DFL-210/800/1600/2500 Training Material DFL fundamental Part II Created on 2007 ©Copyright 2007....

DFL-210/800/1600/2500 Training Material

DFL fundamentalPart II

Created on 2007

©Copyright 2007. All rights reserved

Topic in NAT

• NAT behavior and DFL SAT & NAT• Do we must has NAT rule between SAT and

Allow for LAN • SAT Case Study : Things that NAT breaks

3

NAT – Source Address Translate

INSIDE OUTSIDE

Packet1Source: 2.2.2.2

Destination: 1.1.1.1



192.168.1.100 1.1.1.1





NAT

The NAT router replaces the private address of green PC (192.168.1.100) with a Public routable Address (2.2.2.2)

DFL – Source Address Translate

5

NAT – Destination Address Translate

INSIDE OUTSIDE



Packet1Source: 192.168.1.1Destination: 172.16.90.91

192.168.1.1 1.1.1.1





NAT

The NAT router is translating Both the Source and Destination Address in both directions.

Gary Chuang

Virtual Server in reverse direction

DFL – Destination Address Translate

Orig. Dest. SAT Dest.----------------------------------------------------------------------------------------

172.16.90.1 1.1.1.1172.16.90.2 1.1.1.2172.16.90.3 1.1.1.3…. ….172.16.90.254 1.1.1.254

7

NAT – Dynamic NAT

INSIDE OUTSIDE

In this NAT design, a pool of public ip addresses serves private addresses 12 times as large.

NATOutside source1.1.1.1-1.1.1.20

(20 total addresses)

Inside source10.10.10.1-10.10.10.254

(254 total addresses)

Internet

8

NAT - NAPT

INSIDE OUTSIDE


Source port : 1026


Source port : 1026

Inside


Source port : 3000


Source port : 1026

NAT

By Translating Both the IP address and associated port, PAT allows Many hosts to simultaneously use a Single Global Address.

Outside

DFL - NAPT

Do we must has NAT rule between SAT and Allow for LAN

Do we must has NAT rule between SAT and Allow for LAN?

LAN user to web serverSAT & NAT


# Name ActionSource

IntSource

Net

Destination

Int

Destination Net

Service SAT parameter

1 SAT_Web_In

SAT any all-nets core wan_ip http-in SAT_Dest:Websrv_priv_ip

2 SAT_Web_Out

SAT lan Websrv_priv_ip

any all-nets 80 > all SAT_Src:wan_ip

3 FwdFast_Web_Out

FwdFast lan Websrv_priv_ip

any all-nets 80 > all

4 Fwd_Web_In

FwdFast wan1 all-nets core wan_ip http-in

5 NAT_lan_Web_In

NAT lan lannet core wan_ip http-in


DFL:/> rules -vContents of ruleset; default action is DROP# Act. Source Destination Protocol/Ports-- ----- ---------------------- ---------------------- --------------1 SAT *:0.0.0.0/0 core:1.2.3.4 "http-in" "SAT_webIn" SETDEST 172.31.31.200 Use: 5

2 SAT lan:172.31.31.200 *:0.0.0.0/0 TCP 80 > ALL "SAT_webOut" SETSRC 1.2.3.4:80 Use: 4

3 FwdFa lan:172.31.31.200 *:0.0.0.0/0 TCP 80 > ALL "Allow_SAT_webOut" Use: 4

4 FwdFa wan1:0.0.0.0/0 core:1.2.3.4 "http-in" "Allow_SAT_webIn" Use: 5

5 NAT lan:172.31.31.0/24 core:1.2.3.4 "http-in" "NAT_lan-core_wan" Use: 0

External traffic to Internal web server (SAT & FwdFast)


A (SYN) B A (SYN,ACK) B A (ACK) B A (request GET) B A (request has succeeded) B A (FIN,ACK) B A (ACK) B A (FIN,ACK) B A (ACK) B


DFL:/> rules -vContents of ruleset; default action is DROP# Act. Source Destination Protocol/Ports-- ----- ---------------------- ---------------------- --------------1 SAT *:0.0.0.0/0 core:1.2.3.4 "http-in" "SAT_webIn" SETDEST 172.31.31.200 Use: 5



4 FwdFa wan1:0.0.0.0/0 core:1.2.3.4 "http-in" "Allow_SAT_webIn" Use: 5

5 NAT lan:172.31.31.0/24 core:1.2.3.4 "http-in" "NAT_lan-core_wan" Use: 0



DFL:/> rules –vContents of ruleset; default action is DROP# Act. Source Destination Protocol/Ports-- ----- ---------------------- ---------------------- --------------1 SAT *:0.0.0.0/0 core: 1.2.3.4 "http-in" "SAT_webIn" SETDEST 172.31.31.200 Use: 1



4 FwdFa wan1:0.0.0.0/0 core: 1.2.3.4 "http-in" "Allow_SAT_webIn" Use: 05 NAT lan:172.31.31.0/24 core:1.2.3.4 "http-in" "NAT_lan-core_wan" Use: 1

Internal traffic to Internal web server (SAT & NAT)

Case Study : Things that NAT breaks

Things that NAT breaks

1) The Protocols cryptographically requires the addresses are unaltered.

