PIX's Security Level Confusion.

kengyiam (Level 1)

Hi guys,

I have done some searching on the Internet to learn more about the PIX's security level function, but in vain.

Can you guys advise me on what this security level 100 or 0 is all about? Do I need to set all my inside interfaces to 100 while outside to 0? If that's the case, my internal systems can't access the outside network since they are of different security levels.

Last question here. I have a router with 2 ints: fa0/0 (connects to the ISP, 100.100.100.2) and fa0/1 (connects to an inside PIX, 10.2.1.1). My PIX outside int address is 10.2.1.2 (connects to the router's fa0/1) and its ethernet1 address is 192.168.1.1. This router will do NAT on behalf of my internal network.

My problem is, do I need to do NAT on the PIX to get my 192.168.1.0 network translated to 10.2.1.2 when accessing the Internet? From there on, the router will translate the NATed addresses to public addresses using its NAT again. In this way, it's a double NAT process. Is this method feasible? Is there any better method other than doing a double NAT?

Please kindly advise me on my 2 doubts. :)

Thank you so much in advance.

Accepted Solution

pkhatri (Level 11)

Hi,

The use of security levels indicates the relative security of the interface to the PIX. A higher security level means that the interface is to be treated with a high degree of security while a lower security level means that the interface connects to a less trusted network. In general, you would consider your internal LAN interface as 100, your DMZ segments as something between 0 and 100 and the internet-facing interface as 100.

Devices connecting to high-security interfaces can initiate connections to low-security interfaces with the use of 'nat' and 'global' commands - you can choose not to use NAT. For devices in lower-security interfaces to communicate with devices in higher-security interfaces, you have to allow access through an access-list and a static statement.

In your setup, if the router is already doing NAT there is absolutely no reason to NAT on the PIX as well. Just configure your router NAT source addresses from the 192.168.1.0/24 and you should be fine.

On your PIX, configure the following:

nat (inside) 0 192.168.1.0 255.255.255.0 0 0

That will tell the PIX not to NAT these addresses.

Hope that helps - pls rate the post if it does.

Paresh

5 Replies

Hi Paresh,

"Devices connecting to high-security interfaces can initiate connections to low-security interfaces with the use of 'nat' and 'global' commands - you can choose not to use NAT. For devices in lower-security interfaces to communicate with devices in higher-security interfaces, you have to allow access through an access-list and a static statement"

In the above statement, you mentioned that I can initiate from a higher security level to a lower security level through nat and global, but I can choose not to use NAT too? Is there any way to show me an example? I must admit that I'm a newbie in PIX OS commands. haha. Do I need to write firewall rules to allow these high2low connections?

As for a lower security level interface initiating a connection to a higher security level interface, all I have to do is write rules to allow the traffic to pass through? Is that what you mean?

Thank you again.

Example 1 - sessions initiated from inside to outside with NAT

nat (inside) 1 10.1.1.0 255.255.255.0

global (outside) 1 202.1.1.0 netmask 255.255.255.0

In this case, the 10.1.1.0/24 addresses will be NAT'ed to 202.1.1.0/24 and allowed out...

Example 2 - sessions initiated from inside to outside without NAT

nat (inside) 0 10.1.1.0 255.255.255.0

In this case, the 10.1.1.0/24 addresses will not be NATed at all but will be allowed to initiate connections to the outside network.

Example 3 - sessions initiated from outside to inside

access-list ACL_In permit tcp any host 202.1.1.1

static (inside, outside) 202.1.1.1 10.1.1.1 netmask 255.255.255.255

In this case, connections from outside to inside host 202.1.1.1 will be admitted and the 202.1.1.1 address will be NATed to 10.1.1.1

Pls do remember to rate posts.

Paresh

Hi Paresh,

Thank you so much. I will try to test with your advice soon. Cool man.

Note: You need to know that a higher security level can always access the lower security levels if there is no access-list on the interface.

A lower level such as the outside interface needs to have an access-list to connect to any higher security level interface, for example to access a web or mail server on a DMZ interface. Without any access-list all traffic is dropped.

Same security level interfaces, for example two DMZ interfaces cannot talk to each other.

Have you seen this guide?

Establishing Connectivity:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

Cisco wrote:

Multiple Interfaces and Security Levels

All PIX Firewalls provide at least two interfaces, which by default, are called outside and inside, and are assigned a security level of 0 and 100, respectively. A lower security level indicates that the interface is relatively less protected than the higher security level. Typically, the outside interface is connected to the public Internet, while the inside interface is connected to your private network and is protected from public access.

Many PIX Firewall models provide up to eight interfaces, to let you create one or more perimeter networks, also called bastion networks or demilitarized zones (DMZs). A DMZ is a network that is more secure than the outside interface but less secure than the inside interface. You can assign security levels to your perimeter networks from 0 to 100. Typically, you put mail servers or web servers that need to be accessed by users on the public Internet in a DMZ to provide some protection, but without jeopardizing the resources on your internal network.

Getting started guide:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html#wp1033192

Sincerely,

Patrick
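To make the admission rules from Paresh's three examples and Patrick's note concrete, here is a constructed Python model of how a PIX decides whether a new connection is permitted. It is an added illustration, not Cisco code and not anything posted in this thread; it assumes a simplified PIX 6.x behaviour (one access-list bound per interface, no same-security-traffic permit) and uses the addresses from the thread plus constructed hosts in the documentation ranges.

```python
import ipaddress

class Pix:
    """Constructed model of how a PIX 6.x admits a new connection (not Cisco code)."""

    def __init__(self, levels):
        self.levels = levels   # e.g. {"inside": 100, "dmz": 50, "outside": 0}
        self.nat = []          # (iface, nat_id, network) from 'nat' lines
        self.pools = {}        # (iface, nat_id) -> pool from 'global' lines
        self.statics = []      # (high_if, low_if, global_ip, local_ip) from 'static'
        self.acls = {}         # iface -> [(proto, dst_ip)] from access-list/access-group

    def check(self, src_if, src_ip, dst_if, dst_ip, proto="tcp"):
        """Return (verdict, source as seen by dst_if, real destination)."""
        src_lvl, dst_lvl = self.levels[src_if], self.levels[dst_if]
        # An access-list bound to the ingress interface ends in an implicit deny.
        if src_if in self.acls and (proto, dst_ip) not in self.acls[src_if]:
            return ("denied: access-list on " + src_if, None, None)
        if src_lvl == dst_lvl:
            return ("denied: same security level", None, None)
        if src_lvl > dst_lvl:
            # High to low: a matching 'nat' is needed; id 0 means no translation.
            src = ipaddress.ip_address(src_ip)
            for iface, nat_id, net in self.nat:
                if iface == src_if and src in ipaddress.ip_network(net):
                    if nat_id == 0:
                        return ("allowed, no NAT", src_ip, dst_ip)
                    pool = self.pools.get((dst_if, nat_id))
                    if pool is None:
                        return ("denied: no global for nat id %d on %s" % (nat_id, dst_if), None, None)
                    return ("allowed, NAT", pool, dst_ip)
            return ("denied: no nat rule", None, None)
        # Low to high: the packet must target a static's global address (ACL already passed).
        for high_if, low_if, gip, lip in self.statics:
            if (high_if, low_if, gip) == (dst_if, src_if, dst_ip):
                if src_if not in self.acls:
                    return ("denied: no access-list on " + src_if, None, None)
                return ("allowed via static", src_ip, lip)
        return ("denied: no static", None, None)

def build_thread_pix():
    """The accepted answer's nat 0 plus Paresh's examples 1-3, as one config."""
    pix = Pix({"inside": 100, "dmz": 50, "dmz2": 50, "outside": 0})  # dmz/dmz2 are constructed
    pix.nat.append(("inside", 0, "192.168.1.0/24"))   # nat (inside) 0 192.168.1.0 255.255.255.0 0 0
    pix.nat.append(("inside", 1, "10.1.1.0/24"))      # nat (inside) 1 10.1.1.0 255.255.255.0
    pix.pools[("outside", 1)] = "202.1.1.0/24"        # global (outside) 1 202.1.1.0 netmask ...
    pix.statics.append(("inside", "outside", "202.1.1.1", "10.1.1.1"))  # static (inside,outside) ...
    pix.acls["outside"] = [("tcp", "202.1.1.1")]      # access-list ACL_In permit tcp any host 202.1.1.1
    return pix
```

Running `build_thread_pix().check(...)` for inside-to-dmz traffic from 10.1.1.0/24 shows the classic gotcha: a `nat` with id 1 and no matching `global` on the DMZ interface is denied, even though inside is the higher security level.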
