[Dr.WoW] [No.22] Function of Blackhole Routes in NAT Scenarios Highlighted

Latest reply: Apr 10, 2018 15:48:32
In previous sections, I have mentioned several times that a blackhole route must be configured for NAT to prevent routing loops. Why is this necessary? This section explains the reason.

1 Blackhole Route in a Source NAT Scenario

First, let's establish a typical Source NAT network, as shown in Figure 1-1.
Figure 1-1 Networking diagram 1 for Source NAT


The NAT configuration on the firewall is as follows:

Configure a NAT address pool.

[FW] nat address-group 1 202.1.1.10 202.1.1.10

Configure a NAT policy.

[FW] nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound] policy 1
[FW-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[FW-nat-policy-interzone-trust-untrust-outbound-1] address-group 1
[FW-nat-policy-interzone-trust-untrust-outbound-1] quit
[FW-nat-policy-interzone-trust-untrust-outbound] quit

Configure a security policy.

[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 1
[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-1] action permit
[FW-policy-interzone-trust-untrust-outbound-1] quit
[FW-policy-interzone-trust-untrust-outbound] quit

In addition, configure a default route with the next hop pointing to the address of the router interface.

[FW] ip route-static 0.0.0.0 0 202.1.1.2

The address in the NAT address pool is 202.1.1.10. The address of the interface connecting the firewall to the router is 202.1.1.1 with a 30-bit mask. The two addresses are not in the same network segment.

In normal conditions, when the intranet PC accesses the Web server on the Internet, a session table is generated, and the source address is translated.

[FW] display firewall session table
Current Total Sessions : 1
  http  VPN:public --> public 192.168.0.2:2050[202.1.1.10:2049]-->210.1.1.2:80

If a PC on the Internet proactively accesses the NAT address pool on the firewall, as shown in Figure 1-2, what will happen?
Figure 1-2 Networking diagram 2 for Source NAT

Run the ping 202.1.1.10 command on the Internet PC. The ping fails.

PC> ping 202.1.1.10
Ping 202.1.1.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 202.1.1.10 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

Obviously, this is the expected result. The NAT address pool is used only for private address translation. In other words, the firewall translates the address in the request packet only when the intranet PC initiates an access request. The NAT address pool does not provide other services. Therefore, when the Internet PC initiates an access request to the NAT address pool, the request packet cannot traverse the firewall to reach the intranet PC. Consequently, the ping fails.

The actual situation is more complicated. If we enable packet capture on GE1/0/2 of the firewall and run the ping 202.1.1.10 -c 1 command on the Internet PC so that only one packet is sent, the command output is as follows:

PC> ping 202.1.1.10 -c 1
Ping 202.1.1.10: 32 data bytes, Press Ctrl_C to break
Request timeout!

--- 202.1.1.10 ping statistics ---
  1 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

Then, check information about the packets captured on GE1/0/2.

[Screenshot: packets captured on GE1/0/2]

Wow! The result surprised me: so many ICMP packets! Analyzing these packets, I found that their TTL values decrease by 1 each time and finally reach 1. TTL stands for Time to Live. The TTL value of a packet is reduced by 1 whenever a device forwards the packet, and when it reaches 0 the packet is discarded. This means that the packet from the Internet PC to the NAT address pool is forwarded back and forth between the firewall and router until its TTL reaches 0 and the packet is discarded.

Let's go through the process:

1. The router receives a packet from the Internet PC destined for the NAT address pool and finds that the destination address is not in a directly connected network segment. It searches its routing table and forwards the packet to the firewall.

2. After receiving the packet, the firewall forwards it according to the default route, because the packet is not a return packet of an intranet-to-Internet session and matches no session table entry, and because the destination address is not in a directly connected network segment (the firewall is unaware that the destination address is its own NAT address pool address). Because the packet enters and leaves the firewall through the same interface, it stays within one security zone, and such intra-zone traffic is not controlled by security policies by default. Consequently, the firewall forwards the packet out of GE1/0/2 to the router.

3. After receiving the packet, the router searches its routing table again and sends the packet back to the firewall. The process repeats: the poor packet is kicked back and forth between the two devices like a ball until it is finally discarded.
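Spotting this loop in a capture rather than by eye is straightforward once you know the signature: the same packet reappears on one interface with its TTL falling by exactly 1 each time. The following is an added example, not code from the post or from any Huawei tool; it parses constructed tcpdump-style lines standing in for the screenshot, and the Internet PC address 203.0.113.5 and the line format are assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines standing in for the GE1/0/2 screenshot (not the page's own
# capture): the Internet PC 203.0.113.5 (assumed address) pings the pool address 202.1.1.10 and the
# single echo request is seen 63 times with TTL 63, 62, ..., 1, plus one normal outbound session.
CAPTURE = [f"IP 203.0.113.5 > 202.1.1.10: ICMP echo request, id 1, seq 1, ttl {t}"
           for t in range(63, 0, -1)]
CAPTURE += ["IP 202.1.1.10 > 210.1.1.2: ICMP echo request, id 7, seq 1, ttl 254",
            "IP 210.1.1.2 > 202.1.1.10: ICMP echo reply, id 7, seq 1, ttl 60"]

LINE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+), ttl (\d+)")

def find_loops(lines, min_repeats=3):
    """Group packets by (src, dst, type, id, seq); return {flow: ttls} for every flow whose
    identical packet reappears at least min_repeats times with TTL falling by exactly 1 each time,
    which is the signature of a two-device forwarding loop seen from one interface."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            src, dst, kind, ident, seq, ttl = m.groups()
            seen[(src, dst, kind, int(ident), int(seq))].append(int(ttl))
    return {flow: ttls for flow, ttls in seen.items()
            if len(ttls) >= min_repeats and all(a - b == 1 for a, b in zip(ttls, ttls[1:]))}

def loop_report(lines):
    """One summary line per looping flow: how many times the packet crossed the link."""
    return [f"{src} -> {dst} echo {kind} id {i} seq {s}: {len(ttls)} copies, ttl {ttls[0]}..{ttls[-1]}"
            for (src, dst, kind, i, s), ttls in find_loops(lines).items()]
```

Run over a real capture, a hit like this on the firewall's public interface is a strong indicator that a NAT pool or Global address has no blackhole route.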

Well, what will happen if a blackhole route is configured? First, let's configure a blackhole route with the destination address being the NAT address pool address. To prevent the blackhole route from affecting services, set its mask to 32-bit to exactly match 202.1.1.10.

[FW] ip route-static 202.1.1.10 32 NULL 0

Then, enable packet capture at GE1/0/2 on the firewall and run the ping 202.1.1.10 -c 1 command on the Internet PC. This time we also send only one packet. View information about the captured packet.

[Screenshot: packet captured on GE1/0/2 with the blackhole route configured]

You can see that only one ICMP packet is captured, indicating that the packet matches the blackhole route on the firewall and the firewall directly discards the packet. The blackhole route prevents routing loops between the firewall and router. The firewall sends such packets to the black hole, instead of repeatedly forwarding them. Moreover, the blackhole route does not affect services. The intranet PC can still access the Web server on the Internet.

You may say that the packet is finally discarded even without the blackhole route, so the blackhole route is unnecessary. In the preceding example, we used only one ping packet to demonstrate the process. Now imagine that a malicious user on the Internet directs thousands of PCs to send traffic to the NAT address pool: a huge number of packets would be forwarded back and forth between the firewall and router, consuming link bandwidth and exhausting the system resources the devices spend processing them, which would probably affect normal services.

Therefore, when the NAT address pool and the public interface address are in different network segments, you must configure a blackhole route to prevent loops.

Does the problem persist if the NAT address pool and the public interface address are in the same network segment? Let's verify the process.

First, change the mask of the interface connecting the firewall to the router to 24 bits, so that the NAT address pool and the interface address are in the same network segment. Then delete the blackhole route, enable packet capture on GE1/0/2, run the ping 202.1.1.10 -c 1 command on the Internet PC, and view the captured packets.

[Screenshot: packets captured on GE1/0/2]

The result shows that only three ARP packets and one ICMP packet are captured; the packets from the Internet PC to the NAT address pool are not forwarded back and forth between the firewall and router. Let's look at the process:

1. After receiving a packet from the Internet PC destined for the NAT address pool, the router finds that the destination address belongs to a directly connected network segment and sends an ARP request, which the firewall answers. The first two captured packets are this exchange. The router then encapsulates the packet with the MAC address returned by the firewall and sends it to the firewall.

2. After receiving the packet, the firewall finds that the destination address belongs to the same network segment as its GE1/0/2 and sends an ARP request (the third captured ARP packet) to find the MAC address for this IP address (the firewall is still unaware that the destination address is its own NAT address pool address). No device replies, because this address exists only in the firewall's configuration, so the firewall finally discards the packet.

So, no routing loop occurs in this situation. But if malicious users on the Internet initiate a large number of access requests, the firewall has to send the corresponding number of ARP requests, exhausting system resources. Therefore, a blackhole route is recommended even if the NAT address pool and the public interface address are in the same network segment, saving system resources on the firewall.

The following screenshot shows information about the captured packet after a blackhole route is configured. You can see that the firewall does not send ARP requests.

[Screenshot: packets captured on GE1/0/2 with the blackhole route configured]

There is an extreme case in which the public interface address itself is used as the post-NAT address (Easy-IP mode) or as the NAT address pool. Is a blackhole route still needed?

Let's analyze the process. The firewall receives a packet from the Internet PC and finds that it is itself the destination. How the firewall processes the packet is determined by the security policy for the interzone between the public interface's zone and the Local zone: if the matching rule's action is permit, the firewall processes the packet; if it is deny, the firewall discards it. No routing loop occurs in this process, and no blackhole route is required.

2 Blackhole Route in a NAT Server Scenario

Now, you may ask, "Does NAT Server have the same problem?" Yes, NAT Server can also run into routing loops, but only under specific conditions that depend on the NAT Server configuration. In the typical NAT Server networking shown in Figure 1-3, the Global address of NAT Server and the public interface address are in different network segments. The following description assumes that the interface addresses, security zones, security policies, and routes have already been configured.
Figure 1-3 NAT Server networking

If we configure imprecise NAT Server (no protocol or port specified) on the firewall to publish the intranet Web server to the Internet as follows:

[FW] nat server global 202.1.1.20 inside 192.168.0.20

The firewall translates the destination address of every packet from the Internet PC to 202.1.1.20 into 192.168.0.20, regardless of protocol or port, and sends the packet to the intranet Web server. No loop occurs.

If we instead configure refined NAT Server to publish only the port used by the intranet Web server to the Internet:

[FW] nat server protocol tcp 202.1.1.20 9980 inside 192.168.0.20 80

and the Internet PC then pings 202.1.1.20 instead of accessing port 9980 of 202.1.1.20 as we expected, the ICMP packet matches neither the server map nor the session table on the firewall. The firewall therefore falls back to the routing table and forwards the packet out of GE1/0/2. After receiving the packet, the router sends it back to the firewall, and a routing loop results.

[Screenshot: packets captured on GE1/0/2]

Therefore, when NAT Server with the specified protocol and port number is configured on the firewall, and the Global address for NAT Server and the public interface address are in different network segments, you must configure a blackhole route to prevent loops.
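The forwarding decisions behind both the Source NAT loop of Section 1 and the NAT Server cases just described can be modelled in a few lines. The following is an added example, not code from the post or from any Huawei product: it implements longest-prefix route lookup with a NULL 0 blackhole entry, a server map that is consulted before routing, and TTL decrement at each hop, and it counts how many packets a capture on GE1/0/2 would see. The initial TTL of 64, the router holding a route for the pool/Global address that points at the firewall, and the different-segment topology are assumptions; the same-segment ARP case is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NULL0, ROUTER_ADDR = "NULL0", "202.1.1.2"     # "NULL 0" blackhole hop; router end of the /30 link
DEFAULT = ("0.0.0.0/0", ROUTER_ADDR)          # [FW] ip route-static 0.0.0.0 0 202.1.1.2

@dataclass
class Packet:
    dst: str
    proto: str = "icmp"
    dport: int = 0
    ttl: int = 64                             # assumed initial TTL set by the Internet PC

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    hits = [(ip_network(p), nh) for p, nh in routes if ip_address(dst) in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

class Firewall:
    """server_map entries: (global_ip, proto or None for any, port or 0 for any, inside_ip)."""
    def __init__(self, routes, server_map=()):
        self.routes, self.server_map = routes, server_map
    def handle(self, pkt):
        for glob, proto, port, inside in self.server_map:   # server map is consulted before routing
            if pkt.dst == glob and proto in (None, pkt.proto) and port in (0, pkt.dport):
                return "delivered:" + inside
        next_hop = lookup(self.routes, pkt.dst)
        return "blackhole" if next_hop == NULL0 else "forward:" + str(next_hop)

def simulate(fw, pkt):
    """pkt enters at the router, whose route for pkt.dst points at the firewall (as on the page);
    returns (outcome, number of packets seen on the firewall-router link, i.e. at GE1/0/2)."""
    on_link, at_router = 0, True
    while True:
        pkt.ttl -= 1                                      # every forwarding device decrements TTL
        if pkt.ttl == 0:
            return "ttl_expired", on_link
        if at_router:
            on_link, at_router = on_link + 1, False       # router hands it to the firewall
        else:
            result = fw.handle(pkt)
            if result != "forward:" + ROUTER_ADDR:
                return result, on_link
            on_link, at_router = on_link + 1, True        # default route bounces it back

def source_nat(with_blackhole):
    """Internet PC pings the NAT pool address 202.1.1.10 (Figure 1-2)."""
    routes = [DEFAULT, ("202.1.1.10/32", NULL0)] if with_blackhole else [DEFAULT]
    return simulate(Firewall(routes), Packet("202.1.1.10"))

def nat_server(refined, with_blackhole, pkt):
    """refined=True is 'nat server protocol tcp 202.1.1.20 9980 inside 192.168.0.20 80'."""
    entry = ("202.1.1.20", "tcp", 9980, "192.168.0.20") if refined else ("202.1.1.20", None, 0, "192.168.0.20")
    routes = [DEFAULT] + ([("202.1.1.20/32", NULL0)] if with_blackhole else [])
    return simulate(Firewall(routes, [entry]), pkt)
```

Without the /32 blackhole route the ping crosses the link 63 times (TTL 63 down to 1, as in the screenshot); with it, exactly once, while the default route still carries intranet traffic because the longer prefix only claims the pool address.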

If the Global address for NAT Server and the public interface address are in the same network segment, after the firewall receives a ping packet, it sends an ARP request, and the following process is the same as that described above. Likewise, a blackhole route is recommended when the specified protocol and port number for NAT Server are configured and the Global address for NAT Server and the public interface address are in the same network segment, saving system resources on the firewall.

We can also set the public interface address as the Global address when configuring NAT Server. In this case, after receiving a packet from the Internet PC, the firewall translates the destination address and forwards the packet to the intranet if the packet matches the server map; if it does not match the server map, the firewall treats itself as the destination, and how it processes the packet is determined by the security policy for the interzone between the public interface's zone and the Local zone. No routing loop occurs, and no blackhole route is required.

3 Summary

Now, I believe you have understood why we need to configure a blackhole route. Do you feel your "internal strength" has improved? Let's sum up.

For Source NAT:

  • If the NAT address pool and public interface address are in different network segments, a blackhole route is required.
  • If the NAT address pool and public interface address are in the same network segment, a blackhole route is recommended.

For NAT Server with the specified protocol and port number:

  • If the Global address and public interface address are in different network segments, a blackhole route is required.
  • If the Global address and public interface address are in the same network segment, a blackhole route is recommended.

Besides the benefit described above, a blackhole route has another use: it can be imported into OSPF on the firewall and advertised to the router.

When the NAT address pool (or Global address) and the address of the interface connecting the firewall to the router are in different network segments, a static route must be configured on the router to the NAT address pool or Global address, so that the router can forward the packets destined for the NAT address pool or Global address to the firewall.

If the firewall and router run OSPF, they can automatically learn OSPF routes, reducing manual configuration workloads. However, unlike interface addresses, the NAT address pool and Global address cannot be advertised using the network command as OSPF routes. Well, how can the router learn such routes?

The blackhole route helps resolve the problem. We can import the blackhole route as a static route to the OSPF routing table on the firewall and advertise this OSPF route to the router. In this manner, the router forwards the packets destined for the NAT address pool or Global address to the firewall (NOT to the black hole).

Take the NAT Server networking as an example: the Global address and public interface address are in different network segments, and both the firewall and router run OSPF. Import the static routes into the OSPF routing table on the firewall:

[FW] ospf 100
[FW-ospf-100] import-route static
[FW-ospf-100] area 0.0.0.0
[FW-ospf-100-area-0.0.0.0] network 202.1.1.0 0.0.0.3
[FW-ospf-100-area-0.0.0.0] quit
[FW-ospf-100] quit

Now, the router can learn the route to the Global address for NAT Server:

[Router] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      202.1.1.0/30  Direct  0    0           D   202.1.1.2       Ethernet0/0/0
      202.1.1.2/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/0
     202.1.1.20/32  O_ASE   150  1           D   202.1.1.1       Ethernet0/0/0
      210.1.1.0/30  Direct  0    0           D   210.1.1.1       Ethernet0/0/1
      210.1.1.1/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/1

 

 

 


user_2790689, Jun 16, 2015 03:35:59:

Thank you.

wissal (MVE), Apr 10, 2018 15:48:32:

useful document, thanks