DFL-210/800/1600/2500 Training Material: DFL Fundamentals, Part II. Created 2007. © Copyright, all rights reserved.

Topics in NAT:
- NAT behaviour and DFL SAT & NAT
- Do we need a NAT rule between SAT and Allow for LAN?
- Case study: things that NAT breaks
NAT – Source Address Translation
[Diagram: Packet 1 and Packet 2 source/destination addresses on the inside and outside of the NAT router]
The NAT router replaces the private address of the green PC ( ) with a public, routable address ( ).
DFL – Source Address Translation
NAT – Destination Address Translation
[Diagram: Packet 1 and Packet 2 source/destination addresses on the inside and outside of the NAT router]
The NAT router translates both the source and the destination address, in both directions.
DFL – Destination Address Translation (Orig. Dest. / SAT Dest. …)
NAT – Dynamic NAT
[Diagram: inside source (254 addresses total) → NAT → outside source (20 addresses total) → Internet]
In this NAT design, a pool of public IP addresses serves a set of private addresses 12 times as large.
NAT – NAPT
[Diagram: Packet 1 (source port 1026) and Packet 2 (source ports 3000 / 1026) crossing the NAT between inside and outside]
By translating both the IP address and the associated port, PAT allows many hosts to share a single global address simultaneously.
DFL – NAPT
Do we need a NAT rule between SAT and Allow for LAN?
LAN user to web server: SAT & NAT
Do we need a NAT rule between SAT and Allow for LAN?
#  Name             Action   Source Int  Source Net      Destination Int  Destination Net  Service   SAT parameter
1  SAT_Web_In       SAT      any         all-nets        core             wan_ip           http-in   SAT_Dest: Websrv_priv_ip
2  SAT_Web_Out      SAT      lan         Websrv_priv_ip  any              all-nets         80 > all  SAT_Src: wan_ip
3  FwdFast_Web_Out  FwdFast  lan         Websrv_priv_ip  any              all-nets         80 > all
4  Fwd_Web_In       FwdFast  wan1        all-nets        core             wan_ip           http-in
5  NAT_lan_Web_In   NAT      lan         lannet          core             wan_ip           http-in
Do we need a NAT rule between SAT and Allow for LAN?
DFL:/> rules -v
Contents of ruleset; default action is DROP
#  Act.   Source      Destination      Protocol/Ports
1  SAT    *: /0       core: "http-in"                 "SAT_webIn" SETDEST  Use: 5
2  SAT    lan:        *: /0            TCP 80 > ALL   "SAT_webOut" SETSRC :80  Use: 4
3  FwdFa  lan:        *: /0            TCP 80 > ALL   "Allow_SAT_webOut"  Use: 4
4  FwdFa  wan1: /0    core: "http-in"                 "Allow_SAT_webIn"  Use: 5
5  NAT    lan: /24    core: "http-in"                 "NAT_lan-core_wan"  Use: 0
External traffic to internal web server (SAT & FwdFast)
Packet exchange between client A and server B:
- A (SYN) B
- A (SYN,ACK) B
- A (ACK) B
- A (request GET) B
- A (request has succeeded) B
- A (FIN,ACK) B
- A (ACK) B
- A (FIN,ACK) B
- A (ACK) B
Do we need a NAT rule between SAT and Allow for LAN?
DFL:/> rules -v
Contents of ruleset; default action is DROP
#  Act.   Source      Destination      Protocol/Ports
1  SAT    *: /0       core: "http-in"                 "SAT_webIn" SETDEST  Use: 1
2  SAT    lan:        *: /0            TCP 80 > ALL   "SAT_webOut" SETSRC :80  Use: 0
3  FwdFa  lan:        *: /0            TCP 80 > ALL   "Allow_SAT_webOut"  Use: 0
4  FwdFa  wan1: /0    core: "http-in"                 "Allow_SAT_webIn"  Use: 0
5  NAT    lan: /24    core: "http-in"                 "NAT_lan-core_wan"  Use: 1
Internal traffic to internal web server (SAT & NAT)
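The rule counters above show which pair of rules each flow consumes: external clients hit SAT_webIn plus Allow_SAT_webIn, while a LAN client reaching the server via wan_ip hits SAT_webIn plus NAT_lan-core_wan. The following added example (not code from the training material or the DFL firmware) models that rule-set walk: a SAT match is remembered and the scan continues until a non-SAT rule decides the action, and it shows why the NAT rule is what keeps the server's reply flowing back through the firewall. All addresses are constructed; the slide's real ones are not shown.

```python
import ipaddress
LAN_NET = "192.168.1.0/24"     # constructed lannet
WAN_IP = "203.0.113.1"         # constructed wan_ip: a 'core' (firewall-owned) address
WEBSRV = "192.168.1.80"        # constructed Websrv_priv_ip
FW_LAN_IP = "192.168.1.1"      # constructed firewall lan address, used as source after NAT

# The slide's rules 1-5: (name, action, src_if, src_net, dst_if, dst_net, service, SAT parameter)
RULES = [
    ("SAT_webIn", "SAT", "any", "all-nets", "core", WAN_IP, "http-in", ("SETDEST", WEBSRV)),
    ("SAT_webOut", "SAT", "lan", WEBSRV, "any", "all-nets", "80>all", ("SETSRC", WAN_IP)),
    ("Allow_SAT_webOut", "FwdFast", "lan", WEBSRV, "any", "all-nets", "80>all", None),
    ("Allow_SAT_webIn", "FwdFast", "wan1", "all-nets", "core", WAN_IP, "http-in", None),
    ("NAT_lan-core_wan", "NAT", "lan", LAN_NET, "core", WAN_IP, "http-in", None),
]

def in_net(ip, net):
    return net == "all-nets" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def route_iface(ip):
    """Interface the firewall would use to reach ip; its own addresses are 'core'."""
    return "core" if ip == WAN_IP else "lan" if in_net(ip, LAN_NET) else "wan1"

def evaluate(in_if, src_ip, src_port, dst_ip, dst_port, rules=RULES):
    """Remember the first SAT hit, keep scanning until a non-SAT rule decides the action."""
    sat = second = None
    dst_if = route_iface(dst_ip)
    for name, action, sif, snet, dif, dnet, svc, param in rules:
        svc_ok = (svc == "http-in" and dst_port == 80) or (svc == "80>all" and src_port == 80)
        if sif not in ("any", in_if) or dif not in ("any", dst_if) or not svc_ok:
            continue
        if not (in_net(src_ip, snet) and in_net(dst_ip, dnet)):
            continue
        if action == "SAT":
            sat = sat or (name, param)
            continue
        second = (name, action)
        break
    if second is None:
        return {"rules": [], "action": "DROP"}          # the rule set's default action
    new_src, new_dst = src_ip, dst_ip
    if sat and sat[1][0] == "SETDEST":
        new_dst = sat[1][1]
    if second[1] == "NAT":                              # source becomes the firewall's egress address
        new_src = FW_LAN_IP if route_iface(new_dst) == "lan" else WAN_IP
    # Without NAT, a LAN server answers a LAN client directly: the reply bypasses the
    # firewall, is never un-SATed, and the client sees a peer address it did not connect to.
    reply_via_fw = second[1] == "NAT" or route_iface(new_src) != route_iface(new_dst)
    return {"rules": [r[0] for r in (sat, second) if r], "action": second[1],
            "packet": (new_src, new_dst), "reply_via_fw": reply_via_fw}
```

Swapping rule 5 for a plain Allow reproduces the failure the slides warn about: the LAN client's SYN reaches the server, but the SYN/ACK goes straight back across the LAN segment and never returns through the firewall.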
Case study: things that NAT breaks
Things that NAT breaks
1) Protocols that cryptographically require the addresses to be unaltered (e.g. IPSec or Kerberos 4, 5).
2) Protocols that carry embedded IP addresses in the data portion (e.g. H.323, SNMP, RSVP, FTP …).
3) Applications that require pre-set or negotiated source/destination port values (e.g. Rlogin, TFTP).
TFTP behaviour
1. Host A sends a "WRQ" to TFTP server B with source = A's TID (transfer identifier), destination = port 69.
2. TFTP server B sends an "ACK" (block number 0) to host A with source = B's TID, destination = A's TID.
[Diagram: A (A's TID = 2856) → B (port 69); B (B's TID = 2566) → A (A's TID = 2856)]
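The NAPT slide earlier and the TFTP exchange above are two sides of the same mechanism, so one added example (not code from the training material or the DFL firmware) covers both: a minimal NAPT table that lets two inside hosts share one public address by remapping a colliding source port, and the TFTP case where the server's ACK arrives from its own TID rather than port 69 and matches no table entry. Addresses, the public IP and the port pool start are constructed.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"   # constructed: the NAT router's single outside address
FIRST_POOL_PORT = 3000      # constructed: first port handed out when an inside port collides

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Napt:
    """Minimal NAPT: one table entry per outbound 4-tuple, matched exactly on the way back."""
    def __init__(self):
        self.out_table = {}            # inside Flow -> public source port
        self.in_table = {}             # (public port, remote ip, remote port) -> inside Flow
        self.used_ports = set()
        self.next_port = FIRST_POOL_PORT

    def outbound(self, f):
        if f not in self.out_table:
            port = f.src_port          # keep the inside port unless another host already holds it
            while port in self.used_ports:
                port, self.next_port = self.next_port, self.next_port + 1
            self.used_ports.add(port)
            self.out_table[f] = port
            self.in_table[(port, f.dst_ip, f.dst_port)] = f
        return Flow(PUBLIC_IP, self.out_table[f], f.dst_ip, f.dst_port)

    def inbound(self, f):
        """Reverse-translate a reply; None means no state matches, so the router drops it."""
        inside = self.in_table.get((f.dst_port, f.src_ip, f.src_port))
        return None if inside is None else Flow(f.src_ip, f.src_port, inside.src_ip, inside.src_port)

def pat_demo():
    """NAPT slide: two inside hosts both pick source port 1026 towards the same web server."""
    nat = Napt()
    a = nat.outbound(Flow("192.168.1.10", 1026, "198.51.100.5", 80))
    b = nat.outbound(Flow("192.168.1.11", 1026, "198.51.100.5", 80))   # remapped to 3000
    reply_to_b = nat.inbound(Flow("198.51.100.5", 80, PUBLIC_IP, b.src_port))
    return a, b, reply_to_b

def tftp_demo():
    """TFTP slide: A's WRQ goes to port 69, but B's ACK comes from B's own TID (2566)."""
    nat = Napt()
    wrq = nat.outbound(Flow("192.168.1.10", 2856, "198.51.100.9", 69))
    ack = nat.inbound(Flow("198.51.100.9", 2566, PUBLIC_IP, wrq.src_port))
    return wrq, ack     # ack is None: the new source port matches no entry, so plain NAPT drops it
```

A TFTP ALG fixes this by creating the reverse entry from the WRQ itself, accepting any source port on the server's first reply.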
Rlogin regulation: when an Rlogin request is received, the server checks the client's source port. If the port is not in the required range, the server aborts the connection.
Things that NAT breaks: FTP active mode with the FTP server outside
Things that NAT breaks: FTP passive mode with the FTP server inside
Things that NAT breaks: FTP passive mode with the FTP server inside, with an FTP ALG
Hands-on NAT ALG and Second IP
User Authentication
Admin Users User Authentication Type Authentication server Authentication Rule
Admin User. Treeview: User Authentication => Local User Database; Treeview: System => Remote Management
User Authentication Type Authentication User and User Groups PPTP Users and User Groups L2TP Users and User Groups Xauth User IKE ID list
Authentication server
User Auth Rule Treeview: User Authentication => User Authentication Rule =>Add New
Authentication Users and User Groups - Scenario
Authentication Users and User Groups – Process flow
Hands-on: Authentication Users and User Groups. Configuration concept:
- User Database (local, external)
- IP address object (incl. credential)
- WebUI before Rules
- User Authentication Rule
- IP Rule
Authentication Users and User Groups – User Database
Authentication Users and User Groups – IP address object
Authentication Users and User Groups – WebUI before rules
Authentication Users and User Groups – User Authentication Rule
Authentication Users and User Groups – IP Rule
Authentication Users and User Groups – VSA (for user credentials in RADIUS). IAS configuration:
1) IAS must notify the firewall that any user matching this policy belongs to the designated "user-group". In the "Edit Profile" of a policy, click on the "Advanced" tab.
2) Press "Add" to add a new attribute for the VSA.
3) Type 5089 in "Enter Vendor Code".
4) Click on "Configure Attribute" and enter the attributes.
Xauth
Xauth: the exchange of Attribute Payloads using ISAKMP messages
Xauth
When using the XAUTH agent, there is no need to specify the receiving interface or source network, as this information is not available during the XAUTH phase. For this reason, only one XAUTH user authentication rule can be defined.
Identification List
ASN.1 DN fields: Country, State, Locality, Organization Name, Organization Unit, Common Name
Identification List
Hands-on User Authentication
PPTP/L2TP
Architecture Function Protocol use Authentication Encryption
PPTP protocols involved: control connection on TCP 1723; GRE tunnel as IP protocol 47
PPTP – extended GRE header
L2TP
L2TP modes
L2TP in IP/UDP Encapsulation UDP port 1701
L2TP Decapsulation
Things to be aware of: Windows performs L2TP over IPSec by default.
- Click Start > Run and type regedit.
- Double-click HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > RasMan > Parameters.
- Double-click ProhibitIPSec: type 1 in the Value data field, select Hexadecimal as the base value, then click OK.
- Reboot.
Things to be aware of
L2TP over IPSec – Configuration Concept (Server):
- User Database (local, external)
- IP address object
- IPSec tunnel
- L2TP tunnel
- Authentication
- IP Rule
L2TP over IPSec – Configuration Concept
PPTP LAN-to-LAN Scenario
PPTP LAN-to-LAN Configuration Concept (Server):
- IP address object
- User Database (local, external)
- PPTP tunnel (Server)
- Authentication
- IP Rule
PPTP LAN-to-LAN Central Office – IP Address. Tree view: Objects => Address Book
PPTP LAN-to-LAN Central Office – User Database. Tree view: User Authentication => Local User Database
PPTP LAN-to-LAN Central Office – Tunnel. Tree view: Interfaces => PPTP/L2TP Servers
PPTP LAN-to-LAN Central Office – User Authentication Rule. Tree view: User Authentication => User Authentication Rules
PPTP LAN-to-LAN Central Office – IP Rule. Tree view: Rules => IP Rules
PPTP LAN-to-LAN Configuration Concept (Client):
- IP address
- PPTP tunnel (Client)
- IP Rule
PPTP LAN-to-LAN New York – Address. Tree view: Objects => Address Book
PPTP LAN-to-LAN New York – PPTP Client. Tree view: Interfaces => PPTP/L2TP Client
PPTP LAN-to-LAN New York – IP Rule. Tree view: Rules => IP Rules
PPTP LAN-to-LAN: done, activate the configuration. Done!
PPTP LAN-to-LAN: verification on the CO site
Hands-on: PPTP LAN-to-LAN
Troubleshooting
Troubleshooting by layers:
7 – Application
6 – Presentation
5 – Session
4 – Transport
3 – Network
2 – Data Link
1 – Physical
Approach
Troubleshooting: what's in your tool bag
Tool bag – WebUI – Layer 1
Tool bag – CLI – Layer 1
DFL-800:/> ifstat wan1
Iface wan1
  Builtin r8139 / Realtek RTL8139 Fast Ethernet, Bus 0, Slot 2, IRQ 0
  Media          : "100BaseTx"
  Link Status    : 100 Mbps full duplex (autonegotiated)
  Receive Mode   : Undefined
  MTU            : 1500
  Link Partner   : 10BASE-T, 10BASE-T FD, 100BASE-TX, 100BASE-TX FD
  IP Address     :
  Hw Address     : 0013:463d:876a
  PBR Membership : main
Software Statistics:
  Soft received  :
  Soft sent      :
  Send failures  : 0
  Dropped        : 36
  IP Input Errs  : 0
Driver information / hardware statistics:
  IN : packets= 13 bytes= 854 errors= 0 dropped= 0
  OUT: packets= 10 bytes= 600 errors= 0 dropped= 0
  Collisions            : 0
  In : Length Errors    : 0
  In : Overruns         : 0
  In : CRC Errors       : 0
  In : Frame Errors     : 0
  In : FIFO Overruns    : 0
  In : Packets Missed   : 0
  Out: Sends Aborted    : 0
  Out: Carrier Errors   : 0
  Out: FIFO Underruns   : 0
  Out: SQE Errors       : 0
  Out: Late Collisions  : 0
Tool bag – WebUI – Layer 3
Tool bag – CLI – Layer 3
DFL-800:/> routes -all -v
Flags  Network   Iface    Gateway  Local IP     Metric
                 core              (Iface IP)
                 core              (Iface IP)
                 core              (Iface IP)
                 core              (Iface IP)
                 core              (Iface IP)
                 core              (Iface IP)
       /24       ipsec_t
       /24       wan
       /24       wan
       /24       dmz
       /24       lan
       /4        core              (Iface IP)
       /0        ADSL1                          90
Tool bag – CLI – Layer 3
DFL-800:/> ping srcip= recvif=lan length= verbose
Rule and routing information for ping:
  PBR selected by rule "iface_member_main" - PBR table "main"
  allowed by rule "allow_ping-outbound"
  sent via route " /0 via ADSL1, no gw" in PBR table "main"
Sending byte ping to from
Reply from seq=0 time=150 ms TTL=248
Ping Results: Sent: 1, Received: 1, Loss: 0%, Avg RTT: ms
> ping { Dest. ip address } – [ count | length | pbr | recif | srcip | verbose ]
Troubleshooting – logging: the log is our best friend. Log severity defaults; log reference.
Troubleshooting – logging
Troubleshooting – IP rule set
DFL-800:/> rules 1-5 -ruleset=main -v
Contents of ruleset; default action is DROP
#  Act.   Source     Destination  Protocol/Ports
1  Drop   lan: /24   wan1: /0     "smb-all"           "drop_smb-all"  Use: 0
2  NAT    lan: /24   wan1: /0     "ping-outbound"     "allow_ping-outbound"  Use: 0
3  NAT    lan: /24   wan1: /0     "ftp-passthrough"   "allow_ftp-passthrough"  Use: 0
4  NAT    lan: /24   wan1: /0     "all_tcpudp"        "allow_standard"  Use: 0
5  Allow  lan: /24   core:        "ping-inbound"      "ping_fw"  Use: 1
> rules [range] – [ ruleset | schedule | verbose ]
Troubleshooting in the IP rule set – clearing the Use counters:
> rules -v
> connections -close -all
> reconfigure
> rules -v
Troubleshooting – final solution:
- The problem cannot be identified.
- Packet capture between inside and outside.
- Time accuracy between the capture and the log.
Troubleshooting – final solution: time accuracy in DFL
> time -sync -force
DFL-800:/> time -sync -force
Timesync: Clockdrift (-4337s) too high (max +/-600s) -> Clock not updated!
DFL-800:/> time -sync -force
Attempting to synchronize system time...
Server time: :08:24 (UTC+08:00)
Local time:  :05:24 (UTC+08:00) (diff: -180)
Local time successfully changed to server time.
Troubleshooting – final solution: time accuracy on the traffic analyzer
Troubleshooting – final solution: time format on the traffic analyzer
Troubleshooting – final solution: capture options on the traffic analyzer
Troubleshooting – final solution
END