Adventures in Cisco IOS Land: NAT and WAN

 Cisco  No Responses »
Jan 192011
 

This is probably of less interest than most of my blog postings about Cisco routers, as it concerns something less commonly configured in the way I have done it – specifically a WAN link with a single IPv4 address and NATting to that address. However writing up my notes here is convenient to me, so you’ll have to put up with it. It is also very definitely worth bearing in mind the disclaimer here.

Basic NAT

First of all the “outside” interface needs to be configured as such from the NAT point of view :-

router#configure terminal
router(config)#interface fastethernet 4
router(config-if)#ip nat outside

This marks the interface in a way that lets the router know how addresses need to be NATted. Of course it is also necessary to configure the “inside” interfaces too :-

router#configure terminal
router(config)#interface vlan 101
router(config-if)#ip nat inside

And repeat for each VLAN of course.

In most instructions you will see that it is normal to create a pool of addresses for use by NAT which is perfectly valid for a number of addresses to NAT to, and even when there is a single address. But there is an easier way … NAT to the address of the interface.

router#configure terminal
router(config)#ip nat inside source list 7 interface FasterEthernet4 overload

The next task is to specify an access list to match the addresses that need to be NATted.

router#configure terminal
router(config)#access-list 7 permit 10.0.0.0 /8

Port Forwarding or Static NAT (for Servers)


If you run your own servers you will need to arrange for incoming connections to certain tcp or udp ports to be ‘forwarded’ to a specified address. This is known in the domestic router scene as “port forwarding” which is as good a term for anything – given that the concept of NAT is fundamentally broken.

This is done quite simply by the following :-

router#configure terminal
router(config)#ip nat inside source static tcp 10.0.0.14 80 interface FastEthernet4 80

This of course says that there should be a static rule to map tcp/80 (http for the web) on the server with the address 10.0.0.14 to tcp/80 on the ‘outside’.

A Basic Firewall

Next task is to bring up the WAN connection to check it works ? Not at all; whilst it may be somewhat unhelpful to connect things up after having made multiple changes, it is important to have some kind of firewall running. If you happen to have the IOS firewall feature, there is little point in bothering with the ordinary ACL feature – it sucks in comparison.

But strangely it seems we do need a basic ACL in place to :-

  1. Allow server traffic into the network.
  2. Deny all other traffic.
  3. And to allow the inspect engine to extend the ACL to allow session specific rules.
router#configure terminal
router(config)#ip access-list extended AllowIn
router(config-ext-nacl)#permit tcp any any eq www
router(config-ext-nacl)#deny ip any any log DenyIn

The use of a named ACL here is to allow for greater self-documentation – it is easier to see what an ACL should be used for when it is named. This becomes more important the more ACLs are in use.

We then need to create a set of inspect rules to allow traffic out. This is a very open set of rules, and will dynamically create temporary rules to allow the inbound replies to the allowed outbound traffic. The ordering of this is very important as we need to most specific inspections first – so “inspect tcp”, etc should appear at the end.

router(config)#ip inspect name allow-out bittorrent
router(config)#ip inspect name allow-out ftp
router(config)#ip inspect name allow-out ftps
router(config)#ip inspect name allow-out gnutella
router(config)#ip inspect name allow-out h323
router(config)#ip inspect name allow-out http audit-trail on
router(config)#ip inspect name allow-out https audit-trail on
router(config)#ip inspect name allow-out icmp router-traffic
router(config)#ip inspect name allow-out tcp
router(config)#ip inspect name allow-out udp

The ‘router-traffic’ on the icmp rule is to allow the router to send ICMP traffic to the outside interface and for it to be inspected. For some strange reason, Cisco configured the default to not allow it – leading to any number of network administrators having a nasty panic attack. Perhaps Cisco have a nasty sense of humour?

Next, because it’s fun to see what people may be doing, we need to log whatever the inspection engine drops :-

router(config)#ip inspect log drop-pkt

Finally we apply the new rules to the WAN interface :-

router#(config)#interface fastethernet 4
router#(config-if)#ip access-group AllowIn in
router#(config-if)#ip inspect allow-out out
router#(config-if)#end

This just touches on the capabilities of firewalling with a Cisco and is well worth checking in greater depth. For instance, it is clearly possible to inspect incoming traffic as well as outgoing traffic, but if you do the obvious you end up with a non-working firewall

Bringing Up The WAN

Fortunately I am in the situation where my ADSL line is bridged to Ethernet using an ADSL ‘modem’ so that I merely have to configure the external WAN interface on my router with an external address, a netmask, etc. This is so trivial it seems strange to include it here, but …

router#configure terminal
router(config)#interface FastEthernet4
router(config-if)#ip address 192.168.1.1 255.255.248.0
router(config-if)#ip nat outside
router(config-if)#ip virtual-reassembly
router(config-if)#duplex auto
router(config-if)#speed auto
router(config-if)#end

Perhaps the only oddity there is the use of ‘ip virtual-reassembly’ which is essentially used to protect the router (and in effect the rest of the network) from fragmented packet attacks. And if you prefer to leave CDP enabled, you may also want to stop that on the external interface with “no cdp enable” as well.

