Cisco Security ALL

Upload: kodokngorek

Post on 13-Oct-2015


TRANSCRIPT

  • 7/13/2019 Cisco Security ALL

    1/95

    1999, Cisco Systems, Inc.www.cisco.com

Module 11: Security Basics


    Agenda

    Why Security?

    Security Technology

    Identity

    Integrity

    Active Audit


    All Networks Need Security

- No matter the company size, security is important
- An Internet connection is to business in the late 1990s what telephones were to business in the late 1940s
- Even small company sites are cracked


    Why Security?

Three primary reasons:

- Policy vulnerabilities
- Configuration vulnerabilities
- Technology vulnerabilities

And people eager to take advantage of the vulnerabilities


Security Threats

(Figure: four examples)

- Denial of service: the target's CPU is consumed by attack traffic
- Loss of integrity: a bank customer's "Deposit $1000" is altered in transit to "Deposit $100"
- Loss of privacy: a telnet login to company.org ("username: dan", "password: m-y-p-a-s-s-w-o-r-d") is read off the wire character by character
- Impersonation: "I'm Bob. Send me all corporate correspondence with Cisco."


Security Objective: Balance Business Needs with Risks

Access security:
- Authentication
- Authorization
- Accounting
- Assurance
- Confidentiality
- Data integrity
- Policy management

Connectivity:
- Performance
- Ease of use
- Manageability
- Availability


Network Security Components: Physical Security Analogy

Physical security                          Network security
Doors, locks, and guards                   Firewalls and access controls
Keys and badges                            Authentication
Surveillance cameras and motion sensors    Intrusion detection system

Complementary mechanisms that together provide defense in depth


    Security Technology



Elements of Security

Policy drives three elements:

Identity
- Accurately identify users
- Determine what users are allowed to do

Integrity
- Ensure network availability
- Provide perimeter security
- Ensure privacy

Active audit
- Recognize network weak spots
- Detect and react to intruders


    Security Technology

    Identity



    Identity

Uniquely and accurately identify users, applications, services, and resources

Mechanisms: username/password, PAP, CHAP, AAA server, one-time password, RADIUS, TACACS+, Kerberos, MS login, digital certificates, directory services, Network Address Translation


Username/Password

(Figure: a dial-in user reaches the Network Access Server (NAS) over the public network with PPP and PAP; the NAS forwards the ID/password to the AAA server on the campus.)

1. User dials in and presents an ID and password to the NAS
2. NAS sends the ID/password to the AAA server
3. AAA server authenticates the ID/password and tells the NAS to accept (or reject)
4. NAS accepts (or rejects) the call
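The four steps above, as an added example that is not part of the original slides and not Cisco's code: a minimal RADIUS (RFC 2865) Access-Request/Access-Accept exchange in Python, with the NAS and the AAA server as two functions. The shared secret, the user file, the identifier and the random Request Authenticator are constructed for the demo; the attribute encoding, the MD5-based User-Password hiding and the Response Authenticator follow the RFC.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo values, not from the slides: the secret shared by the NAS and the
# AAA server, and the AAA server's user file.
SHARED_SECRET = b"nas-and-aaa-shared-secret"
USER_DATABASE = {"dan": "my-password"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, then XOR block i with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (the NUL padding is stripped, as real servers do)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value


def parse_attrs(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(blob):
        kind, length = blob[i], blob[i + 1]
        attrs[kind] = blob[i + 2:i + length]
        i += length
    return attrs


def nas_build_access_request(username: str, password: str, ident: int, request_auth: bytes) -> bytes:
    """Step 2: the NAS packs the ID and the hidden password into an Access-Request."""
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def aaa_handle(packet: bytes) -> bytes:
    """Step 3: the AAA server recovers the password, checks it, and answers Accept or Reject.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    given = unhide_password(attrs[ATTR_USER_PASSWORD], SHARED_SECRET, request_auth)
    on_file = USER_DATABASE.get(user)
    ok = on_file is not None and hmac.compare_digest(given, on_file.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + SHARED_SECRET).digest()


def nas_check_reply(reply: bytes, request_auth: bytes) -> bool:
    """Step 4: the NAS accepts the call only for an Access-Accept whose Response
    Authenticator proves it came from a holder of the shared secret."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + SHARED_SECRET).digest()
    return hmac.compare_digest(reply[4:20], expected) and code == ACCESS_ACCEPT


def dial_in(username: str, password: str, ident: int = 7) -> bool:
    """Steps 1 to 4 end to end; True if the NAS would accept the call."""
    request_auth = os.urandom(16)          # fresh per request; never reuse it
    reply = aaa_handle(nas_build_access_request(username, password, ident, request_auth))
    return nas_check_reply(reply, request_auth)
```

Two things worth noticing. The password hiding is an MD5 keystream keyed by the shared secret, not authenticated encryption: whoever learns the secret (or can brute-force a weak one from captured requests) recovers every password ever sent, which is why RADIUS should run over a protected transport such as IPsec or TLS. And the NAS must check the Response Authenticator before trusting an Accept, otherwise anyone who can spoof a UDP datagram from the server's address can admit a caller.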


PAP and CHAP Authentication

(Figure: a PPP link between the dial-in user and the Network Access Server across the public network, authenticated with PAP or CHAP.)

Password Authentication Protocol (PAP)
- Authenticates the caller only
- Passes the password in clear text; anyone who can sniff the link learns it

Challenge Handshake Authentication Protocol (CHAP)
- Can authenticate both sides: each peer may challenge the other (mutual authentication is optional in RFC 1994, not automatic)
- The password is never sent: the peer returns a one-way hash (MD5) of the challenge and the shared secret, so a sniffer sees only a fresh random challenge and its response
- The authenticator may repeat the challenge at any time during the session
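The difference between the two protocols, as an added example that is not part of the original slides and not Cisco's code: a CHAP authenticator and peer in Python following RFC 1994 (MD5 over identifier, secret and challenge), beside what PAP puts on the wire. The shared secret and the host names are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo secret shared by the dial-in peer and the NAS; not from the slides.
SHARED_SECRET = b"correct horse battery staple"


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The secret itself never goes on the wire."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The NAS side: issues fresh random challenges and remembers which are outstanding."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = {}      # identifier -> challenge still awaiting a response
        self.next_id = 0

    def challenge(self):
        ident, self.next_id = self.next_id, (self.next_id + 1) & 0xFF
        chal = os.urandom(16)      # unpredictable, so a replayed response is worthless
        self.outstanding[ident] = chal
        return ident, chal

    def verify(self, ident: int, response: bytes) -> bool:
        chal = self.outstanding.pop(ident, None)   # each challenge is answered once
        if chal is None:
            return False
        return hmac.compare_digest(response, chap_response(ident, self.secret, chal))


def pap_on_wire(username: str, password: str) -> bytes:
    """What PAP transmits: the password itself, readable by anyone sniffing the link."""
    return username.encode() + b":" + password.encode()


def chap_exchange(auth: Authenticator, peer_secret: bytes):
    """One CHAP round trip. Returns (what a sniffer would see, whether the NAS accepted)."""
    ident, chal = auth.challenge()                      # NAS -> peer: Challenge
    resp = chap_response(ident, peer_secret, chal)      # peer -> NAS: Response
    return {"ident": ident, "challenge": chal, "response": resp}, auth.verify(ident, resp)
```

The property CHAP buys is freshness: a captured challenge/response pair cannot be replayed because the authenticator never reuses a challenge. The price is that the NAS (or its AAA server) must hold the secret in a form it can hash, so the server's password store cannot be one-way hashed the way a Unix password file is. Mutual authentication is simply the same exchange run in the other direction with the peer as authenticator.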


One-Time Password

(Figure: the dial-in user, holding a token card, a soft token, or an S/Key client, sends ID/one-time password through the Network Access Server to the AAA server, which consults a token or S/Key server on the campus.)

- Additional level of security: guards against password guessing and cracking
- Prevents replay attacks: a captured password is useless after its single use (it does not, by itself, stop an attacker from spoofing the link)
- The single-use password is generated by a token card or in software
- A synchronized central server authenticates the user
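How an S/Key-style one-time password actually resists replay, as an added example that is not part of the original slides and not Cisco's code. It is the hash-chain scheme of RFC 1760 in Python, with SHA-256 standing in for the original 64-bit MD4/MD5 folding (an assumption of this demo); the seed and chain length are constructed values.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    # SHA-256 stands in for the 64-bit MD4/MD5 folding of the original S/KEY (RFC 1760);
    # the chain scheme is the same.
    return hashlib.sha256(x).digest()


def hash_chain(secret: bytes, n: int) -> bytes:
    """h applied n times: h^n(secret)."""
    x = secret
    for _ in range(n):
        x = h(x)
    return x


class OtpServer:
    """Holds only the top of the chain, h^n(secret); it never learns the secret."""

    def __init__(self, top: bytes, n: int):
        self.last, self.remaining = top, n

    def login(self, otp: bytes) -> bool:
        if self.remaining == 0:
            return False                          # chain exhausted: re-enroll
        if hmac.compare_digest(h(otp), self.last):
            self.last, self.remaining = otp, self.remaining - 1   # roll the chain forward
            return True
        return False


class SoftToken:
    """The user's soft token: knows the secret and which step comes next."""

    def __init__(self, secret: bytes, n: int):
        self.secret, self.n = secret, n

    def next_password(self) -> bytes:
        self.n -= 1
        return hash_chain(self.secret, self.n)     # h^(n-1), then h^(n-2), ...


def enroll(secret: bytes, n: int):
    """Initialise both sides; only h^n(secret) is sent to the server."""
    return SoftToken(secret, n), OtpServer(hash_chain(secret, n), n)
```

A sniffer who captures the password h^(n-1)(secret) can verify it against h^n but cannot produce the next one, h^(n-2), without inverting h. The server stores nothing secret, which is the property that token-card schemes with a synchronized clock or counter buy in a different way. Note that the "synchronized" server state matters: if the user's token runs ahead of the server, the server sees a value it cannot chain to and rejects it.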


Authentication, Authorization, and Accounting (AAA)

A tool for enforcing security policy:

- Authentication verifies identity: "Who are you?"
- Authorization configures integrity (what the policy allows): "What are you permitted to do?"
- Accounting assists with audit: "What did you do?"


AAA Services

- Centralized security database with high availability
- Same policy across many access points
- Per-user access control
- Single network login
- Support for TACACS+, RADIUS (IETF), Kerberos, one-time password

(Figure: a dial-in user through a Network Access Server and an Internet user through the gateway router and firewall are both checked against the campus AAA server over TACACS+ or RADIUS; the firewall intercepts connections and the AAA server returns the ID/user profile.)


Lock-and-Key Security

- Dynamically assigns access control lists on a per-user basis
- Allows a remote host to access a local host via the Internet
- Allows local hosts to access a host on a remote network

(Figure: an authorized user reaches the corporate site across the Internet; a non-authorized user is blocked.)


Calling Line Identification

(Figure, ISDN)

1. Station A (ISDN number 1234) places a call; the call setup message carries the calling number
2. The router compares the calling number with its table of known numbers (Station A = 1234)
3. If it matches, the call is accepted
4. PPP CHAP authentication can then run on top (optional)


User Authentication with Kerberos

- Authenticates users and the network services they use
- Uses tickets or credentials issued by a trusted Kerberos server
- Tickets have a limited life span and can be used in place of the standard user/password mechanism

(Figure: a remote user (Kerberos principal) obtains a Kerberos credential (ticket) from the Kerberos server, then presents an encrypted service credential to a Kerberized router to reach the mail server.)


How Public Key Works

(Figure: two devices across a WAN, each holding its own public/private key pair; the derived secret key drives DES.)

By exchanging public keys, two devices can determine a new unique key (the secret key) known only to them. This is the Diffie-Hellman exchange that IKE uses: the slow public-key arithmetic is done once, and the resulting shared key is used as a symmetric key for a cipher such as DES on the bulk traffic. The exchanged public values must themselves be authenticated (with a pre-shared key or a certificate), or an attacker on the WAN can substitute his own and sit in the middle.


Digital Signatures

Signing (Bob):
1. Hash Bob's document to produce a message hash
2. Encrypt the hash with Bob's private key; the result is the digital signature

Verifying (recipient):
1. Hash the received document to produce a message hash
2. Decrypt the signature with Bob's public key
3. Same? If verification is successful, the document has not been altered and was signed by the holder of Bob's private key


Certificate Authority

- Certificate Authority (CA) verifies identity
- CA signs a digital certificate containing the device's public key
- A certificate is the equivalent of an ID card
- Partners include VeriSign, Entrust, Netscape, and Baltimore Technologies

(Figure: a user asks "who is this bank?"; the bank's certificate, signed by a CA both parties trust, answers the question across the Internet.)


Network Address Translation

- Provides dynamic or static translation of private addresses to registered IP addresses
- Eliminates readdressing overhead (large administrative cost benefit)
- Conserves addresses: hosts can share a single registered IP address for all external communications via port-level multiplexing
- Permits use of a single IP address range in multiple intranets
- Hides internal addresses. This is a side effect of the translation table, not an access policy: an unsolicited inbound packet is dropped only because no table entry exists for it, and a static translation exposes its inside host to everything the Internet sends. NAT complements a firewall; it does not replace one.
- Augmented by the Easy IP DHCP host function

(Figure: inside local addresses 10.0.0.1 and 10.0.0.2 are translated to inside global addresses 171.69.58.80 and 171.69.58.81; a packet leaving 10.0.0.1 with source address 10.0.0.1 reaches the Internet with the translated source address from the table.)
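The translation table from the figure in working form, as an added example that is not part of the original slides and not Cisco's code. It models static translation for one inside host and port-level multiplexing (PAT) for the rest behind the slide's inside global address 171.69.58.80, and shows why "hides internal addresses" is only as strong as the table: the outside addresses, ports and the static host 10.0.0.2 are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Static 1:1 translations for named inside hosts; port-level multiplexing (PAT) of
    everyone else behind one inside global address."""

    def __init__(self, pat_global: str, static=None, first_port: int = 1024):
        self.pat_global = pat_global
        self.static = dict(static or {})                    # inside local -> inside global
        self.static_rev = {g: l for l, g in self.static.items()}
        self.next_port = first_port
        self.out_table = {}                                 # (inside local, port) -> global port
        self.in_table = {}                                  # global port -> (inside local, port)

    def outbound(self, p: Packet) -> Packet:
        if p.src in self.static:                            # static: address changes, port kept
            return Packet(self.static[p.src], p.sport, p.dst, p.dport)
        key = (p.src, p.sport)
        if key not in self.out_table:                       # first packet creates the entry
            self.out_table[key] = self.next_port
            self.in_table[self.next_port] = key
            self.next_port += 1
        return Packet(self.pat_global, self.out_table[key], p.dst, p.dport)

    def inbound(self, p: Packet):
        """Returns the translated packet, or None when the router has nowhere to send it."""
        if p.dst in self.static_rev:                        # static hosts are always reachable
            return Packet(p.src, p.sport, self.static_rev[p.dst], p.dport)
        if p.dst == self.pat_global and p.dport in self.in_table:
            local, lport = self.in_table[p.dport]
            return Packet(p.src, p.sport, local, lport)
        return None                                         # no entry: dropped, not "blocked"
```

Two inside hosts end up sharing 171.69.58.80 and differ only in the translated source port; a reply to that port is mapped back, an unsolicited packet to an unused port is dropped. The statically mapped host, by contrast, receives any port anyone sends to 171.69.58.81, so it needs an access list or firewall in front of it regardless of NAT.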


    Security Technology

    Integrity



Integrity: Network Availability

Ensure the network infrastructure remains available

Mechanisms: TCP Intercept, route authentication


TCP Intercept

(Figure: the client's connection request is intercepted by the router, the connection is established with the router answering for the server, and is then transferred to the server once the handshake completes.)

- Protects networks against denial of service attacks
- TCP SYN flooding can overwhelm a server and cause it to deny service, exhaust memory, or waste processor cycles
- TCP Intercept protects the network by intercepting TCP connection requests and replying on behalf of the destination
- Can be configured to passively monitor (watch mode) TCP connection requests and respond only if a connection fails to be established within a configurable interval
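The watch-mode behaviour of the last bullet, as an added example that is not part of the original slides and not Cisco's code: a Python tracker that follows half-open connections to protected servers over a constructed packet stream and reports the ones still incomplete after the watch interval (the connections the router would then reset on the server's behalf). The addresses and timings are invented; the 30-second timeout and the 1100 high-water mark are the IOS defaults as I recall them and are parameters here, not facts taken from the slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float        # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" client SYN, "A" client ACK completing the handshake


class WatchModeIntercept:
    """Watch-mode TCP intercept: track embryonic (half-open) connections to protected
    servers and report those still incomplete after watch_timeout."""

    def __init__(self, protected, watch_timeout: float = 30.0, max_incomplete_high: int = 1100):
        self.protected = set(protected)
        self.watch_timeout = watch_timeout
        self.high = max_incomplete_high
        self.half_open = {}          # (src, sport, dst, dport) -> time the SYN was seen
        self.established = set()

    def observe(self, e: Event) -> None:
        key = (e.src, e.sport, e.dst, e.dport)
        if e.dst not in self.protected:
            return
        if e.flags == "S":
            self.half_open.setdefault(key, e.t)          # retransmitted SYNs keep the first time
        elif e.flags == "A" and key in self.half_open:   # third packet of the handshake
            del self.half_open[key]
            self.established.add(key)

    def expired(self, now: float) -> list:
        """Half-open connections the router would now reset on the server's behalf."""
        return sorted(k for k, t0 in self.half_open.items() if now - t0 >= self.watch_timeout)

    def aggressive(self) -> bool:
        """True once the incomplete-connection count crosses the high-water mark."""
        return len(self.half_open) >= self.high


def replay(events, now: float, **kw):
    """Feed events in time order; return the tracker and what has expired at `now`."""
    tracker = WatchModeIntercept(**kw)
    for e in sorted(events, key=lambda e: e.t):
        tracker.observe(e)
    return tracker, tracker.expired(now)


# Constructed sample traffic, not a real capture: one legitimate handshake from 192.0.2.10,
# then fifty SYNs from spoofed 198.51.100.0/24 sources that never complete.
SAMPLE = [Event(0.0, "192.0.2.10", 40000, "10.1.1.5", 80, "S"),
          Event(0.1, "192.0.2.10", 40000, "10.1.1.5", 80, "A")]
SAMPLE += [Event(1.0 + i * 0.01, f"198.51.100.{i + 1}", 1000 + i, "10.1.1.5", 80, "S")
           for i in range(50)]
```

Watch mode only costs state on the router and lets legitimate handshakes proceed untouched, which is why it is the gentler setting; the intercept (proxy) mode of the earlier bullets answers every SYN itself. In either mode the count of half-open entries is the signal to watch: once it passes the high-water mark the router shortens its timeouts and starts dropping the oldest entries, and that same count, exported to a log, is a usable SYN-flood detector.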


Route Authentication

(Figure: the home gateway accepts routing updates across the Internet only from a trusted source.)

- Enables routers to identify one another and verify each other's legitimacy before accepting route updates
- Ensures that routers receive legitimate update information from a trusted source


Integrity: Perimeter Security

Control access to critical network applications, data, and services

Mechanisms: access control lists, firewall technologies, content filtering, CBAC, authentication


Access Lists

Standard
- Filter on source address only
- Permit/deny an entire protocol suite

Extended
- Filter on source and destination addresses
- Inbound or outbound
- Port number
- Permit/deny specific protocols

Reflexive

Time-based


Policy Enforcement Using Access Control Lists

(Figure: inbound Telnet from the Internet is stopped at the home gateway.)

- Ability to stop or reroute traffic based on packet characteristics
- Access control on incoming or outgoing interfaces
- Works together with NetFlow to provide high-speed enforcement at network access points
- Violation logging provides useful information to network managers


Importance of Firewalls

- Permit secure access to resources
- Protect networks from unauthorized intrusion from both external and internal sources
- Protect networks from denial of service (DoS) attacks


What Is a Firewall?

- All traffic from inside to outside and vice versa must pass through the firewall
- Only authorized traffic, as defined by the local security policy, is allowed in or out
- The firewall itself must resist penetration: a compromised firewall enforces nothing, so it runs a minimal, hardened system and is itself monitored


Packet-Filtering Routers

(Figure: a router with ACLs separates the protected network (users, e-mail server) from the ISP and Internet; a micro web server for public access sits on the outside.)


Proxy Service

(Figure: a proxy server between the internal network and the Internet/intranet.)

- Provides user-level security
- Most effective when used with packet filtering


Stateful Sessions

(Figure: a firewall in front of the mail and WWW servers, facing the Internet.)

- Highest performance security
- Maintains complete session state
- Connection oriented: tracks the complete connection, establishment and termination
- Strong audit capability
- Easy to add new applications


Performance Requirements

(Figure: throughput demanded of the company network's Internet connection, from 0.5 through 1, 5, 10, 20 to 40 Mbps, for video, audio, private link, and web commerce traffic.)


Integrity: Privacy

Provide authenticated private communication on demand

Mechanisms: VPNs, IPSec, IKE, encryption, DES, 3DES, digital certificates, CET, CEP


Encryption and Decryption

Clear text -> Encryption -> Cipher text -> Decryption -> Clear text


What Is IPSec?

- Network-layer encryption and authentication
- Open standards for ensuring secure private communications over any IP network, including the Internet
- Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
- Data protected with network encryption, digital certification, and device authentication
- Implemented transparently in the network infrastructure: routers, firewalls, PCs, and servers
- Scales from small to very large networks


IPSec Everywhere!

- Router to router
- Router to firewall
- PC to router
- PC to server
- PC to firewall


IKE: Internet Key Exchange

- Automatically negotiates policy to protect communication
- Authenticated Diffie-Hellman key exchange
- Negotiates (possibly multiple) security associations for IPSec

Example IKE policy proposals (the tunnel uses the first one both peers accept):
- 3DES, MD5, and RSA signatures, or
- IDEA, SHA, and DSS signatures, or
- Blowfish, SHA, and RSA encryption


How IPSec Uses IKE

(Figure: Router A and Router B, each with an IKE process, and an IKE tunnel between them.)

1. An outbound packet from Alice to Bob arrives at Router A; no IPSec security association exists yet
2. Router A's IKE begins negotiation with Router B's IKE
3. Negotiation complete; Router A and Router B now have complete IPSec SAs in place
4. The packet is sent from Alice to Bob protected by the IPSec SA
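The "authenticated Diffie-Hellman" of the IKE slide and the key agreement sketched on the earlier "How Public Key Works" slide, as one added example that is not part of the original slides and not Cisco's code. Two peers in Python run a Diffie-Hellman exchange, derive SKEYID from a pre-shared key and both nonces as IKEv1 main mode does, and each proves knowledge of the PSK with a tag over both public values; the tag is what stops an attacker on the WAN from substituting his own public value. The group (p = 2^127 - 1, g = 3) is a toy chosen for readability, the PSK is constructed, and the message layout is a simplification of IKEv1, not its wire format.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for readability: p = 2^127 - 1 (a Mersenne prime), generator 3.
# Real IKE uses the MODP groups of RFC 2409 / RFC 3526 (2048 bits or more today).
P = 2**127 - 1
G = 3
# Constructed pre-shared key that Router A and Router B were both configured with.
PSK = b"router-a-router-b-psk"


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def keypair():
    x = secrets.randbelow(P - 2) + 1          # private exponent in [1, p-2]
    return x, pow(G, x, P)                    # (private, public = g^x mod p)


def shared_secret(priv: int, peer_pub: int) -> bytes:
    if not 1 < peer_pub < P - 1:              # reject the degenerate values 0, 1, p-1
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def _i2b(n: int) -> bytes:
    return n.to_bytes(16, "big")


class IkePeer:
    """One IKE endpoint (Router A or B). Simplified IKEv1 main mode with pre-shared-key
    authentication: SKEYID = prf(PSK, Ni || Nr); the authentication tag binds both
    public values and the DH result to the PSK."""

    def __init__(self, name: str, psk: bytes):
        self.name, self.psk = name, psk
        self.priv, self.pub = keypair()
        self.nonce = secrets.token_bytes(16)

    def finish(self, peer_pub: int, peer_nonce: bytes, initiator: bool):
        gxy = shared_secret(self.priv, peer_pub)
        n_i, n_r = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        y_i, y_r = (self.pub, peer_pub) if initiator else (peer_pub, self.pub)
        skeyid = prf(self.psk, n_i + n_r)
        sa_key = prf(skeyid, gxy + n_i + n_r)                # keying material for the IPSec SA

        def tag(role: bytes) -> bytes:
            return prf(skeyid, role + _i2b(y_i) + _i2b(y_r) + gxy)

        own, expect_peer = (tag(b"I"), tag(b"R")) if initiator else (tag(b"R"), tag(b"I"))
        return sa_key, own, expect_peer


def negotiate(a: IkePeer, b: IkePeer, tamper=None):
    """Run the exchange between initiator a and responder b. `tamper`, if given, is an
    attacker on the WAN who may replace the public values in transit.
    Returns the SA key each side would install, or None where that side rejects the peer."""
    ya, yb = a.pub, b.pub
    if tamper is not None:
        ya, yb = tamper(ya, yb)
    key_a, tag_a, want_b = a.finish(yb, b.nonce, initiator=True)
    key_b, tag_b, want_a = b.finish(ya, a.nonce, initiator=False)
    a_ok = hmac.compare_digest(tag_b, want_b)   # A checks B's proof of the PSK
    b_ok = hmac.compare_digest(tag_a, want_a)
    return (key_a if a_ok else None), (key_b if b_ok else None)
```

With the same PSK both routers install the same SA key and never send it. A peer with the wrong PSK, or an attacker who swaps in his own public values, produces a tag the other side cannot reproduce, so neither side installs anything: that is the "authenticated" in authenticated Diffie-Hellman. The same structure holds when certificates replace the PSK; the tag becomes a signature over the same values.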


Encryption: DES and 3DES

- Widely adopted standard
- Encrypts plaintext, which becomes ciphertext
- DES performs 16 rounds with a 56-bit key
- Triple DES (3DES): the 56-bit DES algorithm runs three times
- 112-bit triple DES uses two keys; 168-bit triple DES uses three keys. Meet-in-the-middle attacks reduce the effective strength below the nominal key length (about 112 bits for three-key 3DES), and 3DES keeps the 64-bit DES block size, so today it is a legacy choice where a modern 128-bit block cipher is available
- Accomplished on a VPN client, server, router, or firewall


Breaking DES Keys

- Exhaustive search is the only practical way to break DES keys (so far)
- Would take hundreds of years on the fastest general-purpose computers of the time (56-bit DES)
- A specialized computer costing about $1,000,000 could find a key in roughly 3.5 hours on average (Source: M. J. Wiener, 1993)
- The Internet enables multiple computers to work simultaneously
- The Electronic Frontier Foundation and distributed.net cracked a 56-bit DES challenge in 22 hours and 15 minutes
- Consensus of the cryptographic community: 56-bit DES, if not currently insecure, will soon be insecure


    Security Technology

    Active Audit



Why Active Audit?

Firewalls, authorization, and encryption do not provide VISIBILITY into these problems:

- The hacker might be an employee or trusted partner: up to 80% of security breaches come from the inside (Source: FBI)
- Your defense might be ineffective: one out of every three intrusions occurs where a firewall is in place (Source: Computer Security Institute)
- Your employees might make mistakes: misconfigured firewalls, servers, etc.
- Your network will grow and change: each change introduces new security risks


Why Active Audit?

- Network security requires a layered defense: point security PLUS active systems to measure vulnerabilities and monitor for misuse, on the network perimeter and in the intranet
- Security is an ongoing, operational process: it must be constantly measured, monitored, and improved

(Figure: Active Audit Network)


Active Audit: Network Vulnerability Assessment

Assess and report on the security status of network components

Mechanisms: scanning (active, passive), vulnerability database


Active Audit: Intrusion Detection System

Identify and react to known or suspected network intrusion or anomalies

Mechanisms: passive promiscuous monitoring, a database of threats or suspect behavior, communication infrastructure or access control changes


IDS Attack Detection

Signatures are classified along two axes: what is examined (context, the packet header, versus content, the data) and how many packets it takes to recognize the attack (atomic, a single packet, versus composite, multiple packets).

                    Atomic (single packet)         Composite (multiple packets)
Context (header)    Ping of Death, Land attack     Port sweep, SYN attack, TCP hijacking
Content (data)      MS IE attack, DNS attacks      Telnet attacks, character-mode attacks


Active Audit

- Actively audit and verify policy
- Detect intrusion and anomalies
- Report



Summary

- Security is a mission-critical business requirement for all networks
- Security requires a global, corporate-wide policy
- Security requires a multilayered implementation


Basic Security and Traffic Management with Access Lists


Why Use Access Lists?

Deny traffic you do not want based on packet tests (for example, addressing or traffic type)

(Figure: a router joining a Token Ring segment, an FDDI ring, networks 172.16.0.0 and 172.17.0.0, and the Internet.)


What Are Access Lists?

Standard
- Simpler address specifications
- Generally permits or denies an entire protocol suite

Extended
- More complex address specifications
- Generally permits or denies specific protocols

Access list processes (figure): an incoming packet on E0 is tested on source and destination; if permitted, it becomes the outgoing packet on the exit interface (E0, or optionally the dialer).


Access List Command Overview

Router(config)#
access-list access-list-number {permit|deny} {test conditions}

Step 1: Set the parameters for this access list test statement (a list can be built from several such statements)

Router(config-if)#
{protocol} access-group access-list-number

Step 2: Enable an interface to become part of the group that uses the specified access list

Access lists are numbered (for IP, numbered or named)


How to Identify Access Lists

Access List Type          Number Range/Identifier
IP standard               1-99
IP extended               100-199
IP named                  name (Cisco IOS 11.2 and later)
IPX standard              800-899
IPX SAP filters           1000-1099
AppleTalk                 600-699

- The number identifies the protocol and type
- Other number ranges exist for most protocols


    TCP/IP Access Lists


Testing Packets with Access Lists

(Figure: the fields an access list can test)

Frame header (for example, HDLC) | Packet (IP header): source address, destination address, protocol | Segment (for example, TCP header): port number | Data

Use access list statements 1-99 or 100-199 to test the packet; the outcome is permit or deny


Key Concepts for IP Access Lists

- Standard lists (1 to 99) test all IP packets on the source address
- Extended lists (100 to 199) can test source and destination addresses, specific TCP/IP-suite protocols, and destination ports
- Wildcard bits indicate how to check the corresponding address bits (0 = check, 1 = ignore)


How to Use Wildcard Mask Bits

Octet bit values:  128 64 32 16 8 4 2 1

0 0 0 0 0 0 0 0  = check all address bits (match all)
0 0 1 1 1 1 1 1  = ignore the last 6 address bits
0 0 0 0 1 1 1 1  = ignore the last 4 address bits
1 1 1 1 1 1 0 0  = check the last 2 address bits
1 1 1 1 1 1 1 1  = do not check the address (ignore all bits in the octet)

0 means check the corresponding bit value; 1 means ignore the value of the corresponding bit
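The wildcard rule in executable form, as an added example that is not part of the original slides and not Cisco's code: Python helpers that derive a wildcard from a prefix length, test an address against an address/wildcard pair exactly as the router does, and describe an octet in the words of the table above. It goes one step past the slide with a non-contiguous wildcard (0.0.254.255), which matches every even third octet, something a subnet mask cannot express.

```python
import ipaddress


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def matches(address: str, wildcard: str, candidate: str) -> bool:
    """0 bits in the wildcard must match; 1 bits are ignored. Setting every ignored bit
    to 1 on both sides and comparing is the same test done in one operation."""
    w = _ip(wildcard)
    return (_ip(address) | w) == (_ip(candidate) | w)


def describe_octet(wild_octet: int) -> str:
    """Plain-language reading of one wildcard octet, as in the table on the slide."""
    bits = f"{wild_octet:08b}"
    checked = bits.count("0")
    if checked == 8:
        return "check all 8 bits (match all)"
    if checked == 0:
        return "ignore all 8 bits (do not check this octet)"
    if bits.startswith("0") and "0" not in bits.lstrip("0"):     # 0...01...1
        return f"ignore the last {8 - checked} bits"
    if bits.startswith("1") and "1" not in bits.lstrip("1"):     # 1...10...0
        return f"check only the last {checked} bits"
    positions = [7 - i for i, b in enumerate(bits) if b == "0"]
    return f"check bits {positions} (non-contiguous)"
```

The trap this guards against is the common one of typing a subnet mask where a wildcard belongs: 172.16.4.0 255.255.255.0 as an ACL entry ignores the first three octets and checks only that the last octet is 0, which is close to "match everything". Computing the wildcard from the prefix length, as wildcard_from_prefix does, removes that mistake.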


How to Use the Wildcard any

Accept any address: 0.0.0.0 255.255.255.255; abbreviate the expression with the keyword any

- Any IP address: 0.0.0.0
- Wildcard mask: 255.255.255.255 (ignore all)
- Test condition: ignore all the address bits (match any)


How to Use the Wildcard host

- An IP host address, for example 172.30.16.29
- Wildcard mask: 0.0.0.0 (check all bits)
- Test condition: check all the address bits (match all)

Example: 172.30.16.29 0.0.0.0 checks all the address bits. Abbreviate the wildcard with the keyword host followed by the address: host 172.30.16.29 (in Cisco IOS syntax the keyword comes before the address).


IP Standard Access List Configuration

Router(config)#
access-list access-list-number {permit|deny} source [source-wildcard]

Sets the parameters for this list entry; IP standard access lists use numbers 1 to 99

Router(config-if)#
ip access-group access-list-number {in|out}

Activates the list on an interface


Standard Access List Example 1: Permit my network only

(Figure: the router connects 172.16.3.0 on E0, 172.16.4.0 on E1 (with host 172.16.4.13), and non-172.16.0.0 networks on S0.)

access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all, not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 1 out
interface ethernet 1
ip access-group 1 out


Standard Access List Example 2: Deny a specific host

(Figure: same topology as Example 1.)

access-list 1 deny host 172.16.4.13
access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 1

The slide writes the first entry as "172.16.4.13 host"; Cisco IOS syntax puts the keyword first, as shown. With no direction given, ip access-group applies the list outbound.


Standard Access List Example 3: Deny a specific subnet

(Figure: same topology as Example 1.)

access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 1


Extended IP Access Lists

- Allow more precise filtering conditions
- Check source and destination IP address
- Specify an optional IP protocol port number
- Use access list number range 100 to 199


Extended Access List Configuration

Router(config)#
access-list access-list-number {permit|deny} protocol source source-wildcard destination destination-wildcard [operator operand] [established]

Sets the parameters for this list entry; IP uses a list number in the range 100 to 199

Router(config-if)#
ip access-group access-list-number {in|out}

Activates the extended list on an interface


Extended Access List Example: Deny FTP for E0

(Figure: same topology as the standard examples: 172.16.3.0 on E0, 172.16.4.0 on E1 with host 172.16.4.13, and non-172.16.0.0 networks on S0.)

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 101

Blocking ports 21 and 20 covers active-mode FTP only; passive-mode data connections use negotiated high ports, which a static list cannot follow and stateful inspection (CBAC) is needed to control.
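The three kinds of statement used in the examples above, evaluated the way the router evaluates them, as an added example that is not part of the original slides and not Cisco's code. The Python below parses standard and extended numbered entries (any, host, address/wildcard, protocol and eq port), applies first-match semantics with the implicit deny, and runs the lists from standard examples 2 and 3 (here numbered 1 and 2) and the extended example (101) against constructed packets. The host keyword is written in IOS order.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str          # "ip" matches every IP protocol
    src: str
    swild: str
    dst: str
    dwild: str
    dport: Optional[int]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, wild: str, candidate: str) -> bool:
    w = _ip(wild)
    return (_ip(addr) | w) == (_ip(candidate) | w)


def _addr_spec(tokens):
    """Consume one address spec: 'any', 'host A', 'A WILDCARD', or a bare 'A' (= host)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]


def parse_rule(line: str):
    """Parse one 'access-list N {permit|deny} ...' statement into (N, Rule)."""
    t = line.split()
    number, action, rest = int(t[1]), t[2], t[3:]
    if number <= 99:                                   # standard list: source only
        src, swild, _ = _addr_spec(rest)
        return number, Rule(action, "ip", src, swild, "0.0.0.0", "255.255.255.255", None)
    proto, rest = rest[0], rest[1:]                    # extended: protocol, src, dst, [eq port]
    src, swild, rest = _addr_spec(rest)
    dst, dwild, rest = _addr_spec(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return number, Rule(action, proto, src, swild, dst, dwild, dport)


class AccessLists:
    def __init__(self, config: str):
        self.lists = {}
        for line in config.splitlines():
            line = line.strip()
            if line.startswith("access-list"):
                n, rule = parse_rule(line)
                self.lists.setdefault(n, []).append(rule)   # statement order is match order

    def evaluate(self, number: int, p: Packet) -> str:
        if number not in self.lists:
            return "permit"          # IOS: a referenced but undefined list permits everything
        for r in self.lists[number]:
            if r.proto not in ("ip", p.proto):
                continue
            if not wildcard_match(r.src, r.swild, p.src) or not wildcard_match(r.dst, r.dwild, p.dst):
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            return r.action          # first match wins
        return "deny"                # the implicit deny all at the end of every list


# The lists from the slides, as a constructed configuration (host keyword in IOS order).
CONFIG = """
access-list 1 deny host 172.16.4.13
access-list 1 permit 0.0.0.0 255.255.255.255
access-list 2 deny 172.16.4.0 0.0.0.255
access-list 2 permit any
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255
"""
```

Two behaviours are worth checking against a real router before relying on them: the order of statements is the order of evaluation (a permit any placed first makes every later deny dead), and an ip access-group that names a list with no statements does not deny everything but permits it, so a typo in the list number silently opens the interface.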


Where to Place IP Access Lists

(Figure: routers A, B, C, and D with Token Ring (To0), Ethernet (E0, E1), and serial (S0, S1) interfaces.)

- Place standard access lists close to the destination: they can only match on source, so placing one near the source would cut that source off from everything, not just the protected destination
- Place extended access lists close to the source: they identify the exact traffic, so unwanted packets are dropped before they cross the network and consume bandwidth


Monitoring Access Lists

Router# show ip interface
Ethernet0 is up, line protocol is up
  Internet address is 192.54.222.2, subnet mask is 255.255.255.0
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is 192.52.71.4
  Secondary address 131.192.115.2, subnet mask 255.255.255.0
  Outgoing access list 10 is set
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  Gateway Discovery is disabled
  IP accounting is disabled
  TCP/IP header compression is disabled
  Probe proxy name replies are disabled
Router#

The two lines to look for are "Outgoing access list 10 is set" and "Inbound access list is not set": they show which list, if any, is applied in each direction on the interface.


    Monitoring Access ListStatements

    Router> show access-lists

    Standard IP access list 19

    permit 172.16.19.0

    deny 0.0.0.0, wildcard bits 255.255.255.255

    Standard IP access list 49

    permit 172.16.31.0, wildcard bits 0.0.0.255

    permit 172.16.194.0, wildcard bits 0.0.0.255

    permit 172.16.195.0, wildcard bits 0.0.0.255

    permit 172.16.196.0, wildcard bits 0.0.0.255

    permit 172.16.197.0, wildcard bits 0.0.0.255

    Extended IP access list 101

    permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 23

    Type code access list 201

    permit 0x6001 0x0000

    Type code access list 202

    permit 0x6004 0x0000

    deny 0x0000 0xFFFF

    Router>

    Summary


    Access lists perform several functions within a Cisco router, including:

    - Implement security/access procedures
    - Determine whether packets need to bring up the dialer for WAN links
    - Act as a protocol firewall

    Extended access lists allow filtering on address, protocol, and application parameters

    Use access lists to limit broadcast traffic from protocol overhead packets


    Cisco PIX Firewall Configuration Guidelines


    Command Line Guidelines

    Information that you will need before you start configuring the PIX Firewall:

    - Access modes
    - Backups
    - Default configuration
    - Help information
    - IP addresses
    - Masks


    Access modes

    The PIX Firewall command set is based on Cisco IOS technology and provides three administrative access modes:

    * Unprivileged mode is available when you first access the firewall and displays the > prompt.

    * Privileged mode displays the # prompt and lets you change the current settings. Any unprivileged command also works in privileged mode. Use the enable command to start privileged mode and the disable, exit or quit command to leave it.

    * Configuration mode displays the (config)# prompt and lets you change the system configuration. All privileged, unprivileged and configuration commands work in this mode. Use the configure terminal command to start configuration mode and the exit or quit command to leave it.


    Backups

    You should back up your configuration in at least one of the following ways:

    * Store the configuration in Flash memory with the write memory command. Should the need arise, you can restore the configuration from Flash memory with the configure memory command.

    * Use the write terminal command to list the configuration, then cut and paste the output into a text file and archive that file. You can restore a configuration from a text file by entering configure terminal and pasting the configuration in, either line by line or as a whole.

    * Store the configuration on another system: use the tftp-server command to specify the host, then the write net command to store the configuration there.

    The listing contains the encrypted enable and Telnet password strings, and write net sends it over TFTP in clear text, so treat the archived file and the TFTP server as sensitive.

    Default configuration

    The default configuration commands are:

    * nameif: identifies the interface name and specifies its security level. If you have more than two interfaces, you need to add a nameif command to the configuration for each interface.

    * enable password: lists the encrypted privileged mode password.

    * passwd: lists the encrypted password for Telnet access to the PIX Firewall console.

    * hostname: sets the PIX Firewall system name to pixfirewall. You can change this name or leave the default.

    * names: lets you replace IP addresses with names from your native language to add clarity to your configuration. It is best to ignore this command until you have established network connectivity.


    * interface commands: identify the speed of each interface, or whether the network interface card can automatically sense its speed and duplex. All interfaces are disabled by default. Before you can use an interface you need to enable it by entering the interface command without the shutdown option. The names outside and inside come from the nameif command, not from the interface command.

    example: interface ethernet0 auto
             interface ethernet1 auto

    The auto option of the interface command is not recommended. For best performance, specify the interface speed explicitly, such as 10baset, 10full, 100basetx, 100full, 1000basesx, 1000sxfull, or 4mbps or 16mbps for a Token Ring interface.

    * mtu commands: set the maximum packet size to 1500 bytes for Ethernet, or to the appropriate size for a Token Ring interface.

    * ip address commands: identify the IP address of each interface.


    Help Information

    * Help information is available from the PIX Firewall command line: enter help or a question mark to list all commands. The number of commands listed by the question mark or help command differs by access mode, so unprivileged mode offers the fewest commands and configuration mode the most. In addition, you can enter any command by itself on the command line and press Enter to view the command syntax.

    IP Addresses


    * The PIX Firewall requires that the IP addresses given in the ip address, static, global, failover, and virtual commands be unique; in particular, none of them may duplicate an interface address.

    * An IP address is primarily one of these values:

    - local_ip: an untranslated IP address on the internal, protected network. In an outbound connection originated from local_ip, the local_ip is translated to a global_ip.

    - global_ip: a translated global IP address from the pool, or an address declared with the global or static commands.

    - foreign_ip: an untranslated IP address on an external network; foreign_ip is the address of a host on the external network.


    Mask

    For the PIX Firewall commands that accept network masks, specify the correct mask for the network address. For a single host use 255.255.255.255. For the ip address command use the network mask of the interface, and for the global command give the network mask both for a PAT (Port Address Translation) address and when specifying a pool of global addresses.

    Examples:

    ip address inside 10.1.1.1 255.255.255.0
    ip address outside 209.165.201.1 255.255.255.224
    nat (inside) 1 10.1.1.0 255.255.255.0
    global (outside) 1 209.165.201.2 netmask 255.255.255.224
    static (inside,outside) 209.165.201.3 10.1.1.3 netmask 255.255.255.255
    access-list acl-out permit tcp any host 209.165.201.3 eq www
    route outside 0 0 209.165.201.4 1
    telnet 10.1.1.2 255.255.255.255


    - The ip address commands specify the addresses of the inside and outside network interfaces.

    - The nat command lets users on the inside start connections to the outside.

    - The global command provides the PAT (Port Address Translation) address used for the translated connections from the inside.

    - The static command maps an inside host to a global address so that outside users can reach it. Host masks are always specified as 255.255.255.255.

    - The access-list command permits any outside host to reach the global address specified by the static command, and only on TCP port 80 (www). The list takes effect only once it is bound to the outside interface with access-group.

    - The route statement specifies the address of the default router. The 0 0 entry means any host and its respective mask (0.0.0.0 0.0.0.0).

    - The telnet command specifies a host that may access the PIX Firewall console with Telnet. Telnet is unencrypted, so restrict it to specific inside management hosts, as here.

    Using the Commands on a Network


    1. Without NAT

    [Diagram: two-interface PIX without NAT. Router 202.100.100.1/29 on the outside; PIX outside interface 202.100.100.2/29; PIX inside interface 202.100.100.9/29; inside hosts 202.100.100.10-14/29, including the web server and the mail server. The diagram uses 202.100.100.x, while the configuration that follows uses 200.100.100.x for the same topology.]

    - IP addresses pass through the firewall unchanged in both directions (transparent IP)
    - Connections from the outside to the inside are filtered with an access-list
    - All connections from the inside to the outside (Internet) are permitted

    Because the inside network (x.x.x.8/29) is a different subnet from the outside link (x.x.x.0/29), the upstream router must have a route to the inside subnet via the PIX outside address; that route is not part of the PIX configuration.

    Command Configuration without NAT


    nameif ethernet0 outside security0

    nameif ethernet1 inside security100

    enable password 2KFQnbNIdI.2KYOU encrypted

    passwd 2KFQnbNIdI.2KYOU encrypted

    hostname pixfirewall

    access-list acl-out permit tcp any host 200.100.100.13 eq www

    access-list acl-out permit tcp any host 200.100.100.14 eq pop3

    access-list acl-out permit tcp any host 200.100.100.14 eq smtp

    access-list acl-in permit ip any any

    interface ethernet0 auto

    interface ethernet1 auto


    ip address outside 200.100.100.2 255.255.255.248

    ip address inside 200.100.100.9 255.255.255.248

    nat (inside) 0 0.0.0.0 0.0.0.0 0 0

    static (inside,outside) 200.100.100.13 200.100.100.13 netmask 255.255.255.255 0 0

    static (inside,outside) 200.100.100.14 200.100.100.14 netmask 255.255.255.255 0 0

    access-group acl-in in interface inside

    access-group acl-out in interface outside

    rip inside default version 1

    route outside 0.0.0.0 0.0.0.0 200.100.100.1 1


    Understanding Network Address Translation.


    2. With Dynamic NAT

    [Diagram: two-interface PIX with dynamic NAT. Router 202.100.100.1/29 on the outside; PIX outside interface 202.100.100.2/29; dynamic NAT pool 202.100.100.9-14/29; PIX inside interface 100.100.100.1/29 with inside hosts 100.100.100.2-6/29. The configuration that follows uses 200.100.100.x on the outside and a /24 inside network.]

    - Connections from the inside to the outside use a legal (registered) address taken from the pool
    - Connections from the outside to the inside are filtered with an access-list
    - All connections from the inside to the outside (Internet) are permitted

    Two points to check before deploying this: the pool holds six addresses, so at most six inside hosts can hold translations at one time unless a PAT address is added under the same global id as a fallback; and the pool subnet (x.x.x.8/29) is not the outside interface subnet, so the upstream router needs a route for it pointing at the PIX.

    Command Configuration with Dynamic NAT


    nameif ethernet0 outside security0

    nameif ethernet1 inside security100

    enable password 2KFQnbNIdI.2KYOU encrypted

    passwd 2KFQnbNIdI.2KYOU encrypted

    hostname pixfirewall

    access-list acl-out deny ip any any

    access-list acl-in permit ip any any

    interface ethernet0 auto

    interface ethernet1 auto


    ip address outside 200.100.100.2 255.255.255.248

    ip address inside 100.100.100.1 255.255.255.0

    nat (inside) 1 100.100.100.0 255.255.255.0 0 0

    global (outside) 1 200.100.100.9-200.100.100.14

    access-group acl-in in interface inside

    access-group acl-out in interface outside

    rip inside default version 1

    route outside 0.0.0.0 0.0.0.0 200.100.100.1 1


    3. With Static NAT

    [Diagram: three-interface PIX with static NAT and PAT. Router 202.100.100.1/30 on the outside; PIX outside interface 202.100.100.2/30; PAT addresses 202.100.100.5 and 202.100.100.6/30; DMZ interface 90.90.90.1 with the web server 90.90.90.2 (static 202.100.100.9/29) and the mail server 90.90.90.3 (static 202.100.100.10/29); inside interface 100.100.100.1/24 with inside hosts 100.100.100.2-3/24. The diagram shows the DMZ with mask 255.0.0.0; the configuration that follows uses 255.255.255.0.]

    - Connections from the inside to the Internet use the Port Address Translation address
    - Connections from the inside to the DMZ are meant to use the private (untranslated) addresses
    - Connections from the DMZ to the outside (Internet) use the legal static addresses
    - Connections from the Internet to the DMZ mail server and web server are enabled
    - All ports except web and mail (and any other application port in use) are filtered from the Internet

    As written, the two static (inside,dmz) lines in the configuration that follows are identity mappings for the DMZ servers' own addresses. For inside hosts (100.100.100.0/24) to reach the DMZ, the nat (inside) 1 rule also needs a matching global (dmz) 1 entry (or an identity translation for the inside network toward the dmz interface); without one the PIX has no translation for that path and drops the connection.

    Command Configuration with Static NAT


    nameif ethernet0 outside security0

    nameif ethernet1 dmz security50

    nameif ethernet2 inside security100

    enable password 2KFQnbNIdI.2KYOU encrypted

    passwd 2KFQnbNIdI.2KYOU encrypted

    hostname pixfirewall

    access-list acl-out permit tcp any host 202.100.100.9 eq www

    access-list acl-out permit tcp any host 202.100.100.10 eq pop3

    access-list acl-out permit tcp any host 202.100.100.10 eq smtp

    access-list acl-in permit ip any any


    interface ethernet0 auto

    interface ethernet1 auto

    interface ethernet2 auto

    ip address outside 202.100.100.2 255.255.255.252

    ip address dmz 90.90.90.1 255.255.255.0

    ip address inside 100.100.100.1 255.255.255.0

    nat (inside) 1 100.100.100.0 255.255.255.0 0 0

    global (outside) 1 202.100.100.5

    global (outside) 1 202.100.100.6


    static (dmz,outside) 202.100.100.9 90.90.90.2 netmask 255.255.255.255 0 0

    static (dmz,outside) 202.100.100.10 90.90.90.3 netmask 255.255.255.255 0 0

    static (inside,dmz) 90.90.90.2 90.90.90.2 netmask 255.255.255.255 0 0

    static (inside,dmz) 90.90.90.3 90.90.90.3 netmask 255.255.255.255 0 0

    access-group acl-in in interface inside

    access-group acl-in in interface dmz

    access-group acl-out in interface outside

    rip inside default version 1

    route outside 0.0.0.0 0.0.0.0 202.100.100.1 1
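As an added example (not code from the slides or from Cisco), the following Python models how the nat, global and static lines of the three configurations above (without NAT, with dynamic NAT, with static NAT and PAT) translate a source address, and what the lower-security side can reach. It models only translation: security levels, access lists, connection state and xlate timeouts are left out, and a PAT translation is reported as the shared address without a port. The rule order it assumes (static first, then nat with its matching global on the destination interface, nat 0 meaning no translation) is the behaviour these pages describe; the configuration snippets are copied from them.

```python
"""Model of how PIX nat, global and static lines translate addresses.

Added example for this page, not code from the original slides or from Cisco.
It models only the translation rules: security levels, access lists, connection
state and xlate timeouts are left out, and a PAT result reports the shared
address without a port. The snippets are the nat/global/static lines of the
page's three example configurations.
"""
import ipaddress
import re

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")


def parse_pix(text):
    """Collect nat, global and static rules from configuration text."""
    cfg = {"nat": [], "global": {}, "static": []}
    for line in text.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            ifc, nat_id, net, mask = m.groups()
            cfg["nat"].append((ifc, int(nat_id), ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif m := GLOBAL_RE.match(line):
            ifc, nat_id, spec = m.groups()
            if "-" in spec:  # address range: one global address per inside host
                lo, hi = (int(ipaddress.ip_address(a)) for a in spec.split("-"))
                entry = ("pool", [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)])
            else:  # single address: PAT, shared by many hosts and told apart by port
                entry = ("pat", spec)
            cfg["global"].setdefault((ifc, int(nat_id)), []).append(entry)
        elif m := STATIC_RE.match(line):
            cfg["static"].append(m.groups())  # (real_ifc, mapped_ifc, mapped_ip, real_ip)
    return cfg


class Pix:
    def __init__(self, config_text):
        self.cfg = parse_pix(config_text)
        self.xlate = {}  # (dst_ifc, local_ip) -> (kind, global address) already assigned

    def outbound(self, src_ifc, dst_ifc, local_ip):
        """Address a host on src_ifc shows on dst_ifc when it opens a connection.
        None means no rule applies: the PIX drops the connection ('no translation
        group found')."""
        for real_ifc, mapped_ifc, mapped, real in self.cfg["static"]:
            if (real_ifc, mapped_ifc, real) == (src_ifc, dst_ifc, local_ip):
                return ("static", mapped)  # static takes precedence over nat/global
        for ifc, nat_id, net in self.cfg["nat"]:
            if ifc != src_ifc or ipaddress.ip_address(local_ip) not in net:
                continue
            if nat_id == 0:
                return ("identity", local_ip)  # nat 0: address passes unchanged
            key = (dst_ifc, local_ip)
            if key in self.xlate:
                return self.xlate[key]  # an existing xlate is reused
            in_use = {addr for kind, addr in self.xlate.values() if kind == "dynamic"}
            for kind, spec in self.cfg["global"].get((dst_ifc, nat_id), []):
                if kind == "pool":
                    free = [a for a in spec if a not in in_use]
                    if not free:
                        continue  # pool exhausted: try the next global line, if any
                    spec = free[0]
                self.xlate[key] = (kind if kind == "pat" else "dynamic", spec)
                return self.xlate[key]
            return None  # nat matched but no global exists for dst_ifc
        return None

    def inbound(self, mapped_ifc, real_ifc, global_ip):
        """Real host behind global_ip for a connection that starts on mapped_ifc.
        Only static mappings admit connections initiated from the lower side."""
        for r_ifc, m_ifc, mapped, real in self.cfg["static"]:
            if (r_ifc, m_ifc, mapped) == (real_ifc, mapped_ifc, global_ip):
                return real
        return None


NO_NAT = """
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 200.100.100.13 200.100.100.13 netmask 255.255.255.255 0 0
static (inside,outside) 200.100.100.14 200.100.100.14 netmask 255.255.255.255 0 0
"""
DYNAMIC_NAT = """
nat (inside) 1 100.100.100.0 255.255.255.0 0 0
global (outside) 1 200.100.100.9-200.100.100.14
"""
STATIC_NAT = """
nat (inside) 1 100.100.100.0 255.255.255.0 0 0
global (outside) 1 202.100.100.5
global (outside) 1 202.100.100.6
static (dmz,outside) 202.100.100.9 90.90.90.2 netmask 255.255.255.255 0 0
static (dmz,outside) 202.100.100.10 90.90.90.3 netmask 255.255.255.255 0 0
static (inside,dmz) 90.90.90.2 90.90.90.2 netmask 255.255.255.255 0 0
static (inside,dmz) 90.90.90.3 90.90.90.3 netmask 255.255.255.255 0 0
"""


def dynamic_pool_demo():
    """Seven inside hosts against the six-address pool: the seventh gets no xlate."""
    pix = Pix(DYNAMIC_NAT)
    return [pix.outbound("inside", "outside", f"100.100.100.{n}") for n in range(2, 9)]
```

Two results are worth noticing. In the dynamic-NAT configuration a /24 inside network is served by a six-address pool, so dynamic_pool_demo() returns None for the seventh host; on a real PIX the usual fix is a single PAT address under the same global id, which the model would then pick up once the pool is exhausted. In the static-NAT configuration an inside host gets a PAT translation toward the outside but none toward the dmz interface, because there is no global (dmz) 1 line and the static (inside,dmz) entries only describe the DMZ servers' own addresses; the model returns None for that path, which corresponds to the dropped connection described above.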


    How would you configure the PIX if your network looks like this?


    [Diagram (exercise topology; labels only, the device-to-address pairing is not fully recoverable from the slide): Internet reached over ISDN and Frame Relay links; devices: Cisco 1720, Cisco 2509 (dial-up users), Cisco PIX, NAT server, 3COM 3C892A, proxy server, web server & mail server, DNS Server 1, DNS Server 2; zones: inside, DMZ, outside. Addresses shown: 192.1.1.1/30 and 192.1.1.2/30 (point-to-point link), 192.237.117.214/28 and 192.237.117.209/28, 192.168.1.1/24, 192.168.1.2/24, 192.168.1.3/24, 192.168.1.19/24, 192.168.11.99/24, 206.182.235.225/29, 206.182.235.227/29, 206.182.235.228/29, 206.182.235.229/29, 206.182.235.230/29; one link is IP unnumbered. PC address ranges: 192.168.1.5/24 to 192.168.1.15/24, 192.168.1.20/24 to 192.168.1.254/24, 192.168.11.20/24 to 192.168.11.254/24. Notes: NAT inside to Internet with IP 206.182.235.238; NAT inside to DMZ with IP 206.182.235.226.]