0:00:12 | in the next section here for the IOS firewall we can look at the reflexive access list feature
0:00:18 | that adds a basic stateful tracking
0:00:22 | ability to access lists; we will see it is not as flexible as either the content based access control or the
0:00:28 | zone based policy firewall
0:00:30 | that is going to be the equivalent to the ASA modular
0:00:33 | policy framework
0:00:36 | now the idea behind reflexive access lists
0:00:38 | is that outbound traffic
0:00:40 | is going to be watched as traffic
0:00:43 | leaves the inside going to the outside network of the router
0:00:46 | and have an access list that is going to keep track of what traffic is leaving
0:00:51 | and make a copy of this in a state table
0:00:55 | so similar to what we will do with the modular policy framework
0:00:58 | or as I mentioned with CBAC or the
0:01:00 | zone based policy firewall
0:01:06 | so once the traffic leaves the network and goes through the outbound access list
0:01:09 | when it returns, the inbound access list
0:01:12 | is going to check the state table to see if the traffic
0:01:14 | should be either permitted or denied
0:01:17 | so the same type of logic that happens in a normal
0:01:19 | stateful firewall, and then
0:01:22 | our entries are going to expire after an inactivity
0:01:25 | timeout
0:01:26 | now this is different than the actual stateful filtering of IOS or the ASA
0:01:33 | because at an application level
0:01:36 | the inspection engine knows
0:01:37 | exactly what the application is supposed to do in terms of opening and closing the sessions
0:01:43 | like we saw previously with the ASA: we are inspecting ICMP
0:01:46 | and a ping is going out
0:01:49 | an echo is going to go out and it is going to return with an echo reply
0:01:53 | once the reply comes in
0:01:55 | comes back in, then the ASA is going to remove
0:01:58 | the outbound session from the state table
0:02:02 | now with reflexive access lists it is only guessing as to what the return traffic is going to be
0:02:07 | the router is really not looking at the individual states that we are going through
0:02:11 | it's just tracking the traffic that goes out
0:02:14 | and guessing as to what comes back in
0:02:17 | it's going to be the mirror image
0:02:19 | of the outbound traffic, and then after 5 minutes of
0:02:22 | inactivity by default the entries are going to be removed
0:02:26 | now we can modify this with the ip reflexive-list
0:02:28 | timeout
0:02:30 | but really it is not going to be as accurate
0:02:32 | as if we had actually used a stateful
0:02:36 | filtering mechanism
0:02:38 | now the big limitation of reflexive access lists
0:02:41 | is that we don't have any application level inspection
0:02:44 | so what that means
0:02:46 | is it is only going to work
0:02:48 | with standard TCP or UDP
0:02:51 | applications
0:02:51 | where again a standard application for TCP
0:02:55 | means that the outbound flow
0:02:57 | is the exact opposite of the inbound flow
0:03:00 | and a good example of this
0:03:03 | would be regular clear text web browsing
0:03:05 | with HTTP
0:03:08 | where again we have an HTTP client
0:03:10 | where the web client sends the first of the 3 way handshake to the web server
0:03:15 | where like
0:03:17 | other TCP protocols
0:03:20 | the source port
0:03:22 | is going to be some random value
0:03:25 | the destination port
0:03:28 | is
0:03:30 | the well known port, which is port 80
0:03:33 | again the first portion of the 3 way handshake, this is going to be the SYN
0:03:37 | the server replies back to the client with the SYN
0:03:40 | and the ACK
0:03:43 | this is portion 2 of the 3 way handshake
0:03:45 | the destination port
0:03:50 | becomes what used to be
0:03:52 | the source port
0:03:54 | the destination port is now the random port
0:03:58 | and the source port
0:04:00 | becomes 80
0:04:03 | then in the third portion
0:04:06 | the client replies with the acknowledgement
0:04:08 | and the connection is going to be open
0:04:10 | but the key here is that since web browsing
0:04:13 | HTTP is a standard TCP
0:04:15 | application the out
0:04:17 | bound flow
0:04:19 | is the exact opposite of the inbound flow
0:04:23 | and this is what reflexive access lists are:
0:04:27 | the fact that we are going to look at
0:04:29 | a mirror image of the outbound flow
0:04:32 | as what we should have as our inbound access list
0:04:37 | so it's called reflexive here because we are looking at
0:04:40 | basically a reflection
0:04:42 | of the traffic; the exact opposite, the mirror image
0:04:44 | of what is going out is what we should automatically allow back in
0:04:49 | now for any application that is non standard
0:04:52 | everything we talked about before, like FTP
