CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] (text version)
Greg Bastien; Earl Carter; Christian Degu
  • Foundation Summary


    The "Foundation Summary" provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this summary provides a convenient way to review the day before the exam.

    All interfaces on the Cisco PIX Firewall are assigned security levels. The higher the number, the more secure the interface. Traffic is allowed to pass from an interface with a higher security level to an interface with a lower security level without a specific rule in the security policy. By default, the outside interface (Ethernet 0) is assigned a security level of 0, and the inside interface (Ethernet 1) is assigned a security level of 100. All other interfaces must be manually assigned a security level using the nameif command. Traffic does not pass through two interfaces if they have the same security level.

    The PIX Firewall handles the two transport protocols, TCP and UDP, very differently. TCP is a connection-oriented protocol that creates a session, so it is relatively simple traffic for the PIX Firewall to track. The initial TCP sequence number generated by the source machine is replaced by a randomly generated number as the SYN passes through the PIX Firewall on its way to the destination; the firewall records the offset and adjusts the sequence and acknowledgment numbers of every later packet in that connection, so neither endpoint sees the substitution. This makes hijacking a TCP session much harder: even if the source host's own sequence numbers are predictable, the numbers the destination sees are chosen randomly by the firewall, and an attacker cannot simply guess the next number in a series. Figure 5-8 shows how the PIX Firewall handles a TCP handshake.


    Figure 5-8. PIX Firewall Handling TCP Traffic


    Because UDP is a connectionless protocol, determining a connection's state can be very difficult. When outbound UDP traffic is generated, the PIX Firewall completes the necessary address translation and saves the session object in the state table. If no matching return traffic arrives within the UDP idle timeout (the default is 2 minutes), the entry is removed and the connection is considered closed. If a response arrives within the timeout, the PIX Firewall verifies the connection information (addresses and ports); only if it matches the session object in the state table does the PIX Firewall allow the traffic through. Figure 5-9 shows how the PIX Firewall typically handles UDP traffic.


    Figure 5-9. PIX Firewall Handling UDP Traffic


    There are two types of address translation:

    • Dynamic address translation is broken into two categories:

      - Network Address Translation (NAT) Multiple local hosts translate to a pool of global addresses.

      - Port Address Translation (PAT) Multiple local hosts translate to a single global address.

    • Static translation A single local address translates to a single global address. A static translation is the first requirement for a connection from a lower security level to a higher security level, but by itself it does not permit anything: the connection must also be allowed in the security policy, using either the conduit command or the access-list command. An access list takes effect only when it is bound to a specific interface with the access-group command.


    Multiple connections can take place through a single translation. Translations take place at the network layer (IP addresses), and connections occur at the transport layer (TCP or UDP sessions between specific ports). Every connection therefore rides on a translation, and in this sense the connections are a subset of the translations. Two specific commands are used to troubleshoot translation:

    • show xlate Displays translation slot information. Many options are available to display specific information about the address translations.

    • clear xlate Clears the translation table. Again, many options enable you to clear specific portions of the translation table.


    A single command with numerous options is used to troubleshoot connections:

    • show conn Displays the number of and information about the active connections for the options specified.
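
    The security levels, the three translation types, the access-list and access-group requirement, the UDP idle timeout and the troubleshooting commands reviewed above can all be seen together in one PIX 6.x configuration. The following is an added example, not a configuration from the book or from Cisco; the interface names, the RFC 5737 documentation addresses and the access-list name are assumed for illustration, and lines beginning with ! are annotations rather than commands.

```cisco
! Security levels: inside 100 (most trusted), dmz 50, outside 0.
! Traffic flows from a higher to a lower level without a rule;
! lower to higher needs a static translation AND an explicit permit.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0

! Dynamic NAT: inside hosts translate to a pool of global addresses.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
! PAT: when the pool is exhausted, remaining hosts share one address.
global (outside) 1 192.0.2.21 netmask 255.255.255.0

! Static translation: one global address for one DMZ web server.
! This alone does not permit any inbound connection.
static (dmz,outside) 192.0.2.30 172.16.1.10 netmask 255.255.255.255 0 0

! Security policy: permit only HTTP from the outside to that server.
! On PIX 6.x the access list refers to the global (translated) address.
access-list acl_outside permit tcp any host 192.0.2.30 eq www
! An access list does nothing until it is bound to an interface.
access-group acl_outside in interface outside

! UDP idle timeout (the default, shown explicitly): a UDP state entry
! that sees no return traffic for two minutes is removed.
timeout udp 0:02:00

! Troubleshooting: translation slots and the connections riding on them.
! One xlate for the web server can carry many TCP connections.
show xlate
show conn
! clear xlate with no options tears down every translation and every
! connection using it; scope it instead, for example:
clear xlate local 10.1.1.5
```

    Both the nat and static commands accept a norandomseq keyword that turns off the initial-sequence-number randomization described earlier for the hosts they cover. Use it only where an application genuinely breaks when the firewall rewrites sequence numbers (a TCP session that signs its own header, for example), because it gives up the protection against sequence-number prediction for exactly those hosts.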


