Showing examples of dynamic NAT, static NAT and NAT overload (PAT) configuration on Router1.
Configuring NAT Overload on Router1:
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.224
ip nat inside
interface Serial0/1/0
ip address 62.0.0.2 255.255.255.0
ip nat outside
! The pool holds only the Serial0/1/0 address; "overload" lets every inside host share it, told apart by source port
ip nat pool natpool 62.0.0.2 62.0.0.2 netmask 255.255.255.0
ip nat inside source list 1 pool natpool overload
! Equivalent shorthand that needs no pool: ip nat inside source list 1 interface Serial0/1/0 overload
! ACL 1 selects which inside sources are eligible for translation (the whole 10.0.0.0/27)
access-list 1 permit 10.0.0.0 0.0.0.31
Configuring Static NAT on Router1:
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.224
ip nat inside
interface Serial0/1/0
ip address 62.0.0.2 255.255.255.0
ip nat outside
! One-to-one and permanent: each inside host is also reachable from outside on its public address
ip nat inside source static 10.0.0.2 62.0.0.2
ip nat inside source static 10.0.0.3 62.0.0.4
! 62.0.0.2 is Serial0/1/0's own address; in practice map to spare addresses (like 62.0.0.4) so inbound traffic for the router is not handed to an inside host
Configuring Dynamic NAT on Router1:
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.224
ip nat inside
interface Serial0/1/0
ip address 62.0.0.2 255.255.255.0
ip nat outside
! Two public addresses for the whole 10.0.0.0/27: once both are leased, further hosts are dropped until a translation times out
ip nat pool natpool 62.0.0.3 62.0.0.4 netmask 255.255.255.0
ip nat inside source list 1 pool natpool
access-list 1 permit 10.0.0.0 0.0.0.31
Network Address Translation (NAT) allows private IPv4 addresses to be translated to a public IPv4 address so that hosts on a private network can communicate over the Internet. This conserves public addresses: not every device needs one of its own, and if every device did, the IPv4 space would have been exhausted far sooner than it was.
NAT overload goes further and lets many private IPv4 addresses share a single public address, which is where most of the saving comes from.
There are three different types of NAT.
Static NAT – A one-to-one translation: one private IP address is permanently mapped to one public IP address. Because the mapping is fixed, the inside host is also reachable from the outside on that public address.
Dynamic NAT – Addresses are handed out from a pool on demand, so you don't have to map each host statically, but you still need as many public addresses as there are hosts being translated at the same time; when the pool is empty, new translations are dropped until an old one times out.
Overloading (PAT) – A many-to-one translation: many private IP addresses are translated to one public IP address, kept apart by source port. Kinda cool, right? This is the main reason the shortage of IPv4 addresses has been bearable for as long as it has.
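To make the three modes concrete, here is a small Python model of an inside-source NAT table. It is an added illustration, not Cisco IOS code and not from the original page. It uses the page's addresses: a dynamic pool of 62.0.0.3-62.0.0.4, an overload pool of the single address 62.0.0.2, and the two static entries. The port-reuse rule for PAT (keep the original source port when it is free, otherwise take the lowest free port from 1024) is an assumption made for the demo, not a statement about how IOS allocates ports.

```python
"""Toy model of inside-source NAT in the three modes described above: static
one-to-one, dynamic pool, and overload (PAT).  Added illustration only, not
Cisco IOS code; the inside/outside addresses are the ones from the configs on
this page."""
import itertools


class InsideSourceNat:
    def __init__(self, pool=(), overload=False, static=None):
        self.pool = list(pool)            # public addresses the router may allocate
        self.overload = overload          # True = PAT: one public address shared via ports
        self.static = dict(static or {})  # inside ip -> public ip, configured one-to-one
        self.leases = {}                  # inside ip -> public ip handed out from the pool
        self.ports_in_use = {}            # public ip -> set of public ports in use (PAT only)
        self.table = {}                   # (inside ip, port) -> (public ip, port)
        self.reverse = {}                 # (public ip, port) -> (inside ip, port)  (PAT only)

    def _public_address(self, inside_ip):
        """Pick the public address for an inside host, or None if none is available."""
        if inside_ip in self.static:
            return self.static[inside_ip]
        if inside_ip in self.leases:
            return self.leases[inside_ip]
        if self.overload:
            addr = self.pool[0]           # simplification: one shared address, as in the config above
        else:
            taken = set(self.leases.values())
            free = [a for a in self.pool if a not in taken]
            if not free:
                return None               # dynamic NAT with an exhausted pool: packet is dropped
            addr = free[0]
        self.leases[inside_ip] = addr
        return addr

    def translate(self, inside_ip, inside_port):
        """Inside -> outside packet. Returns (public ip, public port), or None if dropped."""
        key = (inside_ip, inside_port)
        if key in self.table:
            return self.table[key]
        public_ip = self._public_address(inside_ip)
        if public_ip is None:
            return None
        public_port = inside_port         # static and dynamic NAT leave the port alone
        if self.overload:
            used = self.ports_in_use.setdefault(public_ip, set())
            if public_port in used:
                # Assumption for the illustration: keep the original source port when it is
                # free on the public address, otherwise take the lowest free port >= 1024.
                public_port = next(p for p in itertools.count(1024) if p not in used)
            used.add(public_port)
            self.reverse[(public_ip, public_port)] = key
        self.table[key] = (public_ip, public_port)
        return self.table[key]

    def untranslate(self, public_ip, public_port):
        """Outside -> inside packet. Returns (inside ip, port), or None if nothing matches."""
        if self.overload:
            # PAT needs an existing (address, port) entry; unsolicited inbound traffic has none.
            return self.reverse.get((public_ip, public_port))
        # Static and dynamic entries map a whole address, so any port is forwarded.
        for inside_ip, pub in {**self.leases, **self.static}.items():
            if pub == public_ip:
                return (inside_ip, public_port)
        return None


if __name__ == "__main__":
    dynamic = InsideSourceNat(pool=["62.0.0.3", "62.0.0.4"])
    for host in ("10.0.0.2", "10.0.0.3", "10.0.0.4"):
        print("dynamic ", host, "->", dynamic.translate(host, 40000))  # third host gets None
    pat = InsideSourceNat(pool=["62.0.0.2"], overload=True)
    for host in ("10.0.0.2", "10.0.0.3", "10.0.0.4"):
        print("overload", host, "->", pat.translate(host, 40000))      # same address, ports differ
    print("unsolicited inbound to 62.0.0.2:8080 ->", pat.untranslate("62.0.0.2", 8080))
```

Run it and the dynamic pool hands 62.0.0.3 and 62.0.0.4 to the first two hosts and drops the third, while the overload pool gives all three the same address with different ports. The untranslate() path shows the side effect that matters for security: a PAT entry only exists for traffic that went out first, so unsolicited inbound packets have nowhere to go (this is a convenience, not a firewall), whereas a static entry forwards everything sent to its public address straight to the inside host.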
Ensure the IP addresses and wildcard masks are entered correctly in the ACL (a wildcard bit of 0 means that bit must match and 1 means don't care, so 0.0.0.31 covers a /27)
Ensure the access-group is applied to an interface, in the right direction; an ACL that is not applied anywhere filters nothing
If no line matches, the traffic is denied: every ACL ends with an implicit deny, so a list containing only deny statements blocks everything
Access lists are read top to bottom and the first match wins, so a deny placed above a broader permit overrides it. The order of the ACL matters.
Remarks can be added to an ACL to make it easier to read later, using access-list <number> remark "This ACL blocks FTP"
I have created two access lists, one extended and one standard. The first is an extended access list to stop PC1 (10.0.0.2) from FTPing to the FTP server 10.0.0.35.
On Router1 the access list has been applied inbound on Fa0/0, as that is the interface closest to the source; an extended ACL can match on source, destination, protocol and port, so it is placed as close to the source as possible.
configure terminal
! Extended ACL: protocol, source, destination, then the destination port. The port operator goes after the address it belongs to;
! "deny tcp any eq ftp host 10.0.0.35" would test the client's source port, which is ephemeral, so FTP would not be blocked
access-list 101 deny tcp host 10.0.0.2 host 10.0.0.35 eq ftp
access-list 101 permit ip any any
interface fa0/0
ip access-group 101 in
When creating an access list, any traffic that matches no line hits the implicit deny at the end. That is why the second line permits all other IP traffic: without it, OSPF was no longer being advertised and there was no way to test that PC1 could still ping the FTP server, which is needed to verify connectivity and to confirm that only FTP was being blocked rather than all traffic.
The next access list is a standard access list. Its purpose is to deny host 10.0.0.2 from communicating with the 10.0.0.33 network, while host 10.0.0.3 can still ping the 10.0.0.33 network.
On Router0 the access list has been applied outbound on Fa0/0, as that is the interface closest to the destination; a standard ACL only matches on source address, so placing it near the source would cut 10.0.0.2 off from everything, not just this network.
configure terminal
! Standard ACL (numbers 1-99): matches on source address only, hence placed next to the destination
access-list 1 deny host 10.0.0.2
access-list 1 permit any
interface fa0/0
ip access-group 1 out
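The following Python evaluator, added as an illustration and not part of the original page or of IOS, implements the ACL rules listed earlier (wildcard matching, top-to-bottom first match, implicit deny, remarks ignored) for a subset of the numbered access-list syntax: permit/deny, ip/tcp/udp/icmp, any/host/address-wildcard, and eq/gt/lt on ports. Running the page's two ACLs through it shows why the port operator has to follow the destination address: with eq ftp placed after the source, PC1's FTP connection is permitted because its source port is ephemeral. It also shows host 10.0.0.3 passing ACL 1 while 10.0.0.2 is denied. The ACL lines and packets in the block are constructed inputs.

```python
"""First-match evaluator for Cisco-style numbered ACLs: wildcard masks, top-to-bottom
first match, implicit deny, remarks skipped.  Added illustration, not IOS code."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "domain": 53, "www": 80}
ANY = (0, 0xFFFFFFFF)      # (address, wildcard): every wildcard bit set means "don't care"

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _port(text):
    return PORT_NAMES[text] if text in PORT_NAMES else int(text)

def _parse_addr(tokens):
    """Consume one address spec -> ((address, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    try:                                      # "A.B.C.D W.W.W.W" with an explicit wildcard ...
        return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
    except (IndexError, ValueError):          # ... or a bare address, which IOS treats as a host
        return (_ip(tokens[0]), 0), tokens[1:]

def _parse_port(tokens):
    """Consume an optional eq/gt/lt operator -> (predicate or None, remaining tokens)."""
    ops = {"eq": lambda x, p: x == p, "gt": lambda x, p: x > p, "lt": lambda x, p: x < p}
    if tokens and tokens[0] in ops:
        op, p = ops[tokens[0]], _port(tokens[1])
        return (lambda x: op(x, p)), tokens[2:]
    return None, tokens

def _addr_ok(spec, ip):
    addr, wildcard = spec                     # wildcard bit 0 = must match, 1 = don't care
    return (_ip(ip) ^ addr) & (~wildcard & 0xFFFFFFFF) == 0

@dataclass
class Ace:
    text: str
    action: str
    proto: str                                # "ip" matches every protocol
    src: tuple
    dst: tuple
    sport: object = None
    dport: object = None

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not (_addr_ok(self.src, pkt["src"]) and _addr_ok(self.dst, pkt["dst"])):
            return False
        for pred, port in ((self.sport, pkt["sport"]), (self.dport, pkt["dport"])):
            if pred is not None and (port is None or not pred(port)):
                return False
        return True

def parse_acl(lines):
    aces = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] == "remark":
            continue                          # remarks document the list; they never match traffic
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if number <= 99 or 1300 <= number <= 1999:        # standard ACL: source address only
            src, rest = _parse_addr(rest)
            aces.append(Ace(line, action, "ip", src, ANY))
        else:                                             # extended: proto src [port] dst [port]
            proto, rest = rest[0], rest[1:]
            src, rest = _parse_addr(rest)
            sport, rest = _parse_port(rest)
            dst, rest = _parse_addr(rest)
            dport, rest = _parse_port(rest)
            aces.append(Ace(line, action, proto, src, dst, sport, dport))
    return aces

def evaluate(aces, pkt):
    """Top to bottom, first match wins; falling off the end is the implicit deny."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"

def packet(proto, src, dst, sport=None, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

# Constructed inputs: ACL 101 with "eq ftp" after the source (tests the client's source port) ...
ACL_101_SOURCE_PORT = ["access-list 101 deny tcp any eq ftp host 10.0.0.35",
                       "access-list 101 permit ip any any"]
# ... and with the port after the destination, where the FTP server actually listens.
ACL_101_DEST_PORT = ["access-list 101 deny tcp host 10.0.0.2 host 10.0.0.35 eq ftp",
                     "access-list 101 permit ip any any"]
ACL_1 = ["access-list 1 remark block PC1 only",
         "access-list 1 deny host 10.0.0.2",
         "access-list 1 permit any"]
FTP_FROM_PC1 = packet("tcp", "10.0.0.2", "10.0.0.35", sport=49152, dport=21)  # ephemeral source port

if __name__ == "__main__":
    print(evaluate(parse_acl(ACL_101_SOURCE_PORT), FTP_FROM_PC1))   # permitted by line 2
    print(evaluate(parse_acl(ACL_101_DEST_PORT), FTP_FROM_PC1))     # denied by line 1
    print(evaluate(parse_acl(ACL_1), packet("icmp", "10.0.0.3", "10.0.0.35")))  # permit
```

The address test is the actual wildcard semantics (XOR the packet address with the configured one, then keep only the bits the wildcard marks as significant), so it also handles non-contiguous wildcards that the ipaddress module cannot express. Feeding it a list with only deny lines returns the implicit deny for everything else, which is the behaviour behind the OSPF loss mentioned above.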