NAT
Deep Dive
John Len SE Andean Region
jleon@fortinet.com
Fortinet Confidential
Setting expectations
This is mainly a hands-on track.
We expect that you know
What is NAT?
http://www.readwriteweb.com/archives/more_than_50_of_devices_at_ces_were_internet_connected.php
[Diagram, repeated on two consecutive slides: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) on the CLIENT, on the NAT device and on the SERVER. The CLIENT is 192.168.138.32 and its gateway is the NAT device's inside address 192.168.138.1; the NAT device's outside address is 200.20.32.1 and the SERVER is 200.20.32.32. The address rewrite happens at the Network layer.]
NAT in FortiOS

[Diagram: a TCP three-way handshake (SYN, SYN/ACK, ACK) traced through the FortiGate.]
[Diagram: NP4 network processor, labelled Performance, Traffic Features and Application Features.]
Lab topology

FortiGate (FGT_XT_12), login admin/<blank>
  port1 (Hostonly)   192.168.138.10
  port2 (Hostonly)   20.20.20.1
Host PC              vmnet1  192.168.138.1    Wireshark
xserver01            eth1    20.20.20.10      Apache 2.2.16, login xuser/xuser
xserver02            eth1    20.20.20.20      Apache 2.2.16, vsftpd 2.3.0, login xuser/xuser
Packet flow for a new connection

From: 192.168.138.1:56174   To: 20.20.20.10:80   On: port1

1. Receive and parse packet data.
2. Is this an existing session? No.
3. Search within the security policy. Is the traffic allowed? Allowed, Policy ID: 1.
4. Allocate a new session in the state table. Session ID: 00000058.
5. Route for this network? GW: 20.20.20.10, Interface: port2.
6. Forward packet.
Destination NAT
One-to-one
DNAT on different subnets
Port Address Translation
One-to-one

[Diagram: Host PC (vmnet1 192.168.138.1) -> port1 (192.168.138.10), VIP 192.168.138.100 -> port2 (20.20.20.1) -> xserver01 (eth1 20.20.20.10)]

Before translation (seen on port1):                 After translation (seen on port2):
SADDR          SPORT  DADDR            DPORT        SADDR          SPORT  DADDR        DPORT
192.168.138.1  23456  192.168.138.100  80           192.168.138.1  23456  20.20.20.10  80
Routing happens after DNAT

received a packet(proto=6,

Session table entry for the DNAT connection (diag sys session list). The slide's callouts point at the dir= field (DIRECTION TRAFFIC) and at the second hook line (ACTION FOR REPLY):

policy_dir=0 tunnel=/
state=may_dirty
statistic(bytes/packets/allow_err): org=545/4/1 reply=581/3/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=pre dir=org act=dnat 192.168.138.1:56200->192.168.138.100:80(20.20.20.10:80)
hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:56200(192.168.138.100:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0000007a tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=714
total session 1
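Reading the two hook lines by eye is error-prone when there are thousands of sessions. The following parser, an added example rather than anything from the slides or from FortiOS, pulls the entry above into a structured record and checks that the reply direction undoes the original translation (the reply's source must be rewritten back to the VIP the client talked to). The regular expressions cover only the field layout visible on this page; a full entry has more lines (session info, timeouts), and the function names are the example's own.

```python
"""Parse the 'diag sys session list' entry quoted on the slide into a structured record.

Added example, not FortiOS code. The regular expressions are written for the field
layout visible on this page only; a real entry has more lines (session info, timeouts).
"""
import re

# Constructed sample: the entry exactly as printed on the slide.
SESSION_TEXT = """\
policy_dir=0 tunnel=/
state=may_dirty
statistic(bytes/packets/allow_err): org=545/4/1 reply=581/3/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=20.20.20.10/192.168.138.1
hook=pre dir=org act=dnat 192.168.138.1:56200->192.168.138.100:80(20.20.20.10:80)
hook=post dir=reply act=snat 20.20.20.10:80->192.168.138.1:56200(192.168.138.100:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0000007a tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=192.168.138.1, bps=714
"""

# hook=<pre|post> dir=<org|reply> act=<dnat|snat> src->dst(translated)
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\((?P<nat>[\d.]+:\d+)\)")
STAT_RE = re.compile(r"org=(\d+)/(\d+)/(\d+) reply=(\d+)/(\d+)/(\d+)")
KV_RE = re.compile(r"\b(\w+)=([\w./]+)")   # generic key=value tokens (serial, policy_id, ...)


def parse_session(text: str) -> dict:
    rec = {"hooks": [], "fields": {}}
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            rec["hooks"].append(m.groupdict())
            continue
        m = STAT_RE.search(line)
        if m:
            b = list(map(int, m.groups()))
            rec["stats"] = {"org": dict(bytes=b[0], packets=b[1], allow_err=b[2]),
                            "reply": dict(bytes=b[3], packets=b[4], allow_err=b[5])}
            continue
        if line.startswith("orgin->sink"):          # FortiOS really spells it this way
            rec["gwy"] = re.search(r"gwy=([\d.]+)/([\d.]+)", line).groups()
        rec["fields"].update(KV_RE.findall(line))
    return rec


def describe_nat(rec: dict) -> dict:
    """Turn the two hook lines into the translation a troubleshooter wants to see."""
    org = next(h for h in rec["hooks"] if h["dir"] == "org")
    reply = next(h for h in rec["hooks"] if h["dir"] == "reply")
    out = {"serial": int(rec["fields"]["serial"], 16),
           "policy_id": int(rec["fields"]["policy_id"]),
           "client": org["src"], "vip": org["dst"], "real_server": org["nat"],
           "act_org": org["act"], "act_reply": reply["act"]}
    # Consistency check: the reply must come from the real server, go to the client, and
    # have its source rewritten back to the VIP; otherwise the client receives a packet
    # from an address it never talked to and its TCP stack drops it.
    out["reply_consistent"] = (reply["src"] == org["nat"] and reply["dst"] == org["src"]
                               and reply["nat"] == org["dst"])
    return out


if __name__ == "__main__":
    info = describe_nat(parse_session(SESSION_TEXT))
    print(f"session {info['serial']:08x} policy {info['policy_id']}: "
          f"{info['client']} -> VIP {info['vip']} -> {info['real_server']} "
          f"(reply consistent: {info['reply_consistent']})")
```

The consistency check is what you want when a VIP "half works": if act=snat in the reply direction names an address other than the VIP, the client sees the real server's address and the connection never completes.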
ARP for the VIP address

PC1: vmnet1, MAC 00:50:56:C0:00:01, IP 192.168.138.1
FortiGate: port1, MAC 00:0C:29:F7:65:46, IP 192.168.138.10, VIP 192.168.138.100

1. PC1 asks for the FortiGate's own address.
   ARP request   DMAC ff:ff:ff:ff:ff:ff   SENDER IP 192.168.138.1    DEST IP 192.168.138.10
2. The FortiGate answers for port1.
   ARP reply     SMAC 00:0C:29:F7:65:46   DMAC 00:50:56:C0:00:01   SENDER IP 192.168.138.10   DEST IP 192.168.138.1
   "192.168.138.10 is at 00:0C:29:F7:65:46"
3. PC1 asks for the VIP address, which is not configured on any interface.
   ARP request   DMAC ff:ff:ff:ff:ff:ff   SENDER IP 192.168.138.1    DEST IP 192.168.138.100
4. The FortiGate answers for the VIP with port1's MAC address.
   ARP reply     SMAC 00:0C:29:F7:65:46   DMAC 00:50:56:C0:00:01   SENDER IP 192.168.138.100  DEST IP 192.168.138.1
   "192.168.138.100 is at 00:0C:29:F7:65:46"
DNAT on different subnets

[Diagram: Host PC (vmnet1 192.168.138.1, with 50.50.50.1 also drawn next to it) -> port1 (192.168.138.10), VIP 50.50.50.10 -> port2 (20.20.20.1) -> xserver01 (eth1 20.20.20.10)]

Before translation (seen on port1):                 After translation (seen on port2):
SADDR          SPORT  DADDR        DPORT            SADDR          SPORT  DADDR        DPORT
192.168.138.1  23456  50.50.50.10  80               192.168.138.1  23456  20.20.20.10  80

VIP Name: XTWebServer05Pub
CHALLENGE 1
Find out and explain to the team what's going on.
Time: 5 minutes tops.
Tips: use the same debugging tools we used already.
CHALLENGE 1
1. The sniffer shows that the traffic doesn't leave the FortiGate. Three SYNs with the same sequence number (retransmissions) arrive on port1 about a second apart, and nothing is seen on port2:

FGT_XT_12 # diag sniffer packet any 'port 80' 4
interfaces=[any]
filters=[port 80]
5.100864 port1 in 50.50.50.1.55916 -> 50.50.50.10.80: syn 1988918947
6.203151 port1 in 50.50.50.1.55916 -> 50.50.50.10.80: syn 1988918947
7.307608 port1 in 50.50.50.1.55916 -> 50.50.50.10.80: syn 1988918947
CHALLENGE 1
2. Review the traffic flow:

FGT_XT_12 # diag deb flo filter dport 80
FGT_XT_12 # diag deb flo show con enable
FGT_XT_12 # diag deb flo trace start 3
FGT_XT_12 # id=36871 trace_id=1 msg="vd-root received a packet(proto=6, 50.50.50.1:55916->50.50.50.10:80) from port1."
id=36871 trace_id=1 msg="allocate a new session-00000107"
id=36871 trace_id=1 msg="find SNAT: IP-20.20.20.10(from IPPOOL), port-80"
id=36871 trace_id=1 msg="VIP-20.20.20.10:80, outdev-port1"
id=36871 trace_id=1 msg="DNAT 50.50.50.10:80->20.20.20.10:80"
id=36871 trace_id=1 msg="reverse path check fail, drop"

The DNAT itself works; the packet is dropped by the Reverse Path Forwarding check (RPF, a.k.a. anti-spoofing), which will not let a packet through when the route back to its source address does not point at the interface it arrived on. The source 50.50.50.1 came in on port1, but the FortiGate has no route to 50.50.50.0/24 on port1.
CHALLENGE 1
3. Add a route to the 50.50.50.0/24 network on port1 and try browsing again. With the route in place the reverse path check passes and the DNAT session is created.
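The packet-flow slide, the "routing happens after DNAT" point and the reverse-path failure of CHALLENGE 1, as an added Python model. This is not FortiOS code and not from the original slides: the `FortiGateModel` class, the `Packet`/`Vip`/`Policy`/`Route` records and the trace wording are the model's own assumptions, while the addresses, VIP name, policy ID and first session serial come from the lab. The model looks the route up before matching the policy because a policy is keyed on the egress interface, which the slide's flowchart folds into the single "route for this network?" step; the policy's service is matched on the destination port as received, before DNAT, which is a simplification.

```python
"""Toy model of the forward path on the slides: existing-session check, VIP DNAT,
reverse-path check, route lookup, policy lookup and session allocation.

Added example, not FortiOS code. Simplifications: one VDOM, TCP only, static routes,
the policy's service is matched on the port as received (before DNAT), and the trace
strings only imitate the wording of 'diag debug flow' output.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    saddr: str; sport: int; daddr: str; dport: int; in_intf: str; proto: int = 6

@dataclass(frozen=True)
class Vip:      # firewall vip: extip:extport -> mappedip:mappedport
    name: str; extip: str; extport: int; mappedip: str; mappedport: int

@dataclass(frozen=True)
class Policy:   # firewall policy; dstaddr is a VIP name or "all"
    policy_id: int; srcintf: str; dstintf: str; dstaddr: str; service_port: int

@dataclass(frozen=True)
class Route:
    prefix: str; intf: str; gateway: Optional[str] = None   # None = directly connected


class FortiGateModel:
    def __init__(self, vips, policies, routes):
        self.vips, self.policies = list(vips), list(policies)
        self.routes = [(ip_network(r.prefix), r) for r in routes]
        self.sessions = {}       # (proto, saddr, sport, daddr, dport) -> session dict
        self.next_serial = 0x58  # the slide's first session id is 00000058
        self.trace = []

    def add_route(self, route: Route):
        self.routes.append((ip_network(route.prefix), route))

    def lookup_route(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the static table."""
        addr = ip_address(dst)
        hits = [(net.prefixlen, r) for net, r in self.routes if addr in net]
        return max(hits, key=lambda h: h[0])[1] if hits else None

    def rpf_ok(self, pkt: Packet) -> bool:
        """Anti-spoofing: the route back to the source must point at the ingress interface."""
        r = self.lookup_route(pkt.saddr)
        return r is not None and r.intf == pkt.in_intf

    def handle(self, pkt: Packet) -> Optional[dict]:
        self.trace.append(f"received a packet(proto={pkt.proto}, "
                          f"{pkt.saddr}:{pkt.sport}->{pkt.daddr}:{pkt.dport}) from {pkt.in_intf}.")
        key = (pkt.proto, pkt.saddr, pkt.sport, pkt.daddr, pkt.dport)
        if key in self.sessions:                      # fast path: no policy lookup
            sess = self.sessions[key]
            self.trace.append(f"Find an existing session, id-{sess['serial']:08x}")
            return sess
        # 1. DNAT: a matching VIP rewrites the destination before routing and policy lookup
        daddr, dport, vip_name = pkt.daddr, pkt.dport, None
        for v in self.vips:
            if (v.extip, v.extport) == (pkt.daddr, pkt.dport):
                daddr, dport, vip_name = v.mappedip, v.mappedport, v.name
                self.trace.append(f"DNAT {pkt.daddr}:{pkt.dport}->{daddr}:{dport}")
        # 2. Reverse path check on the untranslated source address
        if not self.rpf_ok(pkt):
            self.trace.append("reverse path check fail, drop")
            return None
        # 3. Routing happens after DNAT: look up the translated destination
        route = self.lookup_route(daddr)
        if route is None:
            self.trace.append("no route, drop")
            return None
        self.trace.append(f"find a route: gw-{route.gateway or daddr} via {route.intf}")
        # 4. Policy lookup needs the egress interface the route just gave us
        match = next((p for p in self.policies
                      if p.srcintf == pkt.in_intf and p.dstintf == route.intf
                      and p.dstaddr in ("all", vip_name) and p.service_port == pkt.dport), None)
        if match is None:
            self.trace.append("Denied by forward policy check")
            return None
        # 5. Allocate the session; replies will hit the fast path in the reverse direction
        serial, self.next_serial = self.next_serial, self.next_serial + 1
        sess = {"serial": serial, "policy_id": match.policy_id, "out_intf": route.intf,
                "gw": route.gateway or daddr, "orig": key, "dnat": (daddr, dport)}
        self.sessions[key] = sess
        self.trace.append(f"allocate a new session-{serial:08x}, Allowed by Policy-{match.policy_id}")
        return sess


def challenge_one():
    """Reproduce CHALLENGE 1: the VIP on 50.50.50.10 is unreachable until a route exists."""
    fgt = FortiGateModel(
        vips=[Vip("XTWebServer05Pub", "50.50.50.10", 80, "20.20.20.10", 80)],
        policies=[Policy(2, "port1", "port2", "XTWebServer05Pub", 80)],
        routes=[Route("192.168.138.0/24", "port1"), Route("20.20.20.0/24", "port2")])
    syn = Packet("50.50.50.1", 55916, "50.50.50.10", 80, "port1")
    first = fgt.handle(syn)                          # dropped: no route back to 50.50.50.0/24
    fgt.add_route(Route("50.50.50.0/24", "port1"))   # the fix from step 3
    second = fgt.handle(syn)                         # DNAT, routed out port2, session created
    third = fgt.handle(syn)                          # same tuple: existing session, fast path
    return first, second, third, fgt.trace


if __name__ == "__main__":
    print("\n".join(challenge_one()[3]))
```

The trace produced by `challenge_one()` mirrors the order seen in the CHALLENGE 1 output: the DNAT line appears before the drop, because the destination is rewritten first and only then is the source checked against the routing table.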
Port Address Translation

[Diagram: Host PC (vmnet1 192.168.138.1) -> port1 (192.168.138.10), VIPs 192.168.138.100:8080 and 192.168.138.100:21 -> port2 (20.20.20.1) -> xserver01 (eth1 20.20.20.10) and xserver02 (eth1 20.20.20.20)]

Before translation (seen on port1):                 After translation (seen on port2):
SADDR          SPORT  DADDR            DPORT        SADDR          SPORT  DADDR        DPORT
192.168.138.1  23456  192.168.138.100  8080         192.168.138.1  23456  20.20.20.10  80
192.168.138.1  43213  192.168.138.100  21           192.168.138.1  43213  20.20.20.20  21

VIP Name: XTFTPServer01Pub
Source NAT
Dynamic SNAT
Dynamic SNAT with Ranges
Static SNAT
Dynamic SNAT

[Diagram: Host PC (vmnet1 192.168.138.1) -> port1 (192.168.138.10), VIP 192.168.138.100 -> port2 (20.20.20.1) -> xserver01 (eth1 20.20.20.10); the source is translated to port2's own address 20.20.20.1]

Before translation (seen on port1):                 After translation (seen on port2):
SADDR          SPORT  DADDR            DPORT        SADDR       SPORT  DADDR        DPORT
192.168.138.1  23456  192.168.138.100  80           20.20.20.1  45123  20.20.20.10  80
Why the translated source port is not always preserved

[Diagram: PC1 (192.168.138.1) and PC2 (192.168.138.2) -> FortiGate, SNAT to 20.20.20.1 -> Web Server 20.20.20.10]

Step 1: PC1 opens a connection.
  Packet from PC1:            SADDR 192.168.138.1  SPORT 1234  DADDR 20.20.20.10  DPORT 80
  Packet to the server:       SADDR 20.20.20.1     SPORT 1234  DADDR 20.20.20.10  DPORT 80
  NAT table:
    ORIGINAL  SNAT 192.168.138.1:1234, 20.20.20.10:80  ->  20.20.20.1:1234, 20.20.20.10:80
    REPLY          20.20.20.10:80, 20.20.20.1:1234     ->  20.20.20.10:80, 192.168.138.1:1234
  Reply from the server:      SADDR 20.20.20.10  SPORT 80  DADDR 20.20.20.1     DPORT 1234
  Reply delivered to PC1:     SADDR 20.20.20.10  SPORT 80  DADDR 192.168.138.1  DPORT 1234

Step 2: PC2 opens a connection from a different source port.
  Packet from PC2:            SADDR 192.168.138.2  SPORT 5678  DADDR 20.20.20.10  DPORT 80
  Packet to the server:       SADDR 20.20.20.1     SPORT 5678  DADDR 20.20.20.10  DPORT 80
  NAT table:
    ORIGINAL  SNAT 192.168.138.1:1234, 20.20.20.10:80  ->  20.20.20.1:1234, 20.20.20.10:80
    ORIGINAL  SNAT 192.168.138.2:5678, 20.20.20.10:80  ->  20.20.20.1:5678, 20.20.20.10:80
    REPLY     DNAT 20.20.20.10:80, 20.20.20.1:5678     ->  20.20.20.10:80, 192.168.138.2:5678
  Reply from the server:      SADDR 20.20.20.10  SPORT 80  DADDR 20.20.20.1     DPORT 5678
  Reply delivered to PC2:     SADDR 20.20.20.10  SPORT 80  DADDR 192.168.138.2  DPORT 5678

Step 3: PC2 opens a connection that reuses PC1's source port 1234.
  Packet from PC2:            SADDR 192.168.138.2  SPORT 1234  DADDR 20.20.20.10  DPORT 80
  If the port were preserved the table would hold
    ORIGINAL  SNAT 192.168.138.1:1234, 20.20.20.10:80  ->  20.20.20.1:1234, 20.20.20.10:80
    ORIGINAL  SNAT 192.168.138.2:1234, 20.20.20.10:80  ->  20.20.20.1:1234, 20.20.20.10:80
  CONFLICT! The reply 20.20.20.10:80 -> 20.20.20.1:1234 would match both
    REPLY     DNAT 20.20.20.10:80, 20.20.20.1:1234  ->  20.20.20.10:80, 192.168.138.1:1234
    REPLY     DNAT 20.20.20.10:80, 20.20.20.1:1234  ->  20.20.20.10:80, 192.168.138.2:1234
  and the FortiGate could not tell which host the reply belongs to.

Step 4: The FortiGate picks a free translated port instead.
  Packet to the server:       SADDR 20.20.20.1  SPORT 2232  DADDR 20.20.20.10  DPORT 80
  NAT table:
    ORIGINAL  SNAT 192.168.138.1:1234, 20.20.20.10:80  ->  20.20.20.1:1234, 20.20.20.10:80
    ORIGINAL  SNAT 192.168.138.2:1234, 20.20.20.10:80  ->  20.20.20.1:2232, 20.20.20.10:80
    REPLY     DNAT 20.20.20.10:80, 20.20.20.1:2232     ->  20.20.20.10:80, 192.168.138.2:1234
  Reply from the server:      SADDR 20.20.20.10  SPORT 80  DADDR 20.20.20.1     DPORT 2232
  Reply delivered to PC2:     SADDR 20.20.20.10  SPORT 80  DADDR 192.168.138.2  DPORT 1234
Clash counters increase. A session clash means that when a new session needs to be created, an old session with the same tuple already exists; the old one is deleted and the new one is created (*).
(*) http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30357
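The port walk-through above and the clash note, as an added Python model (not FortiOS code and not from the slides). The `Snat` class, its two-dictionary session table and the port-picking rule (keep the original source port when it is free, otherwise take the next free one) are the example's own assumptions; the slide only shows that 1234 became 2232, not how that port was chosen. The clash counter follows the definition quoted from the KB article: a new connection whose tuple is still in the table replaces the old session.

```python
"""Source NAT with port address translation as walked through on the slides: PC1 and PC2
behind 20.20.20.1 talk to 20.20.20.10:80, and when PC2 reuses PC1's source port the
FortiGate must pick another translated port or the server's replies become ambiguous.

Added example, not FortiOS code. The port-picking rule (keep the original port when it is
free, otherwise the next free one) is an assumption; the slide only shows 1234 -> 2232.
"""
from itertools import chain


class Snat:
    def __init__(self, nat_ip: str, port_range=(1024, 65535)):
        self.nat_ip = nat_ip
        self.lo, self.hi = port_range
        self.orig = {}    # (saddr, sport, daddr, dport) -> (nat_ip, nat_port)
        self.reply = {}   # (daddr, dport, nat_ip, nat_port) -> (saddr, sport)
        self.port_conflicts = 0   # times the original source port could not be kept
        self.session_clashes = 0  # times a new session replaced one with the same tuple

    def _free_port(self, wanted, daddr, dport):
        # The translated port only has to be unique per (server, dport) pair, because the
        # reply is matched on the full tuple and not on the NAT port alone.
        for p in chain([wanted], range(wanted + 1, self.hi + 1), range(self.lo, wanted)):
            if (daddr, dport, self.nat_ip, p) not in self.reply:
                return p
        raise RuntimeError("port range exhausted")

    def _delete(self, key):
        nat_ip, nat_port = self.orig.pop(key)
        del self.reply[(key[2], key[3], nat_ip, nat_port)]

    def translate(self, saddr, sport, daddr, dport, syn=False):
        """Outbound packet -> the (nat_ip, nat_port) it leaves with."""
        key = (saddr, sport, daddr, dport)
        if key in self.orig:
            if not syn:
                return self.orig[key]      # mid-stream packet of an existing session
            # A new connection with a tuple that is still in the table: session clash.
            # The old session is deleted and a fresh one created (the KB definition).
            self.session_clashes += 1
            self._delete(key)
        nat_port = self._free_port(sport, daddr, dport)
        if nat_port != sport:
            self.port_conflicts += 1       # the slide's CONFLICT! case
        self.orig[key] = (self.nat_ip, nat_port)
        self.reply[(daddr, dport, self.nat_ip, nat_port)] = (saddr, sport)
        return self.orig[key]

    def untranslate_reply(self, server_ip, server_port, nat_ip, nat_port):
        """Reply from the server to nat_ip:nat_port -> the inside (saddr, sport), or None."""
        return self.reply.get((server_ip, server_port, nat_ip, nat_port))


def slide_walkthrough():
    nat = Snat("20.20.20.1")
    server = ("20.20.20.10", 80)
    pc1 = nat.translate("192.168.138.1", 1234, *server, syn=True)   # keeps port 1234
    pc2a = nat.translate("192.168.138.2", 5678, *server, syn=True)  # keeps port 5678
    pc2b = nat.translate("192.168.138.2", 1234, *server, syn=True)  # 1234 is taken: new port
    # The server answers each translated tuple; every reply maps back to exactly one host.
    back = [nat.untranslate_reply(*server, ip, port) for ip, port in (pc1, pc2a, pc2b)]
    return nat, pc1, pc2a, pc2b, back


if __name__ == "__main__":
    nat, pc1, pc2a, pc2b, back = slide_walkthrough()
    for tr, host in zip((pc1, pc2a, pc2b), back):
        print(f"{host[0]}:{host[1]} <-> {tr[0]}:{tr[1]}")
    print("port conflicts:", nat.port_conflicts, "session clashes:", nat.session_clashes)
```

Two things worth noticing when debugging with the real session table: the translated port is only forced to change when the same server and destination port are involved, and a rising clash counter does not mean a port conflict; it means clients are opening new connections with tuples the FortiGate still considers live.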
Dynamic SNAT with Ranges

[Diagram: Host PC (vmnet1 192.168.138.1, .2 and .56) -> port1 (192.168.138.10), VIP 192.168.138.100 -> port2 (20.20.20.1), IP pool 20.20.20.2-20.20.20.5 -> xserver01 (eth1 20.20.20.10)]

Before translation (seen on port1):                  After translation (seen on port2, pairing as drawn):
SADDR           SPORT  DADDR            DPORT        SADDR       SPORT  DADDR        DPORT
192.168.138.1   1234   192.168.138.100  80           20.20.20.3  4321   20.20.20.10  80
192.168.138.56  4567   192.168.138.100  80           20.20.20.2  7654   20.20.20.10  80

IP Pool Name: IP_Pool_2_to_5
5. On the Host PC, open an HTTP session using telnet, or just ping, using different source IP addresses:
   MAC OS X: # ping -S 192.168.138.X 192.168.138.100
   Linux: #
   Windows: <don't
192.168.138.254 -> 20.20.20.2
SOURCE IP ADDRESSES ARE TRANSLATED USING A WRAPAROUND MECHANISM

192.168.138.254 -> 20.20.20.254
EACH SOURCE IP IS ALWAYS TRANSLATED TO ITS MATCHING ADDRESS

192.168.138.254:7654 -> 20.20.20.254:7654
The source port is preserved as well.

Reference: http://en.wikipedia.org/wiki/Network_address_translation
Static SNAT

[Diagram: Host PC (vmnet1 192.168.138.1, .2, .3 and .4) -> port1 (192.168.138.10), VIP 192.168.138.100 -> port2 (20.20.20.1), address range 20.20.20.2-20.20.20.5 -> xserver01 (eth1 20.20.20.10)]

Before translation (seen on port1):                 After translation (seen on port2):
SADDR          SPORT  DADDR            DPORT        SADDR       SPORT  DADDR        DPORT
192.168.138.2  1234   192.168.138.100  80           20.20.20.2  1234   20.20.20.10  80
192.168.138.3  4567   192.168.138.100  80           20.20.20.3  4567   20.20.20.10  80

Address Range Name: Addr_Range_2_to_5
5. On the Host PC, open an HTTP session using telnet, or just ping, using different source IP addresses:
   MAC OS X: #
   Linux: #
   Windows: <don't
Central NAT table

[Diagram: Host PC (vmnet1 192.168.138.1) -> port1 (192.168.138.10) -> port2 (20.20.20.1) -> xserver01 (eth1 20.20.20.10); 192.168.138.1:60000 leaves as 20.20.20.1:32000]

Before translation (seen on port1):              After translation (seen on port2):
SADDR          SPORT  DADDR        DPORT         SADDR       SPORT  DADDR        DPORT
192.168.138.1  60000  20.20.20.10  80            20.20.20.1  32000  20.20.20.10  80
192.168.138.1  60001  20.20.20.10  80            20.20.20.1  32001  20.20.20.10  80

2. Create a firewall rule on top of the others allowing HTTP traffic from any source to any destination. Enable NAT and use the Central NAT table for this rule.
3. Create a new entry in the Central NAT table.
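The three source-address behaviours seen in the SNAT labs (the IP pool's wraparound from 192.168.138.254 to 20.20.20.2, the address range's one-to-one matching with the port preserved, and the Central NAT entry that moved ports 60000/60001 to 32000/32001), as an added Python example. None of it is FortiOS code: the functions are the example's own, and the modulo formula in `pool_wraparound` is an assumption chosen to reproduce the slide's 192.168.138.254 -> 20.20.20.2 result, not a statement of the FortiOS algorithm. The `collisions` helper goes beyond the slides to show why a many-to-one pool needs the session table to route replies while the static mapping does not.

```python
"""Source-address selection models for the SNAT labs. Added example, not FortiOS code.

* pool_wraparound(): IP pool 20.20.20.2-20.20.20.5; sources past the end of the pool wrap
  back to its first address (192.168.138.254 -> 20.20.20.2 on the slide). The modulo formula
  is an assumption that reproduces that slide, not the FortiOS algorithm.
* static_match(): Addr_Range_2_to_5 style static SNAT; each source maps to the address at the
  same offset in the external range and the port is preserved (.254:7654 -> .254:7654).
* port_range_shift(): the Central NAT entry that moved 60000/60001 to 32000/32001.
"""
from ipaddress import IPv4Address


def pool_wraparound(src: str, pool_first: str, pool_last: str) -> str:
    """Map the source's last octet onto the pool, wrapping around when past the end."""
    first, last = int(IPv4Address(pool_first)), int(IPv4Address(pool_last))
    size = last - first + 1
    host_off = int(IPv4Address(src)) & 0xFF          # last octet of the source
    idx = (host_off - (first & 0xFF)) % size         # 0 for .2, 3 for .5, 0 again for .6
    return str(IPv4Address(first + idx))


def static_match(src: str, src_first: str, src_last: str, ext_first: str, port: int):
    """One-to-one, offset-preserving mapping with the port kept; None outside the range."""
    s, lo, hi = (int(IPv4Address(a)) for a in (src, src_first, src_last))
    if not lo <= s <= hi:
        return None
    return str(IPv4Address(int(IPv4Address(ext_first)) + (s - lo))), port


def port_range_shift(sport: int, orig_range, nat_range):
    """Fixed port range: same offset inside the translated range; None when outside or
    when the two ranges are not the same size (a misconfiguration worth rejecting)."""
    (olo, ohi), (nlo, nhi) = orig_range, nat_range
    if not olo <= sport <= ohi or (ohi - olo) != (nhi - nlo):
        return None
    return nlo + (sport - olo)


def collisions(sources, pool_first, pool_last):
    """Which pool addresses are shared by more than one source (reply routing then depends
    on the session table, as in the port-conflict walkthrough)."""
    seen = {}
    for s in sources:
        seen.setdefault(pool_wraparound(s, pool_first, pool_last), []).append(s)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    print(pool_wraparound("192.168.138.254", "20.20.20.2", "20.20.20.5"))
    print(static_match("192.168.138.254", "192.168.138.1", "192.168.138.254", "20.20.20.1", 7654))
    print(port_range_shift(60001, (60000, 60001), (32000, 32001)))
    print(collisions(["192.168.138.2", "192.168.138.6"], "20.20.20.2", "20.20.20.5"))
```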
Server load balancing

[Diagram: PC1, PC2 and PC3 -> FortiGate -> Web Servers]
[Diagram: HTTP/1.1 persistence; a client's session stays with the same Web Server]
[Diagram: SSL offloading; PC1 -> FortiGate is Encrypted, FortiGate -> server is either Clean (offloaded) or Encrypted (re-encrypted)]
[Diagram (values as drawn on the slide): Host PC (vmnet1 192.168.138.1) -> port1 (192.168.138.10), load-balance VIP 192.168.138.101 -> port2 (20.20.20.1) -> xserver01 (eth1 20.20.20.10) and xserver02 (eth1 20.20.20.20)]

Client side (seen on port1):                        Server side (seen on port2):
SADDR          SPORT  DADDR            DPORT        SADDR          SPORT  DADDR        DPORT
192.168.138.1  23456  192.168.138.100  443          192.168.138.1  1234   20.20.20.10  80
                                                    192.168.138.1  3456   20.20.20.20  80

Health check monitor
Name: XT_HTTP_Check
Type: HTTP
Port: 80
URL: /index.html

Load-balance VIP
Name: LB_Public_IP
Type: HTTP
Interface: port1
Port: 80

4. Create a firewall policy allowing HTTP traffic from port1 to port2 with the newly created Load-Balance VIP as destination.
5. Make sure this policy is on top of the others.
[Sniffer output, diag sniffer packet any 'port 80' 1: two separate TCP three-way handshakes (syn, syn/ack, ack), one between the client and the VIP and one between the FortiGate and the real server, followed by the HTTP request and reply (psh/ack) and a fin. One connection uses the initial sequence numbers 1375892443 and 2610757897, the other 293125801 and 1901104108.]
$ mv index.html index.html.2
Renaming index.html on one of the web servers makes the XT_HTTP_Check health check (URL /index.html) fail for that server, so it is taken out of the pool.
10. As long as the cookie remains valid you will always be redirected to the same Web Server.
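The load-balance lab as an added Python model: two real servers standing in for xserver01 and xserver02, the XT_HTTP_Check health check on /index.html, and HTTP cookie persistence. This is not FortiOS code and not from the slides; the `LoadBalanceVip` class, the cookie name `FGTServer`, the use of the server IP as cookie value and the round-robin order are the example's own assumptions, and the `mv index.html index.html.2` step is simulated by removing /index.html from one server's document set.

```python
"""Model of the server load-balance VIP lab: two real servers, an HTTP health check on
/index.html and HTTP cookie persistence. Added example, not FortiOS code. The cookie
name, its value and the round-robin rule are assumptions.
"""
from itertools import cycle


class RealServer:
    def __init__(self, ip, port=80, files=("/index.html", "/about.html")):
        self.ip, self.port, self.files = ip, port, set(files)

    def get(self, path):                        # 200 when the file exists, else 404
        return 200 if path in self.files else 404


class LoadBalanceVip:
    COOKIE = "FGTServer"                        # assumed cookie name

    def __init__(self, servers, check_url="/index.html"):
        self.servers, self.check_url = list(servers), check_url
        self.rr = cycle(range(len(self.servers)))

    def healthy(self):
        """XT_HTTP_Check: a server is in rotation only while the check URL returns 200."""
        return [s for s in self.servers if s.get(self.check_url) == 200]

    def handle(self, path, cookies=None):
        """Return (status, server ip that answered, cookies to send back to the client)."""
        cookies = dict(cookies or {})
        pool = self.healthy()
        if not pool:
            return 503, None, cookies
        chosen = None
        if self.COOKIE in cookies:              # persistence: stick while the cookie is valid
            chosen = next((s for s in pool if s.ip == cookies[self.COOKIE]), None)
        if chosen is None:                      # no cookie, or it names a server that is down
            for _ in range(len(self.servers)):  # round robin over the *configured* list,
                cand = self.servers[next(self.rr)]   # skipping members that failed the check
                if cand in pool:
                    chosen = cand
                    break
            cookies[self.COOKIE] = chosen.ip    # set-cookie so later requests stick
        return chosen.get(path), chosen.ip, cookies


def lab_walkthrough():
    s1, s2 = RealServer("20.20.20.10"), RealServer("20.20.20.20")
    lb = LoadBalanceVip([s1, s2])
    _, first, jar = lb.handle("/about.html")            # first request: round robin
    _, again, jar = lb.handle("/about.html", jar)       # same cookie -> same server
    s1.files.discard("/index.html")                     # mv index.html index.html.2 on xserver01
    _, after_fail, jar2 = lb.handle("/about.html", jar) # stuck server is down -> re-balanced
    return first, again, after_fail, jar2, [s.ip for s in lb.healthy()]


if __name__ == "__main__":
    print(lab_walkthrough())
```

Two points the model makes explicit: the health check decides membership, so persistence never sends a client to a server that just failed its check; and using the real server's address as the cookie value, done here only for readability, discloses internal addressing to every client, which is why a production balancer uses an opaque value instead.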
Firewall policy for SIP (FortiOS CLI, tail of a config firewall policy block):

    next
    edit 0
        set srcintf wan1
        set dstintf internal
        set srcaddr Phone_B
        set dstaddr Phone_A
        set action accept
        set schedule always
        set service SIP
        set nat enable
        set utm-status enable
        set profile-protocol-options default
        set voip-profile default
    next
end
NAT64
Typical scenario
NAT64 Configuration

config system nat64
    set status [disable*|enable]
    set ipv6prefix <::/96>                     // default 64:FF9B::/96
    set always-synthesize-aaaa-record [disable*|enable]
end

Forwarding policy
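What the `ipv6prefix` and `always-synthesize-aaaa-record` settings do to an address, as an added Python example (not FortiOS code and not from the slides). It embeds an IPv4 address in the default 64:ff9b::/96 prefix the way a DNS64 resolver synthesizes an AAAA record, extracts it again the way the NAT64 gateway must, and models the two AAAA-synthesis modes implied by the option name: synthesize only when a name has no real AAAA record, or always. The function names are the example's own.

```python
"""NAT64 address synthesis for the default prefix 64:ff9b::/96 (the RFC 6052 well-known prefix).

Added example, not FortiOS code: it shows what 'ipv6prefix' and AAAA synthesis do to an
address, not how FortiOS implements them.
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

WELL_KNOWN = IPv6Network("64:ff9b::/96")


def synthesize(ipv4: str, prefix: IPv6Network = WELL_KNOWN) -> IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix: the AAAA a DNS64
    resolver hands back when the name only has an A record."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled, which is what the slide configures")
    return IPv6Address(int(prefix.network_address) | int(IPv4Address(ipv4)))


def extract(ipv6: str, prefix: IPv6Network = WELL_KNOWN):
    """Reverse step done by the NAT64 gateway; None when the address is not in the prefix,
    which is the check that keeps ordinary IPv6 traffic from being translated."""
    addr = IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_answer(a_records, aaaa_records, always=False, prefix=WELL_KNOWN):
    """AAAA set handed to an IPv6-only client: the real AAAA records when they exist,
    synthesized ones when they do not, and synthesized ones regardless when 'always' is
    set (the behaviour implied by the always-synthesize-aaaa-record switch)."""
    if aaaa_records and not always:
        return list(aaaa_records)
    return [str(synthesize(a, prefix)) for a in a_records]


if __name__ == "__main__":
    v6 = synthesize("20.20.20.10")
    print(v6, "->", extract(str(v6)))
    print(dns64_answer(["20.20.20.10"], ["2001:db8::10"], always=True))
```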
NAT66 Configuration (optional)

Thank You
John Len SE Andean Region
jleon@fortinet.com