Verifying the Operation: Outside to Inside
The NAT rule you created earlier translates traffic in the forward direction: connections that originate on INSIDE_INTERFACE and are destined for OUTSIDE_INTERFACE. A connection initiated in the reverse direction, from OUTSIDE_INTERFACE toward an inside host, has no existing translation (xlate) to use and is dropped, whether it targets the PAT address or the host's real address. You can verify this by capturing SSH traffic on OUTSIDE_INTERFACE and analyzing the trace data.
Example 17-8 shows how to enable the capture tool on the outside interface.
Example 17-8 Capturing SSH Traffic on the Threat Defense OUTSIDE_INTERFACE
! Enable capture on the outside interface:
> capture ssh_traffic_outside trace interface OUTSIDE_INTERFACE match tcp any any eq 22

! Threat defense begins capturing SSH traffic on the outside interface:
> show capture
capture ssh_traffic_inside type raw-data trace interface INSIDE_INTERFACE [Capturing - 0 bytes]
  match tcp any any eq ssh
capture ssh_traffic_outside type raw-data trace interface OUTSIDE_INTERFACE [Capturing - 0 bytes]
  match tcp any any eq ssh
>
Now if you attempt to connect from an external host to an internal host, regardless of the destination IP address you choose—either original or masqueraded—the connection attempt fails.
Example 17-9 shows the failed connection attempts from the external host 203.0.113.10 to the same internal host, first through the masqueraded IP address 203.0.113.3 and then through the original IP address 192.168.1.10. In both cases the capture holds nothing but the client's SYN retransmissions; no SYN-ACK ever comes back.
Example 17-9 Captured Traffic on the Threat Defense OUTSIDE_INTERFACE Shows Only SYN (S) Packets
> show capture ssh_traffic_outside
8 packets captured
   1: 03:56:51.100290 203.0.113.10.48400 > 203.0.113.3.22: S 3636330443:3636330443(0) win 29200 <mss 1460,sackOK,timestamp 18618684 0,nop,wscale 7>
   2: 03:56:52.097269 203.0.113.10.48400 > 203.0.113.3.22: S 3636330443:3636330443(0) win 29200 <mss 1460,sackOK,timestamp 18618934 0,nop,wscale 7>
   3: 03:56:54.101343 203.0.113.10.48400 > 203.0.113.3.22: S 3636330443:3636330443(0) win 29200 <mss 1460,sackOK,timestamp 18619435 0,nop,wscale 7>
   4: 03:56:58.105478 203.0.113.10.48400 > 203.0.113.3.22: S 3636330443:3636330443(0) win 29200 <mss 1460,sackOK,timestamp 18620436 0,nop,wscale 7>
   5: 03:57:22.069759 203.0.113.10.53048 > 192.168.1.10.22: S 1744936567:1744936567(0) win 29200 <mss 1460,sackOK,timestamp 18626426 0,nop,wscale 7>
   6: 03:57:23.066250 203.0.113.10.53048 > 192.168.1.10.22: S 1744936567:1744936567(0) win 29200 <mss 1460,sackOK,timestamp 18626676 0,nop,wscale 7>
   7: 03:57:25.070369 203.0.113.10.53048 > 192.168.1.10.22: S 1744936567:1744936567(0) win 29200 <mss 1460,sackOK,timestamp 18627177 0,nop,wscale 7>
   8: 03:57:29.082469 203.0.113.10.53048 > 192.168.1.10.22: S 1744936567:1744936567(0) win 29200 <mss 1460,sackOK,timestamp 18628180 0,nop,wscale 7>
8 packets shown
>
Example 17-10 analyzes the trace data of the first captured packet, in which the external host tries to connect to the internal host through its masqueraded IP address, 203.0.113.3. Because that address belongs to the PAT pool on OUTSIDE_INTERFACE, the route lookup resolves it to OUTSIDE_INTERFACE itself, and the packet is dropped with the reason nat-no-xlate-to-pat-pool: a PAT address accepts only traffic that belongs to a translation an inside host has already created.
Example 17-10 Trying to Connect to the Masqueraded IP Address of an Internal Host
> show capture ssh_traffic_outside packet-number 1 trace
8 packets captured
   1: 03:56:51.100290 203.0.113.10.48400 > 203.0.113.3.22: S 3636330443:3636330443(0) win 29200 <mss 1460,sackOK,timestamp 18618684 0,nop,wscale 7>

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.3 using egress ifc OUTSIDE_INTERFACE

Result:
input-interface: OUTSIDE_INTERFACE
input-status: up
input-line-status: up
output-interface: OUTSIDE_INTERFACE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

1 packet shown
>
Example 17-11 analyzes the trace data of the fifth captured packet, in which the external host tries to connect to the internal host by using its original IP address, 192.168.1.10. This packet gets much further: the route lookup finds the host behind INSIDE_INTERFACE and the access control policy permits it, but the NAT rpf-check in Phase 8 drops it, because the dynamic PAT rule provides no translation for a connection in this direction.
Example 17-11 Trying to Connect to the Original IP Address of an Internal Host
> show capture ssh_traffic_outside packet-number 5 trace
8 packets captured
   5: 03:57:22.069759 203.0.113.10.53048 > 192.168.1.10.22: S 1744936567:1744936567(0) win 29200 <mss 1460,sackOK,timestamp 18626426 0,nop,wscale 7>

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.10 using egress ifc INSIDE_INTERFACE

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435457
access-list CSM_FW_ACL_ remark rule-id 268435457: ACCESS POLICY: AC Policy - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268435457: L7 RULE: Traffic Selection
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network Net-IN-192.168.1.0
 nat (INSIDE_INTERFACE,OUTSIDE_INTERFACE) dynamic pat-pool Pool-OUT-203.0.113.3-5 flat include-reserve
Additional Information:

Result:
input-interface: OUTSIDE_INTERFACE
input-status: up
input-line-status: up
output-interface: INSIDE_INTERFACE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

1 packet shown
>
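Reading these captures by eye works for eight packets; it does not scale to a busy interface. The following is an added example of my own, not code from the book or from Cisco, that parses the two output formats used in this section: it re-joins capture records that were wrapped across lines, flags flows that consist only of unanswered SYNs (the pattern of Example 17-9), and extracts the dropping phase, final action and drop reason from a packet trace (Examples 17-10 and 17-11). All sample text is constructed from the page's own output; packets 9 and 10 are an invented completed flow added for contrast, and the nat-no-xlate case is recognized by the absence of any phase with Result: DROP.

```python
"""Parse Firepower Threat Defense capture and packet-trace text. Added example,
not code from the book or from Cisco: it reads the output format of Examples
17-9 through 17-11 and reports flows that never got past a bare SYN, and the
phase and reason a traced packet was dropped. Sample text is constructed from
the page's own output; packets 9 and 10 are an invented completed flow."""
import re

# Excerpt of Example 17-9 (packet 5 wrapped as in the book) plus invented packets 9 and 10.
CAPTURE_TEXT = """\
   1: 03:56:51.100290 203.0.113.10.48400 > 203.0.113.3.22: S 3636330443:3636330443(0) win 29200 <mss 1460,sackOK,timestamp 18618684 0,nop,wscale 7>
   5: 03:57:22.069759 203.0.113.10.53048 > 192.168.1.10.22:
S 1744936567:1744936567(0) win 29200 <mss 1460,sackOK,timestamp 18626426 0,nop,
wscale 7>
   9: 03:58:00.000000 203.0.113.3.40000 > 203.0.113.10.22: S 100:100(0) win 29200 <mss 1460>
  10: 03:58:00.001000 203.0.113.10.22 > 203.0.113.3.40000: S 200:200(0) ack 101 win 28960 <mss 1460>
8 packets shown
"""
# Abbreviated traces of Example 17-10 (PAT address) and Example 17-11 (real address).
TRACE_PAT = """\
Phase: 3
Type: ROUTE-LOOKUP
Result: ALLOW
Result:
output-interface: OUTSIDE_INTERFACE
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
"""
TRACE_REAL = """\
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Result:
output-interface: INSIDE_INTERFACE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
PACKET_RE = re.compile(r"^(?P<num>\d+):\s+(?P<ts>\S+)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)"
                       r"\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s*(?P<rest>.*)$")

def join_wrapped(text):
    """Re-join records wrapped across lines: a line not starting with '<n>:' continues the previous one."""
    records = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or re.match(r"\d+ packets (captured|shown)", line):
            continue
        if re.match(r"\d+:\s", line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records

def parse_packets(text):
    """One dict per packet: endpoints, tcpdump-style flag field, ack=True when 'ack N' is present."""
    pkts = []
    for rec in join_wrapped(text):
        m = PACKET_RE.match(rec)
        if m:
            d = m.groupdict()
            rest = d.pop("rest")
            d["flags"] = rest.split()[0]
            d["ack"] = re.search(r"\back \d+", rest) is not None  # SYN-ACK carries 'ack N'
            pkts.append(d)
    return pkts

def syn_only_flows(pkts):
    """Flows keyed by initiator (src, sport, dst, dport); syn_only means nothing ever answered the SYN."""
    flows = {}
    for p in pkts:
        key = tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
        flows.setdefault(key, []).append(p)
    report = {}
    for plist in flows.values():
        first = plist[0]
        initiator = (first["src"], first["sport"], first["dst"], first["dport"])
        syn_only = all(p["flags"] == "S" and not p["ack"] and p["src"] == first["src"] for p in plist)
        report[initiator] = {"packets": len(plist), "syn_only": syn_only}
    return report

def parse_trace(text):
    """First phase with Result: DROP (None if only the final verdict dropped it), action, reason, egress."""
    phases, cur = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("Phase:"):
            cur = {"type": "", "subtype": "", "result": ""}
            phases.append(cur)
        elif line == "Result:":  # a bare 'Result:' opens the final summary block, not a phase
            cur = None
        elif cur is not None:
            fm = re.match(r"(Type|Subtype|Result):\s*(.*)", line)
            if fm:
                cur[fm.group(1).lower()] = fm.group(2).strip()
    def grab(pat):
        m = re.search(pat, text, re.M)
        return m.group(1).strip() if m else None
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return {
        "drop_phase": f"{drop['type']}/{drop['subtype']}" if drop else None,
        "action": grab(r"^\s*Action:\s*(\S+)"),
        "drop_code": grab(r"Drop-reason:\s*\(([^)]+)\)"),
        "drop_desc": grab(r"Drop-reason:\s*\([^)]+\)\s*(.*)"),
        "egress": grab(r"^\s*output-interface:\s*(\S+)"),
    }

if __name__ == "__main__":
    print(syn_only_flows(parse_packets(CAPTURE_TEXT)))
    print(parse_trace(TRACE_PAT), parse_trace(TRACE_REAL), sep="\n")
```

Feed it a saved terminal session rather than the constructed strings. On real output, a syn_only flow whose packets are spaced at roughly 1, 2 and 4 seconds is the client's SYN retransmission timer, which is exactly what Example 17-9 shows, and a trace whose drop_phase is None with drop_code nat-no-xlate-to-pat-pool is the PAT-address case of Example 17-10.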