Let’s assume the following for this example

• We have 2 public IP addresses (192.168.1.1 & 192.168.1.2)
• The IP address on the outside interface has been configured to use PAT for all internal IP addresses for Internet access (192.168.1.1)
• I have a DMZ with 3 servers, FTP, E-mail, and Web Server (10.0.1.1, 10.0.1.2 & 10.0.1.3 respectively)
• I need my 3 DMZ servers to be reachable from the Internet.

The above scenario poses a slight problem. If I have already used one of my public addresses for PAT to allow all internal hosts to access the Internet, I only have one IP address left but I require 3 static NAT entries to be created. In my post on Static NAT we saw that we configure NAT to map on a one-to-one basis, so in this scenario I would require 3 IP addresses, one for each of my DMZ servers.

The nice thing about the above scenario, is that each of the three servers is hosting a totally different service and therefore each requires different ports to be accessible from the Internet. This allows me to create static NAT’s that specify the ports, a type of overload function.

FTP would require ports 20,21 to be allowed
E-mail would require port 25 to be opened, and possibly 143 and 110 if you are using IMAP or POP
Web Server will require port 80, and possibly 443 if there is any SSL been used (https).

The above can be configured in the following way (interfaces would need to be configured as inside and outside as well, as seen here)

AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.1 192.168.1.2 20
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.1 192.168.1.2 21

AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.2 192.168.1.2 25
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.2 192.168.1.2 143
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.2 192.168.1.2 110

AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.3 192.168.1.2 80
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.3 192.168.1.2 443

Related posts:

1. Configuring Static NAT on Cisco Routers
2. Configuring PAT on Cisco Routers (NAT Overload)
3. NAT (Network Address Translation)

PAT or otherwise known as NAT overload, allows you to translate IP addresses in a many-to-one method.
In my previous post on Configuring Dynamic NAT we saw that we can NAT many-to-many  but this was limited by the amount of public addresses that you have available. In cases such as home ADSL, your ISP will only issue you with a single public IP address but you might have 2 or more devices that need to access the Internet at any given time. This is where PAT takes over and makes this all possible.

As with any NAT configuration we need to first define our inside and outside interfaces. In this example I’ll use FastEthernet 0/0 as my inside, and Serial 0 as my outside.

AOIP.ORG (config) # interface FastEthernet 0/0
AOIP.ORG (config-if) # ip nat inside
AOIP.ORG (config-if) # interface Serial 0
AOIP.ORG (config-if) # ip nat outside

The next step is to define which addresses in my inside network I want to allow to be translated. Let’s assume my inside IP address range is 10.0.1.0 /24

AOIP.ORG (config) # access-list 1 permit 10.0.1.0 0.0.0.255 (Using a standard access-list is the easiest way to achieve this)

Then I need to configure the address that will be used by my internal IP addresses for accessing the outside interface. This can be done in 2 ways.

Option 1:
If I only have 1 public IP address, which is the case with home ADSL, the router will already have that IP address allocated to it by your ISP. The only thing I can do is tell the router to share that address with my internal hosts.

AOIP.ORG (config) # ip nat inside source list 1 Serial 0 overload (This defines my access-list 1 as the source addresses, and tell them to be translated into the same IP address that is configured on Serial 0. The overload command tells the router that it needs to keep track of all the source and destination ports so the IP address can be used multiple times, overloaded)

Option 2:
If I have a second public IP address that I would like to use for Internet browsing, I can configure PAT for that IP address.

AOIP.ORG (config) # ip nat inside source list 1 192.168.1.1 overload (Same as the above command, but I’ve specifically told the router which IP address to translate my internal hosts into)

This option is fantastic if you have multiple public addresses and you want to segment your Internet browsing based on departments or geographic locations. For example
Marketing – 10.1.0.0 /24
Sales – 10.2.0.0 /24
Technical – 10.3.0.0 /24

I can have each of the above departments using their own public IP address, which will make log files easier to read when tracking Internet use and for troubleshooting connection errors.

access-list 2 permit 10.1.0.0 0.0.0.255
access-list 3 permit 10.2.0.0 0.0.0.255
access-list 4 permit 10.3.0.0 0.0.0.255
ip nat inside source list 2 192.168.1.2 overload
ip nat inside source list 3 192.168.1.3 overload
ip nat inside source list 4 192.168.1.4 overload

