Published by Kate Brock. Modified over 9 years ago.
DFL-210/800/1600/2500 Training Material
DFL Fundamentals, Part II
Created in 2007. © Copyright 2007. All rights reserved.

Topics in NAT
– NAT behaviour and DFL
– SAT & NAT: do we need a NAT rule between SAT and Allow for LAN?
– SAT case study: things that NAT breaks
NAT – Source Address Translate
Packet 1, inside: Source 192.168.1.100, Destination 1.1.1.1. Outside: Source 2.2.2.2, Destination 1.1.1.1.
Packet 2, outside: Source 1.1.1.1, Destination 2.2.2.2. Inside: Source 1.1.1.1, Destination 192.168.1.1.
The NAT router replaces the private address of the green PC (192.168.1.100) with a public, routable address (2.2.2.2).
DFL – Source Address Translate
NAT – Destination Address Translate
Packet 1: Source 192.168.1.1, Destination 1.1.1.1 on one side of the NAT; Source 192.168.1.1, Destination 172.16.90.91 on the other.
Packet 2: Source 1.1.1.1, Destination 2.2.2.2 on one side; Source 172.16.90.91, Destination 192.168.1.1 on the other.
The NAT router translates both the source and the destination address, in both directions.
DFL – Destination Address Translate
Orig. Dest.     SAT Dest.
--------------  ---------
172.16.90.1     1.1.1.1
172.16.90.2     1.1.1.2
172.16.90.3     1.1.1.3
…
172.16.90.254   1.1.1.254
NAT – Dynamic NAT
In this NAT design, a pool of public IP addresses serves a private address range 12 times as large.
Outside source pool: 1.1.1.1–1.1.1.20 (20 addresses in total).
Inside source range: 10.10.10.1–10.10.10.254 (254 addresses in total), with the pool facing the Internet.
NAT – NAPT
Packet 1, inside: Source 192.168.1.1, source port 1026. Outside: Source 2.2.2.2, source port 1026.
Packet 2, inside: Source 192.168.1.101, source port 1026. Outside: Source 2.2.2.2, source port 3000.
By translating both the IP address and the associated port, PAT allows many hosts to use a single global address simultaneously.
DFL – NAPT

Do we need a NAT rule between SAT and Allow for LAN?

LAN user to web server: SAT & NAT
Do we need a NAT rule between SAT and Allow for LAN?
#  Name             Action   Source Int  Source Net      Destination Int  Destination Net  Service   SAT parameter
1  SAT_Web_In       SAT      any         all-nets        core             wan_ip           http-in   SAT_Dest: Websrv_priv_ip
2  SAT_Web_Out      SAT      lan         Websrv_priv_ip  any              all-nets         80 > all  SAT_Src: wan_ip
3  FwdFast_Web_Out  FwdFast  lan         Websrv_priv_ip  any              all-nets         80 > all
4  Fwd_Web_In       FwdFast  wan1        all-nets        core             wan_ip           http-in
5  NAT_lan_Web_In   NAT      lan         lannet          core             wan_ip           http-in
Do we need a NAT rule between SAT and Allow for LAN?
DFL:/> rules -v
Contents of ruleset; default action is DROP
#  Act.  Source                 Destination            Protocol/Ports
-- ----- ---------------------- ---------------------- --------------
1  SAT   *:0.0.0.0/0            core:1.2.3.4           "http-in"      "SAT_webIn"        SETDEST 172.31.31.200  Use: 5
2  SAT   lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "SAT_webOut"       SETSRC 1.2.3.4:80      Use: 4
3  FwdFa lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "Allow_SAT_webOut"                        Use: 4
4  FwdFa wan1:0.0.0.0/0         core:1.2.3.4           "http-in"      "Allow_SAT_webIn"                         Use: 5
5  NAT   lan:172.31.31.0/24     core:1.2.3.4           "http-in"      "NAT_lan-core_wan"                        Use: 0
External traffic to the internal web server (SAT & FwdFast)
TCP exchange between A and B, as drawn on the slide:
A (SYN) B
A (SYN,ACK) B
A (ACK) B
A (request GET) B
A (request has succeeded) B
A (FIN,ACK) B
A (ACK) B
A (FIN,ACK) B
A (ACK) B
Do we need a NAT rule between SAT and Allow for LAN?
DFL:/> rules -v
Contents of ruleset; default action is DROP
#  Act.  Source                 Destination            Protocol/Ports
-- ----- ---------------------- ---------------------- --------------
1  SAT   *:0.0.0.0/0            core:1.2.3.4           "http-in"      "SAT_webIn"        SETDEST 172.31.31.200  Use: 1
2  SAT   lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "SAT_webOut"       SETSRC 1.2.3.4:80      Use: 0
3  FwdFa lan:172.31.31.200      *:0.0.0.0/0            TCP 80 > ALL   "Allow_SAT_webOut"                        Use: 0
4  FwdFa wan1:0.0.0.0/0         core:1.2.3.4           "http-in"      "Allow_SAT_webIn"                         Use: 0
5  NAT   lan:172.31.31.0/24     core:1.2.3.4           "http-in"      "NAT_lan-core_wan"                        Use: 1
Internal traffic to the internal web server (SAT & NAT)
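As an added illustration of the two rule listings above (constructed here, not D-Link's code), this Python model walks the same five rules the way the Use counters show: the first matching SAT rule is remembered, the walk continues, and the first matching non-SAT rule decides the action. The firewall's lan address (172.31.31.1), the client addresses and the small route() helper are assumptions.

```python
import ipaddress
# Constructed model of the five-rule set in the "rules -v" output above (added here,
# not the DFL's own code). Service is (source port, destination port), None = any:
# "http-in" is (None, 80), "TCP 80 > ALL" is (80, None). "core" = the firewall, "*" = any iface.
RULES = [
    ("SAT", "*", "0.0.0.0/0", "core", "1.2.3.4/32", (None, 80), "SAT_webIn", ("SETDEST", "172.31.31.200")),
    ("SAT", "lan", "172.31.31.200/32", "*", "0.0.0.0/0", (80, None), "SAT_webOut", ("SETSRC", "1.2.3.4")),
    ("FwdFast", "lan", "172.31.31.200/32", "*", "0.0.0.0/0", (80, None), "Allow_SAT_webOut", None),
    ("FwdFast", "wan1", "0.0.0.0/0", "core", "1.2.3.4/32", (None, 80), "Allow_SAT_webIn", None),
    ("NAT", "lan", "172.31.31.0/24", "core", "1.2.3.4/32", (None, 80), "NAT_lan-core_wan", None),
]
FW_WAN_IP = "1.2.3.4"       # wan_ip is owned by the firewall, so its destination interface is "core"
FW_LAN_IP = "172.31.31.1"   # assumed lan address of the firewall (not given on the slide)

def route(dst):
    """Destination interface as the firewall would choose it: its own IP maps to core."""
    if dst == FW_WAN_IP:
        return "core"
    return "lan" if ipaddress.ip_address(dst) in ipaddress.ip_network("172.31.31.0/24") else "wan1"

def matches(rule, pkt):
    _, sif, snet, dif, dnet, (sport, dport), _, _ = rule
    rif, src, sp, dst, dp = pkt   # receiving iface, src ip, src port, dst ip, dst port
    return (sif in ("*", rif) and ipaddress.ip_address(src) in ipaddress.ip_network(snet)
            and dif in ("*", route(dst)) and ipaddress.ip_address(dst) in ipaddress.ip_network(dnet)
            and sport in (None, sp) and dport in (None, dp))

def lookup(pkt, rules=RULES):
    """The first matching SAT rule is remembered and the walk continues; the first
    matching non-SAT rule gives the action. No such rule means the default: DROP."""
    rif, src, sp, dst, dp = pkt
    sat = action = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule[0] != "SAT":
            action = rule
            break
        sat = sat or rule
    sat_name = sat[6] if sat else None
    if action is None:
        return (sat_name, "DROP", pkt)   # e.g. a LAN client when rule 5 is missing
    if sat:   # apply the SAT rewrite (SETDEST or SETSRC) to the forwarded packet
        dst, src = (sat[7][1], src) if sat[7][0] == "SETDEST" else (dst, sat[7][1])
    if action[0] == "NAT":   # source becomes the firewall, so the server replies through it
        src = FW_LAN_IP
    return (sat_name, action[6], (rif, src, sp, dst, dp))
```

With all five rules, a LAN client that connects to the public wan_ip hits SAT_webIn plus NAT_lan-core_wan, exactly as the second listing counts; with the NAT rule removed the same packet falls through to the default DROP.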
Case Study: Things that NAT breaks

Things that NAT breaks
1) Protocols that cryptographically require the addresses to be unaltered (e.g. IPSec, Kerberos 4 and 5).
2) Protocols that carry IP addresses embedded in the data portion (e.g. H.323, SNMP, RSVP, FTP, …).
3) Applications that require pre-set or negotiated source/destination port values (e.g. Rlogin, TFTP).
TFTP behaviour
1. Host A sends a WRQ to TFTP server B with source = A's TID (transfer identifier) and destination = port 69.
2. TFTP server B sends an ACK (block number 0) to host A with source = B's TID and destination = A's TID.
On the slide: A's TID = 2856, B listens on port 69, and B answers from B's TID = 2566.
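The following constructed Python model (added here, not D-Link's code) ties the NAPT slide to the TFTP item in this case study: it keeps NAT state on the full 5-tuple and shows why a TFTP ACK sent from B's TID rather than from port 69 finds no state and is dropped. The destination 1.1.1.1, the port-80 flows and the strict full-tuple matching are assumptions.

```python
# Constructed NAPT model (added here, not D-Link code) for the NAPT slide and the
# TFTP item in "Things that NAT breaks". Assumes state on the full 5-tuple, so an
# inbound packet passes only if it exactly reverses a flow an inside host opened.
PUBLIC_IP = "2.2.2.2"   # the single global address from the NAPT slide

class Napt:
    def __init__(self, public_ip=PUBLIC_IP, first_port=3000):
        self.public_ip = public_ip
        self.next_port = first_port   # pool port used on a collision (3000 on the slide)
        self.out = {}    # (proto, src, sport, dst, dport) -> public port
        self.back = {}   # (proto, public port, dst, dport) -> (src, sport)

    def outbound(self, proto, src, sport, dst, dport):
        """Inside -> outside: rewrite the source to public ip/port, creating state."""
        key = (proto, src, sport, dst, dport)
        if key not in self.out:
            # Keep the host's own port unless another inside host already uses it
            # towards the same destination; then take the next pool port.
            if (proto, sport, dst, dport) in self.back:
                port, self.next_port = self.next_port, self.next_port + 1
            else:
                port = sport
            self.out[key] = port
            self.back[(proto, port, dst, dport)] = (src, sport)
        return (self.public_ip, self.out[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Outside -> inside: only the exact reverse of a known flow is translated."""
        if dst != self.public_ip:
            return None
        entry = self.back.get((proto, dport, src, sport))
        if entry is None:
            return None   # no matching state: the NAT drops the packet
        inside_ip, inside_port = entry
        return (src, sport, inside_ip, inside_port)

def demo_napt():
    """Two inside hosts both using source port 1026 share 2.2.2.2 (NAPT slide)."""
    nat = Napt()
    first = nat.outbound("tcp", "192.168.1.1", 1026, "1.1.1.1", 80)
    second = nat.outbound("tcp", "192.168.1.101", 1026, "1.1.1.1", 80)
    return first[1], second[1]   # first host keeps 1026, second host gets 3000

def demo_tftp():
    """TFTP: the WRQ goes to port 69, but the ACK comes back from B's TID (2566)."""
    nat = Napt()
    nat.outbound("udp", "192.168.1.1", 2856, "1.1.1.1", 69)         # A's TID 2856 -> port 69
    from_69 = nat.inbound("udp", "1.1.1.1", 69, PUBLIC_IP, 2856)      # reverse of the flow: passes
    from_tid = nat.inbound("udp", "1.1.1.1", 2566, PUBLIC_IP, 2856)   # B's TID: no state, dropped
    return from_69 is not None, from_tid is None
```

A NAT that keeps less strict state, or an ALG that understands TFTP, is what lets the transfer complete; the FTP ALG slides later on show the same idea for FTP.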
Rlogin regulation
When an rlogin request is received, the server checks the client's source port. If the port is not in the range 512–1023, the server aborts the connection.
Things that NAT breaks: FTP active mode with the FTP server outside

Things that NAT breaks: FTP passive mode with the FTP server inside

Things that NAT breaks: FTP passive mode with the FTP server inside, using the FTP ALG

Hands-on: NAT ALG and second IP

User Authentication
– Admin users
– User authentication type
– Authentication server
– Authentication rule
Admin User
Treeview: User Authentication => Local User Database
Treeview: System => Remote Management

User Authentication Type
– Authentication Users and User Groups
– PPTP Users and User Groups
– L2TP Users and User Groups
– Xauth User
– IKE ID list
Authentication server

User Auth Rule
Treeview: User Authentication => User Authentication Rule => Add New

Authentication Users and User Groups – Scenario

Authentication Users and User Groups – Process flow

Hands-on: Authentication Users and User Groups
Configuration concept:
– User Database (local, external)
– IP address object (incl. credentials)
– WebUI before Rules
– User Authentication Rule
– IP Rule
Authentication Users and User Groups – User Database

Authentication Users and User Groups – IP address object

Authentication Users and User Groups – WebUI before rules

Authentication Users and User Groups – User Authentication Rule

Authentication Users and User Groups – IP Rule

Authentication Users and User Groups – VSA (for user credentials in RADIUS)
IAS configuration:
1) IAS must notify the firewall that any user matching this policy belongs to the designated "user-group". In the "Edit Profile" dialog of the policy, click the "Advanced" tab.
2) Press "Add" to add a new attribute for the VSA.
3) Type 5089 in "Enter Vendor Code".
4) Click "Configure Attribute" and enter the attributes.
Xauth

The exchange of Attribute Payloads using ISAKMP messages

Xauth
When using the XAUTH agent, there is no need to specify the receiving interface or the source network, as this information is not available at the XAUTH phase. For this reason, only one XAUTH user authentication rule can be defined.
Identification List
ASN.1 DN fields: Country, State, Locality, Organization name, Organization Unit, Common Name, Email

Identification List

Hands-on: User Authentication
PPTP/L2TP
– Architecture
– Function
– Protocols used
– Authentication
– Encryption

PPTP
Protocols involved: control connection on TCP 1723; GRE tunnel on IP protocol 47.

PPTP – extended GRE header

L2TP

L2TP modes

L2TP in IP/UDP encapsulation: UDP port 1701

L2TP decapsulation
Things to be aware of
Windows performs L2TP over IPSec by default. To make it send plain L2TP instead:
– Click Start > Run and type regedit.
– Open HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters.
– Double-click ProhibitIPSec, type 1 in the Value data field, select Hexadecimal as the base, then click OK.
– Reboot.
With ProhibitIPSec set, the L2TP tunnel carries its PPP traffic without IPSec protection, since L2TP itself does not encrypt.

Things to be aware of
L2TP over IPSec – Configuration Concept (Server)
– User Database (local, external)
– IP address object
– IPSec tunnel
– L2TP tunnel
– Authentication
– IP Rule

L2TP over IPSec – Configuration Concept

PPTP LAN-to-LAN Scenario

PPTP LAN-to-LAN Configuration Concept (Server)
– IP address object
– User Database (local, external)
– PPTP tunnel (Server)
– Authentication
– IP Rule

PPTP LAN-to-LAN Central Office – IP Address
Tree view: Objects => Address Book

PPTP LAN-to-LAN Central Office – User Database
Tree view: User Authentication => Local User Database

PPTP LAN-to-LAN Central Office – Tunnel
Tree view: Interfaces => PPTP/L2TP Servers

PPTP LAN-to-LAN Central Office – User Authentication Rule
Tree view: User Authentication => User Authentication Rules

PPTP LAN-to-LAN Central Office – IP Rule
Tree view: Rules => IP Rules

PPTP LAN-to-LAN Configuration Concept (Client)
– IP address
– PPTP tunnel (Client)
– IP Rule

PPTP LAN-to-LAN New York – Address
Tree view: Objects => Address Book

PPTP LAN-to-LAN New York – PPTP Client
Tree view: Interfaces => PPTP/L2TP Client

PPTP LAN-to-LAN New York – IP Rule
Tree view: Rules => IP Rules

PPTP LAN-to-LAN – Done: activate the configuration. Done!

PPTP LAN-to-LAN – Verification on the CO site

Hands-on: PPTP LAN-to-LAN
Troubleshooting

Troubleshooting by layers
7 – Application
6 – Presentation
5 – Session
4 – Transport
3 – Network
2 – Data Link
1 – Physical

Approach

Troubleshooting: what's in your tool bag

Tool bag – WebUI – Layer 1
Tool bag – CLI – Layer 1
DFL-800:/> ifstat wan1
Iface wan1
  Builtin r8139/8129 - Realtek RTL8139 Fast Ethernet Bus 0 Slot 2 IRQ 0
  Media          : "100BaseTx"
  Link Status    : 100 Mbps full Duplex (autonegotiated)
  Receive Mode   : Undefined
  MTU            : 1500
  Link Partner   : 10BASE-T, 10BASE-T FD, 100BASE-TX, 100BASE-TX FD
  IP Address     : 10.254.0.180
  Hw Address     : 0013:463d:876a
  PBR Membership : main
Software Statistics:
  Soft received : 123117   Soft sent : 175208   Send failures : 0
  Dropped       : 36       IP Input Errs : 0
Driver information / hardware statistics:
  IN : packets= 13 bytes= 854 errors= 0 dropped= 0
  OUT: packets= 10 bytes= 600 errors= 0 dropped= 0
  Collisions           : 0
  In : Length Errors   : 0
  In : Overruns        : 0
  In : CRC Errors      : 0
  In : Frame Errors    : 0
  In : FIFO Overruns   : 0
  In : Packets Missed  : 0
  Out: Sends Aborted   : 0
  Out: Carrier Errors  : 0
  Out: FIFO Underruns  : 0
  Out: SQE Errors      : 0
  Out: Late Collisions : 0
Tool bag – WebUI – Layer 3

Tool bag – CLI – Layer 3
DFL-800:/> routes -all -v
Flags Network            Iface          Gateway         Local IP        Metric
----- ------------------ -------------- --------------- --------------- ------
      127.0.0.1          core                           (Iface IP)      0
      10.254.0.180       core                           (Iface IP)      0
      192.168.120.254    core                           (Iface IP)      0
      172.17.100.254     core                           (Iface IP)      0
      192.168.12.1       core                           (Iface IP)      0
      220.132.138.26     core                           (Iface IP)      0
      192.168.1.0/24     ipsec_t1                                       90
      10.254.0.0/24      wan1                                           100
      192.168.120.0/24   wan2                                           100
      172.17.100.0/24    dmz                                            100
      192.168.12.0/24    lan                                            100
      224.0.0.0/4        core                           (Iface IP)      0
      0.0.0.0/0          ADSL1                                          90
Tool bag – CLI – Layer 3
DFL-800:/> ping 168.95.1.1 -srcip=192.168.12.150 -recvif=lan -length=1400 -verbose
Rule and routing information for ping:
  PBR selected by rule "iface_member_main" - PBR table "main"
  allowed by rule "allow_ping-outbound"
  sent via route "0.0.0.0/0 via ADSL1, no gw" in PBR table "main"
Sending 1 1400-byte ping to 168.95.1.1 from 220.132.138.26.
Reply from 168.95.1.1 seq=0 time=150 ms TTL=248
Ping Results: Sent: 1, Received: 1, Loss: 0%, Avg RTT: 150.0 ms
> ping {dest. ip address} -[count | length | pbr | recvif | srcip | verbose]
Troubleshooting – logging
Log is our best friend.
– Log severity default
– Log reference

Troubleshooting – logging

Troubleshooting – IP rule set
DFL-800:/> rules 1-5 -ruleset=main -v
Contents of ruleset; default action is DROP
#  Act.  Source                 Destination            Protocol/Ports
-- ----- ---------------------- ---------------------- --------------
1  Drop  lan:192.168.1.0/24     wan1:0.0.0.0/0         "smb-all"          "drop_smb-all"           Use: 0
2  NAT   lan:192.168.1.0/24     wan1:0.0.0.0/0         "ping-outbound"    "allow_ping-outbound"    Use: 0
3  NAT   lan:192.168.1.0/24     wan1:0.0.0.0/0         "ftp-passthrough"  "allow_ftp-passthrough"  Use: 0
4  NAT   lan:192.168.1.0/24     wan1:0.0.0.0/0         "all_tcpudp"       "allow_standard"         Use: 0
5  Allow lan:192.168.1.0/24     core:192.168.1.1       "ping-inbound"     "ping_fw"                Use: 1
> rules [range] -[ruleset | schedule | verbose]
Troubleshooting in the IP rule set: clearing the Use counters
> rules -v
> connections -close -all
> reconfigure
> rules -v

Troubleshooting: final solution
– The problem cannot be identified
– Packet capture between inside and outside
– Time accuracy between capture and log
Troubleshooting final solution – Time accuracy in DFL

Troubleshooting final solution – Time accuracy in DFL
> time -sync -force
DFL-800:/> Timesync:Clockdrift(-4337s) too high(max +/-600s) -> Clock not updated!
DFL-800:/> time -sync -force
Attempting to synchronize system time...
DFL-800:/> Server time: 2007-06-13 18:08:24 (UTC+08:00)
Local time: 2007-06-13 18:05:24 (UTC+08:00) (diff: -180)
Local time successfully changed to server time.
Troubleshooting final solution – Time accuracy on the traffic analyzer

Troubleshooting final solution – Time format on the traffic analyzer

Troubleshooting final solution – Capture options on the traffic analyzer

Troubleshooting final solution

END