0:04:55 | before doing active FTP versus passive FTP
0:04:58 | or traceroute
0:05:00 | any type of voice over IP application
0:05:03 | where typically the outbound flow
0:05:05 | is not the exact opposite of the
0:05:07 | inbound flow
0:05:08 | we have to have some sort of application level inspection
0:05:12 | and the reflexive access list feature does not support this
0:05:15 | because it's the precursor to the content based access control
0:05:19 | and the precursor to the zone based policy firewall
0:05:23 | so for very limited applications this is going to work
0:05:26 | but not as a true stateful firewall does, which can do the application level inspection
0:05:33 | now for the actual configuration
0:05:35 | the first portion is that we need to watch traffic as it is leaving the network
0:05:41 | and we do that with an access list
0:05:43 | so we have an access list that in this case I am calling outbound
0:05:46 | it's an extended ACL
0:05:48 | and it's going to watch any TCP traffic
0:05:50 | that is leaving
0:05:52 | and make a copy in a state table that I am calling stateful
0:05:56 | now as the traffic returns back in the opposite direction
0:06:01 | we have another access list, in this case called inbound,
0:06:05 | that is going to evaluate the state table
0:06:08 | now this statement here where we evaluate, this is what happens
0:06:11 | this is what happens implicitly
0:06:13 | in the modular policy framework
0:06:16 | or in CBAC or the zone based policy firewall
0:06:19 | where either the ASA or the router
0:06:21 | always checks the state table first
0:06:24 | when the traffic is returning from the less secure network
0:06:27 | to the more secure network
0:06:29 | which in the case of the ASA
0:06:30 | would be low security level to high
0:06:33 | like outside to inside returned traffic
0:06:36 | in the case of reflexive access lists
0:06:38 | we need to manually tell it
0:06:39 | what the state table is that we need to look at
0:06:43 | now if the traffic is not matched
0:06:45 | in the state table
0:06:47 | which means that it did not already leave the network
0:06:49 | then we can fall back typically towards an implicit deny
0:06:57 | now some of the considerations for this
0:06:58 | we need to keep in mind that locally
0:07:01 | generated traffic is not classified by an outbound access list
0:07:06 | so we saw before, if we configure an access list
0:07:08 | that denies ip any any
0:07:10 | on one of the router's outbound interfaces
0:07:13 | that still does not prevent the router from sending ICMP
0:07:15 | out that link
0:07:18 | now what this means in the case of reflexive access lists
0:07:22 | is that for any type of control plane traffic, like our IGP routing protocol
0:07:27 | maybe BGP, maybe
0:07:29 | something like multicast
0:07:31 | it means that when this traffic leaves the router's interface
0:07:34 | it's not going to be watched
0:07:37 | and it is not going to be reflected into the state table
0:07:41 | so this
0:07:41 | means when the traffic returns back in
0:07:45 | the router is not going to expect this and the traffic is going to be dropped
0:07:49 | now this could also affect any other type of locally generated management traffic
0:07:54 | like a ping or telnet or traceroute
0:07:57 | locally generated
0:07:58 | on the command line of the router; if I ping outbound
0:08:01 | even if I have a matching ICMP reflect statement
0:08:05 | the outbound access list is not going to classify that
0:08:10 | so the typical solution
0:08:11 | for this, the easiest way, is that as traffic
0:08:14 | is received back inbound
0:08:16 | we are just going to add it or manually
0:08:18 | permit it, explicitly permit it,
0:08:20 | in the access list that is applied back in
0:08:25 | so on the router
0:08:26 | if I have a reflexive ACL and I want to be able to ping from that router locally
0:08:31 | it means the outside
0:08:33 | in access list has to say to permit
0:08:36 | echo reply
0:08:40 | now another potential
0:08:42 | solution here, which is kind of a hack on the routing process,
0:08:44 | is to use local policy based routing
0:08:47 | because when traffic goes through the policy routing process, or the PBR process,
0:08:52 | the router then treats it as transit traffic, not as locally generated traffic
0:08:59 | so this is more of a kind of stupid router trick; technically you could
0:09:03 | local policy route it and then back out
0:09:07 | so you treat it as transit traffic
0:09:10 | but generally the easiest way is simply to account for the inbound
0:09:14 | flows
0:09:15 | that are a result of your local control plane
0:09:20 | so if I am trying to do BGP peering
0:09:22 | on an interface where I have the reflexive ACL applied
0:09:25 | I would just need to permit
