
DFL-210/800/1600/2500 Training Material

DFL fundamental Part II

Created on 2007

©Copyright 2007. All rights reserved

Topic in NAT

• NAT behavior and DFL SAT & NAT
• Do we need a NAT rule in addition to SAT and Allow for the LAN?
• SAT Case Study: Things that NAT breaks

NAT – Source Address Translate

                 Inside                                          Outside
Packet1          Source: 192.168.1.100  Destination: 1.1.1.1    Source: 2.2.2.2  Destination: 1.1.1.1
Packet2 (reply)  Source: 1.1.1.1  Destination: 192.168.1.100    Source: 1.1.1.1  Destination: 2.2.2.2

The NAT router replaces the private address of the green PC (192.168.1.100) with a public routable address (2.2.2.2) on the way out, and restores it on the reply.

DFL – Source Address Translate


NAT – Destination Address Translate

                 Inside                                              Outside
Packet1          Source: 192.168.1.1  Destination: 172.16.90.91     Source: 2.2.2.2  Destination: 1.1.1.1
Packet2 (reply)  Source: 172.16.90.91  Destination: 192.168.1.1     Source: 1.1.1.1  Destination: 2.2.2.2

The NAT router is translating both the source and the destination address, in both directions: the client talks to 172.16.90.91, the server sees 2.2.2.2 talking to 1.1.1.1.

Gary Chuang: Virtual Server in reverse direction

DFL – Destination Address Translate

Orig. Dest.      SAT Dest.
--------------   ----------
172.16.90.1      1.1.1.1
172.16.90.2      1.1.1.2
172.16.90.3      1.1.1.3
....             ....
172.16.90.254    1.1.1.254

NAT – Dynamic NAT

In this NAT design, a pool of public IP addresses serves a private address range about 12 times as large:

  Inside source:  10.10.10.1-10.10.10.254 (254 total addresses)
  Outside source: 1.1.1.1-1.1.1.20 (20 total addresses), towards the Internet

Each inside host that opens a session borrows one pool address for as long as its mapping is alive; once all 20 are taken, further hosts cannot be translated until a mapping times out.

NAT - NAPT

                  Inside (before translation)          Outside (after translation)
Packet1           Source: 192.168.1.1    port 1026     Source: 2.2.2.2  port 1026
Packet2           Source: 192.168.1.101  port 1026     Source: 2.2.2.2  port 3000

By translating both the IP address and the associated port, PAT (NAPT) allows many hosts to use a single global address simultaneously. Both hosts here picked source port 1026; the first keeps it and the second is given 3000, so the firewall can tell the two reply streams apart.

DFL - NAPT
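The port-overloading table the NAPT slide describes, as an added Python example (not code from the D-Link training material): two inside hosts both send from source port 1026 through one public address; the first keeps its port, the second is re-mapped (to 3000, as on the slide), replies are mapped back through the same table, and a packet arriving at the public address with no mapping is dropped. The public address 2.2.2.2, the starting public port 3000 and keying each mapping on the destination as well are assumptions.

```python
"""Added example, not part of the D-Link material: a minimal NAPT table."""
import itertools
from dataclasses import dataclass

PUBLIC_IP = "2.2.2.2"       # the single global address from the slide


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """(inside ip, inside port, destination) -> (public ip, public port) and back."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=3000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # assumption: allocate upward from 3000
        self.out = {}    # (in_ip, in_port, dst_ip, dst_port) -> public port
        self.back = {}   # (public port, dst_ip, dst_port) -> (in_ip, in_port)

    def _alloc(self, wanted):
        """Keep the inside port when no other mapping uses it (packet 1 on the
        slide), otherwise hand out the next free port (packet 2 gets 3000)."""
        used = {p for (p, _, _) in self.back}
        if wanted not in used:
            return wanted
        for p in self._ports:
            if p not in used:
                return p

    def outbound(self, f: Flow) -> Flow:
        """Inside -> outside: rewrite source ip/port, creating a mapping if needed."""
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if key not in self.out:
            pub = self._alloc(f.src_port)
            self.out[key] = pub
            self.back[(pub, f.dst_ip, f.dst_port)] = (f.src_ip, f.src_port)
        return Flow(self.public_ip, self.out[key], f.dst_ip, f.dst_port)

    def inbound(self, f: Flow):
        """Outside -> inside: only a reply to an existing mapping gets through;
        anything else (a scan of the public address, for example) yields None."""
        key = (f.dst_port, f.src_ip, f.src_port)
        if f.dst_ip != self.public_ip or key not in self.back:
            return None
        in_ip, in_port = self.back[key]
        return Flow(f.src_ip, f.src_port, in_ip, in_port)
```

The table is keyed on the remote endpoint too, so only the host that was contacted can send a reply back in; a full-cone NAT keys on the inside address and port alone and lets any outside host reach the mapped port, which is the weaker choice.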

Do we need a NAT rule in addition to SAT and Allow for the LAN?

Scenario: LAN user to web server (SAT & NAT)

Do we need a NAT rule in addition to SAT and Allow for the LAN? The rule set under test:

#  Name             Action   Source Int  Source Net       Destination Int  Destination Net  Service   SAT parameter
1  SAT_Web_In       SAT      any         all-nets         core             wan_ip           http-in   SAT_Dest: Websrv_priv_ip
2  SAT_Web_Out      SAT      lan         Websrv_priv_ip   any              all-nets         80 > all  SAT_Src: wan_ip
3  FwdFast_Web_Out  FwdFast  lan         Websrv_priv_ip   any              all-nets         80 > all
4  Fwd_Web_In       FwdFast  wan1        all-nets         core             wan_ip           http-in
5  NAT_lan_Web_In   NAT      lan         lannet           core             wan_ip           http-in

Do we need a NAT rule in addition to SAT and Allow for the LAN?

DFL:/> rules -v
Contents of ruleset; default action is DROP
#  Act.   Source                 Destination            Protocol/Ports
-- -----  ---------------------- ---------------------- --------------
1  SAT    *:0.0.0.0/0            core:1.2.3.4           "http-in"      "SAT_webIn"         SETDEST 172.31.31.200  Use: 5
2  SAT    lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "SAT_webOut"        SETSRC 1.2.3.4:80      Use: 4
3  FwdFa  lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "Allow_SAT_webOut"                         Use: 4
4  FwdFa  wan1:0.0.0.0/0         core:1.2.3.4           "http-in"      "Allow_SAT_webIn"                          Use: 5
5  NAT    lan:172.31.31.0/24     core:1.2.3.4           "http-in"      "NAT_lan-core_wan"                         Use: 0

External traffic to the internal web server (SAT & FwdFast)

TCP exchange between the external client (A) and the web server (B), as drawn on the slide:

A -> B  SYN
A <- B  SYN,ACK
A -> B  ACK
A -> B  request (GET)
A <- B  response (request has succeeded)
A -> B  FIN,ACK
A <- B  ACK
A <- B  FIN,ACK
A -> B  ACK


Do we need a NAT rule in addition to SAT and Allow for the LAN?

DFL:/> rules -v
Contents of ruleset; default action is DROP
#  Act.   Source                 Destination            Protocol/Ports
-- -----  ---------------------- ---------------------- --------------
1  SAT    *:0.0.0.0/0            core:1.2.3.4           "http-in"      "SAT_webIn"         SETDEST 172.31.31.200  Use: 1
2  SAT    lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "SAT_webOut"        SETSRC 1.2.3.4:80      Use: 0
3  FwdFa  lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "Allow_SAT_webOut"                         Use: 0
4  FwdFa  wan1:0.0.0.0/0         core:1.2.3.4           "http-in"      "Allow_SAT_webIn"                          Use: 0
5  NAT    lan:172.31.31.0/24     core:1.2.3.4           "http-in"      "NAT_lan-core_wan"                         Use: 1

Internal traffic to the internal web server (SAT & NAT)

The Use counters answer the question. An external client increments rules 1 and 4 (SAT plus FwdFast); a LAN client increments rules 1 and 5 (SAT plus NAT). The NAT rule is what makes the LAN case work: besides the SAT rewrite of the destination to the server's private address, it rewrites the client's source to wan_ip, so the server answers the firewall and the reply is translated back. With a plain Allow instead, the server would see the LAN client's own address and answer it directly across the LAN; the client, which sent to wan_ip, would discard a reply coming from the private address and the connection would never complete.
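The NetDefendOS lookup semantics behind the Use counters above, as an added Python example (not the page's or D-Link's code): a SAT rule translates but does not end the lookup, and the next matching rule, evaluated against the untranslated packet, decides what happens. Only the three inbound rules (1, 4 and 5) are modelled; rules 2 and 3, which match the server's outgoing connections by source port 80, are left out. The external client 203.0.113.9 and the LAN client 172.31.31.10 are constructed addresses.

```python
"""Added example, not part of the D-Link material: SAT + second-rule lookup."""
import ipaddress
from dataclasses import dataclass, replace

LAN_NET = ipaddress.ip_network("172.31.31.0/24")
WAN_IP = "1.2.3.4"             # wan_ip, an address owned by the firewall ("core")
WEBSRV = "172.31.31.200"       # Websrv_priv_ip


@dataclass
class Pkt:
    in_iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str       # SAT, FwdFast, Allow, NAT or Drop
    src_iface: str    # "any", "lan" or "wan1"
    src_net: str      # CIDR
    dst_iface: str    # "any" or "core" (firewall-owned addresses)
    dst_net: str
    dport: int
    sat: tuple = None  # ("SETDEST", ip) or ("SETSRC", ip) on SAT rules


def matches(r: Rule, p: Pkt) -> bool:
    return (r.src_iface in ("any", p.in_iface)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src_net)
            and (r.dst_iface == "any" or (r.dst_iface == "core" and p.dst == WAN_IP))
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst_net)
            and r.dport == p.dport)


def evaluate(rules, p: Pkt):
    """Top-down lookup. Returns (final action, packet after translation, rules hit).
    Every rule is matched against the ORIGINAL packet, also the ones after a SAT."""
    out, hit = replace(p), []
    for r in rules:
        if not matches(r, p):
            continue
        hit.append(r.name)
        if r.action == "SAT":
            kind, ip = r.sat
            out = replace(out, dst=ip) if kind == "SETDEST" else replace(out, src=ip)
            continue                      # SAT only translates; keep looking
        if r.action == "NAT":             # NAT additionally hides the source behind wan_ip
            out = replace(out, src=WAN_IP)
        return r.action, out, hit
    return "Drop", out, hit               # default action of the rule set


RULES = [
    Rule("SAT_webIn", "SAT", "any", "0.0.0.0/0", "core", WAN_IP + "/32", 80, ("SETDEST", WEBSRV)),
    Rule("Allow_SAT_webIn", "FwdFast", "wan1", "0.0.0.0/0", "core", WAN_IP + "/32", 80),
    Rule("NAT_lan-core_wan", "NAT", "lan", str(LAN_NET), "core", WAN_IP + "/32", 80),
]


def reply_returns_via_firewall(translated: Pkt) -> bool:
    """The server answers whatever source it saw. If that is a LAN address the
    reply goes straight to the client and bypasses the firewall, which is why
    the hairpin case needs NAT rather than a plain Allow."""
    return ipaddress.ip_address(translated.src) not in LAN_NET
```

Run evaluate() on the same LAN packet with the NAT rule removed to see the default Drop, and with it replaced by an Allow to see the asymmetric path that reply_returns_via_firewall() flags.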

Case Study: Things that NAT breaks

Things that NAT breaks

1) Protocols that cryptographically require the addresses to be unaltered
   (e.g. IPsec, Kerberos 4/5). IPsec AH covers the IP header and fails outright; ESP survives only with NAT traversal (UDP encapsulation).

2) Protocols that carry IP addresses inside the data portion
   (e.g. H.323, SNMP, RSVP, FTP ...). The header is translated but the embedded address is not, unless an ALG rewrites it.

3) Applications that require pre-set or negotiated source/destination port values
   (e.g. Rlogin, TFTP). NAPT may change the source port, and a TFTP server answers from a new port rather than the one the request went to.

Things that NAT breaks

FTP active mode with the FTP server outside: the client announces its own private address and port in the PORT command, so the server's data connection back to that address cannot be delivered.

FTP passive mode with the FTP server inside: the server announces its private address in the 227 (Entering Passive Mode) reply, so the external client tries to open the data connection to an unroutable address.

FTP passive mode with the FTP server inside and the FTP ALG: the ALG rewrites the embedded address and port in the control channel and opens the data connection it announces, so the transfer works through NAT.

Hands-on: NAT ALG and Second IP
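The three FTP cases above, as an added Python example (not code from the training material): what an FTP ALG does to the PORT command and to the 227 reply, and the pinhole it opens for the announced data connection. The public address 2.2.2.2, the port range starting at 40000 and the single-use pinhole are assumptions; refusing a PORT that names a host other than the control connection's own client is the standard defence against the FTP bounce attack.

```python
"""Added example, not part of the D-Link material: the FTP ALG's two rewrites."""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _unpack(groups):
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256+p2)."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _pack(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    """Rewrites addresses embedded in the FTP control channel and opens a
    one-shot pinhole for each data connection that was announced."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port      # assumption: public data ports from 40000 up
        self.pinholes = {}               # (public ip, public port) -> (private ip, private port)

    def _expect(self, private_ip, private_port):
        pub = self.next_port
        self.next_port += 1
        self.pinholes[(self.public_ip, pub)] = (private_ip, private_port)
        return pub

    def rewrite_port(self, line, client_ip):
        """Active mode, client inside / server outside. Returns the rewritten
        command, the line unchanged if it is not PORT, or None when the command
        names a host other than the client itself (FTP bounce attempt)."""
        m = PORT_RE.match(line.rstrip("\r\n"))
        if not m:
            return line
        priv_ip, priv_port = _unpack(m.groups())
        if priv_ip != client_ip:
            return None
        return f"PORT {_pack(self.public_ip, self._expect(priv_ip, priv_port))}\r\n"

    def rewrite_pasv(self, line):
        """Passive mode, server inside: the 227 reply carries the server's
        private address, which is replaced by the public one plus a pinhole."""
        m = PASV_RE.match(line.rstrip("\r\n"))
        if not m:
            return line
        priv_ip, priv_port = _unpack(m.groups())
        pub = self._expect(priv_ip, priv_port)
        return f"227 Entering Passive Mode ({_pack(self.public_ip, pub)}).\r\n"

    def inbound_data(self, dst_ip, dst_port):
        """Data connection arriving from outside: forwarded only if it was
        announced, and only once (the pinhole is consumed)."""
        return self.pinholes.pop((dst_ip, dst_port), None)
```

Without the ALG the first two cases fail exactly as the slides say: the peer connects to a 192.168.x.x or 172.31.x.x address that is not routable from outside.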

User Authentication

• Admin Users
• User Authentication Type
• Authentication server
• Authentication Rule

Admin User

Treeview: User Authentication => Local User Database

User Authentication Type

• Authentication Users and User Groups
• PPTP Users and User Groups
• L2TP Users and User Groups
• Xauth User
• IKE ID list

Authentication server

User Auth Rule

Treeview: User Authentication => User Authentication Rule =>Add New

Authentication Users and User Groups

- Scenario

Authentication Users and User Groups – Process flow

Hands-on: Authentication Users and User Groups

• Configuration concept
  – User Database (local, external)
  – IP address object (incl. credentials)
  – WebUI before Rules
  – User Authentication Rule
  – IP Rule

Authentication Users and User Groups – User Database

Authentication Users and User Groups – IP address object

Authentication Users and User Groups – WebUI before rules

Authentication Users and User Groups – User Authentication Rule

Authentication Users and User Groups – IP Rule

Authentication Users and User Groups – VSA (user group returned by RADIUS)

IAS configuration

1) IAS must tell the firewall that any user matching this policy belongs to the designated "user-group". In the "Edit Profile" dialog of the policy, click the "Advanced" tab.

2) Press "Add" to add a new Vendor-Specific attribute (VSA).

3) Type 5089 in "Enter Vendor Code".

4) Click "Configure Attribute" and enter the attribute values.
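How the vendor code typed into IAS ends up on the wire, as an added Python example (not the page's or D-Link's code): RFC 2865 attribute 26 (Vendor-Specific) with Vendor-Id 5089, a vendor-type byte, a vendor-length byte and the user-group string, plus the firewall-side parser that checks every length field before trusting it. The vendor-type number 1, the group name "admins" and the attribute list used as input are assumptions.

```python
"""Added example, not part of the D-Link material: RADIUS VSA encode/decode."""
import struct

VENDOR_CODE = 5089          # the vendor code entered in IAS on the slide
VSA_TYPE_USER_GROUP = 1     # assumption: vendor-type carrying the user-group string
ATTR_VSA = 26               # RFC 2865 Vendor-Specific attribute


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Type 26 | Length | Vendor-Id (4) | Vendor-Type | Vendor-Length | String."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    if 2 + len(body) > 255:
        raise ValueError("VSA too long for one attribute")
    return struct.pack("!BB", ATTR_VSA, 2 + len(body)) + body


def iter_attrs(blob: bytes):
    """Walk a RADIUS attribute list, refusing truncated or zero-length entries
    (an attacker-controlled length must never index past the packet)."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        typ, length = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError("bad attribute length")
        yield typ, blob[off + 2:off + length]
        off += length


def user_groups(blob: bytes, vendor_id=VENDOR_CODE, vendor_type=VSA_TYPE_USER_GROUP):
    """Return the user-group strings an Access-Accept carries for our vendor."""
    groups = []
    for typ, val in iter_attrs(blob):
        if typ != ATTR_VSA or len(val) < 6 or struct.unpack("!I", val[:4])[0] != vendor_id:
            continue                 # other attributes and other vendors are ignored
        vtype, vlen = val[4], val[5]
        if vlen < 2 or 4 + vlen > len(val):
            raise ValueError("bad vendor-length")
        if vtype == vendor_type:
            groups.append(val[6:4 + vlen].decode("ascii"))
    return groups


def parse_ok(blob: bytes) -> bool:
    """True when the attribute list is well-formed end to end."""
    try:
        list(iter_attrs(blob))
        return True
    except ValueError:
        return False
```

The group string is what the firewall's User Authentication Rule later matches against, so the RADIUS shared secret and the Message-Authenticator attribute are what protect it in transit; this example covers only the attribute encoding.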

Xauth

Xauth (extended authentication): after IKE phase 1 the gateway challenges the remote user for a user name and password; the exchange is carried as Attribute Payloads in ISAKMP messages.

Identification List

An Identification List holds the certificate identities (IKE IDs) a peer may present. Fields:

• Country
• State
• Locality
• Organization name
• Organization Unit
• Common Name
• Email
• ASN.1 DN

Hands-on: User Authentication

PPTP/L2TP

• Architecture
• Function
• Protocols used
• Authentication
• Encryption

PPTP

Protocols involved: control connection on TCP port 1723; the GRE tunnel carrying the PPP frames uses IP protocol 47 (no port numbers).

PPTP

PPTP extended GRE header
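The header behind the slide title, as an added Python example (not from the training material): the enhanced GRE header of RFC 2637 that PPTP uses on IP protocol 47, built and parsed with the length checks a receiver needs. The payload bytes, call ID and counters used in the test are constructed. Because GRE has no port numbers, a NAT device can only keep several PPTP clients apart by tracking the Call ID field, which is what a PPTP ALG does.

```python
"""Added example, not part of the D-Link material: PPTP enhanced GRE header."""
import struct

IP_PROTO_GRE = 47          # data channel transport (from the slide)
PPTP_CTRL_PORT = 1723      # TCP control connection (from the slide)
GRE_PROTO_PPP = 0x880B     # protocol type field of the enhanced GRE header


def build_gre(call_id: int, payload: bytes, seq: int = None, ack: int = None) -> bytes:
    """Byte 0: C=0 R=0 K=1 S=(seq present) s=0 Recur=0.
    Byte 1: A=(ack present) Flags=0 Ver=1.
    Key field = payload length (16 bits) + call ID (16 bits)."""
    b0 = 0x20 | (0x10 if seq is not None else 0)
    b1 = (0x80 if ack is not None else 0) | 0x01
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_gre(pkt: bytes) -> dict:
    """Parse a PPTP GRE packet. Rejects plain GRE (no key, wrong version),
    other protocol types, and a declared payload length that runs past
    the packet, so a crafted length cannot make the caller over-read."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    b0, b1, proto, plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if (b0 & 0xC0) or not (b0 & 0x20) or (b1 & 0x07) != 1 or proto != GRE_PROTO_PPP:
        raise ValueError("not a PPTP enhanced GRE header")
    off, seq, ack = 8, None, None
    if b0 & 0x10:
        if len(pkt) < off + 4:
            raise ValueError("truncated sequence number")
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if b1 & 0x80:
        if len(pkt) < off + 4:
            raise ValueError("truncated acknowledgment number")
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    payload = pkt[off:off + plen]
    if len(payload) != plen:
        raise ValueError("payload length exceeds packet")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def gre_ok(pkt: bytes) -> bool:
    try:
        parse_gre(pkt)
        return True
    except ValueError:
        return False
```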


L2TP

L2TP modes

L2TP in IP/UDP Encapsulation

UDP port 1701

L2TP Decapsulation

Things to be aware of

• Windows performs L2TP over IPsec by default. To test plain L2TP:
  – Click Start > Run, type regedit
  – Open HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters
  – Double-click ProhibitIPSec, type 1 in the Value data field, select Hexadecimal as the base, then click OK
  – Reboot

With this value set the client's PPP frames cross the network without IPsec protection; use it for troubleshooting only and remove it afterwards.

L2TP over IPSec – Configuration Concept

• Configuration concept – Server
  – User Database (local, external)
  – IP address object
  – IPSec tunnel
  – L2TP tunnel
  – Authentication
  – IP Rule

L2TP over IPSec – Configuration Concept

PPTP LAN-to-LAN: Scenario

PPTP LAN-to-LAN: Configuration Concept

• Configuration concept – Server
  – IP address object
  – User Database (local, external)
  – PPTP tunnel (Server)
  – Authentication
  – IP Rule

PPTP LAN-to-LAN: Central Office – IP Address

Tree view: Objects => Address Book

PPTP LAN-to-LAN: Central Office – User Database

Tree view: User Authentication => Local User Database

PPTP LAN-to-LAN: Central Office – Tunnel

Tree view: Interfaces => PPTP/L2TP Servers

PPTP LAN-to-LAN: Central Office – User Authentication Rule

Tree view: User Authentication => User Authentication Rules

PPTP LAN-to-LAN: Central Office – IP Rule

Tree view: Rules => IP Rules

PPTP LAN-to-LAN: Configuration Concept

• Configuration concept – Client
  – IP address
  – PPTP tunnel (Client)
  – IP Rule

PPTP LAN-to-LAN: New York – Address

Tree view: Objects => Address Book

PPTP LAN-to-LAN: New York – PPTP Client

Tree view: Interfaces => PPTP/L2TP Client

PPTP LAN-to-LAN: New York – IP Rule

Tree view: Rules => IP Rules

PPTP LAN-to-LAN: Done and Activate

Configuration Done!!!

PPTP LAN-to-LAN: Verification on CO site

Hands-on: PPTP LAN-to-LAN

Trouble Shooting

• Troubleshooting by layers
  7 - Application
  6 - Presentation
  5 - Session
  4 - Transport
  3 - Network
  2 - Data Link
  1 - Physical

Approach

Trouble shooting

What's in your tool bag

Tool bag – WebUI - Layer 1

Tool bag – CLI - Layer 1

DFL-800:/> ifstat wan1
Iface wan1
  Builtin r8139/8129 - Realtek RTL8139 Fast Ethernet
  Bus 0 Slot 2 IRQ 0
  Media          : "100BaseTx"
  Link Status    : 100 Mbps full Duplex (autonegotiated)
  Receive Mode   : Undefined
  MTU            : 1500
  Link Partner   : 10BASE-T, 10BASE-T FD, 100BASE-TX, 100BASE-TX FD
  IP Address     : 10.254.0.180
  Hw Address     : 0013:463d:876a
  PBR Membership : main

Software Statistics:
  Soft received : 123117   Soft sent : 175208   Send failures : 0   Dropped : 36   IP Input Errs : 0

Driver information / hardware statistics:
  IN : packets= 13  bytes= 854  errors= 0  dropped= 0
  OUT: packets= 10  bytes= 600  errors= 0  dropped= 0
  Collisions            : 0
  In : Length Errors    : 0
  In : Overruns         : 0
  In : CRC Errors       : 0
  In : Frame Errors     : 0
  In : FIFO Overruns    : 0
  In : Packets Missed   : 0
  Out: Sends Aborted    : 0
  Out: Carrier Errors   : 0
  Out: FIFO Underruns   : 0
  Out: SQE Errors       : 0
  Out: Late Collisions  : 0

Tool bag – WebUI - Layer 3

Tool bag – CLI - Layer 3

DFL-800:/> routes -all -v
Flags Network            Iface          Gateway         Local IP        Metric
----- ------------------ -------------- --------------- --------------- ------
      127.0.0.1          core           (Iface IP)                      0
      10.254.0.180       core           (Iface IP)                      0
      192.168.120.254    core           (Iface IP)                      0
      172.17.100.254     core           (Iface IP)                      0
      192.168.12.1       core           (Iface IP)                      0
      220.132.138.26     core           (Iface IP)                      0
      192.168.1.0/24     ipsec_t1                                       90
      10.254.0.0/24      wan1                                           100
      192.168.120.0/24   wan2                                           100
      172.17.100.0/24    dmz                                            100
      192.168.12.0/24    lan                                            100
      224.0.0.0/4        core           (Iface IP)                      0
      0.0.0.0/0          ADSL1                                          90

Tool bag – CLI - Layer 3

DFL-800:/> ping 168.95.1.1 -srcip=192.168.12.150 -recvif=lan -length=1400 -verbose

Rule and routing information for ping:
  PBR selected by rule "iface_member_main" - PBR table "main"
  allowed by rule "allow_ping-outbound"
  sent via route "0.0.0.0/0 via ADSL1, no gw" in PBR table "main"

Sending 1 1400-byte ping to 168.95.1.1 from 220.132.138.26.

Reply from 168.95.1.1 seq=0 time=150 ms TTL=248

Ping Results: Sent: 1, Received: 1, Loss: 0%, Avg RTT: 150.0 ms

> ping <dest ip address> [-count=N] [-length=N] [-pbr=table] [-recvif=iface] [-srcip=ip] [-verbose]

With -srcip and -recvif the ping is treated as if it had arrived from that host on that interface, so the output shows the PBR table, the IP rule and the route a real packet from the LAN would take; the packet leaves from 220.132.138.26 because the matching rule "allow_ping-outbound" is a NAT rule.

Trouble shooting - logging

Log is our best friend
• Log severity default
• Log reference

Trouble shooting - logging

Trouble shooting – IP rule set

DFL-800:/> rules 1-5 -ruleset=main -v
Contents of ruleset; default action is DROP
#  Act.   Source                 Destination            Protocol/Ports
-- -----  ---------------------- ---------------------- --------------
1  Drop   lan:192.168.1.0/24     wan1:0.0.0.0/0         "smb-all"           "drop_smb-all"           Use: 0
2  NAT    lan:192.168.1.0/24     wan1:0.0.0.0/0         "ping-outbound"     "allow_ping-outbound"    Use: 0
3  NAT    lan:192.168.1.0/24     wan1:0.0.0.0/0         "ftp-passthrough"   "allow_ftp-passthrough"  Use: 0
4  NAT    lan:192.168.1.0/24     wan1:0.0.0.0/0         "all_tcpudp"        "allow_standard"         Use: 0
5  Allow  lan:192.168.1.0/24     core:192.168.1.1       "ping-inbound"      "ping_fw"                Use: 1

> rules [range] [-ruleset=name] [-schedule] [-verbose]

Trouble Shooting in IP rules

To clear the Use counters shown by rules -v:
• > connections -close -all
• > reconfigure
• > rules -v
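A way to use those counters systematically, as an added Python example (not the page's or D-Link's code): parse the `rules -v` listing, compare the Use counters of two snapshots, and report which rules a reproduced flow hit and which rules never matched. The five rule lines are transcribed from the deck's SAT & NAT case study; the listing() helper that stamps them with chosen counters, and the zeroed "after clearing" snapshot, are constructed.

```python
"""Added example, not part of the D-Link material: diffing `rules -v` counters."""
import re

RULE_RE = re.compile(
    r'^\s*(?P<num>\d+)\s+(?P<act>\w+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+'
    r'(?P<rest>.*?)\s+Use:\s*(?P<use>\d+)\s*$')
NAME_RE = re.compile(r'"([^"]+)"')   # the rule name is the last quoted string on a line

HEADER = ("Contents of ruleset; default action is DROP\n"
          "#  Act.   Source                 Destination            Protocol/Ports\n"
          "-- -----  ---------------------- ---------------------- --------------\n")

# Rule lines transcribed from the deck's listing (counters are added by listing()).
ROWS = [
    '1  SAT    *:0.0.0.0/0            core:1.2.3.4           "http-in"      "SAT_webIn" SETDEST 172.31.31.200',
    '2  SAT    lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "SAT_webOut" SETSRC 1.2.3.4:80',
    '3  FwdFa  lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "Allow_SAT_webOut"',
    '4  FwdFa  wan1:0.0.0.0/0         core:1.2.3.4           "http-in"      "Allow_SAT_webIn"',
    '5  NAT    lan:172.31.31.0/24     core:1.2.3.4           "http-in"      "NAT_lan-core_wan"',
]


def listing(counters):
    """Constructed `rules -v` output with the given Use counter per rule."""
    return HEADER + "".join(f"{row} Use: {c}\n" for row, c in zip(ROWS, counters))


def parse_rules(text):
    """rule name -> {num, action, src, dst, use}; header and separator lines are skipped."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        names = NAME_RE.findall(m["rest"])
        name = names[-1] if names else f"rule{m['num']}"
        rules[name] = {"num": int(m["num"]), "action": m["act"], "src": m["src"],
                       "dst": m["dst"], "use": int(m["use"])}
    return rules


def hits_between(before, after):
    """rule name -> how much its Use counter grew between the two snapshots."""
    return {n: after[n]["use"] - before[n]["use"]
            for n in after if n in before and after[n]["use"] > before[n]["use"]}


def unused_rules(rules):
    """Rules whose counter is still zero after the test traffic: either the
    flow never reached them or an earlier rule matched first (shadowing)."""
    return sorted(n for n, r in rules.items() if r["use"] == 0)
```

Take one snapshot right after `connections -close -all` and `reconfigure`, generate the single flow under test, take a second snapshot, and feed both to hits_between(); the result lists exactly the rules that flow went through, in the same way the deck reads 5/4/4/5/0 versus 1/0/0/0/1 off the two listings.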

Trouble Shooting: Final Solution

• Final solution
  – When the problem cannot be identified from logs and counters
  – Packet capture on both sides, inside and outside
  – Time accuracy between the capture and the log

Trouble Shooting: Final Solution – Time Accuracy in DFL

> time -sync -force

DFL-800:/> Timesync: Clockdrift (-4337s) too high (max +/-600s) -> Clock not updated!

DFL-800:/> time -sync -force
Attempting to synchronize system time...
Server time: 2007-06-13 18:08:24 (UTC+08:00)
Local time:  2007-06-13 18:05:24 (UTC+08:00) (diff: -180)
Local time successfully changed to server time.

Without -force the firewall refuses to adjust a clock drift larger than 600 seconds; -force overrides that check. Correlating a capture with the log is only reliable once both clocks agree.

Trouble Shooting: Final Solution – Time Accuracy on Traffic analyzer

Trouble Shooting: Final Solution – Time format on Traffic analyzer

Trouble Shooting: Final Solution – Capture option on Traffic analyzer

END