
Example 8-2 Configuration of the Primary PIX Device (Continued)

failover ip address failover 192.168.254.2
failover ip address unused 192.168.253.2
!The failover link command specifies which interface will be used to carry the
!state information to the standby PIX in case of a failover
failover link failover
failover poll 15
arp timeout 14400
global (outside) 1 209.165.201.3 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 209.165.201.5 eq 80
access-list acl_out permit icmp any any
access-group acl_out in interface outside
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip failover passive
no rip failover default
route outside 0.0.0.0 0.0.0.0 209.165.201.4 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
telnet timeout 5
terminal width 80

This case study shows a way of using the alias command to deliver the result discussed in the section "NAT on the Destination IP Addresses."

Example 8-3 provides a complete configuration for setting up the PIX Firewall to use the alias feature to achieve this result.

Consider a web server. If the web server and the client trying to access it are on the same PIX interface, the normal way of configuring the alias command (alias <name of the interface on which the server and client are located> <RFC 1918 address of the server> <statically translated address of the server>) works fine. The alias command doctors the DNS server's response for the name of the web server so that the client uses the server's private IP address to connect to it; because client and server share a segment, that traffic never has to cross the PIX.

However, problems arise when the web server sits on a subnet connected to a different PIX interface than the client. In that case, the normal way of configuring the alias command does not work. When the client sends a packet to the web server's private IP address (the address handed to it in the DNS reply the PIX doctored), the PIX translates the destination back into the web server's public, globally routable address and routes the packet out the outside interface. This is incorrect, because the web server is not located on the public network but on a DMZ segment.

The way to fix this problem is to reverse the IP addresses configured in the alias command, as demonstrated in Example 8-3. Because of the reversal, the PIX no longer rewrites the DNS response, since the answer no longer matches the alias entry. However, when the client sends a packet to the web server's globally routable address, the PIX dutifully changes the destination address to the web server's private address and then sends the packet out the interface on which the web server is located.

Figure 8-14 shows the network topology for this case study.

Figure 8-14 Network Topology for This Case Study

[Figure 8-14 (diagram not reproduced): Web Server 192.168.10.5 on 192.168.10.0/24 behind Int2 (192.168.10.1); Client 10.51.8.100 on 10.0.0.0/8 behind Int3 (10.51.8.1); Inside Interface 192.168.5.1 on 192.168.5.0/24; Outside Interface 172.17.241.155.]

Example 8-3 Configuring the PIX Firewall to Use the Alias Feature

pixfirewall# wr t
PIX Version 5.2(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
!The access list that follows is used to allow access to the web server
access-list 101 permit tcp any host 172.17.241.250 eq www
access-list 101 permit icmp any any
no pager
ip address outside 172.17.241.155 255.255.255.0
ip address inside 192.168.5.1 255.255.255.0
ip address intf2 192.168.10.1 255.255.255.0
ip address intf3 10.51.8.1 255.0.0.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
arp timeout 14400
!The command below sets up a global pool of one address for doing port address
!translation. The IP address used is the IP address of the outside interface
!itself. This is another way of defining a global pool of addresses.
global (outside) 1 interface
global (intf2) 1 192.168.5.101-192.168.5.200
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
nat (intf3) 1 10.51.8.1 255.255.255.0 0 0

Example 8-3 Configuring the PIX Firewall to Use the Alias Feature (Continued)

!This static command is used to allow users on the public network to access the
!web server using its globally routable address
static (intf2,outside) 172.17.241.250 192.168.10.5 netmask 255.255.255.255 0 0
!Please note how the alias command is configured. The normal way of configuring
!the alias command is as follows:
! alias (inside) 192.168.10.5 172.17.241.250 255.255.255.255
!Generic syntax:
! alias (interface) dnat_ip foreign_ip mask
!As you can see, the addresses have been swapped due to reasons explained above
alias (inside) 172.17.241.250 192.168.10.5 255.255.255.255
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
route outside 0.0.0.0 0.0.0.0 172.17.241.200 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
!The default read community string "public" is left in place in this example;
!change it, or disable SNMP, before using this configuration in production.
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet timeout 5
ssh timeout 5
terminal width 80
: end

Here is an explanation of the flow of events in Example 8-3:

Step 1 The client on the inside sends a DNS query to a DNS server.

Step 2 The DNS server responds with the IP address 172.17.241.250. The response passes through the PIX unchanged, because 172.17.241.250 is not the foreign_ip of the alias entry.

Step 3 The inside client tries to access 172.17.241.250 and sends a packet with this IP address as the destination to the PIX Firewall. Because 172.17.241.250 is the dnat_ip of the alias entry, the PIX performs destination address translation and sends the packet out intf2 to 192.168.10.5, which is the web server.

If the alias command were configured in the normal fashion:

alias (inside) 192.168.10.5 172.17.241.250 255.255.255.255

the following would have been the sequence of events:

Step 1 The client on the inside sends a DNS query to a DNS server.

Step 2 The DNS server responds with the IP address 172.17.241.250. The PIX alters this response to 192.168.10.5 because of the alias command.

Step 3 The inside client tries to access 192.168.10.5 and sends a packet with this IP address as the destination to the PIX Firewall. Because of the alias command, the PIX does not simply forward the packet to intf2. It performs destination address translation on the packet, changing the destination to 172.17.241.250, and sends it out the outside interface.

Step 4 The connection fails: 172.17.241.250 lies in the same subnet as the PIX outside interface, so the PIX treats it as a directly connected host and tries to deliver the packet on the outside segment, where no such host exists.
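The following model, added here as an illustration and not code from the book or from Cisco, reproduces the two effects the text attributes to alias (interface) dnat_ip foreign_ip mask: rewriting of a DNS answer that matches foreign_ip on its way to the alias interface, and destination NAT of packets received on that interface whose destination is dnat_ip, followed by connected-subnet routing with a default route out the outside interface. The interfaces, addresses and hosts are those of Example 8-3 and Figure 8-14; the class and function names (PixModel, normal_case, reversed_case, same_segment_case) are assumptions of this example. It walks through all three situations the text describes: the same-segment case where the normal alias works, the cross-interface case where the normal alias sends the packet out the outside interface and fails, and the reversed alias of Example 8-3 that delivers the packet to intf2.

```python
"""Model of what the PIX alias command does, as described in this case study.

Added illustration, not PIX code. It reproduces only the two effects the text
attributes to  alias (interface) dnat_ip foreign_ip mask:
  1. DNS doctoring: an A-record answer equal to foreign_ip that is headed
     toward the alias interface is rewritten to dnat_ip, and
  2. destination NAT: a packet arriving on the alias interface whose
     destination is dnat_ip has that destination rewritten to foreign_ip,
followed by route selection (connected subnet first, else the default route).
Interfaces, addresses and hosts are those of Example 8-3 / Figure 8-14.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass(frozen=True)
class Alias:
    """alias (interface) dnat_ip foreign_ip"""
    interface: str
    dnat_ip: IPv4Address
    foreign_ip: IPv4Address


class PixModel:
    def __init__(self, interfaces, hosts, aliases, default_gw):
        self.interfaces = {n: ip_network(s) for n, s in interfaces.items()}  # name -> subnet
        self.hosts = {ip_address(a): i for a, i in hosts.items()}            # real host -> interface
        self.aliases = list(aliases)
        self.default_gw = ip_address(default_gw)

    def doctor_dns(self, client_if, answer):
        """Effect 1: rewrite an A-record answer on its way to client_if."""
        answer = ip_address(answer)
        for a in self.aliases:
            if a.interface == client_if and answer == a.foreign_ip:
                return a.dnat_ip
        return answer

    def dnat(self, ingress_if, dst):
        """Effect 2: rewrite the destination of a packet received on ingress_if."""
        dst = ip_address(dst)
        for a in self.aliases:
            if a.interface == ingress_if and dst == a.dnat_ip:
                return a.foreign_ip
        return dst

    def route(self, dst):
        """Connected subnet wins; anything else follows the default route."""
        for name, net in self.interfaces.items():
            if dst in net:
                return name, dst          # deliver to the host itself on that segment
        return "outside", self.default_gw

    def forward(self, ingress_if, dst):
        new_dst = self.dnat(ingress_if, dst)
        egress, next_hop = self.route(new_dst)
        if next_hop == new_dst:
            # Directly connected: delivery only works if that host really sits there.
            delivered = self.hosts.get(new_dst) == egress
        else:
            delivered = True              # handed to the upstream router
        return new_dst, egress, delivered

    def connect(self, client_if, dns_answer):
        """Client resolves the web server's name, then sends a packet to the answer."""
        resolved = self.doctor_dns(client_if, dns_answer)
        if resolved in self.interfaces[client_if]:
            # Same segment as the client: the packet never reaches the PIX.
            return {"resolved": str(resolved), "sent_to": str(resolved),
                    "egress": None, "delivered": self.hosts.get(resolved) == client_if}
        sent_to, egress, ok = self.forward(client_if, resolved)
        return {"resolved": str(resolved), "sent_to": str(sent_to),
                "egress": egress, "delivered": ok}


WEB_PUBLIC = ip_address("172.17.241.250")   # globally routable address returned by DNS
WEB_PRIVATE = ip_address("192.168.10.5")    # web server on intf2


def build_pix(alias):
    return PixModel(
        interfaces={"outside": "172.17.241.0/24", "inside": "192.168.5.0/24",
                    "intf2": "192.168.10.0/24", "intf3": "10.0.0.0/8"},
        hosts={str(WEB_PRIVATE): "intf2", "172.17.241.200": "outside"},  # server, next-hop router
        aliases=[alias],
        default_gw="172.17.241.200",
    )


def normal_case():
    """alias (inside) 192.168.10.5 172.17.241.250: client on inside, server on intf2."""
    return build_pix(Alias("inside", WEB_PRIVATE, WEB_PUBLIC)).connect("inside", WEB_PUBLIC)


def reversed_case():
    """alias (inside) 172.17.241.250 192.168.10.5: the Example 8-3 configuration."""
    return build_pix(Alias("inside", WEB_PUBLIC, WEB_PRIVATE)).connect("inside", WEB_PUBLIC)


def same_segment_case():
    """Normal alias on intf2 with client and server both on intf2: the case that just works."""
    return build_pix(Alias("intf2", WEB_PRIVATE, WEB_PUBLIC)).connect("intf2", WEB_PUBLIC)


if __name__ == "__main__":
    for name, fn in [("normal", normal_case), ("reversed", reversed_case), ("same segment", same_segment_case)]:
        print(f"{name:12s} {fn()}")
```

Running it shows the normal alias resolving the name to 192.168.10.5, translating the packet back to 172.17.241.250 and sending it out the outside interface undelivered, while the reversed alias leaves the DNS answer alone and delivers the translated packet on intf2. Two caveats carry over to real PIX deployments: the DNS reply must actually traverse the PIX on the alias interface for the doctoring to happen at all, and alias is specific to these older PIX releases; from PIX 6.2 onward the same DNS rewriting is done with the dns keyword on static and nat, and the alias command is deprecated.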