0:09:27 | traffic going to port 179 and traffic coming from TCP 179 as it comes back in
0:09:35 | now documentation wise, if we go to
0:09:38 | the
0:09:39 | router IOS documentation
0:09:42 | from the 12.2T configuration guide
0:09:45 | this is going to be down under
0:09:47 | security and then under
0:09:50 | traffic filtering,
0:09:52 | configuring IP session filtering
0:09:54 | or reflexive access lists
0:09:57 | now we see the syntax of this is very very straightforward
0:10:00 | if we compare it to
0:10:02 | either CBAC or the zone based policy firewall
0:10:05 | but the limitation is we do not have application level inspection
0:10:10 | so any type of TCP or UDP
0:10:13 | application
0:10:14 | where the inbound
0:10:17 | flow is not actually the opposite of the
0:10:19 | outbound flow
0:10:21 | then reflexive access lists would not be able to deal with that
0:10:27 | so let's take a look at a configuration example of this in our particular topology
0:10:32 | where on router 1
0:10:35 | we have two
0:10:36 | different interfaces where
0:10:38 | the link that is going to connect to the frame relay network, or to the WAN cloud here,
0:10:43 | this is going to be considered our
0:10:45 | outside interface
0:10:48 | then the link that connects into VLAN 111
0:10:50 | this is going to be our inside
0:10:53 | so we want to track
0:10:55 | traffic as it is moving from the inside out
0:10:58 | then as it tries to return
0:11:00 | router 1 is going to decide
0:11:02 | to permit the traffic based on the return state table
0:11:06 | or it is going to drop the traffic based on the access list that would be applied to the
0:11:10 | interface
0:11:14 | our first step on router 1 is to create the access list
0:11:18 | that is going to classify the traffic as it is leaving the network
0:11:22 | now there are two different ways we can do this; if we look at the show ip route connected
0:11:27 | we can see our 2 interfaces where the
0:11:29 | where the
0:11:30 | WAN interface, the serial link, this is going to be considered our outside interface
0:11:35 | and the LAN interface
0:11:37 | the FastEthernet, that is considered the inside interface
0:11:42 | now if we look at the result of the traffic flow
0:11:45 | there are essentially only two ways
0:11:47 | traffic could be classified here
0:11:50 | we can watch it as it comes
0:11:52 | in on the inside interface
0:11:55 | or we can watch it as it goes
0:11:57 | out the outside interface
0:12:01 | so I can
0:12:02 | apply the reflexive access list in on the inside
0:12:05 | or out on the outside
0:12:08 | you technically can do either one
0:12:10 | but most of the time it's a little bit easier design wise to
0:12:13 | apply the
0:12:15 | access list outside out
0:12:19 | now we will get into more
0:12:20 | detail on this later when we get into
0:12:22 | CBAC and the zone based policy firewall
0:12:25 | especially when we get into the design of
0:12:27 | three or more zones
0:12:30 | similar to how we have an ASA here where we have not only the inside and the outside
0:12:35 | we also have the DMZ
0:12:38 | this type of
0:12:39 | 3 or more security design, or security zone design,
0:12:43 | is actually very difficult to implement
0:12:45 | when we are looking at reflexive access lists
0:12:46 | or content based access control
0:12:51 | so if we look at configuration examples, sometimes
0:12:53 | you see the reflexive list
0:12:55 | being applied in on the
0:12:57 | inside or out on the outside
0:13:00 | in effect it is going to accomplish the same thing
0:13:03 | it's trying to watch the traffic as it leaves the network
0:13:06 | and either selectively permit or deny it
0:13:08 | as it returns back inbound
0:13:18 | so first we have
0:13:21 | ip access-list extended
0:13:23 | this is our outside
0:13:26 | outside interface out
0:13:29 | this is how it is going to watch
0:13:32 | or permit any TCP traffic
0:13:35 | so I don't care where it's coming from or where it's going to
0:13:38 | but I am going to reflect it
0:13:42 | to a state table that I am defining next, so I call it
0:13:44 | state table
0:13:47 | I am going to do the same thing with
0:13:50 | any UDP packets
0:13:53 | and any ICMP packets
0:14:00 | now as the traffic returns
0:14:02 | in the reverse manner
0:14:04 | so this is going to be the outside interface back inbound
0:14:07 | I now need to check this reflexive
0:14:10 | state table that I am creating
0:14:12 | to see if the entries have already been
0:14:15 | created from the inside
0:14:17 | so again this step is what implicitly already happens
0:14:20 | with CBAC, the zone based policy firewall,
0:14:22 | or with the ASA modular policy
0:14:25 | framework, where the state table is always checked
0:14:27 | first before we look at the access list
0:14:30 | exceptions.
