Dear All,
I know a fair amount about configuring NAT on a Cisco firewall, but what about the cool feature of controlling TCP and UDP connections on your security appliance? Remember that when you configure NAT for the internal network, or a static NAT for an internal/DMZ server on the outside interface so that the server has a persistent mapping to the outside, you have the option of limiting TCP and UDP connections.
It looks like this:
nat (inside) 1 0 0 tcp 25 25 udp 25
Irrespective of global command used, u can only control tcp and udp connections when using nat command.
Explaination:
Above nat command tells that any number of hosts from any hosts can xlated but each host will only can make 25 tcp established connections, 25 tcp embryonic connections can be made(those connections whose sys flag is on), and 25 udp connections. Remember, this configuration applies to each and every hosts trying to initiate connection from inside(Egress Traffic).
What about static NAT:
Take this example:
static (dmz,outside) tcp 1.1.1.1 21 192.168.1.3 21 netmask 255.255.255.255 tcp 0 25 udp 0
Here the internal (DMZ) host 192.168.1.3, an FTP server, is mapped with netmask 255.255.255.255, i.e. only that one host, onto the outside IP 1.1.1.1. tcp 0 25 says that an unlimited number of TCP connections can be made from outside (0 means unlimited), but embryonic connections cannot exceed 25.
What happens after the limit is reached:
The security appliance uses TCP SYN cookies and acts as a proxy between the two hosts. When it sees more than 25 embryonic connections to the server from any host, it intercepts the connection: on behalf of the connecting host it recalculates the SYN segment and sends it to the target host. If it gets a SYN-ACK back, it relays it to the connecting host (the source host). If the security appliance then receives the ACK segment, it allows the connection; otherwise it drops the traffic.
Because of the SYN cookie technique, these half-open TCP connections are not stored in DRAM; the security appliance handles them on the fly. This is how SYN-flood DoS is mitigated.
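As an added example, not from the original post, here are the same two limits expressed in the Modular Policy Framework form that ASA 7.x and later use instead of the nat/static arguments; the class-map and policy-map names are assumed, while 1.1.1.1, port 21 and the limits come from the commands above.

```cisco
! Added example, not from the original post. Assumes ASA 7.x or later.
! class-map/policy-map names are made up; the limits mirror the
! "tcp 25 25 udp 25" of the nat command and the "tcp 0 25 udp 0"
! of the static above.
!
! Per-host egress limits: 25 established and 25 embryonic TCP
! connections per inside client.
class-map inside-clients
 match any
policy-map inside-policy
 class inside-clients
  set connection per-client-max 25 per-client-embryonic-max 25
service-policy inside-policy interface inside
!
! Server-side limits for the FTP static: unlimited established
! connections (0), at most 25 embryonic before the appliance starts
! SYN-cookie interception on behalf of the server.
class-map dmz-ftp
 match port tcp eq 21
policy-map outside-policy
 class dmz-ftp
  set connection conn-max 0 embryonic-conn-max 25
service-policy outside-policy interface outside
!
! Verify with "show service-policy" (configured limits) and
! "show local-host" (current and embryonic counts per host).
```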