{"id":5949,"date":"2017-01-10T16:50:32","date_gmt":"2017-01-10T16:50:32","guid":{"rendered":"https:\/\/stevepedwards.today\/DebianAdmin\/?p=5949"},"modified":"2017-01-10T16:50:32","modified_gmt":"2017-01-10T16:50:32","slug":"cisco-setup-nat-connections-lan-to-wan","status":"publish","type":"post","link":"https:\/\/stevepedwards.today\/DebianAdmin\/cisco-setup-nat-connections-lan-to-wan\/","title":{"rendered":"Cisco Setup NAT Connections (LAN to WAN), ACLs, DNS and DHCP Server"},"content":{"rendered":"
<\/div>\n

<\/path><\/svg><\/i> \"Loading\"<\/p>\n

<\/div>\n

Home routers use Network Address Translation as a method to maximise finite IPv4 address space on the Internet by allowing LAN only IP address ranges on private networks to have Web access by sharing the external WAN IP address(es) and ports, so\u00a0have an effective basic firewall as part of the process, as WAN devices cannot access internal IPs unless a channel is opened by an internal device first - \"established<\/span>\". This may be clearer later in the ACL\u00a0section of the conf file.<\/p>\n

This is achieved by the unit tracking LAN device web service requests from their internal LAN IP and service port number (socket) and replacing the IP\/port with an Internet legal IP address and random port number. This secures the unit to a large degree from unsolicited requests from the Internet TO the LAN but not from the LAN outwards. It is used in conjunction with an Access Control List to further restrict individual users\/LAN devices to select sites and services as required.<\/p>\n

This translation will be seen later once set up.<\/p>\n

There are 2 main protocols that are required to be active on today's Internet to allow web pages to function fully - TCP and UDP. These have to be allowed through\u00a0the unit from the WAN and\/or LAN sides when a LAN device requests a page.<\/p>\n

ACLs are lists of access\/restriction parameters that operate on various IP packet types such as UDP, TCP, ICMP etc. by the unit passing, dropping or altering them in some form according to what services are allowed or not to pass through the unit from one side to the other in either direction across the \"centre\" of the unit. The unit can create packets from it's centre also, such as when a ping is made from the command line to be sent to the WAN or LAN.<\/p>\n

The combination of all these elements in a router\/switch\/firewall allows IP traffic to cross the unit in a controlled and - hopefully - secure manner yet allow full service requirements to be achieved.<\/p>\n

The 877 was left in the last Post with LAN device ping access to the hub Vlan1 interface, and IPCP\/other requested protocol access to the WAN interface - enough to have an ISP allocated external IP address, but no other functionality.<\/p>\n

The DHCP server section to be added - this allocates an IP address POOL named CLIENTS to LAN devices above 192.168.1.20 only.<\/p>\n

cisco877# conf t<\/span><\/p>\n

ip dhcp use vrf connected<\/span>
\nip dhcp excluded-address 192.168.1.1 192.168.1.20<\/span><\/p>\n

ip dhcp pool CLIENTS<\/span>
\n import all<\/span>
\n network 192.168.1.0 255.255.255.0<\/span>
\n default-router 192.168.1.100<\/span>
\nip name-server 8.8.8.8<\/span><\/p>\n

ip domain name workgroup<\/span><\/p>\n

These two ACLs are as simple as it gets for web page access to work - a non restrictive bidirectional ACL for the LAN hosts called\u00a0LAN2WEB, and a restricted WAN traffic ACL called BLOCKWAN with the key term \"established\" that only allows a path INTO the WAN interface from outside IF a LAN device has requested traffic of that type initially. UDP is a \"connectionless\" protocol so cannot be tracked in the same way as TCP, so cannot be \"established\" which makes it much more dangerous and difficult to protect against:<\/p>\n

cisco877#conf t<\/span><\/p>\n

ip access-list extended BLOCKWAN<\/span>
\n permit tcp any any established<\/strong><\/span>
\n permit udp any any<\/span>
\n permit udp host 91.189.89.198 eq ntp any<\/span>
\n deny ip any any<\/span>
\nip access-list extended LAN2WEB<\/span>
\n permit ip any any<\/span>
\n permit udp any any<\/span><\/p>\n

The problem with understanding Cisco confs is that many functions and hardware parts are inter related\/reliant so single commands are not usually\u00a0understood in isolation - they may require other seemingly isolated areas to be functional also - an ACL in conjunction with NAT conf entries for example. This is why even a simple config can be missing just one key line to prevent the device working as intended at all, so it's hard to build up a working conf in strict sections and have each enabled AND working fully. For example, the overload<\/strong><\/span> below is a key command that causes NAT translation of LAN IP adresses\/ports to occur at the WAN\/Dialer1 interface. But, the ACL called LAN2WEB\u00a0is also required to be invoked to enable traffic from the LAN to be processed and allowed into the unit first,\u00a0for\u00a0NAT to translate:<\/p>\n

ip nat pool CLIENT 192.168.1.20 192.168.1.25 netmask 255.255.255.0<\/span>
\nip nat inside source list LAN2WEB interface Dialer1 overload<\/span><\/strong><\/p>\n

