This article describes how the Cisco PIX Firewall handles connections and address translation when it is deployed alongside a router, and which configuration steps are involved.
1. ASA Security Level
By default, the Cisco PIX Firewall assigns a security level to each interface: the more trusted the network segment, the higher its security level. Security levels range from 0 to 100. By default, security level 0 is assigned to e0, whose default name is outside, and security level 100 is assigned to e1, whose default name is inside.
Use the nameif command to configure any additional interfaces, with a security level between 1 and 99.
For example:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
1.1 The Adaptive Security Algorithm (ASA) allows traffic to flow from a higher security level segment to a lower security level segment. You do not need specific rules in the security policy to allow these connections, but you still need the nat/global commands to configure address translation on these interfaces.
1.2 Conversely, for traffic to flow from a lower security level segment to a higher security level segment, it must be explicitly permitted by the security policy (for example by an ACL or a conduit).
1.3 If two interfaces are set to the same security level, traffic cannot flow between them.
Remember that ASA is the key to stateful connection control on the Cisco PIX Firewall.
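The three rules above can be checked mechanically. The following is an added example (not code from the article or from Cisco) that parses nameif lines like the ones shown earlier and returns the default ASA decision for a new connection between two interfaces. The fourth interface (dmz2) and its shared security level are assumed here only to exercise rule 1.3.

```python
# Added example (not from the article or Cisco): a model of the PIX default
# interface policy. The nameif lines are the ones in the text; the decision
# function implements rules 1.1 to 1.3.

# Constructed config snippet, reusing the article's three nameif commands plus a
# fourth interface (assumed) that shares the DMZ's security level.
CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 dmz2 security50
"""


def parse_nameif(line):
    """Parse 'nameif <hw_if> <name> security<N>' into (hw_if, name, level)."""
    parts = line.split()
    if len(parts) != 4 or parts[0].lower() != "nameif" \
            or not parts[3].lower().startswith("security"):
        raise ValueError("not a nameif line: %r" % line)
    level = int(parts[3][len("security"):])
    if not 0 <= level <= 100:
        raise ValueError("security level must be 0-100, got %d" % level)
    return parts[1], parts[2], level


def load_levels(config_text):
    """Build {interface_name: security_level} from the nameif lines of a config."""
    levels = {}
    for line in config_text.splitlines():
        if line.strip().lower().startswith("nameif"):
            _, name, level = parse_nameif(line.strip())
            levels[name] = level
    return levels


def default_decision(src_if, dst_if, levels, explicit_policy=False):
    """'permit' or 'deny' for a new connection entering src_if and leaving dst_if.

    1.1 higher -> lower security level: permitted by default.
    1.2 lower -> higher: only if an explicit policy (ACL or conduit) allows it.
    1.3 equal levels: traffic does not flow between the interfaces.
    """
    src, dst = levels[src_if], levels[dst_if]
    if src > dst:
        return "permit"
    if src < dst and explicit_policy:
        return "permit"
    return "deny"


LEVELS = load_levels(CONFIG)

if __name__ == "__main__":
    for src, dst in (("inside", "outside"), ("outside", "inside"), ("dmz", "dmz2")):
        print(src, "->", dst, default_decision(src, dst, LEVELS))
```

Note that an explicit policy changes the answer only for the low-to-high case; two interfaces at the same level stay isolated regardless, which is the point of rule 1.3.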
2. Transmission Protocol
2.1 First, understand the OSI seven-layer model. Frankly, anyone working in IT must understand it, just as they must understand Windows DNS; it takes time to learn. Layers 1 to 7 are numbered upward from the physical layer: the physical layer is layer 1 and the application layer is layer 7.
Application layer: data
Presentation layer: data
Session layer: data
Transport layer: segment
Network layer: packet
Data link layer: frame
Physical layer: bit
2.2 Understand TCP/IP
Generally speaking, TCP/IP includes two transport protocols, TCP and UDP. TCP/IP is in fact a protocol family, a practical implementation of the OSI model and the industry standard family actually used on networks. TCP is a connection-oriented transport protocol responsible for reliable and efficient communication between nodes. It establishes a virtual circuit between source and destination and completes its work through bidirectional communication; because of its higher overhead, it is slower. UDP is a connectionless transport protocol that simply sends datagrams to the destination.
Understand TCP communication between nodes without a PIX (the three-way handshake).
Understand TCP communication between nodes with a PIX in the path.
2.3 Note that the default security policy allows UDP packets to be sent from a higher security segment to a lower security segment.
The Cisco PIX Firewall processes UDP traffic as follows:
2.3.1 The source host initiates a UDP connection. The Cisco PIX Firewall receives the connection and routes it toward the destination. The PIX applies its default rules and any required address translation, creates a session object in the state table, and allows the connection out through the outside interface.
2.3.2 Any returned traffic must match the session object and arrive before the session times out. The default session timeout is 2 minutes. If the response does not match the session object, or the session has timed out, the packet is dropped. If everything matches, the response is allowed through to the source host that made the request.
2.3.3 Any inbound UDP session from a lower security level segment to a higher security level segment must be permitted by the security policy, or the connection is dropped.
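The following added example (not code from the article or from Cisco) models the session table behaviour described in 2.3.1 to 2.3.3, and also the TCP case from 2.2, where the PIX only lets a new TCP connection begin with the first step of the three-way handshake. Assumed, not from the text: flows are keyed on the 5-tuple, the interfaces are inside (level 100) and outside (level 0), the clock is passed in explicitly so the 2-minute timeout can be tested, and all addresses and ports in the demo traffic are constructed.

```python
# Added example (not from the article or Cisco): a small model of the stateful
# session table the PIX keeps for TCP and UDP. Assumed, not from the text: flows
# are keyed on the 5-tuple, the interfaces are inside (100) and outside (0), and
# the clock is passed in so the 2-minute UDP timeout can be exercised directly.
from dataclasses import dataclass

UDP_TIMEOUT = 120            # default UDP session timeout from section 2.3.2
LEVELS = {"inside": 100, "outside": 0}


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ingress: str             # interface the packet arrived on
    tcp_flags: str = ""      # "S", "SA", "A" ...; empty for UDP


def key(p):
    return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)


def reverse_key(p):
    return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)


class SessionTable:
    def __init__(self, permit_inbound=()):
        self.sessions = {}                         # initiator 5-tuple -> last-seen time
        self.permit_inbound = set(permit_inbound)  # policy entries (proto, dst_ip, dst_port)

    def _match(self, k, p, now):
        """Refresh an existing session object, or expire it if the UDP idle timeout passed."""
        if p.proto == "udp" and now - self.sessions[k] > UDP_TIMEOUT:
            del self.sessions[k]                   # 2.3.2: timed out, the response is dropped
            return False
        self.sessions[k] = now
        return True

    def process(self, p, egress, now):
        """Return 'permit' or 'drop' for p and update the session table."""
        for k in (reverse_key(p), key(p)):         # return traffic, then more initiator traffic
            if k in self.sessions and self._match(k, p, now):
                return "permit"
        if p.proto == "tcp" and p.tcp_flags != "S":
            return "drop"                          # TCP must start with the first handshake step
        if LEVELS[p.ingress] > LEVELS[egress]:
            allowed = True                         # high -> low: default policy permits
        elif LEVELS[p.ingress] < LEVELS[egress]:
            allowed = (p.proto, p.dst_ip, p.dst_port) in self.permit_inbound   # 2.3.3
        else:
            allowed = False                        # equal levels: no flow
        if not allowed:
            return "drop"
        self.sessions[key(p)] = now                # 2.3.1: create the session object
        return "permit"


def demo():
    """Constructed traffic: an inside DNS query, and a web server opened by policy."""
    fw = SessionTable(permit_inbound=[("tcp", "192.168.6.20", 80)])
    q = Packet("udp", "192.168.6.10", 40000, "198.51.100.53", 53, "inside")
    r = Packet("udp", "198.51.100.53", 53, "192.168.6.10", 40000, "outside")
    stray = Packet("udp", "203.0.113.7", 5555, "192.168.6.10", 40000, "outside")
    syn_in = Packet("tcp", "203.0.113.7", 51000, "192.168.6.20", 80, "outside", "S")
    synack_in = Packet("tcp", "203.0.113.7", 51000, "192.168.6.30", 2222, "outside", "SA")
    return {
        "udp_query": fw.process(q, "outside", now=0),
        "udp_reply": fw.process(r, "inside", now=30),
        "udp_unsolicited": fw.process(stray, "inside", now=31),
        "udp_reply_after_timeout": fw.process(r, "inside", now=30 + UDP_TIMEOUT + 1),
        "tcp_syn_to_permitted_server": fw.process(syn_in, "inside", now=40),
        "tcp_synack_without_session": fw.process(synack_in, "inside", now=41),
    }
```

The UDP reply is matched only by reversing the 5-tuple of the session the inside host created; a datagram from a different source to the same inside port has no session object and is dropped, as is a reply that arrives after the idle timer has expired.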
3. Network Address Translation
Understand the three address ranges defined in RFC 1918:
10.0.0.0 ~ 10.20.255.255
172.16.0.0 ~ 172.16.255.255
192.168.0.0 ~ 192.168.255.255
Address translation is the mechanism by which the Cisco PIX Firewall lets internal nodes with private IP addresses reach the Internet. The address before translation is called the local (inside) address, and the address after translation is called the global address.
Any address on one interface can be translated into an address on any other interface; for example, the addresses of an inside CIDR block can be translated to outside addresses or to DMZ addresses, as long as the nat and global commands are used correctly.
For example:
global (outside) 1 interface
global (dmz) 1 xxx.xxx
nat (inside) 1 192.168.6.0 255.255.255.0 0 0
Dynamic address translation includes NAT and PAT. Static translation, which we call static mapping, is used for DMZ interface addresses, typically for key services such as web and mail servers, so that users on the Internet can reach these servers through their global addresses.
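To make the difference between PAT on the interface address, dynamic NAT from a pool, and a static mapping concrete, the following added example (not code from the article or from Cisco) models the nat/global/static commands above. The nat (inside) 1 192.168.6.0 255.255.255.0 rule and the global (outside) 1 interface line are the article's; the interface addresses, the DMZ pool standing in for "xxx.xxx", and the static web-server mapping are constructed. The RFC 1918 membership check uses the three blocks as the RFC defines them.

```python
# Added example (not from the article or Cisco): a model of the nat/global and
# static translations described above. The nat (inside) 1 192.168.6.0/24 rule and
# the global (outside) 1 interface line are the article's; the interface
# addresses, the DMZ pool and the static web-server mapping are constructed.
import ipaddress
import itertools

# The three RFC 1918 private blocks (as defined in the RFC).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class Translator:
    def __init__(self, if_addrs):
        self.if_addrs = if_addrs      # interface name -> its own IP (for 'global ... interface')
        self.nat_rules = []           # (nat_id, ingress_if, network)
        self.global_pools = {}        # (nat_id, egress_if) -> "interface" or [addresses]
        self.statics = {}             # (ingress_if, egress_if, local_ip) -> global_ip
        self.nat_xlate = {}           # (local_ip, egress_if) -> global_ip (one-to-one dynamic NAT)
        self.pat_xlate = {}           # (local_ip, local_port, egress_if) -> (global_ip, port)
        self.next_port = itertools.count(1024)

    def nat(self, ingress_if, nat_id, network, mask):
        """nat (ingress_if) nat_id network mask"""
        self.nat_rules.append((nat_id, ingress_if, ipaddress.ip_network("%s/%s" % (network, mask))))

    def global_(self, egress_if, nat_id, pool):
        """global (egress_if) nat_id interface | first-last"""
        if pool != "interface":
            first, last = (int(ipaddress.ip_address(a)) for a in pool.split("-"))
            pool = [str(ipaddress.ip_address(n)) for n in range(first, last + 1)]
        self.global_pools[(nat_id, egress_if)] = pool

    def static(self, ingress_if, egress_if, global_ip, local_ip):
        """static (ingress_if,egress_if) global_ip local_ip"""
        self.statics[(ingress_if, egress_if, local_ip)] = global_ip

    def translate(self, ingress_if, egress_if, local_ip, local_port):
        """Return (global_ip, global_port) for a packet, or None if no rule applies."""
        if (ingress_if, egress_if, local_ip) in self.statics:          # static mapping wins
            return (self.statics[(ingress_if, egress_if, local_ip)], local_port)
        ip = ipaddress.ip_address(local_ip)
        for nat_id, iface, net in self.nat_rules:
            if iface != ingress_if or ip not in net or (nat_id, egress_if) not in self.global_pools:
                continue
            pool = self.global_pools[(nat_id, egress_if)]
            if pool == "interface":                                   # PAT on the interface address
                k = (local_ip, local_port, egress_if)
                if k not in self.pat_xlate:
                    self.pat_xlate[k] = (self.if_addrs[egress_if], next(self.next_port))
                return self.pat_xlate[k]
            k = (local_ip, egress_if)                                 # dynamic NAT from a pool
            if k not in self.nat_xlate:
                in_use = {g for (lip, e), g in self.nat_xlate.items() if e == egress_if}
                free = [a for a in pool if a not in in_use]
                if not free:
                    return None                                       # pool exhausted
                self.nat_xlate[k] = free[0]
            return (self.nat_xlate[k], local_port)
        return None


def build_demo():
    """Constructed PIX: the article's nat/global lines plus an assumed DMZ pool and static."""
    t = Translator({"outside": "203.0.113.1", "dmz": "172.16.50.1", "inside": "192.168.6.1"})
    t.global_("outside", 1, "interface")                        # global (outside) 1 interface
    t.global_("dmz", 1, "172.16.50.100-172.16.50.101")          # global (dmz) 1 xxx.xxx (assumed pool)
    t.nat("inside", 1, "192.168.6.0", "255.255.255.0")          # nat (inside) 1 192.168.6.0 255.255.255.0
    t.static("dmz", "outside", "203.0.113.80", "172.16.50.10")  # static web server (assumed)
    return t
```

With the same nat id, the egress interface selects which global pool is used: the same inside host gets a PAT port on the outside interface address when heading to the Internet, but a one-to-one address from the pool when heading to the DMZ, and the pool returns None once its two addresses are taken. The static entry needs no state and answers for the DMZ server in the inbound direction as well.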