Sunday, April 17, 2011

Lesson 51 - Network Address Translation Part 1

Why NAT?
In the 1990s we observed an exponential growth in the number of users connecting to a global network called the Internet. As of today, there are billions of people in this global village. The problem is that the designers of the TCP/IP protocol suite did not anticipate this. With the 32-bit IP address that was used originally we could allocate more than 4 billion unique identifiers. Clearly, this is not enough today, with billions of devices using the public network.

In February 1996 the RFC 1918 document was published. In it, some IP address ranges were reserved as what is known as PRIVATE ADDRESS SPACE. The reserved ranges are as follows:
  • 10.0.0.0 - 10.255.255.255  (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255  (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Private Address Space is used in our local networks (home, work, etc.) and cannot be used as a public IP address range. This scope is sometimes referred to as non-routable addresses. This does NOT mean that routers cannot use them to route packets. It means that these addresses should never appear as a source or destination on the Internet (unless this is some form of attack or misconfiguration).

What is NAT?
Network Address Translation is a technique in which the EDGE router (the one connected to both your ISP (Internet Service Provider) and your LAN) removes the original SOURCE address in the IP header (private range - RFC 1918) and replaces it with a legitimate, unique, public one leased to us by the ISP while sending packets towards the Internet. However, it is smart enough to keep this information in a special database called the NAT table. When the reply comes back, the SOURCE and DESTINATION addresses are reversed in the IP header. Once the packet reaches our EDGE router, it uses the right entry in the NAT table to swap the destination IP PUBLIC address (which represented our computer) back to its PRIVATE address.

If it sounds a little vague right now, do not worry since in my next post I will show you this operation step by step using some graphics.

NAT Terminology
If you want to fully understand this technique, you must first understand the terminology it uses. The official terms can be found on the Cisco web site:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094837.shtml

Look at the below picture I'm going to use in the NAT section of this tutorial.

Pic. 1 - NAT Topology
Icons designed by: Andrzej Szoblik - http://www.newo.pl

What you are looking at is two companies (ABC and XYZ) connected to the Internet represented by R3 here. In real life this cloud consists of many routers belonging to different ISPs.

Computers are connected to the LAN and in both cases (I did this on purpose) use the same range of private addresses (192.168.1.0/24). Of course they could use any of the ranges listed in RFC 1918.

R1's Serial0/1 interface uses 1.1.13.1, and R2 uses the 1.1.12.2 address. Neither is in the PRIVATE ranges, so they are PUBLIC or legitimate ones (my apologies if I used somebody's real, public addresses here. They are only used for educational purposes).

When using the NAT technique you must be able to name them properly as per the Cisco article above. Let's assume that we work for the ABC company and we look at all addresses from this standpoint (this is critical). Here's what they are as per Pic. 1:

ABC Company
  • INSIDE LOCAL - address inside your LAN, before translation. In our example this would be our 192.168.1.0 (ABC) address.
  • INSIDE GLOBAL - address used on the router's interface facing the Internet. GLOBAL means that it is a legitimate, globally unique address. These are provided by the ISP or a Network Information Center (RIPE in Europe, ARIN in the US, etc.). In the example this would be the 1.1.13.1 address.
  • OUTSIDE GLOBAL - address which is also globally unique (like inside global), but is leased to another company, not us (remember? We're ABC here). In this example this would be 1.1.12.2.
  • OUTSIDE LOCAL - address of the outside host as it appears to our local hosts. Typically in the NAT table we see them as OUTSIDE GLOBAL addresses. Our R1 router will never see XYZ company's 192.168.1.0 scope since it will be translated into a public IP before XYZ sends packets towards the Internet.
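The translation described above and the four terms just listed, as an added Python model (not code from the original post): the edge router swaps the private SOURCE for an inside global address on the way out, records the row in a NAT table, and on the reply uses that row to swap the DESTINATION back. It assumes a constructed pool of inside global addresses, one per inside host (no port overloading), and that the outside local address equals the outside global one because nothing is translated on the outside.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1918 private address space, as listed in the post
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr: str) -> bool:
    """True when addr falls inside RFC 1918 private address space."""
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class EdgeRouter:
    """ABC's edge router (R1 in Pic. 1). The pool of inside global addresses
    is a constructed assumption; the post shows a single one, 1.1.13.1."""

    def __init__(self, inside_global_pool: List[str]):
        self.free = list(inside_global_pool)
        # NAT table rows: (inside local, inside global, outside global)
        self.table: List[Tuple[str, str, str]] = []

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet: replace the private SOURCE with an inside global address."""
        if not is_private(pkt.src):
            return pkt                        # already public: nothing to translate
        held = [g for local, g, _ in self.table if local == pkt.src]
        if held:
            inside_global = held[0]           # this host already holds a public address
        elif self.free:
            inside_global = self.free.pop(0)
        else:
            return None                       # pool exhausted: the router drops the packet
        row = (pkt.src, inside_global, pkt.dst)
        if row not in self.table:
            self.table.append(row)
        return Packet(inside_global, pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: the reply carries src=outside global, dst=inside global;
        find the matching row and swap the DESTINATION back to the inside local."""
        for inside_local, inside_global, outside_global in self.table:
            if pkt.dst == inside_global and pkt.src == outside_global:
                return Packet(pkt.src, inside_local)
        return None                           # no matching entry: dropped
```

A reply that matches no table row is dropped, which is the everyday reason unsolicited connections from the Internet never reach a host behind NAT.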

If you want to read a more in-depth description of the terminology, please read the Cisco article linked in this post.

This concludes the introduction to NAT. In my next post, we will inspect step-by-step the process of NAT on the router.

Sunday, April 3, 2011

Lesson 50 - Extended ACL Examples

Try to think of this post as your opportunity to put extended ACLs into practice. Do not look at the solutions, which are presented at the end of this post. Try to accomplish the tasks using the IOS help ('?'). If you find this difficult, you can look at the solutions and watch the videos I posted on Youtube. ACL-related video links can be found at the bottom of this post.

The last video shows the syntax and benefits of using Named ACLs. Once you get to know named ACLs, you will not want to use numbered ones.

Look at this simple topology below first. Then

Pic. 1 - Topology Diagram.

Icons designed by: Andrzej Szoblik - http://www.newo.pl

Extended ACL Lab

Assumptions
You are in charge of the R1 and R2 routers. R3 belongs to your Service Provider network (SP) and simulates the Internet in our examples. If you want to enable HTTP access on the router, type in 'config' mode:
ip http server

Static routing has been configured between routers.

Task 1
Configure an access-list that blocks TELNET to R1 and all devices behind it (R2) if the traffic originates from the Internet (here: SP). All other traffic should be permitted.

Task 2
On R1 remove the previous ACL and configure a new one allowing only HTTP access to 172.16.102.0/24 if the traffic originates from the Internet (here: SP). All other traffic should be discarded.

Task 3
On R1 remove the previously configured access-list. Instead, allow only the returning HTTP traffic from 172.16.102.0/24 towards any destination. All other traffic from 172.16.102.0/24 should be discarded.

Task 4
Remove the previously configured ACL. Configure an access-list that blocks TELNET/SSH traffic to R1 if the traffic originates from the 10.1.13.3 address. Use a standard ACL.

Extended ACL Lab - Solutions


Task 1
Configure an access-list that blocks TELNET to R1 and all devices behind it (R2) if the traffic originates from the Internet (here: SP). All other traffic should be permitted.

R1 Configuration:
!
R1(config)#access-list 100 deny tcp  any any eq telnet
R1(config)#access-list 100 permit ip any any
R1(config)#int s0/1
R1(config-if)#ip access-group 100 in
R1(config-if)#end
R1#
!

Verification:
Pic. 2 - Ping from R3.

Pic. 3 - Telnet Test from R3.

Pic. 4 - ACL Statistics.

Task 2
On R1 remove the previous ACL and configure a new one allowing only HTTP access to 172.16.102.0/24 if the traffic originates from the Internet (here: SP). All other traffic should be discarded.

R1 Configuration:
!
R1(config)#no access-list 100
R1(config)#int s0/1
R1(config-if)#no ip access-group 100 in
R1(config-if)#exit
R1(config)#
R1(config)#access-list 101 permit tcp any host 172.16.102.2 eq www
R1(config)#int s0/1
R1(config-if)#ip access-group 101 in
R1(config-if)#
!

Notice!
There is an implicit 'deny all' at the end of every ACL, which is why I do not have to add a 'deny ip any any' statement.

Verification:
Pic. 5 - ACL Test.

Notice!
I got a connection to port 80 and terminated the session using a GET command. In order for the router to accept incoming connections on TCP 80 (WWW), you must type the following command in 'config' mode:
ip http server


Task 3
On R1 remove the previously configured access-list. Instead, allow only the returning HTTP traffic from 172.16.102.0/24 towards any destination. All other traffic from 172.16.102.0/24 should be discarded.

R1 Configuration (one way of accomplishing the goal):
!
R1(config)#int s0/1
R1(config-if)#no ip access-group 101 in
R1(config-if)#exit
R1(config)#no access-list 101
R1(config)#
R1(config)#access-list 102 permit tcp 172.16.102.0 0.0.0.255 eq 80 any
R1(config)#int f1/0
R1(config-if)#ip access-group 102 in
R1(config-if)#
!

Task 4
Remove the previously configured ACL. Configure an access-list that blocks TELNET/SSH traffic to R1 if the traffic originates from the 10.1.13.3 address. Use a standard ACL.
R1 Configuration:
!
R1(config)#int f1/0
R1(config-if)#no ip access-group 102 in
R1(config-if)#exit
R1(config)#no access-list 102
R1(config)#
R1(config)#access-list 1 deny host 10.1.13.3
R1(config)#access-list 1 permit any        
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#access-class 1 in
R1(config-line)#exit
R1(config)#
!

Notice!
Because I forgot to mention this little trick in my Standard ACL post, here it is. A standard ACL can be used to block traffic to the VTY lines (remote access). The ACL is applied using the access-class statement.

Pic. 6 - Verification.


Notice!
Changing the source of my TELNET (lo0=172.16.103.3) allows me to login.
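As an added Python model (not code from the original post), here is how IOS reads the four numbered ACLs in the solutions above: wildcard masks, 'eq' ports, first-match order, standard ACLs matching on source only, and the implicit deny mentioned in the Notice under Task 2. It assumes the named ports telnet, ssh and www map to 23, 22 and 80, and takes the packet fields as plain arguments.

```python
import ipaddress
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}
ANY = ipaddress.ip_network("0.0.0.0/0")
# ACL entry: (action, proto, src net, src port, dst net, dst port); a None port means any
Entry = Tuple[str, str, ipaddress.IPv4Network, Optional[int], ipaddress.IPv4Network, Optional[int]]

def _addr(tok: List[str]) -> Tuple[ipaddress.IPv4Network, Optional[int]]:
    """Consume 'any' | 'host A' | 'A wildcard', then an optional 'eq port'."""
    word = tok.pop(0)
    if word == "any":
        net = ANY
    elif word == "host":
        net = ipaddress.ip_network(tok.pop(0) + "/32")
    else:                               # IOS wildcard: 0 bits must match, 1 bits are ignored
        wild = tok.pop(0)
        net = ipaddress.ip_network(f"{word}/{'32' if wild == '0.0.0.0' else wild}", strict=False)
    port = None
    if tok[:1] == ["eq"]:
        port = PORT_NAMES.get(tok[1]) or int(tok[1])
        del tok[:2]
    return net, port

def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny ...' lines; numbers 1-99 are standard ACLs."""
    acl = []
    for line in lines:
        tok = line.split()[1:]          # drop the 'access-list' keyword
        number, action = int(tok.pop(0)), tok.pop(0)
        if number <= 99:                # standard ACL: matches on source address only
            acl.append((action, "ip", _addr(tok)[0], None, ANY, None))
        else:                           # extended ACL: protocol, source, destination
            proto = tok.pop(0)
            src, sport = _addr(tok)
            dst, dport = _addr(tok)
            acl.append((action, proto, src, sport, dst, dport))
    return acl

def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             sport: int = 0, dport: int = 0) -> str:
    """First matching entry wins; the implicit deny at the end catches everything else."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in acl:
        if (p in ("ip", proto) and s in snet and d in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"
```

Feeding the Task 3 list a packet whose source port is not 80 shows why that ACL only admits replies from the web server and nothing else the LAN originates.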

If you want a guided tour through the solutions, please click the links below. The last two videos will add extra tools to your toolbelt. I hope you'll find them useful as well.



In my next post, I'll attempt to explain Network Address Translation (NAT), which you must be familiar with at CCNA level (as of the time of posting this).
