Beruflich Dokumente
Kultur Dokumente
Connections
Firewall v1.02-1
Transport Protocols
Firewall v1.02-2
Sessions in an IP World
In an IP world, a network session is a transaction
between two end systems. It is carried out primarily over
two transport layer protocols:
TCP
UDP
Firewall v1.02-3
TCP
TCP is a connection-oriented, reliable-delivery, robust, and highperformance transport layer protocol.
TCP features:
Firewall v1.02-4
10.0.0.11
172.30.0.50
1026
23
49091
Public Network
192.168.0.20
172.30.0.50
1026
23
49769
ACK
10.0.0.11
No. 1
Flag
SYN
172.30.0.50
10.0.0.11
23
1026
IP Header
92513
TCP Header
49092
SYN-ACK
SYN
No. 2
172.30.0.50
No Data
No. 4
Security Appliance
172.30.0.50
No. 3
192.168.0.20
23
1026
92513
49770
SYN-ACK
Firewall v1.02-5
Source Address
Destination Address
172.30.0.50
1026
Source Port
Destination Port
23
49092
92514
Flag
ACK
Public Network
The security appliance
resets the embryonic
counter for this client.
It then increases the
connection counter for
this host.
Security Appliance
192.168.0.20
172.30.0.50
1026
23
49770
92514
ACK
10.0.0.11
No. 6
No. 5
Data Flows
172.30.0.50
IP Header
TCP Header
Firewall v1.02-6
UDP
Connectionless protocol
Efficient protocol for some services
Resourceful, but difficult to secure
Firewall v1.02-7
UDP (Cont.)
Private Network
Source Address
Destination Address
10.0.0.11
10.0.0.11
172.30.0.50
Source Port
1028
Destination Port
45000
Public Network
192.168.0.20
172.30.0.50
1028
45000
Security Appliance
No. 1
No. 2
No. 4
172.30.0.50
10.0.0.11
45000
1028
172.30.0.50
No. 3
172.30.0.50
192.168.0.20
45000
1028
IP Header
UDP Header
2011 Pham Dinh Thong. All rights reserved.
Firewall v1.02-8
Network Address
Translation
Firewall v1.02-9
Addressing Scenarios
NAT
192.168.6.9
Internet
10.0.0.11
10.0.0.11
10.0.0.4
Firewall v1.02-10
Allowed
More Secure
g0/3 Partnernet
Security Level 50
g0/2 DMZ
Security Level 30
g0/4 Intranet
Security Level 70
Internet
g0/0 outside
Security Level 0
Less Secure
g0/1 inside
Security Level 100
Denied
More Secure
Firewall v1.02-11
10.0.0.4
Internet
10.0.0.4
Dynamic
Translation
Outside global
IP address pool
192.168.6.20-254
Outside Global
IP Address
Static
Translation 192.168.6.10
10.0.0.4
Inside
IP Address
10.0.0.11
Web
Server
10.0.0.11
Inside NAT translates the addresses of hosts on a higher security level to a less
secure interface:
Dynamic translation
Static translation
2011 Pham Dinh Thong. All rights reserved.
Firewall v1.02-12
10.0.0.11
Internet
10.0.0.11
10.0.0.4
Firewall v1.02-13
Internet
192.168.0.0
Global Pool
192.168.0.3-16
10.0.0.0/24
Firewall v1.02-14
Global Pool
172.16.0.20-254
Inside
Global Pool
192.168.0.20-254
Internet
192.168.0.0
10.0.0.0
Outside
asa1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
asa1(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
asa1(config)# global (outside) 1 192.168.0.20-192.168.0.254
netmask 255.255.255.0
asa1(config)# global (dmz) 1 172.16.0.20-172.16.0.254
netmask 255.255.255.0
Inside users can start outbound connections to both the DMZ and the Internet.
The nat (dmz) command enables DMZ services to access the Internet.
The global (dmz) command enables inside users to access the DMZ web server.
2011 Pham Dinh Thong. All rights reserved.
Firewall v1.02-15
Port Address
Translation
Firewall v1.02-16
10.0.0.11
Port 1024
Internet
192.168.0.20
10.0.0.4
10.0.0.11
Port 1025
10.0.0.4
Firewall v1.02-17
PAT Example
asa1(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1
asa1(config)# nat (inside) 1 10.0.0.0 255.255.0.0
asa1(config)# global (outside) 1 192.168.0.3 netmask
255.255.255.255
.1
Global Address
192.168.0.3
.1
10.0.0.0
10.0.2.0
10.0.1.0
Engineering
2011 Pham Dinh Thong. All rights reserved.
192.168.0.0
.2
Sales
Firewall v1.02-18
.1
Global
DHCP Address 192.168.0.0
(192.168.0.2) .2
.1
10.0.2.0
10.0.1.0
Engineering
2011 Pham Dinh Thong. All rights reserved.
10.0.0.0
Sales
Firewall v1.02-19
192 .168.0.9
.1
192 .168.0.8
192.168.0.0
.2
.1
10.0.1.0
Engineering
2011 Pham Dinh Thong. All rights reserved.
10.0.0.0
10.0.2.0
Sales
Firewall v1.02-20
192 .168.0.9
.1
192 .168.0.8
192.168.0.0
.2
.1
10.0.2.0
10.0.1.0
Engineering
2011 Pham Dinh Thong. All rights reserved.
10.0.0.0
Sales
Firewall v1.02-21
NAT
192 .168.0.20
.1
PAT
192 .168.0.254
192.168.0.0
.2
.1
10.0.2.0
10.0.1.0
Engineering
2011 Pham Dinh Thong. All rights reserved.
10.0.0.0
Sales
Firewall v1.02-22
Identity NAT
DMZ
Internet
Server
192.168.0.9
192.168.0.9
10.0.0.15
Internet
Outside
Inside
Firewall v1.02-23
Internet
Server
Inside
Internet
Outside
NAT 0 ensures that the Internet server is translated to its own address
on the outside.
