Troubleshooting and Configuring FTP / RTSP / DNS / DHCP ALG in MAS

Aruba Employee

Tested on version 7.4.0.0; this article is based on that testing.

Application Level Gateway
    - NAT Traversal Filters
    - Need to know the address/port number combination

Firewall Pinhole
    - Need for Pinholes
    - Firewall performing NAT
    - Temporary and Permanent Pinhole
    - Pinhole age out and artificial traffic

 

Network Topology:

[Network topology diagram (rtaImage.jpg)]

Configurations – FTP ALG

Check for the available netservice for FTP using the following command:
(ArubaS3500-48P) #show netservice | include ftp
svc-ftp               tcp       21
svc-tftp              udp       69
sys-svc-ftp           tcp       21               System (not editable)
sys-svc-tftp          udp       69               System (not editable)
(ArubaS3500-48P) #

Use that netservice name for creating a session ACL:
ip access-list session my_ftp
any any svc-ftp  permit
any any svc-icmp  permit*
!

Attach this session ACL to the user role:
user-role enable-alg
 access-list session my_ftp
!

* svc-icmp is added to allow ping packets through.

Configurations – RTSP ALG

Check for the available netservice for RTSP using the following command:
(ArubaS3500-24P) #show netservice | include rtsp
svc-rtsp              tcp       554        rtsp
(ArubaS3500-24P) #

Use the netservice name for creating a session ACL:
ip access-list session my_rtsp
  any any svc-rtsp  permit
  any any svc-icmp  permit*
!

Attach the session ACL to the user role:
user-role enable-alg
 access-list session my_rtsp
!

* svc-icmp is added to allow ping packets through.


Configurations – DNS ALG

Check for the available netservice for DNS using the following command:
(ArubaS1500-24P) #show netservice | include dns
svc-dns               udp       53
sys-svc-dns           udp       53               System (not editable)
(ArubaS1500-24P) #

Use the netservice name for creating a session ACL:
ip access-list session my_dns
  any any svc-dns  permit
  any any svc-icmp  permit*
!

Attach the session ACL to the user role:
user-role enable-alg
 access-list session my_dns
!


* svc-icmp is added to allow ping packets through.

Configurations – DNS ALG – For Non Standard Ports


For non-standard ports, define a netservice on that port and bind it to the DNS ALG with the following command (the keyword is "alg"):
(ArubaS1500-24P) (config) #netservice my-dns1 udp 5300 alg dns
(ArubaS1500-24P) (config) #

Check the created netservice:
(ArubaS1500-24P) #show netservice | include dns
svc-dns               udp       53
my-dns1               udp       5300       dns
sys-svc-dns           udp       53          System (not editable)
(ArubaS1500-24P) #

Now use this netservice name, "my-dns1", in place of svc-dns when creating the session ACL.


Configurations – DHCP ALG

Check for the available netservice for DHCP using the following command:
(ArubaS1500-24P) #show netservice | include dhcp
svc-dhcp              udp       67-68
sys-svc-dhcp          udp       67          System (not editable)
(ArubaS1500-24P) #

Use the netservice name for creating a session ACL:
ip access-list session my_dhcp
  any any svc-dhcp  permit
  any any svc-icmp  permit*
!

Attach the session ACL to the user role:
user-role enable-alg
 access-list session my_dhcp
!


* svc-icmp is added to allow ping packets through.


Configurations – DHCP ALG – For Non Standard Ports

For non-standard ports, define a netservice covering the server and client ports and bind it to the DHCP ALG with the following command (the keyword is "alg"):
(ArubaS1500-24P) (config) #netservice my-dhcp1 udp 6700 6701 alg dhcp
(ArubaS1500-24P) (config) #end

Check the created netservice:
(ArubaS1500-24P) #show netservice | include dhcp
svc-dhcp              udp       67-68
my-dhcp1              udp       6700-6701  dhcp
sys-svc-dhcp          udp       67          System (not editable)
(ArubaS1500-24P) #

Now use this netservice name, "my-dhcp1", in place of svc-dhcp when creating the session ACL.


Configurations – Common to FTP / RTSP / DNS / DHCP

Attach the user role to the authentication profile:
aaa profile "mac_aaa1"
   authentication-mac "MAC_AUTH"
   mac-default-role "enable-alg"
   mac-server-group "INTERNAL_SERVER"
!

Attach the authentication profile to the untrusted interfaces:
interface gigabitethernet "0/0/23"
   aaa-profile "mac_aaa1"
   switching-profile "sw-30"
   no trusted port
!
interface gigabitethernet "2/0/0"
   aaa-profile "mac_aaa2"
   switching-profile "sw-20"
   no trusted port
!


Enable session processing on the routed VLAN interfaces, otherwise the session ACL (and therefore the ALG) is never applied to the routed traffic:
interface vlan "30"
   session-processing
   ip address 30.30.30.10 255.255.255.0
!
interface vlan "20"
   session-processing
   ip address 20.20.20.10 255.255.255.0
!

In this topology the client is connected to port 0/0/23 (VLAN 30) and the server to port 2/0/0 (VLAN 20).

 

Use the command "show netservice" to check that the netservice definitions for FTP, RTSP, DNS and DHCP are present, and that the ALG column (the last field) shows the ALG bound to the service.

(ArubaS3500-24P) #
(ArubaS3500-24P) #show netservice | include ftp
svc-ftp               tcp       21
svc-ftp-data          tcp       20
svc-tftp              udp       69
sys-svc-ftp           tcp       21               System (not editable)
sys-svc-tftp          udp       69               System (not editable)

(ArubaS3500-24P) #
(ArubaS3500-24P) #show netservice | include rtsp
svc-rtsp              tcp       554        rtsp

(ArubaS3500-24P) #
(ArubaS3500-24P) #show netservice | include dns
svc-dns               udp       53
sys-svc-dns           udp       53               System (not editable)

(ArubaS3500-24P) #
(ArubaS3500-24P) #show netservice | include dhcp
svc-dhcp              udp       67-68
sys-svc-dhcp          udp       67               System (not editable)

Use the command "show datapath session" to check whether the pinholes are opened properly. The TCP control session (port 554 for RTSP) should be accompanied by the UDP data sessions the ALG opened; these carry the F (fast age) flag because they are temporary pinholes.
Check the "Flags" column to see whether the traffic is allowed or denied: a D flag means the session is being denied.

(ArubaS3500-24P) #show datapath session

Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       u - User Index
 Src IP/Dest MAC Dest IP      Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ ---
20.20.20.25     30.30.30.25     6    554   52290  0/0     0 0   0   tunnel 67   8    b      b      I
30.30.30.25     20.20.20.25     6    52290 554    0/0     0 0   1   tunnel 67   8    0      0      C
20.20.20.25     30.30.30.25     17   6970  59428  0/0     0 0   0   tunnel 67   8    b      b      F
20.20.20.25     30.30.30.25     17   6971  59429  0/0     0 0   1   tunnel 67   8    b      b      F
30.30.30.25     20.20.20.25     17   59428 6970   0/0     0 0   1   tunnel 67   8    0      0      FC
30.30.30.25     20.20.20.25     17   59429 6971   0/0     0 0   1   tunnel 67   8    0      0      FC
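
The table above can be checked mechanically. The following Python script is an added example, not part of the Aruba article or of the MAS software: it parses the "show datapath session" rows shown above (copied here as embedded sample input), reports any session carrying the D (deny) flag, and lists the UDP data-channel sessions that belong to the TCP control session on port 554. It assumes the Destination column always has the two-token form "tunnel N" seen above; the extra denied row is constructed, not taken from the article.

```python
# Added example (not from the Aruba article): parse "show datapath session"
# output and verify that pinholes exist and nothing is denied.
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the rows from the article's table, embedded here so the script
# runs offline.
SAMPLE = """\
 Src IP/Dest MAC Dest IP      Prot SPort DPort  Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- ------ ------ ---
20.20.20.25     30.30.30.25     6    554   52290  0/0     0 0   0   tunnel 67   8    b      b      I
30.30.30.25     20.20.20.25     6    52290 554    0/0     0 0   1   tunnel 67   8    0      0      C
20.20.20.25     30.30.30.25     17   6970  59428  0/0     0 0   0   tunnel 67   8    b      b      F
20.20.20.25     30.30.30.25     17   6971  59429  0/0     0 0   1   tunnel 67   8    b      b      F
30.30.30.25     20.20.20.25     17   59428 6970   0/0     0 0   1   tunnel 67   8    0      0      FC
30.30.30.25     20.20.20.25     17   59429 6971   0/0     0 0   1   tunnel 67   8    0      0      FC
"""

# Constructed extra row (not from the article) showing what a denied flow looks like.
DENIED_ROW = "30.30.30.25     20.20.20.25     17   40000 5300   0/0     0 0   1   tunnel 67   8    0      0      D\n"


@dataclass
class Session:
    src: str
    dst: str
    proto: int   # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    age: int
    flags: str


def parse_sessions(text: str) -> List[Session]:
    """Extract the data rows; header, legend and separator lines are skipped.

    Assumes the Destination column has the two-token form "tunnel N" shown in
    the article, so Flags is the 15th token and may be absent entirely.
    """
    sessions: List[Session] = []
    for line in text.splitlines():
        tok = line.split()
        # Data rows start with a dotted-quad source address.
        if len(tok) < 14 or tok[0].count(".") != 3:
            continue
        flags = tok[14] if len(tok) > 14 else ""
        sessions.append(Session(tok[0], tok[1], int(tok[2]), int(tok[3]),
                                int(tok[4]), int(tok[8]), flags))
    return sessions


def denied(sessions: List[Session]) -> List[Session]:
    """Sessions the firewall is dropping: the D flag in the Flags column."""
    return [s for s in sessions if "D" in s.flags]


def data_pinholes(sessions: List[Session], control_port: int = 554) -> List[Session]:
    """UDP sessions between the endpoints of a TCP control session on control_port.

    For RTSP these are the RTP/RTCP flows the ALG opened; the F (fast age)
    flag marks them as temporary pinholes.
    """
    pairs = {frozenset((s.src, s.dst)) for s in sessions
             if s.proto == 6 and control_port in (s.sport, s.dport)}
    return [s for s in sessions
            if s.proto == 17 and frozenset((s.src, s.dst)) in pairs]


def report(text: str, control_port: int = 554) -> Dict[str, int]:
    """The summary a troubleshooter wants: totals, denied count, pinholes."""
    sessions = parse_sessions(text)
    holes = data_pinholes(sessions, control_port)
    return {
        "sessions": len(sessions),
        "denied": len(denied(sessions)),
        "pinholes": len(holes),
        "fast_age_pinholes": sum(1 for s in holes if "F" in s.flags),
    }


if __name__ == "__main__":
    print(report(SAMPLE))
    for s in denied(parse_sessions(SAMPLE + DENIED_ROW)):
        print("denied:", s)
```

Paste the real table into SAMPLE when troubleshooting on a switch; a control session with zero pinholes means the ALG did not fire (wrong netservice, missing "alg" binding, or session-processing not enabled on the VLAN interface), and a non-empty denied list points at the ACL or a global firewall policy.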

You can configure the session idle timeout, which also governs how long an idle pinhole stays open, using the following command:

(ArubaS3500-24P) (config) #firewall session-idle-timeout ?
<0,16-300>              Timeout value in seconds. Range 0,16-300 secs.
                        Default value is 0

Use the command "show firewall" to check whether any global firewall policy is enabled that could deny the traffic:

(ArubaS3500-24P) #show firewall
Global firewall policies
------------------------
Policy                                      Action    Rate      Port
------                                      ------    ----      ----
Enforce TCP handshake before allowing data  Disabled
Prohibit RST replay attack                  Disabled
Deny all IP fragments                       Disabled
Prohibit IP Spoofing                        Enabled
Log all received ICMP errors                Disabled
Per-packet logging                          Disabled
Session mirror destination                  Disabled
Stateful SIP Processing                     Disabled
Session Idle Timeout                        Disabled


Troubleshooting steps – handy commands

show netservice
show datapath session
show firewall
show log system all
show user
show rights <role_name>
In a packet capture, check the following fields in the actual control-channel packets:
FTP
    - In the PORT command, check the active-mode IP address and port.
    - In the 227 response, check the passive-mode IP address and port.
RTSP
    - In the SETUP message (253), check the client_port.
    - In the Reply message (271), check the client_port and server_port.

Note: 

Pausing for more than 300 seconds is not supported in RTSP.
RTSP with NAT is not supported.
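
The fields listed above are exactly what an ALG reads from the control channel to decide which pinholes to open. The following Python script is an added example, not code from the Aruba article or from the MAS: it decodes the FTP PORT command and 227 passive reply into the data-connection address and port (p1*256 + p2), reads client_port and server_port from the Transport header of an RTSP SETUP reply, and models a pinhole table whose entries age out when idle longer than the configured timeout, which is why an RTSP pause longer than the timeout loses the data channel. The control messages are constructed; the addresses follow the article's topology (client 30.30.30.25, server 20.20.20.25); the Pinhole and PinholeTable names are this example's own.

```python
# Added example (not from the Aruba article): what an FTP/RTSP ALG learns from
# the control channel, and how the resulting pinholes age out.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

CLIENT_IP = "30.30.30.25"   # from the article's topology
SERVER_IP = "20.20.20.25"

# Constructed control-channel messages (not captured from the MAS).
FTP_PORT_CMD = "PORT 30,30,30,25,204,34\r\n"                             # active mode, sent by client
FTP_PASV_REPLY = "227 Entering Passive Mode (20,20,20,25,195,80).\r\n"   # passive mode, sent by server
RTSP_SETUP_REPLY = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP;unicast;client_port=59428-59429;server_port=6970-6971\r\n"
    "\r\n"
)


@dataclass(frozen=True)
class Pinhole:
    """One dynamically permitted flow: proto, initiator -> responder:port."""
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


_FTP_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def ftp_pinhole(line: str) -> Optional[Pinhole]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple of a PORT command or a 227 reply.

    The data port is p1*256 + p2; the pinhole direction depends on which
    side advertised the address. A malformed tuple opens nothing.
    """
    m = _FTP_HOSTPORT.search(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    ip, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    if line.upper().startswith("PORT"):
        return Pinhole("tcp", SERVER_IP, ip, port)    # active: server connects to client
    if line.startswith("227"):
        return Pinhole("tcp", CLIENT_IP, ip, port)    # passive: client connects to server
    return None


_RTSP_PORTS = re.compile(r"(client_port|server_port)=(\d+)(?:-(\d+))?")


def rtsp_pinholes(message: str) -> List[Pinhole]:
    """Read client_port / server_port from the Transport header of a SETUP reply.

    Each range is RTP then RTCP. The server sends to client_port and the
    client sends RTCP to server_port, so both directions need a pinhole.
    """
    holes: List[Pinhole] = []
    for header in message.split("\r\n"):
        if not header.lower().startswith("transport:"):
            continue
        for name, lo, hi in _RTSP_PORTS.findall(header):
            for port in range(int(lo), int(hi or lo) + 1):
                if name == "client_port":
                    holes.append(Pinhole("udp", SERVER_IP, CLIENT_IP, port))
                else:
                    holes.append(Pinhole("udp", CLIENT_IP, SERVER_IP, port))
    return holes


class PinholeTable:
    """Temporary pinholes keyed by flow, aged out after idle_timeout seconds.

    A pinhole stays open only while traffic refreshes it; once the idle
    timer expires the flow is dropped until the control channel opens it again.
    """

    def __init__(self, idle_timeout: int) -> None:
        self.idle_timeout = idle_timeout
        self._last_seen: Dict[Pinhole, float] = {}

    def open(self, hole: Pinhole, now: float) -> None:
        self._last_seen[hole] = now

    def permits(self, hole: Pinhole, now: float) -> bool:
        """True if the flow is pinholed; matching traffic refreshes the timer."""
        seen = self._last_seen.get(hole)
        if seen is None or now - seen > self.idle_timeout:
            self._last_seen.pop(hole, None)               # aged out
            return False
        self._last_seen[hole] = now
        return True


if __name__ == "__main__":
    print(ftp_pinhole(FTP_PORT_CMD), ftp_pinhole(FTP_PASV_REPLY))
    for h in rtsp_pinholes(RTSP_SETUP_REPLY):
        print(h)
```

The four UDP pinholes the script derives from the SETUP reply (server 6970/6971 to client 59428/59429 and back) are the same flows that appear with the F flag in the "show datapath session" output earlier in this article, so comparing the script's output with the switch table tells you whether the ALG parsed the same ports the capture shows.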

Version history
Revision #: 1 of 1
Last update: 04-09-2015 08:09 AM