0:14:37 | so next let me configure our access list
0:14:40 | ip access-list extended, that is outside
0:14:42 | outside in
0:14:45 | outside in is going to say to evaluate
0:14:49 | this state table, so those are the particular
0:14:52 | entries I created
0:14:54 | and make sure we are not dropping traffic that we want to allow through
0:14:58 | I am going to deny everything else
0:15:01 | and then I am going to generate a syslog message
0:15:03 | to see exactly what packets I am dropping
0:15:09 | now again, in a real design you have to be careful with this
0:15:12 | because anytime you are logging
0:15:14 | packets on an access list entry
0:15:17 | it means the traffic flow is going to be
0:15:19 | process switched
0:15:20 | so if there are lots of flows that are being denied as we are moving from the outside in
0:15:26 | the result would be, when you look at the
0:15:28 | show
0:15:29 | processes cpu, or show processes cpu sorted,
0:15:33 | we would see the process
0:15:35 | that is called IP Input
0:15:39 | and we don't really see it here because not many packets are transiting
0:15:44 | but if we were to
0:15:45 | send some packets through the router, let's say we go to
0:15:50 | switch 2
0:15:52 | and let's send a bunch in this direction
0:16:00 | let's ping router 2 for example, we ping 200.0.0.2
0:16:05 | if I send a bunch of these packets
0:16:10 | and on router 1 we look at the CPU, let's look for IP Input
0:16:17 | it's going to be the process IP Input
0:16:20 | now under normal circumstances you should see the CPU utilization for IP Input fairly low
0:16:27 | if you see it at somewhere around 80, 90 percent or higher
0:16:31 | generally this means that too much traffic is being process switched
0:16:34 | and either the router
0:16:35 | either the router is undergoing a denial of service attack
0:16:39 | or there is something wrong with the configuration
0:16:41 | where you are process switching traffic that you are not supposed to be
0:16:45 | you could also look at show processes cpu
0:16:49 | history
0:16:51 | and you look at the visual graph
0:16:55 | if you look at the graphs you see that
0:16:56 | over the past 60 seconds, over the past
0:16:59 | hour, that the
0:17:02 | utilization is very high, you would see
0:17:04 | a bunch of asterisks up here
0:17:08 | where this is the CPU utilization over time
0:17:12 | where this is the CPU utilization over time, that can be an indication of problems with the IP Input process
0:17:21 | but my purpose here is that it's going to be useful just for us to see
0:17:25 | if there are any necessary flows in the network
0:17:28 | that I am accidentally denying that I have to come back later and permit
0:17:34 | so now let's look at the show access-list
0:17:37 | we have two lists, we have the outside in and outside out
0:17:42 | on the interface now, which is serial 0/0/0.12
0:17:47 | I want ip access-group
0:17:49 | outside out, out
0:17:55 | and in, in
0:18:00 | and notice on the first line where I mistyped the syntax
0:18:04 | I said underscore o u
0:18:06 | and I forgot the t
0:18:09 | notice that the IOS parser did not generate a log message that tells me that the access list name was wrong
0:18:17 | so if I reference an access list that does not exist
0:18:20 | it's not going to deny traffic, it is still going to allow it
0:18:24 | that's not really the configuration I want
0:18:29 | we can see very soon as we apply the list the log message
0:18:31 | that comes in
0:18:33 | says on that access list, outside in,
0:18:36 | I denied OSPF traffic
0:18:39 | from router 2
0:18:41 | that's going to the OSPF multicast 224.0.0.5
0:18:45 | then as a result of that my
0:18:47 | IGP neighbor relationship went down
0:18:51 | because that neighbor then exceeds the OSPF dead interval
0:18:59 | so this is what I mean about this
0:19:02 | type of access list
0:19:08 | if you look at the routing design here on router 1
0:19:11 | on its outside interface
0:19:15 | it's using OSPF as the IGP for the routing control plane
0:19:23 | this means that when I check the traffic as it comes back in
0:19:27 | in on the outside interface, I have to explicitly allow this
0:19:31 | now I need to edit this list, it is outside in
0:19:35 | and say permit OSPF traffic back in
0:19:38 | so ip access-list extended outside in
0:19:41 | and I need to put it before sequence number 20
0:19:45 | so we say sequence number 11 is going to permit ospf
0:19:50 | ospf any any
0:19:53 | if I were
0:19:55 | to, let's say, no 20, that's going to remove the deny any any
0:19:59 | depending on the other types of traffic that I have
0:20:02 | there may be a number of different flows that I need to allow
0:20:06 | so I may need permit eigrp
0:20:09 | if I were using
