CST3607 Class Notes 2022-05-03

News & Tools

Stateful Firewall

Network Address Translation (NAT)

What does a NAT router do? A NAT router creates a local area network (LAN) of private IP addresses and interconnects that LAN to the wide area network (WAN) known as the Internet. The “Network Address Translation” (NAT) performed by the router allows multiple computers (devices) connected to the LAN behind the router to communicate with the external Internet.1

  • Network Address Translation (NAT) allows many inside IP addresses to be represented by some smaller number of outside/public IP addresses.
    • Static NAT
    • Dynamic NAT
    • Port Address Translation (PAT) a.k.a. Dynamic NAT with Overload

NAT Address Designations

Inside LocalSource host inside address before translation.
Outside LocalAn IP address from which source host is known on the Internet. 
This is usually the address of the router interface connected to ISP—the actual Internet address.
Inside GlobalSource host address used after translation to get onto the Internet.
This is also the actual Internet address.
Outside GlobalAddress of outside destination host and, again, the real Internet address.

Troubleshooting NAT with Cisco IOS Commands

  • show ip nat translations
  • clear ip nat translation *
  • show ip nat statistics
  • debug ip nat

Here’s a simple example of a basic static NAT configuration:

ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.46.2.1 255.255.255.0
ip nat outside
!

Here is a sample output of a dynamic NAT configuration:

ip nat pool todd 170.168.2.3 170.168.2.254
netmask 255.255.255.0
ip nat inside source list 1 pool todd
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!

interface Serial0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!

Here is a sample output of a PAT configuration:

ip nat pool globalnet 170.168.2.1 170.168.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool globalnet overload
!
interface Ethernet0/0
    ip address 10.1.1.10 255.255.255.0
    ip nat inside
!
interface Serial0/0
    ip address 170.168.2.1 255.255.255.0
    ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255

More on NAT…

Hands-On Lab-10: Network Address Translation (NAT)

  • Use Cisco Packet Tracer v8.x
  • You must be present for this class, and submit your 100% Packet Tracer file, to get full credit for this lab.
  • This lab consists of four parts.
  1. Log into Cisco Packet Tracer
  2. Download the Lab Assets zip file (contains 4 parts)
  3. Unzip/extract the Lab Packet Tracer files
  4. Rename the Labs files with YourLastName, YourFirstName
  5. Open the Lab pka file in Packet Tracer
  6. Read the instructions!!!!!
  7. E-mail your 100% Lab to me. (All four parts)
    Subject: CST3607 Lab-10 YourLastName, YourFirstName
  8. The passwords are included in the lab instructions. Read!!!!
  • 1st password to log into a switch or router is the “console” password
  • 2nd password to get into privileged mode is the “secret” password

Cisco Discovery Protocol (CDP)

  • Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help us collect information about locally attached devices.
  • Using CDP, we can gather hardware and protocol information about neighbor devices—vital information for documenting and troubleshooting the network!
SW-3# sh cdp neighbors detail

Link Layer Discovery Protocol (LLDP)

  • Layer Discovery Protocol (LLDP) is another dynamic discovery protocol is Link, but it’s not proprietary.
  • The IEEE created a new standardized discovery protocol called 802.1AB for Station and Media Access Control Connectivity Discovery.
  • LLDP defines basic discovery capabilities, but it was also enhanced to specifically address voice applications. This version is called LLDP-MED (Media Endpoint Discovery).
    • An important factor to remember is LLDP and LLDP-MED are not compatible!
  • LLDP has the following configuration guidelines and limitations:
    • LLDP must be enabled on the device before you can enable or disable it on any interface.
    • LLDP is supported only on physical interfaces.
    • LLDP can discover up to one device per port.
    • LLDP can discover Linux servers.
  • You can turn off LLDP completely with the no lldp run command from global configuration mode and enable it with the lldp run command.

Doing this enables it on all interfaces:

SW-3(config)# no lldp run
SW-3(config)# lldp run

To turn LLDP off or on for an interface, use the lldp transmit and lldp receive commands:

SW-3(config-if)# no lldp transmit
SW-3(config-if)# no lldp receive
SW-3(config-if)# lldp transmit
SW-3(config-if)# lldp receive

Network Time Protocol (NTP)

  • NTP synchronizes clocks of computer systems/devices over packet-switched, variable-latency data networks.
  • Typically you’ll have an NTP server that connects through the Internet to an atomic clock. This time can then be synchronized throughout the network to keep all routers, switches, servers, etc., receiving the same time information and in sync.
  • Correct network time within the network is important because:
    • It allows the tracking of events in the network in the correct order.
    • Clock synchronization is critical for the correct interpretation of events within the syslog data.
    • Clock synchronization is critical for digital certificates.
    • Authentication like SAML SSO.
      • e.g. If there’s time difference of 5 minutes or more, between the client PC and the IdP server, no one will be able to authenticate.  The IdP would throw and error and refuse the attempt.
  • For redundancy, you can set your switches to sync with the primary time source, and PC and other devices sync their times with the switch they’re connected to.

syslog

Reading system messages from a switch’s or router’s internal buffer is a popular and efficient method of seeing what’s going on with your network at a particular time.

The best way is to log messages to a syslog server, which stores time-stamped messages from your devices.

  • Adverse events affecting the network usually occur when you’re not watching.
  • You may need to have historical logs, to go back through, to determine what and when an event occurred.

Network devices can be configured to generate a syslog message and forward it to various destinations.

These four examples are popular ways to gather messages from Cisco devices:

  • Logging buffer (on by default)
  • Console line (on by default)
  • Terminal lines (using the terminal monitor command)
  • syslog server

By default, all messages generated by Cisco IOS go to the console port:

  • Those console messages can be directed to a syslog server.

A syslog server saves copies of console messages and can time-stamp them so you can view them later. Here would be your configuration on the SF router:

SNMP (Simple Network Management Protocol)

  • SNMP is an Application layer protocol that provides a message format for agents on a variety of devices to communicate with network management stations (NMSs).
  • SNMP was created in 1988 (RFC 1065)
  • Use SNMP v3 in the “authenticated and privacy protected” mode
  • Servers being monitored must be reachable on port 161, TCP and UDP

SSH (Secure SHell)

  • Use Secure Shell (SSH) instead of Telnet to connect to your devices because it creates a more secure session.
  • Telnet uses an unencrypted data stream, where SSH uses encryption keys to send data, so your username and password aren’t sent in the clear.
  • CORP(config)# crypto key generate rsa
  • PuTTY is a very popular SSH client.

Automation

  • Ansible is an open-source software provisioning, configuration management, and application-deployment tool enabling infrastructure as code.
  • Use SSH for more secure management of hosts

Read / Watch / Do

Study for Exam 3

CCNA Certification Study Guide, Volume 2