Analyzing IPsec traffic through an ASA that performs PAT
Date: June 2019
Scenario
In this lab we analyze the behaviour of IPsec traffic between two routers that passes through an ASA performing PAT to a public IP.
The problem observed was that the tunnel came up in phase I (ISAKMP) but carried no traffic in phase II (ESP). The question is this: phase I is UDP 500 or 4500 traffic, so it can be translated, but what happens with ESP? ESP is a pure layer-3 protocol (IP protocol 50) with no layer-4 ports, so PAT, which relies on layer-4 ports, has nothing to translate. To answer this we take captures and examine the ASA's XLATE tables.
In short, this scenario analyzes IPsec and NAT-T.
Cliente#sh crypto isakmp sa (checking phase I)
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
200.0.0.1       192.168.0.9     QM_IDLE           2000 ACTIVE

IPv6 Crypto ISAKMP SA

Cliente#sh crypto ipsec sa (checking phase II)

interface: Vlan1
    Crypto map tag: VPN, local addr 192.168.0.9

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 200.0.0.1 port 4500 (this shows that NAT-T was negotiated)
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 (it should at least be sending them, even with no return traffic)
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 (the peer received nothing, so it sent no replies)
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.9, remote crypto endpt.: 200.0.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan1
     current outbound spi: 0x70029E4E(1879219790)
     PFS (Y/N): Y, DH group: group5

     inbound esp sas:
      spi: 0xBCE87022(3169349666)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4293066/894)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

Cliente#
1.- Captures with IPsec behind PAT:
A switch doing port mirroring was installed in order to capture the ISAKMP and ESP traffic.
We verify that PAT is applied during the ISAKMP negotiation on UDP 500; once the exchange moves to UDP 4500 the ASA stops translating.
Web search:
2.- Simulating ESP (phase II) traffic and PAT on the ASA:
The limitation of this simulation is that there is no prior ISAKMP negotiation and the packet carries no configured SPI parameters, but it is still interesting that it gets dropped at the NAT/PAT stage.
ciscoasa# packet-tracer input inside rawip 192.168.0.9 50 200.0.0.1 detailed   (protocol 50 is ESP)

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   200.0.0.0       255.255.255.252 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface inside
access-list INSIDE extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xa7fbf180, priority=13, domain=permit, deny=false
        hits=0, user_data=0xa98e0040, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac045e78, priority=0, domain=inspect-ip-options, deny=true
        hits=6, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside,outside) source dynamic obj-192.168.0.0 interface
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac04c1f0, priority=6, domain=nat, deny=false
        hits=7, user_data=0xab818f18, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.0.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa#
3.- PAT is replaced by 1-to-1 NAT:
3.1.- Initial check on the client router:
Cliente#sh crypto isakmp sa (no active tunnels)
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

Cliente#
3.2.- Clear the sessions/connections:
ciscoasa# clear xlate
INFO: 1 xlate deleted
ciscoasa#
ciscoasa# clear conn
1 connection(s) deleted.
ciscoasa#
3.3.- The configuration is replaced:
ciscoasa# conf t
ciscoasa(config)# no nat (inside,outside) source dynamic obj-192.168.0.0 interface
ciscoasa(config)# nat (inside,outside) source static obj-192.168.0.9 interface
ciscoasa(config)# end
3.4.- Interesting traffic is generated:
C:\>ping 10.0.0.1
Haciendo ping a 10.0.0.1 con 32 bytes de datos:
Respuesta desde 10.0.0.1: bytes=32 tiempo=1ms TTL=254 (it works!)
Respuesta desde 10.0.0.1: bytes=32 tiempo=1ms TTL=254
3.5.- Phase I tunnel check:
Cliente#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
200.0.0.1       192.168.0.9     QM_IDLE           2001 ACTIVE

IPv6 Crypto ISAKMP SA

3.6.- Phase II tunnel check:
Cliente#sh crypto ipsec sa

interface: Vlan1
    Crypto map tag: VPN, local addr 192.168.0.9

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 200.0.0.1 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2 (packets are being sent)
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2 (packets are being received)
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.0.9, remote crypto endpt.: 200.0.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan1
     current outbound spi: 0x70029E4E(1879219790)
     PFS (Y/N): Y, DH group: group5

     inbound esp sas:
      spi: 0xBCE87022(3169349666)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4293066/894)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0x70029E4E(1879219790)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4293066/894)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

Cliente#
3.7.- Capture with 1-to-1 NAT:
4.- Verification replacing the ASA with a router doing PAT:
Since the router is not stateful it performs the PAT without problems: the tunnel came up (phase I) and carried traffic (phase II).
Router#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
udp 200.0.0.2:4500     192.168.0.9:4500   200.0.0.1:4500     200.0.0.1:4500
Router#
5.- Tests on the ASA with IPsec inspection and PAT:
5.1.- PAT is configured again, together with an IPsec inspection policy:
conf t
no nat (inside,outside) source static obj-192.168.0.9 interface
nat (inside,outside) source dynamic obj-192.168.0.0 interface
!
access-list IPSec extended permit udp any any eq isakmp
access-list IPSec extended permit udp any any eq 4500
!
class-map IPSec
 match access-list IPSec
 exit
!
policy-map type inspect ipsec-pass-thru IPSec
 parameters
  esp per-client-max 10 timeout 0:05:00
 exit
!
policy-map global_policy
 class IPSec
  inspect ipsec-pass-thru
end
5.2.- Verify that there are no tunnels or established UDP sessions:
ciscoasa# clear xlate
INFO: 1 xlate deleted
ciscoasa# clear conn
1 connection(s) deleted.
ciscoasa#
ciscoasa# sh conn
1 in use, 2 most used
UDP outside 200.0.0.1:4500 inside 192.168.0.9:4500, idle 0:00:22, bytes 600, flags -
ciscoasa#
5.3.- Trigger VPN traffic and verify:
ciscoasa# sh conn
1 in use, 3 most used
UDP outside 200.0.0.1:4500 inside 192.168.0.9:4500, idle 0:00:00, bytes 53120, flags -
ciscoasa#
ciscoasa# sh xlate
3 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice, e - extended
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
    flags sIT idle 0:31:58 timeout 0:00:00
UDP PAT from inside:192.168.0.9/4500 to outside:200.0.0.2/4500 flags ri idle 0:02:03 timeout 0:00:30 (ISAKMP contact and ESP traffic)
UDP PAT from inside:192.168.0.9/500 to outside:200.0.0.2/500 flags ri idle 0:00:02 timeout 0:00:30 (first ISAKMP contact)
ciscoasa#
ciscoasa# sh service-policy global

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: icmp, packet 0, drop 0, reset-drop 0
    Class-map: IPSec
      Inspect: ipsec-pass-thru _default_ipsec_passthru_map, packet 34, drop 0, reset-drop 0
ciscoasa#
Note that the service-policy output references _default_ipsec_passthru_map: the "inspect ipsec-pass-thru" line in 5.1 was entered without the IPSec map name, so the default inspection map is in effect rather than the per-client-max/timeout parameters defined in that policy-map.
5.4.- Capture of the tunnel initialization and ESP traffic:
Note the time gap between packets 9 (phase I) and 10 (phase II).
6.- Appendix with data on NAT-T:
How does NAT-T work with ISAKMP/IPsec?
NAT Traversal performs two tasks:
1.- Detects if both ends support NAT-T
2.- Detects NAT devices along the transmission path (NAT-Discovery)
Step one occurs in ISAKMP Main Mode messages one and two. If both devices support NAT-T, then NAT-Discovery is performed in ISAKMP Main Mode messages (packets) three and four.
The NAT-D payload sent is a hash of the original IP address and port. Devices exchange two NAT-D packets, one with source IP and port, and another with destination IP and port. The receiving device recalculates the hash and compares it with the hash it received; if they don't match a NAT device exists.
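The NAT-Discovery comparison described above, as an added Python example (not code from the original lab or from the cited Cisco document). It follows RFC 3947, where the NAT-D hash also covers the two ISAKMP cookies, assumes SHA-1 as the ISAKMP hash (the IOS default when the policy sets no "hash" command), and uses constructed cookies with the addresses of this lab's topology:

```python
import hashlib
import socket
import struct

# Constructed ISAKMP cookies (8 bytes each). In a real exchange they are taken
# from the ISAKMP header negotiated in Main Mode messages one and two.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i, cky_r, ip, port):
    # RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port); SHA-1 is assumed here
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, my_ip, my_port):
    # A sender emits two NAT-D payloads: first the peer's (destination) address,
    # then its own (source) address, both as it sees them before any translation.
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]


def nat_detected(received, cky_i, cky_r, my_ip, my_port, seen_src_ip, seen_src_port):
    # The receiver recomputes both hashes from what its own IP/UDP headers show
    # and compares; any mismatch means a NAT device sits somewhere on the path.
    expected = [nat_d_hash(cky_i, cky_r, my_ip, my_port),
                nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)]
    return received != expected


def demo():
    # Cliente (192.168.0.9) builds its NAT-D payloads towards TerminadorVPN (200.0.0.1)
    sent = nat_d_payloads(CKY_I, CKY_R, "200.0.0.1", 500, "192.168.0.9", 500)
    # Behind the ASA the packet arrives with source 200.0.0.2 (the lab's xlate kept port 500)
    behind_pat = nat_detected(sent, CKY_I, CKY_R, "200.0.0.1", 500, "200.0.0.2", 500)
    # Without a NAT in the path the source address is unchanged and the hashes match
    direct = nat_detected(sent, CKY_I, CKY_R, "200.0.0.1", 500, "192.168.0.9", 500)
    return behind_pat, direct   # (True, False)
```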
If a NAT device has been determined to exist, NAT-T will change the ISAKMP transport with ISAKMP Main Mode messages five and six, at which point all ISAKMP packets change from UDP port 500 to UDP port 4500.
NAT-T encapsulates the Quick Mode (IPsec Phase 2) exchange inside UDP 4500 as well. After Quick Mode completes, data that gets encrypted on the IPsec Security Association is encapsulated inside UDP port 4500 as well, thus providing a port to be used in the PAT device for translation.
To visualize how this works and how the IP packet is encapsulated:
1.- Clear text packet will be encrypted/encapsulated inside an ESP packet
2.- ESP packet will be encapsulated inside a UDP/4500 packet.
NAT-T encapsulates ESP packets inside UDP and assigns both the Source and Destination ports as 4500.
After this encapsulation there is enough information for the PAT database binding to build successfully. Now ESP packets can be translated through a PAT device.
When a packet with source and destination port of 4500 is sent through a PAT device (from inside to outside), the PAT device will change the source port from 4500 to a random high port, while keeping the destination port of 4500. When a different NAT-T session passes through the PAT device, it will change the source port from 4500 to a different random high port, and so on.
This way each local host has a unique database entry in the PAT devices mapping ip address/port4500 to the public ip address/port.
Source: https://community.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442
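The three behaviours this lab contrasts (raw ESP dropped by dynamic PAT in section 2, the 1-to-1 NAT fix in section 3, and the UDP/4500 binding described in the appendix), as an added Python model that is not code from the original lab or from Cisco. Packet and Nat are simplifications invented for this example; the port-preservation rule is inferred from the lab's own xlate output (192.168.0.9/4500 stays 200.0.0.2/4500) and the appendix's high-port description:

```python
import struct
from dataclasses import dataclass, replace
ESP, UDP, NAT_T_PORT = 50, 17, 4500

@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: int = None   # None for protocols without layer-4 ports, such as raw ESP
    dst_port: int = None
    payload: bytes = b""

def esp_packet(src_ip, dst_ip, spi, seq):
    # ESP header = SPI (4 bytes) + sequence number (4 bytes); the ciphertext is constructed filler
    return Packet(ESP, src_ip, dst_ip, payload=struct.pack("!II", spi, seq) + b"\x00" * 16)

def nat_t_encapsulate(esp):
    # RFC 3948: the ESP packet is carried inside UDP with source and destination port 4500
    return Packet(UDP, esp.src_ip, esp.dst_ip, NAT_T_PORT, NAT_T_PORT, esp.payload)

class Nat:
    def __init__(self, public_ip, static=None):
        self.public_ip = public_ip
        self.static = static or {}   # inside_ip -> outside_ip ("source static obj-192.168.0.9 interface")
        self.xlate = {}              # (proto, inside_ip, inside_port) -> translated port
    def translate(self, pkt):
        if pkt.src_ip in self.static:     # 1:1 NAT rewrites only the IP, so raw ESP gets through
            return replace(pkt, src_ip=self.static[pkt.src_ip])
        if pkt.src_port is None:          # dynamic PAT has no port to bind on: drop (packet-tracer Phase 4)
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.xlate:
            used = {p for (proto, _, _), p in self.xlate.items() if proto == pkt.proto}
            # keep the original port when free; a second host needing it gets the next free high port
            self.xlate[key] = pkt.src_port if pkt.src_port not in used else max(used | {1023}) + 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.xlate[key])

def demo():
    inner = esp_packet("192.168.0.9", "200.0.0.1", 0x70029E4E, 1)   # SPI taken from 'sh crypto ipsec sa'
    pat, static = Nat("200.0.0.2"), Nat("200.0.0.2", static={"192.168.0.9": "200.0.0.2"})
    out = pat.translate(nat_t_encapsulate(inner))
    other = pat.translate(nat_t_encapsulate(esp_packet("192.168.0.10", "200.0.0.1", 0x1111, 1)))
    return {
        "raw_esp_dynamic_pat": pat.translate(inner),                 # None: dropped
        "raw_esp_static_nat": static.translate(inner).src_ip,        # "200.0.0.2": translated
        "nat_t_dynamic_pat": (out.src_ip, out.src_port),             # ("200.0.0.2", 4500)
        "second_host_port": other.src_port,                          # 4501: its own binding
        "inner_spi_untouched": struct.unpack("!I", out.payload[:4])[0] == 0x70029E4E,
    }
```

The last entry shows why NAT-T works: PAT rewrites only the outer UDP header, and the ESP header (SPI, sequence number) and ciphertext inside it are untouched.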
7.- Device configurations:
7.1.- ASA:
ciscoasa# sh runn
: Saved
:
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 200.0.0.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa847-30-k8.bin
ftp mode passive
object network obj-192.168.0.10
 host 192.168.0.10
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network obj-200.0.0.1
 host 200.0.0.1
object network obj-192.168.0.9
 host 192.168.0.9
access-list IPSec extended permit udp any any eq isakmp
access-list IPSec extended permit udp any any eq 4500
access-list INSIDE permit ip any any
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic obj-192.168.0.0 interface
access-group INSIDE in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map IPSec
 match access-list IPSec
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect ipsec-pass-thru IPSec
 parameters
  esp per-client-max 10 timeout 0:05:00
policy-map global_policy
 class inspection_default
  inspect icmp
 class IPSec
  inspect ipsec-pass-thru
!
Cryptochecksum:b0b4abdc4e58e79b3eae5db74549989b
: end
ciscoasa#
7.2.- Client router configuration:
Cliente#sh runn (only the most relevant parts)
Building configuration...

Current configuration : 1644 bytes
!
! Last configuration change at 16:41:10 UTC Fri Jun 21 2019
version 15.2
!
hostname Cliente
!
ip dhcp pool DHCP
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key Presh4red address 200.0.0.1
!
crypto ipsec transform-set ENCRIPTA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 set peer 200.0.0.1
 set security-association lifetime seconds 900
 set transform-set ENCRIPTA
 set pfs group5
 match address 101
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface FastEthernet4
 shutdown
!
interface Vlan1
 ip address 192.168.0.9 255.255.255.0
 crypto map VPN
!
interface Vlan2
 ip address 10.0.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
end
Cliente#
7.3.- VPN terminator router configuration:
TerminadorVPN# sh runn (only the most relevant parts)
Building configuration...

Current configuration : 1845 bytes
!
! Last configuration change at 15:31:44 UTC Fri Jun 21 2019
version 15.3
!
hostname TerminadorVPN
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key Presh4red address 200.0.0.2
crypto isakmp nat keepalive 10
!
crypto ipsec transform-set ENCRIPTA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 set peer 200.0.0.2
 set security-association lifetime seconds 900
 set transform-set ENCRIPTA
 set pfs group5
 match address 101
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 shutdown
!
interface Vlan1
 ip address 200.0.0.1 255.255.255.0
 crypto map VPN
!
interface Vlan2
 ip address 10.0.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 200.0.0.2
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
!
end
TerminadorVPN#
7.4.- Capture switch configuration:
!
monitor session 1 source interface Fa0
monitor session 1 destination interface Fa3
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
(2019) Lonely nights with IPSec
Rosario, Argentina