Some extra settings required for Vlan1 to be translated over Dialer1 are:<\/p>\n

cisco877#conf t<\/span>
\ncisco877(config)#interface Vlan1<\/span><\/p>\n

cisco877(config-if)#ip access-group LAN2WEB in<\/span>
\ncisco877(config-if)#ip nat inside<\/span>
\ncisco877(config-if)#ip nat enable<\/span><\/p>\n

Some extra settings required for Dialer1 NAT are:<\/p>\n

cisco877(config-if)#interface Dialer1<\/span>
\ncisco877(config-if)#ip access-group BLOCKWAN in<\/span>
\ncisco877(config-if)#ip nat outside<\/span>
\ncisco877(config-if)# ip nat enable<\/span><\/p>\n

Above you see the concept of INSIDE and OUTSIDE interfaces.<\/p>\n

Is this enough to get a DHCP address allocated to a LAN device; NAT translated Web Access; A firewall on the WAN sufficient to pass at grc.com Sheild's Up or is stuff missing? Note the Google and Plusnet name server IPs.<\/p>\n

The running conf - with my added bold commands - at this point is:<\/p>\n

cisco877#sh run<\/span><\/p>\n

Current configuration : 2619 bytes<\/span>
\n!<\/span>
\nversion 12.4<\/span>
\nno service pad<\/span>
\nservice timestamps debug datetime msec<\/span>
\nservice timestamps log datetime msec<\/span>
\nservice password-encryption<\/span><\/strong>
\n!<\/span>
\nhostname cisco877<\/span><\/strong>
\n!<\/span>
\nboot-start-marker<\/span>
\nboot-end-marker<\/span>
\n!<\/span>
\nenable secret 5 $1$e\/g3$ceiyt<\/span><\/strong>
\n enable password 7 0314540<\/span><\/strong>
\n !<\/span><\/strong>
\nno aaa new-model<\/span>
\nip cef<\/span><\/strong>
\n!<\/span>
\n!<\/span>
\nip dhcp use vrf connected<\/span><\/strong>
\n ip dhcp excluded-address 192.168.1.1 192.168.1.20<\/span><\/strong>
\n!<\/span>
\nip dhcp pool CLIENTS<\/span><\/strong>
\n import all<\/span><\/strong>
\n network 192.168.1.0 255.255.255.0<\/span><\/strong>
\n default-router 192.168.1.100 <\/span><\/strong>
\n dns-server 8.8.8.8<\/strong> <\/span>
\n!<\/span>
\n!<\/span>
\nip domain name workgroup<\/span><\/strong>
\n ip name-server 8.8.8.8<\/span><\/strong>
\n ip name-server 212.159.13.49<\/span><\/strong>
\n!<\/span>
\nmultilink bundle-name authenticated<\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\n! <\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\ninterface ATM0<\/span><\/strong>
\n no ip address<\/span><\/strong>
\n ip nat outside<\/span><\/strong>
\n ip virtual-reassembly<\/span><\/strong>
\n logging event atm pvc state<\/span><\/strong>
\n logging event atm pvc autoppp<\/span><\/strong>
\n no atm ilmi-keepalive<\/span><\/strong>
\n dsl operating-mode auto adsl2 adsl2+ <\/span><\/strong>
\n dsl enable-training-log <\/span><\/strong>
\n !<\/span><\/strong>
\ninterface ATM0.1 point-to-point<\/span><\/strong>
\n ip address dhcp<\/span><\/strong>
\n ip nat outside<\/span><\/strong>
\n ip virtual-reassembly<\/span><\/strong>
\n no snmp trap link-status<\/span><\/strong>
\n atm route-bridged ip<\/span><\/strong>
\n atm pppatm link reset<\/span><\/strong>
\n pvc 0\/38 <\/span><\/strong>
\n encapsulation aal5snap<\/span><\/strong>
\n protocol ppp dialer<\/span><\/strong>
\n dialer pool-member 1<\/span><\/strong>
\n ip addr inarp<\/span><\/strong>
\n !<\/span>
\n!<\/span>
\ninterface FastEthernet0<\/span>
\n!<\/span>
\ninterface FastEthernet1<\/span>
\n! <\/span>
\ninterface FastEthernet2<\/span>
\n!<\/span>
\ninterface FastEthernet3<\/span>
\n!<\/span>
\ninterface Dot11Radio0<\/span>
\n no ip address<\/span>
\n shutdown<\/span>
\n speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0<\/span>
\n station-role root<\/span>
\n!<\/span>
\ninterface Vlan1<\/span><\/strong>
\n ip address 192.168.1.100 255.255.255.0<\/span><\/strong>
\n ip access-group LAN2WEB in<\/span><\/strong>
\n ip nat inside<\/span><\/strong>
\n ip nat enable<\/span><\/strong>
\n ip virtual-reassembly<\/span><\/strong>
\n!<\/span>
\ninterface Dialer1<\/span><\/strong>
\n ip address negotiated previous<\/span><\/strong>
\n ip access-group BLOCKWAN in<\/span><\/strong>
\n ip nat outside<\/span><\/strong>
\n ip nat enable<\/span><\/strong>
\n ip virtual-reassembly<\/span><\/strong>
\n encapsulation ppp<\/span><\/strong>
\n dialer pool 1<\/span><\/strong>
\n dialer-group 1<\/span><\/strong>
\n autodetect encapsulation ppp<\/span><\/strong>
\n ppp authentication chap pap callin<\/span><\/strong>
\n ppp chap hostname user@plus.net<\/span><\/strong>
\n ppp chap password 7 071C3549580C1C<\/span><\/strong>
\n ppp ipcp wins request<\/span><\/strong>
\n ppp ipcp mask request<\/span><\/strong>
\n ppp ipcp route default<\/span><\/strong>
\n ppp ipcp address accept<\/span><\/strong>
\n!<\/span>
\nip default-gateway 195.166.130.250<\/span><\/strong>
\n ip route 0.0.0.0 0.0.0.0 Dialer1<\/span><\/strong>
\n!<\/span>
\n!<\/span>
\nno ip http server<\/span>
\nno ip http secure-server<\/span>
\nip nat pool CLIENTS 192.168.1.20 192.168.1.25 netmask 255.255.255.0<\/span><\/strong>
\n ip nat inside source list LAN2WEB interface Dialer1 overload<\/span><\/strong>
\n!<\/span>
\nip access-list extended BLOCKWAN<\/span><\/strong>
\n permit tcp any any established<\/span><\/strong>
\n permit udp any any<\/span><\/strong>
\n permit udp host 91.189.89.198 eq ntp any<\/span><\/strong>
\n deny ip any any<\/span><\/strong>
\n ip access-list extended LAN2WEB<\/span><\/strong>
\n permit ip any any<\/span><\/strong>
\n!<\/span>
\ndialer-list 1 protocol ip permit<\/span><\/strong>
\nsnmp-server community public RO<\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\n!<\/span>
\ncontrol-plane<\/span>
\n!<\/span>
\n!<\/span>
\nline con 0<\/span>
\n no modem enable<\/span>
\nline aux 0<\/span>
\nline vty 0 4<\/span>
\n password 7 051B090031<\/span><\/strong>
\n login<\/span>
\n!<\/span>
\nscheduler max-task-time 5000<\/span>
\nend<\/span><\/p>\n

