
Cisco NAT Overload with CBAC

Posted in Operating System, Security on June 4, 2012 by muhrizky

The reason behind this note is that there are not many resources to be found via Google on how to configure Network Address Translation (NAT) on Cisco routers. I reread the Todd Lammle book that I used to get my CCNA certification a couple of years ago and dug through Google trying to find a simple NAT configuration with a dynamic IP address allocated by the ISP, and found that several sites (including the one described in the CCNA book) had configured it on the Cisco PIX firewall. I have that firewall in my personal lab, so maybe I will write about that later.

The topology shown above is a simple diagram I drew on Gliffy, since they have sleek cloud-based drawing tools. The cable modem receives a digital signal from the ISP over a single coaxial cable, and is also configured as the DHCP relay that pushes an IP address to the customer premises device. The Cisco 2621XM modular access router comes with two FastEthernet interfaces, two WIC slots and one NM slot, and supports up to 256 MB of RAM; mine was upgraded from 64 MB to 128 MB to meet the CCNA Security certification requirements (Cisco SDM). I installed IOS version 12.2 with the Advanced Security feature set on this router so that it can be deployed as a router-based firewall supporting AAA, RADIUS, TACACS, SSH, audit, CBAC, ZBF, IPS, IDS, and so on. Finally, for daily internet usage I used a Linksys WAP610N dual-band access point. This topology could be expanded to add VLANs, Voice over IP (VoIP), and a PIX/ASA firewall protecting them for greater security.

I mention a lot of terms above that I cannot explain this time, so everyone needs to find out for themselves what exactly NAT is and how it works, and what triple-A, IPS, IDS, ZBF and so on are. I assume you already know the basics if you want to keep reading. But here I will explain briefly what Cisco CBAC is. Context-Based Access Control (CBAC) is Cisco's stateful inspection firewall technology, built on its access list (ACL) configuration, which inspects TCP, UDP and ICMP traffic up to OSI layer 7 and can prevent DDoS attacks. But since CBAC relies on ACLs, it invites human error if we do not plan it well. CBAC has since been improved upon by the Cisco Zone-Based Firewall (ZBF).

Now for the configuration. First we need to configure the basics of the Cisco router; I assume you are configuring from scratch. Start with the cabling, setting the router hostname, and IP addressing for each interface. For security, apply the console password, enable password encryption, set a username and privilege level for SSH, AAA or RADIUS, turn off the HTTP/HTTPS service if you do not use SDM or Cisco Network Assistant (CNA), and so forth. My suggestion: do this configuration carefully to avoid headaches in the later steps!
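The baseline steps listed above, written out as an added IOS configuration example; this is not the post's own configuration. Hostname, interface roles and the 172.16.1.0/27 addressing follow the topology described in the post; the passwords, username and domain name are placeholders, and the SSH lines assume an image that supports SSH version 2.

```cisco
! Added example: baseline hardening before NAT/CBAC (not from the original post).
! Values marked PLACEHOLDER are not from the post; addressing follows the post's topology.
hostname R18
!
! Encrypt stored line passwords and use a hashed enable secret (PLACEHOLDER).
service password-encryption
enable secret ENABLE-SECRET-PLACEHOLDER
!
! Local admin account with full privilege for console and SSH login (PLACEHOLDER credentials).
username admin privilege 15 secret ADMIN-PASSWORD-PLACEHOLDER
!
! Console: authenticate against the local user database, drop idle sessions after 5 minutes.
line console 0
 login local
 exec-timeout 5 0
!
! SSH only on the VTY lines; the RSA key needs a domain name first (PLACEHOLDER).
ip domain-name lab.example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
!
! No SDM / CNA in use, so turn off the HTTP and HTTPS servers.
no ip http server
no ip http secure-server
!
! Addressing from the post: Fa0/0 takes its address from the ISP by DHCP,
! Fa0/1 is the trusted LAN gateway on 172.16.1.0/27.
interface FastEthernet0/0
 description Untrusted - cable modem
 ip address dhcp
 no shutdown
interface FastEthernet0/1
 description Trusted - LAN / wireless AP
 ip address 172.16.1.1 255.255.255.224
 no shutdown
```

With `transport input ssh` on the VTY lines, Telnet is refused outright rather than relying on a password, and the console keeps `login local` so the same hashed credentials apply there as well.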

The following section is the main purpose of this article: configuring NAT and CBAC. Below is the NAT configuration, with the untrusted interface acting as DHCP client and the trusted interface acting as DHCP server:

R18(config)#ip dhcp pool dhcp18
R18(dhcp-config)#default-router 172.16.1.1
R18(dhcp-config)#network 172.16.1.0 255.255.255.224
R18(dhcp-config)#dns-server 8.8.8.8 8.8.4.4
R18(dhcp-config)#exit
! Exclude the router and wireless AP addresses from the pool.
R18(config)#ip dhcp excluded-address 172.16.1.1
R18(config)#ip dhcp excluded-address 172.16.1.7
! The pool must match the address we get from the ISP; update it if the lease changes.
R18(config)#ip nat pool nat18 118.137.37.7 118.137.37.7 netmask 255.255.255.0
! ACL selecting the inside hosts that are translated.
R18(config)#ip access-list extended nat18-ol
R18(config-ext-nacl)#permit ip 172.16.1.0 0.0.0.31 any
R18(config-ext-nacl)#exit
R18(config)#ip nat inside source list nat18-ol pool nat18 overload
R18(config)#interface fastethernet0/0
R18(config-if)#ip nat outside
R18(config-if)#interface fastethernet0/1
R18(config-if)#ip nat inside
R18(config-if)#do write memory

For the CBAC firewall using AutoSecure:

R18#auto secure firewall
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks ***
All the configuration done as part of AutoSecure will be shown here. For more details of why and how this configuration is useful, and any possible side effects, please refer to Cisco documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]:yes
Enter the number of interfaces facing internet [1]:1
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 118.137.37.7 YES DHCP up down
FastEthernet0/1 172.16.1.1 YES NVRAM up down
Enter the interface name that is facing internet:FastEthernet0/0
Configure CBAC Firewall feature? [yes/no]:yes
This is configuration generated:
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface FastEthernet0/0
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
!
end
Apply this configuration to running-config? [yes]:yes
Applying the config generated to running-config

I cannot guarantee that the AutoSecure firewall will run smoothly and trouble-free, since that depends on the Cisco IOS version and our exact configuration; this is why I said earlier that you must configure the basics appropriately. AutoSecure can be your doom by locking you out of all access to the router, including the console. Of course, we can also configure CBAC manually, but I do not want to explain that here, at least not in this part of the note.
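Two things a practitioner would add around the steps above, given as an added example rather than the post's own procedure: a safety net against the lockout just described, and the show commands that confirm DHCP, NAT overload and CBAC are doing what the configuration intends. The `reload in` timer is a standard IOS feature; the ICMP inspection line assumes an image whose CBAC supports the `icmp` keyword, and the interface-overload form of the NAT rule is an alternative to the post's fixed pool, shown here because the post's goal is a dynamically assigned ISP address.

```cisco
! Added example, not from the original post: a lockout safety net and verification steps.
!
! 1. Before applying AutoSecure (or any inbound ACL) from a remote session, schedule a
!    reload. Nothing has been saved yet, so if the new rules lock you out, the router
!    comes back on the last saved startup-config after 10 minutes.
R18#reload in 10
!
! 2. Run AutoSecure and answer the prompts as shown above.
R18#auto secure firewall
!
! 3. Still able to log in afterwards? Cancel the pending reload, then save.
R18#reload cancel
R18#write memory
!
! 4. Verify each piece of the configuration.
! DHCP leases handed out on the trusted side (the excluded router and AP addresses never appear here):
R18#show ip dhcp binding
! Active PAT entries: inside local 172.16.1.x:port mapped onto the single ISP address.
R18#show ip nat translations
R18#show ip nat statistics
! CBAC sessions opened by outbound traffic. Only return traffic matching one of these
! gets past the deny-all ACL that AutoSecure applied inbound on FastEthernet0/0.
R18#show ip inspect session
R18#show ip inspect config
! Hit counts on the inbound ACL show what is being dropped at the edge.
R18#show ip access-lists autosec_firewall_acl
!
! 5. Two adjustments the generated configuration does not cover (assumptions: the image
!    supports ICMP inspection, and the ISP lease can change).
! The autosec_inspect rule lists TCP, UDP and several applications but not ICMP, so echo
! replies to a ping from the LAN are dropped by the inbound ACL. Inspect ICMP as well:
R18(config)#ip inspect name autosec_inspect icmp
! The NAT pool is pinned to one ISP address. Translating onto the outside interface instead
! follows whatever address DHCP currently assigns to FastEthernet0/0. Clear active
! translations before removing the old rule, or IOS refuses to delete it.
R18(config)#do clear ip nat translation *
R18(config)#no ip nat inside source list nat18-ol pool nat18 overload
R18(config)#ip nat inside source list nat18-ol interface FastEthernet0/0 overload
```

After step 5, `show ip nat translations` should list the current FastEthernet0/0 address as the inside global address, and `show ip inspect session` should show an ICMP session appearing while a ping from a LAN host is in progress.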