0:20:11 | RIP for routing, that would be udp any any eq rip
0:20:16 | if I was using BGP I would have to permit tcp any any eq 179
0:20:22 | which is BGP
0:20:24 | but I would also have to permit it
0:20:26 | from 179
0:20:30 | now for the BGP
0:20:31 | flow I would want to match it in both directions here
0:20:35 | I would want the source port and the destination port
0:20:41 | because I don't necessarily know who is going to be the client
0:20:45 | and who is going to be the server
0:20:48 | now BGP is a standard TCP application, just like telnet or web browsing is
0:20:53 | where again we are going to have that
0:20:55 | reverse logic of the flows
0:20:58 | where when the traffic goes out
0:21:00 | it's going to be the well known port as the destination
0:21:03 | then when the traffic returns in it's going to be using the well known port as the source
0:21:08 | so from router 1's perspective
0:21:10 | if it is the TCP client
0:21:14 | it means that its local traffic
0:21:16 | going out
0:21:18 | is going to 179
0:21:21 | so let's say for example that router 1 has a BGP peering with router 3
0:21:26 | when this traffic leaves
0:21:28 | the source port
0:21:30 | is random
0:21:32 | and the destination is 179
0:21:36 | when the traffic returns back in
0:21:39 | since router 3 is the TCP server
0:21:42 | the source port is 179
0:21:44 | and the destination port is
0:21:46 | random
0:21:49 | so for TCP flows when you're matching, typically we want to do it bi-directionally
0:21:54 | either to the port or from the port
0:22:00 | now what if we had
0:22:02 | different IPsec VPNs or SSL VPNs going through this filter
0:22:09 | what else would we need to match in this access list? let's say that the
0:22:13 | ASA here
0:22:15 | is an easy VPN
0:22:20 | easy VPN server
0:22:25 | and we have an end host down here
0:22:29 | that is terminating the VPN client
0:22:33 | or maybe it's the other way round, or maybe the ASA 2, maybe this is the server and the test PC is terminating
0:22:39 | an IPsec VPN
0:22:43 | so we need to think about
0:22:44 | first how we do the negotiation of the tunnel
0:22:47 | that would be UDP
0:22:50 | udp any any that is equal to
0:22:51 | port 500 for IKE
0:22:55 | or ISAKMP if you prefer
0:22:58 | then for the payload of the tunnel
0:23:01 | we would need to think about how it is actually tunneled
0:23:04 | is it going to be running in
0:23:06 | ESP
0:23:07 | is it running over AH
0:23:10 | is ESP tunneled over UDP or over TCP
0:23:14 | for that, the native
0:23:16 | tunnel support, that would be ESP
0:23:20 | esp any any, or possibly AH
0:23:24 | the authentication header
0:23:27 | if it's going over UDP
0:23:30 | depending on whether we are going through NAT traversal or not
0:23:33 | we may need UDP 4500
0:23:37 | we may need UDP 10000
0:23:39 | depends on what the server is doing
0:23:43 | if we were allowing
0:23:44 | an SSL VPN
0:23:47 | this would be TCP
0:23:50 | going to 443
0:23:55 | so the key point here is you need to know what the differences are between these individual application flows
0:24:00 | that are related to these types of services
0:24:03 | now you don't necessarily need to memorize all these
0:24:06 | because by using the logging of the access list
0:24:09 | we can quickly see what is going to be dropped
0:24:13 | so when we get into some more of our advanced applications of doing the
0:24:17 | IPsec tunnels and the SSL VPN tunnels
0:24:21 | and the
0:24:22 | TACACS+ and RADIUS, we will see how using the logging on the access list
0:24:26 | can make it a little bit easier for us to figure out exactly what the flows are
0:24:30 | that we need to permit
0:24:32 | or the ones that are denied that are not going to affect our activity
0:24:41 | so now at the end of our list let's go ahead and add again deny ip any any
0:24:46 | if we now look at our show access-list
0:24:52 | we can see some of these ports that are used are well known
0:24:55 | codes already
0:24:57 | the 179 was bgp
0:24:59 | the 500 was isakmp
0:25:01 | this one here, 4500,
0:25:03 | it says non500-isakmp, this is for
0:25:09 | NAT traversal or NAT transparency
0:25:13 | so port 4500 by default
0:25:16 | then
0:25:17 | this one, 443, that is kind of odd that it doesn't have a
0:25:20 | a name there
0:25:21 | by name this is for SSL
0:25:24 | for HTTPS
0:25:27 | but we can see now we don't have any
0:25:29 | hits on the
0:25:31 | final access list entry, deny ip any any
0:25:34 | so it looks like there is nothing
0:25:36 | being dropped that is coming back in on that link
0:25:41 | on router 1 if we look now at show ip route ospf
0:25:45 | we can see that we are learning
0:25:47 | prefixes that are coming in on the outside interface
