NAT and ACL Notes

Here are some NAT and ACL notes I’ve been taking from my studies. Want to use them for yours? Go ahead. These are just random notes, however, so there's not much context to go off of.


 

ACLs have an implicit deny at the end of each ACL: a packet that matches no line is dropped, and the lines are checked top to bottom, first match wins.
Rule of ACLs: 1 ACL per protocol, per interface, per direction.

Named ACL: router(config)#ip access-list <(standard)(extended)> <(1-99)(100-199)(WORD)>   (standard numbers are 1-99 and 1300-1999, extended are 100-199 and 2000-2699)
router(config-ext-nacl)#   (router(config-std-nacl)# for a standard list)
Modify numbers (lines) in a named ACL by sequence number (lines are numbered 10, 20, 30... by default; "no <sequence>" removes a single line):
router(config-ext-nacl)# <1-2147483647> [statement]
At the end of your ACL, to negate the implicit deny (this turns the list into "block what is listed, allow everything else"):
Standard: access-list (1-99) permit any
Extended: access-list (100-199) permit ip any any
If you keep the implicit deny, an explicit "deny ip any any log" as the last line does the same thing but makes the dropped traffic visible in the log and in the hit counters of show access-lists.
-----------------------------------------------------------------------------------------------------------------
Standard (1-99) - permit or deny based on source address only. Apply standard ACLs as far from the source/as close to the destination as possible, otherwise they cut the source off from everything, not just from the intended destination.
access-list (1-99) <(permit)(deny)(remark)> <Source(any)(host)(A.B.C.D)> <(cr)(wildcard)(log)>
Apply IN or OUT at router(config-if)#ip access-group (1-99) <(in)(out)>
Restrict telnet or ssh to the router itself (on the vty lines):
router(config-line)#access-class <(1-99)> <(in)(out)>   (out is not recommended: it limits where someone already logged in to the router can connect to, it does not limit who can reach the router)
-----------------------------------------------------------------------------------------------------------------
Extended (100-199) - more powerful: filters on protocol, source, destination and port. For efficiency (not required), place as close to the source as possible/as far from the destination as possible. (Place it INBOUND on the host's default gateway interface; this drops the packet before it is even routed.)
access-list (100-199)
<(permit)(deny)(remark)>
<protocol(ip)(tcp)(udp)(icmp)>
<source(any)(host)(A.B.C.D)><(wildcard)>
<destination(any)(host)(A.B.C.D)><(wildcard)>
Based on protocol and port:
access-list (100-199)
<(permit)(deny)(remark)>
<(tcp)(udp)(icmp)>
<source(any)(host)(A.B.C.D)><(wildcard)>
<eq(port#/name) SOURCE PORT - usually omitted, since the host picks a random ephemeral source port itself>
<destination(any)(host)(A.B.C.D)><(wildcard)>
<eq(port#/name) DESTINATION PORT (eq, gt, lt, neq or range)>
Order matters: the first matching line wins, so specific denies go before broad permits.
examples (note: as written, ACL 100 contains only deny lines, so the implicit deny would drop all other traffic too; add "access-list 100 permit ip any any" after them if the intent is to block only the listed traffic):
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23 - deny 192.168.1.0/24 telnet
access-list 100 deny tcp 172.16.0.0 0.0.0.255 any eq 80 - deny 172.16.0.0/24 http
access-list 100 deny udp host 10.1.2.3 any eq 69 - deny host 10.1.2.3 tftp
access-list 100 deny tcp any any eq 3724 - deny any host from World of Warcraft (tcp)
access-list 100 deny udp any any eq 3724 - deny any host from World of Warcraft (udp)

Apply IN or OUT at router(config-if)#ip access-group (100-199) <(in)(out)>
-----------------------------------------------------------------------------------------------------------------
"Reflexive" (really the established keyword, a stateless stand-in for a reflexive ACL):
router(config)#ip access-list extended WAN_FILTER
router(config-ext-nacl)# permit tcp any any established
router(config)#int <WAN INTERFACE>
router(config-if)#ip access-group WAN_FILTER in
established matches any TCP segment with the ACK or RST bit set. The router keeps no session table, so an attacker can send ACK-flagged packets through it to any inside port, and the implicit deny under it also drops all inbound UDP (DNS replies) and ICMP. A true reflexive ACL uses the reflect keyword on the outbound list and evaluate on the inbound list, which creates a temporary entry per session.
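The following Python model is an added example, not from these notes or from Cisco. It implements the matching rules the ACL sections above describe (wildcard masks, first match wins, implicit deny at the end) plus the established keyword from WAN_FILTER, and runs the page's own access-list 100 and WAN_FILTER over constructed packets. The addresses 203.0.113.9, 203.0.113.10 and 8.8.8.8 and the TCP flag sets are assumptions made for the example; the subnets, ports and the reply from 198.133.219.25:80 to 11.22.33.44:5634 come from the notes.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any" = base 0.0.0.0, wildcard all ones


def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")               # "host A.B.C.D" = wildcard 0.0.0.0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((b & ~w) & 0xFFFFFFFF)


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp" or "icmp"
    src: Tuple[str, str]           # (base, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None    # "eq <port>" on the destination
    established: bool = False      # TCP only: ACK or RST bit set


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace.src) or not wildcard_match(pkt.dst, *ace.dst):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False               # no session table: only the flag bits are inspected
    return True


def evaluate(acl: List[Ace], pkt: Packet):
    """First matching line wins (sequence numbers 10, 20, ...); no match = implicit deny."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, (i + 1) * 10
    return "deny", "implicit"


# access-list 100 exactly as written in the notes above
ACL_100 = [
    Ace("deny", "tcp", ("192.168.1.0", "0.0.0.255"), ANY, dport=23),
    Ace("deny", "tcp", ("172.16.0.0", "0.0.0.255"), ANY, dport=80),
    Ace("deny", "udp", host("10.1.2.3"), ANY, dport=69),
    Ace("deny", "tcp", ANY, ANY, dport=3724),
    Ace("deny", "udp", ANY, ANY, dport=3724),
]
# the same list with the explicit "permit ip any any" that overrides the implicit deny
ACL_100_OPEN = ACL_100 + [Ace("permit", "ip", ANY, ANY)]

# WAN_FILTER: permit tcp any any established
WAN_FILTER = [Ace("permit", "tcp", ANY, ANY, established=True)]

if __name__ == "__main__":
    # constructed sample packets (assumed addresses, see lead-in)
    telnet = Packet("tcp", "192.168.1.5", "203.0.113.10", 40000, 23, frozenset({"SYN"}))
    dns_query = Packet("udp", "192.168.1.5", "8.8.8.8", 40001, 53)
    print(evaluate(ACL_100, telnet))       # ('deny', 10)
    print(evaluate(ACL_100, dns_query))    # ('deny', 'implicit'): ACL 100 alone blocks everything
    print(evaluate(ACL_100_OPEN, dns_query))  # ('permit', 60)

    probe_syn = Packet("tcp", "203.0.113.9", "11.22.33.44", 40003, 22, frozenset({"SYN"}))
    probe_ack = Packet("tcp", "203.0.113.9", "11.22.33.44", 40003, 22, frozenset({"ACK"}))
    reply = Packet("tcp", "198.133.219.25", "11.22.33.44", 80, 5634, frozenset({"SYN", "ACK"}))
    dns_reply = Packet("udp", "8.8.8.8", "11.22.33.44", 53, 40001)
    print(evaluate(WAN_FILTER, probe_syn))  # ('deny', 'implicit')
    print(evaluate(WAN_FILTER, reply))      # ('permit', 10)
    print(evaluate(WAN_FILTER, probe_ack))  # ('permit', 10): crafted ACK walks straight in
    print(evaluate(WAN_FILTER, dns_reply))  # ('deny', 'implicit'): DNS answers never arrive
```

The last four results are the point of the caveat above: the established line lets the legitimate SYN/ACK back in, but it treats a crafted ACK-only probe to port 22 exactly the same way, and it gives UDP no way back at all.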
-----------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------
(EXAMPLE ISP IP address: 11.22.33.44)
NAT:
Dynamic NAT - Internal IP to WAN IP - one to one translation: the router takes a free public address from a pool for each internal host, and replies from the WAN are translated back to that internal host, until the translation times out.
Least common form of NAT, since it needs one public address per simultaneously active host.
(The configuration below ends with "overload", which makes it NAT overload/PAT rather than pure dynamic NAT.)

router(config-if)#ip nat inside - identifies your INTERNAL facing interface (into your network)
router(config-if)#ip nat outside - identifies your EXTERNAL facing interface (outside your network boundary, toward the ISP)
(example public IP: 68.241.96.172)
router(config)#ip access-list standard NAME
router(config-std-nacl)#deny 192.168.3.0 0.0.0.255 - this line excludes 192.168.3.0/24 from translation. Its packets leave the outside interface untranslated, with a private source address nothing on the internet can reply to, so those hosts effectively cannot reach the internet (deny in a NAT list means "don't translate", not "drop").
router(config-std-nacl)#permit 192.168.0.0 0.0.255.255 - this line tells the router which addresses to translate: 192.168.0.0/16 goes out with its private source rewritten to the routable external address 11.22.33.44 plus a port number. The implicit deny at the end of this list means anything not listed is not translated either.
NAT STATEMENT:
router(config)#ip nat inside source list NAME interface <external interface> overload - "overload" is what adds the port number to the external IP (PAT); without it translations are one to one, which a single interface address cannot sustain for many hosts.
router#show ip nat translations - shows the current translation table (router#show ip nat statistics shows hit/miss counters and which interfaces are inside/outside)
-----------------------------------------------------------------------------------------------------------------
NAT Overload - Internal IP to external IP+port (commonly called PAT)
EX: 192.168.5.32:5634 (random source port) -> www.cisco.com:80 goes out the WAN interface (ip 11.22.33.44). A NAT session is created and entered in the translation table, and the packet leaves overloaded as 11.22.33.44:5634 -> www.cisco.com:80. Packets from cisco.com come back addressed to 11.22.33.44:5634; the router looks that up in the table and rewrites the destination to 192.168.5.32:5634. Inbound packets that match no table entry (and no static mapping) are dropped.
example (this is not a real translation table; the IOS names for the columns are in brackets):
Web browser checks www.cisco.com:
Inside Source [inside local] | Outside Source [inside global] | Destination [outside global]
172.16.245.11:8523           | 11.22.33.44:8523               | 198.133.219.25:80
[HOST]                       | [WAN]                          | [www.cisco.com]
-------------------------------------------------------------------------------------------
A reply FROM cisco.com:
Inside Destination [inside local] | Outside Source [outside global] | Destination on the wire [inside global]
172.16.245.11:8523                | 198.133.219.25:80               | 11.22.33.44:8523
[HOST]                            | [www.cisco.com]                 | [WAN]

-----------------------------------------------------------------------------------------------------------------
Static NAT: create 1 to 1 IP mappings: 1 internal IP to 1 external IP,
or, with static port mapping, multiple internal IPs behind one external IP, each on a unique port.
Used commonly to let outside IPs reach your internal IPs
(like a webserver, for example).
router(config)#ip nat inside source static 192.168.1.10 11.22.33.44
192.168.1.10 would be seen on the internet as 11.22.33.44, and anything sent to 11.22.33.44 on any port is forwarded to 192.168.1.10.
Static port mapping (port forwarding); note the keyword order, the protocol comes first:
router(config)#ip nat inside source static tcp 192.168.1.10 80 interface <WAN INTERFACE> 80
any http requests (tcp 80) to the WAN interface address (11.22.33.44) would be forwarded to 192.168.1.10:80, while the same public IP keeps serving PAT for everyone else.
Static port mapping is the best way to use the single IP address given to you by an ISP. Each forwarded port is a hole straight through to that internal host, so only publish the ports the service actually needs, and remember that an inbound ACL on the WAN interface is checked before the translation, so it has to permit the public address and port, not the internal one.
-----------------------------------------------------------------------------------------------------------------
For large organizations that could use up all the ports on a single address, overload a pool of public addresses instead of the interface:
router(config)#ip nat pool INTERNET_ADDRESSES 11.22.33.44 11.22.33.45 prefix-length 24   (first and last public address of the pool, then the mask length of that block; 24 is just an example)
router(config)#ip nat inside source list NAME pool INTERNET_ADDRESSES overload   (NAME is the standard ACL of inside addresses from the NAT section above, not the WAN_FILTER packet filter)
this allows all your hosts in the network to use 11.22.33.44 and 11.22.33.45 for their NAT translations. The same pool without overload is classic dynamic NAT: one public address per active host, no port rewriting.
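As an added example (written for this page, not part of the original notes and not Cisco's code), the Python model below implements the behaviour described in the dynamic NAT, NAT overload, static NAT and pool sections: a standard-ACL NAT list with its implicit "don't translate", a two-address pool with overload, a static tcp/80 port forward, and the reverse lookup a reply has to hit to get back inside. The pool, subnets, web server and the cisco.com flow come from the notes; the outside host 203.0.113.9, the second inside host 192.168.5.33 and the port-allocation order (keep the host's source port if free, otherwise the next free port from 1024) are simplifying assumptions.

```python
import ipaddress
from itertools import chain
from typing import Dict, Iterable, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((b & ~w) & 0xFFFFFFFF)


def nat_list_permits(nat_list: List[Tuple[str, str, str]], src: str) -> bool:
    """The standard ACL behind 'ip nat inside source list': first match wins,
    and the implicit deny at the end means 'do not translate'."""
    for action, base, wildcard in nat_list:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False


class PatRouter:
    """Simplified model of 'ip nat inside source list NAME pool POOL overload'
    plus static port mappings (assumed semantics, see lead-in)."""

    def __init__(self, nat_list, pool: Iterable[str], static_ports=()):
        self.nat_list = nat_list
        self.pool = list(pool)                 # inside global addresses, used in order
        # (proto, global ip, global port) -> (local ip, local port)
        self.static: Dict[Tuple[str, str, int], Tuple[str, int]] = {
            (p, gip, gport): (lip, lport) for p, gip, gport, lip, lport in static_ports}
        self.dynamic: Dict[Tuple[str, str, int], Tuple[str, int]] = {}  # inside socket -> global socket
        self.reverse: Dict[tuple, Tuple[str, int]] = {}                  # inbound 5-tuple -> inside socket
        self.in_use = set(self.static)                                   # (proto, gip, gport) taken

    def _allocate(self, proto: str, preferred: int) -> Tuple[str, int]:
        # keep the host's own source port when it is free, else the next free port >= 1024,
        # moving to the next pool address only when the first one is exhausted
        for gip in self.pool:
            for port in chain([preferred], range(1024, 65536)):
                if (proto, gip, port) not in self.in_use:
                    return gip, port
        raise RuntimeError("NAT pool exhausted")

    def outbound(self, proto, src, sport, dst, dport) -> Optional[Tuple[str, int]]:
        """Translated source (ip, port) for a packet leaving the outside interface,
        or None when the NAT list does not permit it (it leaves untranslated)."""
        for (p, gip, gport), local in self.static.items():
            if p == proto and local == (src, sport):
                return gip, gport              # static mappings win over dynamic ones
        if not nat_list_permits(self.nat_list, src):
            return None
        key = (proto, src, sport)
        if key not in self.dynamic:
            gip, gport = self._allocate(proto, sport)
            self.in_use.add((proto, gip, gport))
            self.dynamic[key] = (gip, gport)
        gip, gport = self.dynamic[key]
        # the return path is keyed on the remote peer too: only that peer may answer
        self.reverse.setdefault((proto, gip, gport, dst, dport), (src, sport))
        return gip, gport

    def inbound(self, proto, src, sport, dst, dport) -> Optional[Tuple[str, int]]:
        """Inside (ip, port) a packet arriving on the outside interface is forwarded to,
        or None when no translation exists (unsolicited traffic is dropped)."""
        entry = self.reverse.get((proto, dst, dport, src, sport))
        if entry is not None:
            return entry
        return self.static.get((proto, dst, dport))   # port forwards accept any source


def example_router() -> PatRouter:
    # values from the notes: pool .44-.45, deny 192.168.3.0/24, permit 192.168.0.0/16,
    # web server 192.168.1.10 published on tcp/80 of the first pool address
    nat_list = [("deny", "192.168.3.0", "0.0.0.255"), ("permit", "192.168.0.0", "0.0.255.255")]
    return PatRouter(nat_list, ["11.22.33.44", "11.22.33.45"],
                     static_ports=[("tcp", "11.22.33.44", 80, "192.168.1.10", 80)])


if __name__ == "__main__":
    r = example_router()
    print(r.outbound("tcp", "192.168.5.32", 5634, "198.133.219.25", 80))  # ('11.22.33.44', 5634)
    print(r.outbound("tcp", "192.168.5.33", 5634, "198.133.219.25", 80))  # ('11.22.33.44', 1024): 5634 taken
    print(r.inbound("tcp", "198.133.219.25", 80, "11.22.33.44", 5634))    # ('192.168.5.32', 5634)
    print(r.inbound("tcp", "203.0.113.9", 80, "11.22.33.44", 5634))       # None: wrong peer, dropped
    print(r.outbound("tcp", "192.168.3.7", 40000, "198.133.219.25", 80))  # None: denied by the NAT list
    print(r.inbound("tcp", "203.0.113.9", 51000, "11.22.33.44", 80))      # ('192.168.1.10', 80)
```

Two of the results carry the security lesson: an inbound packet to 11.22.33.44:5634 from anyone other than 198.133.219.25:80 finds no entry and is dropped, which is all the "protection" PAT provides, while the static port forward answers to any source at all, which is why each forwarded port needs its own justification.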

 
