Cisco Router NAT Overload (PAT)

1. Router KCM

====================ROUTER KCM:

hostname ROUTER-KCM

interface fa0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
 exit

interface se0/0
 ip address 192.168.1.2 255.255.255.252
 no shutdown

--------Default Route:

ip route 0.0.0.0 0.0.0.0 192.168.1.1


--------Static Route:

ip route 10.0.1.0 255.255.255.0 192.168.1.1
ip route 10.2.1.0 255.255.255.0 192.168.1.1
ip route 10.3.1.0 255.255.255.0 192.168.1.1

2. Router BTB

====================ROUTER BTB:

hostname ROUTER-BTB

interface fa0/0
 ip address 192.168.1.10 255.255.255.248
 no shutdown
 exit

interface fa0/1
 ip address 10.2.1.1 255.255.255.0
 no shutdown


--------Static & Default Route:

ip route 10.3.1.0 255.255.255.0 192.168.1.11
ip route 0.0.0.0 0.0.0.0 192.168.1.9

3. Router SRP

====================ROUTER SRP:

hostname ROUTER-SRP

interface fa0/0
 ip address 192.168.1.11 255.255.255.248
 no shutdown
 exit

interface fa0/1
 ip address 10.3.1.1 255.255.255.0
 no shutdown

--------Static & Default Route:

ip route 10.2.1.0 255.255.255.0 192.168.1.10

option a:
ip route 0.0.0.0 0.0.0.0 192.168.1.9

option b:
ip route 10.0.1.0 255.255.255.0 192.168.1.9
ip route 10.1.1.0 255.255.255.0 192.168.1.9

4. Router HQ

====================ROUTER HQ:
hostname ROUTER-HQ

interface fa0/0
 ip address 10.0.1.1 255.255.255.0
 no shutdown

interface fa0/1
 ip address 192.168.1.9 255.255.255.248
 no shutdown

interface serial0/1/0
 ip address 192.168.1.1 255.255.255.252
 clock rate 2000000
 no shutdown

--------Static Route:

ip route 10.1.1.0 255.255.255.0 192.168.1.2 : option 1
ip route 10.1.1.0 255.255.255.0 se0/1/0     : option 2

ip route 10.2.1.0 255.255.255.0 192.168.1.10
ip route 10.3.1.0 255.255.255.0 192.168.1.11

5. Router ISP

hostname ROUTERISP

interface fa0/0
 ip address 8.8.8.1 255.255.255.0
 no shutdown

interface fa0/1
 ip address 9.9.9.1 255.255.255.0
 no shutdown

interface serial0/0/0
 ip address 11.11.11.1 255.255.255.252
 clock rate 4000000
 no shutdown
 exit

------provide one more public IP address (2.2.2.2/32) to the customer, routed to the customer's WAN address:

ip route 2.2.2.2 255.255.255.255 11.11.11.2

6.  Router HQ Nat Overload (PAT) Configuration

interface serial0/1/1
 ip address 11.11.11.2 255.255.255.252
 no shutdown
 exit

ip route 0.0.0.0 0.0.0.0 11.11.11.1

interface fa0/0
 ip nat inside
interface fa0/1
 ip nat inside
interface serial0/1/0
 ip nat inside

interface serial0/1/1
 ip nat outside

access-list 9 permit 10.0.1.0 0.0.0.255
access-list 9 permit 10.1.1.0 0.0.0.255
access-list 9 permit 10.2.1.0 0.0.0.255
access-list 9 permit 10.3.1.0 0.0.0.255

ip nat inside source list 9 interface serial0/1/1 overload
==========

Verify NAT :
# show ip nat translations     : show the NAT translation table
# clear ip nat translation *   : remove all dynamic entries from the NAT table (static entries stay)


********** Or via Extended Access-List*************************************

access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 10.2.1.0 0.0.0.255 any
access-list 100 permit ip 10.3.1.0 0.0.0.255 any
ip nat inside source list 100 interface serial0/1/1 overload

===========static nat

ip nat inside source static 10.0.1.3 2.2.2.2

(A full static mapping exposes every port of 10.0.1.3 on 2.2.2.2. If only a few
 services are needed, prefer the per-port form below and restrict what may reach
 the outside interface with an ACL.)

===========static nat port forwarding

ip nat inside source static tcp 10.0.1.3 80 2.2.2.2 80
ip nat inside source static tcp 10.2.1.100 443 2.2.2.2 443


*********** Lesson ********************

A packet can only travel across the internet if both its source and destination
IP addresses are public; private (RFC 1918) addresses such as 10.x.x.x are not routed there,
so the router must translate them before the packet leaves.


NAT : Network Address Translation
PAT : Port Address Translation

3 types of NAT:

1) Static NAT : translates one private IP address to one public IP address, one-to-one.
    (Use for: servers that must be reachable from outside)
2) Dynamic NAT: translates multiple private IP addresses to a pool of public IP addresses,
   one public address per active host, until the pool is exhausted.
3) PAT or NAT Overload: translates multiple private IP addresses to one public IP address,
   using the source port to tell the sessions apart.

--------Sample config of Static NAT   ( e.g. to publish a security camera )
step 1: Define Inside Interfaces
(config)# interface nameofinsidelan
(config-if)# ip nat inside

step 2: Define Outside Interfaces
(config)# interface nameofoutside
(config-if)# ip nat outside

step 3: Perform NAT Action
(config)# ip nat inside source static private-ip public-ip
===========================================================================
--------Sample config of Dynamic NAT
step 1: Define Inside Interfaces
(config)# interface nameofinsidelan
(config-if)# ip nat inside

step 2: Define Outside Interfaces
(config)# interface nameofoutside
(config-if)# ip nat outside

step 3: Define Standard Access Control List
(config)# access-list acl-id permit source-ip wildcard-mask

step 4: Define NAT Pool 1 range of public ip address
(config)# ip nat pool pool-name start-public-ip end-public-ip netmask subnet-mask

step 5: Perform Dynamic NAT Action
(config)# ip nat inside source list acl-id pool pool-name
=============================================================================
--------Sample config of NAT Overload (PAT)
step 1: Define Inside Interfaces
(config)# interface nameofinsidelan
(config-if)# ip nat inside

step 2: Define Outside Interfaces
(config)# interface nameofoutside
(config-if)# ip nat outside

step 3: Define Standard Access Control List
(config)# access-list acl-id permit source-ip wildcard-mask

step 4: Perform NAT Overload Action
(config)# ip nat inside source list acl-id interface nameofoutside overload
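The translation table that show ip nat translations displays, modelled as an added Python example (it is not code from this page or from Cisco IOS). It uses the page's own values: inside-global address 11.11.11.2 on serial0/1/1, the four networks of access-list 9, and the 2.2.2.2 port forward for 10.0.1.3. The class and method names, the packet representation and the port-allocation rule (keep the source port when it is free, otherwise take the lowest free one) are this example's own simplifications, not behaviour the page documents. It shows the point a practitioner cares about: an inbound packet with no matching entry has nowhere to go and is dropped, which is why PAT alone hides inside hosts, while a static port forward stays reachable even after the dynamic table is cleared.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Addresses taken from the page's ROUTER-HQ configuration.
INSIDE_GLOBAL = "11.11.11.2"                 # serial0/1/1, the 'ip nat outside' interface
ACL_9 = [ip_network(n) for n in             # access-list 9: the inside networks to translate
         ("10.0.1.0/24", "10.1.1.0/24", "10.2.1.0/24", "10.3.1.0/24")]

Endpoint = Tuple[str, int]                   # (ip, port)


@dataclass
class Entry:
    proto: str
    inside_local: Endpoint                   # real host behind the router
    inside_global: Endpoint                  # what the internet sees
    static: bool = False                     # True for 'ip nat inside source static ...'


class PatTable:
    """Model of 'ip nat inside source list <acl> interface <if> overload' (example, not IOS code)."""

    def __init__(self, inside_global: str, inside_nets, port_range: Tuple[int, int] = (1024, 65535)):
        self.inside_global = inside_global
        self.inside_nets = list(inside_nets)
        self.port_range = port_range
        self._by_local: Dict[Tuple[str, str, int], Entry] = {}
        self._by_global: Dict[Tuple[str, str, int], Entry] = {}

    def _matches_acl(self, src_ip: str) -> bool:
        addr = ip_address(src_ip)
        return any(addr in net for net in self.inside_nets)

    def _alloc_port(self, proto: str, wanted: int) -> int:
        # Assumption of this model: keep the original source port when it is
        # free on the global address, otherwise take the lowest free port.
        if (proto, self.inside_global, wanted) not in self._by_global:
            return wanted
        for port in range(*self.port_range):
            if (proto, self.inside_global, port) not in self._by_global:
                return port
        raise RuntimeError("PAT port space exhausted")

    def _install(self, entry: Entry) -> None:
        self._by_local[(entry.proto, *entry.inside_local)] = entry
        self._by_global[(entry.proto, *entry.inside_global)] = entry

    def add_static(self, proto: str, local_ip: str, local_port: int,
                   global_ip: str, global_port: int) -> None:
        """'ip nat inside source static tcp <local> <lport> <global> <gport>'."""
        self._install(Entry(proto, (local_ip, local_port), (global_ip, global_port), static=True))

    def translate_outbound(self, proto: str, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Packet going inside -> outside. Returns the rewritten source, or None when the
        source does not match the NAT ACL (the packet is forwarded untranslated)."""
        entry = self._by_local.get((proto, src_ip, src_port))
        if entry is None:
            if not self._matches_acl(src_ip):
                return None
            entry = Entry(proto, (src_ip, src_port),
                          (self.inside_global, self._alloc_port(proto, src_port)))
            self._install(entry)
        return entry.inside_global

    def translate_inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Packet arriving on the outside interface. Returns the inside host it is delivered
        to, or None when no translation exists (PAT has nothing to map it to, so it is dropped)."""
        entry = self._by_global.get((proto, dst_ip, dst_port))
        return None if entry is None else entry.inside_local

    def clear_dynamic(self) -> None:
        """'clear ip nat translation *': drop dynamic entries, keep static ones."""
        for entry in [e for e in self._by_local.values() if not e.static]:
            del self._by_local[(entry.proto, *entry.inside_local)]
            del self._by_global[(entry.proto, *entry.inside_global)]

    def show(self) -> List[str]:
        """Rows in the column order of 'show ip nat translations': Pro, Inside global, Inside local."""
        return [f"{e.proto} {e.inside_global[0]}:{e.inside_global[1]} "
                f"{e.inside_local[0]}:{e.inside_local[1]}"
                for e in self._by_local.values()]


if __name__ == "__main__":
    table = PatTable(INSIDE_GLOBAL, ACL_9)
    table.translate_outbound("tcp", "10.0.1.2", 50000)   # HQ laptop, keeps port 50000
    table.translate_outbound("tcp", "10.1.1.2", 50000)   # KCM laptop, same port: gets a new one
    table.add_static("tcp", "10.0.1.3", 80, "2.2.2.2", 80)
    print("\n".join(table.show()))
```

Two hosts using the same source port get different global ports, which is the whole mechanism of "overload"; a host outside ACL 9 (for example 172.16.0.5) is left untranslated, and its private source address would then be dropped upstream, so the ACL is the list of who is allowed out.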









Router Extended Access Control List


1. Router HQ

====================ROUTER HQ:
hostname ROUTER-HQ

interface fa0/0
 ip address 10.0.1.1 255.255.255.0
 no shutdown

interface fa0/1
 ip address 192.168.1.9 255.255.255.248
 no shutdown

interface serial0/1/0
 ip address 192.168.1.1 255.255.255.252
 clock rate 2000000
 no shutdown

--------Static Route:

ip route 10.1.1.0 255.255.255.0 192.168.1.2 : option 1
ip route 10.1.1.0 255.255.255.0 se0/1/0     : option 2

ip route 10.2.1.0 255.255.255.0 192.168.1.10
ip route 10.3.1.0 255.255.255.0 192.168.1.11


show ip route : check routing table on this router

2. Router KCM

====================ROUTER KCM:

hostname ROUTER-KCM

interface fa0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
 exit

interface se0/0
 ip address 192.168.1.2 255.255.255.252
 no shutdown

--------Default Route:

ip route 0.0.0.0 0.0.0.0 192.168.1.1


--------Static Route:

ip route 10.0.1.0 255.255.255.0 192.168.1.1
ip route 10.2.1.0 255.255.255.0 192.168.1.1
ip route 10.3.1.0 255.255.255.0 192.168.1.1


3. Router BTB

====================ROUTER BTB:

hostname ROUTER-BTB

interface fa0/0
 ip address 192.168.1.10 255.255.255.248
 no shutdown
 exit

interface fa0/1
 ip address 10.2.1.1 255.255.255.0
 no shutdown


--------Static & Default Route:

ip route 10.3.1.0 255.255.255.0 192.168.1.11
ip route 0.0.0.0 0.0.0.0 192.168.1.9

4. Router SRP

====================ROUTER SRP:

hostname ROUTER-SRP

interface fa0/0
 ip address 192.168.1.11 255.255.255.248
 no shutdown
 exit

interface fa0/1
 ip address 10.3.1.1 255.255.255.0
 no shutdown

--------Static & Default Route:

ip route 10.2.1.0 255.255.255.0 192.168.1.10

option a:
ip route 0.0.0.0 0.0.0.0 192.168.1.9

option b:
ip route 10.0.1.0 255.255.255.0 192.168.1.9
ip route 10.1.1.0 255.255.255.0 192.168.1.9


5. Extended Access Control List Configuration

Requirement 1:
Block laptop 1 (10.0.1.2) in LAN HQ from accessing all laptops
in LAN SRP (10.3.1.0/24); other laptops in LAN HQ are still allowed.

( This can also be done with a standard ACL applied on ROUTER-SRP, close to the
  destination, because a standard ACL can only match the source address:
    ans:    access-list 10 deny host 10.0.1.2
            access-list 10 permit any
            int f0/1
            ip access-group 10 out
)

Extended Access-List

ROUTER HQ:

(formula: access-list acl-id permit/deny protocol1 src-ip dst-ip)

access-list 100 deny   ip host 10.0.1.2 10.3.1.0 0.0.0.255
access-list 100 permit ip any any

======= filter inbound (apply)
interface fa0/0
 ip access-group 100 in

======= filter inbound (remove)

interface fa0/0
 no ip access-group 100 in

no access-list 100

(Unbind the ACL from the interface before deleting it: on IOS an access-group
 that points at an ACL which no longer exists permits all traffic.)

------------------------------

======= filter outbound (apply)

access-list 100 deny ip host 10.0.1.2 10.3.1.0 0.0.0.255
access-list 100 permit ip any any

interface fa0/1
 ip access-group 100 out
==============================================================================

+( add one more entry to acl-id 100: also block the web server 10.0.1.3 from reaching LAN SRP (10.3.1.0/24) )

-->
    RouterHQ(config)# do show access-list
    RouterHQ(config)#ip access-list extended 100
    RouterHQ(config-ext-nacl)#15 deny ip host 10.0.1.3 10.3.1.0 0.0.0.255
==============================================================================
****Remove sequence number 15 from acl-id 100 *********************
--> RouterHQ(config)# do show access-list
    RouterHQ(config)#ip access-list extended 100
    RouterHQ(config-ext-nacl)#no 15
==============================================================================
+( Remove acl-id 100)

--> RouterHQ(config)#no ip access-list extended 100

######################################################

Requirement 2:

Block laptop 2 (10.1.1.2) in LAN KCM from pinging the web server (10.0.1.3),
but it may still use a web browser to reach the web server
and ping laptop 6 (10.3.1.2).
All other traffic from laptop 2 is denied; other hosts are unaffected.

Must apply the ACL on ROUTER KCM (closest to the source).
protocol1 can be: ip, icmp, rip, ospf, eigrp, tcp, udp

ROUTER KCM:

access-list 110 deny icmp host 10.1.1.2 host 10.0.1.3
access-list 110 permit tcp host 10.1.1.2 host 10.0.1.3 eq 80
access-list 110 permit tcp host 10.1.1.2 host 10.0.1.3 eq 443
access-list 110 permit icmp host 10.1.1.2 host 10.3.1.2
access-list 110 deny ip host 10.1.1.2 any
access-list 110 permit ip any any

======= filter outbound (apply)

interface se0/0
 ip access-group 110 out


---------INSERT NEW ACL STATEMENTS INTO THE EXISTING ACL ID 110

Allow laptop 2 (10.1.1.2) in LAN KCM to use a web browser and ping to reach
web server (10.3.1.3) in LAN SRP, and remove its ping access to laptop 6 (10.3.1.2).
(Entries get sequence numbers 10, 20, 30 ... by default; 40 is the permit icmp to 10.3.1.2,
 so the new lines go in at 41 and 42, before the deny at 50.)

ip access-list extended 110
 41 permit icmp host 10.1.1.2 host 10.3.1.3
 42 permit tcp host 10.1.1.2 host 10.3.1.3 eq 80
 no 40


######################################################
Requirement 2:
Block laptop 2 (10.1.1.2) in LAN KCM from ping to web server (10.0.1.3)
But it can use web browser to access web server and ping laptop 6 (10.3.1.2).
Other traffic from laptop 2 denied.

Named ACL: For Requirement 2
(checklaptop2 is the ACL name, used in place of a numeric acl-id)

(config)# ip access-list extended checklaptop2
(config-ext-nacl)# deny icmp host 10.1.1.2 host 10.0.1.3
(config-ext-nacl)# permit tcp host 10.1.1.2 host 10.0.1.3 eq 80
(config-ext-nacl)# permit tcp host 10.1.1.2 host 10.0.1.3 eq 443
(config-ext-nacl)# permit icmp host 10.1.1.2 host 10.3.1.2
(config-ext-nacl)# deny ip host 10.1.1.2 any
(config-ext-nacl)# permit ip any any

(Without the final permit ip any any the implicit deny at the end of the ACL would
 block every other host in LAN KCM as well; the numbered version above ends the same way.)

======= filter outbound (apply)

interface se0/0
 ip access-group checklaptop2 out

---------INSERT NEW ACL STATEMENTS INTO THE EXISTING NAMED ACL:

Allow laptop 2 (10.1.1.2) in LAN KCM to use a web browser and ping to reach
web server (10.3.1.3) in LAN SRP, and remove its ping access to laptop 6 (10.3.1.2).

(config)# ip access-list extended checklaptop2
(config-ext-nacl)# 41 permit icmp host 10.1.1.2 host 10.3.1.3
(config-ext-nacl)# 42 permit tcp host 10.1.1.2 host 10.3.1.3 eq 80
(config-ext-nacl)# no 40



*************** Lesson ********************


Apply Extended Access Control List (ACL):
- Permits or denies traffic flows
- Checks source address, destination address, protocol and (for tcp/udp) port
- acl-id = 100 ---> 199 or 2000 ---> 2699
- Apply it on the router closest to the source (a standard ACL, which matches only
  the source, goes closest to the destination instead)
- Every ACL ends with an implicit deny: anything not explicitly permitted is dropped

Sample config:

Step 1A: create extended acl statements (no port):

(config)# access-list acl-id permit/deny protocol1 src-ip dst-ip

protocol1 can be: ip, icmp, rip, ospf, eigrp, tcp, udp

-ip   : matches every IP protocol (use it for "all traffic")
-icmp : the protocol used by ping (ex: ping 1.1.1.1)
-rip  : a routing protocol

==========
Step 1B: create extended acl statements (with port):

(config)# access-list acl-id permit/deny protocol2 src-ip dst-ip eq port-number

protocol2 can be: tcp, udp

(tcp: application protocols such as ftp, ssh, telnet, smtp, imap4, pop3, http, https ...)
(udp: server protocols such as DNS, SNMP, TFTP, DHCP)

port-number:
3 types of port number:
1) Well-known ports: 0     ---> 1023  : used by servers (e.g. 80: web server)
2) Registered ports: 1024  ---> 49151
3) Dynamic ports:    49152 ---> 65535 : used by clients as source ports

Application Protocol: TCP : Transmission Control Protocol
- FTP (File Transfer Protocol) : 21/tcp (control connection) & 20/tcp (data: upload/download)
- SSH (Secure Shell) and SFTP (SSH File Transfer Protocol) : 22/tcp
- Telnet                       : 23/tcp
- SMTP (Simple Mail Transfer Protocol) : 25/tcp (used to send email)
- IMAP4 (Internet Message Access Protocol) : 143/tcp (used to receive email)
- POP3 (Post Office Protocol)  : 110/tcp (used to receive email)
- HTTP (Hypertext Transfer Protocol) : 80/tcp
- HTTPS (HTTP Secure, HTTP over TLS) : 443/tcp

Application Protocol: UDP : User Datagram Protocol
- DNS (Domain Name System)  : 53/udp
- SNMP (Simple Network Management Protocol) : 161/udp
- TFTP (Trivial File Transfer Protocol) : 69/udp
- DHCP (Dynamic Host Configuration Protocol) : 67/udp (server) & 68/udp (client)

Registered and dynamic port examples:
- RDP (Remote Desktop Protocol) : 3389/tcp
- Lotus Notes email            : 1352/tcp
- TightVNC                     : 5900/tcp

Step 2: apply the extended acl to an interface

(config)# interface name
(config-if)# ip access-group acl-id in/out
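An evaluator for the extended-ACL syntax used in this lesson, as an added Python example (it is not code from this page or from Cisco IOS). It implements wildcard-mask matching, first-match ordering, default sequence numbers in steps of 10, explicit sequence numbers, and the implicit deny, then runs the page's ACL 110 for Requirement 2 and the 41/42/no 40 edit against constructed packets; it also shows what happens to a named ACL that is written without the final permit ip any any. The function and class names, the dict used for an entry and the (proto, src, dst, dport) packet form are this example's own choices.

```python
from ipaddress import ip_address
from typing import Dict, Optional, Tuple

AddrSpec = Tuple[str, str]            # (base address, wildcard mask)
Verdict = Tuple[str, Optional[int]]   # ("permit" | "deny", matching sequence number or None)

# The page's ACL 110 for Requirement 2 (ROUTER KCM), copied verbatim.
ACL_110 = [
    "access-list 110 deny icmp host 10.1.1.2 host 10.0.1.3",
    "access-list 110 permit tcp host 10.1.1.2 host 10.0.1.3 eq 80",
    "access-list 110 permit tcp host 10.1.1.2 host 10.0.1.3 eq 443",
    "access-list 110 permit icmp host 10.1.1.2 host 10.3.1.2",
    "access-list 110 deny ip host 10.1.1.2 any",
    "access-list 110 permit ip any any",
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _parse_addr(tokens, i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> dict:
    """Parse one entry, either 'access-list N <ace>' or a named-ACL line '[seq] <ace>',
    where <ace> is 'permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                       # drop 'access-list 110'
    seq = None
    if tokens[0].isdigit():
        seq, tokens = int(tokens[0]), tokens[1:]
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return {"seq": seq, "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


class ExtendedAcl:
    """First-match evaluation with IOS-style sequence numbers and the implicit deny."""

    def __init__(self, lines=()):
        self.entries: Dict[int, dict] = {}
        for line in lines:
            self.add(line)

    def add(self, line: str) -> int:
        """Append (seq = last + 10, as IOS does) or insert at an explicit sequence number."""
        ace = parse_ace(line)
        if ace["seq"] is None:
            ace["seq"] = max(self.entries) + 10 if self.entries else 10
        self.entries[ace["seq"]] = ace
        return ace["seq"]

    def remove(self, seq: int) -> None:
        """'no <seq>' inside 'ip access-list extended ...'."""
        del self.entries[seq]

    def evaluate(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Verdict:
        """Walk entries in sequence order; the first match decides. No match: implicit deny."""
        for seq in sorted(self.entries):
            e = self.entries[seq]
            if e["proto"] != "ip" and e["proto"] != proto:
                continue
            if not wildcard_match(src, *e["src"]) or not wildcard_match(dst, *e["dst"]):
                continue
            if e["dport"] is not None and e["dport"] != dport:
                continue
            return e["action"], seq
        return "deny", None


if __name__ == "__main__":
    acl = ExtendedAcl(ACL_110)
    print(acl.evaluate("icmp", "10.1.1.2", "10.0.1.3"))        # ('deny', 10)
    acl.add("41 permit icmp host 10.1.1.2 host 10.3.1.3")      # the edit shown on the page
    acl.add("42 permit tcp host 10.1.1.2 host 10.3.1.3 eq 80")
    acl.remove(40)
    print(acl.evaluate("icmp", "10.1.1.2", "10.3.1.2"))        # ('deny', 50)
```

The verdict carries the sequence number that matched, which is the same information "show access-list" gives you through its per-line match counters: if a packet you expected to be permitted reports seq 50, the deny ip host ... any line is catching it before any later permit, and the fix is to insert the permit with a lower sequence number, exactly as the 41/42 edit does.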


******************* Exercise *********************


Requirement 1:

Block laptop X (10.0.1.150) in LAN HQ from accessing all laptops
in LAN BTB (10.2.1.0/24); other laptops in LAN HQ are still allowed.

ROUTER HQ:
????
access-list 100 deny ip host 10.0.1.150 10.2.1.0 0.0.0.255
access-list 100 permit ip any any

======= filter inbound (apply)
???
int f0/0
ip access-group 100 in

======= filter inbound (remove)

???

no access-list 100
int f0/0
no ip access-group 100 in

------------------------------

======= filter outbound (apply)

????

int f0/1
ip access-group 100 out
exit


######################################################

Requirement 2:

Block laptop 5 (10.2.1.3) in LAN BTB from pinging the web server (10.0.1.3) in LAN HQ,
but it may still use a web browser to reach the web server and ping laptop 6 (10.3.1.2).
All other traffic from laptop 5 is denied.

Must apply the ACL on ROUTER BTB.

ROUTER BTB:

???

access-list 199 deny   icmp host 10.2.1.3 host 10.0.1.3
access-list 199 permit tcp  host 10.2.1.3 host 10.0.1.3 eq 80
access-list 199 permit tcp  host 10.2.1.3 host 10.0.1.3 eq 443
access-list 199 permit icmp host 10.2.1.3 host 10.3.1.2
access-list 199 deny   ip   host 10.2.1.3 any
access-list 199 permit ip   any any

======= filter inbound (apply)

???

int f0/1
ip access-group 199 in

---------INSERT NEW ACL STATEMENTS INTO THE EXISTING ACL ID 199

Allow laptop 5 (10.2.1.3) in LAN BTB to use a web browser to reach
web server (10.3.1.3) in LAN SRP, and remove its ping access to laptop 6 (10.3.1.2).

???

RouterBTB(config)#ip access-list extended 199
RouterBTB(config-ext-nacl)#45 permit tcp host 10.2.1.3 host 10.3.1.3 eq 80
RouterBTB(config-ext-nacl)#46 permit tcp host 10.2.1.3 host 10.3.1.3 eq 443
RouterBTB(config-ext-nacl)#no 40


######################################################
Requirement 2:
Block laptop 5 (10.2.1.3) in LAN BTB from pinging the web server (10.0.1.3),
but it may still use a web browser to reach the web server and ping laptop 6 (10.3.1.2).
All other traffic from laptop 5 is denied.

Named ACL: For Requirement 2: remove the numbered ACL 199 above from the interface first,
so that the named ACL is the only one applied.

???

======= filter outbound (apply)

???

---------INSERT NEW ACL STATEMENTS INTO THE EXISTING NAMED ACL:

Allow laptop 5 (10.2.1.3) in LAN BTB to use a web browser to reach
web server (10.3.1.3) in LAN SRP, and remove its ping access to laptop 6 (10.3.1.2).

???
