Sunday, 13 August 2017

6 - Proving Why Trace Fails Using Wireshark


Intro
With the current lab setup (reviewed below), a trace from the virtual PC to the internet will not work. The ASAv performs stateful packet inspection by default and only allows incoming external traffic if it was first requested from an internal source. Traffic from a lower security level (Outside interface, security-level 0) is allowed in only when the higher security level (Inside interface, security-level 100) has first requested it. At first glance, a trace from the virtual PC to the WAN looks like it should satisfy this rule. But a closer analysis of the traffic's protocols shows that the ASAv denies the return traffic because it is unrecognizable: to the ASAv, it does not look like the traffic was internally requested.

Before continuing the proof, below is a summary of the current state of the lab environment:
  • Cloud1 represents the WAN.
  • ASAv has an outside interface of 192.168.14.130 (pretending this is our public IP)
  • ASAv has an inside interface of 10.1.0.250
  • ASDM is successfully built with reachability using the outside interface 192.168.14.130
  • The network behind the ASAv is designed with 10.0.0.0/24
  • The router is configured to route traffic with a default gateway to the ASAv
  • The virtual PC is configured with the router as the default gateway
  • The virtual PC can successfully reach the ASAv's inside IP 10.1.0.250.
  • The virtual PC is configured with 8.8.8.8 DNS Server
  • The ASAv is configured with dynamic PAT to allow internal IP address to translate to a public IP for communication

STEP 1
Wireshark integrates with GNS3. It can be downloaded separately if your initial GNS3 setup didn't include it. This tool will allow us to capture traffic and see what's going on with the trace failing from the virtual PC to the outside world.

Right-click the link outside of the ASAv and click Start capture.


A pop up will show that allows you to name your packet capture. I've named mine Proving Failed Traces.


Once you've named the file, Wireshark will open up and start capturing traffic.


STEP 2
Let's place some traffic to analyze with Wireshark by forcing the fail from PC1.

trace google.com


As you can see, the trace to google.com fails.

STEP 3
Let's analyze the traffic back in Wireshark.



As seen, the traffic starts with a query to the 8.8.8.8 DNS server to resolve Google's IP address. Once that is resolved, the trace begins from the PAT'd address of the virtual PC, which is the ASAv's outside interface (faux public IP 192.168.14.130). The protocol going out from the PC to Google is UDP. When traffic returns from the router (faux public IP 192.168.14.2), the incoming protocol is ICMP. Because the ASAv uses stateful packet inspection, it has no record of an ICMP connection initiated from the higher security level (the internal network): the returning ICMP does not match the outbound UDP it recorded, so the ASAv treats it as unsolicited and drops it.
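To make the behaviour in the capture concrete, here is an added toy model of a stateful connection table (my own illustration, not ASAv code). It replays the capture: the DNS reply comes back as UDP and matches the recorded flow, while the router's ICMP reply to the UDP probe does not. The inspect_icmp_error switch is an assumed simplification of a firewall that also matches the original datagram quoted inside an ICMP error; the target address 203.0.113.10 and the port numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Addresses from the lab write-up; the probe target and ports are constructed.
OUTSIDE_IP = "192.168.14.130"   # ASAv outside interface (PAT address)
ROUTER_IP = "192.168.14.2"      # upstream router that answers the probe
DNS_IP = "8.8.8.8"
TARGET_IP = "203.0.113.10"      # stand-in for the resolved google.com address

@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0              # UDP ports (unused for ICMP)
    dport: int = 0
    icmp_type: int = -1         # 11 = time exceeded, 3 = destination unreachable
    inner: Optional["Packet"] = None  # original datagram quoted in an ICMP error

class StatefulFirewall:
    """Toy model: flows leaving the inside (high security) are recorded; a
    packet arriving on the outside passes only if it matches a recorded flow."""
    def __init__(self, inspect_icmp_error: bool = False):
        self.conns = set()
        self.inspect_icmp_error = inspect_icmp_error

    def outbound(self, pkt: Packet) -> None:
        # Record the flow as it appears on the outside, i.e. after PAT.
        self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> str:
        # Reverse lookup: a reply in the same protocol matches directly.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "allow"
        # An ICMP error is a different protocol from the UDP probe, so the
        # reverse lookup fails; it matches only if the quoted header is examined.
        if self.inspect_icmp_error and pkt.proto == "icmp" and pkt.inner:
            i = pkt.inner
            if (i.proto, i.src, i.sport, i.dst, i.dport) in self.conns:
                return "allow"
        return "drop"

def traceroute_decisions(inspect_icmp_error: bool) -> dict:
    """Replay the capture: DNS lookup, then one UDP probe and its ICMP reply."""
    fw = StatefulFirewall(inspect_icmp_error)
    fw.outbound(Packet("udp", OUTSIDE_IP, DNS_IP, 40001, 53))
    dns_reply = fw.inbound(Packet("udp", DNS_IP, OUTSIDE_IP, 53, 40001))
    probe = Packet("udp", OUTSIDE_IP, TARGET_IP, 40002, 33434)
    fw.outbound(probe)
    ttl_exceeded = Packet("icmp", ROUTER_IP, OUTSIDE_IP, icmp_type=11, inner=probe)
    return {"dns": dns_reply, "trace": fw.inbound(ttl_exceeded)}
```

With the default (no ICMP error matching) the DNS reply is allowed and the trace reply is dropped, which is exactly the split seen in the capture.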
