Shulou (Shulou.com) 06/01 Report, updated 2025-03-26. Source: SLTechnology News&Howtos > Network Security
1. Overview:
In the yeslab ASA course, instructor Qin Ke covered the ASA's TCP initial sequence number (ISN) randomization. I set up a lab to test it and found that the ASA changes not only the ISN in the SYN but the sequence number of every subsequent TCP segment in the connection as well.
- Postscript: after the later lessons I understood why the feature is called initial sequence number randomization: the change to every later segment is derived from the change to the ISN. If the ISN of the first SYN before the ASA is A and the sequence number of the fourth segment is B, and after the ASA they are A' and B', then B' - A' = B - A, i.e. the ASA adds the same constant (modulo 2^32) to every sequence number of the connection, so the relative numbers displayed by the capture software are identical on both sides.
2. Basic ideas and conclusions:
A. Build the environment, capture on both sides of the ASA, and compare the captures.
B. The capture software displays relative sequence numbers; the real (absolute) sequence number is in the raw packet bytes.
C. The ASA changes not only the ISN of the TCP SYN but also the sequence number of every other segment in the connection (by the same offset).
D. With a policy-map (Modular Policy Framework) the ASA can be told not to randomize sequence numbers for matching traffic.
3. Test topology:
(Topology diagram not reproduced. From the configuration below: Inside router 10.1.1.1 -- GigabitEthernet2 "Inside" 10.1.1.10 [ASA 8.4(2)] GigabitEthernet0 "Outside" 202.100.1.10 -- Outside router 202.100.1.1; GigabitEthernet1 "DMZ" 192.168.1.10 is configured but not used in the test.)
4. Basic configuration:
A. Outside router:
    interface Ethernet0/0
     ip address 202.100.1.1 255.255.255.0
     no shut
    line vty 0 4
     password cisco
     login
    ip route 0.0.0.0 0.0.0.0 202.100.1.10
B. ASA 8.4(2) firewall:
    interface GigabitEthernet0
     nameif Outside
     security-level 0
     ip address 202.100.1.10 255.255.255.0
    interface GigabitEthernet1
     nameif DMZ
     security-level 50
     ip address 192.168.1.10 255.255.255.0
    interface GigabitEthernet2
     nameif Inside
     security-level 100
     ip address 10.1.1.10 255.255.255.0
C. Inside router:
    interface Ethernet0/0
     ip address 10.1.1.1 255.255.255.0
     no shut
    ip route 0.0.0.0 0.0.0.0 10.1.1.10
5. TCP sequence number randomization test:
a. Without NAT, the Inside router telnets to the Outside router:
First TCP segment (SYN) captured on the Inside router side: (screenshot)
- The capture's "relative sequence number" annotation shows that the displayed seq 0 is a relative value; the real value in the packet bytes is 0xD6D2CFDC.
First TCP segment (SYN) captured on the Outside router side: (screenshot)
- Comparing the two captures, the SYN segments on the two sides carry different real sequence numbers even though both are displayed as relative 0.
Fourth TCP segment captured on the Inside router side: (screenshot)
Fourth TCP segment captured on the Outside router side: (screenshot)
- Sequence numbers from the four screenshots: before randomization the first segment is 0xD6D2CFDC and the fourth is 0xD6D2CFDD (difference 1); after randomization the first segment is 0x2F67830F and the fourth is 0x2F678310 (again difference 1). Because the ASA shifts every segment by the same constant, the difference is preserved, which is why the capture software displays relative value 1 on both sides.
b. With NAT, the Inside router telnets to the Outside router:
① PAT configuration:
    object network Inside_net
     subnet 10.1.1.0 255.255.255.0
     nat (Inside,Outside) dynamic interface
② Capture test: the result is the same as without NAT. The ASA changes not only the ISN but the sequence number of every subsequent segment, by the same constant.
6. Avoiding TCP sequence number randomization:
a. Configure a policy-map and apply it:
    access-list telnet extended permit tcp any any eq telnet
    class-map noseq
     match access-list telnet
    policy-map noseqrandom
     class noseq
      set connection random-sequence-number disable
    service-policy noseqrandom interface Inside
Note: the class referenced under the policy-map must be an existing class-map, so the two names must match. Disabling randomization removes the ASA's protection against ISN prediction for the matched traffic; it is normally only done where the rewriting breaks something, for example TCP MD5 authentication on BGP sessions that cross the ASA, or when another in-path device already randomizes.
b. The Inside router telnets to the Outside router and captures are taken on both sides: the sequence numbers on the two sides are now identical (screenshot).
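As an added example (not part of the original article), the following Python script reproduces the comparison from sections 5 and 6 in code: it reads the absolute sequence number from raw TCP headers, derives the Wireshark-style relative numbers, and checks that the shift between the inside and outside captures is one constant for every segment (0 when randomization is disabled). The segments are constructed inline with the sequence numbers from the screenshots above; the ports, flags and ack values are filler assumptions.

```python
import struct

# src port, dst port, seq, ack, data offset/reserved, flags, window, checksum, urgent
TCP_HDR = "!HHIIBBHHH"
MOD32 = 1 << 32


def build_tcp_header(sport, dport, seq, ack, flags, window=4128):
    """Build a minimal 20-byte TCP header with no options.
    Constructed test input (not a capture from the article); only seq is analysed."""
    data_offset = 5 << 4  # header length in 32-bit words, in the high nibble
    return struct.pack(TCP_HDR, sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def tcp_seq(segment):
    """Absolute 32-bit sequence number from a raw TCP header: the value in the
    packet bytes, not the relative number Wireshark prints in its Info column."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return struct.unpack(TCP_HDR, segment[:20])[2]


def relative_seqs(seqs):
    """Wireshark-style relative sequence numbers: distance from the first segment's
    seq, modulo 2^32 so a wrapped counter still gives the right distance."""
    base = seqs[0]
    return [(s - base) % MOD32 for s in seqs]


def randomization_offset(inside_seqs, outside_seqs):
    """Compare the same segments captured on both sides of the ASA (paired by
    capture order). ISN randomization shifts every segment by one constant,
    which is returned; 0 means the stream passed unmodified (randomization
    disabled). A non-constant shift means the pairing is wrong or something
    other than ISN randomization is rewriting the stream, so raise."""
    if not inside_seqs or len(inside_seqs) != len(outside_seqs):
        raise ValueError("captures must hold the same non-empty sequence of segments")
    offsets = {(o - i) % MOD32 for i, o in zip(inside_seqs, outside_seqs)}
    if len(offsets) != 1:
        raise ValueError("shift is not constant: " + ", ".join(hex(x) for x in sorted(offsets)))
    return offsets.pop()


SYN, PSH_ACK = 0x02, 0x18
# Inside-router telnet client stream, first (SYN) and fourth (first data) segment,
# with the sequence numbers read from the article's screenshots. Ports, flags and
# ack values are filler assumptions and are not used by the analysis.
INSIDE_CAPTURE = [
    build_tcp_header(11000, 23, 0xD6D2CFDC, 0, SYN),
    build_tcp_header(11000, 23, 0xD6D2CFDD, 0x1F000001, PSH_ACK),
]
OUTSIDE_CAPTURE = [
    build_tcp_header(11000, 23, 0x2F67830F, 0, SYN),
    build_tcp_header(11000, 23, 0x2F678310, 0x1F000001, PSH_ACK),
]


def analyze(inside=INSIDE_CAPTURE, outside=OUTSIDE_CAPTURE):
    """Return absolute and relative numbers seen on each side and the constant shift."""
    ins = [tcp_seq(s) for s in inside]
    outs = [tcp_seq(s) for s in outside]
    return {
        "inside_absolute": ins,
        "outside_absolute": outs,
        "inside_relative": relative_seqs(ins),
        "outside_relative": relative_seqs(outs),
        "offset": randomization_offset(ins, outs),
    }


if __name__ == "__main__":
    result = analyze()
    for key, value in result.items():
        shown = [hex(v) for v in value] if isinstance(value, list) else hex(value)
        print(f"{key}: {shown}")
    # With randomization disabled (section 6) the two captures are identical:
    same = analyze(INSIDE_CAPTURE, INSIDE_CAPTURE)
    print("offset with randomization disabled:", hex(same["offset"]))
```

For the captured values above the shift is 0x2F67830F - 0xD6D2CFDC = 0x5894B333 (mod 2^32), and both sides show relative numbers [0, 1]; feeding the same capture twice, as after applying the policy-map, yields an offset of 0. To use it on real captures, replace the constructed lists with the TCP header bytes of the same segments taken from the two pcaps, in the same order.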