Related posts:

1. Configuring Dynamic NAT on Cisco Routers
2. Configuring Static NAT on Cisco Routers
3. Static NAT overloaded???

Dynamic NAT allows us to translate many IP addresses into a pool of many IP addresses. The big thing to realize here is that the pool does not need to contain enough IP addresses to translate all the internal addresses at the same time, as would be the case if we used Static NAT. Dynamic NAT allows internal hosts to be translated into an IP address in the pool when it requires a connection. Once the internal host has finished it’s session the NAT entry is removed from the NAT table allowing another internal host to use the external IP address for it’s session.

Assume we have 50 hosts in our inside network but only have 5 public IP addresses available to use. With Dynamic NAT we can allow all 50 internal addresses to share the 5 public addresses as and when they need them. This of course does impose a limit of only 5 simultaneous connections to the outside world and that is where PAT would come in and solve that problem.

On of the benefits of using Dynamic NAT vs Static NAT, is that Dynamic NAT requires the session to originate from the inside network. No outside connections can be established to the inside network. This is obviously a more secure solution as connections from the outside won’t work; only traffic originating from the inside will be translated. Static NAT is different in the fact that the entry is added to the NAT table on a permanent basis and will allow connections in either direction.

Here are the steps to configure Dynamic NAT on a Cisco Router.

Step 1 : I need to define the IP address range that will be translated (my inside IP addresses). I can do this with a standard access-list

AOIP.ORG (config)# access-list 1 permit 10.0.1.0 0.0.0.255 (don’t forget, access-lists use wildcard masks, not subnet masks)

Step 2 : I need to configure the range of addresses that my internal network will be translated into by using a NAT pool.

AOIP.ORG (config) # ip nat pool MY_POOL 10.50.1.1 10.50.1.5 netmask 255.255.255.0 (There are 5 IP addresses that can be used for translation in this example)

Step3 : Define inside and outside interfaces

AOIP.ORG (config) # interface FastEthernet 0/0
AOIP.ORG (config-if) # ip nat inside
AOIP.ORG (config-if) # interface Serial 0
AOIP.ORG (config-if) # ip nat outside

Step 4 : Configure the translation to take place.

AOIP.ORG (config) # ip nat inside source list 1 pool MY_POOL (List 1 is my access-list that defined my inside IP addresses, MY_POOL defined the IP addresses to be used for the translation)

Related posts:

1. Configuring PAT on Cisco Routers (NAT Overload)
2. Configuring Static NAT on Cisco Routers
3. NAT (Network Address Translation)

Static NAT is a one-to-one mapping. It allows us to translate a single IP address into a different single IP address. This is most commonly found when you have a server inside your DMZ that you would like to allow the outside world (The Internet) to connect to, such as E-mail servers, FTP servers and Web servers (if you’re hosting your own).

The first step in configuration static NAT, is to define which interfaces on your router are involved in the NAT process and then configuring your Cisco router to know which interface is on which side of the network. Your Cisco router needs to know which interface is the inside interface and which is the outside interface to allow the translation to take place.

For example purposes let’s assume that FastEthernet 0/0 is the inside interface, and Serial 0 is my outside.

AOIP.ORG > en
AOIP.ORG # conf t
AOIP.ORG (config)# interface FastEthernet 0/0
AOIP.ORG (config-if)# ip nat inside
AOIP.ORG (config-if)# interface Serial 0
AOIP.ORG (config-if)# ip nat outside

So we have just informed our Cisco router of the inside and the outside, the next step is to tell your Router how to translate and what to translate.

Let’s assume that I have a server in my DMZ that has an IP address of 10.0.1.1 and I have a public IP address of 192.168.1.1 (yes I know this a private range part of RFC 1918, but for example purposes, let’s assume it’s not).

AOIP.ORG (config)# ip nat inside source static 10.0.1.1 192.168.1.1

That’s it, your done. When your server 10.0.1.1 connects to anything on Serial 0 and beyond, the source IP address will be translated into 192.168.1.1. Similarly, when someone from the Internet connects to the IP address 192.168.1.1 it will be translated into a destination IP address of 10.0.1.1 and hence connect to our server in the DMZ (Access-list permitting).

