#CiscoLive

Best Practices and Troubleshooting Skills to Work with NAT in FTD Cluster Setups
Aaron Vieyra
Technical Consulting Engineer
DGTL-TSCSEC-507
Agenda
• General NAT Overview
• NAT Types
• NAT Order
• PAT Advanced options
• Dynamic NAT on Clustered FTD
• Common Failure Scenarios and Troubleshooting

#CiscoLive DGTL-TSCSEC-507 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
General NAT Overview
Network Address Translation (NAT)
Why use NAT?
• Each host within an IP network is assigned a unique IP address that identifies it
• RFC 1918 defines the private ranges that can be used internally
• NAT allows private IP networks to connect to the internet

[Diagram: inside host with source IP 192.168.1.100 reaches Cisco (198.133.219.25) on the outside through the ISP]

Terminology on FTD

NAT
[Diagram: outbound packet 192.168.1.100 → 198.133.219.25 on inside leaves outside as 158.12.1.3 → 198.133.219.25]

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network PC-Real
 nat (inside,outside) static PC-Mapped
Additional Information:
Static translate 192.168.1.100/1234 to 158.12.1.3/1234

UN-NAT
[Diagram: inbound packet 158.12.1.3 ← 198.133.219.25 on outside is delivered on inside as 192.168.1.100 ← 198.133.219.25]

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network PC-Real
 nat (inside,outside) static PC-Mapped
Additional Information:
NAT divert to egress interface inside
Untranslate 158.12.1.3/0 to 192.168.1.100/0
NAT Types
Static NAT
• Translates a real address to a mapped address
• Allows bidirectional connection initiation
• Some other uses of static NAT
  • Port Translation → Allows translating a well-known port to an ephemeral port
  • Identity port translation → A single mapped IP translated to different well-known ports

[Diagram: inside host 192.168.1.10 (Source IP) is mapped to 158.12.1.3 on outside and reaches the Public IP 198.133.219.25]

ASA# show run nat
!
object network PC-Real
 nat (inside,outside) static PC-Mapped

ASA# show run object id PC-Real
object network PC-Real
 host 192.168.1.10

ASA# show run object id PC-Mapped
object network PC-Mapped
 host 158.12.1.3
Identity NAT
• Allows translating an IP to itself
• Bidirectional
• Commonly used for VPN traffic

[Diagram: host A 192.168.1.100 on inside, host B 10.10.1.10 on DMZ]
ORIGINAL PACKET: 192.168.1.100 > 192.168.1.10
TRANSLATED PACKET: 192.168.1.100 > 10.10.1.10

ASA# show run nat
nat (inside,DMZ) source static A-Real A-Mapped destination static DNS-Mapped DNS-Real

(A-Real = Real Source, A-Mapped = Mapped Source, DNS-Mapped = Mapped Destination, DNS-Real = Real Destination)
Dynamic NAT
• The translation is created only when the real host initiates the connection
• Translates a group of real addresses to a pool of mapped addresses
• The mapped pool typically has fewer IPs than the real group

[Diagram: inside hosts A 192.168.1.100, B 192.168.1.101 and E 192.168.1.102 are translated to the mapped pool addresses C 209.100.200.1 and D 209.100.200.2 when reaching 198.133.219.25 and 198.133.219.40 on outside]

ASA# show run nat
object network inside-subnet
 nat (inside,outside) dynamic Mapped-pool-NAT

ASA# show run object id inside-subnet
object network inside-subnet
 subnet 192.168.1.0 255.255.255.0

ASA# show run object id Mapped-pool-NAT
object network Mapped-pool-NAT
 range 209.100.200.1 209.100.200.2
Dynamic PAT
• Translates multiple real IPs to a single IP
• Real IP and source port are translated to the mapped IP and a unique port

[Diagram: inside hosts A 192.168.1.100:1025, B 192.168.1.101:2041 and C 192.168.1.102:3572 are all translated to the single mapped IP 209.165.201.1 with unique ports 3030, 4482 and 1538 when reaching 198.133.219.25 and 198.133.219.40 on outside]

ASA# show run nat
object network Inside-subnet
 nat (inside,outside) dynamic Mapped-IP

ASA# show run object id Inside-subnet
object network Inside-subnet
 subnet 192.168.1.0 255.255.255.0

ASA# show run object id Mapped-IP
object network Mapped-IP
 host 209.165.201.1
Per-Session Port Address Translation
• Dynamic PAT xlates have a 30 second idle timeout by default
• Single global IP allows about 2000 conns/sec for TCP and UDP

firepower# show run timeout
timeout pat-xlate 0:00:30

• Per-Session Xlate feature allows immediate reuse of the mapped ports
• Per-Session PAT improves the scalability of PAT

firepower# show run all xlate
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
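As an added illustration (my own Python model, not code from the deck or from FTD), a toy port allocator for one mapped IP: it shows why the 30 second pat-xlate timeout caps a single global IP at roughly 64512/30 new connections per second, and how per-session PAT returns a mapped port as soon as the connection tears down. The class and function names are assumptions for the example.

```python
EPHEMERAL_PORTS = 65535 - 1024 + 1   # 64512 ports per mapped IP (the 1024-65535 range)
PAT_XLATE_TIMEOUT = 30               # seconds, "timeout pat-xlate 0:00:30"


def sustained_conn_rate(ports=EPHEMERAL_PORTS, idle_timeout=PAT_XLATE_TIMEOUT):
    """Without per-session PAT a finished connection keeps its mapped port for
    idle_timeout seconds, so one mapped IP sustains at most ports/idle_timeout
    new connections per second (2150/s here, the slide's "about 2000")."""
    return ports // idle_timeout


class PatIp:
    """Constructed model of one mapped IP's port pool (not FTD internals)."""

    def __init__(self, per_session, first=1024, last=65535, idle_timeout=PAT_XLATE_TIMEOUT):
        self.per_session = per_session
        self.idle_timeout = idle_timeout
        self.free = list(range(first, last + 1))   # mapped ports not yet in use
        self.active = {}    # mapped port -> real (ip, port) of an open connection
        self.idle = {}      # mapped port -> time at which the idle xlate expires

    def _expire(self, now):
        # Idle xlates go back to the pool only once the pat-xlate timeout passed
        for port, expires_at in list(self.idle.items()):
            if now >= expires_at:
                del self.idle[port]
                self.free.append(port)

    def open_conn(self, real, now):
        """Allocate a mapped port for a new connection; None when exhausted."""
        self._expire(now)
        if not self.free:
            return None
        port = self.free.pop(0)
        self.active[port] = real
        return port

    def close_conn(self, port, now):
        """Connection teardown: per-session frees the port at once, otherwise
        the xlate lingers for idle_timeout seconds."""
        del self.active[port]
        if self.per_session:
            self.free.append(port)
        else:
            self.idle[port] = now + self.idle_timeout

    def ports_in_use(self, now):
        self._expire(now)
        return len(self.active) + len(self.idle)
```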

PAT Advanced Options
Round-Robin
• The Round-Robin method assigns one address/port from each PAT address in the pool

[Diagram: inside hosts A 10.4.1.33 and B 10.4.1.34 reach the Server on outside; the pool addresses are 172.16.1.4 and 172.16.1.5]

object network Pool
 range 172.16.1.4 172.16.1.5
object network users
 range 10.4.1.33 10.4.1.34
nat (inside,outside) dynamic pat-pool Pool round-robin

ASA# show xlate
TCP PAT from inside:10.4.1.33/40111 to outside:172.16.1.4/40111 flags ri idle 0:00:03 timeout 0:00:30
TCP PAT from inside:10.4.1.33/40110 to outside:172.16.1.4/40110 flags ri idle 0:00:03 timeout 0:00:30
TCP PAT from inside:10.4.1.34/36709 to outside:172.16.1.5/36709 flags ri idle 0:00:07 timeout 0:00:30
TCP PAT from inside:10.4.1.34/36707 to outside:172.16.1.5/36707 flags ri idle 0:00:28 timeout 0:00:30

Flat
• Flat translates source ports by using only the ephemeral port range 1024-65535
• Include-reserve
  • To use the port range from 1 to 65535

[Diagram: host A 10.4.1.33:123 → 172.16.1.254:80 on inside leaves outside as 172.16.1.4:8752 → 172.16.1.254:80]

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network A
 nat (inside,outside) dynamic pat-pool Pool flat
Additional Information:
Dynamic translate 10.4.1.33/123 to 172.16.1.2/17463
Extended
• Extends PAT uniqueness to per destination instead of per interface

[Diagram: hosts A and B on inside, server 172.16.1.254 on outside]
A 10.4.1.33:10000 > 172.16.1.254:23 is translated to 172.16.1.4:10000 > 172.16.1.254:23
B 10.4.1.34:10000 > 172.16.1.254:80 is translated to 172.16.1.4:13831 > 172.16.1.254:80

• Extended
object network Pool
 range 172.16.1.4 172.16.1.5
object network users
 range 10.4.1.33 10.4.1.34
nat (inside,outside) dynamic pat-pool Pool extended

• Extended and flat
object network Pool
 range 172.16.1.4 172.16.1.5
object network users
 range 10.4.1.33 10.4.1.34
nat (inside,outside) dynamic pat-pool Pool extended flat
NAT Order
NAT Sections
• NAT rules are used to build the NAT policy table

NAT rules:

ASA# show run nat
nat (outside,outside) source static VPN-Users VPN-Users destination static VPN-Users VPN-Users
!
object network PC-Real
 nat (inside,outside) static PC-Mapped
!
object network VM
 nat (internal,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic Users interface

NAT table:

ASA# show nat

Manual NAT Policies (Section 1)
1 (outside) to (outside) source static VPN-Users VPN-Users destination static VPN-Users VPN-Users
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static PC-Real PC-Mapped
    translate_hits = 0, untranslate_hits = 0
2 (internal) to (outside) source dynamic VM interface
    translate_hits = 710, untranslate_hits = 611

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic Users interface
    translate_hits = 0, untranslate_hits = 0
Dynamic NAT on Clustered FTD
Dynamic NAT on Clustered FTDs
• FTD only supports spanned interface mode
• Data interfaces are grouped into a single EtherChannel
• Load balancing algorithm is performed on the switches
• NAT can impact the throughput of the cluster

[Diagram: four cluster members unit-1 to unit-4 between inside and outside; the SYN is load-balanced to unit-1 while the SYN-ACK arrives at unit-4]
NAT pool address distribution
• The Master FTD pre-distributes addresses across the cluster
• PAT pools should have at least as many IPs available as there are units in the cluster

FTD CLI:
object network SERVER-INSIDE
 range 10.10.10.1 10.10.10.4
object network POOL-OUT-1
 range 172.16.1.3 172.16.1.4
object network SERVER-INSIDE
 nat (inside,outside) dynamic pat-pool POOL-OUT-1

firepower# cluster exec show nat pool cluster
unit-1-1(LOCAL):******************************************************
IP outside 172.16.1.2, owner unit-1-1, backup unit-2-1
IP outside:POOL-OUT-1 172.16.1.3, owner unit-1-1, backup unit-2-1
IP outside:POOL-OUT-1 172.16.1.4, owner unit-2-1, backup unit-1-1

unit-2-1:*************************************************************
IP outside 172.16.1.2, owner unit-1-1, backup unit-2-1
IP outside:POOL-OUT-1 172.16.1.3, owner unit-1-1, backup unit-2-1
IP outside:POOL-OUT-1 172.16.1.4, owner unit-2-1, backup unit-1-1
When a unit leaves the cluster
• The PAT IP assigned to that unit will be rebalanced to another unit in the cluster

unit-1-1 (Master) and unit-2-1 (Slave) part of the cluster:

firepower# show nat pool cluster
IP outside:POOL-OUT-1 172.16.1.4, owner unit-1-1, backup unit-2-1
IP outside:POOL-OUT-1 172.16.1.3, owner unit-2-1, backup unit-1-1

After unit-2-1 leaves, unit-1-1 owns both IPs of the cluster:

firepower# show nat pool cluster outside
IP outside:POOL-OUT-1 172.16.1.3, owner unit-1-1, backup unit-1-1
IP outside:POOL-OUT-1 172.16.1.4, owner unit-1-1, backup unit-1-1
When a unit joins the cluster
• The Master FTD attempts to find one or more unused PAT IPs from the PAT pool and assign them to the newly joined unit

unit-1-1 (Master) owning both IPs of the cluster:

firepower# show nat pool cluster
IP outside:POOL-OUT-1 172.16.1.3, owner unit-1-1, backup unit-1-1
IP outside:POOL-OUT-1 172.16.1.4, owner unit-1-1, backup unit-1-1

The mapped IPs are rebalanced when unit-2-1 (Slave) joins:

firepower# show nat pool cluster
IP outside:POOL-OUT-1 172.16.1.4, owner unit-1-1, backup unit-2-1
IP outside:POOL-OUT-1 172.16.1.3, owner unit-2-1, backup unit-1-1
Common Failure Scenarios and Best Practices
Scenario 1: PAT configured with a single IP
• The IP is assigned to the Master and the Slaves have none available
• Translations are created only by the Master FTD
• The Slaves create director stub TCP/UDP/ICMP conns and send those over the CCL to the Master FTD
• CCL congestion and high conn/xlate load on the Master

[Diagram: the single PAT IP 209.165.201.1 on outside is owned by the Master; inside traffic arriving at the Slaves is forwarded to the Master]

Solution
• Configure as many IPs on the PAT pool as cluster members
Xlate Replication
SYN reaching the Master FTD

[Diagram: host A 10.4.1.33 on inside runs "telnet 172.16.1.1 80" towards 172.16.1.1 on outside; the SYN reaches the Master unit-1-1, owner of 172.16.1.2, with unit-1-2 as Slave]

firepower# show nat pool cluster
IP outside 172.16.1.2, owner unit-1-1, backup unit-2-1

Buffer logs on Master and captures:

%FTD-6-305011: Built dynamic TCP translation from inside:10.4.1.33/40492 to outside:172.16.1.2/40492
%FTD-6-305012: Teardown dynamic TCP translation from inside:10.4.1.33/40492 to outside:172.16.1.2/40492 duration 0:00:00

firepower# show capture ingress
1 packets captured
1: 02:28:56.865799 802.1Q vlan#2847 P0 10.4.1.33.40492 > 172.16.1.1.80: S 2121437953:2121437953(0)

firepower# show capture egress
1 packet captured
1: 02:28:56.866547 802.1Q vlan#2809 P0 172.16.1.2.40492 > 172.16.1.1.80: S 2341746117:2341746117(0)
Xlate Replication
SYN reaching the Slave FTD

[Diagram: host A 10.4.1.33 on inside runs "telnet 172.16.1.1 80" towards 172.16.1.1 on outside; the SYN reaches the Slave unit-1-2, which sends it over the CCL to the Master unit-1-1, owner of 172.16.1.2]

firepower# show nat pool cluster
IP outside 172.16.1.2, owner unit-1-1, backup unit-2-1

Use trace and reinject-hide keywords on captures for Clustered FTDs

Slave FTD:
Phase: 11
Type: CLUSTER-EVENT
Subtype:
Result: ALLOW
Config:
Additional Information:
Input interface: 'inside'
Flow type: NO FLOW
NAT: I (1) am redirecting packet to master (0) for PAT.

Master FTD:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Test
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.4.1.33/40496 to 172.16.1.2/40496
Scenario 2: PAT IP owned by Slave after Cluster Event

object network POOL-OUT-1
 host 172.16.1.3
object network Subnet-inside
 nat (inside,outside) dynamic pat-pool POOL-OUT-1

Single IP → Bad practice

firepower# show cluster info
Cluster Cluster-TAC: On
    Interface mode: spanned
    This is "unit-1-1" in state MASTER
        ID        : 0
        Site ID   : 1
        Version   : 9.12(1)6
        Serial No.: FLM234301L7
        CCL IP    : 1.1.1.1
        CCL MAC   : 0015.c500.018f
        Last join : 18:15:20 UTC Jul 19 2020
        Last leave: N/A
    Other members in the cluster:
    Unit "unit-2-1" in state SLAVE
        ID        : 1
        Site ID   : 2
        Version   : 9.12(1)6
        Serial No.: FLM23420F97
        CCL IP    : 1.1.2.1
        CCL MAC   : 0015.c500.028f
        Last join : 22:41:01 UTC Jul 21 2020
        Last leave: 22:39:00 UTC Jul 21 2020

Master should own 172.16.1.3:

firepower# cluster exec show nat pool cluster
unit-1-1(LOCAL):******************************************************
IP outside:POOL-OUT-1 172.16.1.3, owner unit-2-1, backup unit-1-1

unit-2-1:*************************************************************
IP outside:POOL-OUT-1 172.16.1.3, owner unit-2-1, backup unit-1-1

Solution
To execute:
# cluster exec clear xlate global <PAT IP>
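As an added troubleshooting aid (my own Python, not code from the deck or from FTD), a parser for the "cluster exec show nat pool cluster" output shown on the NAT pool distribution slide and in Scenarios 1 and 2; it reports the conditions those slides describe: a pool with fewer IPs than cluster units, a single-IP pool owned by a Slave after a cluster event, and units that own no mapped IP. Both samples below are constructed from the slide output, and the Master unit name is passed in because the pool output does not mark it (it comes from "show cluster info").

```python
import re
from collections import defaultdict

# Constructed sample in the slide's format: two units, the outside interface IP
# plus a two-address pat-pool (every unit prints the same table).
HEALTHY_OUTPUT = """\
unit-1-1(LOCAL):******************************************************
IP outside 172.16.1.2, owner unit-1-1, backup unit-2-1
IP outside:POOL-OUT-1 172.16.1.3, owner unit-1-1, backup unit-2-1
IP outside:POOL-OUT-1 172.16.1.4, owner unit-2-1, backup unit-1-1
unit-2-1:*************************************************************
IP outside 172.16.1.2, owner unit-1-1, backup unit-2-1
IP outside:POOL-OUT-1 172.16.1.3, owner unit-1-1, backup unit-2-1
IP outside:POOL-OUT-1 172.16.1.4, owner unit-2-1, backup unit-1-1
"""
# Constructed sample for Scenario 2: a single-IP pool left owned by the Slave.
SLAVE_OWNED_OUTPUT = """\
unit-1-1(LOCAL):******************************************************
IP outside:POOL-OUT-1 172.16.1.3, owner unit-2-1, backup unit-1-1
unit-2-1:*************************************************************
IP outside:POOL-OUT-1 172.16.1.3, owner unit-2-1, backup unit-1-1
"""

UNIT_RE = re.compile(r"^(?P<unit>\S+?)(?:\(LOCAL\))?:\*+$")
IP_RE = re.compile(r"^IP (?P<pool>\S+) (?P<ip>[\d.]+), owner (?P<owner>\S+), backup (?P<backup>\S+)$")


def parse_pool(output):
    """Return (units, {(pool, ip): (owner, backup)}); the per-unit copies of
    the table are deduplicated by (pool, ip)."""
    units, entries = [], {}
    for line in output.splitlines():
        if m := UNIT_RE.match(line):
            units.append(m.group("unit"))
        elif m := IP_RE.match(line):
            entries[(m.group("pool"), m.group("ip"))] = (m.group("owner"), m.group("backup"))
    return units, entries


def check_pool(output, master):
    """Findings: pool smaller than the cluster (Scenario 1: owner-less units must
    redirect PAT over the CCL), single IP owned by a Slave (Scenario 2), and any
    unit owning no mapped IP. The interface IP ("outside") follows the same rule."""
    units, entries = parse_pool(output)
    pools, owned = defaultdict(list), defaultdict(list)
    for (pool, ip), (owner, _backup) in entries.items():
        pools[pool].append(ip)
        owned[owner].append(ip)
    findings = []
    for pool, ips in pools.items():
        if len(ips) < len(units):
            findings.append(f"{pool}: {len(ips)} IP(s) for {len(units)} units")
        if len(ips) == 1 and entries[(pool, ips[0])][0] != master:
            findings.append(f"{pool}: single IP {ips[0]} owned by slave {entries[(pool, ips[0])][0]}")
    findings += [f"{unit} owns no PAT IP" for unit in units if not owned[unit]]
    return findings
```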

Scenario 3: Distributed PAT Xlates in Cluster for Multisession connections

[Diagram: host A on inside opens several connections of one multisession application to the same outside server; one leaves as TCP 172.16.1.3:51234 and another as TCP 172.16.1.4:22421, and the server reports an error because the multiple conns come from different source IPs]

• Multisession connections are load-balanced to different cluster members
• Each FTD translates each connection using its own PAT IP

Solution
• Configure Static NAT for the specific destination IP addresses
• Upcoming FTD releases distribute each PAT pool at port block level
Thank you
