Verifying the Operation: Outside to DMZ
This section demonstrates the operation of a static Auto NAT rule on a threat defense. As in the previous exercise, SSH is used to generate the traffic. The difference is that this time the SSH connection is initiated by an external host, so the flow enters on the outside interface and is delivered to the DMZ.
Before you begin, clear the NAT counters and any existing translations so that the single new connection is easy to spot in the hit counters and in the xlate table:
> clear nat counters
> clear xlate
Now try to access the DMZ server from an external host. Using an SSH client, connect to port 2200 of the translated (masqueraded) IP address 203.0.113.2. You are connected to the DMZ server, even though its original (real) IP address is 172.16.1.10 and it listens on port 22 for SSH connections. The static NAT rule on the threat defense maps 203.0.113.2:2200 to 172.16.1.10:22, so the external host never needs to know the real address or port.
Example 17-12 shows that the inbound SSH connection matched the first rule in the Auto NAT policy. Because the rule is defined from DMZ_INTERFACE to OUTSIDE_INTERFACE, a connection initiated from the outside is the reverse direction of the rule: the destination is un-translated from the mapped address to the real address, so the untranslate_hits counter is incremented rather than translate_hits. The value untranslate_hits = 1 confirms exactly one such connection.
Example 17-12 Matching a Connection in the Reverse Direction
> show nat detail
Auto NAT Policies (Section 2)
1 (DMZ_INTERFACE) to (OUTSIDE_INTERFACE) source static Serv-Real-172.16.1.10 Serv-Mask-203.0.113.2 service tcp ssh 2200
translate_hits = 0, untranslate_hits = 1
Source - Origin: 172.16.1.10/32, Translated: 203.0.113.2/32
Service - Protocol: tcp Real: ssh Mapped: 2200
2 (INSIDE_INTERFACE) to (OUTSIDE_INTERFACE) source dynamic Net-IN-192.168.1.0 pat-pool Pool-OUT-203.0.113.3-5 flat include-reserve
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.1.0/24, Translated (PAT): 203.0.113.3-203.0.113.5
>
Example 17-13 shows the current translations. The flags sr identify the entry as a static (s) translation with port mapping (r), that is, the static port translation between the external host and the DMZ server: real 172.16.1.10 port 22 on DMZ_INTERFACE mapped to 203.0.113.2 port 2200 on OUTSIDE_INTERFACE. The zero timeout is expected for a static entry, which persists as long as the rule is configured; the idle timer shows how long ago the entry was last used.
Example 17-13 Real-Time Translation Status
> show xlate detail
1 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from DMZ_INTERFACE:172.16.1.10 22-22 to OUTSIDE_INTERFACE:203.0.113.2 2200-2200
flags sr idle 0:00:54 timeout 0:00:00 refcnt 1 xlate id 0x7f516987ee00
>
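When this verification is repeated across many devices or many rules, reading the counters by eye does not scale. The following script is an added example, not code from the book or from Cisco: it parses the text of show nat detail and show xlate detail (the sample strings are copied from Examples 17-12 and 17-13) and checks the evidence expected after one outside-to-DMZ connection through a static PAT rule. The regular expressions are assumptions about the output format of those two commands, and the function and field names are the author's own.

```python
import re

# Constructed sample, copied from the 'show nat detail' output in Example 17-12.
SHOW_NAT_DETAIL = """\
Auto NAT Policies (Section 2)
1 (DMZ_INTERFACE) to (OUTSIDE_INTERFACE) source static Serv-Real-172.16.1.10 Serv-Mask-203.0.113.2 service tcp ssh 2200
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 172.16.1.10/32, Translated: 203.0.113.2/32
    Service - Protocol: tcp Real: ssh Mapped: 2200
2 (INSIDE_INTERFACE) to (OUTSIDE_INTERFACE) source dynamic Net-IN-192.168.1.0 pat-pool Pool-OUT-203.0.113.3-5 flat include-reserve
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.1.0/24, Translated (PAT): 203.0.113.3-203.0.113.5
"""

# Constructed sample, copied from the 'show xlate detail' output in Example 17-13.
SHOW_XLATE_DETAIL = """\
1 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from DMZ_INTERFACE:172.16.1.10 22-22 to OUTSIDE_INTERFACE:203.0.113.2 2200-2200
    flags sr idle 0:00:54 timeout 0:00:00 refcnt 1 xlate id 0x7f516987ee00
"""

# Flag letters as printed in the legend of 'show xlate detail'.
XLATE_FLAG_NAMES = {"D": "DNS", "e": "extended", "I": "identity", "i": "dynamic",
                    "r": "portmap", "s": "static", "T": "twice", "N": "net-to-net"}

# Assumed line formats (derived from the sample output above, not from a Cisco spec).
_RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+)")
_HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
_ORIGIN_RE = re.compile(r"Source - Origin: (\S+),")
_XLATE_RE = re.compile(r"^(TCP|UDP|ICMP|NAT) (?:PAT )?from (\S+):(\S+)(?: (\d+)-(\d+))?"
                       r" to (\S+):(\S+)(?: (\d+)-(\d+))?")
_FLAGS_RE = re.compile(r"\bflags (\S+) idle")


def parse_nat_rules(text):
    """One dict per NAT rule: interfaces, kind, real network and hit counters."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if m:
            rules.append({"index": int(m.group(1)), "real_ifc": m.group(2),
                          "mapped_ifc": m.group(3), "kind": m.group(4),
                          "object": m.group(5), "real": None,
                          "translate_hits": None, "untranslate_hits": None})
            continue
        if not rules:
            continue
        m = _HITS_RE.search(line)
        if m:
            rules[-1]["translate_hits"] = int(m.group(1))
            rules[-1]["untranslate_hits"] = int(m.group(2))
        m = _ORIGIN_RE.search(line)
        if m:
            rules[-1]["real"] = m.group(1)
    return rules


def parse_xlates(text):
    """One dict per translation entry, with the flag letters expanded to names."""
    xlates = []
    for line in text.splitlines():
        m = _XLATE_RE.match(line)
        if m:
            xlates.append({"proto": m.group(1),
                           "real_ifc": m.group(2), "real_ip": m.group(3),
                           "real_port": int(m.group(4)) if m.group(4) else None,
                           "mapped_ifc": m.group(6), "mapped_ip": m.group(7),
                           "mapped_port": int(m.group(8)) if m.group(8) else None,
                           "flags": []})
            continue
        m = _FLAGS_RE.search(line)
        if m and xlates:
            xlates[-1]["flags"] = [XLATE_FLAG_NAMES.get(c, c) for c in m.group(1)]
    return xlates


def verify_inbound_static_pat(nat_text, xlate_text, real_ip, real_port, mapped_ip, mapped_port):
    """Named checks for one outside-to-DMZ connection through a static PAT rule:
    the static rule for real_ip counted a reverse-direction hit (untranslate_hits >= 1)
    and no forward hit, and the xlate table holds a static, port-mapped entry
    for the expected real/mapped pair."""
    rule = next((r for r in parse_nat_rules(nat_text)
                 if r["kind"] == "static" and r["real"] and r["real"].split("/")[0] == real_ip), None)
    xlate = next((x for x in parse_xlates(xlate_text)
                  if (x["real_ip"], x["real_port"]) == (real_ip, real_port)
                  and (x["mapped_ip"], x["mapped_port"]) == (mapped_ip, mapped_port)), None)
    return {
        "static_rule_found": rule is not None,
        "reverse_hit_counted": rule is not None and (rule["untranslate_hits"] or 0) >= 1,
        "no_forward_hit": rule is not None and rule["translate_hits"] == 0,
        "xlate_present": xlate is not None,
        "xlate_static_portmap": xlate is not None and {"static", "portmap"} <= set(xlate["flags"]),
    }


if __name__ == "__main__":
    checks = verify_inbound_static_pat(SHOW_NAT_DETAIL, SHOW_XLATE_DETAIL,
                                       "172.16.1.10", 22, "203.0.113.2", 2200)
    for name, ok in checks.items():
        print(f"{name:22s} {'PASS' if ok else 'FAIL'}")
```

In practice you would feed the script the output collected over SSH or from the device's diagnostic CLI; the point of keying on the untranslate_hits counter and on the sr flags, rather than on the rule text alone, is that they prove the rule was actually used in the expected direction.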
To see the NAT operation packet by packet, capture SSH traffic on the outside interface, matching the translated port, and analyze it with the trace option (see Example 17-14).
Example 17-14 Capturing SSH Traffic on an Outside Interface (on a Translated Port)
! Enable capture on outside interface:
> capture ssh_traffic_outside_masked trace interface OUTSIDE_INTERFACE match tcp any any eq 2200
! Verify that the capture is running:
> show capture
capture ssh_traffic_inside type raw-data trace interface INSIDE_INTERFACE [Capturing - 0 bytes]
  match tcp any any eq ssh
capture ssh_traffic_outside type raw-data trace interface OUTSIDE_INTERFACE [Capturing - 0 bytes]
  match tcp any any eq ssh
capture ssh_traffic_outside_masked type raw-data trace interface OUTSIDE_INTERFACE [Capturing - 0 bytes]
  match tcp any any eq 2200
>
! Now initiate an SSH connection from the external host to the DMZ server, using the
! masqueraded IP address and port number. It generates the following traffic:
> show capture ssh_traffic_outside_masked
59 packets captured
1: 05:21:23.785436 203.0.113.10.41760 > 203.0.113.2.2200: S 2089153959:2089153959(0) win 29200 <mss 1460,sackOK,timestamp 19887065 0,nop,wscale 7>
2: 05:21:23.786168 203.0.113.2.2200 > 203.0.113.10.41760: S 29917599:29917599(0) ack 2089153960 win 28960 <mss 1380,sackOK,timestamp 19892875 19887065,nop,wscale 7>
3: 05:21:23.786336 203.0.113.10.41760 > 203.0.113.2.2200: . ack 29917600 win 229 <nop,nop,timestamp 19887065 19892875>
4: 05:21:23.786855 203.0.113.10.41760 > 203.0.113.2.2200: P 2089153960:2089154001(41) ack 29917600 win 229 <nop,nop,timestamp 19887066 19892875>
5: 05:21:23.787312 203.0.113.2.2200 > 203.0.113.10.41760: . ack 2089154001 win 227 <nop,nop,timestamp 19892876 19887066>
.
.
<Output is omitted for brevity>
Example 17-15 shows how to analyze the trace data for a captured packet. Because the external host is connecting to the mapped address 203.0.113.2 on port 2200, Phase 3 (UN-NAT) matches the static rule, un-translates the destination to 172.16.1.10/22 and diverts the packet to the DMZ_INTERFACE egress interface. The NAT rpf-check in Phase 8 then passes, Snort allows the flow, and the final action is allow.
Example 17-15 Analyzing a Translated Packet (Where the Packet Matches a Rule)
> show capture ssh_traffic_outside_masked packet-number 1 trace
59 packets captured
1: 05:21:23.785436 203.0.113.10.41760 > 203.0.113.2.2200: S 2089153959:2089153959(0) win 29200 <mss 1460,sackOK,timestamp 19887065 0,nop,wscale 7>
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Serv-Real-172.16.1.10
 nat (DMZ_INTERFACE,OUTSIDE_INTERFACE) static Serv-Mask-203.0.113.2 service tcp ssh 2200
Additional Information:
NAT divert to egress interface DMZ_INTERFACE
Untranslate 203.0.113.2/2200 to 172.16.1.10/22
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435457
access-list CSM_FW_ACL_ remark rule-id 268435457: ACCESS POLICY: AC Policy - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268435457: L7 RULE: Traffic Selection
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Serv-Real-172.16.1.10
 nat (DMZ_INTERFACE,OUTSIDE_INTERFACE) static Serv-Mask-203.0.113.2 service tcp ssh 2200
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 505, packet dispatched to next module
Phase: 12
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 13
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (pass-packet) allow this packet
Phase: 14
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.1.10 using egress ifc DMZ_INTERFACE
Phase: 15
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address a4ba.db9f.9460 hits 5205
Result:
input-interface: OUTSIDE_INTERFACE
input-status: up
input-line-status: up
output-interface: DMZ_INTERFACE
output-status: up
output-line-status: up
Action: allow
1 packet shown
>
If you instead attempt to connect from the outside to the server's original (real) IP address 172.16.1.10, the connection fails. Example 17-16 shows the trace for such a packet, captured by the ssh_traffic_outside capture that matches port 22. The route lookup in Phase 3 still resolves the egress interface (DMZ_INTERFACE), and the access control policy still permits the traffic, but the NAT rpf-check in Phase 8 fails: the static rule ties this server to the mapped address 203.0.113.2 and port 2200 on OUTSIDE_INTERFACE, and a packet that arrives there addressed directly to 172.16.1.10/22 is not the traffic the rule would translate, so the threat defense drops it. Note that the closing summary reports the drop with the generic reason (acl-drop) Flow is denied by configured rule, even though the phase that denied the packet is the NAT rpf-check rather than an access-list phase; when troubleshooting, read the per-phase output and look for the first Result: DROP rather than relying on the final drop reason alone.
Example 17-16 Analyzing a Packet (Where the Packet Does Not Match a Rule)
> show capture ssh_traffic_outside packet-number 1 trace
6 packets captured
1: 05:19:16.438255 203.0.113.10.48556 > 172.16.1.10.22: S 1315278899:1315278899(0) win 29200 <mss 1460,sackOK,timestamp 19855229 0,nop,wscale 7>
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.1.10 using egress ifc DMZ_INTERFACE
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435457
access-list CSM_FW_ACL_ remark rule-id 268435457: ACCESS POLICY: AC Policy - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268435457: L7 RULE: Traffic Selection
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network Serv-Real-172.16.1.10
 nat (DMZ_INTERFACE,OUTSIDE_INTERFACE) static Serv-Mask-203.0.113.2 service tcp ssh 2200
Additional Information:
Result:
input-interface: OUTSIDE_INTERFACE
input-status: up
input-line-status: up
output-interface: DMZ_INTERFACE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
1 packet shown
>
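The two traces in Examples 17-15 and 17-16 differ in only one phase, and the closing drop reason does not name it. The script below is an added example, not code from the book or from Cisco: it parses the per-phase output of show capture <name> packet-number N trace, reports the first phase whose result is DROP together with its type and subtype, and pulls the mapped-to-real mapping out of the UN-NAT phase when the packet was allowed. The two sample traces are constructed, condensed copies of the page's own traces with the phases that do not affect the verdict removed; the assumed format is Phase: / Type: / Subtype: / Result: headers per phase, closed by a bare Result: summary block.

```python
import re

# Constructed sample, condensed from Example 17-15 (packet sent to the mapped address).
ALLOWED_TRACE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Serv-Real-172.16.1.10
 nat (DMZ_INTERFACE,OUTSIDE_INTERFACE) static Serv-Mask-203.0.113.2 service tcp ssh 2200
Additional Information:
NAT divert to egress interface DMZ_INTERFACE
Untranslate 203.0.113.2/2200 to 172.16.1.10/22
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW

Result:
input-interface: OUTSIDE_INTERFACE
output-interface: DMZ_INTERFACE
Action: allow
"""

# Constructed sample, condensed from Example 17-16 (packet sent to the real address).
DROPPED_TRACE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
found next-hop 172.16.1.10 using egress ifc DMZ_INTERFACE
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network Serv-Real-172.16.1.10
 nat (DMZ_INTERFACE,OUTSIDE_INTERFACE) static Serv-Mask-203.0.113.2 service tcp ssh 2200

Result:
input-interface: OUTSIDE_INTERFACE
output-interface: DMZ_INTERFACE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

_UNTRANSLATE_RE = re.compile(r"Untranslate (\S+)/(\d+) to (\S+)/(\d+)")
_SUMMARY_KEYS = {"Action": "action", "Drop-reason": "drop_reason",
                 "input-interface": "input_ifc", "output-interface": "output_ifc"}


def parse_trace(text):
    """Split a packet trace into its phases and the closing summary (assumed format)."""
    trace = {"phases": [], "action": None, "drop_reason": None,
             "input_ifc": None, "output_ifc": None}
    phase, in_summary = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase: "):
            phase = {"number": int(line[7:]), "type": "", "subtype": "", "result": "", "details": []}
            trace["phases"].append(phase)
            continue
        if line == "Result:":            # a bare 'Result:' opens the summary block
            in_summary, phase = True, None
            continue
        key, sep, value = line.partition(":")
        value = value.strip()
        if in_summary:
            if key in _SUMMARY_KEYS:
                trace[_SUMMARY_KEYS[key]] = value
        elif phase is not None:
            if sep and key in ("Type", "Subtype", "Result"):
                phase[key.lower()] = value
            elif line and line not in ("Config:", "Additional Information:"):
                phase["details"].append(line)   # config lines, NAT actions, verdict text
    return trace


def first_drop(trace):
    """The first phase whose result is DROP, or None when every phase allowed the packet."""
    return next((p for p in trace["phases"] if p["result"] == "DROP"), None)


def untranslate(trace):
    """(mapped_ip, mapped_port, real_ip, real_port) from the UN-NAT phase, or None."""
    for phase in trace["phases"]:
        if phase["type"] == "UN-NAT":
            for detail in phase["details"]:
                m = _UNTRANSLATE_RE.search(detail)
                if m:
                    return (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
    return None


def summarize(trace):
    """One-line verdict naming the deciding phase, not just the generic drop reason."""
    drop = first_drop(trace)
    if drop is None:
        un = untranslate(trace)
        via = f" via UN-NAT {un[0]}:{un[1]} -> {un[2]}:{un[3]}" if un else ""
        return f"allow {trace['input_ifc']} -> {trace['output_ifc']}{via}"
    return f"drop in phase {drop['number']} ({drop['type']} {drop['subtype']}): {trace['drop_reason']}"


if __name__ == "__main__":
    print(summarize(parse_trace(ALLOWED_TRACE)))
    print(summarize(parse_trace(DROPPED_TRACE)))
```

Run against the full trace text, the summary for the second packet reads "drop in phase 8 (NAT rpf-check)", which is the information the closing Drop-reason line hides behind acl-drop; that is the line worth attaching to a change ticket when a published service stops answering after a NAT edit.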