PAT or otherwise known as NAT overload, allows you to translate IP addresses in a many-to-one method.
In my previous post on Configuring Dynamic NAT we saw that we can NAT many-to-many  but this was limited by the amount of public addresses that you have available. In cases such as home ADSL, your ISP will only issue you with a single public IP address but you might have 2 or more devices that need to access the Internet at any given time. This is where PAT takes over and makes this all possible.

As with any NAT configuration we need to first define our inside and outside interfaces. In this example I’ll use FastEthernet 0/0 as my inside, and Serial 0 as my outside.

AOIP.ORG (config) # interface FastEthernet 0/0
AOIP.ORG (config-if) # ip nat inside
AOIP.ORG (config-if) # interface Serial 0
AOIP.ORG (config-if) # ip nat outside

The next step is to define which addresses in my inside network I want to allow to be translated. Let’s assume my inside IP address range is 10.0.1.0 /24

AOIP.ORG (config) # access-list 1 permit 10.0.1.0 0.0.0.255 (Using a standard access-list is the easiest way to achieve this)

Then I need to configure the address that will be used by my internal IP addresses for accessing the outside interface. This can be done in 2 ways.

Option 1:
If I only have 1 public IP address, which is the case with home ADSL, the router will already have that IP address allocated to it by your ISP. The only thing I can do is tell the router to share that address with my internal hosts.

AOIP.ORG (config) # ip nat inside source list 1 Serial 0 overload (This defines my access-list 1 as the source addresses, and tell them to be translated into the same IP address that is configured on Serial 0. The overload command tells the router that it needs to keep track of all the source and destination ports so the IP address can be used multiple times, overloaded)

Option 2:
If I have a second public IP address that I would like to use for Internet browsing, I can configure PAT for that IP address.

AOIP.ORG (config) # ip nat inside source list 1 192.168.1.1 overload (Same as the above command, but I’ve specifically told the router which IP address to translate my internal hosts into)

This option is fantastic if you have multiple public addresses and you want to segment your Internet browsing based on departments or geographic locations. For example
Marketing – 10.1.0.0 /24
Sales – 10.2.0.0 /24
Technical – 10.3.0.0 /24

I can have each of the above departments using their own public IP address, which will make log files easier to read when tracking Internet use and for troubleshooting connection errors.

access-list 2 permit 10.1.0.0 0.0.0.255
access-list 3 permit 10.2.0.0 0.0.0.255
access-list 4 permit 10.3.0.0 0.0.0.255
ip nat inside source list 2 192.168.1.2 overload
ip nat inside source list 3 192.168.1.3 overload
ip nat inside source list 4 192.168.1.4 overload

Related posts:

1. Configuring Dynamic NAT on Cisco Routers
2. Configuring Static NAT on Cisco Routers
3. Static NAT overloaded???

Dynamic NAT allows us to translate many IP addresses into a pool of many IP addresses. The big thing to realize here is that the pool does not need to contain enough IP addresses to translate all the internal addresses at the same time, as would be the case if we used Static NAT. Dynamic NAT allows internal hosts to be translated into an IP address in the pool when it requires a connection. Once the internal host has finished it’s session the NAT entry is removed from the NAT table allowing another internal host to use the external IP address for it’s session.

Assume we have 50 hosts in our inside network but only have 5 public IP addresses available to use. With Dynamic NAT we can allow all 50 internal addresses to share the 5 public addresses as and when they need them. This of course does impose a limit of only 5 simultaneous connections to the outside world and that is where PAT would come in and solve that problem.

On of the benefits of using Dynamic NAT vs Static NAT, is that Dynamic NAT requires the session to originate from the inside network. No outside connections can be established to the inside network. This is obviously a more secure solution as connections from the outside won’t work; only traffic originating from the inside will be translated. Static NAT is different in the fact that the entry is added to the NAT table on a permanent basis and will allow connections in either direction.

Here are the steps to configure Dynamic NAT on a Cisco Router.

Step 1 : I need to define the IP address range that will be translated (my inside IP addresses). I can do this with a standard access-list

AOIP.ORG (config)# access-list 1 permit 10.0.1.0 0.0.0.255 (don’t forget, access-lists use wildcard masks, not subnet masks)

Step 2 : I need to configure the range of addresses that my internal network will be translated into by using a NAT pool.