Security levels remain in effect with nat 0.
Firewall v1.02-24
Static Command
Firewall v1.02-25
Internet
Sam Jones
10.0.0.12
Outside
Global
Pool
NAT
Bob Smith
10.0.0.11
FTP Server
172.16.1.10
Fixed
Fixed
Internet
Static
Outside
Sam Jones
10.0.0.12
Inside
Bob Smith
10.0.0.11
Firewall v1.02-26
Internet
FTP Server
172.16.1.10
192.168.1.3
192.168.1.4
Outside
Sam Jones
10.0.0.12
Inside
Bob Smith
10.0.0.11
Interfaces
Real interfaceDMZ
Mapped interfaceOutside
IP Addresses
Real IP address172.16.1.9
Mapped IP address192.168.1.3
2011 Pham Dinh Thong. All rights reserved.
Firewall v1.02-27
static Command
DMZ
Web Server
172.16.1.9
192.168.1.3
Internet
Outside
Inside
ciscoasa(config)#
Firewall v1.02-28
Net Static
DMZ
Web Server
172.16.1.9
Internet
FTP Server
172.16.1.10
192.168.10.9
192.168.10.10
Outside
10.0.0.12
Inside
10.0.0.11
ciscoasa(config)#
Firewall v1.02-29
Web Server
172.16.1.9
FTP Server
172.16.1.10
192.168.0.9/www
192.168.0.9/ftp
Internet
Outside
Inside
ciscoasa(config)#
Firewall v1.02-30
Internet
FTP1 Server
172.16.1.9
FTP2 Server
172.16.1.10
192.168.0.9/FTP
192.168.0.9/2121
Outside
Inside
Firewall v1.02-31
Translation Behavior
Firewall v1.02-32
Inside
Internet
192.168.10.11
10.0.0.11
192.168.0.20
10.0.0.11
NAT
10.0.0.4
Firewall v1.02-33
Firewall v1.02-34
Firewall v1.02-35
Connection Limits
Administrator can set the following connection limits:
Emb_lim: Maximum number of embryonic connections per host. An
embryonic connection is a connection request that has not completed a
TCP three-way handshake between the source and the destination.
TCP_max_conns: Maximum number of simultaneous TCP connections
that each real IP host is allowed to use. Idle connections are closed after
the time specified by the timeout conn command.
udp_max_conns: Maximum number of simultaneous UDP connections
that each real IP host is allowed to use.
Firewall v1.02-36
Target
10.0.0.2
172.26.26.45
Internet
DoS
Attack
172.26.26.46
Target
10.0.0.3
Embryonic
Connection
Spoofed Host
172.16.16.20
2011 Pham Dinh Thong. All rights reserved.
Firewall v1.02-37
SYN Cookies
Normal
SYN
SYN-ACK (Cookie)
ACK (Cookie)
SYN
SYN-ACK
ACK
Internet
The security appliance responds to the SYN itself, which includes a cookie in the
TCP header of the SYN-ACK. The security appliance keeps no state information.
The cookie is a hash of parts of the TCP header and a secret key encoded into the initial sequence
number (ISN) field the appliance responds with in its SYN/ACK.
A legitimate client completes the handshake by sending the ACK back with the cookie.
If the cookie is authentic, the security appliance proxies the TCP session.
Firewall v1.02-38
Firewall v1.02-39
Firewall v1.02-40
Connections and
Translations
Firewall v1.02-41
Telnet
Connections
HTTP
Translation
10.0.0.11
192.168.0.20
Internet
10.0.0.11
192.168.10.5
Outside
Mapped Pool
Inside
Local
Translation
192.168.0.20
10.0.0.11
Connection
192.168.10.11:23
10.0.0.11:1026
Connection
192.168.10.11:80
10.0.0.11:1027
10.0.0.4
Firewall v1.02-42
Internet
10.0.0.4
ciscoasa#
show conn
Enables you to view all active connections
asa1#show conn
2 in use, 2 most used
asa1# show conn
2 in use, 9 most used
TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:03
bytes 2320 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:03
bytes 3236 flags UIO
2011 Pham Dinh Thong. All rights reserved.
Firewall v1.02-43
10.0.0.11
Firewall v1.02-44
Internet
10.0.0.11
Firewall v1.02-45
10.0.0.11
Internet
10.0.0.11
192.168.10.11
10.0.0.4
ciscoasa#
show xlate
Enables you to view translation slot information
asa1#show xlate
1 in use, 2 most used
Global 192.168.0.20 Local 10.0.0.11
2011 Pham Dinh Thong. All rights reserved.
Firewall v1.02-46
10.0.0.11
Internet
192.168.10.11
10.0.0.11
Firewall v1.02-47
Summary
Firewall v1.02-48
Summary
The security appliance manages the TCP and UDP protocols through
the use of a translation table (for NAT sessions) and a connection
table (for TCP and UDP sessions).
The static command creates a permanent translation.
Mapping between local and global address pools is done dynamically
with the nat command.
The nat and global commands work together to hide internal IP
addresses.
Firewall v1.02-49