stevepedwards.com/DebianAdmin linux mint IT admin tips info

Cisco Setup – NAT Connections (LAN to WAN), ACLs, DNS and DHCP Server

Home routers use Network Address Translation (NAT) to stretch the finite IPv4 address space on the Internet: devices on a private, LAN-only address range reach the web by sharing the router's external WAN IP address and its ports. A side effect is a basic firewall, because a WAN host cannot reach an internal IP unless an internal device has first opened the conversation outwards. The ACL section of the conf file, with its "established" keyword, is where this becomes concrete.

The unit does this by tracking each LAN device's outbound request by its internal IP and source port (the socket) and rewriting that pair to the public WAN IP and a port the router chooses, keeping the mapping in a translation table so that replies can be sent back to the right host. This shields the LAN to a large degree from unsolicited requests arriving from the Internet, but it does nothing to restrict traffic leaving the LAN. NAT is therefore used together with an Access Control List (ACL) to further restrict individual users or LAN devices to selected sites and services as required.

This translation will be seen later once set up.

Two transport protocols have to be carried for today's web pages to load fully: TCP, for the HTTP/HTTPS page fetches themselves, and UDP, for the DNS lookups that precede them. Both must be allowed through the unit from the LAN side outwards and, for the replies, from the WAN side back in, whenever a LAN device requests a page.

ACLs are ordered lists of permit/deny entries that match IP packet types such as UDP, TCP and ICMP by address, port and, for TCP, flags; the unit passes or drops each packet according to the first entry it matches, in whichever direction the list is applied across the "centre" of the unit. The unit can also originate packets from its centre, for example a ping sent from the command line towards the WAN or LAN side.

The combination of these elements in a router/switch/firewall lets IP traffic cross the unit in a controlled and, hopefully, secure manner while still meeting the full service requirements of the LAN.

The 877 was left in the last post with LAN devices able to ping the hub's Vlan1 interface, and IPCP and the other requested protocols negotiating on the WAN interface: enough to hold an ISP-allocated external IP address, but no other functionality.

The DHCP server section to be added. It hands LAN devices addresses from a pool named CLIENTS, with 192.168.1.1 to 192.168.1.20 excluded, so clients get .21 and above. Inside the pool the resolver handed to clients is set with dns-server; ip name-server is the global command for the router's own lookups (the running conf later shows both), and import all copies options learned on the WAN side (such as the ISP's DNS servers) into the pool:

cisco877# conf t

ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.20

ip dhcp pool CLIENTS
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.100
dns-server 8.8.8.8

ip domain name workgroup
ip name-server 8.8.8.8

These two ACLs are about as simple as web page access gets: a non-restrictive ACL for the LAN hosts called LAN2WEB, and a WAN-side ACL called BLOCKWAN whose key entry uses the keyword "established", which matches only TCP segments with the ACK or RST flag set, i.e. replies to connections a LAN device started rather than new SYNs arriving from outside. Note that "established" is a flag check, not connection tracking: the router does not remember the outbound SYN, so a crafted inbound segment with ACK set passes the ACL, and it is the lack of a matching NAT translation, not the ACL, that keeps it off the LAN (the router itself still sees it). UDP carries no such flags, so it cannot be matched by "established" at all. As written below, "permit udp any any" lets every inbound UDP packet through the ACL, which also makes the NTP entry after it dead (the "any any" entry has already matched) and leaves the router's own UDP listeners, such as SNMP on port 161, reachable from the WAN; LAN hosts are still covered because NAT drops inbound UDP that matches no translation. This is what makes UDP the more dangerous and awkward protocol to protect against:

cisco877#conf t

ip access-list extended BLOCKWAN
permit tcp any any established
permit udp any any
permit udp host 91.189.89.198 eq ntp any
deny ip any any
ip access-list extended LAN2WEB
permit ip any any
permit udp any any
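To make the first-match and "established" behaviour concrete, here is an added example in Python (not code from this post or from Cisco): a small evaluator for the ACL syntax used above, run over BLOCKWAN exactly as posted and over an assumed tighter variant. The WAN address 203.0.113.5, the sample packets and the tighter ACL are constructed for the demonstration; the two resolver addresses in the tighter list are the ones that appear in the running conf later on this page.

```python
"""Added example, not code from the original post: a first-match evaluator for
the subset of IOS extended-ACL syntax that BLOCKWAN and LAN2WEB use.
It shows that 'established' is a flag test with no connection state, that the
'permit udp any any' entry in BLOCKWAN shadows the NTP entry after it and passes
every inbound UDP packet, and how an assumed tighter WAN ACL behaves. The WAN
address, the tighter ACL and every packet here are constructed."""
from collections import namedtuple

PORT_NAMES = {"ntp": 123, "domain": 53, "snmp": 161, "www": 80}

# proto is "tcp"/"udp"/"icmp"; flags holds TCP flag letters (S=SYN, A=ACK, R=RST)
Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=[""])


def _parse_endpoint(tokens):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq <port|name>'."""
    if tokens[0] == "any":
        addr, tokens = None, tokens[1:]
    elif tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    else:
        raise ValueError("only 'any' and 'host X' endpoints are supported")
    port = None
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        tokens = tokens[2:]
    return addr, port, tokens


def parse_acl(text):
    """One entry per line -> (action, proto, src, sport, dst, dport, established)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, sport, rest = _parse_endpoint(tok[2:])
        dst, dport, rest = _parse_endpoint(rest)
        rules.append((tok[0], tok[1], src, sport, dst, dport, rest == ["established"]))
    return rules


def _matches(rule, pkt):
    _, proto, src, sport, dst, dport, established = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if (src and src != pkt.src) or (dst and dst != pkt.dst):
        return False
    if (sport and sport != pkt.sport) or (dport and dport != pkt.dport):
        return False
    if established:
        # IOS keeps no state here: 'established' is just "TCP with ACK or RST set"
        return pkt.proto == "tcp" and ("A" in pkt.flags or "R" in pkt.flags)
    return True


def evaluate(rules, pkt):
    """First match wins: (action, entry index), or ('deny', None) for the implicit deny."""
    for i, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule[0], i
    return "deny", None


def shadowed_entries(rules):
    """Indexes of entries that an earlier, broader entry always matches first."""
    def covers(a, b):
        _, pa, sa, spa, da, dpa, ea = a
        _, pb, sb, spb, db, dpb, eb = b
        return (pa in ("ip", pb) and sa in (None, sb) and da in (None, db)
                and spa in (None, spb) and dpa in (None, dpb) and (not ea or eb))
    return [j for j in range(len(rules)) if any(covers(rules[i], rules[j]) for i in range(j))]


WAN_IP = "203.0.113.5"    # assumed Dialer1 address (documentation range)

BLOCKWAN_AS_POSTED = """
permit tcp any any established
permit udp any any
permit udp host 91.189.89.198 eq ntp any
deny ip any any
"""

# Assumed tighter variant: only the NTP source and the two resolvers named in the
# running config may send UDP back in; every other inbound UDP packet is denied.
BLOCKWAN_TIGHTER = """
permit tcp any any established
permit udp host 91.189.89.198 eq ntp any
permit udp host 8.8.8.8 eq domain any
permit udp host 212.159.13.49 eq domain any
deny ip any any
"""

PACKETS = {   # constructed inbound packets arriving on Dialer1
    "unsolicited SYN to WAN:80": Packet("tcp", "198.51.100.9", 40000, WAN_IP, 80, "S"),
    "crafted ACK to WAN:80":     Packet("tcp", "198.51.100.9", 40000, WAN_IP, 80, "A"),
    "SNMP probe to WAN:161":     Packet("udp", "198.51.100.9", 40001, WAN_IP, 161),
    "NTP reply from pool host":  Packet("udp", "91.189.89.198", 123, WAN_IP, 123),
    "DNS reply from 8.8.8.8":    Packet("udp", "8.8.8.8", 53, WAN_IP, 61234),
}


def verdicts(acl_text):
    """Map each sample packet to its (action, entry index) under the given ACL."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}
```

Running verdicts(BLOCKWAN_AS_POSTED) shows the SNMP probe permitted by entry 1 and shadowed_entries reporting entry 2 (the NTP line) as dead; with BLOCKWAN_TIGHTER the probe falls through to the final deny and only replies from the named NTP and DNS sources get in. The crafted ACK segment passes both lists, which is the price of a stateless "established" check; on the unit it is the absence of a translation that keeps it off the LAN. The tighter list will also break any other UDP use from the LAN (VoIP, games and so on), so where the IOS image supports stateful inspection (CBAC, ip inspect) that is the usual answer rather than an ever-longer static list.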

The problem with understanding Cisco confs is that many functions and hardware parts are inter-related, so single commands are rarely understood in isolation; they may need other, seemingly unrelated, areas to be working too, an ACL together with the NAT entries for example. This is why even a simple config can be missing just one key line and the device then does not work as intended at all, and why it is hard to build up a working conf in strict sections with each one enabled and fully working. The overload line below is the key command: it translates LAN addresses and ports to the Dialer1 interface address as they leave. The ACL it names, LAN2WEB, selects which inside sources get translated (here, everything). That is a separate job from applying LAN2WEB as an access-group on Vlan1, which filters traffic entering the unit and is not needed for NAT to happen, though it is harmless because the list permits everything (its second entry, permit udp any any, is already covered by permit ip any any, and the running conf later carries only the first). The ip nat pool line is not referenced by any ip nat inside source statement, so it has no effect here; it appears only because it is in the running conf:

ip nat pool CLIENTS 192.168.1.20 192.168.1.25 netmask 255.255.255.0
ip nat inside source list LAN2WEB interface Dialer1 overload

Some extra settings are needed on Vlan1 for its traffic to be translated over Dialer1:

cisco877#conf t
cisco877(config)#interface Vlan1

cisco877(config-if)#ip access-group LAN2WEB in
cisco877(config-if)#ip nat inside
cisco877(config-if)#ip nat enable

And on Dialer1, the NAT outside side:

cisco877(config-if)#interface Dialer1
cisco877(config-if)#ip access-group BLOCKWAN in
cisco877(config-if)#ip nat outside
cisco877(config-if)# ip nat enable

Above you see the concept of INSIDE and OUTSIDE interfaces: ip nat inside on Vlan1 and ip nat outside on Dialer1 are what allow the overload statement to translate between the two. The ip nat enable lines belong to the NAT Virtual Interface style of configuration and are not needed for the inside/outside style used here; they are harmless in this conf.
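As an added illustration (not code from this post or from IOS) of what the overload statement and the inside/outside markings do, here is a Python model of PAT: inside sources are rewritten to one outside address with a port chosen by the router, the mapping is kept in a translation table, and inbound packets are either mapped back through that table or dropped. The Dialer1 address 203.0.113.5 and all the other addresses and ports are constructed; real IOS entries are keyed on the full 5-tuple and time out, which this model leaves out.

```python
"""Added example, not code from the original post: a small model of what
'ip nat inside source list LAN2WEB interface Dialer1 overload' does.
Packets from the inside (Vlan1) get their source rewritten to the single Dialer1
address plus a port the router picks, the mapping is stored in a translation
table, and inbound packets are either mapped back through it or dropped. The
Dialer1 address and all packets are constructed; IOS keys real entries on the
full 5-tuple and ages them out, which this model omits."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class PatRouter:
    outside_ip: str                      # the Dialer1 (inside global) address
    inside_prefix: str = "192.168.1."    # stand-in for the LAN2WEB match on inside sources
    table: dict = field(default_factory=dict)   # (proto, inside-global port) -> inside Flow

    def _pick_port(self, proto, wanted):
        # PAT keeps the original source port when it is free and moves it on a collision
        port = wanted
        while (proto, port) in self.table:
            port = port + 1 if port < 65535 else 1024
        return port

    def outbound(self, flow):
        """Inside -> outside: rewrite the source to outside_ip:global_port and record it."""
        if not flow.src.startswith(self.inside_prefix):
            raise ValueError(f"{flow.src} is not an inside address")
        for (proto, gport), inside in self.table.items():
            if inside == flow:                         # already translated: reuse it
                return Flow(flow.proto, self.outside_ip, gport, flow.dst, flow.dport)
        gport = self._pick_port(flow.proto, flow.sport)
        self.table[(flow.proto, gport)] = flow
        return Flow(flow.proto, self.outside_ip, gport, flow.dst, flow.dport)

    def inbound(self, flow):
        """Outside -> inside: undo a recorded translation. Returns None (drop) when there
        is no entry or the packet is not from the peer the inside host was talking to."""
        inside = self.table.get((flow.proto, flow.dport))
        if inside is None or flow.dst != self.outside_ip:
            return None
        if (flow.src, flow.sport) != (inside.dst, inside.dport):
            return None
        return Flow(flow.proto, flow.src, flow.sport, inside.src, inside.sport)

    def show_translations(self):
        """Rows shaped like 'show ip nat translations' (column widths approximated)."""
        rows = ["Pro Inside global        Inside local          Outside local         Outside global"]
        for (proto, gport), f in sorted(self.table.items()):
            rows.append(f"{proto:3} {self.outside_ip}:{gport:<8} {f.src}:{f.sport:<8} "
                        f"{f.dst}:{f.dport:<8} {f.dst}:{f.dport}")
        return rows


def demo():
    """Walk three LAN flows out through the router and a few packets back in."""
    r = PatRouter(outside_ip="203.0.113.5")   # assumed Dialer1 address (documentation range)
    # two LAN hosts happen to pick the same source port for a DNS lookup
    a = r.outbound(Flow("udp", "192.168.1.21", 50000, "8.8.8.8", 53))
    b = r.outbound(Flow("udp", "192.168.1.22", 50000, "8.8.8.8", 53))
    web = r.outbound(Flow("tcp", "192.168.1.21", 50000, "198.51.100.80", 80))
    # replies arrive at the Dialer1 address and are steered back to the right host
    reply_a = r.inbound(Flow("udp", "8.8.8.8", 53, r.outside_ip, a.sport))
    reply_b = r.inbound(Flow("udp", "8.8.8.8", 53, r.outside_ip, b.sport))
    # an unsolicited probe and a reply from the wrong peer both miss the table
    probe = r.inbound(Flow("tcp", "198.51.100.9", 40000, r.outside_ip, 23))
    wrong_peer = r.inbound(Flow("udp", "198.51.100.9", 53, r.outside_ip, a.sport))
    return r, a, b, web, reply_a, reply_b, probe, wrong_peer


if __name__ == "__main__":
    router, *results = demo()
    print("\n".join(router.show_translations()))
    print(results)
```

In demo() the second host's DNS lookup collides on UDP port 50000 and is moved to 50001, while the TCP flow keeps 50000 because ports are tracked per protocol; the two DNS replies are steered to .21 and .22 by the port they arrive on, and both the unsolicited telnet probe and the reply from a peer the LAN host never spoke to come back as None, which is the drop the text describes. Every row show_translations() returns is one entry of the kind the real show ip nat translations output lists.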

Is this enough to get a DHCP address allocated to a LAN device, NAT-translated web access, and a firewall on the WAN sufficient to pass GRC's ShieldsUP at grc.com, or is something missing? Note the Google and Plusnet name server IPs.

The running conf at this point, including the commands added above, is:

cisco877#sh run

Current configuration : 2619 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco877
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$e/g3$ceiyt
enable password 7 0314540
!
no aaa new-model
ip cef
!
!
ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool CLIENTS
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.100
dns-server 8.8.8.8
!
!
ip domain name workgroup
ip name-server 8.8.8.8
ip name-server 212.159.13.49
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly
logging event atm pvc state
logging event atm pvc autoppp
no atm ilmi-keepalive
dsl operating-mode auto adsl2 adsl2+
dsl enable-training-log
!
interface ATM0.1 point-to-point
ip address dhcp
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
atm pppatm link reset
pvc 0/38
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
ip addr inarp
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.1.100 255.255.255.0
ip access-group LAN2WEB in
ip nat inside
ip nat enable
ip virtual-reassembly
!
interface Dialer1
ip address negotiated previous
ip access-group BLOCKWAN in
ip nat outside
ip nat enable
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
autodetect encapsulation ppp
ppp authentication chap pap callin
ppp chap hostname user@plus.net
ppp chap password 7 071C3549580C1C
ppp ipcp wins request
ppp ipcp mask request
ppp ipcp route default
ppp ipcp address accept
!
ip default-gateway 195.166.130.250
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat pool CLIENTS 192.168.1.20 192.168.1.25 netmask 255.255.255.0
ip nat inside source list LAN2WEB interface Dialer1 overload
!
ip access-list extended BLOCKWAN
permit tcp any any established
permit udp any any
permit udp host 91.189.89.198 eq ntp any
deny ip any any
ip access-list extended LAN2WEB
permit ip any any
!
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 051B090031
login
!
scheduler max-task-time 5000
end

Sometimes a router needs a reload to connect properly, as any OS may; the above did not work fully until rebooted.

Now I have connected my laptop and it has an IP address of 192.168.1.21, as expected from the DHCP pool settings:

stevee@AMDA8 ~ $ ifconfig
eth0 Link encap:Ethernet HWaddr 38:63:bb:ca:cf:2c
inet addr:192.168.1.21 Bcast:192.168.1.255 Mask:255.255.255.0

I can also telnet to the 877 and login.

I have Internet access to grc.com which shows a full stealth pass:

This shows the BLOCKWAN ACL on the WAN interface doing its job for TCP, and that this LAN client has sufficient protocol access through the LAN2WEB ACL on Vlan1 to load pages fully. Keep in mind that ShieldsUP probes TCP service ports, so a stealth result says nothing about the permit udp any any entry or the router's own UDP listeners (SNMP with the community "public", in this conf); those need a UDP scan to show up.

DNS must also be working, since the pages are reached by name.

So what does NAT show?

The translation table lists each LAN IP/port and the WAN IP/port it was mapped to for every request the LAN devices have made.