AOIP.ORG (config) # ip nat pool MY_POOL 10.50.1.1 10.50.1.5 netmask 255.255.255.0 (There are 5 IP addresses that can be used for translation in this example)

Step3 : Define inside and outside interfaces

AOIP.ORG (config) # interface FastEthernet 0/0
AOIP.ORG (config-if) # ip nat inside
AOIP.ORG (config-if) # interface Serial 0
AOIP.ORG (config-if) # ip nat outside

Step 4 : Configure the translation to take place.

AOIP.ORG (config) # ip nat inside source list 1 pool MY_POOL (List 1 is my access-list that defined my inside IP addresses, MY_POOL defined the IP addresses to be used for the translation)

Related posts:

1. Configuring PAT on Cisco Routers (NAT Overload)
2. Configuring Static NAT on Cisco Routers
3. NAT (Network Address Translation)

The name SubSeven was derived by reversing the word Netbus (also a famous backdoor program) and replacing with the world ‘ten’ with ‘seven’

netbus = subten = subseven

In order to mitigate this application from attacking your network the following Access-list can be configured on your routers interfaces. Most Anti-Virus programs will also prevent it from attacking your machine.

AOIP.ORG(config)# access-list 100 deny tcp any any eq 1243 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 2773 log

AOIP.ORG(config)# access-list 100 deny tcp any any range 6711 6713 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 6776 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 7000 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 7215 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 27374 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 27573 log

AOIP.ORG(config)# access-list 100 deny tcp any any eq 54283 log

AOIP.ORG(config)# access-list 100 permit ip any any

AOIP.ORG(config)# interface fa0/0

AOIP.ORG(config-if)# ip access-group 100 in

AOIP.ORG(config-if)# exit

AOIP.ORG(config)# interface fa0/1

AOIP.ORG(config-if)# ip access-group 100 in

AOIP.ORG(config-if)# exit

AOIP.ORG(config)#

Related posts:

1. Mitigating Smurf DoS Attacks
2. IP Address Spoofing Mitigation with Access Control Lists (ACL)
3. DoS TCP SYN Attack Mitigation

The enable password by default is saved in clear text so when looking at the running-configuration of the router you will be able to read the password. It is possible to encrypt this password using the service password-encryption command.

The service password-encryption command will also encrypt all other clear text passwords on your router including the VTY, AUX, Console and User passwords. Although the service password-encryption command encrypts your passwords so you can no longer read them in the running-configuration, the encryption algorithm is not very secure.

If we look at the running-configuration of my router in the article Setting the enable password and secret on a Cisco device , you will see that after the service password-encryption command was issued the password was stored in the running-configuration as

Enable password 7  12180A1E02

The number ‘7’ tells me the type of password, the rest of the number is the password in its encrypted format.

Copy and paste with password without the ’7′ into the below form, and see just how easy it is to decrypt the enable password.

NOTE: Please only use the below form for password recovery and demonstration purposes!

Related posts:

1. Setting the enable password and secret on a Cisco device
2. Hashing, What is it and how does it work?
3. How encryption works

A Smurf works on a weakness of IP and ICMP by sending an ICMP packet to the broadcast address of a network. For example, I could send an ICMP (Ping packet) to every computer on the network 192.168.1.0 /24

I would do this by sending an ICMP packet to the address 192.168.1.255. This would result in every computer in that network (possibly 254 machines) sending me an echo-reply message. So far, this is not the end of the world, however Smurf adds ip spoofing to the equation…

When someone does a Smurf attack, the first thing that they do is an IP Spoof to make the their IP address look like an internal address. For example, I would spoof my address to have a source IP address of 192.168.1.10. Let’s assume that the IP address 192.168.1.10 was the Domain Controller, or perhaps the E-mail or Web server of that network. If I was to now send multiple echo packets to the destination address 192.168.1.255, every machine on that network would now send a echo-reply to the source IP of 192.168.1.10 (The internal server). This means I have just caused every machine on the target network to attack the internal target machine with echo-replies. Of course this is not the end of the world if this happens once or twice, but what if I did this a few thousand, or a few hundred thousand times? What if the target network was larger and had more than 254 machines? On a larger scale this could cause the target machine to be so over loaded with echo-replies that its network card becomes saturated to a point where its prevented from doing its job… denying it from doing it’s service… “Denial of Service” (DoS). Since this attack is not coming from me directly, and I’m forcing multiple machines to attack a single host, this now becomes a “Distributed Denial of Service” (DDos) attack.

