Geek.Like.Todd

Simple Cisco NAT Concepts – Nat Overload —

Hey howdy. Yeah another one of these.. This is sort of a quick Natting guide for Cisco Routers.

In the Cisco world you have 3 basic types of NAT, Static, Dynamic and Overload. Obviously these are more for me than you 😀 and you should look to cisco for documentation.

Nat Overload – this you are familiar with, and the concept is easy, if you are given a small or a single public IP and you want to use NAT to allow access to the public internet from your local IPs that are not public addresses, you can generally accomplish this with NAT Overload.

To accomplish this we start with identifying which interface is “inside” and which is “outside” on our router.

Here is my diagram I made:

NATLAB01

The blue on the left is the “inside” (int gi0/0) and the right is considered “outside” (int gi0/1) and our router0 is considered your gateway to the internet. The other Router in play here is merely to simulate the internet. I’ve placed a webserver behind it, and that server is also running DNS.

On Router 0 we need to configure the interfaces as Inside or Outside.

WORKRTR#conf t
WORKRTR(config)#int gi 0/0
WORKRTR(config-if)#ip nat inside
WORKRTR(config-if)#exit
WORKRTR(config)#int gi 0/1
WORKRTR(config-if)#ip nat outside
WORKRTR(config-if)#exit

Now we need to create a Standard Access List to specify which IP ranges we want to allow from the “inside”.

WORKRTR(config)#ip access-list standard INSIDE_NAT_ADDRESSES
WORKRTR(config-std-nacl)#permit 10.0.0.0 0.0.0.255
WORKRTR(config-std-nacl)#exit

We now use that access list with the following command to start the process.

WORKRTR(config)#ip nat inside source list INSIDE_NAT_ADDRESSES interface GigabitEthernet0/1 overload

We can check our work from the router

WORKRTR#sho ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 128.128.129.2:1 10.0.0.101:1 128.128.128.10:1 128.128.128.10:1
icmp 128.128.129.2:2 10.0.0.101:2 128.128.128.10:2 128.128.128.10:2
icmp 128.128.129.2:3 10.0.0.101:3 128.128.128.10:3 128.128.128.10:3
icmp 128.128.129.2:4 10.0.0.101:4 128.128.128.10:4 128.128.128.10:4

And one of the PC’s

PC>ping 128.128.128.10
Pinging 128.128.128.10 with 32 bytes of data:
Reply from 128.128.128.10: bytes=32 time=0ms TTL=126
Reply from 128.128.128.10: bytes=32 time=0ms TTL=126
Reply from 128.128.128.10: bytes=32 time=0ms TTL=126
Reply from 128.128.128.10: bytes=32 time=0ms TTL=126


Cisco Extended ACL’s —

I used to be mystified by Access Lists on Cisco devices.. but I’m feeling pretty comfy with them now.

Essentially an Access Lists is a Matching Filter List. It’s got two options, Permit and Deny.

Here is my Lab. It’s actually similar to something I’m already working on but the names have been changed to protect the innocent.

I have 3 VLANS, 85, 86 and 87. The vlans I do not want talking to each other, except for a single Server on 85 I want 86 to see.

ACLEXTLAB

Access lists are actually really easy to set up. First you configure, then you apply to an interface, and you specify in what directions you want to match your traffic to the ACL, either in or out.

Lets start with our configuration with VLAN 86.

I’ve made interfaces on the router for each vlan, and while i could have made a trunk and some sub interfaces I didn’t bother here, since it’s a lab.

ROUTER#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.85.1 YES manual up up
GigabitEthernet0/1 192.168.86.1 YES manual up up
FastEthernet0/0/0 unassigned YES unset up up
FastEthernet0/0/1 unassigned YES unset up down
FastEthernet0/0/2 unassigned YES unset up down
FastEthernet0/0/3 unassigned YES unset up down
Vlan1 unassigned YES unset administratively down down
Vlan85 unassigned YES unset down down
Vlan87 192.168.87.1 YES manual up up

I’ve made some vlans on the switch and have applied static IPs to the various workstations and a single server.

The goal is to not allow traffic from any vlan to any other vlan, except for a single server.

ACL’s are processed from the top down, and once packets meet any criteria as they are processed thru the list they are sent along according to the rule they matched. So as an example. If sequence 5 tells the router to allow packets from 192.168.1.20 to reach network 192.168.20.0/24 then those are allowed if the next sequence tells it to deny 192.168.1.0/24 from 192.168.20.0/24 which would match up with the rest of the source IPs on that subnet.  Also.. if you had those sequences switched this rule would be ignored.

To create an access list first you configure and then you apply.

Lets start with VLAN 87.

We simply want to block any IP from 192.168.87.0/24 from reaching any 192.168.86.0 address or 192.168.89.0 address.

on our cli we need to start with giving the acl a name, and specifying that it’s an extended list.

