1 / 33

Connectivity NA(P)T

Connectivity NA(P)T. Thomson Gateway NAT. NAT: Network Address Translation ("IP Masquerading") NAPT: Network Address and Port Translation. Definition. NAT: Maps IP addresses from one address realm to other Provides transparent routing (disparate address realms) Characteristics:

gaurav
Download Presentation

Connectivity NA(P)T

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ConnectivityNA(P)T

  2. Thomson Gateway NAT • NAT: Network Address Translation ("IP Masquerading") • NAPT: Network Address and Port Translation

  3. Definition • NAT: • Maps IP addresses from one address realm to other • Provides transparent routing (disparate address realms) • Characteristics: • Transparent address assignment • Transparent routing through address translation • ICMP error packet payload translation

  4. 10.0.0.1 WAN 10.0.0.2 10.0.0.x 150.15.10.8 10.0.0.3 Necessity • IPv4: 32 bits • Private networks 10.0.0.0, 172.16.0.0, 192.168.0.0 WAN: outside IP addresses LAN: inside IP addresses

  5. Example PPPoE Server 100.0.1.1 40.0.1.1 [nat]=>maplist Idx Type Interface Outside Address Inside Address Use 1 NAPT pppoe0 50.50.1.1 40.0.1.1 1 Packet flow Address binding • [IN] eth0-> : 40.0.1.1 100.0.1.1 0076 TCP 10000->50000 [S.....] • [UT] eth0->pppoe0 : 50.50.1.1 100.0.1.1 0076 TCP 49125->50000 [S.....] • [IN] pppoe0-> : 100.0.1.1 50.50.1.1 0076 TCP 50000->49125 [S.A...] • [UT] pppoe0->eth0 : 100.0.1.1 40.0.1.1 0076 TCP 50000->10000 [S.A...] • [IN] eth0-> : 40.0.1.1 100.0.1.1 0076 TCP 10000->50000 [..A...] • [UT] eth0->pppoe0 : 50.50.1.1 100.0.1.1 0076 TCP 49125->50000 [..A...] NAPT: extension of NAT Session flow

  6. Static vs. Dynamic NAT • Static Address Assignment → Static NAT • One-to-one address mapping • Fixed in time • Dynamic Address Assignment → Dynamic NAT • Based on usage requirements and session flow • Binding used and re-used

  7. Basic NAT • Block external addresses set aside for translation • For sessions originating in private domain • Example • Static Idx Type Interface Outside Address Inside Address 1 NAT ipoa0 50.0.0.138 unmapped Access List................... 10.0.0.10 Foreign Address............... any Protocol...................... any Flags......................... Static Description................... Outbound Basic NAT

  8. When to Use Basic NAT • Inside address not routable on outside network • Hiding inside addresses from outside world • Avoid network renumbering when changing service provider

  9. NAPT • Extension: translation of transport identifiers • TCP, UDP: port numbers • ICMP: query identifiers • Allows sharing single external address Idx Type Interface Outside Address Inside Address Use 1 NAPT ipoa0 50.0.0.138 unmapped 2 Access List................... 40.0.0.0/16 Foreign Address............... any Protocol...................... any Flags......................... Static Description................... Outbound NAPT without defserver

  10. NAPT – Continued • [IN] eth0-> : 40.0.1.1 100.0.1.1 0076 TCP 10000->50000 [S.....] • [UT] eth0->ipoa0 : 50.0.1.138 100.0.1.1 0076 TCP 49125->50000 [S.....] • [IN] ipoa0-> : 100.0.1.1 50.0.1.138 0076 TCP 50000->49125 [S.A...] • [UT] ipoa0->eth0 : 100.0.1.1 40.0.1.1 0076 TCP 50000->10000 [S.A...] • [IN] eth0-> : 40.0.1.1 100.0.1.1 0076 TCP 10000->50000 [..A...] • [UT] eth0->ipoa0 : 50.0.1.138 100.0.1.1 0076 TCP 49125->50000 [..A...] • [IN] eth0-> : 40.0.1.2 100.0.1.1 0076 TCP 10001->50000 [S.....] • [UT] eth0->ipoa0 : 50.0.1.138 100.0.1.1 0076 TCP 49126->50000 [S.....] • [IN] ipoa0-> : 100.0.1.1 50.0.1.138 0076 TCP 50000->49126 [S.A...] • [UT] ipoa0->eth0 : 100.0.1.1 40.0.1.2 0076 TCP 50000->10001 [S.A...] • [IN] eth0-> : 40.0.1.2 100.0.1.1 0076 TCP 10001->50000 [..A...] • [UT] eth0->ipoa0 : 50.0.1.138 100.0.1.1 0076 TCP 49126->50000 [..A...] NAPT uses ports from range [49125 - 65536]

  11. When to Use NAPT • Multiple private hosts accessing public network through same gateway • Link specific traffic to private host • Redirect all unknown incoming traffic to chosen private host

  12. Two-Way NAT • Sessions can be initiated from host both in public as in private network • Used to make private servers available on Internet • Examples: • Static Idx Type Interface Outside Address Inside Address Use 1 NAT pppoe0 50.0.0.138 40.0.1.1 0 Access List................... 40.0.1.1 Foreign Address............... any Protocol...................... any Flags......................... Static Description................... Two-way NAT [IN]pppoe0-> : 100.0.1.1 50.0.0.138 0076 TCP 50000->10000 [S.....] [UT]pppoe0->eth0 : 100.0.1.1 40.0.1.1 0076 TCP 50000->10000 [S.....] [IN] eth0-> : 40.0.1.1 100.0.1.1 0076 TCP 10000->50000 [S.A...] [UT] eth0->pppoe0 : 50.0.0.138 100.0.1.1 0076 TCP 10000->50000 [S.A...]

