound DNS request and allows only a single response to that request. The internal host can query several DNS servers for a response, and the Security Appliance allows all of the outbound queries. However, it allows only the first response to pass through the firewall; all subsequent responses to the original query are dropped.

PIX Version 6.3(2) includes a DNS fixup protocol that enables you to configure a maximum packet length for connections to UDP port 53. The default value is 512 bytes. If you configure the DNS fixup protocol, the Security Appliance drops all connections to UDP port 53 that exceed the configured maximum length. The command for this configuration is

fixup protocol dns [maximum-length <512-65535>]

Table 5-6 Connection Flags (Continued)

Flag  Description
P     Inside back connection
E     Outside back connection
G     Group
a     Awaiting outside ACK to SYN
A     Awaiting inside ACK to SYN
B     Initial SYN from outside
R     RPC
H     H.323
T     UDP SIP connection
m     SIP media connection
t     SIP transient connection
D     DNS

Foundation Summary 131

Foundation Summary

The “Foundation Summary” provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this summary provides a convenient way to review the day before the exam.

All interfaces on a Cisco Security Appliance are assigned security levels. The higher the number, the more secure the interface. Traffic is allowed to pass from an interface with a higher security level to an interface with a lower security level without a specific rule in the security policy. By default, the outside interface (Ethernet 0) is assigned a security level of 0, and the inside interface (Ethernet 1) is assigned a security level of 100. All other interfaces must be manually assigned a security level using the nameif command. Traffic does not pass between two interfaces that have the same security level.

The Security Appliance handles the two transport protocols very differently. TCP is a connection-oriented protocol that creates a session and is relatively simple traffic for the Security Appliance to track. The initial sequence number (ISN) chosen by the source machine is replaced by a randomly generated number as the SYN passes through the Security Appliance on its way to the destination, and the firewall adjusts the sequence and acknowledgment numbers of the rest of that session to match. This makes it much harder to hijack or spoof a TCP session: even if the inside host generates predictable ISNs, an attacker who is not on the path cannot simply pick the next sequence number in the series. Randomization does not protect a session whose packets the attacker can already observe. Figure 5-8 shows how a PIX Firewall would handle a TCP handshake.
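The following model, added here as an illustration and not taken from Cisco or from this book, shows the ISN rewrite described above on a three-way handshake. Packets are plain dictionaries, the addresses and ports are constructed sample data, and only the sequence and acknowledgment numbers are rewritten (a real firewall also fixes up checksums and SACK options, which are omitted here).

```python
"""Model of per-connection TCP ISN randomization. Added illustration, not
Cisco code: packets are dicts, and only seq/ack numbers are rewritten."""
import secrets

MOD = 1 << 32  # TCP sequence numbers are 32-bit


class IsnRandomizer:
    """Per-connection offset: outbound seq += delta, inbound ack -= delta."""

    def __init__(self, rng=None):
        self.rng = rng or secrets.SystemRandom()
        self.conns = {}  # (inside ip, port, outside ip, port) -> delta

    def outbound(self, pkt):
        """Inside -> outside. Returns the rewritten packet, or None if no session."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            # Initial SYN from inside: choose a fresh random ISN and remember the
            # offset from the host's own (possibly predictable) ISN.
            new_isn = self.rng.randrange(MOD)
            self.conns[key] = (new_isn - pkt["seq"]) % MOD
        delta = self.conns.get(key)
        if delta is None:
            return None  # nothing in the state table: dropped
        out = dict(pkt)
        out["seq"] = (pkt["seq"] + delta) % MOD
        return out

    def inbound(self, pkt):
        """Outside -> inside. Only the ACK number refers to the inside host's space."""
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        delta = self.conns.get(key)
        if delta is None:
            return None  # no session for this 4-tuple: dropped
        out = dict(pkt)
        if "A" in pkt["flags"]:
            out["ack"] = (pkt["ack"] - delta) % MOD
        return out


def handshake(fw, inside_isn, outside_isn=0x5A5A5A5A):
    """Three-way handshake through fw (constructed addresses). Returns
    (SYN as seen on the wire, SYN-ACK as delivered inside, ACK on the wire)."""
    a = {"src": "10.1.1.5", "sport": 40000, "dst": "198.51.100.10", "dport": 80}
    syn = fw.outbound({**a, "flags": "S", "seq": inside_isn, "ack": 0})
    # The server only ever saw the randomized ISN, so that is what it acknowledges.
    synack = fw.inbound({"src": a["dst"], "sport": 80, "dst": a["src"], "dport": 40000,
                         "flags": "SA", "seq": outside_isn, "ack": (syn["seq"] + 1) % MOD})
    # The inside host keeps using its own numbering; the firewall shifts it again.
    ack = fw.outbound({**a, "flags": "A", "seq": (inside_isn + 1) % MOD,
                       "ack": (outside_isn + 1) % MOD})
    return syn, synack, ack


if __name__ == "__main__":
    syn, synack, ack = handshake(IsnRandomizer(), inside_isn=1000)  # predictable host ISN
    print("ISN on the wire:", syn["seq"], "| ack delivered inside:", synack["ack"])
```

The inside host never notices the rewrite: the SYN-ACK it receives acknowledges its own ISN plus one, while an outside observer sees only the firewall's random value.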

Because UDP is a connectionless protocol, determining a connection’s state can be very difficult. When outbound UDP traffic is generated, the Security Appliance completes the necessary address translation and saves the session object in the state table. If no response arrives within the timeout period (the default is 2 minutes), the connection is closed. If a response arrives within the timeout, the Security Appliance verifies the connection information (addresses and ports) against the session object in the state table and allows the traffic only if it matches. Figure 5-9 shows how a PIX Firewall would typically handle UDP traffic.
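The model below, added as an illustration and not Cisco's code, puts the UDP handling above together with the DNS behaviour from the start of this section: an outbound datagram creates a session, only a matching reply within the idle timeout gets back in, a DNS query may be sent to several servers but only the first answer is delivered, and DNS messages longer than the configured maximum-length are dropped. The inside host, its static translation, the server addresses and the DNS messages are constructed sample data; the DNS transaction ID is read from the first two bytes of the message as in a real DNS header.

```python
"""Model of stateful UDP handling with DNS Guard and the
'fixup protocol dns maximum-length' check. Added illustration, not Cisco
code; all addresses and payloads below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

UDP_TIMEOUT = 120.0   # default UDP idle timeout: 2 minutes, per the text
DNS_MAX_LEN = 512     # default 'fixup protocol dns maximum-length'
DNS_PORT = 53


@dataclass
class UdpConn:
    last_seen: float
    dns_key: Optional[tuple] = None   # (inside ip, sport, txid) for DNS queries


class UdpFirewall:
    """Outbound UDP creates a session; only a matching, timely reply gets back in."""

    def __init__(self, static_xlate, timeout=UDP_TIMEOUT, dns_max_len=DNS_MAX_LEN):
        self.static_xlate = static_xlate   # inside ip -> global ip (static translation)
        self.timeout = timeout
        self.dns_max_len = dns_max_len
        self.conns = {}         # (global src, sport, dst, dport) -> UdpConn
        self.dns_queries = {}   # dns_key -> [conn keys], one per server asked

    def _remove(self, key):
        conn = self.conns.pop(key, None)
        if conn is not None and conn.dns_key in self.dns_queries:
            rest = [k for k in self.dns_queries[conn.dns_key] if k != key]
            if rest:
                self.dns_queries[conn.dns_key] = rest
            else:
                del self.dns_queries[conn.dns_key]

    def _expire(self, now):
        for key in [k for k, c in self.conns.items() if now - c.last_seen > self.timeout]:
            self._remove(key)

    def outbound(self, pkt, now):
        self._expire(now)
        is_dns = pkt["dport"] == DNS_PORT
        if is_dns and len(pkt["payload"]) > self.dns_max_len:
            return "drop: dns message exceeds maximum-length"
        gsrc = self.static_xlate[pkt["src"]]
        key = (gsrc, pkt["sport"], pkt["dst"], pkt["dport"])
        self._remove(key)   # a repeated datagram replaces the older session entry
        dns_key = None
        if is_dns:
            txid = int.from_bytes(pkt["payload"][:2], "big")   # DNS header ID
            dns_key = (pkt["src"], pkt["sport"], txid)
            self.dns_queries.setdefault(dns_key, []).append(key)
        self.conns[key] = UdpConn(now, dns_key)
        return "pass"

    def inbound(self, pkt, now):
        self._expire(now)
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        conn = self.conns.get(key)
        if conn is None:
            return "drop: no matching session"
        if conn.dns_key is not None:
            if len(pkt["payload"]) > self.dns_max_len:
                return "drop: dns message exceeds maximum-length"
            # DNS Guard: deliver the first answer, then tear down every session
            # opened for this query (to any server) so later answers are dropped.
            for k in list(self.dns_queries.get(conn.dns_key, [])):
                self._remove(k)
            return "pass"
        conn.last_seen = now   # idle timer restarts on matching traffic
        return "pass"


def demo():
    """Walk through the cases from the text; returns one verdict per datagram."""
    fw = UdpFirewall({"10.1.1.5": "192.0.2.5"})
    inside = {"src": "10.1.1.5", "sport": 5353}
    query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
    answer = b"\x12\x34\x81\x80" + b"\x00" * 8   # constructed reply carrying the same ID

    def reply(server, port, payload):
        return {"src": server, "sport": port, "dst": "192.0.2.5", "dport": 5353, "payload": payload}

    log = [fw.outbound({**inside, "dst": "198.51.100.1", "dport": 53, "payload": query}, 0.0),
           fw.outbound({**inside, "dst": "198.51.100.2", "dport": 53, "payload": query}, 0.5),
           fw.inbound(reply("198.51.100.2", 53, answer), 1.0),    # first answer: passes
           fw.inbound(reply("198.51.100.1", 53, answer), 1.2),    # second answer: dropped
           fw.outbound({**inside, "dst": "198.51.100.1", "dport": 53, "payload": b"\x00" * 600}, 2.0),
           fw.outbound({**inside, "dst": "203.0.113.9", "dport": 123, "payload": b"\x1b" + b"\x00" * 47}, 10.0),
           fw.inbound(reply("203.0.113.9", 123, b"\x1c" + b"\x00" * 47), 60.0),    # within 2 minutes
           fw.inbound(reply("203.0.113.9", 123, b"\x1c" + b"\x00" * 47), 181.0)]   # idle > 2 minutes
    return log


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two details worth noting: the timeout is an idle timer, so the NTP reply at 60 seconds keeps the session alive and the one at 181 seconds is dropped; and DNS Guard is keyed on the client port and transaction ID, so a resolver that queries two servers gets exactly one answer back regardless of which server wins.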

Figure 5-8 PIX Firewall Handling TCP Traffic

There are two types of address translation:

Dynamic address translation—Is broken into two categories:

— Network Address Translation (NAT)—Multiple local hosts translate to a pool of global addresses.

— Port Address Translation (PAT)—Multiple local hosts translate to a single global address.


Static translation—A single local address translates to a single global address. Static rules provide the translation to allow connection from a lower security level to a higher security level, but this connection must be allowed in the security policy. This connection can be allowed using either the conduit or access-list command. Access lists must be part of an access group and must be configured to a specific interface.

Figure 5-9 PIX Firewall Handling UDP Traffic

Multiple connections can take place through a single translation. Translations take place at the network layer (IP addresses), and connections occur at the transport layer (TCP and UDP ports). Therefore, connections are a subset of translations: every connection depends on a translation slot, and one translation slot can carry many connections. Two specific commands are used to troubleshoot translation:

show xlate—Displays translation slot information. Many options are available to display specific information about the address translations.

clear xlate—Clears the translation table. Again, many options enable you to clear specific portions of the translation table.

A single command with numerous options is used to troubleshoot connections:

show conn—Displays the number of and information about the active connections for the options specified.
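The model below, added as an illustration and not Cisco's code, shows the relationship between translation slots and connections that show xlate and show conn report. It assumes a dynamic NAT pool of two global addresses (one xlate per inside host, shared by all of that host's connections) plus a PAT address that is used only once the pool is exhausted, which is the usual reason for configuring NAT and PAT on the same inside segment. Addresses and ports are constructed sample data, and the PAT port allocation is a simple counter rather than the appliance's real scheme.

```python
"""Model of translation slots (xlate) versus connections (conn). Added
illustration, not Cisco code. Assumes a NAT pool with one slot per inside
host and a PAT address used once the pool is exhausted."""


class Translator:
    def __init__(self, nat_pool, pat_address=None, pat_first_port=1024):
        self.pool = list(nat_pool)
        self.free_pool = list(nat_pool)   # global addresses not yet handed out
        self.pat_address = pat_address
        self.next_pat_port = pat_first_port
        self.nat_xlate = {}   # inside ip -> global ip            (one slot per host)
        self.pat_xlate = {}   # (inside ip, port) -> global port  (one slot per host:port)
        self.conns = set()    # (inside ip, port, remote ip, port)

    def translate(self, local_ip, lport, remote_ip, rport):
        """Outbound packet: find or create the xlate, record the conn, and
        return the (global ip, global port) seen on the outside, or None."""
        if local_ip in self.nat_xlate:
            gip, gport = self.nat_xlate[local_ip], lport
        elif self.free_pool:
            gip = self.nat_xlate[local_ip] = self.free_pool.pop(0)
            gport = lport
        elif self.pat_address is not None:
            key = (local_ip, lport)
            if key not in self.pat_xlate:
                self.pat_xlate[key] = self.next_pat_port
                self.next_pat_port += 1
            gip, gport = self.pat_address, self.pat_xlate[key]
        else:
            return None   # no slot available: the connection cannot be built
        self.conns.add((local_ip, lport, remote_ip, rport))
        return gip, gport

    def show_xlate(self):
        """Number of translation slots in use (the count 'show xlate' reports)."""
        return len(self.nat_xlate) + len(self.pat_xlate)

    def show_conn(self):
        """Number of active connections (the count 'show conn' reports)."""
        return len(self.conns)

    def clear_xlate(self):
        """'clear xlate': dropping every slot also drops the connections built on them."""
        self.nat_xlate.clear()
        self.pat_xlate.clear()
        self.conns.clear()
        self.free_pool = list(self.pool)


def demo():
    """Three inside hosts, a two-address pool, and a PAT fallback address."""
    fw = Translator(["192.0.2.10", "192.0.2.11"], pat_address="192.0.2.1")
    flows = [("10.1.1.1", 1025, "203.0.113.5", 80), ("10.1.1.1", 1026, "203.0.113.6", 443),
             ("10.1.1.2", 2000, "203.0.113.5", 80), ("10.1.1.3", 3000, "203.0.113.5", 80),
             ("10.1.1.3", 3001, "203.0.113.7", 53), ("10.1.1.1", 1027, "203.0.113.5", 80)]
    mapped = [fw.translate(*f) for f in flows]
    return mapped, fw.show_xlate(), fw.show_conn()


if __name__ == "__main__":
    mapped, slots, conns = demo()
    for m in mapped:
        print(m)
    print("xlate slots:", slots, "| connections:", conns)
```

Six connections end up on four translation slots: hosts 10.1.1.1 and 10.1.1.2 each take one pool address, and host 10.1.1.3, arriving after the pool is empty, gets one PAT slot per source port behind the shared address. Without the PAT address the third host's connections would fail outright.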


Q&A

As mentioned in the Introduction, the questions in this book are more difficult than what you should experience on the exam. The questions are designed to ensure your understanding of the concepts discussed in this chapter and adequately prepare you to complete the exam. You should use the simulated exams on the CD to practice for the exam.

The answers to these questions can be found in Appendix A:

1. What is the difference between TCP and UDP?

2. What is the default security for traffic originating on the inside network segment going to the outside network?

3. True or false: You can have multiple translations in a single connection.

4. What commands are required to configure NAT on a Cisco Security Appliance?

5. How many nodes can you hide behind a single IP address when configuring PAT?

6. What is an embryonic connection?

7. What is the best type of translation to use to allow connections to web servers from the Internet?

8. How does a Cisco Security Appliance handle outbound DNS requests?

9. True or false: The quickest way to clear the translation table is to reboot the Security Appliance.

10. True or false: If you configure a static translation for your web server, everyone can connect to it.

11. What does a Security Appliance, such as PIX Firewall, normally change when allowing a TCP handshake between nodes on different interfaces and performing NAT?

12. What does the Cisco Security Appliance normally change when allowing a TCP handshake between nodes on different interfaces and performing PAT?

13. True or false: TCP is a much better protocol than UDP because it does handshakes and randomly generates TCP sequence numbers.


14. What are the two commands (syntax) to perform NAT of all internal addresses?

15. When would you want to configure NAT and PAT for the same inside segment?

16. What is RFC 1918?

17. Why is there an id field in the nat command?

This chapter covers the following subjects:

User Interface

Configuring the Cisco Security Appliance

Time Settings and NTP Support

Chapter 6

Getting Started with the Cisco