Related posts:

1. Configuring PAT on Cisco Routers (NAT Overload)
2. Configuring Dynamic NAT on Cisco Routers
3. Static NAT overloaded???

The name SubSeven was derived by reversing the word Netbus (also a famous backdoor program) and replacing with the world ‘ten’ with ‘seven’

netbus = subten = subseven

In order to mitigate this application from attacking your network the following Access-list can be configured on your routers interfaces. Most Anti-Virus programs will also prevent it from attacking your machine.

AOIP.ORG(config)# access-list 100 deny tcp any any eq 1243 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 2773 log

AOIP.ORG(config)# access-list 100 deny tcp any any range 6711 6713 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 6776 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 7000 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 7215 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 27374 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 27573 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 54283 log

AOIP.ORG(config)# access-list 100 permit ip any any

AOIP.ORG(config)# interface fa0/0

AOIP.ORG(config-if)# ip access-group 100 in

AOIP.ORG(config-if)# exit

AOIP.ORG(config)# interface fa0/1

AOIP.ORG(config-if)# ip access-group 100 in

AOIP.ORG(config-if)# exit

AOIP.ORG(config)#

Related posts:

1. Mitigating Smurf DoS Attacks
2. IP Address Spoofing Mitigation with Access Control Lists (ACL)
3. DoS TCP SYN Attack Mitigation

The enable password by default is saved in clear text so when looking at the running-configuration of the router you will be able to read the password. It is possible to encrypt this password using the service password-encryption command.

The service password-encryption command will also encrypt all other clear text passwords on your router including the VTY, AUX, Console and User passwords. Although the service password-encryption command encrypts your passwords so you can no longer read them in the running-configuration, the encryption algorithm is not very secure.

If we look at the running-configuration of my router in the article Setting the enable password and secret on a Cisco device , you will see that after the service password-encryption command was issued the password was stored in the running-configuration as

Enable password 7  12180A1E02

The number ‘7’ tells me the type of password, the rest of the number is the password in its encrypted format.

Copy and paste with password without the ’7′ into the below form, and see just how easy it is to decrypt the enable password.

NOTE: Please only use the below form for password recovery and demonstration purposes!

Related posts:

1. Setting the enable password and secret on a Cisco device
2. Hashing, What is it and how does it work?
3. How encryption works

A Smurf works on a weakness of IP and ICMP by sending an ICMP packet to the broadcast address of a network. For example, I could send an ICMP (Ping packet) to every computer on the network 192.168.1.0 /24

I would do this by sending an ICMP packet to the address 192.168.1.255. This would result in every computer in that network (possibly 254 machines) sending me an echo-reply message. So far, this is not the end of the world, however Smurf adds ip spoofing to the equation…

When someone does a Smurf attack, the first thing that they do is an IP Spoof to make the their IP address look like an internal address. For example, I would spoof my address to have a source IP address of 192.168.1.10. Let’s assume that the IP address 192.168.1.10 was the Domain Controller, or perhaps the E-mail or Web server of that network. If I was to now send multiple echo packets to the destination address 192.168.1.255, every machine on that network would now send a echo-reply to the source IP of 192.168.1.10 (The internal server). This means I have just caused every machine on the target network to attack the internal target machine with echo-replies. Of course this is not the end of the world if this happens once or twice, but what if I did this a few thousand, or a few hundred thousand times? What if the target network was larger and had more than 254 machines? On a larger scale this could cause the target machine to be so over loaded with echo-replies that its network card becomes saturated to a point where its prevented from doing its job… denying it from doing it’s service… “Denial of Service” (DoS). Since this attack is not coming from me directly, and I’m forcing multiple machines to attack a single host, this now becomes a “Distributed Denial of Service” (DDos) attack.

So in order for us to prevent Smurf attacks happening on our networks, we need to make sure we block directed broadcast traffic coming into our network.