0:25:52 | so assuming now that this is working
0:25:56 | let's go to the
0:25:59 | test PC that's behind router 1
0:26:03 | and let's send some traffic out, let's send some pings
0:26:06 | out to the rest of the network
0:26:08 | we will do some web browsing, let's say that router 2 is going to listen for its HTTP service
0:26:14 | and we will see if these flows are going to be allowed back in
0:26:17 | on router 1's outside interface
0:26:26 | so on router 2 let's go to global config and we will turn the web service on
0:26:30 | ip http server
0:26:37 | next on the test PC that's behind router 1 there
0:26:41 | let's see if we can do a ping out to router 2
0:26:43 | ping 200.0.0.2
0:26:50 | that looks OK, then let's
0:26:52 | do some web browsing, let's go to
0:26:57 | http://200.0.0.2
0:27:05 | we will see we get the login prompt
0:27:08 | so we should be able to get to the
0:27:09 | web management interface on router 2
0:27:12 | now if we look at the result of this on router 1
0:27:15 | what is different here
0:27:17 | in this type of configuration versus
0:27:19 | the ASA's modular policy framework
0:27:22 | or CBAC or the zone based policy firewall
0:27:25 | is that the router is not creating a state table per se
0:27:30 | but what it is now doing
0:27:32 | is automatically
0:27:33 | putting additional access list entries
0:27:37 | at the top of our outside in ACL
0:27:42 | and we would see this if we look at show access-list
0:27:46 | we can see that for the
0:27:48 | outside in
0:27:52 | we have the state table
0:27:55 | and it says these are the entries that should be processed first
0:27:59 | when I'm matching this statement it says evaluate state table
0:28:03 | it's basically automatic entries in the access list that are exceptions
0:28:08 | so it's saying that the web browsing that router 2 did
0:28:11 | the return should be sourced from port 80
0:28:15 | and destined to the random port 1429
0:28:19 | or it could be
0:28:21 | ICMP that came
0:28:24 | from router 2 and is going to the
0:28:27 | inside host, or it is going to
0:28:30 | switch 2
0:28:33 | where to actually switch a bunch of packets let's do just a regular ping
0:28:39 | so we can see this is being matched by the state table
0:28:43 | on router 1
0:28:46 | but notice now, even though the pings are done being sent
0:28:51 | the reflexive entries are automatically closed
0:28:55 | it's going to be based on whatever this
0:28:57 | timeout value is
0:29:01 | so it is not truly stateful in the manner that
0:29:04 | CBAC or the zone based policy firewall or the ASA is
0:29:09 | where it's sending the traffic out
0:29:11 | but it really doesn't know what the response is going to be that comes back in
0:29:14 | it's just guessing that if I flip the port numbers and I flip the source and destination
0:29:19 | that's really what should be
0:29:21 | the return traffic
0:29:24 | now where this is going to fall apart
0:29:27 | is any time we have any type of non standard application
0:29:31 | so for example if we were to try to do a traceroute
0:29:35 | through the firewall
0:29:38 | and we talked about this in the case of the ASA
0:29:41 | the key here is that the outbound flow
0:29:45 | is different than the inbound flow
0:29:49 | on router 1 if we look at the show access-list
0:29:55 | we see that the
0:30:03 | the deny, this should be getting hits
0:30:12 | once it gets past router
0:30:14 | once it gets past router 1, so
0:30:17 | actually what is happening is this end host is trying to do DNS resolution
0:30:22 | so let's take a look, let's come back
0:30:23 | let's try this from, let's say, switch 2
0:30:26 | let's trace to 200.0.0.2
0:30:32 | so the first half is timing out, it's the ASA
0:30:35 | that is
0:30:39 | dropping those packets
0:30:41 | but once we get to router 1
0:30:43 | we would see that it's the same case, that these are being denied
0:30:48 | now we really don't know what these are yet because we are not logging the access list entry
0:30:56 | but it's going to be the same logic as before when we saw the problem with the modular policy framework on the ASA
0:30:58 | where when the traffic goes out
0:31:01 | and is returning back in
0:31:04 | router 1 is watching either the ICMP echo from the Windows traceroute
0:31:09 | or the UDP echoes from the
0:31:12 | Unix variation, which is what the router is using
0:31:17 | and if we look at the result of the access list here
0:31:20 | we can see router 1 thinks that it is supposed to allow
0:31:23 | these UDP flows back in
0:31:26 | or it's supposed to be allowing these
0:31:28 | ICMP flows back in
0:31:30 | where really that's not what it is
0:31:35 | so the outbound traffic here is UDP
0:31:39 | but the inbound return flow needs to be ICMP for the traceroute