So in order for us to prevent Smurf attacks happening on our networks, we need to make sure we block directed broadcast traffic coming into our network.

Below is the configuration required to stop Smurf Attacks. Use the diagram as a reference for the ACL’s

AOIP.ORG(config)# access-list 101 deny ip any host 192.168.1.255 log

Deny the directed broadcast

AOIP.ORG(config)# access-list 101 permit ip any 192.168.1.0 0.0.0.255 log

Allow unicast traffic

AOIP.ORG(config)# interface fa0/0

AOIP.ORG(config-if)# ip access-group 101 in

Attach the ACL to the interface for inbound traffic

AOIP.ORG(config-if)# exit

Now for the other direction……

AOIP.ORG(config)# access-list 102 deny ip any host 10.0.1.255 log

Deny the directed broadcast

AOIP.ORG(config)# access-list 102 permit ip any 10.0.1.0 0.0.0.255 log

Allow unicast traffic

AOIP.ORG(config)# interface fa0/1

AOIP.ORG(config-if)# ip access-group 102 in

Attach the ACL to the interface for inbound traffic

AOIP.ORG(config-if)# exit

AOIP.ORG(config)#

In the above configuration we have now mitigated Smurf attacks from either network segments in either direction.

Related posts:

1. Mitigating SubSeven attacks
2. IP Address Spoofing Mitigation with Access Control Lists (ACL)
3. DoS TCP SYN Attack Mitigation

Most, but not all, of the spoofing attacks that take place start with someone on the outside of your network spoofing their IP address to make it look like they are part of the inside of your network. Since all private networks worldwide follow the standards of RFC 1918, knowing what IP addresses a company is using inside their network is not complex.

RFC 1918 defines that the following IP addresses are usable inside private networks.

10.0.0.0 – 10.255.255.255

172.16.0.0 – 172.31.255.255

192.168.0.0 – 192.168.255.255

Based on the above, the most obvious first step is to deny traffic that has a source IP address inside the RFC 1918 block that is coming into your network from the outside interface. The outside interface should have outside (public) IP addresses as their source. There would be no valid reason for an IP address on the outside of your network falling within that range.

Further to the RFC 1918 block of addresses, we also need to block any source coming from the following:

local loopback (127.0.0.1)

network address (0.0.0.0)

broadcast address (255.255.255.255)

Private multicast range (224.0.0.0 /4 )

Here is the configuration breakdown for the above scenario

AOIP.ORG(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log

AOIP.ORG(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log

AOIP.ORG(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log

The above are the RFC 1918 Unicast IP addresses

AOIP.ORG(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log

Local loopback restriction

AOIP.ORG(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log

Network address restriction

AOIP.ORG(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any log

Private multicast range restriction

AOIP.ORG(config)# access-list 100 deny ip host 255.255.255.255 any log

Broadcast source address restriction

AOIP.ORG(config)# access-list 100 permit ip any 192.168.1.0 0.0.0.255

There is an implicit deny any at the bottom of every access list, so without a permit statement, NO traffic would be allowed. In the above entry I have allowed any traffic to go to the destination address 192.168.1.0 /24 (My internal network)

AOIP.ORG(config)# interface fa0/0

For example purposes FastEthernet 0/0 is my outside interface

AOIP.ORG(config-if)# ip access-group 100 in

I have applied this ACL inbound, which will also protect the router from been attacked.

AOIP.ORG(config-if)# exit

AOIP.ORG(config)#

Not only do we want to prevent people from the outside of our network ‘pretending’ they are inside our network, we also want to prevent our inside people from spoofing to a different IP address as well. The above configuration had a focus on traffic INBOUND to our network, the below configuration is focused on preventing OUTBOUND traffic from spoofing.

AOIP.ORG(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any

The only range that is allowed to transmit is my internal network, in this case 192.168.1.0 /24

AOIP.ORG(config)# access-list 105 deny ip any any log

Although there is an implicit ‘deny any’ at the end of all ACL’s, I have included this with the log statement so I can see how many attempts have been made by internal machines to spoof their address before leaving the network

AOIP.ORG(config)# interface fa0/1

For example purposes, interface FastEthernet 0/1 is my inside interface

AOIP.ORG(config-if)# ip access-group 105 in

I have applied this ACL inbound, which will also protect the router from been attacked.

