Using Management Center for Firewalls 1.3
Configuring Translation Rules

Table Of Contents

Configuring Translation Rules

Address Translation Basics

NAT Types

Dynamic NAT

Dynamic PAT

Static NAT

Static PAT

Bypassing NAT

Policy NAT

Managing Alias Command Support

Order of NAT Commands Used to Match Local Addresses

Global Addresses to Use

DNS and NAT

Other Properties Controlled by Translation Rules

Defining Translation Rules in Firewall MC

What's New in Firewall MC 1.3 NAT Support

Notes About Translation Rules

Configuring Dynamic NAT and Dynamic Policy NAT

Adding or Editing a Dynamic Translation Rule

Adding or Editing a Dynamic Policy NAT Rule

Deleting a Dynamic Translation Rule

Configuring Static NAT and PAT

Important Notes About PAT Translation Rules

Adding or Editing a Static Translation Rule

Deleting a Static Translation Rule

Bypassing NAT

Configuring Identity NAT

Configuring NAT Exemption Rules

Viewing Translation Rules


Configuring Translation Rules


Firewall devices support different types of Network Address Translation (NAT). They also process these translation rules differently.

In routed firewall mode, the firewall device typically performs NAT between most networks. In transparent firewall mode, the inside and outside networks are the same, so the firewall does not perform NAT. However, you still must configure some features in the Configuration > Translation Rules area. For more information, see Other Properties Controlled by Translation Rules.

Topics to be discussed are:

Address Translation Basics

NAT Types

Order of NAT Commands Used to Match Local Addresses

Global Addresses to Use

DNS and NAT

Other Properties Controlled by Translation Rules

Defining Translation Rules in Firewall MC

Configuring Dynamic NAT and Dynamic Policy NAT

Configuring Static NAT and PAT

Bypassing NAT

Viewing Translation Rules

Address Translation Basics

Address translation substitutes the local address (also called original or source address) on a packet with a global address that can be routed on the destination network. In this document, all types of translation are generally referred to as NAT.

On a firewall device, you must specifically configure some interfaces to use or bypass NAT. For example, when hosts on a higher security interface (inside) access hosts on a lower security interface (outside), you must configure NAT on the inside hosts or specifically configure the inside hosts to bypass NAT (See the "Configuring Interfaces" section on page 8-5 for more information about security levels).


Note When discussing NAT, the terms inside and outside are relative, and represent the relationship between any two interfaces. The higher security level is inside and the lower security level is outside even if, for example, both interfaces are used as DMZs.


An inside host can communicate with the untranslated local address of the outside host without any special configuration on the outside interface. However, you can also optionally perform NAT on the outside network.

Interfaces that are on the same security level do not have to perform NAT. You can, however, optionally configure NAT for these interfaces.

Some benefits of NAT are:

You can use private addresses on your inside networks. Private addresses cannot be routed on the Internet.

NAT hides the local addresses from other networks, so an attacker on the destination network sees only the global address, not the real address of the host. Treat this as address hiding rather than as access control: real addresses can still leak through application payloads that the firewall does not translate (see Table 12-2) or through DNS servers that you expose (see the Caution in DNS and NAT).

You can resolve IP routing problems such as overlapping addresses.


Note See Table 12-2 for information about protocols that are not supported by NAT or PAT.


Figure 12-1 shows a typical NAT scenario, with a private network on the inside. When the inside user sends a packet to a web server, the local source address of the packet is changed to a routable global address. When the server responds, it sends the response to the global address, and the firewall receives the packet. The firewall then translates the global address to the local address before sending it on to the user.

Figure 12-1 NAT Example

NAT Types

You can implement address translation as dynamic NAT, dynamic PAT, static NAT, or static PAT, or as a mix of these types. You can also bypass NAT. See the following sections for information about each type:

Dynamic NAT

Dynamic PAT

Static NAT

Static PAT

Bypassing NAT

Policy NAT

Managing Alias Command Support

Dynamic NAT

Dynamic NAT translates a group of local addresses to a pool of global addresses that can be routed on the destination network. In Firewall MC, this feature is configured under Configuration > Translation Rules > Dynamic Translations. The global pool can include fewer addresses than the local group. When a local host accesses the destination network, the firewall device assigns it an IP address from the global pool. Because the translation is in place only for the duration of the connection, a given user does not keep the same IP address between connections. Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access control list (ACL)). Not only can you not predict the global IP address of the host, but also, the host does not have a global address unless it is the initiator. See Static NAT for reliable access to hosts.

Dynamic NAT has these disadvantages:

If the global pool has fewer addresses than the local group, you could run out of addresses if the traffic is more than expected. Use PAT if this event occurs often.

You have to use routable addresses in the global pool; if the destination network requires registered addresses, such as the Internet, you might have a shortage of usable addresses.

The advantage of dynamic NAT is that some protocols cannot use PAT, which does not work with applications that have an inbound data stream on one port and the outgoing control path on another, such as multimedia applications. See Table 12-2 for more information about PAT support.

Dynamic PAT

Dynamic Port Address Translation (PAT) translates a group of local addresses to a single global IP address combined with a unique source port (above 1024). In Firewall MC, dynamic PAT is configured like dynamic NAT, under Configuration > Translation Rules > Dynamic Translations, using an address translation pool that supplies the single PAT address. When a local host accesses the destination network, the firewall device assigns it the global IP address and a unique port number. Every host receives the same IP address, but because the source port numbers are unique, the responding traffic, which carries that IP address and port number as its destination, can be mapped back to the correct host. Because more than 64,000 ports are available, you are unlikely to run out of translations, as can happen with dynamic NAT.

The translation is only in place for the duration of the connection, so a given user does not keep the same port number between connections. Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an ACL). Not only can you not predict the port number of the host, but the host does not have a global port number unless the host is the initiator. See Static NAT for reliable access to hosts.

PAT allows you to use a single global address, thus conserving routable addresses. You can even use the destination interface IP address as the PAT address. PAT does not work with multimedia applications that have an inbound data stream different from the outgoing control path.
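The behaviour described in the Dynamic NAT and Dynamic PAT sections (one pool address per active host, pool exhaustion, one port per connection, and no translation entry for outside-initiated traffic) modelled as a small Python script. This is an added example, not Firewall MC or PIX code; the class names, the sequential port allocator and the sample addresses are the example's own.

```python
class PoolExhausted(Exception):
    """Raised when no global address (or PAT port) is left for a new translation."""


class DynamicNat:
    """Dynamic NAT: each active local host borrows one address from a global pool."""

    def __init__(self, pool):
        self.free = list(pool)      # global addresses not currently assigned
        self.xlate = {}             # local_ip -> global_ip
        self.reverse = {}           # global_ip -> local_ip

    def outbound(self, local_ip):
        """A local host initiates a connection: reuse its xlate or allocate one."""
        if local_ip in self.xlate:
            return self.xlate[local_ip]
        if not self.free:
            raise PoolExhausted(f"global pool empty, cannot translate {local_ip}")
        global_ip = self.free.pop(0)
        self.xlate[local_ip] = global_ip
        self.reverse[global_ip] = local_ip
        return global_ip

    def inbound(self, global_ip):
        """A packet arrives for a global address: untranslate only if an xlate exists."""
        return self.reverse.get(global_ip)      # None: no xlate, the packet is dropped

    def release(self, local_ip):
        """The xlate times out: the global address goes back to the pool."""
        global_ip = self.xlate.pop(local_ip)
        del self.reverse[global_ip]
        self.free.append(global_ip)


class DynamicPat:
    """Dynamic PAT: all local hosts share one global address; the source port is unique."""

    FIRST_PORT, LAST_PORT = 1024, 65535

    def __init__(self, global_ip):
        self.global_ip = global_ip
        self.next_port = self.FIRST_PORT     # toy allocator: sequential, never reused
        self.xlate = {}                      # (local_ip, local_port) -> global_port
        self.reverse = {}                    # global_port -> (local_ip, local_port)

    def outbound(self, local_ip, local_port):
        key = (local_ip, local_port)
        if key in self.xlate:
            return self.global_ip, self.xlate[key]
        if self.next_port > self.LAST_PORT:
            raise PoolExhausted("PAT port range exhausted")
        port = self.next_port
        self.next_port += 1
        self.xlate[key] = port
        self.reverse[port] = key
        return self.global_ip, port

    def inbound(self, global_port):
        """Return traffic is matched by destination port; unsolicited traffic has no entry."""
        return self.reverse.get(global_port)


def demo():
    """Two-address pool, three hosts; then the same three hosts behind PAT."""
    nat = DynamicNat(["209.165.201.1", "209.165.201.2"])
    a = nat.outbound("10.1.1.1")
    b = nat.outbound("10.1.1.2")
    try:
        nat.outbound("10.1.1.3")
        third = "translated"
    except PoolExhausted:
        third = "refused"               # pool exhausted: the first disadvantage above
    nat.release("10.1.1.1")
    c = nat.outbound("10.1.1.3")        # gets the address host 10.1.1.1 gave up

    pat = DynamicPat("209.165.201.3")
    p1 = pat.outbound("10.1.1.1", 40000)
    p2 = pat.outbound("10.1.1.2", 40000)    # same local port, distinct global port
    p3 = pat.outbound("10.1.1.3", 40000)    # ports, not addresses, are consumed
    unsolicited = pat.inbound(2000)          # outside-initiated: no xlate, so None
    return a, b, third, c, p1, p2, p3, unsolicited
```

The model keeps one xlate per host for dynamic NAT and one per (host, port) for PAT, which is why the third host is refused by the two-address pool but not by PAT, and why an inbound packet to a port nobody has opened finds no entry even if an ACL would allow it.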

Static NAT

Static NAT translates each local address to a fixed global address. With dynamic NAT and PAT, each host uses a different address or port for each consecutive connection. Because the global address is the same for each consecutive connection, and a persistent translation rule exists, static NAT allows hosts on the global network to initiate traffic to a local host (if the ACL allows it).

Static PAT

Static PAT is the same as static NAT, except that it allows you to specify the protocol (TCP or UDP) and port for the local and global addresses.

This feature allows you to identify the same global address across many different static rules, so long as the port is different for each rule (you cannot use the same global address for multiple static NAT rules).

For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static rules for:

local_ip_A/global_ip_A/FTP

local_ip_B/global_ip_A/HTTP

local_ip_C/global_ip_A/SMTP

You can also use this feature to translate a well-known port to a lesser-known port or the reverse. For example, if your inside web servers use port 8080, you can allow outside users to connect to port 80, then translate them to the correct port. Similarly, if you want to provide extra security, you can tell your web users to connect to lesser-known port 6785, then translate them to port 80 on the local network.
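The three-server example above plus the port 80 to 8080 redirect, as a small table of static NAT and static PAT rules that enforces the constraints stated in this section (one global address cannot back two static NAT rules, but it can back several static PAT rules when the protocol and port differ) and translates in both directions. This is an added example in Python, not Firewall MC or PIX code; the local server addresses and the second global address are assumed.

```python
class RuleConflict(Exception):
    """Raised when a new static rule collides with an existing one."""


class StaticTable:
    def __init__(self):
        self.rules = []

    def add(self, local_ip, global_ip, proto=None, local_port=None, global_port=None):
        """Static NAT when no protocol/port is given; static PAT otherwise.
        proto is 'tcp' or 'udp'; local_port defaults to global_port."""
        is_pat = proto is not None
        if is_pat and local_port is None:
            local_port = global_port
        for r in self.rules:
            if r["global_ip"] != global_ip:
                continue
            if not is_pat or not r["pat"]:
                # a static NAT rule claims the whole global address
                raise RuleConflict(f"{global_ip} already used by a static rule")
            if (r["proto"], r["global_port"]) == (proto, global_port):
                raise RuleConflict(f"{proto}/{global_port} on {global_ip} already mapped")
        self.rules.append(dict(local_ip=local_ip, global_ip=global_ip, pat=is_pat,
                               proto=proto, local_port=local_port, global_port=global_port))

    def inbound(self, global_ip, proto=None, dport=None):
        """Global host -> local host: (local_ip, local_port), or None if nothing matches."""
        for r in self.rules:
            if r["global_ip"] != global_ip:
                continue
            if not r["pat"]:
                return r["local_ip"], dport          # static NAT: port unchanged
            if (r["proto"], r["global_port"]) == (proto, dport):
                return r["local_ip"], r["local_port"]
        return None

    def outbound(self, local_ip, proto=None, sport=None):
        """Local host -> global network: the fixed global address (and port for PAT)."""
        for r in self.rules:
            if r["local_ip"] != local_ip:
                continue
            if not r["pat"]:
                return r["global_ip"], sport
            if (r["proto"], r["local_port"]) == (proto, sport):
                return r["global_ip"], r["global_port"]
        return None


def build_example_table():
    """The FTP/HTTP/SMTP example from the text plus the 80 -> 8080 redirect.
    Global addresses are the document's example range; local hosts are assumed."""
    t = StaticTable()
    t.add("10.1.1.10", "209.165.201.10", "tcp", 21, 21)      # FTP server
    t.add("10.1.1.11", "209.165.201.10", "tcp", 80, 80)      # HTTP server
    t.add("10.1.1.12", "209.165.201.10", "tcp", 25, 25)      # SMTP server
    t.add("10.1.1.20", "209.165.201.11", "tcp", 8080, 80)    # outside 80 -> inside 8080
    return t
```

Inbound lookups key on the global address plus protocol and port, so one global address fans out to three servers; a fourth rule for tcp/80 on the same global address, or a plain static NAT rule for that address, raises RuleConflict, which is the behaviour the parenthetical above describes.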

Bypassing NAT

When hosts on a higher security interface (inside) access hosts on a lower security interface (outside), you must configure NAT on the inside hosts or specifically configure the inside interface to bypass NAT. You can configure an interface to bypass NAT using two methods:

Identity NAT (Identity Address Translation Rules)—Identity NAT translates the local IP address to the same local IP address. This method allows you to set the options described in the "Other Properties Controlled by Translation Rules" section.

You can configure identity NAT in three ways: similar to dynamic NAT, similar to static NAT, or auto-identity NAT. When you configure "dynamic" identity NAT, you do not specify the global interface. Therefore, you cannot choose to translate the local addresses when accessing one interface but use identity NAT when accessing another interface. Identity NAT is used for all interfaces that are accessed for connections. Regular dynamic NAT, on the other hand, allows you to specify a particular global interface on which to translate the addresses. Make sure that the local addresses for which you use identity NAT can be routed on all networks that are available according to your ACLs.

With static identity NAT, you specify the global interface on which you want to allow the local addresses to appear, so you can use identity NAT on one interface, and use regular translation on another for the same addresses. Static identity NAT also allows you to use policy NAT, which identifies the local and destination addresses when determining the local traffic to translate. (See below for more information about policy NAT.) For example, you can use static identity NAT for an inside address when it accesses the outside interface and the destination is server A, but use a translation when accessing the outside server B.

Auto-identity NAT, also called Identity Address Translation, is an optional feature provided by Firewall MC (see Configuring Management Controls, page 3-13). If Auto-identity NAT is enabled, Firewall MC automatically generates a static identity NAT rule for an address if no other translation rule is defined for that address or creates a No NAT rule. When the No NAT option is enabled, a firewall device suspends the requirement that each traffic flow is allowed only if a corresponding translation rule is defined.

You can further refine the Identity Address Translation feature by specifying that Firewall MC generate identity NAT rules only when no user-defined address translation rules exist. This refinement disables auto-identity NAT when you manually define any translation rule on any interface.

Rules that are created automatically with the Identity Address Translation feature do not appear in Firewall MC translation rule tables. Auto NAT is enabled by default. To disable this feature, select Configuration > MC Settings > Management.

NAT exemption (NAT 0 ACL)—With NAT exemption, the firewall device does not perform NAT at all on the identified addresses (specifically, no proxy ARP occurs). You cannot set NAT options with this method. Like static NAT, this method allows both local and global hosts to initiate connections.

Like "dynamic" identity NAT, you do not specify a global interface, so you must use NAT exemption on all interfaces. However, NAT exemption does allow you to specify the local and destination addresses when determining the local traffic to translate (similar to policy NAT), so you have greater control using NAT exemption.

Policy NAT

Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended ACL. You can also optionally specify the source and destination ports. Regular NAT considers only the local addresses.

To use Policy NAT, select Configuration > Translation Rules > Policy Dynamic Translations.


Note All types of NAT support policy NAT except NAT exemption. NAT exemption uses an ACL to identify the local addresses, but it differs from policy NAT in that ports are not considered. See Bypassing NAT for other differences.


With policy NAT, you can create multiple NAT or static rules that identify the same local address as long as the source/port and destination/port combinations are unique for each rule. You can match different global addresses to each source/port and destination/port pair.

Figure 12-2 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the local address is translated to 209.165.202.129. When the host accesses the server at 209.165.200.225, the local address is translated to 209.165.202.130.

Figure 12-2 Policy NAT with Different Destination Addresses

Figure 12-3 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the local address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the local address is translated to 209.165.202.130.

Figure 12-3 Policy NAT with Different Destination Ports


Note Policy NAT does not support SQL*Net, which regular NAT does support. See Table 12-2 for information about NAT support for other protocols.


Managing Alias Command Support

Firewall MC does not support defining alias commands directly in the GUI. However, some fixup commands do not support outside NAT (dual NAT); in these cases, the alias command is required. You can define alias commands manually using the Ending Commands feature.

The protocol fixups that do not support outside NAT are:

DNS

NetBIOS

rsh

sip

H323

See Defining Rules Manually Using CLI Syntax, page 13-1, for more information.

Order of NAT Commands Used to Match Local Addresses

The firewall device matches local traffic to NAT commands in the following order:

1. NAT exemption—First match. For example, you could have overlapping local/destination addresses in multiple NAT exemption commands, but only the first command is matched.

2. Static NAT—First match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple rules.

3. Static PAT—First match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple rules.

4. Policy NAT—First match. For example, you could have overlapping local/destination ports and addresses in multiple policy NAT commands, but only the first command is matched.

5. Regular NAT—Best match. The order of the NAT commands does not matter. The NAT rule that best matches the local traffic is used. For example, you can create a general rule to translate all addresses (0.0.0.0) on an interface. If you also create a rule to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific rule for 10.1.1.1 is used because it matches the local traffic best.
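The selection order listed above, and the policy NAT matching on destination address and port described in the Policy NAT section, as a Python rule selector: first match for NAT exemption, static NAT, static PAT and policy NAT, best (most specific local network) match for regular NAT. The sample rules use the Figure 12-2 scenario and the 0.0.0.0 versus 10.1.1.1 example from item 5. This is an added example, not Firewall MC or PIX code; the pool names and the exemption and static PAT hosts are assumed.

```python
import ipaddress

# Evaluation order from the text; within a kind, "nat" is best match, the rest first match.
ORDER = ("exempt", "static", "static_pat", "policy", "nat")


class Rule:
    def __init__(self, kind, src, dst="0.0.0.0/0", proto=None, sport=None, dport=None, result=""):
        self.kind = kind
        self.src = ipaddress.ip_network(src, strict=False)   # local addresses
        self.dst = ipaddress.ip_network(dst, strict=False)   # destination (policy/exempt only)
        self.proto, self.sport, self.dport = proto, sport, dport
        self.result = result                                  # what the translation would be

    def matches(self, pkt):
        """Static and regular NAT rules carry dst 0.0.0.0/0 and no ports, so for them
        only the local address is tested; policy rules also test destination and ports."""
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        for field in ("proto", "sport", "dport"):
            want = getattr(self, field)
            if want is not None and want != pkt.get(field):
                return False
        return True


def select_rule(rules, pkt):
    for kind in ORDER:
        hits = [r for r in rules if r.kind == kind and r.matches(pkt)]
        if not hits:
            continue
        if kind == "nat":
            # best match: the most specific local network wins, whatever the order
            return max(hits, key=lambda r: r.src.prefixlen)
        return hits[0]           # first match in configured order
    return None


def sample_rules():
    """Constructed rule set: Figure 12-2 policy rules, the item-5 regular NAT pair,
    plus an assumed exemption and an assumed static PAT host to show precedence."""
    return [
        Rule("exempt", "10.1.2.5/32", "209.165.201.11/32", result="no translation (nat 0 acl)"),
        Rule("static", "10.1.3.14/32", result="static -> 209.165.201.10"),
        Rule("static_pat", "10.1.1.11/32", proto="tcp", sport=80,
             result="static pat -> 209.165.201.10/80"),
        Rule("policy", "10.1.2.0/24", "209.165.201.11/32", result="policy -> 209.165.202.129"),
        Rule("policy", "10.1.2.0/24", "209.165.200.225/32", result="policy -> 209.165.202.130"),
        Rule("nat", "0.0.0.0/0", result="regular nat -> pool A"),
        Rule("nat", "10.1.1.1/32", result="regular nat -> pool B"),
    ]


def classify(pkt):
    """Return the translation that would apply to a local-to-global packet."""
    rule = select_rule(sample_rules(), pkt)
    return rule.result if rule else "dropped: no translation rule"
```

Note that 10.1.2.5 reaching 209.165.201.11 hits the exemption even though a policy rule also covers it, because exemption is evaluated first, while 10.1.1.1 hits pool B even though the 0.0.0.0 rule is listed earlier, because regular NAT is best match.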

Global Addresses to Use

When you translate the local address to a global address, you can use the following global addresses:

Addresses on the same network as the global interface.

If you use addresses on the same network as the global interface (through which traffic exits the firewall device), the firewall device uses proxy ARP to answer any requests for translated addresses, and thus intercepts traffic destined for a local address. This solution simplifies routing because the firewall device does not have to be the gateway for any additional networks. However, this approach does limit the number of available addresses used for translations.

For PAT, you can even use the IP address of the global interface.

Addresses on a unique network.

If you need more addresses than are available on the global interface network, you can identify a different subnet. If you use OSPF and you advertise routes on the global interface, then the firewall device advertises the translated addresses. If the global interface is passive (not advertising routes) or you are using static routing, then you need to add a static route on the upstream router that sends traffic destined for the translated addresses to the firewall device.

DNS and NAT

If your network uses a DNS server to resolve hostnames, and NAT is in effect between the DNS server and the requesting host, the address in the DNS reply is correct for the network the server is on but not for the host that asked.

In this case, configure the firewall device to modify DNS replies by replacing the address in the reply with the one that is valid on the requesting host's network. The firewall device rewrites the address inside the DNS reply payload in addition to performing the normal packet address translation. To enable this feature, select the Translate DNS Replies check box when you configure a standard or policy dynamic translation rule. For more information, see Adding or Editing a Dynamic Translation Rule, and Adding or Editing a Dynamic Policy NAT Rule.


Caution If you expose your internal DNS servers using a static NAT rule, you do not benefit from the address-hiding feature provided by translation rules. External users can simply request information about your trusted networks from the DNS servers that you expose.

For example, the DNS server is accessible from the outside interface, and a server, ftp.cisco.com, is on the DMZ. You configure the firewall device to statically translate the ftp.cisco.com local address (10.1.3.14) to a global address (209.165.201.10) that is visible on the outside network (see Figure 12-4), and you enable DNS reply modification on this static rule.

When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the global address (209.165.201.10). The firewall device refers to the static rule for the DMZ server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, the inside host tries to send traffic to 209.165.201.10 instead of reaching ftp.cisco.com directly through the firewall device.

Figure 12-4 DNS Reply Modification
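The rewrite the firewall performs in the Figure 12-4 scenario, done by hand on a constructed DNS reply: walk the question and answer sections, and replace the address in any A record that matches a static rule's global address with the local address. This is an added Python example, not the firewall's implementation; the sample packet is constructed inline, and in line with Table 12-2 only forward (A record) data is touched, PTR records are left alone.

```python
import socket
import struct


def _skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a 2-byte compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length


def _answers(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every record in the answer section."""
    _, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4     # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def rewrite_dns_reply(msg, static_map):
    """Apply {global_ip: local_ip} from static rules to A records in a reply.
    Queries (QR bit clear) and non-A records pass through unchanged."""
    if not struct.unpack("!H", msg[2:4])[0] & 0x8000:
        return msg
    out = bytearray(msg)
    for off, rtype, rclass, rdlen in _answers(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:          # A record, class IN
            addr = socket.inet_ntoa(msg[off:off + 4])
            if addr in static_map:
                out[off:off + 4] = socket.inet_aton(static_map[addr])
    return bytes(out)


def answer_addresses(msg):
    """A-record addresses in a reply, in order (used to inspect the result)."""
    return [socket.inet_ntoa(msg[off:off + 4])
            for off, rtype, rclass, rdlen in _answers(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_a_reply(qname, answer_ips, flags=0x8180, ttl=300):
    """Constructed sample message: one question and one A answer per address,
    each answer naming the owner with a pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer_ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                       for ip in answer_ips)
    return header + question + answers
```

The reply for ftp.cisco.com carries 209.165.201.10; after the rewrite the inside host receives 10.1.3.14, while an unrelated address in the same reply and the message length are unchanged, so the UDP checksum is the only other field a real firewall has to fix up.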

Other Properties Controlled by Translation Rules

The NAT configuration allows you to set some options for traffic that cannot be set anywhere else:

Setting the maximum connections—The maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections.

Setting the maximum embryonic connections—The maximum number of embryonic connections per host. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. The default is 0, which means unlimited embryonic connections.

Disabling TCP sequence number randomization—Use this option only if another inline firewall is also randomizing sequence numbers and the result is scrambling the data.


Note You cannot set these options when you configure NAT exemption. However, you can set these options when you configure identity NAT. These options are also not available for NAT performed on a lower security interface when accessing a higher security interface.


Defining Translation Rules in Firewall MC

The types of translation rules that you can define using Firewall MC depend on the firewall device and the version of software running on that firewall device. Table 12-1 lists the different NAT features and when they were supported beginning with PIX Firewall version 6.0 and Firewall Services Module 1.1.2. Firewall MC does not support earlier firewall device versions.

Table 12-1 NAT Feature Support Matrix by Device Type and Operating System

NAT Feature            | PIX Firewall | FWSM  | Firewall MC
-----------------------|--------------|-------|--------------
dynamic NAT            | 6.0          | 1.1.2 | 1.0
PAT                    | 6.0          | 1.1.2 | 1.0
static NAT             | 6.0          | 1.1.2 | 1.0
static PAT             | 6.0          | 1.1.2 | 1.0
NAT 0 ACLs             | 6.0          | 1.1.2 | 1.2
dual NAT               | 6.2.1        | 2.1   | 1.2
policy NAT             | 6.3.2        | 2.1   | 1.3
same-level interface   | --           | 2.1   | 1.3
auto NAT               | --           | --    | 1.0
split around (1)       | --           | --    | 1.0 to 1.2.1
no split around        | --           | --    | 1.3

(1) The split around feature prevents address overlap conflicts by splitting an address translation rule into multiple rules when other address translation rules contain addresses within its range. The result of the split is multiple rules defined around the addresses or ranges contained in those other rules.


Table 12-2 Protocol Support Limitations with NAT and PAT

Protocol              | Default Port            | PAT | NAT (1-1) | Limitations/Comments
----------------------|-------------------------|-----|-----------|------------------------------------------------
DNS (1)               | UDP/53                  | Yes | Yes       | Only forward NAT. No PTR records are changed.
Passive FTP           | TCP/21                  | No  | Yes       | None.
H.323 H.225 and RAS   | TCP/1720, UDP/1718-1719 | Yes | Yes       | Does not support segmented messages.
ILS (LDAP)            | TCP/389                 | Yes | Yes       | No outside NAT.
MGCP                  | 2427, 2727              | No  | No        | None.
NetBIOS over IP (2)   | --                      | No  | No        | None.
RTSP                  | TCP/554                 | No  | No        | No handling for HTTP cloaking.
SQL*Net               | TCP/1521 (v.1)          | Yes | Yes       | V.1 and V.2. No policy NAT support.
Sun RPC               | UDP/111, TCP/111        | No  | No        | Payload not NATed.
XDMCP                 | UDP/117                 | No  | No        | None.

(1) No NAT support is available for name resolution through WINS.

(2) NetBIOS is supported by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138.


What's New in Firewall MC 1.3 NAT Support

The following features are new or changed in Firewall MC 1.3:

(New) Support for dynamic policy NAT and static policy PAT rules. These new rule types are not visible by default. If Policy Dynamic Translations does not appear under the Translation Rules area, select the Enable Policy NAT Rules Definition check box on the Configuration > MC Settings > Management page.

(Changed) Order of evaluation has changed. Previous versions of Firewall MC optimized translation rules around a "best match" semantic. In 1.3, Firewall MC defaults to the firewall device logic, which uses a "first match" scheme for all rule types other than dynamic NAT. For more information on evaluation order, see Order of NAT Commands Used to Match Local Addresses.

(Changed) Previously, if a NAT 0 ACL was defined, Firewall MC disabled any automatically created static identity NAT rules or rules using No NAT. This is no longer true.

(Dropped) Split around. In versions 1.0 through 1.2.1, Firewall MC provided a split around feature for NAT rules to avoid overlapping addresses. In version 1.3, this feature is no longer supported; instead, a warning message is issued for overlapping addresses.

Notes About Translation Rules

If you attempt to add a rule at the device that conflicts with another rule on the device or higher in the hierarchy, you will see a warning message about the conflict. However, if you add a rule at the group level, Firewall MC does not check for conflicts within the child devices of that group.

You must run NAT even if you have routable IP addresses on your secure networks (a unique feature of firewall devices). You can run NAT by translating the IP address to itself on the outside interface. You can also opt to use No NAT.

Hosts cannot contact hosts on other interfaces unless static or dynamic NAT rules have been created, except when both hosts reside on interfaces with the same security level and the same level interface feature is enabled (Configuration > Device Settings > Interfaces). You can use the Identity Address Translation feature, which is enabled by default, to satisfy this requirement.

We recommend that you define building blocks before you define translation rules, for example, address pools, network groups, and services groups.

Before you can create dynamic rules, you must create an address translation pool. To do this, select Configuration > Building Blocks > Address Translation Pools.

Static address translations should not overlap with a global IP address pool on the same external interface. An overlapping address becomes unavailable for dynamic address translation.

Static translation rules are applied on a first match basis. You can only see the rules defined at the current scope, and therefore, you can edit all visible static translation rules.

To provide a comprehensive view of the active rules, dynamic translation rules (non-policy) defined at the group level are intermingled on a best-match basis with those defined at the selected scope. However, you can only edit rules at the level at which they are defined.

Additional translation rules are created automatically as necessary when the Identity Address Translation Rules feature is enabled, with some exceptions (see Bypassing NAT). These automatically created rules are not shown in the Translation Rules table. To enable the Identity Address Translation Rules feature, select Configuration > MC Settings > Management.

If you decide to use the Identity Address Translation Rules feature, you do not need to define NAT 0 ACL rules.

Configuring Dynamic NAT and Dynamic Policy NAT

You can create two types of dynamic NAT rules:

Dynamic NAT—Identify the local addresses within the NAT rule. For more information about dynamic NAT, see Dynamic NAT. For more information about global addresses, see Defining Address Translation Pools, page 10-35.

Dynamic Policy NAT—Identify the local addresses and destination addresses using an extended ACL. You can also optionally identify the source and destination ports. See Policy NAT for more information.

Adding or Editing a Dynamic Translation Rule

Before You Begin

Define a network object identifying each host or server for which the rule applies.


Step 1 Select Configuration > Translation Rules > Dynamic Translations.

The Dynamic Translations page appears.

Step 2 Using the object selector, select the scope (if not already selected) to identify the device or device groups to which the rules will apply.


Note The Object bar displays the last scope that was selected under the Configuration tab.


Step 3 Do one of the following:

To add a row, click Add.

To edit a row, select the check box for the row, then click Edit.

Step 4 Select the original interface from the list.

Step 5 Enter the original address or click Select to display a list of defined objects.

a. Select the available object, then click Select =>.

The object is moved to the Selected Objects column.

b. Click OK.

Step 6 Select the address pool from the list that defines the available addresses to use for translation. You can select No NAT to define an identity translation rule.


Note Address pools are user-defined. If you have not already done so, you can define an address pool by selecting Configuration > Building Blocks > Address Translation Pool.


Step 7 Select the Translate DNS Replies check box if you want to include a translated DNS address in the reply packet.

Step 8 Verify that you want to randomize sequence numbers. If not, deselect the check box.


Note Disable this feature only if another inline firewall is also randomizing sequence numbers and the result is scrambling the data.


Step 9 Enter the maximum number of embryonic connections, that is, TCP connections for which the three-way handshake has not yet completed, allowed per host before the firewall device intercepts further connection attempts (0 = unlimited).


Note We recommend setting a finite limit rather than leaving the default of 0 (unlimited), so that a SYN flood cannot exhaust the server behind the translation.


Step 10 Enter the maximum number of simultaneous connections allowed to the dynamically translated IP addresses. Values are 0-65,535 (0 = unlimited connections).

Step 11 Select the traffic direction.

Step 12 Click OK.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 12-3 describes the elements on the Dynamic Translation Rules page.

Table 12-3 Dynamic Translation Rules 

Element
Description

Original Interface

Interface on which the traffic to be translated arrives; for an outbound rule this is the higher security interface.

Inside—Connects to your internal network.

Outside—Connects to an external network or public Internet.

Original Address

Local (original) address, or network object, whose traffic the rule translates.

Note If you are using a popup wizard, you can click Select to open a popup window from which to make your selection.

Address Pool

Displays list of address pools from which you make your selection. The address pool defines the addresses to use for translating the original address.

Note Select No NAT to define an identity translation rule.

Translate DNS Replies check box

Enables translation of DNS reply packets. See DNS and NAT.

Randomize Sequence Numbers check box

When selected, the firewall device randomizes the initial sequence number (ISN) of TCP connections that it translates.

When deselected, TCP ISN randomization is turned off for this rule.

Note Disable this feature only if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Without this protection, inside hosts with weak ISN generation become more vulnerable to TCP connection hijacking.

Embryonic Connections

Number of embryonic connections1 allowed before the firewall device denies connections. Protects inside systems from a denial of service attack perpetrated by flooding an interface with TCP SYN packets.

Values are 0-65,535 (0 = unlimited connections). Set a small value for slower firewall devices, and a higher value for faster ones.

Defining this limit helps prevent those attacks where processes are started without being completed. When the embryonic limit is surpassed, the TCP intercept feature intercepts TCP synchronization (SYN) packets from clients to servers on a higher security level. The firewall establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and combines the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The firewall accomplishes TCP intercept functionality using SYN cookies.

Note This option does not apply to outside NAT. The TCP intercept feature only applies to hosts or servers on a higher security level.

Max Connections

Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. Idle connections are closed after the idle timeout specified on the Timeouts page (see Configuring Timeouts, page 8-81).

Values are 0-65,535. Default is 0. (0 = unlimited).

Note This option does not apply to outside NAT. The firewall only tracks connections from a higher security interface to a lower security interface.

Direction

Options are relative to the original interface:

Outbound—Packets enter on an interface with a higher security level and leave on an interface with an equal or lower security level.

Inbound—Packets enter on an interface with a lower security level and leave on an interface with a higher security level.

¹ A connection that has been started but not established, for example, a three-way TCP handshake that has not yet completed.


Adding or Editing a Dynamic Policy NAT Rule

Before You Begin

If Policy Dynamic Translations does not appear under the Translation Rules area, select the Enable Policy NAT Rules Definition check box on the Configuration > MC Settings > Management page.

This feature is not supported by versions prior to PIX Firewall 6.3.2 and FWSM 2.1.


Step 1 Select Configuration > Translation Rules > Policy Dynamic Translations.

The Policy Dynamic Translations page appears.

Step 2 Using the object selector, select the scope to identify the device or device groups to which the rules will apply.


Note The Object bar displays the last scope that was selected under the Configuration tab.


Step 3 Do one of the following:

To add a row, click Insert.

To edit a row, select the appropriate check box, then click Edit.

Step 4 Select the original interface from the list. The list contains all interfaces defined at the current scope.

Step 5 Enter the original address or click Select to display a list of defined objects.

a. Select the available objects, then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

Step 6 Enter the destination address or click Select to display a list of defined objects.

a. Select the available objects, then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

Step 7 Enter the service or click Select to display a list of defined objects.

a. Select the available objects, then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

Step 8 Select the address pool that defines the available addresses to use for translation from the list.


Note Address pools are user-defined. If you have not already done so, you can define an address pool by selecting Configuration > Building Blocks > Address Translation Pool.


Step 9 Select the Translate DNS Replies check box to include a translated DNS address in the reply packet.

Step 10 Verify that you want to randomize sequence numbers. If not, deselect the check box.


Note Disable this feature only if another inline firewall is also randomizing sequence numbers and the result is scrambling the data.


Step 11 Enter the embryonic connection limit: the number of half-open connections (for example, a TCP three-way handshake that has not yet completed) allowed before the firewall device denies further connection attempts (0 = unlimited connections).


Note We recommend setting this value to a low number.


Step 12 Enter the maximum number of connections that are allowed to connect to statically translated IP addresses. Values are 0-65,535 (0 = unlimited connections).

Step 13 Enter the traffic direction.

Outbound—Packets entering on an interface with a higher security level and leaving on an interface with an equal or lower security level.

Inbound—Packets entering on an interface with a lower security level and leaving on an interface with a higher security level.

Step 14 Enter an optional description.

Step 15 Click OK.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 12-4 describes the elements on the Policy Dynamic Translations page.

Table 12-4 Policy Dynamic Translations 

Element
Description

Original Interface

Interface on which the original (untranslated) traffic is received; this is the side with the higher security level.

Inside—Connects to your internal network.

Outside—Connects to an external network or public Internet.

Original Address

Pool of addresses used for NAT.

Note If you are using a popup wizard, you can click Select to open a popup window from which to make your selection.

Destination Address(es)

Displays list of network objects defined under Building Blocks > Network Objects. This field identifies those network objects for which this rule applies.

Service(s)

Displays the list of network services and groups as defined under Building Blocks > Service Definitions and Building Blocks > Service Groups. This field identifies the network services to which this translation rule applies.

Address Pool

Displays list of address pools from which you make your selection. The address pool defines the addresses to use for translating the original address.

Note Address pools are user-defined. If you have not already done so, you can define an address pool by selecting Configuration > Building Blocks > Address Translation Pool.

Translate DNS Replies check box

Enables translation of DNS reply packets. See DNS and NAT.

Randomize Sequence Numbers check box

When selected, the firewall device randomizes the sequence numbers of TCP packets. When enabled, the value is set to true.

When deselected, the TCP Initial Sequence Number (ISN) randomization protection is turned off. When disabled, the value is set to false.

Note Disable this feature only if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Without this protection, inside hosts with weak self-ISN protection become more vulnerable to TCP connection hijacking.

Embryonic Connections

Number of embryonic connections¹ allowed before the firewall device denies connections. Protects inside systems from a denial of service attack perpetrated by flooding an interface with TCP SYN packets.

Values are 0-65,535 (0 = unlimited connections). Set a small value for slower firewall devices, and a higher value for faster ones.

Defining this limit helps prevent those attacks where processes are started without being completed. When the embryonic limit is surpassed, the TCP intercept feature intercepts TCP synchronization (SYN) packets from clients to servers on a higher security level. The firewall establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and combines the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The firewall accomplishes TCP intercept functionality using SYN cookies.

Note This option does not apply to outside NAT. The TCP intercept feature only applies to hosts or servers on a higher security level.

Max Connections

Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. Idle connections are closed after the idle timeout specified on the Timeouts page (see Configuring Timeouts, page 8-81).

Values are 0-65,535. Default is 0. (0 = unlimited).

Note This option does not apply to outside NAT. The firewall only tracks connections from a higher security interface to a lower security interface.

Direction

Options are relative to the original interface:

Outbound—Packets enter on an interface with a higher security level and leave on an interface with an equal or lower security level.

Inbound—Packets enter on an interface with a lower security level and leave on an interface with a higher security level.

Description

Optional user-defined description that identifies the translation rule.

¹ A connection that has been started but not established, for example, a three-way TCP handshake that has not yet completed.


Deleting a Dynamic Translation Rule


Step 1 Select Configuration > Translation Rules > Dynamic Translations.

The Dynamic Translations page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The selected rule is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.


Configuring Static NAT and PAT

Under Static Translations, you can create static NAT and static PAT rules. If policy NAT is enabled, you can also create static policy NAT and PAT rules.

Static NAT—Identify the local addresses within the static rule. In a static NAT rule, the destination address is always "ANY." For more information about static NAT, see Static NAT.

Static PAT—Identify the local addresses and ports within the static rule. For more information about static PAT, see Static PAT.

Static Policy NAT—Identify the local addresses and destination addresses using an extended ACL. You can also optionally identify the source and destination port. See Policy NAT for more information.

Static Policy PAT—Identify the local addresses and ports and destination addresses and ports using an extended ACL.

To enable static policy NAT and PAT, select the Enable Policy NAT Rules Definition check box on the Configuration > MC Settings > Management page. If enabled, the Destination Address(es) field appears in the static translations table. If policy NAT is enabled, the generated rules always use the access-list form of the static command. Otherwise, the non-access-list form of the static command is used.


Note For an FWSM, you can create up to 1,024 static NAT and static PAT rules combined. For a PIX Firewall, the number of rules depends on the model and memory installed in the appliance.


Important Notes About PAT Translation Rules

Do not use with H.323 applications and caching nameservers.

Do not use when multimedia applications must be run through a firewall device. Multimedia applications can conflict with port associations provided by PAT.

Do not use with a DNS server on a higher-level security interface that requires updates from a root nameserver on an outside interface.

To use PAT with passive FTP, set the FTP fixup to strict and add an access-list rule that permits outbound FTP traffic. See Configuring Basic Fixups, page 8-84.

Adding or Editing a Static Translation Rule

You can define both host- and port-based statics in the Static Translation table. The host-based statics are inserted and ordered before the port-based static rules. This order is maintained when the commands are generated.
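The following Python model is added here to illustrate the two points just made, the host-before-port ordering of generated static commands and the access-list form used when policy NAT is enabled; it is not Firewall MC, PIX or FWSM code. The command layout (the static, access-list, netmask, host and eq keywords) follows PIX 6.3 syntax as the author of this example recalls it and is an assumption, the ACL names STATIC_n are hypothetical, and the rule table is constructed for the example.

```python
import ipaddress


def dst_clause(destination):
    """Destination part of an ACE: 'any', a single host, or a network with its mask."""
    if destination == "any":
        return "any"
    net = ipaddress.ip_network(destination, strict=False)
    if net.prefixlen == 32:
        return "host %s" % net.network_address
    return "%s %s" % (net.network_address, net.netmask)


def generate_static_commands(rules, policy_nat_enabled, acl_prefix="STATIC"):
    """Return the static commands for a rule table: host-based rules first, then
    port-based rules; in the access-list form when policy NAT is enabled.

    A rule whose destination is not ANY is a policy rule and cannot be expressed
    without policy NAT, so it is rejected in that mode instead of being emitted wrongly.
    """
    ordered = sorted(rules, key=lambda r: r["proto"] != "ip")   # stable: host-based first
    lines = []
    for n, r in enumerate(ordered, 1):
        if r["destination"] != "any" and not policy_nat_enabled:
            raise ValueError("rule %d needs policy NAT: destination is not ANY" % n)
        ifpair = "(%s,%s)" % (r["original_if"], r["translated_if"])
        if r["proto"] == "ip":
            global_part = r["translated"]
            local_part = r["original"]
            ace_match = "ip host %s" % r["original"]
        else:
            # Port-based static (static PAT): protocol, global address and port.
            global_part = "%s %s %d" % (r["proto"], r["translated"], r["translated_port"])
            local_part = "%s %d" % (r["original"], r["original_port"])
            ace_match = "%s host %s eq %d" % (r["proto"], r["original"], r["original_port"])
        if policy_nat_enabled:
            acl = "%s_%d" % (acl_prefix, n)   # hypothetical ACL naming
            lines.append("access-list %s permit %s %s" % (acl, ace_match, dst_clause(r["destination"])))
            lines.append("static %s %s access-list %s" % (ifpair, global_part, acl))
        else:
            lines.append("static %s %s %s netmask 255.255.255.255" % (ifpair, global_part, local_part))
    return lines


# Constructed rule table (documentation address ranges), entered port-based rule first
# on purpose to show that generation reorders it after the host-based rules.
EXAMPLE_RULES = [
    dict(original_if="inside", translated_if="outside", original="10.1.1.6", translated="209.165.201.6",
         proto="tcp", original_port=80, translated_port=8080, destination="any"),
    dict(original_if="inside", translated_if="outside", original="10.1.1.5", translated="209.165.201.5",
         proto="ip", original_port=0, translated_port=0, destination="any"),
    dict(original_if="inside", translated_if="outside", original="10.1.1.7", translated="209.165.201.7",
         proto="ip", original_port=0, translated_port=0, destination="198.51.100.0/24"),
]

if __name__ == "__main__":
    print("\n".join(generate_static_commands(EXAMPLE_RULES[:2], False)))
    print("\n".join(generate_static_commands(EXAMPLE_RULES, True)))
```

Run with the policy rule included but policy NAT disabled and the generator raises, which is the check an administrator would want before a deployment silently drops a rule.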

Before You Begin

Recommended but not required: Define a network object that identifies each host or server for which a rule applies. See Defining Network Objects, page 10-9.


Step 1 Select Configuration > Translation Rules > Static Translations.

The Static Translations page appears.

Step 2 Using the object selector, select the scope to identify the device or device groups to which the rules will apply.


Note The Object bar displays the last scope that was selected under the Configuration tab.


Step 3 Do one of the following:

To add a row, click Insert.

To edit a row, select the appropriate check box, then click Edit.

Step 4 Select the original interface from the list. The list contains all interfaces defined at the current scope.

Step 5 Enter the original address or click Select to display a list of defined objects.

a. Select the available objects, then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

Step 6 Determine the protocol type, then click the appropriate radio button.

Step 7 Enter the original port.


Note If you selected IP as your protocol, leave the original port blank.


Step 8 Select the translated interface from the list. The list contains all interfaces defined at the current scope.

Step 9 Enter the translated address or click Select to display a list of defined objects.

a. Select the available object, then click Select =>.


Note Only one translated address is allowed.


The object is moved to the Selected Objects column.

b. Click OK.

Step 10 Enter the translated port.

Step 11 If this rule is a static policy NAT rule, enter a destination address or click Select to display a list of defined objects. Otherwise, proceed to Step 12.

a. Select the available object, then click Select =>.


Note Any static translation rule with a destination address value other than "ANY" is a static policy NAT. The singleton value of ANY signifies a standard static NAT rule.


The object is moved to the Selected Objects column.

b. Click OK.

Step 12 Select the Translate DNS Replies check box to include a translated DNS address in the reply packet.

Step 13 Verify that you want to randomize sequence numbers. If not, deselect the check box.


Note Disable this feature only if another inline firewall is also randomizing sequence numbers and the result is scrambling the data.


Step 14 Enter the embryonic connection limit: the number of half-open connections (for example, a TCP three-way handshake that has not yet completed) allowed before the firewall device denies further connection attempts (0 = unlimited connections).


Note We recommend setting this value to a low number.


Step 15 Enter the maximum number of connections that are allowed to connect to statically translated IP addresses. Values are 0-65,535 (0 = unlimited connections).

Step 16 Click OK.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 12-5 describes the elements on the Static Translations page.

Table 12-5 Static Translations 

Element
Description

Original Interface

Interface on which the original (untranslated) traffic is received; this is the side with the higher security level.

Original Address

Source network object¹ name or IP address of a host. Only one element is permitted.

Note If you are using a wizard, you can click Select to open a popup window from which to make your selection.

Protocol

TCP

UDP

IP—Port column is 0 in the Static Translations table.

Original Port

Original port used.

Note No port is used for IP.

Translated Interface

Interface used for outgoing traffic.

Translated Address

Translated network object¹ name or IP address of a host. Only one element is permitted.

Note If you are using a popup wizard, you can click Select to open a popup window from which to make your selection.

Translated Port

Translated port used.

Destination Address(es)

(Policy NAT mode only) Displays list of network objects defined under Building Blocks > Network Objects. This field identifies those network objects for which this rule applies. If a value other than ANY is specified in this field, the rule represents a static policy PAT rule.

Translate DNS Replies check box

Enables translation of DNS reply packets. See DNS and NAT.

Randomize Sequence Numbers check box

When selected, the firewall device randomizes the sequence numbers of TCP packets. When enabled, the value is set to true.

When deselected, the TCP Initial Sequence Number (ISN) randomization protection is turned off. When disabled, the value is set to false.

Note Disable this feature only if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Without this protection, inside hosts with weak self-ISN protection become more vulnerable to TCP connection hijacking.

Embryonic Connections

Number of embryonic connections² allowed before the firewall device denies connections. Protects inside systems from a denial of service attack perpetrated by flooding an interface with TCP SYN packets.

Values are 0-65,535 (0 = unlimited connections). Set a small value for slower firewall devices, and a higher value for faster ones.

Defining this limit helps prevent those attacks where processes are started without being completed. When the embryonic limit is surpassed, the TCP intercept feature intercepts TCP synchronization (SYN) packets from clients to servers on a higher security level. The firewall establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and combines the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The firewall accomplishes TCP intercept functionality using SYN cookies.

Note This option does not apply to outside NAT. The TCP intercept feature only applies to hosts or servers on a higher security level.

Max Connections

Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. Idle connections are closed after the idle timeout specified on the Timeouts page (see Configuring Timeouts, page 8-81).

Values are 0-65,535. Default is 0. (0 = unlimited).

Note This option does not apply to outside NAT. The firewall only tracks connections from a higher security interface to a lower security interface.

Description

Optional user-defined description that identifies the translation rule.

¹ Network objects are defined in Building Blocks. Select Configuration > Building Blocks > Network Objects. See Defining Network Objects, page 10-9.

² A connection that has been started but not established, for example, a three-way TCP handshake that has not yet completed.
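The following Python model is added here to illustrate the Embryonic Connections behaviour described in the translation rule tables above and in the corresponding procedure steps (the embryonic limit, and TCP intercept with SYN cookies once the limit is reached); it is not Firewall MC, PIX or FWSM code. The cookie construction (an HMAC over the flow 4-tuple and a one-minute time value, truncated to 32 bits, with the previous minute also accepted), the secret key and the traffic scenario are assumptions constructed for the example.

```python
import hashlib
import hmac

# Assumption: a per-device secret for the cookie MAC; constructed for this example only.
COOKIE_SECRET = b"constructed-example-secret"


class TcpIntercept:
    """Toy model of the embryonic limit and SYN-cookie based TCP intercept.

    Below the limit, client SYNs are forwarded and each half-open connection
    costs one table entry. Once the limit is reached, the firewall answers
    SYNs itself with a cookie as the ISN and keeps no state; only an ACK that
    returns a valid cookie proves the client is reachable, and only then is
    the server-side connection opened on the client's behalf and spliced.
    """

    def __init__(self, emb_limit):
        self.emb_limit = emb_limit   # 0 = unlimited, as in the GUI field
        self.half_open = set()       # flows forwarded to the server, handshake not finished
        self.established = []        # flows whose handshake completed, in order
        self.intercepted = 0         # SYNs answered with a cookie (no state kept)
        self.rejected_acks = 0       # ACKs whose cookie did not verify

    def _cookie(self, flow, epoch):
        # MAC over the flow 4-tuple and a coarse (one-minute) time value, truncated to 32 bits.
        msg = repr((flow, epoch)).encode()
        digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def _over_limit(self):
        return self.emb_limit != 0 and len(self.half_open) >= self.emb_limit

    def on_syn(self, flow, now):
        """Handle a client SYN; flow = ((client_ip, client_port), (server_ip, server_port))."""
        if self._over_limit():
            self.intercepted += 1
            return ("syn_ack_cookie", self._cookie(flow, now // 60))
        self.half_open.add(flow)
        return ("forward_to_server", None)

    def on_ack(self, flow, ack_num, now):
        """Handle the client's final ACK; an intercepted flow must acknowledge cookie + 1."""
        if flow in self.half_open:
            self.half_open.discard(flow)        # the server handled this handshake itself
            self.established.append(flow)
            return "passthrough_completed"
        for epoch in (now // 60, now // 60 - 1):   # accept the current and the previous minute
            if ack_num == self._cookie(flow, epoch) + 1:
                self.established.append(flow)   # client is reachable: open the server side
                return "proxied_to_server"
        self.rejected_acks += 1
        return "dropped"


def simulate_syn_flood(emb_limit=2):
    """Constructed scenario: five SYNs from spoofed, unreachable sources that never
    ACK, then one real client that completes the handshake."""
    fw = TcpIntercept(emb_limit)
    server = ("10.1.1.5", 80)
    now = 600
    for i in range(1, 6):
        fw.on_syn((("203.0.113.%d" % i, 40000 + i), server), now)
    real = (("198.51.100.7", 51515), server)
    action, isn = fw.on_syn(real, now)
    result = fw.on_ack(real, isn + 1, now + 1)
    forged = fw.on_ack(real, isn + 2, now + 1)   # wrong acknowledgement number
    return {
        "real_client_syn": action,
        "half_open_on_server": len(fw.half_open),
        "intercepted": fw.intercepted,
        "real_client": result,
        "forged_ack": forged,
        "established": len(fw.established),
        "rejected_acks": fw.rejected_acks,
    }


if __name__ == "__main__":
    print(simulate_syn_flood())
```

With a limit of 2, only the first two spoofed SYNs reach the server; the remaining three and the real client's SYN are answered with cookies, and only the real client, which returns a valid acknowledgement, is connected through. A real device also ages out the two half-open entries with the connection timeouts, which this model omits.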


Deleting a Static Translation Rule


Step 1 Select Configuration > Translation Rules > Static Translation Rule.

The Static Translations page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The selected rule is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.


Bypassing NAT

You can bypass NAT by using identity NAT or NAT exemption. See Bypassing NAT, for more information about these two methods.

Topics to be discussed are:

Configuring Identity NAT

Configuring NAT Exemption Rules

Configuring Identity NAT

You can manually define identity NAT rules by using static or dynamic translations; simply define rules where the translated address and the original address match. However, you can also configure Firewall MC to automatically define identity NAT rules. Additional translation rules are created automatically as necessary when the Identity Address Translation Rules feature is enabled. These automatically created rules are not shown in the Translation Rules table. To enable the Identity Address Translation Rules feature, select Configuration > MC Settings > Management.

Configuring NAT Exemption Rules

Translation exception rules, referred to as NAT 0 ACLs, abort all other address translation logic. If a packet matches the NAT 0 ACL rule for the incoming or outgoing interfaces, no translation table entries are created in the session table of the firewall device.

Although NAT 0 ACL is grouped as a translation rule in the GUI, it does not translate addresses. NAT 0 ACL uses ACLs to identify what traffic should be exempt from any other translation rules.

Important Notes About NAT 0 ACL Rules

On import, if a service other than IP is specified in the ACE of a NAT 0 ACL, a warning results. The service is automatically changed to IP. No user intervention is required.

A PIX Firewall always interprets the service of NAT 0 ACL as IP. As a result, you are not prompted for a service when you are configuring a NAT 0 ACL.

Additional translation rules are created automatically as necessary when the Identity Address Translation Rules feature is enabled. These automatically created rules are not shown in the Translation Rules table. To enable the Identity Address Translation Rules feature, select Configuration > MC Settings > Management.

If you want to use the Identity Address Translation Rules feature, you cannot define NAT 0 ACL rules.

If you define a NAT 0 ACL rule and you previously enabled the Identity Address Translation Rules feature, the latter becomes disabled.

NAT 0 ACL rules are listed sequentially and are applied in the order in which they appear in the NAT 0 ACL Rule table. For more information on processing of rules, see
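The following Python model is added here to illustrate how the rule types in this chapter interact when a packet is matched: NAT 0 ACL rules evaluated in table order with "permit" (Do not translate) exempting the packet and "deny" (Translate) falling through, host-based statics ahead of port-based statics, and dynamic policy NAT rules that also match on destination address and service before a plain dynamic rule. It is not Firewall MC, PIX or FWSM code; the evaluation order across rule types (exemption, then static, then dynamic, with policy rules before plain ones) is an assumption of the model, and the rule set and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


def matches(addr, net):
    """True when addr lies inside net; the value 'any' matches every address."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


@dataclass
class Nat0Rule:
    """Translation exception (NAT 0 ACL): 'permit' = Do not translate, 'deny' = Translate."""
    action: str
    source: str
    destination: str
    interface: str


@dataclass
class StaticRule:
    """proto 'ip' is a host-based static; 'tcp'/'udp' is a port-based static (PAT).
    A destination other than 'any' makes it a static policy rule."""
    interface: str
    original: str
    translated: str
    proto: str = "ip"
    original_port: int = 0
    translated_port: int = 0
    destination: str = "any"


@dataclass
class DynamicRule:
    """Dynamic NAT from an address pool; a destination or service other than
    'any' makes it a dynamic policy NAT rule. service = (protocol, destination port)."""
    interface: str
    original: str
    pool: tuple
    destination: str = "any"
    service: tuple = ("ip", 0)


class Translator:
    def __init__(self, nat0, statics, dynamics):
        self.nat0 = list(nat0)                                          # table order, first match wins
        self.statics = sorted(statics, key=lambda s: s.proto != "ip")   # host-based first
        self.dynamics = sorted(dynamics, key=lambda d: d.destination == "any" and d.service == ("ip", 0))
        self.xlates = {}                                                # (rule index, original ip) -> global ip

    def translate(self, interface, src, sport, dst, dport, proto):
        """Return (kind, translated source address, translated source port) for one packet."""
        for r in self.nat0:
            if r.interface == interface and matches(src, r.source) and matches(dst, r.destination):
                if r.action == "permit":
                    return ("exempt", src, sport)   # bypasses every other translation rule
                break                               # Translate: consult the other rule types
        for s in self.statics:
            if s.interface != interface or not matches(src, s.original) or not matches(dst, s.destination):
                continue
            if s.proto == "ip":
                return ("static", s.translated, sport)
            if s.proto == proto and s.original_port == sport:
                return ("static-pat", s.translated, s.translated_port)
        for idx, d in enumerate(self.dynamics):
            if d.interface != interface or not matches(src, d.original) or not matches(dst, d.destination):
                continue
            if d.service != ("ip", 0) and d.service != (proto, dport):
                continue
            key = (idx, src)
            if key not in self.xlates:                      # one global address per local host
                in_use = {g for (i, _), g in self.xlates.items() if i == idx}
                free = [g for g in d.pool if g not in in_use]
                if not free:
                    return ("pool-exhausted", None, None)   # no global address left in this pool
                self.xlates[key] = free[0]
            return ("dynamic", self.xlates[key], sport)
        return ("no-translation", None, None)


def build_example():
    """Constructed rule set (documentation address ranges), not from any real device."""
    nat0 = [
        Nat0Rule("deny", "10.1.1.5", "10.2.0.0/16", "inside"),      # this host is still translated
        Nat0Rule("permit", "10.1.1.0/24", "10.2.0.0/16", "inside"),  # rest of the subnet is exempt
    ]
    statics = [
        StaticRule("inside", "10.1.1.6", "209.165.201.6", "tcp", 80, 8080),  # port-based, listed first
        StaticRule("inside", "10.1.1.5", "209.165.201.5"),                  # host-based
    ]
    dynamics = [
        DynamicRule("inside", "10.1.1.0/24", ("209.165.201.10", "209.165.201.11")),
        DynamicRule("inside", "10.1.1.0/24", ("209.165.201.20",), "198.51.100.0/24", ("tcp", 25)),
    ]
    return Translator(nat0, statics, dynamics)
```

The two NAT 0 ACL entries show why table order matters: the deny entry for 10.1.1.5 is listed first, so that host is translated by its static rule even though the permit entry that follows would otherwise exempt it.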

Inserting or Editing a NAT 0 ACL Rule


Note If you previously enabled the Identity Address Translation Rules feature, also called auto-identity NAT, and you are now using NAT 0 ACL rules, the auto-identity NAT feature is automatically disabled.



Step 1 Select Configuration > Translation Rules > Translation Exception Rules (NAT 0 ACL) > [Mandatory or Default].

The respective Translation Exception Rules (NAT 0 ACL) page appears.

Step 2 Using the object selector, select the scope (if not already selected) to identify the device or device groups to which the rules apply.


Note The Object bar displays the last scope that was selected under the Configuration tab.


Step 3 Do one of the following:

To add a row, click Insert.

To paste a row that has been cut or copied to the clipboard, select the check box above which to add a new row, then click Paste.

To edit a row, select the appropriate check box, then click Edit.

To view all NAT 0 rule tables (mandatory and default) from Global down to the current scope, click View All.

A page appears from which you can print the tables.

Step 4 Verify that the Enable rule check box is selected.

Step 5 Select the action.

Do not translate—Traffic is exempt from all other translation rules. Equates to "permit."

Translate—Traffic is not exempt from the other translation rules. Equates to "deny."

Step 6 Enter the source addresses or click Select to display a list of defined objects.

a. Select the available objects, then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

You are returned to the NAT 0 ACL popup window.

Step 7 Enter the destination addresses or click Select to display a list of defined objects.

a. Select the available objects, then click Select =>.

The objects are moved to the Selected Objects column.

b. Click OK.

You are returned to the NAT 0 ACL popup window.

Step 8 Select the source interface from the list. The list displays all interfaces defined at the current scope.

Step 9 Enter the traffic direction.

Outbound—Packets entering on an interface with a higher security level and leaving on an interface with an equal or lower security level.

Inbound—Packets entering on an interface with a lower security level and leaving on an interface with a higher security level.

Step 10 Enter an optional description.

Step 11 Click OK.

Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 12-6 describes the elements on the NAT 0 ACL Rules page.

Table 12-6 NAT 0 ACL Rules 

Element
Description

Enable rule check box

Enables No NAT rules.

When you select the Enable rule check box during rule configuration, the rule is shown as true in the rules table in the Enabled column.

Action

Do not translate—Traffic is exempt from all other translation rules. Equates to "permit."

Translate—Traffic is not exempt from the other translation rules. Equates to "deny."

Source Address(es)

Source network object¹ names or addresses of hosts that are subject to filtering. Multiple entries are separated by commas.

Note If you are configuring a rule, you can click Select to open a popup window from which to make your selection.

Destination Address(es)

Destination network object¹ names or addresses of hosts that are subject to filtering. Multiple entries are separated by commas.

Note If you are configuring a rule, you can click Select to open a popup window from which to make your selection.

Source Interface

Interface from which traffic originates.

Note If you are configuring a rule, a list displays all interfaces defined at the current scope.

Traffic Direction

Options are relative to the source interface:

Outbound—Packets enter on an interface with a higher security level and leave on an interface with an equal or lower security level.

Inbound—Packets enter on an interface with a lower security level and leave on an interface with a higher security level.

Description

Optional user-defined description that identifies the NAT 0 ACL rule.

¹ Network objects are defined in Building Blocks. Select Configuration > Building Blocks > Network Objects. See Defining Network Objects, page 10-9.


Deleting a NAT 0 ACL Rule


Step 1 Select Configuration > Translation Rules > Translation Exception Rules (NAT 0 ACL) > [Mandatory or Default].

The respective Translation Exception Rules (NAT 0 ACL) page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The selected rule is removed from the table, and the information is removed from the assigned firewall device configuration files when they are deployed.


Viewing Translation Rules

Select Configuration > Translation Rules > View All Translations to display the complete set of translation rules in evaluation order. The view represents the selected scope and above in the hierarchy, similar to the Configuration > Device Settings > View All feature. For static rules, all host-based static rules from all hierarchy levels are displayed before the port-based static rules.


Note Policy NAT rules are not displayed if you have not selected the Enable Policy NAT Rules Definition check box on the Configuration > MC Settings > Management page.