Sunday, March 3, 2013

Avoiding TCP/UDP Port Exhaustion Cisco ASA v8.3 +

This post covers ephemeral port exhaustion and how to reduce it on ASA version 8.3 and later.

In network address translation with PAT (port address translation), each client's source address and port number are mapped to a single NAT'd source address. This is commonly called SNAT (source NAT). Doing this for a handful of client machines is not critical, since each source port is only used temporarily, expires, and is forever changing.

This practice of temporarily using a source port is called "ephemeral". Take the machine I'm typing this post on:

sahel01:~ kfelix$ netstat -anb | grep 173.194.37
tcp4       0      0      ESTABLISHED 13055289458842816507 16388355481610749693
tcp4       0      0      ESTABLISHED 15459865186999302185 9569308347896001739
tcp4       0      0       ESTABLISHED 15473202674970397607 15450657414193203890
tcp4       0      0       ESTABLISHED 15449916008292693779 12065556332899070703
tcp4       0      0       ESTABLISHED 15492483522701840990 3940907087701085868
tcp4       0      0       ESTABLISHED 15477778475099826089 15062947145072305196
tcp4       0      0       ESTABLISHED 15438052770712463118 3139346528096674657
tcp4       0      0       ESTABLISHED 15488600259388646219 15127239438245289869
tcp4       0      0       ESTABLISHED 15483982617081443018 10306197250605854565
tcp4       0      0       ESTABLISHED 15455030726895744807 1904923687428027451
tcp4       0      0      ESTABLISHED 15470383348861326017 14981341516604182217
tcp4       0      0       ESTABLISHED 15481242668143010244 7539585777278819841
tcp4       0      0      ESTABLISHED 15432894841306047757 2262450451104512765
tcp4       0      0       ESTABLISHED 12970665585636111507 2756341486126288227
tcp4       0      0      ESTABLISHED 1108777738390402656 2871967635688444387

The local port numbers in that output are my ephemeral ports, and they are short-lived. Every time I connect via my browser to a page or link, a new session is created and lives until that TCP session is torn down. The same happens if I SSH to an external host or make a DNS query. The port numbers keep increasing in a round-robin fashion.

So if you have a few thousand machines doing this, stacked behind one single /32 NAT host address, you can run out of available ports. The available port range is technically 0-65536, but commonly we only use port numbers 1024 and greater.

Port 0 is never used or seen, since it's reserved by IANA.

So how do we avoid this potential port exhaustion in a big enterprise network?

Simple: create numerous NAT pools and spread the SNAT across them to allow for more possible connections.
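To put numbers on the risk described above, here is an added example (my own code, not from the original post) that parses the local side of BSD/macOS or Linux netstat output, counts how many ephemeral ports each inside host is holding, and sizes the number of public PAT addresses needed for a given client count. It assumes the usable mapped range is 1024-65535 (64512 ports per public address) and uses constructed sample netstat lines; the function names are my own.

```python
import math
import re
from collections import defaultdict

# Assumption: mapped/ephemeral ports come from 1024-65535 (port 0 is reserved,
# 1-1023 are the well-known ports the post says are not normally used).
PAT_PORT_LOW = 1024
PAT_PORT_HIGH = 65535
PORTS_PER_ADDRESS = PAT_PORT_HIGH - PAT_PORT_LOW + 1  # 64512 slots per public address

# BSD/macOS netstat prints sockets as a.b.c.d.port, Linux prints a.b.c.d:port.
_SOCKET_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)[.:](\d+)$")

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.100.1.5.51234       173.194.37.10.443      ESTABLISHED
tcp4       0      0  10.100.1.5.51235       173.194.37.10.443      ESTABLISHED
tcp4       0      0  10.100.1.5.51236       173.194.37.11.80       TIME_WAIT
tcp4       0      0  10.100.2.9.49152       173.194.37.10.443      ESTABLISHED
tcp4       0      0  10.100.2.9.49152       173.194.37.12.443      ESTABLISHED
udp4       0      0  10.100.2.9.60000       *.*
tcp4       0      0  10.100.1.5.22          203.0.113.7.40001      ESTABLISHED
""".splitlines()


def parse_socket(token):
    """Split '10.100.1.5.51234' or '10.100.1.5:51234' into (ip, port); None if not a socket."""
    m = _SOCKET_RE.match(token)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def ports_in_use(netstat_lines):
    """Return {local_ip: set(local_ports)} for every TCP/UDP socket line.

    Only ports in the ephemeral range are counted, because those are the ones
    that consume a PAT slot on the firewall; listening ports below 1024 do not.
    TIME_WAIT sockets are counted, since they still hold the port.
    """
    usage = defaultdict(set)
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # header line or unrelated output
        local = parse_socket(fields[3])  # BSD layout: proto recv-q send-q local foreign [state]
        if local is None:
            continue  # e.g. '*.53' wildcard listener
        ip, port = local
        if port >= PAT_PORT_LOW:
            usage[ip].add(port)
    return dict(usage)


def pat_headroom(usage, mapped_addresses=1):
    """(ports used, pool capacity, fraction free) if these hosts share `mapped_addresses` public IPs."""
    used = sum(len(ports) for ports in usage.values())
    capacity = PORTS_PER_ADDRESS * mapped_addresses
    return used, capacity, 1 - used / capacity


def addresses_needed(clients, conns_per_client, headroom=0.25):
    """Minimum public PAT addresses so the expected load still leaves `headroom` of the pool free."""
    expected = clients * conns_per_client
    return math.ceil(expected / (PORTS_PER_ADDRESS * (1 - headroom)))


if __name__ == "__main__":
    usage = ports_in_use(SAMPLE_NETSTAT)
    for ip, ports in sorted(usage.items()):
        print(f"{ip}: {len(ports)} ephemeral ports in use")
    used, cap, free = pat_headroom(usage)
    print(f"{used}/{cap} PAT slots used on one public address ({free:.1%} free)")
    print("public addresses for 5000 clients x 30 conns:", addresses_needed(5000, 30))
```

Run it against real `netstat -an` output piped in, and the per-host counts show which hosts are the heavy consumers; the sizing function is what tells you how many objects like `public1`..`public4` you need before the pool runs dry.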

As in my earlier Cisco router example, the ASA is similar in approach and design.


We create 4 network objects for the address ranges in my /16 network (each /18 is derived from the range in its description):

object network mynat_group1
   description "my range 10.100.{0-63}.0/24"
   subnet 10.100.0.0 255.255.192.0

object network mynat_group2
   description "my range 10.100.{64-127}.0/24"
   subnet 10.100.64.0 255.255.192.0

object network mynat_group3
   description "my range 10.100.{128-191}.0/24"
   subnet 10.100.128.0 255.255.192.0

object network mynat_group4
   description "my range 10.100.{192-255}.0/24"
   subnet 10.100.192.0 255.255.192.0


Next we build 4 objects, one per static public global address, for the PATs (the public prefix is not shown here; substitute your own for x.x.x):

object network public1
   description "my public ip_address ending in dot 201"
   host x.x.x.201

object network public2
   description "my public ip_address ending in dot 202"
   host x.x.x.202

object network public3
   description "my public ip_address ending in dot 203"
   host x.x.x.203

object network public4
   description "my public ip_address ending in dot 204"
   host x.x.x.204



We now apply the NAT mapping. In my example I'm using a single inside/outside interface pair to cover the /16 range:

nat (inside,outside) source dynamic mynat_group1 public1
nat (inside,outside) source dynamic mynat_group2 public2
nat (inside,outside) source dynamic mynat_group3 public3
nat (inside,outside) source dynamic mynat_group4 public4
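The four objects and nat lines above are one instance of a general split: carve the inside prefix into 2^n equal subnets and pair each with its own public PAT address. Here is an added example (my own code, not the post's or Cisco's) that generalizes the procedure: it splits any inside prefix into a power-of-two number of pools, renders the 8.3+ object and twice-NAT lines in the same form the post uses, and reports the resulting PAT capacity. The public addresses are constructed from the 203.0.113.0/24 documentation range and the function names are mine.

```python
import ipaddress

# Assumption: 1024-65535 usable mapped ports per public address (see the post's note
# that ports below 1024 are not normally used and port 0 is reserved).
PAT_PORTS_PER_ADDRESS = 65535 - 1024 + 1  # 64512


def plan_pat_pools(inside_prefix, public_hosts):
    """Split inside_prefix into len(public_hosts) equal subnets, one per public PAT address.

    Returns a list of (real_subnet, mapped_host) pairs. The pool count must be a
    power of two so that the split falls on a clean prefix boundary (/16 -> 4 x /18).
    """
    net = ipaddress.ip_network(inside_prefix, strict=True)
    pool_count = len(public_hosts)
    extra_bits = (pool_count - 1).bit_length()
    if 2 ** extra_bits != pool_count:
        raise ValueError("number of public hosts must be a power of two")
    subnets = list(net.subnets(prefixlen_diff=extra_bits))
    return [(str(subnet), str(ipaddress.ip_address(host)))
            for subnet, host in zip(subnets, public_hosts)]


def render_asa_config(plan):
    """Emit object network / nat lines in the ASA 8.3+ syntax used in the post."""
    lines = []
    for i, (subnet, host) in enumerate(plan, start=1):
        n = ipaddress.ip_network(subnet)
        lines.append(f"object network mynat_group{i}")
        lines.append(f" description real range {subnet}")
        lines.append(f" subnet {n.network_address} {n.netmask}")
        lines.append(f"object network public{i}")
        lines.append(f" description mapped PAT address for pool {i}")
        lines.append(f" host {host}")
    for i in range(1, len(plan) + 1):
        lines.append(f"nat (inside,outside) source dynamic mynat_group{i} public{i}")
    return "\n".join(lines)


def pat_capacity(plan):
    """(total simultaneous translations across all pools, translations available per inside address)."""
    total_slots = PAT_PORTS_PER_ADDRESS * len(plan)
    inside_addresses = sum(ipaddress.ip_network(s).num_addresses for s, _ in plan)
    return total_slots, total_slots / inside_addresses


if __name__ == "__main__":
    # Constructed public addresses from the documentation range, standing in for the
    # post's unshown prefix ending in .201-.204.
    plan = plan_pat_pools("10.100.0.0/16", [f"203.0.113.{o}" for o in (201, 202, 203, 204)])
    print(render_asa_config(plan))
    total, per_host = pat_capacity(plan)
    print(f"\n{total} PAT slots in total, {per_host:.2f} per inside address")
```

Doubling the number of public hosts halves each real subnet and doubles the total PAT slots, which is exactly the lever the post pulls; the per-address figure is the one to compare against how many concurrent connections your busiest clients actually open.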


So as you can see, we have a means to control and eliminate ephemeral port exhaustion on Cisco routers and firewalls.

Ken Felix

Freelance Network/Security Engineer

kfelix  @  hyperfeed  d-o-t com
