Geek.Like.Todd

6 YEARS? —

It’s really been 6 years since I’ve posted last, way back when I was working for a colo/cloud company as a Level 3 support engineer. I’m a sysadmin who works in the sports industry now, and my life is now more.. cloud centric, although I still live with virtualized servers running on hypervisors I have to manage. I’ll try to update every once in a while, maybe with some AWS or Azure tips, but with being gone for 6 years.. I’m not making any promises 😀


Simple Cisco NAT Concepts – Nat Pools and Static Nat —

I thought I’d go over these two concepts really quickly.

NAT Pools – When you overload a single IP, what you are really consuming is the source ports on that IP: every inside host’s connections are translated to that one address and told apart by port number.

Once you have even a few PCs you can see from the translation table that a great many ports are in use, and while these entries tend to be torn down quickly, it is still quite possible to run out. It really just depends on how many active clients you have to NAT.

To overcome this, you can create a pool of external IPs to overload. The router simply moves to the next IP in the pool once the first one has no free ports left.

Let’s use the same lab as our last NAT example. NATLAB01

Router0 is using 128.128.129.2 on its outside interface. Its gateway is 128.128.129.1, which is on Router1.

If we are reusing that lab, we first need to remove the NAT command we issued earlier.

WORKRTR(config)#no ip nat inside source list INSIDE_NAT_ADDRESSES interface GigabitEthernet0/1 overload

If there are active translations, the router will ask whether to clear them, and NAT will of course stop.

To overload a pool we first have to create one. In this example I want to make IPs 128.128.129.50 through 128.128.129.100 available in my pool.

WORKRTR(config)#ip nat pool OUTSIDE_PUBLIC 128.128.129.50 128.128.129.100 netmask 255.255.255.0

Now we create the NAT rule using the same ACL we made in our last example.

WORKRTR(config)#ip nat inside source list INSIDE_NAT_ADDRESSES pool OUTSIDE_PUBLIC overload

We can now see the translations being created in the translation table.

WORKRTR#sho ip nat translations
Pro  Inside global          Inside local       Outside local        Outside global
icmp 128.128.129.50:1024    10.0.0.101:7       128.128.128.10:7     128.128.128.10:1024
icmp 128.128.129.50:1025    10.0.0.101:8       128.128.128.10:8     128.128.128.10:1025
icmp 128.128.129.50:1026    10.0.0.101:9       128.128.128.10:9     128.128.128.10:1026
icmp 128.128.129.50:1027    10.0.0.101:10      128.128.128.10:10    128.128.128.10:1027
icmp 128.128.129.50:1028    10.0.0.101:11      128.128.128.10:11    128.128.128.10:1028
icmp 128.128.129.50:1029    10.0.0.101:12      128.128.128.10:12    128.128.128.10:1029
icmp 128.128.129.50:1030    10.0.0.101:13      128.128.128.10:13    128.128.128.10:1030
icmp 128.128.129.50:1031    10.0.0.101:14      128.128.128.10:14    128.128.128.10:1031
icmp 128.128.129.50:1032    10.0.0.101:15      128.128.128.10:15    128.128.128.10:1032
icmp 128.128.129.50:1033    10.0.0.101:16      128.128.128.10:16    128.128.128.10:1033
icmp 128.128.129.50:1034    10.0.0.101:17      128.128.128.10:17    128.128.128.10:1034
icmp 128.128.129.50:1035    10.0.0.101:18      128.128.128.10:18    128.128.128.10:1035
icmp 128.128.129.50:1036    10.0.0.101:19      128.128.128.10:19    128.128.128.10:1036
icmp 128.128.129.50:1037    10.0.0.101:20      128.128.128.10:20    128.128.128.10:1037
icmp 128.128.129.50:1038    10.0.0.101:21      128.128.128.10:21    128.128.128.10:1038
icmp 128.128.129.50:1039    10.0.0.101:22      128.128.128.10:22    128.128.128.10:1039
icmp 128.128.129.50:1040    10.0.0.101:23      128.128.128.10:23    128.128.128.10:1040
icmp 128.128.129.50:1041    10.0.0.101:24      128.128.128.10:24    128.128.128.10:1041
icmp 128.128.129.50:1042    10.0.0.101:25      128.128.128.10:25    128.128.128.10:1042
icmp 128.128.129.50:1043    10.0.0.101:26      128.128.128.10:26    128.128.128.10:1043

I can’t really create the traffic in my lab to make this jump to the next IP, however 😀
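Since the whole point of a pool is not running out of ports, here is a small check worth running against the output of “sho ip nat translations”. This is an added example and not something from the post: it parses the table as printed above (whitespace-separated columns, with “---” where IOS prints a static entry without a port), counts the ports held per inside-global address, and flags an address that is close to full. The sample rows beyond the post’s own lines are constructed, and the per-address capacity of 64512 ports (1024 through 65535) is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of the post's 'sho ip nat translations' output:
# the first two rows are from the post, the rest are made up, including a static
# 1:1 entry in the form IOS prints it (no protocol, no ports).
SAMPLE = """\
Pro  Inside global          Inside local       Outside local        Outside global
icmp 128.128.129.50:1024    10.0.0.101:7       128.128.128.10:7     128.128.128.10:1024
icmp 128.128.129.50:1025    10.0.0.101:8       128.128.128.10:8     128.128.128.10:1025
tcp  128.128.129.50:1026    10.0.0.101:49152   128.128.128.10:80    128.128.128.10:80
tcp  128.128.129.50:1027    10.0.0.102:49153   128.128.128.10:80    128.128.128.10:80
tcp  128.128.129.51:1024    10.0.0.103:49154   128.128.128.10:443   128.128.128.10:443
---  128.128.129.254        10.0.0.254         ---                  ---
"""

ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")


def parse_endpoint(token):
    """'ip:port' -> (ip, port); bare 'ip' -> (ip, None); '---' -> None."""
    if token == "---":
        return None
    m = ENDPOINT.match(token)
    if not m:
        raise ValueError(f"unexpected column value: {token!r}")
    return (m.group(1), int(m.group(2)) if m.group(2) else None)


def parse_translations(text):
    """Turn the translation table into a list of dicts, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # header or blank line
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto,
                     "inside_global": parse_endpoint(ig),
                     "inside_local": parse_endpoint(il),
                     "outside_local": parse_endpoint(ol),
                     "outside_global": parse_endpoint(og)})
    return rows


def port_usage(rows):
    """Ports in use per inside-global address (PAT rows only; static rows carry no port)."""
    usage = Counter()
    for r in rows:
        ip, port = r["inside_global"]
        if port is not None:
            usage[ip] += 1
    return usage


def top_inside_talkers(rows, n=3):
    """Inside hosts holding the most translations: the first place to look when a pool fills."""
    c = Counter(r["inside_local"][0] for r in rows if r["inside_local"][1] is not None)
    return c.most_common(n)


def exhaustion_report(rows, capacity=64512, warn_at=0.8):
    """Per inside-global address: (ports used, fraction of capacity, over threshold?).
    capacity is an assumption (ports 1024-65535 on one address)."""
    return {ip: (n, n / capacity, n / capacity >= warn_at)
            for ip, n in port_usage(rows).items()}


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    print(exhaustion_report(rows))
    print(top_inside_talkers(rows))
```

Running it against a live router is a matter of piping the real “show ip nat translations” output into parse_translations; the report tells you how close each pool member is to rolling over and which inside host is burning the most ports, which is also the quickest way to spot a machine that has started scanning or flooding from behind the NAT.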

Static Nat

Static NAT is also really useful: if you have an internal IP and you want to map it completely one-to-one to another IP on the other side of the router (a public address, for example), the following example shows how to do it.

In our diagram you see a server on the inside with IP 10.0.0.254, and we want to make this server publicly available as 128.128.129.254. On our router, as seen before, we mark which interface is inside and which is outside, and then issue the following command:

WORKRTR(config)#ip nat inside source static 10.0.0.254 128.128.129.254

Now from our other server on the outside we can test access with a ping.

SERVER>ping 128.128.129.254

Pinging 128.128.129.254 with 32 bytes of data:

Reply from 128.128.129.254: bytes=32 time=1ms TTL=126
Reply from 128.128.129.254: bytes=32 time=0ms TTL=126
Reply from 128.128.129.254: bytes=32 time=11ms TTL=126
Reply from 128.128.129.254: bytes=32 time=12ms TTL=126

Ping statistics for 128.128.129.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 12ms, Average = 6ms

If you only want to translate certain ports, for example just port 80, you can do so this way:

WORKRTR(config)#ip nat inside source static tcp 10.0.0.254 80 128.128.129.254 80

Or perhaps I want traffic that would normally go to port 3389 to arrive on some unusual external port instead, to cut down on attacks aimed at the default RDP port (note this only hides the service from scans of port 3389; the RDP service behind it is unchanged):

WORKRTR(config)#ip nat inside source static tcp 10.0.0.254 3389 128.128.129.254 12658


Simple Cisco NAT Concepts – Nat Overload —

Hey howdy. Yeah, another one of these.. This is a quick NAT guide for Cisco routers.

In the Cisco world you have three basic types of NAT: Static, Dynamic and Overload. Obviously these notes are more for me than for you 😀 and you should look to Cisco for the real documentation.

NAT Overload – you are probably familiar with this one, and the concept is easy: if you have been given a single public IP (or a small range) and you want your non-public local IPs to reach the internet, you can generally accomplish this with NAT Overload.

To accomplish this we start with identifying which interface is “inside” and which is “outside” on our router.

Here is my diagram I made:

NATLAB01

The blue on the left is the “inside” (int gi0/0) and the right is the “outside” (int gi0/1); Router0 is your gateway to the internet. The other router in play here is merely there to simulate the internet. I’ve placed a web server behind it, and that server is also running DNS.

On Router 0 we need to configure the interfaces as Inside or Outside.

WORKRTR#conf t
WORKRTR(config)#int gi 0/0
WORKRTR(config-if)#ip nat inside
WORKRTR(config-if)#exit
WORKRTR(config)#int gi 0/1
WORKRTR(config-if)#ip nat outside
WORKRTR(config-if)#exit

Now we need to create a standard access list to specify which IP ranges we want to translate from the “inside”.

WORKRTR(config)#ip access-list standard INSIDE_NAT_ADDRESSES
WORKRTR(config-std-nacl)#permit 10.0.0.0 0.0.0.255
WORKRTR(config-std-nacl)#exit

We now use that access list with the following command to start translating.

WORKRTR(config)#ip nat inside source list INSIDE_NAT_ADDRESSES interface GigabitEthernet0/1 overload

We can check our work from the router:

WORKRTR#sho ip nat translations
Pro  Inside global          Inside local       Outside local        Outside global
icmp 128.128.129.2:1        10.0.0.101:1       128.128.128.10:1     128.128.128.10:1
icmp 128.128.129.2:2        10.0.0.101:2       128.128.128.10:2     128.128.128.10:2
icmp 128.128.129.2:3        10.0.0.101:3       128.128.128.10:3     128.128.128.10:3
icmp 128.128.129.2:4        10.0.0.101:4       128.128.128.10:4     128.128.128.10:4

And from one of the PCs:

PC>ping 128.128.128.10
Pinging 128.128.128.10 with 32 bytes of data:
Reply from 128.128.128.10: bytes=32 time=0ms TTL=126
Reply from 128.128.128.10: bytes=32 time=0ms TTL=126
Reply from 128.128.128.10: bytes=32 time=0ms TTL=126
Reply from 128.128.128.10: bytes=32 time=0ms TTL=126
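To tie the three posts together, here is a toy model of what the router is doing with the commands above: the standard ACL’s wildcard matching, overload (PAT) out of a pool with rollover to the next address when one fills up, static 1:1 mapping, and static port mapping such as the 3389 to 12658 entry. This is an added illustration, not IOS code or anything from the posts. The lab addresses are the posts’ own; the pool is shortened to its first two members, the per-address port range is a parameter so rollover can be shown with a tiny port space, and the rule “keep the original source port if it is free, otherwise take the lowest free one” is a simplifying assumption rather than a statement of how IOS allocates ports.

```python
"""Toy model of 'ip nat inside source' behaviour: PAT from a pool, static 1:1,
static port mapping. Added example with simplified rules; not IOS code."""
import ipaddress
from dataclasses import dataclass, field


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Standard-ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class NatRouter:
    acl: list                            # permit entries of the inside list: [(network, wildcard)]
    pool: list                           # inside-global addresses, tried in order
    port_range: tuple = (1024, 65535)    # assumption: PAT port space per global address
    static: dict = field(default_factory=dict)        # inside local ip -> inside global ip (1:1)
    static_ports: dict = field(default_factory=dict)  # (proto, local ip, port) -> (global ip, port)
    dynamic: dict = field(default_factory=dict)       # (proto, local ip, port) -> (global ip, port)
    used: dict = field(default_factory=dict)          # global ip -> set of ports handed out

    def add_static(self, local_ip, global_ip):
        self.static[local_ip] = global_ip

    def add_static_port(self, proto, local_ip, local_port, global_ip, global_port):
        self.static_ports[(proto, local_ip, local_port)] = (global_ip, global_port)

    def outbound(self, proto, local_ip, local_port):
        """Translate a packet leaving the inside; returns (inside global ip, port) or None."""
        key = (proto, local_ip, local_port)
        if key in self.static_ports:               # static port entry wins
            return self.static_ports[key]
        if local_ip in self.static:                # static 1:1 keeps the port as-is
            return (self.static[local_ip], local_port)
        if key in self.dynamic:                    # existing PAT entry is reused
            return self.dynamic[key]
        if not any(wildcard_match(local_ip, n, w) for n, w in self.acl):
            return None                            # not permitted by the list: no translation
        lo, hi = self.port_range
        for gip in self.pool:
            used = self.used.setdefault(gip, set())
            if len(used) > hi - lo:                # address full: move to next pool member
                continue
            if lo <= local_port <= hi and local_port not in used:
                port = local_port                  # keep the original port when it is free
            else:
                port = next(p for p in range(lo, hi + 1) if p not in used)
            used.add(port)
            self.dynamic[key] = (gip, port)
            return self.dynamic[key]
        return None                                # whole pool exhausted: packet is dropped

    def inbound(self, proto, global_ip, global_port):
        """Map a packet arriving on the outside to (inside local ip, port), or None if dropped."""
        for (p, lip, lport), target in self.static_ports.items():
            if p == proto and target == (global_ip, global_port):
                return (lip, lport)
        for lip, gip in self.static.items():
            if gip == global_ip:
                return (lip, global_port)          # 1:1 mapping exposes every port of the host
        for (p, lip, lport), target in self.dynamic.items():
            if p == proto and target == (global_ip, global_port):
                return (lip, lport)
        return None                                # no entry: unsolicited traffic is dropped


def lab_router(port_range=(1024, 65535)):
    """The posts' lab: list INSIDE_NAT_ADDRESSES, the first two members of pool
    OUTSIDE_PUBLIC, and the port-mapped static entries for the server at 10.0.0.254."""
    r = NatRouter(acl=[("10.0.0.0", "0.0.0.255")],
                  pool=["128.128.129.50", "128.128.129.51"],
                  port_range=port_range)
    r.add_static_port("tcp", "10.0.0.254", 80, "128.128.129.254", 80)
    r.add_static_port("tcp", "10.0.0.254", 3389, "128.128.129.254", 12658)
    return r


if __name__ == "__main__":
    r = lab_router(port_range=(1024, 1025))       # two ports per address so rollover shows
    for ident in (7, 8, 9):
        print("icmp 10.0.0.101 id", ident, "->", r.outbound("icmp", "10.0.0.101", ident))
    print("inbound 128.128.129.254:3389  ->", r.inbound("tcp", "128.128.129.254", 3389))
    print("inbound 128.128.129.254:12658 ->", r.inbound("tcp", "128.128.129.254", 12658))
```

Two things the model makes visible that the router output alone does not: an overloaded address only ever passes return traffic, so an unsolicited packet to 128.128.129.50 on some random port has no entry and is dropped, while a full static 1:1 entry answers for every port of the inside host, which is why the port-specific form is the safer choice when only one service needs to be reachable.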