Sunday, December 6, 2009

Cut Through Proxy


This is not a full-fledged proxy; I call it a stateful proxy. Here the right side of the firewall is the inside network and the left side is the unsecure connection. The test was done with a VMware guest as the inside host, and the outside network was reached over a DSL connection from the Windows XP host OS. It was successful: when accessing any website, the traffic was intercepted by the security appliance, which asked for a username and password and dropped the connection if they were not correct. In this configuration the cut-through proxy is used to intercept egress TCP connections only.
Configuration of Firewall:

hostname pixfirewall
domain-name default.domain.invalid
enable password oyM4X.DeOBQWUivD encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet2
nameif inside
security-level 100
ip address 192.168.56.254 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd Q6PcEw0JPNC8SDNU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list icmp_in extended permit icmp any any
access-list private_ip_from_outside extended deny ip 10.0.0.0 255.0.0.0 any
access-list private_ip_from_outside extended deny ip 172.16.0.0 255.248.0.0 any
access-list private_ip_from_outside extended permit icmp any any
access-list private_ip_from_outside extended deny tcp any any eq 445
access-list private_ip_from_outside extended deny tcp any any eq 137
access-list deny_inside_to_outside extended deny tcp 192.168.0.0 255.255.0.0 any eq 445
access-list deny_inside_to_outside extended permit ip any any
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! for letting data traffic flow from inside to outside
global (outside) 1 192.168.1.100
global (outside) 1 192.168.1.101
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group private_ip_from_outside in interface outside
access-group deny_inside_to_outside in interface inside
! default route to the outside next-hop IP, i.e. 192.168.1.1
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 3:00:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! authentication based on the service accessed; in this case all TCP-based services (i.e. http, ftp, telnet etc.)
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
aaa authentication secure-http-client

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.56.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
!
!
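The decision path behind the configuration above, as an added illustration (not the PIX's own code): every inside-to-outside TCP flow is matched by `aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL`, the first flow from an unauthenticated host is intercepted and the user is prompted (over HTTPS, per `aaa authentication secure-http-client`), and a successful login is cached per source IP for three hours regardless of activity (`timeout uauth 3:00:00 absolute`), after which the prompt returns. UDP and ICMP are not in the include rule and pass untouched. The LOCAL user database and the inside host address are constructed here, since the page does not show its `username` lines.

```python
"""Model of the PIX cut-through proxy decision path (added example, not the
appliance's code).  Assumes the page's configuration: TCP from any inside host
needs an authenticated user, and a login is cached for 3 hours absolute."""
import hashlib
import hmac

UAUTH_ABSOLUTE_SECONDS = 3 * 3600      # timeout uauth 3:00:00 absolute
AUTHENTICATED_PROTOCOLS = {"tcp"}      # include tcp/0 covers every TCP port, nothing else


def _digest(password: str) -> bytes:
    # Constructed for the model; a real credential store would use a salted KDF.
    return hashlib.sha256(password.encode()).digest()


LOCAL_USERS = {"alice": _digest("correct horse")}   # constructed LOCAL database


class CutThroughProxy:
    def __init__(self):
        self.now = 0.0          # injected clock, seconds since boot
        self.uauth = {}         # source IP -> (username, expiry time)

    def _authenticated_user(self, src_ip):
        entry = self.uauth.get(src_ip)
        if entry and entry[1] > self.now:
            return entry[0]
        self.uauth.pop(src_ip, None)   # absolute timeout hit: force a fresh login
        return None

    def new_flow(self, proto, src_ip, credentials=None):
        """Fate of the first packet of an inside-to-outside flow: 'pass', 'challenge' or 'drop'.

        credentials is the (user, password) pair collected at the prompt, or None
        while the user has not answered yet."""
        if proto not in AUTHENTICATED_PROTOCOLS:
            return "pass"                # UDP/ICMP are outside the include rule
        if self._authenticated_user(src_ip):
            return "pass"                # cut-through: later flows skip the prompt
        if credentials is None:
            return "challenge"           # intercept and prompt for user/password
        user, password = credentials
        stored = LOCAL_USERS.get(user)
        if stored is None or not hmac.compare_digest(stored, _digest(password)):
            return "drop"                # wrong credentials: connection dropped
        self.uauth[src_ip] = (user, self.now + UAUTH_ABSOLUTE_SECONDS)
        return "pass"


def demo():
    """Walk one inside host through the lifecycle; returns the decisions in order."""
    fw = CutThroughProxy()
    host = "192.168.56.10"               # constructed inside host
    trace = [fw.new_flow("tcp", host)]                                  # challenge
    trace.append(fw.new_flow("tcp", host, ("alice", "wrong")))          # drop
    trace.append(fw.new_flow("tcp", host, ("alice", "correct horse")))  # pass
    fw.now = 2 * 3600
    trace.append(fw.new_flow("tcp", host))                              # pass: cached
    fw.now = 3 * 3600 + 1
    trace.append(fw.new_flow("tcp", host))                              # challenge again
    trace.append(fw.new_flow("udp", host))                              # pass: not TCP
    return trace


if __name__ == "__main__":
    print(demo())
```

The absolute timeout is the point to notice: with `absolute`, a busy host is re-prompted three hours after login even while it is actively browsing, whereas an `inactivity` timeout would only expire idle hosts.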

Limiting Number of TCP and UDP Connections on Firewall

Dear All,
I have some idea of configuring NAT on a Cisco firewall, but what about the cool feature of controlling TCP and UDP connections on your security appliance? Remember that when you configure nat for the internal network, or static NAT for an internal/DMZ server on the outside interface so that connections to the server from outside persist, you have an option for limiting TCP and UDP connections.

It looks like this:
nat (inside) 1 0 0 tcp 25 25 udp 25
Irrespective of the global command used, you can only control TCP and UDP connections with the nat command.
Explanation:
The nat command above says that any number of hosts (0 0 = any) can be translated, but each host can make only 25 established TCP connections, 25 embryonic TCP connections (connections whose SYN flag is on, i.e. the handshake is incomplete) and 25 UDP connections. Remember, this configuration applies to each and every host trying to initiate a connection from inside (egress traffic).


What about static NAT?
I take an example:

static (dmz,outside) tcp 1.1.1.1 21 192.168.1.3 21 netmask 255.255.255.255 tcp 0 25 udp 0

Here you see that the inside host 192.168.1.3, which is an FTP server, is mapped with mask 255.255.255.255 (i.e. only one host) onto 1.1.1.1, which is the outside IP. tcp 0 25 instructs that unlimited connections can be made from outside (0 means unlimited), but embryonic connections cannot exceed 25. What happens after 25 embryonic connections is covered next.

What happens when the limit is reached:

The security appliance uses TCP cookies and behaves as a proxy between the two ends of the connection. When it sees more than 25 embryonic connections from any host, it intercepts: on behalf of the connecting host, the appliance recalculates the SYN segment and sends it to the target host. If it gets the SYN-ACK segment back, it redirects it to the connecting host (the source host). If the appliance then gets the ACK segment back, it allows the connection; otherwise it drops the traffic.

By virtue of the TCP cookie technique, the intercepted TCP connections are not stored in DRAM; the appliance processes them on the fly. This is how DoS attacks such as SYN floods are mitigated.
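To make the two ideas above concrete, here is a toy model (an added example, not Cisco's implementation) of the per-host limits from `static ... tcp 0 25 udp 0` together with the intercept that kicks in once the embryonic limit is reached. It follows the standard SYN-cookie technique: above the limit the appliance stops keeping per-SYN state and answers the SYN itself with a SYN-ACK whose initial sequence number is a cookie, and it only creates connection state once a final ACK carrying cookie+1 arrives. The cookie construction (an HMAC over the flow tuple and a time slot) and the sample addresses are this example's own choices.

```python
"""Toy model of connection limits plus SYN-cookie intercept (added example).
Limits follow the page's `static ... tcp 0 25 udp 0`: unlimited established TCP
connections (0), at most 25 embryonic (half-open) ones.  The cookie format is
this example's choice, not the appliance's."""
import hashlib
import hmac
import secrets
from collections import defaultdict

TCP_MAX_CONNS = 0          # tcp 0 -> unlimited established connections
TCP_EMB_LIMIT = 25         # ... 25 -> at most 25 half-open connections
COOKIE_SLOT_SECONDS = 60   # a cookie stays valid for roughly one to two slots
MASK32 = 0xFFFFFFFF


class ConnLimiter:
    def __init__(self, emb_limit=TCP_EMB_LIMIT, max_conns=TCP_MAX_CONNS, key=None):
        self.emb_limit = emb_limit
        self.max_conns = max_conns
        self.key = key or secrets.token_bytes(16)   # appliance-local cookie secret
        self.embryonic = defaultdict(set)           # dst -> {(src, sport)} awaiting ACK
        self.established = defaultdict(set)         # dst -> {(src, sport)} completed
        self.intercepted = 0                        # SYNs answered with a cookie

    def _cookie(self, src, sport, dst, dport, now):
        slot = int(now // COOKIE_SLOT_SECONDS)
        msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")       # 32-bit ISN; nothing is stored

    def syn(self, src, sport, dst, dport, now):
        """Client SYN: tracked normally, or answered with a cookie ISN above the limit."""
        if self.max_conns and len(self.established[dst]) >= self.max_conns:
            return ("drop", None)                   # tcp max_conns reached
        if len(self.embryonic[dst]) < self.emb_limit:
            self.embryonic[dst].add((src, sport))
            return ("forward", None)                # pass SYN to the server, remember it
        self.intercepted += 1
        return ("synack", self._cookie(src, sport, dst, dport, now))

    def ack(self, src, sport, dst, dport, ack_num, now):
        """Client's final ACK: completes a tracked handshake or must prove a valid cookie."""
        if (src, sport) in self.embryonic[dst]:
            self.embryonic[dst].discard((src, sport))
            self.established[dst].add((src, sport))
            return "established"
        # No state for this flow: accept only if ack_num matches a cookie we could have issued.
        for t in (now, now - COOKIE_SLOT_SECONDS):  # tolerate a slot boundary
            expected = (self._cookie(src, sport, dst, dport, t) + 1) & MASK32
            if ack_num == expected:
                self.established[dst].add((src, sport))   # appliance now completes the server side
                return "established"
        return "drop"                               # spoofed source or stale ACK


def demo():
    """30 half-open connections to the FTP server, then one real client during the burst."""
    fw = ConnLimiter(key=b"constructed-demo-key")
    server = ("1.1.1.1", 21)                        # the page's static mapping
    for i in range(30):                             # constructed burst of SYNs, never ACKed
        fw.syn(f"10.0.0.{i}", 40000, *server, now=100.0)
    tracked, cookies = len(fw.embryonic[server[0]]), fw.intercepted
    action, isn = fw.syn("203.0.113.7", 5555, *server, now=100.0)   # constructed real client
    good = fw.ack("203.0.113.7", 5555, *server, (isn + 1) & MASK32, now=102.0)
    bad = fw.ack("203.0.113.8", 5555, *server, 12345, now=102.0)    # never held a cookie
    return {"tracked": tracked, "cookies": cookies, "action": action, "good": good, "bad": bad}


if __name__ == "__main__":
    print(demo())
```

Only the first 25 half-open handshakes consume state on the appliance; the rest cost one HMAC per SYN and one per ACK, which is why the post can say the extra connections are not stored in DRAM.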

Deploying Networks by using IGPs (OSPF and EIGRP) Redistribution BASICS ONLY


This is my simple but intuitive network. Here I will not explain too much, just a little.
The upper half of the network is configured with OSPF (R1, R2, R3).
The lower half is configured with EIGRP (R3, R4, R5). You might be wondering why R3 is common to both: because it is the only router where redistribution takes place.
There is one more thing in the R3 configuration: the cloud C1 connected to R3. What is its purpose? That is your assignment to work out. LOL!
Configuration of R3 is:

!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
ip cef
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
memory-size iomem 0
archive
log config
hidekeys
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex half
!
interface Ethernet1/0
ip address 192.168.3.6 255.255.255.252
ip nat inside
ip virtual-reassembly
ip ospf 1 area 0
duplex half
!
interface Ethernet1/1
ip address 192.168.3.2 255.255.255.252
ip nat inside
ip virtual-reassembly
ip ospf 1 area 0
duplex half
!
interface Ethernet1/2
ip address 192.168.2.6 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex half
!
interface Ethernet1/3
ip address 192.168.2.2 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex half
!
router eigrp 1
redistribute static
redistribute ospf 1 metric 10000 1000 255 1 1500
network 192.168.2.0 0.0.0.7
auto-summary
!
router ospf 1
log-adjacency-changes
redistribute static subnets
redistribute eigrp 1 subnets
default-information originate
!
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit any
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
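The line worth understanding in R3's configuration is `redistribute ospf 1 metric 10000 1000 255 1 1500`. EIGRP has no default seed metric for routes that come from another protocol, so without this (or a `default-metric`) the OSPF routes would not be advertised to R4 and R5 at all. The worked computation below is an added example, not part of the post: it evaluates the classic EIGRP composite metric with the default K values (K1=K3=1, K2=K4=K5=0) for the seed values on the page, then what R4 or R5 install after adding their own Ethernet link to R3, assuming the IOS defaults for 10 Mbit/s Ethernet (bandwidth 10000 kbit/s, delay 1000 microseconds, i.e. 100 in tens of microseconds).

```python
"""Worked EIGRP metric for R3's `redistribute ospf 1 metric 10000 1000 255 1 1500`
(added example, not part of the post).  Units follow the command: bandwidth in
kbit/s, delay in tens of microseconds."""

DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5 as IOS ships them


def eigrp_metric(bandwidth_kbps, delay_tens_us, reliability=255, load=1, k=DEFAULT_K):
    """Classic (32-bit) EIGRP composite metric.  MTU is carried but never enters the formula."""
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // bandwidth_kbps                     # scaled inverse of the minimum bandwidth
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay_tens_us
    if k5:                                           # reliability only counts when K5 != 0
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def seed_metric():
    """Metric R3 attaches to every OSPF route it redistributes into EIGRP 1."""
    return eigrp_metric(10000, 1000, 255, 1)         # 256 * (1000 + 1000)


def metric_after_hop(seed_bw, seed_delay, link_bw, link_delay):
    """A neighbour keeps the minimum bandwidth along the path and adds its own link delay."""
    return eigrp_metric(min(seed_bw, link_bw), seed_delay + link_delay)


def r4_metric():
    """What R4 (or R5) installs for a redistributed OSPF route learnt over Ethernet from R3.

    Assumes IOS defaults for a 10 Mbit/s Ethernet interface: bandwidth 10000,
    delay 1000 us = 100 tens of us."""
    return metric_after_hop(10000, 1000, 10000, 100)   # 256 * (1000 + 1100)


if __name__ == "__main__":
    print("seed metric on R3:", seed_metric())
    print("metric seen on R4/R5:", r4_metric())
```

Because only the minimum bandwidth and the summed delay survive along the path, the seed bandwidth of 10000 kbit/s effectively caps how good any redistributed route can look inside EIGRP; raising the seed delay instead is the usual knob when you want external routes to lose to internal ones.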
Configuration of R4:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Ethernet1/0
ip address 192.168.2.9 255.255.255.252
half-duplex
!
interface Ethernet1/1
no ip address
shutdown
half-duplex
!
interface Ethernet1/2
no ip address
shutdown
half-duplex
!
interface Ethernet1/3
ip address 192.168.2.1 255.255.255.252
half-duplex
!
!
router eigrp 1
network 192.168.2.1 0.0.0.0
network 192.168.2.9 0.0.0.0
auto-summary
!
ip http server
no ip http secure-server
no ip classless
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
R5 Configuration:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Ethernet1/0
ip address 192.168.2.10 255.255.255.252
half-duplex
!
interface Ethernet1/1
no ip address
shutdown
half-duplex
!
interface Ethernet1/2
ip address 192.168.2.5 255.255.255.252
half-duplex
!
interface Ethernet1/3
no ip address
shutdown
half-duplex
!
!
router eigrp 1
network 192.168.2.5 0.0.0.0
network 192.168.2.10 0.0.0.0
auto-summary
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
R1 Configuration:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
interface Ethernet1/1
ip address 192.168.3.1 255.255.255.252
ip ospf 1 area 0
half-duplex
!
interface Ethernet1/2
ip address 192.168.3.10 255.255.255.252
ip ospf 1 area 0
half-duplex
!
interface Ethernet1/3
no ip address
shutdown
half-duplex
!
!
router ospf 1
log-adjacency-changes
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
R2 Configuration:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Ethernet1/0
ip address 192.168.3.5 255.255.255.252
ip ospf 1 area 0
half-duplex
!
interface Ethernet1/1
no ip address
shutdown
half-duplex
!
interface Ethernet1/2
ip address 192.168.3.9 255.255.255.252
ip ospf 1 area 0
half-duplex
!
interface Ethernet1/3
no ip address
shutdown
half-duplex
!
!
router ospf 1
log-adjacency-changes
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
How to configure FAILOVER on Cisco PIX in GNS3

Configuration according to the diagram.

As with all Cisco firewalls, the rule of thumb is that traffic traverses from a higher security level to a lower security level without any ACL, as long as nat is applied or nat-control is off (i.e. routing alone suffices, without any translation). If outside hosts (lower security level) want to initiate connections to an inside host (higher security level), the appliance must have static NAT and an ACL configured. In the above scenario I used nat-control. In the network diagram the inside network is the right side of the firewalls (security level 100) and the outside network is the left side (security level 0). Failover is configured on FW0 and FW1.

How is a host on the same computer connected to the inside network?

This was done via a VMware guest OS, which was given the failover IP of the firewalls as its default gateway. An interesting feature of failover is that when you configure the active appliance (FW1) and save, the configuration replicates to the standby firewall (FW0): interface IP addresses, routing, NAT and so on. In other words, they are mirrors of each other.

So here is the configuration for FW1(Active):
PIX Version 8.0(2)
!
hostname PIXDOWN
domain-name domain.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.250 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.56.2 255.255.255.0
!
interface Ethernet2
description Management Interface
nameif MGMT_INT
security-level 99
ip address 192.168.200.1 255.255.255.0
management-only
!
interface Ethernet3
nameif DMZ
security-level 50
ip address 10.81.200.1 255.255.255.252 standby 10.81.200.2
!
interface Ethernet4
description LAN/STATE Failover Interface
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner motd This is CISCO PIX 525
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
domain-name domain.local
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any traceroute
pager lines 24
logging enable
logging standby
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu MGMT_INT 1500
mtu DMZ 1500
failover
failover lan unit primary
failover lan interface LANFAIL Ethernet4
failover lan enable
failover polltime unit 5 holdtime 15
failover replication http
failover link LANFAIL Ethernet4
failover interface ip LANFAIL 10.81.199.1 255.255.255.252 standby 10.81.199.2
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 192.168.1.20
global (outside) 1 192.168.1.21
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 0 25 udp 25
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.56.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.56.1 255.255.255.255 outside
telnet timeout 5
ssh scopy enable
ssh 192.168.56.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.200.10-192.168.200.254 MGMT_INT
dhcpd enable MGMT_INT
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp authenticate
ntp server 207.46.232.182 prefer
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
prompt hostname context
Cryptochecksum:27b6669bbc3bab31a8254dca80e44377
: end

Here is the configuration for FW0(Standby):


PIX Version 8.0(2)
!
hostname PIXDOWN
domain-name domain.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.250 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.56.2 255.255.255.0
!
interface Ethernet2
description Management Interface
nameif MGMT_INT
security-level 99
ip address 192.168.200.1 255.255.255.0
management-only
!
interface Ethernet3
nameif DMZ
security-level 50
ip address 10.81.200.1 255.255.255.252 standby 10.81.200.2
!
interface Ethernet4
description LAN/STATE Failover Interface
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner motd This is CISCO PIX 525
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
domain-name domain.local
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any traceroute
pager lines 24
logging enable
logging standby
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu MGMT_INT 1500
mtu DMZ 1500
failover
failover lan unit secondary
failover lan interface LANFAIL Ethernet4
failover lan enable
failover polltime unit 5 holdtime 15
failover replication http
failover link LANFAIL Ethernet4
failover interface ip LANFAIL 10.81.199.1 255.255.255.252 standby 10.81.199.2
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 192.168.1.20
global (outside) 1 192.168.1.21
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 0 25 udp 25
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.56.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.56.1 255.255.255.255 outside
telnet timeout 5
ssh scopy enable
ssh 192.168.56.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.200.10-192.168.200.254 MGMT_INT
dhcpd enable MGMT_INT
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp authenticate
ntp server 207.46.232.182 prefer
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
prompt hostname context
Cryptochecksum:a1c86e0759da13e6ca07ec971350e88a
: end
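Two checks a practitioner would run against a pair like FW1 and FW0, as an added example that is not part of the post: first, that the two running configurations really are mirrors apart from the `failover lan unit primary`/`secondary` role (the `Cryptochecksum` line legitimately differs and is ignored); second, that no telnet/ssh/http management permit lands on the `outside` interface, which is where the page's `telnet`, `ssh` and `http` lines point. The excerpts are constructed from lines of the two configurations above; `DRIFTED_STANDBY` is a constructed variant with one line removed to show what a mismatch report looks like.

```python
"""Consistency and management-exposure checks for a PIX/ASA failover pair
(added example).  Feed it the `show running-config` output of each unit; the
excerpts here are constructed from the page's FW1/FW0 configurations."""
import re

FW1_EXCERPT = """\
hostname PIXDOWN
interface Ethernet0
 nameif outside
 security-level 0
failover
failover lan unit primary
failover lan interface LANFAIL Ethernet4
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 0 25 udp 25
http 192.168.56.0 255.255.255.0 outside
telnet 192.168.56.1 255.255.255.255 outside
ssh 192.168.56.1 255.255.255.255 outside
Cryptochecksum:27b6669bbc3bab31a8254dca80e44377
: end
"""
FW0_EXCERPT = (FW1_EXCERPT.replace("unit primary", "unit secondary")
               .replace("27b6669bbc3bab31a8254dca80e44377",
                        "a1c86e0759da13e6ca07ec971350e88a"))
DRIFTED_STANDBY = FW0_EXCERPT.replace("nat-control\n", "")   # constructed drift

IGNORED = re.compile(r"^(Cryptochecksum:|: end|PIX Version|<--- More --->)")
ROLE = re.compile(r"^failover lan unit (primary|secondary)$")
MGMT = re.compile(r"^(telnet|ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def normalize(config_text):
    """Stripped config lines, minus comments, checksums and pager residue."""
    lines = (ln.strip() for ln in config_text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("!") and not IGNORED.match(ln)]


def failover_roles(*config_texts):
    """The `failover lan unit` role each unit declares (None if it declares none)."""
    roles = []
    for text in config_texts:
        found = [m.group(1) for m in map(ROLE.match, normalize(text)) if m]
        roles.append(found[0] if found else None)
    return tuple(roles)


def pair_mismatches(active_text, standby_text):
    """Lines only on the active unit and lines only on the standby, ignoring the role line."""
    a, s = set(normalize(active_text)), set(normalize(standby_text))
    only_active = sorted(x for x in a - s if not ROLE.match(x))
    only_standby = sorted(x for x in s - a if not ROLE.match(x))
    return only_active, only_standby


def management_exposure(config_text, untrusted=("outside",)):
    """telnet/ssh/http permits whose interface argument is an untrusted interface."""
    hits = []
    for ln in normalize(config_text):
        m = MGMT.match(ln)
        if m and m.group(4) in untrusted:
            hits.append(ln)
    return hits


if __name__ == "__main__":
    print("roles:", failover_roles(FW1_EXCERPT, FW0_EXCERPT))
    print("mismatches:", pair_mismatches(FW1_EXCERPT, DRIFTED_STANDBY))
    print("management on outside:", management_exposure(FW1_EXCERPT))
```

On a real pair the mismatch list should come back empty after `write memory` on the active unit; anything left over means replication did not cover it (or someone edited the standby directly), and is exactly what turns a clean failover into an outage.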


And on both routers I configured bridging on interface F0/0 and VLAN 1.
Here is the configuration for both routers; it is nearly the same on each. Oh! By the way, I used a Cisco 3660 with an ESW module.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
bridge irb
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
bridge-group 1
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
!
interface FastEthernet1/1
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
no ip address
bridge-group 1
!
interface BVI1
ip address dhcp
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end