
Network Address Translation III


In this part we are going to configure Dynamic NAT on our gateway router (R2). We will follow the previously mentioned three steps to achieve this task:
  • Labeling the interfaces
  • Configuring the ACL for hosts
  • Implementing the NAT from global config mode


So here we go; you will see it is not that difficult to implement in practice:

Dynamic NAT Configurations:

Suppose we want to configure Dynamic NAT on R2. For this purpose, we need a pool of global IP addresses that will be dynamically mapped to our local hosts. So we need to buy these addresses from our ISP. Just assume we bought the following IP pool from our ISP:

171.16.10.52 - 171.16.10.56

We will follow the above three steps to implement dynamic NAT on our current network topology:
Step 1:

Labeling the interfaces:

interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside

interface Serial1/0
 ip address 171.16.10.1 255.255.255.0
 ip nat outside

Step 2:
An ACL needs to be created for the local host IPs that we want to translate:

ip access-list standard NAT_IPs
 permit 192.168.3.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255

Step 3:
Once the ACL is created, we need to configure our IP pool and dynamic NAT from global configuration mode:

ip nat pool Global_IP_Pool 171.16.10.52 171.16.10.56 netmask 255.255.255.0
ip nat inside source list NAT_IPs pool Global_IP_Pool

Our pool name is: Global_IP_Pool
ACL name is: NAT_IPs

Some of the other things configured on R2 are a static route to the ISP and RIP:

!
router rip
 passive-interface Serial1/0 (this command is configured to stop RIP advertisements toward our emulated ISP)
 network 171.16.0.0
 network 192.168.1.0
!
ip route 171.16.0.0 255.255.0.0 171.16.10.2
!
!

And we are done with our Dynamic NAT! That was quite easy and simple. Now some other fun commands. To check the NAT translations going on in the network, we just issue the show ip nat translations command on R2 and see the result:

From R1 we ping our ISP:

R1#ping 171.16.10.2 source 192.168.3.1
We get successful ping replies from 171.16.10.2. The source IP was changed on R2 during the ping, as we have configured NAT on R2.

Now let’s see what’s happening on R2:


Our ping request originated from the inside local address 192.168.3.1 and was translated into the inside global address 171.16.10.52. One other interesting command for your geek mind:


I hope that after going through all of the above commands you will have confidence in yourself and see how interesting it is to implement. Just remember one thing: if dynamic NAT is used, we can't reach our local hosts from outside the network, as the router has no translation entry telling it where to route the packets; for this purpose Static NAT is recommended, which we will discuss shortly.

Okay, as an exercise, please practice dynamic NAT with the following requirements:

  • The routing protocol running is EIGRP with AS number 4
  • The IP pool name is CORP-IP
  • The ACL allows only the 192.168.3.0/24 network to be translated
--to be continued--

Network Address Translation II



Static NAT: static NAT is a one-to-one mapping of internal addresses to global IP addresses. In network design, static NAT is best if we are going to host a server inside our network and want it to be reachable from the global Internet.

Some of the terminology of NAT worth remembering:

  • Inside Local: the address of a host inside our network, the one we want to translate
  • Outside Local: the address of an outside host as it appears from inside our network
  • Inside Global: the addresses into which the inside addresses are translated
  • Outside Global: the addresses of outside hosts as seen on the outside
A few more terminologies of NAT:

  • Policy based NAT
  • Port redirection (one to one mapping for a single port, also called Static PAT)
  • NVIs or NAT virtual interfaces (a newer method of NAT configuration in which there is no need for an inside/outside definition on an interface; the NAT table is maintained on a per-interface basis)

I think we have covered enough terminology regarding Network Address Translation; now it's time to practically implement all of the above concepts to get a strong technical grasp of them.

For practical implementation of NAT on a Cisco router, follow these three steps:

  • Designate the interfaces for inside/outside NAT
  • Define an ACL for the local host IPs
  • Implement NAT from the global configuration mode
With VoIP, rewriting the IP header alone is not enough, so for this we have to enable special NAT services to support protocols such as SIP or Skinny. There are also other issues that can arise from changing the IP in a packet: it changes the packet checksum and any addresses carried in the encapsulated data, and hence can break the meaning of the application.

For an interesting demonstration of NAT, please check http://www.cisco.com/image/gif/paws/6450/nat.swf URL.

--to be continued-- 

Network Address Translation Part I


NAT (Network Address translation):

In simple words, NAT is about IP address translation or conversion. This translation can serve two purposes:
  • Translation of Private addresses into Public addresses
  • Translation of internal addresses to avoid duplication or for Topology hiding

As you know, private IP addresses are not routable on the Internet; that's why we need to configure NAT on our gateways to talk to the public Internet. Duplication of addresses can occur if we merge two organizations that both use the same IP plan; in such a case NAT, together with a DNS server, is used to avoid those conflicts. As discussed in VLSM and CIDR, IP address conservation was also one of the main reasons behind the introduction of NAT.


NAT working:



The above diagram explains NAT in its simplest form. NAT is configured on the gateway, and the address translation or mapping takes place there. The global network is unaware of the internal local addresses of our network; that's why NAT is helpful in hiding our network topology.



Types of NAT:

There are three types of NAT commonly used in network design:

  • Dynamic NAT
  • Dynamic NAT with overload (also called PAT: Port Address Translation)
  • Static NAT
While implementing NAT on a router, we first define an ACL (normally a standard access control list) listing the internal IPs that we are going to translate. These addresses are technically called Inside Local addresses. Then we apply our NAT commands in global configuration mode, specifying the list of addresses in our ACL and the public addresses into which we want to translate them. These public addresses are technically called Inside Global addresses.

Dynamic NAT: In dynamic NAT, as the name suggests, the address translation takes place by allocating available public IPs from a pool dynamically. We define a pool of global IP addresses for NAT and then associate this pool with the local IPs to be translated. The translation works until all of the addresses in the pool are consumed by established connections; after that, further hosts cannot be translated until an entry is freed.

Dynamic NAT with overload or PAT: overloading is used to extend the addressing capacity of NAT, and for this magic PAT is used. PAT stands for Port Address Translation, so as the name implies, port numbers are tracked along with the local hosts. At the same time, port numbers are also used with the inside global IP. Via this association, a single global IP can serve around 65000 local host:port pairs! This is better explained by the chart below:


Protocol   Inside Local IP : Port   Inside Global IP : Port
TCP        192.168.3.2:1723         170.16.3.2:1456
TCP        192.168.3.1:1744         170.16.3.2:1098
TCP        192.168.3.10:1764        170.16.3.2:4432

As you can see, we have a single global IP but different port numbers. This table is maintained by the router, and it forwards packets accordingly. Suppose 192.168.3.2:1723 has established a connection to the outside via 170.16.3.2:1456; once any packet is received on this IP (170.16.3.2) with that port number, it is forwarded according to the above table to 192.168.3.2:1723. You must be aware that port numbers are used by a host to establish different connections to the outside world and to keep track of each established connection. Connections to a web server on port 80 would look like:

Inside Global IP : Port   Outside Global IP : Port
170.16.3.2:1456           173.194.23.4:80
170.16.3.2:1098           173.194.23.4:80
170.16.3.2:4432           173.194.23.4:80
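To make the two tables above concrete, here is a small Python model of the translation table a gateway keeps. This is an added example, not code from the blog: the pool 171.16.10.52 - 171.16.10.56, the inside hosts and the global IP 170.16.3.2 are constructed to match the posts. It covers dynamic NAT (one pool address per inside host, and what happens when the pool is exhausted or an inbound packet has no entry, the caveat from part III) and PAT overload (many host:port pairs behind one global IP, told apart by port). The port-picking rule (keep the source port if free, else the lowest free port) is a simplification of what a real router does.

```python
from typing import Dict, List, Optional, Tuple

# Constructed pool matching the blog's example (171.16.10.52 - 171.16.10.56).
POOL = [f"171.16.10.{i}" for i in range(52, 57)]


class DynamicNat:
    """Dynamic NAT: each inside-local IP borrows one inside-global IP from the pool.
    The mapping exists only while the entry is in the table; an inbound packet for
    an inside-global address with no entry has nowhere to go and is dropped."""

    def __init__(self, pool: List[str]) -> None:
        self.free = list(pool)
        self.table: Dict[str, str] = {}     # inside local  -> inside global
        self.reverse: Dict[str, str] = {}   # inside global -> inside local

    def outbound(self, inside_local: str) -> Optional[str]:
        """Translate a packet leaving the inside interface; None means dropped."""
        if inside_local in self.table:
            return self.table[inside_local]
        if not self.free:
            return None                     # pool exhausted
        inside_global = self.free.pop(0)
        self.table[inside_local] = inside_global
        self.reverse[inside_global] = inside_local
        return inside_global

    def inbound(self, inside_global: str) -> Optional[str]:
        """Reverse lookup for a packet arriving on the outside interface."""
        return self.reverse.get(inside_global)

    def clear(self, inside_local: str) -> None:
        """Entry timed out (or was cleared by hand): return the address to the pool."""
        inside_global = self.table.pop(inside_local, None)
        if inside_global is not None:
            del self.reverse[inside_global]
            self.free.append(inside_global)


class Pat:
    """PAT / NAT overload: many inside host:port pairs share one inside-global IP
    and are told apart by the translated source port."""

    def __init__(self, global_ip: str, first_port: int = 1024, last_port: int = 65535) -> None:
        self.global_ip = global_ip
        self.first_port, self.last_port = first_port, last_port
        self.table: Dict[Tuple[str, str, int], int] = {}            # (proto, local ip, local port) -> global port
        self.reverse: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (proto, global port) -> (local ip, local port)

    def _pick_port(self, proto: str, wanted: int) -> Optional[int]:
        # Keep the original source port while it is free; otherwise the lowest free port.
        if self.first_port <= wanted <= self.last_port and (proto, wanted) not in self.reverse:
            return wanted
        for port in range(self.first_port, self.last_port + 1):
            if (proto, port) not in self.reverse:
                return port
        return None                         # every port in the range is in use

    def outbound(self, proto: str, local_ip: str, local_port: int) -> Optional[Tuple[str, int]]:
        key = (proto, local_ip, local_port)
        if key in self.table:
            return (self.global_ip, self.table[key])
        port = self._pick_port(proto, local_port)
        if port is None:
            return None
        self.table[key] = port
        self.reverse[(proto, port)] = (local_ip, local_port)
        return (self.global_ip, port)

    def inbound(self, proto: str, global_port: int) -> Optional[Tuple[str, int]]:
        return self.reverse.get((proto, global_port))


def dynamic_nat_demo():
    """Six inside hosts against a five-address pool, then a timed-out entry."""
    nat = DynamicNat(POOL)
    out = [nat.outbound(f"192.168.3.{i}") for i in range(1, 7)]   # sixth host gets None
    reply = nat.inbound("171.16.10.52")        # reply to the first host finds its entry
    nat.clear("192.168.3.1")                   # entry ages out
    stale = nat.inbound("171.16.10.52")        # None: unsolicited inbound, no entry, dropped
    return out, reply, stale


def pat_demo():
    """The three sessions from the chart plus a fourth that collides on port 1723."""
    pat = Pat("170.16.3.2")
    sessions = [("tcp", "192.168.3.2", 1723), ("tcp", "192.168.3.1", 1744),
                ("tcp", "192.168.3.10", 1764), ("tcp", "192.168.3.5", 1723)]
    rows = [(s, pat.outbound(*s)) for s in sessions]
    back = pat.inbound("tcp", 1723)            # ('192.168.3.2', 1723)
    return rows, back, pat.inbound("tcp", 2000)   # last is None: no such entry


if __name__ == "__main__":
    print(dynamic_nat_demo())
    print(pat_demo())
```

Running it shows the sixth host getting no translation once the pool is empty, the reply for a cleared entry being dropped, and the fourth PAT session being moved to port 1024 because 1723 was already taken on the shared global address.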


--To be continued--

Network Security, A short overview


Introduction


There is no such thing as a secure network! Once we are connected to a network, we are not 100% safe; there is no such thing as 100% security. Each year millions of dollars are lost to different sorts of network exploits and vulnerabilities. Attackers and attack technologies have become so sophisticated that at any instant we can become a victim of identity theft: our sensitive information could be stolen, our credit card could be hacked, or someone could use our social security number.

According to the recent FORTINET report on cybercrime for 2013, "Gone are the days when cybercrime was tantamount to teenage miscreants causing mischief in their parents' basement. Today, as any commercial enterprise, cybercrime has evolved into a complex, highly organized hierarchy involving leaders, engineers, infantry, and hired money mules". So network engineers are facing more complex challenges as both the problems and the systems grow in complexity. With each year, the number of security breaches of high-profile networks is increasing; one recent example is Stuxnet, which attacked the SCADA systems of an Iranian atomic plant. Viruses like Stuxnet/Duqu (a Stuxnet-like virus) are so sophisticated that they can take control of automated industrial systems and power grids, and hence can cause unimaginable damage. In this research paper we will cover the following areas of network security:
  • Critical Infrastructure Protection
  • Wireless Sensor Network Security
  • Secure and Trustworthy Composite Services

A comprehensive overview of different approaches to the above security methodologies is given. Our major focus is on Critical Infrastructure Protection. In the modern world, no company can afford to build a network like Fort Knox, but if proper precautions are taken, real damage can be avoided.

 

Critical Infrastructure Protection

According to US Homeland Security Presidential Directive HSPD-7, CIP (Critical Infrastructure Protection) covers all the systems that are "so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety." Critical infrastructure includes all the physical and virtual systems that form the backbone of a country's survival, protection and progress. These are such critical elements that they are usually attacked during wars to cripple a country. A virus attack on an atomic power plant can have a blazing impact on a country, enough to send a nation back to the stone age. Critical infrastructure includes:

  • Atomic Assets
  • Banking/Finance
  • Department of Energy
  • Emergency Services/Fire departments
  • Transportation
  • Space/Logistics/Defense Industries

In the past most physical infrastructures were totally isolated, but advances in technology and communications have increased their interconnectedness. This interconnectedness has opened many new frontiers of cyber attacks and vulnerabilities never seen before. The well-known DoD critical infrastructure protection model is:

  1. Analysis and Assessment
  2. Remediation
  3. Indications and Warning
  4. Mitigation
  5. Incident response
  6. Reconstitution


 to be continued... 




Static to Dynamic IPsec configuration


!
ip subnet-zero
!

!--- These are the IKE policies.

crypto isakmp policy 1

!--- Defines an Internet Key Exchange (IKE) policy.
!--- Use the crypto isakmp policy command
!--- in global configuration mode.
!--- IKE policies define a set of parameters to be used
!--- during the IKE phase I negotiation.

 hash md5
 authentication pre-share

!--- Specifies pre-shared keys as the authentication method.

crypto isakmp key Chris123 address 165.228.212.83

!--- Configures a pre-shared authentication key,
!--- used in global configuration mode.

!

!--- These are the IPSec policies.

crypto ipsec transform-set rtpset esp-des esp-md5-hmac

!--- A transform set is an acceptable combination
!--- of security protocols and algorithms.
!--- This command defines a transform set
!--- that has to be matched on the peer router.

!
crypto map rtp 1 ipsec-isakmp

!--- Creates a crypto map and indicates that IKE will be used
!--- to establish the IPSec SAs for protecting
!--- the traffic specified by this crypto map entry.


 set peer 165.228.212.83

!--- Use the set peer command to specify an IPSec peer in a crypto map entry.

 set transform-set rtpset

!--- Configure IPSec to use the transform set "rtpset"
!--- that was defined previously.

 match address 115
 exit

!--- Include the private-network-to-private-network traffic
!--- in the encryption process.

interface Ethernet 0
 description --- Ethernet LAN ---
 ip address 192.168.0.254 255.255.255.0

 ip virtual-reassembly
 ip tcp adjust-mss 1420

!
!
ip dhcp excluded-address 192.168.0.251 192.168.0.254
!
ip dhcp pool lan
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254
 dns-server 192.168.0.254
 lease infinite

interface ATM0
 description --- Telsra ADSL ---
 no ip address
 no shutdown
 no atm ilmi-keepalive
 pvc 8/35
  tx-ring-limit 3
  encapsulation aal5snap
  pppoe-client dial-pool-number 1


interface Dialer0
 description --- Telsra ADSL ---
 ip address negotiated
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1420
 dialer pool 1
 dialer-group 1
 ppp chap hostname tareet0@direct.telsra.net
 ppp chap password 233981
 crypto map rtp

ip nat inside source list NAT interface Dialer0 overload

ip nat inside source route-map nonat interface Dialer0 overload
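The three NAT steps from the dynamic NAT post (interface labels, ACL, pool and inside-source statement) and the IKE/IPsec policy lines in the configuration above are easy to get subtly wrong, and a misconfiguration is silent: nothing gets translated, or the tunnel comes up with weak algorithms. The following Python checker is an added example, not the blog's or Cisco's code. It parses an IOS-style configuration into top-level commands with their indented sub-commands and reports missing NAT prerequisites, an overly broad NAT ACL, and weak IKE or transform-set choices. The two sample configurations are constructed from the snippets on this page; the lists of weak tokens and the message wording are my own.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample, assembled from the NAT and IPsec snippets in the posts above.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
interface Serial1/0
 ip address 171.16.10.1 255.255.255.0
 ip nat outside
ip access-list standard NAT_IPs
 permit 192.168.3.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
ip nat pool Global_IP_Pool 171.16.10.52 171.16.10.56 netmask 255.255.255.0
ip nat inside source list NAT_IPs pool Global_IP_Pool
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
"""

# Constructed config containing the mistakes the checker is meant to catch.
BROKEN_CONFIG = """\
interface FastEthernet0/0
 ip nat inside
ip access-list standard NAT_IPs
 permit any
ip nat inside source list NAT_IPs pool Missing_Pool
"""

# Settings that should not appear in a new IKE policy or transform set.
WEAK_ISAKMP = {"hash md5", "encryption des", "encryption 3des", "group 1", "group 2"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (top-level command, [indented sub-commands]).
    Blank lines and '!' comment lines are skipped."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " " and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint(config: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings: List[str] = []
    inside = outside = False
    acls: Dict[str, List[str]] = {}
    pools: Set[str] = set()
    nat_statements: List[List[str]] = []

    for head, body in parse_blocks(config):
        words = head.split()
        if head.startswith("interface "):
            inside = inside or "ip nat inside" in body
            outside = outside or "ip nat outside" in body
        elif head.startswith("ip access-list standard "):
            acls[words[-1]] = body
        elif head.startswith("ip nat pool "):
            pools.add(words[3])
        elif head.startswith("ip nat inside source list "):
            nat_statements.append(words)
        elif head.startswith("crypto isakmp policy "):
            for line in body:
                if line in WEAK_ISAKMP:
                    findings.append(f"{head}: weak setting '{line}'")
            if not any(line.startswith("encryption ") for line in body):
                findings.append(f"{head}: no explicit encryption line, relies on the platform default")
        elif head.startswith("crypto ipsec transform-set "):
            for token in words[4:]:          # words[3] is the set name, the rest are transforms
                if token in WEAK_TRANSFORMS:
                    findings.append(f"{head}: weak transform '{token}'")

    # Step 1: both sides must be labelled or nothing is translated.
    if not inside:
        findings.append("no interface labelled 'ip nat inside'")
    if not outside:
        findings.append("no interface labelled 'ip nat outside'")

    # Steps 2 and 3: the inside-source statement must point at an existing ACL and pool,
    # and the ACL should name the inside LANs rather than 'any'.
    for words in nat_statements:
        acl = words[5]
        if acl not in acls:
            findings.append(f"NAT references ACL {acl} which is not defined")
        elif any(line.split() == ["permit", "any"] for line in acls[acl]):
            findings.append(f"ACL {acl} permits any: every source, not just the inside LANs, would be translated")
        if "pool" in words:
            pool = words[words.index("pool") + 1]
            if pool not in pools:
                findings.append(f"NAT references pool {pool} which is not defined")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, *lint(cfg), sep="\n  ")
```

On the sample built from this page the NAT checks pass and the findings are the MD5 hash, the DES/MD5 transforms and the missing explicit encryption line; on the broken sample it reports the missing outside label, the `permit any` ACL and the undefined pool. Feed it the output of `show running-config` saved to a file to run it against a real device.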

MY CCNA LAB in GNS3

The above lab is created in GNS3 to practice almost all of the concepts. I have used C2691 and 7200 series routers. To get the topology files, please drop me your email id in the comments box; I will reply as soon as possible. Thanks