Access List & NAT
global addresses are
Addresses used after NAT translations. These are usually the public addresses used on the Internet
Extended IP Access Lists: IP Extended Access lists have the format,
access-list {number}{permit or deny} {protocol} {source} {destination} {port}
guidelines that you should keep in mind when creating and implementing access lists on a router: - You can assign only one access list per interface per protocol per direction. This means that when applying IP access lists, you can have only
one inbound access list and one outbound access list per interface.
guidelines that you should keep in mind when creating and implementing access lists on a router: - Anytime a new entry is added to the access list, it will be
placed at the bottom of the list, which is why I highly recommend using a text editor for access lists.
With the right combination of access lists, network managers arm themselves with the
power to enforce nearly any security policy they can invent.
Outside global
Address of outside destination host and, again, the real Internet address.
a list of rules to live by when configuring ACLs from the Internet to your production network to mitigate security problems:
- Deny any source addresses from your internal networks. - Deny any local host addresses (127.0.0.0/8). - Deny any reserved private addresses (RFC 1918). - Deny any addresses in the IP multicast address range (224.0.0.0/4).
two more things to keep in mind when working with block sizes and wildcards:
- Each block size must start at 0 or a multiple of the block size. For example, you can't say that you want a block size of 8 and then start at 12. You must use 0-7, 8-15, 16-23, etc. For a block size of 32, the ranges are 0-31, 32-63, 64-95, etc. - The command any is the same thing as writing out the wildcard 0.0.0.0 255.255.255.255.
list of the many security threats you can mitigate with ACLs:
- IP address spoofing, inbound - IP address spoofing, outbound - Denial of service (DoS) TCP SYN attacks, blocking external attacks - DoS TCP SYN attacks, using TCP Intercept - DoS smurf attacks - Denying/filtering ICMP messages, inbound - Denying/Filtering ICMP messages, outbound - Denying/Filtering Traceroute
With extended IP access lists, we can act on any of the following:
- Source address - Destination address - IP protocol (TCP, ICMP, UDP, etc.) - Port information (WWW, DNS, FTP, etc.)
list of situations when NAT can be especially helpful:
- When you need to connect to the Internet and your hosts don't have globally unique IP addresses -When you've changed to a new ISP that requires you to renumber your network - When you need to merge two intranets with duplicate addresses
Advantages of NAT
-Conserves legally registered addresses -Remedies address overlap events -Increases flexibility when connecting to the Internet. -Eliminates address renumbering as a network evolves.
two main types of access lists:
-Standard access lists -Extended access lists
three types of NATs:
-Static NAT -Dynamic NAT -Overloading
three important rules that a packet follows when it's being compared with an access list:
-The packet is always compared with each line of the access list in sequential order—it will always start with the first line of the access list, move on to line 2, then line 3, and so on. - The packet is compared with lines of the access list only until a match is made. Once it matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place. - There is an implicit "deny" at the end of each access list—this means that if a packet doesn't match the condition on any of the lines in the access list, the packet will be discarded.
Disadvantages of NAT
-Translation results in switching path delays -Causes loss of end-to-end IP traceability -Certain applications will not function with NAT enabled
The permitted numbers for some important access-lists are:
1-99: IP standard access list 100-199: IP extended access list 800-899: IPX standard access list 900-999: IPX extended access list 1000-1099: IPX SAP access list 1100-1199: Extended 48-bit MAC address access list
Access lists are primarily used for two purposes:
1. Controlling traffic through a router, and 2. Controlling VTY access to a router's VTY ports
Enable dynamic NAT on an interface include the following:
1. Defining a standard IP access-list using the command: access-list <access-list-number> {permit | deny} <local-ip-address> 2. Defining an IP NAT pool for the inside network using the command: ip nat pool <pool-name> <start-ip> <end-ip> {netmask <net-mask> | prefix-length <prefix-length>} [type-rotary] Note that type-rotary is optional command. It indicates that the IP address range in the address pool identifies hosts among which TCP load is distributed. 3. Mapping the access-list to the IP NAT pool by using the command: ip nat inside source list <access-list-number> pool <pool-name> 4. Enabling NAT on at least one inside and one outside interface using the command: ip nat {inside | outside}
The following two statements are true about dynamic NAT translations:
1. The inside IP addresses eligible for address translation are defined in a standard IP access-list. 2. Only packets moving between inside and outside networks will get translated. This is true even for static NAT. If a packet is destined for another host, but does not require to cross the NAT boundary, the packet source /destination addresses are not translated. This is understandable, since the packet is not crossing the inside network boundary
Overloading
A special case of dynamic NAT that maps multiple unregistered IP addresses to a single registered (globally unique) IP address by using different port numbers. Dynamic NAT with overloading is also known also as PAT (Port Address Translation).
Outside local
Address from which source host is known on the Internet. This is usually the address of the router interface connected to ISP the actual Internet address.
Extended access lists
Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the Protocol field in the Network layer header, and the port number at the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.
Network Address Translation (NAT) and private addressing. These features together allow organizations to use unregistered IP network numbers internally and still communicate well with the Internet. The third standard, classless interdomain routing (CIDR), allows
ISPs to reduce the wasting of IP addresses by assigning a company a subset of a network number rather than the entire network. CIDR also can allow ISPs to summarize routes such that multiple Class A, B, or C networks match a single route, which helps reduce the size of Internet routing tables.
Dynamic NAT
Maps an unregistered IP address to a registered (globally unique) IP address from a group of registered (globally unique) IP addresses.
