Let’s assume the following for this example

• We have 2 public IP addresses (192.168.1.1 & 192.168.1.2)
• The IP address on the outside interface has been configured to use PAT for all internal IP addresses for Internet access (192.168.1.1)
• I have a DMZ with 3 servers, FTP, E-mail, and Web Server (10.0.1.1, 10.0.1.2 & 10.0.1.3 respectively)
• I need my 3 DMZ servers to be reachable from the Internet.

The above scenario poses a slight problem. If I have already used one of my public addresses for PAT to allow all internal hosts to access the Internet, I only have one IP address left but I require 3 static NAT entries to be created. In my post on Static NAT we saw that we configure NAT to map on a one-to-one basis, so in this scenario I would require 3 IP addresses, one for each of my DMZ servers.

The nice thing about the above scenario, is that each of the three servers is hosting a totally different service and therefore each requires different ports to be accessible from the Internet. This allows me to create static NAT’s that specify the ports, a type of overload function.

FTP would require ports 20,21 to be allowed
E-mail would require port 25 to be opened, and possibly 143 and 110 if you are using IMAP or POP
Web Server will require port 80, and possibly 443 if there is any SSL been used (https).

The above can be configured in the following way (interfaces would need to be configured as inside and outside as well, as seen here)

AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.1 192.168.1.2 20
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.1 192.168.1.2 21

AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.2 192.168.1.2 25
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.2 192.168.1.2 143
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.2 192.168.1.2 110

AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.3 192.168.1.2 80
AOIP.ORG (config) # ip nat inside source static tcp 10.0.1.3 192.168.1.2 443

Related posts:

1. Configuring Static NAT on Cisco Routers
2. Configuring PAT on Cisco Routers (NAT Overload)
3. NAT (Network Address Translation)

The enable password by default is saved in clear text so when looking at the running-configuration of the router you will be able to read the password. It is possible to encrypt this password using the service password-encryption command.

The service password-encryption command will also encrypt all other clear text passwords on your router including the VTY, AUX, Console and User passwords. Although the service password-encryption command encrypts your passwords so you can no longer read them in the running-configuration, the encryption algorithm is not very secure.

If we look at the running-configuration of my router in the article Setting the enable password and secret on a Cisco device , you will see that after the service password-encryption command was issued the password was stored in the running-configuration as

Enable password 7  12180A1E02

The number ‘7’ tells me the type of password, the rest of the number is the password in its encrypted format.

Copy and paste with password without the ’7′ into the below form, and see just how easy it is to decrypt the enable password.

NOTE: Please only use the below form for password recovery and demonstration purposes!

Related posts:

1. Setting the enable password and secret on a Cisco device
2. Hashing, What is it and how does it work?
3. How encryption works

As an additional method for securing your Cisco devices, it’s a good idea to bind an ACL (Access Control List) to the VTY’s (Virtual Terminal Lines). This will only allow IP addresses included in the ACL to create a connection to the device in addition to needing the password for the lines.

If we look at the diagram below, I might want to restrict telnet access into R1 so telnet will only be allowed to take place from AOIP.ORG and not from any other device or computer.

 In order to achieve the above, the following commands would need to be configured.

R1# conf t

R1(config)# access-list 1 permit host 192.168.1.10 log

Create a standard access-list (only checks the source address) and include the ‘log’ command so I will be able to see how many times the ACL has been matched. I don’t have to include any deny statements since there is always a implicit deny any statement at the end of every ACL

R1(config)# line vty 0 4

Enter the Virtual lines

R1(config-line)# access-class 1 in

Attach the ACL to the virtual lines for traffic inbound to the router.

Below is the live demo.

Related posts:

1. Configuring VTY Access
2. IP Address Spoofing Mitigation with Access Control Lists (ACL)
3. Mitigating SubSeven attacks

Syslog messages allow us to track system error messages, exceptions, and other information, such as device configuration changes.

It allows for historical reporting, depending on the application keeping the logs, as well as help in fault finding.

Cisco devices support 8 levels of logging information from Facility level 0 through 7

To enable Syslog 2 things are required

                1/ Configuration on the device to send Syslog messages

                2/ An application that will receive the messages and store them in a database.

In the below live demo, you will see my putty screen with my telnet session into my router, and behind it you will see my Syslog application. There are many of these products on the market, each with its own pro’s and con’s, so use whatever you prefer. In my Live demo I am using an application called  ‘Syslog Watcher Personal Edition’, it’s a very easy to use application and is freeware. You will notice after I configured logging on the router, the log messages appear in my application.

The command breakdown for the live demo is as follows

AOIP.ORG# conf t

AOIP.ORG(config)# logging 192.168.1.1

This instructs the router to send Syslog messages to my application hosted on a machine with the IP 192.168.1.1

AOIP.ORG(config)# logging trap info

I have chosen to have level 6 messages sent to my application.

Additionally you could have used the ‘service timestamps log datetime localtime’ command to force the time on the logs.

If you still do not see any log messages after using the above commands, make sure that logging has not been disabled on the device. To force logging on a Cisco device use the ‘logging on’ command.

Related posts:

1. Cisco Router Login Lockdown
2. Configuring PAT on Cisco Routers (NAT Overload)
3. Configuring the Console port on a Cisco Device