Book Excerpt: Cisco Secure Internet Security Solutions, part 2 - Page 3

By Cisco Press | Posted Sep 14, 2001

Assigning IP Addresses
The next two lines assign an IP address and subnet mask to the inside and outside interfaces. The words inside and outside are used here because those are the names assigned to the interfaces with the nameif command; substitute whatever name you have given to the interface in question. The IP addresses on each interface must reside on different subnets.

The full ip address command follows:

 ip address interface_name ip_address subnet_mask

global Command
One of the strengths of the PIX Firewall is its ability to support NAT and PAT. The global command, in conjunction with the nat command, is used to assign the IP addresses that packets receive as they cross the interface. The global command defines a pool of global addresses. This pool provides an IP address for each outbound connection and for inbound connections resulting from these outbound connections. Whether NAT or PAT is used depends on how the global command is used. If you are connecting to the Internet, the global addresses should be registered. Nonroutable IP addresses are used here for illustrative purposes only. Using routable IP addresses becomes a vital consideration when using VPNs that terminate on the PIX Firewall, because without a routable IP address the VPN will never travel over the Internet. The syntax for the global command follows:

 global [(interface_name)] nat_id global_ip[-global_ip] [netmask global_netmask]
The interface_name is the name assigned with the nameif command. The nat_id is an integer. The nat_id must match the number used in the nat command. Although almost any number can be used (as long as the number is consistent between the global and nat commands), the number 0 is reserved for special cases. The use of 0 is covered in the section "nat Command."

The global-ip can take one of two forms. The form chosen determines whether NAT or PAT is used. If PAT is to be used, enter a single IP address. All packets from all hosts will receive this address as they cross the interface. If NAT is to be used, enter an address range for the IP addresses to be seen from the outside. For example, if you wish to use the single address of 192.10.10.1, you would enter the following:

 global (outside) 1 192.10.10.1 netmask 255.255.255.0
If, on the other hand, you wish to use NAT and use a whole Class C subnet, you would enter the following:
 global (outside) 1 192.10.10.1-192.10.10.254 netmask 255.255.255.0
You could also use more than a Class C network by adjusting the IP addresses entered and the subnet mask. The following example uses a 23-bit subnet mask and allows you to use all IP addresses between 192.10.10.1 and 192.10.11.254. When an address range overlaps subnets, the broadcast and network addresses are not used by the global command.
 global (outside) 1 192.10.10.1-192.10.11.254 netmask 255.255.254.0
When you want to use PAT, you use a single address instead of a range. PAT supports up to 65,535 concurrent translations. There are some limitations in the use of PAT. For example, PAT cannot be used with H.323 and multimedia applications: these applications expect to be able to assign certain ports within the application, and because the ports are changed when using PAT, they fail. PAT also does not work in conjunction with the established command. As in the basic configuration, the following line sets a single IP address:
 global (outside) 1 192.168.1.100 netmask 255.255.255.0
The use of the global command requires reverse DNS PTR entries to ensure that external network addresses are accessible through the PIX Firewall. Without these PTR entries, you will see slow or intermittent Internet connectivity and File Transfer Protocol (FTP) requests consistently failing. DNS servers on a higher security level needing updates from a name server on an outside interface must use the static command, which will be explained in the "Realistic Configuration" section (part 3).

The subnet mask should match the subnet mask on the network segment. Use the ranges of IP addresses to limit the hosts used, not the subnet mask. In more advanced configurations later in this chapter, you will see how to use NAT and PAT together and how to use multiple global ranges.