AOIP.ORG(config-if)# exit

AOIP.ORG(config)#

Related posts:

1. Mitigating Smurf DoS Attacks
2. DoS TCP SYN Attack Mitigation
3. Mitigating SubSeven attacks

As an additional method for securing your Cisco devices, it’s a good idea to bind an ACL (Access Control List) to the VTY’s (Virtual Terminal Lines). This will only allow IP addresses included in the ACL to create a connection to the device in addition to needing the password for the lines.

If we look at the diagram below, I might want to restrict telnet access into R1 so telnet will only be allowed to take place from AOIP.ORG and not from any other device or computer.

 In order to achieve the above, the following commands would need to be configured.

R1# conf t

R1(config)# access-list 1 permit host 192.168.1.10 log

Create a standard access-list (only checks the source address) and include the ‘log’ command so I will be able to see how many times the ACL has been matched. I don’t have to include any deny statements since there is always a implicit deny any statement at the end of every ACL

R1(config)# line vty 0 4

Enter the Virtual lines

R1(config-line)# access-class 1 in

Attach the ACL to the virtual lines for traffic inbound to the router.

Below is the live demo.

Related posts:

1. Configuring VTY Access
2. IP Address Spoofing Mitigation with Access Control Lists (ACL)
3. Mitigating SubSeven attacks

In this tutorial I’m going to explain how to use this command, and different options available using it.

Below is the breakdown of the commands I used in the live demo, and an explanation of each.

AOIP.ORG_Switch# terminal monitor

Since I was connected to my switch via telnet, and I knew there were going to be messages from the switch, I needed to configure Terminal Monitor so I would have these messages sent to my telnet session. By default when connected to a Cisco device via telnet or ssh, no messages will be displayed to your terminal.

AOIP.ORG_Switch(config)# interface fa0/6

Enter the interface that I wish to configure the port security on

AOIP.ORG_Switch(config-if)# switchport mode access

In order for port security to be used, the port MUST be an access port, this command defines that

AOIP.ORG_Switch(config-if)# switchport port-security

This enables the port security feature, and allows me to define the commands below.

AOIP.ORG_Switch(config-if)# switchport port-security maximum 1

I have chosen to only allow 1 mac-address to be learned on this port. At any point if more than 1 mac address was to be discovered, the violation action I define will come into effect.

AOIP.ORG_Switch(config-if)# switchport port-security mac-address aaaa.bbbb.cccc

I have further secured the switch port by defining what mac address is allowed to be learned on this port. If a machine is plugged into this port that does NOT have this mac-address, the violation action will take effect.

AOIP.ORG_Switch(config-if)# switchport port-security violation shutdown

I have 3 choices when defining the violation action

                1/ protect – The switch will drop packets until the violation has been removed

                2/ restrict – This is the same as protect, however it also causes the Security/Violation counter to increment

                3/ shutdown – This will put the interface into a error-disabled state and send an SNMP trap notification

I have chosen the more harsh of the options, and the port will be shut if any of my conditions (more than 1 mac address is learned on the port, and if that one mac address is not aaaa.bbbb.cccc)

AOIP.ORG_Switch(config-if)# exit

AOIP.ORG_Switch(config)# exit

AOIP.ORG_Switch# show port-security interface f 0/6

The first time I ran this command in the live demo, you will notice the configuration on the port that I had just made, however there are no violations recorded. Shortly afterwards, I plugged a device into port f0/6 that DID NOT have the mac address aaaa.bbbb.cccc which caused a violation. You will notice I received error messages on screen (thanks to term mon), and when I run the show port-security command again, you will notice the violation count has incremented.

Additional commands I could have used are.

AOIP.ORG_Switch(config-if)# switchport port-security aging time 5

If you have configured the switch to allow 5 mac addresses to be learned dynamically, those addresses will be kept in the database until the aging time has expired. This command will set the aging time to 5 minutes, which overrides my switches default value of 20 minutes.

AOIP.ORG_Switch(config-if)# no switchport port-security aging

This will DISABLE the aging time.