Below is the configuration required to stop Smurf Attacks. Use the diagram as a reference for the ACL’s

AOIP.ORG(config)# access-list 101 deny ip any host 192.168.1.255 log

Deny the directed broadcast

AOIP.ORG(config)# access-list 101 permit ip any 192.168.1.0 0.0.0.255 log

Allow unicast traffic

AOIP.ORG(config)# interface fa0/0

AOIP.ORG(config-if)# ip access-group 101 in

Attach the ACL to the interface for inbound traffic

AOIP.ORG(config-if)# exit

Now for the other direction……

AOIP.ORG(config)# access-list 102 deny ip any host 10.0.1.255 log

Deny the directed broadcast

AOIP.ORG(config)# access-list 102 permit ip any 10.0.1.0 0.0.0.255 log

Allow unicast traffic

AOIP.ORG(config)# interface fa0/1

AOIP.ORG(config-if)# ip access-group 102 in

Attach the ACL to the interface for inbound traffic

AOIP.ORG(config-if)# exit

AOIP.ORG(config)#

In the above configuration we have now mitigated Smurf attacks from either network segments in either direction.

Related posts:

1. Mitigating SubSeven attacks
2. IP Address Spoofing Mitigation with Access Control Lists (ACL)
3. DoS TCP SYN Attack Mitigation

Most, but not all, of the spoofing attacks that take place start with someone on the outside of your network spoofing their IP address to make it look like they are part of the inside of your network. Since all private networks worldwide follow the standards of RFC 1918, knowing what IP addresses a company is using inside their network is not complex.

RFC 1918 defines that the following IP addresses are usable inside private networks.

10.0.0.0 – 10.255.255.255

172.16.0.0 – 172.31.255.255

192.168.0.0 – 192.168.255.255

Based on the above, the most obvious first step is to deny traffic that has a source IP address inside the RFC 1918 block that is coming into your network from the outside interface. The outside interface should have outside (public) IP addresses as their source. There would be no valid reason for an IP address on the outside of your network falling within that range.

Further to the RFC 1918 block of addresses, we also need to block any source coming from the following:

local loopback (127.0.0.1)

network address (0.0.0.0)

broadcast address (255.255.255.255)

Private multicast range (224.0.0.0 /4 )

Here is the configuration breakdown for the above scenario

AOIP.ORG(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log

AOIP.ORG(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log

AOIP.ORG(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log

The above are the RFC 1918 Unicast IP addresses

AOIP.ORG(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log

Local loopback restriction

AOIP.ORG(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log

Network address restriction

AOIP.ORG(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any log

Private multicast range restriction

AOIP.ORG(config)# access-list 100 deny ip host 255.255.255.255 any log

Broadcast source address restriction

AOIP.ORG(config)# access-list 100 permit ip any 192.168.1.0 0.0.0.255

There is an implicit deny any at the bottom of every access list, so without a permit statement, NO traffic would be allowed. In the above entry I have allowed any traffic to go to the destination address 192.168.1.0 /24 (My internal network)

AOIP.ORG(config)# interface fa0/0

For example purposes FastEthernet 0/0 is my outside interface

AOIP.ORG(config-if)# ip access-group 100 in

I have applied this ACL inbound, which will also protect the router from been attacked.

AOIP.ORG(config-if)# exit

AOIP.ORG(config)#

Not only do we want to prevent people from the outside of our network ‘pretending’ they are inside our network, we also want to prevent our inside people from spoofing to a different IP address as well. The above configuration had a focus on traffic INBOUND to our network, the below configuration is focused on preventing OUTBOUND traffic from spoofing.

AOIP.ORG(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any

The only range that is allowed to transmit is my internal network, in this case 192.168.1.0 /24

AOIP.ORG(config)# access-list 105 deny ip any any log

Although there is an implicit ‘deny any’ at the end of all ACL’s, I have included this with the log statement so I can see how many attempts have been made by internal machines to spoof their address before leaving the network

AOIP.ORG(config)# interface fa0/1

For example purposes, interface FastEthernet 0/1 is my inside interface

AOIP.ORG(config-if)# ip access-group 105 in

I have applied this ACL inbound, which will also protect the router from been attacked.

