Foundation SummaryThe "Foundation Summary" provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this summary provides a convenient way to review the day before the exam.All interfaces on the Cisco PIX Firewall are assigned security levels. The higher the number, the more secure the interface. Traffic is allowed to pass from an interface with a higher security level to an interface with a lower security level without a specific rule in the security policy. By default, the outside interface (Ethernet 0) is assigned a security level of 0, and the inside interface (Ethernet 1) is assigned a security level of 100. All other interfaces must be manually assigned a security level using the nameif command. Traffic does not pass through two interfaces if they have the same security level.The PIX Firewall handles transport protocols completely differently. TCP is a connection-oriented protocol that creates a session and is relatively simple traffic for the PIX Firewall to handle. The TCP sequence number that is generated by the source machine is replaced by a randomly generated number as it passes through the PIX Firewall on its way to the destination. It becomes very difficult to hijack a TCP session because the initial TCP sequence numbers are randomly generated by the firewall and you cannot simply select the next sequence number in a series. Figure 5-8 shows how the PIX Firewall handles a TCP handshake. Figure 5-8. PIX Firewall Handling TCP Traffic[View full size image] ![]() Figure 5-9. PIX Firewall Handling UDP Traffic[View full size image] ![]()
Multiple connections can take place through a single translation. Translations take place at the network layer, and connections occur at the transport layer. Therefore, connections are a subset of translations. Two specific commands are used to troubleshoot translation:
A single command with numerous options is used to troubleshoot connections:
![]() |