My Network Security Journal: Configure Static and Dynamic (PAT) on a Cisco IOS Router

Task 1: Configure Static NAT

Configure NAT outside on interface Gig1 (WAN) and NAT inside on Loopback1 (LAN).

CSRv#show ip interface brief

Interface IP-Address OK? Method Status Protocol

GigabitEthernet1 192.168.1.140 YES NVRAM up up

GigabitEthernet2 unassigned YES NVRAM administratively down down

Loopback1 10.1.1.200 YES manual up up

CSRv#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

CSRv(config)#interface g1

CSRv(config-if)#ip nat ?

allow-static-host Allow static-ip clients

inside Inside interface for address translation

outside Outside interface for address translation

CSRv(config-if)#ip nat outside

CSRv(config-if)#interface loopback1

CSRv(config-if)#ip nat inside

Configure a Static NAT (one-to-one) translation for the internal host 10.1.1.200 (web server) to the mapped/translated IP address 192.168.1.200.

CSRv(config)#ip nat ?

create Create flow entries

inside Inside address translation

log NAT Logging

name Rule name

outside Outside address translation

pool Define pool of addresses

service Special translation for application using non-standard port

settings NAT general settings

switchover NAT datapath switchover

translation NAT translation entry configuration

CSRv(config)#ip nat inside ?

destination Destination address translation

source Source address translation

CSRv(config)#ip nat inside source ?

list Specify access list describing local addresses

route-map Specify route-map

static Specify static local->global mapping

CSRv(config)#ip nat inside source static ?

A.B.C.D Inside local IP address

esp IPSec-ESP (Tunnel mode) support

network Subnet translation

tcp Transmission Control Protocol

udp User Datagram Protocol

CSRv(config)#ip nat inside source static 10.1.1.200 ?

A.B.C.D Inside global IP address

interface Specify interface for global address

CSRv(config)#ip nat inside source static 10.1.1.200 192.168.1.200

Configure HTTP (web) server on the CSRv router.

CSRv(config)#ip http ?

HSTS-Header Enable HTTP secure server HSTS header

access-class Restricted http server access by access-class

active-session-modules Set up active http server session modules

auth-retry Maximum number of authentication retry attempt

authentication Set http server authentication method

banner Enable http server banner

banner-path HTML Banner Path

client Set http client parameters

digest Set http digest parameters

help-path HTML help root URL

max-connections Set maximum number of concurrent http server connections

path Set base path for HTML

port Set http server port

secure-active-session-modules Set up active http secure server session modules

secure-ciphersuite Set http secure server ciphersuite

secure-client-auth Set http secure server with client authentication

secure-port Set http secure server port number for listening

secure-server Enable HTTP secure server

secure-trustpoint Set http secure server certificate trustpoint

server Enable http server

session-idle-timeout Set http server session idle timeout

session-module-list Set up a http(s) server session module list

timeout-policy Set http server time-out policy parameters

tls-version Set TLS version for HTTP secure server

upload File upload

CSRv(config)#ip http server

Access the web server (10.1.1.200) from the management PC (192.168.1.100).

Verify active NAT translations and statistics on the using the show ip nat translations and show ip nat statistics commands.

CSRv#show ip nat ?

bpa Bulk Port Allocation information

limits Limit statistics

pool Pool and port statistics

portblock TCP/UDP port blocks allocated for NAT

statistics Translation statistics

translations Translation entries

CSRv#show ip nat translations

Pro Inside global Inside local Outside local Outside global

--- 192.168.1.200 10.1.1.200 --- ---

tcp 192.168.1.200:80 10.1.1.200:80 192.168.1.100:52285 192.168.1.100:52285

Total number of translations: 2

CSRv#show ip nat statistics

Total active translations: 1 (1 static, 0 dynamic; 1 extended)

Outside interfaces:

GigabitEthernet1

Inside interfaces:

Loopback1

Hits: 650 Misses: 14

Expired translations: 13

Dynamic mappings:

nat-limit statistics:

max entry: max allowed 0, used 0, missed 0

In-to-out drops: 0 Out-to-in drops: 0

Pool stats drop: 0 Mapping stats drop: 0

Port block alloc fail: 0

IP alias add fail: 0

Limit entry add fail: 0

Task 2: Configure Dynamic NAT (with PAT)

Configure a Standard Named ACL for the source/interesting traffic from the 10.1.1.0/24 LAN subnet.

CSRv(config)#ip access-list ?

extended Extended Access List

helper Access List acts on helper-address

log-update Control access list log updates

logging Control access list logging

match-local-traffic Enable ACL matching for locally generated traffic

persistent enable persistency across reload

resequence Resequence Access List

role-based Role-based Access List

standard Standard Access List

CSRv(config)#ip access-list standard ?

<1-99> Standard IP access-list number

<1300-1999> Standard IP access-list number (expanded range)

WORD Access-list name

CSRv(config)#ip access-list standard DYNAMIC_NAT

CSRv(config-std-nacl)#?

Standard Access List configuration commands:

<1-2147483647> Sequence Number

default Set a command to its defaults

deny Specify packets to reject

exit Exit from access-list configuration mode

no Negate a command or set its defaults

permit Specify packets to forward

remark Access list entry comment

CSRv(config-std-nacl)#permit ?

Hostname or A.B.C.D Address to match

any Any source host

host A single host address

CSRv(config-std-nacl)#permit 10.1.1.0 ?

A.B.C.D Wildcard bits

log Log matches against this entry

<cr>

CSRv(config-std-nacl)#permit 10.1.1.0 0.0.0.255

Configure a NAT pool that will use a single translated IP address of 192.168.1.201.

