Presentation is loading. Please wait.

Presentation is loading. Please wait.

DFL-210/800/1600/2500 Training Material DFL fundamental Part II Created on 2007 ©Copyright 2007. All rights reserved.

Similar presentations


Presentation on theme: "DFL-210/800/1600/2500 Training Material DFL fundamental Part II Created on 2007 ©Copyright 2007. All rights reserved."— Presentation transcript:

1 DFL-210/800/1600/2500 Training Material DFL fundamental Part II Created on 2007 ©Copyright All rights reserved

2 Topic in NAT NAT behavior and DFL SAT & NAT Do we must has NAT rule between SAT and Allow for LAN SAT Case Study : Things that NAT breaks

3 3 NAT – Source Address Translate INSIDEOUTSIDE Packet1 Source: Destination: Packet1 Source: Destination: Packet2 Source: Destination: Packet2 Source: Destination: NAT The NAT router replaces the private address of green PC ( ) with a Public routable Address ( )

4 DFL – Source Address Translate

5 5 NAT – Destination Address Translate INSIDEOUTSIDE Packet1 Source: Destination: Packet1 Source: Destination: Packet2 Source: Destination: Packet2 Source: Destination: NAT The NAT router is translating Both the Source and Destination Address in both directions.

6 DFL – Destination Address Translate Orig. Dest.SAT Dest …

7 7 NAT – Dynamic NAT INSIDEOUTSIDE In this NAT design, a pool of public ip addresses serves private addresses 12 times as large. NAT Outside source (20 total addresses) Inside source (254 total addresses) Internet

8 8 NAT - NAPT INSIDEOUTSIDE Packet1 Source: Source port : 1026 Packet1 Source: Source port : 1026 Inside Packet2 Source: Source port : 3000 Packet2 Source: Source port : 1026 NAT By Translating Both the IP address and associated port, PAT allows Many hosts to simultaneously use a Single Global Address. Outside

9 DFL - NAPT

10 Do we must has NAT rule between SAT and Allow for LAN

11 Do we must has NAT rule between SAT and Allow for LAN?

12

13 LAN user to web server SAT & NAT

14 Do we must has NAT rule between SAT and Allow for LAN? #NameAction Source Int Source Net Destination Int Destination Net ServiceSAT parameter 1SAT_ Web_In SATanyall-netscorewan_iphttp-inSAT_Dest: Websrv_priv_ip 2SAT_ Web_Out SATlanWebsrv_ priv_ip anyall-nets80 > allSAT_Src: wan_ip 3FwdFast_ Web_Out FwdFastlanWebsrv_ priv_ip anyall-nets80 > all 4Fwd_ Web_In FwdFastwan1all-netscorewan_iphttp-in 5NAT_ lan_Web_In NATlanlannetcorewan_iphttp-in

15 Do we must has NAT rule between SAT and Allow for LAN? DFL:/> rules -v Contents of ruleset; default action is DROP # Act. Source Destination Protocol/Ports SAT *: /0 core: "http-in" "SAT_webIn" SETDEST Use: 5 2 SAT lan: *: /0 TCP 80 > ALL "SAT_webOut" SETSRC :80 Use: 4 3 FwdFa lan: *: /0 TCP 80 > ALL "Allow_SAT_webOut" Use: 4 4 FwdFa wan1: /0 core: "http-in" "Allow_SAT_webIn" Use: 5 5 NAT lan: /24 core: "http-in" "NAT_lan-core_wan" Use: 0 External traffic to Internal web server (SAT & FwdFast)

16 A  (SYN) B A  (SYN,ACK) B A  (ACK) B A  (request GET) B A  (request has succeeded) B A  (FIN,ACK) B A  (ACK) B A  (FIN,ACK) B A  (ACK) B

17 Do we must has NAT rule between SAT and Allow for LAN? DFL:/> rules -v Contents of ruleset; default action is DROP # Act. Source Destination Protocol/Ports SAT *: /0 core: "http-in" "SAT_webIn" SETDEST Use: 5 2 SAT lan: *: /0 TCP 80 > ALL "SAT_webOut" SETSRC :80 Use: 4 3 FwdFa lan: *: /0 TCP 80 > ALL "Allow_SAT_webOut" Use: 4 4 FwdFa wan1: /0 core: "http-in" "Allow_SAT_webIn" Use: 5 5 NAT lan: /24 core: "http-in" "NAT_lan-core_wan" Use: 0 External traffic to Internal web server (SAT & FwdFast)

18 Do we must has NAT rule between SAT and Allow for LAN? DFL:/> rules –v Contents of ruleset; default action is DROP # Act. Source Destination Protocol/Ports SAT *: /0 core: "http-in" "SAT_webIn" SETDEST Use: 1 2 SAT lan: *: /0 TCP 80 > ALL "SAT_webOut" SETSRC :80 Use: 0 3 FwdFa lan: *: /0 TCP 80 > ALL "Allow_SAT_webOut" Use: 0 4 FwdFa wan1: /0 core: "http-in" "Allow_SAT_webIn" Use: 0 5 NAT lan: /24 core: "http-in" "NAT_lan-core_wan" Use: 1 Internal traffic to Internal web server (SAT & NAT)