(e.g. IPSec or Kerberos 4,5)

2) There are embedded IP addresses in the data portion.

(e.g. H.323, SNMP, RSVP, FTP…)

3) An application requires pre-set or negotiated source/destination port values.

(e.g. Rlogin, TFTP)

TFTPRlogin


FTP active mode and FTP server is at outside


FTP passive mode and FTP server is at inside


FTP passive mode and FTP server is at inside with FTP ALG

Hands-onNAT ALG and Second IP

User Authentication

User Authentication

• Admin Users• User Authentication Type• Authentication server• Authentication Rule

Admin User

Treeview: User Authentication => Local User Database

User Authentication Type

• Authentication User and User Groups• PPTP Users and User Groups• L2TP Users and User Groups• Xauth User• IKE ID list

Authentication server

User Auth Rule

Treeview: User Authentication => User Authentication Rule =>Add New

Authentication Users and User Groups

- Scenario

Authentication Users and User Groups – Process flow

Hands-onAuthentication Users and User Groups

• Configuration concept– User Database ( local, external)– IP address object (incl. credential)– WebUI before Rules– User Authentication Rule– IP Rule

Authentication Users and User Groups – User Database

Authentication Users and user Groups – IP address object

Authentication Users and user Groups – WebUI before rules

Authentication Users and user Groups – User Authentication Rule

Authentication Users and user Groups – IP Rule

Authentication Users and user Groups – VSA (for user credential in RADIUS)

IAS configuration

1) IAS must notify firewall that any users that matches this policy belong to the designated “user-group". In the “Edit Profile” of a policy, click on the “advanced tab”.

2) Press “Add” to add a new attribute for VSA.

3) Type 5089 in “Enter Vendor Code”.

4) Click on “Configure Attribute” Enter the attributes.

Xauth

the exchange of Attribute Payload using ISAKMP message

Identification List

Identification List

CountryState

LocalityOrganization nameOrganization UnitCommon Name

Email

ASN.1 DN

Identification List

Hands-onUser Authentication

PPTP/L2TP

PPTP/L2TP

• Architecture• Function• Protocol use• Authentication • Encryption

PPTP

Protocol involve: control connection: TCP 1723; GRE Tunnel: IP Protocol 47

PPTP

PPTP extended GRE header

55

L2TP

L2TP modes

L2TP in IP/UDP Encapsulation

UDP port 1701

L2TP Decapsulation

Thing need to be concerned

• Windows performs L2TP over IPSec by default– Click Start > Run: Type regedit– Double-click HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > Ras

Man > Parameters.

– Double-click ProhibitIPSec: Type 1 in the Value data field, select Hexadecimal as the base value, then click OK.

– Reboot.

Thing need to be concerned

62

L2TP over IPSec – Configuration Concept

• Configuration Concept – Server– User Database (local, external)– IP address object– IPSec tunnel– L2TP tunnel– Authentication– IP Rule

L2TP over IPSec – Configuration Concept

1

2

3

1

2

3

2

64

PPTP LAN-to-LANScenario

65

PPTP LAN-to-LANConfiguration Concept

• Configuration Concept – Server– IP address object– User Database (local, external)– PPTP tunnel (Server)– Authentication– IP Rule

66

PPTP LAN-to-LANCentral Office – IP Address

Tree view: Objects => Address Book

67

PPTP LAN-to-LAN Central Office – User Database

Tree view: User Authentication => Local User Database

68

PPTP LAN-to-LANCentral Office - Tunnel

Tree view: Interfaces => PPTP/L2TP Servers

69

PPTP LAN-to-LAN Central Office – User Authentication Rule

Tree view: User Authentication => User Authentication Rules

70

PPTP LAN-to-LAN Central Office – IP Rule

Tree view: Rules => IP Rules

71

PPTP LAN-to-LAN Configuration Concept

• Configuration Concept – Client– IP address– PPTP tunnel (Client)– IP Rule

72

PPTP LAN-to-LANNew York - Address

Tree view: Objects => Address Book

73

PPTP LAN-to-LANNew York – PPTP Client

Tree view: Interfaces => PPTP/L2TP Client

74

PPTP LAN-to-LAN New York - IPRule

Tree view: Rules => IP Rules

75

PPTP LAN-to-LANDone and Activate

Configuration Done!!!

