Lesson 4
[Figure: TCP handshake through the security appliance between 10.0.0.11 and 172.30.0.50. Packet No. 1 (flag SYN, no data) starts the embryonic connection counter; packet No. 2 (SYN-ACK) and the final ACK complete the handshake.]
UDP
– Connectionless protocol
– Efficient protocol for some services
– Resourceful, but difficult to secure (there is no handshake to track, so the appliance must infer a session from the first packet and age it out on a timer)
[Figure: security appliance with five interfaces and their security levels: g0/0 outside (security level 0), g0/1 inside (security level 100), g0/2 DMZ (security level 30), g0/3 Partnernet (security level 50), g0/4 Intranet (security level 70).]
[Figure: dynamic translation. Inside host 10.0.0.4 is translated to an outside global address taken from the IP address pool 192.168.6.20-254 (here 192.168.6.20); inside host 10.0.0.11 appears on the Internet as 192.168.6.9.]
Inside NAT translates the addresses of hosts on a higher security level to a less secure interface:
– Dynamic translation
– Static translation
NAT
[Figure: NAT with two global pools on the 192.168.0.0 outside network, 192.168.0.3-16 and 192.168.0.17-32, for hosts on the 10.0.0.0/24 inside network; inside host 10.0.0.11 is translated to 192.168.0.20.]
[Figure: PAT. Inside hosts 10.0.0.11 and 10.0.0.4 are both translated to the single global address 192.168.0.20 and are told apart by their translated source ports, 1024 and 1025.]
[Figure: Engineering (10.0.1.0) and Sales (10.0.2.0) networks behind the inside interface (.1 on 10.0.0.0); the outside interface (.2 on 192.168.0.0) obtains its address by DHCP.]
The outside interface is configured as a DHCP client (192.168.0.2). The interface option of the global command enables use of the DHCP-assigned address as the PAT address. The source addresses of hosts in network 10.0.0.0 are translated into the DHCP address for outgoing access, in this case 192.168.0.2. The source port is changed to a unique number greater than 1023.
[Figure: same Engineering and Sales topology; the outside interface on 192.168.0.0 has PAT addresses 192.168.0.8 and 192.168.0.9.]
Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access. Address 192.168.0.9 (the backup PAT address) will be used only when the port pool of 192.168.0.8 is at maximum capacity.
[Figure: Engineering and Sales topology with a NAT global address 192.168.0.20 and a PAT address 192.168.0.254 on the 192.168.0.0 outside network.]
When hosts on the 10.0.0.0 network access the outside network through the security appliance, they are assigned
[Figure: nat 0. The DMZ server 192.168.0.9 is reachable from the Internet as 192.168.0.9, its own address; inside host 10.0.0.15 sits behind the inside interface.]
nat 0 (identity NAT) ensures that the Internet server is translated to its own address on the outside, that is, its real address is exposed unchanged.
Security levels remain in effect with nat 0: an identity translation does not by itself allow traffic from a lower to a higher security level.
Interfaces
– Real interface: DMZ
– Mapped interface: Outside
IP Addresses
– Real IP address: 172.16.1.9
– Mapped IP address: 192.168.1.3
© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—4-27
static Command
[Figure: static command. The DMZ web server 172.16.1.9 is mapped to 192.168.1.3 on the outside interface.]
[Figure: static translations between inside hosts 10.0.0.11 and 10.0.0.12 and outside addresses 192.168.10.9 and 192.168.10.10.]
[Figure: static port redirection. Outside address 192.168.0.9 with services www and ftp redirected to separate inside servers.]
static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port {real_ip real_port [netmask mask]}
Used to create a permanent translation between a mapped IP address and port number and a specific real IP address and port number, so that one mapped address can front several real servers:
– 192.168.0.9/www redirected to 172.16.1.9/www
– 192.168.0.9/ftp redirected to 172.16.1.10/ftp
A static entry only defines the translation; inbound connections from a lower security level to the mapped port are still admitted only if an access list permits them.
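The translation behaviour described in the PAT passages above (a unique source port above 1023, a backup PAT address used only when the first one's port pool is full) and in the static port-redirection bullets can be modelled in a few dozen lines. The following is an added example, not the appliance's own code: it keeps a toy translation table for dynamic NAT, PAT and static port redirection. The one-address global pool, the shortened port range, and the interface names in the comments are constructed so that pool exhaustion and PAT overflow show up quickly.

```python
"""Toy model of the translation table built by the nat, global and static commands.

Added example, not appliance code. It models three behaviours from the lesson:
a dynamic pool (one mapped address per local host while the xlate lives),
PAT with source ports rewritten to a unique value above 1023 and overflow to a
backup PAT address only once the first address's port range is exhausted, and
static port redirection (static ... tcp) for inbound connections.
"""
from dataclasses import dataclass, field

PAT_FIRST_PORT = 1024   # the appliance never hands out a PAT port below 1024


@dataclass
class Translator:
    pool: list = field(default_factory=list)            # dynamic NAT global pool
    pat_addresses: list = field(default_factory=list)   # PAT addresses, in order of preference
    last_port: int = 65535                              # upper end of the PAT port range
    statics: dict = field(default_factory=dict)   # (proto, mapped_ip, mapped_port) -> (real_ip, real_port)
    xlate: dict = field(default_factory=dict)     # local_ip -> mapped_ip for dynamic NAT
    pat_next: dict = field(default_factory=dict)  # pat_ip -> next unused port
    pat_conns: dict = field(default_factory=dict) # (proto, pat_ip, port) -> (local_ip, local_port)

    def add_static(self, proto, mapped_ip, mapped_port, real_ip, real_port):
        """Models 'static (dmz,outside) tcp mapped_ip mapped_port real_ip real_port'."""
        self.statics[(proto, mapped_ip, mapped_port)] = (real_ip, real_port)

    def outbound(self, proto, local_ip, local_port):
        """Translate the source of an outbound flow; returns (mapped_ip, mapped_port)."""
        # An existing xlate is reused for every new connection from the same host.
        if local_ip in self.xlate:
            return self.xlate[local_ip], local_port
        # Dynamic NAT: take the first pool address not already mapped to another host.
        in_use = set(self.xlate.values())
        for mapped_ip in self.pool:
            if mapped_ip not in in_use:
                self.xlate[local_ip] = mapped_ip
                return mapped_ip, local_port        # address changes, port is preserved
        # Pool exhausted (or no pool configured): fall back to PAT. The second PAT
        # address is touched only when the first one has no ports left.
        for pat_ip in self.pat_addresses:
            port = self.pat_next.get(pat_ip, PAT_FIRST_PORT)
            if port <= self.last_port:
                self.pat_next[pat_ip] = port + 1
                self.pat_conns[(proto, pat_ip, port)] = (local_ip, local_port)
                return pat_ip, port
        raise RuntimeError("no translation slot available; connection dropped")

    def inbound(self, proto, mapped_ip, mapped_port):
        """Map an inbound packet to (real_ip, real_port), or None when nothing matches.

        On the appliance a matching xlate alone never admits traffic from a lower
        security level; an access list is still required. This model only resolves
        the address.
        """
        if (proto, mapped_ip, mapped_port) in self.statics:
            return self.statics[(proto, mapped_ip, mapped_port)]
        if (proto, mapped_ip, mapped_port) in self.pat_conns:      # return traffic of a PAT flow
            return self.pat_conns[(proto, mapped_ip, mapped_port)]
        for local_ip, mapped in self.xlate.items():                # return traffic of a NAT flow
            if mapped == mapped_ip:
                return local_ip, mapped_port
        return None


if __name__ == "__main__":
    # Constructed topology: a one-address global pool so exhaustion shows quickly,
    # PAT on 192.168.0.8 with 192.168.0.9 as backup, and a static web redirect.
    t = Translator(pool=["192.168.0.20"],
                   pat_addresses=["192.168.0.8", "192.168.0.9"], last_port=1025)
    t.add_static("tcp", "192.168.0.9", 80, "172.16.1.9", 80)
    for host, port in [("10.0.0.11", 2824), ("10.0.0.11", 2823), ("10.0.0.4", 4000),
                       ("10.0.1.5", 4001), ("10.0.1.6", 4002)]:
        print(host, port, "->", t.outbound("tcp", host, port))
    print("inbound 192.168.0.9:80 ->", t.inbound("tcp", "192.168.0.9", 80))
```

Running the script shows the first host keeping its pool address across two connections, the next host falling through to PAT on 192.168.0.8 with port 1024, and the backup address 192.168.0.9 being used only after 192.168.0.8 has run out of ports.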
[Figure: static port redirection of 192.168.0.9/FTP to an inside server listening on port 2121.]
[Figure: inside hosts 10.0.0.11 and 10.0.0.4 translated to 192.168.0.20 and 192.168.10.11 on the way to the Internet; outside host 172.26.26.45.]
DoS Attack
[Figure: SYN flood. An Internet attacker (172.26.26.46) sends a stream of SYN segments with a spoofed source address (SYN, SRC: 172.16.16.20, DST: 10.0.0.3) at the target 10.0.0.3. The target answers each with a SYN-ACK to the spoofed host 172.16.16.20, which never sends the ACK, so every request is left as an embryonic (half-open) connection.]
SYN Cookies
[Figure: a normal handshake (SYN, SYN-ACK, ACK) beside the SYN-cookie handshake, in which the security appliance answers the SYN with SYN-ACK (cookie) and the client returns ACK (cookie).]
The security appliance responds to the SYN itself with a SYN-ACK whose initial sequence number (ISN) carries a cookie; the security appliance keeps no state for the half-open connection.
The cookie is a hash of parts of the TCP header (addresses and ports) and a secret key, encoded into the ISN field of the SYN-ACK the appliance sends.
A legitimate client completes the handshake by sending back an ACK whose acknowledgment number is the cookie plus one.
If the cookie is authentic, the security appliance completes the handshake with the real server on the client's behalf and proxies the TCP session. A spoofed source never answers, so the flood costs the appliance and the server nothing beyond the SYN-ACK.
ciscoasa(config)#
nat (if_name) nat_id real_ip [mask [dns] [outside] [[tcp] max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]
max_conns: the maximum number of simultaneous TCP (or, with udp_max_conns, UDP) connections that the local IP hosts are allowed.
– A value of 0 (the default) means no limit, that is, no protection.
– Idle connections are closed after the time specified in the timeout command.
emb_limit: the maximum number of embryonic (half-open) connections before the appliance starts answering new SYNs with SYN cookies; 0 (the default) means unlimited.
norandomseq disables the appliance's randomization of TCP initial sequence numbers; leave it off unless an application requires it.
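The SYN-cookie handshake described above and the emb_limit argument just listed fit together as follows; this is an added example, not the appliance's implementation. The cookie layout (a 5-bit time counter above a 27-bit keyed hash of the 4-tuple) and the use of HMAC-SHA256 are this example's assumptions, since the lesson only states that the ISN encodes a hash of header fields and a secret. The TcpIntercept class stands in for the appliance: below the limit it counts forwarded SYNs as embryonic connections; at the limit it answers with a cookie and stores nothing. The addresses replay the spoofed-host scenario from the DoS figure and are constructed.

```python
"""SYN cookies and the embryonic-connection limit, modelled in Python.

Added example, not appliance code. The cookie layout and the HMAC used to build
it are assumptions made for this demonstration.
"""
import hashlib
import hmac
import struct
import time
from collections import defaultdict

SECRET = b"constructed demo secret"   # a real appliance would pick this at random per boot


def syn_cookie(saddr, sport, daddr, dport, counter, secret=SECRET):
    """Build the ISN the appliance places in its SYN-ACK: 5-bit counter | 27-bit hash."""
    counter &= 0x1F
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    low = struct.unpack(">I", digest[:4])[0] & 0x07FFFFFF
    return (counter << 27) | low


def cookie_valid(ack, saddr, sport, daddr, dport, now_counter, secret=SECRET):
    """The client's ACK must carry cookie+1. Only cookies minted in this or the previous
    period are accepted, so a captured cookie cannot be replayed for long."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    if ((now_counter - counter) & 0x1F) not in (0, 1):
        return False
    expected = syn_cookie(saddr, sport, daddr, dport, counter, secret)
    return hmac.compare_digest(struct.pack(">I", expected), struct.pack(">I", cookie))


class TcpIntercept:
    """Plays the role of the emb_limit argument of the nat or static command."""

    def __init__(self, emb_limit, clock=lambda: int(time.time()) // 64):
        self.emb_limit = emb_limit          # 0 means unlimited, as on the appliance
        self.clock = clock                  # coarse time counter used to age cookies
        self.embryonic = defaultdict(int)   # server address -> half-open count
        self.pending = set()                # 4-tuples of SYNs forwarded to the server
        self.established = set()

    def on_syn(self, saddr, sport, daddr, dport):
        """Returns the action taken and, in cookie mode, the ISN sent in the SYN-ACK."""
        if self.emb_limit and self.embryonic[daddr] >= self.emb_limit:
            # Limit reached: answer on the server's behalf and keep no state at all.
            return "SYN-ACK(cookie)", syn_cookie(saddr, sport, daddr, dport, self.clock())
        self.embryonic[daddr] += 1
        self.pending.add((saddr, sport, daddr, dport))
        return "forward SYN", None

    def on_ack(self, saddr, sport, daddr, dport, ack):
        """Third packet of the handshake. True when a session results, False if dropped."""
        key = (saddr, sport, daddr, dport)
        if key in self.pending:                     # a counted handshake completes normally
            self.pending.discard(key)
            self.embryonic[daddr] -= 1
            self.established.add(key)
            return True
        if cookie_valid(ack, saddr, sport, daddr, dport, self.clock()):
            self.established.add(key)               # appliance now proxies the session
            return True
        return False                                # stray or forged ACK: no state, no cost


if __name__ == "__main__":
    # Constructed replay of the lesson's SYN flood: emb_limit 2 and a frozen clock.
    asa = TcpIntercept(emb_limit=2, clock=lambda: 7)
    for sport in (40000, 40001, 40002):
        print("spoofed SYN from port", sport, "->",
              asa.on_syn("172.16.16.20", sport, "10.0.0.3", 80)[0])
    action, isn = asa.on_syn("172.26.26.45", 51000, "10.0.0.3", 80)
    print("legitimate client gets", action, "with ISN", hex(isn))
    print("client ACK accepted:",
          asa.on_ack("172.26.26.45", 51000, "10.0.0.3", 80, (isn + 1) & 0xFFFFFFFF))
```

The third spoofed SYN is the one that crosses the limit: it receives a cookie instead of a forwarded SYN, and because the appliance stores nothing for it the counter for 10.0.0.3 stays at two however many more arrive. A later legitimate client is served the same way and is admitted as soon as its ACK echoes the cookie.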
[Figure: HTTP connection from inside (local) host 10.0.0.11, translated to the mapped address 192.168.0.20 from the pool, to the Internet server 192.168.10.11; a second local host 10.0.0.4 and the outside interface 192.168.10.5 are also shown.]
ciscoasa#
show conn
Enables you to view all active connections

asa1# show conn
2 in use, 9 most used
TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:03 bytes 2320 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:03 bytes 3236 flags UIO
Flags: U = up, I = inbound data, O = outbound data.
Connection
[Figure: two HTTP connections from inside host 10.0.0.11 to the Internet server 192.168.10.11.]
Conn:
TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:05 bytes 466 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:05 bytes 1402 flags UIO
The same two connections when the name insidehost has been assigned to 10.0.0.11 (name command, with names enabled):
Conn:
TCP out 192.168.10.11:80 in insidehost:2824 idle 0:00:05 bytes 466 flags UIO
TCP out 192.168.10.11:80 in insidehost:2823 idle 0:00:05 bytes 1402 flags UIO
[Figure: inside host 10.0.0.11 translated to 192.168.0.20 toward the Internet server 192.168.10.11; a second inside host 10.0.0.4.]
ciscoasa#
show xlate
Enables you to view translation slot information

asa1# show xlate
1 in use, 2 most used
Global 192.168.0.20 Local 10.0.0.11
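Both show conn and show xlate print one line per entry in a fixed format, which makes them easy to mine during an incident: the embryonic connections of the SYN flood shown earlier are exactly the show conn lines whose flags say a handshake is still pending. The parser below is an added example, not appliance code. The line formats follow the output above; the sample output is constructed (including two half-open connections toward 10.0.0.3 and a PAT xlate line), and the flag table is the subset of the show conn legend this example needs.

```python
"""Parse "show conn" and "show xlate" output and flag half-open connections.

Added example, not appliance code. The sample output below is constructed.
"""
import re
from dataclasses import dataclass

# Subset of the "show conn" flag legend used here.
CONN_FLAGS = {
    "U": "up", "I": "inbound data", "O": "outbound data",
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "S": "awaiting inside SYN", "s": "awaiting outside SYN",
    "F": "outside FIN", "f": "inside FIN",
}
HALF_OPEN = set("AaSs")   # handshake not finished: these are the embryonic connections

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>\S+?)\s*:(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>\S+?)\s*:(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d\d:\d\d)\s+bytes\s+(?P<bytes>\d+)\s+flags\s+(?P<flags>\S+)\s*$")
XLATE_RE = re.compile(r"^(?:PAT\s+)?Global\s+(?P<mapped>\S+)\s+Local\s+(?P<local>\S+)\s*$")
ADDR_RE = re.compile(r"^(?P<ip>[^(]+)(?:\((?P<port>\d+)\))?$")   # "ip" or "ip(port)"


@dataclass
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    idle_seconds: int
    byte_count: int
    flags: str

    @property
    def half_open(self):
        return any(f in HALF_OPEN for f in self.flags)


def _idle_seconds(text):
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(text):
    """One Conn per connection line; prompts and the 'in use' summary are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(Conn(m["proto"], m["out_ip"], int(m["out_port"]), m["in_ip"],
                              int(m["in_port"]), _idle_seconds(m["idle"]),
                              int(m["bytes"]), m["flags"]))
    return conns


def _addr(text):
    m = ADDR_RE.match(text)
    return m["ip"], (int(m["port"]) if m["port"] else None)


def parse_show_xlate(text):
    """(mapped_ip, mapped_port, local_ip, local_port) per slot; ports are None for plain NAT."""
    slots = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            slots.append(_addr(m["mapped"]) + _addr(m["local"]))
    return slots


def describe_flags(flags):
    return [CONN_FLAGS.get(f, f"unknown flag {f}") for f in flags]


def half_open_by_server(conns):
    """Embryonic connections per inside address; a spike on one host is the SYN-flood signature."""
    counts = {}
    for c in conns:
        if c.half_open:
            counts[c.in_ip] = counts.get(c.in_ip, 0) + 1
    return counts


# Constructed sample output: two healthy HTTP flows and two half-open SYNs at 10.0.0.3.
SAMPLE_CONN = """\
asa1# show conn
4 in use, 9 most used
TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:03 bytes 2320 flags UIO
TCP out 192.168.10.11 :80 in insidehost:2823 idle 0:00:05 bytes 1402 flags UIO
TCP out 172.16.16.20:40001 in 10.0.0.3:80 idle 0:00:12 bytes 0 flags aB
TCP out 172.16.16.20:40002 in 10.0.0.3:80 idle 0:00:11 bytes 0 flags aB
"""

SAMPLE_XLATE = """\
asa1# show xlate
2 in use, 2 most used
Global 192.168.0.20 Local 10.0.0.11
PAT Global 192.168.0.8(1024) Local 10.0.1.5(4001)
"""

if __name__ == "__main__":
    for c in parse_show_conn(SAMPLE_CONN):
        print(c.in_ip, c.in_port, "half-open" if c.half_open else "up", describe_flags(c.flags))
    print("half-open per server:", half_open_by_server(parse_show_conn(SAMPLE_CONN)))
    print("xlate slots:", parse_show_xlate(SAMPLE_XLATE))
```

The regular expression tolerates the stray space before the port that appears in some captures of this output, and it accepts a host name in place of an address, since show conn substitutes names assigned with the name command. Feed it the saved output of show conn from a box under attack and half_open_by_server gives the per-target count that the emb_limit argument is meant to cap.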
Summary
– The security appliance manages the TCP and UDP protocols through the use of a translation table (for NAT sessions) and a connection table (for TCP and UDP sessions).
– The static command creates a permanent translation.
– The nat command, together with global, maps local addresses to global address pools dynamically.
– The nat and global commands work together to hide internal IP addresses.
– The security appliance supports PAT.
– Configuring multiple interfaces requires greater attention to detail, but it can be done with standard security appliance commands.
– SYN cookies, which you enable by setting embryonic connection limits in the nat or static command, provide a means of checking the validity of incoming TCP sessions without holding state for each unanswered SYN.
[Figure: lab topology. Pod networks 10.0.P.0 and 10.0.Q.0, each with a Web/FTP server at .10, an RTS at .100, and a student PC.]