From: Victor Cappuccio (vcappuccio@ccbootcamp.com)
Date: Sat Aug 11 2007 - 22:45:58 ART
Hi Gossip,
I am very sorry for this long post; this is just an extract of the new
CCBOOTCAMP WB.
Topology:
<CCbootcamp/CCoRBiter-128.1.0.0/16-II.-Saturn.-LabVIII-- f0/1 R4 f0/0>--- BB1
** Create the Loopback 4 interface on R4 with the IP address of 172.16.1.4/24.
Do not advertise this network into any routing protocol.
This is the main step in the NAT configuration. No other router in our network knows how to reach R4's Loopback 4 network, yet according to this step we need to be able to source a ping from R4's Loopback 4 network, destined for any one of the network's interfaces, and have it be successful.
R4(config)#int lo4
R4(config-if)#ip add 172.16.1.4 255.255.255.0
R4(config-if)#^Z
The best way to look at this is that R4's Lo4 (172.16.1.4/24) network is our local network. It is our inside network that will be the source of the ping. No one in the outside network (all other routers) knows about our inside address. So our inside source address is what we will need to translate into an address that the outside network understands and knows how to reach.
We have f0/0, which has an outside network address on it, 211.1.114.4/24; this network is reachable by all other routers in the network. We only have a single inside address that we need to translate. We need to translate our 172.16.1.4 Loopback 4 address into an IP that is routable in the rest of the outside network. Since we have only a single address that needs to be translated, we are going to do a static NAT translation. We will translate our 172.16.1.4 inside source address to the outside address of 211.1.114.4.
To set up the NAT we need to specify an inside interface, an outside interface, and configure our translation statement. The NAT translation will only occur if the packet is sourced from the inside interface and is going out the outside interface.
First we will assign our inside NAT interface. Our inside network is on Loopback 0, so that will be our inside NAT interface.
R4#conf ter
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#interface Loopback4
R4(config-if)# ip nat inside
We then need to specify our outside NAT interface. We are going to translate our inside source address to f0/0 IP address of 211.1.114.4. Our translation will only occur if the packet sourced from our inside NAT interface, Loopback 4, is going out this interface. So our f0/0 interface is going to be our outside NAT interface.
R4(config-if)#interface f0/0
R4(config-if)#ip nat outside
Finally we need to do our static NAT translation. We are going to translate our inside source address of 172.16.1.4 to the outside address of 211.1.114.4; this is a one-to-one translation.
ip nat inside source static 172.16.1.4 211.1.114.4
We can check that our static translation is taking place by issuing the show ip nat translations command on R4.
R4#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 211.1.114.4        172.16.1.4         ---                ---
We can then test our NAT by doing an extended PING on R4, sourcing the PING from the Loopback 4 address.
R4#ping 211.1.114.1 so lo4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 211.1.114.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R4#
*Aug 12 01:21:31.441: NAT: i: icmp (172.16.1.4, 4) -> (211.1.114.1, 4) [20]
*Aug 12 01:21:31.441: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [20]
*Aug 12 01:21:31.445: NAT*: o: icmp (211.1.114.1, 4) -> (211.1.114.4, 4) [20]
*Aug 12 01:21:31.445: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [20]
*Aug 12 01:21:31.445: NAT: i: icmp (172.16.1.4, 4) -> (211.1.114.1, 4) [21]
*Aug 12 01:21:31.445: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [21]
*Aug 12 01:21:31.445: NAT*: o: icmp (211.1.114.1, 4) -> (211.1.114.4, 4) [21]
*Aug 12 01:21:31.445: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [21]
*Aug 12 01:21:31.445: NAT: i: icmp (172.16.1.4, 4) -> (211.1.114.1, 4) [22]
*Aug 12 01:21:31.449: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [22]
*Aug 12 01:21:31.449: NAT*: o: icmp (211.1.114.1, 4) -> (211.1.114.4, 4) [22]
*Aug 12 01:21:31.449: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [22]
*Aug 12 01:21:31.449: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [23]
*Aug 12 01:21:31.453: NAT*: o: icmp (211.1.114.1, 4) -> (211.1.114.4, 4) [23]
*Aug 12 01:21:31.453: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [23]
*Aug 12 01:21:31.453: NAT: i: icmp (172.16.1.4, 4) -> (211.1.114.1, 4) [24]
*Aug 12 01:21:31.453: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [24]
*Aug 12 01:21:31.453: NAT*: o: icmp (211.1.114.1, 4) -> (211.1.114.4, 4) [24]
*Aug 12 01:21:31.453: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [24]
** Lo4 would be used as a DMZ; your pod network would be considered the internal network and the connection to BB1 the external network. Configure content-based access control (CBAC) to secure an internal network and allow limited outside access to a DMZ.
You need to implement a rock-solid firewall on its border router (R4). You are to secure its internal segment, 128.1.0.0/16, so that outside hosts cannot initiate a session with inside hosts. Furthermore, you are to secure the DMZ so that outside hosts can access the public services there, but only if the outside hosts initiate the session. To prevent sophisticated attacks, no connections should be allowed to initiate from the DMZ.
Configure access lists on R4 to protect the internal network. Issue the following commands:
R4#conf ter
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#access-list 101 permit ip 128.1.0.0 0.0.255.255 any
R4(config)#access-list 101 deny ip any any
R4(config)#interface fastethernet 0/1
R4(config-if)#ip access-group 101 in
This access list 101 might at first appear unnecessary. But in a secure network that uses CBAC, it is important to explicitly specify what traffic an interface should accept. In this case, you expect FastEthernet 0/1 to accept traffic sourced from the internal network (128.1.0.0/24). Although the deny any any is implicit, many administrators find it useful to include an explicit entry so that this statement will show up in the running configuration and in show ip access-lists command output.
Next, you must configure an outbound access list on FastEthernet 0/1. Traffic leaving this interface will be traffic originating from either the DMZ or the External network, so this access list must protect the internal network.
Start configuring this list by allowing ICMP traffic, which internal hosts will require to make network management and troubleshooting easier. By permitting ICMP echo replies and other select traffic, you let your internal hosts receive important ICMP error messages from beyond their local network.
R4#conf ter
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#access-list 102 permit icmp any any administratively-prohibited
R4(config)#access-list 102 permit icmp any any echo-reply
R4(config)#access-list 102 permit icmp any any packet-too-big
R4(config)#access-list 102 permit icmp any any time-exceeded
R4(config)#access-list 102 permit icmp any any unreachable
R4(config)#access-list 102 deny ip any any
R4(config)#interface fastethernet 0/1
R4(config-if)#ip access-group 102 out
R4(config-if)#^Z
Access list 102 effectively blocks all traffic from exiting FastEthernet 0/1 onto the internal network, except for the ICMP messages. Verify that the access lists have taken effect.
Let's configure the DMZ's inbound access list on R4:
R4#conf ter
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)# access-list 116 permit ip 211.1.114.0 0.0.0.255 any
R4(config)# access-list 116 deny ip any any log
R4(config)# interface lo4
R4(config-if)# ip access-group 116 in
A good way to troubleshoot a firewall implementation is to log every denied packet to see what could be good or wrong. Again, you have used this simple list to specify the only permissible traffic that can enter R4 FastEthernet 0/0.
Now configure the outbound access list for FastEthernet 0/0. This list will filter traffic originating from the internal network and the Internet. Assume for this lab that the loopback of R4 is an Internet server that provides Web, FTP, and SMTP (mail) in the DMZ.
R4(config)#access-list 112 permit tcp any host 211.1.114.4 eq ftp
R4(config)#access-list 112 permit tcp any host 211.1.114.4 eq smtp
R4(config)#access-list 112 permit tcp any host 211.1.114.4 eq www
R4(config)#interface lo4
R4(config-if)#ip access-group 112 out
After you configure the DMZ and internal access lists, you can now focus on the external interface (f0/0), which represents the greatest security threat.
access-list 151 deny ip 211.1.114.4 0.0.0.0 any
access-list 151 permit ip any any

interface f0/0
 ip access-group 151 in
Now configure the outbound list for R4 F0/0.
R4(config)#access-list 152 permit icmp any any echo-reply
R4(config)#access-list 152 permit icmp any any time-exceeded
R4(config)#access-list 152 deny ip 128.1.0.0 0.0.255.255 any
R4(config)#access-list 152 permit ip any any
R4(config)#
R4(config)#interface f0/0
R4(config-if)#ip access-group 152 out
CBAC on R4:
R4(config)#ip inspect name SATURNVIII ftp
R4(config)#ip inspect name SATURNVIII http
R4(config)#ip inspect name SATURNVIII smtp
R4(config)#ip inspect name SATURNVIII sqlnet
R4(config)#ip inspect name SATURNVIII tcp
R4(config)#ip inspect name SATURNVIII icmp
Here we are creating a CBAC inspect list called SATURNVIII. The main work of this inspect list is to match on sessions for common application protocols.
R4(config)#interface fastethernet 0/1
R4(config-if)#ip inspect SATURNVIII in
R4(config-if)#interface f0/0
R4(config-if)#ip inspect SATURNVIII in
R4# show ip inspect al
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name SATURNVIII
    ftp alert is on audit-trail is off timeout 3600
    http alert is on audit-trail is off timeout 3600
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600
    sqlnet alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10

Interface Configuration
 Interface FastEthernet0/1
  Inbound inspection rule is SATURNVIII
    ftp alert is on audit-trail is off timeout 3600
    http alert is on audit-trail is off timeout 3600
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600
    sqlnet alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is 101
  Outgoing access list is 102
 Interface FastEthernet0/0
  Inbound inspection rule is SATURNVIII
    ftp alert is on audit-trail is off timeout 3600
    http alert is on audit-trail is off timeout 3600
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600
    sqlnet alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is 151
  Outgoing access list is 152
So let's test our little beast here:
R4#deb ip nat de
IP NAT detailed debugging is on
R4#deb ip inspect icmp
INSPECT ICMP Inspection debugging is on
R4#
rack9>11
[Resuming connection 11 to bb1 ... ]
BB1#ping 211.1.114.4 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 211.1.114.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/3/4 ms
BB1#
rack9>4
[Resuming connection 4 to R4 ... ]
*Aug 12 02:02:24.996: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16811]
*Aug 12 02:02:24.996: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16811]
*Aug1, 3) -> (211.1.114.4, 3) [16812]
*Aug 12 02:02:25.000: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16812]
*Aug 12 02:02:25.000: CBAC: ICMP Echo pkt 211.1.114.1 => 172.16.1.4
*Aug 12 02:02:25.000: NAT: i: icmp (172.16.1.4, 3) -> (211.1.114.1, 3) [16812]
*Aug 12 02:02:25.000: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16812]
*Aug 12 02:02:25.000: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16813]
*Aug 12 02:02:25.000: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16813]
R4#
R4#
*Aug 12 02:02:25.004: CBAC: ICMP Echo pkt 211.1.114.1 => 172.16.1.4
*Aug 12 02:02:25.004: NAT: i: icmp (172.16.1.4, 3) -> (211.1.114.1, 3) [16813]
*Aug 12 02:02:25.004: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16813]
*Aug 12 02:02:25.004: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16814]
*Aug 12 02:02:25.004: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16814]
*Aug 12 02:02:25.004: CBAC: ICMP Echo pkt 211.1.114.1 => 172.16.1.4
*Aug 12 02:02:25.004: NAT: i: icmp (172.16.1.4, 3) -> (211.1.114.1, 3) [16814]
*Aug 12 02:02:25.004: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16814]
*Aug 12 02:02:25.008: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16815]
*Aug 12 02:02:25.008: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16815]
*Aug 12 02:02:25.008: CBAC: ICMP Echo pkt 211.1.114.1 => 172.16.1.4
*Aug 12 02:02:25.008: NAT: i: icmp (172.16.1.4, 3) -> (211.1.114.1, 3) [16815]
*Aug 12 02:02:25.008: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16815]
*Aug 12 02:02:25.008: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16816]
*Aug 12 02:02:25.012: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16816]
*Aug 12 02:02:25.012: CBAC: ICMP Echo pkt 211.1.114.1 => 172.16.1.4
*Aug 12 02:02:25.012: NAT: i: icmp (172.16.1.4, 3) -> (211.1.114.1, 3) [16816]
*Aug 12 02:02:25.012: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16816]
*Aug 12 02:02:25.012: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16817]
*Aug 12 02:02:25.012: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16817]
*Aug 12 02:02:25.012: CBAC: ICMP Echo pkt 211.1.114.1 => 172.16.1.4
*Aug 12 02:02:25.016: NAT: i: icmp (172.16.1.4, 3) -> (211.1.114.1, 3) [16817]
*Aug 12 02:02:25.016: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16817]
*Aug 12 02:02:25.016: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16818]
*Aug 12 0
rack9>
rack9>11
[Resuming connection 11 to bb1 ... ]
.U.U.
Success rate is 0 percent (0/42)
BB1#show ip route rip
R*   0.0.0.0/0 [120/1] via 211.1.114.14, 00:00:21, FastEthernet0/1
BB1#deb ip icmp
ICMP packet debugging is on
BB1#ping 128.1.45.5 rep 12

Type escape sequence to abort.
Sending 12, 100-byte ICMP Echos to 128.1.45.5, timeout is 2 seconds:
U
*Aug 12 01:59:26.696: ICMP: dst (211.1.114.1) administratively prohibited unreachable rcv from 211.1.114.14.U
rack9>4
[Resuming connection 4 to R4 ... ]
*Aug 12 02:04:53.684: CBAC: ICMP Unreachable pkt 211.1.114.14 => 211.1.114.1
R4#
R4#
R4#
*Aug 12 02:05:09.108: CBAC: ICMP Unreachable pkt 211.1.114.14 => 211.1.114.1
R4#
rack9>
I hope this helps.
Thanks,
Victor Cappuccio - CCSI# 31452

CCBOOTCAMP - A Cisco Sponsored Organization (SO)
email: vcappuccio@ccbootcamp.com
Toll Free: 877-654-2243
Direct: +1-702-968-5100 = Outside the USA
FAX: +1-702-446-8012
YES! We take Cisco Learning Credits!
Training And Remote Racks: http://www.ccbootcamp.com
Register to win a free iPhone! http://www.ccbootcamp.com/iphone.html
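The access lists Victor configures on R4 above, run through a small first-match evaluator. This is an added example, not code from the post or from CCBOOTCAMP: it parses the numbered extended ACL syntax used above (any / host / address plus wildcard, eq with a port name or number, named ICMP types, the log keyword) and checks constructed sample packets against each list on its own, with the implicit deny at the end. It does not model R4's NAT order of operations or the openings CBAC creates, so it shows what the static lists alone permit; the sample packets are constructed and are not taken from the captures.

```python
"""First-match evaluator for the numbered IOS access lists configured on R4.

Added example, not code from the post or from CCBOOTCAMP.  Each list is
checked on its own with the implicit 'deny ip any any' at the end; R4's NAT
order of operations and the CBAC openings are not modelled.
"""
import ipaddress
from collections import namedtuple

# Service names IOS accepts in place of port numbers (subset of the real table).
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "telnet": 23, "domain": 53}

# Addresses and wildcard masks are 32-bit integers; dport / icmp_type None = any.
Entry = namedtuple("Entry", "action proto src src_wc dst dst_wc dport icmp_type log")
Packet = namedtuple("Packet", "proto src dst dport icmp_type", defaults=(None, None))


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])


def parse_acls(config_text):
    """Parse 'access-list N ...' lines into {N: [Entry, ...]}, keeping order."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        number, action, proto = int(tokens[1]), tokens[2], tokens[3]
        src, src_wc, rest = _addr(tokens[4:])
        if rest[:1] == ["eq"]:          # source port: parsed but not matched here
            rest = rest[2:]
        dst, dst_wc, rest = _addr(rest)
        dport, icmp_type, log = None, None, False
        while rest:
            tok = rest.pop(0)
            if tok == "eq":
                port = rest.pop(0)
                dport = PORT_NAMES.get(port) or int(port)
            elif tok == "log":
                log = True
            elif proto == "icmp":
                icmp_type = tok
        acls.setdefault(number, []).append(
            Entry(action, proto, src, src_wc, dst, dst_wc, dport, icmp_type, log))
    return acls


def _match_addr(value, addr, wildcard):
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    return ((value ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(entries, pkt):
    """Return (action, index of the matching entry or None, log flag); first match wins."""
    s, d = (int(ipaddress.IPv4Address(a)) for a in (pkt.src, pkt.dst))
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_match_addr(s, e.src, e.src_wc) and _match_addr(d, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action, i, e.log
    return "deny", None, False          # implicit deny ip any any


# The access lists exactly as configured on R4 in the post above.
R4_ACLS = parse_acls("""
access-list 101 permit ip 128.1.0.0 0.0.255.255 any
access-list 101 deny ip any any
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip any any
access-list 116 permit ip 211.1.114.0 0.0.0.255 any
access-list 116 deny ip any any log
access-list 112 permit tcp any host 211.1.114.4 eq ftp
access-list 112 permit tcp any host 211.1.114.4 eq smtp
access-list 112 permit tcp any host 211.1.114.4 eq www
access-list 151 deny ip 211.1.114.4 0.0.0.0 any
access-list 151 permit ip any any
access-list 152 permit icmp any any echo-reply
access-list 152 permit icmp any any time-exceeded
access-list 152 deny ip 128.1.0.0 0.0.255.255 any
access-list 152 permit ip any any
""")

if __name__ == "__main__":
    # Constructed sample packets (not taken from the post's captures).
    for number, pkt in [(101, Packet("icmp", "10.9.9.9", "211.1.114.1", None, "echo")),
                        (112, Packet("tcp", "211.1.114.1", "211.1.114.4", 22)),
                        (152, Packet("ip", "128.1.45.5", "211.1.114.1"))]:
        print(number, pkt.src, "->", pkt.dst, evaluate(R4_ACLS[number], pkt))
```

Running it shows the three checks that matter for the task statement: a packet with a non-internal source arriving on f0/1 hits the explicit deny in 101, a TCP port other than ftp/smtp/www to 211.1.114.4 falls to the implicit deny of 112, and a packet sourced from 128.1.0.0/16 is stopped by 152 before it can leave f0/0; the returned entry index tells you which line did it, and the log flag tells you whether 116 would have written a syslog entry for the drop.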
-----Original Message-----
From: nobody@groupstudy.com on behalf of Bit Gossip
Sent: Sat 11-Aug-07 10:25 AM
To: ccielab@groupstudy.com
Subject: CBAC and NAT

Group, is it true that CBAC is NAT aware, meaning that if I put the inspection rule on an interface that is nat outside and I have the blocking ACL on an interface that is nat inside, CBAC will add entries to this ACL using local addresses even if it inspects traffic that is global? Thanks, bit.
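Bit's question is about which addresses CBAC works with, and the debug ip nat detailed and CBAC debug lines Victor pasted in his reply carry the evidence: for the outside-to-inside direction, the NAT* destination rewrite is followed by a CBAC line that already names the inside local address. Here is an added parser for those two line formats (not code from either post) that pulls the address rewrite out of every NAT translation line, checks it against the static mapping configured on R4 (172.16.1.4 to 211.1.114.4, from the post), and reports whether each CBAC line carries the inside local or the inside global address. The sample lines are copied from the R4 debug output in the reply; the reading of NAT* as the fast-switched path is an assumption about the debug format, not something the post states.

```python
"""Parse the 'debug ip nat detailed' and CBAC debug lines quoted in the thread.

Added example, not code from either post.  It extracts the address rewrite from
every NAT translation line, checks it against the static mapping configured on
R4 (inside local 172.16.1.4 <-> inside global 211.1.114.4), and reports whether
each CBAC line names the inside local or the inside global address.
"""
import re
from collections import Counter

INSIDE_LOCAL, INSIDE_GLOBAL = "172.16.1.4", "211.1.114.4"

# Translation lines: 'NAT:' for inside->outside and 'NAT*:' for outside->inside
# in the captures above (the asterisk is assumed to mark the fast-switched path).
# Whichever side was rewritten carries '->'.
NAT_RE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<ipid>\d+)\]")
CBAC_RE = re.compile(r"CBAC: ICMP (?P<kind>\w+) pkt (?P<src>[\d.]+) => (?P<dst>[\d.]+)")


def parse_nat(line):
    """Describe one NAT translation line, or return None for any other line."""
    m = NAT_RE.search(line)
    if m is None:
        return None
    if m["s2"]:   # source rewritten: packet came in on the inside interface
        return {"direction": "inside->outside", "local": m["s"],
                "global": m["s2"], "ipid": int(m["ipid"])}
    if m["d2"]:   # destination rewritten: packet came in on the outside interface
        return {"direction": "outside->inside", "local": m["d2"],
                "global": m["d"], "ipid": int(m["ipid"])}
    return None   # untranslated packet reported by the debug; nothing to check


def check_static_mapping(lines, local=INSIDE_LOCAL, glob=INSIDE_GLOBAL):
    """Count translations per direction; collect lines that disagree with the static entry."""
    counts, bad = Counter(), []
    for line in lines:
        t = parse_nat(line)
        if t is None:
            continue
        counts[t["direction"]] += 1
        if (t["local"], t["global"]) != (local, glob):
            bad.append(line)
    return counts, bad


def cbac_address_view(lines, local=INSIDE_LOCAL, glob=INSIDE_GLOBAL):
    """For each CBAC line: (kind, src, dst, 'local' | 'global' | 'neither')."""
    out = []
    for line in lines:
        m = CBAC_RE.search(line)
        if m is None:
            continue
        addrs = {m["src"], m["dst"]}
        view = "local" if local in addrs else "global" if glob in addrs else "neither"
        out.append((m["kind"], m["src"], m["dst"], view))
    return out


# Lines copied from the R4 debug output in the reply above (the IP ID 16814
# group plus the unreachable seen during the BB1 ping to 128.1.45.5).
SAMPLE = """\
*Aug 12 02:02:25.004: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16814]
*Aug 12 02:02:25.004: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16814]
*Aug 12 02:02:25.004: CBAC: ICMP Echo pkt 211.1.114.1 => 172.16.1.4
*Aug 12 02:02:25.004: NAT: i: icmp (172.16.1.4, 3) -> (211.1.114.1, 3) [16814]
*Aug 12 02:02:25.004: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16814]
*Aug 12 02:04:53.684: CBAC: ICMP Unreachable pkt 211.1.114.14 => 211.1.114.1
""".splitlines()

if __name__ == "__main__":
    counts, bad = check_static_mapping(SAMPLE)
    print("translations:", dict(counts), "inconsistent with static entry:", len(bad))
    for kind, src, dst, view in cbac_address_view(SAMPLE):
        print(f"CBAC {kind} {src} => {dst}: {view} address")
```

On the pasted capture both translations agree with the static entry and the Echo line CBAC logs names 172.16.1.4, the inside local address, while the Unreachable between BB1 and 211.1.114.14 involves neither side of the mapping. Feeding a longer debug capture to check_static_mapping is a quick way to spot a translation that does not match what show ip nat translations says should be there.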
This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:10 ART