It is not necessary to configure DNS support on the Cisco PIX Firewall. By default, the PIX identifies each outbound DNS request and allows only a single response to that request. The internal host can query several DNS servers for a response, and the PIX allows the outbound queries. However, the PIX allows only the first response to pass through the firewall. All subsequent responses to the original query are dropped.
Flag Description
R RPC
H H.323
T UDP SIP connection
m SIP media connection t SIP transient connection
D DNS
Table 5-5 Connection Flags (Continued)
Foundation Summary 83
Foundation Summary
The Foundation Summary is a consolidation of the information covered in this chapter. It helps you continue to review the information in this chapter to prepare for the Certification Exam.
All interfaces on the Cisco PIX Firewall are assigned security levels. The higher the number, the more secure the interface. Traffic is allowed to pass from an interface with a higher security level to an interface with a lower security level without a specific rule in the security policy. By default, the outside interface (Ethernet 0) is assigned a security level of 0, and the inside interface (Ethernet 1) is assigned a security level of 100. All other inter-faces must be manually assigned a security level using the nameif command. Traffic does not pass through two interfaces if they have the same security level.
The PIX Firewall handles the two transport protocols completely differently. Because TCP is connection-oriented and creates a session, it is relatively simple for the PIX to handle the traffic. TCP also generates a TCP sequence number, and the PIX randomizes that number as it passes through the firewall on its way to the destination. This way, it is very difficult to hijack a TCP session by selecting the next sequence number in the series. Figure 5-8 shows how the PIX Firewall handles a TCP handshake.
84 Chapter 5: Understanding Cisco PIX Firewall Translation and Connections
Figure 5-8 PIX Handling TCP Traffic
UDP is a connectionless protocol, so it is very difficult to determine a connection’s state.
When outbound UDP traffic is generated, the PIX completes the necessary address trans-lation and saves the session object in the state. If the response does not arrive within the timeout period (the default is 2 minutes), the connection is closed. If the response arrives within the timeout, the PIX verifies the connection information. If it matches the session object in the state table, the PIX allows the traffic. Figure 5-9 shows how the PIX typically handles UDP traffic.
Foundation Summary 85
There are two types of address translation:
•
Dynamic address translation is broken into two categories:— Network Address Translation (NAT)—Multiple local hosts translate to a pool of global addresses.
— Port Address Translation (PAT)—Multiple local hosts translate to a single global address.
Figure 5-9 PIX Handling UDP Traffic
•
Static translation—A single local address translates to a single global address. Static rules provide the translation to allow connection from a lower security level to a higher security level, but this connection must be allowed in the security policy. This connection can be allowed using either the conduit or access-list command. Access lists must be part of an access group and must be configured to a specific interface.10.10.10.10 192.168.1.12
Step 1. Source Initiates Connection Source IP: 10.10.10.10 Destination IP: 192.168.1.12
Source Port: 1012 Destination Port: 53
Step 2. PIX Allows Connection xlate Source IP: 192.168.1.10
Destination IP: 192.168.1.12 Source Port: 1012 Destination Port: 53
Step 3. Server Responds Source IP: 192.168.1.12 Destination IP: 192.168.1.10
Source Port: 53 Destination Port: 1012 Step 4. PIX Returns Response
Source IP: 192.168.1.12 Destination IP: 10.10.10.10
Source Port: 53 Destination Port: 1012
86 Chapter 5: Understanding Cisco PIX Firewall Translation and Connections
Multiple connections can take place through a single translation. Translations take place at the network layer, and connections occur at the transport layer. Therefore, connections are a subset of translations. Two specific commands are used to troubleshoot translation:
•
show xlate—This command displays translation slot information. Many options are available to display specific information about the address translations.•
clear xlate—This command clears the translation table. Again, many options allow you to clear specific portions of the translation table.A single command with numerous options is used to troubleshoot connections:
•
show conn—Displays the number of and information about the active connections for the options specified.Q&A 87
Q&A
As mentioned in the Introduction, the questions in this book are written to be more difficult than what you should experience on the exam. The questions are designed to ensure your understanding of the concepts discussed in this chapter and adequately prepare you to complete the exam. You should use the simulated exams on the CD to practice for the exam.
The answers to these questions can be found in Appendix A.
1 When should you run the command clear xlate?
A When updating a conduit on the firewall
B When editing the NAT for the inside segment
C When adding addresses to the global pool
D All of the above
2 What happens if you configure two interfaces with the same security level?
3 True or false: The quickest way to clear the translation table is to reboot the PIX.
4 True or false: If you configure a static translation for your web server, everyone can connect to it.
5 Which of the following is not a method of address translation supported by the PIX?
A Network Address Translation
B Socket Address Translation
C Port Address Translation
D Static
6 True or false: It is easy t o hack into a PIX over UDP 53, because it accepts DNS resolves from anyone.
7 What the does the PIX normally change when allowing a TCP handshake between nodes on different interfaces and performing NAT?
8 What the does the PIX normally change when allowing a TCP handshake between nodes on different interfaces and performing PAT?
88 Chapter 5: Understanding Cisco PIX Firewall Translation and Connections
9 You have configured two additional DMZ interfaces on your PIX Firewall. How do you prevent nodes on DMZ1 from accessing nodes on DMZ2 without adding rules to the security policy?
A Route all traffic for DMZ2 out the outside interface.
B Dynamically NAT all DMZ2 nodes to a multicast address.
C Assign a higher security level to DMZ2.
D All of the above
10 True or false: It is possible to hide an entire Class C network behind a single IP using PAT.
11 True or false: TCP is a much better protocol than UDP, because it does handshakes and randomly generates TCP sequence numbers.
12 Which of the following nat commands is/are correct?
A LabPIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0
B LabPIX(config)# nat (inside) 1 0.0
C LabPIX(config)# nat (inside) 1 0 0
D A and B
E A and C
F All of the above
13 When would you want to configure NAT and PAT for the same inside segment?
14 What is RFC 1918?
15 True or false: By default, an embryonic connection terminates after 2 minutes.
16 What command shows all active TCP connections on the PIX?
17 Why is there an id field in the nat command?
This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-511):
5. User interface
6. Configuring the PIX Firewall 8. Time setting and NTP support 13. DHCP server configuration