0:31:45 | so if I want the test PC and switch 2 to be able to traceroute through router 1
0:31:50 | with reflexive access lists I would need to allow back in on the outside interface
0:31:58 | it's going to be ICMP, but specifically what type
0:32:05 | it's going to be the ICMP time exceeded and the ICMP port unreachable
0:32:11 | so unreachable that has the sub code of port unreachable
0:32:15 | and then time exceeded
0:32:18 | now I technically had to do this on ASA 1 as well
0:32:22 | because if we did log in here we would see that
0:32:25 | even the inspection of ICMP is not going to catch it
0:32:29 | so on ASA 2 let's say show access-list
0:32:32 | I would need access-list outside in
0:32:36 | permit icmp any any
0:32:38 | unreachable
0:32:51 | access-list outside in permit icmp any any unreachable, and then permit
0:32:56 | icmp any any
0:32:59 | time-exceeded
0:33:02 | and we will say access-group
0:33:06 | outside in
0:33:10 | in interface outside
0:33:12 | so router 1 needs to do the same configuration here
0:33:16 | when we show run section access-list
0:33:22 | for access list outside in
0:33:27 | let's put these entries on the top: I will say sequence number 1, permit icmp any any
0:33:32 | time-exceeded
0:33:38
|
time exceeded and entry 2 says permit icmp any any
|
|
0:33:42
|
code unreachable
|
|
0:33:47
|
so now if we would do trace route
|
|
0:33:50
|
from the windows command line
|
|
0:33:53
|
or if we would do the trace route from switch 2
|
|
0:33:57
|
we should see this come back in
|
|
0:34:00
|
and if we look at router 1 and look at the show access list
|
|
0:34:08
|
we see we get the port unreachable and then time exceeded are going to be ones in the
|
|
0:34:13
|
are the intermediate path so if i were to trace someone
|
|
0:34:16
|
further along than that
|
|
0:34:19
|
lets say we were to trace to
|
|
0:34:22
|
router 4 lets trace to 172.16.4.4
|
|
0:34:33
|
and lets do this on switch 2 as well trace
|
|
0:34:36
|
172.16.4.4
|
|
0:34:39
|
so the packets do get all the way there if we look at router 1 show ip access list or show access list
|
|
0:34:45
|
because its both of these types time exceeded and port unreachable
|
|
0:34:51
|
there is a question of port unreachable for the new experience or for the
|
|
0:34:56
|
Microsoft trace route the Microsoft will be
|
|
0:35:00
|
an icmp echo reply
|
|
0:35:02
|
so one way we could see this actually i haven't really talked about this yet but
|
|
0:35:08
|
within the scope of
|
|
0:35:10
|
this type of lab environment if
|
|
0:35:13
|
you are trying to track down some sort of network flow
|
|
0:35:17
|
that basically that network is unusable anyways
|
|
0:35:20
|
you can debug the transit traffic between the router's interfaces
|
|
0:35:25
|
the problem is in order to do this we process switch the traffic
|
|
0:35:29
|
and this is going to cause the cpu to be very high
|
|
0:35:32
|
so in a lab environment this is fine this doesn't matter
|
|
0:35:35
|
but in production you have to be very very careful with this
|
|
0:35:38
|
and the way we could do this
|
|
0:35:40
|
is first we are going to create an access list
|
|
0:35:44
|
that is
|
|
0:35:46
|
we say access list 111
|
|
0:35:52
|
permit
|
|
0:35:54
|
ip host
|
|
0:35:57
|
10
|
|
0:35:59
|
192.168.118.100
|
|
0:36:02
|
any
|
|
0:36:05
|
so thats the windows machine i was doing the traces from
|
|
0:36:09
|
so its from that host or to that host
|
|
0:36:15
|
so in either direction
|
|
0:36:19
|
then on the transit interface on router 1 if we look at the show ip route connected
|
|
0:36:26
|
which are serial 0/0/0.12
|
|
0:36:30
|
im going to say no ip route-cache
|
|
0:36:34
|
and the same on the fast ethernet
|
|
0:36:35
|
so what this is doing is disabling the cef process
|
|
0:36:39
|
which means that all of the traffic is going to be process switched
|
|
0:36:43
|
and the reason that we need to do this is
|
|
0:36:45
|
transit traffic on the router interface is cef-switched
|
|
0:36:49
|
which means you would not see the output in the debug
|
|
0:36:53
|
we will do this a lot more when we're looking at
|
|
0:36:55
|
troubleshooting different types of ipsec tunnels or advanced security
|
|
0:36:59
|
we will actually look at the transit traffic
|
|
0:37:02
|
what i can now do is look at the debug ip packet detail
|
|
0:37:06
|
and filter this through access list 111
|
|
0:37:10
|
so its going to show me the debug output but only for traffic that came from or is going to that individual host
|
|
0:37:16
|
so now lets go back to the host
|
|
0:37:19
|
and lets do the trace again
|
|
0:37:23
|
if we look at router 1
|
|
0:37:25
|
we should see once the packet actually gets there
|
|
0:37:29
|
its going to tell us what the
|
|
