Wednesday, April 22, 2015

Port Forwarding and NAT on Cisco Routers - Accessing private network from the internet


This article demonstrates how to access your private network from the outside (the internet) using port forwarding, also known as static NAT, on Cisco routers.

Port forwarding is the redirection of a request from one IP address and port number combination to another by a gateway or router. Port forwarding therefore allows remote computers (for example, computers on the internet) to connect to a specific computer or service within a private local area network (LAN).

LAB
In our scenario we use a Cisco 887VA router. Dialer 1 is the outside interface of the router, connected to the internet (ISP), and Vlan 1 is the inside interface, connected to the local network.

Looking at the above diagram, we need to access the PC 192.168.50.11 from the internet. As you see in the diagram, the PC (My PC) is connected to the internet through a DSL modem in Germany, and the PC 192.168.50.11 is connected to the internet through the Cisco 887VA router in Palestine. My PC in Germany sends a request to the public IP of the Cisco router on remote desktop port 3389; the router forwards (redirects) this packet to the LAN PC 192.168.50.11 on port 3389. This is port forwarding.
Port forwarding is a part of network address translation (NAT).

Configuration Steps:
1- Redirect requests arriving at the public IP address (the outside interface of the Cisco 887VA) on port 3389 to the private IP 192.168.50.11 on port 3389:

R(config)#ip nat inside source static tcp 192.168.50.11 3389 interface dialer 1 3389

2- Specify the inside and outside interfaces of the router:

R(config)#int vlan 1
R(config-if)#ip nat inside
R(config-if)#int dialer 1
R(config-if)#ip nat outside
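As an added illustration (not part of the article), a small Python model of what the static tcp mapping above does to a packet in each direction. The public address 203.0.113.10 and the remote address 198.51.100.7 are constructed placeholders standing in for the ISP-assigned Dialer1 address and "My PC" in Germany.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed lab values (not from the article): 203.0.113.10 stands in for the
# public address the ISP assigns to Dialer1, 198.51.100.7 for "My PC" in Germany.
PUBLIC_IP = "203.0.113.10"

# Translation table built by:
#   ip nat inside source static tcp 192.168.50.11 3389 interface dialer 1 3389
# key = (protocol, inside global ip, inside global port), value = inside local.
STATIC_MAPS = {("tcp", PUBLIC_IP, 3389): ("192.168.50.11", 3389)}

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def outside_to_inside(pkt: Packet) -> Optional[Packet]:
    """Packet arriving on the outside interface (Dialer1). If the destination
    hits a static mapping the destination is rewritten to the LAN host;
    otherwise None: nothing is forwarded into the LAN for that destination."""
    target = STATIC_MAPS.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
    if target is None:
        return None
    return replace(pkt, dst_ip=target[0], dst_port=target[1])

def inside_to_outside(pkt: Packet) -> Packet:
    """Reply from the LAN host leaving via Vlan1: the source is rewritten back
    to the public address/port so the remote peer sees one consistent flow."""
    for (proto, g_ip, g_port), (l_ip, l_port) in STATIC_MAPS.items():
        if (pkt.proto, pkt.src_ip, pkt.src_port) == (proto, l_ip, l_port):
            return replace(pkt, src_ip=g_ip, src_port=g_port)
    return pkt  # only the static mapping is modelled; dynamic PAT is not

def exposed_services() -> list:
    """Every (protocol, port) on the public address that reaches the LAN.
    With a single static tcp entry that is exactly one: ('tcp', 3389)."""
    return sorted((proto, port) for (proto, _ip, port) in STATIC_MAPS)
```

The last function is the defender's view of the mapping: a static tcp entry exposes only that one protocol and port of the LAN host, so an unmapped port or a UDP probe to 3389 is not translated at all.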




For more details and explanation, watch this video on YouTube


To get automatic updates on your Facebook, join a Facebook group







Thursday, April 16, 2015

Configure Cisco Named Standard Access Control List ACL on Cisco routers / ACL Rules

In this article we will demonstrate the Named Standard Access Control List (Named Standard ACL).
An access control list is used for filtering unwanted traffic. There are two types of ACL: numbered and named. Numbered access lists are either standard or extended, and named access lists are likewise either standard or extended. So there are four kinds of access list:
  1. Numbered standard access list
  2. Numbered extended access list
  3. Named standard access list
  4. Named extended access list

This article covers the Named Standard Access List. Standard means it filters packets based on the source IP address; named means the access list is identified by a name rather than a number and can be edited (specific lines can be added and removed).

Access Control List Rules
1- Whether you use Numbered (Standard and Extended) or Named (Standard and Extended) Access Lists, the packet is always compared with each line of the access list in sequential order. If the packet's source IP address matches the first line (entry) of the ACL, the router does not check the other entries. If the source IP address does not match the first line, the router checks the second line, and so on. The packet is compared with the lines of the access list only until a match is made; once it matches the condition on a line, no further comparisons take place.

2- There is an implicit deny at the end of each access list: if a packet does not match the condition on any line of the access list, the packet is discarded.

3- The access list is applied on an interface in a specific direction, inbound or outbound. Inbound: the packets are processed through the ACL before being routed to the outbound interface. Outbound: the packets are routed to the outbound interface and then processed through the ACL.

4- Standard (Numbered and Named) access control lists filter network traffic by examining the source IP address of a packet.

5- Named Access Lists (Standard and Extended) are editable: you can insert a line between existing lines or at the top of the entries, and you can delete a specific line. So the access list can be modified (adding a line or deleting a specific line) without rewriting it.

6- A Named Standard Access Control List is identified by a name chosen by the network administrator.

7- A Standard Access Control List is placed as close to the destination as possible.

8- Named Standard Access Control Lists use the following syntax:
R(config)# ip access-list standard <acl name>
R(config-std-nacl)#<permit or deny> <source address> 


Configuring a named ACL

Looking at the above diagram, we want to prevent network 192.168.10.0/24 from accessing network 192.168.30.0/24, while everything else is permitted.

Configuration Steps:
1- Create an access list identified by a name; I used tariq as the name, as you see in the first command below. The second command denies packets coming from network 192.168.10.0/24, i.e. drops packets whose source is that network. The third line permits packets from any other source IP address. The third line is necessary: without it, all other packets would be dropped because of the implicit deny any at the end of the access list.
R2(config)#ip access-list standard tariq

R2(config-std-nacl)#deny 192.168.10.0 0.0.0.255
R2(config-std-nacl)#permit any

2- Apply the access list on an interface in a specific direction: no action (permit or deny) is taken until the access list is applied to an interface in a direction.
You should know that packets coming from network 192.168.10.0/24 enter R2 on interface g0/0, as you see in the diagram. If you apply this ACL on interface g0/0 of R2 in the inbound direction, the router checks the ACL (which denies network 192.168.10.0/24) and prevents the packet from being routed to either outbound interface, g0/1 or g0/2, based on the action in the first line of the ACL. So network 192.168.10.0/24 would be unable to reach not only network 192.168.30.0/24 but also network 192.168.50.0/24. You should therefore be careful about where you apply the ACL and in which direction.
The solution is to apply the ACL on interface g0/2 in the outbound direction: the router permits the packets to enter g0/0 and routes them to the outbound interfaces g0/1 and g0/2, and only then are the packets processed through the ACL. In our example we apply the ACL on g0/2 to prevent network 10 from reaching network 30, but we do not apply it on g0/1 because we want to allow network 10 to access network 50.
Before writing the commands below, host 192.168.10.2 can reach 192.168.30.2:

R2(config)#int f0/0
R2(config-if)#ip access-group tariq out

After writing the above commands (applying the ACL on the interface), host 192.168.10.2 can no longer access 192.168.30.2.
To view the configured access list:

R2#sh access-list
Standard IP access list tariq
10 deny 192.168.10.0 0.0.0.255
20 permit any

Adding a line between the lines of the ACL
Suppose you now also want to deny the host 192.168.2.10 with the command deny host 192.168.2.10. You cannot simply add it in the normal way, because it would be appended at the bottom of the ACL, and there the host would not be denied: the ACL already finds a match for this host in the second line (permit any).
So you have to insert the command before the second line (permit any), meaning the sequence number of the inserted line must be lower than 20 (the number of the second line):
R2(config)#ip access-list standard tariq

R2(config-std-nacl)#15 deny 192.168.2.10
View the access list after adding the line:
Router#sh access-lists 

Standard IP access list tariq
10 deny 192.168.10.0 0.0.0.255
15 deny host 192.168.2.10
20 permit any

Deleting individual lines
To delete an individual line from the ACL, for example line number 20:
Router(config)#ip access-list standard tariq

Router(config-std-nacl)#no 20
View the access list after deleting line number 20:
Router#sh access-lists 

Standard IP access list tariq
10 deny 192.168.10.0 0.0.0.255
15 deny host 192.168.2.10






Sunday, April 12, 2015

Cisco Numbered Standard Access Control List Configuring - How ACL works

In this article we will demonstrate the numbered standard access control list (Numbered Standard ACL) and how an access list works.
An access control list is used for filtering unwanted traffic. There are two types of ACL: numbered and named. Numbered access lists are either standard or extended, and named access lists are likewise either standard or extended. So there are four kinds of access list:
  1. Numbered standard access list
  2. Numbered extended access list
  3. Named standard access list
  4. Named extended access list

This article covers the numbered standard access list. Standard means the IOS router filters packets based on the source IP address; numbered means the access list is identified by a number and cannot be edited line by line.

Access Control List Rules
1- Whether you use Numbered (Standard and Extended) or Named (Standard and Extended) Access Lists, the packet is always compared with each line of the access list in sequential order. If the packet's source IP address matches the first line (entry) of the ACL, the router does not check the other entries. If the source IP address does not match the first line, the router checks the second line, and so on. The packet is compared with the lines of the access list only until a match is made; once it matches the condition on a line, no further comparisons take place.

2- There is an implicit deny at the end of each access list: if a packet does not match the condition on any line of the access list, the packet is discarded.

3- The access list is applied on an interface in a specific direction, inbound or outbound. Inbound: the packets are processed through the ACL before being routed to the outbound interface. Outbound: the packets are routed to the outbound interface and then processed through the ACL.

4- Standard (Numbered and Named) access control lists filter network traffic by examining the source IP address of a packet.

5- Numbered Access Lists (Standard and Extended) are not editable: you cannot insert a line between existing lines or at the top of the entries, and you cannot delete a specific line. To modify a numbered access list (add a line or delete a specific line) you have to delete it and write it again. This is not flexible at all; to solve this problem, use a named access list.

6- A Numbered Standard Access Control List is identified by a number from the ranges 1-99 and 1300-1999.

7- Place standard access lists as close to the destination as possible. For example, if you want to prevent network 192.168.10.0/24 (source) from accessing network 192.168.30.0/24 (destination), the access list should be placed on the router directly connected to the destination network 192.168.30.0/24 (the router in the middle), as you see in the diagram below.

8- Numbered Standard Access Control Lists use the following syntax:
R(config)# access-list <1-99> <permit/deny> <source address> <wildcard mask>



Looking at the above diagram, we want to prevent network 192.168.10.0/24 from accessing network 192.168.30.0/24, while everything else is permitted.

Configuration Steps:
1- Create an access list identified by a number from the range 1-99; I used number 5, as you see in the first command. The first command denies packets coming from network 192.168.10.0/24, i.e. drops packets whose source is that network. The second line permits packets from any other source IP address. The second line is necessary: without it, all other packets would be dropped because of the implicit deny any at the end of the access list.
R2(config)#access-list 5 deny 192.168.10.0 0.0.0.255

R2(config)#access-list 5 permit any

2- Apply the access list on an interface in a specific direction: no action (permit or deny) is taken until the access list is applied to an interface in a direction.
You should know that this packet enters interface f0/1, as you see in the diagram. If you apply this ACL on interface f0/1 of R2 in the inbound direction, the router checks the ACL (which denies network 192.168.10.0/24) and prevents the packet from being routed to either outbound interface, f0/0 or f1/0, based on the action in the first line of the ACL. So network 192.168.10.0/24 would be unable to reach not only network 192.168.30.0/24 but also network 192.168.50.0/24. You should therefore be careful about where you apply the ACL and in which direction.
The solution is to apply the ACL on interface f0/0 in the outbound direction: the router permits the packets to enter f0/1 and routes them to the outbound interfaces f0/0 and f1/0, and only then are the packets processed through the ACL. In our example we apply the ACL on f0/0 to prevent network 10 from reaching network 30, but we do not apply it on f1/0 because we want to allow network 10 to access network 50.
Before writing the commands below, host 192.168.10.2 can reach 192.168.30.2:
R2(config)#int f0/0
R2(config-if)#ip access-group 5 out

After writing the above commands (applying the ACL on the interface), host 192.168.10.2 can no longer access 192.168.30.2.
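Added example (not from these articles): a Python model of the first-match and implicit-deny rules that both the numbered and the named standard ACL articles above describe, built around the tariq ACL from the named article. Append-only adds behave like a numbered ACL, and the explicit sequence-number insert and delete mirror the "15 deny host 192.168.2.10" and "no 20" steps; the source addresses used to exercise it are constructed.

```python
import ipaddress

def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(src: str, addr: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'.
    'host X' is X with wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255."""
    care_bits = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(src) ^ _to_int(addr)) & care_bits == 0

class StandardAcl:
    """Entries are (seq, action, addr, wildcard), kept in sequence order.
    A numbered ACL can only append (IOS numbers lines 10, 20, 30, ...);
    a named ACL may also pass an explicit seq to insert, and remove a seq."""

    def __init__(self, name: str):
        self.name = name
        self.entries = []

    def add(self, action: str, addr: str, wildcard: str = "0.0.0.0", seq=None):
        if seq is None:  # e.g. 'deny 192.168.10.0 0.0.0.255' with no number
            seq = self.entries[-1][0] + 10 if self.entries else 10
        self.entries.append((seq, action, addr, wildcard))
        self.entries.sort()  # the walk below must follow sequence numbers
        return seq

    def remove(self, seq: int) -> None:
        """Equivalent of 'no 20' in ip access-list standard mode."""
        self.entries = [e for e in self.entries if e[0] != seq]

    def evaluate(self, src_ip: str):
        """Rule 1: top-down, stop at the first match. Rule 2: implicit deny."""
        for seq, action, addr, wildcard in self.entries:
            if wildcard_match(src_ip, addr, wildcard):
                return action, seq
        return "deny", None  # the implicit 'deny any' nobody typed

def build_tariq() -> StandardAcl:
    """The article's ACL as first written: deny network 10, then permit any."""
    acl = StandardAcl("tariq")
    acl.add("deny", "192.168.10.0", "0.0.0.255")      # becomes line 10
    acl.add("permit", "0.0.0.0", "255.255.255.255")    # line 20, 'permit any'
    return acl
```

Evaluating 192.168.2.10 after appending its deny as line 30 still returns permit from line 20, while inserting it as line 15 returns deny; removing line 20 afterwards makes every other source fall through to the implicit deny.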
