ASA TCP sequence number randomization test

Source: Internet
Author: User

I. Overview:

While listening to the ASA course given by yeslab instructor Qin Ke, I heard that the ASA randomizes the TCP initial sequence number (ISN). So I built a lab to test this and found that not only the ISN of the TCP connection is randomized: the sequence numbers of the subsequent TCP packets are changed as well.

---- Postscript: after listening to the later lessons, it is clear that only the initial sequence number is randomized, because every later sequence number is derived from it. For example, if the ISN in the first SYN packet is A and the sequence number of the fourth packet is B, and after randomization the ISN is A' and the sequence number of the fourth packet is B', then B - A = B' - A': the difference is always the same, because the same offset is applied to every packet of the connection.

II. Basic idea and conclusions:

A. Build the environment and capture packets on both sides of the ASA.
B. The sequence number shown by the packet-capture software is a relative number; the value actually carried in the packet is the real sequence number.
C. The ASA not only randomizes the sequence number of the TCP initial (SYN) packet, it also changes the sequence numbers of the other packets of the connection (the postscript above explains why: the same offset applies to the whole connection).
D. A policy-map can be used to stop the ASA from randomizing the sequence number.

III. Test topology:

[Figure 1 (1.JPG): test topology. Image: http://www.bkjia.com/uploads/allimg/131227/0630302446-0.jpg]

IV. Basic configuration:

A. Outside router:

interface Ethernet0/0
 ip address 202.100.1.1 255.255.255.0
 no shut
line vty 0 4
 password cisco
 login
ip route 0.0.0.0 0.0.0.0 202.100.1.10

B. ASA 8.4(2) firewall:

interface GigabitEthernet0
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
interface GigabitEthernet1
 nameif DMZ
 security-level 50
 ip address 192.168.1.10 255.255.255.0
interface GigabitEthernet2
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0

C. Inside router:

interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10

V. TCP sequence number randomization test:

A. Without NAT, the Inside router telnets to the Outside router:

First TCP packet captured on the Inside router:

[Figure 2 (2.JPG): first packet, Inside side. Image: http://www.bkjia.com/uploads/allimg/131227/0630303400-1.jpg]

---- The "relative sequence number" annotation in the capture shows that seq 0 is only a relative value; the value actually carried in the packet is 0xD6D2CFDC.

First TCP packet captured on the Outside router:

[Figure 3 (3.JPG): first packet, Outside side. Image: http://www.bkjia.com/uploads/allimg/131227/063030B23-2.jpg]

--- Comparing the two figures, it is easy to see that the real sequence numbers of the SYN packet differ on the two sides, although the relative value is 0 on both.

Fourth TCP packet captured on the Inside router:

[Figure 4 (4.JPG): fourth packet, Inside side. Image: http://www.bkjia.com/uploads/allimg/131227/06303060b-3.jpg]

Fourth TCP packet captured on the Outside router:

[Figure 5 (5.JPG): fourth packet, Outside side. Image: http://www.bkjia.com/uploads/allimg/131227/06303010G-4.jpg]

--- The four sequence numbers: on the Inside side the first packet carries D6D2CFDC and the fourth packet D6D2CFDD, not randomized, an increment of 1; on the Outside side the first packet carries 2F67830F and the fourth packet 2F678310, randomized, also an increment of 1. This is why the packet-capture software shows a relative value of 1 on both sides.
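The following is an added example, not code from the original post and not Cisco's implementation: a small Python model of a stateful firewall that randomizes the TCP ISN, driven with the two ISNs from the captures above. It assumes (this is not stated on the page) that the firewall picks one 32-bit offset per connection, adds it to the SEQ of every segment from the initiator and subtracts it from the ACK of every segment sent back to the initiator. The offset 0x5894B333 is simply (0x2F67830F - 0xD6D2CFDC) mod 2^32, so the model reproduces the four values in the figures; the Outside router's ISN (0x1000) and the Telnet source port are made up. It also shows why the relative numbers a sniffer displays are identical on both sides, and that the arithmetic must wrap at 2^32.

```python
"""Added example (not from the original post or from Cisco): a model of ISN
randomization by a stateful firewall and of the 'relative sequence number'
shown by a sniffer. Assumption: one 32-bit offset per connection, added to
the initiator's SEQ and subtracted from the responder's ACK. All segments
below are constructed; 0x5894B333 = (0x2F67830F - 0xD6D2CFDC) mod 2**32."""
import random

MASK32 = 0xFFFFFFFF


def add32(a, b):
    """32-bit wrap-around arithmetic, as TCP sequence numbers require."""
    return (a + b) & MASK32


def sub32(a, b):
    return (a - b) & MASK32


def mk(src, sport, dst, dport, flags, seq, ack=0):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "seq": seq, "ack": ack}


class SeqRandomizer:
    """Per-connection SEQ/ACK rewriter keyed on the initiator's 4-tuple."""

    def __init__(self, offset_source=None):
        rng = random.SystemRandom()
        self.offset_source = offset_source or (lambda: rng.getrandbits(32))
        self.conns = {}  # (src, sport, dst, dport) of the SYN -> offset

    def forward(self, pkt):
        """Return the segment as it appears on the far side of the firewall."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rkey = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        out = dict(pkt)
        if key in self.conns:                  # initiator -> responder
            out["seq"] = add32(pkt["seq"], self.conns[key])
        elif rkey in self.conns:               # responder -> initiator
            out["ack"] = sub32(pkt["ack"], self.conns[rkey])
        elif pkt["flags"] == "S":              # new connection: pick an offset
            self.conns[key] = self.offset_source()
            out["seq"] = add32(pkt["seq"], self.conns[key])
        else:
            raise ValueError("no connection state for a non-SYN segment")
        return out


def relative_seq(capture):
    """What a sniffer's 'relative sequence number' shows: SEQ minus the first
    SEQ seen in the same direction, mod 2**32."""
    first, rel = {}, []
    for p in capture:
        d = (p["src"], p["sport"], p["dst"], p["dport"])
        first.setdefault(d, p["seq"])
        rel.append(sub32(p["seq"], first[d]))
    return rel


# Telnet from the Inside router to the Outside router, as in the post. The
# Inside ISN is the one observed there; the Outside ISN and port are made up.
IN, OUT = ("10.1.1.1", 11111), ("202.100.1.1", 23)
ISN_IN, ISN_OUT = 0xD6D2CFDC, 0x1000


def simulate(offset=None):
    """Drive the handshake plus the first data segment through the model and
    return (inside_capture, outside_capture); offset None means random."""
    fw = SeqRandomizer(None if offset is None else (lambda: offset))
    inside, outside = [], []

    def send_in(p):   # initiator -> responder, captured on both sides
        inside.append(p)
        outside.append(fw.forward(p))
        return outside[-1]

    def send_out(p):  # responder -> initiator
        outside.append(p)
        inside.append(fw.forward(p))
        return inside[-1]

    syn = send_in(mk(*IN, *OUT, "S", ISN_IN))
    # The responder ACKs the SEQ it actually saw, i.e. the randomized one.
    synack = send_out(mk(*OUT, *IN, "SA", ISN_OUT, add32(syn["seq"], 1)))
    # After un-shifting, the initiator sees an ACK for its own real ISN.
    assert synack["ack"] == add32(ISN_IN, 1)
    send_in(mk(*IN, *OUT, "A", add32(ISN_IN, 1), add32(ISN_OUT, 1)))
    send_in(mk(*IN, *OUT, "PA", add32(ISN_IN, 1), add32(ISN_OUT, 1)))  # 4th
    return inside, outside


if __name__ == "__main__":
    ins, outs = simulate(0x5894B333)
    for n, (i, o) in enumerate(zip(ins, outs), 1):
        print(f"pkt {n}: inside seq {i['seq']:08X} | outside seq {o['seq']:08X}")
    print("relative:", relative_seq(ins), relative_seq(outs))
```

Run as a script it prints the Inside/Outside SEQ of packets 1 to 4 (D6D2CFDC/2F67830F, then D6D2CFDD/2F678310 for the fourth) and the relative list [0, 0, 1, 1] for both captures. Two points worth noting: the responder's SYN/ACK carries ack 2F678310 on the Outside capture but D6D2CFDD on the Inside capture, so the firewall must rewrite ACKs in the reply direction or the initiator would reset the connection; and because 0xD6D2CFDC + 0x5894B333 exceeds 2^32, the example only works with wrap-around arithmetic, which is the same rule the relative-number display relies on. In Wireshark the display can be switched to the real values with the TCP preference "Relative sequence numbers" (tshark: -o tcp.relative_sequence_numbers:FALSE).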

B. With NAT, the Inside router telnets to the Outside router:

① PAT configuration:

object network Inside_net
 subnet 10.1.1.0 255.255.255.0
 nat (Inside,Outside) dynamic interface

② Packet capture test:

---- The result is the same as without NAT: not only the ISN but also the sequence numbers of the other packets of the connection are changed.

VI. Avoiding TCP sequence number randomization:

A. Configure a policy-map and apply it (the class is matched on an access-list so that randomization is switched off only for the Telnet traffic under test, not for every connection through the interface; ISN randomization protects hosts whose own ISN generation is predictable, so it should only be disabled for traffic that needs it):

access-list telnet extended permit tcp any any eq telnet
class-map noseqrandom
 match access-list telnet
policy-map noseqrandom
 class noseqrandom
  set connection random-sequence-number disable
service-policy noseqrandom interface Inside

B. The Inside router telnets to the Outside router again and packets are captured on both sides:

---- Capturing again shows that the sequence numbers on both sides are now identical.

This article is from the "httpyuntianjxxll. spac..." blog; please keep this source: http://333234.blog.51cto.com/323234/1303915
