Bogdan Doinea
Technical Manager CEE&RCIS
Cisco Networking Academy
bdoinea@cisco.com
2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
NAT defines the way we translate private addresses into public addresses.
Inside NAT
[Figure: Inside NAT. Inside host 192.168.10.10 behind the firewall's inside interface 192.168.10.1; outside interface 209.100.65.1; web server 141.85.99.10 on the Internet.
  Inside:  192.168.10.10:24000 -> 141.85.99.10:80    translated to    Outside: 209.100.65.10:24000 -> 141.85.99.10:80
  Return:  141.85.99.10:80 -> 209.100.65.10:24000    translated to    Inside:  141.85.99.10:80 -> 192.168.10.10:24000
  Only the inside host's address is rewritten; the source port 24000 is preserved.]
Outside NAT
It is actually bidirectional NAT.
The source address of packets coming from the Internet gets translated, so the outside host appears to inside hosts under an inside address.
[Figure: Outside NAT. Inside web server 192.168.10.10:80 behind inside interface 192.168.10.1; outside interface 209.100.65.1; Internet host 141.85.99.10, which inside hosts see as 192.168.10.30.
  Outside: 141.85.99.10:24000 -> 209.100.65.10:80    translated to    Inside:  192.168.10.30:24000 -> 192.168.10.10:80
  Return:  192.168.10.10:80 -> 192.168.10.30:24000   translated to    Outside: 209.100.65.10:80 -> 141.85.99.10:24000]
Used in cases where hosts on the outside want to appear like they
What is DNAT?
A concept better described as port forwarding / port redirection (an outside address and port mapped to an inside server); it is not the same thing as Outside NAT.
PAT: many inside hosts share one external address and are told apart by the external port.
The PAT translations are saved in the RAM of the firewall.
[Figure: PAT. Inside network 192.168.10.0/24 behind inside interface 192.168.10.1; outside interface 209.100.65.1; server 141.85.99.10:80.
  .10: 192.168.10.10:24000 -> 141.85.99.10:80    translated to    209.100.65.1:24000 -> 141.85.99.10:80
  .20: 192.168.10.20:24000 -> 141.85.99.10:80    translated to    209.100.65.1:30000 -> 141.85.99.10:80
  Both hosts use source port 24000; the firewall keeps it for the first host and assigns a different external port (30000) to the second.]
memory?
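The three translation cases on the preceding slides (inside NAT, outside NAT, and PAT with one shared external address) in one small translation engine, as an added example that is not part of the original deck or Cisco code. It keeps the PAT table in memory the way the slide describes, so it can show what happens when a second inside host reuses source port 24000 and when the table is full. Addresses are the slides' own; the port allocation policy (keep the source port if free, otherwise the next port from a pool starting at 30000), the `pkt` helper and the table size limit are assumptions made for the example.

```python
"""Inside NAT, outside NAT and PAT in one translation table (added example).

Constructed model written for this page, not ASA code. Addresses are those
on the slides: inside network 192.168.10.0/24 behind inside interface
192.168.10.1, outside interface 209.100.65.1, static inside NAT
192.168.10.10 <-> 209.100.65.10, outside NAT 141.85.99.10 <-> 192.168.10.30,
all other inside hosts PATed to 209.100.65.1. The port allocation policy
(keep the source port if free, otherwise take the next port from a pool
starting at 30000) and the table size limit are assumptions for the example.
"""


def pkt(src, sport, dst, dport):
    """A packet reduced to the fields NAT cares about (assumed helper)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}


class NatEngine:
    def __init__(self, outside_ip, inside_static=None, outside_static=None,
                 max_xlates=1000, pool_start=30000):
        self.outside_ip = outside_ip
        self.inside_static = dict(inside_static or {})    # real inside -> mapped
        self.outside_static = dict(outside_static or {})  # real outside -> mapped
        self.max_xlates = max_xlates                      # RAM budget for PAT entries
        self.next_port = pool_start
        self.xlate = {}   # (inside ip, inside port) -> outside port
        self.rev = {}     # outside port -> (inside ip, inside port)

    def _pat_port(self, src_port):
        """Preserve the source port when nobody else holds it, else allocate."""
        if src_port not in self.rev:
            return src_port
        while self.next_port in self.rev:
            self.next_port += 1
        return self.next_port

    def translate_out(self, p):
        """Inside -> outside. Returns the rewritten packet, or None if dropped."""
        q = dict(p)
        # Outside NAT is bidirectional: an inside host addressing the mapped
        # 192.168.10.30 must reach the real 141.85.99.10.
        for real, mapped in self.outside_static.items():
            if p["dst"] == mapped:
                q["dst"] = real
        if p["src"] in self.inside_static:             # 1:1 NAT, port unchanged
            q["src"] = self.inside_static[p["src"]]
            return q
        key = (p["src"], p["sport"])                   # PAT: needs a table entry
        if key not in self.xlate:
            if len(self.xlate) >= self.max_xlates:
                return None                            # table full: packet dropped
            port = self._pat_port(p["sport"])
            self.xlate[key] = port
            self.rev[port] = key
        q["src"], q["sport"] = self.outside_ip, self.xlate[key]
        return q

    def translate_in(self, p):
        """Outside -> inside. Returns the rewritten packet, or None if no xlate."""
        q = dict(p)
        if p["src"] in self.outside_static:            # outside NAT on the source
            q["src"] = self.outside_static[p["src"]]
        for real, mapped in self.inside_static.items():
            if p["dst"] == mapped:                     # static inside NAT reversed
                q["dst"] = real
                return q
        if p["dst"] == self.outside_ip and p["dport"] in self.rev:
            q["dst"], q["dport"] = self.rev[p["dport"]]  # PAT reversed
            return q
        return None                                    # unknown: drop


if __name__ == "__main__":
    fw = NatEngine("209.100.65.1", inside_static={"192.168.10.10": "209.100.65.10"})
    print(fw.translate_out(pkt("192.168.10.10", 24000, "141.85.99.10", 80)))
    print(fw.translate_out(pkt("192.168.10.20", 24000, "141.85.99.10", 80)))
    print(fw.translate_in(pkt("141.85.99.10", 80, "209.100.65.1", 24000)))
```

A reply whose destination port has no entry in `rev` is dropped, which is exactly why the firewall needs the PAT table in RAM for as long as the connection lives, and why a full table means new connections fail rather than old ones being overwritten.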
Advanced Firewall Configuration
The insides of Application Inspection
[Figure: inside host 192.168.10.10, firewall inside interface 192.168.10.1, outside interface 209.100.65.1]
Case study: Active FTP vs. Passive FTP
[Figure: Active FTP. Client: port N (Cmd), port N+1 (Data). Server: port 21 (Cmd), port 20 (Data). Steps 1 and 2 run on the command channel between client port N and server port 21.]
1. The client initiates a connection to port 21 on the server from a random source port N > 1023.
2. The server responds (SYN/ACK) from its port 21 to port N on the client.
3. The client sends the command PORT N+1 over the control channel and opens port N+1 to receive. By this, the client tells the server which port it wants to use for the data transfer.
4. The server tries to open (initiate) a connection from its port 20 (the default data port) to port N+1 on the client.
5. The firewall blocks the connection from step 4, because it has no state entry for it in memory: the connection is initiated from the outside, not in reply to anything the inside host sent.
2011 Cisco and/or its affiliates. All rights reserved.
[Figure: Passive FTP. Client: port N (Cmd), port N+1 (Data). Server: port 21 (Cmd), port X (Data). Steps 1 and 2 on the command channel, steps 4 and 5 on the data channel.]
1. The client initiates a connection to port 21 on the server from a random source port N > 1023. The client opens port N+1 for data transfer.
2. The server responds (SYN/ACK) from its port 21 to port N on the client.
3. The client sends the PASV command to the server.
4. The server opens a random port X > 1024 for data transfer and sends the command
Conclusions:
Active FTP does not work by default if the client is behind a firewall:
  because of the stateful inspection (the data connection is initiated by the server and matches no state entry)
  because of NAT (the PORT command carries the client's private address, which the server cannot reach)
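The two FTP exchanges and both conclusions above, as an added example that is not part of the original deck or Cisco code. The simulation keeps the firewall's state table and a static inside NAT mapping, and can optionally run an FTP inspection engine that reads the PORT command off the control channel, rewrites the private address inside it and opens a pinhole for the server's data connection; with inspection off, the active data connection is dropped exactly as in step 5 of the slide, while passive FTP works either way because the client initiates both connections. Addresses and N = 24000 are the slides' own; the passive port X = 30000, the `Firewall` class and the helper names are constructed for the example.

```python
"""Active vs. passive FTP through a stateful NAT firewall (added example).

Constructed simulation written for this page, not ASA code. It models three
things the slides talk about: the connection state table, a static inside
NAT mapping, and an optional FTP inspection engine that parses the PORT
command on the control channel, rewrites the private address it carries and
opens a pinhole for the server's data connection. Addresses follow the
slides (client 192.168.10.10 translated to 209.100.65.10, server
141.85.99.10, N = 24000); the passive port X = 30000 is a constructed value.
"""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(m):
    """FTP carries h1,h2,h3,h4,p1,p2: four IP octets, then port = p1*256 + p2."""
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])


def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class Firewall:
    def __init__(self, nat, ftp_inspect):
        self.nat = nat                 # inside IP -> outside IP (static NAT)
        self.ftp_inspect = ftp_inspect
        self.state = set()             # (src, sport, dst, dport) of outbound flows, post-NAT
        self.pinholes = set()          # (dst ip, dst port) inbound connections expected

    def outbound(self, src, sport, dst, dport):
        """Inside -> outside: translate the source, record state, forward."""
        xsrc = self.nat.get(src, src)
        self.state.add((xsrc, sport, dst, dport))
        return xsrc

    def inbound(self, src, sport, dst, dport):
        """Outside -> inside: forwarded only with matching state or a pinhole."""
        if (dst, dport, src, sport) in self.state:     # reply to an outbound flow
            return True
        if (dst, dport) in self.pinholes:
            self.pinholes.discard((dst, dport))        # one data connection per PORT
            return True
        return False                                   # no state entry: dropped

    def inspect_control_out(self, line):
        """What FTP inspection does to a client -> server command line."""
        m = PORT_RE.match(line)
        if not (self.ftp_inspect and m):
            return line                                # passed through untouched
        ip, port = decode_hostport(m)
        xip = self.nat.get(ip, ip)
        self.pinholes.add((xip, port))                 # expect server:20 -> xip:port
        return "PORT " + encode_hostport(xip, port)    # fix the embedded address


CLIENT, XCLIENT, SERVER, N = "192.168.10.10", "209.100.65.10", "141.85.99.10", 24000
NAT = {CLIENT: XCLIENT}


def active_ftp(fw):
    """Steps 1-4 of the active FTP slide. Returns (PORT line the server sees, data ok)."""
    fw.outbound(CLIENT, N, SERVER, 21)                        # 1: control channel
    assert fw.inbound(SERVER, 21, XCLIENT, N)                 # 2: reply matches state
    seen = fw.inspect_control_out("PORT " + encode_hostport(CLIENT, N + 1))  # 3
    ip, port = decode_hostport(PORT_RE.match(seen))
    return seen, fw.inbound(SERVER, 20, ip, port)             # 4: server -> client data


def passive_ftp(fw):
    """Steps 1-4 of the passive FTP slide plus the client's data connection."""
    fw.outbound(CLIENT, N, SERVER, 21)                        # 1
    assert fw.inbound(SERVER, 21, XCLIENT, N)                 # 2
    reply = "227 Entering Passive Mode (141,85,99,10,117,48)" # 3-4: X = 30000
    ip, port = decode_hostport(PASV_RE.match(reply))
    fw.outbound(CLIENT, N + 1, ip, port)                      # client opens data channel
    return fw.inbound(ip, port, XCLIENT, N + 1)               # server's reply matches state


if __name__ == "__main__":
    for inspect in (False, True):
        print("active, inspect ftp =", inspect, "->", active_ftp(Firewall(NAT, inspect)))
        print("passive, inspect ftp =", inspect, "->", passive_ftp(Firewall(NAT, inspect)))
```

Without inspection the server receives `PORT 192,168,10,10,93,193`, a private address it cannot route to, and even a connection attempt to the right public address would be dropped for lack of state; with inspection the firewall both rewrites the address to 209.100.65.10 and pre-authorises the single inbound connection from port 20. That pairing of address fixing and pinhole is what `inspect ftp` in the MPF section does.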
What is MPF?
A set of structures and commands in the ASA OS (the Modular Policy Framework)
A way of making logical connections between the various theoretical concepts and their practical implementations
Policy-map
Used to associate one or more actions with the packets identified by a class-map
There are generic policy-maps that apply standard actions (inspect, police, set connection etc.) and inspection policy-maps that specifically control application-layer information
Service-policy (command)
Used to apply a policy-map globally or on one interface
[Figure: MPF building blocks. Class-maps: IP telephony, System Engineers (SE), Internet. Policy-map actions: Inspect, Police, Prioritize. Service-policy: applied on the Outside interface.]
ciscoasa# sh run
....
class-map inspection_default
match default-inspection-traffic
....
ciscoasa(config-cmap)# match ?

mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
      ctiqbe----tcp--2748         dns-------udp--53
      ftp-------tcp--21           gtp-------udp--2123,3386
      h323-h225-tcp--1720         h323-ras--udp--1718-1719
      http------tcp--80           icmp------icmp
      ils-------tcp--389          mgcp------udp--2427,2727
      netbios---udp--137-138      radius-acct---udp--1646
      rpc-------udp--111          rsh-------tcp--514
      rtsp------tcp--554          sip-------tcp--5060
      sip-------udp--5060         skinny----tcp--2000
      smtp------tcp--25           sqlnet----tcp--1521
      tftp------udp--69           waas------tcp--1-65535
inspection
Step 1: we give the policy-map a name
Step 2: we associate it with a class-map and list the actions for that class
ciscoasa(config-pmap-c)# ?

MPF policy-map class configuration commands:
  csc             Content Security and Control service module
  exit            Exit from MPF class action configuration mode
  flow-export     Configure filters for NetFlow events
  help            Help for MPF policy-map class/match submode commands
  inspect         Protocol inspection services
  ips             Intrusion prevention services
  no              Negate or set default values of a command
  police          Rate limit traffic for this class
  priority        Strict scheduling priority for this class
  quit            Exit from MPF class action configuration mode
  service-policy  Configure QoS Service Policy
  set             Set connection values
  shape           Traffic Shaping
ciscoasa# sh run
..........
!
class-map http_map
 match port tcp eq www
!
policy-map http_policy
 class http_map
  inspect http
  police input 1000000
  set connection conn-max 1000 per-client-embryonic-max 50
!
service-policy http_policy interface outside
!
..........
If the actions are of different types (for example inspect in one class, police in another), a packet can match multiple class-maps within the policy-map and receives all of those actions.
If the action type is the same, the packet matches only the first class-map in order; later class-maps with that action type are not evaluated for it.
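The matching rule just stated, the class-map / policy-map structure from the earlier slides and the sample configuration above, as an added example that is not part of the original deck or Cisco code. The model walks a policy-map top down and lets a packet collect actions of different types from several classes while giving each action type to the first matching class only; it also prints the policy in `show run` layout. Class and action names are the slides' own; the `DEFAULT_INSPECTION` table is a subset of the `match ?` listing, and the `resolve` / `render` helpers and the packet dictionary shape are constructed for the example.

```python
"""Action resolution inside an ASA policy-map (added example, not ASA code).

Constructed model written for this page. It implements the rule stated on
the slide: a packet can collect actions of different types (inspect, police,
set connection) from several class-maps, but for one action type only the
first matching class-map in the policy-map applies. Class-map names and
action parameters come from the slides' sample configuration; the
default-inspection table is a subset of the `match ?` listing.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Subset of `match default-inspection-traffic`: protocol -> (transport, ports)
DEFAULT_INSPECTION = {
    "ftp": ("tcp", {21}), "http": ("tcp", {80}), "smtp": ("tcp", {25}),
    "dns": ("udp", {53}), "tftp": ("udp", {69}), "sip": ("udp", {5060}),
}


@dataclass
class ClassMap:
    name: str
    match: Callable[[dict], bool]


def match_port(proto, port):
    """class-map ... / match port <proto> eq <port>"""
    return lambda p: p["proto"] == proto and p["dport"] == port


def match_default_inspection(p):
    """class-map inspection_default / match default-inspection-traffic"""
    return any(p["proto"] == t and p["dport"] in ports
               for t, ports in DEFAULT_INSPECTION.values())


@dataclass
class PolicyClass:
    cmap: ClassMap
    actions: List[Tuple[str, str]] = field(default_factory=list)  # (type, params)


def resolve(policy, p):
    """Walk the policy-map top down; return {action type: (class name, [params])}."""
    applied: Dict[str, Tuple[str, List[str]]] = {}
    for pc in policy:
        if not pc.cmap.match(p):
            continue
        for kind, params in pc.actions:
            owner, plist = applied.setdefault(kind, (pc.cmap.name, []))
            if owner == pc.cmap.name:   # first class to claim this action type wins
                plist.append(params)
    return applied


def render(name, policy):
    """The same policy-map as `show run` would print it."""
    lines = [f"policy-map {name}"]
    for pc in policy:
        lines.append(f" class {pc.cmap.name}")
        lines.extend(f"  {kind} {params}" for kind, params in pc.actions)
    return "\n".join(lines)


POLICY = [
    PolicyClass(ClassMap("http_map", match_port("tcp", 80)),
                [("inspect", "http"), ("police", "input 1000000")]),
    PolicyClass(ClassMap("inspection_default", match_default_inspection),
                [("inspect", "ftp"), ("inspect", "dns")]),
    PolicyClass(ClassMap("class-default", lambda p: True),
                [("set", "connection conn-max 1000 per-client-embryonic-max 50")]),
]

if __name__ == "__main__":
    print(render("http_policy", POLICY))
    for p in ({"proto": "tcp", "dport": 80}, {"proto": "tcp", "dport": 21}):
        print(p, "->", resolve(POLICY, p))
```

A TCP/80 packet matches both `http_map` and `inspection_default`, but because `http_map` comes first it takes the inspect action from there and the `inspection_default` inspects are skipped, while the `set connection` limits still arrive from `class-default`. Reordering the classes changes which inspection engine sees the traffic, which is worth checking before moving a class in a production policy.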
Leased lines
What's the difference between having a leased line and a VPN?
The cost
[Figure: overlay VPN across an ISP network]
The overlay model makes the ISP network invisible to the client
The ISP routers never learn the client's networks
Types of overlay VPNs: L2TP, PPTP, IPSec
[Figure: VPN across an ISP network]
Overlay VPN models held about 90% of the market before MPLS became popular
[Figure: VPN types. Site-to-Site and Remote-access VPNs between Headquarters and two Remote offices.]
Tunneling
Tunneling means an extra header is added in front of the original packet:
[Figure: Tunnel IP header | Original IP header | Layer 4 header | Data]
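The header layout on the slide, built byte for byte, as an added example that is not part of the original deck or Cisco code. It uses plain IP-in-IP encapsulation (IP protocol number 4) so the tunnel header, original IP header, layer-4 header and data can be inspected without any cryptography; an IPsec tunnel-mode packet has the same shape with an ESP header inserted after the tunnel header and the rest encrypted, which this example does not do. Tunnel endpoints 209.100.65.1 and 141.85.99.10 reuse the slides' addresses as assumptions; the inner hosts, ports and payload are constructed.

```python
"""Tunneling as an extra header in front of the original packet (added example).

Constructed example written for this page, not Cisco code: IP-in-IP
encapsulation (IP protocol number 4) built with struct, so the slide's layout
can be seen byte for byte: tunnel IP header | original IP header | layer-4
header | data. Tunnel endpoints 209.100.65.1 and 141.85.99.10 reuse the
slides' addresses as assumptions; the inner hosts 192.168.10.10 and
192.168.20.10 are constructed. IPsec in tunnel mode adds an ESP header and
encryption on top of this, which the example leaves out.
"""
import socket
import struct

IPPROTO_IPIP, IPPROTO_UDP = 4, 17
IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total, id, flags/frag, ttl, proto, csum, src, dst


def checksum(data):
    """One's-complement sum of 16-bit words (RFC 1071); 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(data):
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, data[:20])
    ihl = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4 or checksum(data[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": data[ihl:total]}


def build_inner(src, dst, sport, dport, data):
    """Original packet: IP header + UDP header + data (UDP checksum 0 = none)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def encapsulate(inner, tunnel_src, tunnel_dst):
    """Tunnel entry: prepend the tunnel IP header; the original packet is payload."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(outer):
    """Tunnel exit: strip the tunnel header, hand back the original packet."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return o, o["payload"]


if __name__ == "__main__":
    inner = build_inner("192.168.10.10", "192.168.20.10", 24000, 53, b"query")
    outer = encapsulate(inner, "209.100.65.1", "141.85.99.10")
    o, restored = decapsulate(outer)
    print("outer", o["src"], "->", o["dst"], "proto", o["proto"], "len", len(outer))
    print("inner", parse_ipv4(restored)["src"], "->", parse_ipv4(restored)["dst"])
    print("original restored:", restored == inner)
```

The ISP only ever sees the tunnel header (209.100.65.1 to 141.85.99.10, protocol 4); the private addresses travel inside the payload, which is what lets the overlay model keep the client's networks out of the ISP's routing tables. Without ESP around the inner packet, however, anyone on the path can still read and alter it, which is the gap the IPSec slides that follow address.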
IPSec: Confidentiality
[Figure: encryption algorithms listed by key length: 56 bits, 168 bits, 256 bits, 160 bits (the key lengths of DES, 3DES, AES-256 and SEAL respectively)]
IPSec: Integrity
[Figure: hash algorithms listed by digest length: 128 bits, 160 bits (the digest lengths of MD5 and SHA-1 respectively)]
IPSec: Key exchange
[Figure: Diffie-Hellman key exchange; group label DH7]
Remote working
The risk of passing company information over the Internet unprotected is very great
[Figure: SSL VPN from a Remote office]
                    IPSec                                      SSL
Applications
Encryption power
Authentication      Strong two-way authentication              Moderate one-way or two-way authentication
Ease of use         Moderate, can be challenging for a         Very easy
                    non-technical user; a preconfigured
                    client is necessary

IPSec = security
SSL = mobility, flexibility
Clientless mode: web browser and HTTPS
The user authenticates on the SSL portal to get access to internal company web resources
Thin client
In this mode, the user downloads Java applets from the portal
The applets behave like TCP proxies for applications
The user connects to several applications through the TCP proxy (POP3, SMTP, IMAP, Telnet, SSH, CIFS)
The applet makes an HTTP connection to the SSL server; the payload contains the addressing information needed to reach another service
The SSL server makes the connection to the end service inside the company network
Full client
The full client can usually be downloaded from the SSL portal
[Figure: SSL handshake with the firewall]
The firewall responds with a public key signed with a certificate
[Figure: lab topology. R1 (Fa0/1) connected to the ASA (Fa0/0); ASA (Fa0/2) connected to R2 (Fa0/1); the ASA interfaces are named inside and outside.]
Thank you.