Date post: 28-Apr-2018
ASA version 9.1 NAT Hands-on Configuration Lab LTRSEC-3023
Gerard van Bon - CSE Security
Markus Frey - CSE Security
© 2014 Cisco and/or its affiliates. All rights reserved. LTRSEC-3023 Cisco Public
Introduction
Who created this lab
Why we wanted to create this Lab
What we hope you get out of it
Jay Johnston, Technical Leader, Services, 9 years @ Cisco
David White, Technical Leader, Services, 13 years @ Cisco
Agenda
4 hour class with 5 hands-on Labs
Format is alternating Lecture… then Lab
Lectures will focus on NAT migration and configuring NAT on the ASA
For each Lab, you will have approximately 20 minutes
After each Lab, we will walk through the solution
There will be one 15-minute break
Lab Design
By Popular Demand This Lab is designed around ASDM!
However… we are CLI guys, so we have added that in there too :-)
Background Knowledge: NAT Migration - Upgrading the ASA to version 8.3+
The Basics
ASA Version 8.3 is syntactically very different from all previous versions
The core of the ASA – NAT and ACLs were both fundamentally altered
If you were used to the old CLI style, it is a big adjustment
8.3 Upgrade Information
Key Changes
1. NAT configuration is completely different, and can be applied both in nat commands as well as in a network object
2. Real-IPs are used in ACLs, instead of NATed IPs
3. NAT statements only accept named objects – no more IP addresses
Version 8.3+ Upgrade Information
Upgrade Considerations
Increased memory requirements
ASA-5505s through ASA-5540s shipped before Feb 2010 do not meet minimum memory requirements for 8.3+
Memory should be upgraded prior to upgrading to 8.3+
Zero-downtime upgrade is supported from 8.2 to 8.3
ASA Memory Upgrade Videos
ASA-5505: https://supportforums.cisco.com/docs/DOC-11643
ASA-5510 through ASA-5540: http://www.cisco.com/en/US/docs/security/asa/hw/video/5500/asa_5510_mem_upgd.html
Version 8.3+ Upgrade Information
Memory Requirement Matrix (for your reference)

| ASA  | License                  | Pre-8.3 Memory Requirement | 8.3+ Memory Requirement | Memory Part Number       |
| 5505 | All other licenses       | 256 MB                     | 256 MB                  | No Memory Upgrade Needed |
| 5505 | Unlimited Inside Hosts   | 256 MB                     | 512 MB                  | ASA5505-MEM-512=         |
| 5505 | Security Plus (failover) | 256 MB                     | 512 MB                  | ASA5505-MEM-512=         |
| 5510 | All licenses             | 256 MB                     | 1024 MB                 | ASA5510-MEM-1GB=         |
| 5520 | All licenses             | 512 MB                     | 2048 MB                 | ASA5520-MEM-2GB=         |
| 5540 | All licenses             | 1024 MB                    | 2048 MB                 | ASA5540-MEM-2GB=         |
| 5550 | All licenses             | 4096 MB                    | 4096 MB                 | No Memory Upgrade Needed |
| 558x | All licenses             | 8-24 GB                    | 8-24 GB                 | No Memory Upgrade Needed |
Version 8.3+ Upgrade Information
Upgrade Paths (for your reference)
Cisco only supports upgrade from 8.2 to either 8.3 or 8.4
Incremental upgrade steps might be necessary
[Figure: upgrade path diagram. Versions 7.0, 7.1, 7.2, 8.0, 8.1 (5580 ONLY), 8.2, 8.3 and 8.4 are shown as a chain for the ASA 5505-5550, ASA 5580 and ASA 5585 platforms; four of the older releases are marked EOL.]
Version 8.3+ Upgrade Information
How to Upgrade
Upgrade process is identical to all previous upgrades
– From the CLI – set the first boot system command to be the new image
– From ASDM – under Device Management > Boot Image
At boot, ASA reads startup config. If the version in the startup-config is less than 8.3 and the nat_ident_migrate file is not in flash, the ASA determines this is an upgrade and automatically initiates the config conversion process.
ASA-5520# show startup-config
: Saved
: Written by dwhitejr at 09:55:35.534 UTC Tue Apr 17 2012
!
ASA Version 8.2(5)
!
hostname ASA-5520
domain-name cisco.com
enable password TRPEas6f/aa6JSPL level 1 encrypted
(The version line reads 8.2(5): version < 8.3, so the config is converted.)
ASDM Upgrade Process
Set Boot Image
In ASDM, select:
Configuration > Device Management > System Image/Configuration > Boot Image/Configuration
Then reload:
Tools > System Reload
Version 8.3+ Upgrade Information
First Boot
After first boot, the running config will contain the new, upgraded/converted configuration
The startup-config still maintains the ‘old’ config
Issue a ‘write memory’ to save the upgraded config to startup.
The upgrade process saves the following files to disk:
• <version>_startup_cfg.sav: pre-converted config file
• upgrade_startup_errors_<timestamp>.log: informational messages, warnings, and conversion errors
• nat_ident_migrate: flag (zero-byte file) indicating config migration took place
Version 8.3+ Upgrade Information
First Boot
Examine the contents of the upgrade_startup_errors… file
ASA-5520-2# more disk0:/upgrade_startup_errors_201206010013.log
INFO: MIGRATION - Saving the startup errors to file
'flash:upgrade_startup_errors_201206010013.log'
Reading from flash...
!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map',
'dynamic-filter classify-list', 'aaa match' will be migrated from
using IP address/ports as seen on interface, to their real values.
If an access-list used by these features is shared with per-user ACL
then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on
different interfaces are not detectable by automated Real IP migration.
If your deployment contains such scenarios, please verify your migrated
configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete
explanation of the automated migration process.
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file
'flash:8_2_5_0_startup_cfg.sav'
Version 8.3+ Upgrade Information
Downgrade Procedure
If you encounter problems after upgrading and cannot troubleshoot, you must use the downgrade CLI command
Simply changing the boot variable back to the older image will cause issues such as NAT config loss
Specify the old image and auto-saved pre-upgrade config file
ASA# downgrade disk0:/asa825-k8.bin disk0:/8_2_5_0_startup_cfg.sav
The device will reload and downgrade to the specified image.
Press [Y]es or <newline> to confirm (any other key will abort):Y
INFO: Boot parameters cleared
INFO: Boot system configured to be disk0:/asa825-k8.bin
Cryptochecksum: 649f039b 0c1e911f 73cf3717 d93017a9
3616 bytes copied in 1.740 secs (3616 bytes/sec)
INFO: Saving disk0:/8_2_5_0_startup_cfg.sav to startup-config
Copy in progress...C
3550 bytes copied in 0.10 secs
Process shutdown finished
Rebooting…
Let the Fun Begin!
Objective
The objective is simple, keep your web server up (100% availability).
Watch the status of your server on the screen. Green means UP, Red means Down.
Lab – General Rules
1. Do Not – Remove the IP Address from your ASA
2. Do Not – Shutdown any of the Interfaces on your ASA
3. Do Not – Block SSH access to your ASA (by modifying the ‘ssh …’ commands)
4. Do Not – Remove/Change usernames or passwords
5. Do Not – Modify the AAA configuration
6. Do Not – Block access from our monitoring server (10.1.1.211) to your web server
7. Please see us if you feel the need to ‘reboot’ your ASA
Lab – Initial Connectivity
The Lab Guide provides the topology and all connectivity information.
Follow the steps there to:
1. Establish the SSH Session to your ASA
2. Verify your Web Server is serving up your web page
Lab - Topology
[Figure: lab topology. XX = Pod Number. Networks: Outside 10.2.XX.0/24 (hosts .1 and .2; the ASA outside interface is 10.2.XX.2), Inside 10.3.XX.0/24, DMZ 10.4.XX.0/24, and 192.168.1.0/24. Web Servers 10.3.XX.50 and 10.3.XX.60 behind the ASA. Test traffic: HTTP to Web Server, SSH to Outside of ASA.]
SSH Authentication: Use Putty to 10.2.XX.2 user: cisco pass: cisco
ASDM Authentication: https://10.2.XX.2 user: cisco pass: cisco
Important Notes
The ASAs are in production, so only make changes to them that you would make on your own production ASAs to turn up new services.
After each lab, we will reset the configurations to a default state, and you will be kicked out. You will lose your SSH/ASDM connection and will need to reconnect.
LAB 1
You have been hired as a civilian Networking Expert for the US Fast Attack Submarine fleet stationed at Naval Base San Diego.
Preparations are currently underway for the USS Magnus to be deployed. Your job is to upgrade the USS Magnus’ ASA from version 8.2 to version 8.4, and verify access to the dive control system web server behind the ASA.
Network Objects
The Basics
What is a Network Object?
A network object is a named container which holds:
• An IP (host, network, range, or FQDN)
• (Optional) Description
• (Optional) NAT rule - for the object
Example (host, subnet, range and fqdn are alternatives; an object holds one of them):
object network Servers
 host 192.168.1.2
 subnet 10.1.0.0 255.255.0.0
 range 10.1.1.1 10.1.1.254
 fqdn www.cisco.com
 description Server Net
 nat static 209.165.200.3
Network Objects
You use Network Objects to identify ‘things’
Apply the Network Objects in:
• Object-groups
• Access-lists
• NAT Rules
Objects: WebServer (host 10.1.1.3), ServerNet (subnet 10.1.1.0 255.255.255.0), ClientRange (range 10.1.1.3 10.1.1.5)
object-group network ServerFarm
 network-object object WebServer
 network-object object ServerNet
!
access-list outside permit tcp any object WebServer eq 80
!
nat (inside,outside) source static WebServer PublicWebServer
Creating a Network Object
ASDM (and CLI)
ASDM: Configuration > Firewall > Objects > Network Objects/Groups > Add > Network Object
CLI:
object network WebServer
 host 10.1.1.3
Creating a Network Object
ASDM (and CLI)
Additionally, in ASDM Network Objects can be created in many other places, for example in the workflows of Access-Rules or NAT Rules.
Network Objects
Naming Conventions
Upon upgrade, the ASA converts all IPs used in NAT (static, nat and global commands) to objects.
The objects are named starting with obj- followed by the IP or network. Example: obj-10.2.2.3
For large networks, this is the easiest naming scheme to follow
Small networks may choose to name their objects with more contextual / real names. Example: WebServer. Note: CLI users not familiar with the names must then manually look up each object to find the address it holds.
Object NAT: NAT defined within an object
Object NAT (Auto-NAT)
Object NAT is the simplest form of NAT, and is defined within a network object
Need to identify:
1. If the object is static, or dynamically translated
2. (Optionally) What interfaces the translation applies to (Appears under the Advanced button in ASDM)
Can specify the Translated address by IP!
Object NAT (Auto-NAT) ASDM Rule View
Object NAT (Auto-NAT) Creation in ASDM
[ASDM screenshot callouts: Type of Network Object; Type of NAT to Apply to the Object]
Object-NAT (Auto-NAT) CLI Examples of Object NAT
Host Based Object NAT:
object network obj-WebServer
 host 10.3.19.50
 nat (inside,outside) static 198.51.100.50
Network Based Object NAT:
object network Servers
 subnet 10.0.54.0 255.255.255.0
 nat (inside,outside) static 203.0.113.0
Dynamic PAT (interface overload) Object NAT:
object network InternalUsers
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
Manual NAT: Also called “Twice NAT”
Manual NAT (Twice NAT)
Manual NAT is used to specify how to translate traffic depending on the Destination IP/subnet of the packet
Manual NAT rules can come ‘before’ Object NAT rules (default) (Section 1), or ‘after-auto’ – after the Object NAT rules (Section 3).
NAT table layout: Section 1 Manual NAT Rules, Section 2 Object NAT Rules, Section 3 Manual NAT Rules (after-auto)
Creating Manual NAT rules in ASDM
Manual NAT (Twice NAT)
Manual NAT is configured using only Objects or Object-Groups – NO IPs!
Manual NAT is also called Twice-NAT because it can specify how to translate the source and the destination of the packet (“NAT the packet twice”)
If the Manual NAT line specifies an identity translation for the destination, then the destination is not changed, and the destination is simply used to match the packet.
[ASDM screenshot callouts: Translate Source; Translate Destination]
Manual NAT ASDM Breakdown – Source Translated
Forward Flow: Translate Source; ‘Match’ Destination
Reverse Flow: ‘Match’ Source; Un-NAT Destination
Manual NAT ASDM Breakdown - Twice NAT
Forward Flow: Translate Source; Translate Destination
Reverse Flow: Un-NAT Source; Un-NAT Destination
Manual NAT command breakdown
nat (in,out) source static inLocal inGlobal destination static outGlobal outLocal
• (in,out): Specify interfaces the NAT rule applies to
• source static: Translate the source statically (one to one)
• inLocal inGlobal: Change the source IP from ‘inLocal’ to ‘inGlobal’
• destination static: Translate the destination statically (one to one)
• outGlobal outLocal: For the packet to match this translation the destination IP must match ‘outGlobal’; change the destination IP from ‘outGlobal’ to ‘outLocal’
Manual NAT
Manual NAT can be used for policy NAT (NAT depending on the destination IP address)
Example configuration
object network ServerReal
 host 10.3.19.50
object network ServerTrans
 host 198.51.100.50
object network RemoteSite
 subnet 10.0.0.0 255.255.255.0
Static NAT:
nat (inside,outside) source static ServerReal ServerTrans
Static Policy NAT:
nat (inside,outside) source static ServerReal ServerTrans destination static RemoteSite RemoteSite
Manual NAT (Twice NAT)
Manual NAT should be used to translate the destination, or for policy NAT
object network ServerReal
 host 10.3.19.50
object network ServerTrans
 host 198.51.100.50
object network RemoteSite
 subnet 10.0.0.0 255.255.255.0
object network RemoteTrans
 subnet 203.0.113.0 255.255.255.0
Static Policy NAT – NAT Exemption (for VPN):
nat (inside,outside) source static ServerReal ServerReal destination static RemoteSite RemoteSite
Static - Twice NAT (Translate Source IP and Translate Destination IP):
nat (inside,outside) source static ServerReal ServerTrans destination static RemoteSite RemoteTrans
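To make the forward and reverse flows of the command breakdown concrete, here is an added Python model (not part of the lab deck or any Cisco code) that applies the NAT exemption and twice NAT rules above to sample packets. It uses the ServerReal / ServerTrans / RemoteSite / RemoteTrans objects from the slides; the object-to-prefix table and the sample packets are constructed, and only static one-to-one translation of host and subnet objects is modelled.

```python
"""Forward and reverse application of an ASA manual (twice) NAT rule.

Added illustration, not Cisco code. Models the semantics of
  nat (in,out) source static inLocal inGlobal destination static outGlobal outLocal
for static one-to-one host/subnet objects only (constructed model).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Network objects from the slides, name -> prefix (constructed lookup table).
OBJECTS = {
    "ServerReal": ip_network("10.3.19.50/32"),
    "ServerTrans": ip_network("198.51.100.50/32"),
    "RemoteSite": ip_network("10.0.0.0/24"),
    "RemoteTrans": ip_network("203.0.113.0/24"),
}


@dataclass(frozen=True)
class ManualNatRule:
    """nat (inside,outside) source static <real_src> <mapped_src>
                            destination static <dst_match> <dst_translated>"""
    real_src: str        # inLocal  : source as seen on the inside interface
    mapped_src: str      # inGlobal : source as seen on the outside interface
    dst_match: str       # outGlobal: destination the inside host sends to (used to match)
    dst_translated: str  # outLocal : destination as delivered on the outside

    def cli(self):
        return (f"nat (inside,outside) source static {self.real_src} {self.mapped_src} "
                f"destination static {self.dst_match} {self.dst_translated}")


def _rewrite(addr, from_net, to_net):
    """Static one-to-one mapping: keep the host offset within the prefix."""
    offset = int(addr) - int(from_net.network_address)
    return ip_address(int(to_net.network_address) + offset)


def translate_forward(rule, src, dst):
    """Forward flow (packet enters on inside): translate source, translate destination.

    Matches when src is in real_src AND dst is in dst_match. Returns the
    translated (src, dst) as strings, or None when the rule does not match
    (the ASA would then try the next rule in the NAT table)."""
    src, dst = ip_address(src), ip_address(dst)
    real_src, mapped_src = OBJECTS[rule.real_src], OBJECTS[rule.mapped_src]
    dst_match, dst_xlated = OBJECTS[rule.dst_match], OBJECTS[rule.dst_translated]
    if src not in real_src or dst not in dst_match:
        return None
    return (str(_rewrite(src, real_src, mapped_src)),
            str(_rewrite(dst, dst_match, dst_xlated)))


def translate_reverse(rule, src, dst):
    """Reverse flow (packet enters on outside): un-NAT source, un-NAT destination.

    Matches when src is in dst_translated AND dst is in mapped_src."""
    src, dst = ip_address(src), ip_address(dst)
    real_src, mapped_src = OBJECTS[rule.real_src], OBJECTS[rule.mapped_src]
    dst_match, dst_xlated = OBJECTS[rule.dst_match], OBJECTS[rule.dst_translated]
    if src not in dst_xlated or dst not in mapped_src:
        return None
    return (str(_rewrite(src, dst_xlated, dst_match)),
            str(_rewrite(dst, mapped_src, real_src)))


# The two rules from the slides.
NAT_EXEMPTION = ManualNatRule("ServerReal", "ServerReal", "RemoteSite", "RemoteSite")
TWICE_NAT = ManualNatRule("ServerReal", "ServerTrans", "RemoteSite", "RemoteTrans")

if __name__ == "__main__":
    print(TWICE_NAT.cli())
    print("forward:", translate_forward(TWICE_NAT, "10.3.19.50", "10.0.0.7"))
    print("reverse:", translate_reverse(TWICE_NAT, "203.0.113.7", "198.51.100.50"))
    print("exempt :", translate_forward(NAT_EXEMPTION, "10.3.19.50", "10.0.0.7"))
```

With the identity destination of the exemption rule the packet comes back unchanged, which is exactly the "destination is simply used to match the packet" behaviour described above; with the twice NAT rule both addresses change on the way out and are restored on the way back.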
NAT Order of Operations
The ASA configuration is built into the NAT Table (show nat)
The NAT Table is based on First Match (top to bottom)
NAT Table:
• Manual NAT Policies (Section 1): First Match (in config)
• Auto NAT Policies (Section 2): Static NAT first (Longest Prefix to Shortest Prefix), then Dynamic NAT (Longest Prefix to Shortest Prefix)
• Manual NAT [after auto] Policies (Section 3): First Match (in config)
NAT Order of Operations
ASA# show run nat
nat (inside,outside) source dynamic Users1 NATPool1
nat (inside,outside) source static ServerReal ServerTrans
!
object network Users2
nat (inside,outside) dynamic NATPool2
object network SecureServ
nat (inside,outside) static 203.0.113.82
!
nat (inside,outside) after-auto source dynamic Users3 NATPool3
nat (inside,outside) after-auto source static Servers ServersTrans
ASA# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Users1 NATPool1
translate_hits = 3321, untranslate_hits = 0
2 (inside) to (outside) source static ServerReal ServerTrans
translate_hits = 0, untranslate_hits = 93829
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static SecureServ 203.0.113.82
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic Users2 NATPool2
translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic Users3 NATPool3
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static Servers ServersTrans
translate_hits = 0, untranslate_hits = 0
NAT line hit counts increment when new connections match the NAT rule
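The following Python model is an added example, not part of the lab deck or any Cisco tooling. It parses the show run nat excerpt above and rebuilds the NAT table in show nat order using the rules from the order-of-operations slide (Section 1 in config order, Section 2 static before dynamic and longest prefix first, Section 3 in config order), then resolves a source address by first match top to bottom. The object bodies are not shown on the slide, so the prefixes in OBJECTS are constructed, and the tie-break between equal-length prefixes is taken to be configuration order, which is an assumption the slides do not state.

```python
"""Build the ASA NAT table in 'show nat' order from 'show run nat' text.

Added example, not Cisco code. Object prefixes are constructed because the
slide's excerpt does not include the object bodies; equal-length prefixes
are ordered by configuration position (assumption).
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed object bodies (name -> prefix); not shown on the slide.
OBJECTS = {
    "Users1": "10.1.0.0/16",
    "ServerReal": "10.3.19.50/32",
    "Users2": "192.168.2.0/24",
    "SecureServ": "10.3.19.60/32",
    "Users3": "10.5.0.0/16",
    "Servers": "10.3.19.0/24",
}

# The 'show run nat' output from the slide.
SHOW_RUN_NAT = """\
nat (inside,outside) source dynamic Users1 NATPool1
nat (inside,outside) source static ServerReal ServerTrans
!
object network Users2
 nat (inside,outside) dynamic NATPool2
object network SecureServ
 nat (inside,outside) static 203.0.113.82
!
nat (inside,outside) after-auto source dynamic Users3 NATPool3
nat (inside,outside) after-auto source static Servers ServersTrans
"""

MANUAL = re.compile(r"^nat \((\w+),(\w+)\) (after-auto )?source (static|dynamic) (\S+) (\S+)")
OBJECT = re.compile(r"^object network (\S+)")
AUTO = re.compile(r"^\s+nat \((\w+),(\w+)\) (static|dynamic) (\S+)")


@dataclass(frozen=True)
class NatRule:
    section: int   # 1 = manual, 2 = auto (object), 3 = manual after-auto
    ingress: str
    egress: str
    mode: str      # static | dynamic
    real: str      # real (object) name
    mapped: str    # mapped object, pool, or literal IP
    order: int     # line position in the configuration

    def line(self):
        return f"({self.ingress}) to ({self.egress}) source {self.mode} {self.real} {self.mapped}"


def parse_show_run_nat(text):
    """Collect manual and object NAT rules together with the section each belongs to."""
    rules, current_object = [], None
    for n, raw in enumerate(text.splitlines()):
        if m := OBJECT.match(raw):
            current_object = m.group(1)
        elif m := MANUAL.match(raw):
            ingress, egress, after, mode, real, mapped = m.groups()
            rules.append(NatRule(3 if after else 1, ingress, egress, mode, real, mapped, n))
        elif (m := AUTO.match(raw)) and current_object:
            ingress, egress, mode, mapped = m.groups()
            rules.append(NatRule(2, ingress, egress, mode, current_object, mapped, n))
        elif raw.startswith("!"):
            current_object = None
    return rules


def build_nat_table(rules, objects=OBJECTS):
    """Order the rules the way 'show nat' lists them."""
    def auto_key(r):  # static first, then longest prefix, then config order
        return (0 if r.mode == "static" else 1, -ip_network(objects[r.real]).prefixlen, r.order)
    section1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    section2 = sorted((r for r in rules if r.section == 2), key=auto_key)
    section3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    return section1 + section2 + section3


def first_match(table, src, objects=OBJECTS):
    """First rule (top to bottom) whose real object contains the source address."""
    addr = ip_address(src)
    for rule in table:
        if addr in ip_network(objects[rule.real]):
            return rule
    return None


def render(table):
    """Text in the style of 'show nat' (without hit counters)."""
    titles = {1: "Manual NAT Policies (Section 1)", 2: "Auto NAT Policies (Section 2)",
              3: "Manual NAT Policies (Section 3)"}
    out, section, n = [], None, 0
    for rule in table:
        if rule.section != section:
            section, n = rule.section, 0
            out.append(titles[section])
        n += 1
        out.append(f"{n} {rule.line()}")
    return "\n".join(out)


if __name__ == "__main__":
    table = build_nat_table(parse_show_run_nat(SHOW_RUN_NAT))
    print(render(table))
    print("10.3.19.50 ->", first_match(table, "10.3.19.50").line())
```

Note how SecureServ is listed before Users2 in Section 2 even though Users2 is configured first, and how 10.3.19.50 is served by the Section 1 ServerReal rule although the after-auto Servers rule also covers it: the table order, not the configuration order, decides.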
Real-IP
Finally, a reminder that with 8.3+ Real-IPs are used in ACLs
object network obj-WebServer
 host 10.3.19.50
 nat (inside,outside) static 198.51.100.50
!
access-list allowIn permit tcp any host 10.3.19.50 eq 80
!
access-group allowIn in interface outside
The ACL references 10.3.19.50, the real, untranslated address of the internal server. [Figure: Web Server 10.3.19.50 on the inside, reached as 198.51.100.50 from the outside; the inbound ACL permits traffic destined to 10.3.19.50.]
NAT Troubleshooting using TCP Ping
New troubleshooting tool added in ASA ver 8.4.1
Why is it needed??? Consider the following…
[Figure: client 10.1.1.7 behind the ASA, www server (209.165.200.225) on the far side.]
NAT Troubleshooting using TCP Ping
Previously – limited reachability tools: Ping and Traceroute
[Figure: ICMP Echo Request / Echo Reply exchanges between 10.1.1.7, the ASA and the www server (209.165.200.225).]
Ping attempts to validate the path, but with ICMP. Do we have access to the client machine? What about NAT and/or PAT?
NAT Troubleshooting using TCP Ping
Sources TCP SYN packet with Client’s IP and injects it into Client’s interface of the ASA
[Figure: inside client 10.1.1.7, ASA (inside / outside), www server (209.165.200.225); internal hosts are PATed to 198.51.100.2.]
1. Packet with SRC of 10.1.1.7 injected on Inside interface
2. ASA Datapath Validated (NAT, ACLs, etc)
3. Packet PATed to 198.51.100.2 on Egress
4. TCP SYN sent to server
5. TCP SYN+ACK sent from server
TCP Ping – The Big Picture
Validates 2 of the 3 legs of the connection from client to server
[Figure: 1st Leg client 10.1.1.7 to ASA inside; 2nd Leg ASA outside to the cloud; 3rd Leg cloud to www server (209.165.200.225).]
The TCP path from the client side of the ASA to the server through the cloud is validated; the leg from the client to the ASA is not.
TCP Ping - Example
[Figure: inside client 10.1.1.7, ASA (inside / outside), www server (209.165.200.225).]
asa# ping tcp
Interface: inside
Target IP address: 209.165.200.225
Target IP port: 80
Specify source? [n]: y
Source IP address: 10.1.1.7
Source IP port: [0]
Repeat count: [5]
Timeout in seconds: [2]
Type escape sequence to abort.
Sending 5 TCP SYN requests to 209.165.200.225 port 80
from 10.1.1.7 starting port 3465, timeout is 5 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
At the Interface prompt, specify the Client’s source Interface; at the Source IP address prompt, specify the Client’s real IP Address.
LAB 2
The ASA upgrade on the USS Magnus went without a hitch, and your Commanders are impressed! Of course, the reward for a job well done is more work, and you have been deployed to the submarine the USS Carrington. A new ballistic missile control system is being deployed on the sub, and you are tasked with configuring NAT so that Central Command has access to the servers remotely.
Using Object NAT, translate the dive control web server on the inside from 10.3.XX.50 to 209.165.XX.5 on the outside
Using Manual NAT, translate the ballistic missile control web server on the inside from 10.3.XX.60 to 209.165.XX.7 on the outside
Use static one-to-one translations, but only permit access to the Fire control system’s web interface.
Object NAT vs. Manual NAT
Object NAT and Manual NAT are functionally equivalent.
object network ServerReal
 host 10.3.19.50
object network ServerTrans
 host 198.51.100.50
Object NAT:
object network ServerReal
 nat (inside,outside) static ServerTrans
Manual NAT:
nat (inside,outside) source static ServerReal ServerTrans
Object NAT vs. Manual NAT
The difference is where the entries exist in the NAT table (different sections)
ASA# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static ServerReal ServerTrans
translate_hits = 0, untranslate_hits = 87
Source - Origin: 10.3.19.50/32, Translated: 198.51.100.50/32
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static ServerReal ServerTrans
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.3.19.50/32, Translated: 198.51.100.50/32
Object NAT vs. Manual NAT
When to use either type?
Object NAT:
• Objects are re-usable throughout the configuration. Use them if you can, and define NAT within them (easy to change IP addresses)
• Can reference global IP without creating a new object
• NAT Table is automatically ordered, avoids most accidental NAT configuration overlaps
Manual NAT:
• Required for translating based on destination IP address (Policy-NAT)
• Required for NAT Exemption (No NAT for VPN traffic)
• Allows for complete control of NAT configuration ordering
NAT: Using ‘Any’ interface designator
Allows a NAT rule to apply to ANY interface
Example: All packets sourced AND destined to RFC 1918 (local) networks should not be translated through the ASA
NAT: Using ‘Any’ interface designator
Ex: Translate a DMZ server to the same global IP on ALL 200 ASA interfaces
[Figure: dmz server 172.16.12.4, NAT: 209.165.200.125]
Use global ACL rule to permit traffic to real address of server
If the server’s IP address changes, no problem! Just edit the object and the NAT and ACL rules are taken care of
LAB 3
You’ve been at sea for three weeks now. Based on your stellar performance, the Captain has promoted you. You now manage the Sub Fleet’s Networking group. Congratulations! You have just been deployed on a training mission to the USS Robertson, where you will update the network team on the fleet’s new security practices.
While in the mess hall, you overhear one of your trainees telling a teammate that “ASA NAT rules MUST ALWAYS be configured from the inside to the outside, and never from outside to inside”. You pull the engineer aside and take him to the ship’s network center to show him he is misinformed.
First create a Manual NAT rule translating the dive control system (10.3.XX.50) to the global IP Address of 209.165.XX.5 when passing from the Inside to the Outside. Next, you will delete that rule and add an equivalent inverted rule from the Outside to the Inside. In both cases you will be able to access the webserver via the Global IP Address of 209.165.XX.5.
NAT Troubleshooting: ASDM Packet Tracer
Packet Tracer allows you to trace the packet as it passes through the ASA
You can trace either a crafted packet, or a packet that was previously captured
Packet Tracer
Trace Captured Packet:
Pod19# capture out interface outside access-list cap trace
Pod19# show capture out
. . .
43: 19:30:24.765615 802.1Q vlan#5 P0 10.1.1.211.43730 > 10.3.19.50.80: S 612034548:612034548(0) win 5840 <mss 1460,sackOK,timestamp 372044700 0,nop,wscale 6>
Pod19# show capture out trace packet-number 43
Packet Tracer from CLI:
Pod32# packet-tracer input inside icmp 10.3.32.20 8 0 192.168.1.1
…
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-10.3.32.20
 nat (inside,outside) static 209.165.200.225
Additional Information:
Static translate 10.3.32.20/0 to 209.165.200.225/0
NAT Troubleshooting: ‘show nat’ CLI
Prior to 8.3, show xlate was the best command to use for troubleshooting NAT issues.
With the NAT changes introduced in 8.3, one should now use the show nat detail command, which allows for visibility of the IPs/Networks within an object.
Pod19# show nat detail
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static obj-10.3.19.98 obj-209.165.200.252 destination static obj-209.165.201.0 obj-209.165.201.0
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.3.19.98/32, Translated: 209.165.200.252/32
Destination - Origin: 209.165.201.0/24, Translated: 209.165.201.0/24
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj-HR-unixServer 209.165.200.225
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.3.19.20/32, Translated: 209.165.200.225/32
2 (inside) to (outside) source static obj-HR-linuxServer 209.165.200.227
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.3.19.22/32, Translated: 209.165.200.227/32
show xlate vs. show nat detail
Pod19# show xlate
14 in use, 16 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:10.3.19.98 to outside:209.165.200.252
flags s idle 0:00:07 timeout 0:00:00
NAT from inside:10.3.19.20 to outside:209.165.200.225
flags s idle 0:00:07 timeout 0:00:00
NAT from inside:10.3.19.22 to outside:209.165.200.227
flags s idle 0:00:07 timeout 0:00:00
In show xlate each line shows the Real (UnMapped) IP and the Translated (Mapped) IP. In show nat detail each rule lists the Real (UnMapped) and Translated (Mapped) Source IP and, for twice NAT, the Real (UnMapped) and Translated (Mapped) Destination IP.
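Since show nat detail is now the troubleshooting command of choice, here is an added Python example (not from the lab deck or Cisco) that parses that output into structured records and runs two checks a practitioner would want when auditing a NAT table: rules whose hit counters are still zero in both directions, and rules sitting below a broader rule on the same interface pair that first match (top to bottom) may keep from ever translating outbound traffic. The sample input is the Pod19 output above with the wrapped Section 1 line re-joined; the shadow check is a heuristic that compares real source prefixes only and ignores any destination clause on the later rule, which is an assumption of this example.

```python
"""Parse 'show nat detail' output and flag rules that deserve a second look.

Added example, not Cisco tooling. SAMPLE is the Pod19 output from the
slides (constructed input). The shadow check is a heuristic that ignores
destination clauses on the later rule (assumption).
"""
import re
from dataclasses import dataclass
from ipaddress import ip_network

SAMPLE = """\
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static obj-10.3.19.98 obj-209.165.200.252 destination static obj-209.165.201.0 obj-209.165.201.0
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.3.19.98/32, Translated: 209.165.200.252/32
    Destination - Origin: 209.165.201.0/24, Translated: 209.165.201.0/24
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj-HR-unixServer 209.165.200.225
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.3.19.20/32, Translated: 209.165.200.225/32
2 (inside) to (outside) source static obj-HR-linuxServer 209.165.200.227
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.3.19.22/32, Translated: 209.165.200.227/32
"""

SECTION = re.compile(r"^(?:Manual|Auto) NAT Policies \(Section (\d)\)")
RULE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)"
                  r"(?: destination (?:static|dynamic) (\S+) (\S+))?")
HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
SRC = re.compile(r"^Source - Origin: (\S+), Translated: (\S+)")
DST = re.compile(r"^Destination - Origin: (\S+), Translated: (\S+)")


@dataclass
class NatEntry:
    section: int
    number: int
    ingress: str
    egress: str
    mode: str
    real_obj: str
    mapped_obj: str
    has_destination: bool
    translate_hits: int = 0
    untranslate_hits: int = 0
    src_origin: str = ""
    src_translated: str = ""
    dst_origin: str = ""
    dst_translated: str = ""

    @property
    def label(self):
        return f"section {self.section} rule {self.number}"


def parse_show_nat_detail(text):
    """Return NatEntry objects in table order (Section 1, then 2, then 3)."""
    entries, section, current = [], 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            section = int(m.group(1))
        elif m := RULE.match(line):
            num, ingress, egress, mode, real, mapped, dst_real, _ = m.groups()
            current = NatEntry(section, int(num), ingress, egress, mode, real, mapped,
                               dst_real is not None)
            entries.append(current)
        elif current is None:
            continue
        elif m := HITS.search(line):
            current.translate_hits, current.untranslate_hits = int(m.group(1)), int(m.group(2))
        elif m := SRC.match(line):
            current.src_origin, current.src_translated = m.groups()
        elif m := DST.match(line):
            current.dst_origin, current.dst_translated = m.groups()
    return entries


def unused_rules(entries):
    """Rules that no new connection has matched in either direction."""
    return [e.label for e in entries if e.translate_hits == 0 and e.untranslate_hits == 0]


def shadowed_rules(entries):
    """(later, earlier) pairs: the earlier rule has no destination clause, uses the
    same interface pair and covers every real source address of the later rule,
    so the later rule cannot win the outbound first-match lookup."""
    found = []
    for i, later in enumerate(entries):
        if not later.src_origin:
            continue
        later_net = ip_network(later.src_origin)
        for earlier in entries[:i]:
            same_path = (earlier.ingress, earlier.egress) == (later.ingress, later.egress)
            if (same_path and not earlier.has_destination and earlier.src_origin
                    and later_net.subnet_of(ip_network(earlier.src_origin))):
                found.append((later.label, earlier.label))
                break
    return found


if __name__ == "__main__":
    rules = parse_show_nat_detail(SAMPLE)
    for r in rules:
        print(r.label, r.src_origin, "->", r.src_translated,
              "hits:", r.translate_hits, r.untranslate_hits)
    print("unused:", unused_rules(rules))
    print("shadowed:", shadowed_rules(rules))
```

Zero hit counters on a freshly configured or recently cleared box are expected; the check becomes useful on a device that has been passing traffic for a while, where a rule nobody has matched is a candidate for removal or a sign that a broader rule above it is taking the traffic.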
Object-NAT (Auto-NAT)
NAT with PAT overload can also be configured within Object NAT, but requires nested configuration
object network NATPool
range 209.165.201.1 209.165.201.250
object network PAT-1
host 209.165.201.251
object network PAT-2
host 209.165.201.252
!
object-group network nat-pat-group
network-object object NATPool
network-object object PAT-1
network-object object PAT-2
!
object network InternalUsers
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic nat-pat-group
NAT Advanced Features: One-to-many mapping
Translate one inside host to two different global IPs on an interface
[Figure: webServer mapped to both webServerGlobal1 and webServerGlobal2]
object network webServer
 host 192.168.1.99
object network webServerGlobal1
 host 209.165.200.225
object network webServerGlobal2
 host 209.165.200.226
nat (inside,outside) source static webServer webServerGlobal1
nat (inside,outside) source static webServer webServerGlobal2
NAT Advanced Features: ‘pat-pool’ and ‘round-robin’
pat-pool allows a pool of addresses to be used as PAT global IPs
round-robin causes ASA to allocate PAT connections in round-robin fashion
object network inside-hosts
 subnet 10.0.0.0 255.0.0.0
object network GlobalPATrange
 range 209.165.200.225 209.165.200.254
!
nat (inside,outside) source dynamic inside-hosts pat-pool GlobalPATrange round-robin
NAT Advanced Features ‘flat’ and ‘include-reserve’
By default ASA allocates the global PAT port within a similar range:

| Original Src Port | Translated Src Port |
| 1-511             | 1-511               |
| 512-1023          | 512-1023            |
| 1024-65535        | 1024-65535          |

nat (inside,outside) source dynamic inside-hosts pat-pool GlobalPATrange flat include-reserve

| Original Src Port | Translated Src Port (flat) | Translated Src Port (flat, include-reserve) |
| 1-511             | 1024-65535                 | 1-65535                                     |
| 512-1023          | 1024-65535                 | 1-65535                                     |
| 1024-65535        | 1024-65535                 | 1-65535                                     |

Using the flat keyword only allocates xlates in a fixed range, avoiding lower port values and early exhaustion of lower port ranges
NAT Advanced Features: ‘extended’
Using extended causes the ASA to track a PAT xlate based on destination IP address and port in addition to source IP and port
Allows for > 65536 PAT xlates for a single global PAT IP
nat (inside,outside) source dynamic inside-hosts pat-pool GlobalPATrange extended
ASA(config)# show xlate local 10.1.2.3
41 in use, 3992 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
e - extended
TCP PAT from inside:10.1.2.3/12345 to outside:209.165.200.225/12345(192.168.1.2) flags rie
idle 0:00:03 timeout 0:00:30
ASA(config)#
In the xlate line, 209.165.200.225/12345 is the Global PAT IP and Port, and (192.168.1.2) is the Destination IP address of the TCP connection.
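The three PAT slides above (pat-pool with round-robin, flat with include-reserve, and extended) describe allocation behaviour that is easiest to see by simulating it. The following Python model is an added example, not from the lab deck or Cisco: it implements the port-range table from the flat slide, rotates the pool address per connection when round-robin is set, and keys xlates on the destination when extended is set, so the same global port can be reused toward different destinations. How the ASA picks a particular port inside the allowed range is not stated on the slides, so the model takes the lowest free port; that, the pool addresses and the sample connections are all constructed.

```python
"""Simulate ASA PAT port allocation for pat-pool, round-robin, flat,
include-reserve and extended.

Added model, not Cisco code. Lowest-free-port selection inside the allowed
range is a constructed simplification; the slides do not say how the ASA
chooses the port. Pool addresses and connections are constructed samples.
"""
from ipaddress import ip_address

# Default behaviour: the global port stays in the original port's range.
DEFAULT_RANGES = ((1, 511), (512, 1023), (1024, 65535))


def port_range(src_port, flat=False, include_reserve=False):
    """Allowed global port range for an original source port (table on the 'flat' slide)."""
    if not 1 <= src_port <= 65535:
        raise ValueError(f"invalid port {src_port}")
    if flat:
        return (1, 65535) if include_reserve else (1024, 65535)
    return next(r for r in DEFAULT_RANGES if r[0] <= src_port <= r[1])


class PatPool:
    """A pat-pool of consecutive global addresses (like the GlobalPATrange object)."""

    def __init__(self, first, last, round_robin=False, flat=False,
                 include_reserve=False, extended=False):
        lo, hi = int(ip_address(first)), int(ip_address(last))
        self.addrs = [str(ip_address(n)) for n in range(lo, hi + 1)]
        self.round_robin, self.flat = round_robin, flat
        self.include_reserve, self.extended = include_reserve, extended
        self.next_addr = 0       # rotation pointer used by round-robin
        self.in_use = set()      # xlate keys currently allocated

    def _key(self, gip, gport, dst):
        # 'extended' adds the destination, so a global ip/port is reusable per destination
        return (gip, gport, dst) if self.extended else (gip, gport)

    def _free_port(self, gip, src_port, dst):
        lo, hi = port_range(src_port, self.flat, self.include_reserve)
        return next((p for p in range(lo, hi + 1)
                     if self._key(gip, p, dst) not in self.in_use), None)

    def allocate(self, src_port, dst=("0.0.0.0", 0)):
        """(global_ip, global_port) for a new connection, or None when the pool is exhausted."""
        count = len(self.addrs)
        # Without round-robin the first address is filled before moving to the next.
        start = self.next_addr if self.round_robin else 0
        for i in range(count):
            gip = self.addrs[(start + i) % count]
            port = self._free_port(gip, src_port, dst)
            if port is not None:
                self.in_use.add(self._key(gip, port, dst))
                if self.round_robin:
                    self.next_addr = (start + i + 1) % count
                return gip, port
        return None


def connections_until_exhausted(pool, src_port, dst=("0.0.0.0", 0), limit=70000):
    """How many new connections with this original source port the pool accepts."""
    n = 0
    while n < limit and pool.allocate(src_port, dst) is not None:
        n += 1
    return n


if __name__ == "__main__":
    # Low source ports exhaust the 1-511 block of a single global IP after 511 connections ...
    print(connections_until_exhausted(PatPool("209.165.200.225", "209.165.200.225"), 80))
    # ... while 'flat' maps the same traffic into 1024-65535.
    print(PatPool("209.165.200.225", "209.165.200.225", flat=True).allocate(80))
    rr = PatPool("209.165.200.225", "209.165.200.226", round_robin=True)
    print([rr.allocate(40000)[0] for _ in range(4)])
```

The exhaustion figure is the point of the flat slide: with the default range-preserving behaviour, a burst of connections whose original source port is below 512 runs out of global ports after 511 per pool address, long before the 1024-65535 block is touched.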
LAB 4
Your training session went well, and you have earned a week of rest back at base, Naval Station San Diego. After your R&R is over, the commanders assign you to help secure the new network design for a secret mini-Sub prototype, the USS Chambers.
The USS Chambers is only allocated 1 IP address on the outside network, which is assigned to the ASA’s outside interface. You must allow outside hosts to connect to the dive and control servers via this IP address, as well as PAT hosts on the inside to this interface IP.
– PAT the dive control server at 10.3.XX.50 to the outside interface on TCP port 8080
– PAT the ballistic missile control server at 10.3.XX.60 to the outside interface on TCP port 8081
– Allow any user on the Inside 10.3.XX.0/24 network to access the Internet by PATing them to the outside interface.
NAT Advanced Features: ‘unidirectional’
Translate the traffic depending on the direction the conn was initiated
[Figure: webServer mapped to webServerGlobal1 (unidirectional) and webServerGlobal2]
object network webServer
 host 192.168.1.99
object network webServerGlobal1
 host 209.165.200.225
object network webServerGlobal2
 host 209.165.200.226
!
nat (inside,outside) source static webServer webServerGlobal1 unidirectional
nat (inside,outside) source static webServer webServerGlobal2
NAT Advanced Features
Disables proxy-arp for the configured global IP addresses
Useful if the NAT statements utilize very broad global networks
NAT Config Keyword: ‘no-proxy-arp’
72
RFC1918 Addresses
object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network obj-172.16.0.0
 subnet 172.16.0.0 255.240.0.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.0.0
!
object-group network RFC1918
 network-object object obj-10.0.0.0
 network-object object obj-192.168.0.0
 network-object object obj-172.16.0.0
!
nat (any,any) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 no-proxy-arp
NAT Advanced Features: 'route-lookup'
NAT rules determine the egress interface and override the routing table by default
Add 'route-lookup' to a rule to have the ASA consult the routing table for the egress interface instead of the interfaces named in the rule, so the rule is only used where the routing table agrees with it
Topology: inside network 172.16.0.0/16 and DMZ network 172.16.12.0/24 (host 172.16.12.4) behind the ASA, outside on the far side
Without route-lookup (default):
nat (inside,outside) source static 172.16.0.0-net 172.16.0.0-net
nat (dmz,outside) source static 172.16.12.0-net 172.16.12.0-net
Inbound packets to 172.16.12.4 match the first rule and get routed to inside based on the order of NAT rules, even though the host lives on the DMZ
With route-lookup:
nat (inside,outside) source static 172.16.0.0-net 172.16.0.0-net route-lookup
nat (dmz,outside) source static 172.16.12.0-net 172.16.12.0-net
The egress interface for 172.16.12.4 now comes from the routing table (the /24 route via the DMZ), so inbound packets reach the DMZ host
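An added verification example for the 'unidirectional' and 'route-lookup' slides above (not part of the original deck): packet-tracer pushes a synthetic packet through the NAT and routing logic and reports the matching rule and the egress interface, so each keyword's effect can be confirmed before real traffic depends on it. The webServer addresses and the 172.16.x objects are taken from the slides; the outside client address 209.165.201.10 and the ports are constructed for the example.

```cisco
! Added example, not from the original slides. The outside client 209.165.201.10 is constructed.
!
! 1. 'unidirectional': outbound from webServer should leave sourced from 209.165.200.225
!    (first matching rule) ...
packet-tracer input inside tcp 192.168.1.99 40000 209.165.201.10 80
! ... inbound to the unidirectional mapped address must NOT be untranslated to webServer ...
packet-tracer input outside tcp 209.165.201.10 40000 209.165.200.225 80
! ... while inbound to the bidirectional mapped address must reach 192.168.1.99.
packet-tracer input outside tcp 209.165.201.10 40000 209.165.200.226 80
!
! 2. 'route-lookup': inbound to the DMZ host. Compare the NAT phase and the final
!    egress interface before and after adding the keyword to the (inside,outside) rule:
!    it should change from inside to dmz.
packet-tracer input outside tcp 209.165.201.10 40000 172.16.12.4 80
!
! Confirm rule order and per-rule hit counts after each test.
show nat detail
show xlate
```

Read the "Phase: NAT" block in each packet-tracer result for the rule that matched, and the "Result" block for the output interface; a mismatch between the two is exactly the condition 'route-lookup' exists to resolve.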
LAB 5
The prototype mini-sub network is now completed, and the subs have been deployed. As a reward for your hard work, your boss is sending you to attend Cisco Live in San Diego! Before you can leave for the conference, however, you must configure one last network for the USS Hammon
A new group of internal VPN networks is being set up for remote access to the sub computers. Integrate the requirements below into this network topology:
– Allow anyone on the Naval Internet to access the Dive Control web server (10.3.XX.50) via the global IP Address 209.165.XX.5. Use Object NAT to complete this task.
– Allow only VPN users (which you are one of) on the 10.0.100.0/24 network to access the internal network (10.3.XX.0/24) via its Real IP.
– Finally, create a pool of 4 IP Addresses (10.2.XX.100 - 10.2.XX.104) to be used as a PAT pool for all outbound Naval Internet access (from either the inside or DMZ networks), and each new connection should use a different IP Address within the pool.
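A configuration that meets the three requirements, added here as a worked example and not the lab's official solution. The object and ACL names are invented, XX is kept as the pod placeholder, and the PAT range is used exactly as written in the lab text (10.2.XX.100 to 10.2.XX.104, which actually spans five addresses rather than four).

```cisco
! Added example solution for Lab 5 (not the lab's answer key). XX is your pod number.
! Object and ACL names (dive-control-server, inside-net, vpn-net, naval-pat-pool,
! outside_in) are invented for this example.
!
! 1. Object NAT: publish the Dive Control web server on 209.165.XX.5 (1:1, all ports).
object network dive-control-server
 host 10.3.XX.50
 nat (inside,outside) static 209.165.XX.5
!
! 2. Identity (twice) NAT for VPN users: 10.0.100.0/24 <-> 10.3.XX.0/24 with no translation.
!    Manual NAT lands in section 1, above the object NAT, so VPN traffic to the web
!    server also sees its real address. no-proxy-arp and route-lookup are the keywords
!    covered on the NAT Advanced Features slides.
object network inside-net
 subnet 10.3.XX.0 255.255.255.0
object network vpn-net
 subnet 10.0.100.0 255.255.255.0
nat (inside,outside) source static inside-net inside-net destination static vpn-net vpn-net no-proxy-arp route-lookup
!
! 3. Round-robin PAT pool for all outbound Naval Internet access from inside and DMZ.
!    'after-auto' places these catch-all rules in section 3, below the object NAT, so
!    the server's static mapping is not shadowed by a broad 'any' rule in section 1.
!    'round-robin' hands out a different pool address per new connection instead of
!    exhausting one address's ports before moving to the next.
object network naval-pat-pool
 range 10.2.XX.100 10.2.XX.104
nat (inside,outside) after-auto source dynamic any pat-pool naval-pat-pool round-robin
nat (dmz,outside) after-auto source dynamic any pat-pool naval-pat-pool round-robin
!
! Inbound ACL matches the real address and port (8.3+ convention).
access-list outside_in extended permit tcp any object dive-control-server eq 80
access-group outside_in in interface outside
```

Two things to check after applying it: `show nat` must list the identity rule in section 1, the object NAT in section 2 and the two pat-pool rules in section 3, and a `packet-tracer input outside tcp 10.0.100.10 40000 10.3.XX.50 80` from a VPN source must hit the identity rule with no translation. Decrypted remote-access VPN traffic bypasses the interface ACL while `sysopt connection permit-vpn` is at its default, so no outside_in entry is needed for the VPN users.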
Closing Comments
Final Thoughts
What We Hope You Learned
Understand the ASA upgrade and conversion process
Understand the new NAT configuration in 8.3+
Understand the difference between Object and Manual NAT, and when you would choose one over the other
Understand how NAT rules are ordered and processed
Key Concepts
The new NAT config paradigm is flexible and powerful
The use of re-usable configuration objects (containers) helps simplify NAT configuration
The ASA has great onboard tools to help you troubleshoot any NAT (or general) configuration problems you might encounter
Online Resources
TAC Security Show Podcast
Online learning modules (VoD Training)
Supportforums.cisco.com
Security RSS Feeds
TAC Security Podcast
Great way to obtain valuable troubleshooting insights.
Conversational shows, which focus on providing in-depth information on a given feature.
New episodes posted monthly
Podcast Episodes
Ep. #  Topic
27  IOS Embedded Event Manager (EEM)
26  Troubleshooting IPSec VPNs
25  Understanding DMVPN and GETVPN
24  The Cisco Identity Services Engine
23  The Cisco ASA Services Module
22  How Cisco uses the Web Security Appliance to protect its network
21  Cisco Live! Las Vegas 2011
20  This Week In TAC!
19  Troubleshooting the NAC Appliance
18  Useful ASA and IPS Commands and Features You Might Not Know About
17  Answering Questions From The Cisco Support Community
16  Mitigating a SQL attack with ASA, IPS and IOS Firewall
15  Using Certificates on the ASA and IOS platforms
14  TCP connections through the ASA and FWSM
13  HTTP Filtering on the ASA
12  Securing Cisco Routers
11  ASA AnyConnect VPN
10  ASA Version 8.3 Overview
9   Multiple Context Mode on the ASA and FWSM Platforms
8   ASA Advanced Application Protocol Inspection
7   Monitoring Firewall Performance
6   Tips for Taking the CCIE Security Exam
5   Troubleshooting Firewall Failover, Part 2
4   Troubleshooting Firewall Failover, Part 1; Guest Omar Santos from PSIRT
3   Transparent Firewall Mode; Lifecycle of a TAC Case
2   New Features Introduced with ASA Version 8.2
1   Using the ASA Packet Capture Utility for Troubleshooting
Online Learning Modules – VoD Training
Great way to learn about new features in the ASA
From www.cisco.com select: Products and Services > Security > Secure Edge and Branch (expand) > Cisco ASA 5500 Series Adaptive Security Appliances > Training resources > Online learning modules
OR search cisco.com for "ASA Online Learning Modules"
Direct link
– http://www.cisco.com/en/US/partner/products/ps6120/tsd_products_support_online_learning_modules_list.html
Supportforums.cisco.com
Public wiki – anyone can author articles
Combines supportwiki and Netpro forums
Sections for: ASA, FWSM and PIX
Hundreds of Sample Configs
Troubleshooting Docs
FAQs
http://supportforums.cisco.com/
Security Hot Issues – RSS Feeds
Subscribe with an RSS reader
Receive weekly updates on the Hot Issues customers are facing
Separate feeds for: ASA, FWSM, ASDM
https://supportforums.cisco.com/docs/DOC-5727
Any Final Questions?
Call to Action…
Visit the World of Solutions:
Cisco Campus
Walk-in Labs
Technical Solutions Clinics
Meet the Engineer
Lunch Time Table Topics, held in the main Catering Hall
Recommended Reading: For reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014
Complete Your Online Session Evaluation
Complete your online session evaluation
Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt
For your reference
TCP Connection Termination Reasons — Quick Reference
Reason: Description
Conn-Timeout: Connection Ended Because It Was Idle Longer Than the Configured Idle Timeout
Deny Terminate: Flow Was Terminated by Application Inspection
Failover Primary Closed: The Standby Unit in a Failover Pair Deleted a Connection Because of a Message Received from the Active Unit
FIN Timeout: Force Termination After Ten Minutes Awaiting the Last ACK or After Half-Closed Timeout
Flow Closed by Inspection: Flow Was Terminated by Inspection Feature
Flow Terminated by IPS: Flow Was Terminated by IPS
Flow Reset by IPS: Flow Was Reset by IPS
Flow Terminated by TCP Intercept: Flow Was Terminated by TCP Intercept
Invalid SYN: SYN Packet Not Valid
Idle Timeout: Connection Timed Out Because It Was Idle Longer than the Timeout Value
IPS Fail-Close: Flow Was Terminated Due to IPS Card Down
SYN Control: Back Channel Initiation from Wrong Side
For your reference
TCP Connection Termination Reasons — Quick Reference (Cont.)
Reason: Description
SYN Timeout: Force Termination After Two Minutes Awaiting Three-Way Handshake Completion
TCP Bad Retransmission: Connection Terminated Because of Bad TCP Retransmission
TCP Fins: Normal Close Down Sequence
TCP Invalid SYN: Invalid TCP SYN Packet
TCP Reset-I: TCP Reset Was Sent From the Inside Host
TCP Reset-O: TCP Reset Was Sent From the Outside Host
TCP Segment Partial Overlap: Detected a Partially Overlapping Segment
TCP Unexpected Window Size Variation: Connection Terminated Due to a Variation in the TCP Window Size
Tunnel Has Been Torn Down: Flow Terminated Because Tunnel Is Down
Unauth Deny: Connection Denied by URL Filtering Server
Unknown: Catch-All Error
Xlate Clear: User Executed the 'clear xlate' Command
AnyConnect Access to Your Pod
Launch a web browser to:
https://64.102.242.78:10000
Note the port 10000
It will ask you to authenticate; use the info below, where X is your pod number: username podX, password diegoX
AnyConnect will download and install. You will then have access to your ASA and the Web Server