Palin – Take Your Foot Out Of Your Mouth !

 Media, Politics  No Responses »
Jan 132011
 

Sarah Palin has recently made a speech on the recent shooting spree in Arizona where a congressperson was shot (and probably targeted by the shooter) in relation to the media noise about the aggressive and combative attitudes in US politics at the moment. In it she claimed the media was launching a ‘blood libel‘ against the right-wing in US politics in its criticism of the political debate.

Whether or not she has a point to make, the use of the phrase ‘blood libel’ here is grossly inaccurate and an example of exactly what the media is talking about. Blood libel is the phrase used to describe the hysterical accusations of anti-semites accusing Jews of sacrificing Christian children and draining the blood for some religious purposes – if it hadn’t been used as the excuse for slaughtering Jews throughout history, it would be ridiculous. I am hardly an expert on the US media, but I find it extremely unlikely that anyone from the US media is likely to hunt down any right-wingers, kill them, and drink their blood.

Sarah Palin’s remarks are merely a hysterical over-reaction to a perceived attack on the right-wing. To be fair I should point out that apparently others have used the phrase in US politics recently. Which just goes to show that US politics is little over-heated. Interestingly a conservative commentator has pointed out that the use of this phrase is an indication that Sarah Palin just isn’t of presidential material – presumably presidents are expected to behave and talk in a slightly more dignified fashion.

Did the US media attack the right-wing ?

The US media did comment after the shootings that there is a considerable level of aggression in US politics today, and used an example showing certain US congressional areas targeted with rifle cross-hairs which was published by the right-wing. This could be said to be unfairly criticising the right-wing except that the reason that example was used was that the congressperson who was shot (Gabrielle Giffords) had previously complained about that very publication in which she was targeted.

Personally I don’t believe the right-wing was specifically targeted in the various suggestions that US politics can be a little aggressive. There is a lot to be said for lowering the temperature in US politics – opposition, criticism, discussion and debate are all a part of politics and essential in any healthy democracy. But there’s no need to go too far, and throwing around inappropriate phrases like “blood libel” is certainly an example of that.

I have no doubt that there are Democrats who go too far too.

We have no way of knowing how much the current atmosphere in US politics had an effect on the shooter, and will probably never know. After all he is clearly a deranged individual and he probably doesn’t know himself. The naysayers who claim it had no effect have no way of knowing that. If it did have an effect, it does not make those making inflammatory comments responsible for these shootings – not even to the extent of inciting murder.

But the current state of US politics could have an effect on deranged individuals even if it did not in this case. As such it is worth considering whether toning it down is worthwhile. Say “she’s an idiot” rather than “she’s a traitor”, say “he should be fired” rather than “he should be put in the chair and the switch thrown”. It doesn’t ruin the debate and it might just save someone’s life – isn’t that worth it ?

Signs Of The Sea

 Photography  No Responses »
Jan 112011
 

This one is from a while back during the mid-winter break, and made on the beach at Southsea.

Signs Of The Sea

Signs Of The Sea

Turns out on this trip to the seafront, I could only get one image I was happy with but again battery life was limiting me although I’ve recently fixed that by rescuing some elderly batteries.

Adventures in Cisco IOS Land: Tweaks

 Cisco  1 Response »
Jan 112011
 

First of all, read the disclaimer.

This section is all about small changes that are not important or tricky enough for a blog posting on their own. As such it is likely to grow as I encounter things.

Turning Off Spanning Tree

STP is kind of a noisy protocol, and on small and simple networks it probably is not really needed. To make packet sniffing easier, it may be worth turning off the protocol on all the interfaces … or VLANs :-

router# configure terminal
router(config)#no spanning tree vlan 101
router(config)#no spanning tree vlan 102

Turning Off Cisco Discovery Protocol

For security reasons, or simply because it is unnecessary noise on a network with very little in the way of Cisco devices, you may want to turn off CDP :-

router#configure terminal
router(config)#no cdp run

Autotuning Buffers

According to the documents out there, there is a dark and mysterious art of tuning buffers to optimise performance of your routers. It also says that it isn’t recommended in most situations which must disappoint aspiring übergeeks. However what is less often said is that there is a little option to instruct the router to automatically tune the buffers for optimal performance.

It is likely that it will not make a dramatic improvement, but it is worth turning on :-

router#configure terminal
router(config)#buffers tune automatic

Warm Reboots

Normally when a Cisco router reboots it goes through the whole process of starting up as if it were just powered on (a cold start). This can take quite some time so any option to speed it up is worth considering. Turns out that there is such an option, which instructs the router “just” to reload IOS and restart that way.

It takes effect under two conditions – when the router restarts because of a fault, or when you restart the router manually with the “warm” option (reload warm). To enable this simply turn it on with :-

router#configure terminal
router(config)#warm-reboot
 Older Entries  Newer Entries