Verifying the Operation: Inside to Outside
This section describes how to verify the NAT operation on a threat defense. To demonstrate the translation process, this example uses SSH traffic.
Let’s initiate a connection from an internal host 192.168.1.10 to an external SSH server 203.0.113.10. If NAT is operational on the threat defense, the external SSH server sees 203.0.113.3 as the source IP address of the internal host instead of its original source IP address, 192.168.1.10.
Example 17-4 shows an SSH connection between the internal client and the external server. The connection table shows only the original IP address (192.168.1.10) of the internal host, together with a translation (xlate) ID. The masqueraded, or translated, address (203.0.113.3) appears in the translation table, and the shared xlate ID is what ties the two entries together.
Example 17-4 Connection and Translation Tables
> show conn detail
1 in use, 3 most used
Inspect Snort:
        preserve-connection: 1 enabled, 0 in effect, 2 most enabled, 0 most in effect
Flags: A - awaiting responder ACK to SYN, a - awaiting initiator ACK to SYN,
       b - TCP state-bypass or nailed,
       C - CTIQBE media, c - cluster centralized,
       D - DNS, d - dump, E - outside back connection, e - semi-distributed,
       F - initiator FIN, f - responder FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - initiator data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, L - decap tunnel, M - SMTP data, m - SIP media
       N - inspected by Snort (1 - preserve-connection enabled, 2 - preserve-connection in effect)
       n - GUP, O - responder data, o - offloaded,
       P - inside back connection, p - passenger flow
       q - SQL*Net data, R - initiator acknowledged FIN,
       R - UDP SUNRPC, r - responder acknowledged FIN,
       T - SIP, t - SIP transient, U - up,
       V - VPN orphan, v - M3UA W - WAAS,
       w - secondary domain backup,
       X - inspected by service module,
       x - per session, Y - director stub flow, y - backup stub flow,
       Z - Scansafe redirection, z - forwarding stub flow

TCP OUTSIDE_INTERFACE: 203.0.113.10/80 INSIDE_INTERFACE: 192.168.1.10/47958,
    flags Ux N1, qos-rule-id 268462080, idle 8s, uptime 8s, timeout 1h0m, bytes 0, xlate id 0x2b7716a7a780
  Initiator: 192.168.1.10, Responder: 203.0.113.10
  Connection lookup keyid: 2158727
>
> show xlate detail
1 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE_INTERFACE:192.168.1.10/47958 to OUTSIDE_INTERFACE:203.0.113.3/47958
    flags ri idle 0:00:04 timeout 0:00:30 refcnt 1 xlate id 0x2b7716a7a780
>
By looking at the output of the show nat detail command, you can determine whether traffic matches a particular NAT rule and how many times that rule has matched: translate_hits counts matches in the forward (original-to-translated) direction, and untranslate_hits counts matches in the reverse direction.
Example 17-5 confirms that the Auto NAT rule found one matching connection when a host sent traffic from INSIDE_INTERFACE to OUTSIDE_INTERFACE.
Example 17-5 Matching One Connection in the Forward Direction
> show nat detail
Auto NAT Policies (Section 2)
1 (INSIDE_INTERFACE) to (OUTSIDE_INTERFACE) source dynamic Net-IN-192.168.1.0 pat-pool Pool-OUT-203.0.113.3-5 flat include-reserve
    translate_hits = 1, untranslate_hits = 0
    Source - Origin: 192.168.1.0/24, Translated (PAT): 203.0.113.3-203.0.113.5
>
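The cross-check described above (connection entry, translation entry, and the NAT rule's pool) is easy to script. The following added Python is not from the book or the threat defense: it parses the show conn detail and show xlate detail output of Example 17-4, joins the two entries on the xlate ID, and verifies that the translated address falls inside the PAT pool shown in Example 17-5. The regular expressions assume the field layout exactly as printed in these examples.

```python
import ipaddress
import re

# Device output from Example 17-4; the book's wrapped lines are rejoined with "\" continuations.
CONN_OUTPUT = """\
1 in use, 3 most used
TCP OUTSIDE_INTERFACE: 203.0.113.10/80 INSIDE_INTERFACE: 192.168.1.10/47958, flags Ux N1, \
qos-rule-id 268462080, idle 8s, uptime 8s, timeout 1h0m, bytes 0, xlate id 0x2b7716a7a780
  Initiator: 192.168.1.10, Responder: 203.0.113.10
"""
XLATE_OUTPUT = """\
1 in use, 2 most used
TCP PAT from INSIDE_INTERFACE:192.168.1.10/47958 to OUTSIDE_INTERFACE:203.0.113.3/47958 \
flags ri idle 0:00:04 timeout 0:00:30 refcnt 1 xlate id 0x2b7716a7a780
"""

# show conn detail: "<proto> <egress ifc>: <responder>/<port> <ingress ifc>: <initiator>/<port>, ... xlate id <id>"
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) \S+: (?P<resp>[\d.]+)/(?P<resp_port>\d+) "
    r"\S+: (?P<init>[\d.]+)/(?P<init_port>\d+),.*?xlate id (?P<xid>0x[0-9a-f]+)", re.MULTILINE)
# show xlate detail: "<proto> PAT|NAT from <ifc>:<orig>/<port> to <ifc>:<translated>/<port> flags <f> ... xlate id <id>"
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<kind>PAT|NAT) from \S+?:(?P<orig>[\d.]+)/(?P<orig_port>\d+) "
    r"to \S+?:(?P<xlated>[\d.]+)/(?P<xlated_port>\d+) flags (?P<flags>\S+).*?xlate id (?P<xid>0x[0-9a-f]+)",
    re.MULTILINE)

def correlate(conn_text, xlate_text):
    """Join each connection to its translation on the shared xlate id.
    A connection whose xlate id is absent from the translation table means the two
    outputs were not taken together or the translation has already expired."""
    xlates = {m["xid"]: m.groupdict() for m in XLATE_RE.finditer(xlate_text)}
    joined = []
    for c in CONN_RE.finditer(conn_text):
        x = xlates.get(c["xid"])
        if x is None:
            raise ValueError(f"no xlate {c['xid']} for {c['init']}/{c['init_port']}")
        joined.append({
            "original": f"{c['init']}/{c['init_port']}",
            "translated": f"{x['xlated']}/{x['xlated_port']}",
            "responder": f"{c['resp']}/{c['resp_port']}",
            "dynamic_pat": x["kind"] == "PAT" and "i" in x["flags"],  # xlate flag i = dynamic
        })
    return joined

def translated_in_pool(entries, first, last):
    """True when every translated address lies inside the PAT pool range first..last."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return all(lo <= int(ipaddress.IPv4Address(e["translated"].split("/")[0])) <= hi for e in entries)
```

Run the two show commands, paste their output in place of the embedded strings, and the same code reports which flows are being masqueraded and whether any translated address escaped the configured pool.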
To analyze the NAT operation further, you can capture traffic in real time as a threat defense translates the original addresses. Chapter 8, “Capturing Traffic for Advanced Analysis,” describes the steps to capture traffic using the management center GUI. As an alternative, you can also capture traffic directly using the threat defense CLI. The examples in this chapter demonstrate how to use the CLI tools to capture and examine live traffic.
Example 17-6 demonstrates the capture of any SSH traffic on the inside interface. Later, you will analyze the translation of these packets.
Example 17-6 Capturing SSH Traffic on the Threat Defense Inside Interface
! Begin the capture of SSH traffic on the inside interface.
> capture ssh_traffic_inside trace interface INSIDE_INTERFACE match tcp any any eq 22
! Verify that the threat defense is running a capture for SSH traffic.
> show capture
capture ssh_traffic_inside type raw-data trace interface INSIDE_INTERFACE [Capturing - 0 bytes]
  match tcp any any eq ssh
>
At this stage, you can initiate an SSH connection from the internal host to the external SSH server. The threat defense should capture the traffic on the inside interface. You can view the packets in the CLI.
Example 17-7 shows the first few captured packets of an SSH connection. The second command in the example then traces the first packet through each processing phase, which shows the address translation in detail.
Example 17-7 Analyzing Captured Packets
! To view all of the captured packets (press Ctrl+C to exit from a long show):
> show capture ssh_traffic_inside
81 packets captured
   1: 02:59:47.220310       192.168.1.10.41934 > 203.0.113.10.22: S 1482617093:1482617093(0) win 29200 <mss 1460,sackOK,timestamp 15243390 0,nop,wscale 7>
   2: 02:59:47.221149       203.0.113.10.22 > 192.168.1.10.41934: S 1409789153:1409789153(0) ack 1482617094 win 28960 <mss 1380,sackOK,timestamp 17762742 15243390,nop,wscale 7>
   3: 02:59:47.221256       192.168.1.10.41934 > 203.0.113.10.22: . ack 1409789154 win 229 <nop,nop,timestamp 15243390 17762742>
   4: 02:59:47.221729       192.168.1.10.41934 > 203.0.113.10.22: P 1482617094:1482617135(41) ack 1409789154 win 229 <nop,nop,timestamp 15243391 17762742>
   5: 02:59:47.222186       203.0.113.10.22 > 192.168.1.10.41934: . ack 1482617135 win 227 <nop,nop,timestamp 17762742 15243391>
<Output is omitted for brevity>

! To analyze the first captured packet:
> show capture ssh_traffic_inside packet-number 1 trace
81 packets captured
   1: 02:59:47.220310       192.168.1.10.41934 > 203.0.113.10.22: S 1482617093:1482617093(0) win 29200 <mss 1460,sackOK,timestamp 15243390 0,nop,wscale 7>
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.10 using egress ifc OUTSIDE_INTERFACE

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435457
access-list CSM_FW_ACL_ remark rule-id 268435457: ACCESS POLICY: AC Policy - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268435457: L7 RULE: Traffic Selection
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Net-IN-192.168.1.0
 nat (INSIDE_INTERFACE,OUTSIDE_INTERFACE) dynamic pat-pool Pool-OUT-203.0.113.3-5 flat include-reserve
Additional Information:
Dynamic translate 192.168.1.10/41934 to 203.0.113.3/41934

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 442, packet dispatched to next module

Phase: 12
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 13
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (pass-packet) allow this packet

Phase: 14
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.10 using egress ifc OUTSIDE_INTERFACE

Phase: 15
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0023.2472.1d3c hits 139985869104448

Phase: 16
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Result:
input-interface: OUTSIDE_INTERFACE
input-status: up
input-line-status: up
output-interface: OUTSIDE_INTERFACE
output-status: up
output-line-status: up
Action: allow

1 packet shown
>
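A trace like the one above is long, and when verifying NAT you usually want a repeatable check that the NAT phase reported the expected translation and that no phase dropped the packet. The following added Python is not from the book: it parses an abridged copy of the Example 17-7 trace into per-phase records, pulls the "Dynamic translate" line out of the NAT phase, and confirms every phase result is ALLOW. It assumes the Phase/Type/Subtype/Result/Config/Additional Information layout exactly as printed above.

```python
import re

# Abridged from the packet trace in Example 17-7: only phases 3 and 6 are kept.
TRACE = """\
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.10 using egress ifc OUTSIDE_INTERFACE

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Net-IN-192.168.1.0
 nat (INSIDE_INTERFACE,OUTSIDE_INTERFACE) dynamic pat-pool Pool-OUT-203.0.113.3-5 flat include-reserve
Additional Information:
Dynamic translate 192.168.1.10/41934 to 203.0.113.3/41934
"""

def parse_phases(trace):
    """Return one dict per 'Phase:' block: number, Type, Result and its Additional Information lines."""
    phases = []
    for block in re.split(r"^(?=Phase: )", trace, flags=re.MULTILINE)[1:]:
        block = block.split("\nResult:\n")[0]  # a trailing overall "Result:" block is not a phase
        head, _, info = block.partition("Additional Information:\n")
        fields = dict(line.split(": ", 1) for line in head.splitlines() if ": " in line)
        phases.append({"phase": int(fields["Phase"]), "type": fields["Type"],
                       "result": fields["Result"], "info": info.strip().splitlines()})
    return phases

def nat_translation(phases):
    """Return (original, translated) endpoints from the NAT phase, or None if nothing was translated."""
    for p in phases:
        if p["type"] == "NAT":
            for line in p["info"]:
                m = re.match(r"Dynamic translate (\S+) to (\S+)", line)
                if m:
                    return m.group(1), m.group(2)
    return None

def all_allowed(phases):
    """True when no phase reported anything other than ALLOW; a DROP names the offending phase."""
    return all(p["result"] == "ALLOW" for p in phases)
```

Feed the full trace from the device into parse_phases and the same two checks tell you, without reading sixteen phases by eye, whether the expected PAT address was applied and where a packet was dropped if it was.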