CSRv(config)#ip nat pool ?

WORD Pool name

CSRv(config)#ip nat pool NAT_POOL ?

A.B.C.D Start IP address

netmask Specify the network mask

prefix-length Specify the prefix length

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 ?

A.B.C.D End IP address

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 ?

netmask Specify the network mask

prefix-length Specify the prefix length

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 netmask ?

A.B.C.D Network mask

CSRv(config)#ip nat pool NAT_POOL 192.168.1.201 192.168.1.201 netmask 255.255.255.0

Configure Dynamic NAT (NAT overload) for the inside network.

This would allow multiple inside hosts using a dynamic high number (ephemeral) source ports to be translated to a pool of global IP address.

CSRv(config)#ip nat inside ?

destination Destination address translation

source Source address translation

CSRv(config)#ip nat inside source ?

list Specify access list describing local addresses

route-map Specify route-map

static Specify static local->global mapping

CSRv(config)#ip nat inside source list ?

<1-2699> Access list number for local addresses

WORD Access list name for local addresses

CSRv(config)#ip nat inside source list DYNAMIC_NAT ?

interface Specify interface for global address

pool Name pool of global addresses

CSRv(config)#ip nat inside source list DYNAMIC_NAT pool ?

WORD Pool name for global addresses

CSRv(config)#ip nat inside source list DYNAMIC_NAT pool NAT_POOL ?

oer Use with vtemplate only. On new translation, if OER BR is UP, OER will select IP from

outgoing Interface. All packets matching translation are forwarded over Interface for

duration of translation.

overload Overload an address translation

redundancy NAT redundancy operation

vrf Specify vrf

<cr>

CSRv(config)#ip nat inside source list DYNAMIC_NAT pool NAT_POOL overload

Remove the Static NAT policy and clear previous NAT translations and statistics.

Notice the global or translated IP address is now 192.168.1.201.

CSRv(config)#no ip nat inside source static 10.1.1.200 192.168.1.200

CSRv(config)#end

CSRv#

Dec 14 15:00:47.837: %SYS-5-CONFIG_I: Configured from console by admin on vty2 (192.168.1.100)

CSRv#clear ip nat ?

statistics Clear translation statistics

translation Clear dynamic translation

CSRv#clear ip nat translation ?

* Delete all dynamic translations

esp Encapsulating Security Payload

forced Delete all dynamic translations (forcefully)

inside Inside addresses (and ports)

outside Outside addresses (and ports)

redundancy Delete all dynamic translation in an RG instance (forcefullly)

tcp Transmission Control Protocol

udp User Datagram Protocol

vrf Delete all dynamic translation in a VRF instance

CSRv#clear ip nat translation *

CSRv#ping 8.8.8.8 source 10.1.1.200

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 10.1.1.200

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/14 ms

CSRv#show ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 192.168.1.201:1 10.1.1.200:1 8.8.8.8:1 8.8.8.8:1

Total number of translations: 1

CSRv#show ip nat statistics

Total active translations: 1 (0 static, 1 dynamic; 1 extended)

Outside interfaces:

GigabitEthernet1

Inside interfaces:

Loopback1

Hits: 1361 Misses: 34

Expired translations: 17

Dynamic mappings:

-- Inside Source

[Id: 2] access-list DYNAMIC_NAT pool NAT_POOL refcount 1

pool NAT_POOL: id 1, netmask 255.255.255.0

start 192.168.1.201 end 192.168.1.201

type generic, total addresses 1, allocated 1 (100%), misses 0

nat-limit statistics:

max entry: max allowed 0, used 0, missed 0

In-to-out drops: 0 Out-to-in drops: 0

Pool stats drop: 0 Mapping stats drop: 0

Port block alloc fail: 0

IP alias add fail: 0

Enable NAT debug.

CSRv#debug ip nat ?

<1-99> Access list forced

WORD Access list name

ha High Availability debugging

CSRv#debug ip nat DYNAMIC_NAT ?

alg NAT ALG events

bind NAT dynamic translation create/delete events

detailed NAT detailed events for ACL based debugging

drop NAT Drop events

ipsec NAT IPSec events

limit NAT max-limit policy events

mapping NAT mapping create/delete events

pap NAT Paired-address-pooling events

pool NAT pool events

port NAT PORT events

route NAT Static route events

session NAT session events

wlan-nat WLAN NAT events

<cr>

CSRv#debug ip nat DYNAMIC_NAT detailed

IP NAT detailed debugging is on for access list DYNAMIC_NAT

CSRv#ping 8.8.8.8 source 10.1.1.200

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 10.1.1.200

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/8 ms

Dec 14 15:11:58.398: NAT: attempting to setup alias for 192.168.1.201 (redundancy_name , idb GigabitEthernet1, flags 0x2), rg_id 0 tableid 0 use_tableid 0

Dec 14 15:11:58.398: NAT: installing alias for address 192.168.1.201, addr_flags 0x2, tableid 0

Dec 14 15:11:58.398: NAT: insert dynamic alias 192.168.1.201, addr_flags 0x2

Dec 14 15:11:58.398: NAT: Checking for aliases needed for IPAD list update, IDB(Gi1) address(192.168.1.201) mask(255.255.255.255) type(4) tableid(0) is_delete(FALSE)

Dec 14 15:11:58.398: NAT: IPAD type(4) is not an interface(1)

Dec 14 15:11:58.399: NAT: Notify platform for ipalias address 192.168.1.201 route download

My Network Security Journal

Saturday, December 28, 2019

Configure Static and Dynamic (PAT) on a Cisco IOS Router

No comments:

Post a Comment