Saturday, December 10, 2005


Cisco IOS Security Configuration Guide, Release 12.2 - Configuring TCP Intercept (Preventing Denial-of-Service Attacks) [Cisco IOS Software Releases 12.2 Mainline] - Cisco Systems: "Configuring TCP Intercept (Preventing Denial-of-Service Attacks)"

More on this shortly

Cisco - Port Forwarding On Cisco Routers (inbound NAT)

A lot of other router manufacturers use the term Port Forwarding. In Cisco terminology, this is known as Inbound Network Address Translation (Inbound NAT). It is pretty easy to set up once you know how.

Let's assume you want to 'forward' TCP port 666 on your outside interface (i.e. your Internet-accessible interface) to port 777 on a machine behind the router with the address 192.168.1.10.

If you had a static public IP address, you would bind the translation to that address. But in our case the IP address we get is dynamically assigned by the ISP, so we instead bind it to our Dialer interface.

interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
! We define the FE interface as inside
ip nat inside
!
interface Dialer0
! This address is assigned by the ISP
ip address negotiated
! We define the dialer interface as outside
ip nat outside
!
! This is for outbound NAT (actually PAT)
ip nat inside source list 1 interface Dialer0 overload
! This binds outbound 192.168.1.10:777 to the public IP address on port 666 for TCP
! It also does the opposite (implied): This binds the public IP address on port 666 to 192.168.1.10:777
ip nat inside source static tcp 192.168.1.10 777 interface Dialer0 666

Info:

Cisco IOS Network Address Translation Overview

Configuring Network Address Translation: Getting Started
NAT Order of Operation

Cisco - Configuring DHCP Reservations (manual bindings)

You can configure DHCP reservations (or manual bindings as Cisco calls them) on a router by creating a unique DHCP pool for each host that requires a reservation.

It is a hassle ... but it can be done:
Cisco Documentation

A couple of pointers I have found:
  • Make sure the pools don't overlap (see my example below)
  • Remember that Windows machines use client-identifier, not hardware-address
  • The client-identifier is the hardware type (01 for Ethernet) followed by the MAC address
  • You must make a unique pool for each reservation

Steps Required:
Router(config)# ip dhcp pool name
Router(dhcp-config)# host address [mask | /prefix-length]
Router(dhcp-config)# hardware-address hardware-address type
Router(dhcp-config)# client-identifier unique-identifier
Router(dhcp-config)# client-name name

Example (including my other DHCP pool). Note that my MAC address is 0020.ed6d.####:
!
ip dhcp pool homepool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
lease 0 2
!
ip dhcp pool mypc
host 192.168.1.138 255.255.255.0
client-identifier 0100.20ed.6d##.##
client-name mypc
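The client-identifier rule above (01 plus the MAC, regrouped into IOS dotted notation) and the one-pool-per-reservation requirement, as an added Python example that is not from the original post: it builds the manual-binding stanza from a MAC written in colon, hyphen or Cisco dotted form and rejects duplicate or out-of-subnet reservations. The MAC 00:20:ed:6d:aa:bb is a constructed placeholder for the redacted one in the post.

```python
import ipaddress
import re

# Constructed sample input (not from the original post); the MAC is a made-up
# placeholder standing in for the author's redacted 0020.ed6d.####.
SAMPLE_NETWORK = "192.168.1.0/24"
SAMPLE_RESERVATIONS = [("mypc", "192.168.1.138", "00:20:ed:6d:aa:bb")]

def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC given in colon, hyphen or Cisco dotted form."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def cisco_dotted(hexdigits: str) -> str:
    """Group hex digits the way IOS prints them: four per group, dot-separated."""
    return ".".join(hexdigits[i:i + 4] for i in range(0, len(hexdigits), 4))

def client_identifier(mac: str, hardware_type: str = "01") -> str:
    """Hardware type (01 = Ethernet) followed by the MAC. Prepending the type byte
    shifts the dotted grouping: 0020.ed6d.aabb becomes 0100.20ed.6daa.bb."""
    return cisco_dotted(hardware_type + normalize_mac(mac))

def reservation_pools(network: str, reservations) -> str:
    """Render one manual-binding pool per host. Each reservation gets its own pool,
    no two may share an address or identifier, and every host must lie inside the
    dynamic pool's subnet, which also supplies the mask for the host line."""
    net = ipaddress.ip_network(network, strict=False)
    seen_hosts, seen_ids, stanzas = set(), set(), []
    for name, host, mac in reservations:
        addr = ipaddress.ip_address(host)
        if addr not in net:
            raise ValueError(f"{host} is outside {net}")
        ident = client_identifier(mac)
        if addr in seen_hosts or ident in seen_ids:
            raise ValueError(f"duplicate reservation: {name}")
        seen_hosts.add(addr)
        seen_ids.add(ident)
        stanzas.append("\n".join([
            "!", f"ip dhcp pool {name}", f" host {addr} {net.netmask}",
            f" client-identifier {ident}", f" client-name {name}",
        ]))
    return "\n".join(stanzas)

if __name__ == "__main__":
    print(reservation_pools(SAMPLE_NETWORK, SAMPLE_RESERVATIONS))
```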

Thursday, December 08, 2005

Cisco Routers - Logging Considerations

Important Information on Debug Commands [ISDN/Channel Associated Signalling (ISDN/CAS)] - Cisco Systems: "Warning: Excessive debugs to the console port of a router can cause it to hang. This is because the router automatically prioritizes console output ahead of other router functions. Hence if the router is processing a large debug output to the console port, it may hang. Hence, if the debug output is excessive use the vty (telnet) ports or the log buffers to obtain your debugs. More information is provided below.

Note: By default, logging is enabled on the console port. Hence, the console port always processes debug output even if you are actually using some other port or method (such as Aux, vty or buffer) to capture the output. Hence, we recommend that, under normal operating conditions, you have the command no logging console enabled at all times and use other methods to capture debugs. In situations where you need to use the console, temporarily turn logging console back on."