Analyzing IPsec traffic through an ASA that performs PAT

Date: June 2019

 

Scenario

 

In this lab we analyze the behaviour of IPsec traffic between two routers passing through an ASA that performs PAT to a public IP address.

The problem presented is that the tunnel was established in phase I (ISAKMP) but no traffic flowed in phase II (ESP). That raises the question: in phase I the traffic is UDP 500 or 4500, so it can be NATed, but what happens with ESP? It is purely layer 3, and PAT (which works on layer 4 ports) does not apply to it. To find out, we need to take captures and analyze the ASA's XLATE tables.

 

In short, this scenario analyzes IPsec and NAT-T.

 

 

 

 

Cliente#sh crypto isakmp sa (checking phase I)

IPv4 Crypto ISAKMP SA

dst                   src                      state              conn-id   status

200.0.0.1       192.168.0.9     QM_IDLE      2000         ACTIVE

 

IPv6 Crypto ISAKMP SA

 

Cliente#sh crypto ipsec sa (checking phase II)

 

interface: Vlan1

    Crypto map tag: VPN, local addr 192.168.0.9

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)

   current_peer 200.0.0.1 port 4500 (this indicates that NAT-T was negotiated)

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 (it should at least send them and get no reply)

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 (the peer, receiving nothing, sent no replies)

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

 

     local crypto endpt.: 192.168.0.9, remote crypto endpt.: 200.0.0.1

     path mtu 1500, ip mtu 1500, ip mtu idb Vlan1

     current outbound spi: 0x70029E4E(1879219790)

     PFS (Y/N): Y, DH group: group5

 

     inbound esp sas:

      spi: 0xBCE87022(3169349666)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: VPN

        sa timing: remaining key lifetime (k/sec): (4293066/894)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

 

Cliente#

 

1.- Captures with IPsec behind PAT:

 

A switch doing port mirroring was installed in order to capture the ISAKMP and ESP traffic.

 

 

We verify that the PAT is applied during the ISAKMP negotiation on UDP 500; once the exchange moves to UDP 4500 the ASA stops PATing.

 

 

Web search:

 

Source: https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/inspect_basic.html#51666

 

2.- Simulating the ESP traffic (phase II) and the PAT on the ASA:

 

The limitation of this simulation is that there is no prior ISAKMP negotiation, nor does the packet carry any configured SPI parameters, but it is still interesting that it gets dropped at the NAT/PAT stage.

 

ciscoasa# packet-tracer input inside rawip 192.168.0.9 50 200.0.0.1 detailed    (protocol 50 is ESP)

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   200.0.0.0       255.255.255.252 outside

 

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group INSIDE in interface inside

access-list INSIDE extended permit ip any any

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0xa7fbf180, priority=13, domain=permit, deny=false

        hits=0, user_data=0xa98e0040, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

 

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0xac045e78, priority=0, domain=inspect-ip-options, deny=true

        hits=6, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

 

Phase: 4

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside,outside) source dynamic obj-192.168.0.0 interface

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0xac04c1f0, priority=6, domain=nat, deny=false

        hits=7, user_data=0xab818f18, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=192.168.0.0, mask=255.255.255.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=outside

 

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

 

ciscoasa#

 

3.- The PAT is changed to a 1-to-1 NAT:

 

3.1.- Initial check on the client router:

 

Cliente#sh crypto isakmp sa (no active tunnels)

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

 

IPv6 Crypto ISAKMP SA

Cliente#

 

3.2.- We clear the sessions/connections:

 

ciscoasa# clear xlate

INFO: 1 xlate deleted

ciscoasa#

ciscoasa# clear conn

1 connection(s) deleted.

ciscoasa#

 

3.3.- The configuration is replaced:

 

ciscoasa# conf t

ciscoasa(config)# no nat (inside,outside) source dynamic obj-192.168.0.0 interface

ciscoasa(config)# nat (inside,outside) source static obj-192.168.0.9 interface

ciscoasa(config)# end

 

3.4.- Interesting traffic is generated:

 

C:\>ping 10.0.0.1

 

Haciendo ping a 10.0.0.1 con 32 bytes de datos:

Respuesta desde 10.0.0.1: bytes=32 tiempo=1ms TTL=254 (it works!)

Respuesta desde 10.0.0.1: bytes=32 tiempo=1ms TTL=254

 

3.5.- Phase I tunnel check:

 

Cliente#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst                   src                      state              conn-id   status

200.0.0.1       192.168.0.9     QM_IDLE      2001         ACTIVE

 

IPv6 Crypto ISAKMP SA

 

3.6.- Phase II tunnel check:

 

Cliente#sh crypto ipsec sa

 

interface: Vlan1

    Crypto map tag: VPN, local addr 192.168.0.9

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)

   current_peer 200.0.0.1 port 4500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2 (packets are being sent)

    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2 (packets are being received)

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

 

     local crypto endpt.: 192.168.0.9, remote crypto endpt.: 200.0.0.1

     path mtu 1500, ip mtu 1500, ip mtu idb Vlan1

     current outbound spi: 0x70029E4E(1879219790)

     PFS (Y/N): Y, DH group: group5

 

     inbound esp sas:

      spi: 0xBCE87022(3169349666)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: VPN

        sa timing: remaining key lifetime (k/sec): (4293066/894)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

 

     outbound esp sas:

      spi: 0x70029E4E(1879219790)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: VPN

        sa timing: remaining key lifetime (k/sec): (4293066/894)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

    

Cliente#

 

3.7.- Capture with 1-to-1 NAT:

4.- Verification replacing the ASA with a router doing PAT:

 

Since the router is not stateful, it performs the PAT without any problem: the tunnel came up (phase I) and carried traffic (phase II).

 

 

Router#sh ip nat trans

Pro Inside global         Inside local              Outside local        Outside global

udp 200.0.0.2:4500     192.168.0.9:4500   200.0.0.1:4500     200.0.0.1:4500

Router#

 

5.- Tests on the ASA with IPsec inspection and PAT:

5.1.- PAT and the IPsec inspection policy are configured again:

 

conf t

no nat (inside,outside) source static obj-192.168.0.9 interface

nat (inside,outside) source dynamic obj-192.168.0.0 interface

!

access-list IPSec extended permit udp any any eq isakmp

access-list IPSec extended permit udp any any eq 4500

!

class-map IPSec

 match access-list IPSec

 exit

!

policy-map type inspect ipsec-pass-thru IPSec

 parameters

  esp per-client-max 10 timeout 0:05:00

 exit

!

policy-map global_policy

 class IPSec

  inspect ipsec-pass-thru

 end

 

5.2.- We verify that there are no tunnels or established UDP sessions:

 

ciscoasa# clear xlate

INFO: 1 xlate deleted

ciscoasa# clear conn

1 connection(s) deleted.

ciscoasa#

 

ciscoasa# sh conn

1 in use, 2 most used

UDP outside 200.0.0.1:4500 inside 192.168.0.9:4500, idle 0:00:22, bytes 600, flags -

ciscoasa#

 

5.3.- We trigger VPN traffic and verify:

 

ciscoasa# sh conn

1 in use, 3 most used

UDP outside 200.0.0.1:4500 inside 192.168.0.9:4500, idle 0:00:00, bytes 53120, flags -

ciscoasa#

 

ciscoasa# sh xlate

3 in use, 3 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

       e - extended

NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0

    flags sIT idle 0:31:58 timeout 0:00:00

UDP PAT from inside:192.168.0.9/4500 to outside:200.0.0.2/4500 flags ri idle 0:02:03 timeout 0:00:30 (ISAKMP contact and ESP traffic)

UDP PAT from inside:192.168.0.9/500 to outside:200.0.0.2/500 flags ri idle 0:00:02 timeout 0:00:30 (first ISAKMP contact)

ciscoasa#

 

ciscoasa#sh service-policy global

 

Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: icmp, packet 0, drop 0, reset-drop 0

    Class-map: IPSec

      Inspect: ipsec-pass-thru _default_ipsec_passthru_map, packet 34, drop 0, reset-drop 0

ciscoasa#

 

5.4.- Capture of the tunnel initialization and ESP traffic:

 

 

Note the time difference between packets 9 (phase I) and 10 (phase II).

 

6.- Annex: data on NAT-T:

 

How does NAT-T work with ISAKMP/IPsec?

 

NAT Traversal performs two tasks:

 

1.- Detects if both ends support NAT-T

2.- Detects NAT devices along the transmission path (NAT-Discovery)

 

Step one occurs in ISAKMP Main Mode messages one and two. 

 

If both devices support NAT-T, then NAT-Discovery is performed in ISAKMP Main Mode messages (packets) three and four. The NAT-D payload sent is a hash of the original IP address and port. Devices exchange two NAT-D packets, one with source IP and port, and another with destination IP and port. The receiving device recalculates the hash and compares it with the hash it received; if they don't match a NAT device exists.
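The NAT-D check described above, as an added example that is not part of the original lab or of the Cisco source: it computes the NAT-D hash the way RFC 3947 defines it (hash of the two ISAKMP cookies, the IP address and the port), then plays the receiver's side for this lab's topology, where the client computes its hash with 192.168.0.9 but TerminadorVPN sees the packet arrive from the ASA's 200.0.0.2. The cookies are constructed sample values and SHA-1 is assumed as the negotiated hash algorithm.

```python
"""NAT-Discovery (NAT-D) hash check from IKEv1 NAT-T (RFC 3947, section 3.2).

Added example for this lab, not code from the original page or from Cisco.
The ISAKMP cookies are constructed sample values; the addresses are the
lab's (client 192.168.0.9 behind the ASA's 200.0.0.2, peer 200.0.0.1).
"""
import hashlib
import socket
import struct

HASH_ALGO = "sha1"  # assumption: the ISAKMP SA negotiated SHA-1 as its hash


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947: HASH = hash(CKY-I | CKY-R | IP | Port).

    IP is the 4-byte IPv4 address and Port the 2-byte UDP port, both in
    network byte order, so the digest changes if a NAT rewrites either.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP initiator/responder cookies are 8 bytes each")
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(HASH_ALGO, data).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port):
    """What a sender puts in Main Mode messages 3/4: first the hash of the
    remote (destination) address/port, then the hash of its own local
    (source) address/port, both as it sees them before any NAT."""
    return {
        "remote": nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
        "local": nat_d_hash(cky_i, cky_r, local_ip, local_port),
    }


def detect_nat(received, cky_i, cky_r, seen_src_ip, seen_src_port, my_ip, my_port):
    """Receiver side: recompute both hashes from the addresses actually on
    the wire and compare them with the payloads received.

    Returns (nat_in_front_of_peer, nat_in_front_of_me). Any mismatch means a
    NAT rewrote that side, and the peers float to UDP/4500 (NAT-T).
    """
    peer_ok = received["local"] == nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    me_ok = received["remote"] == nat_d_hash(cky_i, cky_r, my_ip, my_port)
    return (not peer_ok, not me_ok)


def lab_scenario():
    """The lab topology: the client hashes 192.168.0.9:500, but TerminadorVPN
    sees the ISAKMP packet arrive from the ASA's 200.0.0.2:500."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed sample cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    payloads = build_nat_d_payloads(cky_i, cky_r, "192.168.0.9", 500, "200.0.0.1", 500)
    return detect_nat(payloads, cky_i, cky_r, "200.0.0.2", 500, "200.0.0.1", 500)


if __name__ == "__main__":
    # Expected: NAT in front of the client, none in front of the terminator.
    print("NAT in front of (client, terminator):", lab_scenario())
```

Because the hash covers the port as well as the address, a PAT that keeps the address but rewrites the port is detected too; that is why the terminator in this lab moves the exchange to UDP/4500 even though the ASA happened to keep port 500.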

 

If a NAT device has been determined to exist, NAT-T will change the ISAKMP transport with ISAKMP Main Mode messages five and six, at which point all ISAKMP packets change from UDP port 500 to UDP port 4500. NAT-T encapsulates the Quick Mode (IPsec Phase 2) exchange inside UDP 4500 as well. After Quick Mode completes, data that gets encrypted on the IPsec Security Association is encapsulated inside UDP port 4500 as well, thus providing a port to be used in the PAT device for translation.

 

To visualize how this works and how the IP packet is encapsulated:

 

1.- Clear text packet will be encrypted/encapsulated inside an ESP packet

2.- ESP packet will be encapsulated inside a UDP/4500 packet.

 

 

NAT-T encapsulates ESP packets inside UDP and assigns both the Source and Destination ports as 4500. After this encapsulation there is enough information for the PAT database binding to build successfully. Now ESP packets can be translated through a PAT device.

 

When a packet with source and destination port of 4500 is sent through a PAT device (from inside to outside), the PAT device will change the source port from 4500 to a random high port, while keeping the destination port of 4500. When a different NAT-T session passes through the PAT device, it will change the source port from 4500 to a different random high port, and so on. This way each local host has a unique database entry in the PAT device mapping ip address/port 4500 to the public ip address/port.
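The two behaviours this lab turns on, the NAT-phase DROP of raw protocol 50 in section 2 and the PAT binding that UDP/4500 encapsulation makes possible (described just above), as one added example that is not code from the original page or from Cisco. It builds minimal constructed packets (raw ESP, UDP-encapsulated ESP and IKE on UDP/4500 with its zero non-ESP marker, per RFC 3948) and pushes them through a toy dynamic PAT table keyed on (protocol, inside IP, inside port), which is all a `nat ... source dynamic ... interface` rule has to work with. Addresses are the lab's, the SPI is the one from the lab's `show crypto ipsec sa`, and the sequence number, payload bytes and second inside host's SPI are constructed.

```python
"""Why raw ESP (IP protocol 50) cannot be PATed while UDP-encapsulated ESP
(NAT-T, RFC 3948) can.

Added example for this lab, not code from the original page or from Cisco.
Addresses: 192.168.0.9 inside, 200.0.0.2 ASA outside interface, 200.0.0.1
peer. The PatTable below is a deliberately simple model, not the ASA's NAT engine.
"""
import struct
from dataclasses import dataclass

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: prefix of IKE on UDP/4500


@dataclass
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    payload: bytes  # everything after the IP header


def udp_header(sport, dport, body_len):
    # RFC 3948 has the sender transmit a zero UDP checksum, so rewriting the
    # source port in the PAT device needs no checksum fix-up in this model.
    return struct.pack("!HHHH", sport, dport, 8 + body_len, 0)


def build_raw_esp(src_ip, dst_ip, spi, seq, data):
    """Plain ESP: SPI (4 bytes) + sequence number (4 bytes) + data. No ports at all."""
    return Packet(PROTO_ESP, src_ip, dst_ip, struct.pack("!II", spi, seq) + data)


def build_udp_encap_esp(src_ip, dst_ip, spi, seq, data, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """NAT-T: the same ESP header placed directly after a UDP/4500 header."""
    esp = struct.pack("!II", spi, seq) + data
    return Packet(PROTO_UDP, src_ip, dst_ip, udp_header(sport, dport, len(esp)) + esp)


def build_udp_ike(src_ip, dst_ip, ike_msg, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """IKE after the float to UDP/4500 carries the 4-byte zero non-ESP marker,
    which cannot collide with a real SPI because SPI 0 is reserved."""
    body = NON_ESP_MARKER + ike_msg
    return Packet(PROTO_UDP, src_ip, dst_ip, udp_header(sport, dport, len(body)) + body)


def classify_udp4500(pkt):
    """What a NAT-T endpoint does with a UDP/4500 datagram: zero marker -> IKE,
    anything else -> ESP, returning its SPI."""
    body = pkt.payload[8:]
    if body[:4] == NON_ESP_MARKER:
        return ("ike", None)
    return ("esp", struct.unpack("!I", body[:4])[0])


class PatTable:
    """Toy dynamic PAT towards a single outside interface address."""

    def __init__(self, outside_ip, first_high_port=1024):
        self.outside_ip = outside_ip
        self.next_port = first_high_port
        self.xlate = {}  # (proto, inside ip, inside port) -> outside port

    def translate(self, pkt):
        """Return the translated packet, or None when no binding can be built."""
        if pkt.proto not in (PROTO_TCP, PROTO_UDP):
            # ESP has no layer-4 port, so there is nothing to key the xlate
            # on: the same outcome as the NAT phase DROP in section 2.
            return None
        sport, dport, length, csum = struct.unpack("!HHHH", pkt.payload[:8])
        key = (pkt.proto, pkt.src_ip, sport)
        if key not in self.xlate:
            in_use = {p for (proto, _, _), p in self.xlate.items() if proto == pkt.proto}
            if sport not in in_use:
                out_port = sport  # the lab ASA kept 4500 -> 4500 ("flags ri")
            else:
                out_port = self.next_port  # a second host needs a distinct port
                self.next_port += 1
            self.xlate[key] = out_port
        new_hdr = struct.pack("!HHHH", self.xlate[key], dport, length, csum)
        return Packet(pkt.proto, self.outside_ip, pkt.dst_ip, new_hdr + pkt.payload[8:])


def run_lab():
    """Raw ESP is dropped; NAT-T ESP and IKE from one host share one binding;
    a second inside host on port 4500 gets a different outside port."""
    pat = PatTable("200.0.0.2")
    spi = 0x70029E4E  # outbound SPI from the lab's 'show crypto ipsec sa'
    raw = pat.translate(build_raw_esp("192.168.0.9", "200.0.0.1", spi, 1, b"cipher"))
    enc = pat.translate(build_udp_encap_esp("192.168.0.9", "200.0.0.1", spi, 1, b"cipher"))
    ike = pat.translate(build_udp_ike("192.168.0.9", "200.0.0.1", b"\x01" * 28))
    second = pat.translate(build_udp_encap_esp("192.168.0.10", "200.0.0.1", 0x1234, 1, b"x"))
    return raw, enc, ike, second, pat


if __name__ == "__main__":
    raw, enc, ike, second, pat = run_lab()
    print("raw ESP through PAT:", raw)
    print("NAT-T ESP through PAT:", enc.src_ip, classify_udp4500(enc))
    print("IKE/4500 through PAT:", classify_udp4500(ike))
    print("xlate table:", pat.xlate)
```

The model mirrors the lab's `show xlate` output: the first inside host keeps 4500 on the outside (the `r` portmap flag), and only a second host contending for the same port is moved to another one, which is the "random high port" case the Cisco text describes. It also shows why the IKE and ESP flows from one host end up in the same UDP xlate entry, matching the single `UDP PAT from inside:192.168.0.9/4500` line in section 5.3.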

 

 

Source: https://community.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442

 

 

7.- Device configurations:

 

7.1.- ASA:

 

ciscoasa# sh runn

: Saved

:

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

 nameif outside

 security-level 0

 ip address 200.0.0.2 255.255.255.252

!

interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 shutdown

 no nameif

 no security-level

 no ip address

!

boot system disk0:/asa847-30-k8.bin

ftp mode passive

object network obj-192.168.0.10

 host 192.168.0.10

object network obj-192.168.0.0

 subnet 192.168.0.0 255.255.255.0

object network obj-200.0.0.1

 host 200.0.0.1

object network obj-192.168.0.9

 host 192.168.0.9

access-list IPSec extended permit udp any any eq isakmp

access-list IPSec extended permit udp any any eq 4500

access-list INSIDE permit ip any any

pager lines 24

logging enable

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source dynamic obj-192.168.0.0 interface

access-group INSIDE in interface inside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map IPSec

 match access-list IPSec

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect ipsec-pass-thru IPSec

 parameters

  esp per-client-max 10 timeout 0:05:00

policy-map global_policy

 class inspection_default

  inspect icmp

 class IPSec

  inspect ipsec-pass-thru

!

Cryptochecksum:b0b4abdc4e58e79b3eae5db74549989b

: end

ciscoasa#

 

7.2.- Client router configuration:

 

Cliente#sh runn (only the relevant parts)

Building configuration...

 

Current configuration : 1644 bytes

!

! Last configuration change at 16:41:10 UTC Fri Jun 21 2019

version 15.2

!

hostname Cliente

!

ip dhcp pool DHCP

 network 10.0.1.0 255.255.255.0

 default-router 10.0.1.1

!

crypto isakmp policy 10

 encr aes 256

 authentication pre-share

 group 5

 lifetime 3600

crypto isakmp key Presh4red address 200.0.0.1     

!

crypto ipsec transform-set ENCRIPTA esp-aes 256 esp-sha-hmac

 mode tunnel

!

crypto map VPN 10 ipsec-isakmp

 set peer 200.0.0.1

 set security-association lifetime seconds 900

 set transform-set ENCRIPTA

 set pfs group5

 match address 101

!

interface FastEthernet0

!

interface FastEthernet1

 switchport access vlan 2

!

interface FastEthernet2

 switchport access vlan 2

!

interface FastEthernet3

 switchport access vlan 2

!

interface FastEthernet4

shutdown

!

interface Vlan1

 ip address 192.168.0.9 255.255.255.0

 crypto map VPN

!

interface Vlan2

 ip address 10.0.1.1 255.255.255.0

!

ip route 0.0.0.0 0.0.0.0 192.168.0.1

!

access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255

!

end

 

Cliente#

 

7.3.- VPN terminator router configuration:

 

TerminadorVPN# sh runn (only the relevant parts)

Building configuration...

 

Current configuration : 1845 bytes

!

! Last configuration change at 15:31:44 UTC Fri Jun 21 2019

version 15.3

!

hostname TerminadorVPN

!

crypto isakmp policy 10

 encr aes 256

 authentication pre-share

 group 5

 lifetime 3600

crypto isakmp key Presh4red address 200.0.0.2     

crypto isakmp nat keepalive 10

!

crypto ipsec transform-set ENCRIPTA esp-aes 256 esp-sha-hmac

   mode tunnel

!

crypto map VPN 10 ipsec-isakmp

 set peer 200.0.0.2

 set security-association lifetime seconds 900

 set transform-set ENCRIPTA

 set pfs group5

 match address 101

!

interface FastEthernet0

!

interface FastEthernet1

 switchport access vlan 2

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

shutdown

!

interface Vlan1

 ip address 200.0.0.1 255.255.255.0

 crypto map VPN

!

interface Vlan2

 ip address 10.0.0.1 255.255.255.0

!

ip route 0.0.0.0 0.0.0.0 200.0.0.2

!

access-list 101 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255

!

end

 

TerminadorVPN#

 

7.4.- Traffic capture switch configuration:

 

!

monitor session 1 source interface Fa0

monitor session 1 destination interface Fa3

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

 

(2019) Lonely nights with IPSec

Rosario, Argentina