/*********************************************************************/
/* Document     : Cisco IOS version 10.x, 11.x, 12.x router commands */
/* Doc. Version : 1.0                                                */
/* File         : cisco.txt                                          */
/* Date         : 28-02-2005                                         */
/* Contents     : compilation of often used IOS commands             */
/* Compiled by  : Albert                                             */
/*********************************************************************/

PART 1: Basic IOS commands:
===========================

1. Entering user mode, or privileged mode, or configuration mode:
-----------------------------------------------------------------

- user mode
-----------

When you access a router through the console, the aux port, or a remote terminal,
you first enter the router in "user exec mode" (user mode). Here you can see all
settings, but you cannot change anything.

login to IOS via console, aux, or via a terminal over the network
-> you enter user exec mode first.

- privileged mode
-----------------

Via the "enable" command you enter "privileged mode", from which you can enter
configuration mode and change the settings of the router.

router>enable
password: xxxx
router#

going back to user mode:

router#disable
router>

logout:

router>logout

- configuration mode
--------------------

When you are in privileged mode, you can enter "configuration mode":

- change the running config (in RAM)

router# configure terminal      (or just config t)
router(config)#

- change the startup config in NVRAM

router# configure memory        (or just config mem)
router(config)#

so:

user mode -> via 'enable' -> privileged mode -> via 'config t' -> configuration mode

Getting out of configuration mode can be done with "exit" or "Ctrl-Z":
- exit brings you 'one level higher'
- Ctrl-Z gets you out of configuration mode altogether

examples:

-- first logon to the router

password: xxxx
router>enable
password: yyyy
router#configure terminal
router(config)#enable password abcd
router(config)#enable secret abcd
router(config)#line console 0
router(config-line)#login
router(config-line)#password cisco
router(config-line)#line vty 0 4
router(config-line)#login
router(config-line)#password cisco

router(config)#service password-encryption
router(config)#no service password-encryption

router(config)#hostname critter
critter(config)#prompt emma
emma(config)#interface serial 1
emma(config-if)#exit
emma(config)#exit
emma#

router(config)#interface fastethernet0/0
router(config-if)#

router(config)#int f0/0.1
router(config-subif)#

router#config t
router(config)#router rip
router(config-router)#

clock: if the router must provide the clock signal (the DCE side of the link)

router(config)#interface serial 0
router(config-if)#clock rate 64000

banners: exec, incoming, login, motd

router(config)#banner motd #
... enter the banner text ....
end with #

Prompts:

ROMMON 1>                    monitor mode
ROUTER>                      user mode
ROUTER#                      privileged mode
router(config)#              global configuration mode
router(config-if)#           interface configuration mode
router(config-subif)#        sub-interface configuration mode
router(config-line)#         line configuration mode
router(config-router)#       router configuration mode
router(config-ipx-router)#   ipx router configuration mode

Router>enable
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#exit
Router#exit                  -- ends the session

2. Logging and debugging commands:
----------------------------------

IOS creates (syslog) messages and by default sends them to the console. But when
you have a telnet session, for example, no syslog messages are seen.

router#terminal monitor         means that this terminal is monitoring syslog messages

or

router(config)#logging buffered   means let the router buffer the messages
router#show logging               is the command to display the buffered messages
                                  in your terminal session

3. Memory types and configuration types in Cisco routers:
---------------------------------------------------------

When the router boots, it loads its IOS from FLASH memory, which is some sort of
PCMCIA card or EEPROM. The configuration of the router (address lists, ip addresses
on interfaces etc..)
is stored as the "startup configuration" in NVRAM, which is loaded into RAM as the
"running configuration".

RAM:   working memory, with the IOS loaded from FLASH and the running configuration
       initially loaded from NVRAM
ROM:   basic IOS software, not used normally
FLASH: IOS software (= rewriteable permanent memory)
NVRAM: contains the startup (saved) configuration (= Non Volatile RAM)

You can display the "startup configuration" in NVRAM and the "running configuration"
in RAM with the following commands:

router#show running-config
router#show startup-config

4. Copy of configuration files:
-------------------------------

You can copy the running configuration to the startup configuration, and the other
way around. You can also store the configuration in an ascii file via TFTP.

router#copy running-config startup-config
router#copy startup-config running-config
router#copy tftp startup-config
router#copy startup-config tftp

erase the startup-config:

router#erase startup-config

If you have a new IOS and want to load it into the router:

router#copy tftp flash

and then you must reload or reboot the router.

5. BOOT procedure router:
-------------------------

1. power on self test
2. router loads the bootstrap code from ROM
3. router finds the IOS in flash and loads it
4. router finds the startup configuration file and loads it as the running configuration

If no configuration is found in NVRAM, the router goes to setup mode. Here you will
be asked to choose between basic and extended setup mode.

The "config-register" command:

You can change the normal sequence by setting the "configuration register" to some
other value. This register is a 16 bit register in the router which can be set with
the "config-register" command. The bootfield of the register is the first 4 bits.
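As an added Python example (not from the original notes), here is a decoder for the register layout this section describes, bits 0-3 as the bootfield and bit 6 as the ignore-NVRAM flag, applied to the 0x2100 / 0x2101 / 0x2102 / 0x2141 values listed in this section; the "show version" line it parses is a constructed sample.

```python
import re

# Added example (not from the original notes): decode and audit Cisco
# configuration-register values. Only the bits the notes discuss are interpreted:
# bits 0-3 (bootfield) and bit 6 (ignore the startup-config in NVRAM).

BOOT_FIELD = {0x0: "ROMMON", 0x1: "RXBOOT"}   # 0x2..0xF: normal IOS boot from flash
IGNORE_NVRAM = 0x0040                          # bit 6, the bit set in 0x2141 for password recovery


def decode_config_register(value: int) -> dict:
    """Split a 16-bit configuration register into the fields the notes describe."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & 0xF
    return {
        "boot_field": boot_field,
        "boot": BOOT_FIELD.get(boot_field, "normal IOS"),
        "ignore_nvram": bool(value & IGNORE_NVRAM),
    }


def register_from_show_version(text: str) -> int:
    """Pull the register out of 'show version' output.

    IOS prints 'Configuration register is 0x2102', optionally followed by
    '(will be 0x2142 at next reload)'. The value that applies at the next reload
    is the one that matters for an audit, so it is preferred when present.
    """
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)"
                  r"(?:\s*\(will be (0x[0-9A-Fa-f]+) at next reload\))?", text)
    if not m:
        raise ValueError("no configuration register line found")
    return int(m.group(2) or m.group(1), 16)


def audit_config_register(value: int) -> list:
    """Findings a reviewer would raise; an empty list means a normal 0x2102-style boot."""
    info = decode_config_register(value)
    findings = []
    if info["ignore_nvram"]:
        findings.append("bit 6 set: the startup-config in NVRAM is ignored at boot; "
                        "a password-recovery setting that was never reverted?")
    if info["boot_field"] == 0x0:
        findings.append("bootfield 0: the router stops in ROMMON after a reload")
    elif info["boot_field"] == 0x1:
        findings.append("bootfield 1: limited RXBOOT image from ROM, not the flash IOS")
    return findings


# Constructed sample of the relevant 'show version' line, not real device output.
SAMPLE_SHOW_VERSION = "Configuration register is 0x2102 (will be 0x2141 at next reload)\n"

if __name__ == "__main__":
    reg = register_from_show_version(SAMPLE_SHOW_VERSION)
    print(hex(reg), decode_config_register(reg))
    for finding in audit_config_register(reg):
        print("-", finding)
```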
If the bootfield (in hex) is
- 0: 0x2100 - load ROMMON; used for low-level debugging or password recovery
- 1: 0x2101 - RXBOOT; used to load the limited-function IOS from ROM
- 2: 0x2102 - load the normal IOS

example:

config-register 0x2101

Bit 6 can be used to ignore the NVRAM; for password recovery, set the
config-register to 0x2141.

6. CDP protocol:
----------------

CDP is enabled by default.

S(config)#no cdp run              -- global command, disabling cdp
S(config)#cdp run                 -- enabling cdp
S(config-if)#no cdp enable        -- disabling cdp for this interface
S(config-if)#cdp enable           -- enabling cdp for this interface

S#show cdp neighbors
S#show cdp neighbors detail
S#show cdp entry yosemite
S#show cdp entry yosemite protocol
S#show cdp interface
S#show cdp traffic

7. Configuration interfaces example:
------------------------------------

hostname Gorno
enable password cisco
interface Serial0
 ip address 134.141.12.1 255.255.255.0
interface Serial1
 ip address 134.141.13.1 255.255.255.0
interface Ethernet0
 ip address 134.141.1.1 255.255.255.0

-- to enable rip (classful)

RouterA(config)#router rip
RouterA(config-router)#network 134.141.0.0

-- to disable rip

no router rip

-- to disable rip on 1 interface

RouterA(config)#router rip
RouterA(config-router)#passive-interface serial 0

- Add a route:

ip route network-number network-mask ip-address
ip name-server server-address1 server-address2 ...
ip domain-lookup

ip route 10.1.2.0 255.255.255.0 10.1.128.252
ip address 10.1.7.252 255.255.255.0 secondary
ip address 10.1.2.252 255.255.255.0

default route example:
----------------------

R1(config)# ip route 0.0.0.0 0.0.0.0 168.13.1.101

PART 2. NETWORK CONFIGURATIONS:
===============================

8. IP/IPX configuration on point-to-point
------------------------------------------

8.1 IP configuration on point-to-point serial links:
----------------------------------------------------

LAPB, HDLC, and PPP are used for a single point-to-point serial link. See section 10.
          -----
          | A |
          -----
          /   \
        Y-------S
        |       |
       ---     ---

Albuquerque#

A#configure terminal
A(config)# interface serial 0
A(config-if)#ip address 10.1.128.251 255.255.255.0
A(config-if)# interface serial 1
A(config-if)#ip address 10.1.130.251 255.255.255.0
A(config-if)# interface ethernet 0
A(config-if)#ip address 10.1.1.251 255.255.255.0

A#show running-config
A#show ip route

     10.0.0.0/24 is subnetted, 3 subnets
C       10.1.1.0 is directly connected, Ethernet0
C       10.1.130.0 is directly connected, Serial1
C       10.1.128.0 is directly connected, Serial0

A#terminal ip netmask-format decimal     -- used to go from the /24 notation to 255.255.255.0
A#show ip route

Yosemite#

Y#show ip interface brief

Interface     IP-Address      OK?  Method  Status  Protocol
Serial0       10.1.128.252    YES  Manual  up      up
Serial1       10.1.129.252    YES  Manual  up      up
Ethernet0     10.1.2.252      YES  Manual  up      up

Seville#

S#show ip route
S#show ip interface serial 1
S#show ip interface serial 0
S#show ip arp
S#debug ip packet
IP packet debugging is on
S#ping 10.1.130.251

Add static routes:

A(config)#ip route 10.1.2.0 255.255.255.0 10.1.128.252
A(config)#ip route 10.1.3.0 255.255.255.0 10.1.130.253

A#show ip route

     10.0.0.0/24 is subnetted, 5 subnets
S       10.1.3.0 [1/0] via 10.1.130.253
S       10.1.2.0 [1/0] via 10.1.128.252
C       10.1.1.0 is directly connected, Ethernet0
C       10.1.130.0 is directly connected, Serial1
C       10.1.128.0 is directly connected, Serial0

Set a default route:

R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.17.251

If you use a default route, you should also use the command

router(config)#ip classless

8.2 IPX configuration on point-to-point serial links:
-----------------------------------------------------

          -----
          | A |
          -----
          /   \
        Y-------S
        |       |
       ---     ---

=Router Albuquerque:

ipx routing 0200.aaaa.aaaa        (mac address on the lan)
interface serial0
 ip address 10.1.12.1 255.255.255.0
 ipx network 1012
 bandwidth 56
interface serial1
 ip address 10.1.13.1 255.255.255.0
 ipx network 1013
interface ethernet 0
 ip address 10.1.1.1 255.255.255.0
 ipx network 1

=Router Yosemite:

ipx routing 0200.bbbb.bbbb
interface serial0
 ip address
 10.1.12.2 255.255.255.0
 ipx network 1012
 bandwidth 56
interface serial1
 ip address 10.1.23.1 255.255.255.0
 ipx network 1023
interface ethernet 0
 ip address 10.1.2.2 255.255.255.0
 ipx network 2

------------------------

A#show interface serial 0
A#show interface Ethernet0
A#sh int e0
A#show ipx interface serial0
A#show ip interface serial 0
A#show ip interface brief
A#show ip route
A#show ipx route
A#show ipx servers
A#debug ipx routing activity      (IPXRIP activity)
A#debug ipx routing events        (IPXRIP events)
A#debug ipx sap activity          (IPXSAP activity)
A#undebug all
A#no debug all

9. Configuring RIP and IGRP:
----------------------------

Each network command enables RIP or IGRP on a set of interfaces.

RIP:

interface ethernet 0
 ip address 10.1.2.3 255.255.255.0
interface ethernet 1
 ip address 172.16.1.1 255.255.255.0
interface tokenring 0
 ip address 10.1.3.3 255.255.255.0
interface serial 0
 ip address 199.1.1.1 255.255.255.0
interface serial 1
 ip address 199.1.2.1 255.255.255.0

R1#configure terminal
R1(config)#router rip
R1(config-router)#network 199.1.1.0
R1(config-router)#network 10.0.0.0

-- Ethernet0, Tokenring0 and Serial0 now have rip enabled

IGRP:

R1#configure terminal
R1(config)#router igrp 1                  -- autonomous system id
R1(config-router)#network 199.1.1.0
R1(config-router)#network 10.0.0.0
R1(config-router)#network 199.1.2.0
R1(config-router)#network 172.16.0.0

-- all interfaces now have igrp enabled

EIGRP:

router eigrp (autonomous system id)
network command

for example:

router eigrp 10
 network 10.0.0.0
 network 172.16.0.0

DEBUGGING:

R1#debug ip rip
R1#debug ip igrp transactions
R1#debug ip igrp events
R1#no debug all
R1#undebug all

DISABLE RIP:

R1(config)#no router rip

10. Serial links:
-----------------

LAPB, HDLC, and PPP are used for a single point-to-point serial link.
          Error detection    Protocol type field
SDLC      Yes                None
LAPB      Yes                None
LAPD      No                 None
HDLC      Yes                None / Yes, Cisco proprietary
PPP       Yes                Yes

-- encapsulation hdlc | ppp | lapb        (hdlc is the default)

R1(config)#interface serial 0
R1(config-if)#encapsulation ppp

R1(config)#interface serial 0
R1(config-if)#encapsulation hdlc

-- compress predictor | stac | mppc

R1(config)#interface serial 0
R1(config-if)#ip address 10.1.11.253 255.255.255.0
R1(config-if)#encapsulation ppp
R1(config-if)#compress stac

R1#show compress
R1#show process

- ppp: LCP control protocols like IPCP, LQM, looped link detection, authentication,
  compression, multilink support
- ppp, lapb and hdlc all support compression:
  ppp : stac, predictor, mppc
  lapb: stac, predictor
  hdlc: stac
- synchronous serial interface: 60 pin D
  V.35, X.21, EIA/TIA-232, EIA/TIA-449, EIA/TIA-530

11. Frame Relay:
----------------

key terms: DTE, DCE, VC, DLCI, LMI, DE, FECN, BECN, LAPF, ITU Q.9xx/ANSI T1.6xx

encapsulation frame-relay (ietf|cisco)
frame-relay lmi-type (cisco|ansi|q933a)
frame-relay map (ip nr - dlci nr)
frame-relay interface-dlci (dlci-nr)
bandwidth num
keepalive sec

show ip route
show frame-relay pvc
show frame-relay map
show frame-relay lmi
show interfaces
show interface s0
debug frame-relay lmi

11.1 One IP subnet/IPX network:
-------------------------------

               -----
               | A |  dlci 51   199.1.1.1
               -----
               /   \
      dlci 52 B-----C dlci 53
    199.1.1.2 |     | 199.1.1.3
             ---   ---

example 1: lmi automatic, cisco instead of ietf etc..

Router A:

ipx routing 0200.aaaa.aaaa
interface serial 0
 encapsulation frame-relay
 ip address 199.1.1.1 255.255.255.0
 ipx network 199
interface ethernet 0
 ip address 199.1.10.1 255.255.255.0
 ipx network 1
router igrp 1
 network 199.1.1.0
 network 199.1.10.0

Similar for routers B and C....

example 2: lmi is ansi:

Router A:

ipx routing 0200.aaaa.aaaa
interface serial 0
 encapsulation frame-relay
 frame-relay lmi-type ansi
 ip address 199.1.1.1 255.255.255.0
 ipx network 199
...
Mayberry#show ip route
Mayberry#show frame-relay pvc
Mayberry#show frame-relay map
...

The DLCI - IP mapping is done here automatically by Inverse ARP.

example 3: same network, no Inverse ARP

Now we must make the mappings ourselves.

Router A:

interface serial 0
 frame-relay map ip 199.1.1.2 52 broadcast
 frame-relay map ipx 199.0200.bbbb.bbbb 52 broadcast
 frame-relay map ip 199.1.1.3 53 broadcast
 frame-relay map ipx 199.0200.cccc.cccc 53 broadcast

similar for routers B and C

11.2 One IP subnet/IPX network per VC:
--------------------------------------

               -----
               | A |  dlci 51
               -----
    140.1.1.0 =/   \= 140.1.2.0
      dlci 52 B     C dlci 53
              |     |
             ---   ---

Router A:

A(config)#ipx routing 0200.aaaa.aaaa
A(config)#interface serial 0
A(config-if)#encapsulation frame-relay
A(config-if)#interface serial 0.1 point-to-point
A(config-subif)#ip address 140.1.1.1 255.255.255.0
A(config-subif)#ipx network 1
A(config-subif)#frame-relay interface-dlci 52
A(config-fr-dlci)#interface serial 0.2 point-to-point
A(config-subif)#ip address 140.1.2.1 255.255.255.0
A(config-subif)#ipx network 2
A(config-subif)#frame-relay interface-dlci 53
A(config-fr-dlci)#interface ethernet 0
A(config-if)#ip address 140.1.11.1 255.255.255.0
A(config-if)#ipx network 11

Router B:

B(config)#ipx routing 0200.bbbb.bbbb
B(config)#interface serial 0
B(config-if)#encapsulation frame-relay
B(config-if)#interface serial 0.1 point-to-point
B(config-subif)#ip address 140.1.1.2 255.255.255.0
B(config-subif)#ipx network 1
B(config-subif)#frame-relay interface-dlci 51
B(config-fr-dlci)#interface ethernet 0
B(config-if)#ip address 140.1.12.2 255.255.255.0
B(config-if)#ipx network 13

The 'ipx routing' command enables SAP and RIP. The 'ipx network' command per
interface enables SAP and RIP on that interface.
11.3 Different frametypes with IPX:
-----------------------------------

Novell:            Cisco:
Ethernet_II        ARPA
Ethernet_802.3     Novell-ether       this is the default
Ethernet_802.2     SAP
Ethernet_SNAP      SNAP

Suppose on the Ethernet of Router B, 2 frametypes are used: Ethernet_802.3 and
Ethernet_802.2.

Router B:

B(config)#ipx routing 0200.bbbb.bbbb
B(config)#interface serial 0
B(config-if)#encapsulation frame-relay
B(config-if)#interface serial 0.1 point-to-point
B(config-subif)#ip address 140.1.1.2 255.255.255.0
B(config-subif)#ipx network 1
B(config-subif)#frame-relay interface-dlci 51
B(config-fr-dlci)#interface ethernet 0
B(config-if)#ip address 140.1.12.2 255.255.255.0
B(config-if)#ipx network 13 encapsulation novell-ether
B(config-if)#ipx network 23 encapsulation sap secondary

or use

interface ethernet 0.1
 ipx network 13 encapsulation novell-ether
interface ethernet 0.2
 ipx network 23 encapsulation sap

12. Access lists:
=================

ip packet -> inbound ACL -> ROUTING -> outbound ACL ->

- packets can be filtered as they enter an interface, before the routing decision
- packets can be filtered before they exit an interface, after the routing decision

12.1 Standard IP access list:
-----------------------------

Logic:

1. compare the packet against the first access-list statement
2. if it matches, perform the permit or deny
3. otherwise, repeat the matching with the next sequential access-list statement
4. if nothing matches, deny the packet (the implicit deny at the end of every list)

A standard access list only uses the source ip address, or part of that address,
to filter traffic.
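The four-step logic above, as an added Python example (not from the original notes): a small evaluator for numbered standard IP access lists that applies the first-match rule and the implicit deny, understands the 'address wildcard', 'host' and 'any' forms used in the examples of this section, and flags two common mistakes a reviewer looks for. The sample lists are those of example 2 below, plus a constructed deny-only list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not from the original notes): evaluate a numbered standard IP
# access list the way the four-step logic describes: first match wins, no match
# means deny. A wildcard bit of 1 means "don't care"; 0 means "must match".


@dataclass
class StdAclEntry:
    action: str      # "permit" or "deny"
    address: int     # 32-bit source address pattern
    wildcard: int    # 32-bit wildcard mask


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(lines: List[str]) -> Dict[int, List[StdAclEntry]]:
    """Group 'access-list <n> permit|deny <source>' lines by number, keeping their order."""
    acls: Dict[int, List[StdAclEntry]] = {}
    for raw in lines:
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                                   # not an access-list statement
        number, action, src = int(parts[1]), parts[2], parts[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {raw}")
        if src[0] == "any":
            address, wildcard = 0, 0xFFFFFFFF
        elif src[0] == "host":
            address, wildcard = _ip(src[1]), 0
        else:
            address = _ip(src[0])
            wildcard = _ip(src[1]) if len(src) > 1 else 0   # no wildcard given: exact match
        acls.setdefault(number, []).append(StdAclEntry(action, address, wildcard))
    return acls


def entry_matches(entry: StdAclEntry, source: int) -> bool:
    """Bits set in the wildcard are ignored; every other bit must equal the pattern."""
    return ((source ^ entry.address) & ~entry.wildcard & 0xFFFFFFFF) == 0


def evaluate(acl: List[StdAclEntry], source_ip: str) -> Tuple[str, Optional[int]]:
    """Steps 1-3: the first matching statement decides. Step 4: no match is a deny."""
    source = _ip(source_ip)
    for index, entry in enumerate(acl):
        if entry_matches(entry, source):
            return entry.action, index
    return "deny", None


def lint(acl: List[StdAclEntry]) -> List[str]:
    """Warn about a list that permits nothing (implicit deny drops everything) and
    about statements that can never be reached after a match-everything statement."""
    warnings = []
    if not any(e.action == "permit" for e in acl):
        warnings.append("no permit statement: the implicit deny drops all traffic")
    for index, entry in enumerate(acl):
        if entry.wildcard == 0xFFFFFFFF and index < len(acl) - 1:
            warnings.append(f"statement {index} matches any source; "
                            f"{len(acl) - index - 1} later statement(s) are unreachable")
            break
    return warnings


# Constructed samples: the lists from example 2 of this section, plus a deny-only list.
ROUTER_B = ["access-list 1 deny host 10.1.2.1", "access-list 1 permit any"]
ROUTER_C = ["access-list 1 deny 10.1.3.0 0.0.0.255", "access-list 1 permit any"]
DENY_ONLY = ["access-list 2 deny host 10.1.2.1"]

if __name__ == "__main__":
    acl_b = parse_standard_acl(ROUTER_B)[1]
    for src in ("10.1.2.1", "10.1.2.9"):
        print("Router B", src, evaluate(acl_b, src))
    acl_deny = parse_standard_acl(DENY_ONLY)[2]
    print("deny-only list:", evaluate(acl_deny, "10.1.3.4"), lint(acl_deny))
```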
commands:

ip access-group 'number'         : to bind to an interface
access-list 'number'             : define the access-list
access-class 'number'            : to bind to a vty line (see 12.3)
show access-list                 : shows all access lists
show ip access-list              : shows the ip access lists
show ipx access-list             : shows the ipx access lists
show ip interface                : shows all acl's and interfaces
show ipx interface               : shows all acl's and interfaces
show ip interface ethernet 0     : shows all acl's attached to this interface
show ipx interface ethernet 0    : shows all acl's attached to this interface

access-list 'number', where number is 1-100

Wildcards in access-list commands:

0.0.0.0          = complete match of the ip address
0.0.0.255        = match the first 24 bits
0.0.255.255      = match the first 16 bits
0.255.255.255    = match the first 8 bits
255.255.255.255  = always a match

example 1:
----------

RouterA(config)#interface Ethernet0
RouterA(config-if)#ip address 172.16.1.1 255.255.255.0
RouterA(config-if)#ip access-group 1 out
RouterA(config)#access-list 1 deny 172.16.3.10 0.0.0.0
RouterA(config)#access-list 1 permit 0.0.0.0 255.255.255.255

or the modern equivalent:

interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
 ip access-group 1
access-list 1 deny host 172.16.3.10
access-list 1 permit any

example 2:
----------

                   10.1.1.0
                    -----
                    | A |
                    -----
                 s0 /   \ s1
        10.1.128.0 /     \ 10.1.130.0
                s0/       \s0
                 B---------C
                 |   129   |
               s1|         |s1
                ---       ---
            10.1.2.0     10.1.3.0
            x = 10.1.2.1

Suppose:
- x is not allowed access to 10.1.1.0
- all hosts on 10.1.3.0 are not allowed access to 10.1.2.0
- all other combinations are allowed

On Router B:

interface serial 0
 ip access-group 1
access-list 1 deny host 10.1.2.1
access-list 1 permit any

On Router C:

interface serial 1
 ip access-group 1
access-list 1 deny 10.1.3.0 0.0.0.255
access-list 1 permit any

12.2 Extended IP access list:
-----------------------------

- access-list "number", where number must be in 100-199
- here you can match on ports, protocols, and other fields in the ip and tcp/udp headers

General syntax:

ip access-group 'number'         : to bind to an interface
access-list 'number'             :
define the access-list

access-list number deny|permit protocol source destination

RouterA(config)#access-list 101 deny tcp any host 10.1.1.1 eq 23
RouterA(config)#access-list 101 deny tcp any host 10.1.1.1 eq telnet
RouterA(config)#access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 any
RouterA(config)#access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 44.1.2.3 0.0.255.255
RouterA(config)#access-list 101 deny ip 33.1.2.0 0.0.0.255 44.1.2.3 0.0.255.255
RouterA(config)#access-list 101 deny icmp 33.1.2.0 0.0.0.255 44.1.2.3 0.0.255.255 echo
RouterA(config)#access-list 101 deny tcp any host 172.16.30.2 eq 23 log
RouterA(config)#access-list 128 deny tcp any 10.55.66.0 0.0.0.255 eq 23

You should follow this with

RouterA(config)#access-list 101 permit ip any any

otherwise the implicit deny at the end of the list blocks all other traffic.

12.3 Named IP access list:
--------------------------

numbered: access-list 1-99 permit|deny
named:    ip access-list standard 'name'
          permit|deny

numbered: access-list 100-199 permit|deny
named:    ip access-list extended 'name'
          permit|deny

numbered: ip access-group 1-99 in|out
named:    ip access-group 'name' in|out

numbered: ip access-group 100-199 in|out
named:    ip access-group 'name' in|out

Using an access-list to restrict vty (telnet) access:

config t
line vty 0 4
 login
 password cisco
 access-class 3 in
access-list 3 permit 10.1.1.0 0.0.0.255

12.4 IPX standard and extended access lists:
--------------------------------------------

Similar to IP access lists, IPX has two types of access lists: standard IPX access
lists and extended IPX access lists.

Standard:
---------

Standard IPX access lists allow or deny packets based on the source and destination
IPX addresses. The template for a standard IPX access list is as follows:

access-list (number from 800 to 899) (permit or deny) (source IPX network number) (destination IPX network number)

The following example shows how an access list permits or denies IPX packets.
Router#config t
Router(config)#access-list 810 permit 30 10
Router(config)#int e0
Router(config-if)#ipx access-group 810 out

Router#config t
Router(config)#access-list 810 deny 50 10
Router(config)#int e0
Router(config-if)#ipx access-group 810 out

Extended:
---------

Extended IPX access lists can filter based on the following: source network, source
node, destination network, destination node, IPX protocol (SAP, SPX etc) and IPX
sockets. The template for an extended IPX access list is as follows:

access-list (number, 900 to 999) (permit or deny) (protocol) (source IPX network number) (source socket) (destination IPX network number) (destination socket)

The following example shows how an extended access list permits or denies IPX
network access:

Router(config)#access-list 910 deny -1 50 0 10 0

This means that any IPX protocol type (-1) from IPX network 50 on all sockets (0)
is denied entry to IPX network 10 on all sockets (0).

Access lists:
-------------

ipx access-group 'number'|'name' in|out       : to bind to an interface
ipx input-sap-filter number                   : to bind a sap filter to an interface (inbound)
ipx output-sap-filter number                  : to bind a sap filter to an interface (outbound)
access-list 800-899 permit|deny               : numbered IPX standard
access-list 900-999 permit|deny               : numbered IPX extended
access-list 1000-1099 permit|deny             : numbered SAP access-list
ipx access-list standard|extended|sap 'name'  : named access-list

Example 1:
----------

             102
            -----
        eth1|    eth0
       R2---|101     /1001
            |       /s0
            |------R1----- 200
            |       \s1
            |        \1002
       R3---|302
       eth0 |

At R1:

ipx routing 0200.1111.1111
interface serial 0
 ip address 10.1.1.1 255.255.255.0
 ipx network 1001
 ipx access-group 820 in
interface serial 1
 ip address 10.1.2.1 255.255.255.0
 ipx network 1002
interface ethernet 0
 ip address 10.1.200.1 255.255.255.0
 ipx network 200
 ipx access-group 810
access-list 820 deny 101
access-list 820 permit -1
access-list 810 permit 302

Example 2: network wildcard mask
--------------------------------

interface serial0
 ip
 address 10.1.1.2 255.255.255.0
 ipx network 200
 ipx access-group 910
access-list 910 deny any 1000 0000000F
access-list 910 permit any -1

13. Cisco switch configuration:
===============================

Cisco switch IOS is a bit different from the regular router IOS, of course due to
the different functions. But for most configuration syntax they are pretty much
alike. Sometimes a port is called an 'interface', but it's really a port.

A crossover utp cable must be used to connect a switch to another switch or hub:
pin 1 - pin 3
pin 2 - pin 6

example: Catalyst 1912 with 12 10BaseT ports: e0/1 - e0/12
         2 fastethernet ports: fa0/26, fa0/27

s#show running-config
s#show spantree
s#show vlan-membership
s#show vlan
s#show vlan 3
s#show ip
s#show interfaces
s#show mac-address-table
s#show mac-address-table security
s#show version

s(config)#ip address                                   (for inband management, global for the switch)
s(config)#ip default-gateway
s(config)#mac-address-table permanent mac-address port
s(config)#mac-address-table restricted static mac-address port src-port-list
s(config-if)#port secure max-mac-count number
s#copy nvram tftp://
s#copy tftp:// nvram
s(config)#address-violation (suspend|ignore|disable)
s(config)#no address-violation
s#delete nvram                                         note that on a router it is R1#erase startup-config

nvram is automatically updated when the running-config is changed, so there is no
'copy run start' command.

sample session: to configure a port
-----------------------------------

s#config terminal
s(config)#ip address 10.5.5.11 255.255.255.0
s(config)#ip default-gateway 10.5.5.3
s(config)#interface e0/1
s(config-if)#duplex half              (full, auto, half, full-flow-control)
s(config-if)#end
s#

sample session: to configure restrictions
-----------------------------------------

In this example, a server is always on port e0/3 (permanent) and another server is
on port e0/4, and only devices on port e0/1 are allowed to send frames to it.
s(config)#mac-address-table permanent 0200.2222.2222 e0/3
s(config)#mac-address-table restricted static 0200.1111.1111 e0/4 e0/1
s(config)#end
s#show mac-address-table

sample session: port security
-----------------------------

Port security limits the number of mac addresses associated with a port in the mac
address table. Port security can be used to restrict port e0/1 so that only 3 mac
addresses can source frames that enter port e0/1.

s(config)#mac-address-table permanent 0200.2222.2222 e0/3
s(config)#mac-address-table restricted static 0200.1111.1111 e0/4 e0/1
s(config)#interface ethernet 0/1
s(config-if)#port secure max-mac-count 3
s(config-if)#end
s#show mac-address-table security

VLAN:
-----

A switch creates 1 broadcast domain, but every port is its own collision domain.
This is the implicit VLAN 1.

VLAN's:
- can create n broadcast domains = n VLAN's = n layer 3 groupings
- routing is needed between VLAN's
- the switch lets devices in 1 VLAN communicate, but does not forward a frame
  entering 1 vlan into a different vlan
- separate address table for each VLAN
- interswitch communication between members of the same vlan is done by tagging the
  frame with a 26 byte ISL header = trunking
- trunking with ISL = Cisco; the alternative is IEEE 802.1Q

Trunking is used between 2 switches, but also between a switch and a router, if the
router supports 'ISL' routing. Then tagged frames can go to and from the router.
The router is connected with a trunk link to the switch.

How does the router use this? It sees the vlan-id and the layer 3 address in the
frame. The router should be configured as in this example:

#interface fastethernet 0.1
#ip address 10.1.1.1 255.255.255.0
#encapsulation isl 1
#interface fastethernet 0.2
#ip address 10.1.2.1 255.255.255.0
#encapsulation isl 2

But you can also have multiple router interfaces connected to multiple normal access
links on the switches, which are in the corresponding VLANs.
sample session: creating VLANs
------------------------------

s(config)#vlan 2 name VLAN2
s(config)#vlan 3 name VLAN3
s(config)#interface e 0/5
s(config-if)#vlan-membership static 2
s(config-if)#interface e 0/6
s(config-if)#vlan-membership static 2
s(config-if)#interface e 0/7
s(config-if)#vlan-membership static 2
..
..
s#show vlan 2
..

To let a VLAN span multiple switches, connect them via the fast ethernet ports and
turn 'trunking' on.

s1(config)#vlan 2 name VLAN2
s1(config)#vlan 3 name VLAN3
s1(config)#interface e 0/5
s1(config-if)#vlan-membership static 2
s1(config-if)#interface e 0/6
s1(config-if)#vlan-membership static 2
s1(config-if)#interface e 0/7
s1(config-if)#vlan-membership static 2
s1(config-if)#interface e 0/8
s1(config-if)#vlan-membership static 3
s1(config-if)#interface e 0/9
s1(config-if)#vlan-membership static 3
s1(config-if)#interface fa 0/26
s1(config-if)#trunk on
s1(config-if)#vlan-membership static 1
s1(config-if)#vlan-membership static 2
s1(config-if)#vlan-membership static 3

s1#show trunk a | b

VTP:
----

VLAN trunking protocol:
- 1 domain, 1 VTP server with VTP clients.
- configure the VTP server and the clients:

s1(config)#vtp server domain abc pruning enable
s2(config)#vtp client
s1#show vtp

14. Some Examples:
==================

Example 1:
----------

Starboss# show running-config
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Starboss
!
enable password cwc
!
memory-size iomem 15
ip subnet-zero
!
frame-relay switching
isdn switch-type basic-net3
!
process-max-time 200
!
interface FastEthernet0/0
 description Starboss RUK LAN
 ip address 172.17.35.70 255.255.255.0
 no ip directed-broadcast
 ip accounting output-packets
 speed 100
 full-duplex
!
interface Serial0/0
 bandwidth 128
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 no ip mroute-cache
 priority-group 1
 cdp enable
!
interface Serial0/0.1 point-to-point
 description 32k PVC to Titan ref:NXPC203765
 bandwidth 32
 ip address 10.10.35.2 255.255.255.0
 no ip directed-broadcast
 no arp frame-relay
 frame-relay interface-dlci 100
!
interface BRI0/0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 shutdown
 dialer map ip 172.17.34.1 02082614099
 dialer-group 1
 isdn switch-type basic-net3
!
interface Ethernet1/0
 description Starboss RPL LAN
 ip address 172.29.31.30 255.255.255.0
 no ip directed-broadcast
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
priority-list 1 protocol ip high tcp telnet
dialer-list 1 protocol ip permit
snmp-server engineID local 000000090200003094017780
snmp-server community ricoh RO
!
line con 0
 password cwc
 transport input none
line aux 0
line vty 0 4
 password cwc
 login
!
end

Starboss#

Example 2:
----------

Titan#show running-config
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Titan
!
enable password cwc
!
ip subnet-zero
!
frame-relay switching
!
interface FastEthernet0/0
 description connected to Titan LAN
 ip address 172.17.30.33 255.255.255.0
 no ip directed-broadcast
 ip accounting output-packets
!
interface Serial0/0
 description *** LMI to C&W Node HRW/EM1 Fruni 4320 Cct M1181933 NXUK271094 ***
 bandwidth 256
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 no ip mroute-cache
 priority-group 1
!
interface Serial0/0.1 point-to-point
 description **** 32k Pvc to Starboss S0/0.1 ****
 bandwidth 32
 ip address 10.10.35.1 255.255.255.0
 no ip directed-broadcast
 frame-relay interface-dlci 101
!
interface Serial0/0.2 point-to-point
 description **** 32k Pvc to Hatton S0/0.1 ****
 bandwidth 32
 ip address 10.10.33.1 255.255.255.0
 no ip directed-broadcast
 frame-relay interface-dlci 102
!
interface Serial0/0.3 point-to-point
 description **** 32k Pvc to Cornhill S0/0.1 ****
 bandwidth 32
 ip address 10.10.37.1 255.255.255.0
 no ip directed-broadcast
 frame-relay interface-dlci 103
!
ip classless
ip route 10.1.7.1 255.255.255.255 172.17.30.22 permanent
ip route 133.139.117.53 255.255.255.255 172.17.30.1 permanent
ip route 133.139.157.51 255.255.255.255 172.17.30.1
ip route 172.17.0.0 255.255.0.0 172.17.30.1
ip route 172.17.2.209 255.255.255.255 172.17.30.1 permanent
ip route 172.17.31.0 255.255.255.0 172.17.30.1
ip route 172.17.32.0 255.255.255.0 172.17.30.1
ip route 172.17.33.0 255.255.255.0 Serial0/0.2
ip route 172.17.35.0 255.255.255.0 Serial0/0.1
ip route 172.17.36.0 255.255.255.0 172.17.30.1
ip route 172.17.37.0 255.255.255.0 Serial0/0.3
ip route 172.17.38.0 255.255.255.0 Null0
ip route 172.29.31.0 255.255.255.0 172.17.35.70 permanent
ip route 192.168.174.6 255.255.255.255 172.17.30.1 permanent
no ip http server
!
priority-list 1 protocol ip high tcp telnet
snmp-server engineID local 000000090200003094C14FA0
snmp-server community ricoh RO
!
line con 0
 password cwc
 transport input none
line aux 0
line vty 0 4
 password cwc
 login
!
end

Titan#

PART 3: OTHER STUFF:
====================

1. Subnetting ip network:
-------------------------

Traditional Classes:

A: 1-126     0xxxxxxx.yyyyyyyy.yyyyyyyy.yyyyyyyy
B: 128-191   10xxxxxx.xxxxxxxx.yyyyyyyy.yyyyyyyy
C: 192-223   110xxxxx.xxxxxxxx.xxxxxxxx.yyyyyyyy
D: 224       1110----.--------.--------.--------

Class C subnetting:

mask               subnets  hosts  subnetbits  hostbits
-----------------------------------------------------------
*255.255.255.128   NA       NA     1           7          not valid
255.255.255.192    2        62     2           6
255.255.255.224    6        30     3           5
255.255.255.240    14       14     4           4
255.255.255.248    30       6      5           3
255.255.255.252    62       2      6           2

Class B subnetting:

mask               subnets  hosts  subnetbits  hostbits
-----------------------------------------------------------
255.255.128.0      NA       NA     1           15
255.255.192.0      2        16382  2           14
255.255.224.0      6        8190   3           13
255.255.240.0      14       4094   4           12
255.255.248.0      30       2046   5           11
255.255.252.0      62       1022   6           10
255.255.254.0      126      510    7           9
255.255.255.0      254      254    8           8
255.255.255.128    510      126    9           7
255.255.255.192    1022     62     10          6
255.255.255.224    2046     30     11          5
255.255.255.240    4094     14     12          4
255.255.255.248    8190     6      13          3
255.255.255.252    16382    2      14          2

PART 4: ISDN:
=============

- Reference points

    -------NT1---- Carrier/ISDN switch
          T    U

    -------NT2-----NT1---- Carrier/ISDN switch
          S  |   T     U
             |
    -------TA
          R

  R1---U---------Provider                    Router with ISDN card with U interface (NT1)    - bri0
  R1--S/T--NT1---U---Provider                Router with ISDN card with S/T interface (TE1)  - bri0
  R1--R----TA--S--NT2--T--NT1--U--Provider   Router without isdn hardware (TE2)              - serial0

- Channels:
  BRI: 2B+1D, PRI: 23B+1D (US), 30B+1D (Europe)

- Standards
  Telephone network and ISDN   - E series   example E.163, E.164
  ISDN concepts, interfaces    - I series   example I.100, I.400
  Switching and signaling      - Q series   example Q.921, Q.931

- Signaling, call setup
  LAPD is used on the D channel between the router and the ISDN switch.
  HDLC or PPP is used on the B channel from end to end, but PPP supports the control
  protocols as well as PAP and CHAP.
  Call setup messages refer to both the called and the calling SPIDs.

- router setup for PPP and CHAP

Router Fred:

username Barney password xyz
interface bri 0
 ip
address 10.3.3.1 255.255.255.0 encapsulation ppp ppp authentication chap Router Barney: username Fred password xyz interface bri 0 ip address 10.3.3.2 255.255.255.0 encapsulation ppp ppp authentication chap ppp multilink -- ppp multilink dialer load-threshold 25 either (in|out|either) ppp multilink -- Configuration Router RouterA#config t RouterA(config)#int bri0 RouterA(config-if)#encapsulation ppp RouterA(config-if)#isdn switch-type 'type' --remote switch type RouterA(config-if)#isdn spid1 086506610100 8650661 RouterA(config-if)#isdn spid2 086506620100 8650662 -- DDR 1. define static routes on the routers involved RouterA(config)#int bri0 RouterA(config-if)#ip address 172.16.60.1 255.255.255.0 RouterA(config-if)#encap ppp RouterA(config)#ip route 172.16.50.0 255.255.255.0 172.16.60.2 RouterA(config)#ip route 172.16.60.2 255.255.255.255 bri0 2. define interesting traffic, or what brings up the isdn line RouterA(config)#dialer-list 1 protocol ip permit RouterA(config)#int bri0 RouterA(config-if)#dialer-group 1 -- binds the access list to bri0 3. define the dialer information, or who must be dialed RouterA(config-if)#dialer-group 1 RouterA(config-if)#dialer string 8350661 or use RouterA(config-if)#dialer map ip 172.16.60.2 name 804B 8350661 This associates an isdn phone number to a next hop router ip address And now define an idle time-out to terminate the connection, and allocate multiple channels at a certain threshold. RouterA(config-if)#dialer load-threshold 125 either RouterA(config-if)#dialer idle-timeout 180 RouterA(config-if)#dialer fast-idle 120 (if more B channels active) 5. Access lists You can limit possible traffic by using an extended access list. 
  For example, permit only email across the isdn link:

  RouterA(config)#dialer-list 1 list 110
  RouterA(config)#access-list 110 permit tcp any any eq smtp
  RouterA(config)#int bri0
  RouterA(config-if)#dialer-group 1

  #show interfaces bri 0:1
  #show dialer interface bri 0
  #show isdn active
  #show isdn status
  #debug isdn q921
  #debug isdn q931
  #debug dialer events
  #debug dialer packets


============
PART 5: NAT:
============

CISCO NAT:
==========

The translation done by NAT can be either static or dynamic. Static translation is where we
specify a lookup table, and one inside address is turned into one pre-specified outside address.
Dynamic is where we tell the NAT router what inside addresses need to be translated, and what
pool of addresses may be used for the outside addresses. There can be multiple pools of outside
addresses. ICMP host unreachable messages are used when addresses run out.

With NAT, multiple internal hosts can also share a single outside IP address, which conserves
address space. This is done by port multiplexing: changing the source port on the outbound
packet so that replies can be directed back to the appropriate machine.

Address translation is not practical for large numbers of internal hosts all talking at the same
time to the outside world. NAT just won't work well at a large scale.

Performance may be a consideration. Currently, NAT causes process switching on NAT interfaces on
a Cisco 7000. You can think of this as: the CPU has to look at every packet, to decide whether or
not to translate it, and to alter the IP header, possibly the TCP header. One doubts that this
will be easily cache-able.

Configuring NAT:
----------------

Static:
-------

Here's a minimal sample configuration for static address translation. We assume Ethernet 0 is
"inside" and Serial 0 is "outside". Private network 10.0.0.0 is used inside, and 192.1.1.0 is
used outside. We'll translate "10.1.2.3" to "192.1.1.2" (and vice versa).
The words "inside source" emphasize that the inside source address is what's getting changed.

         10.0.0.0                                    192.1.1.0
                  |----------------|
      ------------|                |s0-----------------------------
      |         e0|----------------|
      |
      | 10.1.2.3

ip nat inside source static 10.1.2.3 192.1.1.2

interface ethernet 0
 ip address 10.1.2.1 255.255.255.0
 ip nat inside

interface serial 0
 ip address 192.1.1.1 255.255.255.0
 ip nat outside

You may add address mappings or inside or outside interfaces as necessary.

Dynamic:
--------

Let's look at dynamic (pooled) translation. Same network and addresses as before. We'll set up a
pool of addresses, translating sources in the range 10.1.2.0 through 10.1.2.255 to the range
192.1.1.10 through 20. The access list indicates what source addresses can be translated. The
idea of the third line is that inside source addresses matching list 20 get translated to
addresses from the pool named LegalPool. It pretty much says that, doesn't it!

ip nat pool LegalPool 192.1.1.10 192.1.1.20 netmask 255.255.255.0
access-list 20 permit 10.1.2.0 0.0.0.255
ip nat inside source list 20 pool LegalPool

interface ethernet 0
 ip address 10.1.2.1 255.255.255.0
 ip nat inside

interface serial 0
 ip address 192.1.1.1 255.255.255.0
 ip nat outside

You can configure outside source address translation similarly, changing "inside source" to
"outside source" in the above examples.

Let's look at how to do static outside address translation, supposing subnet 10.1.5.0 occurs
both inside and outside (we're connecting to another company here). We only need to talk to the
outside machine 10.1.5.3, and we'll readdress it as private address 192.168.1.1 on the inside
(if we use 10.1.5.x, we have more complex routing issues to think about). This might call for
something like the following.
ip nat outside source static 10.1.5.3 192.168.1.1

interface ethernet 0
 ip address 10.1.2.1 255.255.255.0
 ip nat inside

interface serial 0
 ip address 10.1.3.1 255.255.255.0
 ip nat outside

Examples:
---------

Example 1:
==========

Define Inside Local and Inside Global Addresses:
------------------------------------------------

 A= 10.10.10.1                                                171.16.68.1
      |                                                           |
      |            |----------------|                             |
 ------------------|                |----------------------------- >>>
                 e0|----------------|s0

In the configuration shown, when the NAT router receives a packet on its inside interface with a
source address of 10.10.10.1, the source address is translated to 171.16.68.5. This also means
that when the NAT router receives a packet on its outside interface with a destination address
of 171.16.68.5, the destination address is translated to 10.10.10.1.

ip nat inside source static 10.10.10.1 171.16.68.5
!--- Inside device A is known by the outside cloud as 171.16.68.5.

interface s 0
 ip nat inside

interface s 1
 ip nat outside

Because of the way NAT is configured, the inside addresses are the only addresses that are
translated; therefore, the "inside local" address is different from the "inside global" address,
while the "outside local" address is the same as the "outside global" address.

Define Outside Local and Outside Global Addresses:
--------------------------------------------------

In the next configuration, when the NAT router receives a packet on its outside interface with a
source address of 171.16.68.1, the source address is translated to 10.10.10.5. This also means
that if the NAT router receives a packet on its inside interface with a destination address of
10.10.10.5, the destination address is translated to 171.16.68.1.

ip nat outside source static 171.16.68.1 10.10.10.5
!--- Outside device A is known to the inside cloud as 10.10.10.5.
interface s 0
 ip nat inside

interface s 1
 ip nat outside

In this example, because of the way NAT is configured, only the outside addresses get
translated; therefore, the "outside local" address is different from the "outside global"
address, while the "inside local" address is the same as the "inside global" address.

Define All Local and Global Addresses:
--------------------------------------

In the final configuration, when the NAT router receives a packet on its inside interface with a
source address of 10.10.10.1, the source address is translated to 171.16.68.5. When the NAT
router receives a packet on its outside interface with a source address of 171.16.68.1, the
source address is translated to 10.10.10.5.

This also means that when the NAT router receives a packet on its outside interface with a
destination address of 171.16.68.5, the destination address is translated to 10.10.10.1. Also,
when the NAT router receives a packet on its inside interface with a destination address of
10.10.10.5, the destination address is translated to 171.16.68.1.

ip nat inside source static 10.10.10.1 171.16.68.5
!--- Inside device A is known to the outside cloud as 171.16.68.5.
ip nat outside source static 171.16.68.1 10.10.10.5
!--- Outside device A is known to the inside cloud as 10.10.10.5.
interface s 0
 ip nat inside

interface s 1
 ip nat outside

Example 2:
==========

 internal Device A
 10.10.10.1/24                            NAT
       |       ------      e0 |----------|s0 172.16.130.2/24
       --------|      |-------|          |-----------------------------
               ------         |----------|                    |172.16.130.1/24
                                                           -------
                                                           |     |  OutSide Device A
                                                           -------
                                                              |192.168.1.1/24
                                                              |
                                                    -------------------------

These commands are configured on the NAT router shown above:

ip nat pool test 172.16.131.2 172.16.131.10 netmask 255.255.255.0
ip nat inside source list 7 pool test
ip nat inside source static 10.10.10.1 172.16.131.1

interface e 0
 ip address 10.10.10.254 255.255.255.0
 ip nat inside

interface s 0
 ip address 172.16.130.2 255.255.255.0
 ip nat outside

ip route 192.168.1.0 255.255.255.0 172.16.130.1
access-list 7 permit 10.10.10.0 0.0.0.255

The configuration on the OutsideA device is:

interface Serial1/0
 ip address 172.16.130.1 255.255.255.0
 serial restart-delay 0
 clockrate 64000
!
interface FastEthernet2/0
 ip address 192.168.1.1 255.255.255.0
 speed auto
 half-duplex

ip route 172.16.131.0 255.255.255.0 172.16.130.2

The configuration on the InsideA device is:

interface Ethernet1/0
 ip address 10.10.10.1 255.255.255.0
 half-duplex
!
ip route 0.0.0.0 0.0.0.0 10.10.10.254

Using the show ip nat translations command, you can see the contents of the translation table:

NATrouter#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.131.1       10.10.10.1         ---                ---

Example 3:
==========

 internal Device A
 145.21.32.150/22                          NAT
       |       ------   145.21.32.89/22 e0 |-------------------------|e1 10.x.y.z/24
       --------|      |--------------------|                         |-----------------
               ------                      |-------------------------|         |10.x.y.w/24
                                                                             -------
                                                                             |     |  OutSide Device A
                                                                             -------
                                                                                |10.
                                                                                |
                                                                      -------------------------

These commands are configured on the NAT router shown above:

ip nat pool test 10.x.w.n 10.x.w.m netmask 255.255.255.0
ip nat inside source list 7 pool test
ip nat inside source static 145.21.32.150 10.x.w.n

interface e 0
 ip address 145.21.32.89 255.255.248.0
 ip nat inside

interface e 1
 ip address 10.x.y.z 255.255.255.0
 ip nat outside

ip route 192.168.1.0 255.255.255.0 172.16.130.1
access-list 7 permit 145.21.32.0 0.0.0.255


CISCO PIX NAT:
==============

Example 1:
----------

In this tip, administrators can learn how to configure a new PIX firewall, out of the box. You
will configure passwords, IP addresses, network address translation (NAT) and basic firewall
rules.

Let's say that your boss hands you a new PIX firewall. It has never been configured. He says that
it needs to be configured with some basic IP addresses, security and a couple of basic firewall
rules. You have never used a PIX firewall before. How will you be able to perform this
configuration? After reading this article, it should be easy. Let's find out how.

-- The basics of a Cisco PIX firewall --
----------------------------------------

A Cisco PIX firewall is meant to protect one network from another. There are PIX firewalls for
small home networks and PIX firewalls for huge campus or corporate networks. In this example, we
will be configuring a PIX 501 firewall. The 501 model is meant for a small home network or a
small business.

PIX firewalls have the concept of inside and outside interfaces. The inside interface is the
internal, usually private, network. The outside interface is the external, usually public,
network. You are trying to protect the inside network from the outside network.

PIX firewalls also use the adaptive security algorithm (ASA). This algorithm assigns security
levels to interfaces and says that no traffic can flow from a lower-level interface (like the
outside interface) to a higher-level interface (like the inside interface) without a rule
allowing it.
The outside interface has a security level of zero and the inside interface has a security level
of 100. Here is what the output of the show nameif command looks like:

pixfirewall# show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
pixfirewall#

Notice the ethernet0 interface is the outside interface (its default name) and the security level
is 0. On the other hand, the ethernet1 interface is named inside (the default) and has a security
level of 100.

-- Guidelines --
----------------

Before beginning the configuration, your boss has given you some guidelines that you need to
follow. Here they are:

- All passwords should be set to "cisco" (in reality, you make these whatever you want, but not
  "cisco").
- The inside network is 10.0.0.0 with a 255.0.0.0 subnet mask. The inside IP address for this
  PIX should be 10.1.1.1.
- The outside network is 1.1.1.0 with a 255.255.255.0 subnet mask. The outside IP address for
  this PIX should be 1.1.1.1.
- You want to create a rule to allow all inside clients on the 10.0.0.0 network to do port
  address translation and connect to the outside network. They will all share the global IP
  address 1.1.1.2.
- However, clients should only have access to port 80 (Web browsing).
- The default route for the outside (Internet) network will be 1.1.1.254.

    10.0.0.0 / 8                                       1.1.1.0 / 24
         |                                                 |
         |         |----------------|                      |     |---------------|
 -------------- e1 |      PIX       | e0 ------------------------|     Router    |--------
                   |----------------|                            |---------------|
              10.1.1.1           1.1.1.1                            1.1.1.254
                                 1.1.1.2

-- The configuration --
-----------------------

When you boot up your PIX firewall for the first time, you should see a screen like this:

Cannot be shown in a text document, but looks a bit like:

*************************************
Copyright (c) 1996-2003 Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication >>>>>>>>>>>>>>>
>>>>>>>> more stuff >>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Cryptochecksum(changed): d41424 gs6266 e373738 ec52525

Pre-configure PIX Firewall now through interactive prompts [yes]?

You will be prompted to answer YES or NO as to whether or not you want to configure the PIX
through interactive prompts. Answer NO to this question because you want to learn how to really
configure the PIX firewall, not just answer a series of questions. After that, you will be sent
to a prompt that looks like this:

pixfirewall>

With the "greater than" symbol at the end of the prompt, you are in the PIX user mode. Change to
privileged mode with the en or enable command. Press "enter" at the Password prompt. Here is an
example:

pixfirewall> en
Password:
pixfirewall#

You now have administrative mode to show things but would have to go into global configuration
mode to configure the PIX. Now, let's move on to basic configuration of the PIX:

-- Basic PIX configuration --
-----------------------------

What I am calling basic configuration is made up of these things:

  Set the hostname
  Set passwords (login and enable)
  Configure IP addresses on interfaces
  Enable interfaces
  Configure a default route

Before you can do any of these things, you need to go into global configuration mode. To do
this, type:

pixfirewall# config t
pixfirewall(config)#

To set the hostname, use the hostname command, like this:

pixfirewall(config)# hostname PIX1
PIX1(config)#

Notice that the prompt changed to the name that you set. Next, set the login password to cisco,
like this:

PIX1(config)# password cisco
PIX1(config)#

This is the password required to gain any access to the PIX except administrative access. Now,
configure the enable mode password, used to gain administrative mode access.

PIX1(config)# enable password cisco
PIX1(config)#

Now we need to configure IP addresses on interfaces and enable those interfaces.
The PIX, unlike a router, has no concept of interface configuration mode. To configure the IP
address on the inside interface, use this command:

PIX1(config)# ip address inside 10.1.1.1 255.0.0.0
PIX1(config)#

Now, configure the outside interface IP address:

PIX1(config)# ip address outside 1.1.1.1 255.255.255.0
PIX1(config)#

Next, enable both the inside and outside interfaces. Make sure that the Ethernet cable, on each
interface, is connected to a switch. Note that the ethernet0 interface is the outside interface,
and it is only a 10base-T interface on a PIX 501. The ethernet1 interface is the inside
interface, and it is a 100Base-T interface. Here is how you enable these interfaces:

PIX1(config)# interface ethernet0 10baset
PIX1(config)# interface ethernet1 100full
PIX1(config)#

Note that you can do a show interfaces command, right from the global configuration prompt line.

Finally, let's configure a default route so that all traffic sent to the PIX will flow to the
next upstream router (the 1.1.1.254 IP address that we were given). Here is how you do this:

PIX1(config)# route outside 0 0 1.1.1.254
PIX1(config)#

The PIX firewall can, of course, support dynamic routing protocols as well (such as RIP and
OSPF). Now, let's move on to some more advanced configuration.

-- Network Address Translation --
---------------------------------

Now that we have IP address connectivity, we need to use Network Address Translation (NAT) to
allow inside users to connect to the outside. We will use a type of NAT, called PAT or NAT
Overload, so that all inside devices can share one public IP address (the outside IP address of
the PIX firewall). To do this, enter these commands:

PIX1(config)# nat (inside) 1 10.0.0.0 255.0.0.0
PIX1(config)# global (outside) 1 1.1.1.2
Global 1.1.1.2 will be Port Address Translated
PIX1(config)#

With this, all inside clients are able to connect to devices on the public network and share IP
address 1.1.1.2.
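What the translator has to keep track of for this sharing, and for the pooled IOS NAT in PART 5 (port multiplexing on one global address, and a pool that runs out), as an added Python model that is not part of the original notes or of any Cisco software. The inside hosts, the 203.0.113.10 web server and all port numbers are constructed for the demo; a real PIX allocates ports its own way, so only the bookkeeping is shown.

```python
# Added example, not from the original notes: a model of the translation table
# behind "nat (inside) 1 10.0.0.0 255.0.0.0 / global (outside) 1 1.1.1.2" (PAT)
# and behind the IOS "ip nat inside source list 20 pool LegalPool" (pooled NAT).
# Every address and port below is constructed for the demo.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTranslator:
    """Port multiplexing: many inside (ip, port) pairs share one global address."""

    def __init__(self, inside_net, global_ip, first_port=1024, last_port=65535):
        self.inside_net = ipaddress.ip_network(inside_net)    # the nat (inside) range
        self.global_ip = global_ip                            # the single global address
        # Stored high-to-low so that pop() hands out the lowest free port first.
        self.free_ports = list(range(last_port, first_port - 1, -1))
        # xlate: (inside ip, inside port, outside ip, outside port) -> global port
        self.xlate = {}
        # reverse: (global port, outside ip, outside port) -> (inside ip, inside port)
        self.reverse = {}

    def outbound(self, pkt):
        """Rewrite a packet leaving the inside interface; None if it cannot be translated."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return None                       # not covered by the nat statement
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.xlate:
            if not self.free_ports:
                return None                   # no free xlate slot on the PAT address
            gport = self.free_ports.pop()
            self.xlate[key] = gport
            self.reverse[(gport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.global_ip, self.xlate[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Rewrite a reply arriving on the outside interface; None if no xlate matches."""
        if pkt.dst_ip != self.global_ip:
            return None
        hit = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if hit is None:
            return None                       # unsolicited inbound packet: nowhere to send it
        inside_ip, inside_port = hit
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


class PoolTranslator:
    """Dynamic one-to-one NAT from an address pool, gated by an access list."""

    def __init__(self, permitted_net, pool_first, pool_last):
        self.permitted = ipaddress.ip_network(permitted_net)  # access-list 20 permit ...
        lo, hi = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
        # Stored high-to-low so that pop() hands out the lowest pool address first.
        self.free = [str(lo + i) for i in range(int(hi) - int(lo), -1, -1)]
        self.xlate = {}                       # inside ip -> global ip

    def outbound_ip(self, src_ip):
        """Global address for an inside source; the source itself if the list does not
        match; None when the pool is exhausted (the router answers ICMP host unreachable)."""
        if ipaddress.ip_address(src_ip) not in self.permitted:
            return src_ip
        if src_ip not in self.xlate:
            if not self.free:
                return None
            self.xlate[src_ip] = self.free.pop()
        return self.xlate[src_ip]


def demo():
    """Two inside hosts using the same source port reach one web server through 1.1.1.2."""
    pat = PatTranslator("10.0.0.0/8", "1.1.1.2")
    web_ip, web_port = "203.0.113.10", 80                    # constructed outside server
    a = pat.outbound(Packet("10.1.1.10", 40000, web_ip, web_port))
    b = pat.outbound(Packet("10.1.1.11", 40000, web_ip, web_port))
    reply_to_b = pat.inbound(Packet(web_ip, web_port, "1.1.1.2", b.src_port))
    stray = pat.inbound(Packet(web_ip, web_port, "1.1.1.2", 9999))
    outsider = pat.outbound(Packet("192.168.5.5", 1234, web_ip, web_port))
    return a, b, reply_to_b, stray, outsider


if __name__ == "__main__":
    for p in demo():
        print(p)
```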
However, clients don't yet have any rule allowing them to do this.

-- Firewall rules --
--------------------

These clients on the inside network have a NAT translation, but that doesn't necessarily mean
that they are allowed access. They now need a rule to allow them to access the outside network
(the Internet). That rule will also allow the return traffic to come back in. To make a rule to
allow these clients port 80 (Web browsing), you would type this:

PIX1(config)# access-list outbound permit tcp 10.0.0.0 255.0.0.0 any eq 80
PIX1(config)# access-group outbound in interface inside
PIX1(config)#

Note that PIX access lists, unlike router access lists, use a normal subnet mask, not a wildcard
mask. With this access list, you have restricted the inside hosts to accessing Web servers only
on the outside network (routers).

-- Showing and saving the configuration --
------------------------------------------

Now that you have configured the PIX firewall, you can show your configuration with the show run
command. Make sure that you save your configuration with the write memory or wr m command. If
you don't, your configuration will be lost when the PIX is powered off.

Example 2:
----------

!--- Sets the outside address of the PIX Firewall:
ip address outside 131.1.23.2

!--- Sets the inside address of the PIX Firewall:
ip address inside 10.10.254.1

!--- Sets the global pool for hosts inside the firewall:
global (outside) 1 131.1.23.12-131.1.23.254

!--- Allows hosts in the 10.0.0.0 network to be
!--- translated through the PIX:
nat (inside) 1 10.0.0.0

!--- Configures a static translation for an admin workstation
!--- with local address 10.14.8.50:
static (inside,outside) 131.1.23.11 10.14.8.50

!--- Allows syslog packets to pass through the PIX from RTRA.
!--- You can use conduits OR access-lists to permit traffic.
!--- Conduits have been added to show the use of the command,
!--- however they are commented in the document, since the
!--- recommendation is to use access-list.
!--- To the admin workstation (syslog server):
!--- Using conduit:
!--- conduit permit udp host 131.1.23.11 eq 514 host 131.1.23.1
!--- Using access-list:
access-list 101 permit udp host 131.1.23.1 host 131.1.23.11 eq 514
access-group 101 in interface outside

!--- Permits incoming mail connections to 131.1.23.10:
static (inside,outside) 131.1.23.10 10.10.254.3
!--- Using conduits:
!--- conduit permit tcp host 131.1.23.10 eq smtp any
!--- Using access-lists, we use access-list 101
!--- which is already applied to interface outside.
access-list 101 permit tcp any host 131.1.23.10 eq smtp

!--- PIX needs static routes or the use of routing protocols
!--- to know about networks not directly connected.
!--- Add a route to network 10.14.8.x/24.
route inside 10.14.8.0 255.255.255.0 10.10.254.2

!--- Add a default route to the rest of the traffic
!--- that goes to the internet.
route outside 0.0.0.0 0.0.0.0 131.1.23.1

!--- Enables the Mail Guard feature
!--- to accept only seven SMTP commands
!--- HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT:
!--- (This can be turned off to permit ESMTP by negating with
!--- the no fixup protocol smtp 25 command):
fixup protocol smtp 25

!--- Allows Telnet from the inside workstation at 10.14.8.50
!--- into the inside interface of the PIX:
telnet 10.14.8.50

!--- Turns on logging:
logging on
!--- Turns on the logging facility 20:
logging facility 20
!--- Turns on logging level 7:
logging history 7
!--- Turns on the logging on the inside interface:
logging host inside 10.14.8.50

Example 3:
----------

pix outside:           195.73.20.75 / 255.255.255.248
Device A in inside is: 192.168.1.2  / 255.255.255.0

 A= 192.168.1.2                                      195.73.20.75
         |                                                |
         |         |----------------|                     |     |---------------|
 -------------- e0 |      PIX       | e1 -----------------------| ADSL or Cable |--------
                   |----------------|                           |---------------|
                                                             195.73.20.73

ip address outside 195.73.20.75 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
nat (inside) 1 192.168.1.0
static (inside,outside) 192.168.1.2 195.73.20.75
route outside 0 0 195.73.20.73 1

Example 4:
----------

ip address inside 10.1.1.1 255.255.255.0
ip address outside 209.165.201.1 255.255.255.224
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.2 netmask 255.255.255.224
static (inside,outside) 209.165.201.3 10.1.1.3 netmask 255.255.255.255
access-list acl_out permit tcp any host 209.165.201.3 eq www
aaa authentication include http outside 209.165.201.3 255.255.255.255 0 0 TACACS+
route outside 0 0 209.165.201.4 1
telnet 10.1.1.2 255.255.255.255

In these examples, the ip address commands specify addresses for the inside and outside network
interfaces. The ip address command only uses network masks. The inside interface is a Class A
address, but only the last octet is used in the example network and therefore has a Class C
mask. The outside interface is part of a subnet so the mask reflects the .224 subnet value.

The nat command lets users start connections from the inside network. Because a network address
is specified, the class mask specified by the ip address inside command is used.

The global command provides a PAT (Port Address Translation) address to handle the translated
connections from the inside. The global address is also part of the subnet and contains the same
mask specified in the ip address outside command.

The static command maps an inside host to a global address for access by outside users. Host
masks are always specified as 255.255.255.255.

The access-list command permits any outside host to access the global address specified by the
static command. The host parameter is the same as if you specified 209.165.201.3
255.255.255.255.

The aaa command indicates that any users wishing to access the global address must be
authenticated. Because authentication only occurs when users access the specified global which
is mapped to a host, the mask is for a host. The "0 0" entry indicates any host and its
respective mask.
The route statement specifies the address of the default router. The "0 0" entry indicates any
host and its respective mask.

The telnet command specifies a host that can access the PIX Firewall unit's console using Telnet.
Because it is a single host, a host mask is used.

2. About the Global command:
----------------------------

[no] global [(if_name)] nat_id {global_ip [-global_ip] [netmask global_mask]} | interface
clear global
show global

The global command defines a pool of global addresses. The global addresses in the pool provide
an IP address for each outbound connection, and for those inbound connections resulting from
outbound connections. Ensure that associated nat and global command statements have the same
nat_id.

When used on a PPPoE interface, the global command should explicitly include a netmask.
Otherwise, the 255.255.255.255 netmask, assigned to the interface by PPPoE, is used as the
broadcast mask. In that case, all addresses in the global pool may become broadcast addresses
and will become unusable for address translation.

Use caution with names that contain a "-" (dash) character because the global command interprets
the last (or only) "-" character in the name as a range specifier instead of as part of the
name. For example, the global command treats the name "host-net2" as a range from "host" to
"net2". If the name is "host-net2-section3" then it is interpreted as a range from "host-net2"
to "section3".

The following command form is used for Port Address Translation (PAT) only:

global [(if_name)] nat_id {{global_ip} [netmask global_mask] | interface}

After changing or removing a global command statement, use the clear xlate command.

Use the no global command to remove access to a nat_id, or to a Port Address Translation (PAT)
address, or address range within a nat_id.

The "show global" command displays the global command statements in the configuration.
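A small checker for the global and nat statement rules just described, as an added Python example that is not part of the original notes or of any Cisco tool. It assumes the statement syntax shown above; the sample configuration lines, including the 198.51.100.x and 209.165.201.x addresses, are constructed for the demo.

```python
# Added example, not from the original notes: a checker for the global / nat
# statements described above. It splits an address range at the LAST dash
# (the rule the text gives for names containing "-"), treats a single address
# as a PAT address, flags a range carrying a 255.255.255.255 netmask (the
# broadcast-mask problem noted for PPPoE), and reports nat_ids that have a nat
# statement without a global or the other way round. The sample lines are
# constructed for the demo.
import ipaddress
import re

GLOBAL_RE = re.compile(
    r"^global\s+\((?P<ifname>[^)]+)\)\s+(?P<nat_id>\d+)\s+(?P<target>\S+)"
    r"(?:\s+netmask\s+(?P<mask>\S+))?\s*$"
)
NAT_RE = re.compile(r"^nat\s+\((?P<ifname>[^)]+)\)\s+(?P<nat_id>\d+)\s+")


def parse_global(line):
    """Describe one global statement as a dict; None if the line is not one."""
    m = GLOBAL_RE.match(line.strip())
    if not m:
        return None
    entry = {"ifname": m.group("ifname"), "nat_id": int(m.group("nat_id")),
             "mask": m.group("mask")}
    target = m.group("target")
    if target == "interface":
        entry.update(kind="interface", count=1)
    elif "-" in target:
        low, _, high = target.rpartition("-")            # last dash is the range separator
        entry.update(kind="pool", low=low, high=high)
        try:
            entry["count"] = int(ipaddress.ip_address(high)) - int(ipaddress.ip_address(low)) + 1
        except ValueError:
            entry["count"] = None                         # names, not addresses: size unknown
    else:
        entry.update(kind="pat", count=1)                 # one address: Port Address Translation
    return entry


def audit(lines):
    """Return (summary per nat_id, list of warnings) for a list of config lines."""
    summary, warnings, nat_ids = {}, [], set()
    for line in lines:
        nm = NAT_RE.match(line.strip())
        if nm:
            nat_ids.add(int(nm.group("nat_id")))
            continue
        g = parse_global(line)
        if g is None:
            continue
        s = summary.setdefault(g["nat_id"], {"pool": 0, "pat": 0, "interface": False})
        if g["kind"] == "pool":
            s["pool"] += g["count"] or 0
            if g["count"] is None:
                warnings.append(f"nat_id {g['nat_id']}: range read as {g['low']!r} to "
                                f"{g['high']!r}; check that the last dash is really the separator")
            if g["mask"] == "255.255.255.255":
                warnings.append(f"nat_id {g['nat_id']}: a 255.255.255.255 netmask makes the pool "
                                "addresses broadcast addresses (see the PPPoE note above)")
        elif g["kind"] == "pat":
            s["pat"] += 1
        else:
            s["interface"] = True
    global_ids = set(summary)
    for nat_id in sorted(nat_ids - global_ids):
        warnings.append(f"nat_id {nat_id}: nat statement without a matching global")
    for nat_id in sorted(global_ids - nat_ids):
        warnings.append(f"nat_id {nat_id}: global statement without a matching nat")
    return summary, warnings


# Constructed sample configuration for the demo.
SAMPLE_CONFIG = """
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.22 netmask 255.255.255.224
nat (inside) 2 10.1.0.0 255.255.0.0
global (outside) 3 interface
global (outside) 4 host-net2-section3
nat (dmz) 5 192.168.9.0 255.255.255.0
global (outside) 5 198.51.100.7-198.51.100.9 netmask 255.255.255.255
""".strip().splitlines()


if __name__ == "__main__":
    summary, warnings = audit(SAMPLE_CONFIG)
    for nat_id, s in sorted(summary.items()):
        print(nat_id, s)           # nat_id 1 shows pool 10 plus 1 PAT address: pool is used first
    for w in warnings:
        print("WARNING:", w)
```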
Examples:

global (outside) 1 209.165.201.2 netmask 255.255.255.224
global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 interface
global (inside) 1 209.165.202.128 netmask 255.255.255.224

PAT

You can enable the Port Address Translation (PAT) feature by entering a single IP address with
the global command. PAT lets multiple outbound sessions appear to originate from a single IP
address. With PAT enabled, the PIX Firewall chooses a unique port number from the PAT IP address
for each outbound xlate (translation slot). This feature is valuable when an Internet service
provider cannot allocate enough unique IP addresses for your outbound connections.

An IP address you specify for a PAT cannot be used in another global address pool.

When a PAT augments a pool of global addresses, first the addresses from the global pool are
used, then the next connection is taken from the PAT address. If a global pool address is
available, the next connection takes that address. The global pool addresses always come first,
before a PAT address is used. Augment a pool of global addresses with a PAT by using the same
nat_id in the global command statements that create the global pools and the PAT. For example:

global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.22 netmask 255.255.255.224

More examples:
--------------

1. == Cisco PIX: Allow traffic to an internal host

Permit selected traffic to an internal host:

First, a static mapping must be made for the host. There is another recipe for this
configuration.

static (inside,outside) 1.1.1.1 192.168.0.100 netmask 255.255.255.255

then:

To allow traffic, a conduit must be constructed.
For example, to allow ICMP (ping) traffic to all hosts from anywhere (bad idea):

conduit permit icmp any any

To allow SSH to a specific host from anywhere:

conduit permit tcp host 1.1.1.1 eq 22 any

or with ACLs:

access-list 100 permit tcp any host 1.1.1.1 eq 22
access-group 100 in interface outside

2. == How to add a static map through a PIX to a device on the inside of your network.

A one to one translation.

static (inside,outside) (outside IP) (inside IP) netmask 255.255.255.255

Example:

static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255

Now you have a static nat to a specific device on the inside of your PIX. You can now write an
Access List to specify what services to allow to this device.

3. == Load a new Cisco PIX software image from a TFTP server:

TFTP (trivial file transfer protocol) provides a convenient means of quickly transferring a
Cisco IOS image to a firewall over an ethernet interface. This procedure is substantially faster
than transferring over a serial port.

Step 1: Copy the IOS binary file to the TFTP directory.

By default on most UNIX systems, the default data directory for the TFTP server is /tftpboot.
Copy the IOS image file to this directory and make sure it is world readable (i.e., chmod 544
/tftpboot/filename.bin).

The first time you try this procedure, or anytime you experience troubles, test the TFTP server
configuration with the tftp client:

cd /tmp
tftp localhost
get filename.bin

You can change directory to /tmp or any other directory that does not contain the image file.
You must use the exact name of your binary file. If there are no error messages, proceed;
otherwise troubleshoot based on the error message.

Step 2: Configure an ethernet interface on the firewall if not already configured.

Test the configuration by pinging the ip address of the TFTP server from the firewall.
Step 3: Load the IOS image

From enable mode on the firewall, the following command will load the IOS image in filename.bin
from the TFTP server at IP address 192.168.200.15:

copy tftp://192.168.200.15/filename.bin flash

You will be asked to confirm this procedure. Press ENTER to confirm.

Step 4: Restart the firewall

From enable mode, use the 'reload' command to restart the firewall.


==============
PART 6: PROXY
==============

-- END OF FILE