- News & Tools
- Stateful Firewall
- Network Address Translation (NAT)
- NAT Address Designations
- Troubleshooting NAT with Cisco IOS Commands
- Here’s a simple example of a basic static NAT configuration:
- Here is a sample output of a dynamic NAT configuration:
- Here is a sample output of a PAT configuration:
- More on NAT…
- Hands-On Lab-10: Network Address Translation (NAT)
- Cisco Discovery Protocol (CDP)
- Link Layer Discovery Protocol (LLDP)
- Network Time Protocol (NTP)
- SNMP (Simple Network Management Protocol)
- SSH (Secure SHell)
- Read / Watch / Do
- Study for Exam 3
News & Tools
- Scamming the scammers – catching the virus call centre scammers red-handed
- Video: Scamming the scammers — catching the virus call centre scammers red-handed (Skip to 18 minutes)
- Microsoft drops partner accused of cold-call scam. India-based Comantra, alleged to be involved in telephone support scam, ejected from Microsoft’s Gold Partner membership scheme
- Nurdles: the worst toxic waste you’ve probably never heard of. Billions of these tiny plastic pellets are floating in the ocean, causing as much damage as oil spills, yet they are still not classified as hazardous
- Stateful vs. Stateless Firewall Differences
- Understanding Firewalls Through the Lens of Stateful Protocol Inspection
What does a NAT router do? A NAT router creates a local area network (LAN) of private IP addresses and interconnects that LAN to the wide area network (WAN) known as the Internet. The “Network Address Translation” (NAT) performed by the router allows multiple computers (devices) connected to the LAN behind the router to communicate with the external Internet.1
- Network Address Translation (NAT) allows many inside IP addresses to be represented by some smaller number of outside/public IP addresses.
- Static NAT
- Dynamic NAT
- Port Address Translation (PAT) a.k.a. Dynamic NAT with Overload
NAT Address Designations
|Inside Local||Source host inside address before translation.|
|Outside Local||An IP address from which source host is known on the Internet. |
This is usually the address of the router interface connected to ISP—the actual Internet address.
|Inside Global||Source host address used after translation to get onto the Internet.|
This is also the actual Internet address.
|Outside Global||Address of outside destination host and, again, the real Internet address.|
Troubleshooting NAT with Cisco IOS Commands
- show ip nat translations
- clear ip nat translation *
- show ip nat statistics
- debug ip nat
Here’s a simple example of a basic static NAT configuration:
ip nat inside source static 10.1.1.1 22.214.171.124 ! interface Ethernet0 ip address 10.1.1.10 255.255.255.0 ip nat inside ! interface Serial0 ip address 126.96.36.199 255.255.255.0 ip nat outside !
Here is a sample output of a dynamic NAT configuration:
ip nat pool todd 188.8.131.52 184.108.40.206 netmask 255.255.255.0 ip nat inside source list 1 pool todd ! interface Ethernet0 ip address 10.1.1.10 255.255.255.0 ip nat inside ! interface Serial0 ip address 220.127.116.11 255.255.255.0 ip nat outside ! access-list 1 permit 10.1.1.0 0.0.0.255 !
Here is a sample output of a PAT configuration:
ip nat pool globalnet 18.104.22.168 22.214.171.124 netmask 255.255.255.0 ip nat inside source list 1 pool globalnet overload ! interface Ethernet0/0 ip address 10.1.1.10 255.255.255.0 ip nat inside ! interface Serial0/0 ip address 126.96.36.199 255.255.255.0 ip nat outside ! access-list 1 permit 10.1.1.0 0.0.0.255
More on NAT…
- How Network Address Translation Works
- Cisco IOS Network Address Translation Overview
- CCNA CCNP Training – No confusion with IP NAT Inside Outside Local Global
- Set up Port Address Translation (PAT) in the Cisco IOS
- How to Change the Dynamic NAT Configuration
- RIP Passive Interface
- NAT Router Security Solutions – Tips & Tricks You Haven’t Seen Before
- GRC’s Link Farm
Hands-On Lab-10: Network Address Translation (NAT)
- Use Cisco Packet Tracer v8.x
- You must be present for this class, and submit your 100% Packet Tracer file, to get full credit for this lab.
- This lab consists of four parts.
- Log into Cisco Packet Tracer
- Download the Lab Assets zip file (contains 4 parts)
- Unzip/extract the Lab Packet Tracer files
- Rename the Labs files with YourLastName, YourFirstName
- Open the Lab pka file in Packet Tracer
- Read the instructions!!!!!