Router(config)#ip access-list extended VLAN87
Router(config-ext-nacl)#

Note, if you start putting in rules with no sequence number, you will simply start at 10 and then increment to the next 10, so 10, 20, so on.

However, if you specify the sequence number first, you can choose where your entry lands on your list. I personally like separating them to give me room for later changes.

The command is simple, it’s
Sequence# – the numbers are always observed as 10, 20, 30 and so one in increments of 10, but if you put one in as 31 then it will become 40 and 40 will move down.
deny or allow
protocol, ip means everything.. otherwise port number or name if it’s recognized.
Source IP network or host or any
Destination network or host or any

It’s also work noting that the item that looks like a subnet there is actually wildcard bits, which.. is a curve, but you will learn fast, essentially if it changes how many bits can change.

Router(config-ext-nacl)#10 deny ip 192.168.87.0 0.0.0.255 192.168.85.0 0.0.0.255
Router(config-ext-nacl)#20 deny ip 192.168.87.0 0.0.0.255 192.168.86.0 0.0.0.255
Router(config-ext-nacl)#30 permit ip any any

Note that I’ve placed an “any any” at the end. If your access list is only made of denials, it will simply deny everything because of the explicit and hidden “deny deny” that is at the end. If you only need to allow certain address then please of course do that.

Once completed we can see it and my two other ACL’s I’ve created:

Router(config)#do sho ip access-lists
Extended IP access list VLAN86
10 permit ip 192.168.86.0 0.0.0.255 host 192.168.85.5
20 deny ip 192.168.86.0 0.0.0.255 192.168.85.0 0.0.0.255
30 deny ip 192.168.86.0 0.0.0.255 192.168.87.0 0.0.0.255
40 permit ip any any
Extended IP access list VLAN87
10 deny ip 192.168.87.0 0.0.0.255 192.168.85.0 0.0.0.255
20 deny ip 192.168.87.0 0.0.0.255 192.168.86.0 0.0.0.255
30 permit ip any any
Extended IP access list VLAN85
10 permit ip host 192.168.85.5 any
20 deny ip 192.168.85.0 0.0.0.255 192.168.86.0 0.0.0.255
30 deny ip 192.168.85.0 0.0.0.255 192.168.87.0 0.0.0.255
40 permit ip any any

Now we need to apply the ACL’s to our interfaces. You have to specify whether or not this filter should be applied on an interface on traffic that the router is sending to (out) or receiving from (in) other devices.

This is how we apply the VLAN86 acl to int gi0/1

Router(config)#int gi 0/1
Router(config-if)#ip access-group VLAN86 in
Router(config-if)#

We repeat as necessary for our other ACL’s


Simple Cisco DHCP —

I’m doing a little labwork and wanted to post this really for nothing other than to assist with my remembering it, and hey.. maybe you might find it helpful. Typically whenever I need DHCP I turn to an OS to do that for me, if AD is involved, I’m using Windows, if it’s not I’ll use Linux.  But if you have neither, but do have a Cisco Router, never fear it can do that for you.  Here is our lab, consisting of a single router, a switch, and 3 workstations:

DHCPLAB

Our IP address range for this lab is 192.168.1.0/24 and we want to reserve ip range 192.168.1.1 – 192.168.1.49 but allow the rest be available for our pool.

My fake PC clients are all set to DHCP.

Step one: Assign an interface on the router for the network.
dhcptest(config)#int fa 0/0
dhcptest(config-if)#description inside
dhcptest(config-if)#ip address 192.168.1.1 255.255.255.0
dhcptest(config-if)#no shut

Step two: Reserve your IP’s that you wish to exclude from your pool.

dhcptest(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.49

Step three: Create your pool, in our test we are naming our pool “inside” but you may name yours whatever you want.

dhcptest(config)#ip dhcp pool inside
dhcptest(dhcp-config)# network 192.168.1.0 255.255.255.0
dhcptest(dhcp-config)#default-router 192.168.1.1
dhcptest(dhcp-config)#dns-server 8.8.8.8 8.8.4.4

Step four: check your dhcp binding

dhcptest#sho ip dhcp binding
IP address Client-ID/ Lease expiration Type
Hardware address
192.168.1.50 0060.7098.9145 -- Automatic
192.168.1.51 00D0.BCA1.3A33 -- Automatic
192.168.1.52 0060.2F5A.3953 -- Automatic
192.168.1.53 000A.4143.6916 -- Automatic

Enjoy!
Here is a link to Cisco’s Guide on DHCP, with cooler options than mine..
Cisco DHCP

Note, I used packet tracer, and in my version, I couldn’t set a second DNS server, but the documentation tells me I can set 8.  😀

Here is a Link to the Packet Tracer File I used:

DHCP LAB