SERVICES TCP (2/2) - PowerPoint PPT Presentation

Title: SERVICES TCP (2/2)
Author: adminbis
Created: 10/9/2005 4:13:09 PM
Document presentation format: on-screen show
Slides: 109

Transcript and Presenter's Notes

1
SERVICES TCP (2/2)
2
ARP / RARP protocols
3
ARP protocol
  • Address Resolution Protocol - RFC 826
  • Resolves the physical address of a machine from
    its logical (IP) address
  • Operating principle
  • A wants to talk to B over a network (Ethernet,
    for example)
  • A does not know B's Ethernet address, but knows
    its IP address
  • A broadcasts an ARP request on the network
  • B sends back its Ethernet address in an ARP
    reply
  • A keeps this address in memory in an ARP table
    (provide a validity timer for the entries, so
    that the stations are known to still exist)

4
ARP protocol
  • Address Resolution Protocol - RFC 826
  • Avoids the need for a central database of
    (address pair) mappings
  • ARP requests stay local (they are not forwarded
    by routers)
  • ARP is an open address-resolution protocol: it
    is not restricted to resolving Ethernet and IP
    addresses
  • The ARP datagram is carried with Ethernet type
    field 0806 (hexadecimal)

5
ARP protocol
  • Dialogue from A to B
  • A sends an ARP request
  • IP(A): 132.156.1.1
  • IP(B): 132.156.1.10
  • Eth(A): 080026234567
  • Eth(B): ???
  • B sends back an ARP reply

6
ARP protocol
  • Dialogue from A to C
  • A sends an ARP request
  • the router (running proxy ARP) sends back an ARP
    reply
  • Proxy ARP (RFC 1027)

7
ARP protocol
  • ARP packet format

(Figure: ARP packet layout; of the field labels only "Destination protocol address (32 bits)" survives)
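As an added example (not code from the original slides), the A-to-B exchange of slide 5 in RFC 826 packet form: the request and reply are built and parsed with the Ethernet/IPv4 layout, and A's ARP table keeps the learned address under the validity timer slide 3 recommends. B's MAC address and the timer value are constructed sample values.

```python
import struct

ETH_TYPE_ARP = 0x0806          # Ethernet type field carrying ARP (slide 4)
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = "ffffffffffff"


def mac_bytes(mac_hex: str) -> bytes:
    return bytes.fromhex(mac_hex)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet header + 28-byte ARP body (hardware = Ethernet, protocol = IPv4).
    A request goes to the broadcast MAC; a reply goes straight to the requester."""
    dst = BROADCAST if op == OP_REQUEST else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet frame carrying ARP; reject anything else."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol address types")
    body = frame[22:22 + 2 * (hlen + plen)]
    return {"op": op,
            "sha": body[0:6].hex(), "spa": ".".join(map(str, body[6:10])),
            "tha": body[10:16].hex(), "tpa": ".".join(map(str, body[16:20]))}


class ArpTable:
    """ARP cache with the validity timer of slide 3: entries expire after ttl seconds."""

    def __init__(self, ttl_seconds: float = 120.0):
        self.ttl = ttl_seconds
        self.entries = {}          # ip -> (mac, expiry time)

    def learn(self, ip: str, mac: str, now: float) -> None:
        # Replies are accepted without authentication (the protocol has none),
        # so the timer is what eventually flushes a stale or wrong binding.
        self.entries[ip] = (mac, now + self.ttl)

    def lookup(self, ip: str, now: float):
        entry = self.entries.get(ip)
        if entry is None or entry[1] <= now:
            self.entries.pop(ip, None)
            return None
        return entry[0]


def exchange_a_to_b(table: ArpTable, now: float):
    """Slide 5: A (132.156.1.1) resolves B (132.156.1.10).
    Returns (B's MAC, how it was obtained). B's MAC is a constructed sample."""
    a_mac, a_ip, b_mac, b_ip = "080026234567", "132.156.1.1", "0800269abcde", "132.156.1.10"
    cached = table.lookup(b_ip, now)
    if cached:
        return cached, "cache"
    req = parse_arp(build_arp(OP_REQUEST, a_mac, a_ip, "000000000000", b_ip))
    # B sees the broadcast and answers only if the target protocol address is its own
    if req["op"] != OP_REQUEST or req["tpa"] != b_ip:
        return None, "no reply"
    rep = parse_arp(build_arp(OP_REPLY, b_mac, b_ip, req["sha"], req["spa"]))
    table.learn(rep["spa"], rep["sha"], now)     # A caches B's address with its timer
    return rep["sha"], "reply"
```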

8
ARP protocol: example of a router's ARP table

Protocol  Interface  Physical address  IP address
IP        Eth0       02608C2EC381      131.122.1.2
IP        Eth0       08002007F0FA      131.122.1.3
IP        Eth1       02608C2ECC38      132.122.1.1
IP        TR0        550020003C5E      132.123.1.2
IP        TR0        10004566FA12      132.123.1.3
IP        Eth2       02608C2EC380      28.2.10.10
IP        Eth2       02608CFAFE12      28.2.10.11
IP        Eth2       55002000E4E5      28.2.10.11
9
The proxy ARP case: a function built into a router
by default
10
DHCP
11
ARPA service: DHCP (RFC 2131)
  • Dynamic Host Configuration Protocol
  • Advantages
  • removes the need for static IP address
    assignment
  • increases security
  • Client/server architecture
  • DHCP server (assigns the IP addresses)
  • DHCP clients (no fixed IP address)

(Figure: network 132.156.1.0 without DHCP, with hosts addressed 132.156.1.1 through 132.156.1.4 and 132.156.1.100; and with DHCP, where the server holds an IP address pool 132.156.1.1, 132.156.1.2, 132.156.1.3 ... 132.156.1.100 and the clients start out at 0.0.0.0)
12
  • The BOOTP protocol lets diskless clients boot
    and configure TCP/IP automatically. The DHCP
    protocol (Dynamic Host Configuration Protocol)
    is an extension of BOOTP. It centralizes and
    manages the assignment of TCP/IP configuration
    information by automatically assigning IP
    addresses to computers configured to use DHCP.
  • A DHCP server gives its client the following
    information
  • An IP address
  • A subnet mask
  • A default gateway address, a DNS address and a
    WINS address.

13
  • Operation
  • A DHCP server configures its client through a
    four-phase process
  • Lease request (DHCPDISCOVER). The client host
    asks the server(s) for an IP address, using
    0.0.0.0 as the source address and
    255.255.255.255 as the destination address.
  • Lease offer (DHCPOFFER). The DHCP server sends
    the client an offer (IP address, lease duration,
    the client's hardware address, mask and the DHCP
    server's IP address).
  • Lease selection (DHCPREQUEST). The client
    accepts the first offer it received and informs
    the other DHCP servers of its selection.

14
  • IP lease acknowledgement (DHCPACK). The DHCP
    server sends the client an acknowledgement
    validating the lease. The DHCP server may
    instead send a DHCPNACK message to confirm that
    the lease was not concluded.
  • An IP address offered by a DHCP server has a
    limited lifetime called a lease. When the client
    reaches 50% of that duration, it sends a
    DHCPREQUEST to its DHCP server to renew it.

15
  • When the computer is switched on again, it has
    kept its IP address in its registry. It sends a
    message to the DHCP server asking whether it may
    reuse this address.
  • If a corporate network is made up of subnets,
    the routers must act as DHCP relay agents.
  • If the routers are not relay agents, then a DHCP
    server is needed on each subnet.

16
  • Installation
  • A DHCP service is installed on a Windows or UNIX
    server. It needs a static IP address, a subnet
    mask and a DHCP scope.
  • Caution: some sensitive servers, such as the
    PDC, need a static IP address.
  • Commands (on MS Windows)
  • IPCONFIG /ALL shows the IP configuration of the
    computer's operating system and of the network
    card.
  • IPCONFIG /RELEASE releases a lease.
  • IPCONFIG /RENEW renews a lease.

17
  • Configuration on a Cisco router
  • ip dhcp excluded-address 172.16.1.100
    172.16.1.103
  • ip dhcp pool 0
  • network 172.16.0.0 /16
  • domain-name cisco.com
  • dns-server 172.16.1.102 172.16.2.102
  • netbios-name-server 172.16.1.103 172.16.2.103
  • netbios-node-type h-node
  • default-router 172.16.1.100
  • lease 30 (in DD HH MM, or infinite; default 1
    day)

18
ARPA service: DHCP
  • the DHCP packet format is similar to that of
    BootP
  • DHCP options
  • 2 DHCP Offer
  • 3 DHCP Request
  • 4 DHCP Decline
  • 5 DHCP Ack
  • 6 DHCP Nack
  • 7 DHCP Release

(Figure: DHCP message type option: Code (53), length, Type (1-7))
19
Drawbacks: availability of the DHCP servers;
security (wifi, unofficial server)
20
Since DHCP requests are sent by broadcast (to
everyone) on the network, a malicious person can
use their own DHCP server to hand out malicious
configurations. This is possible by letting the
rogue DHCP server answer DHCP requests faster than
the DHCP server present on the network, thereby
giving users predefined configurations intended
for malicious actions.
22
Network with DHCP snooping. The operating principle
of DHCP snooping is simple. Since DHCP Offer and
DHCP ACK messages can only come from DHCP servers,
it is enough to define on the switches which ports
are allowed to send these messages. In this way,
only the ports configured as trusted ports can
send network configurations back to the client
hosts.
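As an added example (not code from the original slides), the four-phase exchange of slides 13-14 replayed through the DHCP snooping rule of slide 22: the message type is read from option 53 of a BOOTP-format packet, and OFFER/ACK/NAK are forwarded only when they arrive on a trusted port. The port names, the client MAC and the offered address are constructed sample values.

```python
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])       # separates the BOOTP header from DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE"}
SERVER_ONLY = {"OFFER", "ACK", "NAK"}          # only a DHCP server sends these (slide 22)
OPT_MSG_TYPE, OPT_PAD, OPT_END = 53, 0, 255


def build_dhcp(msg_type: int, xid: int, chaddr: bytes, yiaddr: str = "0.0.0.0") -> bytes:
    """Minimal 236-byte BOOTP header + magic cookie + option 53 + end option."""
    op = 1 if msg_type in (1, 3, 4, 7) else 2                 # BOOTREQUEST / BOOTREPLY
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # htype=1, hlen=6, broadcast flag
    hdr += bytes(4)                                            # ciaddr
    hdr += bytes(int(o) for o in yiaddr.split("."))            # yiaddr: the offered address
    hdr += bytes(8)                                            # siaddr, giaddr
    hdr += chaddr.ljust(16, b"\0")                             # chaddr
    hdr += bytes(64 + 128)                                     # sname, file
    return hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_options(pkt: bytes) -> dict:
    """Walk the TLV option list; returns {code: raw value}."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def message_type(pkt: bytes) -> str:
    raw = parse_options(pkt).get(OPT_MSG_TYPE)
    if raw is None or len(raw) != 1:
        raise ValueError("option 53 missing or malformed")
    return MSG_TYPES.get(raw[0], "UNKNOWN")


def snoop(pkt: bytes, ingress_port: str, trusted_ports: set) -> tuple:
    """Switch-side decision: (forward?, reason). Client messages pass on any port;
    server messages pass only from a trusted port (where the real server is attached)."""
    kind = message_type(pkt)
    if kind in SERVER_ONLY and ingress_port not in trusted_ports:
        return False, f"{kind} from untrusted port {ingress_port}: rogue server?"
    return True, kind


def four_phase(client_mac: bytes, server_port: str, trusted: set) -> list:
    """DISCOVER/OFFER/REQUEST/ACK with the server on server_port; one verdict per message."""
    xid = 0x3903F326                                            # constructed transaction id
    exchange = [(1, "Gi1/0/5", "0.0.0.0"), (2, server_port, "132.156.1.2"),
                (3, "Gi1/0/5", "0.0.0.0"), (5, server_port, "132.156.1.2")]
    return [snoop(build_dhcp(t, xid, client_mac, ip), port, trusted)[0]
            for t, port, ip in exchange]
```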
24
DHCP Class ID. Goal: customize the information
given by DHCP to each host within a single scope
25
ICMP
26
  • ICMP protocol: RFC 792, 896, 1256
  • Main characteristics
  • error-reporting protocol in the IP environment
  • operates in connectionless mode
  • ICMP messages are carried by IP
  • a mandatory part of the IP software modules
  • Some uses
  • "ping" command
  • "traceroute" command

27
ICMP protocol: ICMP packet format
  • TYPE
  • nature of the ICMP message and packet format
  • CODE
  • code of the reported error
  • CHECKSUM
  • integrity check of the ICMP message (same
    computation as the IP checksum)
  • DATA
  • depends on the ICMP message type (generally the
    IP header plus the first bytes of the datagram
    that caused the error message)

(Figure: ICMP header layout: bits 0-7 Type, bits 8-15 Code, bits 16-31 Checksum, followed by DATA)
28
ICMP protocol
  • "type" field

Type  ICMP message
0     Echo Reply
3     Destination Unreachable (see code table below)
4     Source Quench
5     Redirect
8     Echo Request
11    Time Exceeded for a Datagram
12    Parameter Problem
13    Timestamp Request
14    Timestamp Reply
15    Information Request
16    Information Reply
17    Address Mask Request
18    Address Mask Reply

Some values of the code field for type 3
(Destination Unreachable)

Code  Description
0     Network Unreachable
1     Host Unreachable
2     Protocol Unreachable
3     Port unreachable
4     Fragm. needed and DF set
5     Source route failed
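As an added example (not code from the original slides), the ICMP header of slide 27 in working form: the checksum computed "as for the IP header", an Echo Request built and verified, and the type/code tables of slide 28 used to decode a message, including the offending IP header that a Destination Unreachable or Time Exceeded message carries in its data. The sample addresses inside the error message are constructed.

```python
import struct

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 11: "Time Exceeded for a Datagram",
              12: "Parameter Problem", 13: "Timestamp Request", 14: "Timestamp Reply",
              15: "Information Request", 16: "Information Reply",
              17: "Address Mask Request", 18: "Address Mask Reply"}
UNREACHABLE_CODES = {0: "Network Unreachable", 1: "Host Unreachable",
                     2: "Protocol Unreachable", 3: "Port unreachable",
                     4: "Fragm. needed and DF set", 5: "Source route failed"}


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, folded; identical to the IP header checksum."""
    if len(data) % 2:
        data += b"\0"                                   # odd length: pad for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest_of_header: bytes, payload: bytes = b"") -> bytes:
    """Type, Code, Checksum, then the 4 type-specific bytes and the data."""
    zeroed = struct.pack("!BBH", icmp_type, code, 0) + rest_of_header + payload
    csum = internet_checksum(zeroed)                    # computed with the field at zero
    return struct.pack("!BBH", icmp_type, code, csum) + rest_of_header + payload


def echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), payload)


def verify(pkt: bytes) -> bool:
    """A received message is intact when the checksum over the whole message folds to 0."""
    return internet_checksum(pkt) == 0


def ipv4_header(src: str, dst: str, proto: int, ttl: int) -> bytes:
    """Constructed 20-byte IPv4 header (no options), used as the data of an error message."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def decode(pkt: bytes) -> dict:
    """Name the type and code; for error types, recover who the original datagram was for."""
    if len(pkt) < 8 or not verify(pkt):
        raise ValueError("short or corrupt ICMP message")
    t, c = pkt[0], pkt[1]
    info = {"type": t, "name": ICMP_TYPES.get(t, "unknown"), "code": c}
    if t == 3:
        info["code_name"] = UNREACHABLE_CODES.get(c, "unknown")
    if t in (3, 11):
        # the data is the IP header plus the first 8 bytes of the offending datagram (slide 27);
        # traceroute matches a Time Exceeded to its probe through exactly these bytes
        ihl = (pkt[8] & 0x0F) * 4
        inner = pkt[8:8 + ihl]
        info["original_dst"] = ".".join(map(str, inner[16:20]))
        info["original_proto"] = inner[9]
    return info
```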
29
ICMP ping through a router

(Figure: station A on network A and station B on network B, each configured with an IP address, the associated mask and a gateway IP address; the router holds the routing table and an ARP table (IP address, MAC address per port). Frames shown: the Echo Request from A (destination IP @B, source IP @A, destination MAC FFFFFF then the router's MAC, source MAC A then R) and the Echo Reply from B (destination IP @A, source IP @B, destination MAC @R, source MAC B).)
30
ICMP: the traceroute command
  • Traceroute

31
  • Traceroute is a software tool (application
    layer)
  • identifies the different nodes (routers) crossed
    by an IP datagram destined for a remote machine
  • based on the use of ICMP messages of type TTL
    Exceeded

32
HSRP hot standby redundant protocol
33
Configuration of the 1st router

interface Ethernet0
 ip address 171.16.6.5 255.255.255.0
 standby 1 ip 171.16.6.100
 !--- Assigns a standby group and standby IP address
 standby 1 priority 105
 !--- Assign a priority (105 in this case) to the router interface (e0)
 !--- for a particular group number (1). The default is 100.
 standby 1 preempt
 !--- Allows the router to become the active router when its priority
 !--- is higher than all other HSRP-configured routers in the hot standby group.
34
 !--- If you do not use the standby preempt command in the configuration
 !--- for a router, that router will not become the active router, even if
 !--- its priority is higher than all other routers.
 standby 1 track Serial0
 !--- Indicates that HSRP will track Serial0 interface.
 !--- The interface priority can also be configured which indicates the
 !--- amount by which the router priority is decremented when
 !--- the interface goes down. The default is 10.
interface Serial0
 ip address 171.16.2.5 255.255.255.0
35
Configuration of the 2nd router

interface Ethernet0
 ip address 171.16.6.6 255.255.255.0
 !--- Assigns an IP address to the interface.
 standby 1 ip
 !--- Indicates the hot standby group. Here the IP address of the virtual router
 !--- is not configured. See the note below.
 standby 1 preempt
 !--- Allows the router to become the active router when its priority
 !--- is higher than all other HSRP-configured routers in the hot standby group.
 !--- If you do not use the standby preempt command in the configuration
 !--- for a router, that router will not become the active router, even if
36
 !--- its priority is higher than all other routers.
 standby 1 track Serial1
 !--- Indicates that HSRP will track Serial1 interface.
 !--- The interface priority can also be configured which indicates the
 !--- amount by which the router priority is decremented when
 !--- the interface goes down. The default is 10.
 !--- The priority is also not configured and hence the default
 !--- priority value of 100 is applied.
interface Serial1
 ip address 171.16.7.6 255.255.255.0
37
Note R2 does not have a standby IP address
configured. This is intentional in order to
demonstrate that this is a valid configuration.
When R1 and R2 exchange HSRP hellos, R2 learns
the standby IP address from R1. Configuring R2
with a standby IP address (same standby address
configured on R1) is also a valid configuration.
38
R1# show standby
Ethernet0 - Group 1
  Local state is Active, priority 105, may preempt
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 1.458
  Virtual IP address is 171.16.6.100 configured
  Active router is local
  Standby router is 171.16.6.6 expires in 8.428
  Virtual mac address is 0000.0c07.ac01
  2 state changes, last state change 02:09:49
  IP redundancy name is "hsrp-Et0-1" (default)
  Priority tracking 1 interface, 1 up
    Interface  Decrement  State
    Serial0    10         Up
39
R2# show standby
Ethernet0 - Group 1
  Local state is Standby, priority 100, may preempt
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 1.814
  Virtual IP address is 171.16.6.100
  Active router is 171.16.6.5, priority 105 expires in 9.896
  Standby router is local
  3 state changes, last state change 00:10:21
  IP redundancy name is "hsrp-Et0-1" (default)
  Priority tracking 1 interface, 1 up
    Interface  Decrement  State
    Serial1    10         Up
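As an added example (not code from the original slides), a simulation of the HSRP election for the two routers configured above: R1 with priority 105, preempt and tracking of Serial0 (decrement 10), R2 with the default priority 100 and preempt. It shows why R1 is Active in the show output, what happens when the tracked Serial0 goes down and comes back, and why preempt matters. The election model (highest effective priority, then highest IP address, and an active router only displaced by a preempting candidate) is my summary of the rules stated in the configuration comments.

```python
from dataclasses import dataclass, field


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100                                   # IOS default
    preempt: bool = False
    tracked: dict = field(default_factory=dict)           # interface -> decrement (default 10)
    link_up: dict = field(default_factory=dict)           # interface -> bool

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        down = sum(dec for itf, dec in self.tracked.items() if not self.link_up.get(itf, True))
        return max(0, self.priority - down)


def elect(routers: list, current_active):
    """Active router after one hello round among the routers of the group.
    Highest effective priority wins; ties go to the highest IP address. A router that is
    already active stays active unless a better candidate is allowed to preempt."""
    best = max(routers, key=lambda r: (r.effective_priority(),
                                       tuple(int(o) for o in r.ip.split("."))))
    if current_active is None or current_active not in routers:
        return best                                       # no active router (or it died)
    if best is current_active or not best.preempt:
        return current_active
    return best


def scenario() -> list:
    """Replays the page's two-router group through a link failure and recovery."""
    r1 = HsrpRouter("R1", "171.16.6.5", 105, True, {"Serial0": 10}, {"Serial0": True})
    r2 = HsrpRouter("R2", "171.16.6.6", 100, True, {"Serial1": 10}, {"Serial1": True})
    group, log = [r1, r2], []
    active = elect(group, None)
    log.append(active.name)                               # R1: 105 beats 100
    r1.link_up["Serial0"] = False                         # tracked WAN link fails
    active = elect(group, active)
    log.append(active.name)                               # R1 drops to 95; R2 preempts
    r1.link_up["Serial0"] = True
    active = elect(group, active)
    log.append(active.name)                               # R1 back to 105 and preempts
    r2.preempt = False
    r1.link_up["Serial0"] = False
    active = elect(group, active)
    log.append(active.name)                               # R2 may not preempt: R1 stays
    return log
```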
40
NAT address translation
Public/private addressing principles: shortage of
official addresses; security. RFC 1918:
10.0.0.0 - 10.255.255.255 (? prefix)
172.16.0.0 - 172.31.255.255 (? prefix)
192.168.0.0 - 192.168.255.255 (? prefix)
Such frames are discarded by the first Internet
router crossed. Solution: address translation,
but (important) applications are sensitive to it.
41
Network Address Translation. In its simplest
configuration, NAT runs on a router with 2
interfaces: an "inside" one carrying addresses that
are not authorized or not routed on the Internet
and therefore must be translated (converted) into
legal (official, public) addresses before going
out to the outside world (through the second,
"outside", interface). NAT is defined notably in
RFC 1631.
43
Inside NAT addressing
44
NAT outside addressing
45
  • Inside local: Configured IP address assigned to
    a host on the inside network. Address may be
    globally unique, allocated out of the private
    address space defined in RFC 1918, or might be
    officially allocated to another organization.
  • Inside global: The IP address of an inside host
    as it appears to the outside network, the
    "Translated IP Address." Addresses can be
    allocated from a globally unique address space,
    typically provided by the ISP (if the enterprise
    is connected to the global Internet).
  • Outside local: The IP address of an outside host
    as it appears to the inside network.
  • Outside global: The configured IP address
    assigned to a host in the outside network.

46
Main characteristics
Static Address Translation: establishes a
one-to-one mapping between local and global
addresses.
Dynamic Address Translation: establishes a dynamic
mapping between local and global addresses. A pool
of addresses is defined for allocating the global
addresses. Useful when the number of official
addresses is smaller than the number of local
addresses (a frequent case).
Match Host: keep the same host portion of the IP
address and translate only the network prefix.
Useful for identifying users.
47
Port Address Translation (PAT). Several internal
addresses can be NATed to only one or a few
external addresses by using a feature called Port
Address Translation (PAT), which is also referred
to as "overload," a subset of NAT functionality.
PAT uses unique source port numbers on the Inside
Global IP address to distinguish between
translations. Because the port number is encoded
in 16 bits, the total number could theoretically
be as high as 65,536 per IP address. PAT will
attempt to preserve the original source port; if
this source port is already allocated, PAT will
attempt to find the first available port number
starting from the beginning of the appropriate
port group 0-511, 512-1023, or 1024-65535. If
there is still no port available from the
appropriate group and more than one IP address is
configured, PAT will move to the next IP address
and try to allocate the original source port
again. This continues until it runs out of
available ports and IP addresses.
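As an added example (not code from the original slides), the PAT source-port allocation just described, implemented over a translation table: the original port is preserved when free, otherwise the first free port of the same group (0-511, 512-1023, 1024-65535) is taken, and when the group is exhausted the next Inside Global address is tried with the original port. The table also answers the reverse lookup needed for return traffic. Port spaces are kept per protocol (TCP and UDP separately); the address values are constructed samples.

```python
PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]


def port_group(port: int) -> tuple:
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError("port out of range")


class PatTable:
    def __init__(self, global_ips):
        self.global_ips = list(global_ips)     # ordered Inside Global pool
        self.in_use = {}                       # (global_ip, proto) -> set of ports
        self.forward = {}                      # (local_ip, local_port, proto) -> (global_ip, port)
        self.reverse = {}                      # (global_ip, port, proto) -> (local_ip, local_port)

    def _used(self, ip: str, proto: str) -> set:
        return self.in_use.setdefault((ip, proto), set())

    def _pick_port(self, ip: str, proto: str, wanted: int):
        """Original port if free, else the first free port of the same group, else None."""
        used = self._used(ip, proto)
        if wanted not in used:
            return wanted
        lo, hi = port_group(wanted)
        for p in range(lo, hi + 1):
            if p not in used:
                return p
        return None

    def translate(self, local_ip: str, local_port: int, proto: str = "tcp") -> tuple:
        """Outbound: return (Inside Global address, global port), creating the entry if needed."""
        key = (local_ip, local_port, proto)
        if key in self.forward:                # existing connection keeps its mapping
            return self.forward[key]
        for ip in self.global_ips:             # next address only when a group is exhausted
            port = self._pick_port(ip, proto, local_port)
            if port is not None:
                self._used(ip, proto).add(port)
                self.forward[key] = (ip, port)
                self.reverse[(ip, port, proto)] = (local_ip, local_port)
                return ip, port
        raise RuntimeError("PAT: out of ports and addresses")

    def untranslate(self, global_ip: str, global_port: int, proto: str = "tcp"):
        """Inbound reply: recover the inside host, or None if no translation exists."""
        return self.reverse.get((global_ip, global_port, proto))


def demo():
    """Two global addresses, four inside connections; shows each rule of the algorithm."""
    pat = PatTable(["171.69.233.209", "171.69.233.210"])
    results = [pat.translate("192.168.1.10", 40000),        # preserved: port 40000
               pat.translate("192.168.1.11", 40000),        # taken: first free in 1024-65535
               pat.translate("192.168.1.12", 53, "udp"),    # UDP space is separate: 53
               pat.translate("192.168.1.13", 53, "udp")]    # taken: first free in 0-511
    return pat, results
```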
48
PAT concepts
49
Destination Address Rotary Translation A dynamic
form of destination translation can be configured
for some outside-to-inside traffic. Once a
mapping is set up, a destination address matching
one of those on an access list will be replaced
with an address from a rotary pool. Allocation is
done in a round-robin basis, performed only when
a new connection is opened from the outside to
the inside. All non-TCP traffic is passed
untranslated (unless other translations are in
effect). This feature was designed to provide
protocol translation load distribution. It is not
designed to be used as a substitute technology
for Cisco's LocalDirector product. Destination
address rotary translation should not be used to
provide Web service load balancing because it
knows nothing about service availability. As a
result, if a Web server were to become offline,
the destination address rotary translation
feature would continue to send requests to the
downed server.
51
NAT limits: supported traffic types/applications
Any TCP/UDP traffic that does not carry source
and/or destination IP addresses in the application
part of the frame.
Applications with a NAT "fixup" ("verrue"): HTTP,
TFTP, telnet
Residual problem: Netmeeting v3
52
Conclusions
Avoid NAT within a single company
Case of a merger of 2 companies: long-term
connectivity?? Redefining a new addressing plan is
heavy but preferable
53
Cisco Configuration Commands
Interface Configuration Commands
ip nat inside | outside
Interfaces need to be marked whether they are on the inside or the outside.
Global Configuration Commands
Defining a pool:
ip nat pool <name> <start-ip> <end-ip> {netmask <netmask> | prefix-length <prefix-length>} [type rotary]
Defines a pool of addresses using start address, end address, and netmask. These addresses will be allocated as needed.
54
Enabling translation of inside source addresses
ip nat inside source {list <acl> pool <name> [overload] | static <local-ip> <global-ip>}
The first form enables dynamic translation. Packets from addresses that match those on the simple access list are translated using global addresses allocated from the named pool. The optional keyword overload enables port translation for UDP and TCP. The term overload is equivalent to Port Address Translation (PAT). The second form of the command sets up a single static translation.
55
Enabling translation of inside destination addresses
ip nat inside destination {list <acl> pool <name> | static <global-ip> <local-ip>}
Command similar to the "source translation command". For dynamic destination translation to make any sense, the pool should be a rotary-type pool (the rotary option of the corresponding ip nat pool). But what is it needed for??? See the last example of this chapter.
56
Enabling translation of outside source addresses
ip nat outside source {list <acl> pool <name> | static <global-ip> <local-ip>}
The first form (list..pool..) enables dynamic translation. Packets from addresses that match those on the simple access list are translated using local addresses allocated from the named pool. The second form (static) of the command sets up a single static translation. What is it needed for? For example, the case of an outside network having the same network address as the inside network: the case of a company that did not choose official addresses, or addresses conforming to RFC 1918.
57
Configuring translation timeouts
ip nat translation timeout <seconds>
Dynamic translations time out after a period of non-use. When port translation is not configured, translation entries time out after 24 hours. This time can be adjusted with the above command or the following variations:
ip nat translation udp-timeout <seconds>
ip nat translation dns-timeout <seconds>
ip nat translation tcp-timeout <seconds>
When port translation is configured, there is finer control over translation entry timeouts, because each entry contains more context about the traffic using it. Non-DNS UDP translations time out after 5 minutes; DNS times out in 1 minute. TCP translations time out after 24 hours.
58
Exec Commands
Show active translations: show ip nat translations [verbose]
Show translation statistics: show ip nat statistics
Clearing dynamic translations:
clear ip nat translation *
Clears all dynamic translations.
clear ip nat translation <global-ip>
Clears a simple translation.
clear ip nat translation <global-ip> <local-ip> <proto> <global-port> <local-port>
Clears a particular dynamic translation.
59
Debugging: debug ip nat [<list>] [detailed]
60
Configuration examples. The following sample
configuration translates between inside hosts
addressed from either the 192.168.1.0 or
192.168.2.0 nets to the globally-unique
171.69.233.208/28 network. Translation concerns
only these 2 networks.
61
ip nat pool net-20 171.69.233.209 171.69.233.223 netmask 255.255.255.240
ip nat inside source list 1 pool net-20
!
interface Ethernet0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface Ethernet1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
62
The next sample configuration translates between
inside hosts addressed from the 9.114.11.0 net to
the globally unique 171.69.233.208/28 network.
Packets from outside hosts addressed from the
9.114.11.0 net (the "true" 9.114.11.0 net) are
translated to appear to be from net 10.0.1.0/24.
This is the case of a company whose internal
addressing is neither public nor conformant to
RFC 1918.
63
ip nat pool net-20 171.69.233.209 171.69.233.223 netmask 255.255.255.240
ip nat pool net-10 10.0.1.1 10.0.1.254 netmask 255.255.255.0
ip nat inside source list 1 pool net-20
ip nat outside source list 1 pool net-10
interface Ethernet0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
interface Ethernet1
 ip address 9.114.11.39 255.255.255.0
 ip nat inside
!
access-list 1 permit 9.114.11.0 0.0.0.255
Translation concerns only this single network.
64
Pool configuration
The pool configuration syntax has been extended to allow discontiguous ranges of addresses:
ip nat pool <name> {netmask <mask> | prefix-length <length>}
This command will put the user into IP NAT Pool configuration mode, where a sequence of address ranges can be configured. There is only one command in this mode:
address <start> <end>
Router(config)# ip nat pool fred prefix-length 24
Router(config-ipnat-pool)# address 171.69.233.225 171.69.233.226
Router(config-ipnat-pool)# address 171.69.233.228 171.69.233.238
This configuration creates a pool containing addresses 171.69.233.225-226 and 171.69.233.228-238 (171.69.233.227 has been omitted).
65
Translating to interface's address
As a convenience for users wishing to translate all inside addresses to the address assigned to an interface on the router, the NAT code allows one to simply name the interface when configuring the dynamic translation rule:
ip nat inside source list <number> interface <interface> overload
If there is no address on the interface, or if the interface is not up, no translation will occur.
Example: ip nat inside source list 1 interface Serial0 overload
66
Static translations with ports
Services on the inside network (like mail) will require additional configuration. This command allows the user to map certain services of certain inside hosts.
ip nat inside source static {tcp | udp} <localaddr> <localport> <globaladdr> <globalport>
Example: ip nat inside source static tcp 192.168.10.1 25 171.69.232.209 25
67
Translation Entry Limit
Using the following command, Cisco IOS NAT can be configured to limit the number of translation entries it creates. The default is that there is no limit.
ip nat translation max-entries <n>
68
Provide TCP Load Distribution Another use of NAT
is unrelated to Internet addresses. Your
organization may have multiple hosts that must
communicate with a heavily used host. Using NAT,
you can establish a virtual host on the inside
network that coordinates load sharing among real
hosts. Destination addresses that match an access
list are replaced with addresses from a rotary
pool. Allocation is done in a round-robin basis,
and only when a new connection is opened from the
outside to the inside. Non-TCP traffic is passed
untranslated (unless other translations are in
effect).
69
  • The router performs the following process when
    translating rotary addresses
  • 1. The user on Host B (9.6.7.3) opens a
    connection to virtual host at 1.1.1.127.
  • 2. The router receives the connection request
    and creates a new translation, allocating the
    next real host (1.1.1.1) for the inside local IP
    address.
  • 3. The router replaces the destination address
    with the selected real host address and forwards
    the packet.
  • 4. Host 1.1.1.1 receives the packet and responds.
  • 5. The router receives the packet, performs a
    NAT table lookup using the inside local address
    and port number, and the outside address and
    port number as the key. The router then
    translates the source address to the address of
    the virtual host and forwards the packet.
  • The next connection request will cause the
    router to allocate 1.1.1.2 for the inside local
    address.

70
Note The access list must permit only those
addresses that are to be translated. (Remember
that there is an implicit "deny all" at the end
of each access list.) An access list that is too
permissive can lead to unpredictable results.
In the following example, the goal is to
define a virtual address, connections to which
are distributed among a set of real hosts. The
pool defines the addresses of the real hosts. The
access list defines the virtual address. If a
translation does not already exist, TCP packets
from serial 0 (the outside interface) whose
destination matches the access list are
translated to an address from the pool.
71
ip nat pool real-hosts 192.168.15.2 192.168.15.15 prefix-length 28 type rotary
ip nat inside destination list 2 pool real-hosts
!
interface serial 0
 ip address 192.168.15.129 255.255.255.240
 ip nat outside
!
interface ethernet 0
 ip address 192.168.15.17 255.255.255.240
 ip nat inside
!
access-list 2 permit 192.168.15.1
72
Firewalls
  • General characteristics and market offering
  • Application firewalls based on a PC with a
    well-known OS (Unix, NT, Win2K, ...)
  • Example: Firewall-1 from Checkpoint Software
  • The notion of "stateful"
  • Firewall based on a standalone appliance with a
    proprietary OS
  • Example: Cisco PIX
  • Cisco offering: Cisco PIX 501 (failover option)
  • IOS firewall for Cisco routers (memory
    requirements)

74
DMZ architecture
1. without DMZ (security): router with integrated
FW; router + FW (2 interfaces)
2. DMZ: FW (> 2 interfaces)
75
  • Cisco PIX
  • OS similar to Cisco IOS, but it is not IOS:
    different commands
  • Access modes: identical to IOS
  • Unprivileged mode: ">" prompt.
  • Privileged mode: "#" prompt
  • Enable, disable, exit, or quit
  • Configuration mode: "(config)" prompt, entered
    with the configure terminal command
  • 0 represents 0.0.0.0.
  • Backups
  • write memory
  • tftp-server, write net

76
Configuring the firewall interfaces
Assigning the IP address and subnet mask
ip address inside ip_address netmask
ip address outside ip_address netmask
Example: ip address inside 192.168.1.1 255.255.255.0
77
Changing interface names and security levels
(optional)
nameif ethernet0 outside security0 (default)
nameif ethernet1 inside security100 (default)
nameif ethernet2 intf2 security10 (default)
show nameif
Give meaningful names, for example dmz1. Security
levels: 100 is the highest, 0 the lowest. They are
used to control access between the systems on the
different interfaces.
78
Principles. To reach a lower-security interface
from a higher-security interface, use the nat and
global commands (see the examples that follow). By
default there is no restriction (once a nat
command is enabled). Use access-lists to restrict
the rights (by IP address and/or TCP/UDP port).
Remarks: the implicit deny (permit) all exists as
with IOS. The wildcard mask is not used; the
"normal" mask is used.
79
To reach a higher-security interface from a
lower-security interface, use the static and
access-list commands (see the examples that
follow). By default everything is denied. Remarks:
in older versions of the PIX software (< v5), the
conduit command was used (instead of static and
access-list).
80
Configuring the PIX Firewall for routing
route outside 0 0 209.165.201.2 1 (default route)
route inside 192.168.5.0 255.255.255.0 192.168.0.2 1
route dmz4 192.168.6.0 255.255.255.0 192.168.4.2 1
(the trailing 1: 1 next hop)
81
(Figure: the PIX with its outside interface facing the router at 209.165.201.2, its DMZ interface 192.168.4.1 facing a router 192.168.4.2 that leads to 192.168.6.1, and its inside interface 192.168.0.1 facing a router 192.168.0.2 that leads to 192.168.5.1)
82
Establishing outbound connectivity with NAT and
PAT. Network Address Translation (NAT). Port
Address Translation (PAT) with a single global IP
address: 64,000 ports are theoretically available
(the port is coded on 16 bits). The PIX Firewall
associates an internal address with a global
address using a NAT identifier (NAT ID).
83
Add a nat command for each higher-security
interface from which you want users to be able to
initiate connections towards lower-security
interfaces. To let inside users start connections
on any lower security interface, use the
nat (inside) 1 0 0 command. To let dmz4 users
start connections on any lower security interface
such as dmz3, dmz2, dmz1, or the outside, use the
nat (dmz4) 1 0 0 command. Instead of specifying
"0 0," to let all hosts start connections, you can
specify a host or a network address and mask. For
example, to let only host 192.168.2.42 start
connections on the dmz2 interface, you could
specify the following:
nat (dmz2) 1 192.168.2.42 255.255.255.255
84
The "1" after the interface is the NAT ID. NAT ID 0
means to disable Network Address Translation. The
NAT ID in the nat command has to be the same NAT
ID you use for the corresponding global command.
global (outside) 1 209.165.201.5 netmask 255.255.255.224
global (outside) 1 209.165.201.10-209.165.201.20 netmask 255.255.255.224
85
The first global command statement specifies a
single IP address, which the PIX Firewall
interprets as a PAT. The PAT lets up to 65,535
hosts start connections to the outside. PIX
Firewall permits one PAT global command statement
for each interface. The second global command
statement augments the pool of global addresses
on the outside interface. The PAT creates a pool
of addresses used only when the addresses in the
first global command statement are in use.
86
global (dmz1) 1 192.168.1.10-192.168.1.100 netmask 255.255.255.0
global (dmz2) 1 192.168.2.10-192.168.2.100 netmask 255.255.255.0
The global command statement for dmz1 lets users
on the inside, dmz2, dmz3, and dmz4 start
connections on the dmz1 interface. The global
command statement for dmz2 lets users on the
inside, dmz3, and dmz4 start connections on the
dmz2 interface. If you use network subnetting,
specify the subnet mask with the netmask option.
87
You can track usage among different subnets by
mapping different internal subnets to different
PAT addresses. For example:
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 2 10.1.2.0 255.255.255.0
global (outside) 1 192.168.1.1
global (outside) 2 209.165.200.225
In this example, hosts on the internal network
10.1.1.0/24 are mapped to global address
192.168.1.1, and hosts on the internal network
10.1.2.0/24 are mapped to global address
209.165.200.225 in global configuration mode.
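As an added example (not code from the original slides), a small checker for the PIX rules of slides 78-79 and 83-87: it parses nameif / nat / global / static lines, then decides whether a host on one interface may start connections towards another: a higher-to-lower flow needs a nat statement covering the host and a global with the same NAT ID on the destination interface (NAT ID 0 passes untranslated), a lower-to-higher flow needs a static for that interface pair. The configuration text is constructed from the slides' commands; the access-list part of the lower-to-higher rule is not modelled.

```python
import ipaddress
import re

NAMEIF = re.compile(r"^nameif\s+(\S+)\s+(\S+)\s+security(\d+)$")
NAT = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)$")
GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(\S+)(?:\s+netmask\s+\S+)?$")
STATIC = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)$")

SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz2 security50
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 2 10.1.2.0 255.255.255.0
nat (dmz2) 1 192.168.2.42 255.255.255.255
global (outside) 1 192.168.1.1
global (outside) 2 209.165.200.225
static (dmz2,outside) 209.165.201.5 192.168.2.42
"""


def parse_pix(config: str) -> dict:
    """Collect security levels, nat rules, global pools per (interface, NAT ID) and statics."""
    cfg = {"levels": {}, "nat": [], "global": {}, "static": []}
    for line in config.splitlines():
        line = line.strip()
        if m := NAMEIF.match(line):
            cfg["levels"][m.group(2)] = int(m.group(3))
        elif m := NAT.match(line):
            itf, nat_id, net, mask = m.groups()
            net = "0.0.0.0/0" if net == "0" else f"{net}/{mask}"       # "0 0" means all hosts
            cfg["nat"].append((itf, int(nat_id), ipaddress.ip_network(net, strict=False)))
        elif m := GLOBAL.match(line):
            itf, nat_id, addrs = m.groups()
            cfg["global"].setdefault((itf, int(nat_id)), []).append(addrs)
        elif m := STATIC.match(line):
            cfg["static"].append((m.group(1), m.group(2)))               # (high_if, low_if)
    return cfg


def outbound(cfg: dict, src_if: str, dst_if: str, src_ip: str) -> tuple:
    """Higher security -> lower security: (allowed?, reason)."""
    lv = cfg["levels"]
    if lv[src_if] <= lv[dst_if]:
        return False, "not a higher-to-lower flow"
    host = ipaddress.ip_address(src_ip)
    for itf, nat_id, net in cfg["nat"]:
        if itf != src_if or host not in net:
            continue
        if nat_id == 0:
            return True, "nat 0: passes untranslated"
        pool = cfg["global"].get((dst_if, nat_id))
        if pool:
            return True, f"translated via global ({dst_if}) {nat_id} -> {pool[0]}"
        return False, f"nat id {nat_id} has no matching global on {dst_if}"
    return False, f"no nat statement on {src_if} covers {src_ip}"


def inbound(cfg: dict, src_if: str, dst_if: str) -> tuple:
    """Lower security -> higher security: denied unless a static (dst_if,src_if) exists."""
    lv = cfg["levels"]
    if lv[src_if] >= lv[dst_if]:
        return False, "not a lower-to-higher flow"
    if (dst_if, src_if) in cfg["static"]:
        return True, "static mapping exists; the access-list must also permit it"
    return False, "denied by default: no static for this interface pair"
```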
89
Example 1: Two Interfaces Without NAT
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 10baset
ip address outside 209.165.201.3 255.255.255.224
ip address inside 192.168.3.254 255.255.255.0
hostname pixfirewall
arp timeout 14400
no failover
logging buffered debugging
nat (inside) 0 192.168.3.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
access-list ping_acl permit icmp any any
access-group ping_acl in interface inside
access-group ping_acl in interface outside
mtu outside 1500
mtu inside 1500
90
Example 2: Two Interfaces with NAT
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 10baset
interface ethernet1 10baset
ip address outside 209.165.201.3 255.255.255.224
ip address inside 192.168.3.1 255.255.255.0
hostname pixfirewall
arp timeout 14400
no failover
logging buffered debugging
nat (inside) 1 0 0
global (outside) 1 209.165.201.10-209.165.201.30
global (outside) 1 209.165.201.8
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
access-list ping_acl permit icmp any any
access-group ping_acl in interface inside
access-group ping_acl in interface outside
mtu outside 1500
mtu inside 1500
Here nat (inside) 1 0 0 means every inside address is translated with ID 1: the pool 209.165.201.10-209.165.201.30 is used first and the single address 209.165.201.8 serves as the PAT overflow.
92
  • Example 3: Three interfaces without NAT or PAT
  • The network has the following IP addresses and network masks:
  • Outside network interface address 209.165.201.2, network mask 255.255.255.248
  • Inside network interface address 209.165.201.9, network mask 255.255.255.248
  • DMZ network interface address 209.165.201.17, network mask 255.255.255.248
  • Step 1: Identify the security level and name of each interface by entering the following commands:
  • nameif ethernet0 outside security0
  • nameif ethernet1 inside security100
  • nameif ethernet2 dmz security50

93
An additional nameif command is required for the third interface in this example.
Step 2: Identify the line speed of each interface by entering the following commands (the third statement applies to ethernet2, the dmz interface named in Step 1):
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 100basetx
Step 3: Identify the IP addresses for each interface:
ip address outside 209.165.201.2 255.255.255.248
ip address inside 209.165.201.9 255.255.255.248
ip address dmz 209.165.201.17 255.255.255.248
94
Step 4: Map the DMZ host 209.165.201.19 to the address 209.165.201.5 on the outside interface with a one-to-one static translation:
static (dmz,outside) 209.165.201.5 209.165.201.19
Step 5: Use the access-list command to let any outside user access the DMZ host on any port:
access-list acl_out permit tcp any host 209.165.201.5
access-group acl_out in interface outside
Note: an authorized outside host can be specified in place of any, or a single permitted port can be specified (eq www at the end of the command) so that only that port is allowed.
95
The access-list command lets any outside user access the host on any port. The complete configuration (the interface masks are the /29 masks given in Step 3; the three interfaces would overlap if they all used 255.255.255.224):
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 100basetx
ip address outside 209.165.201.2 255.255.255.248
ip address inside 209.165.201.9 255.255.255.248
ip address dmz 209.165.201.17 255.255.255.248
hostname pixfirewall
arp timeout 14400
96
Configuration (continued):
no failover
logging buffered debugging
nat (inside) 0 209.165.201.8 255.255.255.248
static (dmz,outside) 209.165.201.5 209.165.201.19
access-list acl_out permit tcp any host 209.165.201.5
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
mtu outside 1500
mtu inside 1500
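A configuration like the one above is easy to get subtly wrong (a mask that makes two interface subnets overlap, a nat ID with no global to match it, an access-group bound to an access-list that was never defined), and none of these mistakes is obvious from reading the listing. The following Python script is an added example, not PIX or Cisco code, that parses only the command forms used on these slides and reports those three classes of error. GOOD is constructed from the three-interface example with its /29 masks; BAD is the same text with 255.255.255.224 on every interface, which places all three interfaces in one /27.

```python
"""Sanity checks for PIX-style configurations (added example; not PIX or Cisco code).

Understands only nameif, ip address, nat, global, access-list and
access-group in the forms used on the slides; every other line is ignored.
Reports: interface subnets that overlap, a nat ID (other than 0) with no
matching global on any lower-security interface, and an access-group that
binds an undefined access-list. GOOD and BAD are constructed samples.
"""
import ipaddress

GOOD = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 209.165.201.2 255.255.255.248
ip address inside 209.165.201.9 255.255.255.248
ip address dmz 209.165.201.17 255.255.255.248
nat (inside) 0 209.165.201.8 255.255.255.248
static (dmz,outside) 209.165.201.5 209.165.201.19
access-list acl_out permit tcp any host 209.165.201.5
access-group acl_out in interface outside
"""
# Same configuration with a /27 mask everywhere: the three subnets collide.
BAD = GOOD.replace("255.255.255.248", "255.255.255.224")


def parse(config: str) -> dict:
    cfg = {"security": {}, "subnet": {}, "nat": [], "global": [], "acl": set(), "bind": []}
    for raw in config.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "nameif":                      # nameif <hw> <name> security<N>
            cfg["security"][p[2]] = int(p[3][len("security"):])
        elif p[:2] == ["ip", "address"]:          # ip address <name> <addr> <mask>
            cfg["subnet"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] in ("nat", "global"):           # nat|global (<name>) <id> ...
            cfg[p[0]].append((p[1].strip("()"), int(p[2])))
        elif p[0] == "access-list":
            cfg["acl"].add(p[1])
        elif p[0] == "access-group":              # access-group <acl> in interface <name>
            cfg["bind"].append((p[1], p[4]))
    return cfg


def check(config: str) -> list:
    """Return a list of human-readable problems; empty means the checks passed."""
    cfg = parse(config)
    problems = []
    ifs = list(cfg["subnet"].items())
    for i, (a, ia) in enumerate(ifs):
        for b, ib in ifs[i + 1:]:
            if ia.network.overlaps(ib.network):
                problems.append(f"overlapping subnets: {a} {ia.network} and {b} {ib.network}")
    for iface, nid in cfg["nat"]:
        if nid == 0:                              # nat 0 is identity: no global needed
            continue
        lower = [g for g, gid in cfg["global"]
                 if gid == nid and cfg["security"].get(g, 0) < cfg["security"].get(iface, 0)]
        if not lower:
            problems.append(f"nat ({iface}) {nid}: no global with ID {nid} on a lower-security interface")
    for acl, iface in cfg["bind"]:
        if acl not in cfg["acl"]:
            problems.append(f"access-group {acl} on {iface} binds an undefined access-list")
    return problems


if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check(cfg) or ["ok"])
```

The overlap check is the one that catches the /27 mistake: with 255.255.255.224 the outside, inside and dmz addresses .2, .9 and .17 all fall in 209.165.201.0/27, so the firewall could not tell which interface a destination belongs to.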
97
  • Example 4: Three interfaces with PAT and NAT
  • The network has the following IP addresses and network masks:
  • Outside network interface address 209.165.201.4, network mask 255.255.255.224
  • Allowable global and static addresses on the outside network: 209.165.201.5-209.165.201.30, network mask 255.255.255.224
  • Inside network interface address 10.0.0.3, network mask 255.0.0.0
  • DMZ network interface address 192.168.0.1, network mask 255.255.255.0

98
  • Example 4: Three interfaces with PAT and NAT (continued)
  • The PIX Firewall has three interfaces and these attributes:
  • Address translation is performed between the interfaces.
  • A web server on the DMZ interface is publicly accessible. The name command maps its host address to the name "webserver".
  • The inside network has RFC 1918 addresses (10.0.0.0), the DMZ interface has RFC 1918 addresses (192.168.0.0), and the outside network has legal, registered addresses (209.165.201.0).
  • TCP and UDP connections from the inside are allowed to go out on the DMZ and outside.

100
Step 1: Create a pool of global addresses for the outside and DMZ interfaces. Because there are limited outside IP addresses, add a PAT global to handle overflow. The global (dmz) command gives inside users access to the web server on the DMZ interface.
global (outside) 1 209.165.201.10-209.165.201.30
global (outside) 1 209.165.201.5
global (dmz) 1 192.168.0.10-192.168.0.20
101
Step 2: Let inside users start connections on the DMZ and outside interfaces, and let DMZ users start connections on the outside interface:
nat (inside) 1 10.0.0.0 255.0.0.0
nat (dmz) 1 192.168.0.0 255.255.255.0
Step 3: Give the IP address of the web server a label:
name 192.168.0.2 webserver
102
Step 4: Let any user on the outside interface access the web server on the DMZ interface:
static (dmz,outside) 209.165.201.6 webserver
access-list acl_out permit tcp any host 209.165.201.6 eq 80
access-group acl_out in interface outside
The access-list command statement is bound to the outside interface by the access-group command statement. Unlike the access-list in Example 3, which permits any TCP port, this one allows only TCP port 80 to the web server's public address, which is the tighter form to use.
103
Example 4: Three Interfaces with NAT and PAT (full configuration)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
interface ethernet0 10full
interface ethernet1 10full
interface ethernet2 10full
ip address outside 209.165.201.4 255.255.255.224
ip address inside 10.0.0.3 255.0.0.0
ip address dmz 192.168.0.1 255.255.255.0
hostname pixfirewall
104
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
global (outside) 1 209.165.201.10-209.165.201.30
global (outside) 1 209.165.201.5
global (dmz) 1 192.168.0.10-192.168.0.20
nat (inside) 1 10.0.0.0 255.0.0.0
nat (dmz) 1 192.168.0.0 255.255.255.0
name 192.168.0.2 webserver
static (dmz,outside) 209.165.201.6 webserver
access-list acl_out permit tcp any host 209.165.201.6 eq 80
access-group acl_out in interface outside
106
XOT
XOT is X.25 Over TCP, Request For Comments (RFC) 1613. It allows X.25 packets to be sent over a Transmission Control Protocol/Internet Protocol (TCP/IP) network instead of a Link Access Procedure, Balanced (LAPB) link.
107
Benefits (economic): continuity of existing X.25 applications; lower telecom costs; sharing of links with TCP applications.
108
XOT example: X.25 traffic is tunneled through an IP cloud, for example to connect two X.25 clouds that have no physical connection to each other with a virtual TCP tunnel across the IP cloud.
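What "X.25 packets over TCP" looks like on the wire is a simple framing: RFC 1613 carries each X.25 packet on TCP port 1998 behind a 4-byte header holding a 16-bit version field (0) and the 16-bit length of the packet. The Python below is an added example, not code from the slides or from any router vendor. The two X.25 packets are constructed for the example (a minimal Call Request with empty address and facility fields, and a Data packet), and the point it makes beyond the slide is that TCP does not preserve frame boundaries, so a receiver has to reassemble XOT frames across segments.

```python
"""XOT (X.25 over TCP, RFC 1613) framing; added example, not vendor code.

From RFC 1613: TCP port 1998, and a 4-byte header per X.25 packet made of a
16-bit version (0) and the 16-bit length of the packet that follows.
The sample packets and the segment split below are constructed.
"""
import struct

XOT_PORT = 1998
XOT_VERSION = 0
HEADER = struct.Struct("!HH")           # version, length (network byte order)

# Constructed X.25 packets (modulo-8 GFI 0001, LCGN 0, LCN 1).
CALL_REQUEST = bytes([0x10, 0x01, 0x0B, 0x00, 0x00])   # PTI 0x0B = Call Request
DATA_PACKET = bytes([0x10, 0x01, 0x00]) + b"hello"     # PTI 0x00 = Data, P(S)=P(R)=0


def frame(x25_packet: bytes) -> bytes:
    """Prefix one X.25 packet with the XOT header."""
    if not 0 < len(x25_packet) <= 0xFFFF:
        raise ValueError("X.25 packet length must fit the 16-bit length field")
    return HEADER.pack(XOT_VERSION, len(x25_packet)) + x25_packet


def unframe(buf: bytes):
    """Pull complete frames off a byte buffer.

    Returns (packets, leftover); leftover is a trailing partial frame that
    the caller completes by appending the next TCP segment.
    """
    packets, off = [], 0
    while len(buf) - off >= HEADER.size:
        version, length = HEADER.unpack_from(buf, off)
        if version != XOT_VERSION:
            raise ValueError(f"unsupported XOT version {version} at offset {off}")
        if length == 0:                     # defensive: an empty X.25 packet is meaningless
            raise ValueError(f"zero-length XOT frame at offset {off}")
        end = off + HEADER.size + length
        if end > len(buf):
            break                           # frame incomplete, wait for more data
        packets.append(buf[off + HEADER.size:end])
        off = end
    return packets, buf[off:]


def receive(segments) -> tuple:
    """Feed TCP segments in order, carrying the partial frame between them."""
    out, pending = [], b""
    for seg in segments:
        pkts, pending = unframe(pending + seg)
        out.extend(pkts)
    return out, pending


if __name__ == "__main__":
    stream = frame(CALL_REQUEST) + frame(DATA_PACKET)
    # Split the stream at an arbitrary point inside the first frame.
    pkts, rest = receive([stream[:6], stream[6:]])
    for p in pkts:
        print(p.hex())
    print("leftover:", rest.hex() or "(none)")
```

A real XOT receiver must also cope with a peer that sends a bad version or an absurd length; the version check above rejects the former, and bounding the length field is what keeps a malformed frame from making the receiver wait forever for bytes that never come.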