Friday, December 31, 2010

Network Address Translation

Private IP Addresses: RFC 1918

The following table lists the address ranges specified in RFC 1918 that anyone can use as internal private addresses. These are your “inside-the-LAN” addresses and must be translated into public addresses before they can be routed across the Internet. Any network may use these ranges, but they must never be routed onto the public Internet; ISPs filter them, so a packet that leaves with a private source address gets no reply.

• 10.0.0.0 to 10.255.255.255 (10.0.0.0/8, one Class A block)
• 172.16.0.0 to 172.31.255.255 (172.16.0.0/12, sixteen Class B blocks)
• 192.168.0.0 to 192.168.255.255 (192.168.0.0/16, 256 Class C blocks)
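
Because private addresses are never valid on the Internet link, the practical counterpart of the table is a filter on the outside interface. The following is an added example, not configuration from the original page; it assumes a router named Corp whose Serial0/0/0 faces the ISP.

```cisco
! Added example (assumed hostname and interface): keep RFC 1918 addresses
! off the Internet link in both directions.
!
! Inbound: a packet arriving from the Internet with a private source address
! is spoofed or leaked and must never reach the LAN; drop and log it.
Corp(config)#ip access-list extended BLOCK-PRIVATE-IN
Corp(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any log
Corp(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any log
Corp(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any log
Corp(config-ext-nacl)#permit ip any any
Corp(config-ext-nacl)#exit
!
! Outbound: IOS translates inside-to-outside traffic before the outbound ACL
! is checked, so anything still carrying a private source here missed NAT
! (wrong NAT access-list, exhausted pool). Drop it instead of leaking it.
Corp(config)#ip access-list extended BLOCK-PRIVATE-OUT
Corp(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any log
Corp(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any log
Corp(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any log
Corp(config-ext-nacl)#permit ip any any
Corp(config-ext-nacl)#exit
!
Corp(config)#interface serial 0/0/0
Corp(config-if)#ip access-group BLOCK-PRIVATE-IN in
Corp(config-if)#ip access-group BLOCK-PRIVATE-OUT out
```

The log keyword makes NAT mistakes visible in the syslog rather than silently failing; watch the hit counters with show access-lists after a change to the NAT configuration.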



Configuring Dynamic NAT: One Private to One Public Address Translation




Configuring PAT: Many Private to One Public Address Translation


All private addresses share a single public IP address; the router keeps the flows apart by rewriting the source port number of each one, which is why this is called Port Address Translation (or overloading).




NOTE: You can have an IP NAT pool of more than one address, if needed. The syntax for this is as follows:

Corp(config)#ip nat pool scott 64.64.64.70 64.64.64.128 netmask 255.255.255.0

You would then have a pool of 59 addresses (.70 through .128 inclusive, and all of their ports) available for translation. The netmask must place both ends of the range in the same subnet; with 255.255.255.128 the addresses .70 and .128 would fall in two different /25 blocks, and IOS rejects the pool with a "mask too small" error.


Configuring Static NAT: One Private to One Permanent Public Address Translation


CAUTION: Make sure that you have in your router configurations a way for packets to travel back to your NAT router. Include a static route on the ISP router advertising your NAT pool and how to travel back to your internal network. Without this in place, a packet can leave your network with a public address, but it will not be able to return if your ISP router does not know where the pool of public addresses exists in the network. You should be advertising the pool of public addresses, not your private addresses.
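
The three translation types from the sections above (dynamic NAT, PAT and static NAT), written out as one added configuration example; this is not the original page's own figure content. Assumed: router Corp, FastEthernet0/0 toward the LAN 192.168.1.0/24, Serial0/0/0 toward the ISP, and 64.64.64.64/26 as the public block the ISP assigned.

```cisco
! Added example (assumed hostname, interfaces and addresses).
! 1. Mark which side is inside and which is outside; without both marks
!    nothing is ever translated.
Corp(config)#interface fastethernet 0/0
Corp(config-if)#ip address 192.168.1.1 255.255.255.0
Corp(config-if)#ip nat inside
Corp(config-if)#exit
Corp(config)#interface serial 0/0/0
Corp(config-if)#ip address 64.64.64.65 255.255.255.192
Corp(config-if)#ip nat outside
Corp(config-if)#exit
!
! 2. Which inside-local addresses may be translated: the LAN only, never
!    "permit any", or you will translate for anyone who can route to you.
Corp(config)#access-list 1 permit 192.168.1.0 0.0.0.255
!
! 3. Dynamic NAT: one private address borrows one public address from the
!    pool for as long as its translation lives; .66-.69 = 4 hosts at a time,
!    the fifth host waits until an entry times out.
Corp(config)#ip nat pool DYNPOOL 64.64.64.66 64.64.64.69 netmask 255.255.255.192
Corp(config)#ip nat inside source list 1 pool DYNPOOL
!
! 4. PAT: the same rule with "overload" lets every LAN host share the pool
!    addresses, distinguished by source port. Remove the old rule first;
!    IOS keeps one source rule per access-list.
Corp(config)#no ip nat inside source list 1 pool DYNPOOL
Corp(config)#ip nat inside source list 1 pool DYNPOOL overload
!
! 5. Static NAT: a permanent one-to-one mapping for an inside server.
!    Use an address outside the dynamic pool so the two can never collide.
Corp(config)#ip nat inside source static 192.168.1.10 64.64.64.70
```

Static mappings are reachable from the Internet at all times, so pair the one above with an inbound access list on Serial0/0/0 that permits only the service ports the server actually offers; and, as the CAUTION says, the ISP must route 64.64.64.64/26 back to Corp or none of these translations will ever see a reply.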


Verifying NAT and PAT Configurations



Troubleshooting NAT and PAT Configurations
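
An added walk-through of the verification and troubleshooting commands for the configuration type described in this post; it is not from the original page. The hostname Corp and the addresses are assumed, and the output lines shown in comments are constructed samples in the format IOS uses, not captured from a real device.

```cisco
! Added example (assumed hostname/addresses; sample output is constructed).
! Is anything being translated right now? One line per active flow.
Corp#show ip nat translations
! Pro Inside global      Inside local       Outside local      Outside global
! tcp 64.64.64.66:1030   192.168.1.20:1030  198.51.100.5:80    198.51.100.5:80
! --- 64.64.64.70        192.168.1.10       ---                ---
! "Inside global" is the address the Internet sees. The "---" line is the
! static mapping: it exists with or without traffic.
!
! Counters, interfaces and the rule that is in effect
Corp#show ip nat statistics
! Check three things in that output: exactly the intended interfaces are
! listed as inside/outside, "Hits" grows when you send traffic, and "Misses"
! does not keep climbing (climbing misses with an empty dynamic pool means
! the pool is exhausted and the rule needs "overload").
!
! Changed the pool or the access-list? Dynamic entries keep the old decision
! until they age out; flush them (static entries are unaffected).
Corp#clear ip nat translation *
!
! Watch translations being created; each line names the inside source (s=)
! and its new global address, and the destination (d=).
Corp#debug ip nat
Corp#undebug all
!
! If still nothing translates, in this order:
! 1. show ip nat statistics: one interface must say inside, one outside
! 2. show access-lists: the ACL must match the inside-local address
! 3. show ip route: Corp needs a route toward the destination, and the ISP
!    needs a route back to the public pool (the CAUTION above)
```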


Tuesday, October 26, 2010

Basic Troubleshooting

Viewing the Routing Table


Determining the Gateway of Last Resort


NOTE: The ip default-network command is for use with the deprecated Cisco proprietary Interior Gateway Routing Protocol (IGRP). Although you can use it with Enhanced Interior Gateway Routing Protocol (EIGRP) or RIP, it is not recommended. Use the ip route 0.0.0.0 0.0.0.0 command instead.

Routers that use the ip default-network command must have either a specific route to that network or a 0.0.0.0 /0 default route.


Determining the Last Routing Update



OSI Layer 3 Testing




Interpreting the show interface Command



The traceroute Command



The show controllers Command



debug Commands


CAUTION: Turning all possible debugging on is extremely CPU intensive and will probably cause your router to crash. Use extreme caution if you try this on a production device. Instead, be selective about which debug commands you turn on.

Do not leave debugging turned on. After you have gathered the necessary information, turn all debugging off with no debug all (or its shortcut, undebug all). If you want to turn off only one specific debug and leave the others on, issue the no debug x command, where x is the specific debug command you want to disable.


Using Time Stamps


TIP: Make sure you have the date and time set with the clock set command in privileged mode (or synchronized from an NTP server) so that the time stamps are meaningful; a debug trace is hard to correlate with syslog or a packet capture otherwise.
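
The debug hygiene from the two cautions above, put together as one added session (not from the original page). The hostname Corp is assumed, as is an access-list 101 that matches the single host being investigated.

```cisco
! Added example (assumed hostname; access-list 101 is assumed to exist).
! Set the clock first, in privileged mode, so every stamp means something
Corp#clock set 14:30:00 31 Dec 2010
Corp#configure terminal
! Stamp debug and log lines with date, time and milliseconds, local time
Corp(config)#service timestamps debug datetime msec localtime
Corp(config)#service timestamps log datetime msec localtime
Corp(config)#exit
! On a Telnet/SSH session console messages are not shown until requested
Corp#terminal monitor
! Turn on one debug, never "debug all". Where the command accepts an ACL,
! use it: "debug ip packet" without one prints every process-switched packet
Corp#debug ip nat
Corp#debug ip packet 101
! ... collect what you need, then stop a single debug and keep the rest ...
Corp#no debug ip packet
! ... or stop everything at once
Corp#undebug all
! Confirm nothing is still running before you log out
Corp#show debugging
```

Even with an access list, debug ip packet shows only process-switched traffic and costs CPU on every packet it inspects; on a busy production router prefer the protocol-specific debug (debug ip nat, debug ip dhcp server events, and so on) and keep the session short.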


Operating System IP Verification Commands

The following are commands that you should use to verify what your IP settings are. Different operating systems have different commands.

• ipconfig (Windows 2000/XP):
Click Start > Run, type cmd, and then run ipconfig or ipconfig /all.

• winipcfg (Windows 95/98/Me):
Click Start > Run > winipcfg.

• ifconfig (Mac/Linux; on current Linux distributions the iproute2 command ip addr replaces it):
#ifconfig


The ip http server Command


CAUTION: The HTTP server was introduced in Cisco IOS Software Release 11.0 to extend router management to the web. With the ip http server command turned on, you have limited management capabilities over your router through a web browser.

Do not turn on ip http server unless you plan to use the browser interface for the router. Having it on opens another listening port (TCP 80) to anyone who can reach the device, and plain HTTP carries the login credentials in clear text. Keep it off with no ip http server; if web management is genuinely required, use ip http secure-server (HTTPS) instead and restrict the permitted clients with an access list.
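
The two acceptable postures for the web server, as an added example (not from the original page). The hostname Corp, the user name and the management host 10.1.1.50 are assumed; ip http secure-server needs a cryptographic IOS image.

```cisco
! Added example (assumed hostname, user, management host).
! Option 1, the default posture: no web management at all, TCP 80/443 closed
Corp(config)#no ip http server
Corp(config)#no ip http secure-server
!
! Option 2: web management is required. Keep plain HTTP off, serve HTTPS
! only, authenticate against a local account, and accept connections from
! the management station alone.
Corp(config)#no ip http server
Corp(config)#ip http secure-server
Corp(config)#ip http authentication local
Corp(config)#username webadmin privilege 15 secret <strong-password>
Corp(config)#access-list 10 permit host 10.1.1.50
Corp(config)#ip http access-class 10
Corp(config)#exit
! Verify which of the two servers is actually listening
Corp#show ip http server status
```

Choose one option; the lines are shown together only to contrast them. The access-class is what limits exposure: without it every host that can route to the router can reach the login page.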


The netstat Command

Wednesday, June 9, 2010

SNMP and Syslog

Configuring SNMP


NOTE: A community string is like a password. In the case of the first command, the community string grants you access to SNMP. Change the well-known defaults (public for read-only, private for read-write); SNMPv1 and SNMPv2c send the string in clear text with every request, so restrict which hosts may use it with an access list, keep it read-only unless writes are really needed, or move to SNMPv3, which authenticates and encrypts.


Configuring Syslog



There are eight levels of severity in logging messages, as follows:

• 0 emergencies: system is unusable
• 1 alerts: immediate action needed
• 2 critical: critical conditions
• 3 errors: error conditions
• 4 warnings: warning conditions
• 5 notifications: normal but significant condition
• 6 informational: informational messages only
• 7 debugging: debugging messages

Setting a level means you will get that level and everything numerically below it, that is, that severity and every more severe one. Level 6 (informational) means you receive levels 0 through 6; level 4 (warnings) means you get levels 0 through 4; only level 7 (debugging) delivers every message, including debug output.
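
An added configuration covering both halves of this post, SNMP (with the community-string caution applied) and syslog (with the severity levels applied); it is not the original page's figure content. The hostname Corp, the management station 10.1.1.50, the community string, the SNMPv3 names and the passwords are all assumed.

```cisco
! Added example (assumed hostname, NMS address, strings and names).
! --- SNMP ---
! Only the management station may talk SNMP to this router
Corp(config)#access-list 20 permit host 10.1.1.50
! v2c, read-only, non-default string, bound to the ACL: the string still
! crosses the wire in clear text, so this is the minimum, not the goal
Corp(config)#snmp-server community Rk7qP2xLmN ro 20
! SNMPv3 with authentication and encryption (authPriv) is the goal
Corp(config)#snmp-server group NMS-GROUP v3 priv
Corp(config)#snmp-server user nmsuser NMS-GROUP v3 auth sha <auth-password> priv aes 128 <priv-password>
Corp(config)#snmp-server host 10.1.1.50 version 3 priv nmsuser
! Be told when someone tries a wrong community string or credential
Corp(config)#snmp-server enable traps snmp authentication
!
! --- Syslog ---
! Time stamps first, otherwise the collector cannot order the events
Corp(config)#service timestamps log datetime msec localtime
! Local buffer keeps informational (0-6) for on-box troubleshooting
Corp(config)#logging buffered 16384 informational
! Network collector gets warnings and worse (0-4); shipping level 7 would
! flood the network with debug output
Corp(config)#logging host 10.1.1.50
Corp(config)#logging trap warnings
! Source the messages from a stable address so the collector can filter
Corp(config)#logging source-interface loopback 0
Corp(config)#logging on
Corp(config)#exit
! Check the levels and the collector address
Corp#show logging
```

Syslog over UDP 514 is unauthenticated and unencrypted; it tells you nothing if an attacker on the path drops or forges messages, so the collector should sit on the management network, and the local buffer remains the second copy to compare against.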

Thursday, May 6, 2010

The ping and traceroute Commands


ICMP Redirect Messages



The ping Command


The following table describes the possible ping output characters.

• !  Each exclamation point indicates receipt of a reply.
• .  Each period indicates that the router timed out while waiting for a reply.
• U  A destination unreachable error PDU was received.
• Q  Source quench (destination too busy).
• M  Could not fragment.
• ?  Unknown packet type.
• &  Packet lifetime exceeded.



Examples of Using the ping and the Extended ping Commands




The traceroute Command


Monday, March 15, 2010

Telnet and SSH

Using Telnet to Remotely Connect to Other Devices

The following five commands all achieve the same result: the attempt to connect remotely to the router named Paris at IP address 172.16.20.1.


Any of the preceding commands lead to the following configuration sequence:



CAUTION: The following configuration creates a big security hole. Never use it in a live production environment. Use it in the lab only!


NOTE: A device must have two passwords for a remote user to be able to make changes to your configuration:
  • Line vty password (or have it explicitly turned off; see the preceding Caution)
  • Enable or enable secret password

Without the enable or enable secret password, a remote user will only be able to get to user mode, not to privileged mode. This is extra security.


Configuring the Secure Shell Protocol (SSH)

CAUTION: SSH Version 1 implementations have known security issues. It is recommended to use SSH Version 2 whenever possible.

NOTE: To work, SSH requires a local username database, a local IP domain, and an RSA key to be generated.

The Cisco implementation of SSH requires Cisco IOS Software to support Rivest-Shamir-Adleman (RSA) authentication and at least Data Encryption Standard (DES) encryption, that is, a cryptographic (k8/k9) software image. Only the k9 images offer 3DES and AES, which is what SSH Version 2 should be run with today.
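
The SSH prerequisites listed in the NOTE, carried through to a working SSH-only vty configuration; this is an added example, not from the original page. The hostname Corp, the domain name, the user name, the passwords and the management network 10.1.1.0/24 are assumed.

```cisco
! Added example (assumed hostname, domain, user, passwords, addresses).
! The three prerequisites: hostname + domain (they name the key), the key,
! and a local user database
Corp(config)#hostname Corp
Corp(config)#ip domain-name example.com
! 2048-bit RSA key; the 512-bit default is far too small
Corp(config)#crypto key generate rsa modulus 2048
! Version 2 only; version 1 has known weaknesses
Corp(config)#ip ssh version 2
Corp(config)#ip ssh time-out 60
Corp(config)#ip ssh authentication-retries 3
! "secret" stores a hash; "password" would store a reversible string
Corp(config)#username admin privilege 15 secret <strong-password>
Corp(config)#enable secret <another-strong-password>
! Only the management network may open a vty at all
Corp(config)#access-list 10 permit 10.1.1.0 0.0.0.255
Corp(config)#line vty 0 4
Corp(config-line)#transport input ssh
Corp(config-line)#login local
Corp(config-line)#access-class 10 in
Corp(config-line)#exec-timeout 5 0
Corp(config-line)#exit
!
! Lab-only contrast, the "big security hole" the Telnet caution refers to:
!   line vty 0 4 / no login / transport input telnet
! lets anyone who can reach TCP 23 into user mode with no password at all.
!
Corp(config)#exit
Corp#show ip ssh
```

show ip ssh should report version 2.0 enabled; if it reports that SSH is disabled, the key was not generated (check show crypto key mypubkey rsa) or the image is not a cryptographic one. transport input ssh is the line that actually closes Telnet; ip ssh version 2 alone leaves TCP 23 open.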

Wednesday, February 24, 2010

Cisco Discovery Protocol (CDP)

Cisco Discovery Protocol



CAUTION: Although CDP is necessary for some management applications, it should still be disabled in some instances. CDP announces the device's platform, IOS version, hostname, capabilities and IP addresses in clear text to whatever is attached to the link, which is exactly the reconnaissance an attacker on that link wants.

Disable CDP globally if
  • CDP is not required at all.
  • The device is located in an insecure environment.
Use the command no cdp run to disable CDP globally:

RouterOrSwitch(config)#no cdp run

Disable CDP on any interface if
  • Management is not being performed.
  • The switch interface is a nontrunk interface.
  • The interface is connected to a nontrusted network.

Use the interface configuration command no cdp enable to disable CDP on a specific interface:

RouterOrSwitch(config)#interface fastethernet 0/1
RouterOrSwitch(config-if)#no cdp enable

Tuesday, February 9, 2010

Configuration Example: DHCP

Figure 24-1 illustrates the network topology for the configuration that follows, which shows how to configure DHCP services on a Cisco IOS router using the commands covered in this post.


Edmonton Router



Gibbons Router

Tuesday, January 19, 2010

DHCP

Configuring DHCP




Verifying and Troubleshooting DHCP Configuration



Configuring a DHCP Helper Address



NOTE: The ip helper-address command will forward broadcast packets as a unicast to eight different UDP ports by default:

• TFTP (port 69)
• DNS (port 53)
• Time service (port 37)
• NetBIOS name server (port 137)
• NetBIOS datagram server (port 138)
• Boot Protocol (BOOTP) client and server datagrams (ports 67 and 68)
• TACACS service (port 49)

If you want to close some of these ports, use the no ip forward-protocol udp x command at the global configuration prompt, where x is the port number you want to close. The following command stops the forwarding of broadcasts to port 49:

Router(config)#no ip forward-protocol udp 49

If you want to open other UDP ports, use the ip forward-protocol udp x command, where x is the port number you want to open:

Router(config)#ip forward-protocol udp 517


DHCP Client on a Cisco IOS Software Ethernet Interface
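
The DHCP server, helper-address relay and DHCP-client pieces from this post, and the Edmonton/Gibbons arrangement of the "Configuration Example: DHCP" post above, brought together in one added example; it is not the original page's figure content. Router names follow that post; the addresses (Edmonton reached at 10.1.1.1, LANs 192.168.1.0/24 and 192.168.2.0/24, DNS 10.1.1.53) and the domain are assumed.

```cisco
! Added example (assumed addresses and domain; router names from the post).
! --- Edmonton: the DHCP server ---
! Keep routers, servers and printers out of the dynamic range
Edmonton(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.20
Edmonton(config)#ip dhcp excluded-address 192.168.2.1 192.168.2.20
! Pool for Edmonton's own LAN
Edmonton(config)#ip dhcp pool LAN1
Edmonton(dhcp-config)#network 192.168.1.0 255.255.255.0
Edmonton(dhcp-config)#default-router 192.168.1.1
Edmonton(dhcp-config)#dns-server 10.1.1.53
Edmonton(dhcp-config)#domain-name example.com
Edmonton(dhcp-config)#lease 1
Edmonton(dhcp-config)#exit
! Pool for the LAN behind Gibbons: the server picks it because the relayed
! request carries Gibbons's interface address (giaddr) from 192.168.2.0/24
Edmonton(config)#ip dhcp pool LAN2
Edmonton(dhcp-config)#network 192.168.2.0 255.255.255.0
Edmonton(dhcp-config)#default-router 192.168.2.1
Edmonton(dhcp-config)#dns-server 10.1.1.53
Edmonton(dhcp-config)#domain-name example.com
Edmonton(dhcp-config)#exit
!
! --- Gibbons: relay for a LAN with no local server ---
Gibbons(config)#interface fastethernet 0/0
Gibbons(config-if)#ip address 192.168.2.1 255.255.255.0
! Broadcast DISCOVER from the LAN becomes a unicast to Edmonton
Gibbons(config-if)#ip helper-address 10.1.1.1
Gibbons(config-if)#exit
! The helper forwards eight UDP ports by default; DHCP needs only 67/68,
! so close the rest and stop relaying TFTP, time, NetBIOS and TACACS
Gibbons(config)#no ip forward-protocol udp 69
Gibbons(config)#no ip forward-protocol udp 53
Gibbons(config)#no ip forward-protocol udp 37
Gibbons(config)#no ip forward-protocol udp 137
Gibbons(config)#no ip forward-protocol udp 138
Gibbons(config)#no ip forward-protocol udp 49
!
! --- Gibbons as a DHCP client on another Ethernet interface ---
Gibbons(config)#interface fastethernet 0/1
Gibbons(config-if)#ip address dhcp
Gibbons(config-if)#exit
!
! --- Verify on the server ---
Edmonton#show ip dhcp binding
Edmonton#show ip dhcp conflict
Edmonton#debug ip dhcp server events
```

show ip dhcp binding lists each lease with the client's hardware address; an empty table after a client on the Gibbons LAN asks for an address means the relay never reached Edmonton (check that 10.1.1.1 is routable from Gibbons and that Edmonton has a route back to 192.168.2.0/24). Remember to turn the debug off again with undebug all.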

Monday, January 4, 2010

Configuration Example: PAT


ISP Router



Company Router
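
The two-router PAT arrangement this post describes, written out as an added example; it is not the original page's figure content. Router names follow the post; the interfaces and addresses are assumed: Company Fa0/0 is 192.168.1.1/24 on the LAN, and the Company-to-ISP serial link is 203.0.113.0/30 with the ISP at .1 and Company at .2.

```cisco
! Added example (router names from the post; interfaces and addresses assumed).
! --- ISP Router ---
ISP(config)#interface serial 0/0/0
ISP(config-if)#ip address 203.0.113.1 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#exit
! The ISP never learns 192.168.1.0/24 and must not: every Company host
! appears as 203.0.113.2, which the ISP already reaches as a connected
! route, so no static route is needed in this layout. If Company instead
! translated into a separate block such as 64.64.64.64/26, the ISP would
! need the route back that the NAT CAUTION above describes:
! ISP(config)#ip route 64.64.64.64 255.255.255.192 203.0.113.2
!
! --- Company Router ---
Company(config)#interface fastethernet 0/0
Company(config-if)#ip address 192.168.1.1 255.255.255.0
Company(config-if)#ip nat inside
Company(config-if)#exit
Company(config)#interface serial 0/0/0
Company(config-if)#ip address 203.0.113.2 255.255.255.252
Company(config-if)#ip nat outside
Company(config-if)#no shutdown
Company(config-if)#exit
! Only the LAN is translated; never "permit any" here
Company(config)#access-list 1 permit 192.168.1.0 0.0.0.255
! Many private addresses -> the single public address of Serial0/0/0,
! distinguished by source port
Company(config)#ip nat inside source list 1 interface serial 0/0/0 overload
! The translated packets still need somewhere to go
Company(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.1
Company(config)#exit
! From a LAN host, ping 203.0.113.1, then:
Company#show ip nat translations
```

A PAT router with no inbound access list on Serial0/0/0 still drops unsolicited packets from the Internet, because no translation entry matches them; that is a side effect, not a firewall, and it does not protect the router's own address, so the vty and management hardening from the other posts still applies here.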