When you are configuring NAT, NAT should be enabled on at least one inside and one outside interface. The command for enabling NAT on inside interface is:
R(config-if)#ip nat inside The command for enabling NAT on the outside interface is: R(config-if)#ip nat outside Remember to enter into appropriate configuration modes before entering the commands. Usually, the inside NAT will be configured on an Ethernet interface, whereas the outside NAT is configured on a serial interface.
Inside global
Source host address used after translation to get onto the Internet. This is also the actual Internet address.
Inside local
Source host inside address before translation—typically an RFC 1918 address.
Standard access lists
These ACLs use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don't distinguish between any of the many types of IP traffic such as Web, Telnet, UDP, and so on.
Static NAT
This type of NAT is designed to allow one-to-one mapping between local and global addresses. Keep in mind that the static version requires you to have one real Internet IP address for every host on your network.
Inbound access lists
When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won't be routed because they're discarded before the routing process is invoked.
Outbound access lists
When an access list is applied to outbound packets on an interface, packets are routed to the outbound interface and then processed through the access list before being queued.
You typically use NAT on
a border router
Standard IP Access Lists: These have the format,
access-list [number] [permit or deny] [source_address]
The command, ip nat inside source static <local ip> <global ip>configures
address translation for static NAT
Applying an access list causes the router to
analyze every packet crossing that interface in the specified direction and take the appropriate action.
named access lists
are either standard or extended and not actually a distinct type. they're created and referred to differently than standard and extended access lists are, but they're still functionally the same.
Access-list statements are basically packet filters that packets are
compared against, categorized by, and acted upon accordingly. Once the lists are built, they can be applied to either inbound or outbound traffic on any interface
An access list is essentially a list of
conditions that categorize packets, help to exercise control over network traffic,and filter unwanted packets when implementing security policies.
NAT-
decreases the overwhelming amount of public IP addresses required in a networking environment
guidelines that you should keep in mind when creating and implementing access lists on a router: - Unless your access list ends with a permit any command, all packets will be
discarded if they do not meet any of the list's tests. This means every list should have at least one permit statement or it will deny all traffic.
Wildcards are used with access lists to specify an
individual host, a network, or a specific range of a network or networks. The block sizes key to understanding wildcards.
To use an access list as a packet filter, you need to apply it to an
interface on the router where you want the traffic filtered. Reason for this you may want different controls in place for traffic leaving your enterprise destined for the Internet than you'd want for traffic coming into your enterprise from the Internet. (by specifying the direction of traffic, you can and must use different access lists for inbound and outbound traffic on a single interface)
guidelines that you should keep in mind when creating and implementing access lists on a router: - Create access lists and then apply them to an
interface. Any access list applied to an interface without access-list test statements present will not filter traffic.
The most common attack is a denial of service (DoS) attack. Although ACLs can help with a DoS, you really need an
intrusion detection system (IDS) and intrusion prevention system (IPS) to help prevent these common attacks. (Cisco sells the Adaptive Security Appliance (ASA), which has IDS/IPS modules, but lots of other companies sell IDS/IPS products too.)
The syntax for enabling dynamic NAT to translate many inside hosts to an inside global IP address is:
ip nat inside source list <access-list-number> pool <pool-name> overload where <access-list-number> is the standard access list number, and <pool-name> is the pool name. Note that the option 'overload' specifies many to one relationship. This configuration is typically used when many hosts with private IP addresses need to access Internet through a specified globally unique IP address.
The following command configures a static NAT translation by mapping inside local address to the inside global address.
ip nat inside source static 192.168.0.100 88.248.153.137 Here, 192.168.0.100 is the inside local address, and 88.248.153.137 is the inside global address. A packet's source address 192.168.0.100 is changed to 88.248.153.137 by the NAT device.
The command, ip nat inside source list <access-list-number> pool <name>
is used to map the access-list to the IP NAT pool during the configuration of Dynamic NAT.
NAT is also a useful tool for network migrations and
mergers, server load sharing, and creating "virtual servers
NAT, defined in RFC 3022, allows a host that does not have a valid
registered, globally unique IP address to communicate with other hosts through the Internet.
guidelines that you should keep in mind when creating and implementing access lists on a router: -Place IP extended access lists as close to the
source as possible. (Since extended access lists can filter on very specific addresses and protocols, you don't want your traffic to traverse the entire network just to be denied. By placing this list as close to the source address as possible, you can filter traffic before it uses up precious bandwidth.)
guidelines that you should keep in mind when creating and implementing access lists on a router: -Place IP standard access lists as close to
the destination as possible. (This is the reason we don't really want to use standard access lists in our networks. You can't put a standard access list close to the source host or network because you can only filter based on source address and all destinations would be affected as a result.)
guidelines that you should keep in mind when creating and implementing access lists on a router: - You can't remove one line from an access list. If you try to do this, you will remove
the entire list. This is why it's best to copy the access list to a text editor before trying to edit the list. The only exception is when you're using named access lists.
guidelines that you should keep in mind when creating and implementing access lists on a router: - Organize your access lists so that
the more specific tests are at the top.
Local addresses are
the ones we use before NAT translation. This means that the inside local address is actually the private address of the sending host that's attempting to get to the Internet
Wild card masking is used
to permit or deny a group of addresses. For example, if we have a source address 185.54.13.2 and want all the hosts on the last octet to be considered, we use a wild card mask, 185.54.13.255. Special cases: Host 185.54.13.2 is same as 185.54.13.2 with a wild card mask of 0.0.0.0, considers only specified IP. Any is equivalent to saying 0.0.0.0 with a wild card mask of 255.255.255.255. This means none of the bits really matter. All IP addresses need to be considered for meeting the criteria.
guidelines that you should keep in mind when creating and implementing access lists on a router: -Access lists are designed to filter traffic going through the router. They will not filter
traffic that has originated from the router.