1_NAT_ALG_and_Firewall.ppt
Connectivity: NA(P)T

Slide 3: Thomson Gateway NAT
> NAT: Network Address Translation ("IP Masquerading")
> NAPT: Network Address and Port Translation
Slide 4: Definition
> NAT: maps IP addresses from one address realm to another
• Provides transparent routing between disparate address realms
> Characteristics:
• Transparent address assignment
• Transparent routing through address translation
• ICMP error packet payload translation
Slide 5: Necessity
> IPv4: 32 bits
> Private networks: 10.0.0.0, 172.16.0.0, 192.168.0.0
Figure: LAN hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 (10.0.0.x, inside IP addresses) behind a gateway whose WAN address is 150.15.10.8 (outside IP address).
Slide 6: Example
[IN] eth0-> : 40.0.1.1 100.0.1.1 0076 TCP 10000->50000 [S.....]
[UT] eth0->pppoe0 : 50.50.1.1 100.0.1.1 0076 TCP 49125->50000 [S.....]
[IN] pppoe0-> : 100.0.1.1 50.50.1.1 0076 TCP 50000->49125 [S.A...]
[UT] pppoe0->eth0 : 100.0.1.1 40.0.1.1 0076 TCP 50000->10000 [S.A...]
[IN] eth0-> : 40.0.1.1 100.0.1.1 0076 TCP 10000->50000 [..A...]
[UT] eth0->pppoe0 : 50.50.1.1 100.0.1.1 0076 TCP 49125->50000 [..A...]

[nat]=>maplist
Idx Type Interface Outside Address Inside Address Use
1   NAPT pppoe0    50.50.1.1       40.0.1.1       1

Figure: LAN host 40.0.1.1 on eth0, gateway WAN address 50.50.1.1 on pppoe0 towards the PPPoE server, remote host 100.0.1.1; annotations: packet flow, session flow, address binding.
NAPT: extension of NAT
Slide 7: Static vs. Dynamic NAT
> Static Address Assignment → Static NAT
• One-to-one address mapping
• Fixed in time
> Dynamic Address Assignment → Dynamic NAT
• Based on usage requirements and session flow
• Binding used and re-used
Slide 8: Basic NAT
> A block of external addresses is set aside for translation
> For sessions originating in the private domain
> Example (static):
Idx Type Interface Outside Address Inside Address
1   NAT  ipoa0     50.0.0.138      unmapped
Access List................... 10.0.0.10
Foreign Address............... any
Protocol...................... any
Flags......................... Static
Description................... Outbound Basic NAT
Slide 9: When to Use Basic NAT
> Inside addresses are not routable on the outside network
> Hiding inside addresses from the outside world
> Avoiding network renumbering when changing service provider
Slide 10: NAPT
> Extension: translation of transport identifiers
• TCP, UDP: port numbers
• ICMP: query identifiers
> Allows sharing a single external address
Idx Type Interface Outside Address Inside Address Use
1   NAPT ipoa0     50.0.0.138      unmapped       2
Access List................... 40.0.0.0/16
Foreign Address............... any
Protocol...................... any
Flags......................... Static
Description................... Outbound NAPT without defserver
Slide 11: NAPT – Continued
NAPT uses ports from the range [49125 - 65536]
[IN] eth0-> : 40.0.1.1 100.0.1.1 0076 TCP 10000->50000 [S.....]
[UT] eth0->ipoa0 : 50.0.1.138 100.0.1.1 0076 TCP 49125->50000 [S.....]
[IN] ipoa0-> : 100.0.1.1 50.0.1.138 0076 TCP 50000->49125 [S.A...]
[UT] ipoa0->eth0 : 100.0.1.1 40.0.1.1 0076 TCP 50000->10000 [S.A...]
[IN] eth0-> : 40.0.1.1 100.0.1.1 0076 TCP 10000->50000 [..A...]
[UT] eth0->ipoa0 : 50.0.1.138 100.0.1.1 0076 TCP 49125->50000 [..A...]

[IN] eth0-> : 40.0.1.2 100.0.1.1 0076 TCP 10001->50000 [S.....]
[UT] eth0->ipoa0 : 50.0.1.138 100.0.1.1 0076 TCP 49126->50000 [S.....]
[IN] ipoa0-> : 100.0.1.1 50.0.1.138 0076 TCP 50000->49126 [S.A...]
[UT] ipoa0->eth0 : 100.0.1.1 40.0.1.2 0076 TCP 50000->10001 [S.A...]
[IN] eth0-> : 40.0.1.2 100.0.1.1 0076 TCP 10001->50000 [..A...]
[UT] eth0->ipoa0 : 50.0.1.138 100.0.1.1 0076 TCP 49126->50000 [..A...]
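An added example (not code from the Thomson Gateway) modelling the binding behaviour visible in the trace above: the first outbound flow from 40.0.1.1 gets outside port 49125 on 50.0.1.138, the second host gets 49126, replies are translated back through the binding, and, since there is no default server, unsolicited inbound packets are dropped. The slide's upper bound 65536 is clamped to the 16-bit maximum 65535.

```python
# Added example: minimal stateful NAPT binding table, not the gateway's NAT engine.
from dataclasses import dataclass

NAPT_PORT_MIN, NAPT_PORT_MAX = 49125, 65535   # range from the slide, clamped to 16 bits
OUTSIDE_ADDR = "50.0.1.138"                    # gateway WAN address seen in the trace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    def __init__(self, outside=OUTSIDE_ADDR):
        self.outside = outside
        self.next_port = NAPT_PORT_MIN
        self.out_map = {}   # (proto, inside ip, inside port) -> outside port
        self.in_map = {}    # (proto, outside port) -> (inside ip, inside port)

    def outbound(self, pkt):
        """LAN -> WAN: create (or reuse) a binding and rewrite the source address/port."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_map:
            if self.next_port > NAPT_PORT_MAX:
                raise RuntimeError("NAPT port range exhausted")
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, self.outside, self.out_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> LAN: translate back only when a binding exists.
        Without a default server anything else is dropped (returns None)."""
        inside = self.in_map.get((pkt.proto, pkt.dport))
        if pkt.dst != self.outside or inside is None:
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, inside[0], inside[1])
```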
Slide 12: When to Use NAPT
> Multiple private hosts accessing the public network through the same gateway
> Linking specific traffic to a private host
> Redirecting all unknown incoming traffic to a chosen private host
Slide 13: Two-Way NAT
> Sessions can be initiated from hosts in both the public and the private network
> Used to make private servers available on the Internet
> Example (static):
Idx Type Interface Outside Address Inside Address Use
1   NAT  pppoe0    50.0.0.138      40.0.1.1       0
Access List................... 40.0.1.1
Foreign Address............... any
Protocol...................... any
Flags......................... Static
Description................... Two-way NAT

[IN] pppoe0-> : 100.0.1.1 50.0.0.138 0076 TCP 50000->10000 [S.....]
[UT] pppoe0->eth0 : 100.0.1.1 40.0.1.1 0076 TCP 50000->10000 [S.....]
[IN] eth0-> : 40.0.1.1 100.0.1.1 0076 TCP 10000->50000 [S.A...]
[UT] eth0->pppoe0 : 50.0.0.138 100.0.1.1 0076 TCP 10000->50000 [S.A...]
Slide 14: Connection Sharing: HyperNAT – IP Passthrough
> Allows a public IP address to be used on the LAN
• “Default server”
• IPsec-AH client
• Any NAT issues …
> While preserving NAPT access for the other PCs
• UPnP v1.0
• All known ALGs: IPsec, PPTP/L2TP, SIP, …
> Public IP address assigned to the PC manually or via DHCP
• 1-1 NAT routing continues during a WAN IP address change event
> Compatible with dial-on-demand!
Figure: LAN PCs 192.168.1.64 and 192.168.1.65; the passthrough PC holds the public IP address a.b.c.d, which is also the WAN-side address.
Slide 15: Connection Sharing: HyperNAT – IP Passthrough (continued)
Figure: the public IP a.b.c.d is shared between the passthrough host, NAPT for the 192.168.1.x hosts (port ranges 1–49k and 49k–65k shown), the “Default Server” and Service/Portmaps.
Connectivity – NAT ALGs
Slide 17: Definition
ALG = Application Level Gateway
> Translates addresses and ports the NAT engine cannot handle
> “Opens the firewall”
> Creates NAT mappings
Slide 18: ALG Intervention Level
OSI layer            TCP/IP                     Network node
7 Application        HTTP FTP SMTP SNMP Telnet  gateway
6 Presentation
5 Session
4 Transport          TCP UDP
3 Network            IP                         router
2 Data-link (MAC)    SLIP PPP                   bridge
1 Physical           UTP cable                  repeater
NAPT intervenes at the transport layer (4); the ALG intervenes at the application layer (7).
Slide 19: ALGs' Real Actions
> Create connection
> Delete connection
> Search connection
> Packet modification
> Add NAT mapping
> Remove NAT mapping
Slide 20: Supported ALGs
> IP6to4
> PPTP (VPN)
> ESP (IPsec)
> IKE (IPsec)
> SIP (VoIP)
> JABBER
> CU/SeeMe
> RAUDIO
> RTSP
> ILS (NetMeeting phonebook)
> H245 (NetMeeting)
> H323 (NetMeeting)
> IRC
> FTP
Slide 21: ALGs Triggering
Each ALG is bound to a port or range of ports.
Available ALGs:
{Administrator}[connection]=>applist
Application  Proto DefaultPort Traces      Timeout
IP6TO4       6to4  0           enabled     unavailable
PPTP         tcp   1723        enabled     unavailable
ESP          esp   0           unavailable 15' 0"
IKE          udp   500         disabled    15' 0"
SIP          udp   5060        disabled    6' 0"
JABBER       tcp   5222        disabled    2' 0"
CU/SeeMe     udp   7648        enabled     unavailable
RAUDIO(PNA)  tcp   7070        enabled     unavailable
RTSP         tcp   554         enabled     unavailable
ILS          tcp   389         unavailable 5' 0"
H245         tcp   0           unavailable 5' 0"
H323         tcp   1720        enabled     unavailable
IRC          tcp   6667        enabled     5' 0"
LOOSE(UDP)   udp   0           enabled     5' 0"
FTP          tcp   21          enabled     unavailable
Slide 22: FTP ALG
Figure: FTP control and data connections between a LAN client and a WAN server.
> No firewall opening needed
> The firewall must accept an incoming connection on port 1027, coming from port 2024 → an inbound port-shift mapping must be present
Tests:
• Inbound vs. outbound
• One vs. multiple LAN clients
• One vs. multiple WAN servers
• LAN server
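An added example (not the gateway's ALG) of what the FTP ALG does that the NAT engine alone cannot: it parses an active-mode PORT command on the control channel, rewrites the client's inside address and port to the gateway's outside address and a freshly allocated port, and registers the inbound mapping the firewall must accept when the server connects to the data port. The addresses and the announced data port 1027 are constructed; the outside address 50.0.1.138 is taken from the NAPT trace.

```python
# Added example: FTP ALG PORT-command rewrite, not the Thomson Gateway's implementation.
import re

OUTSIDE_ADDR = "50.0.1.138"   # gateway WAN address, assumed from the NAPT trace
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


class FtpAlg:
    def __init__(self, outside=OUTSIDE_ADDR, first_port=49125):
        self.outside = outside
        self.next_port = first_port
        self.inbound_maps = {}   # outside port -> (inside ip, inside port)

    def handle_client_payload(self, inside_ip, payload):
        """Inspect one LAN->WAN control-channel segment; rewrite PORT if present."""
        m = PORT_RE.match(payload)
        if not m:
            return payload                       # not a PORT command: pass through
        h = [int(x) for x in m.groups()]
        announced_ip = ".".join(map(str, h[:4]))
        announced_port = h[4] * 256 + h[5]
        if announced_ip != inside_ip:
            raise ValueError("PORT address does not match the inside source")
        ext_port = self.next_port
        self.next_port += 1
        # This mapping is the one the NAT engine would never create by itself:
        # the WAN server opens the data connection towards the gateway.
        self.inbound_maps[ext_port] = (inside_ip, announced_port)
        o = [int(x) for x in self.outside.split(".")]
        return b"PORT %d,%d,%d,%d,%d,%d\r\n" % (*o, ext_port // 256, ext_port % 256)

    def inbound_data_target(self, dst_ip, dst_port):
        """Firewall check for the server's data SYN: pass only if an ALG mapping exists."""
        if dst_ip != self.outside:
            return None
        return self.inbound_maps.get(dst_port)
```

A real ALG must also fix up TCP sequence and acknowledgement numbers on the control connection, because the rewritten PORT line changes the segment length.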
Managed Security Service Firewall
Slide 24: Managed Security Service Firewall - Overview
> The firewall has 2 functions:
• Protect the ST Gateway from unwanted management access
• Police traffic LAN to WAN and vice versa
> Mapped onto 2 firewall services:
• Firewall (fwd): GUI/CLI
• ServiceManager (sink/src): CLI
Slide 25: Managed Security Service Firewall - Default Policies
Figure: default policies per firewall level (Edit Level).
Slide 26: Stateful firewall CLI configuration
> General configuration: :firewall config
• state
• Tcpchecks
• Udpchecks
• Icmpchecks
Slide 27: Stateful firewall CLI configuration
> Firewall menu: Chain
> Incoming data is ‘intercepted’ at packet interception points with chains attached to them
> List: shows the available chains
> Sink and source chains manage data sent to / received from the CPE ‘host’
> Sink/source traffic is controlled by the hostmanager
> Firewall menu: Rule
> Every chain can have a set of rules, each with an index
> Lowest-index rules are executed first
Slide 28: Data Flow overview
Figure: data flow between the Service Manager, host services / system services, and the manual firewall rules.
Slide 29: Firewall levels
> Only related to the forward chain!
Slide 30: Firewall rules
> Rules are linked to chains
> Main actions: drop, accept, deny, count
> Classification criteria:
• Source and destination interface
• Source and destination IP
• Service:
> Services from the :expr menu
> Manual expressions can be created
> Classifiers:
• ToS, precedence, proto, DSCP
• Source/destination port ranges
Slide 31: Firewall rules
> Example with level=disabled
Slide 32: Firewall level
> Different levels according to the ICSA specification
> Set / check the level: :firewall level set
Slide 33: Hands on - Firewall
> Create a rule which drops HTTP forwarding if the level of the firewall is set to Standard:
:firewall level set …
:firewall rule add
    chain forward_level
    …
> Create a rule which drops FTP to the CPE:
:firewall rule add
    chain sink
    …
> Create a rule which denies UDP with destination port 666 initiated from the CPE:
:expr add
    type serv
    …
:firewall rule add
    chain source
    …
Test it with: ip debug sendto addr=192.168.2.1 dstport=666
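An added example (not the Thomson CLI) modelling the chain and rule evaluation the slides describe: rules are bound to a chain, the lowest index runs first, and the actions are drop, accept, deny and count. It is loaded with the three hands-on rules above, plus a count rule to show that counting does not end evaluation. Packets, indexes and the default action are constructed assumptions.

```python
# Added example: chain/rule evaluation model, not the gateway's firewall code.
from collections import namedtuple

Packet = namedtuple("Packet", "chain proto src dst dport")
Rule = namedtuple("Rule", "index chain match action")  # match: callable(Packet) -> bool


def serv(proto, dport):
    """Service classifier, in the spirit of an :expr 'type serv' entry."""
    return lambda p: p.proto == proto and p.dport == dport


# The three hands-on rules, one per chain; same index in different chains is fine.
RULES = [
    Rule(10, "forward_level", serv("tcp", 80),  "drop"),   # drop HTTP forwarding
    Rule(10, "sink",          serv("tcp", 21),  "drop"),   # drop FTP to the CPE
    Rule(5,  "source",        serv("udp", 666), "count"),  # count, then keep evaluating
    Rule(10, "source",        serv("udp", 666), "deny"),   # deny UDP/666 from the CPE
]
COUNTERS = {}


def evaluate(pkt, rules=RULES, default="accept"):
    """Walk the packet's chain in index order; the first drop/accept/deny wins.
    count only increments a counter (what the sender sees for deny vs. drop
    is not modelled)."""
    chain_rules = sorted((r for r in rules if r.chain == pkt.chain),
                         key=lambda r: r.index)
    for r in chain_rules:
        if not r.match(pkt):
            continue
        if r.action == "count":
            COUNTERS[(r.index, r.chain)] = COUNTERS.get((r.index, r.chain), 0) + 1
            continue
        return r.action
    return default
```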