See Part I: How to configure a hardware firewall
10. Address Translation (NAT)
The NAT configuration of a firewall is essentially the same as that of a router: first define the internal address group whose addresses are to be translated, then define the external address pool they are translated into.
The internal address group to be translated is defined with the nat command, whose format is:
nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]]
Here if_name is the interface name; nat_id is the number of the internal address group; local_ip is the local network address; netmask is its subnet mask; max_conns is the maximum number of TCP connections allowed on this interface, with the default "0" meaning unrestricted; and em_limit is the number of connections allowed from this interface, again defaulting to "0", unrestricted. For example:
nat (inside) 1 10.1.6.0 255.255.255.0
defines all hosts in the network 10.1.6.0 with subnet mask 255.255.255.0 as NAT address group 1.
The external address pool that the internal addresses are translated into is then defined with the global command, whose basic format is:
global [(if_name)] nat_id global_ip [netmask [max_conns [em_limit]]]
The parameters have the same meaning as for nat. For example:
global (outside) 1 175.1.1.3-175.1.1.64 netmask 255.255.255.0
translates the internal address group 1 set up by the nat command into external addresses drawn from the pool 175.1.1.3 to 175.1.1.64, with subnet mask 255.255.255.0.
Port redirection with static
static is the static port redirection command. Cisco PIX version 6.0 adds port redirection, which lets external users reach a designated internal server through the firewall via a specific IP address/port. The redirected address can be a unique external address, a shared external PAT address, or the shared external interface address. This is used to publish internal WWW, FTP, mail and other servers: outside clients never connect to the internal server directly but only through the redirected port, which keeps the internal server well protected.
There are two command formats, (1) for non-TCP/UDP traffic and (2) for TCP/UDP traffic:
(1) static [(internal_if_name, external_if_name)] {global_ip|interface} local_ip [netmask mask] [max_conns [emb_limit [norandomseq]]]
(2) static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global_port local_ip local_port [netmask mask] [max_conns [emb_limit [norandomseq]]]
The parameters of this command are as follows:
internal_if_name: internal interface name
external_if_name: external interface name
{tcp|udp}: the transport protocol being redirected
{global_ip|interface}: the external IP address to redirect from, or the shared external interface address
global_port: the external port being redirected
local_ip: the internal server's IP address
local_port: the port on the internal server
[netmask mask]: the local subnet mask
max_conns: the maximum number of TCP connections allowed, default "0" meaning unrestricted
emb_limit: the number of connections allowed from this interface, default "0" meaning unrestricted
norandomseq: do not randomize the TCP sequence numbers of the translated connections; this option is normally left off