Junos Cup 2014

Tournament 2: Netherlands Challenge & Solution: SRX Network Address Translation #1

‎06-19-2014 07:40 AM

Country Flag: Netherlands

Author: Iria Varela

Title: SRX Network Address Translation #1

Type: Security

Difficulty: High (2 points).

Technical Description: With one set command, ensure that you can connect to the public IP of the HOST from the FTP server without using Destination NAT.

 

NOTE:
In the NAT router, there is a typo in the Server address in the address-book of "untrust" zone. It should be 172.16.0.2/32 instead of 172.16.0.0/32

So:
juniper@NAT# show | compare
[edit security zones security-zone untrust address-book]
-      address Server 172.16.0.0/32;
+      address Server 172.16.0.2/32;

Topology: [diagram 15-Netherlands-Topology.jpg]

Challenge Instructions:

For this challenge, you need to start the topology: “NETHERLANDS – SRX NAT #1”.


Challenge Definitions:

- HOST is a VM that simulates a LAN user

- NAT is a firewall that performs NAT operations

- DC-FIREWALL is a firewall protecting the datacenter

- SERVER is an FTP server


You need to figure out a way to achieve the following packet exchange:

  1. The FTP server sends a TCP SYN packet to the public IPv4 address of the HOST (192.168.0.1). You need to determine the appropriate TCP port each time.
  2. The HOST MUST receive it and send a TCP RST packet back. If in doubt, run monitor traffic interface ge-0/0/1.0 at the HOST.


The outcome of this exchange is a Connection refused message, as shown here:

juniper@SERVER> telnet 192.168.0.1 port <a-TCP-port>    

Trying 192.168.0.1...

telnet: connect to address 192.168.0.1: Connection refused

telnet: Unable to connect to remote host


Your solution must adhere to the following conditions:

- You can execute as many operational commands as you wish.

- You can execute only one configuration set command, in one device only.

- You must not use the Destination NAT feature.


Once you choose the device, this is the configuration sequence:

configure

set <command>

commit and-quit


To solve this challenge, submit the full procedure, including all the commands (operational and configuration) needed. TIP: there are at least four steps in the right procedure.


NOTE: If you see a license error upon commit (JNX_LICENSE_TMP), you can safely ignore it.


NOTE: If you have issues connecting to the Junosphere topology, please check the Junosphere technical documentation or request assistance in the Junosphere forum.


Send an email with your proposed solution to junos-cup@juniper.net:

  • The subject should be “<country-name-of-the-challenge> - <your-full-name>”. For example: “Brazil – Wolfgang Amadeus Mozart”.
  • In the email body, please include your proposed solution, along with your first and last name, complete mailing address including zip/postal code, and your shirt size (S, M, L, XL, XXL, XXXL) (only if you haven’t already submitted your address/shirt size on a previous submission).


Deadline to Respond: Tuesday, 24th of June 23:59:59 Pacific Daylight Time (PDT)



Some additional notes:

  • You can try to solve and submit answers for as many active challenges as you wish
  • The answers will be read by the organization right after the deadline
  • The challenge instructions are final, and no additional information or tips will be provided before the publication of the solution and the winner list. Please don’t expect a reply from junos-cup@juniper.net.
  • If you feel that your initial solution is wrong or incomplete, you can send up to three messages for the same challenge, but please note that only your last message (received before the deadline) will be read.
  • If you think there is an error in the definition of the challenges, please send us an email with subject (“<country-name> ERROR”); if there is no reply, then it’s likely an intentional condition of the challenge, rather than an error.

OFFICIAL SOLUTION:

This is the step-by-step procedure:

(1) Configure the following at the NAT device:

juniper@NAT> configure

juniper@NAT# set security nat source rule-set nat1 rule r1 then source-nat pool mypool persistent-nat permit target-host

juniper@NAT# commit and-quit


(2) Next, start a telnet session from the HOST to the SERVER, and leave it open:

juniper@HOST> telnet 172.16.0.2

Trying 172.16.0.2...

Connected to 172.16.0.2.

Escape character is '^]'.

Welcome to the cloud

password is Clouds

SERVER (ttyp1)

login: juniper

Password:

juniper@SERVER>


Don’t close the telnet session established above.

(3) At the NAT, execute:

juniper@NAT> show security flow session destination-prefix 172.16.0.2

Session ID: 23, Policy name: default-policy-00/2, Timeout: 1794, Valid

  In: 10.0.0.2/60840 --> 172.16.0.2/23;tcp, If: ge-0/0/1.0, Pkts: 29, Bytes: 1786

  Out: 172.16.0.2/23 --> 192.168.0.1/8330;tcp, If: ge-0/0/2.0, Pkts: 20, Bytes: 1370

Total sessions: 1

The port numbers 60840 and 8330 are dynamic, so you will likely get different numbers in your case. Write down the second number, that is, the translated port number on the public side (the destination port of the Out wing, which the NAT device assigned to the HOST's session). In this example, it is 8330.

(4) Open another terminal and connect it to HOST, then launch:

juniper@HOST> monitor traffic interface ge-0/0/1.0 no-resolve


Let it run until the procedure finishes.

(5) At the SERVER, execute:

juniper@SERVER> telnet 192.168.0.1 port <public-side-port>


In our example, the <public-side-port> is 8330:

juniper@SERVER> telnet 192.168.0.1 port 8330

Trying 192.168.0.1...

telnet: connect to address 192.168.0.1: Connection refused

telnet: Unable to connect to remote host


(6) Verify at the HOST that the TCP exchange is actually taking place end-to-end:

juniper@HOST> monitor traffic interface ge-0/0/1.0 no-resolve

verbose output suppressed, use <detail> or <extensive> for full protocol decode

Address resolution is OFF.

Listening on ge-0/0/1.0, capture size 96 bytes

01:01:00.466976  In IP 172.16.0.2.60020 > 10.0.0.2.60840: S 1496642640:1496642640(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 238378 0,sackOK,eol>

01:01:00.467030 Out IP 10.0.0.2.60840 > 172.16.0.2.60020: R 0:0(0) ack 1496642641 win 0


Steps (4) and (6) are optional, so a solution with (1)+(2)+(3)+(5) is considered valid.
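As an added illustration (not part of the original challenge or the official solution), the following Python models why step (1) works: persistent NAT with permit target-host keeps the HOST's translated public socket (192.168.0.1:8330 in the example) bound after the outbound telnet and lets only the external hosts that the HOST has already contacted, here the SERVER, open new sessions back through it. The script parses the flow session text copied from step (3) to build that binding and then evaluates inbound SYNs under the three Junos persistent-nat permit modes (any-remote-host, target-host, target-host-port); the second external address 172.16.0.9 and the ephemeral port 60020 are constructed sample values.

```python
import re
from dataclasses import dataclass, field

# Flow session text copied from step (3) above; in a live lab the two
# port numbers (60840 and 8330) are dynamic and will differ.
SESSION_OUTPUT = """\
Session ID: 23, Policy name: default-policy-00/2, Timeout: 1794, Valid
  In: 10.0.0.2/60840 --> 172.16.0.2/23;tcp, If: ge-0/0/1.0, Pkts: 29, Bytes: 1786
  Out: 172.16.0.2/23 --> 192.168.0.1/8330;tcp, If: ge-0/0/2.0, Pkts: 20, Bytes: 1370
Total sessions: 1
"""

# One "In:" or "Out:" wing of a session: src/port --> dst/port;proto
WING = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+)", re.M)

@dataclass
class Binding:
    """A persistent-NAT binding: internal socket <-> translated public socket."""
    internal_ip: str
    internal_port: int
    public_ip: str
    public_port: int
    targets: set = field(default_factory=set)  # external (ip, port) already contacted

def parse_binding(text):
    """Build the binding from the In (original) and Out (reverse) wings."""
    wings = {m.group(1): m.groups()[1:] for m in WING.finditer(text)}
    in_src, in_sport, in_dst, in_dport, _ = wings["In"]
    _, _, out_dst, out_dport, _ = wings["Out"]      # Out dst = translated public socket
    binding = Binding(in_src, int(in_sport), out_dst, int(out_dport))
    binding.targets.add((in_dst, int(in_dport)))
    return binding

def inbound_allowed(binding, mode, ext_ip, ext_port, dst_ip, dst_port):
    """Is a new inbound session from ext_ip:ext_port to dst accepted under this permit mode?"""
    if (dst_ip, dst_port) != (binding.public_ip, binding.public_port):
        return False                     # no binding exists on that public socket
    if mode == "any-remote-host":
        return True                      # any external host may reuse the binding
    if mode == "target-host":
        return any(ip == ext_ip for ip, _ in binding.targets)
    if mode == "target-host-port":
        return (ext_ip, ext_port) in binding.targets
    raise ValueError(f"unknown persistent-nat mode: {mode}")

if __name__ == "__main__":
    b = parse_binding(SESSION_OUTPUT)
    for mode in ("any-remote-host", "target-host", "target-host-port"):
        print(mode, inbound_allowed(b, mode, "172.16.0.2", 60020, b.public_ip, b.public_port))
```

Note that under target-host-port the SERVER's telnet from an ephemeral source port would be refused at the NAT, because only 172.16.0.2 port 23 matches the binding; any-remote-host would satisfy the challenge too, but it exposes the HOST's translated port to every external address, which is why target-host is the least-privilege choice here.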

Julie Wider
Advocacy Manager
Twitter: @JNetCommunity & @jawider