
Tuesday, January 30, 2024

Network Address Translation (NAT)

 


NAT translates private IP addresses into public IP addresses. To reach the internet a host needs a public address; if the LAN uses private addresses, the router must run NAT so that the private source address of each outgoing packet is rewritten to a public one, because private addresses are not routable on the internet.

NAT was developed to solve two problems in IP networking:

1.     The shortage of IPv4 addresses.

2.     Hiding the internal addressing scheme from outside networks.

 

·        Internet users and small companies typically get their public IP addresses from their ISP, which has a limited number of them.

·        ISPs and large companies obtain public address blocks from a Regional Internet Registry (RIR), which in turn receives its allocations from the Internet Assigned Numbers Authority (IANA).

·        Most networking devices (routers, Layer 3 switches, firewalls) support NAT, and VPN deployments commonly interact with it (site-to-site VPN traffic usually has to be exempted from translation). IANA has reserved the following address ranges for private use (RFC 1918):

 

Class A   10.0.0.0 to 10.255.255.255 (10.0.0.0/8)

Class B   172.16.0.0 to 172.31.255.255 (172.16.0.0/12)

Class C   192.168.0.0 to 192.168.255.255 (192.168.0.0/16)


Conditions that require NAT:

Hosts with private IP addresses need to reach the internet.

You need to connect your organization's subnets to the internet through a single public IP address.

You need to assign private IP addresses to VPN users so that firewall policy can be applied to them when they connect to the organization.

You need to hide the internal addressing scheme from the outside world.


NAT Advantages:

·        Conserves IPv4 address space.

·        Reduces the chance of address overlap and increases flexibility when connecting to the internet (the inside network can keep its addressing regardless of the ISP).

·        Hides the internal address scheme, since outside hosts only ever see the translated address. Note that this is obscurity, not a security control: NAT does not inspect or authenticate traffic, and a firewall is still required.

·        Avoids renumbering the internal network when the public address block changes.

NAT Disadvantages:

·        Translation adds per-packet processing delay in the forwarding path.

·        Loss of end-to-end IP traceability: the translated address hides which inside host sent the traffic unless NAT translation logs are kept.

·        Some applications do not work through NAT, in particular those that embed IP addresses in the payload or that require unsolicited inbound connections.

NAT Terminology

          Inside Local Address - the address of an inside host as seen on the inside network, before translation (the private IP).

          Inside Global Address - the address of an inside host as seen from the outside, after translation (the public IP).

          Outside Local Address - the address of an outside host as it appears to the inside network (normally identical to its global address unless outside addresses are translated too).

          Outside Global Address - the real address of an outside host as assigned by its owner, as seen on the outside network.

Types of NAT:

1.     Static NAT

2.     Dynamic NAT

3.     PAT (overload)

Static NAT-

·        Static NAT is a one-to-one mapping between a local and a global address: a single private IP address is mapped to a single public IP address.

·        Keep in mind that static NAT requires one real internet IP address for every inside host that is translated. Because the mapping is permanent, the inside host is also reachable from the outside at all times, which is what you want for a published server and what you do not want for a workstation.

Dynamic NAT-

·        Dynamic NAT maps a group of private IP addresses to a pool of public IP addresses, also known as many-to-many mapping. Entries are created when an inside host sends traffic and age out afterwards.

·        You do not have to configure each mapping by hand as you would with static NAT, but you still need enough real addresses in the pool for every host that will be sending and receiving internet traffic at the same time; when the pool is exhausted, further packets are dropped.

PAT or Overload-

·        NAT overload maps a group of private IP addresses to a single public IP address (many-to-one). Flows are told apart by their source port number, hence Port Address Translation (PAT). This is the form of NAT used almost everywhere today: thousands of users can reach the internet through one real global IP address.

·        NAT overload is a major reason IPv4 addresses have lasted as long as they have.
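The following is an added example for this page, not IOS code or anything from the original author: a small Python model of how a router applies the three NAT types above to source addresses. It reuses the page's lab values (inside network 10.0.0.0/8 standing in for access-list 1, pool 1.1.1.100-1.1.1.200) and shows the behaviour that matters in practice: a static entry is reachable from outside at any time, a dynamic pool drops packets once it is exhausted, and with overload only a flow an inside host already opened can be reached, so unsolicited inbound packets are discarded. The port-allocation rule (keep the source port when free, otherwise the lowest free port from 1024) is an assumption of this model.

```python
"""Toy model of source NAT: static one-to-one, dynamic pool, PAT/overload.
Added example for this page; not IOS code. Addresses reuse the page's lab values."""
import ipaddress


class SourceNat:
    def __init__(self, mode, inside_net, pool, static=None):
        self.mode = mode                                 # "static", "dynamic" or "overload"
        self.inside = ipaddress.ip_network(inside_net)   # plays the role of "access-list 1"
        self.free = list(pool)                           # pool addresses not yet handed out
        self.static = dict(static or {})                 # inside local -> inside global
        self.table = {}                                  # inside key -> global key
        self.reverse = {}                                # global key -> inside key

    def outbound(self, src_ip, src_port):
        """Packet leaving via the 'ip nat inside' interface.
        Returns the translated (ip, port), or None when the router drops it."""
        if ipaddress.ip_address(src_ip) not in self.inside:
            return src_ip, src_port          # not matched by the NAT ACL: forwarded untranslated
        if self.mode == "static":
            glob = self.static.get(src_ip)
            # No static entry: the packet leaves with its private source address (and is
            # dropped upstream), which is why a static design needs one entry per host.
            return (glob, src_port) if glob else (src_ip, src_port)
        if self.mode == "dynamic":
            if src_ip not in self.table:
                if not self.free:
                    return None              # pool exhausted: the packet is dropped
                glob = self.free.pop(0)
                self.table[src_ip] = glob
                self.reverse[glob] = src_ip
            return self.table[src_ip], src_port   # address-only translation, port untouched
        # overload: every host shares one global address; flows are told apart by port
        key = (src_ip, src_port)
        if key not in self.table:
            glob = self.free[0]
            port = src_port if (glob, src_port) not in self.reverse else self._alloc_port(glob)
            if port is None:
                return None                  # all ports on the shared address in use: dropped
            self.table[key] = (glob, port)
            self.reverse[(glob, port)] = key
        return self.table[key]

    def _alloc_port(self, glob):
        # Assumption of this model: lowest free port >= 1024 when the source port is taken.
        for port in range(1024, 65536):
            if (glob, port) not in self.reverse:
                return port
        return None

    def inbound(self, dst_ip, dst_port):
        """Packet arriving on the 'ip nat outside' interface for a global address.
        Returns the inside (ip, port) it is forwarded to, or None when no translation exists."""
        if self.mode == "static":
            for local, glob in self.static.items():
                if glob == dst_ip:
                    return local, dst_port   # static entries work in both directions, always
            return None
        if self.mode == "dynamic":
            local = self.reverse.get(dst_ip)
            return (local, dst_port) if local else None
        # overload: only a flow an inside host already opened has an entry, so unsolicited
        # inbound connections are dropped here
        return self.reverse.get((dst_ip, dst_port))


def demo():
    """Exercise the three modes with the page's addresses; returns the results by name."""
    static = SourceNat("static", "10.0.0.0/8", [], {"10.0.0.2": "1.1.1.100"})
    dyn = SourceNat("dynamic", "10.0.0.0/8", ["1.1.1.100", "1.1.1.101"])
    pat = SourceNat("overload", "10.0.0.0/8", ["1.1.1.100"])
    return {
        "static_out": static.outbound("10.0.0.2", 40000),
        "static_in": static.inbound("1.1.1.100", 80),
        "dyn_first": dyn.outbound("10.0.0.2", 40000),
        "dyn_second": dyn.outbound("10.0.0.3", 40001),
        "dyn_exhausted": dyn.outbound("10.0.0.4", 40002),
        "pat_a": pat.outbound("10.0.0.2", 5000),
        "pat_b": pat.outbound("10.0.0.3", 5000),     # same source port, so a new port is chosen
        "pat_reply": pat.inbound("1.1.1.100", 1024),
        "pat_unsolicited": pat.inbound("1.1.1.100", 443),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Read the overload results together: two hosts both using source port 5000 share 1.1.1.100, the second gets port 1024, the reply to 1.1.1.100:1024 is delivered back to 10.0.0.3:5000, and a packet to 1.1.1.100:443 that no inside host asked for has no entry and is dropped.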


How to Configure Static NAT-



R1(config)#ip nat inside source static 10.0.0.2 1.1.1.100

 

R1(config)#int fa 0/0

 

R1(config-if)#ip nat inside

 

R1(config-if)#int se 0/0

 

R1(config-if)#ip nat outside

 

R1(config-if)#do wr

 

Verification-

R1#show ip nat translations

R1#show ip nat statistics

GoogleServer# tracert 10.0.0.2

R1#clear ip nat translations *

 

Remove Static NAT-

R1(config)#no ip nat inside source static 10.0.0.2 1.1.1.100

 

How to Configure Dynamic NAT-

R1(config)#access-list 1 permit 10.0.0.0 0.255.255.255

 

R1(config)#ip nat pool lab1 1.1.1.100 1.1.1.200 netmask 255.0.0.0

 

R1(config)#ip nat inside source list 1 pool lab1

 

R1(config)#int fa 0/0

 

R1(config-if)#ip nat inside

 

R1(config-if)#int se 0/0

 

R1(config-if)#ip nat outside

 

R1(config-if)#do wr

 

Verification-

R1#show ip nat translations

R1#show ip nat statistics

GoogleServer# tracert 10.0.0.2

R1#clear ip nat translations *

 

Remove Dynamic NAT-

Clear the active translations first, then remove the mapping before the pool (IOS refuses to delete a pool that is still referenced), and finally the access list:

R1#clear ip nat translations *

R1(config)#no ip nat inside source list 1 pool lab1

R1(config)#no ip nat pool lab1 1.1.1.100 1.1.1.200 netmask 255.0.0.0

R1(config)#no access-list 1

 

How to Configure Overload or PAT-

R1(config)#access-list 1 permit 10.0.0.0 0.255.255.255

 

R1(config)#ip nat pool lab2 1.1.1.100 1.1.1.100 netmask 255.0.0.0

 

R1(config)#ip nat inside source list 1 pool lab2 overload

 

R1(config)#int fa 0/0

 

R1(config-if)#ip nat inside

 

R1(config-if)#int se 0/0

 

R1(config-if)#ip nat outside

 

R1(config-if)#do wr

 

Verification-

R1#show ip nat translations

R1#show ip nat statistics

GoogleServer# tracert 10.0.0.2

R1#clear ip nat translations *

 

Remove PAT (Overload)-

Same order as for dynamic NAT: clear translations, remove the overload mapping, remove the pool (the pool is the single address 1.1.1.100 configured above), then the access list:

R1#clear ip nat translations *

R1(config)#no ip nat inside source list 1 pool lab2 overload

R1(config)#no ip nat pool lab2 1.1.1.100 1.1.1.100 netmask 255.0.0.0

R1(config)#no access-list 1


 

Watch my YouTube videos -

https://www.youtube.com/watch?v=_Ig78fp5oJU&t=0s

https://www.youtube.com/watch?v=fjJxRhFURc8&t=0s

https://www.youtube.com/watch?v=RlULesIq30U&t=0s

https://www.youtube.com/watch?v=R57yCHR5Kd4&t=0s

https://www.youtube.com/watch?v=3pjL5D4EuRg&t=0s

https://www.youtube.com/watch?v=Zb_APzMlUng&t=0s

https://www.youtube.com/watch?v=vXSMcKLVAx0&t=0s

https://youtu.be/uSg9D9lMCr0

https://www.youtube.com/watch?v=A2OaptZirmg

https://youtu.be/932KO7tckSk



Tuesday, January 23, 2024

ACCESS CONTROL LIST

 


Why Use Access Lists?

Access lists filter traffic entering and leaving router interfaces and are the basic tool for enforcing a traffic policy on the network.

What are ACLs?

·        An ACL is an ordered list of conditions; each packet is compared against the statements one by one and the first matching statement decides what happens to it.

·        The router reads ACL statements in sequence-number order.

·        Each statement is a deny or a permit tied to a set of match conditions.

·        The ACL therefore filters traffic by permitting or denying the packets that match.

·        Every ACL can match on source address; extended ACLs can also match on destination address, protocol, and port numbers.

·        Conditions can match a single host or a whole subnet, using a wildcard mask.


Reasons to Create ACLs-

The following are some of the primary reasons to create ACLs:

·        Increase security by filtering network traffic.

·        Decide which types of traffic are denied or permitted at the router interfaces.

·        For instance: deny HTTP from a host to a web server while still allowing SSH from that same host.

·        Match whole subnets rather than single hosts by using a wildcard mask.


ACL Rules-

·        The router reads the statements top to bottom and acts on the first one that matches; later statements are not consulted for that packet.

·        Put the most specific statements (usually the denies for particular hosts) before the broader permits, otherwise the broad permit matches first and the deny never takes effect.

·        If the remaining traffic should be allowed, end the list with an explicit permit statement.

·        Every ACL ends with an implicit deny any: a packet that matches no statement is dropped, so an ACL containing only deny lines blocks everything.

·        You can apply one ACL per interface, per protocol, per direction, i.e. at most one inbound and one outbound IPv4 ACL on an interface.

·        In a classic numbered ACL you cannot insert a statement in the middle; new lines are appended in the order typed, so to change the list you remove it and re-enter it (prepare it in a text editor first).

·        For the same reason you cannot remove a single statement from a classic numbered ACL; named ACLs (and numbered ACLs edited through the ip access-list command) support per-line edits using sequence numbers.


Types of ACL’s

There are two types of ACL’s

1.     Standard,     2. Extended


Standard ACL-

A standard ACL filters traffic by examining the source address only, so it should be applied as close to the destination as possible; applied near the source it would cut that source off from everything, not just the intended destination. Standard ACLs use the numbers 1-99 and the expanded range 1300-1999.


The full syntax of the standard ACL command is:

Router(config)#access-list access-list-number {deny | permit} source [source-wildcard ]

Remove a standard ACL. This is the syntax:

Router(config)#no access-list access-list-number



How to Configure Standard ACL

 

R3 Configuration-

 

Router(config)#access-list 10 deny host 10.0.0.2

Router(config)#access-list 10 permit any

 

Router(config)#int fa 0/0

Router(config-if)#ip access-group 10 out

Router(config-if)#do wr

 

Router#show access-lists

Standard IP access list 10

10 deny host 10.0.0.2 (12 match(es))

20 permit any (8 match(es))

 

Router#show ip access-lists 10

Standard IP access list 10

deny host 10.0.0.2 (12 match(es))

permit any (8 match(es))

 

Extended ACL-

An extended ACL filters traffic by examining source address, destination address, protocol, and port numbers. Because it can identify the exact traffic to drop, apply it as close to the source as possible, so unwanted traffic is discarded before it crosses the network.

Extended ACLs use the numbers 100-199 and the expanded range 2000-2699. They are used more often than standard ACLs because they give much finer control: they check both source and destination addresses and can also match on protocol and port number.

Port comparisons use the operators equal (eq), not equal (neq), greater than (gt), and less than (lt) on TCP or UDP ports (a range operator also exists).



How to Configure Extended ACL-

 



R1(config)#access-list 100 deny tcp host 30.0.0.2 10.0.0.101 0.0.0.0 eq 21

R1(config)#access-list 100 deny tcp host 30.0.0.3 10.0.0.100 0.0.0.0 eq 80

R1(config)#access-list 100 permit ip any any

 

R1(config)#int fa 0/0

R1(config-if)#ip access-group 100 out

R1(config-if)#do wr

 

R1(config-if)#do show access-list

Extended IP access list 100

10 deny tcp host 30.0.0.2 host 10.0.0.101 eq ftp (12 match(es))

20 deny tcp host 30.0.0.3 host 10.0.0.100 eq www (12 match(es))

30 permit ip any any (15 match(es))

 

R1(config-if)#do show access-list 100

Extended IP access list 100

deny tcp host 30.0.0.2 host 10.0.0.101 eq ftp (12 match(es))

deny tcp host 30.0.0.3 host 10.0.0.100 eq www (12 match(es))

permit ip any any (15 match(es))

 

Wildcard Mask

A wildcard mask is the bitwise inverse of the subnet mask. To calculate it, subtract the subnet mask from 255.255.255.255 (the all-ones limited broadcast address), for example:

255.255.255.255 all ones

-255.255.255.0 subnet mask

0.0.0.255 wildcard mask

So access-list 99 permit 192.168.1.0 0.0.0.255 matches every address in 192.168.1.0/24, and host 192.168.1.1 is shorthand for 192.168.1.1 0.0.0.0.

All 32 bits of an IP address can be filtered this way. In the wildcard (inverse) mask:

0 = the bit must match

1 = the bit is ignored
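To make the ACL rules, the standard and extended examples above, and the wildcard arithmetic concrete, here is an added Python evaluator for numbered IOS access lists written in exactly the syntax this page uses. It is an example written for this page, not IOS code: it parses the ACLs configured above (plus two constructed ones, a list with no final permit and a list using gt), matches addresses with the wildcard rule (0 = must match, 1 = ignore), walks the entries top to bottom with first-match-wins, and falls through to the implicit deny. Assumptions: ports are numeric, a port operator applies to the destination port, and only the keywords that appear on this page are handled.

```python
"""Evaluator for numbered IOS standard/extended ACLs in the syntax used on this page.
Added example for this page; not IOS code. Numeric destination ports only."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_OPS = {
    "eq": lambda actual, wanted: actual == wanted,
    "neq": lambda actual, wanted: actual != wanted,
    "gt": lambda actual, wanted: actual > wanted,
    "lt": lambda actual, wanted: actual < wanted,
}


def wildcard_for_mask(mask):
    """Wildcard mask = bitwise inverse of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask))))


def wildcard_match(addr, base, wildcard):
    """True when every bit the wildcard marks with 0 is identical in addr and base."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens):
    """Consume one address spec: any | host A | A WILDCARD | A (standard shorthand, wildcard 0.0.0.0)."""
    first = tokens[0]
    if first == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if first == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and _is_ip(tokens[1]):
        return (first, tokens[1]), tokens[2:]
    return (first, "0.0.0.0"), tokens[1:]


@dataclass
class Entry:
    action: str
    proto: str                  # "ip" matches every protocol
    src: tuple
    dst: tuple
    port_op: Optional[str] = None
    port: Optional[int] = None


def parse(config_lines):
    """Group 'access-list N ...' lines by number, preserving the order they were entered."""
    acls = {}
    for line in config_lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        extended = 100 <= number <= 199 or 2000 <= number <= 2699
        if extended:
            proto, rest = rest[0], rest[1:]
            src, rest = _parse_addr(rest)
            dst, rest = _parse_addr(rest)
        else:                   # standard ACL: source only, any destination
            proto = "ip"
            src, rest = _parse_addr(rest)
            dst = ("0.0.0.0", "255.255.255.255")
        op, port = (rest[0], int(rest[1])) if rest and rest[0] in PORT_OPS else (None, None)
        acls.setdefault(number, []).append(Entry(action, proto, src, dst, op, port))
    return acls


def evaluate(entries, src, dst, proto="ip", dport=None):
    """First matching entry decides; falling off the end is the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.port_op and (dport is None or not PORT_OPS[e.port_op](dport, e.port)):
            continue
        return e.action
    return "deny"


# Constructed input: the ACLs configured on this page, plus list 20 (no final permit)
# and list 101 (gt operator) added for illustration.
PAGE_CONFIG = """
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 10 deny host 10.0.0.2
access-list 10 permit any
access-list 100 deny tcp host 30.0.0.2 10.0.0.101 0.0.0.0 eq 21
access-list 100 deny tcp host 30.0.0.3 10.0.0.100 0.0.0.0 eq 80
access-list 100 permit ip any any
access-list 20 deny host 10.0.0.2
access-list 101 permit tcp any any gt 1023
""".strip().splitlines()

ACLS = parse(PAGE_CONFIG)

if __name__ == "__main__":
    print(evaluate(ACLS[10], "10.0.0.2", "8.8.8.8"))                 # deny, line 10
    print(evaluate(ACLS[100], "30.0.0.2", "10.0.0.101", "tcp", 21))  # deny, FTP blocked
    print(evaluate(ACLS[100], "30.0.0.2", "10.0.0.101", "tcp", 22))  # permit, SSH allowed
    print(evaluate(ACLS[20], "10.0.0.9", "8.8.8.8"))                 # deny, implicit deny
```

Two results are worth pausing on: list 20 denies 10.0.0.9 even though no line mentions it, because the implicit deny at the end catches everything the explicit lines miss, and list 100 permits UDP to port 80 from 30.0.0.3 because its deny lines only name tcp.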


Restrict Telnet (vty) Access-

Define the access list first, then bind it to the vty lines with access-class. Unlike ip access-group on an interface, access-class filters connections to the router itself, so only the permitted host can open a Telnet session. Telnet sends the login password in cleartext; on a real device prefer SSH on the vty lines, and treat the passwords below as lab placeholders.

R2#conf t

R2(config)#enable secret cisco

R2(config)#access-list 10 permit 10.0.0.100 0.0.0.0

R2(config)#access-list 10 deny any

 

R2(config)#line vty 0 4

R2(config-line)#password 123

R2(config-line)#login

R2(config-line)#access-class 10 in

R2(config-line)#exit

 

R2(config)#do show access-list

Standard IP access list 10

10 permit host 10.0.0.100 (2 match(es))

20 deny any (10 match(es))

 

R2(config)#do show access-list 10

Standard IP access list 10

permit host 10.0.0.100 (2 match(es))

deny any (10 match(es))


Named ACLs

A named ACL (standard or extended) is identified by a name instead of a number, so that the purpose of the list is obvious to whoever reads the configuration.


The characteristics of a named access list:

·        The name is alphanumeric and case-sensitive.

·        The name cannot begin with a number, cannot contain spaces or characters such as ! or ?, and the same name cannot be reused for another ACL.

·        You must declare the named ACL as standard or extended when you create it.

·        You can delete individual statements in a named access list, and add statements with sequence numbers, instead of rebuilding the whole list.

·        Named access lists are created with the ip access-list command.


How to Configure Named ACLs-

R3(config)#ip access-list standard test1

R3(config-std-nacl)#deny 10.0.0.2 0.0.0.0

R3(config-std-nacl)#permit any

R3(config-std-nacl)#exit

 

R3(config)#int fa 0/0

R3(config-if)#ip access-group test1 out

R3(config-if)#do wr


Video Link- 

https://www.youtube.com/watch?v=A2OaptZirmg

 

