CBAC + NAT

Our goal is to create the Loopback 4 interface on a router (let's call it R4) with the IP address 172.16.1.4/24. We should not advertise this network into any routing protocol.

This is the main step in the NAT configuration. No other router in our network knows how to reach R4's Loopback 4 network, yet we need to be able to source a ping from R4's Loopback 4 address, destined for any one of the network's interfaces, and have it succeed.

R4(config)#int lo4

R4(config-if)#ip add 172.16.1.4 255.255.255.0

R4(config-if)#^Z

The best way to look at this is that R4’s Lo4 (172.16.1.4/24) network is our local network. It is our inside network that will be the source of the ping. No one in the outside network (all other routers) knows about our inside address. So our inside source address is what we will need to translate into an address that the outside network understands and knows how to reach.

We have f0/0 with an outside network address, 211.1.114.4/24; this network is reachable by all other routers. We only have a single inside address to translate: the 172.16.1.4 Loopback 4 address must become an IP that is routable in the outside network. Since only one address needs translating, we use a static NAT translation, mapping the inside source address 172.16.1.4 to the outside address 211.1.114.4. Note that 211.1.114.4 is also the address of f0/0 itself. With a static entry for the interface's own address, every packet that arrives on the outside interface for 211.1.114.4 is translated to 172.16.1.4 (the debug output later in this post shows exactly that). That is fine for this lab, but in a real design you would use a spare address from the outside block so the router's own management and routing-protocol traffic is not diverted to the inside host.

To set up the NAT we need to specify an inside interface, an outside interface, and configure our translation statement. The NAT translation will only occur if the packet is sourced from the inside interface and is going out the outside interface.

First we assign the inside NAT interface. Our inside network is on Loopback 4, so that is our inside NAT interface.

R4#conf ter

Enter configuration commands, one per line. End with CNTL/Z.

R4(config)#interface Loopback4

R4(config-if)# ip nat inside

We then need to specify our outside NAT interface. We are going to translate our inside source address to the f0/0 IP address, 211.1.114.4. The translation only occurs when a packet sourced from our inside NAT interface, Loopback 4, goes out this interface, so f0/0 is our outside NAT interface.

R4(config-if)#interface f0/0

R4(config-if)#ip nat outside

Finally we configure the static NAT translation: inside source address 172.16.1.4 to outside address 211.1.114.4, a one-to-one mapping.

R4(config)#ip nat inside source static 172.16.1.4 211.1.114.4

We can check that the static entry exists with the show ip nat translations command on R4. A static entry is present as soon as it is configured, before any packet has been translated, so this only confirms the mapping, not that traffic is flowing through it.

R4#show ip nat translations

Pro  Inside global      Inside local       Outside local      Outside global

---  211.1.114.4        172.16.1.4         ---                ---

We can then test the NAT with an extended ping on R4, sourcing the ping from the Loopback 4 address. With debug ip nat detailed enabled, the NAT lines that follow the ping show each echo being translated on the way out and each reply being untranslated on the way back in.

R4#ping 211.1.114.1 so lo4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 211.1.114.1, timeout is 2 seconds:

Packet sent with a source address of 172.16.1.4

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R4#

*Aug 12 01:21:31.441: NAT: i: icmp (172.16.1.4, 4) -> (211.1.114.1, 4) [20]

*Aug 12 01:21:31.441: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [20]

*Aug 12 01:21:31.445: NAT*: o: icmp (211.1.114.1, 4) -> (211.1.114.4, 4) [20]

*Aug 12 01:21:31.445: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [20]

*Aug 12 01:21:31.445: NAT: i: icmp (172.16.1.4, 4) -> (211.1.114.1, 4) [21]

*Aug 12 01:21:31.445: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [21]

*Aug 12 01:21:31.445: NAT*: o: icmp (211.1.114.1, 4) -> (211.1.114.4, 4) [21]

*Aug 12 01:21:31.445: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [21]

*Aug 12 01:21:31.445: NAT: i: icmp (172.16.1.4, 4) -> (211.1.114.1, 4) [22]

*Aug 12 01:21:31.449: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [22]

*Aug 12 01:21:31.449: NAT*: o: icmp (211.1.114.1, 4) -> (211.1.114.4, 4) [22]

*Aug 12 01:21:31.449: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [22]

*Aug 12 01:21:31.449: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [23]

*Aug 12 01:21:31.453: NAT*: o: icmp (211.1.114.1, 4) -> (211.1.114.4, 4) [23]

*Aug 12 01:21:31.453: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [23]

*Aug 12 01:21:31.453: NAT: i: icmp (172.16.1.4, 4) -> (211.1.114.1, 4) [24]

*Aug 12 01:21:31.453: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [24]

*Aug 12 01:21:31.453: NAT*: o: icmp (211.1.114.1, 4) -> (211.1.114.4, 4) [24]

*Aug 12 01:21:31.453: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [24]
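In the debug output, a "NAT:" line with s=a->b shows an inside-to-outside packet having its source rewritten, and a "NAT*:" line with d=b->a shows the outside-to-inside reply having its destination rewritten (the asterisk marks a fast-switched packet; the bracketed number is the IP identification field, which is what ties the two directions together). Reading forty lines of that by eye is error-prone, so here is an added example, not part of the post and not IOS code, that pairs the translation lines per IP ID and checks that every packet was mapped 172.16.1.4->211.1.114.4 on the way out and back again on the way in. SAMPLE is a constructed excerpt in the format of the debug output above; the [25] entry with only one direction is made up to show how a lost reply is reported.

```python
"""Pair the 'debug ip nat detailed' translation lines per IP identification
number so a static NAT can be checked packet by packet instead of by eye.
Added example for this post, not IOS output parsing code from it; SAMPLE is a
constructed excerpt in the format of the debug output above."""
import re
from collections import defaultdict

# NAT:  s=172.16.1.4->211.1.114.4, d=211.1.114.1 [20]   inside->outside, source rewritten
# NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [20]   outside->inside, destination rewritten
# (the asterisk marks a fast-switched packet; the bracketed number is the IP ID)
LINE = re.compile(r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?,"
                  r" d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<id>\d+)\]")

SAMPLE = [
    "*Aug 12 01:21:31.441: NAT: i: icmp (172.16.1.4, 4) -> (211.1.114.1, 4) [20]",
    "*Aug 12 01:21:31.441: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [20]",
    "*Aug 12 01:21:31.445: NAT*: o: icmp (211.1.114.1, 4) -> (211.1.114.4, 4) [20]",
    "*Aug 12 01:21:31.445: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [20]",
    "*Aug 12 01:21:31.445: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [21]",
    "*Aug 12 01:21:31.445: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [21]",
    # constructed: an echo whose reply never came back (or whose debug line was lost)
    "*Aug 12 01:21:31.449: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [25]",
    # an outside-initiated packet, as in the BB1 ping later in the post
    "*Aug 12 02:02:25.000: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16812]",
    "*Aug 12 02:02:25.000: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16812]",
]


def pair_translations(lines):
    """Return {ip_id: {"out": (local, global, dst), "in": (src, global, local)}}."""
    by_id = defaultdict(dict)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue                 # "i:"/"o:" lines carry no translation
        g = m.groupdict()
        if g["s2"]:                  # source rewritten: inside -> outside
            by_id[int(g["id"])]["out"] = (g["s"], g["s2"], g["d"])
        elif g["d2"]:                # destination rewritten: outside -> inside
            by_id[int(g["id"])]["in"] = (g["s"], g["d"], g["d2"])
    return dict(by_id)


def check_static_nat(by_id, local, glob):
    """Each ID should show local->glob on the way out and glob->local on the way
    back; return (ids that do, [(id, problem), ...] for the rest)."""
    ok, problems = [], []
    for pid, dirs in sorted(by_id.items()):
        out, inn = dirs.get("out"), dirs.get("in")
        if out and out[:2] != (local, glob):
            problems.append((pid, f"unexpected outbound mapping {out[0]}->{out[1]}"))
        elif inn and inn[1:] != (glob, local):
            problems.append((pid, f"unexpected inbound mapping {inn[1]}->{inn[2]}"))
        elif not (out and inn):
            problems.append((pid, "only one direction seen"))
        else:
            ok.append(pid)
    return ok, problems


if __name__ == "__main__":
    good, bad = check_static_nat(pair_translations(SAMPLE), "172.16.1.4", "211.1.114.4")
    print("paired:", good, "problems:", bad)
```

Feed it the output of a terminal capture (one line per list element) and any ID that shows an unexpected mapping, or only one direction, is the packet to look at.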

With NAT in place we can build the firewall. We will use Lo4 as the DMZ; the pod network behind f0/1 (128.1.0.0/16) is the internal network, and the connection to BB1 on f0/0 is the external network. Configure Context-Based Access Control (CBAC) to secure the internal network and allow limited outside access to the DMZ. The goal is a rock-solid firewall on the border router R4: secure the internal segment, 128.1.0.0/16, so that outside hosts cannot initiate a session with inside hosts; secure the DMZ so that outside hosts can reach the public services there, but only when the outside host initiates the session; and, so that a compromised DMZ host cannot be used as a pivot, allow no connections to be initiated from the DMZ.

Configure access lists on R4 to protect the internal network.

R4#conf ter

Enter configuration commands, one per line. End with CNTL/Z.

R4(config)#access-list 101 permit ip 128.1.0.0 0.0.255.255 any

R4(config)#access-list 101 deny ip any any

R4(config)#interface fastethernet 0/1

R4(config-if)#ip access-group 101 in

Access list 101 might at first appear unnecessary. But in a secure network that uses CBAC, it is important to explicitly specify what traffic an interface should accept. In this case, you expect FastEthernet 0/1 to accept only traffic sourced from the internal network (128.1.0.0/16), which also stops a host on that segment from sending packets with a spoofed outside source. Although the deny any any is implicit, many administrators include an explicit entry so that it shows up in the running configuration and in show ip access-lists output, where its hit counter tells you how much traffic the list is dropping.

Next, you must configure an outbound access list on FastEthernet 0/1. Traffic leaving this interface will be traffic originating from either the DMZ or the External network, so this access list must protect the internal network.

Start configuring this list by allowing the ICMP traffic that internal hosts need for network management and troubleshooting. By permitting echo replies and a few select error messages, you let your internal hosts receive important ICMP error messages from beyond their local network.

R4#conf ter

Enter configuration commands, one per line. End with CNTL/Z.

R4(config)#access-list 102 permit icmp any any administratively-prohibited

R4(config)#access-list 102 permit icmp any any echo-reply

R4(config)#access-list 102 permit icmp any any packet-too-big

R4(config)#access-list 102 permit icmp any any time-exceeded

R4(config)#access-list 102 permit icmp any any unreachable

R4(config)#access-list 102 deny ip any any

R4(config)#interface fastethernet 0/1

R4(config-if)#ip access-group 102 out

R4(config-if)#^Z

Access list 102 blocks all traffic from leaving FastEthernet 0/1 toward the internal network, except for those ICMP messages. On its own that would also block the replies to sessions the internal hosts open; that is what CBAC is for. When an inspection rule sees a session start, it inserts temporary entries at the front of this list for that session's return traffic and removes them when the session ends or times out. Verify that the access lists have taken effect with show ip access-lists and show ip interface fastethernet 0/1.

Now let's configure the DMZ's inbound access list on R4:

R4#conf ter

Enter configuration commands, one per line. End with CNTL/Z.

R4(config)# access-list 116 permit ip 211.1.114.0 0.0.0.255 any

R4(config)# access-list 116 deny ip any any log

R4(config)# interface lo4

R4(config-if)# ip access-group 116 in

Logging every denied packet is a good way to troubleshoot a firewall implementation: you can see what is being dropped and decide whether that is intended. Again, you have used this simple list to specify the only traffic permitted to enter R4 from the DMZ, Loopback 4. Note that list 116 permits sources in 211.1.114.0/24, while a packet sourced from Loopback 4 still carries its inside local address 172.16.1.4 when the inbound list is evaluated (on the inside-to-outside path the inbound ACL runs before NAT), so the only entry a DMZ-sourced packet can hit is the logged deny, which is consistent with the requirement that nothing originates from the DMZ.

Now configure the outbound access list for the DMZ interface, Loopback 4. This list filters the traffic that arrives from the internal network and the Internet and is headed into the DMZ. Assume for this lab that Loopback 4 of R4 is an Internet server that provides Web, FTP and SMTP (mail) in the DMZ.

R4(config)#access-list 112 permit tcp any host 211.1.114.4 eq ftp

R4(config)#access-list 112 permit tcp any host 211.1.114.4 eq smtp

R4(config)#access-list 112 permit tcp any host 211.1.114.4 eq www

R4(config)#interface lo4

R4(config-if)#ip access-group 112 out

One thing to watch with list 112: on the outside-to-inside path IOS evaluates the inbound ACL, then NAT, then routing, then the outbound ACL, so by the time a packet reaches the outbound list on Loopback 4 its destination has already been translated from 211.1.114.4 to 172.16.1.4. Entries that match host 211.1.114.4 will therefore never match the translated packets; to take effect, the host entries would need to reference 172.16.1.4.

After you configure the DMZ and internal access lists, you can focus on the external interface (f0/0), which represents the greatest security threat.


Configure the inbound list for R4 f0/0 first, then the outbound list. The inbound list (151) drops any packet arriving from the outside that claims R4's own outside address, 211.1.114.4, as its source (a basic anti-spoofing check) and otherwise lets everything in, leaving the real filtering to the outbound lists and CBAC. The outbound list (152) permits echo replies and time-exceeded messages, drops everything sourced from the internal network, and permits the rest.

R4(config)#access-list 151 deny ip 211.1.114.4 0.0.0.0 any

R4(config)#access-list 151 permit ip any any

R4(config)#

R4(config)#interface f0/0

R4(config-if)#ip access-group 151 in

R4(config-if)#exit

R4(config)#access-list 152 permit icmp any any echo-reply

R4(config)#access-list 152 permit icmp any any time-exceeded

R4(config)#access-list 152 deny ip 128.1.0.0 0.0.255.255 any

R4(config)#access-list 152 permit ip any any

R4(config)#

R4(config)#interface f0/0

R4(config-if)#ip access-group 152 out

A word on list 152: applied outbound on f0/0, its deny ip 128.1.0.0 0.0.255.255 any drops every packet sourced from the internal network other than echo replies and time-exceeded messages, so with it in place internal hosts cannot initiate sessions to the outside at all. CBAC does not change that: an inspection rule only opens the return path for a session whose first packet was itself permitted by the static lists. If the deny was meant as anti-spoofing (no packet with an internal source should ever arrive from the Internet), it belongs in the inbound list 151 on f0/0 instead. As configured, the lab meets the requirement that outside hosts cannot initiate sessions to inside hosts, but it also isolates the inside from the outside.

CBAC on R4:

R4(config)#ip inspect name SATURNVIII ftp

R4(config)#ip inspect name SATURNVIII http

R4(config)#ip inspect name SATURNVIII smtp

R4(config)#ip inspect name SATURNVIII sqlnet

R4(config)#ip inspect name SATURNVIII tcp

R4(config)#ip inspect name SATURNVIII icmp

Here we create a CBAC inspection rule named SATURNVIII.

Its job is to recognise sessions of the listed application protocols (FTP, HTTP, SMTP, SQL*Net, generic TCP and ICMP) as they start, keep state for each one, and add temporary ACL entries for the return traffic, which is what lets replies through the deny-all lists configured above. The rule is applied inbound on both f0/1 (sessions the internal network opens) and f0/0 (sessions outside hosts open toward the DMZ):

R4(config)#interface fastethernet 0/1

R4(config-if)#ip inspect SATURNVIII in

R4(config-if)#interface f0/0

R4(config-if)#ip inspect SATURNVIII in
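To make the interaction between the static lists, the static NAT entry and the inspection rule concrete, here is an added example, not from the post and not IOS code: a small Python model of R4's packet path with the post's lists 101/102/151/152, the static NAT entry and a CBAC-style session table (the Loopback 4 lists are left out, and every packet is constructed). It reproduces what the tests later in the post show (BB1 can reach the translated DMZ address but not 128.1.45.5), shows a spoofed 211.1.114.4 source being dropped by list 151, and shows the internal network unable to open a session outward through list 152 as written. The egress_deny_internal switch is a what-if that is not in the post: it removes that deny so you can watch CBAC let the SYN-ACK of an internal-initiated session back through list 102 while an unsolicited SYN to the same host is still dropped.

```python
"""Packet-path model of R4 in this lab: inbound ACL, static NAT, routing, outbound
ACL, and a CBAC-style session table that lets reply traffic through a deny-all list.
Added example, not IOS code; the Loopback 4 lists are left out, packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMP = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # tcp source port (unused for icmp)
    dport: int = 0      # tcp destination port, or the icmp type


def in_wild(addr: str, spec: str) -> bool:
    """IOS wildcard match: every bit set in the wildcard is a don't-care bit."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, net, wild))
    return (a ^ n) & ~w == 0


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "icmp"
    src: str                    # "addr wildcard" or "any"
    dst: str
    port: Optional[int] = None  # tcp "eq" port, or icmp type

    def matches(self, p: Pkt) -> bool:
        return (self.proto in ("ip", p.proto) and in_wild(p.src, self.src)
                and in_wild(p.dst, self.dst)
                and (self.port is None or self.port == p.dport))


def acl_permits(acl, p: Pkt) -> bool:
    """First matching entry wins; no match is the implicit 'deny ip any any'."""
    return next((a.action == "permit" for a in acl if a.matches(p)), False)


class R4:
    def __init__(self, egress_deny_internal: bool = True):
        self.acl_in = {  # 101 in on f0/1, 151 in on f0/0
            "f0/1": [Ace("permit", "ip", "128.1.0.0 0.0.255.255", "any")],
            "f0/0": [Ace("deny", "ip", "211.1.114.4 0.0.0.0", "any"),
                     Ace("permit", "ip", "any", "any")]}
        # 102 out on f0/1 (administratively-prohibited is folded into type 3 here)
        acl102 = [Ace("permit", "icmp", "any", "any", ICMP[t])
                  for t in ("echo-reply", "unreachable", "time-exceeded")]
        # 152 out on f0/0; the deny of 128.1.0.0/16 is switchable for a what-if run
        acl152 = [Ace("permit", "icmp", "any", "any", ICMP["echo-reply"]),
                  Ace("permit", "icmp", "any", "any", ICMP["time-exceeded"])]
        if egress_deny_internal:
            acl152.append(Ace("deny", "ip", "128.1.0.0 0.0.255.255", "any"))
        acl152.append(Ace("permit", "ip", "any", "any"))
        self.acl_out = {"f0/1": acl102, "f0/0": acl152}
        self.nat = {"172.16.1.4": "211.1.114.4"}  # ip nat inside source static
        self.inspect = {"f0/1", "f0/0"}           # ip inspect SATURNVIII in
        self.sessions = set()                     # CBAC state, post-NAT view

    @staticmethod
    def key(proto, src, dst, sport, dport):
        return (proto, src, dst) if proto == "icmp" else (proto, src, dst, sport, dport)

    @staticmethod
    def route(dst: str) -> str:
        ip = ipaddress.ip_address(dst)
        if ip in ipaddress.ip_network("128.1.0.0/16"):
            return "f0/1"
        return "lo4" if ip in ipaddress.ip_network("172.16.1.0/24") else "f0/0"

    def forward(self, p: Pkt, in_if: str) -> str:
        # CBAC: the reply to an inspected session is let through both static lists.
        is_return = self.key(p.proto, p.dst, p.src, p.dport, p.sport) in self.sessions
        if not is_return and in_if in self.acl_in and not acl_permits(self.acl_in[in_if], p):
            return f"dropped by inbound ACL on {in_if}"
        # Static NAT: inside->outside rewrites the source, outside->inside the destination.
        if in_if == "lo4" and p.src in self.nat:
            p = Pkt(p.proto, self.nat[p.src], p.dst, p.sport, p.dport)
        elif in_if == "f0/0":
            local = {glob: loc for loc, glob in self.nat.items()}.get(p.dst)
            if local:
                p = Pkt(p.proto, p.src, local, p.sport, p.dport)
        out_if = self.route(p.dst)
        if not is_return and out_if in self.acl_out and not acl_permits(self.acl_out[out_if], p):
            return f"dropped by outbound ACL on {out_if}"
        if in_if in self.inspect and not is_return:
            self.sessions.add(self.key(p.proto, p.src, p.dst, p.sport, p.dport))
        return f"forwarded {p.src} -> {p.dst} out {out_if}"


if __name__ == "__main__":
    r4 = R4()
    print(r4.forward(Pkt("icmp", "211.1.114.1", "211.1.114.4", 0, ICMP["echo"]), "f0/0"))
    print(r4.forward(Pkt("icmp", "211.1.114.1", "128.1.45.5", 0, ICMP["echo"]), "f0/0"))
    print(r4.forward(Pkt("tcp", "128.1.45.5", "211.1.114.1", 40000, 80), "f0/1"))
```

The session table is stored in the post-NAT (outside) view and consulted with the reply's pre-NAT addresses, which is why an echo reply leaving Loopback 4 as 172.16.1.4 matches the session that was recorded for 211.1.114.1 -> 172.16.1.4. The wildcard matcher uses the real IOS semantics (set bits are don't-care), so it also handles non-contiguous masks.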

R4# show ip inspect al

Session audit trail is disabled

Session alert is enabled

one-minute (sampling period) thresholds are [400:500] connections

max-incomplete sessions thresholds are [400:500]

max-incomplete tcp connections per host is 50. Block-time 0 minute.

tcp synwait-time is 30 sec — tcp finwait-time is 5 sec

tcp idle-time is 3600 sec — udp idle-time is 30 sec

dns-timeout is 5 sec

Inspection Rule Configuration

Inspection name SATURNVIII

ftp alert is on audit-trail is off timeout 3600

http alert is on audit-trail is off timeout 3600

smtp max-data 20000000 alert is on audit-trail is off timeout 3600

sqlnet alert is on audit-trail is off timeout 3600

tcp alert is on audit-trail is off timeout 3600

icmp alert is on audit-trail is off timeout 10

Interface Configuration

Interface FastEthernet0/1

Inbound inspection rule is SATURNVIII

ftp alert is on audit-trail is off timeout 3600

http alert is on audit-trail is off timeout 3600

smtp max-data 20000000 alert is on audit-trail is off timeout 3600

sqlnet alert is on audit-trail is off timeout 3600

tcp alert is on audit-trail is off timeout 3600

icmp alert is on audit-trail is off timeout 10

Outgoing inspection rule is not set

Inbound access list is 101

Outgoing access list is 102

Interface FastEthernet0/0

Inbound inspection rule is SATURNVIII

ftp alert is on audit-trail is off timeout 3600

http alert is on audit-trail is off timeout 3600

smtp max-data 20000000 alert is on audit-trail is off timeout 3600

sqlnet alert is on audit-trail is off timeout 3600

tcp alert is on audit-trail is off timeout 3600

icmp alert is on audit-trail is off timeout 10

Outgoing inspection rule is not set

Inbound access list is 151

Outgoing access list is 152

So let's test our little beast here. Enable NAT and CBAC ICMP debugging on R4, then ping the translated DMZ address from BB1:

R4#deb ip nat de

IP NAT detailed debugging is on

R4#deb ip inspect icmp

INSPECT ICMP Inspection debugging is on

R4#

BB1#ping 211.1.114.4 rep 100

Type escape sequence to abort.

Sending 100, 100-byte ICMP Echos to 211.1.114.4, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (100/100), round-trip min/avg/max = 1/3/4 ms

*Aug 12 02:02:24.996: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16811]

*Aug 12 ...: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16812]

*Aug 12 02:02:25.000: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16812]

*Aug 12 02:02:25.000: CBAC: ICMP Echo pkt 211.1.114.1 => 172.16.1.4

*Aug 12 02:02:25.000: NAT: i: icmp (172.16.1.4, 3) -> (211.1.114.1, 3) [16812]

*Aug 12 02:02:25.000: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16812]

*Aug 12 02:02:25.000: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16813]

*Aug 12 02:02:25.000: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16813]

*Aug 12 02:02:25.004: CBAC: ICMP Echo pkt 211.1.114.1 => 172.16.1.4

*Aug 12 02:02:25.004: NAT: i: icmp (172.16.1.4, 3) -> (211.1.114.1, 3) [16813]

*Aug 12 02:02:25.004: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16813]

*Aug 12 02:02:25.004: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16814]

*Aug 12 02:02:25.004: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16814]

*Aug 12 02:02:25.004: CBAC: ICMP Echo pkt 211.1.114.1 => 172.16.1.4

*Aug 12 02:02:25.004: NAT: i: icmp (172.16.1.4, 3) -> (211.1.114.1, 3) [16814]

*Aug 12 02:02:25.004: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16814]

*Aug 12 02:02:25.008: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16815]

*Aug 12 02:02:25.008: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16815]

*Aug 12 02:02:25.008: CBAC: ICMP Echo pkt 211.1.114.1 => 172.16.1.4

*Aug 12 02:02:25.008: NAT: i: icmp (172.16.1.4, 3) -> (211.1.114.1, 3) [16815]

*Aug 12 02:02:25.008: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16815]

*Aug 12 02:02:25.008: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16816]

*Aug 12 02:02:25.012: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16816]

*Aug 12 02:02:25.012: CBAC: ICMP Echo pkt 211.1.114.1 => 172.16.1.4

*Aug 12 02:02:25.012: NAT: i: icmp (172.16.1.4, 3) -> (211.1.114.1, 3) [16816]

*Aug 12 02:02:25.012: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16816]

*Aug 12 02:02:25.012: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16817]

*Aug 12 02:02:25.012: NAT*: s=211.1.114.1, d=211.1.114.4->172.16.1.4 [16817]

*Aug 12 02:02:25.012: CBAC: ICMP Echo pkt 211.1.114.1 => 172.16.1.4

*Aug 12 02:02:25.016: NAT: i: icmp (172.16.1.4, 3) -> (211.1.114.1, 3) [16817]

*Aug 12 02:02:25.016: NAT: s=172.16.1.4->211.1.114.4, d=211.1.114.1 [16817]

*Aug 12 02:02:25.016: NAT*: o: icmp (211.1.114.1, 3) -> (211.1.114.4, 3) [16818]

Verification

The first lines below are the tail of an earlier ping from BB1 whose start was cut off, resumed through the terminal server; each U is an ICMP unreachable received in place of an echo reply.

rack9>11

[Resuming connection 11 to bb1 … ]

.U.U.

Success rate is 0 percent (0/42)

BB1#show ip route rip

R* 0.0.0.0/0 [120/1] via 211.1.114.14, 00:00:21, FastEthernet0/1

BB1#deb ip icmp

ICMP packet debugging is on

BB1#ping 128.1.45.5 rep 12

Type escape sequence to abort.

Sending 12, 100-byte ICMP Echos to 128.1.45.5, timeout is 2 seconds:

U

*Aug 12 01:59:26.696: ICMP: dst (211.1.114.1) administratively prohibited unreachable rcv from 211.1.114.14

U

rack9>4

[Resuming connection 4 to R4 … ]

*Aug 12 02:04:53.684: CBAC: ICMP Unreachable pkt 211.1.114.14 => 211.1.114.1

*Aug 12 02:05:09.108: CBAC: ICMP Unreachable pkt 211.1.114.14 => 211.1.114.1

R4#

So the outside host BB1 can reach the DMZ server through its translated address (100 of 100 echoes answered, each one translated to 172.16.1.4 and back), while its pings to the internal host 128.1.45.5 fail with administratively prohibited unreachables, which R4's ICMP inspection logs as they pass: outside hosts cannot initiate sessions into the internal network. Note that the CBAC line for each echo shows the packet after translation (211.1.114.1 => 172.16.1.4); inspection runs after NAT in the packet path, so the session state is kept on the inside addresses.

Note also that the 100/100 result was obtained with list 112, which has no ICMP entry, applied outbound on Loopback 4. That is expected: an outbound ACL filters packets the router forwards out an interface, and a packet addressed to the router's own Loopback 4 address is delivered locally rather than forwarded, so the lists on Lo4 do not filter traffic the router itself answers. In this lab the enforcement for the DMZ address really comes from lists 151 and 152 and the inspection rule on f0/0.

A Networker Blog