76

PPTP LAN-to-LANVerification on CO site

Hands onPPTP LAN-to-LAN

Trouble Shooting

Trouble Shooting

• Troubleshooting by Layers• 7 - Application• 6 - Presentation• 5 - Session• 4 - Transport• 3 – Network• 2 – Data Link• 1 - Physical

Approach

Trouble shooting

What's in your Tool bag

Tool bag – WebUI- Layer1

Tool bag – CLI - Layer1

DFL-800:/> ifstat wan1 Iface wan1 Builtin r8139/8129 - Realtek RTL8139 Fast Ethernet Bus 0 Slot 2 IRQ 0 Media : "100BaseTx" Link Status : 100 Mbps full Duplex (autonegotiated) Receive Mode : Undefined MTU : 1500 Link Partner : 10BASE-T, 10BASE-T FD, 100BASE-TX, 100BASE-TX FD IP Address : 10.254.0.180 Hw Address : 0013:463d:876a PBR Membership: main

Software Statistics: Soft received : 123117 Soft sent : 175208 Send failures : 0 Dropped : 36 IP Input Errs : 0

Driver information / hardware statistics: IN : packets= 13 bytes= 854 errors= 0 dropped= 0 OUT: packets= 10 bytes= 600 errors= 0 dropped= 0 Collisions : 0 In : Length Errors : 0 In : Overruns : 0 In : CRC Errors : 0 In : Frame Errors : 0 In : FIFO Overruns : 0 In : Packets Missed : 0 Out: Sends Aborted : 0 Out: Carrier Errors : 0 Out: FIFO Underruns : 0 Out: SQE Errors : 0 Out: Late Collisions : 0

Tool bag – WEbUI - Layer3


DFL-800:/> routes -all -vFlags Network Iface Gateway Local IP Metric----- ------------------ -------------- --------------- --------------- ------ 127.0.0.1 core (Iface IP) 0 10.254.0.180 core (Iface IP) 0 192.168.120.254 core (Iface IP) 0 172.17.100.254 core (Iface IP) 0 192.168.12.1 core (Iface IP) 0 220.132.138.26 core (Iface IP) 0 192.168.1.0/24 ipsec_t1 90 10.254.0.0/24 wan1 100 192.168.120.0/24 wan2 100 172.17.100.0/24 dmz 100 192.168.12.0/24 lan 100 224.0.0.0/4 core (Iface IP) 0 0.0.0.0/0 ADSL1 90


DFL-800:/> ping 168.95.1.1 -srcip=192.168.12.150 -recvif=lan length=1400 -verbose

Rule and routing information for ping:PBR selected by rule "iface_member_main" - PBR table "main" allowed by rule "allow_ping-outbound" sent via route "0.0.0.0/0 via ADSL1, no gw" in PBR table "main"

Sending 1 1400-byte ping to 168.95.1.1 from 220.132.138.26.

Reply from 168.95.1.1 seq=0 time=150 ms TTL=248

Ping Results: Sent: 1, Received:1, Loss: 0%, Avg RTT: 150.0 ms

> ping { Dest. ip address } – [ count | length | pbr | recif | srcip | verbose ]

Trouble shooting - logging

Log is our best friend• Log severity default• Log reference

Trouble shooting - logging

Trouble shooting – IPRule set

DFL-800:/> rules 1-5 -ruleset=main -vContents of ruleset; default action is DROP# Act. Source Destination Protocol/Ports-- ----- ---------------------- ---------------------- --------------1 Drop lan:192.168.1.0/24 wan1:0.0.0.0/0 "smb-all" "drop_smb-all" Use: 0 2 NAT lan:192.168.1.0/24 wan1:0.0.0.0/0 "ping-outbound" "allow_ping-outbound" Use: 0 3 NAT lan:192.168.1.0/24 wan1:0.0.0.0/0 "ftp-passthrough" "allow_ftp-passthrough" Use: 0 4 NAT lan:192.168.1.0/24 wan1:0.0.0.0/0 "all_tcpudp" "allow_standard" Use: 0 5 Allow lan:192.168.1.0/24 core:192.168.1.1 "ping-inbound" "ping_fw" Use: 1

>rules [range] –[ruleset | schedule | verbose]

Trouble Shooting in IPRule

Clear counter in >rules –v• >connections -close –all• >reconfigure• >rules -v

Trouble ShootingFinal Solution

• Final solution– Problem can not identify– Packet capture between Inside and Outside.– Time accuracy between capture and log


Time Accuracy in DFL


Time Accuracy in DFL

>time -sync –forceDFL-800:/> Timesync:Clockdrift(-4337s) too high(max +/-600s) -> Clock not updated!

DFL-800:/> time -sync -force Attempting to synchronize system time...

DFL-800:/> Server time: 2007-06-13 18:08:24 (UTC+08:00)Local time: 2007-06-13 18:05:24 (UTC+08:00) (diff: -180)

Local time successfully changed to server time.


Time Accuracy on Traffic analyzer


Time format on Traffic analyzer


Capture option on Traffic analyzer

DFL-210/800/1600/2500 Training Material DFL fundamental Part II Created on 2007 ©Copyright 2007....

Documents

Transcript of DFL-210/800/1600/2500 Training Material DFL fundamental Part II Created on 2007 ©Copyright 2007....