Sometimes, a router needs a reload to connect properly - as any OS may, so the above did not work fully until rebooted.<\/p>\n

Now I have connected my laptop and got an IP address of\u00a0192.168.1.21 as per the DHCP pool settings:<\/p>\n

stevee@AMDA8 ~ $ ifconfig<\/span>
\neth0 Link encap:Ethernet HWaddr 38:63:bb:ca:cf:2c <\/span>
\n inet addr:192.168.1.21<\/strong> Bcast:192.168.1.255 Mask:255.255.255.0<\/span><\/p>\n

I can also telnet to the 877 and login.<\/p>\n

I have Internet access to grc.com which shows a full stealth pass:<\/p>\n

\"\"<\/a><\/p>\n

This shows the BLOCKWAN ACL on the WAN interface functions well, and that this LAN client has sufficient protocol access to fully load required web pages also, via the LAN2WEB ACL on the Vlan1 interface.<\/p>\n

DNS must be working to access web pages.<\/p>\n

So what does NAT show?<\/p>\n

\"\"<\/a><\/p>\n

You can see all the IP\/port translations between the WAN IP and the LAN IP requests.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

<\/div>\n

<\/path><\/svg><\/i> \"Loading\"<\/p>\n

<\/div>\n

Home routers use Network Address Translation as a method to maximise finite IPv4 address space on the Internet by allowing LAN only IP address ranges on private networks to have Web access by sharing the external WAN IP address(es) and ports, so\u00a0have an effective basic firewall as part of the process, as WAN devices cannot ...\u00a0 Cisco Setup NAT Connections (LAN to WAN), ACLs, DNS and DHCP Server<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-5949","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"a3_pvc":{"activated":true,"total_views":2,"today_views":0},"_links":{"self":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/5949","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/comments?post=5949"}],"version-history":[{"count":0,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/5949\/revisions"}],"wp:attachment":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/media?parent=5949"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/categories?post=5949"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/tags?post=5949"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}