02-Configuring Translations and Connection Limits
8/10/2019 02-Configuring Translations and Connection Limits
1/49
2011 Pham Dinh Thong. All rights reserved. Firewall v1.02-1
Translations and Connections
Transport Protocols
Sessions in an IP World
In an IP world, a network session is a transaction between two end systems. It is carried out primarily over two transport layer protocols:
TCP
UDP
TCP
TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol.
TCP features:
Sequencing and acknowledgment of data
A defined state machine (open connection, data flow, retransmit, close connection)
Congestion detection and avoidance mechanisms
TCP Initialization: Inside to Outside
The security appliance first checks access control lists (ACLs). It then checks for a translation slot. If one is not found, it creates one after verifying NAT, global, and AAA, if any. If OK, a connection is created.
The security appliance utilizes the stateful packet inspection algorithm:
Source IP, source port, destination IP, destination port check
Sequence number check
Translation check
On the SYN (no data), the security appliance starts the embryonic connection counter.
[Diagram: host 10.0.0.11 on the private network opens a Telnet session (port 23) to 172.30.0.50 on the public network through the security appliance, which translates 10.0.0.11 to 192.168.0.20 and replaces the initial sequence number 49091 with 49769 on the public side. The IP header and TCP header fields of each packet are listed below.]
No.  Network  Source Address  Destination Address  Source Port  Destination Port  Initial Sequence No.  ACK    Flag
1    Private  10.0.0.11       172.30.0.50          1026         23                49091                 -      SYN
2    Public   192.168.0.20    172.30.0.50          1026         23                49769                 -      SYN
3    Public   172.30.0.50     192.168.0.20         23           1026              92513                 49770  SYN-ACK
4    Private  172.30.0.50     10.0.0.11            23           1026              92513                 49092  SYN-ACK
TCP Initialization: Inside to Outside (Cont.)
The security appliance resets the embryonic counter for this client. It then increases the connection counter for this host.
The security appliance strictly enforces the stateful packet inspection algorithm.
[Diagram: the final ACK of the handshake passes from the private network to the public network through the security appliance, after which data flows.]
No.  Network  Source Address  Destination Address  Source Port  Destination Port  Sequence No.  ACK    Flag
5    Private  10.0.0.11       172.30.0.50          1026         23                49092         92514  ACK
6    Public   192.168.0.20    172.30.0.50          1026         23                49770         92514  ACK
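The handshake tracking described on these two slides, as an added Python model (not Cisco code and not part of the course): it builds a translation slot from a constructed global pool, counts the embryonic connection, randomizes the initial sequence number that the outside sees, rewrites sequence and acknowledgment numbers in both directions, and drops any inbound packet that matches no connection. Addresses, ports and sequence numbers are the slides' own values; the pool and the random seed are constructed for the example.

```python
import random
from dataclasses import dataclass

MOD = 2 ** 32


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


@dataclass
class Conn:
    local: str        # real inside address
    mapped: str       # global address the outside sees
    sport: int
    server: str
    dport: int
    mapped_isn: int   # randomized ISN sent to the outside
    delta: int        # mapped_isn - real_isn, added to every outbound seq
    state: str = "embryonic"


class StatefulFirewall:
    def __init__(self, global_pool, seed=7):
        self.pool = list(global_pool)   # free global addresses (constructed pool)
        self.xlate = {}                 # local ip -> mapped ip: translation slots
        self.conns = {}                 # (mapped, sport, server, dport) -> Conn
        self.embryonic = {}             # local ip -> half-open connections
        self.connections = {}           # local ip -> completed connections
        self.rng = random.Random(seed)  # seeded so the demo is repeatable

    def _slot(self, local):
        """Translation check: reuse the host's slot or create one from the pool."""
        if local not in self.xlate:
            if not self.pool:
                return None
            self.xlate[local] = self.pool.pop(0)
        return self.xlate[local]

    def from_inside(self, pkt):
        """Packet on the inside interface; returns it as sent outside, or None."""
        if pkt.flags == "SYN":
            mapped = self._slot(pkt.src)
            if mapped is None:
                return None                           # no translation slot
            mapped_isn = self.rng.randrange(1, MOD)   # ISN randomization
            conn = Conn(pkt.src, mapped, pkt.sport, pkt.dst, pkt.dport,
                        mapped_isn, (mapped_isn - pkt.seq) % MOD)
            self.conns[(mapped, pkt.sport, pkt.dst, pkt.dport)] = conn
            self.embryonic[pkt.src] = self.embryonic.get(pkt.src, 0) + 1
            return Packet(mapped, pkt.dst, pkt.sport, pkt.dport, mapped_isn, 0, "SYN")
        key = (self.xlate.get(pkt.src), pkt.sport, pkt.dst, pkt.dport)
        conn = self.conns.get(key)
        if conn is None:
            return None                               # 5-tuple check failed
        if conn.state == "embryonic" and pkt.flags == "ACK":
            conn.state = "established"                # handshake completed
            self.embryonic[conn.local] -= 1           # slide: embryonic counter reset
            self.connections[conn.local] = self.connections.get(conn.local, 0) + 1
        return Packet(conn.mapped, pkt.dst, pkt.sport, pkt.dport,
                      (pkt.seq + conn.delta) % MOD, pkt.ack, pkt.flags)

    def from_outside(self, pkt):
        """Packet on the outside interface; only a known connection gets through."""
        conn = self.conns.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if conn is None:
            return None                               # unsolicited: dropped
        if conn.state == "embryonic" and (
                pkt.flags != "SYN-ACK" or pkt.ack != (conn.mapped_isn + 1) % MOD):
            return None                               # sequence number check failed
        return Packet(pkt.src, conn.local, pkt.sport, pkt.dport,
                      pkt.seq, (pkt.ack - conn.delta) % MOD, pkt.flags)


def run_handshake():
    """Replays packets No. 1 to No. 6 from the slides through the model."""
    fw = StatefulFirewall(["192.168.0.20"])
    syn_out = fw.from_inside(Packet("10.0.0.11", "172.30.0.50", 1026, 23, 49091, 0, "SYN"))
    synack_in = fw.from_outside(Packet("172.30.0.50", syn_out.src, 23, 1026,
                                       92513, (syn_out.seq + 1) % MOD, "SYN-ACK"))
    ack_out = fw.from_inside(Packet("10.0.0.11", "172.30.0.50", 1026, 23,
                                    synack_in.ack, 92514, "ACK"))
    # a SYN-ACK for a port nobody opened matches no connection and is dropped
    stray = fw.from_outside(Packet("172.30.0.50", "192.168.0.20", 23, 4444, 1, 1, "SYN-ACK"))
    return {"syn_out": syn_out, "synack_in": synack_in, "ack_out": ack_out, "stray": stray,
            "embryonic": fw.embryonic["10.0.0.11"], "connections": fw.connections["10.0.0.11"]}


if __name__ == "__main__":
    for name, value in run_handshake().items():
        print(name, value)
```

Running the model shows the three checks from the slide in action: the SYN-ACK is accepted only because its acknowledgment number equals the randomized ISN plus one, the inside host receives it acknowledging 49092 (its own ISN plus one), and the stray SYN-ACK for an unopened port is dropped before any translation is consulted.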
UDP
Connectionless protocol
Efficient protocol for some services
Resourceful, but difficult to secure
UDP (Cont.)
The security appliance first checks access control lists (ACLs). It then checks for a translation slot. If one is not found, it creates one after verifying NAT, global, and AAA, if any. If OK, a connection is created.
The security appliance follows the stateful packet inspection algorithm:
Source IP, source port, destination IP, destination port check
Translation check
All UDP responses arrive from outside and within the UDP user-configurable timeout (default is 2 minutes).
[Diagram: host 10.0.0.11 on the private network sends a UDP datagram to 172.30.0.50 on the public network through the security appliance, which translates 10.0.0.11 to 192.168.0.20; the response follows the same path in reverse.]
No.  Network  Source Address  Destination Address  Source Port  Destination Port
1    Private  10.0.0.11       172.30.0.50          1028         45000
2    Public   192.168.0.20    172.30.0.50          1028         45000
3    Public   172.30.0.50     192.168.0.20         45000        1028
4    Private  172.30.0.50     10.0.0.11            45000        1028
Network Address Translation
Addressing Scenarios
NAT was created to overcome several addressing problems that occurred with the expansion of the Internet:
To mitigate global address depletion
To use RFC 1918 addresses internally
To conserve the internal address plan
NAT also increases security by hiding the internal topology.
[Diagram: inside hosts 10.0.0.11 and 10.0.0.4 behind NAT; 10.0.0.11 appears as 192.168.6.9 toward the Internet.]
Access Through the Security Appliance
Traffic from a more secure interface to a less secure interface is allowed (unless explicitly denied). Traffic from a less secure interface to a more secure interface is denied (unless explicitly allowed via static and access list).
[Diagram: security appliance interfaces and their security levels, from least to most secure:]
g0/0 outside: security level 0
g0/2 DMZ: security level 30
g0/3 Partnernet: security level 50
g0/4 Intranet: security level 70
g0/1 inside: security level 100
Inside Address Translation
Inside NAT translates the addresses of hosts on a higher security level to a less secure interface:
Dynamic translation
Static translation
[Diagram: inside host 10.0.0.11 (inside IP address) is statically translated to outside global IP address 192.168.6.10; inside host 10.0.0.4 is dynamically translated to 192.168.6.20 from the outside global IP address pool 192.168.6.20-254; both reach a web server on the Internet.]
Dynamic Inside NAT
Configures dynamic translations for the 10.0.0.0/24 network:
asa1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
asa1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
[Diagram: inside hosts 10.0.0.11 and 10.0.0.4; 10.0.0.11 is translated to 192.168.0.20 toward the Internet.]
Two Interfaces with NAT
asa1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
asa1(config)# nat (inside) 2 10.2.0.0 255.255.255.0
asa1(config)# global (outside) 1 192.168.0.3-192.168.0.16 netmask 255.255.255.0
asa1(config)# global (outside) 2 192.168.0.17-192.168.0.32 netmask 255.255.255.0
Enables all hosts on the inside networks to start outbound connections
Uses a separate global pool for each internal network
[Diagram: inside networks 10.0.0.0/24 and 10.2.0.0/24 behind the security appliance; outside network 192.168.0.0; global pool 192.168.0.3-16 serves 10.0.0.0/24 and global pool 192.168.0.17-32 serves 10.2.0.0/24 toward the Internet.]
Three Interfaces with NAT
asa1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
asa1(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
asa1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
asa1(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
Inside users can start outbound connections to both the DMZ and the Internet.
The nat (dmz) command enables DMZ services to access the Internet.
The global (dmz) command enables inside users to access the DMZ web server.
[Diagram: inside network 10.0.0.0, DMZ with global pool 172.16.0.20-254, and outside network 192.168.0.0 with global pool 192.168.0.20-254 toward the Internet.]
Port Address Translation
Port Address Translation
PAT is a combination of an IP address and a source port number. Many different sessions can be multiplexed over a single global IP address. Sessions are kept distinct by the use of different port numbers.
[Diagram: inside hosts 10.0.0.11 and 10.0.0.4 are both translated to 192.168.0.20 toward the Internet, distinguished by port 1024 and port 1025.]
PAT Example
Outside IP addresses are typically registered with InterNIC.
Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.3 for outgoing access.
A single IP address (192.168.0.3) is assigned to the global pool.
The source port is dynamically changed to a unique number that is greater than 1023.
asa1(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1
asa1(config)# nat (inside) 1 10.0.0.0 255.255.0.0
asa1(config)# global (outside) 1 192.168.0.3 netmask 255.255.255.255
[Diagram: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets on inside network 10.0.0.0; outside network 192.168.0.0 with global address 192.168.0.3.]
PAT Using Outside Interface Address
The outside interface is configured as a DHCP client.
The interface option of the global command enables use of a DHCP address as the PAT address.
The source addresses of hosts in network 10.0.0.0 are translated into a DHCP address for outgoing access, in this case, 192.168.0.2.
The source port is changed to a unique number greater than 1023.
asa1(config)# interface g0/1
asa1(config-if)# ip address inside 10.0.0.1 255.255.255.0
asa1(config)# interface g0/0
asa1(config-if)# ip address outside dhcp
asa1(config)# nat (inside) 1 10.0.0.0 255.255.0.0
asa1(config)# global (outside) 1 interface
[Diagram: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets on inside network 10.0.0.0; outside network 192.168.0.0 with the global DHCP address (192.168.0.2).]
Mapping Subnets to PAT Addresses
Each internal subnet is mapped to a different PAT address.
Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.
Source addresses of hosts in network 10.0.2.0 are translated to 192.168.0.9 for outgoing access.
The source port is changed to a unique number greater than 1023.
asa1(config)# nat (inside) 1 10.0.1.0 255.255.255.0
asa1(config)# nat (inside) 2 10.0.2.0 255.255.255.0
asa1(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.255
asa1(config)# global (outside) 2 192.168.0.9 netmask 255.255.255.255
[Diagram: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets on inside network 10.0.0.0; outside network 192.168.0.0 with PAT addresses 192.168.0.8 and 192.168.0.9.]
Backing Up PAT Addresses by Using Multiple PATs
Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.
Address 192.168.0.9 will be used only when the port pool from 192.168.0.8 is at maximum capacity.
asa1(config)# nat (inside) 1 10.0.0.0 255.255.252.0
asa1(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.255
asa1(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.255
[Diagram: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets on inside network 10.0.0.0; outside network 192.168.0.0 with PAT addresses 192.168.0.8 and 192.168.0.9.]
Augmenting a Global Pool with PAT
asa1(config)# nat (inside) 1 10.0.0.0 255.255.0.0
asa1(config)# global (outside) 1 192.168.0.20-192.168.0.253 netmask 255.255.255.0
asa1(config)# global (outside) 1 192.168.0.254 netmask 255.255.255.255
When hosts on the 10.0.0.0 network access the outside network through the security appliance, they are assigned public addresses from the 192.168.0.20-192.168.0.253 range.
When the addresses from the global pool are exhausted, PAT begins with the next available IP address, in this case, 192.168.0.254.
[Diagram: Sales (10.0.1.0) and Engineering (10.0.2.0) subnets on inside network 10.0.0.0; outside network 192.168.0.0 with NAT addresses from 192.168.0.20 and PAT address 192.168.0.254.]
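How the ordered global entries on the last two slides (backup PAT addresses, and a NAT range augmented with PAT) hand out mapped addresses, as an added Python model (not Cisco code): a NAT range is used first, PAT begins on the next single-address entry once the range is exhausted, and a second PAT address is used only once the first has no ports left. The addresses are the slides' own; the NAT range and the PAT port pool are shrunk to a handful of entries so exhaustion can be shown in a few calls (constructed sizes, not appliance defaults).

```python
import ipaddress


def expand(spec):
    """'192.168.0.20-192.168.0.253' -> every address in the range; a lone address -> [it]."""
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in spec.split("-"))
        return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
    return [spec]


class GlobalPool:
    """The global entries of one nat_id, in the order the commands were entered.
    A range is a NAT pool; a single address (netmask 255.255.255.255) is a PAT address."""

    def __init__(self, specs, first_port=1024, last_port=65535):
        self.nat_free = []      # unused NAT addresses, lowest first
        self.pat_addrs = []     # PAT addresses in command order
        for spec in specs:
            addrs = expand(spec)
            if len(addrs) > 1:
                self.nat_free.extend(addrs)
            else:
                self.pat_addrs.append(addrs[0])
        # PAT ports are unique numbers greater than 1023 (pool size is a constructed parameter)
        self.ports = {a: list(range(first_port, last_port + 1)) for a in self.pat_addrs}
        self.nat_xlate = {}     # local ip -> global ip, one slot per host
        self.pat_xlate = {}     # (local ip, local port) -> (global ip, global port)

    def translate(self, local_ip, local_port):
        """Returns (global_ip, global_port) for a new or existing session, or None."""
        if local_ip in self.nat_xlate:                 # NAT keeps the port unchanged
            return (self.nat_xlate[local_ip], local_port)
        if (local_ip, local_port) in self.pat_xlate:
            return self.pat_xlate[(local_ip, local_port)]
        if self.nat_free:                              # NAT addresses are used first
            self.nat_xlate[local_ip] = self.nat_free.pop(0)
            return (self.nat_xlate[local_ip], local_port)
        for addr in self.pat_addrs:                    # then PAT, address by address
            if self.ports[addr]:
                mapped = (addr, self.ports[addr].pop(0))
                self.pat_xlate[(local_ip, local_port)] = mapped
                return mapped
        return None                                    # nothing left: the packet is dropped


def augment_demo():
    """Augmenting a Global Pool with PAT, with the NAT range cut to two addresses."""
    pool = GlobalPool(["192.168.0.20-192.168.0.21", "192.168.0.254"])
    return [pool.translate(host, 1026)
            for host in ("10.0.1.5", "10.0.2.7", "10.0.1.9", "10.0.2.3")]


def backup_pat_demo():
    """Backing Up PAT Addresses: 192.168.0.9 is used only after 192.168.0.8 runs out of ports."""
    pool = GlobalPool(["192.168.0.8", "192.168.0.9"], first_port=1024, last_port=1025)
    return [pool.translate("10.0.1.5", port) for port in (3001, 3002, 3003, 3004, 3005)]


if __name__ == "__main__":
    print(augment_demo())
    print(backup_pat_demo())
```

The third and fourth hosts in the first demo land on 192.168.0.254 with ports 1024 and 1025 because the two-address NAT range is already spent; in the second demo the fifth session returns None, which is the case an operator sees as dropped traffic once every PAT address has exhausted its port pool.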
Identity NAT
With NAT control enabled:
All packets traversing a security appliance require a translation rule.
Identity NAT is used to create a transparent mapping.
IP addresses on the higher security interface translate to themselves on all lower security interfaces.
[Diagram: inside host 10.0.0.15; DMZ Internet server 192.168.0.9 appears as 192.168.0.9 on the outside toward the Internet.]
Identity NAT: nat 0 Command
NAT 0 ensures that the Internet server is translated to its own address on the outside. Security levels remain in effect with nat 0.
asa1(config)# nat (dmz) 0 192.168.0.9 255.255.255.255
[Diagram: DMZ Internet server 192.168.0.9 appears as 192.168.0.9 on the outside toward the Internet.]
Static Command
Global NAT and Static NAT
NAT
For dynamic NAT and PAT address assignments
Inside end user receives an address from a pool of available addresses
Used mostly for outbound end-user connections
Static
For NAT permanent address assignments
Used mostly for server connections
[Diagram: NAT: inside users Bob Smith (10.0.0.11) and Sam Jones (10.0.0.12) receive outside addresses from a global pool. Static: FTP server 172.16.1.10 and web server 172.16.1.9 have fixed outside addresses.]
static Command: Parameters
Interfaces:
Real interface: DMZ
Mapped interface: Outside
IP addresses:
Real IP address: 172.16.1.9
Mapped IP address: 192.168.1.3
[Diagram: DMZ web server 172.16.1.9 and FTP server 172.16.1.10 are mapped to 192.168.1.3 and 192.168.1.4 on the outside; inside hosts Bob Smith (10.0.0.11) and Sam Jones (10.0.0.12).]
static Command
ciscoasa(config)# static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask]
Creates a permanent mapping between a real IP address and a mapped IP address
asa1(config)# static (dmz,outside) 192.168.1.3 172.16.1.9 netmask 255.255.255.255
Packets sent to 192.168.1.3 on the outside are translated to 172.16.1.9 on the DMZ. The web server IP address is permanently mapped to IP address 192.168.1.3.
[Diagram: DMZ web server 172.16.1.9 is reachable as 192.168.1.3 from the Internet.]
Net Static
ciscoasa(config)# static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask]
Creates mappings between IP addresses on one subnet and IP addresses on another subnet
Recommended when you want to translate multiple addresses with a single command
asa1(config)# static (dmz,outside) 192.168.10.0 172.16.1.0 netmask 255.255.255.0
Translates host IP addresses on the 172.16.1.0 subnet to IP addresses on the 192.168.10.0 subnet
[Diagram: DMZ web server 172.16.1.9 and FTP server 172.16.1.10 appear as 192.168.10.9 and 192.168.10.10 on the outside; inside hosts 10.0.0.11 and 10.0.0.12.]
Static PAT: Port Redirection
Used to create a permanent translation between a mapped IP address and port number and a specific real IP address and port number
192.168.0.9/www redirected to 172.16.1.9/www
192.168.0.9/ftp redirected to 172.16.1.10/ftp
ciscoasa(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port real_ip real_port [netmask mask]
[Diagram: a client on the Internet connects to 192.168.0.9/www and to ftp 192.168.0.9; the security appliance redirects 192.168.0.9/www to DMZ web server 172.16.1.9 and 192.168.0.9/ftp to DMZ FTP server 172.16.1.10.]
static PAT Command: Port Redirection
asa1(config)# static (dmz,outside) tcp 192.168.0.9 ftp 172.16.1.9 ftp netmask 255.255.255.255
asa1(config)# static (dmz,outside) tcp 192.168.0.9 2121 172.16.1.10 ftp netmask 255.255.255.255
Redirects packets destined for 192.168.0.9/FTP to 172.16.1.9 (first FTP server)
Redirects packets destined for 192.168.0.9/2121 to 172.16.1.10 (second FTP server)
[Diagram: a client on the Internet connects to ftp 192.168.0.9 and to 192.168.0.9/2121; the security appliance redirects 192.168.0.9/FTP to DMZ FTP1 server 172.16.1.9 and 192.168.0.9/2121 to DMZ FTP2 server 172.16.1.10.]
Translation Behavior
Security Appliance Translation Function
Security appliance translation rules are configured between pairs of interfaces.
With NAT control enabled, a packet cannot be switched across the security appliance if it does not match a translation slot in the translation table. The exception is NAT 0, which does not create a translation entry.
If there is no translation slot, the security appliance tries to create a translation slot from its translation rules.
If no translation slot match is found, the packet is dropped.
[Diagram: inside hosts 10.0.0.11 and 10.0.0.4; 10.0.0.11 is translated to 192.168.0.20 and reaches 192.168.10.11 on the Internet.]
Matching Outbound Packet Addresses
A packet arrives at an inside interface:
The security appliance consults the access rules first.
The security appliance makes a routing decision to determine the outbound interface.
The source address is checked against the local addresses in the translation table:
If found, the source address is translated according to the translation slot.
Otherwise, the security appliance looks for a match to the local address in the following order:
nat 0 access-list (NAT exemption): In order, until first match
static (static NAT): In order, until first match
static {tcp | udp} (static PAT): In order, until first match
nat nat_id access-list (policy NAT): In order, until first match
nat (regular NAT): Best match
If no match is found, the packet is dropped.
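The lookup order above, as an added Python implementation (not Cisco code): each category is searched in configuration order until the first match, except regular nat, which takes the longest-prefix best match regardless of the order the nat commands were entered. The rule set, the access-list name NO_NAT and the command-style labels attached to each rule are constructed for the example from the command forms shown on the slides.

```python
import ipaddress

# categories in the order the slide gives; only the last one is a best match
ORDER = ("nat 0 access-list", "static", "static tcp/udp", "policy nat", "nat")


class Rule:
    def __init__(self, kind, local, label, dst=None, proto=None, port=None):
        self.kind = kind
        self.local = ipaddress.ip_network(local)
        self.dst = ipaddress.ip_network(dst) if dst else None   # access-list rules
        self.proto, self.port = proto, port                     # static PAT rules
        self.label = label

    def matches(self, src, sport, dst, proto):
        return (ipaddress.ip_address(src) in self.local
                and (self.dst is None or ipaddress.ip_address(dst) in self.dst)
                and (self.proto is None or self.proto == proto)
                and (self.port is None or self.port == sport))


def lookup(rules, src, dst, proto="tcp", sport=1026):
    """Label of the rule that will translate this outbound packet, or 'drop'."""
    for kind in ORDER:
        hits = [r for r in rules if r.kind == kind and r.matches(src, sport, dst, proto)]
        if not hits:
            continue
        if kind == "nat":                          # regular NAT: longest prefix wins
            return max(hits, key=lambda r: r.local.prefixlen).label
        return hits[0].label                       # everything else: first match
    return "drop"


# constructed rule set in configuration order; the /8 nat rule is entered first on purpose
RULES = [
    Rule("nat", "10.0.0.0/8", "nat (inside) 1 10.0.0.0 255.0.0.0"),
    Rule("nat", "10.0.0.0/24", "nat (inside) 2 10.0.0.0 255.255.255.0"),
    Rule("nat 0 access-list", "10.0.0.0/24", "nat (inside) 0 access-list NO_NAT",
         dst="10.2.0.0/24"),
    Rule("static tcp/udp", "172.16.1.10/32",
         "static (dmz,outside) tcp 192.168.0.9 ftp 172.16.1.10 ftp", proto="tcp", port=21),
    Rule("static", "172.16.1.9/32", "static (dmz,outside) 192.168.1.3 172.16.1.9"),
]


if __name__ == "__main__":
    for src, dst in (("10.0.0.5", "10.2.0.8"), ("10.0.0.5", "198.51.100.7"),
                     ("10.9.9.9", "198.51.100.7"), ("192.0.2.5", "198.51.100.7")):
        print(src, "->", dst, ":", lookup(RULES, src, dst))
```

Two results are worth noticing: 10.0.0.5 going to 10.2.0.0/24 is exempted by the nat 0 access-list even though two nat rules also cover it, and 10.0.0.5 going anywhere else is handled by the /24 nat rule although the /8 rule was entered first. A source address that no rule covers, such as the FTP server sending from a port other than 21, ends in "drop", which is the NAT-control behaviour the previous slide describes.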
SYN Cookies and Connection Limits
Connection Limits
Administrator can set the following connection limits:
emb_lim: Maximum number of embryonic connections per host. An embryonic connection is a connection request that has not completed a TCP three-way handshake between the source and the destination.
tcp_max_conns: Maximum number of simultaneous TCP connections that each real IP host is allowed to use. Idle connections are closed after the time specified by the timeout conn command.
udp_max_conns: Maximum number of simultaneous UDP connections that each real IP host is allowed to use.
TCP Three-Way Handshake
[Diagram: hosts 172.26.26.45 and 172.26.26.46 on the Internet. A normal three-way handshake (SYN with SRC 172.26.26.45 and DST 10.0.0.2, then SYN-ACK, then ACK) completes to target 10.0.0.2. In a DoS attack, a spoofed host 172.16.16.20 sends SYN after SYN (SRC 172.16.16.20, DST 10.0.0.3) to target 10.0.0.3; the handshakes never complete and each request is left as an embryonic connection.]
SYN Cookies
[Diagram: a normal handshake (SYN, SYN-ACK, ACK) beside the SYN cookie exchange (SYN, SYN-ACK (Cookie), ACK (Cookie)) between a client on the Internet and the security appliance.]
The security appliance responds to the SYN itself, including a cookie in the TCP header of the SYN-ACK. The security appliance keeps no state information. The cookie is a hash of parts of the TCP header and a secret key, encoded into the initial sequence number (ISN) field the appliance responds with in its SYN-ACK.
A legitimate client completes the handshake by sending the ACK back with the cookie.
If the cookie is authentic, the security appliance proxies the TCP session.
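The cookie computation the slide describes, as an added Python illustration (not Cisco's implementation): the SYN-ACK's initial sequence number is a keyed hash over the 4-tuple, the client's ISN, a secret and a coarse time bucket, so nothing is stored per half-open connection, and the returning ACK is checked by recomputing the hash from the packet alone. The secret, the addresses and the 64-second bucket size are constructed assumptions; the spoofed-source check uses the 172.16.16.20 address from the previous slide.

```python
import hashlib
import hmac
import ipaddress
import struct

MOD = 2 ** 32
BUCKET_SECONDS = 64   # constructed: how long a cookie stays valid before it expires


def cookie(secret, src, dst, sport, dport, client_isn, bucket):
    """32-bit cookie: keyed hash over the 4-tuple, the client's ISN and a time bucket."""
    msg = struct.pack("!4s4sHHII", ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed, sport, dport,
                      client_isn % MOD, bucket)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def syn_ack_isn(secret, syn, now):
    """ISN the appliance puts in its SYN-ACK; no connection entry is created.
    syn = (src, dst, sport, dport, client_isn) taken from the client's SYN."""
    src, dst, sport, dport, client_isn = syn
    return cookie(secret, src, dst, sport, dport, client_isn, now // BUCKET_SECONDS)


def ack_is_authentic(secret, ack_pkt, now, max_age_buckets=1):
    """Validates a returning ACK with nothing but the packet and the secret.
    ack_pkt = (src, dst, sport, dport, seq, ack); seq is client_isn + 1 and
    ack is cookie + 1, so both inputs can be recovered from the packet itself.
    Cookies older than max_age_buckets are rejected, which bounds replay."""
    src, dst, sport, dport, seq, ack = ack_pkt
    client_isn = (seq - 1) % MOD
    for age in range(max_age_buckets + 1):
        bucket = now // BUCKET_SECONDS - age
        if bucket < 0:
            continue
        expected = (cookie(secret, src, dst, sport, dport, client_isn, bucket) + 1) % MOD
        if hmac.compare_digest(expected.to_bytes(4, "big"), (ack % MOD).to_bytes(4, "big")):
            return True      # authentic: the appliance would now proxy the session
    return False


if __name__ == "__main__":
    secret = b"constructed-example-secret"
    syn = ("172.26.26.45", "10.0.0.2", 40000, 80, 49091)
    isn = syn_ack_isn(secret, syn, now=1000)
    print("cookie ISN:", isn)
    print("client ACK:", ack_is_authentic(secret, syn[:4] + (49092, isn + 1), now=1000))
    spoofed = ("172.16.16.20", "10.0.0.2", 40000, 80, 49092, isn + 1)
    print("spoofed ACK:", ack_is_authentic(secret, spoofed, now=1000))
```

A flood of SYNs costs the appliance one hash per SYN and no table entry, which is the point of the slide; only an ACK that carries a cookie computed for its own 4-tuple, within the validity window, turns into a proxied session. A real implementation also has to fold the negotiated MSS into the cookie because the SYN's options are not stored either.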
Embryonic Connection Limit
ciscoasa(config)# nat (if_name) nat_id real_ip [mask [dns] [outside] [[tcp] max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]
ciscoasa(config)# static (real_interface,mapped_interface) {mapped_ip | interface} {real_ip [netmask mask]} | {access-list access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq [nailed]]
Setting the embryonic connections (emb_lim) enables TCP proxying via SYN cookies.
A value of 0 disables protection (default).
When the embryonic connection limit is exceeded, all connections are proxied.
asa1(config)# nat (inside) 1 0 0 0 25
asa1(config)# static (inside,outside) 192.168.0.11 172.16.0.2 0 25
TCP/UDP Maximum Connection Limit
ciscoasa(config)# nat (if_name) nat_id real_ip [mask [dns] [outside] [[tcp] max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]
ciscoasa(config)# static (real_interface,mapped_interface) {mapped_ip | interface} {real_ip [netmask mask]} | {access-list access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq [nailed]]
Maximum number of simultaneous TCP or UDP connections that the local IP hosts are allowed.
A value of 0 disables protection (default). Idle connections are closed after the time specified in the timeout command.
asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 200 25
asa1(config)# static (inside,outside) 192.168.0.11 172.16.0.2 0 0 udp 100
Connections and Translations
Connections vs. Translations
Translations:
NAT: Mapped address to real address
PAT: Mapped address and port to real address and port
Connections: Host address and port to host address and port
[Diagram: inside local host 10.0.0.11 is translated to 192.168.0.20 from the outside mapped pool; inside host 10.0.0.4 is also shown. Over that one translation, two connections run to 192.168.10.11 on the Internet: Telnet (192.168.10.11:23 to 10.0.0.11:1026) and HTTP (192.168.10.11:80 to 10.0.0.11:1027).]
show conn Command
ciscoasa# show conn
Enables you to view all active connections
asa1# show conn
2 in use, 9 most used
TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:03 bytes 2320 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:03 bytes 3236 flags UIO
[Diagram: inside hosts 10.0.0.4 and 10.0.0.11; connection from 10.0.0.11 to 192.168.10.11 on the Internet.]
show conn detail Command
asa1# show conn detail
2 in use, 9 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, k - Skinny media,
       M - SMTP data, m - SIP media, O - outbound data, P - inside back conn,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
TCP outside:192.168.10.11/80 inside:10.0.0.11/2824 flags UIO
TCP outside:192.168.10.11/80 inside:10.0.0.11/2823 flags UIO
[Diagram: connection from inside host 10.0.0.11 to 192.168.10.11 on the Internet.]
show local-host Command
asa1# show local-host
Interface dmz: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 5 maximum active, 0 denied
local host: <10.0.0.11>,
    TCP flow count/limit = 2/300
    TCP embryonic count to host = 0
    TCP intercept watermark = 25
    UDP flow count/limit = 0/unlimited
  Conn:
    TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:05 bytes 466 flags UIO
    TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:05 bytes 1402 flags UIO
Interface outside: 1 active, 1 maximum active, 0 denied
local host: <192.168.10.11>,
    TCP flow count/limit = 2/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
  Conn:
    TCP out 192.168.10.11:80 in insidehost:2824 idle 0:00:05 bytes 466 flags UIO
    TCP out 192.168.10.11:80 in insidehost:2823 idle 0:00:05 bytes 1402 flags UIO
[Diagram: connection from inside host 10.0.0.11 to 192.168.10.11 on the Internet.]
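A detection-side use of the show local-host output on this slide together with the connection limits set earlier, as an added Python script (not Cisco code): it parses output of this shape and flags hosts whose embryonic count has reached the TCP intercept watermark (the emb_lim at which SYN cookie proxying takes over) or whose TCP or UDP flow count is close to its max_conns limit. The sample output is constructed for the example, modelled on the slide, with a second host 10.0.0.12 added to show the flags firing.

```python
import re

# constructed sample in the shape of the slide's output; 10.0.0.12 is added
# to show a host that has reached its limits
SAMPLE = """\
Interface inside: 2 active, 5 maximum active, 3 denied
local host: <10.0.0.11>,
    TCP flow count/limit = 2/300
    TCP embryonic count to host = 0
    TCP intercept watermark = 25
    UDP flow count/limit = 0/unlimited
  Conn:
    TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:05 bytes 466 flags UIO
local host: <10.0.0.12>,
    TCP flow count/limit = 280/300
    TCP embryonic count to host = 31
    TCP intercept watermark = 25
    UDP flow count/limit = 90/100
Interface outside: 1 active, 1 maximum active, 0 denied
local host: <192.168.10.11>,
    TCP flow count/limit = 2/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
"""

IFACE_RE = re.compile(r"^Interface (\S+):")
HOST_RE = re.compile(r"local host: <([\d.]+)>")
FLOW_RE = re.compile(r"(TCP|UDP) flow count/limit = (\d+)/(\d+|unlimited)")
EMB_RE = re.compile(r"TCP embryonic count to host = (\d+)")
WM_RE = re.compile(r"TCP intercept watermark = (\d+|unlimited)")


def _limit(text):
    """'unlimited' (a limit of 0 in the nat/static command) becomes None."""
    return None if text == "unlimited" else int(text)


def parse_local_hosts(text):
    """Returns {ip: {iface, tcp, tcp_limit, udp, udp_limit, embryonic, watermark}}."""
    hosts, host, iface = {}, None, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            iface = m.group(1)
            continue
        if m := HOST_RE.search(line):
            host = hosts.setdefault(m.group(1), {"iface": iface})
            continue
        if host is None:
            continue
        if m := FLOW_RE.search(line):
            proto = m.group(1).lower()
            host[proto], host[proto + "_limit"] = int(m.group(2)), _limit(m.group(3))
        elif m := EMB_RE.search(line):
            host["embryonic"] = int(m.group(1))
        elif m := WM_RE.search(line):
            host["watermark"] = _limit(m.group(1))
    return hosts


def findings(hosts, near=0.8):
    """Per host: 'tcp-intercept-active' once the embryonic count reaches the
    watermark (SYN cookies are proxying), and '<proto>-near-limit' when a flow
    count is at or above `near` of a finite limit."""
    report = {}
    for ip, h in hosts.items():
        flags = []
        watermark = h.get("watermark")
        if watermark is not None and h.get("embryonic", 0) >= watermark:
            flags.append("tcp-intercept-active")
        for proto in ("tcp", "udp"):
            limit = h.get(proto + "_limit")
            if limit and h.get(proto, 0) >= near * limit:
                flags.append(proto + "-near-limit")
        if flags:
            report[ip] = flags
    return report


if __name__ == "__main__":
    for ip, flags in findings(parse_local_hosts(SAMPLE)).items():
        print(ip, ", ".join(flags))
```

Hosts behind an "unlimited" value produce no flags, so the script only reports where a limit was actually configured; polling this output on a schedule and diffing the report is a cheap way to notice a host that is either under a SYN flood or about to have its legitimate connections refused by its own max_conns.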
show xlate Command
ciscoasa# show xlate
Enables you to view translation slot information
asa1# show xlate
1 in use, 2 most used
Global 192.168.0.20 Local 10.0.0.11
[Diagram: inside hosts 10.0.0.11 and 10.0.0.4; 10.0.0.11 is translated to 192.168.0.20 and reaches 192.168.10.11 on the Internet.]
show xlate detail Command
asa1# show xlate detail
1 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.0.0.11 to outside:192.168.0.20 flags i
[Diagram: inside host 10.0.0.11 is translated to 192.168.0.20 and reaches 192.168.10.11 on the Internet.]
Summary
The security appliance manages the TCP and UDP protocols through the use of a translation table (for NAT sessions) and a connection table (for TCP and UDP sessions).
The static command creates a permanent translation.
Mapping between local and global address pools is done dynamically with the nat command.
The nat and global commands work together to hide internal IP addresses.
The security appliance supports PAT.
Configuring multiple interfaces requires a greater attention to detail, but it can be done with standard security appliance commands.
SYN cookies, which you enable by setting embryonic connection limits in the nat or static command, provide a means of checking the validity of incoming TCP sessions.