Configure PAT

[Figure: PAT topology. Perimeter router (192.168.0.1) on the outside, PIX Firewall, bastion host, Engineering network 10.1.0.0, Information systems network.]

pixfirewall(config)# ip address (inside) 10.0.0.1 255.255.255.0

pixfirewall(config)# ip address (outside) 192.168.0.2 255.255.255.0

pixfirewall(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1

pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0


©2000, Cisco Systems.


Assign a single IP address (192.168.0.9) to the global pool

IP address must be registered with InterNIC

Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.9 for outgoing access

Source port changed to a unique number greater than 1024

CSPFA 1.01-2-21


The PIX Firewall PAT feature expands an address pool:

■ One outside IP address is used for approximately 4,000 inside hosts (the practical limit is 4,000, and the theoretical limit is greater than 64,000)

■ Maps TCP port numbers to a single IP address

■ Hides the inside source address by using a single IP address from the PIX Firewall

■ A PAT address is a virtual address, different from the outside address

Note: Do not use PAT when running multimedia applications through the PIX Firewall. Multimedia applications need access to specific ports and can conflict with the port mappings provided by PAT.

In the example of PAT in the preceding figure, XYZ Company has only four registered IP addresses. One address each is taken by the perimeter router, the PIX Firewall, and the bastion host.

The example configuration is as follows:

ip address (inside) 10.0.0.1 255.255.255.0

ip address (outside) 192.168.0.2 255.255.255.0

IP addresses are assigned to the internal and external interfaces. A single registered IP address is put into the global pool, and is shared by all outgoing access for network 10.0.0.0:

global (outside) 1 192.168.0.9 netmask 255.255.255.0


CSPFA 1.01-2-22


Another feature to control outbound connections is the ability to control which internal IP addresses are visible on the outside. The nat 0 command lets you disable address translation so that inside IP addresses are visible on the outside without address translation. Use this feature when you have Network Information Center (NIC)-registered IP addresses on your inside network that you want to be accessible on the outside network. Use of nat 0 depends on your security policy. If your policy allows internal clients to have their IP addresses exposed to the Internet, then nat 0 is the process that provides that service.

In the figure above, the address 192.168.1.9 is not translated. When you enter nat (inside) 0 192.168.1.9 255.255.255.255, the PIX Firewall displays the following message: nat 0 192.168.1.9.
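To make the PAT bullets and the nat 0 behaviour above concrete, here is an added model of the translation table (this is illustrative code, not Cisco's implementation): it maps 10.0.0.0/24 sources to the single global address 192.168.0.9 with a unique source port above 1024, reverse-maps returning packets, passes the nat 0 host 192.168.1.9 through untranslated, and fails closed when the port pool is exhausted. The constant names and the PatTable class are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the slide's configuration (not PIX code):
PAT_GLOBAL = "192.168.0.9"                          # global (outside) 1 192.168.0.9
NAT_INSIDE = ipaddress.ip_network("10.0.0.0/24")    # nat (inside) 1 10.0.0.0 255.255.255.0
NAT0_EXEMPT = {ipaddress.ip_address("192.168.1.9")}  # nat (inside) 0 192.168.1.9 255.255.255.255

FIRST_PORT = 1025   # PAT source ports are unique numbers greater than 1024
LAST_PORT = 65535   # the pool is finite; exhaustion drops new flows rather than reusing a slot


@dataclass
class PatTable:
    next_port: int = FIRST_PORT
    out_map: dict = field(default_factory=dict)  # (inside_ip, inside_port) -> global port
    in_map: dict = field(default_factory=dict)   # global port -> (inside_ip, inside_port)

    def outbound(self, src_ip: str, src_port: int):
        """Translate an outgoing flow; returns the (ip, port) the outside sees."""
        ip = ipaddress.ip_address(src_ip)
        if ip in NAT0_EXEMPT:
            return (src_ip, src_port)              # nat 0: visible on the outside as-is
        if ip not in NAT_INSIDE:
            raise ValueError(f"{src_ip} matches no nat statement")
        key = (src_ip, src_port)
        if key not in self.out_map:                # new flow: allocate the next unique port
            if self.next_port > LAST_PORT:
                raise RuntimeError("PAT port pool exhausted")
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return (PAT_GLOBAL, self.out_map[key])     # inside address is hidden behind the global

    def inbound(self, dst_ip: str, dst_port: int):
        """Reverse-map a returning packet; None means no slot exists and it is dropped."""
        if ipaddress.ip_address(dst_ip) in NAT0_EXEMPT:
            return (dst_ip, dst_port)
        if dst_ip == PAT_GLOBAL and dst_port in self.in_map:
            return self.in_map[dst_port]
        return None
```

Unsolicited packets to 192.168.0.9 on a port with no entry in in_map return None, which is why hosts behind PAT are not reachable from the outside unless a mapping already exists.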