AOIP.ORG(config-if)# exit

AOIP.ORG(config)#

Related posts:

1. Mitigating Smurf DoS Attacks
2. DoS TCP SYN Attack Mitigation
3. Mitigating SubSeven attacks

As an additional method for securing your Cisco devices, it’s a good idea to bind an ACL (Access Control List) to the VTY’s (Virtual Terminal Lines). This will only allow IP addresses included in the ACL to create a connection to the device in addition to needing the password for the lines.

If we look at the diagram below, I might want to restrict telnet access into R1 so telnet will only be allowed to take place from AOIP.ORG and not from any other device or computer.

 In order to achieve the above, the following commands would need to be configured.

R1# conf t

R1(config)# access-list 1 permit host 192.168.1.10 log

Create a standard access-list (only checks the source address) and include the ‘log’ command so I will be able to see how many times the ACL has been matched. I don’t have to include any deny statements since there is always a implicit deny any statement at the end of every ACL

R1(config)# line vty 0 4

Enter the Virtual lines

R1(config-line)# access-class 1 in

Attach the ACL to the virtual lines for traffic inbound to the router.

Below is the live demo.

Related posts:

1. Configuring VTY Access
2. IP Address Spoofing Mitigation with Access Control Lists (ACL)
3. Mitigating SubSeven attacks

In this tutorial I’m going to explain how to use this command, and different options available using it.

Below is the breakdown of the commands I used in the live demo, and an explanation of each.

AOIP.ORG_Switch# terminal monitor

Since I was connected to my switch via telnet, and I knew there were going to be messages from the switch, I needed to configure Terminal Monitor so I would have these messages sent to my telnet session. By default when connected to a Cisco device via telnet or ssh, no messages will be displayed to your terminal.

AOIP.ORG_Switch(config)# interface fa0/6

Enter the interface that I wish to configure the port security on

AOIP.ORG_Switch(config-if)# switchport mode access

In order for port security to be used, the port MUST be an access port, this command defines that

AOIP.ORG_Switch(config-if)# switchport port-security

This enables the port security feature, and allows me to define the commands below.

AOIP.ORG_Switch(config-if)# switchport port-security maximum 1

I have chosen to only allow 1 mac-address to be learned on this port. At any point if more than 1 mac address was to be discovered, the violation action I define will come into effect.

AOIP.ORG_Switch(config-if)# switchport port-security mac-address aaaa.bbbb.cccc

I have further secured the switch port by defining what mac address is allowed to be learned on this port. If a machine is plugged into this port that does NOT have this mac-address, the violation action will take effect.

AOIP.ORG_Switch(config-if)# switchport port-security violation shutdown

I have 3 choices when defining the violation action

                1/ protect – The switch will drop packets until the violation has been removed

                2/ restrict – This is the same as protect, however it also causes the Security/Violation counter to increment

                3/ shutdown – This will put the interface into a error-disabled state and send an SNMP trap notification

I have chosen the more harsh of the options, and the port will be shut if any of my conditions (more than 1 mac address is learned on the port, and if that one mac address is not aaaa.bbbb.cccc)

AOIP.ORG_Switch(config-if)# exit

AOIP.ORG_Switch(config)# exit

AOIP.ORG_Switch# show port-security interface f 0/6

The first time I ran this command in the live demo, you will notice the configuration on the port that I had just made, however there are no violations recorded. Shortly afterwards, I plugged a device into port f0/6 that DID NOT have the mac address aaaa.bbbb.cccc which caused a violation. You will notice I received error messages on screen (thanks to term mon), and when I run the show port-security command again, you will notice the violation count has incremented.

Additional commands I could have used are.

AOIP.ORG_Switch(config-if)# switchport port-security aging time 5

If you have configured the switch to allow 5 mac addresses to be learned dynamically, those addresses will be kept in the database until the aging time has expired. This command will set the aging time to 5 minutes, which overrides my switches default value of 20 minutes.

AOIP.ORG_Switch(config-if)# no switchport port-security aging

This will DISABLE the aging time.

In order to activate a port that has been put into ‘error-disabled’ state. Shut the port, and no shut it afterwards. If the violation has not been removed, the port will revert back to error-disabled.

Related posts:

1. Configuring a Trunk port on a Cisco Switch
2. Configuring an Access port on a Cisco switch
3. Configuring an IP address and Default-Gateway on a Cisco Switch