Saturday, December 10, 2005

Cisco IOS Security Configuration Guide, Release 12.2 - Configuring TCP Intercept (Preventing Denial-of-Service Attacks) [Cisco IOS Software Releases 12.2 Mainline]

Cisco IOS Security Configuration Guide, Release 12.2 - Configuring TCP Intercept (Preventing Denial-of-Service Attacks) [Cisco IOS Software Releases 12.2 Mainline] - Cisco Systems: "Configuring TCP Intercept (Preventing Denial-of-Service Attacks)"

More on this shortly

Cisco - Port Forwarding On Cisco Routers (inbound NAT)

A lot of other router manufacturers use the term Port Forwarding. In Cisco terminology, this is known as Inbound Network Address Translation (Inbound NAT). It is pretty easy to set up once you know how.

Let's assume you want to 'forward' TCP port 666 on your outside interface (i.e. your Internet-accessible interface) to port 777 on a machine behind the router that has the address 192.168.1.10.

If you had a static public IP address, you would bind the translation to that address. But in our case, the IP address we get is dynamically assigned by the ISP, so we instead bind it to our Dialer interface.

interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
! We define the FE interface as inside
ip nat inside
!
interface Dialer0
! This address is assigned by the ISP
ip address negotiated
! We define the dialer interface as outside
ip nat outside
!
! This is for outbound NAT (actually PAT): everything matched by access-list 1
! leaves with the Dialer0 address
ip nat inside source list 1 interface Dialer0 overload
! This binds outbound 192.168.1.10:777 to the public IP address on port 666 for TCP
! It also does the opposite (implied): This binds the public IP address on port 666 to 192.168.1.10:777
ip nat inside source static tcp 192.168.1.10 777 interface Dialer0 666
!
! access-list 1 is referenced above but was not shown; assumed here to be the inside LAN
access-list 1 permit 192.168.1.0 0.0.0.255

Info:

Cisco IOS Network Address Translation Overview

Configuring Network Address Translation: Getting Started
NAT Order of Operation

Cisco - Configuring DHCP Reservations (manual bindings)

You can configure DHCP reservations (or manual bindings as Cisco calls them) on a router by creating a unique DHCP pool for each host that requires a reservation.

It is a hassle ... but it can be done:
Cisco Documentation

A couple of pointers I have found:
  • Make sure the pools don't overlap (see my example below)
  • Remember that Windows machines use client-identifier, not hardware-address
  • The client-identifier is the type (01 for Ethernet) followed by the MAC address
  • You must make a unique pool for each reservation

Steps Required:
Router(config)# ip dhcp pool name
Router(dhcp-config)# host address [mask | /prefix-length]
Router(dhcp-config)# hardware-address hardware-address type
Router(dhcp-config)# client-identifier unique-identifier
Router(dhcp-config)# client-name name

Example (including my other DHCP pool). Note that my MAC address is 0020.ed6d.####:
!
ip dhcp pool homepool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
lease 0 2
!
ip dhcp pool mypc
host 192.168.1.138 255.255.255.0
client-identifier 0100.20ed.6d##.##
client-name mypc

Thursday, December 08, 2005

Cisco Routers - Logging Considerations

Important Information on Debug Commands [ISDN/Channel Associated Signalling (ISDN/CAS)] - Cisco Systems: "Warning: Excessive debugs to the console port of a router can cause it to hang. This is because the router automatically prioritizes console output ahead of other router functions. Hence if the router is processing a large debug output to the console port, it may hang. Hence, if the debug output is excessive use the vty (telnet) ports or the log buffers to obtain your debugs. More information is provided below.

Note: By default, logging is enabled on the console port. Hence, the console port always processes debug output even if you are actually using some other port or method (such as Aux, vty or buffer) to capture the output. Hence, we recommend that, under normal operating conditions, you have the command no logging console enabled at all times and use other methods to capture debugs. In situations where you need to use the console, temporarily turn logging console back on."
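A configuration that follows that recommendation, added here as an illustration (it is not part of the Cisco document quoted above): console logging is switched off, messages are kept in the local buffer and shipped to a syslog host, and a vty session pulls them with terminal monitor. The buffer size, the syslog host address and the severity levels are assumed example values.

```cisco
! Keep the console quiet so a burst of debug output cannot starve the router
no logging console
! Keep up to 16 KB of messages (down to debugging level) in RAM; read them with "show logging"
logging buffered 16384 debugging
! Also send messages to a syslog collector (address is an assumed example value)
logging host 192.0.2.10
! Keep debug-level output off the wire; syslog gets informational and above
logging trap informational
! Timestamp every message so buffered debugs can be correlated with other logs later
service timestamps log datetime msec localtime
service timestamps debug datetime msec
!
! Exec command, not configuration: run it on a telnet/SSH (vty) session to see
! messages on that session only
terminal monitor
```

The buffer is a ring: once it fills, the oldest messages are overwritten, so size it for the burst you expect to debug. Leaving logging trap at informational keeps a runaway debug from flooding the syslog host as well.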

Monday, November 21, 2005

Configuration of a drop-in bridged CISCO Router / Firewall

Configuration of a drop-in bridged CISCO Router / Firewall: "Configuration of a drop-in bridged CISCO Router"

Often, you have a given network layout which cannot be changed. For example, you own only a few routable IP addresses and therefore must use the same network ID for the DMZ (Demilitarized Zone) and your Internet connection. Some modern firewalls / routers allow you to "drop in" to such a network configuration. That means no network changes have to be made and only one IP address is used for the router / firewall. If you use a Cisco router, this can be difficult, because usually each interface on a Cisco router must have one IP address assigned to it. But there is a trick, so-called bridging, and using this feature you can overcome these difficulties.
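As an added illustration (not taken from the linked article), this is the integrated routing and bridging (IRB) form of that trick on IOS: both Ethernet interfaces join one bridge group and carry no IP address of their own, and the single routable address lives on the bridge-group virtual interface (BVI). Interface names, the public subnet and the upstream gateway are assumed example values.

```cisco
! Integrated routing and bridging: frames are bridged between the two ports,
! and IP packets addressed to the router itself are routed via the BVI
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! Outside (ISP-facing) interface: bridged, no address of its own
interface FastEthernet0/0
 description Outside - towards the ISP router
 no ip address
 bridge-group 1
!
! Inside (DMZ) interface: same bridge group, same public subnet
interface FastEthernet0/1
 description Inside - DMZ hosts on the shared public subnet
 no ip address
 bridge-group 1
!
! The only address the router owns, taken from the shared subnet (example value)
interface BVI1
 ip address 203.0.113.10 255.255.255.248
!
! Default route for traffic the router itself originates (management, logging)
ip route 0.0.0.0 0.0.0.0 203.0.113.9
```

The DMZ hosts keep their existing addresses and their existing default gateway (the ISP router), so nothing on the network changes when the box is inserted; the BVI address is only needed so that the router can be managed and can send logs. How traffic crossing the bridge is filtered is a separate question from the bridging itself and depends on the IOS release and platform.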

Friday, November 18, 2005

iTunes Pops & Crackles, Poor Playback on PC

Hi All,
"I have a fairly large MP3 collection on a decent machine that is nowhere near at full capacity, but whenever I play MP3 tracks via iTunes, the sound crackles and pops. The same tracks played via Windows Media Player and WinAmp do not make the same noises." Sound familiar? Then try the following:

_______________________
http://docs.info.apple.com/article.html?artnum=93610

If audio doesn't sound right when you play a song in iTunes or QuickTime Player, the Sound Out setting in the QuickTime control panel may be set to the wrong option, or there may be a conflict between the audio enhancing effects of the sound card and iTunes' Sound Enhancer feature. Things you might notice include:
* A song or audiobook may play too fast or too slow.
* The audio playback may sound scratchy or muffled.
* There is no sound when playing.
* The playhead does not progress.

Try changing the QuickTime Sound Out Setting to improve the quality:

QuickTime 6
1. Click the Start button and point to Control Panel.
2. From the menu at the top of the QuickTime Settings window, choose Sound Out.
3. Select a different option in the "Choose a device for playback" menu.

QuickTime 7
1. Click the Start button and point to Control Panel.
2. Open the QuickTime control panel.
3. Click the "Safe mode (waveOut only)" checkbox.

Some PC audio hardware has audio-enhancing effects that can conflict with iTunes' Sound Enhancer feature.
To resolve these conflicts, do one of the following:
* Turn off the effects for your PC's audio hardware using the configuration software that came with your hardware.
* Disable the Sound Enhancer feature in iTunes:
1. Open iTunes.
2. From the Edit menu, choose Preferences.
3. Click the Effects tab.
4. Deselect Sound Enhancer.

Tuesday, November 15, 2005

EIGRP does not support secondary addresses

EIGRP Frequently Asked Questions [IP Routing] - Cisco Systems: "Does EIGRP support secondary addresses?

A. EIGRP does support secondary addresses. Since EIGRP always sources data packets from the primary address, Cisco recommends that you configure all routers on a particular subnet with primary addresses that belong to the same subnet. Routers do not form EIGRP neighbors over secondary networks. Therefore, if all routers' primary IP addresses do not agree, problems can arise with neighbor adjacencies."

Sunday, November 13, 2005

Configuring a 'router on a stick' or a 'one-armed router'

Designing High Performance Campus Intranets [Campus Switching Solution] - Cisco Systems: "Router X is typically referred to as a 'router on a stick' or a 'one-armed router.' More routers can be used to distribute the load, and each router attaches to several or all VLANs. Traffic between workgroups must traverse the campus in the source VLAN to a port on the gateway router, then back out into the destination VLAN."

Why would you want to do this? Imagine that you have 2 subnets that you need to route between (10.1.1.x and 10.1.2.x). Normally, you would place one interface in each subnet and everything would be fine. But what if the router you are using only has one free interface? In this case, using one-armed routing would be one solution.

To do this, you set up the interface on the router and the interface on the switch that it is connected to as trunking ports. You can now route between both subnets via the single routed interface.

Things to remember:
1. You need to ensure that the trunking protocol between the router and the switch is the same.
2. The older Cisco 1900 switches only support ISL.
3. The newer Cisco 2900 switches only support 802.1Q.
4. Cisco 1700 routers only support 802.1Q.
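A worked configuration for the two subnets above, added here as an example (it is not from the Cisco document quoted in this post): the router's single interface carries an 802.1Q trunk with one subinterface per VLAN, and the switch port facing it is set to trunk. Interface names and the VLAN numbers 10 and 20 are assumed; the subnets are the ones from the post.

```cisco
! ---- Router: one physical interface, one subinterface per VLAN ----
interface FastEthernet0/0
 description 802.1Q trunk to the switch
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 description VLAN 10 - 10.1.1.0/24 (default gateway for that subnet)
 encapsulation dot1Q 10
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0.20
 description VLAN 20 - 10.1.2.0/24 (default gateway for that subnet)
 encapsulation dot1Q 20
 ip address 10.1.2.1 255.255.255.0
!
! ---- Switch: the port facing the router becomes an 802.1Q trunk ----
interface FastEthernet0/24
 description Trunk to the one-armed router
 ! Only needed on switches that support both ISL and 802.1Q;
 ! 802.1Q-only switches reject this line and need just "switchport mode trunk"
 switchport trunk encapsulation dot1q
 switchport mode trunk
```

Hosts in 10.1.1.0/24 use 10.1.1.1 as their default gateway and hosts in 10.1.2.0/24 use 10.1.2.1; the switch keeps the two VLANs apart and the router forwards between them. Because every packet between the workgroups now passes through the router, the subinterfaces are also the natural place to apply access lists if the two subnets should not talk to each other freely.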

Wednesday, November 02, 2005

Checkpoint Firewall - Troubleshooting Dropped Connections

When trying to troubleshoot unexplained connection drops, try running the following script on the Checkpoint firewall command line interface (you will need to be in active mode first). This script will take a list of all of the active connections in a human readable format (fw tab -t connections -f -u), then discard any errors (2>/dev/null) and then search only for the host you are interested in (grep 192.168.64.1). Note that a plain grep for 192.168.64.1 also matches 192.168.64.10, 192.168.64.100 and so on; use grep -w if that matters.

while [ 1 ] ; do echo "***********************************************************************" ; clock ; echo "***********************************************************************" ; fw tab -t connections -f -u 2>/dev/null | grep 192.168.64.1 ; echo ; sleep 1 ; done

Thursday, October 20, 2005

Untitled

With Flock, blogging Flickr pictures is easy. You can drag and drop pictures from our integrated Flickr topbar right into your blog post.

Example:

on (that looks like a feather pen).

  • Click the Topbar icon and select the Flickr topbar.
  • Type your Flickr user name and click Get Photos.
  • Drag your pictures into your blog post.

Untitled

Highlight a text passage and drag it to the box labeled "Drag stuff to blog it!"