The rule applied depend whether the traffic is part of an inbound or an outbound connection. A connection is inbound if its establishing packet passed from a lower to a higher security zone. A connection is outbound if its establishing packet passed from a higher to lower security zone.
At present, outside is the lowest security zone. Then in ascending order: public, lab and servers.
Each zone attaches to the PIX through one of its interfaces and is part of a separate Local Area Network. It is equivalent to speak of the public zone or the PIX's public interface, for instance. The outside zone attaches to the university backbone, and has an address inside the space of university backbone addresses - 220.127.116.11. The backbone sees the PIX as a router behind which lie all machines in the class C IP address block 18.104.22.168/24.
However, no machines of that address lie behind the PIX. Every other interface is assigned a network of the type known as private-local. These addresses are suppressed if found on the backbone and are therefore unroutable outside of the department. Access between these interfaces and the outside interface, and among inner interfaces, requires that the addresses be rewritten on passage from interface to interface. The control of which machines have rewritten addresses, and under what conditions a rewriting is allowed, is the key mechanism by which the PIX controls access between interfaces, and therfore, between zones.
To pass between interfaces, the PIX maintains a translation table in which it creates xlate slots. A xlate slot is (this is a simplified explanation) the four items:
(inner-interface, outer-interface) global-address, local-addresswhere the inner-interface is the interface serving the zone of higher security and is associated with the local-address; the outer-interface is the interface of serving the zone of lower security and is associated with the global-address.
Before a connection can be established between zones, a xlate slot must exist. Xlate slots are either allocated statically during the PIX configuration or they are created dynamically when needed. Outbound connections will use a static slot if it exists, but if not, an xlate slot can be created dynamically. Inbound connections must use a static xlate slot.
An inbound connection is a connection initiatiated by a packet coming from a lower security interface to a higher security interface. The xlate slot for such a connection must configured manually, it is static. If there is no matching xlate slot, the packet is dropped. Here is the configuration line creating the static xlate slot which permits access to our public server:
static (public,outside) 22.214.171.124 172.18.0.2An inbound connection can be established, where a packet with destination address of 126.96.36.199, arriving on the outside interface, will be forwarded to the public interface after rewriting the destination address to 172.18.0.2. Response packets will arrive at the public interface with source address 172.18.0.2. The source address will be rewritten to 188.8.131.52 and forward to the outside interface.
An outbound connection is a connection initiatiated by a packet on a higher security interface heading to a lower security interface. If a static xlate slot for an outbound connection does not exist staticly, a dynamic slot can be created. A pair of configuration lines allow the creation of dynamic xlate slots:
nat (lab) 2 0.0.0.0 0.0.0.0 0 0 global (outside) 2 184.108.40.206-220.127.116.11These lines permit any machine in the lab zone to connect outside the department. They say that packets entering the lab interface can leave the outside interface with new addresses chosen from the range 18.104.22.168-231.
An example machine, say 172.19.1.123, could create the following xlate slot on first attempting to connect outside the department:
(lab,outside) 22.214.171.124 172.19.1.123where the address 126.96.36.199 is arbitrarily chosen from the global block and persists for the host for some time, so that all connections from this host get the same renumbering. Packets traveling from the lab to the outside interface will have their source address rewritten from 172.19.1.123 to 188.8.131.52. Response packets returning from the outside to the lab interface will have their destination address rewritten from 184.108.40.206 to 220.127.116.11.
Once a connection is set up, packets for the connection flow unhindered, whichever way the packet passes through the PIX. Setting up a connection requires two steps:
ACL's (Access Lists) apply for both inbound and outbound connections. For inbound connections, it is the ACL of the lower security interface that rules; for outbound connections, the ACL of the higher security interface applies. In the previous example, we created a static xlate to offer the services of our public server to the outside world. A web request will find this xlate and then attempt to create a connection. This access list line allows that connection:
access-list acl_out permit tcp any host 18.104.22.168 eq wwwThe PIX provides several additional security services by examining the contents of connections. Also certain protocols write their IP addresses in to the body of the message. For these, the PIX must provide a fix-up, where it rewrites this embedded IP addresses as it does the header addresses. The most famous example of this is the FTP protocol.