In Network Address Translation with PAT (port address translation), a client's source address and port number are mapped to a single NAT'd source address. This is commonly called SNAT (source NAT'ing). Doing this for a handful of client machines is not critical, since each src_port is used temporarily, expires, and is forever changing.
This process of temporarily using a src_port is called "ephemeral". So take this machine that I'm typing this blog on;
sahel01:~ kfelix$ netstat -anb | grep 173.194.37
tcp4 0 0 172.72.16.252.50361 173.194.37.76.443 ESTABLISHED 13055289458842816507 16388355481610749693
tcp4 0 0 172.72.16.252.50358 173.194.37.36.443 ESTABLISHED 15459865186999302185 9569308347896001739
tcp4 0 0 172.72.16.252.50357 173.194.37.58.80 ESTABLISHED 15473202674970397607 15450657414193203890
tcp4 0 0 172.72.16.252.50353 173.194.37.36.80 ESTABLISHED 15449916008292693779 12065556332899070703
tcp4 0 0 172.72.16.252.50351 173.194.37.36.80 ESTABLISHED 15492483522701840990 3940907087701085868
tcp4 0 0 172.72.16.252.50350 173.194.37.36.80 ESTABLISHED 15477778475099826089 15062947145072305196
tcp4 0 0 172.72.16.252.50348 173.194.37.36.80 ESTABLISHED 15438052770712463118 3139346528096674657
tcp4 0 0 172.72.16.252.50347 173.194.37.36.80 ESTABLISHED 15488600259388646219 15127239438245289869
tcp4 0 0 172.72.16.252.50346 173.194.37.36.80 ESTABLISHED 15483982617081443018 10306197250605854565
tcp4 0 0 172.72.16.252.50343 173.194.37.36.80 ESTABLISHED 15455030726895744807 1904923687428027451
tcp4 0 0 172.72.16.252.50342 173.194.37.47.443 ESTABLISHED 15470383348861326017 14981341516604182217
tcp4 0 0 172.72.16.252.50341 173.194.37.58.80 ESTABLISHED 15481242668143010244 7539585777278819841
tcp4 0 0 172.72.16.252.50336 173.194.37.36.443 ESTABLISHED 15432894841306047757 2262450451104512765
tcp4 0 0 172.72.16.252.50333 173.194.37.74.80 ESTABLISHED 12970665585636111507 2756341486126288227
tcp4 0 0 172.72.16.252.50112 173.194.37.54.443 ESTABLISHED 1108777738390402656 2871967635688444387
The port numbers on the local address (50361, 50358, and so on) are my ephemeral ports, and they are short-lived. Every time I connect via my browser to a page or link, it creates a new session that lasts until that tcp session is torn down. Same if I ssh to an external host or conduct a dns query. The port numbers keep increasing in a round-robin fashion.
So if you have a few thousand machines doing this, all stacked behind one single /32 NAT host address, you can run out of available ports in the range. The available port-range is technically 0-65536, but commonly we only use the numbers 1024 and greater.
And port #0 is never to be used or seen, since it's reserved by IANA.
So how do we avoid this potential port exhaustion in big enterprise networks?
Simple: you need to create numerous NAT_pools and spread the SNAT around to allow for more possible connections.
So as in my earlier cisco router sample, the ASA is similar in approach and design.
1st
We create 4 network objects for the network ranges in my /16 network;
object network mynat_group1
description "my range 10.100.{0-63}.0/24"
subnet 10.100.0.0 255.255.192.0
object network mynat_group2
description "my range 10.100.{64-127}.0/24"
subnet 10.100.64.0 255.255.192.0
object network mynat_group3
description "my range 10.100.{128-191}.0/24"
subnet 10.100.128.0 255.255.192.0
object network mynat_group4
description "my range 10.100.{192-255}.0/24"
subnet 10.100.192.0 255.255.192.0
2nd
Next we build 4 static public global addresses for the PATs;
object network public1
description "my public ip_address ending in dot 201"
subnet 1.1.1.201 255.255.255.255
object network public2
description "my public ip_address ending in dot 202"
subnet 1.1.1.202 255.255.255.255
object network public3
description "my public ip_address ending in dot 203"
subnet 1.1.1.203 255.255.255.255
object network public4
description "my public ip_address ending in dot 204"
subnet 1.1.1.204 255.255.255.255
3rd
We now apply the nat mapping. In my example I'm using a single inside/outside interface pair, and the four rules cover the /16 range;
nat (inside,outside) source dynamic mynat_group1 public1
nat (inside,outside) source dynamic mynat_group2 public2
nat (inside,outside) source dynamic mynat_group3 public3
nat (inside,outside) source dynamic mynat_group4 public4
So as you can see, we have a means to control and eliminate ephemeral port exhaustion on cisco routers and firewalls.
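To put numbers on the exhaustion argument above, here is an added Python model (not the post's or Cisco's code) of the four-pool split: it maps an inside host to its PAT address per the objects above and compares each pool's port budget against the same constructed workload squeezed behind a single /32. It assumes a simplified one-source-port-per-flow budget of ports 1024 and up, and the host counts and sessions per host are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# The post's four /18 inside ranges and their PAT addresses, restated as
# Python data (illustration only, not ASA configuration).
PAT_RULES = [
    (ip_network("10.100.0.0/18"),   ip_address("1.1.1.201")),
    (ip_network("10.100.64.0/18"),  ip_address("1.1.1.202")),
    (ip_network("10.100.128.0/18"), ip_address("1.1.1.203")),
    (ip_network("10.100.192.0/18"), ip_address("1.1.1.204")),
]
# Simplified budget: one source port per flow, ports 1024-65535 usable, as in
# the post. Assumption: ignores per-destination port reuse a real PAT may do.
PORTS_PER_PUBLIC_IP = 65536 - 1024

def pat_address(inside_ip):
    """Return the public address an inside host translates to, or None."""
    addr = ip_address(inside_ip)
    for subnet, public in PAT_RULES:
        if addr in subnet:
            return public
    return None

def flows_per_pool(flows):
    """Count active translations per PAT address; flows = one inside source
    IP per active session (e.g. pulled from the firewall's connection table)."""
    counts = {public: 0 for _, public in PAT_RULES}
    for src in flows:
        public = pat_address(src)
        if public is not None:
            counts[public] += 1
    return counts

def exhaustion_report(flows):
    """Return {public_ip: (flows, fraction_of_budget, exhausted)} per pool."""
    return {str(p): (n, n / PORTS_PER_PUBLIC_IP, n >= PORTS_PER_PUBLIC_IP)
            for p, n in flows_per_pool(flows).items()}

def single_pool_exhausted(flows):
    """The post's warning case: every inside host behind ONE /32 PAT address."""
    return sum(flows_per_pool(flows).values()) >= PORTS_PER_PUBLIC_IP

def synthetic_flows(hosts_per_subnet, flows_per_host):
    """Constructed workload: N hosts in each /18, each holding M sessions."""
    flows = []
    for subnet, _ in PAT_RULES:
        base = int(subnet.network_address) + 1
        for i in range(hosts_per_subnet):
            flows.extend([str(ip_address(base + i))] * flows_per_host)
    return flows
```

With 500 hosts per /18 holding 40 sessions each (80,000 flows), one /32 is past its 64,512-port budget while each of the four pools sits near 31%.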
Ken Felix
Freelance Network/Security Engineer
kfelix @ hyperfeed d-o-t com