Sunday, March 3, 2013

Avoiding TCP/UDP Port Exhaustion Cisco ASA v8.3 +

This post covers ephemeral port exhaustion behind PAT and how to reduce the risk of it on ASA version 8.3 and later.

With network address translation using PAT (port address translation), each client's source address and port are mapped to a single NAT'd source address, with the firewall picking a new source port for every connection. This is commonly called SNAT (source NAT'ing). Doing this for a handful of client machines is not a concern, since each source port is only used temporarily, expires when the session ends, and is forever changing.

This temporary use of a source port is what "ephemeral" refers to. So take the machine I'm typing this post on;

sahel01:~ kfelix$ netstat -anb | grep 173.194.37
tcp4       0      0  172.72.16.252.50361      173.194.37.76.443      ESTABLISHED 13055289458842816507 16388355481610749693
tcp4       0      0  172.72.16.252.50358      173.194.37.36.443      ESTABLISHED 15459865186999302185 9569308347896001739
tcp4       0      0  172.72.16.252.50357      173.194.37.58.80       ESTABLISHED 15473202674970397607 15450657414193203890
tcp4       0      0  172.72.16.252.50353      173.194.37.36.80       ESTABLISHED 15449916008292693779 12065556332899070703
tcp4       0      0  172.72.16.252.50351      173.194.37.36.80       ESTABLISHED 15492483522701840990 3940907087701085868
tcp4       0      0  172.72.16.252.50350      173.194.37.36.80       ESTABLISHED 15477778475099826089 15062947145072305196
tcp4       0      0  172.72.16.252.50348      173.194.37.36.80       ESTABLISHED 15438052770712463118 3139346528096674657
tcp4       0      0  172.72.16.252.50347      173.194.37.36.80       ESTABLISHED 15488600259388646219 15127239438245289869
tcp4       0      0  172.72.16.252.50346      173.194.37.36.80       ESTABLISHED 15483982617081443018 10306197250605854565
tcp4       0      0  172.72.16.252.50343      173.194.37.36.80       ESTABLISHED 15455030726895744807 1904923687428027451
tcp4       0      0  172.72.16.252.50342      173.194.37.47.443      ESTABLISHED 15470383348861326017 14981341516604182217
tcp4       0      0  172.72.16.252.50341      173.194.37.58.80       ESTABLISHED 15481242668143010244 7539585777278819841
tcp4       0      0  172.72.16.252.50336      173.194.37.36.443      ESTABLISHED 15432894841306047757 2262450451104512765
tcp4       0      0  172.72.16.252.50333      173.194.37.74.80       ESTABLISHED 12970665585636111507 2756341486126288227
tcp4       0      0  172.72.16.252.50112      173.194.37.54.443      ESTABLISHED 1108777738390402656 2871967635688444387

The port numbers after my local address 172.72.16.252 (50361, 50358, 50357 and so on) are my ephemeral ports, and they are short-lived. Every time my browser connects to a page or link it creates a new session with a new source port, which is held until that TCP session is torn down. The same happens if I ssh to an external host or send a DNS query. The port numbers keep climbing and wrap around in a round-robin fashion.

So if you have a few thousand machines doing this, all stacked behind one single /32 NAT address, you can run out of available ports. The port range is technically 0-65535, but only 1024 and above are commonly used for ephemeral source ports, so a single mapped address gives you roughly 64,000 usable source ports (1024-65535 is 64,512 ports), shared by every client and every destination behind it.

Port 0 is never used or seen, since it is reserved by IANA.

So how do we avoid this potential port exhaustion in big enterprise networks?

Simple: create several NAT pools and spread the SNAT across them, so that more concurrent connections fit.


As in my earlier Cisco router example, the ASA is similar in approach and design.


1st

We create 4 network objects, one per /18, covering the ranges in my 10.100.0.0/16 network;

object network mynat_group1
   description "my range 10.100.{0-63}.0/24"
   subnet 10.100.0.0 255.255.192.0

object network mynat_group2
   description "my range 10.100.{64-127}.0/24"
   subnet 10.100.64.0 255.255.192.0

object network mynat_group3
   description "my range 10.100.{128-191}.0/24"
   subnet 10.100.128.0 255.255.192.0

object network mynat_group4
   description "my range 10.100.{192-255}.0/24"
   subnet 10.100.192.0 255.255.192.0

2nd

Next we build 4 network objects, one for each static public address that will be used as a PAT address (a /32 host, so the dynamic rule below does PAT rather than NAT);

object network public1
   description "my public ip_address ending in dot 201"
   host 1.1.1.201

object network public2
   description "my public ip_address ending in dot 202"
   host 1.1.1.202

object network public3
   description "my public ip_address ending in dot 203"
   host 1.1.1.203

object network public4
   description "my public ip_address ending in dot 204"
   host 1.1.1.204

3rd

We now apply the NAT mappings. In my example I'm using a single inside/outside interface pair, and the four rules together cover the whole /16 range;

nat (inside,outside) source dynamic mynat_group1 public1
nat (inside,outside) source dynamic mynat_group2 public2
nat (inside,outside) source dynamic mynat_group3 public3
nat (inside,outside) source dynamic mynat_group4 public4

Each rule is a manual (twice) NAT rule, so it is evaluated in order in section 1 of the NAT table; since the four inside subnets do not overlap, the order between them does not matter.

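To make the arithmetic behind the exhaustion discussion and the four-pool layout above concrete, here is an added example in Python. It is not code from this post or from Cisco; it models the PAT allocation the config performs. The assumptions, which are labelled in the code, are that the ASA picks a mapped port from the same range as the real source port (1-511, 512-1023 or 1024-65535, Cisco's documented default), that port 0 is never used, and that manual NAT rules match first-hit in order. The rule table mirrors the post's objects; the netstat lines and the client address lists are constructed samples.

```python
"""Added example (not ASA/Cisco code): a model of the per-subnet PAT design in this post.
Assumptions: the ASA picks a mapped port from the same range as the real source
port (1-511, 512-1023 or 1024-65535, Cisco's documented default), port 0 is never
used, and manual NAT rules are matched first-hit in order. The rule table mirrors
the post's objects; the netstat lines and client address lists are constructed."""
import ipaddress

# Constructed sample in the shape of the netstat output shown above.
NETSTAT_SAMPLE = """\
tcp4  0  0  172.72.16.252.50361  173.194.37.76.443  ESTABLISHED
tcp4  0  0  172.72.16.252.50358  173.194.37.36.443  ESTABLISHED
tcp4  0  0  172.72.16.252.50112  173.194.37.54.443  ESTABLISHED
"""
PORT_RANGES = ((1, 511), (512, 1023), (1024, 65535))
# The four manual NAT rules from the post, and the single-pool design they replace.
PAGE_RULES = [("10.100.0.0/18", "1.1.1.201"), ("10.100.64.0/18", "1.1.1.202"),
              ("10.100.128.0/18", "1.1.1.203"), ("10.100.192.0/18", "1.1.1.204")]
SINGLE_RULE = [("10.100.0.0/16", "1.1.1.201")]
# Constructed client populations: 1000 hosts spread over the whole /16, and
# 1000 hosts crammed into the first /18 (so every one of them hits one pool).
SPREAD_CLIENTS = [f"10.100.{i % 256}.{1 + i // 256}" for i in range(1000)]
HOT_CLIENTS = [f"10.100.{i % 4}.{1 + i // 4}" for i in range(1000)]


def ephemeral_ports(netstat_text):
    """Local (ephemeral) source port of every TCP line in netstat -an output."""
    ports = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0].startswith("tcp"):
            ports.append(int(fields[3].rsplit(".", 1)[1]))  # local is "a.b.c.d.port"
    return ports


class PortExhausted(Exception):
    """Raised when a mapped address has no free port left in the needed range."""


class PatPool:
    """One mapped public address and the mapped ports still free on it."""
    def __init__(self, mapped_ip):
        self.mapped_ip = mapped_ip
        self.free = {r: list(range(r[0], r[1] + 1)) for r in PORT_RANGES}

    def allocate(self, src_port):
        for r in PORT_RANGES:  # same-range rule (assumption, see docstring)
            if r[0] <= src_port <= r[1]:
                if not self.free[r]:
                    raise PortExhausted(f"{self.mapped_ip}: no free port in {r}")
                return self.free[r].pop()
        raise ValueError("port 0 is reserved and never translated")

    def release(self, mapped_port):
        for r in PORT_RANGES:
            if r[0] <= mapped_port <= r[1]:
                self.free[r].append(mapped_port)

    def remaining(self):
        return sum(len(v) for v in self.free.values())


class PatPolicy:
    """Ordered (real subnet -> pool) rules, like ASA section-1 manual NAT."""
    def __init__(self, rules):
        self.rules = [(ipaddress.ip_network(n), PatPool(ip)) for n, ip in rules]
        self.xlate = {}  # (src_ip, src_port) -> (pool, mapped_port)

    def translate(self, src_ip, src_port):
        addr = ipaddress.ip_address(src_ip)
        for net, pool in self.rules:  # first matching rule wins
            if addr in net:
                mapped = pool.allocate(src_port)
                self.xlate[(src_ip, src_port)] = (pool, mapped)
                return pool.mapped_ip, mapped
        raise LookupError(f"no NAT rule matches {src_ip}")

    def teardown(self, src_ip, src_port):
        pool, mapped = self.xlate.pop((src_ip, src_port))
        pool.release(mapped)  # session closed: the mapped port is reusable again

    def capacity(self):
        return {pool.mapped_ip: pool.remaining() for _, pool in self.rules}


def flows_until_exhaustion(rules, client_ips, flows_per_client=200):
    """Open flows round-robin over the clients (each client's source ports start at
    49152 and climb, like the netstat output) until a pool runs dry.
    Returns how many flows were translated before the first failure."""
    policy = PatPolicy(rules)
    next_port = {ip: 49152 for ip in client_ips}
    done = 0
    for i in range(flows_per_client * len(client_ips)):
        ip = client_ips[i % len(client_ips)]
        try:
            policy.translate(ip, next_port[ip])
        except PortExhausted:
            return done
        next_port[ip] += 1
        done += 1
    return done
```

Calling flows_until_exhaustion(SINGLE_RULE, SPREAD_CLIENTS) stops at 64,512 flows, the size of the 1024-65535 range on one mapped address; flows_until_exhaustion(PAGE_RULES, SPREAD_CLIENTS) translates all 200,000 because the load lands on four pools. The third population, HOT_CLIENTS, shows the catch: the same four rules still stop at 64,512 when every busy host sits in one /18, so the inside split has to follow where the connections actually come from.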

So, as you can see, we have a way to control and reduce ephemeral port exhaustion on Cisco routers and firewalls. Two things to keep in mind: each mapped address still tops out at a little over 64,000 concurrent translations (ports 1024-65535) for all the inside hosts mapped to it, so the split only helps if the busy clients are actually spread across the four /18s; and you can confirm the spread is working with show xlate count and the per-rule translate_hits in show nat. ASA 8.4(3) and later also add the pat-pool keyword, which lets a single rule draw PAT addresses from a range object instead of one host.


Ken Felix

Freelance Network/Security Engineer

kfelix  @  hyperfeed  d-o-t com