In order to activate a port that has been put into ‘error-disabled’ state. Shut the port, and no shut it afterwards. If the violation has not been removed, the port will revert back to error-disabled.

Related posts:

1. Configuring a Trunk port on a Cisco Switch
2. Configuring an Access port on a Cisco switch
3. Configuring an IP address and Default-Gateway on a Cisco Switch

Syslog messages allow us to track system error messages, exceptions, and other information, such as device configuration changes.

It allows for historical reporting, depending on the application keeping the logs, as well as help in fault finding.

Cisco devices support 8 levels of logging information from Facility level 0 through 7

To enable Syslog 2 things are required

                1/ Configuration on the device to send Syslog messages

                2/ An application that will receive the messages and store them in a database.

In the below live demo, you will see my putty screen with my telnet session into my router, and behind it you will see my Syslog application. There are many of these products on the market, each with its own pro’s and con’s, so use whatever you prefer. In my Live demo I am using an application called  ‘Syslog Watcher Personal Edition’, it’s a very easy to use application and is freeware. You will notice after I configured logging on the router, the log messages appear in my application.

The command breakdown for the live demo is as follows

AOIP.ORG# conf t

AOIP.ORG(config)# logging 192.168.1.1

This instructs the router to send Syslog messages to my application hosted on a machine with the IP 192.168.1.1

AOIP.ORG(config)# logging trap info

I have chosen to have level 6 messages sent to my application.

Additionally you could have used the ‘service timestamps log datetime localtime’ command to force the time on the logs.

If you still do not see any log messages after using the above commands, make sure that logging has not been disabled on the device. To force logging on a Cisco device use the ‘logging on’ command.

Related posts:

1. Cisco Router Login Lockdown
2. Configuring PAT on Cisco Routers (NAT Overload)
3. Configuring the Console port on a Cisco Device

The other major reason for IOS upgrades is to fix bugs that Cisco may have found in the software.

The 2 most common ways to do an upgrade are

                1/ Take the Flash card out the router, plug it into a card reader and paste the new file on the card. Replace the card in the router and reboot.

                2/ Copy the file over the network using a protocol like TFTP.

When copying the IOS over the network, the router will check to confirm it has enough storage space to accommodate the file. It will often ask to erase the flash before copying the new image. Before erasing the flash on the router, make sure there are no other files on the flash that you might need. If there are files that you will require, make sure you have made a backup of them before erasing!

Here are the steps for upgrading via the network.

1/ Run your TFTP server and confirm it’s hosting the IOS that you wish to upgrade to

2/ Configure the following on the router

 AOIP.ORG# copy tftp: flash:

Address or name of remote host []? 192.168.1.1

Source filename []? c1841-ipbase-mz.124-5b.bin

Destination filename [c1841-ipbase-mz.124-5b.bin]?

%Warning: There is a file already existing with this name

Do you want to over write? [confirm]

In the example above, I had chosen to upgrade to the same image that was already loaded on the router. Although not a practical solution, it does show the commands to upgrade.

Below you will see the different output when I chose a different file.

AOIP.ORG# copy tftp: flash:

Address or name of remote host [192.168.1.1]?

Source filename [c1841-ipbase-mz.124-5b.bin]? c1841.bin

Destination filename [c1841.bin]?

Accessing tftp://192.168.1.1/c1841.bin…

Loading c1841.bin from 192.168.1.1 (via FastEthernet0/0): !

%Error copying tftp://192.168.1.1/c1841.bin (Not enough space on device)

Again, I have received an error message, this time due to lack of free space on my flash card on the router. I would then have a chance to confirm there are no files on the flash that I need to keep before erasing the flash. If there are files I need to retain, make sure you back them up before erasing!

Make sure that you have already confirmed that the router physically has enough flash to be able to support the image you wish to install. You can see how much Flash is available and installed by using the ‘show flash:’ and ‘show version’ commands

Depending on the router model, you can erase the contents of the flash by typing

AOIP.ORG# erase flash:

OR

AOIP.ORG# erase nvram:

After the flash has been erased, you would then be able to copy the file from the tftp server.

Below is a live demo of an upgrade.

Related posts:

1. Backing Up the Running-Config and IOS
2. Restoring Cisco Router Configuration
3. Configuring DHCP on a Cisco router