FAQ RevisionsEditors: skj See Profile, Covenant See Profile, aryoba See Profile, Phraxos See Profile
Last modified on 2008-07-17 16:04:07

40.1 NAT/VPN/ACL/CBAC/Firewall

·NAT and PAT; Introduction and Implementations
·NAT (RFC 1631)
·Minimum and Maximum NAT Timeouts
·Generic NAT configuration
·How do I NAT a TCP/UDP port range without entering a separate NAT for each port?
·ACLs and wildcard mask syntax
·How can I insert a line into an existing ACL on Routers?
·How do I configure VPN on a router to support Microsoft VPN Client?
The following is a short introduction to NAT and PAT and to how Cisco equipment implements them. Some of the information can be misleading without an understanding of the background conditions; most of the answers, however, are straightforward and should not be open to misinterpretation.

Network Address Translation (NAT) Frequently Asked Questions

Introduction

NAT is short for Network Address Translation. Its purpose is to change a host's IP address in one subnet into an IP address in a different subnet. Translating a single address this way is called one-to-one translation.

With NAT you can also change all, or at least several, of the host IP addresses in one subnet into IP addresses in a different subnet. This is called many-to-many translation; in other words, many-to-many translation can be viewed as a group of one-to-one translations.

Here is an illustration. Say you have five IP addresses in one subnet, and there is outbound traffic from these five addresses to a remote subnet or host. To reach the remote host or subnet, the five addresses have to be changed to addresses in a different subnet.

Say there are seven addresses available in that other subnet. One way to do the change is to take five of them, assign one to each original address, and forward the outbound traffic with the new addresses. This NAT process is a 1-to-1 relationship.

Another way is to take only one of them, assign that single address to all five original addresses, and forward the outbound traffic with that one new address. Seen from the outside this is a many-to-one relationship: the NAT device tells the five hosts' flows apart by also rewriting the source port, which is what makes the sharing work.

Most people refer to the 1-to-1 relationship as NAT and to the shared-address relationship as PAT (Port Address Translation). Cisco IOS calls the latter NAT overload.

Public and Private Subnet

In the IP world there is the concept of Internet-routable IP addresses, meaning addresses that are reachable across the Internet. These are generally the addresses outside the private ranges reserved by RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Addresses outside those ranges are in general considered public subnets, or public IP addresses.

As you may note, private addresses are not Internet-routable. A PC or server using an address from a private range cannot reach the Internet directly, and hosts on the Internet cannot directly reach a PC or server that uses a private address.

If you need Internet access, you need an Internet-routable address. The ISP that provides your Internet access usually assigns you a public address, something like 3.12.62.154.

When a private subnet is used on the local network, the local network has to be bridged to the Internet whenever it needs Internet access. The ISP acts as that bridge, providing Internet access for the local network and letting hosts on the Internet reach it. To make the bridging work, NAT/PAT is placed on the local network between the private addresses and the ISP's public address(es).

Consider the following situation. There are multiple hosts on your local network (PCs, servers), and there is probably some file sharing between them. That file sharing is local or internal to the network and should not involve the Internet at all, so the local network can use a private subnet. When the local network needs to access the Internet, or to permit file sharing with hosts on the Internet, the ISP's public address is used by way of NAT/PAT.

NAT and Internet Access

Now consider this situation. Your ISP provides Internet access but gives you only one IP address. If you have a single host on your network (one PC or one server), you can assign the ISP-provided address to that host and it can access the Internet.

When multiple hosts on your network all need Internet access, you need more than one address for them. There are several ways to get there.

One way is to request more addresses from your ISP and assign one ISP-provided address to each host. Keep in mind that this may not be financially feasible or may introduce technical limitations.

Another way is to keep using the single ISP-provided address for all hosts. In the IP world each host must have its own IP address; PAT works around this limitation. With PAT you share the single ISP-provided address among all hosts that need Internet access.

NAT/PAT is sometimes described as a "firewall", because hosts on the Internet cannot directly reach machines on the local LAN. All local LAN machines appear on the Internet as the public address rather than as their private addresses; with PAT, traffic from all of them is seen on the Internet as coming from one address (the public address), not from many. Be careful with that description, though. PAT only drops inbound packets for which it holds no translation entry; it applies no policy, any port you publish with a static entry is reachable from anywhere, and it says nothing about what inside hosts may send out. Treat the hiding as a side effect and still put an explicit ACL or stateful inspection on the outside interface.

Here is the PAT application breakdown:

* Assign a specific subnet to all hosts
* This subnet should only be meaningful locally, within your network
* Give each host one address from that subnet
* Whenever a host needs Internet access, PAT changes its local address to the single ISP-provided address

Typically the local subnet is a private subnet (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16), and the ISP-provided address is a public one.

As an illustration, say 3.12.62.154 is the ISP-assigned address; this is your public IP address. For the local LAN machines you can use something like 10.10.10.0/24 (a subnet of 10.0.0.0/8) as your private subnet. When the local LAN machines use PAT to go out to the Internet, all of them are seen on the Internet as 3.12.62.154, even though each machine has its own private address, say 10.10.10.2, 10.10.10.242 or 10.10.10.123.

Outbound Traffic, Inbound Traffic, and NAT

The NAT/PAT situation described so far is "outbound traffic": traffic originating on the local (inside) network and going out to the outside network. Here the outside network is the Internet, and the inside network is the local users who need to reach it.

NAT applies in a similar way to "inbound traffic", that is, traffic originating on the outside network and coming into the inside network. Here is an illustration.

Say the local network runs servers that must be accessible from the Internet, such as public web servers used for file sharing. The local network uses a private subnet internally and has an ISP public subnet for Internet access. Both the public on the Internet and the local users need access to the web servers.

For the servers to be accessible to both, NAT has to be in place. For public access, the servers' private subnet is NAT/PAT-ed to the ISP public address or subnet. In other words, when PAT is used, all locally hosted machines accessible from the Internet are seen there as a single address (the single ISP public address); when NAT is used, each machine is seen on the Internet as its own respective public address.

For local user access there should be neither NAT nor PAT, since the servers and the local users are on the same local/internal network. Local users simply reach the servers at their private addresses.

Here is an illustration. The ISP public address is 3.12.62.154, and the objective is to run a publicly accessible web server on the standard web port, TCP 80. The local private subnet is 10.0.0.0/24 and the server's address is 10.0.0.10. For public access, 10.0.0.10 is PAT-ed to 3.12.62.154 on TCP port 80.

When users on the Internet connect to the public web server, they connect to 3.12.62.154, not to 10.0.0.10, because on the Internet the web server is seen as 3.12.62.154. The address 10.0.0.10 is only visible on the local LAN.

In other words, 3.12.62.154 is the PAT-ed address of 10.0.0.10. Local users simply access 10.0.0.10 directly and should not use the PAT-ed address.

Now a similar illustration. The objective is to run a publicly accessible web server and mail server that share the same ISP public address, 3.12.62.154, on two dedicated local machines: one for the web server and one for the mail server. The web server listens on the standard TCP ports 80 and 443 (HTTP and HTTPS); the mail server listens on the standard TCP port 25 (SMTP).

The local private subnet is 10.0.0.0/24; the web server's address is 10.0.0.10 and the mail server's is 10.0.0.11. For public access, 10.0.0.10 is PAT-ed to 3.12.62.154 on TCP ports 80 and 443, and 10.0.0.11 is PAT-ed to 3.12.62.154 on TCP port 25.

When users on the Internet connect to the public web server, they connect to 3.12.62.154 on TCP port 80 or 443, not to 10.0.0.10, because on the Internet the web server is seen as 3.12.62.154 and 10.0.0.10 is only visible on the local LAN. Likewise, Internet users connect to 3.12.62.154 on TCP port 25, not to 10.0.0.11.

In other words, 3.12.62.154 is the PAT-ed address of both 10.0.0.10 and 10.0.0.11 at the same time, with the TCP port deciding which machine a connection goes to. Local users simply access 10.0.0.10 and 10.0.0.11 directly and should not use the PAT-ed address.

In practice a network device such as a router or firewall does the NAT/PAT between the private and public subnets. Such a device usually has two connections: one to the ISP and one to the local network.

Note that from the local users' perspective (PCs, servers, and so on) the NAT/PAT process is transparent, and it is equally transparent to the outside network (the Internet). All of the NAT/PAT complexity is handled by the router or firewall.
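The translation behaviour described in this section, from the outbound sharing of 3.12.62.154 by the workstations to the static entries for the web and mail servers, as an added example in Python (this is not code from the FAQ or from Cisco). It is a toy translation table, not a packet forwarder: the remote hosts 198.51.100.7 and 203.0.113.9 are constructed from the RFC 5737 documentation ranges, the ephemeral port range and the table layout are assumptions, and demo() replays the scenarios above and returns what came out of the table.

```python
"""Toy NAT/PAT translation table (added example, not the FAQ's own code).

Models the router between the inside subnet 10.0.0.0/24 and the ISP-assigned
public address 3.12.62.154: dynamic PAT (IOS "overload") for flows opened from
the inside, static PAT for the web server 10.0.0.10 (tcp/80, tcp/443) and the
mail server 10.0.0.11 (tcp/25).  Inbound packets with no entry are dropped,
which is all the "firewall" effect of PAT amounts to.  Remote hosts, port
range and layout are assumptions.
"""
from dataclasses import dataclass, field

PUBLIC_IP = "3.12.62.154"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatDevice:
    public_ip: str
    # static PAT: (proto, public_port) -> (inside_ip, inside_port); never expires
    static: dict = field(default_factory=dict)
    # dynamic PAT: (proto, inside_ip, inside_port, remote_ip, remote_port) -> public_port
    # The remote endpoint is part of the key, like an IOS extended entry, so only
    # the host the inside client talked to can use the mapping.  Timers are omitted.
    dynamic: dict = field(default_factory=dict)
    next_port: int = 1024

    def add_static(self, proto, inside_ip, inside_port, public_port):
        self.static[(proto, public_port)] = (inside_ip, inside_port)

    def _free_port(self, proto):
        """Pick a public port not owned by a static entry or another flow."""
        taken = {port for (pr, port) in self.static if pr == proto}
        taken |= {port for (pr, *_), port in self.dynamic.items() if pr == proto}
        port = self.next_port
        while port in taken:
            port += 1
        if port > 65535:
            raise RuntimeError("PAT port space exhausted")
        self.next_port = port + 1
        return port

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source to public_ip:public_port."""
        # A server with a static entry keeps its fixed public port when it
        # originates traffic, so replies to it land on the same entry.
        for (proto, pub_port), inside in self.static.items():
            if (proto, *inside) == (pkt.proto, pkt.src_ip, pkt.src_port):
                return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.dynamic:
            self.dynamic[key] = self._free_port(pkt.proto)
        return Packet(pkt.proto, self.public_ip, self.dynamic[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside -> inside: rewrite the destination, or return None to drop."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.static.get((pkt.proto, pkt.dst_port))
        if target is None:
            for (proto, in_ip, in_port, r_ip, r_port), pub_port in self.dynamic.items():
                if (proto, pub_port, r_ip, r_port) == (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port):
                    target = (in_ip, in_port)
                    break
        if target is None:
            return None  # unsolicited inbound: no translation exists, so it is dropped
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, target[0], target[1])


def build_faq_router():
    nat = NatDevice(PUBLIC_IP)
    nat.add_static("tcp", "10.0.0.10", 80, 80)    # web server, HTTP
    nat.add_static("tcp", "10.0.0.10", 443, 443)  # web server, HTTPS
    nat.add_static("tcp", "10.0.0.11", 25, 25)    # mail server, SMTP
    return nat


def demo():
    """Run the FAQ's scenarios through the table and return the results."""
    nat = build_faq_router()
    remote, stranger = "198.51.100.7", "203.0.113.9"  # constructed outside hosts
    # Two workstations browse the same site, both from local port 40000.
    a = nat.outbound(Packet("tcp", "10.0.0.2", 40000, remote, 80))
    b = nat.outbound(Packet("tcp", "10.0.0.242", 40000, remote, 80))
    return {
        "a_public_port": a.src_port,
        "b_public_port": b.src_port,
        # the site's reply is de-multiplexed by public port back to 10.0.0.2
        "reply_to_a": nat.inbound(Packet("tcp", remote, 80, PUBLIC_IP, a.src_port)),
        # another outside host probing that port gets no entry
        "stranger_on_a": nat.inbound(Packet("tcp", stranger, 80, PUBLIC_IP, a.src_port)),
        # static PAT exposes exactly the published ports ...
        "https": nat.inbound(Packet("tcp", stranger, 51000, PUBLIC_IP, 443)),
        "smtp": nat.inbound(Packet("tcp", stranger, 51001, PUBLIC_IP, 25)),
        # ... and nothing else on the public address
        "ssh": nat.inbound(Packet("tcp", stranger, 51002, PUBLIC_IP, 22)),
        # the web server's own outbound traffic keeps its fixed public port
        "server_out": nat.outbound(Packet("tcp", "10.0.0.10", 80, stranger, 51000)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

The two workstations use the same local port and still get distinct public ports, a stranger aiming at one of those ports is dropped because the remote endpoint is part of the entry, and only TCP 80, 443 and 25 on 3.12.62.154 reach anything. A real IOS table also ages entries out; that part is covered under the timeouts entry further down.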

Static and Dynamic NAT/PAT

As mentioned, one advantage of NAT/PAT is that a single public address serves multiple local machines. Inside the NAT device (router or firewall) there is a NAT table that keeps the associations between public and private addresses, so the device knows which local machine (private address) is associated with which public address (and, for PAT, which port).

When you run an Internet- or publicly accessible server behind a NAT device, you need a constant NAT/PAT association between the public and private addresses. When the local machines are only workstations, a dynamic NAT/PAT association is preferable.

Keep in mind that with a constant (static) association, the one-to-one relationship between public and private address is fixed and never changes, even when the local machine is powered off or disconnected from the network. With a dynamic association the relationship changes, in particular when the machine is powered off or disconnected: the entry times out and the public address or port is reused by someone else. The former is called static NAT/PAT and the latter dynamic NAT/PAT.

Following is some discussion of NAT and PAT implementation on Cisco routers:
»[Config] NAT routing

Outside and Inside Network

From the local network's perspective, the Internet in the previous illustration is the outside network and the local network is the inside network. The outside network is not limited to the Internet: any network that is not part of the local network is an outside network.

Consider two organizations, A and B, each with its own local network. From A's perspective, A's network is the inside network and B's network is an outside network. Likewise, from B's perspective, B's network is the inside network and A's network is an outside network. Both A and B consider the Internet an outside network, and from the Internet's perspective both A and B are outside networks as well.

NAT and Overlap Network

As mentioned, private subnets exist to provide local connectivity. Anybody, or any organization, can use them however they like within their own local network.

Revisit the illustration of the two organizations A and B. Now A and B need to communicate with each other: some servers in A must be reachable from B and some servers in B must be reachable from A. To provide this, there is a private connection between A and B.

Each organization uses the 10.0.0.0/16 private subnet internally. Since the traffic between A and B stays internal to them over the private connection, both decide to use private addresses for it.

This creates a connectivity problem. Say a server with address 10.0.0.10 exists on both A's and B's networks, and a host 10.0.0.9 in A needs to reach the 10.0.0.10 server in B. The traffic will not go to B's 10.0.0.10 but to A's, because there is no way to distinguish the two. This situation is called an overlapping network: both networks use the same subnet.

To provide A-B communication you can use NAT. A and B agree on a subnet to serve as a bridge for the inter-communication. For this to work, the bridge subnet must be one that is not, and will not be, used locally in either A or B.

Say A and B agree on 192.168.0.0/16: 192.168.1.0/24 is assigned to A and 192.168.2.0/24 to B. Any A host that needs to talk to B hosts is NAT-ed to an address in 192.168.1.0/24, and any B host that needs to talk to A hosts is NAT-ed to an address in 192.168.2.0/24.

With this setup A's hosts appear distinct from B's perspective and vice versa, and A's hosts can correctly address B's hosts. This is called double NAT: NAT takes place on both networks to provide connectivity between them.

NAT and Internal Communication between multiple organizations

In the previous illustration NAT was used to avoid routing confusion caused by overlapping networks at two organizations; A and B chose 192.168.0.0/16 for their inter-communication.

Now say a third organization, C, also needs to communicate with A and B. Unfortunately C uses 192.168.0.0/16 internally, which overlaps with the NAT network A and B chose.

One way to keep 192.168.0.0/16 as the NAT network between the three is to "force" C to first NAT its internal 192.168.0.0/16 into a different subnet, say 10.0.0.0/16, and then NAT that 10.0.0.0/16 into 192.168.0.0/24 in order to talk to A and B.

Note that A and B each NAT only once (10.0.0.0/16 to 192.168.1.0/24 for A and to 192.168.2.0/24 for B), while C is "forced" into an internal double NAT (192.168.0.0/16 to 10.0.0.0/16 to 192.168.0.0/24).

You should be able to see that A and B's decision to use a private subnet as the NAT network was a mistake, or at least does not scale. A private subnet is something anybody or any organization can use for any purpose, so it should be used only within one organization and never as the NAT network for inter-communication between organizations.

For the NAT network it is better to use a public (Internet-routable) subnet, even though the inter-communication takes place over a private connection rather than the Internet. A public subnet is unique (assigned to a single organization), so no extra NAT is needed when more organizations join. It has to be address space the organization actually holds, though; borrowing somebody else's public range just recreates the overlap, this time against the real Internet.

Another advantage of a public NAT network: say the private connection between A, B and C fails. If the organizations use public addresses as the NAT network, any of them can fall back to the public connection (the Internet) and keep the inter-communication flowing.

The Internet and DMZ

If you notice, the double NAT implementation resembles the earlier illustration of a local network running a public web server for Internet users. Here are the perspectives.

From A's perspective, B's users are "on the Internet" (A's outside network); from B's perspective, A's users are "on the Internet" (B's outside network). Note that 192.168.0.0/16 is an outside network from both A's and B's perspectives, even though it is a private subnet.

Of course, neither A nor B are actual Internet users, because the two are connected by a private link. This is where the concept of a DMZ applies: from A's perspective B's users are in the DMZ, and from B's perspective A's users are in the DMZ.

To be precise, 192.168.0.0/16 is the DMZ network from both A's and B's perspectives, and both consider the Internet "the real" outside (public) network.

In some organizations, public servers for Internet users reside in a DMZ; in other words, there is a clear separation between the local network and the public servers. From a network security perspective this separation is more secure: a compromised public server in the DMZ has no direct path into the inside network, only whatever the firewall explicitly permits.

NAT Expected Behavior

Revisit the illustration of a local network running servers that are accessible from the outside network. The servers in effect have two addresses from two different subnets: one in the outside network and one in the inside network, the outside address being the NAT/PAT-ed version of the inside address.

From outside users' perspective the servers sit in the outside network at their outside addresses; from inside users' perspective they sit in the inside network at their inside addresses. Suppose an inside user tries to reach a server by its outside address instead. In general the connection fails: the packet goes to the NAT device, which translates the destination to the inside address and sends it back onto the inside network, but the source address is left alone, so the server replies straight to the inside user, who now sees a reply from the inside address rather than from the outside address it connected to and discards it. This is why inside users should use the inside addresses and outside users the outside addresses.

Some network devices do let inside users reach a server by its outside address; this is known as hairpin NAT or NAT loopback. Support varies by vendor and platform (RFC 4787 requires hairpinning of a NAT's UDP behaviour, but many devices either do not implement it or need it enabled explicitly, and TCP behaviour varies), so it is not something to rely on in multi-vendor deployments. The portable approach is not to depend on it at all and to use name resolution as described next.

NAT and DNS/WINS

When servers must be accessible by both outside and inside users, the proper practice is to reach them through a name resolution mechanism, DNS (and/or WINS on Microsoft networks).

DNS provides the relationship between a name and IP addresses. Users (local or outside) reach the server by name; DNS resolves the name to the server's IP address and the user's host then connects to that address.

Revisit the situation where the server has an inside address and an outside (NAT-ed) address. For users on the outside network, DNS should resolve the name to the outside address; for users on the inside network, it should resolve the name to the inside address. This is commonly called split DNS (or split-horizon DNS), and it keeps both inside and outside hosts from being confused about how to reach the server.

Note that the server name is exactly the same (verbatim) for outside and inside users. As an illustration, the server name is always www.publicserver.com whether it is accessed from the outside or the inside network. DNS, however, resolves www.publicserver.com to the outside address when the user is on the outside network and to the inside address when the user is on the inside network.

DNS and ASA/PIX Firewall NAT DNS feature

As mentioned, DNS name resolution should hand each user the proper address: outside users receive the outside address when accessing the public server, and inside users receive the inside address when accessing the same server.

In general your system administrator has to configure the DNS server (BIND, for example) to answer differently for inside and outside clients. Cisco ASA and PIX firewalls offer a convenient alternative: DNS only needs to resolve names to inside addresses, and outside users can still reach the server.

The key is the static command with the dns keyword (Cisco calls this DNS doctoring). Here is the official Cisco command reference:

ASA/PIX Firewall Static command description

With the dns keyword on the static command, the ASA or PIX rewrites the inside address in DNS replies to the corresponding outside address for the outside users who need to reach the servers. Usually both the DNS server and the public server addresses are covered by static dns commands; on a Microsoft network the WINS and/or domain controller addresses would be included as well. The DNS, WINS and/or domain controller (or just DNS on a non-Microsoft network) are then used by outside users transparently, as if they were on the inside network. Two caveats: the rewrite only happens to DNS replies that traverse the firewall and are inspected (dns inspection must be enabled for the traffic), and on ASA 8.3 and later the static command was replaced by object-based nat statements, which take the same dns keyword.

NAT/PAT Sample Implementations
»PIX 515 - Private T1, Public IP

NAT (RFC 1631)
Prerequisite reading:
»Cisco Forum FAQ »NAT and PAT; Introduction and Implementations

Network Address Translation (NAT) is an Internet standard that lets a local-area network (LAN) use one set of IP addresses for internal traffic and a second set for external traffic. A NAT box (for example a router) located where the LAN meets the Internet makes all the necessary address translations.

NAT:

- Hides internal IP addresses from the outside.

- Lets an organization use a large internal address space. Since those addresses are used internally only, there is no conflict with addresses used by other companies and organizations.

The links below provide NAT information in greater detail:

An introduction to NAT

NAT FAQ @ Cisco.com

How to configure NAT?

NAT and route maps.

NAT Implementation: Sample Configurations

1. Basic Internet Access (Outbound Traffic Only) - No Public Servers

Various Cisco Router, PIX/ASA NAT/PAT Sample Configurations

2. Basic Internet Access and Public Servers (Inbound and Outbound Traffic)

Running Servers using Cisco Router, PIX/ASA NAT/PAT Technology



If you would like to add any more links or information to this FAQ, please do not hesitate to contact the FAQ editors, whose avatars are present at the top of the Cisco FAQ forum page, or click the feedback link at the bottom right-hand corner of the page.

Minimum and Maximum NAT Timeouts
Moving the default NAT timers has benefits; for example, using a small timer will clean the table and flush translations that are not active, freeing memory in the router for other purposes. I know that sounds great, but if for some reason one of your applications needs a large timeout to finish a session, a router configured with a small timer will flush it and new sessions will need to be established. CPU utilization will be lower in general, but there will be an increase in CPU processing (occurring in peaks) when the table gets flushed and new sessions are established. After that it drops back to its low level, hence my use of the word peaks.

These timeouts count individually for each NAT session, and after a session has been inactive for the specified time the router flushes it; if the session is active (some traffic is passing through it) the router won't start the timer. For connections like FTP and telnet the TCP session is established and traffic starts passing through; if the router sees a TCP FIN packet it flushes the NAT connection, and if not, it waits for the timeout. For SMTP and HTTP the session is established, but the application won't send traffic unless you click a link or download an email, so the session is flushed by the router as soon as the timeout is reached. So the lifetime of a session depends more on the application than on the NAT timeout.

There are some applications like SQL, Citrix and other databases and thin clients that are really sensitive, and if the session is flushed before a process has finished, the application will need to restart the process. Others like MSN, HTTP and normal applications are not so sensitive, and if the NAT session is flushed a new one is established and the user notices nothing.

At the other extreme we have maximal timeouts, which bring a whole range of problems. A large, really large, NAT timeout will impact the router's memory and in most cases result in latency; in extreme scenarios the router can crash for lack of memory. This is because all sessions that for any reason were not finished by a TCP FIN packet will stay in the router forever and ever and consume memory and CPU. Maybe one day the timer would be reached, but maybe not, and the router crashes first.

So playing with NAT timeouts is not condoned unless undertaken or supervised by someone experienced with NAT and its impact on the various protocols. Cisco's default timeouts are adequate for most needs and do not need adjusting for any reason. Only in extreme circumstances should the timeouts be evaluated, with a test run against the protocols and sessions involved to determine the effect on the application(s) in question and the impact on router resources.


Derived from this thread:

»[HELP] Minimal NAT TCP/UDP timeouts?
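An added example (not part of the thread above) that models the timer behaviour just described in Python: each entry has its own idle timer, any traffic on the entry restarts it, a FIN moves it onto the short finrst timer, and demo() replays a constructed day of traffic with a chatty SQL session, an idle HTTP session, a telnet logout and a UDP DNS lookup. The defaults are the Cisco IOS defaults for ip nat translation tcp-timeout (86400 s), udp-timeout (300 s) and finrst-timeout (60 s); the session names and the timeline are made up.

```python
"""NAT session idle timers (added example, not the thread's own code).

Every translation entry keeps its own idle timer.  Traffic through the entry
restarts it, a TCP FIN/RST moves the entry onto the short finrst timer, and
expire() flushes whatever has been idle longer than its timer.  Defaults are
the Cisco IOS ones (ip nat translation tcp-timeout 86400, udp-timeout 300,
finrst-timeout 60); the session names and the timeline are constructed.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    proto: str
    last_seen: int           # time of the last packet seen on this entry
    closing: bool = False    # a FIN/RST was seen: use the finrst timer


class NatSessionTable:
    def __init__(self, tcp_timeout=86400, udp_timeout=300, finrst_timeout=60):
        self.timeouts = {"tcp": tcp_timeout, "udp": udp_timeout}
        self.finrst_timeout = finrst_timeout
        self.entries = {}

    def observe(self, key, proto, now, fin=False):
        """A packet belonging to `key` crossed the router at time `now`."""
        entry = self.entries.setdefault(key, Entry(proto, now))
        entry.last_seen = now               # any traffic restarts the idle timer
        entry.closing = entry.closing or fin

    def expire(self, now):
        """Flush entries idle longer than their timer; returns the flushed keys."""
        gone = []
        for key, e in list(self.entries.items()):
            limit = self.finrst_timeout if e.closing else self.timeouts[e.proto]
            if now - e.last_seen > limit:
                gone.append(key)
                del self.entries[key]
        return gone

    def active(self):
        return set(self.entries)


def demo(tcp_timeout=86400):
    """Replay a constructed day of traffic; return the live entries at chosen times."""
    table = NatSessionTable(tcp_timeout=tcp_timeout)
    for key, proto in (("telnet", "tcp"), ("http", "tcp"), ("sql", "tcp"), ("dns", "udp")):
        table.observe(key, proto, 0)        # all four sessions open at t=0
    snapshots = {}
    for clock in range(60, 86461, 60):
        table.observe("sql", "tcp", clock)  # the SQL client sends a keepalive every minute
        if clock == 120:
            table.observe("telnet", "tcp", clock, fin=True)  # telnet user logs out
        table.expire(clock)
        if clock in (120, 240, 360, 86460):
            snapshots[clock] = table.active()
    return snapshots


if __name__ == "__main__":
    for when, live in demo().items():
        print(f"t={when:>6}s  live: {sorted(live)}")
```

With the defaults the telnet entry is gone within a minute of its FIN, the DNS entry after five idle minutes, the idle HTTP entry only after a full day, and the keepalive-driven SQL entry never. Run demo(tcp_timeout=120) and the idle HTTP entry is flushed at the second snapshot while SQL still survives, which is the application-dependent behaviour the post describes; push the timers the other way and expire() simply stops returning anything, i.e. the table only grows.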

Generic NAT configuration
This configuration was worked up on a Cisco 831 with 12.2(13)ZH2 software but should work on any Cisco router with a modern version of IOS; just adjust the interfaces accordingly. Before putting it on a router with Ethernet1 facing the Internet, note that it leaves the IOS HTTP server enabled and password encryption off, and that the vty lines have login configured but no password (IOS refuses remote logins in that state); set passwords, restrict or disable HTTP management, and consider an inbound ACL on Ethernet1.

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
logging queue-limit 100
!
ip subnet-zero
ip dhcp excluded-address 192.168.4.1 192.168.4.10
!
ip dhcp pool LOCALPOOL
import all
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description Inside private interface
ip address 192.168.4.1 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface Ethernet1
description Outside public interface
ip address dhcp
ip nat outside
duplex auto
!
! PAT (NAT overload): every inside source matched by ACL 1 is translated to
! the address of Ethernet1, so all LAN hosts share the one ISP-assigned address
ip nat inside source list 1 interface Ethernet1 overload
ip classless
! The router's own HTTP management server is left enabled here; disable it
! (no ip http server) or restrict it with an ACL before exposing Ethernet1
ip http server
no ip http secure-server
!
! Inside hosts eligible for translation
access-list 1 permit 192.168.4.0 0.0.0.255
!
line con 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
scheduler max-task-time 5000
!
end

How do I NAT a TCP/UDP port range without entering a separate NAT for each port?
The general answer to this question is that it can't be done.

However, it is possible using a technique that was actually designed for a different purpose: an IP NAT pool. With a NAT pool you can specify an ACL (in this case one matching the port range) together with a "pool" consisting of a single address, using the rotary method.

In the example below, 192.168.1.10 is the internal address to which the range of TCP ports is to be forwarded:


If you wish to forward a UDP port range instead, replace the tcp keyword in ACL 100 with udp.


ACLs and wildcard mask syntax
Suggested prerequisite reading
»Cisco Forum FAQ »The Wildcard (Inverse) Subnet Mask

Using Masks

Masks are used with IP addresses in IP ACLs to specify what is permitted and what is denied. Masks used to configure addresses on interfaces start with 255 and have the large values on the left (for example, address 209.165.202.129 with mask 255.255.255.224). Masks for IP ACLs are the reverse (for example, 0.0.0.255) and are called inverse masks or wildcard masks. When the mask is written out in binary (0s and 1s), its bits determine which address bits are considered when processing traffic: a 0 means the corresponding address bit must match exactly, a 1 means "don't care". The following table illustrates this.

Mask Example

  network address (traffic to be processed):  10.1.1.0
  mask:                                       0.0.0.255
  network address (binary):                   00001010.00000001.00000001.00000000
  mask (binary):                              00000000.00000000.00000000.11111111

Based on the binary mask, the first three sets (octets) must match the given binary network address exactly (00001010.00000001.00000001), while the last octet is all "don't care" (.11111111). Therefore all traffic beginning with 10.1.1. matches, since the last octet is not examined: with this mask, addresses 10.1.1.0 through 10.1.1.255 (10.1.1.x) are processed.

The ACL inverse mask can also be determined by subtracting the normal mask from 255.255.255.255. In the following example, the inverse mask is determined for network address 172.16.1.0 with a normal mask of 255.255.255.0.

255.255.255.255 - 255.255.255.0 (normal mask) = 0.0.0.255 (inverse mask)
Note the following ACL equivalents.

The source/source-wildcard of 0.0.0.0/255.255.255.255 means "any".

The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host 10.1.1.2".

Summarizing ACLs

Note: Subnet masks can also be written in prefix-length (CIDR) notation. For example, 192.168.10.0/24 represents 192.168.10.0 255.255.255.0.

The following describes how to summarize a range of networks into a single network for ACL optimization. Consider the following networks.

192.168.32.0/24
192.168.33.0/24
192.168.34.0/24
192.168.35.0/24
192.168.36.0/24
192.168.37.0/24
192.168.38.0/24
192.168.39.0/24

The first two octets and the last octet are the same for each network. The following is an explanation of how to summarize these into a single network.

The third octet for the above networks can be written as follows, according to the octet bit position and address value for each bit.

Decimal   128  64  32  16   8   4   2   1
     32     0   0   1   0   0   0   0   0
     33     0   0   1   0   0   0   0   1
     34     0   0   1   0   0   0   1   0
     35     0   0   1   0   0   0   1   1
     36     0   0   1   0   0   1   0   0
     37     0   0   1   0   0   1   0   1
     38     0   0   1   0   0   1   1   0
     39     0   0   1   0   0   1   1   1
            M   M   M   M   M   D   D   D

(M = bit must match, D = don't care)

Since the first five bits match and all eight combinations of the three low-order bits are present, the eight networks can be summarized into exactly one network, 192.168.32.0/21 (192.168.32.0 255.255.248.0), with nothing extra included. Subtracting 255.255.248.0 (normal mask) from 255.255.255.255 yields the wildcard 0.0.7.255. The following standard ACL entry permits this network (a standard numbered ACL takes no protocol keyword; in an extended ACL the same address/wildcard pair would be followed by a destination, for example any):

access-list 10 permit 192.168.32.0 0.0.7.255

For further explanation, consider the following set of networks.

192.168.146.0/24
192.168.147.0/24
192.168.148.0/24
192.168.149.0/24

The first two octets and the last octet are the same for each network. The following is an explanation of how to summarize these.

The third octet for the above networks can be written as follows, according to the octet bit position and address value for each bit.

Decimal   128  64  32  16   8   4   2   1
    146     1   0   0   1   0   0   1   0
    147     1   0   0   1   0   0   1   1
    148     1   0   0   1   0   1   0   0
    149     1   0   0   1   0   1   0   1
            M   M   M   M   M   ?   ?   ?

(M = bit must match, ? = bits differ but do not cover every combination, so no single summary is exact)

Unlike the previous example, these networks cannot be summarized into a single network without over-matching: the enclosing /21 (192.168.144.0 with wildcard 0.0.7.255) would also permit 192.168.144.x, 145.x, 150.x and 151.x. A minimum of two entries is needed, as shown below.

For networks 192.168.146.x and 192.168.147.x, all bits match except for the last one, which is a "don't care". This can be written as 192.168.146.0/23 (or 192.168.146.0 255.255.254.0).

For networks 192.168.148.x and 192.168.149.x, all bits match except for the last one, which is a "don't care". This can be written as 192.168.148.0/23 (or 192.168.148.0 255.255.254.0).
The following defines a summarized standard ACL for the above networks.

access-list 10 permit 192.168.146.0 0.0.1.255
access-list 10 permit 192.168.148.0 0.0.1.255
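The following is an added example, not code from the original FAQ or from Cisco. It generalizes the wildcard-mask section and the two summarization walk-throughs above: given any list of networks it computes the wildcard mask the way the text describes (255.255.255.255 minus the subnet mask), collapses the list into the fewest exact covering prefixes, emits them as standard numbered ACL entries, and, for the 146-149 case, shows what a too-wide single summary would leak. It uses only Python's standard ipaddress module; the ACL number 10 and the standard-ACL syntax (no protocol keyword, host shorthand for /32) are the assumptions.

```python
"""Wildcard masks and ACL summarisation (added example, not from the page).

Generalises the worked cases above: given any list of networks it derives
the minimal set of covering prefixes, prints them as standard numbered ACL
entries, and checks whether a hand-picked summary would permit more than
intended. Standard library only.
"""
import ipaddress


def wildcard_mask(network: str) -> str:
    """Inverse (wildcard) mask of a network given in prefix or dotted-mask form."""
    net = ipaddress.ip_network(network, strict=False)
    # hostmask is the bitwise complement of the subnet mask, which is the
    # 255.255.255.255 - netmask subtraction described in the text.
    return str(net.hostmask)


def wildcard_from_netmask(netmask: str) -> str:
    """The subtraction exactly as the text states it: 255.255.255.255 - mask."""
    full = int(ipaddress.IPv4Address("255.255.255.255"))
    return str(ipaddress.IPv4Address(full - int(ipaddress.IPv4Address(netmask))))


def summarize(networks):
    """Fewest prefixes that cover exactly the given networks (no over-match)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def acl_entries(acl_number: int, networks, action: str = "permit"):
    """Standard numbered ACL (1-99) lines for the summarised networks.

    A standard ACL has no protocol keyword; a /32 uses the 'host' shorthand,
    which is equivalent to a 0.0.0.0 wildcard.
    """
    lines = []
    for cidr in summarize(networks):
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_number} {action} host {net.network_address}")
        else:
            lines.append(
                f"access-list {acl_number} {action} {net.network_address} {net.hostmask}"
            )
    return lines


def overpermitted(summary_cidr: str, intended):
    """Address space a summary entry matches beyond the intended networks.

    Returns the leaked ranges as CIDR strings; an empty list means the summary
    is exact. Run this before accepting a mask wider than summarize() gives.
    """
    leftovers = [ipaddress.ip_network(summary_cidr, strict=False)]
    for wanted in (ipaddress.ip_network(n, strict=False) for n in intended):
        remaining = []
        for piece in leftovers:
            if piece.subnet_of(wanted):
                continue                        # fully intended, nothing leaks
            if wanted.subnet_of(piece):
                remaining.extend(piece.address_exclude(wanted))
            else:
                remaining.append(piece)         # disjoint from this network
        leftovers = remaining
    return [str(n) for n in sorted(ipaddress.collapse_addresses(leftovers))]


if __name__ == "__main__":
    eight = [f"192.168.{i}.0/24" for i in range(32, 40)]
    four = [f"192.168.{i}.0/24" for i in range(146, 150)]
    print("\n".join(acl_entries(10, eight)))   # one entry, wildcard 0.0.7.255
    print("\n".join(acl_entries(10, four)))    # two entries, wildcard 0.0.1.255
    # A single /21 for the second set looks tidy but leaks four extra /24s:
    print(overpermitted("192.168.144.0/21", four))
```

collapse_addresses only merges neighbours that form an aligned supernet, so the result never permits an address that was not in the input; overpermitted() is the check to run when someone proposes a "simpler" single entry by hand.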

Most books say this can't be done....well that shows you shouldn't believe everything you read :)

Option 1: IOS image supports ACL line number

If the IOS image running on the router supports ACL sequence numbers, use the following procedure.

First, run show access-list at the exec prompt.

Note the sequence numbers in the access list in question, e.g.:

Then enter config mode and insert the line you want to add, prefixing it with a sequence number that positions it where you want in the list (substitute standard for extended in the example below if you are working with a standard ACL):


If you repeat show access-list you should find the new deny entry just where you want it ;)


Below is a full example with a named extended ACL


The suggested next step is to renumber the access list starting at 10 in steps of 10, using the following command:


This method has been tested with both IOS 12.3 and 12.4 and works with standard, extended, numbered and named ACLs.

Note that on older IOS images you may have to issue the service linenumber command to activate ACL line numbering. On newer images it is on by default, so there is no need to issue it.
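As an added example (not from the FAQ), the script below automates the part of Option 1 that people get wrong by hand: picking a sequence number that actually lands between the two neighbouring entries. It parses a constructed sample of show access-list output, chooses the midpoint between the neighbours, and, when the neighbours leave no gap (for example 10 and 11), emits the resequence command first and recomputes the numbers. The IOS commands it prints (ip access-list extended NAME, "<seq> <rule>", ip access-list resequence NAME 10 10) are the real 12.3+ syntax; the ACL contents, the rule being inserted and the helper names are assumptions.

```python
"""Plan an in-place ACL insert using IOS sequence numbers (added example).

Parses 'show access-list' output, picks a free sequence number in front of
the entry the new rule must precede, and emits the IOS commands. If the
neighbouring numbers leave no gap (e.g. 10 and 11) it resequences first.
"""
import re

# Constructed sample of 'show access-list' output; not taken from the page.
SAMPLE_SHOW = """\
Extended IP access list 100
    10 permit udp any eq domain any
    20 permit tcp any any established
    30 deny ip any any
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)")
ENTRY_RE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.*)$")


def parse_acl(show_output: str):
    """Return (kind, name, [(seq, rule), ...]) from 'show access-list' text."""
    kind = name = None
    entries = []
    for line in show_output.splitlines():
        h = HEADER_RE.match(line)
        if h:
            kind, name = h.group(1).lower(), h.group(2)
            continue
        e = ENTRY_RE.match(line)
        if e:
            entries.append((int(e.group(1)), f"{e.group(2)} {e.group(3).strip()}"))
    return kind, name, entries


def plan_insert(show_output: str, new_rule: str, before_seq: int, step: int = 10):
    """IOS commands that place new_rule immediately before entry before_seq.

    A resequence is prepended only when the neighbouring sequence numbers
    leave no room for a new one; the new number is then recomputed against
    the renumbered list (entry i gets (i + 1) * step).
    """
    kind, name, entries = parse_acl(show_output)
    seqs = [s for s, _ in entries]
    if before_seq not in seqs:
        raise ValueError(f"sequence {before_seq} not present in ACL {name}")
    idx = seqs.index(before_seq)
    prev_seq = seqs[idx - 1] if idx else 0      # 0 = "top of the list"
    cmds = []
    if before_seq - prev_seq < 2:
        cmds.append(f"ip access-list resequence {name} {step} {step}")
        prev_seq = idx * step
        before_seq = (idx + 1) * step
    new_seq = (prev_seq + before_seq) // 2
    cmds += [
        "configure terminal",
        f"ip access-list {kind} {name}",
        f"{new_seq} {new_rule}",
        "end",
    ]
    return cmds


if __name__ == "__main__":
    # Put a web permit in front of the 'established' entry (seq 20): lands at 15.
    print("\n".join(plan_insert(SAMPLE_SHOW, "permit tcp any any eq 80", 20)))
```

Because the insert is a single configuration line, the ACL stays applied and the implicit deny never has a chance to drop traffic, which is the whole advantage of Option 1 over the remove-and-recreate procedure in Option 2.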

Option 2: IOS image does not support ACL line number

When the router's IOS image does not support ACL sequence numbers, use the following procedure.

1. Copy the ACL into a text editor (e.g. Notepad).
2. In the text editor, insert the new ACL line.
3. Verify that your work is correct and will not cause a production outage.
4. On the router, temporarily remove the ACL from the interface (or wherever it is applied).
5. Delete the ACL from the router.
6. Copy the updated ACL from the text editor into the router.
7. Verify that the router now has the updated ACL.
8. Once the router has the updated ACL, reapply it where it was applied before.

Illustration

You have the following on your router


You need to have the ACL 100 to look like the following


Following the above steps, here is what you should do

1. Copy the existing ACL 100 to your text editor

Tips:
Assume Notepad is the text editor. In the router's terminal output, highlight the access list, copy it, and paste it into Notepad.

2. On the text editor, insert the ACL line (the "access-list 100 permit tcp any any eq 80")

access-list 100 permit tcp any any eq 80
access-list 100 permit udp any eq 53 any
access-list 100 permit tcp any any established
access-list 100 deny ip any any

3. Verify that the updated ACL 100 in the text editor is correct and will not cause a production outage.

4. On the router, temporarily remove the ACL from the interface.


5. Delete the ACL from the router


6. Copy the updated ACL from the text editor into the router.

Tips:
Assume you use Notepad as the text editor. In Notepad you should have the following


Have the router at the privileged exec prompt, like the following (the pasted text itself begins with conf t, which enters global configuration mode):

Router#

Highlight all of the command lines in Notepad (from "conf t" to "end"), copy them, and paste them into the router session.

7. Verify that the router now has the updated ACL.


8. Once the router has the updated ACL, reapply it to the interface as before


Important Note:

The illustration assumes that the ACL 100 is only applied to a single interface. When the same ACL is applied to multiple interfaces, you need to unapply and reapply the ACL on all interfaces.

When the ACL is applied to an interface or to a terminal line (e.g. line vty), the above procedure can be carried out during production hours, with one caveat: between steps 4 and 8 nothing is applied, so that interface or line is unfiltered, and the window should be kept as short as possible. The unapply step is still necessary: if you delete and re-enter the ACL while it is still applied, IOS permits all traffic while the list does not exist and then, from the first re-entered line onward, the partially rebuilt list with its implicit deny drops everything not yet matched. When the ACL is referenced by NAT or by a routing process, there will be some downtime. If downtime is unavoidable, make sure the change is done after hours.

Don't forget that you can lock yourself out of a router by making a mistake when working with ACLs. Worse, your ACL work could take production down. If you are working remotely and it is acceptable to reload the router afterward, it is particularly important to issue reload in x first, where x is the number of minutes before the router reloads itself. Then, if you lock yourself out, you know the router will come back with its saved configuration within x minutes. When you are happy that the changes are correct, write the new configuration and cancel the reload with reload cancel. Newer images with the configuration archive feature enabled offer the same safety net without a reboot: configure terminal revert timer x rolls the configuration back unless you issue configure confirm in time.

When it is not possible to reload and you are working remotely, you should have out-of-band access as an alternate path. Out-of-band access is a dedicated line that goes directly to the router's console port. Much out-of-band access is set up using an analog dial-up modem on a POTS line, although many organizations also use Frame Relay, DSL, or a cable modem for faster access.


If you want to set up your router to accept VPN connections from the standard Microsoft VPN client built into all current Windows operating systems, see this FAQ under PPTP and/or MPPE. Bear in mind that PPTP with MPPE depends on MS-CHAPv2 and RC4, both of which have known weaknesses, so prefer an IPsec-based remote access VPN where the client supports it.

»Cisco Forum FAQ »Configure router as both Internet router and VPN Concentrator
»Cisco Forum FAQ »Remote User VPN Connection To Office Network


8th year online! © 1999-2008 dslreports.com.