Address Translation

Protocol and Application Issues (1): Applications with Multiple Connections
Protocol and Application Issues (2): Applications and Embedded Addressing Information
Protocol and Application Issues (3): Applications and Security Issues

TCP Connection Example

Parts 1 and 2
The appliance compares the packet information against the existing connections in the state (conn) table to determine whether the packet is new or part of an existing connection. Since it is a new connection, it won't be found. The appliance then looks for an ACL applied inbound on the interface. If one exists, the packet must match a permit statement in the list of statements to be allowed. If the packet is allowed, the appliance then compares the packet header information with the existing translation entries in the translation (xlate) table to see whether an existing translation can be used or a new one needs to be created. I'll assume, however, that this is the first time the source has sent a packet through the appliance, so no existing translation entries in the xlate table will match.

Next the appliance compares the information in the packet header with the configured translation policies (static and dynamic) for a match. If no match is found, the packet is dropped. If a match is found, a translation entry is built and added to the xlate table, the TCP sequence number is randomized, and the TCP connection is added to the conn table. The appliance then increments the embryonic connection counter. An embryonic connection is a half-open connection: it hasn't completed the three-way handshake. The appliance keeps track of this kind of information to limit the effectiveness of TCP SYN flood attacks. If the limit is exceeded, the appliance will implement its TCP Intercept feature, discussed later in the chapter. The two idle timers are then started for the connection, one in the conn table and one in the xlate table.

Parts 3 and 4
Once the destination receives the packet, it responds with a TCP SYN/ACK. Upon receiving the packet, the appliance compares the header information with the conn table to find a match; in this case, since the source initiated the connection in part 1, the connection is in the table. The appliance then validates the idle timer to ensure that the entry in the state table hasn't expired: if the entry has expired, it is removed from the conn table and the packet is dropped. If there was no match in the conn table, or the entry had timed out, the ACL on the interface would be used to validate whether the packet was allowed inbound to the inside interface. Because the connection is found and has not expired, the appliance then undoes the randomization of the acknowledgment number. This is the sequence number randomization (SNR) feature at work, which is used to defeat session hijacking attacks.

Parts 5 and 6
In part 5, the source completes the three-way handshake by sending a TCP ACK, shown in Figure 5-5. The appliance first compares the packet information against the existing connections in the state table to determine whether the packet is new or part of an existing connection. Since it is an existing connection, it should be in the state table. If you examine the Outside Network column above part 2, it shows the packet header as it leaves the appliance. Notice that the source address was changed because of a match on the configured translation policy, and the TCP sequence number was randomized. The corresponding idle timers in the conn and xlate tables are reset, and the packet is forwarded to the destination, shown in part 6. Again, the appliance keeps track of the packets for the connection and updates the conn table appropriately.
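The six-part walk-through above is a state machine, and it is easier to reason about (and to test the edge cases of) when written down as one. The following is an added example for this page, written in Python; it is not Cisco code and is a deliberate simplification: the conn and xlate tables are dictionaries, the inside ACL and the dynamic PAT policy are callables, the random offset stands in for sequence number randomization, and TCP Intercept is only flagged, not modelled. All addresses, ports and timer values are constructed for the example.

```python
"""Toy model of the walk-through: conn table, xlate table, inside ACL, dynamic PAT,
sequence number randomization, embryonic counter and idle timers. Constructed example; not Cisco code."""
import random

SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10
MOD32 = 1 << 32


class Packet:
    def __init__(self, src, sport, dst, dport, seq, ack, flags):
        self.src, self.sport, self.dst, self.dport = src, sport, dst, dport
        self.seq, self.ack, self.flags = seq, ack, flags


class Appliance:
    def __init__(self, inside_acl, nat_policy, embryonic_limit=2, conn_idle=3600.0, xlate_idle=10800.0, seed=0):
        self.inside_acl = inside_acl    # permit(pkt) -> bool: the ACL applied inbound on the inside interface
        self.nat_policy = nat_policy    # inside ip -> global ip for dynamic PAT, or None if no policy matches
        self.embryonic_limit, self.conn_idle, self.xlate_idle = embryonic_limit, conn_idle, xlate_idle
        self.rng = random.Random(seed)  # fixed seed keeps the example reproducible
        self.conns = {}    # (in_ip, in_port, out_ip, out_port) -> {offset, embryonic, seen}
        self.xlates = {}   # (in_ip, in_port) -> {gip, gport, seen}
        self.embryonic, self.intercept_triggered, self.next_port = 0, False, 1024

    def _lookup(self, table, key, idle, now):
        """Return a live entry, removing it (and fixing the embryonic count) if its idle timer expired."""
        entry = table.get(key)
        if entry is not None and now - entry["seen"] > idle:
            self._remove_conn(key) if table is self.conns else table.pop(key)
            return None
        return entry

    def _remove_conn(self, key):
        if self.conns[key]["embryonic"]:
            self.embryonic -= 1
        del self.conns[key]

    def from_inside(self, pkt, now):
        """Parts 1, 2 and 5: a packet arriving on the inside interface."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        conn = self._lookup(self.conns, key, self.conn_idle, now)
        if conn is None:                                   # not in the conn table: new connection (part 1)
            if not self.inside_acl(pkt):
                return "dropped: no permit in the inside ACL", None
            xlate = self._lookup(self.xlates, (pkt.src, pkt.sport), self.xlate_idle, now)
            if xlate is None:                              # no usable xlate: consult the policies (part 2)
                gip = self.nat_policy(pkt.src)
                if gip is None:
                    return "dropped: no translation policy matches", None
                xlate = self.xlates[(pkt.src, pkt.sport)] = {"gip": gip, "gport": self.next_port, "seen": now}
                self.next_port += 1
            if self.embryonic >= self.embryonic_limit:     # SYN flood guard: hand the handshake to TCP Intercept
                self.intercept_triggered = True
                return "embryonic limit reached: TCP Intercept engaged", None
            conn = self.conns[key] = {"offset": self.rng.randrange(1, MOD32), "embryonic": True, "seen": now}
            self.embryonic += 1
        else:
            xlate = self.xlates[(pkt.src, pkt.sport)]
        if conn["embryonic"] and pkt.flags & ACK and not pkt.flags & SYN:
            conn["embryonic"] = False                      # part 5: three-way handshake completed
            self.embryonic -= 1
        conn["seen"] = xlate["seen"] = now                 # reset both idle timers
        if pkt.flags & (FIN | RST):
            self._remove_conn(key)                         # torn down by the source
        out = Packet(xlate["gip"], xlate["gport"], pkt.dst, pkt.dport,
                     (pkt.seq + conn["offset"]) % MOD32, pkt.ack, pkt.flags)   # translate source, randomize seq
        return "forwarded", out

    def from_outside(self, pkt, now):
        """Parts 3 and 4: the reply arriving on the outside interface."""
        inside = next((k for k, x in self.xlates.items() if (x["gip"], x["gport"]) == (pkt.dst, pkt.dport)), None)
        key = inside and (inside[0], inside[1], pkt.src, pkt.sport)
        conn = key and self._lookup(self.conns, key, self.conn_idle, now)
        if not conn:
            # No live conn entry: the appliance would fall back to the outside ACL and the translation
            # policies. This model has no inbound policy, so such packets are dropped.
            return "dropped: no conn entry (outside ACL and translation policies would apply)", None
        conn["seen"] = self.xlates[inside]["seen"] = now
        if pkt.flags & (FIN | RST):
            self._remove_conn(key)                         # torn down by the destination
        out = Packet(pkt.src, pkt.sport, inside[0], inside[1],
                     pkt.seq, (pkt.ack - conn["offset"]) % MOD32, pkt.flags)   # undo SNR on the ack number
        return "forwarded", out


def walk_through():
    """Replays parts 1 to 6: SYN out, SYN/ACK back, ACK out. Addresses are constructed."""
    fw = Appliance(inside_acl=lambda p: p.dport == 80,
                   nat_policy=lambda ip: "198.51.100.1" if ip.startswith("192.168.1.") else None)
    r1, syn_out = fw.from_inside(Packet("192.168.1.10", 4000, "203.0.113.5", 80, 1000, 0, SYN), 0.0)
    r2, synack_in = fw.from_outside(Packet("203.0.113.5", 80, syn_out.src, syn_out.sport,
                                           7000, (syn_out.seq + 1) % MOD32, SYN | ACK), 0.1)
    r3, ack_out = fw.from_inside(Packet("192.168.1.10", 4000, "203.0.113.5", 80, 1001,
                                        synack_in.seq + 1, ACK), 0.2)
    return fw, [(r1, syn_out), (r2, synack_in), (r3, ack_out)]


def syn_flood(limit=2, count=3):
    """Half-open connections that never complete the handshake, until the embryonic limit trips."""
    fw = Appliance(inside_acl=lambda p: True, nat_policy=lambda ip: "198.51.100.1", embryonic_limit=limit)
    results = [fw.from_inside(Packet("192.168.1.20", 40000 + i, "203.0.113.5", 80, i, 0, SYN), float(i))[0]
               for i in range(count)]
    return fw, results
```

Two things the model makes visible that the prose only states: the SYN/ACK's acknowledgment number comes back to the inside host as exactly 1001 only because the same per-connection offset that randomized the outgoing sequence number is subtracted again on the return path, and a reply that arrives after the conn idle timer has expired is dropped even though its xlate (with its longer timer) is still present.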
If no packets are seen for the duration of the idle timer, or the connection is torn down by the source or destination, the entry is removed from the conn table.

ADDRESS TRANSLATION OVERVIEW

Private Addresses

Needs for Address Translation:
- You are merging two networks that have an overlapping address space. You need to make it appear that the overlapping network numbers are unique to the two different sides.
- Your ISP has assigned you a very small number of public addresses, and you need to provide many of your devices access to the Internet.
- You were assigned a public address space by your ISP, and when you change ISPs, your new ISP will not support your currently assigned address space.
- You have critical services on a single device, and you need to duplicate these resources across many devices. However, you need to make it appear that all of the devices that contain these resources are a single entity.

Disadvantages of Address Translation:
First, when address translation is performed by your address translation device (like the Cisco security appliances), it will have to change the IP addresses in the IP packet header and possibly even the port numbers in the TCP or UDP segment headers. Because of this, the address translation device will have to perform additional processing, not only to handle the translation process but also to compute new checksums for the packets.
Another problem that address translation introduces concerns troubleshooting network problems. Because address translation changes the source and/or destination IP addresses in the packet headers, it becomes more difficult to troubleshoot network problems. When you examine the addresses in the packet header, you don't know whether you are dealing with the addresses that these machines have assigned on them, or with the addresses that they have been translated to by an address translation device.
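The checksum cost mentioned above is larger than it first looks: rewriting the source address invalidates not only the IP header checksum but also the TCP checksum, because the TCP checksum covers a pseudo-header that contains both IP addresses. The following is an added example for this page, written in Python with only the standard library; it is not Cisco code. It builds a constructed IPv4/TCP SYN (192.168.1.10:4000 to 203.0.113.5:80), translates the source to 198.51.100.1:50000 the way a PAT device must, and contrasts that with the mistake of patching only the IP header.

```python
"""Source NAT/PAT with checksum recomputation. Constructed example; not Cisco code."""
import struct

TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: 16-bit one's-complement sum, folded and complemented.
    Run over data that already contains a correct checksum field, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """The TCP pseudo-header: both addresses, zero, protocol, TCP length. This is why NAT
    must recompute the TCP checksum even when it touches nothing in the TCP header."""
    return ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, TCP, tcp_len)


def build_packet(src: str, dst: str, sport: int, dport: int, seq: int, flags: int = 0x02) -> bytes:
    """IPv4 header (no options) + TCP header (no options, no payload), both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo_header(src, dst, len(tcp)) + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, TCP, 0,
                     ip_bytes(src), ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def verify(packet: bytes):
    """Return (ip_checksum_ok, tcp_checksum_ok) for a packet as it would be checked by the receiver."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    src, dst = ip_str(ip[12:16]), ip_str(ip[16:20])
    return checksum(ip) == 0, checksum(pseudo_header(src, dst, len(tcp)) + tcp) == 0


def rewrite_ip_only(packet: bytes, new_src: str) -> bytes:
    """The mistake: patch the IP source address and the IP header checksum, leave TCP untouched."""
    ip, tcp = bytearray(packet[:20]), packet[20:]
    ip[12:16] = ip_bytes(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + tcp


def translate_source(packet: bytes, new_src: str, new_sport: int) -> bytes:
    """What the translation device has to do: rewrite address and port, then recompute
    both the IP header checksum and the TCP checksum over the new pseudo-header."""
    ip, tcp = bytearray(packet[:20]), bytearray(packet[20:])
    ip[12:16] = ip_bytes(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[0:2] = struct.pack("!H", new_sport)
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", checksum(pseudo_header(new_src, ip_str(ip[16:20]), len(tcp)) + bytes(tcp)))
    return bytes(ip) + bytes(tcp)


if __name__ == "__main__":
    original = build_packet("192.168.1.10", "203.0.113.5", 4000, 80, 1000)
    print("original      ", verify(original))
    print("ip-only rewrite", verify(rewrite_ip_only(original, "198.51.100.1")))
    print("full translate ", verify(translate_source(original, "198.51.100.1", 50000)))
```

The same pseudo-header dependency applies to UDP, and to any ICMP error whose quoted inner header the device rewrites; the troubleshooting problem from the text is also visible here, since a capture taken on the outside shows 198.51.100.1:50000 and nothing in the packet says that 192.168.1.10:4000 ever existed.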