0:37:31
|
the packet is
|
|
0:37:34
|
and we could go further if we say debug ip packet dump
|
|
0:37:38
|
111
|
|
0:37:39
|
it would show us the actual packet payload
|
|
0:37:42
|
like as if you are looking in a packet analyzer like a sniffer
|
|
0:37:49
|
so here it shows the traffic leaving and returning it says it came from
|
|
0:37:55
|
packet came from me going to them
|
|
0:37:59
|
that was icmp type 11 code 0
|
|
0:38:04
|
then there was also
|
|
0:38:06
|
type 8 code 0
|
|
0:38:20
|
so lets see if we see the final reply
|
|
0:38:27
|
from router 4
|
|
0:38:29
|
so this is what i want to see what did router 4 actually send back
|
|
0:38:33
|
and it is
|
|
0:38:35
|
those 3 different types of traffic here
|
|
0:38:38
|
there was traffic from me originally
|
|
0:38:42
|
so we will go all the way to the top, its a lot of output to sort through here
|
|
0:38:46
|
but from router 1
|
|
0:38:48
|
it was type 11 code 0
|
|
0:38:52
|
then from
|
|
0:38:54
|
the actual source of the trace
|
|
0:38:57
|
it was type 8 code 0
|
|
0:39:01
|
and then finally
|
|
0:39:03
|
from the final destination which is router 4
|
|
0:39:06
|
it was type 0 code 0
|
|
0:39:11
|
so its type 8 11 and 0 lets look this up lets say icmp
|
|
0:39:16
|
type codes
|
|
0:39:20
|
where 11 should be our time exceeded
|
|
0:39:23
|
time exceeded type 11 code 0 this is going to go from anyone in the transit path
|
|
0:39:28
|
then type 8
|
|
0:39:30
|
code 0 this is the echo this is ping coming from them
|
|
0:39:34
|
and then 0 code 0 is the reply
|
|
0:39:38
|
this is showing us that the windows host
|
|
0:39:40
|
is using just pings for the trace route
|
|
0:39:46
|
now if we were to change this lets say on the access list
|
|
0:39:50
|
lets show access-list 100
|
|
0:39:53
|
or 111 i called it
|
|
0:39:56
|
now lets say i want to look at whats coming from switch 2 as well
|
|
0:40:00
|
so i will say access list
|
|
0:40:03
|
111 permit ip host
|
|
0:40:06
|
192.168.118.8
|
|
0:40:09
|
any
|
|
0:40:11
|
or going to them
|
|
0:40:15
|
now when i send my traffic from here
|
|
0:40:19
|
router 1 is going to see the debug for that particular host
|
|
0:40:25
|
so the key point here is that you don't necessarily memorise these types of minute details about the traffic flows
|
|
0:40:31
|
as long as you know how you can figure it out
|
|
0:40:34
|
when you actually need this information
|
|
0:40:36
|
and this is one of the ways that you can do it
|
|
0:40:39
|
so if we look at this now it says that there was type 3 code 3
|
|
0:40:44
|
from router 4
|
|
0:40:47
|
then if we scroll towards the top
|
|
0:40:50
|
we will see these udp packets coming from the source of the trace routes
|
|
0:40:55
|
this udp traffic is trying to solicit an icmp reply
|
|
0:41:00
|
which is type 11 code 0 that's our time exceeded
|
|
0:41:05
|
then for the final destination its trying to solicit
|
|
0:41:08
|
the
|
|
0:41:10
|
type 3 code 3 which is the unreachable
|
|
0:41:13
|
sub code 4 unreachable
|
|
0:41:17
|
so lets look at the final configuration for this if we look at the interface level
|
|
0:41:22
|
we have the access list thats watching the traffic out
|
|
0:41:26
|
and then watching it as it comes back in
|
|
0:41:30
|
when we look at these configs
|
|
0:41:33
|
the one that is applied outbound
|
|
0:41:36
|
this is what is reflecting the traffic to the state table
|
|
0:41:39
|
then we could see this timeout, this is in secs, its five mins by default
|
|
0:41:45
|
so we are watching the traffic as it goes out
|
|
0:41:47
|
when it returns back in we are checking that state table to see if its already matched
|
|
0:41:52
|
if it is matched here then its going to permit the traffic
|
|
0:41:56
|
if not then we are making an exception saying that any of the control plane does allow it
|
|
0:42:01
|
otherwise we are going to drop it
|
|
0:42:07
|
but if we were to test this from router 1 lets say we ping to router 2
|
|
0:42:14
|
again since the local access list
|
|
0:42:18
|
is not affecting the outbound traffic
|
|
0:42:21
|
router 1 cannot match its own
|
|
0:42:24
|
traffic
|
|
0:42:26
|
so if router 1 wanted to do a ping
|
|
0:42:28
|
or router 1 wanted to do a telnet
|
|
0:42:32
|
i will need to on the outside in
|
|
0:42:36
|
for the inbound access list
|
|
0:42:38
|
i would need to allow this traffic back in
|
|
0:42:42
|
so i could say for example in
|
|
0:42:45
|
access list outside in
|
|
0:42:49
|
sequence no. 3 will permit
|
|
0:42:52
|
ip traffic thats going to router 1 itself
|
|
0:42:59
|
any traffic to this host
|
|
0:43:02
|
so now i should be able to ping
|
|
0:43:05
|
and now i should be able to telnet
|
|
0:43:08
|
because now this access list entry is allowing traffic to return back in
|