- E-mail your 100% Lab to me. (All four parts)
Subject: CST3607 Lab-10 YourLastName, YourFirstName
- The passwords are included in the lab instructions. Read!!!!
- 1st password to log into a switch or router is the “console” password
- 2nd password to get into privileged mode is the “secret” password
Cisco Discovery Protocol (CDP)
- Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help us collect information about locally attached devices.
- Using CDP, we can gather hardware and protocol information about neighbor devices—vital information for documenting and troubleshooting the network!
SW-3# sh cdp neighbors detail
- Layer Discovery Protocol (LLDP) is another dynamic discovery protocol is Link, but it’s not proprietary.
- The IEEE created a new standardized discovery protocol called 802.1AB for Station and Media Access Control Connectivity Discovery.
- LLDP defines basic discovery capabilities, but it was also enhanced to specifically address voice applications. This version is called LLDP-MED (Media Endpoint Discovery).
- An important factor to remember is LLDP and LLDP-MED are not compatible!
- LLDP has the following configuration guidelines and limitations:
- LLDP must be enabled on the device before you can enable or disable it on any interface.
- LLDP is supported only on physical interfaces.
- LLDP can discover up to one device per port.
- LLDP can discover Linux servers.
- You can turn off LLDP completely with the no lldp run command from global configuration mode and enable it with the lldp run command.
Doing this enables it on all interfaces:
SW-3(config)# no lldp run SW-3(config)# lldp run
To turn LLDP off or on for an interface, use the lldp transmit and lldp receive commands:
SW-3(config-if)# no lldp transmit SW-3(config-if)# no lldp receive SW-3(config-if)# lldp transmit SW-3(config-if)# lldp receive
Network Time Protocol (NTP)
- NTP synchronizes clocks of computer systems/devices over packet-switched, variable-latency data networks.
- Typically you’ll have an NTP server that connects through the Internet to an atomic clock. This time can then be synchronized throughout the network to keep all routers, switches, servers, etc., receiving the same time information and in sync.
- Correct network time within the network is important because:
- It allows the tracking of events in the network in the correct order.
- Clock synchronization is critical for the correct interpretation of events within the syslog data.
- Clock synchronization is critical for digital certificates.
- Authentication like SAML SSO.
- e.g. If there’s time difference of 5 minutes or more, between the client PC and the IdP server, no one will be able to authenticate. The IdP would throw and error and refuse the attempt.
- For redundancy, you can set your switches to sync with the primary time source, and PC and other devices sync their times with the switch they’re connected to.
Reading system messages from a switch’s or router’s internal buffer is a popular and efficient method of seeing what’s going on with your network at a particular time.
The best way is to log messages to a syslog server, which stores time-stamped messages from your devices.
- Adverse events affecting the network usually occur when you’re not watching.
- You may need to have historical logs, to go back through, to determine what and when an event occurred.
Network devices can be configured to generate a syslog message and forward it to various destinations.
These four examples are popular ways to gather messages from Cisco devices:
- Logging buffer (on by default)
- Console line (on by default)
- Terminal lines (using the terminal monitor command)
- syslog server
By default, all messages generated by Cisco IOS go to the console port:
- Those console messages can be directed to a syslog server.
A syslog server saves copies of console messages and can time-stamp them so you can view them later. Here would be your configuration on the SF router:
SNMP (Simple Network Management Protocol)
- SNMP is an Application layer protocol that provides a message format for agents on a variety of devices to communicate with network management stations (NMSs).
- SNMP was created in 1988 (RFC 1065)
- Use SNMP v3 in the “authenticated and privacy protected” mode
- Servers being monitored must be reachable on port 161, TCP and UDP
SSH (Secure SHell)
- Use Secure Shell (SSH) instead of Telnet to connect to your devices because it creates a more secure session.
- Telnet uses an unencrypted data stream, where SSH uses encryption keys to send data, so your username and password aren’t sent in the clear.
- CORP(config)# crypto key generate rsa
- PuTTY is a very popular SSH client.
- Ansible is an open-source software provisioning, configuration management, and application-deployment tool enabling infrastructure as code.
- Use SSH for more secure management of hosts
Read / Watch / Do
Study for Exam 3
- Chapters 10, 11, 12, etc. see the summary the class notes for 2022-05-05