Jordan's Cisco Blog<br />
<br />
<h2>Scheduling a reload of a router using cron</h2>
Published 2015-09-28<br />
<br />
Maybe you have a dodgy router in the fleet, or a memory leak on one of them. This little snippet has bought me some time in some situations. Scheduling a reload is very simple. The EEM applet below will reload the router every night at midnight, by the router's clock.<br />
<br />
<span style="color: orange;">event manager applet daily-reload</span><br />
<span style="color: orange;"> event timer cron name daily-reload cron-entry "0 0 * * *"</span><br />
<span style="color: orange;"> action 1.0 syslog msg "Automated Reload Triggered"</span><br />
<span style="color: orange;"> action 1.1 reload</span><br />
<br />
<h2>Configuring IPv6 Prefix Delegation on a Cisco router for Ethernet or Dialer interfaces</h2>
Published 2015-09-18<br />
<br />
This post shows an example of how to configure IPv6 on Ethernet- or Dialer-delivered services. This might come in handy if you want to configure IPv6 on Telstra TBiz on the NBN, or pretty much any IPv6-delivered service.<br />
<br />
So let's say, for example, your ISP has given you a PD (Prefix Delegation) of 2001:1111:2222:333::/56 and you'd like to give a couple of your attached VLANs onsite their own /64 subnets for eating up the new IPv6 space on the internet.<br />
<br />
It's actually pretty easy to do, but you're going to have to forget everything you ever knew about IPv4 because the game has changed slightly.<br />
<br />
Firstly, let's pick up that nice new prefix delegation your ISP has given you. Log in, enable, and go to configuration terminal. Let's enable IPv6 routing and Cisco Express Forwarding (CEF).<br />
<br />
<span style="color: orange;">router(config)# ipv6 cef</span><br />
<span style="color: orange;">router(config)# </span><span style="color: orange;">ipv6 unicast-routing</span><br />
<br />
First things first, the best thing to do is make a new IPv6 ACL to keep all the script kiddies out of your network. Everything on IPv6 is publicly routable. Goodbye NAT and sitting safely behind private IP addresses. This is no more. Once you're IPv6 configured, everything on your local LAN sits on the public internet, so an inbound filter on the Internet-facing interface is a big player. Let's create an ACL that permits only what needs to come in; anything it doesn't list is dropped by the implicit deny at the end.<br />
<br />
<span style="color: orange;">router(config)# </span><span style="color: orange;">ipv6 access-list IPV6-IN</span><br />
<span style="color: orange;">router(config-ipv6-acl)# permit icmp any any</span><br />
<span style="color: orange;">router(config-ipv6-acl)# permit tcp any any established</span><br />
<span style="color: orange;">router(config-ipv6-acl)# permit udp any any eq 546</span><br />
<br />
Note the UDP port 546. This is the DHCPv6 client port: the replies carrying your prefix delegation arrive on it, so it must be allowed for your ISP to give you a prefix delegation. Once we have our new ACL, we're ready to configure our first interface.<br />
<br />
Type in the interface facing your ISP. In this example, it's GigabitEthernet0/0. I'll assume you already have all the normal IPv4 things in here, so I won't show them in the below example.<br />
<br />
I recommend that you configure a "link-local" address explicitly. It is normally generated from the interface's MAC address; however, if you're using any subinterfaces or port-channels, you can get duplicate link-local addresses and IPv6 simply won't work. For our Internet-facing interface, we'll give it a link-local address of FE80::1.<br />
<br />
<span style="color: orange;">router(config)# interface GigabitEthernet0/0</span><br />
router(config-if)# ! configure a link-local address<br />
<span style="color: orange;">router(config-if)# ipv6 address FE80::1 link-local</span><br />
router(config-if)# ! assign the first /64 of our new prefix delegation<br />
<span style="color: orange;">router(config-if)#</span><span style="color: orange;"> ipv6 address IPV6-PD ::1/64</span><br />
router(config-if)# ! enable ipv6 on the interface<br />
<span style="color: orange;">router(config-if)#</span><span style="color: orange;"> ipv6 enable</span><br />
router(config-if)# ! enable the router to find the default route<br />
<span style="color: orange;">router(config-if)#</span><span style="color: orange;"> ipv6 nd autoconfig default-route</span><br />
router(config-if)# ! enable the DHCP client and assign a name of IPV6-PD to your prefix delegation<br />
<span style="color: orange;">router(config-if)#</span><span style="color: orange;"> ipv6 dhcp client pd IPV6-PD</span><br />
router(config-if)# ! Assign our ACL to the interface<br />
<span style="color: orange;">router(config-if)#</span><span style="color: orange;"> ipv6 traffic-filter IPV6-IN in</span><br />
<br />
Now is a good time to check whether or not you have received your prefix delegation. Because IPv6 is still new to many providers, it's not uncommon for ISPs to get it wrong.<br />
<br />
<span style="color: orange;">router# </span><span style="color: orange;">sh ipv6 dhcp int</span><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrN9iZvzpqs1iTJu2uUCoDbtux3uioNUOJig42kynrLnqSgxB6LT_Zm22NazAoSchPcSv3Kt8mKUoktfy6A2HyLmDeQd5v_sOrEThGmm7u52lFJNpzTC-_r62P7eLw5RyuTfORNeLgw9I1/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrN9iZvzpqs1iTJu2uUCoDbtux3uioNUOJig42kynrLnqSgxB6LT_Zm22NazAoSchPcSv3Kt8mKUoktfy6A2HyLmDeQd5v_sOrEThGmm7u52lFJNpzTC-_r62P7eLw5RyuTfORNeLgw9I1/s320/Capture.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It should output what your assigned prefix is. If this is all good, then carry on. Otherwise, something isn't right with your ISP.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In this example, I have two VLANs to which I want to assign the next two /64s. VLAN 2 is on GigabitEthernet0/1.2 and VLAN 3 is on GigabitEthernet0/1.3.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Unfortunately, there is an issue with how Windows processes ICMPv6 Router Advertisements (RAs) within its NDIS drivers. It's an issue which has long plagued many network administrators, and a quick Google search will show you that.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
What happens is, for example, you have two VLANs: one is a general-use VLAN and another might be for VoIP. Frames are tagged on the VoIP VLAN, for example. If you want to enable IPv6 for both VLANs, Windows (in its wisdom) will untag the RA frame from the router and pass it through to the operating system. What you essentially end up with is a Windows client with an IPv6 address and gateway on the tagged VLAN as well as the untagged one, causing weird disconnection issues on Windows clients.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
There is a workaround, but it involves some hackery which the router will complain about; I'll show you how here. What you need to do is set the same link-local address on each subinterface. This includes things like port-channels. To do this, however, you'll need to disable a feature called Duplicate Address Detection, or "DAD" for short.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Under configuration terminal, type the following:</div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: orange;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: orange;">router(config)# </span><span style="color: orange;">ipv6 nd dad time 1</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This makes duplicate address detection last only 1 ms. Otherwise, if it sees the same link-local address configured on different interfaces, it'll disable IPv6 on that interface.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So here's what we do....</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
<span style="color: orange;">router(config)# </span><span style="color: orange;">interface GigabitEthernet0/1.2</span></div>
<div class="separator" style="clear: both;">
router(config-subif)# ! configure a link-local address of FE80::2 for VLAN 2</div>
<div class="separator" style="clear: both;">
<span style="color: orange;">router(config-subif)# ipv6 address FE80::2 link-local</span></div>
<div class="separator" style="clear: both;">
router(config-subif)# ! Delegate the second /64 increment to this VLAN</div>
<div class="separator" style="clear: both;">
<span style="color: orange;">router(config-subif)# ipv6 address </span><span style="color: orange;">IPV6-PD</span><span style="color: orange;"> ::2:0:0:0:1/64</span></div>
<div class="separator" style="clear: both;">
router(config-subif)# ! enable IPv6 on this interface</div>
<div class="separator" style="clear: both;">
<span style="color: orange;">router(config-subif)# ipv6 enable</span></div>
<div class="separator" style="clear: both;">
router(config-subif)# !</div>
<div class="separator" style="clear: both;">
<span style="color: orange;">router(config-subif)# interface GigabitEthernet0/1.3</span></div>
<div class="separator" style="clear: both;">
router(config-subif)# ! configure a link-local address of FE80::2 for VLAN 3 as well</div>
<div class="separator" style="clear: both;">
<span style="color: orange;">router(config-subif)# ipv6 address FE80::2 link-local</span></div>
<div class="separator" style="clear: both;">
router(config-subif)# ! Delegate the third /64 increment in this VLAN</div>
<div class="separator" style="clear: both;">
<span style="color: orange;">router(config-subif)# ipv6 address </span><span style="color: orange;">IPV6-PD</span><span style="color: orange;"> ::3:0:0:0:1/64</span></div>
<div class="separator" style="clear: both;">
router(config-subif)# ! enable IPv6 on this interface</div>
<div class="separator" style="clear: both;">
<span style="color: orange;">router(config-subif)# ipv6 enable</span></div>
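To see what the three "ipv6 address IPV6-PD ..." lines above actually produce once the delegated /56 lands in the general prefix, here is an added Python example (not from this post, and not Cisco code) that models the general-prefix expansion: the leading prefix-length bits come from the delegation and the rest from the suffix typed on the interface. It also flags two mistakes that are easy to make by hand: a suffix that sets bits inside the delegated part, and two interfaces that end up in the same /64. Note that the post's example prefix 2001:1111:2222:333::/56 has bits set past bit 56, so the code normalises it to 2001:1111:2222:300::/56; a real delegation from the ISP arrives aligned.<br />

```python
"""Expand IOS general-prefix addresses from a DHCPv6 prefix delegation.

Added example (not from the blog post): models what the router derives from
`ipv6 address IPV6-PD ::2:0:0:0:1/64` once IPV6-PD holds the delegated /56.
Assumption: the leading prefix-length bits come from the delegation and the
remaining bits from the suffix typed on the interface.
"""
import ipaddress

ALL_ONES = (1 << 128) - 1


def expand_general_prefix(delegated: str, suffix: str, plen: int) -> ipaddress.IPv6Interface:
    """Combine a delegated prefix with an IOS-style suffix such as '::2:0:0:0:1'."""
    # strict=False: the post's 2001:1111:2222:333::/56 has host bits set and is
    # normalised to 2001:1111:2222:300::/56 (a real delegation is already aligned).
    pd = ipaddress.IPv6Network(delegated, strict=False)
    if plen < pd.prefixlen:
        raise ValueError("interface prefix length cannot be shorter than the delegation")
    pd_mask = int(pd.netmask)          # ones over the bits the ISP fixed
    host_mask = ALL_ONES ^ pd_mask     # ones over the bits you are free to assign
    suffix_int = int(ipaddress.IPv6Address(suffix))
    if suffix_int & pd_mask:
        raise ValueError("suffix sets bits inside the delegated prefix; they would be overwritten")
    combined = (int(pd.network_address) & pd_mask) | (suffix_int & host_mask)
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(combined)}/{plen}")


def plan_subnets(delegated: str, assignments: dict, plen: int = 64) -> dict:
    """Expand every interface's suffix and refuse two interfaces landing in one /64."""
    owner_of = {}
    plan = {}
    for ifname, suffix in assignments.items():
        iface = expand_general_prefix(delegated, suffix, plen)
        if iface.network in owner_of:
            raise ValueError(f"{ifname} and {owner_of[iface.network]} would both use {iface.network}")
        owner_of[iface.network] = ifname
        plan[ifname] = iface
    return plan


if __name__ == "__main__":
    # Constructed input: the post's example delegation and its three suffixes.
    for ifname, iface in plan_subnets("2001:1111:2222:333::/56", {
        "GigabitEthernet0/0": "::1",
        "GigabitEthernet0/1.2": "::2:0:0:0:1",
        "GigabitEthernet0/1.3": "::3:0:0:0:1",
    }).items():
        print(f"{ifname:22} {iface}  (subnet {iface.network})")
```

Run it and you get 2001:1111:2222:300::1/64 on the WAN interface, 2001:1111:2222:302::1/64 on VLAN 2 and 2001:1111:2222:303::1/64 on VLAN 3, which is why the subnet number sits in the low byte of the fourth hextet of the suffix.<br />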
<br />
You may be wondering by this point: what about a static default route? Well, the good news is, you don't need one. It is learned from your ISP's Router Advertisements via the "ipv6 nd autoconfig default-route" command we entered earlier on your Internet-facing interface.<br />
<br />
Everything should now be good to go. A refresh of your local LAN adapter should mean you receive an IPv6 address. Yup, you don't even need to configure DHCP! Your clients will learn their addresses from the router's Router Advertisements (SLAAC). Pretty cool, huh?<br />
<br />
Note: Some Dialer interfaces fail to refresh their Prefix Delegations after the Dialer interface comes back up. Perhaps it's ADSL and it performs a resync, forcing the Dialer interface to reauthenticate.<br />
<br />
The below is a workaround for the problem. I have not had this issue, however if you do, this could come in handy. Thanks to Internode for this gem.<br />
<br />
<span style="color: orange;">event manager applet MONITOR-IPV6-DHCP-APP</span><br />
<span style="color: orange;"> event syslog pattern "DIALER-6-BIND"</span><br />
<span style="color: orange;"> action 1.0 cli command "enable"</span><br />
! Replace the Dialer interface with the correct number...<br />
<span style="color: orange;"> action 1.1 cli command "clear ipv6 dhcp client Dialer1"</span><br />
<span style="color: orange;"> action 2.0 syslog priority debugging msg "Refreshed IPv6 DHCP PD lease (Dialer rebind)"</span><br />
<span style="color: orange;">!</span><br />
<br />
<h2>Configuring Conditional DNS forwarding on a Cisco router</h2>
Published 2013-09-07<br />
<br />
For whatever reason, you may wish to use your Cisco router as a primary DNS server. If you're stuck in a situation where you need to send certain DNS domain names to different DNS servers, then this post is for you!<br />
<br />
Firstly we must set our default DNS servers:<br />
<br />
<span style="color: orange;">ip name-server 203.50.2.71</span><br />
<span style="color: orange;">ip name-server 139.130.4.4</span><br />
<br />
Next, we configure our different DNS servers as "views":<br />
<br />
<span style="color: orange;">ip dns view default</span><br />
<span style="color: orange;"> dns forwarder 203.50.2.71</span><br />
<span style="color: orange;"> dns forwarder 139.130.4.4</span><br />
<span style="color: orange;"><br /></span>
<span style="color: orange;">ip dns view internal_dns</span><br />
<span style="color: orange;"> dns forwarder 192.168.0.10</span><br />
<span style="color: orange;"> dns forwarder 192.168.0.11</span><br />
<br />
Now we put our DNS views into a "view-list":<br />
<br />
<span style="color: orange;">ip dns view-list conditional</span><br />
<span style="color: red;">! give the internal_dns view a priority of 10 and bind it to name-group 1</span><br />
<span style="color: orange;"> view internal_dns 10</span><br />
<span style="color: orange;"> restrict name-group 1</span><br />
<span style="color: red;">! give the default view the highest priority number</span><br />
<span style="color: orange;"> view default 99</span><br />
<br />
Define the domains you wish to forward internally with a "name-list":<br />
<br />
<span style="color: orange;">ip dns name-list 1 permit 10\.IN-ADDR</span><br />
<span style="color: orange;">ip dns name-list 1 permit .*.LOCAL</span><br />
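A name-list entry is a regular expression, so it pays to check which view a given query name really lands in. The added Python example below (not from this post, and not Cisco code) models the "conditional" view-list as data: views are tried in ascending order number, and the first one whose name-list admits the name wins. It assumes IOS evaluates the entries as unanchored, case-insensitive regexes. Under that reading, the post's ".*.LOCAL" (unescaped dot, no anchor) also matches names such as relocalize.example.com, and "10\.IN-ADDR" also matches the 110.in-addr.arpa reverse zone, so those queries would go to the internal forwarders instead of the public ones; the tighter patterns in ANCHORED_NAME_LIST_1 close both gaps.<br />

```python
"""Which DNS view does the 'conditional' view-list pick for a query name?

Added example (not from the post or from Cisco): it models the view-list as
data so you can check which forwarders a name would reach.
Assumptions: views are tried in ascending order number, a name-list entry is
an unanchored regular expression, and matching is case-insensitive.
"""
import re
from dataclasses import dataclass, field


@dataclass
class View:
    name: str
    order: int
    forwarders: list
    name_list: list = field(default_factory=list)  # 'permit' regexes; empty = unrestricted

    def matches(self, qname: str) -> bool:
        if not self.name_list:
            return True
        return any(re.search(pattern, qname, re.IGNORECASE) for pattern in self.name_list)


def select_view(views: list, qname: str) -> View:
    """First view, in order-number sequence, whose restriction admits the name."""
    for view in sorted(views, key=lambda v: v.order):
        if view.matches(qname):
            return view
    raise LookupError(f"no view admits {qname!r}")


# name-list 1 exactly as the post writes it.
POST_NAME_LIST_1 = [r"10\.IN-ADDR", r".*.LOCAL"]
# A tighter version: the dot before LOCAL is escaped and both entries are
# anchored, so only the 10.in-addr.arpa zone and names ending in .local match.
ANCHORED_NAME_LIST_1 = [r"\.10\.IN-ADDR\.ARPA$", r"\.LOCAL$"]


def build_views(name_list_1: list) -> list:
    """The post's two views: internal_dns at order 10, default at order 99."""
    return [
        View("internal_dns", 10, ["192.168.0.10", "192.168.0.11"], name_list_1),
        View("default", 99, ["203.50.2.71", "139.130.4.4"]),
    ]


def view_for(qname: str, name_list_1: list = POST_NAME_LIST_1) -> str:
    """Name of the view that would answer qname."""
    return select_view(build_views(name_list_1), qname).name


if __name__ == "__main__":
    # Constructed query names: two that should go internal, one public, and
    # two that only match because the post's patterns are loose.
    for qname in ["fileserver.corp.local", "5.0.0.10.in-addr.arpa", "www.example.com",
                  "relocalize.example.com", "4.3.2.110.in-addr.arpa"]:
        print(f"{qname:26} post: {view_for(qname):12} anchored: {view_for(qname, ANCHORED_NAME_LIST_1)}")
```

The last two names in the script are the ones to watch: with the post's patterns both select internal_dns, with the anchored patterns both fall through to default.<br />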
<br />
Bind the DNS server to the view-group "conditional":<br />
<br />
<span style="color: orange;">ip dns server view-group conditional</span><br />
<br />
Lastly, enable the DNS server:<br />
<br />
<span style="color: orange;">ip dns server</span><br />
<br />
<h2>Capturing Packets from a Cisco Router for Wireshark pcap</h2>
Published 2013-06-30<br />
<br />
In case you wish to troubleshoot issues and view specific packet flows traversing your routers, you will need a TFTP server set up so that you can export your captures.<br />
<br />
I use tftpd64 or tftpd32. It's a nice, free, simple TFTP daemon that runs on Windows: <a href="http://www.jounin.net/tftpd32.html">http://www.jounin.net/tftpd32.html</a><br />
<br />
In this example, my TFTP server is on 10.0.0.55.<br />
<br />
First off, we need to create an access-list that matches the traffic you wish to capture. I want to capture traffic traversing my router, destined to and from 32.55.55.32:<br />
<br />
<span style="color: orange;">Router(config)# access-list 140 permit ip host 32.55.55.32 any</span><br />
<span style="color: orange;">Router(config)# access-list 140 permit ip any host 32.55.55.32</span><br />
<br />
This ACL will capture all traffic to and from this IP address.<br />
<br />
Next we need to create a capture buffer to hold the packets. I have called mine "holdpackets":<br />
<br />
<span style="color: orange;">Router# monitor capture buffer holdpackets</span><br />
<span style="color: orange;"><br /></span>
Now we restrict what lands in the buffer by filtering it through our access-list:<br />
<span style="color: orange;"><br /></span>
<span style="color: orange;">Router# monitor capture buffer holdpackets filter access-list 140</span><br />
<span style="color: orange;"><br /></span>
Now for some tweaks so that we actually get complete packet data for inspection in Wireshark. The buffer size is in kilobytes, and max-size is how many bytes of each packet are kept, so 9500 avoids truncated frames:<br />
<br />
<span style="color: orange;">Router# monitor capture buffer holdpackets size 10240 max-size 9500</span><br />
<span style="color: orange;"><br /></span>
Now we need to create and name our capture point and associate it with the buffer. I have called mine "testcap":<br />
<span style="color: orange;"><br /></span>
<span style="color: orange;">Router# monitor capture point ip cef </span><span style="color: red;">testcap</span><span style="color: orange;"> all both</span><br />
<span style="color: orange;">Router# monitor capture point associate </span><span style="color: red;">testcap</span><span style="color: orange;"> holdpackets</span><br />
<span style="color: orange;"><br /></span>
Now we can start our capture!<br />
<span style="color: orange;"><br /></span>
<span style="color: orange;">Router# monitor capture point start </span><span style="color: red;">testcap</span><br />
<span style="color: orange;"><br /></span>
Once you think you have acquired enough packets, to stop the capture, type:<br />
<span style="color: orange;"><br /></span>
<span style="color: orange;">Router# monitor capture point stop </span><span style="color: red;">testcap</span><br />
<span style="color: orange;"><br /></span>
Now you can export your data to your TFTP server by typing in the following command. You can then open the .pcap file in Wireshark for viewing:<br />
<br />
<span style="color: orange;">Router# monitor capture buffer holdpackets export tftp://</span><span style="color: red;">10.0.0.55</span><span style="color: orange;">/testcap.pcap</span><br />
<span style="color: orange;"><br /></span>
Once uploaded, you can remove the capture buffer and the capture point by typing the following:<br />
<br />
<span style="color: orange;">Router# no monitor capture buffer holdpackets</span><br />
<br />
<span style="color: orange;">Router# no monitor capture point ip cef testcap all both</span><br />
<span style="color: orange;"><br /></span>
To check if there are any current captures or parameters configured, you can use the following command:<br />
<br />
<span style="color: orange;">Router# sh monitor capture point all</span><br />
<br />
<h2>Example of CBWFQ QoS and Shaping</h2>
Published 2013-06-19<br />
<h3>
Shaping to 30mbps Maximum:</h3>
ip access-list extended ShapeMe<br />
 permit ip 172.16.0.0 0.0.0.255 any<br />
 permit ip any 172.16.0.0 0.0.0.255<br />
!<br />
class-map match-any ShapeMe<br />
 match access-group name ShapeMe<br />
!<br />
policy-map ShapeMe<br />
 class ShapeMe<br />
  shape average 30m<br />
<span style="color: orange;">! Will shape at 30mbps maximum</span><br />
!<br />
int g0/0<br />
 service-policy output ShapeMe<br />
<span style="color: orange;">! Apply to output interface. If needed in both ingress and egress, apply to both inside and outside interfaces</span><br />
<br />
<br />
<h3>
Priority for SQL Traffic?</h3>
<br />
ip access-list extended SQL<br />
 permit tcp 10.113.32.0 0.0.3.255 10.113.176.0 0.0.3.255 range 1433 1434<br />
 permit tcp 10.113.176.0 0.0.3.255 10.113.32.0 0.0.3.255 range 1433 1434<br />
<br />
class-map match-any SQL<br />
 match access-group name SQL<br />
<br />
policy-map SQL<br />
 class SQL<br />
  priority 1024<br />
<span style="color: orange;">! priority is in kbps: 1024 kbps (about 1mbps) is guaranteed, and policed to that rate, whenever the interface is congested</span><br />
<br />
int g0/0<br />
 service-policy output SQL<br />
<span style="color: orange;">! Apply to output interface. If needed in both ingress and egress, apply to both inside and outside interfaces</span><br />
<br />
<h3>
What if I just want to shape traffic by the interface that it enters? Eg an internet or WAN interface?</h3>
<div>
<span style="color: orange;">! Since you can only shape on output, not input, in this example I will shape the Upstream and Downstream CIR rate to 100mbps down and 40mbps up. The inbound or internet interface is GigabitEthernet0/1. GigabitEthernet0/0 is the LAN side.</span></div>
<div>
<br /></div>
class-map match-any QoS_DOWN<br />
 match input-interface GigabitEthernet0/1<br />
<br />
class-map match-any QoS_UP<br />
 match any<br />
<br />
policy-map QoS_DOWN<br />
 class QoS_DOWN<br />
  shape average 100m<br />
<br />
policy-map QoS_UP<br />
 class QoS_UP<br />
  shape average 40m<br />
<br />
interface GigabitEthernet0/0<br />
 description LAN Interface<br />
 service-policy output QoS_DOWN<br />
<br />
interface GigabitEthernet0/1<br />
 description Internet Interface<br />
 service-policy output QoS_UP<br />
<br />
<h2>Configuration Example for Cisco 857/877W Config for Bigpond or Telstra Internet Direct</h2>
Published 2013-05-19<br />
<div class="MsoNormal">
This config is straight out of a Cisco 857W router running on Bigpond. It has Wi-Fi enabled with WPA2 AES encryption. The Cisco is running IOS version 12.4.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<span style="color: orange;">service password-encryption</span><br />
<span style="color: orange;">service internal</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">hostname </span><span style="color: red;"><b>&lt;hostname&gt;</b></span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">enable secret </span><span style="color: red;"><b>&lt;your enable password&gt;</b></span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">no aaa new-model</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">dot11 ssid </span><span style="color: red;"><b>&lt;Your SSID&gt;</b></span><br />
<span style="color: orange;"> vlan 1</span><br />
<span style="color: orange;"> authentication open</span><br />
<span style="color: orange;"> authentication key-management wpa</span><br />
<span style="color: orange;"> guest-mode</span><br />
<span style="color: orange;"> wpa-psk ascii </span><span style="color: red;"><b>&lt;Your Wireless Key&gt;</b></span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">no ip dhcp use vrf connected</span><br />
<span style="color: orange;">ip dhcp excluded-address 10.0.0.138 10.0.0.254</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">ip dhcp pool LocalNet</span><br />
<span style="color: orange;"> network 10.0.0.0 255.255.255.0</span><br />
<span style="color: orange;"> default-router 10.0.0.138</span><br />
<span style="color: orange;"> domain-name internet.local</span><br />
<span style="color: orange;"> dns-server 10.0.0.138</span><br />
<span style="color: orange;"> lease 365</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">ip cef</span><br />
<span style="color: orange;">ip domain name internet.local</span><br />
<span style="color: orange;">ip name-server </span><span style="color: red;"><b>&lt;nameserver 1&gt;</b></span><br />
<span style="color: orange;">ip name-server </span><span style="color: red;"><b>&lt;nameserver 2&gt;</b></span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">username admin secret </span><span style="color: red;"><b>&lt;admin password&gt;</b></span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">bridge irb</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">interface ATM0</span><br />
<span style="color: orange;"> no shutdown</span><br />
<span style="color: orange;"> no ip address</span><br />
<span style="color: orange;"> atm ilmi-keepalive</span><br />
<span style="color: orange;"> pvc 8/35</span><br />
<span style="color: orange;">  encapsulation aal5mux ppp dialer</span><br />
<span style="color: orange;">  dialer pool-member 1</span><br />
<span style="color: orange;"> !</span><br />
<span style="color: orange;"> dsl operating-mode auto</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">interface FastEthernet0</span><br />
<span style="color: orange;"> no shutdown</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">interface FastEthernet1</span><br />
<span style="color: orange;"> no shutdown</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">interface FastEthernet2</span><br />
<span style="color: orange;"> no shutdown</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">interface FastEthernet3</span><br />
<span style="color: orange;"> no shutdown</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">interface Dot11Radio0</span><br />
<span style="color: orange;"> no shutdown</span><br />
<span style="color: orange;"> no ip address</span><br />
<span style="color: orange;"> !</span><br />
<span style="color: orange;"> encryption vlan 1 mode ciphers aes-ccm</span><br />
<span style="color: orange;"> !</span><br />
<span style="color: orange;"> ssid </span><span style="color: red;"><b>&lt;Your SSID&gt;</b></span><br />
<span style="color: orange;"> !</span><br />
<span style="color: orange;"> speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0</span><br />
<span style="color: orange;"> channel 2462</span><br />
<span style="color: orange;"> station-role root</span><br />
<span style="color: orange;"> world-mode dot11d country AU both</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">interface Dot11Radio0.1</span><br />
<span style="color: orange;"> encapsulation dot1Q 1 native</span><br />
<span style="color: orange;"> ip virtual-reassembly</span><br />
<span style="color: orange;"> no cdp enable</span><br />
<span style="color: orange;"> bridge-group 1</span><br />
<span style="color: orange;"> bridge-group 1 subscriber-loop-control</span><br />
<span style="color: orange;"> bridge-group 1 spanning-disabled</span><br />
<span style="color: orange;"> bridge-group 1 block-unknown-source</span><br />
<span style="color: orange;"> no bridge-group 1 source-learning</span><br />
<span style="color: orange;"> no bridge-group 1 unicast-flooding</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">interface Vlan1</span><br />
<span style="color: orange;"> no ip address</span><br />
<span style="color: orange;"> bridge-group 1</span><br />
<span style="color: orange;"> bridge-group 1 spanning-disabled</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">interface Dialer1</span><br />
<span style="color: orange;"> ip address negotiated</span><br />
<span style="color: orange;"> ip nat outside</span><br />
<span style="color: orange;"> ip virtual-reassembly</span><br />
<span style="color: orange;"> encapsulation ppp</span><br />
<span style="color: orange;"> dialer pool 1</span><br />
<span style="color: orange;"> dialer-group 1</span><br />
<span style="color: orange;"> ppp authentication chap callin</span><br />
<span style="color: orange;"> ppp chap hostname </span><span style="color: red;"><b>&lt;ISP Username&gt;</b></span><br />
<span style="color: orange;"> ppp chap password </span><span style="color: red;"><b>&lt;ISP Password&gt;</b></span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">interface BVI1</span><br />
<span style="color: orange;"> description LAN &amp; WLAN Bridge</span><br />
<span style="color: orange;"> ip address 10.0.0.138 255.255.255.0</span><br />
<span style="color: orange;"> ip nat inside</span><br />
<span style="color: orange;"> ip virtual-reassembly</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">no ip forward-protocol nd</span><br />
<span style="color: orange;">ip route 0.0.0.0 0.0.0.0 Dialer1</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">no ip http server</span><br />
<span style="color: orange;">no ip http secure-server</span><br />
<span style="color: orange;">ip dns server</span><br />
<span style="color: orange;">ip nat inside source list 1 interface Dialer1 overload</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">access-list 1 permit 10.0.0.0 0.0.0.255</span><br />
<span style="color: orange;">access-list 23 permit 10.0.0.0 0.0.0.255</span><br />
<span style="color: orange;">dialer-list 1 protocol ip permit</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">control-plane</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">bridge 1 protocol ieee</span><br />
<span style="color: orange;">bridge 1 route ip</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">line vty 0 4</span><br />
<span style="color: orange;"> access-class 23 in</span><br />
<span style="color: orange;"> privilege level 15</span><br />
<span style="color: orange;"> login local</span><br />
<div class="MsoNormal">
<span style="color: orange;"> transport
input telnet ssh<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: orange;">!</span></div>
<div class="MsoNormal">
<span style="color: orange;">end</span><o:p></o:p></div>
<h2>Enabling SNMP and Netflow for Solarwinds NPM and NTA on Cisco ISR, ASR and ASA firewalls</h2>
Posted 2013-05-15, updated 2015-09-28.<br />
This assumes that your Solarwinds collector and Netflow analyser are on 192.168.0.55.<br />
<br />
<h2>For Cisco ASR's or ISR's with Flexible Netflow:</h2>
Firstly, let's create an ACL for our Solarwinds Server:<br />
<br />
<span style="color: orange;">ip access-list standard Solarwinds</span><br />
<span style="color: orange;"> permit host 192.168.0.55</span><br />
<span style="color: orange;">!</span><br />
<br />
Now we can enable SNMP:<br />
<br />
<span style="color: orange;">snmp-server community tceo RO Solarwinds</span><br />
<span style="color: orange;">snmp-server location Mario's Pizza Shop</span><br />
<span style="color: orange;">snmp-server contact Mario Bros</span><br />
<br />
Now to enable NetFlow:<br />
<br />
<span style="color: orange;">flow record NETFLOW_RECORD</span><br />
<span style="color: orange;"> match ipv4 tos</span><br />
<span style="color: orange;"> match ipv4 protocol</span><br />
<span style="color: orange;"> match ipv4 source address</span><br />
<span style="color: orange;"> match ipv4 destination address</span><br />
<span style="color: orange;"> match transport source-port</span><br />
<span style="color: orange;"> match transport destination-port</span><br />
<span style="color: orange;"> match interface input</span><br />
<span style="color: orange;"> collect interface output</span><br />
<span style="color: orange;"> collect counter bytes</span><br />
<span style="color: orange;"> collect counter packets</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">flow exporter NETFLOW_EXPORT</span><br />
<span style="color: orange;"> destination 192.168.0.55</span><br />
<span style="color: orange;"> transport udp 2055</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;">flow monitor NETFLOW_MONITOR</span><br />
<span style="color: orange;"> exporter NETFLOW_EXPORT</span><br />
<span style="color: orange;"> record NETFLOW_RECORD</span><br />
<br />
Choose which interface to monitor traffic on for both ingress and egress. In this case I'm picking GigabitEthernet0/0/0.<br />
<br />
<span style="color: orange;">interface GigabitEthernet0/0/0</span><br />
<span style="color: orange;"> ip flow monitor NETFLOW_MONITOR input</span><br />
<span style="color: orange;"> ip flow monitor NETFLOW_MONITOR output</span><br />
<span style="color: orange;">!</span><br />
<br />
To check if all is working as expected, you can type the following command:<br />
<br />
<span style="color: orange;">sh flow monitor</span><br />
<br />
<h2>For Cisco ISR's without Flexible Netflow:</h2>
<br />
Firstly, let's create an ACL for our Solarwinds Server:<br />
<br />
<span style="color: orange;">ip access-list standard Solarwinds</span><br />
<span style="color: orange;"> permit host 192.168.0.55</span><br />
<span style="color: orange;">!</span><br />
<br />
Now we can enable SNMP:<br />
<br />
<span style="color: orange;">snmp-server community public RO Solarwinds</span><br />
<span style="color: orange;">snmp-server location Marios Pizza Shop</span><br />
<span style="color: orange;">snmp-server contact Mario Bros</span><br />
<span style="color: orange;">snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart</span><br />
<br />
Now to enable NetFlow:<br />
<br />
<span style="color: orange;">ip flow-export version 9</span><br />
<span style="color: orange;">ip flow-export destination 192.168.0.55 2055</span><br />
<div>
<br /></div>
<div>
Choose which interface to monitor traffic on for both ingress and egress. In this case I'm picking Gi0/0</div>
<div>
<br /></div>
<div>
<span style="color: orange;">interface GigabitEthernet0/0</span></div>
<div>
<span style="color: orange;"> ip flow ingress</span></div>
<div>
<span style="color: orange;"> ip flow egress</span></div>
<div>
<span style="color: orange;">!</span></div>
<div>
<span style="color: orange;"><br /></span>
To check if all is working as expected, you can type the following command:<br />
<br />
<br />
<span style="color: orange;">sh ip cache flow</span><br />
<br />
If you just want to use Netflow without the export to a Netflow collector, just negate the "ip flow-export" commands.<br />
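Both export paths above (the Flexible NetFlow exporter and "ip flow-export version 9") send NetFlow v9, where a collector cannot decode a data FlowSet until it has received the template that describes it, which is why exporters resend templates periodically. The following Python parser is an added example, not code from this post or from Solarwinds: it runs over a constructed export datagram whose template mirrors the NETFLOW_RECORD field order, using the standard RFC 3954 field type IDs, and shows what happens when data arrives before its template.<br />

```python
import socket
import struct

# NetFlow v9 field type IDs (RFC 3954) for the fields the NETFLOW_RECORD above
# matches and collects; any other field type is kept under a generic name.
FIELD_NAMES = {
    1: "bytes", 2: "packets", 4: "protocol", 5: "tos", 7: "src_port",
    8: "src_addr", 10: "input_if", 11: "dst_port", 12: "dst_addr", 14: "output_if",
}


def decode_field(ftype, raw):
    """IPv4 address fields become dotted quads, everything else a big-endian int."""
    if ftype in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates):
    """Parse one export datagram. `templates` persists across packets, keyed by
    (source_id, template_id): data FlowSets cannot be decoded until the matching
    template FlowSet has been seen. Returns (header, records, skipped_ids)."""
    version, count, _uptime, _exported, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    header = {"version": version, "count": count, "sequence": seq, "source_id": source_id}
    records, skipped, offset = [], [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:  # template FlowSet: template_id, n, then n (type, len) pairs
            pos = 0
            while pos + 4 <= len(body):
                template_id, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                templates[(source_id, template_id)] = fields
                pos += 4 * nfields
        elif flowset_id >= 256:  # data FlowSet: records laid out per the template
            fields = templates.get((source_id, flowset_id))
            if fields is None:
                skipped.append(flowset_id)  # nothing to do until the template arrives
            else:
                rec_len = sum(flen for _, flen in fields)
                if rec_len == 0:
                    raise ValueError("template with zero-length record")
                pos = 0
                while pos + rec_len <= len(body):  # leftover bytes are padding
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        # FlowSet id 1 (options template) and the reserved ids 2..255 are ignored here
        offset += length
    return header, records, skipped


def build_sample_export(with_template=True):
    """Constructed sample datagram (not a capture): a template mirroring the
    NETFLOW_RECORD field order plus one data record, optionally without the template."""
    fields = [(5, 1), (4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (10, 2), (14, 2), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (bytes([0x00, 0x06])                                # tos 0, protocol 6 (TCP)
           + socket.inet_aton("192.168.0.20") + socket.inet_aton("203.0.113.10")
           + struct.pack("!HHHH", 51514, 443, 3, 4)           # ports, input/output ifIndex
           + struct.pack("!II", 4200, 37))                    # bytes, packets
    rec += b"\x00" * (-len(rec) % 4)  # FlowSets are padded to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(rec)) + rec
    header = struct.pack("!HHIIII", 9, 2 if with_template else 1, 123456, 1368662460, 1, 0)
    return header + (tmpl_fs if with_template else b"") + data_fs


if __name__ == "__main__":
    seen = {}  # first datagram has no template, so its data FlowSet is skipped
    for pkt in (build_sample_export(with_template=False), build_sample_export()):
        hdr, recs, skipped = parse_netflow_v9(pkt, seen)
        print(hdr, "skipped:", skipped, "records:", recs)
```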
<span style="font-size: large;"><br /></span>
<h2>
<span style="font-size: large;">For ASA Firewalls:</span></h2>
</div>
<div>
<br /></div>
<div>
This process is a bit more involved on a Cisco ASA firewall than the IOS configuration above.</div>
<div>
<br /></div>
<div>
Firstly we name our Solarwinds Server:</div>
<div>
<br /></div>
<div>
<div>
<span style="color: orange;">name 192.168.0.55 Solarwinds</span></div>
</div>
<div>
<br /></div>
<div>
Enable SNMP:</div>
<div>
<br /></div>
<div>
<div>
<span style="color: orange;">snmp-server host dmz Solarwinds community public</span></div>
<div>
<span style="color: orange;">snmp-server location Marios Pizza Shop</span></div>
<div>
<span style="color: orange;">snmp-server contact Mario Bros</span></div>
<div>
<span style="color: orange;">snmp-server community public</span></div>
<div>
<span style="color: orange;">snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart</span></div>
</div>
<div>
<br /></div>
<div>
Now to enable Netflow - first we create an ACL for what traffic you wish to monitor - typically everything:</div>
<div>
<br /></div>
<div>
<div>
<span style="color: orange;">access-list netflow-export extended permit ip any any</span></div>
</div>
<div>
<br /></div>
<div>
Now we set the Netflow parameters:</div>
<div>
<br /></div>
<div>
<div>
<span style="color: orange;">flow-export destination </span><b><span style="color: red;"><output interface name></span></b><span style="color: orange;"> Solarwinds 2055</span></div>
<div>
<span style="color: orange;">flow-export template timeout-rate 3</span></div>
<div>
<span style="color: orange;">flow-export delay flow-create 10</span></div>
</div>
<div>
<br /></div>
<div>
Configure our Netflow Classes:</div>
<div>
<br /></div>
<div>
<div>
<span style="color: orange;">class-map netflow-export-class</span></div>
<div>
<span style="color: orange;"> match access-list netflow-export<br />!</span></div>
</div>
<div>
<br /></div>
<div>
Configure our Policies:</div>
<div>
<br /></div>
<div>
<div>
<span style="color: orange;">policy-map global_policy</span></div>
</div>
<div>
<div>
<span style="color: orange;"> class netflow-export-class</span></div>
<div>
<span style="color: orange;"> flow-export event-type all destination Solarwinds</span></div>
<div>
<span style="color: orange;">!</span></div>
<div>
<br /></div>
</div>
<br />
<h2>The simplest way to set up a Cisco router for Australian ADSL using PPPoA</h2>
Posted 2013-05-15, updated 2015-09-23.<br />
This tutorial assumes that you are using an ISP which supports PPPoA. Bigpond and Telstra Internet Direct support this.<br />
<br />
In this example I am configuring a Cisco 2811 with a HWIC-1ADSL WIC in Slot 0. This gives it an interface of "atm0/0/0".<br />
<br />
<br />
<span style="color: orange;">interface ATM0/0/0</span><br />
<span style="color: orange;"> description ADSL Physical Interface</span><br />
<span style="color: orange;"> no ip address</span><br />
<span style="color: orange;"> pvc 8/35</span><br />
<span style="color: orange;"> encapsulation aal5mux ppp dialer</span><br />
<span style="color: orange;"> dialer pool-member 1</span><br />
<span style="color: orange;"> !</span><br />
<span style="color: orange;">!</span><br />
<span style="color: orange;"><br /></span>
Next we can configure our Dialer interface. This is used to initiate authentication to your ISP.<br />
<div>
<br /></div>
<div>
<div>
<span style="color: orange;">interface Dialer0</span></div>
<div>
<span style="color: orange;"> description ADSL Dialer Interface</span></div>
<div>
<span style="color: orange;"> ip address negotiated</span></div>
<div>
<span style="color: orange;"> ip nat outside</span></div>
<div>
<span style="color: orange;"> encapsulation ppp</span></div>
<div>
<span style="color: orange;"> dialer pool 1</span></div>
<div>
<span style="color: orange;"> ppp authentication chap callin</span></div>
<div>
<span style="color: orange;"> ppp chap hostname </span><b><span style="color: red;">username@bigpond.com</span></b></div>
<div>
<span style="color: orange;"> ppp chap password </span><b><span style="color: red;">your_password</span></b></div>
<div>
<span style="color: orange;">!</span></div>
</div>
<div>
<br /></div>
<div>
Now we can configure our internal LAN interface:</div>
<div>
<br /></div>
<div>
<div>
<span style="color: orange;">interface FastEthernet0/0</span></div>
<div>
<span style="color: orange;"> description LAN Interface</span></div>
<div>
<span style="color: orange;"> ip address 192.168.0.1 255.255.255.0</span></div>
<div>
<span style="color: orange;"> ip nat inside</span></div>
<div>
<span style="color: orange;"> duplex auto</span></div>
<div>
<span style="color: orange;"> speed auto</span></div>
<div>
<span style="color: orange;">!</span></div>
</div>
<div>
<span style="color: orange;"><br /></span></div>
<div>
Create a standard ACL ready for NAT:</div>
<div>
<br /></div>
<div>
<span style="color: orange;">ip access-list standard LAN</span></div>
<div>
<span style="color: orange;"> permit 192.168.0.0 0.0.0.255</span></div>
<div>
<span style="color: orange;">!</span></div>
<div>
<span style="color: orange;"><br /></span></div>
<div>
Allow NAT for the above ACL:</div>
<div>
<br /></div>
<div>
<div>
<span style="color: orange;">ip nat inside source list LAN interface Dialer0 overload</span></div>
</div>
<div>
<br /></div>
<div>
Finally we set our default route out of the Dialer0 interface:</div>
<div>
<br /></div>
<div>
<span style="color: orange;">ip route 0.0.0.0 0.0.0.0 Dialer0</span></div>
<div>
<span style="color: orange;"><br /></span></div>
<div>
Now with any luck you should have a working internet connection.</div>
<div>
<br /></div>
<div>
To configure DNS and DHCP services on the router please refer to my blog about enabling DHCP and DNS services.</div>
<h2>Setting up DHCP and DNS services on Cisco Routers</h2>
Posted 2013-05-15.<br />
In this post I will explain how to set up DHCP and DNS servers on your Cisco router.<br />
<br />
The network subnet is as follows:<br />
<br />
<span style="color: orange;">Network Address: 192.168.0.0</span><br />
<span style="color: orange;">Subnet Mask: 255.255.255.0</span><br />
<span style="color: orange;">Router: 192.168.0.1</span><br />
<span style="color: orange;">Dynamic Range: 192.168.0.10 - 192.168.0.254</span><br />
<span style="color: orange;">ISP DNS Server: 8.8.8.8</span><br />
<span style="color: orange;">Subnet Domain Name: mylan.local</span><br />
<br />
These commands specify the DNS server and local domain to the router:<br />
<br />
<br />
<span style="color: orange;">ip domain name mylan.local</span><br />
<span style="color: orange;">ip name-server 8.8.8.8</span><br />
<div>
<br /></div>
<div>
This command enables the DNS server on the router:</div>
<div>
<br /></div>
<div>
<span style="color: orange;">ip dns server</span></div>
<br />
<br />
Before we create our DHCP pool, we should exclude the addresses that must never be handed out, in this case 192.168.0.1 to 192.168.0.9:<br />
<br />
<span style="color: orange;">ip dhcp excluded-address 192.168.0.1 192.168.0.9</span><br />
<br />
Now we specify our DHCP Pool:<br />
<br />
<span style="color: orange;">ip dhcp pool MyLAN</span><br />
<span style="color: orange;"> network 192.168.0.0 255.255.255.0</span><br />
<span style="color: orange;"> default-router 192.168.0.1</span><br />
<span style="color: orange;"> dns-server 192.168.0.1</span><br />
<span style="color: orange;"> domain-name mylan.local</span><br />
<span style="color: orange;"> lease 7</span><br />
<span style="color: orange;">!</span><br />
<br />
You may now wish to give particular hosts on your network a fixed IP address. You can do this by creating another DHCP pool with a single host entry:<br />
<br />
<span style="color: orange;">ip dhcp pool MyLaptop</span><br />
<span style="color: orange;"> host 192.168.0.10 255.255.255.0</span><br />
<span style="color: orange;"> client-identifier 0100.0430.52c7.88</span><br />
<span style="color: orange;">!</span><br />
<br />
<div>
Note: The client identifier is NOT the MAC address of the client. The easiest way to find the client identifier is to connect the machine to the network and wait for it to be assigned an IP by the router.</div>
<div>
<br /></div>
<div>
In enable mode, type in:</div>
<div>
<br /></div>
<div>
<span style="color: orange;">show ip dhcp binding</span></div>
<div>
<span style="color: orange;"><br /></span></div>
<div>
Match the client identifier with the IP address you were dynamically assigned then create your static pool like the one mentioned above.</div>
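As an added example (not code from this post), here is a small Python helper that parses the "show ip dhcp binding" output described above, looks up the client identifier for the address a host was given, and emits the single-host pool. It also builds the identifier straight from a MAC, because for Ethernet clients IOS prints the hardware-type byte 01 in front of the MAC, which is why the identifier is not simply the MAC; the sample output below is constructed, not captured from a router.<br />

```python
import re

# Matches one binding line of `show ip dhcp binding`: IP, client-id as dotted
# hex groups, the lease expiry text, and the binding type.
BINDING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<client_id>[0-9a-fA-F]{2,4}(?:\.[0-9a-fA-F]{2,4})+)\s+"
    r"(?P<expires>.+?)\s+(?P<type>Automatic|Manual|Static)\s*$"
)

# Constructed sample output of `show ip dhcp binding` (not a real capture).
SAMPLE_OUTPUT = """\
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.0.10        0100.0430.52c7.88       May 22 2013 02:42 AM    Automatic
192.168.0.11        0100.1122.3344.55       May 22 2013 02:50 AM    Automatic
"""


def parse_dhcp_bindings(output):
    """Return {ip: client_id} for every binding line; header lines are skipped."""
    bindings = {}
    for line in output.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            bindings[m.group("ip")] = m.group("client_id").lower()
    return bindings


def client_id_from_mac(mac):
    """Build the IOS client-identifier for an Ethernet client: hardware type 01
    followed by the 48-bit MAC, grouped the way IOS prints it (xxxx.xxxx.xxxx.xx)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    raw = "01" + digits
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def static_pool_config(pool_name, ip, client_id, mask="255.255.255.0"):
    """Return the config lines for a one-host pool like the MyLaptop example."""
    return [f"ip dhcp pool {pool_name}", f" host {ip} {mask}",
            f" client-identifier {client_id}", "!"]


def pool_for_host(output, ip, pool_name):
    """Look up a dynamically assigned host and emit the matching static pool."""
    bindings = parse_dhcp_bindings(output)
    if ip not in bindings:
        raise KeyError(f"{ip} has no binding yet; let the host lease an address first")
    return static_pool_config(pool_name, ip, bindings[ip])


if __name__ == "__main__":
    print("\n".join(pool_for_host(SAMPLE_OUTPUT, "192.168.0.10", "MyLaptop")))
```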
<h2>Bi-directional NAT/SNAT with Cisco Routers</h2>
Posted 2013-05-15.<br />
Some of you may be familiar with either Microsoft Forefront TMG or ISA Server.<br />
<br />
They had an option when publishing ports to the outside world: "Requests appear to come from the ISA Server computer" (or "Requests appear to come from the Forefront TMG computer").<br />
<br />
This was handy, for instance, if you were publishing ports to the internet on WAN or local servers which didn't have that particular ISA or TMG box as their default gateway.<br />
<br />
This can be particularly handy if you wanted to load balance traffic across two links or simply as a backup way of getting into your network remotely if your primary link fails.<br />
<br />
It basically rewrote the source address of any incoming connection so that, to the internal host, it appeared to come from the router's internal-side IP.<br />
<br />
This guide below shows exactly how to achieve this with a Cisco router running IOS 12.4.<br />
<br />
In a typical scenario, you might have a router configured with ADSL and a Dialer interface with "ip nat outside" and a "Fa0/0" or "G0/0" LAN interface with "ip nat inside"<br />
<br />
It may look like the following:<br />
<br />
<br />
<span style="color: orange;">interface Dialer0</span><br />
<span style="color: orange;"> description ISP ADSL2+ Interface</span><br />
<span style="color: orange;"> ip address negotiated</span><br />
<span style="color: orange;"> ip nat outside</span><br />
<span style="color: orange;"> encapsulation ppp</span><br />
<span style="color: orange;"> dialer pool 1</span><br />
<span style="color: orange;"> dialer-group 1</span><br />
<span style="color: orange;"> ppp authentication chap callin</span><br />
<span style="color: orange;"> ppp chap hostname username@isp.com</span><br />
<span style="color: orange;"> ppp chap password 7 06675F141A1F064F25</span><br />
<span style="color: orange;">!</span><br />
<div>
<span style="color: orange;">interface FastEthernet0/0</span></div>
<div>
<div>
<span style="color: orange;"> description LAN Interface</span></div>
<div>
<span style="color: orange;"> ip address 192.168.0.1 255.255.255.0</span></div>
<div>
<span style="color: orange;"> ip nat inside</span></div>
<div>
<span style="color: orange;"> duplex auto</span></div>
<div>
<span style="color: orange;"> speed auto</span></div>
</div>
<div>
<span style="color: orange;">!</span></div>
<div>
<div>
<span style="color: orange;">access-list 1 permit 192.168.0.0 0.0.0.255</span></div>
</div>
<div>
<span style="color: orange;">dialer-list 1 protocol ip permit</span></div>
<div>
<span style="color: orange;">!</span></div>
<div>
<span style="color: orange;">ip nat inside source list 1 interface Dialer0 overload</span></div>
<div>
<span style="color: orange;">!</span></div>
<div>
<div>
<span style="color: orange;">ip nat inside source static tcp 192.168.0.15 25 interface Dialer0 25</span></div>
</div>
<div>
<span style="color: orange;">!</span></div>
<div>
<span style="color: orange;">ip route 0.0.0.0 0.0.0.0 Dialer0</span></div>
<div>
<br /></div>
<div>
The problem with the above configuration is that the NAT only travels one way. What we want to achieve is a bi-directional NAT.</div>
<div>
<br /></div>
<div>
We need to remove the "ip nat inside" and "ip nat outside" lines from the FastEthernet0/0 and Dialer0 interfaces and replace them with "ip nat enable". This means we can now configure NAT to work both inbound and outbound.</div>
<div>
<br /></div>
<div>
For the below example, we assume that my ISP has assigned me a static IP of 200.200.200.200.</div>
<div>
<br /></div>
<div>
The server I want to publish is a web server on 192.168.0.55.</div>
<div>
<br /></div>
<div>
Assuming that your current configuration is like the above, we would type the following:</div>
<div>
<br /></div>
<div>
<span style="color: orange;"><br /></span></div>
<div>
<span style="color: orange;">interface FastEthernet0/0</span></div>
<div>
<span style="color: red;"> <b>no ip nat inside</b></span></div>
<div>
<span style="color: orange;"> ip nat enable</span></div>
<div>
<span style="color: orange;">!</span></div>
<div>
<span style="color: orange;">interface Dialer0</span></div>
<div>
<b><span style="color: red;"> no ip nat outside</span></b></div>
<div>
<span style="color: orange;"> ip nat enable</span></div>
<div>
<span style="color: orange;">!</span></div>
<div>
<b><span style="color: red;">no ip nat inside source list 1 interface Dialer0 overload</span></b></div>
<div>
<span style="color: orange;">!</span></div>
<div>
<b><span style="color: red;">no access-list 1 permit 192.168.0.0 0.0.0.255</span></b></div>
<div>
<span style="color: orange;">!</span></div>
<div>
<div>
<span style="color: orange;">ip access-list extended NAT_OUT</span></div>
<div>
<span style="color: orange;"> permit ip 192.168.0.0 0.0.0.255 any</span></div>
<div>
<span style="color: orange;">!</span></div>
<div>
<span style="color: orange;">ip access-list extended NAT_IN</span></div>
<div>
<span style="color: orange;"> permit ip any host 200.200.200.200</span></div>
<div>
<span style="color: orange;">!</span></div>
</div>
<div>
<div>
<span style="color: orange;">ip nat source list NAT_IN interface FastEthernet0/0 overload</span></div>
<div>
<span style="color: orange;">ip nat source list NAT_OUT interface Dialer0 overload</span></div>
</div>
<div>
<span style="color: orange;">!</span></div>
<div>
<div>
<span style="color: orange;">ip nat source static tcp 192.168.0.55 80 interface Dialer0 80</span></div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
And that's it! Now when connections are made to the public IP, they are translated internally to the web server, but the source address appears as 192.168.0.1, the IP address bound to the Fa0/0 interface.</div>
<h2>Policy Based Source Routing over two WAN Links with NAT</h2>
Posted 2013-05-10.<br />
The scenario is that I have two Internet links, one over Ethernet and the other over ADSL. I want to push particular hosts on my internal LAN out through the ADSL and the others out through the Ethernet link.<br />
<br />
192.168.0.0/24 = LAN Subnet<br />
FastEthernet0/0 = LAN Interface<br />
FastEthernet0/1 = Internet Connection 1 (Fibre/Cable)<br />
Dialer1 = Internet Connection 2 (ADSL)<br />
<br />
<br />
interface FastEthernet0/0<br />
<div>
ip policy route-map PBR<br />
<span style="color: orange;">The above defines the internal LAN interface to be assigned to the "PBR" route-map which we will define below.</span><br />
ip nat inside</div>
<div>
!</div>
<div>
<div>
ip nat inside source route-map ADSL-Only interface Dialer1 overload<br />
<span style="color: orange;">Specifies that all NAT must adhere to the ADSL-Only and LAN route-maps defined later</span></div>
<div>
ip nat inside source route-map LAN interface FastEthernet0/1 overload</div>
</div>
<div>
!</div>
<div>
<div>
ip access-list extended ADSL-Only<br />
<span style="color: orange;">My two hosts that I want to go out over ADSL</span></div>
<div>
permit ip host 192.168.0.15 any</div>
<div>
permit ip host 192.168.0.10 any</div>
<div>
!</div>
<div>
ip access-list extended LAN<br />
<span style="color: orange;">My LAN subnet</span></div>
<div>
permit ip 192.168.0.0 0.0.0.255 any</div>
</div>
<div>
!</div>
<div>
<div>
route-map ADSL-Only permit 10<br />
<span style="color: orange;">Match this Route-Map to the ADSL-Only ACL above and match it to outbound interface Dialer1. This is for the NAT aspect of routing.</span></div>
<div>
match ip address ADSL-Only</div>
<div>
match interface Dialer1</div>
<div>
!</div>
</div>
<div>
<div>
route-map LAN permit 20<br />
<span style="color: orange;">Match this Route-Map to the LAN ACL above and match it to outbound interface F0/1. </span><span style="color: orange;">This is for the NAT aspect of routing.</span></div>
<div>
match ip address LAN</div>
<div>
match interface FastEthernet0/1</div>
<div>
!</div>
</div>
<div>
<div>
route-map PBR permit 10<br />
<span style="color: orange;">Our PBR route-map, bound to our internal LAN interface, matches the ADSL-Only ACL and pushes all of that traffic out through Dialer1. Since my ADSL does not have a static default or next-hop IP, "set interface Dialer1" is used instead of "set ip next-hop <ip>".</span></div>
<div>
match ip address ADSL-Only</div>
<div>
set interface Dialer1</div>
<div>
!</div>
<div>
route-map PBR permit 20</div>
<div>
match ip address LAN</div>
<div>
set ip next-hop 10.112.8.1</div>
<div>
!</div>
</div>
<div>
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10.112.8.1<br />
<span style="color: orange;">Route maps don't apply to traffic from the router itself. Specifying an ip route here means that the router itself also has a default route to use.</span></div>