19 Case Study : Things that NAT breaks

20 Things that NAT breaks 1)The Protocols cryptographically requires the addresses are unaltered. (e.g. IPSec or Kerberos 4,5) 2)There are embedded IP addresses in the data portion. (e.g. H.323, SNMP, RSVP, FTP…) 3)An application requires pre-set or negotiated source/destination port values. (e.g. Rlogin, TFTP) TFTPRlogin

21 TFTP behaviour 1.Host A sends a "WRQ" to TFTP B with source= A's TID((transfer identifier), destination= TFTP B sends a "ACK" (with block number= 0) to host A with source= B's TID, destination= A's TID. A (A’s TID=2856)  B (p69) A (A’s TID=2856)  B (B’s TID=2566)

22 Rlogin Regulation When a Rlogin request is received. - the sever checks the client? Source port. If the port is not in the range of , the server abort the connection.

23 Things that NAT breaks FTP active mode and FTP server is at outside

24 Things that NAT breaks FTP passive mode and FTP server is at inside

25 Things that NAT breaks FTP passive mode and FTP server is at inside with FTP ALG

26 Hands-on NAT ALG and Second IP

27 User Authentication

28 Admin Users User Authentication Type Authentication server Authentication Rule

29 Admin User Treeview: User Authentication => Local User Database Treeview: System => Remote Management`

30 User Authentication Type Authentication User and User Groups PPTP Users and User Groups L2TP Users and User Groups Xauth User IKE ID list

31 Authentication server

32 User Auth Rule Treeview: User Authentication => User Authentication Rule =>Add New

33 Authentication Users and User Groups - Scenario

34 Authentication Users and User Groups – Process flow

35 Hands-on Authentication Users and User Groups Configuration concept –User Database ( local, external) –IP address object (incl. credential) –WebUI before Rules –User Authentication Rule –IP Rule

36 Authentication Users and User Groups – User Database

37 Authentication Users and user Groups – IP address object

38 Authentication Users and user Groups – WebUI before rules

39 Authentication Users and user Groups – User Authentication Rule

40 Authentication Users and user Groups – IP Rule

41

42 Authentication Users and user Groups – VSA (for user credential in RADIUS) IAS configuration 1)IAS must notify firewall that any users that matches this policy belong to the designated “user-group". In the “Edit Profile” of a policy, click on the “advanced tab”. 2)Press “Add” to add a new attribute for VSA. 3)Type 5089 in “Enter Vendor Code”. 4)Click on “Configure Attribute” Enter the attributes.

43 Xauth

44 the exchange of Attribute Payload using ISAKMP message

45 Xauth

46 When using XAUTH agent, there is no need to specify the receiving interface, or source network, as this information is not available at the XAUTH phase. For the reason, only one XAUTH user authentication rule can be defined.

47 Identification List

48 Country State Locality Organization name Organization Unit Common Name ASN.1 DN

49 Identification List

50 Hands-on User Authentication

51 PPTP/L2TP

52 Architecture Function Protocol use Authentication Encryption

53 PPTP Protocol involve: control connection: TCP 1723; GRE Tunnel: IP Protocol 47

54 PPTP PPTP extended GRE header

55 55 L2TP

56 L2TP modes

57 L2TP in IP/UDP Encapsulation UDP port 1701

58 L2TP Decapsulation

59 Thing need to be concerned Windows performs L2TP over IPSec by default –Click Start > Run: Type regedit –Double-click HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters. –Double-click ProhibitIPSec: Type 1 in the Value data field, select Hexadecimal as the base value, then click OK. –Reboot.

60 Thing need to be concerned

61

62 62 L2TP over IPSec – Configuration Concept Configuration Concept – Server –User Database (local, external) –IP address object –IPSec tunnel –L2TP tunnel –Authentication –IP Rule

63 L2TP over IPSec – Configuration Concept

64 64 PPTP LAN-to-LAN Scenario

65 65 PPTP LAN-to-LAN Configuration Concept Configuration Concept – Server –IP address object –User Database (local, external) –PPTP tunnel (Server) –Authentication –IP Rule

66 66 PPTP LAN-to-LAN Central Office – IP Address Tree view: Objects => Address Book

67 67 PPTP LAN-to-LAN Central Office – User Database Tree view: User Authentication => Local User Database

68 68 PPTP LAN-to-LAN Central Office - Tunnel Tree view: Interfaces => PPTP/L2TP Servers

69 69 PPTP LAN-to-LAN Central Office – User Authentication Rule Tree view: User Authentication => User Authentication Rules

70 70 PPTP LAN-to-LAN Central Office – IP Rule Tree view: Rules => IP Rules

71 71 PPTP LAN-to-LAN Configuration Concept Configuration Concept – Client –IP address –PPTP tunnel (Client) –IP Rule

72 72 PPTP LAN-to-LAN New York - Address Tree view: Objects => Address Book

73 73 PPTP LAN-to-LAN New York – PPTP Client Tree view: Interfaces => PPTP/L2TP Client

74 74 PPTP LAN-to-LAN New York - IPRule Tree view: Rules => IP Rules

75 75 PPTP LAN-to-LAN Done and Activate Configuration Done!!!