  13. Connection SharingHyperNAT – IP Passthrough • Allow public IP address to be used on LAN • “Default server” • IPSeC-AH client • Any NAT issues … • While preserving NAPT access for other PCs • UPnP v1.0 • All known alg’s : IPsec, pptp/l2tp, sip, … • Public IP address • assigned to PC manually or via DHCP • continued 1-1 NAT routing during WAN IP address change event • Compatible with dial-on-demand !

  14. Connection SharingHyperNAT – IP Passthrough Service/Portmaps “Default Server”

  15. Connectivity – NAT ALGs

  16. Definition ALG = Application Level Gateway • Translates addresses and ports NAT engine cannot handle • “Opens firewall” • Creates NAT mappings

  17. ALG Intervention Level ALG NAPT

  18. ALGs Real Actions • Create connection • Delete connection • Search connection • Packet modification • Add NAT mapping • Remove NAT mapping

  19. Supported ALGs • IP6to4 • PPTP (VPN) • ESP (IPSec) • IKE (IPSec) • SIP (VoIP) • JABBER • CU/SeeMe • RAUDIO • RTSP • ILS (NetMeeting phonebook) • H245 (NetMeeting) • H323 (NetMeeting) • IRC • FTP

  20. ALGs Triggering Each ALG is bound to (range of) port(s) Available ALGs: {Administrator}[connection]=>applist Application Proto DefaultPort Traces Timeout IP6TO4 6to4 0 enabled unavailable PPTP tcp 1723 enabled unavailable ESP esp 0 unavailable 15' 0" IKE udp 500 disabled 15' 0" SIP udp 5060 disabled 6 0" JABBER tcp 5222 disabled 2' 0" CU/SeeMe udp 7648 enabled unavailable RAUDIO(PNA) tcp 7070 enabled unavailable RTSP tcp 554 enabled unavailable ILS tcp 389 unavailable 5' 0" H245 tcp 0 unavailable 5' 0" H323 tcp 1720 enabled unavailable IRC tcp 6667 enabled 5' 0" LOOSE(UDP) udp 0 enabled 5' 0" FTP tcp 21 enabled unavailable

  21. FTP ALG LAN WAN • Tests: • Inbound vs. outbound • One vs. multiple LAN clients • One vs. multiple WAN servers • LAN server No firewall opening needed Firewall must accept incoming connection on port 1027, coming from port 2024 → inbound port shift mapping must be present

  22. Managed Security Service Firewall

  23. Firewall has 2 functions Protect ST Gateway from unwanted management access Police traffic LAN to WAN and vice versa Mapped on 2 Fwall services Firewall (fwd) GUI/CLI ServiceManager (sink/src) CLI Managed Security Service Firewall - Overview

  24. Managed Security ServiceFirewall - Default Policies Edit Level

  25. Stateful firewall CLI configuration • General configuration • :firewall config • state • Tcpchecks • Udpchecks • Icmpchecks

  26. Stateful firewall CLI configuration • Firewall menu • Chain • Incoming data is ‘intercepted’ at packet interception points with chains attached to them • List : shows available chains • Sink and source chains manages data sent/received to/from CPE ‘host’. • Sink/source traffic controlled by hostmanager • Rule • Every chain can have a set of rules, each with an index. • Lowest index rules are executed first

  27. Data Flow overview HOST SERVICES SYSTEM SERVICES Service MANAGER Manual firewall rules

  28. Firewall levels • Only related to forward chain !

  29. Firewall rules • Rules are linked to chains. • Main actions : drop, accept, deny, count • Classification criteria • Source and destination interface • Source and destination IP • Service : • Services from the :expr menu • Manual expressions can be created • Classifiers : • Tos, precedence, proto, dscp • Source/destination port ranges

  30. Firewall rules • Example with level=disabled

  31. Firewall level • Different levels according ICSA specification • Set, check level : • Firewall level set

  32. Hands on - Firewall • Create a rule which drops http forwarding if the level of the firewall is set to Standard. • :firewall level set … • :firewall rule add • chain forward_level • … • Create a rule which drops ftp to the CPE. • :firewall rule add • chain sink • … • Create a rule which denies udp with dest port 666 initiated from the CPE • :expr add • type serv • … • :firewall rule add • chain source • … • ip debug sendto addr=192.168.2.1 dstport=666

More Related