Tag Archives: Nat

ALG breaking a Zone Transfer

This came up when I tried to do a DNS zone transfer (AXFR) through a Cisco SOHO router (an 877): as soon as the transfer was triggered I received a RST packet. Initially I assumed it came from the server, but looking at the packet capture I noticed the TTL was 254, which means the packet originated one hop away, i.e. from the router itself (a reply from the real server would have had its TTL reduced by every router on the path). Why? Answer: the ALG.

The DNS ALG can only handle messages up to a certain size, and a zone transfer over TCP is far larger than a normal query; in the debug below it reads a DNS message length of 31751 bytes and aborts the flow. The only way to fix this is to DISABLE the ALG.

INTERNET#sh ver | i Vers
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)

[[email protected] ~]# dig -y @104.28.16.27 cocheno.com -t axfr
;; communications error to 104.28.16.27#53: connection reset

Looking at the NAT Debug…..

Jan 11 23:15:10.146: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.150:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.150: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.150:  NAT-L4F: Policy check successful
Jan 11 23:15:10.150:  NAT-L4F: received fd1: 1073742971 and
tcp flags = 0x2, payload_len = 0
Jan 11 23:15:10.294:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.294: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.294:  NAT-L4F: received fd2: 1073742972 and
tcp flags = 0x12,payload_len = 0
Jan 11 23:15:10.298:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.298: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.298:  NAT-L4F: Received final ACK from fd1 : 1073742971 and
tcp flags = 0x10
Jan 11 23:15:10.298:  NAT-L4F:Transistioning to proxy: rc 0 error 0
Jan 11 23:15:10.298:  NAT-L4F: Successfully proxied this flow
Jan 11 23:15:10.298:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.298: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.298: NAT-ALG: lookup=0 l7_bytes_recd=125 appl_type=12
Jan 11 23:15:10.298: NAT-ALG: DNS l7_msg_size = 125
Jan 11 23:15:10.298: NAT-ALG: after state machine:
Jan 11 23:15:10.298: NAT-ALG: remaining_hdr_sz=0
Jan 11 23:15:10.298: NAT-ALG: remaining_payl_sz=0
Jan 11 23:15:10.298: NAT-ALG: tcp_alg_state=0
Jan 11 23:15:10.298: NAT-ALG: complete_msg_len=125
Jan 11 23:15:10.298:  l4f_send returns 125 bytes
Jan 11 23:15:10.298:  Complete buffer written to proxy
Jan 11 23:15:10.298:  NAT-L4F:NO DATA to read
Jan 11 23:15:10.446:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.446: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.454:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.454: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.454: NAT-ALG: lookup=1 l7_bytes_recd=1452 appl_type=12
Jan 11 23:15:10.454: NAT-ALG: DNS l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-ALG: Unsupported l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-L4F:CSM isn't able to accept the pkt
Jan 11 23:15:10.458:  NAT-L4F:read RST, aborting
Jan 11 23:15:10.458:  NAT-L4F:setting ALG_NEEDED flag in subblock

How to disable the DNS ALG?

INTERNET-RTR(config)#no ip nat service alg tcp dns

This disables the ALG only for DNS over TCP, which is what a zone transfer uses; DNS over UDP is still handled by the ALG (no ip nat service alg udp dns would disable that as well). With the ALG off the router no longer inspects or rewrites addresses inside DNS payloads passing through NAT, so check that nothing behind the router relies on that before turning it off. After the change, rerun the dig: the AXFR should complete instead of reporting "connection reset".
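To make the failure visible from the debug rather than from the RST alone, here is an added Python example (mine, not from the original post or from Cisco) that pulls the NAT-ALG lines above into a small report and shows the DNS-over-TCP framing the ALG is reading. It assumes, from the figures in the log, that l7_msg_size is the 2-byte length prefix RFC 1035 puts in front of every DNS message carried over TCP (0x7c07 = 31751), read from the first 1452-byte segment before the rest of the transfer had arrived; the sample lines are copied from the capture above.

```python
import re

# Constructed sample: the NAT-ALG / NAT-L4F lines from the debug capture above,
# reduced to the fields this script reads.
DEBUG_LINES = """\
Jan 11 23:15:10.298: NAT-ALG: lookup=0 l7_bytes_recd=125 appl_type=12
Jan 11 23:15:10.298: NAT-ALG: DNS l7_msg_size = 125
Jan 11 23:15:10.298: NAT-ALG: complete_msg_len=125
Jan 11 23:15:10.454: NAT-ALG: lookup=1 l7_bytes_recd=1452 appl_type=12
Jan 11 23:15:10.454: NAT-ALG: DNS l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-ALG: Unsupported l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-L4F:CSM isn't able to accept the pkt
Jan 11 23:15:10.458:  NAT-L4F:read RST, aborting
""".splitlines()

RECD_RE = re.compile(r"NAT-ALG: lookup=\d+ l7_bytes_recd=(\d+)")
SIZE_RE = re.compile(r"NAT-ALG: DNS l7_msg_size = (\d+)")
UNSUPPORTED_RE = re.compile(r"NAT-ALG: Unsupported l7_msg_size = (\d+)")
ABORT_RE = re.compile(r"NAT-L4F:read RST, aborting")


def dns_tcp_message_length(segment: bytes) -> int:
    """DNS over TCP (RFC 1035 section 4.2.2) prefixes every message with a
    2-byte big-endian length. Assumption for this example: the ALG reads that
    prefix from the first segment and decides from it whether to proxy the message."""
    if len(segment) < 2:
        raise ValueError("need at least the 2-byte length prefix")
    return int.from_bytes(segment[:2], "big")


def frame_dns_tcp(message: bytes) -> bytes:
    """Wrap a wire-format DNS message for TCP transport."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS/TCP messages are limited to 65535 bytes")
    return len(message).to_bytes(2, "big") + message


def analyse_alg_debug(lines):
    """Walk the debug output and report each DNS message the ALG saw: how many
    payload bytes had arrived, the length it read from the prefix, and whether
    the ALG refused it and tore the flow down."""
    messages = []
    current = None
    aborted = False
    for line in lines:
        m = RECD_RE.search(line)
        if m:
            current = {"bytes_recd": int(m.group(1)), "msg_size": None, "unsupported": False}
            messages.append(current)
            continue
        m = SIZE_RE.search(line)
        if m and current is not None:
            current["msg_size"] = int(m.group(1))
            continue
        m = UNSUPPORTED_RE.search(line)
        if m and current is not None:
            current["unsupported"] = True
            continue
        if ABORT_RE.search(line):
            aborted = True
    return {"messages": messages, "aborted": aborted}


def explain(report) -> str:
    """One line per message, flagging the one the ALG could not handle."""
    out = []
    for msg in report["messages"]:
        status = "REFUSED by ALG" if msg["unsupported"] else "proxied"
        out.append(f"prefix says {msg['msg_size']} bytes, {msg['bytes_recd']} received so far: {status}")
    if report["aborted"]:
        out.append("flow aborted: the router, not the server, sent the RST")
    return "\n".join(out)


if __name__ == "__main__":
    print(explain(analyse_alg_debug(DEBUG_LINES)))
    # 31751 == 0x7c07: the first two bytes of the AXFR response were 0x7c 0x07
    print(hex(dns_tcp_message_length(b"\x7c\x07" + b"\x00" * 10)))
```

The first message (the 125-byte AXFR query) is proxied; the second is refused the moment the length prefix is read, before the response has even fully arrived, which is why the RST appears right at the start of the transfer.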

BCVRE 170-010 Study Notes part 3

Chapter 7 NAT

3 types of NAT:
Source NAT
Destination NAT
Bidirectional NAT – combines source and destination NAT to translate in both directions

NAT Rulebases

NAT uses a separate rulebase for each type of NAT. The rules in a rulebase are ordered numerically and, once a rule matches, the vRouter stops evaluating that rulebase; the remaining rules in it are not considered (first match wins).

Each rulebase includes 3 parameters:

Filters, identifying the traffic to be NATed. If no filter is defined, all traffic matches.
Post-translation address, defining the IP that is substituted when NAT is performed. The masquerade option uses the address of the outbound interface.
The interface the rule is applied to, and the direction. An interface must be specified.

If a port number is specified in the filter or in the post-translation address, the Layer 4 protocol must also be specified (TCP, UDP or both).

!NAT traffic from the source address range using the outbound interface address
[email protected]# show nat source
rule 10 {
source {
address 192.168.0.0/16
}
outbound-interface eth1
translation {
address masquerade
}
}

!Translate several port numbers of one public IP to different private IPs
[email protected]# show nat destination
rule 10 {
destination {
address 1.3.5.7
port 80
}
inbound-interface eth1
translation {
address 10.2.3.4
}
protocol tcp
}
rule 20 {
destination {
address 1.3.5.7
port 25
}
inbound-interface eth1
translation {
address 10.5.6.7
}
protocol tcp
}
rule 30 {
destination {
address 1.3.5.7
port 53
}
inbound-interface eth1
translation {
address 10.8.9.1
}
protocol udp
}

[email protected]:~$ show nat source rule
Disabled rules are not shown
Codes: X – exclude rule, M – masquerade rule
rule    intf              translation
----    ----              -----------
M10     eth1             saddr 192.168.100.0/24 to 216.134.166.19
proto-all        sport ANY

[email protected]:~$ show nat destination rules
Disabled rules are not shown
Codes: X – exclude rule
rule    intf              translation
----    ----              -----------
10      eth1             daddr 1.3.5.7 to 10.2.3.4
proto-tcp        dport 80
20      eth1             daddr 1.3.5.7 to 10.5.6.7
proto-tcp        dport 25
30      eth1             daddr 1.3.5.7 to 10.8.9.1
proto-udp        dport 53

[email protected]:~$ show nat source statistics
rule   pkts    bytes   interface
----   ----    -----   ---------
10     528     38349   eth1
20     0       0       eth1
30     1359K   96M     eth1

!View the active NAT translations
[email protected]:~$ show nat source trans
Pre-NAT              Post-NAT             Prot  Timeout
192.168.2.102        216.134.166.19       tcp   47
192.168.2.104        216.134.166.19       udp   0
192.168.2.102        216.134.166.19       udp   49
192.168.2.104        216.134.166.19       tcp   431740
192.168.2.104        216.134.166.19       tcp   431522
192.168.2.102        216.134.166.19       udp   179
192.168.2.104        216.134.166.19       tcp   431739
192.168.2.104        216.134.166.19       tcp   431988
192.168.2.104        216.134.166.19       tcp   431928
192.168.2.104        216.134.166.19       tcp   431810
192.168.2.106        216.134.166.19       tcp   326344
192.168.2.102        216.134.166.19       udp   28
192.168.2.102        216.134.166.19       udp   54
192.168.2.102        216.134.166.19       udp   179
192.168.2.104        216.134.166.19       udp   6
192.168.2.102        216.134.166.19       tcp   431848

Exclusion Filters

Allow specific traffic to be excluded from NAT, for example traffic that must enter a VPN tunnel with its original addresses.

These filters can also be created using a ! or "bang" as the NOT operator.

!The exclude rule must have a lower number than the masquerade rule, otherwise the masquerade rule matches first
[email protected]# show nat source
rule 10 {
destination {
address 10.10.10.0/24
}
exclude
outbound-interface eth0
}
rule 40 {
outbound-interface eth0
translation {
address masquerade
}
}
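The two points above, first-match ordering within a rulebase and exclusion filters, are easy to get wrong in the rule numbering, so here is an added Python model (written for this page, not vRouter code) of how a source NAT rulebase is evaluated: rules in numeric order, the first match decides, and an exclude rule ends evaluation without translating. It uses the two rules from the config above plus constructed addresses (203.0.113.1 for eth0, 192.168.1.20 as the inside host, 10.10.10.5 as a host behind the VPN, 198.51.100.7 on the Internet) and shows what happens if the exclude rule is renumbered after the masquerade rule: VPN traffic leaves masqueraded and no longer matches the tunnel.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One rule of a source NAT rulebase (a model of the Vyatta config, not its implementation)."""
    number: int
    outbound_interface: str
    translation: Optional[str] = None   # "masquerade", an address, or None for exclude rules
    exclude: bool = False
    source: Optional[str] = None        # CIDR filter on the packet source
    destination: Optional[str] = None   # CIDR filter on the packet destination
    protocol: Optional[str] = None      # "tcp", "udp" or None (all)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    out_interface: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every filter it defines matches; an undefined filter matches anything."""
    if rule.outbound_interface != pkt.out_interface:
        return False
    if rule.source and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.source, strict=False):
        return False
    if rule.destination and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.destination, strict=False):
        return False
    if rule.protocol and rule.protocol != pkt.proto:
        return False
    return True


def apply_source_nat(rules, pkt: Packet, interface_addresses: dict) -> str:
    """Evaluate the rulebase in numeric order; the first matching rule decides.
    Returns the post-translation source address (unchanged when excluded or unmatched)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule_matches(rule, pkt):
            continue
        if rule.exclude:
            return pkt.src                      # excluded: leave the packet alone and stop here
        if rule.translation == "masquerade":
            return interface_addresses[rule.outbound_interface]
        return rule.translation
    return pkt.src


# The rulebase from the config above: exclude the VPN subnet, masquerade everything else.
CORRECT_RULES = [
    Rule(number=10, outbound_interface="eth0", destination="10.10.10.0/24", exclude=True),
    Rule(number=40, outbound_interface="eth0", translation="masquerade"),
]

# Same two rules with the exclude renumbered after the masquerade: masquerade now wins first.
MISORDERED_RULES = [
    Rule(number=50, outbound_interface="eth0", destination="10.10.10.0/24", exclude=True),
    Rule(number=40, outbound_interface="eth0", translation="masquerade"),
]

# Constructed addresses for the demonstration (not from the original notes).
IFACE_ADDRS = {"eth0": "203.0.113.1"}
TO_VPN = Packet(src="192.168.1.20", dst="10.10.10.5", proto="tcp", out_interface="eth0")
TO_INTERNET = Packet(src="192.168.1.20", dst="198.51.100.7", proto="tcp", out_interface="eth0")


if __name__ == "__main__":
    for name, rules in (("correct", CORRECT_RULES), ("misordered", MISORDERED_RULES)):
        print(name, "vpn ->", apply_source_nat(rules, TO_VPN, IFACE_ADDRS),
              "internet ->", apply_source_nat(rules, TO_INTERNET, IFACE_ADDRS))
```

With the correct numbering the packet to 10.10.10.5 keeps its source 192.168.1.20 and the Internet-bound one becomes 203.0.113.1; with the exclude rule numbered 50, both are masqueraded, because rule 40 matched first and the rulebase was never evaluated further.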

Chapter 8 Licensing and Upgrades

Note: as of 1 November 2013 the entitlement and upgrade process described in this document is no longer available

To register the software the following parameters must be configured:
• Repository username
• Repository password
• Entitlement key

!Check whether the vRouter has been registered with the Vyatta entitlement server
show entitlement

Upgrading the vRouter

To upgrade, use the command upgrade system image, which automatically
downloads the new version. The repository username/password must be configured beforehand, otherwise they are requested during the upgrade.

The vRouter image has 2 components: the vRouter software itself and the underlying Linux pieces (drivers, system, ...).
If the system template has changed, a manual upgrade is required; otherwise the upgrade process proceeds normally.

The manual process is similar to creating a new VM, with a few additional steps:

1. Download the new template just as you did for your initial installation.
2. Copy the configuration file from your existing virtual machine. You can use SCP or FTP to copy it to an
external server, or use simple copy-paste from a console window.
3. Edit the configuration file to remove the hardware-specific settings. We’ll show you the details of what to
remove on the next screen.
4. Install a new virtual machine using the new template.
5. When your new VM has booted up, copy your edited configuration file to /config/config.boot on the new
system. This is the default configuration file for the vRouter device.
6. Reboot your new VM. When it boots, it will read the hardware values from the hypervisor software, and
pull the rest of the configuration data from the configuration file you just copied over.
7. Once your new VM is fully operational, you can cut over operations from the old VM. This cut over
represents the only downtime your network will experience during the upgrade process, and should be
almost non-disruptive depending on your hypervisor software.
You can verify the success of your device upgrade with the commands show version and show system image.

References:

BCVRE 170-010 Study Notes part 1

BCVRE 170-010 Study Notes part 2

Vyatta vRouter 5400 Online Documentation

Brocade Certified vRouter Engineer 2013 (BCVRE) Exam

Free voucher for the Brocade Certified vRouter Engineer (BCVRE) 170-010 Exam

Network Functions Virtualization

Certification Brocade Community

Certification Exam Information

Check Point Order of Operations

After some research: Check Point is not very clear on this topic for its newer platforms. This "Order of Operations" applies to FireWall-1, and possibly to the newer platforms as well.

Established connections are allowed as long as they are listed in the state tables, and are NATed as needed. For new connections, FireWall-1 follows this order of operations:

  • Inbound anti-spoof check (verifies that the source IP is included in the interface’s Topology setting)
  • Inbound check against the rulebase (includes properties)
  • NAT, if appropriate properties are enabled (see Chapter 10)
  • Outbound check against the rulebase (includes properties)
  • NAT, if appropriate properties are not enabled (see Chapter 10)

The rulebase is applied in the directions specified by the rules' "Install On" field. In most cases this means both entering and leaving the gateway. However, if a rule specifies Src (outbound) or Dst (inbound), the rule applies only in that direction. Once a packet matches a rule, the action in its "Action" field is executed and no further rules are processed. For authenticated connections not passing through Security Servers, rules and properties are processed in the following order:

  • Rulebase properties listed as First are processed. Matches are accepted and not logged.
  • Rules 1 through n-1 (assuming n rules) are processed and logged according to their individual settings.
  • Rulebase properties listed as Before Last are then processed. Matches are accepted and not logged.
  • Rule n is processed and logged according to its setting.
  • Rulebase properties listed as Last are then processed. Matches are accepted and not logged.
  • The Implicit Drop rule is matched (no logging occurs).

References:

Check Point Firewall

Network Address Translation (NAT) Notes

NAT is defined in RFC 1631 (since obsoleted by RFC 3022).

Name                   | Location of host represented by address                   | IP address space in which the address exists
Inside Local address   | Inside the enterprise network                             | Part of the enterprise IP address space; typically a private IP address
Inside Global address  | Inside the enterprise network                             | Part of the public IP address space
Outside Local address  | In the public Internet, or outside the enterprise network | Part of the enterprise IP address space; typically a private IP address
Outside Global address | In the public Internet, or outside the enterprise network | Part of the public IP address space

Topology:

R1——-s2/1-(outside)R2-(Inside)f0/1———-f0/0-R3

Example 1:

Using static NAT

R2(config)#
ip route 0.0.0.0 0.0.0.0 192.168.2.1

interface FastEthernet0/1
ip address 192.168.20.2 255.255.255.0
 ip nat inside

interface Serial2/1
ip address 192.168.2.2 255.255.255.0
 ip nat outside

ip nat inside source static 1.1.1.1 2.2.2.1

R3(config)#
ip route 0.0.0.0 0.0.0.0 192.168.20.2
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0

interface Loopback11
ip address 1.1.1.1 255.255.255.255
interface Loopback14
ip address 1.1.1.4 255.255.255.255
interface Loopback15
ip address 1.1.1.5 255.255.255.255
interface Loopback16
ip address 1.1.1.6 255.255.255.255
interface Loopback17
ip address 1.1.1.7 255.255.255.255
interface Loopback18
ip address 1.1.1.8 255.255.255.255
interface Loopback19
ip address 1.1.1.9 255.255.255.255
interface Loopback20
ip address 1.1.1.10 255.255.255.255

R3#ping 192.168.10.1 so loop11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/40/48 ms

R2#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 2.2.2.1:5         1.1.1.1:5          192.168.10.1:5     192.168.10.1:5

Example 2:

Using dynamic NAT

R2(config)#

!Identify the sources that use NAT
access-list 1 permit 1.1.1.4 0.0.0.3

!Create the IP pool
ip nat pool Pool1 2.2.2.4 2.2.2.7 prefix-length 30

ip nat inside source list 1 pool Pool1

R3#ping 192.168.10.1 so loop11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/40/48 ms

R3#telnet 192.168.10.1 /source-interface loop15
Trying 192.168.10.1 … Open

R2#sh ip nat statistics
Total active translations: 5 (1 static, 4 dynamic; 2 extended)
Outside interfaces:
Serial2/1
Inside interfaces:
FastEthernet0/1
Hits: 108  Misses: 0
CEF Translated packets: 104, CEF Punted packets: 2
Expired translations: 6
Dynamic mappings:
— Inside Source
[Id: 1] access-list 1 pool Pool1 refcount 4
 pool Pool1: netmask 255.255.255.252
        start 2.2.2.4 end 2.2.2.7
        type generic, total addresses 4, allocated 2 (50%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 2.2.2.6:52716      1.1.1.5:52716      192.168.10.1:23    192.168.10.1:23
— 2.2.2.6            1.1.1.5            —                —
icmp 2.2.2.5:2         1.1.1.6:2          192.168.10.1:2     192.168.10.1:2
— 2.2.2.5            1.1.1.6            —                —
— 2.2.2.1            1.1.1.1            —                —

Example 3:

Using NAT overload

!Overload through a pool

access-list 2 permit 1.1.1.8
ip nat pool Pool_GLOBAL 2.2.2.8 2.2.2.11 netmask 255.255.255.252
ip nat inside source list 2 pool Pool_GLOBAL overload

R3#telnet 192.168.10.1 /source-interface loop18

R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
— 2.2.2.1            1.1.1.1            —                —
tcp 2.2.2.10:39915     1.1.1.8:39915      192.168.10.1:23    192.168.10.1:23
tcp 192.168.2.2:19724  1.1.1.9:19724      192.168.10.1:23    192.168.10.1:23
tcp 192.168.2.2:51357  1.1.1.10:51357     192.168.10.1:23    192.168.10.1:23

Using NAT overload with the outside interface address

!Identify the sources that use NAT
access-list 3 permit 1.1.1.9
access-list 3 permit 1.1.1.10

ip nat inside source list 3 interface Serial 2/1 overload

R3#telnet 192.168.10.1 /source-interface loop19
R3#telnet 192.168.10.1 /source-interface loop20

R2#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
— 2.2.2.1            1.1.1.1            —                —
tcp 2.2.2.10:39915     1.1.1.8:39915      192.168.10.1:23    192.168.10.1:23
tcp 192.168.2.2:19724  1.1.1.9:19724      192.168.10.1:23    192.168.10.1:23
tcp 192.168.2.2:51357  1.1.1.10:51357     192.168.10.1:23    192.168.10.1:23
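The three examples differ in what ends up in the translation table, and that is what matters when auditing a NAT router: an address-level entry (the static 2.2.2.1 -> 1.1.1.1, or a dynamic pool allocation such as 2.2.2.6 -> 1.1.1.5 in Example 2) maps a whole inside host and is reachable from the outside, subject to the outside ACL, for as long as the entry exists, whereas overload entries exist per session only. The added Python parser below (mine, not Cisco's) reads the show ip nat translations output from Example 3, with the "---" that the page rendering turned into dashes restored, and sorts the entries into those two classes, reporting which global addresses are shared by more than one inside host.

```python
import re
from collections import defaultdict

# Constructed sample: the R2 translation table from Example 3 above
# (IOS prints the empty columns as "---").
SHOW_IP_NAT_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 2.2.2.1            1.1.1.1            ---                ---
tcp 2.2.2.10:39915     1.1.1.8:39915      192.168.10.1:23    192.168.10.1:23
tcp 192.168.2.2:19724  1.1.1.9:19724      192.168.10.1:23    192.168.10.1:23
tcp 192.168.2.2:51357  1.1.1.10:51357     192.168.10.1:23    192.168.10.1:23
"""


def split_endpoint(field: str):
    """'2.2.2.10:39915' -> ('2.2.2.10', 39915); '2.2.2.1' -> ('2.2.2.1', None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    addr, _, port = field.partition(":")
    return addr, (int(port) if port else None)


def parse_translations(text: str):
    """Parse 'show ip nat translations' into a list of dicts, one per row."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": None if proto == "---" else proto,
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return entries


def summarize(entries):
    """Group entries by the kind of mapping they represent.

    address_level: a whole inside address mapped 1:1 to a global (static, or a
        dynamic pool allocation); while it exists, the global address can be
        reached from outside on any port, so these are the hosts exposed through NAT.
    port_level: per-connection entries (PAT / overload); several inside hosts may
        share one global address and only the active sessions exist.
    """
    address_level = {}
    port_level = defaultdict(set)
    for e in entries:
        g_addr, g_port = e["inside_global"]
        l_addr, _ = e["inside_local"]
        if e["proto"] is None and g_port is None:
            address_level[g_addr] = l_addr
        else:
            port_level[g_addr].add(l_addr)
    return {"address_level": address_level, "port_level": dict(port_level)}


def shared_globals(summary):
    """Global addresses carrying sessions from more than one inside host (overload in use)."""
    return {g: sorted(hosts) for g, hosts in summary["port_level"].items() if len(hosts) > 1}


if __name__ == "__main__":
    s = summarize(parse_translations(SHOW_IP_NAT_TRANSLATIONS))
    print("1:1 address mappings      :", s["address_level"])
    print("port-level (PAT) entries  :", s["port_level"])
    print("globals shared by >1 host :", shared_globals(s))
```

On the table above the only address-level mapping is 2.2.2.1 -> 1.1.1.1 (the static from Example 1), 2.2.2.10 carries a single PAT session from 1.1.1.8, and the outside interface address 192.168.2.2 is shared by 1.1.1.9 and 1.1.1.10.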

Cisco Order of Operations

There are 2 important tables giving the order of operations in IOS: the NAT one and the QoS one.

NAT operations:

Inside-to-Outside:
  • If IPSec then check input access list
  • decryption – for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing

Outside-to-Inside:
  • If IPSec then check input access list
  • decryption – for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

QoS operations:

Inbound:
  1. QoS Policy Propagation through Border Gateway Protocol (BGP) (QPPB)
  2. Input common classification
  3. Input ACLs
  4. Input marking (class-based marking or Committed Access Rate (CAR))
  5. Input policing (through a class-based policer or CAR)
  6. IP Security (IPSec)
  7. Cisco Express Forwarding (CEF) or Fast Switching

Outbound:
  1. CEF or Fast Switching
  2. Output common classification
  3. Output ACLs
  4. Output marking
  5. Output policing (through a class-based policer or CAR)
  6. Queueing (Class-Based Weighted Fair Queueing (CBWFQ) and Low Latency Queueing (LLQ)), and Weighted Random Early Detection (WRED)