76 76 PPTP LAN-to-LAN Verification on CO site

77 Hands on PPTP LAN-to-LAN

78 Trouble Shooting

79 Troubleshooting by Layers 7 - Application 6 - Presentation 5 - Session 4 - Transport 3 – Network 2 – Data Link 1 - Physical

80 Approach

81 Trouble shooting What's in your Tool bag

82 Tool bag – WebUI- Layer1

83 Tool bag – CLI - Layer1 DFL-800:/> ifstat wan1 Iface wan1 Builtin r8139/ Realtek RTL8139 Fast Ethernet Bus 0 Slot 2 IRQ 0 Media : "100BaseTx" Link Status : 100 Mbps full Duplex (autonegotiated) Receive Mode : Undefined MTU : 1500 Link Partner : 10BASE-T, 10BASE-T FD, 100BASE-TX, 100BASE-TX FD IP Address : Hw Address : 0013:463d:876a PBR Membership: main Software Statistics: Soft received : Soft sent : Send failures : 0 Dropped : 36 IP Input Errs : 0 Driver information / hardware statistics: IN : packets= 13 bytes= 854 errors= 0 dropped= 0 OUT: packets= 10 bytes= 600 errors= 0 dropped= 0 Collisions : 0 In : Length Errors : 0 In : Overruns : 0 In : CRC Errors : 0 In : Frame Errors : 0 In : FIFO Overruns : 0 In : Packets Missed : 0 Out: Sends Aborted : 0 Out: Carrier Errors : 0 Out: FIFO Underruns : 0 Out: SQE Errors : 0 Out: Late Collisions : 0

84 Tool bag – WEbUI - Layer3

85 Tool bag – CLI - Layer3 DFL-800:/> routes -all -v Flags Network Iface Gateway Local IP Metric core (Iface IP) core (Iface IP) core (Iface IP) core (Iface IP) core (Iface IP) core (Iface IP) /24 ipsec_t /24 wan /24 wan /24 dmz /24 lan /4 core (Iface IP) /0 ADSL1 90

86 Tool bag – CLI - Layer3 DFL-800:/> ping srcip= recvif=lan length= verbose Rule and routing information for ping: PBR selected by rule "iface_member_main" - PBR table "main" allowed by rule "allow_ping-outbound" sent via route " /0 via ADSL1, no gw" in PBR table "main" Sending byte ping to from Reply from seq=0 time=150 ms TTL=248 Ping Results: Sent: 1, Received:1, Loss: 0%, Avg RTT: ms > ping { Dest. ip address } – [ count | length | pbr | recif | srcip | verbose ]

87 Trouble shooting - logging Log is our best friend Log severity default Log reference

88 Trouble shooting - logging

89 Trouble shooting – IPRule set DFL-800:/> rules 1-5 -ruleset=main -v Contents of ruleset; default action is DROP # Act. Source Destination Protocol/Ports Drop lan: /24 wan1: /0 "smb-all" "drop_smb-all" Use: 0 2 NAT lan: /24 wan1: /0 "ping-outbound" "allow_ping-outbound" Use: 0 3 NAT lan: /24 wan1: /0 "ftp-passthrough" "allow_ftp-passthrough" Use: 0 4 NAT lan: /24 wan1: /0 "all_tcpudp" "allow_standard" Use: 0 5 Allow lan: /24 core: "ping-inbound" "ping_fw" Use: 1 >rules [range] –[ruleset | schedule | verbose]

90 Trouble Shooting in IPRule Clear counter in >rules –v >connections -close –all >reconfigure >rules -v

91 Trouble Shooting Final Solution Final solution –Problem can not identify –Packet capture between Inside and Outside. –Time accuracy between capture and log

92 Trouble Shooting Final Solution Time Accuracy in DFL

93 Trouble Shooting Final Solution Time Accuracy in DFL

94 Trouble Shooting Final Solution Time Accuracy in DFL >time -sync –force DFL-800:/> Timesync:Clockdrift(-4337s) too high(max +/-600s) -> Clock not updated! DFL-800:/> time -sync -force Attempting to synchronize system time... DFL-800:/> Server time: :08:24 (UTC+08:00) Local time: :05:24 (UTC+08:00) (diff: -180) Local time successfully changed to server time.

95 Trouble Shooting Final Solution Time Accuracy on Traffic analyzer

96 Trouble Shooting Final Solution Time format on Traffic analyzer

97 Trouble Shooting Final Solution Time format on Traffic analyzer

98 Trouble Shooting Final Solution Capture option on Traffic analyzer

99 Trouble Shooting Final Solution

100 END


Download ppt "DFL-210/800/1600/2500 Training Material DFL fundamental Part II Created on 2007 ©Copyright 2007. All rights reserved."

Similar presentations


Ads by Google