Chapter 7

Implement, Verify, and Troubleshoot NAT and ACLs in a Medium-Sized Enterprise Branch Office Network

The Cisco CCNA exam objectives covered in this chapter include the following:

  • Describe the purpose and types of ACLs.
  • Configure and apply ACLs based on network filtering requirements (including CLI/SDM).
  • Configure and apply ACLs to limit Telnet and SSH access to the router using (including SDM/CLI).
  • Verify and monitor ACLs in a network environment.
  • Troubleshoot ACL issues.
  • Explain the basic operation of NAT.
  • Configure NAT for given network requirements using (including CLI/SDM).
  • Troubleshoot NAT issues.

The proper use and configuration of access lists is a vital part of router configuration because access lists are such versatile networking accessories. Contributing mightily to the efficiency and operation of your network, access lists give network managers a huge amount of control over traffic flow throughout the enterprise. With access lists, managers can gather basic statistics on packet flow and security policies can be implemented. Sensitive devices can also be protected from unauthorized access.

In this chapter, we’ll look more closely at ACLs, Network Address Translation (NAT), Dynamic NAT, and Port Address Translation (PAT), also known as NAT Overload.

Describe the Purpose and Types of ACLs

For information on this objective, please see the section titled “Implement Basic Router Security” in Chapter 4, “Configure, Verify, and Troubleshoot Basic Router Operation and Routing on Cisco Devices.”

Configure and Apply ACLs Based on Network Filtering Requirements (Including CLI/SDM)

In this section, configuring standard and extended access lists will be covered. This will include a look at a technique for specifying ranges of addresses called wildcard masking that can be used with all three types of access lists. First, let’s look at how standard ACLs are configured and applied.

Configuring Standard IP Access Lists

As you learned in Chapter 4, standard IP access lists filter network traffic by examining the source IP address in a packet. You create a standard IP access list by using the access-list numbers 1–99 or 1300–1999 (expanded range). Access-list types are generally differentiated using a number. Based on the number used when the access list is created, the router knows which type of syntax to expect as the list is entered. By using numbers 1–99 or 1300–1999, you’re telling the router that you want to create a standard IP access list, so the router will expect syntax specifying only the source IP address in the test lines.

The following is an example of the many access-list number ranges that you can use to filter traffic on your network (the protocols for which you can specify access lists depend on your IOS version):

Corp(config)#access-list ? 
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

Let’s take a look at the syntax used when creating a standard access list:

Corp(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment

As I said, by using the access-list numbers 1–99 or 1300–1999, you’re telling the router that you want to create a standard IP access list.

After you choose the access-list number, you need to decide whether you’re creating a permit or deny statement. For this example, you will create a deny statement:

Corp(config)#access-list 10 deny ?          
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

The next step requires a more detailed explanation. Three options are available. You can use the any parameter to permit or deny any host or network, you can use an IP address to specify either a single host or a range of them, or you can use the host command to specify a specific host only. The any command is pretty obvious—any source address matches the statement, so every packet compared against this line will match. The host command is relatively simple, as you can see in the following example:

Corp(config)#access-list 10 deny host ?
  Hostname or A.B.C.D  Host address
Corp(config)#access-list 10 deny host 172.16.30.2

This tells the list to deny any packets from host 172.16.30.2. The default parameter is host. In other words, if you type access-list 10 deny 172.16.30.2, the router assumes that you mean host 172.16.30.2.

But there’s another way to specify either a particular host or a range of hosts—you can use wildcard masking. In fact, to specify any range of hosts, you have to use wildcard masking in the access list.

Wildcard Masking

Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks. To understand a wildcard, you need to understand what a block size is. A block size is used to specify a range of addresses. Some of the different block sizes available are 64, 32, 16, 8, and 4.

When you need to specify a range of addresses, you choose the next-largest block size for your needs. For example, if you need to specify 34 networks, you need a block size of 64. If you want to specify 18 hosts, you need a block size of 32. If you specify only two networks, then a block size of 4 would work.

Wildcards are used with the host or network address to tell the router a range of available addresses to filter. To specify a host, the address would look like this:

172.16.30.5 0.0.0.0

The four zeros represent each octet of the address. Whenever a zero is present, it means that octet in the address must match exactly. To specify that an octet can be any value, the value of 255 is used. As an example, here’s how a /24 subnet is specified with a wildcard:

172.16.30.0 0.0.0.255

This tells the router to match up the first three octets exactly, but the fourth octet can be any value.

That was the easy part. What if you want to specify only a small range of subnets? This is where the block sizes come into play. You have to specify the range of values in a block size. In other words, you can’t choose to specify 20 networks. You can only specify the exact amount as the block size value. For example, the range would have to be either 16 or 32, but not 20.

Let’s say you want to block access to part of the network that is in the range from 172.16.8.0 through 172.16.15.0. That is a block size of 8. Your network number would be 172.16.8.0, and the wildcard would be 0.0.7.255. The 7.255 is what the router uses to determine the block size. The network and wildcard tell the router to start at 172.16.8.0 and go up a block size of eight addresses to network 172.16.15.0.

All you have to do is remember that the wildcard is always one number less than the block size. So, in this example, the wildcard would be 7 because the block size is 8. If you used a block size of 16, the wildcard would be 15.

The following example tells the router to match the first three octets exactly but that the fourth octet can be anything:

Corp(config)#access-list 10 deny 172.16.10.0 0.0.0.255

The next example tells the router to match the first two octets and that the last two octets can be any value:

Corp(config)#access-list 10 deny 172.16.0.0 0.0.255.255

Try to figure out the next line:

Corp(config)#access-list 10 deny 172.16.16.0 0.0.3.255

This configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would be 172.16.16.0 through 172.16.19.255.

The following example shows an access list starting at 172.16.16.0 and going up a block size of 8 to 172.16.23.255:

Corp(config)#access-list 10 deny 172.16.16.0 0.0.7.255

The next example starts at network 172.16.32.0 and goes up a block size of 16 to 172.16.47.255:

Corp(config)#access-list 10 deny 172.16.32.0 0.0.15.255

The next example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.255:

Corp(config)#access-list 10 deny 172.16.64.0 0.0.63.255

The last example starts at network 192.168.160.0 and goes up a block size of 32 to 192.168.191.255:

Corp(config)#access-list 10 deny 192.168.160.0 0.0.31.255

Here are two more things to keep in mind when working with block sizes and wildcards:

  • Each block size must start at 0 or a multiple of the block size. For example, you can’t say that you want a block size of 8 and then start at 12. You must use 0–7, 8–15, 16–23, and so on. For a block size of 32, the ranges are 0–31, 32–63, 64–95, and so on.
  • Using the command any does the same thing as writing out the wildcard 0.0.0.0 255.255.255.255.

Wildcard masking is a crucial skill to master when you are creating IP access lists. It’s used identically when you are creating standard and extended IP access lists.
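The block-size and wildcard rules above, worked through in Python. This is an added example, not code from the book: it builds a wildcard from a block size, computes the range an address/wildcard pair covers (rejecting a network that does not start on a block boundary, as the first bullet requires), and tests an address the way the router does, comparing only the bits that are 0 in the wildcard.

```python
"""Wildcard-mask arithmetic for IP access-list entries (added example)."""
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_for_block(block_size: int, octet: int) -> str:
    """Build the wildcard for a block of `block_size` values in octet `octet` (1-4).

    The value in that octet is block_size - 1 (the rule from the text), and every
    octet to the right is 255 because those octets may take any value.
    """
    if not 1 <= block_size <= 256 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two from 1 to 256")
    if not 1 <= octet <= 4:
        raise ValueError("octet must be between 1 and 4")
    parts = [0, 0, 0, 0]
    parts[octet - 1] = block_size - 1
    for i in range(octet, 4):
        parts[i] = 255
    return ".".join(str(p) for p in parts)


def acl_range(network: str, wildcard: str) -> tuple[str, str]:
    """Return the (first, last) address covered by an address/wildcard pair.

    Bits that are 0 in the wildcard must match the network exactly; bits that
    are 1 may be anything, so the last address is network OR wildcard. The rule
    that a block must start at 0 or a multiple of the block size is enforced:
    a network with 1 bits inside the wildcard's range is rejected.
    """
    net, wc = _to_int(network), _to_int(wildcard)
    if net & wc:
        raise ValueError(
            f"{network} does not start on a block boundary for wildcard {wildcard}")
    return _to_str(net), _to_str(net | wc)


def wildcard_matches(address: str, network: str, wildcard: str) -> bool:
    """Test one address the way the router does: compare only the bits that
    are 0 in the wildcard and ignore the rest."""
    keep = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(address) & keep) == (_to_int(network) & keep)


if __name__ == "__main__":
    # The entries the chapter walks through, as typed on the router.
    for network, wildcard in [("172.16.16.0", "0.0.3.255"),
                              ("172.16.16.0", "0.0.7.255"),
                              ("172.16.32.0", "0.0.15.255"),
                              ("172.16.64.0", "0.0.63.255"),
                              ("192.168.160.0", "0.0.31.255")]:
        first, last = acl_range(network, wildcard)
        print(f"access-list 10 deny {network} {wildcard:<12} covers {first} - {last}")
    # A block of 8 networks in the third octet, and a single host (block size 1).
    print(wildcard_for_block(8, 3), wildcard_for_block(1, 4))
```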

Using a Standard Access List

In this section, you’ll learn how to use a standard access list to stop specific users from gaining access to the Finance Department LAN.

In Figure 7-1, a router has three LAN connections and one WAN connection to the Internet. Users on the Sales LAN should not have access to the Finance LAN, but they should be able to access the Internet and the Marketing Department. The Marketing LAN needs to access the Finance LAN for application services.

Figure 7-1: Three LANs and a WAN connection


On the router in the figure, the following standard IP access list is configured:

Lab_A#config t
Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Lab_A(config)#access-list 10 permit any

It’s very important to know that using the any command is the same thing as saying the following using wildcard masking:

Lab_A(config)#access-list 10 permit 0.0.0.0 255.255.255.255

Because the wildcard mask says that none of the octets is to be evaluated, every address matches the test condition. So, this is functionally the same as using the any keyword.

At this point, the access list is configured to deny source addresses from the Sales LAN access to the Finance LAN and allow everyone else. Don’t forget that no action will be taken until the access list is applied on an interface in a specific direction. Where should this access list be placed? If you place it as an incoming access list on E0, you might as well shut down the Ethernet interface because all of the Sales LAN devices will be denied access to all networks attached to the router. The best place to apply this access list is on the E1 interface as an outbound list:

Lab_A(config)#int e1
Lab_A(config-if)#ip access-group 10 out

This completely stops traffic from 172.16.40.0 from getting out Ethernet 1. It has no effect on the hosts from the Sales LAN accessing the Marketing LAN and the Internet because traffic to those destinations doesn’t go through interface E1. Any packet trying to exit out E1 will have to go through the access list first. If an inbound list were to be placed on E0, then any packet trying to enter interface E0 would have to go through the access list before being routed to an exit interface.

Let’s take a look at another example of a standard access list. Figure 7-2 shows an internetwork of two routers with three LANs and one serial WAN connection.

Figure 7-2: Two routers with three LANs and one serial WAN connection


You need to stop the Accounting users from accessing the Human Resources server attached to the Lab_B router but allow all other users access to that LAN. What standard access list would you create and where would you place it?

Standard access lists, by rule of thumb, are placed closest to the destination—in this example, Ethernet 0 outbound on the Lab_B router. Here is the access list that should be placed on the Lab_B router:

Lab_B#config t
Lab_B(config)#access-list 10 deny 192.168.10.128 0.0.0.31
Lab_B(config)#access-list 10 permit any
Lab_B(config)#interface Ethernet 0
Lab_B(config-if)#ip access-group 10 out

Before we move on to restricting Telnet access on a router, let’s take a look at one more standard access list example, but it will require some thought. This example begins with a router that has four LAN connections and one WAN connection to the Internet, as shown in Figure 7-3.

You need to write an access list that will stop access from each of the four LANs shown in the diagram to the Internet. Each of the LANs shows a single host’s IP address, and from that you need to determine the subnet and use wildcards to configure the access list.

Figure 7-3: A router with four LAN connections and one WAN connection to the Internet


Here is an example of what your answer should look like (starting with the network on E0 and working through to E3):

Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
Router(config)#access-list 1 deny 172.16.48.0 0.0.15.255
Router(config)#access-list 1 deny 172.16.192.0 0.0.63.255
Router(config)#access-list 1 deny 172.16.88.0 0.0.7.255
Router(config)#access-list 1 permit any
Router(config)#interface serial 0
Router(config-if)#ip access-group 1 out

Controlling VTY (Telnet) Access

For information on this subobjective, see the section titled “Configure and Apply ACLs to Limit Telnet and SSH Access to the Router Using (Including SDM/CLI)” later in this chapter.

Extended Access Lists

In the previous standard IP access list example, you had to block all access from the Sales LAN to the Finance Department. What if you needed Sales to gain access to a certain server on the Finance LAN but not to other network services for security reasons? With a standard IP access list, you can’t allow users to get to one network service and not another. Said another way, when you need to make decisions based on both source and destination addresses, a standard access list won’t allow you to do that because it only makes decisions based on the source address.

However, an extended access list will hook you up because extended access lists allow you to specify the source and destination addresses as well as the protocol and port number that identify the upper-layer protocol or application. By using extended access lists, you can effectively allow users access to a physical LAN and stop them from accessing specific hosts—or even specific services on those hosts.

Here’s an example of an extended IP access list:

Corp(config)#access-list ?  
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

The first command shows the access-list numbers available. You’ll use the extended access-list range from 100 to 199. Be sure to notice that the range 2000–2699 is also available for extended IP access lists.

At this point, you need to decide what type of list entry you are making. For this example, you’ll choose a deny list entry.

Corp(config)#access-list 110 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment

Once you choose the access-list type, you’ll need to select a protocol field entry.

Corp(config)#access-list 110 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

If you want to filter by Application layer protocol, you have to choose the appropriate layer 4 transport protocol after the permit or deny statement. For example, to filter Telnet or FTP, you should specify TCP because both Telnet and FTP use TCP at the Transport layer. If you were to choose IP, you wouldn’t be allowed to specify a specific application protocol later.

Here, you’ll choose to filter an Application layer protocol that uses TCP by selecting TCP as the protocol. You’ll specify the specific TCP port later. Next, you will be prompted for the source IP address of the host or network (you can choose the any command to deny any source address):

Corp(config)#access-list 110 deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

After the source address is selected, the destination address will be chosen:

Corp(config)#access-list 110 deny tcp any ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

In the following example, any source IP address that has a destination IP address of 172.16.30.2 has been denied.

Corp(config)#access-list 110 deny tcp any host 172.16.30.2 ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>

You can press Enter here and leave the access list as is—but if you do that, all TCP traffic to host 172.16.30.2 will be denied, regardless of the destination port. You can be even more specific: Once you have the host addresses in place, you can just specify the type of service you are denying. The help screen shown in the following example displays the available options. You can choose a port number or use the application or protocol name:

Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  drip         Dynamic Routing Information Protocol (3949)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)

At this point, let’s block Telnet (port 23) to host 172.16.30.2 only. The log parameter that I added is used to log messages every time the access list is hit and can be used to monitor inappropriate access attempts as follows:

Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

You need to keep in mind that the next line is an implicit deny any by default. If you apply this access list to an interface, you might as well shut the interface down, because by default there is an implicit deny all at the end of every access list. You’ve got to close the access list with the following command:

Corp(config)#access-list 110 permit ip any any

Remember, the 0.0.0.0 255.255.255.255 is the same command as any, so the command could look like this:

Corp(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Once the access list is created, you need to apply it to an interface (it’s the same command as the IP standard list):

Corp(config-if)#ip access-group 110 in

Or this:

Corp(config-if)#ip access-group 110 out

In the following section, we’ll look at an example of how to use an extended access list.

Extended Access List Example 1

Using Figure 7-1 from the IP standard access list example, let’s use the same network and deny access to a host at 172.16.30.5 on the Finance Department LAN for both Telnet and FTP services. All other services on this and all other hosts are acceptable for the Sales and Marketing departments to access.

The following access list should be created:

Lab_A#config t
Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 23
Lab_A(config)#access-list 110 permit ip any any

The access-list 110 tells the router you are creating an extended IP access list. The tcp is the protocol field in the Network layer header. If the list doesn’t say tcp here, you cannot filter by port numbers 21 and 23 as shown in the example. (These are FTP and Telnet, and they both use TCP for connection-oriented services.) The any command is the source, which means any IP address, and the host is the destination IP address.


Instead of using the host 172.16.30.5 command when you created the extended access list, you could have entered 172.16.30.5 0.0.0.0 and there would be no difference in the result—other than the router would change the command to host 172.16.30.5 in the running-config.

After the list is created, it needs to be applied to the Ethernet 1 interface outbound. This applies the policy you created to all hosts and effectively blocks all FTP and Telnet access to 172.16.30.5 from outside the local LAN. If this list were created to only block access from the Sales LAN, then you’d have put this list closer to the source, or on Ethernet interface 0. So, in this situation, you’d apply the list to inbound traffic.

Go ahead and apply the list to interface E1 and block all outside FTP and Telnet access to the host:

Lab_A(config-if)#ip access-group 110 out

Extended Access List Example 2

In this example, we’ll again use Figure 7-3, which has four LANs and a serial connection. We need to stop Telnet access to the networks attached to the Ethernet 1 and Ethernet 2 interfaces. If we used only one access list, it would not be a very effective one because of the latency that would be caused on the Ethernet 1 and 2 interfaces (because every packet going out those interfaces must be looked at), but if we used two lists, the latency could be less on each interface if configured correctly. However, because you’re studying the CCNA objectives and not working in a real-world environment, we’re going to look at this with only one access list.

The configuration on the router would look something like this, although the answer can vary:

Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23
Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#interface Ethernet 1
Router(config-if)#ip access-group 110 out
Router(config-if)#interface Ethernet 2
Router(config-if)#ip access-group 110 out

The important information you need to understand from this list is as follows: First, you need to verify that the number range is correct for the type of access list you are creating—in this example, it’s extended, so the range must be 100–199. Second, you need to verify that the protocol field matches the upper-layer process or application—in this example, port 23 (Telnet).

The protocol parameter must be TCP because Telnet uses TCP. If the question stated to use TFTP, for example, then the protocol parameter would have to be UDP because TFTP uses UDP. Third, verify that the destination port number matches the application you are filtering for—in this case, port 23 matches Telnet, which is correct. Finally, the test statement permit ip any any is important to have at the end of the list to enable all packets other than Telnet packets destined for the LANs connected to Ethernet 1 and Ethernet 2.
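To make the top-down, first-match and implicit-deny behaviour concrete, here is an added Python example (not IOS code and not from the book) that parses access-list lines in the syntax used in this chapter and evaluates packets against them. It handles standard numbers (1–99, 1300–1999) and extended numbers (100–199, 2000–2699), the any, host and address/wildcard forms, eq with a port number or one of a few port names, and the log keyword; the list it loads is the one from Example 2, and any packets you test with it are constructed for illustration.

```python
"""Parse and evaluate numbered IP access lists (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A few of the port names IOS accepts after "eq", taken from the help output above.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class Entry:
    number: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # None means any destination port
    log: bool = False


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def _matches(address: str, network: str, wildcard: str) -> bool:
    """Compare only the bits that are 0 in the wildcard, as the router does."""
    addr, net, wc = (int(ipaddress.IPv4Address(a)) for a in (address, network, wildcard))
    keep = 0xFFFFFFFF ^ wc
    return (addr & keep) == (net & keep)


def _parse_address(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]' and return
    (network, wildcard, remaining tokens). No wildcard means a host (0.0.0.0)."""
    if tokens[0] == "any":
        return ANY[0], ANY[1], tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    rest = tokens[1:]
    if rest and rest[0][0].isdigit() and "." in rest[0]:
        return tokens[0], rest[0], rest[1:]
    return tokens[0], "0.0.0.0", rest


def parse_line(line: str) -> Entry:
    """Parse one access-list line as typed in global configuration mode.
    A pasted prompt such as 'Router(config)#' in front of it is ignored."""
    tokens = line.split()
    tokens[0] = tokens[0].split("#", 1)[-1]
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit or deny: {line!r}")
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        # Standard list: only the source address is tested.
        proto, dport = "ip", None
        src, src_wc, rest = _parse_address(rest)
        dst, dst_wc = ANY
    elif 100 <= number <= 199 or 2000 <= number <= 2699:
        # Extended list: protocol, source, destination, then an optional port.
        proto, rest = rest[0], rest[1:]
        src, src_wc, rest = _parse_address(rest)
        dst, dst_wc, rest = _parse_address(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
            rest = rest[2:]
    else:
        raise ValueError(f"{number} is not a standard or extended IP list number")
    return Entry(number, action, proto, src, src_wc, dst, dst_wc, dport, "log" in rest)


def entry_matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    return (_matches(pkt.src, entry.src, entry.src_wc)
            and _matches(pkt.dst, entry.dst, entry.dst_wc))


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[Entry]]:
    """Top-down, first match wins. No match means the implicit deny at the end
    of every access list drops the packet, which is why the list must close
    with 'permit ip any any' unless dropping everything else is intended."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action, entry
    return "deny", None


# The list from Extended Access List Example 2, as typed on the router.
EXAMPLE_2 = [parse_line(line) for line in (
    "access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23",
    "access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23",
    "access-list 110 permit ip any any",
)]
```

Dropping the final permit line from EXAMPLE_2 before calling evaluate shows the implicit deny in action: every packet, Telnet or not, comes back as ("deny", None).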


The SDM objectives are covered on the CD of the CCNA Cisco Certified Network Associate Study Guide, 7th Edition (Sybex, 2011).

Exam Essentials

Understand the standard IP access list configuration command. To configure a standard IP access list, use the access-list numbers 1–99 or 1300–1999 in global configuration mode. Choose permit or deny, and then choose the source IP address you want to filter on using one of the three techniques covered earlier.

Understand the extended IP access list configuration command. To configure an extended IP access list, use the access-list numbers 100–199 or 2000–2699 in global configuration mode. Choose permit or deny, the Network layer protocol, the source IP address you want to filter on, the destination address you want to filter on, and finally the Transport layer protocol (if selected).

Use wildcard masks effectively to filter the IP addresses to which an ACL applies. Wildcards are used with the host or network address to tell the router a range of available addresses to filter.

Contrast standard and extended ACLs. Standard access lists can only filter based on the source IP address. Extended access lists allow you to specify the source and destination address as well as the protocol and port number that identify the upper-layer protocol or application.

Configure and Apply ACLs to Limit Telnet and SSH Access to the Router Using (Including SDM/CLI)

You’ll probably have a difficult time trying to stop users from telnetting to a large router, because any active interface on a router is fair game for VTY access. You could try to create an extended IP access list that limits Telnet access to every IP address on the router. But if you did that, you’d have to apply it inbound on every interface, and that really wouldn’t scale well to a large router with dozens, or even hundreds, of interfaces. Here’s a much better solution: Use a standard IP access list to control access to the VTY lines themselves.

When you apply an access list to the VTY lines, you don’t need to specify the Telnet protocol because access to the VTY implies terminal access. You also don’t need to specify a destination address, because it really doesn’t matter which interface address the user used as a target for the Telnet session. You really only need to control where the user is coming from—their source IP address.

To create and apply an ACL to the VTY line(s), follow these steps:

1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.

2. Apply the access list to the VTY line with the access-class command.

Here is an example of allowing only host 172.16.10.3 to telnet into a router:

Lab_A(config)#access-list 50 permit 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in

Because of the implied deny any at the end of the list, the access list stops any host from telnetting into the router except the host 172.16.10.3, regardless of which individual IP address on the router is used as a target.


Cisco recommends that you use Secure Shell (SSH) instead of Telnet on the VTY lines of a router.

Secure Shell (SSH)

Instead of Telnet, you can use Secure Shell (SSH), which creates a more secure session than Telnet, whose data stream is unencrypted. SSH negotiates keys and encrypts the session so that your username and password are not sent in the clear.

Here are the steps to setting up SSH:

1. Set your hostname:

Router(config)#hostname Todd

2. Set the domain name (both the hostname and domain name are required for the encryption keys to be generated):

Todd(config)#ip domain-name Lammle.com

3. Generate the encryption keys for securing the session:

Todd(config)#crypto key generate rsa general-keys modulus ?
  <360-2048>  size of the key modulus [360-2048]
Todd(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: Todd.Lammle.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*June 24 19:25:30.035: %SSH-5-ENABLED: SSH 1.99 has been enabled

4. Set the maximum idle timer for an SSH session:

Todd(config)#ip ssh time-out ?
  <1-120>  SSH time-out interval (secs)
Todd(config)#ip ssh time-out 60

5. Set the maximum failed attempts for an SSH connection:

Todd(config)#ip ssh authentication-retries ?
  <0-5>  Number of authentication retries
Todd(config)#ip ssh authentication-retries 2

6. Connect to the VTY lines of the router:

Todd(config)#line vty 0 1180

7. Configure SSH and then Telnet as access protocols:

Todd(config-line)#transport input ssh telnet

If you do not use the keyword telnet at the end of the command string, only SSH will work on the router. I am not suggesting you use either way. Just understand that SSH is more secure than Telnet.

Exam Essentials

Remember the command on a VTY line that enables you to use SSH on a Cisco router. The command to set SSH on a VTY line is transport input ssh telnet, although the command telnet at the end of the line is optional.

Control telnet access to a router by applying ACLs to the VTY lines. To create and apply an ACL to the VTY line(s), follow these steps:

1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.

2. Apply the access list to the VTY line with the access-class command.

Configure SSH on a VTY line. To configure SSH on a VTY line, follow these steps:

1. Set your hostname.

2. Set the domain name (both the hostname and domain name are required for the encryption keys to be generated).

3. Generate the encryption keys for securing the session.

4. Set the maximum idle timer for an SSH session.

5. Set the maximum failed attempts for an SSH connection.

6. Connect to the VTY lines of the router.

7. Configure SSH and then Telnet as access protocols.

Verify and Monitor ACLs in a Network Environment

Again, it’s always good to be able to verify a router’s configuration. Table 7-1 lists the commands that can be used to verify the configuration.

Table 7-1: Commands Used to Verify Access List Configuration

show access-list
    Displays all access lists and their entries configured on the router. It does not show which interface, if any, a list is applied to.
show access-list 110
    Shows only the entries of access list 110. It does not show where the list is applied.
show ip access-list
    Shows only the IP access lists configured on the router.
show ip interface
    Shows which interfaces have access lists applied, and in which direction.
show running-config
    Shows the access lists and which interfaces (or lines) they are applied to.
show mac access-group
    Displays MAC access lists applied to all layer 2 interfaces or to a specified layer 2 interface (layer 2 switches only).

You’re already somewhat familiar with the show running-config command, so let’s take a look at the output from some of the other commands.

The show access-list command will list all access lists on the router, whether they’re applied to an interface or not:

Lab_A#show access-list
Standard IP access list 10
    deny   172.16.40.0, wildcard bits 0.0.0.255
    permit any
Standard IP access list BlockSales
    deny   172.16.40.0, wildcard bits 0.0.0.255
    permit any
Extended IP access list 110
    deny tcp any host 172.16.30.5 eq ftp
    deny tcp any host 172.16.30.5 eq telnet
    permit ip any any
Lab_A#

First, notice that access lists 10 and 110, as well as a named access list (BlockSales), appear in this output. Second, when I created access list 110, I entered the actual TCP port numbers (21 and 23), but for readability the show command prints the well-known names (ftp and telnet) in place of the port numbers.
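To make the rules behind this output concrete (top-down evaluation, first match wins, wildcard masks, and the implicit deny at the end of every list, which is also what an access-class list on the VTY lines relies on), here is an added Python model written for this chapter. It is not Cisco code and not part of the original text. It parses access-list lines in IOS syntax for the two numbered lists shown above plus a constructed deny-only list and a constructed VTY list, then evaluates constructed sample packets against them. The port-name table covers only the names used in this chapter, and the 172.16.50.x source addresses and the management host 172.16.1.1 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords IOS accepts in place of numbers (only those used in this chapter).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80}


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care


def wildcard_for_mask(mask: str) -> str:
    """Wildcard for a subnet mask, e.g. 255.255.255.192 -> 0.0.0.63."""
    return str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF))


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" for a standard list, otherwise ip/tcp/udp/icmp
    src: str
    src_wc: str
    dst: str = "0.0.0.0"          # a standard list never looks at the destination
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None   # "eq <port>" on tcp/udp; None means any port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare host address (standard-list shorthand)."""
    tok = tokens[i]
    if tok == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return tok, tokens[i + 1], i + 2
    return tok, "0.0.0.0", i + 1


def parse_entry(line: str) -> Tuple[int, Entry]:
    """Parse one 'access-list N permit|deny ...' line in standard or extended syntax."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:     # standard list: source address only
        src, src_wc, _ = _parse_addr(t, 3)
        return number, Entry(action, "ip", src, src_wc)
    src, src_wc, i = _parse_addr(t, 4)                  # extended: protocol, source, destination, port
    dst, dst_wc, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    return number, Entry(action, t[3], src, src_wc, dst, dst_wc, dport)


def parse_acl(lines: List[str]) -> Dict[int, List[Entry]]:
    """Group entries by list number in the order they were typed; the order is significant."""
    acls: Dict[int, List[Entry]] = {}
    for line in lines:
        number, entry = parse_entry(line)
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """Top-down, first match wins; a packet that matches no entry hits the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc) or not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"   # the implicit deny any at the end of every list


def demo() -> Dict[str, str]:
    """Evaluate the lists from this section against constructed sample packets."""
    acls = parse_acl([
        "access-list 10 deny 172.16.40.0 0.0.0.255",                  # lists 10 and 110 as shown above
        "access-list 10 permit any",
        "access-list 110 deny tcp any host 172.16.30.5 eq ftp",
        "access-list 110 deny tcp any host 172.16.30.5 eq telnet",
        "access-list 110 permit ip any any",
        "access-list 120 deny tcp 10.1.1.128 0.0.0.63 any eq smtp",   # constructed: deny entries only
        "access-list 120 deny tcp any any eq 23",
        "access-list 20 permit 172.16.1.1",                           # constructed: access-class list for the VTYs
    ])
    server, router = "172.16.30.5", "172.16.30.1"
    return {
        "ftp_to_server": evaluate(acls[110], Packet("172.16.50.2", server, "tcp", 21)),
        "http_to_server": evaluate(acls[110], Packet("172.16.50.2", server, "tcp", 80)),
        "sales_subnet": evaluate(acls[10], Packet("172.16.40.7", server, "tcp", 80)),
        "other_subnet": evaluate(acls[10], Packet("172.16.50.7", server, "tcp", 80)),
        "deny_only_list": evaluate(acls[120], Packet("10.1.1.10", server, "tcp", 80)),
        "vty_admin": evaluate(acls[20], Packet("172.16.1.1", router, "tcp", 23)),
        "vty_other": evaluate(acls[20], Packet("172.16.1.2", router, "tcp", 23)),
    }
```

Running demo() shows the two behaviours that cause most ACL tickets: list 120 contains only deny statements, so even harmless web traffic is dropped by the implicit deny, and the VTY list admits exactly one host and silently denies every other source.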

Here’s the output of the show ip interface command:

Lab_A#show ip interface e1
Ethernet1 is up, line protocol is up
  Internet address is 172.16.30.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is BlockSales
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP fast switching on the same interface is disabled
  IP Null turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  Web Cache Redirect is disabled
  BGP Policy Mapping is disabled
Lab_A#

Notice the two lines stating that the outgoing access list on this interface is BlockSales and that no inbound access list is set. Let’s discuss one more verification command and then we’ll move on.

As I’ve already mentioned, you can use the show running-config command to see any and all access lists. However, on a layer 2 switch, you can verify your interface configurations with the show mac access-group command:

S1#sh mac access-group 
Interface FastEthernet0/1:
   Inbound access-list is not set
   Outbound access-list is not set
Interface FastEthernet0/2:
   Inbound access-list is not set
   Outbound access-list is not set
S1#

Depending on how many interfaces you set your MAC access lists on, you can use the interface command to view individual interfaces:

S1#sh mac access-group interface f0/6
Interface FastEthernet0/6:
   Inbound access-list is Todd_MAC_List
   Outbound access-list is not set

Exam Essentials

Remember the command to verify an access list on an interface. To see whether an access list is set on an interface and in which direction it is filtering, use the show ip interface command. This command will not show you the contents of the access list, merely which access lists are applied on the interface.

Remember the command to verify the access lists configuration. To see the configured access lists on your router, use the show access-list command. This command will not show you which interfaces have access lists set.

Troubleshoot ACL Issues

When you’re troubleshooting ACL problems, the first thing you should do is confirm whether an access list is blocking the traffic. View the contents of the list with show access-lists, find where it is applied and in which direction with show ip interface, and remember that entries are evaluated top down with the first match winning and that every list ends in an implicit deny any. It is crucial that you be able to quickly view the contents of access lists as well as where they are applied.


For more information concerning this objective, please see the previous section, “Verify and Monitor ACLs in a Network Environment.”

Explain the Basic Operation of NAT

NAT was originally designed to slow the depletion of available IP address space by allowing many private IP addresses to be represented by some smaller number of public IP addresses. In this regard, its original intent was similar to Classless Inter-Domain Routing (CIDR).

Since then, NAT has also become a useful tool for network migrations and mergers, server load sharing, and creating “virtual servers.” So, in this section, I’m going to describe the basics of NAT functionality and the terminology common to NAT.

Here’s a list of situations when it’s best to have NAT on your side:

  • You need to connect to the Internet and your hosts don’t have globally unique IP addresses
  • You change to a new ISP that requires you to renumber your network
  • You need to merge two intranets with duplicate addresses

You typically use NAT on a border router, such as the corporate router in Figure 7-4.

Figure 7-4: Where to configure NAT


For all of its benefits, NAT has some drawbacks as well. For the pros and cons linked to using NAT, check out Table 7-2.

Table 7-2: Advantages and Disadvantages of Implementing NAT

Advantages:
  • Conserves legally registered addresses
  • Reduces address overlap occurrences
  • Increases flexibility when connecting to the Internet
  • Eliminates address renumbering as the network changes

Disadvantages:
  • Translation introduces switching path delays
  • Loss of end-to-end IP traceability
  • Certain applications will not function with NAT enabled

The most obvious advantage associated with NAT is that it allows you to conserve your legally registered address space. It is the main reason the exhaustion of the IPv4 address space was delayed as long as it was.

Types of Network Address Translation

In this section, I’m going to go over the three types of NAT:

Static NAT This type of NAT is designed to allow one-to-one mapping between local and global addresses. Keep in mind that the static version requires you to have one real Internet IP address for every inside host you translate. Because the mapping is permanent, it also makes that inside host reachable from the outside at all times, which is what you want for a published server but should be limited by an access list on the outside interface.

Dynamic NAT This version gives you the ability to map an unregistered IP address to a registered IP address from out of a pool of registered IP addresses. You don’t have to statically configure your router to map an inside to an outside address as you do when using static NAT, but you do have to have enough real, bona fide IP addresses for everyone who’s going to be sending packets to and receiving them from the Internet.

Overloading This is the most popular type of NAT configuration. Overloading really is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address—many-to-one—by using different ports. Because of that, it’s also known as Port Address Translation (PAT). By using PAT (NAT Overload), you get to have thousands of users connect to the Internet using only one real global IP address.

Exam Essentials

Remember the best advantage to using Network Address Translation. The largest advantage to using NAT on your network is that it conserves legally registered addresses.

Remember the three types of NAT. The three types of NAT are static, dynamic, and NAT overload.

Configure NAT for Given Network Requirements Using (Including CLI/SDM)

In this section, I’ll show you how to configure static, dynamic, and NAT overload on a Cisco router using the command line interface (CLI).

Static NAT Configuration

Let’s take a look at a simple basic static NAT configuration:

ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 170.46.2.1 255.255.255.0
 ip nat outside

In this example, the first command configures static NAT, mapping the inside local (private) address 10.1.1.1 to the inside global (public) address 170.46.2.2.

The second and third commands indicate which router interface is considered to be the private network (ip nat inside) and which will be the public network (ip nat outside).

Dynamic NAT Configuration

Dynamic NAT maps a pool of public addresses to the private IP addresses on the inside. Port numbers are not used, so there must be a public IP address for every user trying to get outside the local network.

Here is a sample output of a dynamic NAT configuration:

ip nat pool todd 170.168.2.2 170.168.2.254
    netmask 255.255.255.0
ip nat inside source list 1 pool todd
!
interface Ethernet0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 170.168.2.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255

In this example, the first command defines a NAT pool named todd that ranges from 170.168.2.2 to 170.168.2.254.

The second command specifies that the pool named todd will be used to translate traffic arriving on the inside interface and that access list 1 determines which private IP addresses are allowed to be translated. Each inside host that matches the list is assigned its own address from the pool for as long as its translation is active; once the pool is exhausted, further inside hosts cannot be translated until an entry times out or is cleared.

The third and fourth commands indicate which router interface is considered to be the private network (ip nat inside) and which will be the public network (ip nat outside).

The final command creates an access list that determines which IP addresses on the private network are allowed to be mapped to addresses from the pool.

PAT (Overloading) Configuration

This last example shows how to configure inside global address overloading. This is the typical NAT in use today. It is rare that you would use static or dynamic NAT unless you were statically mapping a server, for example.

Here is a sample output of a PAT configuration:

ip nat pool globalnet 170.168.2.1 170.168.2.1
   netmask 255.255.255.0
ip nat inside source list 1 pool globalnet overload
!
interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 170.168.2.1 255.255.255.0
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255

In this example, the first command defines a NAT pool named globalnet that consists of the single address 170.168.2.1 (the start and end of the range are the same).

The second command specifies that the pool named globalnet will be used for translation on the inside interface, with the overload parameter indicating that the one address will be shared by many inside hosts, each conversation kept apart by its translated source port. Because that address is also the Serial0/0 interface address, the same result is commonly configured without a pool as ip nat inside source list 1 interface Serial0/0 overload.

The third and fourth commands indicate which router interface is considered to be the private network (ip nat inside) and which will be the public network (ip nat outside).

The final command creates an access list that determines which IP addresses on the private network are allowed to be mapped to the single public IP address.

Exam Essentials

Remember the command to enable NAT on your inside network. On your inside interface(s), use the command ip nat inside.

Remember the command to enable NAT on your outside network. On your outside interface(s), use the command ip nat outside.

Configure static NAT, dynamic NAT, and PAT. Specify a NAT pool (dynamic NAT and PAT) or a one-to-one mapping to a public IP address (static NAT).

For dynamic NAT and PAT, specify the name of the pool to be used for translation on the inside interface, using the overload parameter if the address will be used multiple times.

Indicate which router interface is considered to be the private network (ip nat inside) and which will be the public network (ip nat outside).

For dynamic NAT and PAT, create an access list that determines which IP addresses on the private network are allowed to be translated.

Troubleshoot NAT Issues

Let’s go through a couple of NAT examples and see if you can figure out the configuration that needs to be used. To start, look at Figure 7-5 and ask yourself two things: Where would you implement NAT in this design, and what type of NAT would you configure to use the fewest public IP addresses?

Figure 7-5: Where to implement NAT


In Figure 7-5, the NAT configuration would be placed on the corporate router and the configuration will be dynamic NAT with overload (PAT). In the following NAT example, what type of NAT is being used?

ip nat pool todd-nat 170.168.10.10 170.168.10.20 netmask 255.255.255.0

This command uses dynamic NAT. The pool in the command gives the answer away, plus there is more than one address in the pool, which means PAT is probably not being used. In the next NAT example, you’ll use Figure 7-6 to see if you can figure out the configuration needed.

The example in Figure 7-6 shows a border router that needs to be configured with NAT and that will allow the use of six public IP addresses, 192.1.2.109 through 114. However, on the inside network, you have 62 hosts that use the private addresses 192.168.10.65 through 126. What would your NAT configuration be on the border router?

Two different answers would work here, but the following would be my first choice:

ip nat pool Todd 192.1.2.109 192.1.2.109 netmask 255.255.255.248
access-list 1 permit 192.168.10.64 0.0.0.63
ip nat inside source list 1 pool Todd overload

Figure 7-6: Configuring PAT


The command ip nat pool Todd 192.1.2.109 192.1.2.109 netmask 255.255.255.248 names the pool Todd and creates a dynamic pool containing the single address 192.1.2.109 for NAT to use. Instead of the netmask keyword, you can use prefix-length 29. The second answer ends up with the same result of 192.1.2.109 being your inside global address nearly all the time, and it works too: ip nat pool Todd 192.1.2.109 192.1.2.114 netmask 255.255.255.248. This is a waste, because with overload the router keeps assigning translations to the first address, choosing a different source port whenever the original port is already in use, and moves on to the second through sixth addresses only after the first address has no free ports left.

The ip nat inside source list 1 pool Todd overload command sets the dynamic pool to use PAT by using the overload command.

Be sure to add the ip nat inside and ip nat outside statements on the appropriate interfaces.
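The following Python model is an added example, not part of the original text and not Cisco code. It reproduces the three NAT types described earlier in this chapter (static one-to-one, dynamic pool with no port rewriting, and overload/PAT) and the pool question just discussed, so the difference between "pool exhausted" and "one address, many ports" can be seen on constructed data. Inside hosts, ports and the ports_per_ip limit are constructed for the example (the six-address case sets ports_per_ip=2 purely so the spill-over to the second address is visible; a real router has the whole ephemeral range per address). The port-selection rule in _allocate (keep the source port when it is free, otherwise pick another free port on the same address, move to the next pool address only when that one is out of ports) is the model's assumption.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Translation = Tuple[str, int]   # (inside global address, source port after translation)


def expand_pool(start: str, end: str) -> List[str]:
    """All addresses of 'ip nat pool NAME start end', inclusive."""
    a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(x)) for x in range(a, b + 1)]


class NatRouter:
    """Translates the source of outbound packets the way 'ip nat inside source' does.

    inside_net    network the 'ip nat inside source list' ACL permits
    pool          inside global addresses (empty for a static-only router)
    overload      True for PAT, False for one-to-one dynamic NAT
    static        'ip nat inside source static local global' mappings
    ports_per_ip  ports available per global address; 64512 (1024-65535) is the assumed default
    """

    def __init__(self, inside_net: str, pool: List[str], overload: bool = False,
                 static: Optional[Dict[str, str]] = None, ports_per_ip: int = 64512):
        self.inside_net = ipaddress.IPv4Network(inside_net)
        self.pool = pool
        self.overload = overload
        self.static = static or {}
        self.ports_per_ip = ports_per_ip
        self.dynamic: Dict[str, str] = {}                      # inside local -> inside global
        self.pat: Dict[Tuple[str, int], Translation] = {}      # (local, port) -> (global, port)
        self.used_ports: Dict[str, Set[int]] = {ip: set() for ip in pool}

    def translate(self, local: str, port: int) -> Optional[Translation]:
        """Return (inside global, port) for a packet from local:port; the packet unchanged when the ACL
        does not match it; None when the packet is dropped because nothing is left to allocate."""
        if local in self.static:                               # static entries need no ACL and never expire
            return self.static[local], port
        if ipaddress.IPv4Address(local) not in self.inside_net:
            return local, port                                 # not permitted by the list: forwarded untranslated
        if not self.overload:
            if local not in self.dynamic:
                free = [ip for ip in self.pool if ip not in self.dynamic.values()]
                if not free:
                    return None                                # dynamic pool exhausted
                self.dynamic[local] = free[0]                  # one global address per inside host, port kept
            return self.dynamic[local], port
        key = (local, port)
        if key not in self.pat:
            allocated = self._allocate(port)
            if allocated is None:
                return None                                    # every pool address is out of ports
            self.pat[key] = allocated
        return self.pat[key]

    def _allocate(self, port: int) -> Optional[Translation]:
        """PAT allocation (model assumption): keep the source port if free on the current global address,
        otherwise take a free port on that same address; move to the next pool address only when this
        one has no ports left."""
        for ip in self.pool:
            used = self.used_ports[ip]
            if len(used) >= self.ports_per_ip:
                continue
            chosen = port if port not in used else next(p for p in range(1024, 65536) if p not in used)
            used.add(chosen)
            return ip, chosen
        return None


def demo() -> Dict[str, object]:
    """Run the configurations from this chapter against constructed inside hosts and ports."""
    results: Dict[str, object] = {}
    # ip nat inside source static 10.1.1.1 170.46.2.2
    static = NatRouter("10.1.1.0/24", [], static={"10.1.1.1": "170.46.2.2"})
    results["static"] = static.translate("10.1.1.1", 40000)
    # dynamic NAT with a constructed three-address pool: the fourth inside host gets nothing
    dyn = NatRouter("10.1.1.0/24", expand_pool("170.168.2.2", "170.168.2.4"))
    results["dynamic"] = [dyn.translate(f"10.1.1.{h}", 40000 + h) for h in range(11, 15)]
    # ip nat pool Todd 192.1.2.109 192.1.2.109 ... overload: hosts share one address, ports keep them apart
    pat = NatRouter("192.168.10.64/26", ["192.1.2.109"], overload=True)
    results["pat"] = [pat.translate(f"192.168.10.{h}", 50000) for h in (65, 66, 67)]
    results["not_in_acl"] = pat.translate("192.168.20.5", 50000)
    # six-address pool with overload; ports_per_ip=2 is artificially small so the spill-over is visible
    six = NatRouter("192.168.10.64/26", expand_pool("192.1.2.109", "192.1.2.114"),
                    overload=True, ports_per_ip=2)
    results["six"] = [six.translate(f"192.168.10.{h}", 50000) for h in (65, 66, 67)]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:11} {value}")
```

Two results are worth noting when reading the output: a host the ACL does not permit is forwarded with its private source address intact rather than dropped, which is a common cause of "NAT is configured but nothing works" tickets, and in the six-address case the second address is only touched once the first has no ports left.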

Exam Essentials

Remember to always check your interface configurations when troubleshooting NAT. Be sure to add the ip nat inside and ip nat outside statements on the appropriate interfaces.

Remember to check for the overload keyword when using Port Address Translation (PAT). The command ip nat inside source list list-number pool pool-name overload sets the dynamic pool to use PAT by means of the overload keyword.

Review Questions

1. Which of the following commands connect access list 110 inbound to interface ethernet0?

A. Router(config)#ip access-group 110 in

B. Router(config)#ip access-list 110 in

C. Router(config-if)#ip access-group 110 in

D. Router(config-if)#ip access-list 110 in

2. What command will permit SMTP mail only to host 1.1.1.1?

A. access-list 10 permit smtp host 1.1.1.1

B. access-list 110 permit ip smtp host 1.1.1.1

C. access-list 10 permit tcp any host 1.1.1.1 eq smtp

D. access-list 110 permit tcp any host 1.1.1.1 eq smtp

3. You configure the following access list:

access-list 110 deny tcp 10.1.1.128 0.0.0.63 any eq smtp
access-list 110 deny tcp any any eq 23
int ethernet 0
ip access-group 110 out

What will the result of this access list be?

A. Email and Telnet will be allowed out E0.

B. Email and Telnet will be allowed in E0.

C. Everything but email and Telnet will be allowed out E0.

D. No IP traffic will be allowed out E0.

4. Which of the following series of commands will restrict Telnet access to the router?

A. Lab_A(config)#access-list 10 permit 172.16.1.1

Lab_A(config)#line con 0

Lab_A(config-line)#ip access-group 10 in

B. Lab_A(config)#access-list 10 permit 172.16.1.1

Lab_A(config)#line vty 0 4

Lab_A(config-line)#access-class 10 out

C. Lab_A(config)#access-list 10 permit 172.16.1.1

Lab_A(config)#line vty 0 4

Lab_A(config-line)#access-class 10 in

D. Lab_A(config)#access-list 10 permit 172.16.1.1

Lab_A(config)#line vty 0 4

Lab_A(config-line)#ip access-group 10 in

5. Which of the following is true regarding access lists applied to an interface?

A. You can place as many access lists as you want on any interface until you run out of memory.

B. You can apply only one access list on any interface.

C. One access list may be configured, per direction, for each layer 3 protocol configured on an interface.

D. You can apply two access lists to any interface.

6. You are working on a router that has established privilege levels that restrict access to certain functions. How can you view and confirm the access lists that have been applied to the Ethernet 0 interface on your router?

A. show access-lists

B. show interface Ethernet 0

C. show ip access-lists

D. show ip interface Ethernet 0

7. Which command would you place on an interface connected to a private network?

A. ip nat inside

B. ip nat outside

C. ip outside global

D. ip inside local

8. Which command would you place on interface connected to the Internet?

A. ip nat inside

B. ip nat outside

C. ip outside global

D. ip inside local

9. Which of the following is another term for Port Address Translation (PAT)?

A. NAT Fast

B. NAT Static

C. NAT Overload

D. Overloading Static

10. Which of the following are disadvantages of using NAT? (Choose three.)

A. Translation introduces switching path delays.

B. Conserves legally registered addresses

C. Causes loss of end-to-end IP traceability

D. Increases flexibility when connecting to the Internet

E. Certain applications will not function with NAT enabled.

F. Reduces address overlap occurrence

Answers to Review Questions

1. C. To place an access list on an interface, use the ip access-group command in interface configuration mode.

2. D. When trying to find the best answer to an access-list question, always check the access-list number and then the protocol. When filtering to an upper-layer protocol, you must use an extended list, numbers 100–199 and 2000–2699. Also, when you filter to an upper-layer protocol, you must use either tcp or udp in the protocol field. If it says ip in the protocol field, you cannot filter to an upper-layer protocol. SMTP uses TCP.

3. D. If you add an access list to an interface and you do not have at least one permit statement, then you will effectively shut down the interface because of the implicit deny any at the end of every list.

4. C. Telnet access to the router is restricted by using either a standard or extended IP access list inbound on the VTY lines of the router. The command access-class is used to apply the access list to the VTY lines.

5. C. A Cisco router has rules regarding the placement of access lists on a router interface. You can place one access list per direction for each layer 3 protocol configured on an interface.

6. D. The only command that shows which access lists have been applied to an interface is show ip interface Ethernet 0. The command show access-lists displays all configured access lists, and show ip access-lists displays all configured IP access lists, but neither command indicates whether the displayed access lists have been applied to an interface.

7. A. As with access lists, you must configure your interfaces before NAT will provide any translations. On the inside networks, you would use the command ip nat inside. On the outside interface, you will use the command ip nat outside.

8. B. As with access lists, you must configure your interfaces before NAT will provide any translations. On the inside networks, you would use the command ip nat inside. On the outside interface, you will use the command ip nat outside.

9. C. Another term for Port Address Translation is NAT Overload because overload is the keyword used to enable Port Address Translation.

10. A, C, E. NAT is not perfect and can cause some issues in some networks, but most networks work just fine. NAT can cause delays and troubleshooting problems, and some applications just won’t work.
