
Connectivity NA(P)T

3 Thomson Gateway NAT
> NAT: Network Address Translation ("IP Masquerading")
> NAPT: Network Address and Port Translation

4 Definition
> NAT: maps IP addresses from one address realm to another and provides transparent routing between disparate address realms
> Characteristics:
  Transparent address assignment
  Transparent routing through address translation
  ICMP error packet payload translation

5 Necessity
> IPv4: 32 bits
> Private networks , ,
> WAN x LAN
  LAN: inside IP addresses
  WAN: outside IP addresses

6 Example
[IN] eth0-> : TCP >50000 [S.....]
[UT] eth0->pppoe0 : TCP >50000 [S.....]
[IN]pppoe0-> : TCP >49125 [S.A...]
[UT]pppoe0->eth0 : TCP >10000 [S.A...]
[IN] eth0-> : TCP >50000 [..A...]
[UT] eth0->pppoe0 : TCP >50000 [..A...]
[nat]=>maplist
Idx Type Interface Outside Address Inside Address Use
1   NAPT pppoe
(Diagram: PPPoE Server; packet flow, session flow, address binding)
NAPT: extension of NAT

7 Static vs. Dynamic NAT
> Static address assignment (static NAT): one-to-one address mapping, fixed in time
> Dynamic address assignment (dynamic NAT): based on usage requirements and session flow; bindings are used and re-used

8 Basic NAT
> A block of external addresses is set aside for translation
> For sessions originating in the private domain
> Example (static):
  Idx Type Interface Outside Address Inside Address
  1   NAT  ipoa      unmapped
  Access List: Foreign Address any, Protocol any, Flags Static, Description "Outbound Basic NAT"

9 When to Use Basic NAT
> Inside addresses not routable on the outside network
> Hiding inside addresses from the outside world
> Avoiding network renumbering when changing service provider

10 NAPT
> Extension: translation of transport identifiers (TCP, UDP: port numbers; ICMP: query identifiers)
> Allows sharing a single external address
  Idx Type Interface Outside Address Inside Address Use
  1   NAPT ipoa      unmapped
  2   Access List /16, Foreign Address any, Protocol any, Flags Static, Description "Outbound NAPT without defserver"

11 NAPT – Continued
NAPT uses ports from range [ ]
First session (outside port 10000):
[IN] eth0-> : TCP >50000 [S.....]
[UT] eth0->ipoa0 : TCP >50000 [S.....]
[IN] ipoa0-> : TCP >49125 [S.A...]
[UT] ipoa0->eth0 : TCP >10000 [S.A...]
[IN] eth0-> : TCP >50000 [..A...]
[UT] eth0->ipoa0 : TCP >50000 [..A...]
Second session (outside port 10001):
[IN] eth0-> : TCP >50000 [S.....]
[UT] eth0->ipoa0 : TCP >50000 [S.....]
[IN] ipoa0-> : TCP >49126 [S.A...]
[UT] ipoa0->eth0 : TCP >10001 [S.A...]
[IN] eth0-> : TCP >50000 [..A...]
[UT] eth0->ipoa0 : TCP >50000 [..A...]

12 When to Use NAPT
> Multiple private hosts accessing the public network through the same gateway
> Link specific traffic to a private host
> Redirect all unknown incoming traffic to a chosen private host

13 Two-Way NAT
> Sessions can be initiated from hosts in both the public and the private network
> Used to make private servers available on the Internet
> Example (static):
  Idx Type Interface Outside Address Inside Address Use
  1   NAT  pppoe
  Access List: Foreign Address any, Protocol any, Flags Static, Description "Two-way NAT"
[IN]pppoe0-> : TCP >10000 [S.....]
[UT]pppoe0->eth0 : TCP >10000 [S.....]
[IN] eth0-> : TCP >50000 [S.A...]
[UT] eth0->pppoe0 : TCP >50000 [S.A...]
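As an added illustration (not code from the slides or from the Thomson gateway), a small NAPT engine that reproduces the port behaviour of the traces on slides 11 and 13: dynamic bindings take the lowest free port from the translation range, a reply is translated back only when a binding exists (anything else is dropped), and a static two-way entry lets an outside host reach a private server. The outside address 198.51.100.1, the port range 10000-10099 and the LAN hosts are constructed sample values.

```python
# Added example: minimal NAPT engine modelled on the [IN]/[UT] traces above.
# All addresses and the translation port range are constructed sample values.
from dataclasses import dataclass

OUTSIDE_IP = "198.51.100.1"          # constructed: gateway WAN (pppoe0/ipoa0) address
PORT_RANGE = range(10000, 10100)     # constructed: NAPT translation port pool


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    def __init__(self, outside_ip=OUTSIDE_IP, ports=PORT_RANGE):
        self.outside_ip = outside_ip
        self.free = list(ports)
        self.out_map = {}   # (proto, inside ip, inside port) -> outside port
        self.in_map = {}    # (proto, outside port) -> (inside ip, inside port)

    def add_static(self, proto, outside_port, inside_ip, inside_port):
        """Two-way NAT entry: a public host may initiate a session to a private server."""
        if outside_port in self.free:
            self.free.remove(outside_port)   # never hand this port out dynamically
        self.in_map[(proto, outside_port)] = (inside_ip, inside_port)
        self.out_map[(proto, inside_ip, inside_port)] = outside_port

    def outbound(self, p):
        """LAN -> WAN: reuse the binding for (ip, port) or take the lowest free port."""
        key = (p.proto, p.src, p.sport)
        if key not in self.out_map:
            port = self.free.pop(0)          # 10000, then 10001, as in the slide 11 trace
            self.out_map[key] = port
            self.in_map[(p.proto, port)] = (p.src, p.sport)
        return Pkt(p.proto, self.outside_ip, self.out_map[key], p.dst, p.dport)

    def inbound(self, p):
        """WAN -> LAN: translate only if a binding exists, otherwise drop (None)."""
        target = self.in_map.get((p.proto, p.dport))
        if target is None:
            return None
        return Pkt(p.proto, p.src, p.sport, target[0], target[1])
```

Two LAN hosts that both use source port 50000 end up on outside ports 10000 and 10001, and an unsolicited packet to an unbound outside port never reaches the LAN.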

14 Connection Sharing HyperNAT – IP Passthrough
> Allows a public IP address to be used on the LAN (default server, IPsec-AH client, any NAT issues …)
> While preserving NAPT access for the other PCs (UPnP v1.0, all known ALGs: IPsec, PPTP/L2TP, SIP, …)
> Public IP address assigned to the PC manually or via DHCP; continued 1-1 NAT routing during a WAN IP address change event
> Compatible with dial-on-demand!

15 Connection Sharing HyperNAT – IP Passthrough
(Diagram: Default Server; Service/Portmaps)

Connectivity – NAT ALGs

17 Definition
ALG = Application Level Gateway
> Translates addresses and ports the NAT engine cannot handle
> Opens the firewall
> Creates NAT mappings

18 ALG Intervention Level
Layer  OSI              TCP/IP                      Network node
7      Application      HTTP FTP SMTP SNMP Telnet   gateway
6      Presentation
5      Session
4      Transport        TCP UDP
3      Network          IP                          router
2      Data-link (MAC)  SLIP PPP                    bridge
1      Physical                                     repeater, UTP cable
(Diagram labels: NAPT at the network/transport layers, ALG at the application layer)

19 ALGs Real Actions
> Create connection
> Delete connection
> Search connection
> Packet modification
> Add NAT mapping
> Remove NAT mapping

20 Supported ALGs
> IP6to4
> PPTP (VPN)
> ESP (IPsec)
> IKE (IPsec)
> SIP (VoIP)
> JABBER
> CU/SeeMe
> RAUDIO
> RTSP
> ILS (NetMeeting phonebook)
> H245 (NetMeeting)
> H323 (NetMeeting)
> IRC
> FTP

21 ALGs Triggering
Each ALG is bound to a port or a range of ports.
Available ALGs:
{Administrator}[connection]=>applist
Application  Proto DefaultPort Traces      Timeout
IP6TO4       6to4  0           enabled     unavailable
PPTP         tcp   1723        enabled     unavailable
ESP          esp   0           unavailable 15' 0"
IKE          udp   500         disabled    15' 0"
SIP          udp   5060        disabled    6' 0"
JABBER       tcp   5222        disabled    2' 0"
CU/SeeMe     udp   7648        enabled     unavailable
RAUDIO(PNA)  tcp   7070        enabled     unavailable
RTSP         tcp   554         enabled     unavailable
ILS          tcp   389         unavailable 5' 0"
H245         tcp   0           unavailable 5' 0"
H323         tcp   1720        enabled     unavailable
IRC          tcp   6667        enabled     5' 0"
LOOSE(UDP)   udp   0           enabled     5' 0"
FTP          tcp   21          enabled     unavailable

22 FTP ALG
> No firewall opening needed
> Firewall must accept the incoming connection on port 1027, coming from port 2024
> Inbound port shift mapping must be present
(Diagram: LAN / WAN, LAN server)
Tests:
> Inbound vs. outbound
> One vs. multiple LAN clients
> One vs. multiple WAN servers
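What the FTP ALG has to do for an active-mode data connection, as an added example that is not the gateway's code: it reads the PORT command a LAN client sends on the control channel, rewrites the private address and port to the gateway's outside address and a shifted outside port, and records the NAT mapping and the firewall pinhole the slide refers to. It assumes the slide's numbers mean inside port 2024 shifted to outside port 1027; the outside address 198.51.100.1 and all hosts are constructed sample values.

```python
# Added example: FTP ALG handling of an active-mode PORT command (not the gateway's code).
# Addresses, the starting outside port and the sample session are constructed values.
import re

OUTSIDE_IP = "198.51.100.1"      # constructed gateway WAN address
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n$")


class FtpAlg:
    def __init__(self, outside_ip=OUTSIDE_IP, first_port=1027):
        self.outside_ip = outside_ip
        self.next_port = first_port      # constructed: first port of the shifted inbound range
        self.mappings = {}               # outside port -> (inside ip, inside port)
        self.pinholes = set()            # (server ip, outside port) the firewall must accept

    def handle_command(self, line, client_ip, server_ip):
        """Inspect one control-channel line from the LAN client; return the line to forward."""
        m = PORT_RE.match(line)
        if not m:
            return line                  # not a PORT command: pass through unchanged
        h = m.groups()
        inside_ip = ".".join(h[:4])
        inside_port = int(h[4]) * 256 + int(h[5])
        if inside_ip != client_ip:
            return None                  # payload address is not the sender's: drop the command
        outside_port = self.next_port    # port shift: one outside port per data connection
        self.next_port += 1
        self.mappings[outside_port] = (inside_ip, inside_port)
        self.pinholes.add((server_ip, outside_port))
        o = self.outside_ip.split(".")
        return "PORT %s,%s,%s,%s,%d,%d\r\n" % (*o, outside_port // 256, outside_port % 256)

    def inbound_allowed(self, src_ip, dport):
        """Firewall check for the server's data connection: only the pinholed pair passes."""
        return (src_ip, dport) in self.pinholes
```

The pinhole is keyed on the server's address as well as the port, so a data connection from any other host to port 1027 is still refused.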

Managed Security Service Firewall

24 Managed Security Service Firewall - Overview
> The firewall has 2 functions:
  Protect the ST Gateway from unwanted management access
  Police traffic LAN to WAN and vice versa
> Mapped onto 2 firewall services:
  Firewall (fwd) > GUI/CLI
  ServiceManager (sink/src) > CLI

25 Managed Security Service Firewall - Default Policies
(Screenshot: Edit Level)

26 Stateful firewall CLI configuration
> General configuration: :firewall config state
  Tcpchecks, Udpchecks, Icmpchecks

27 Stateful firewall CLI configuration
> Firewall menu
Chain
> Incoming data is intercepted at packet interception points with chains attached to them
> List: shows the available chains
> The sink and source chains manage data sent to / received from the CPE host
> Sink/source traffic is controlled by the hostmanager
Rule
> Every chain can have a set of rules, each with an index
> Rules with the lowest index are executed first

28 Data Flow overview
(Diagram: Service Manager, host services, system services, manual firewall rules)

29 Firewall levels
> Only related to the forward chain!

30 Firewall rules
> Rules are linked to chains
> Main actions: drop, accept, deny, count
> Classification criteria:
  Source and destination interface
  Source and destination IP
  Service:
  > Services from the :expr menu
  > Manual expressions can be created
  Classifiers: ToS, precedence, proto, dscp
  Source/destination port ranges

31 Firewall rules
> Example with level=disabled

32 Firewall level
> Different levels according to the ICSA specification
> Set and check the level: :firewall level set

33 Hands on - Firewall
> Create a rule which drops http forwarding if the level of the firewall is set to Standard.
  :firewall level set …
  :firewall rule add > chain forward_level > …
> Create a rule which drops ftp to the CPE.
  :firewall rule add > chain sink > …
> Create a rule which denies udp with dest port 666 initiated from the CPE.
  :expr add > type serv > …
  :firewall rule add > chain source > …
  ip debug sendto addr= dstport=666
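To make the chain and rule semantics of slides 27, 30 and 33 concrete, here is an added model (not the gateway's implementation) of how a chain is walked: rules run in ascending index order, the first matching drop/accept/deny decides, a count rule only tallies and lets evaluation continue, and forward_level rules apply only at the firewall level they were created for. The three hands-on rules are expressed as constructed data; the rule indexes, the port-range form of the service and the packet representation are assumptions of this example.

```python
# Added example: model of chain/rule evaluation from the firewall slides (not gateway code).
# Rule indexes, the service as an inclusive port range and the packet dicts are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    index: int
    action: str                                 # drop, accept, deny or count
    proto: Optional[str] = None                 # None matches any protocol
    dstport: Optional[Tuple[int, int]] = None   # inclusive range, like a :expr service
    level: Optional[str] = None                 # forward_level rules: active at this level only
    hits: int = 0

    def matches(self, pkt, level):
        if self.level and self.level != level:
            return False
        if self.proto and self.proto != pkt["proto"]:
            return False
        return not self.dstport or self.dstport[0] <= pkt["dport"] <= self.dstport[1]


class Firewall:
    def __init__(self, level="Standard"):
        self.level = level
        self.chains = {"forward_level": [], "sink": [], "source": []}

    def rule_add(self, chain, rule):
        self.chains[chain].append(rule)
        self.chains[chain].sort(key=lambda r: r.index)   # lowest index is executed first

    def evaluate(self, chain, pkt, default="accept"):
        """First matching drop/accept/deny decides; a count rule tallies and continues."""
        for rule in self.chains[chain]:
            if rule.matches(pkt, self.level):
                rule.hits += 1
                if rule.action != "count":
                    return rule.action
        return default


def hands_on_firewall():
    """The three hands-on rules from the slide as constructed data, plus a count rule."""
    fw = Firewall(level="Standard")
    fw.rule_add("forward_level", Rule(20, "drop", proto="tcp", dstport=(80, 80), level="Standard"))
    fw.rule_add("forward_level", Rule(10, "count", proto="tcp", dstport=(80, 80)))
    fw.rule_add("sink", Rule(10, "drop", proto="tcp", dstport=(21, 21)))        # ftp to the CPE
    fw.rule_add("source", Rule(10, "deny", proto="udp", dstport=(666, 666)))    # udp 666 from CPE
    return fw
```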