labunix's blog

labunix's Lab Unix

Trying Internal->DMZ DNAT on a Fortigate.

■Trying Internal->DMZ DNAT on a Fortigate.
 Verified on a Fortigate-80C.

# get system status | grep ^Ver
Version: FortiGate-80C v5.2.3,build0670,150318 (GA)

■Scenario with the source NAT specified by an IP pool

   172.31.31.254[Client] -> 172.31.31.252[internal]
-> 172.31.31.250[VIP]    -> 192.168.102.252[DMZ]
-> 192.168.102.250[SNAT] -> 192.168.102.254[VIP/Cisco]

■Config

# show | grep -f [DS]NAT
config firewall ippool
    edit "VDMZ_SNAT" <---
        set type one-to-one
        set startip 192.168.102.250
        set endip 192.168.102.250
    next
end
config firewall vip
    edit "VDMZ_DNAT" <---
        set extip 172.31.31.250
        set extintf "internal"
        set mappedip "192.168.102.254"
    next
end
config firewall policy
    edit 3
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VDMZ_DNAT" <---
        set action accept
        set schedule "always"
        set service "ALL_TCP"
        set nat enable
        set ippool enable
        set poolname "VDMZ_SNAT" <---
    next
end

■Check the open ports on the Cisco on the DMZ side

$ sudo nmap -sT 172.31.31.250

Starting Nmap 6.00 ( http://nmap.org ) at 2015-06-24 00:05 JST
Nmap scan report for 172.31.31.250
Host is up (0.00083s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
53/tcp   open  domain
2000/tcp open  cisco-sccp
5060/tcp open  sip
MAC Address: 00:09:0F:D4:94:AF (Fortinet)

Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds

■Try logging in to the Cisco over Telnet.

$ telnet 172.31.31.250
Trying 172.31.31.250...
Connected to 172.31.31.250.
Escape character is '^]'.

User Access Verification

Username: labunix
Password: 
Router>show version  | include IOS  
Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.3(3)M1, RELEASE SOFTWARE (fc1)

■Set a session filter

# diag sys session filter proto 6
    diag sys session filter dport 23
    diag sys session filter
session filter:
	vd: any
	sintf: any
	dintf: any
	proto: 6-6
	proto-state: any
	source ip: any
	NAT'd source ip: any
	dest ip: any
	source port: any
	NAT'd source port: any
	dest port: 23-23
	policy id: any
	expire: any
	duration: any

■Check the session list

# diagnose sys session list | grep "act"
hook=pre dir=org act=noop 172.31.31.254:54567->172.31.31.252:23(0.0.0.0:0)
hook=post dir=reply act=noop 172.31.31.252:23->172.31.31.254:54567(0.0.0.0:0)
hook=pre dir=org act=dnat 172.31.31.254:37082->172.31.31.250:23(192.168.102.254:23)
hook=post dir=org act=snat 172.31.31.254:37082->192.168.102.254:23(192.168.102.250:37082)
hook=pre dir=reply act=dnat 192.168.102.254:23->192.168.102.250:37082(172.31.31.254:37082)
hook=post dir=reply act=snat 192.168.102.254:23->172.31.31.254:37082(172.31.31.250:23)

■Check the packet capture

# diagnose sniffer packet dmz 'tcp port 23'
interfaces=[dmz]
filters=[tcp port 23]
4.268188 192.168.102.250.37082 -> 192.168.102.254.23: psh 1019940800 ack 3541167463 
4.268811 192.168.102.254.23 -> 192.168.102.250.37082: psh 3541167463 ack 1019940802 
4.269037 192.168.102.250.37082 -> 192.168.102.254.23: ack 3541167465 
4.269046 192.168.102.254.23 -> 192.168.102.250.37082: psh 3541167465 ack 1019940802 
4.269181 192.168.102.250.37082 -> 192.168.102.254.23: ack 3541167472 

# diagnose sniffer packet internal 'tcp port 23'
interfaces=[internal]
filters=[tcp port 23]
1.733956 172.31.31.254.54567 -> 172.31.31.252.23: ack 1529724834 
1.734058 172.31.31.252.23 -> 172.31.31.254.54567: psh 1529724834 ack 2091165519 
1.734206 172.31.31.254.54567 -> 172.31.31.252.23: ack 1529724983 
1.734349 172.31.31.252.23 -> 172.31.31.254.54567: psh 1529724983 ack 2091165519 
1.734455 172.31.31.254.54567 -> 172.31.31.252.23: ack 1529725132 
1.734642 172.31.31.252.23 -> 172.31.31.254.54567: psh 1529725132 ack 2091165519 

■The Fortigate's own IP is enough for SNAT. To save addresses, change to [Use Outgoing Interface Address]

   172.31.31.254[Client] -> 172.31.31.252[internal]
-> 172.31.31.250[VIP]    -> 192.168.102.252[DMZ]
-> 192.168.102.254[VIP/Cisco]

■Config

# show | grep -f [SD]NAT
config firewall vip
    edit "VDMZ_DNAT" <---
        set extip 172.31.31.250
        set extintf "internal"
        set mappedip "192.168.102.254"
    next
end
config firewall policy
    edit 3
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VDMZ_DNAT" <---
        set action accept
        set schedule "always"
        set service "ALL_TCP"
        set nat enable
    next
end

■Check the session list

# diagnose sys session list | grep "act"
hook=pre dir=org act=dnat 172.31.31.254:39223->172.31.31.250:23(192.168.102.254:23)
hook=post dir=org act=snat 172.31.31.254:39223->192.168.102.254:23(192.168.102.252:39223)
hook=pre dir=reply act=dnat 192.168.102.254:23->192.168.102.252:39223(172.31.31.254:39223)
hook=post dir=reply act=snat 192.168.102.254:23->172.31.31.254:39223(172.31.31.250:23)
hook=pre dir=org act=noop 172.31.31.254:56706->172.31.31.252:23(0.0.0.0:0)
hook=post dir=reply act=noop 172.31.31.252:23->172.31.31.254:56706(0.0.0.0:0)
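As an added example (not part of the original post), a small Python parser for the hook/dir/act lines of the two session lists above: it follows each client flow through the pre-hook DNAT and the post-hook SNAT and checks the result against the VIP (extip 172.31.31.250 -> mappedip 192.168.102.254) and the expected SNAT source, the pool address 192.168.102.250 in the first test and the dmz interface address 192.168.102.252 in the second. The sample input is copied from the IP-pool session list; the function names are my own.

```python
import re

# Regex for the hook/dir/act lines that "diagnose sys session list" prints (see the lists above).
LINE_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\)")

# Sample input copied from the IP-pool session list above; the interface-address list parses the same way.
IPPOOL_SESSIONS = """\
hook=pre dir=org act=noop 172.31.31.254:54567->172.31.31.252:23(0.0.0.0:0)
hook=post dir=reply act=noop 172.31.31.252:23->172.31.31.254:54567(0.0.0.0:0)
hook=pre dir=org act=dnat 172.31.31.254:37082->172.31.31.250:23(192.168.102.254:23)
hook=post dir=org act=snat 172.31.31.254:37082->192.168.102.254:23(192.168.102.250:37082)
hook=pre dir=reply act=dnat 192.168.102.254:23->192.168.102.250:37082(172.31.31.254:37082)
hook=post dir=reply act=snat 192.168.102.254:23->172.31.31.254:37082(172.31.31.250:23)
"""

def parse_session_lines(text):
    """One dict per matching line, numeric fields as ints; other lines are skipped."""
    return [{k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
            for m in map(LINE_RE.search, text.splitlines()) if m]

def translated_flows(entries):
    """Map client (ip, port) -> {'vip', 'real_dst', 'snat_src'}; act=noop flows map to None."""
    flows = {}
    for e in (e for e in entries if e["dir"] == "org"):   # the reply direction only mirrors org
        key = (e["src"], e["sport"])
        if e["act"] == "noop":
            flows.setdefault(key, None)
        elif e["hook"] == "pre" and e["act"] == "dnat":    # pre-routing: VIP extip -> mappedip
            flows[key] = {"vip": (e["dst"], e["dport"]), "real_dst": (e["nat_ip"], e["nat_port"])}
        elif e["hook"] == "post" and e["act"] == "snat":   # post-routing: ippool or egress IP
            flows[key] = {**(flows.get(key) or {}), "snat_src": (e["nat_ip"], e["nat_port"])}
    return flows

def check_vip_policy(flows, vip_extip, mappedip, expected_snat_ip):
    """Report DNAT'd flows that hit the wrong VIP or host, leave with an unexpected SNAT
    source, or have their source port rewritten (both captures above preserve it)."""
    problems = []
    for (cip, cport), f in [(k, v) for k, v in flows.items() if v]:
        if f.get("vip", (vip_extip,))[0] != vip_extip or f.get("real_dst", (mappedip,))[0] != mappedip:
            problems.append(f"{cip}:{cport}: DNAT {f.get('vip')}->{f.get('real_dst')}, expected {vip_extip}->{mappedip}")
        snat = f.get("snat_src")
        if snat is None or snat[0] != expected_snat_ip:
            problems.append(f"{cip}:{cport}: SNAT source {snat}, expected {expected_snat_ip}")
        elif snat[1] != cport:
            problems.append(f"{cip}:{cport}: source port rewritten to {snat[1]}")
    return problems
```

Running the same check against the second session list with the pool address as the expected SNAT source flags the flow, which is the quickest way to confirm the policy really switched to the interface address.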

■Check the packet capture

# diagnose sniffer packet dmz 'tcp port 23'
interfaces=[dmz]
filters=[tcp port 23]
5.096063 192.168.102.252.39223 -> 192.168.102.254.23: psh 2752062705 ack 3315246893 
5.096647 192.168.102.254.23 -> 192.168.102.252.39223: psh 3315246893 ack 2752062707 
5.096786 192.168.102.252.39223 -> 192.168.102.254.23: ack 3315246895 
5.096900 192.168.102.254.23 -> 192.168.102.252.39223: psh 3315246895 ack 2752062707 
5.097056 192.168.102.252.39223 -> 192.168.102.254.23: ack 3315246902 

# diagnose sniffer packet internal 'tcp port 23'
interfaces=[internal]
filters=[tcp port 23]
10.341891 172.31.31.254.56706 -> 172.31.31.252.23: ack 252525460 
10.341928 172.31.31.252.23 -> 172.31.31.254.56706: psh 252525460 ack 802023145 
10.342143 172.31.31.254.56706 -> 172.31.31.252.23: ack 252525608 
10.342244 172.31.31.252.23 -> 172.31.31.254.56706: psh 252525608 ack 802023145 
10.342396 172.31.31.254.56706 -> 172.31.31.252.23: ack 252525756 
10.342536 172.31.31.252.23 -> 172.31.31.254.56706: psh 252525756 ack 802023145