Deploying and Troubleshooting Network Address Translation


Title slide: Deploying and Troubleshooting Network Address Translation. Copyright. Printed in USA.

Agenda
The WWW of NAT: the Why, the What, and the Where
Pitfalls and How to Avoid Them
Tools for Deployment
VPN and Network Address Translation: Can They Get Along?
Dealing with Voice Elements
Questions and Answers

Why Use Network Address Translation?
IPv4 address shortage; IPv6 is still the future.
Security benefits: inside addressing is not exposed directly (NAT by itself is not access control; that still needs ACLs or a firewall).
Make network administrators' lives miserable!

What Is NAT, NAPT, PAT, Masquerading? (RFC 1631, since obsoleted by RFC 3022)
NAT, Network Address Translation: all IP traffic; layer 3 address rewrite; one-to-one mapping (one inside address to one outside address); think of a direct telephone line.
NAPT, Network Address Port Translation (PAT): originally planned for TCP, UDP and ICMP traffic; layer 3 and layer 4 address/port rewrite; many-to-one mapping (multiple inside addresses to one outside address); think of a phone number with an extension.

Why NAT or NAPT?
NAT has a better chance than NAPT of not breaking network applications.
Using one-to-one NAT for Internet access is rare these days: most ISPs hand out a single address, which limits you to NAPT.
NAPT is getting better thanks to application fixup support, so test first and deploy second.

Basic Concept of NAT (Example)
Outbound packet before NAT: Src Addr = inside local, Dest Addr = remote host.
Outbound packet after NAT: Src Addr = inside global, Dest Addr unchanged.
Return packet before NAT: Src Addr = remote host, Dest Addr = inside global.
Return packet after NAT: Dest Addr = inside local.
NAT changes the IP address in the IP header (and must recompute the IP and TCP/UDP checksums, since the transport pseudo-header covers the addresses).

Basic Concept of NAPT (Example)
Outbound packet before NAPT: Src Addr = inside local, Src Port 1506; Dest Addr = remote host, Dest Port 23.
Outbound packet after NAPT: Src Addr = inside global, Src Port = the port NAPT assigned to this flow; Dest Addr and Dest Port 23 unchanged.
Inbound (return) packet before NAPT: Src Port 23; Dest Addr = inside global, Dest Port = the assigned port.
Inbound packet after NAPT: Dest Addr = inside local, Dest Port 1506.
Port Address Translation (NAPT) extends NAT from one-to-one to many-to-one by associating the port information with each flow.

The Life of a Translated Packet: In the Beginning
The local host sends a packet (Src Addr = local, Dest Addr = remote) toward the NAT inside interface. No translation exists yet: the table is empty.

The Life of a Translated Packet: The Evolution
As the packet crosses the translation boundary from NAT inside to NAT outside, a translation mapping is created (Local IP = Global IP) and the packet leaves with the global source address. The return packet from the remote host matches that mapping and is rewritten back to the local address.

What Does the Translation Table Contain? It Depends
Cisco IOS-based device: translation applies to traffic going from NAT INSIDE to NAT OUTSIDE; simple or extended translation; the packet will pass, altered or not.
PIX: keyed on source interface and destination interface; always an extended translation; the packet is dropped if it is not translated.

Cisco IOS Simple Translation
Uses only the source IP to make its decisions; configuration options are limited to a standard or extended access list.
Router#show ip nat translation
Pro Inside global Inside local Outside local Outside global
--- <inside global> <inside local> --- ---
(A simple entry holds only the translated IP (inside global) and the source IP (inside local); the protocol and outside columns show ---.)

Cisco IOS Extended Translation
Uses the source IP, destination IP, port number, and protocol to make its decisions.
Always used if NAPT is involved (hint: the overload keyword); also used when route-maps are involved.
Router#show ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp <inside global>:<port> <inside local>:<port> <outside>:23 <outside>:23
tcp <inside global>:<port> <inside local>:<port> <outside>:23 <outside>:23
(Each row carries the protocol and the ports; here two telnet sessions to port 23 of the destination IP.)

PIX Translation
Looks at the source interface and the interface the packet will be routed out of to make its translation decision. No translation? No packet flow!
pixfirewall(config)# show xlate detail
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random, o - outside, r - portmap, s - static
TCP PAT from inside:<local>/1026 to outside:<global>/1024 flags ri
UDP PAT from inside:<local>/1028 to outside:<global>/1024 flags ri
ICMP PAT from inside:<local>/21505 to outside:<global>/0 flags ri

Different Kinds of Translation Mappings
Timers; static or dynamic; perspective: inside source or outside source.

Inside Static Translation
ip nat inside source static <inside local> <inside global>
The packet enters the ip nat inside interface; since we have a permanent mapping, the source address is changed from the inside local to the inside global address (before NAT: Src Addr = local; after NAT: Src Addr = global; Dest Addr unchanged).

Outside Static Translation
ip nat outside source static <outside global> <outside local>
A packet enters the ip nat outside interface; from the mapping, its source address is changed from the outside global to the outside local address (Dest Addr unchanged).

NAT Decision Process
Cisco IOS-based device: existing translation, then static translation, then dynamic translation; if nothing matches, the packet is routed untranslated if possible.
PIX firewall: existing translation, then nat 0 access-list <#> (exemption), then static, then nat 0 <network>, then nat <#>/global <#>; if nothing matches, the packet is dropped.

NAT or NAPT Selection
If you configure NAT only, it will always NAT; if you configure NAPT only, it will always NAPT.
For mixed mode (NAT and NAPT):
Cisco IOS-based device: NAPT all TCP/UDP/ICMP-based traffic, NAT all other protocols.
PIX: use all available NAT pools; once the pools are exhausted, NAPT all new connections until a NAT address is freed up.

Setting the Timers
We recommend that you do not change these values, since they affect the router on a global basis.
NAT-vpn-2503(config)# ip nat translation ?
  dns-timeout     Specify timeout for NAT DNS flows
  finrst-timeout  Specify timeout for NAT TCP flows after a FIN or RST
  icmp-timeout    Specify timeout for NAT ICMP flows
  max-entries     Specify maximum number of NAT entries
  port-timeout    Specify timeout for NAT TCP/UDP port specific flows
  syn-timeout     Specify timeout for NAT TCP flows after a SYN and no further data
  tcp-timeout     Specify timeout for NAT TCP flows
  timeout         Specify timeout for dynamic NAT translations
  udp-timeout     Specify timeout for NAT UDP flows
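The NAPT mechanics from the basic-concept slides and the timer behaviour above, as an added example written for this page (not code from the presentation or from Cisco): a toy translation table that allocates an inside-global port per flow, translates both directions, counts hits and misses the way show ip nat statistics reports them, and expires entries on per-protocol timers. The addresses, the inside prefix, the port range and the timer values are assumptions chosen for the example.

```python
"""Added example (not from the presentation): a toy NAPT translation table.

It models what the Cisco IOS 'extended' translation does: entries are keyed on
protocol, inside local (ip, port) and outside (ip, port); each new flow gets its
own inside-global port; hits/misses are counted the way 'show ip nat statistics'
reports them; and entries expire on per-protocol timers (tcp-timeout,
udp-timeout, icmp-timeout, finrst-timeout). Addresses, ports and timer values
below are assumptions made for the example, not taken from the deck.
"""
from dataclasses import dataclass, field

# Assumed timeouts in seconds; IOS defaults are 24 h TCP, 5 min UDP, 1 min ICMP, 1 min after FIN/RST.
TIMEOUTS = {"tcp": 86400, "udp": 300, "icmp": 60}
FINRST_TIMEOUT = 60


@dataclass
class Entry:
    proto: str
    inside_local: tuple    # (ip, port); for ICMP the "port" is the echo identifier
    inside_global: tuple
    outside: tuple         # outside local == outside global: no outside translation here
    last_used: float
    timeout: int


@dataclass
class Napt:
    global_ip: str                 # the single outside address (think: the Serial0 interface)
    inside_prefix: str = "10."     # assumed: only sources in 10/8 match the inside ACL
    next_port: int = 1024
    table: dict = field(default_factory=dict)
    hits: int = 0
    misses: int = 0
    expired: int = 0

    def outbound(self, proto, src, dst, now):
        """Inside -> outside. Returns the rewritten (proto, src, dst).
        A source that matches no translation rule is forwarded untranslated (IOS
        behaviour; a PIX would drop it)."""
        if not src[0].startswith(self.inside_prefix):
            return proto, src, dst
        key = (proto, src, dst)
        entry = self.table.get(key)
        if entry is None:
            self.misses += 1                       # lookup failed: create the translation
            entry = Entry(proto, src, (self.global_ip, self.next_port), dst, now, TIMEOUTS[proto])
            self.next_port += 1
            self.table[key] = entry
        else:
            self.hits += 1                         # lookup found an existing translation
        entry.last_used = now
        return proto, entry.inside_global, dst

    def inbound(self, proto, src, dst, now):
        """Outside -> inside. Matches on (proto, outside, inside global); returns the
        rewritten packet, or None when no translation exists (unsolicited inbound
        traffic has nowhere to go with NAPT)."""
        for entry in self.table.values():
            if entry.proto == proto and entry.outside == src and entry.inside_global == dst:
                self.hits += 1
                entry.last_used = now
                return proto, src, entry.inside_local
        return None

    def tcp_fin_rst(self, src, dst):
        """A FIN or RST on the inside flow shortens its life to finrst-timeout."""
        entry = self.table.get(("tcp", src, dst))
        if entry is not None:
            entry.timeout = FINRST_TIMEOUT

    def expire(self, now):
        """Remove idle entries; returns how many expired in this pass."""
        dead = [k for k, e in self.table.items() if now - e.last_used >= e.timeout]
        for k in dead:
            del self.table[k]
        self.expired += len(dead)
        return len(dead)

    def show_translations(self):
        """Rows in the column order of 'show ip nat translations'."""
        return [(e.proto, e.inside_global, e.inside_local, e.outside, e.outside)
                for e in self.table.values()]


if __name__ == "__main__":
    nat = Napt("203.0.113.1")
    print(nat.outbound("tcp", ("10.1.1.5", 1506), ("198.51.100.7", 23), now=0))
    print(nat.inbound("tcp", ("198.51.100.7", 23), ("203.0.113.1", 1024), now=1))
    print(nat.show_translations(), "hits", nat.hits, "misses", nat.misses)
```

The inbound lookup is a linear scan to keep the model readable; a real implementation indexes by (proto, global port). Note what the model makes visible: an unsolicited packet to a global port with no entry has no inside destination, which is the whole of the "security benefit" NAPT offers, and a FIN or RST collapses a 24-hour TCP entry to one minute, which is why idle-but-open sessions survive while closed ones disappear quickly.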

On the PIX
pixfirewall(config)# show xlate
1 in use, 1 most used
PAT Global <translated source address>(1024) Local <local address>(3729)
pixfirewall(config)# show conn
1 in use, 1 most used
TCP out <destination address>:3389 in <local address>:3729 idle 0:00:00 Bytes <count> flags UIO
pixfirewall(config)# show timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

Where Should Address Translation Be Used?
Between the corporate network and the Internet; between the corporate network and a business partner; between the corporate network and a home office; between test labs and the corporate network.

Section: Pitfalls and How to Avoid Them

Cisco IOS Pitfall: Packet Flow Outside to Inside
Order of operations for a packet arriving on the NAT outside interface: inbound ACL (only if the packet is encrypted), decryption, inbound ACL, NAT (global to local), routing, outbound ACL.
Pitfall: translation happens before routing, so the inbound ACL on the outside interface evaluates the untranslated (global) addresses while the routing decision already sees the local address.

Cisco IOS Pitfall: Packet Flow Inside to Outside
Order of operations for a packet arriving on the NAT inside interface: inbound ACL, policy routing, routing, NAT (local to global), encryption, outbound ACL.
Pitfall: routing and policy routing run before translation and see the local source address; everything after NAT, including the crypto map, sees the global address. A crypto ACL written with local addresses never matches traffic that was translated first (the VPN section returns to this).

PIX Pitfalls
Translations must be built for the packet to traverse the firewall.
Do not forget the PIX is also a firewall: include the appropriate access rules to allow the traffic flow.

NAT Deployment: Things to Know
Which networking device is being used.
Application-layer protocols that embed IP information in the payload.
Transport- and network-layer compliant applications.
OSI layers: Applications (5-7), Transport (4), Network (3), Datalink (2), Physical (1). NAT rewrites layer 3, NAPT layers 3 and 4; only an application fixup reaches into layers 5-7.

Considerations: Embedded IP
Inside: IP HDR Src IP = inside local; Data: IP = inside local.
After address translation, outside: IP HDR Src IP = x.x.x.x (inside global); Data: IP = still the inside local address, unless the translator understands the application.

Some Applications that Embed IP Address Information
DNS A and PTR queries
NetBIOS over TCP/IP (datagram, name, and session services)
NetMeeting 2.1, 2.11 and 3.01
FTP PORT and PASV commands
Voice elements: SIP, Skinny, MGCP, H.323, CTI

Overlapping Addresses
Static and global translations should not overlap any interface address.
A static translation should not be included in a dynamic pool range.
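What an application fixup for one of the protocols above actually has to do, as an added example written for this page (not the deck's or Cisco's code): an FTP PORT rewrite in the style of an application-layer gateway. The global address, the port it hands out and the sample control-channel command are constructed for the example; the class and function names are my own.

```python
"""Added example (not from the presentation): an FTP PORT 'fixup' of the kind an
application-layer gateway performs. Active-mode FTP puts the client's own
address and port into the control-channel payload, so a NAPT that rewrites
only IP/TCP headers leaves the server trying to connect back to a private
address. The global address, port range and sample command are constructed
for the example.
"""
import re

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line: bytes):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if malformed."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:    # each element must fit in one octet
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip: str, port: int) -> bytes:
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n".encode()


class FtpAlg:
    """Tracks one client->server FTP control connection through a NAPT."""

    def __init__(self, global_ip: str, first_port: int = 1040):
        self.global_ip = global_ip
        self.next_port = first_port
        self.expect = {}      # (global ip, global port) -> (local ip, local port) for the data connection
        self.seq_delta = 0    # bytes added to the client->server byte stream so far

    def fix_outbound_control(self, payload: bytes) -> bytes:
        """Rewrite a PORT command and pre-create the inbound data-channel translation."""
        parsed = parse_port(payload)
        if parsed is None:
            return payload                         # not a PORT command: pass through unchanged
        local_ip, local_port = parsed
        global_port = self.next_port
        self.next_port += 1
        self.expect[(self.global_ip, global_port)] = (local_ip, local_port)
        rewritten = format_port(self.global_ip, global_port)
        self.seq_delta += len(rewritten) - len(payload)   # the payload grew or shrank
        return rewritten

    def translate_inbound_data(self, dst_ip: str, dst_port: int):
        """The server's connection to the advertised global pair maps back to the client."""
        return self.expect.get((dst_ip, dst_port))

    # Because the payload length changed, later TCP segments must be fixed up too:
    def fix_seq(self, seq: int) -> int:       # client->server sequence numbers
        return (seq + self.seq_delta) & 0xFFFFFFFF

    def fix_ack(self, ack: int) -> int:       # server->client acknowledgements
        return (ack - self.seq_delta) & 0xFFFFFFFF


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.1")
    print(alg.fix_outbound_control(b"PORT 10,1,1,5,4,1\r\n"))
    print(alg.translate_inbound_data("203.0.113.1", 1040), "seq delta", alg.seq_delta)
```

Two things this makes concrete that the slide only names: the fixup must open the inbound data connection before it exists (an expectation entry, which is also the hole an attacker probes when a fixup parses payloads too loosely), and because "203,0,113,1,4,16" is longer than "10,1,1,5,4,1" the TCP sequence and acknowledgement numbers of every later segment on that control connection must be shifted by the delta. A production fixup also has to cope with a PORT command split across segments and with retransmissions of already-rewritten segments; this example does not.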

Cisco IOS: Overlapping with the Interface
If you have:
interface <interface>
 ip address <address> <mask>
Option 1: use a pool that does not include the interface address.
ip nat pool SWIM <start> <end> netmask <mask>
ip nat inside source list 1 pool SWIM
Option 2: overload the interface address itself.
ip nat inside source list 1 interface <interface> overload

Section: Steps for Deployment

NAT Based on Destination: Putting Criteria on the NAT Pools
Topology: Ethernet 0 faces your company (a private /8); Serial 0 faces the Internet (available addresses: a /27); Serial 1 faces the partners (a /24).

NAT by Destination: Goals
You must have Internet connectivity using only ONE address of the /27 space (hint: NAPT).
You must have partner access to the partner /24 network, but you cannot use your current /8 or your Internet addresses.
Your partner uses a /24 as the address range for the point-to-point serial link back to your corporate site.

NAT by Destination, Step 1.1: Working on the Partner Side
Available addresses on the partner link: the /24 (your end is .2).
router(config)# ip nat pool partners <start> <end> netmask <mask>

NAT by Destination, Step 1.2: Working on the Internet Side
Since our goal was to use only one IP address from the available range, we will use the IP of Serial 0 with NAPT; therefore, no pool is required.

NAT by Destination, Step 2: Partner-Side Route Map Declaration
router(config)# route-map topartners permit 10
router(config-route-map)# match interface serial 1

NAT by Destination, Step 2: Internet-Side Route Map Declaration
router(config)# route-map tointernet permit 10
router(config-route-map)# match interface serial 0

NAT by Destination, Steps 3 and 4: Both Sides
router(config)# ip nat inside source route-map topartners pool partners
router(config)# ip nat inside source route-map tointernet interface serial 0 overload
router(config)# interface ethernet 0
router(config-if)# ip nat inside
router(config-if)# interface serial 0
router(config-if)# ip nat outside
router(config-if)# interface serial 1
router(config-if)# ip nat outside

Alternative to the Cisco IOS match interface: Match on the Destination
Internet side:
access-list 100 deny ip <inside network> <partner network>
access-list 100 permit ip <inside network> any
route-map tointernet permit 10
 match ip address 100
Partner side (a second access list; adding the line to list 100 would merge it into the Internet-side list):
access-list 101 permit ip <inside network> <partner network>
route-map topartners permit 10
 match ip address 101

Two Pools on a Single Interface: Goal
Client on the inside /24 behind Ethernet 0; Serial 0 toward the Internet; a remote host on the Internet; pool: a /27.
Pull from the NAT pool if the destination is the remote host; use the Serial 0 interface (NAPT) for everything else.

Two Pools on a Single Interface: Rules
router(config)# access-list 100 deny ip <inside network> host <remote host>
router(config)# access-list 100 permit ip <inside network> any

Two Pools on a Single Interface: Overload
router(config)# route-map napt2internet permit 10
router(config-route-map)# match ip address 100
router(config)# ip nat inside source route-map napt2internet interface serial 0 overload

Two Pools on a Single Interface: Pool
router(config)# ip nat pool natpool <start> <end> netmask <mask>
router(config)# access-list 110 permit ip <inside network> host <remote host>
router(config)# route-map vpnusenat permit 10
router(config-route-map)# match ip address 110
router(config)# ip nat inside source route-map vpnusenat pool natpool

How to Troubleshoot Address Translation Issues
Always make sure your project works before adding address translation.
Verify proper routing (e.g. that asymmetrical routing is not coming into play: the return traffic must cross the same translator).
Gather traces and debugs to support the test conditions.

Showing the Active Translations: show ip nat translations
NAT-vpn-2503#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- <inside global> <inside local> --- ---
(Simple translation using NAT)
NAT-vpn-2503#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp <inside global>:6269 <inside local>:6269 <outside>:6269 <outside>:6269
tcp <inside global>:<port> <inside local>:<port> <outside>:23 <outside>:23
(Extended translation using NAPT; for ICMP the "port" column is the echo identifier)
Tip: use show ip nat translations | include <address> to show only one host's translation entries.

Showing the Active Translations: show ip nat translations verbose
NAT-vpn-2503#show ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
--- <inside global> <inside local> --- ---
    create 00:00:05, use 00:00:05, left 23:59:54, flags: none, use_count: 0
(Simple translation using NAT)
NAT-vpn-2503#show ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
icmp <inside global>:6269 <inside local>:6269 <outside>:6269 <outside>:6269
    create 00:00:02, use 00:00:02, left 00:00:57, flags: extended, use_count: 0
(Extended translation using NAPT)
The verbose form shows when the translation was first created, when it was last used, and the time left before it expires.

NAT Show Commands: show ip nat statistics
NAT-vpn-2503#sh ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 0 extended)
Outside interfaces:
  Serial0
Inside interfaces:
  Ethernet0
Hits: 9  Misses: 1
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 10 pool natpool refcount 1
 pool natpool: netmask <mask>
        start <start> end <end>
        type generic, total addresses 21, allocated 1 (4%), misses 0

Reading the fields:
Total active translations: the number of translations active on the system; incremented each time a translation is created and decremented each time one is cleared or times out.
Outside/Inside interfaces: the interfaces that carry an ip nat outside or ip nat inside designation.
Hits: the number of times the software looked up the translation table and found an existing translation (fast/CEF-switched packets).
Misses: the number of times the table lookup failed and a new translation had to be created (process-switched packets).
Expired translations: the cumulative count of translations that have expired since the router was restarted.
Dynamic mappings: dynamic inside source mappings using access-list 10 and the pool natpool; the pool holds 21 addresses, of which 1 is allocated (4%). The pool's own misses counter is the number of times a translation could not be created when one should have been, i.e. the pool was exhausted.

Levels of Debugging NAT: debug ip nat [detailed]
Warning: debugging at any level could be fatal to a router if done incorrectly (restrict it with an access list and log to the buffer rather than the console).
NAT-vpn-2503# debug ip nat
6d01h: NAT: s=<inside local>-><inside global>, d=<outside> [15]
6d01h: NAT*: s=<outside>, d=<inside global>-><inside local> [15]
6d01h: NAT*: s=<inside local>-><inside global>, d=<outside> [16]
6d01h: NAT*: s=<outside>, d=<inside global>-><inside local> [16]
* = IP fast/CEF-switched packet; the number in brackets is the IP identification field, which lets you match a debug line to a packet capture.
NAT-vpn-2503# debug ip nat detailed
6d01h: NAT: installing alias for address <inside global>
6d01h: NAT: i: icmp (<inside local>, 7584) -> (<outside>, 7584) [20]
6d01h: NAT: s=<inside local>-><inside global>, d=<outside> [20]
6d01h: NAT*: o: icmp (<outside>, 7584) -> (<inside global>, 7584) [20]
6d01h: NAT*: s=<outside>, d=<inside global>-><inside local> [20]
6d01h: NAT*: i: icmp (<inside local>, 7585) -> (<outside>, 7585) [21]
6d01h: NAT*: s=<inside local>-><inside global>, d=<outside> [21]
6d01h: NAT*: o: icmp (<outside>, 7585) -> (<inside global>, 7585) [21]

Logging the Built Translations
Cisco IOS commands:
ip nat log translations syslog
logging host <syslog server>
logging trap debug
What the syslog server sees:
<timestamp> Local7.Debug : 00:12:13: NAT:Created tcp <inside local>:<port> <inside global>:<port> <outside local>:<port> <outside global>:<port>
<timestamp> Local7.Debug : 00:13:19: NAT:Deleted tcp <inside local>:<port> <inside global>:<port> <outside local>:<port> <outside global>:<port>
<timestamp> Local7.Debug : 00:06:22: NAT:Created icmp <inside local>:<id> <inside global>:<id> <outside local>:<id> <outside global>:<id>
<timestamp> Local7.Debug : 00:07:22: NAT:Deleted icmp <inside local>:<id> <inside global>:<id> <outside local>:<id> <outside global>:<id>
These records are the only way to attribute a (global address, port, time) seen on the outside back to an inside host after the fact, so keep the router's clock synchronized (NTP) or the timestamps cannot be correlated.

Stateful NAT (SNAT), Cisco IOS
New feature in T-train code.
Platform independent.
Support for peer-to-peer only.
Works with or without an HSRP environment, for true fault tolerance.

Without SNAT: The Problem
R1 and R2 each keep their own NAT translation table (IL, IG, OL, OG). Sessions are translated by R1; when R1 fails and traffic moves to R2, R2's table is empty, so every existing session is lost and must be re-established.

With SNAT: The Solution
R1 creates a translation and replicates it to R2, so both tables hold the same IL/IG/OL/OG entry. When R1 fails, R2 takes over with the translation already in place and the sessions survive.

SNAT Options
Primary/backup mode (non-HSRP): peer-to-peer only.
Redundancy mode (HSRP): single peer only.
Updates/communication between the SNAT routers is done over a TCP connection between the peers.

With SNAT Primary/Backup Mode: Primary Configuration (you are on R1)
R1(config)# access-list 1 permit <inside network> <wildcard>
R1(config)# ip nat pool P1 <start> <end> netmask <mask>
R1(config)# ip nat inside source list 1 pool P1 mapping-id 11
R1(config)# ip nat stateful id 101
R1(config-ipnat-snat)# primary <R1 address>
R1(config-ipnat-snat-pri)# peer <R2 address>
R1(config-ipnat-snat-pri)# mapping-id 11
The mapping-id on the NAT rule and the one under the stateful block are the local correlation: both peers must use the same id for the same mapping.

With SNAT Primary/Backup Mode: Backup Configuration (you are on R2)
R2(config)# access-list 1 permit <inside network> <wildcard>
R2(config)# ip nat pool P1 <start> <end> netmask <mask>
R2(config)# ip nat inside source list 1 pool P1 mapping-id 11
R2(config)# ip nat stateful id 101
R2(config-ipnat-snat)# backup <R2 address>
R2(config-ipnat-snat-bkp)# peer <R1 address>
R2(config-ipnat-snat-bkp)# mapping-id 11

With SNAT Redundant Mode (HSRP; you are on R2)
R2(config)# interface Ethernet 0
R2(config-if)# standby 1 ip <virtual address>
R2(config-if)# standby 1 name snat
R2(config)# ip nat pool P1 <start> <end> netmask <mask>
R2(config)# ip nat inside source list 1 pool P1 mapping-id 11
R2(config)# ip nat stateful id 101
R2(config-ipnat-snat)# redundancy snat
R2(config-ipnat-snat-red)# mapping-id 11
The standby group name (snat) is what links HSRP to SNAT; the virtual address (.2) is what the inside hosts use as their gateway.

Stateful Failover on the PIX
Unlike Cisco IOS, the PIX swaps IP and MAC addresses between the units instead of using a virtual address.
PIX has had failover since 3.x; stateful failover was added in 5.x.
A dedicated interface must be used for the state updates.

PIX Stateful Failover: Dedicated LAN Interface
pixfirewall(config)# nameif ethernet2 failover-int security50
pixfirewall(config)# ip address failover-int <primary address> <mask>
pixfirewall(config)# failover ip address failover-int <standby address>
pixfirewall(config)# failover link failover-int

Section: VPNs and Address Translation

PPTP 101
Point-to-Point Tunneling Protocol (PPTP): protocol 47 (GRE) carries the data; protocol 6 (TCP) port 1723 carries the control connection and authentication.
Original packet: IP HDR | Layer 4 | Data (layers 5-7).
Encapsulated within GRE (without MPPE): New IP HDR | GRE header carrying the tunnel (call) ID | IP HDR | Layer 4 | Data.
GRE has no port numbers, so this unique call ID is what gives the router the ability to determine which flow belongs to which system when the traffic is NAPT'd.

IPsec 101: ESP
Encapsulating Security Payload (ESP): protocol 50, tunnel mode only here.
Original packet: IP HDR | Data.
After ESP: New IP HDR | IPsec (ESP) HDR | [IP HDR | Data] encrypted. The authentication covers the ESP header and the encrypted payload but not the new outer IP header, so NAT of the outer header WORKS.

IPsec 101: AH
Authentication Header (AH): protocol 51.
The checksum stored in the IPsec header is computed over the IP header (its immutable fields) plus the data. NAT rewrites the IP header, the receiver's recomputed checksum no longer matches, and the packet is discarded: NAT BREAKS AH.
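The AH-versus-ESP contrast above, as an added example written for this page (not from the presentation and not an IPsec implementation): a toy model in which the AH integrity value binds the outer addresses and the ESP value does not, so the same source rewrite invalidates one and leaves the other intact. The key, addresses, SPI and the stand-in "cipher" are assumptions made for the example.

```python
"""Added example (not from the presentation): a toy model of why AH breaks
under NAT while ESP tunnel mode survives it. The AH integrity check value
covers the outer IP header's immutable fields plus everything after it; the
ESP ICV covers only the ESP header and the encrypted inner packet, so a NAT
rewriting the outer header invalidates AH but not ESP. The key, addresses and
payloads are constructed; this is not a real IPsec implementation.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"assumed-shared-integrity-key"   # assumed SA integrity key


def _outer_immutable(src: str, dst: str, proto: int) -> bytes:
    # AH covers the immutable header fields (source, destination, protocol, ...);
    # mutable fields such as TTL and the header checksum are zeroed before hashing.
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + struct.pack("!B", proto)


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]   # 96-bit truncated ICV


def build_ah(src: str, dst: str, payload: bytes) -> dict:
    """AH packet (protocol 51): the ICV binds the outer addresses to the payload."""
    return {"src": src, "dst": dst, "proto": 51, "payload": payload,
            "icv": _mac(_outer_immutable(src, dst, 51) + payload)}


def verify_ah(pkt: dict) -> bool:
    expected = _mac(_outer_immutable(pkt["src"], pkt["dst"], 51) + pkt["payload"])
    return hmac.compare_digest(pkt["icv"], expected)


def build_esp(src: str, dst: str, spi: int, seq: int, inner_packet: bytes) -> dict:
    """ESP tunnel mode (protoc 50): the inner packet is 'encrypted' (a XOR stands in
    for the cipher, assumption) and the ICV covers SPI, sequence and ciphertext only."""
    ciphertext = bytes(b ^ 0x5A for b in inner_packet)
    return {"src": src, "dst": dst, "proto": 50, "spi": spi, "seq": seq,
            "encrypted": ciphertext, "icv": _mac(struct.pack("!II", spi, seq) + ciphertext)}


def verify_esp(pkt: dict) -> bool:
    expected = _mac(struct.pack("!II", pkt["spi"], pkt["seq"]) + pkt["encrypted"])
    return hmac.compare_digest(pkt["icv"], expected)


def nat_rewrite(pkt: dict, new_src: str) -> dict:
    """What an inside->outside NAT does: replace the outer source address."""
    out = dict(pkt)
    out["src"] = new_src
    return out


def nat_t_encapsulate(esp_pkt: dict, src_port: int = 4500) -> dict:
    """NAT-T (RFC 3948): wrap ESP in UDP so a NAPT has ports to track and rewrite."""
    out = dict(esp_pkt)
    out.update({"proto": 17, "sport": src_port, "dport": 4500})
    return out


if __name__ == "__main__":
    ah = build_ah("10.1.1.5", "198.51.100.9", b"inner ip packet")
    esp = build_esp("10.1.1.5", "198.51.100.9", 0x1001, 1, b"inner ip packet")
    print("AH after NAT:", verify_ah(nat_rewrite(ah, "203.0.113.1")))
    print("ESP after NAT:", verify_esp(nat_rewrite(esp, "203.0.113.1")))
```

Surviving the address rewrite is only half the story for ESP: protocol 50 has no port numbers, so a NAPT still cannot tell two inside clients' tunnels apart. That is what the UDP wrapper in nat_t_encapsulate solves, and it is why the NAT-T row in the support table matters more than the ESP/AH distinction in practice.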

What Is Being Done?
PPTP over NAPT
IPsec over UDP (proprietary)
IPsec over TCP (proprietary)
NAT-T, IPsec over UDP (standard; UDP port 4500)
IPsec NAT transparency

Where Do We Stand Today? Address Translation Support for VPN Traffic
Feature | Cisco IOS
PPTP over NAPT | T-train release
IPsec over UDP** | N/A
IPsec over TCP** | N/A
NAT-T | T-train release
IPsec NAT Transparency (Phase 1)* | T-train release
IPsec NAT Transparency (Phase 2) | T-train release
PIX column as given on the slide: 6.3 (PPTP over NAPT), N/A, N/A, NO.

VPN Head End: Problem Topology
Your company (/8) sits behind a combined NAT/VPN gateway; a roaming user reaches the VPN gateway through an ISP over an IPsec tunnel across the Internet.
NAT-by-destination rules will be used, but the roaming user's ISP-assigned address is not known in advance:
router(config)# access-list 100 deny ip <inside network> ??? (not sure of the destination ISP address)
router(config)# access-list 100 permit ip <inside network> any

VPN Head End: Solution with Mode Config
Configure the VPN gateway with a mode-configuration pool carved out of the /8. The roaming user's traffic then always arrives from a known range, which can be excluded from translation:
router(config)# access-list 100 deny ip <inside network> <mode-config pool>
router(config)# access-list 100 permit ip <inside network> any

VPN Head End: Using Static Translation
A mail server must be reachable from the Internet through a static translation, but must talk to the roaming VPN users untranslated:
router(config)# ip nat inside source static <mail local> <mail global> route-map nonat

Cisco IOS VPN Configuration
access-list 100 deny ip <inside network> <mode-config pool>
access-list 100 permit ip <inside network> any
route-map nonat permit 10
 match ip address 100
ip nat pool natpool <start> <end> netmask <mask>
ip nat inside source route-map nonat pool natpool
ip nat inside source static <mail local> <mail global> route-map nonat
Because the route-map denies traffic to the VPN pool, that traffic is forwarded untranslated and reaches the crypto map with its real inside address; everything else is translated, dynamically from the pool or statically for the mail server.
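The rule selection behind the "Two Pools on a Single Interface", "NAT by Destination" and "VPN Head End" configurations, as an added example written for this page (not the deck's or Cisco's code): a small Python model of how an access list, a route-map and the ordered ip nat inside source rules combine to pick a pool, an overloaded interface, or no translation at all. The network numbers and the remote host, partner network and mode-config pool are assumptions, and the rules are tried in listed order, a simplification that is harmless here because the access lists are mutually exclusive.

```python
"""Added example (not from the presentation): how Cisco IOS dynamic NAT rule
selection behaves for the route-map based configurations on this page.
An access list is evaluated top-down with first match and an implicit deny;
a route-map sequence matches only if every 'match ip address' /
'match interface' it carries is satisfied; the first 'ip nat inside source
route-map ...' rule whose route-map permits is used; when none does, IOS
forwards the packet untranslated (a PIX would drop it). Network numbers are
assumptions; rules are tried in listed order (a simplification).
"""
import ipaddress


def acl_permits(acl, src, dst):
    """acl: list of (action, src_net, dst_net) in CIDR; first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False                       # implicit deny at the end of every ACL


def route_map_permits(route_map, acls, src, dst, egress_iface):
    """route_map: list of permit sequences, each {'acl': name|None, 'interface': name|None}."""
    for seq in route_map:
        if seq.get("acl") and not acl_permits(acls[seq["acl"]], src, dst):
            continue
        if seq.get("interface") and seq["interface"] != egress_iface:
            continue
        return True                    # every match clause in this sequence held
    return False


def select_translation(rules, route_maps, acls, src, dst, egress_iface):
    """rules: ordered list of {'route_map': name, 'action': what to translate with}."""
    for rule in rules:
        if route_map_permits(route_maps[rule["route_map"]], acls, src, dst, egress_iface):
            return rule["action"]
    return "no translation (IOS forwards untranslated; PIX drops)"


INSIDE = "10.0.0.0/8"                  # assumed inside network
REMOTE_HOST = "198.51.100.77/32"       # assumed: the one host that must see pool addresses
VPN_POOL = "10.255.0.0/16"             # assumed: mode-config pool handed to roaming IPsec users
PARTNER_NET = "172.16.0.0/24"          # assumed partner network

ACLS = {
    # Two Pools on a Single Interface: list 100 = everything except the remote host
    "100": [("deny", INSIDE, REMOTE_HOST), ("permit", INSIDE, "0.0.0.0/0")],
    "110": [("permit", INSIDE, REMOTE_HOST)],
    # VPN Head End: list 120 = everything except traffic to the VPN pool
    "120": [("deny", INSIDE, VPN_POOL), ("permit", INSIDE, "0.0.0.0/0")],
}
ROUTE_MAPS = {
    "napt2internet": [{"acl": "100"}],
    "vpnusenat":     [{"acl": "110"}],
    "nonat":         [{"acl": "120"}],
    "topartners":    [{"interface": "Serial1"}],   # NAT by Destination: match interface
}
TWO_POOLS = [
    {"route_map": "napt2internet", "action": "interface Serial0 overload"},
    {"route_map": "vpnusenat",     "action": "pool natpool"},
]
VPN_HEAD_END = [{"route_map": "nonat", "action": "pool natpool"}]
BY_INTERFACE = [{"route_map": "topartners", "action": "pool partners"}]


def decide(rules, src, dst, egress_iface="Serial0"):
    return select_translation(rules, ROUTE_MAPS, ACLS, src, dst, egress_iface)


if __name__ == "__main__":
    print(decide(TWO_POOLS, "10.1.1.5", "198.51.100.77"))
    print(decide(TWO_POOLS, "10.1.1.5", "192.0.2.10"))
    print(decide(VPN_HEAD_END, "10.1.1.5", "10.255.3.9"))
```

The "no translation" outcome is the one to test for deliberately: on IOS it is exactly what the nonat route-map is designed to produce for VPN traffic, and exactly what you do not want for Internet-bound traffic, where a deny that is too broad silently leaks private source addresses onto the link.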

PIX VPN Configuration
access-list 100 permit ip <inside network> <remote VPN network>
global (outside) 1 <PAT address> netmask <mask>
nat (inside) 1 <inside network> <mask>
static (inside,outside) <mail global> <mail local> netmask <mask>
nat (inside) 0 access-list 100
On the PIX, nat 0 with an access list is the NAT exemption; it is checked before the static and the dynamic nat/global pair (see the NAT decision process), so the VPN traffic leaves untranslated.

Section: Dealing with Voice Elements

Voice Traffic vs. Address Translation
Protocol: H.323 v1/v2 | H.323 v3/v4 | SIP | Skinny | Skinny with NAPT | MGCP | CTI/TAPI/JTAPI
Cisco IOS: T | T* | T | T | No | Future | No
(T = supported in a T-train release; * compatibility support, with ALG support planned for a future release. The PIX row gives a release per protocol; those numbers are not reproduced here.)

Prior to the Voice Fix Ups: Registration
IP Phone A sits on the /24 behind the NAT at .1; IP Phone B sits on the /27 behind the NAT at .30. Both phones send their Skinny registration to the CallManager through their own NAT.

Prior to the Voice Fix Ups: Dialing
Phone A goes off hook and dials the digits; the CallManager tells the called phone to display the caller and start ringing (extensions 5510 and 5505 in the example).

Prior to the Voice Fix Ups: Off Hook
Phone B goes off hook; the CallManager signals Phone A: stop ringing, called party off hook.

Prior to the Voice Fix Ups: Media Offer
Phone A advertises its media as IP = its own (private) address and Port = its RTP port; Phone B likewise advertises its private media IP and port. These values travel inside the Skinny payload, which the NAT does not rewrite.

Prior to the Voice Fix Ups: Media Ports
Each phone is told the other's media IP and port exactly as advertised: private addresses from the far side of the translation boundary.

Prior to the Voice Fix Ups: One-Way Audio
Phone A > B RTP stream: sent to Phone B's advertised address. Phone B > A RTP stream: sent to Phone A's advertised private address, which is not routable across the Internet. Result: one-way audio.

With the Voice Fix Ups: Media Ports
The Skinny-aware NAT replaces Phone A's media IP in the signalling with an address from its IP pool (and the port with the translated one) and installs the matching translation before any RTP flows; Phone B now learns a reachable address for Phone A.

With the Voice Fix Ups: Final Solution, Two-Way Audio
The Phone A > B and Phone B > A RTP streams both cross the NAT with translated addresses and ports: two-way audio.

Voice Summary
Address translation devices need to be audio/video aware in order to process the packets correctly.
One-way audio is the typical problem when address translation is used.

Call Manager Registration/Failover Issues
Cisco IP phones can support SIP, Skinny, and MGCP; a TFTP fixup exists today for PIX and Cisco IOS. So what is the issue?

IP Phone Configuration File
It contains embedded information: the service URLs are written into the phone's XML configuration, for example:
<authenticationURL>...</authenticationURL>
<directoryURL>...</directoryURL>
<idleURL></idleURL>
<informationURL>...asp</informationURL>
<messagesURL></messagesURL>
<proxyServerURL></proxyServerURL>
<servicesURL>...</servicesURL>
</device>
When these URLs name the server by IP address, a phone on the other side of the NAT is handed an unreachable inside address; the TFTP fixup moves the file, it does not rewrite its contents.

IP Phones and NAT
On the Cisco CallManagers, use DNS names instead of IP addresses.
Configure static NAT entries for the CallManager servers.
Either split DNS or a DNS fixup can then resolve the names correctly for the IP phone services on each side.

DNS Fix Up with IP Phones
Topology: the Cisco CallManager and the DNS server sit on the NAT inside; the IP phones sit on the NAT outside; the two Ethernet interfaces of the router (E0 and a second Ethernet) form the translation boundary (one side is the /27, the other the /24).
ip nat inside source static <CallManager local> <CallManager global>
ip nat inside source static udp <DNS local> 53 interface Ethernet<#> 53

DNS Fix Up with IP Phones: The Query
The phone on the outside asks the DNS server (through its static translation): what IP is CallManager.cisco.com?
The DNS server answers with the CallManager's inside-local address. As the response crosses the translation boundary, the DNS fixup looks the A-record address up in the static translation (ip nat inside source static <CallManager local> <CallManager global>) and rewrites the response, so the phone receives the inside-global address it can actually reach.
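The DNS rewrite just described, as an added example written for this page (not the deck's or Cisco's code): a hand-built DNS response whose A record carries the inside-local address, and a fixup that swaps it for the inside-global address of an assumed static translation (and back again in the other direction). The hostname, the two addresses and the static mapping are constructed for the example.

```python
"""Added example (not from the presentation): the DNS 'fixup' (address doctoring)
described for the IP-phone scenario. When a reply carrying an A record crosses
the translation boundary and the address has a static translation, the NAT
rewrites that address in the DNS payload so the phone on the outside learns the
CallManager's inside-global address. Names, addresses and the hand-built DNS
response are constructed for the example.
"""
import ipaddress
import struct

# Assumed static NAT: 'ip nat inside source static 10.1.1.10 203.0.113.10'
STATIC_LOCAL_TO_GLOBAL = {"10.1.1.10": "203.0.113.10"}
STATIC_GLOBAL_TO_LOCAL = {g: l for l, g in STATIC_LOCAL_TO_GLOBAL.items()}


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_response(qname: str, addresses, txid: int = 0x1234) -> bytes:
    """Constructed DNS response: one A question, one A answer per address, each
    answer name compressed as a pointer to the question name (0xC00C)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in addresses:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.ip_address(ip).packed
    return header + question + answers


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _answer_records(buf: bytes):
    """Yield (rdata_offset, rtype, rdlen) for each answer record in the response."""
    qdcount, ancount = struct.unpack("!HH", buf[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        yield off, rtype, rdlen
        off += rdlen


def a_records(buf: bytes):
    """The A-record addresses in a response, in order."""
    return [str(ipaddress.ip_address(bytes(buf[o:o + 4])))
            for o, rtype, rdlen in _answer_records(buf) if rtype == 1 and rdlen == 4]


def fix_dns_response(buf: bytes, mapping: dict):
    """Rewrite A-record rdata that matches a translation. The record length does not
    change, so only the UDP checksum needs recomputing afterwards (not modelled).
    Returns (new_buffer, number_of_records_rewritten)."""
    out = bytearray(buf)
    rewritten = 0
    for off, rtype, rdlen in _answer_records(buf):
        if rtype == 1 and rdlen == 4:
            addr = str(ipaddress.ip_address(bytes(buf[off:off + 4])))
            if addr in mapping:
                out[off:off + 4] = ipaddress.ip_address(mapping[addr]).packed
                rewritten += 1
    return bytes(out), rewritten


if __name__ == "__main__":
    reply = build_response("callmanager.example.com", ["10.1.1.10"])
    fixed, n = fix_dns_response(reply, STATIC_LOCAL_TO_GLOBAL)
    print(a_records(reply), "->", a_records(fixed), "rewritten:", n)
```

Inside-to-outside responses use the local-to-global map and outside-to-inside responses the inverse, which is what makes split DNS unnecessary. Two practical caveats: a fixup that trusts the answer count or the compression pointers blindly is parsing attacker-influenced data, so bound the loops and offsets as skip_name does; and a cached answer with a long TTL outlives the translation that produced it, so shortening the TTL of doctored records is common practice.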

Section: Questions and Answers

Useful URLs
Cisco IOS NAT Product Support Page: psp_view.pl?p=internetworking:nat
Cisco IOS NAT FAQ: CCO Document ID:
Cisco IOS NAT order of operation:
Cisco IOS NAT configuration: s121/121cgcr/ip_c/ipcprt1/1cdipadr.htm#xtocid

Summary
NAT/NAPT (PAT, overload): one-to-one and many-to-one address mappings.
Know your applications and how they behave.
Cisco IOS needs the packet to cross from the inside to the outside translation domain (or vice versa); otherwise the packet is forwarded without any address translation being performed.
PIX needs a translation; otherwise the packet is dropped.
Avoid asymmetrical routing!

Please complete your evaluation form.



More information

Configuring Static and Dynamic NAT Translation

Configuring Static and Dynamic NAT Translation This chapter includes the following sections: Network Address Translation Overview, on page 1 Information About Static NAT, on page 2 Dynamic NAT Overview, on page 3 Timeout Mechanisms, on page 3 NAT Inside

More information

Carrier Grade Network Address Translation

Carrier Grade Network Address Translation (CGN) is a large-scale NAT that translates private IPv4 addresses into public IPv4 addresses. CGN employs Network Address and Port Translation methods to aggregate multiple private IPv4 addresses into

More information

show ipv6 nat translations, on page 71

show ipv6 nat translations, on page 71 show ip masks, on page 4 show ip nat limits all-host, on page 5 show ip nat limits all-vrf, on page 7 show ip nat nvi statistics, on page 9 show ip nat nvi translations, on page 11 show ip nat redundancy,

More information

Implementing NAT-PT for IPv6

Implementing NAT-PT for IPv6 Implementing NAT-PT for IPv6 Last Updated: August 1, 2012 Network Address Translation--Protocol Translation (NAT-PT) is an IPv6 to IPv4 translation mechanism, as defined in RFC 2765 and RFC 2766, allowing

More information

Network Address Translation (NAT) Contents. Firewalls. NATs and Firewalls. NATs. What is NAT. Port Ranges. NAT Example

Network Address Translation (NAT) Contents. Firewalls. NATs and Firewalls. NATs. What is NAT. Port Ranges. NAT Example Contents Network Address Translation (NAT) 13.10.2008 Prof. Sasu Tarkoma Overview Background Basic Network Address Translation Solutions STUN TURN ICE Summary What is NAT Expand IP address space by deploying

More information

ipv6 mobile home-agent (global configuration)

ipv6 mobile home-agent (global configuration) ipv6 mobile home-agent (global configuration) ipv6 mobile home-agent (global configuration) To enter home agent configuration mode, use the ipv6 mobile home-agent command in global configuration mode.

More information

Politecnico di Milano Scuola di Ingegneria Industriale e dell Informazione. 09 Intranetting. Fundamentals of Communication Networks

Politecnico di Milano Scuola di Ingegneria Industriale e dell Informazione. 09 Intranetting. Fundamentals of Communication Networks Politecnico di Milano Scuola di Ingegneria Industriale e dell Informazione 09 Intranetting Fundamentals of Communication Networks 1 Private networks and Intranets EG subnet IG IG Private network IG o Private

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

Network Address Translation

Network Address Translation Network Address Translation All you want to know about (C) Herbert Haas 2005/03/11 Reasons for NAT Mitigate Internet address depletion Save global addresses (and money) Conserve internal address plan TCP

More information

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels This article provides a reference for deploying a Barracuda Link Balancer under the following conditions: 1. 2. In transparent (firewall-disabled)

More information

PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands

PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands Document ID: 63872 Introduction Prerequisites Requirements Components Used Related Products Conventions Network

More information

Network Address Translation (NAT)

Network Address Translation (NAT) The following topics explain and how to configure it. Why Use NAT?, page 1 NAT Basics, page 2 Guidelines for NAT, page 6 Dynamic NAT, page 12 Dynamic PAT, page 18 Static NAT, page 29 Identity NAT, page

More information

IPv4 addressing, NAT. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley.

IPv4 addressing, NAT. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley. IPv4 addressing, NAT http://xkcd.com/195/ Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley Some materials copyright 1996-2012 J.F Kurose and K.W. Ross, All Rights

More information

IPsec NAT Transparency

IPsec NAT Transparency The feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities

More information

IPsec NAT Transparency

IPsec NAT Transparency sec NAT Transparency First Published: November 25, 2002 Last Updated: March 1, 2011 The sec NAT Transparency feature introduces support for Security (sec) traffic to travel through Network Address Translation

More information

Configuring Network Address Translation

Configuring Network Address Translation Finding Feature Information, on page 1 Network Address Translation (NAT), on page 2 Benefits of Configuring NAT, on page 2 How NAT Works, on page 2 Uses of NAT, on page 3 NAT Inside and Outside Addresses,

More information

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved.  Worldwide Education Services Junos Security Chapter 4: Security Policies 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully completing this chapter,

More information

Lab Configuring NAT Overload

Lab Configuring NAT Overload Lab 10.5.3 Configuring NAT Overload Objective Configure dynamic NAT with overload. Scenario The International Travel Agency (ITA) expanded and updated their network. They chose to use the 192.168.0.0 /24

More information

Mobile IP Support for RFC 3519 NAT Traversal

Mobile IP Support for RFC 3519 NAT Traversal The Mobile IP: Support for RFC 3519 NAT Traversal feature introduces an alternative method for tunneling Mobile IP data traffic. New extensions in the Mobile IP registration request and reply messages

More information

Configuring PPP over Ethernet with NAT

Configuring PPP over Ethernet with NAT CHAPTER 3 The Cisco Secure Router 520 Ethernet-to-Ethernet routers support Point-to-Point Protocol over Ethernet (PPPoE) clients and network address translation (NAT). Multiple PCs can be connected to

More information

BIG-IP CGNAT: Implementations. Version 12.1

BIG-IP CGNAT: Implementations. Version 12.1 BIG-IP CGNAT: Implementations Version 12.1 Table of Contents Table of Contents Deploying a Carrier Grade NAT... 7 Overview: The carrier-grade NAT (CGNAT) module... 7 About ALG Profiles...8 About CGNAT

More information

Firewall Stateful Inspection of ICMP

Firewall Stateful Inspection of ICMP Firewall Stateful Inspection of ICMP Last Updated: March 26, 2012 The Firewall Stateful Inspection of ICMP feature addresses the limitation of qualifying Internet Control Management Protocol (ICMP) messages

More information

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example Document ID: 26402 Contents Introduction Prerequisites Requirements Components Used Conventions Configure

More information

Configuring PPP over Ethernet with NAT

Configuring PPP over Ethernet with NAT This chapter provides an overview of Point-to-Point Protocol over Ethernet (PPPoE) clients and network address translation (NAT) that can be configured on the Cisco 819, Cisco 860, Cisco 880, and Cisco

More information

Cisco PIX. Interoperability Guide

Cisco PIX. Interoperability Guide Cisco PIX Interoperability Guide Copyright 2004, F/X Communications. All Rights Reserved. The use and copying of this product is subject to a license agreement. Any other use is strictly prohibited. No

More information

PIX/ASA as a DHCP Server and Client Configuration Example

PIX/ASA as a DHCP Server and Client Configuration Example PIX/ASA as a DHCP Server and Client Configuration Example Document ID: 70391 Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Configure DHCP Server Configuration

More information

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 6.8. AudioCodes Family of Multi-Service Business Routers (MSBR)

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 6.8. AudioCodes Family of Multi-Service Business Routers (MSBR) Configuration Guide AudioCodes Family of Multi-Service Business Routers (MSBR) Mediant MSBR Security Setup Version 6.8 Version 6.8 May 2014 Document # LTRT-31640 Configuration Guide Contents Table of

More information

How to Configure the Cisco VPN Client to PIX with AES

How to Configure the Cisco VPN Client to PIX with AES How to Configure the Cisco VPN Client to PIX with AES Document ID: 42761 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Configurations Network Diagram

More information

ASA/PIX: Remote VPN Server with Inbound NAT for VPN Client Traffic with CLI and ASDM Configuration Example

ASA/PIX: Remote VPN Server with Inbound NAT for VPN Client Traffic with CLI and ASDM Configuration Example ASA/PIX: Remote VPN Server with Inbound NAT for VPN Client Traffic with CLI and ASDM Configuration Example Contents Introduction Prerequisites Requirements Components Used Related Products Conventions

More information

Prof. Bill Buchanan Room: C.63

Prof. Bill Buchanan Room: C.63 Wireless LAN CO72047 Unit 7: Filtering Prof. Bill Buchanan Contact: w.buchanan@napier.ac.uk Room: C.63 Telephone: X2759 MSN Messenger: w_j_buchanan@hotmail.com WWW: http://www.dcs.napier.ac.uk/~bill http://buchananweb.co.uk

More information

Inspection of Router-Generated Traffic

Inspection of Router-Generated Traffic Inspection of Router-Generated Traffic The Inspection of Router-Generated Traffic feature allows Context-Based Access Control (CBAC) to inspect traffic that is originated by or destined to the router on

More information

Cisco IOS Firewall Authentication Proxy

Cisco IOS Firewall Authentication Proxy Cisco IOS Firewall Authentication Proxy This feature module describes the Cisco IOS Firewall Authentication Proxy feature. It includes information on the benefits of the feature, supported platforms, configuration

More information

Network Interconnection

Network Interconnection Network Interconnection Covers different approaches for ensuring border or perimeter security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Lecture

More information

Network Address Translation (NAT) Background Material for Overlay Networks Course. Jan, 2013

Network Address Translation (NAT) Background Material for Overlay Networks Course. Jan, 2013 Network Address Translation (NAT) Background Material for Overlay Networks Course Jan, 2013 Prof. Sasu Tarkoma University of Helsinki, Department of Computer Science Contents Overview Background Basic

More information

Network Address Translators (NATs) and NAT Traversal

Network Address Translators (NATs) and NAT Traversal Network Address Translators (NATs) and NAT Traversal Ari Keränen ari.keranen@ericsson.com Ericsson Research Finland, NomadicLab Outline Introduction to NATs NAT Behavior UDP TCP NAT Traversal STUN TURN

More information

Configuring Stateful Interchassis Redundancy

Configuring Stateful Interchassis Redundancy The Stateful Interchassis Redundancy feature enables you to configure pairs of devices to act as backups for each other. This module describes conceptual information about and tasks for configuring stateful

More information

Cisco Secure PIX Firewall Advanced (CSPFA)

Cisco Secure PIX Firewall Advanced (CSPFA) 9E0-571 9E0-571 Cisco Secure PIX Firewall Advanced (CSPFA) Version 3.0-1 - Important Note Please Read Carefully Study Tips This product will provide you questions and answers along with detailed explanations

More information

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface CCNA4 Chapter 5 * Router and ACL By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that enters the router is routed according to the routing table. *

More information

Information About NAT

Information About NAT CHAPTER 26 This chapter provides an overview of how Network Address Translation (NAT) works on the ASA and includes the following sections: Introduction to NAT, page 26-1 NAT Types, page 26-2 NAT in Routed

More information

Hot Standby Router Protocol (HSRP): Frequently Asked Questions

Hot Standby Router Protocol (HSRP): Frequently Asked Questions Hot Standby Router Protocol (HSRP): Frequently Asked Questions Document ID: 9281 Contents Introduction Will the standby router take over if the active router LAN interface state is "interface up line protocol

More information

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2017 Cisco and/or its affiliates. All rights

More information

Load Balancing Technology White Paper

Load Balancing Technology White Paper Load Balancing Technology White Paper Keywords: Server, gateway, link, load balancing, SLB, LLB Abstract: This document describes the background, implementation, and operating mechanism of the load balancing

More information

Network Protocol Configuration Commands

Network Protocol Configuration Commands Network Protocol Configuration Commands Table of Contents Table of Contents Chapter 1 IP Addressing Configuration Commands...1 1.1 IP Addressing Configuration Commands...1 1.1.1 arp...1 1.1.2 arp timeout...2

More information

Context Based Access Control (CBAC): Introduction and Configuration

Context Based Access Control (CBAC): Introduction and Configuration Context Based Access Control (CBAC): Introduction and Configuration Document ID: 13814 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information What Traffic Do

More information

ipv6 hello-interval eigrp

ipv6 hello-interval eigrp ipv6 hello-interval eigrp ipv6 hello-interval eigrp To configure the hello interval for the Enhanced Interior Gateway Routing Protocol (EIGRP) for IPv6 routing process designated by an autonomous system

More information

Using Application Level Gateways with NAT

Using Application Level Gateways with NAT Using Application Level Gateways with NAT Network Address Translation (NAT) performs translation service on any Transmission Control Protocol/User Datagram Protocol (TCP/UDP) traffic that does not carry

More information

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT The Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT feature supports the forwarding of packets from a standby

More information

Network Address Translation

Network Address Translation Network Address Translation All you want to know about (C) Herbert Haas 2005/03/11 In this chapter we discuss the idea of Network Address Translation and special issues associated to it. Invented in 1994,

More information

Configuring IP Session Filtering (Reflexive Access Lists)

Configuring IP Session Filtering (Reflexive Access Lists) Configuring IP Session Filtering (Reflexive Access Lists) This chapter describes how to configure reflexive access lists on your router. Reflexive access lists provide the ability to filter network traffic

More information

Access Rules. Controlling Network Access

Access Rules. Controlling Network Access This chapter describes how to control network access through or to the ASA using access rules. You use access rules to control network access in both routed and transparent firewall modes. In transparent

More information

Network Security CSN11111

Network Security CSN11111 Network Security CSN11111 VPN part 2 12/11/2010 r.ludwiniak@napier.ac.uk Five Steps of IPSec Step 1 - Interesting Traffic Host A Router A Router B Host B 10.0.1.3 10.0.2.3 Apply IPSec Discard Bypass IPSec

More information

Cisco Exam Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) Version: 6.0 [ Total Questions: 79 ]

Cisco Exam Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) Version: 6.0 [ Total Questions: 79 ] s@lm@n Cisco Exam 300-135 Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) Version: 6.0 [ Total Questions: 79 ] Topic break down Topic No. of Questions Topic 1: Mix Questions 26 Topic 2: Troubleshooting

More information

IP Addressing: Fragmentation and Reassembly Configuration Guide

IP Addressing: Fragmentation and Reassembly Configuration Guide First Published: December 05, 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

More information

H3C SecPath Series High-End Firewalls

H3C SecPath Series High-End Firewalls H3C SecPath Series High-End Firewalls NAT and ALG Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SECPATH1000FE&SECBLADEII-CMW520-R3166 SECPATH5000FA-CMW520-R3206

More information

ip dhcp-client network-discovery through ip nat sip-sbc

ip dhcp-client network-discovery through ip nat sip-sbc ip dhcp-client network-discovery through ip nat sip-sbc ip dhcp-client network-discovery, page 3 ip dhcp-client update dns, page 5 ip dhcp drop-inform, page 8 ip dhcp-relay information option server-override,

More information

BIG-IP CGNAT: Implementations. Version 13.0

BIG-IP CGNAT: Implementations. Version 13.0 BIG-IP CGNAT: Implementations Version 13.0 Table of Contents Table of Contents Deploying a Carrier Grade NAT... 9 Overview: The carrier-grade NAT (CGNAT) module... 9 About ALG Profiles...10 About CGNAT

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls NAT and ALG Command Reference Part number: 5998-2639 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information

More information

IP Addressing: Fragmentation and Reassembly Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)

IP Addressing: Fragmentation and Reassembly Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000) IP Addressing: Fragmentation and Reassembly Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000) Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Configuration Summary

Configuration Summary POWER ACT NETWORK PIX Firewall SERIES How to configure dynamic IPSec tunneling Configuration Summary This document describes configuring an NSE initiated IPSec tunnel from behind a NAT device to a VPN

More information

Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP CCNA Security Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP Topology Note: ISR G2 devices use GigabitEthernet interfaces instead of FastEthernet Interfaces. 2015 Cisco and/or its affiliates.

More information

ASA Access Control. Section 3

ASA Access Control. Section 3 [ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look

More information

Identity Firewall. About the Identity Firewall

Identity Firewall. About the Identity Firewall This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History

More information

Three interface Router without NAT Cisco IOS Firewall Configuration

Three interface Router without NAT Cisco IOS Firewall Configuration Three interface Router without NAT Cisco IOS Firewall Configuration Document ID: 13893 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations

More information

6 Network Security Elements

6 Network Security Elements 6 Network Security Elements http://www.asecuritysite.com/security/information/chapter06 6.1 Objectives The key objectives of this unit are to: Provide an overview of security devices and infrastructures.

More information

IPV6 SIMPLE SECURITY CAPABILITIES.

IPV6 SIMPLE SECURITY CAPABILITIES. IPV6 SIMPLE SECURITY CAPABILITIES. 50 issues from RFC 6092 edited by J. Woodyatt, Apple Presentation by Olle E. Johansson, Edvina AB. ABSTRACT The RFC which this presentation is based upon is focused on

More information

H3C SecPath Series High-End Firewalls

H3C SecPath Series High-End Firewalls H3C SecPath Series High-End Firewalls NAT and ALG Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: SECPATHF1000SAI&F1000AEI&F1000ESI-CMW520-R3721 SECPATH5000FA-CMW520-F3210

More information

Granular Protocol Inspection

Granular Protocol Inspection The feature adds flexibility to the Cisco IOS Firewall by allowing it to perform a higher degree of inspection of TCP and User Data Protocol (UDP) traffic for most RFC 1700 application types. Finding Feature

More information

Stateful Network Address Translation 64

Stateful Network Address Translation 64 The feature provides a translation mechanism that translates IPv6 packets into IPv4 packets and vice versa. The stateful NAT64 translator algorithmically translates the IPv4 addresses of IPv4 hosts to

More information

ip nat source through iterate-ip-addrs

ip nat source through iterate-ip-addrs ip nat source through iterate-ip-addrs ip nat source, page 4 ip nat stateful id, page 7 ip nat switchover replication http, page 10 ip nat translation, page 11 ip nat translation (timeout), page 12 ip

More information

HOME-SYD-RTR02 GETVPN Configuration

HOME-SYD-RTR02 GETVPN Configuration GETVPN OVER DMVPN Topology Details HOME-SYD-RTR02 is GETVPN KS. R2 & R3 are GETVPN Members. R2 is DMVPN Hub. R3 is DMVPN Spoke. HOME-PIX01 is Firewall between R2 and R3. IP Addressing Details HOME-SYD-RTR01

More information

IP Addressing: NAT Configuration Guide

IP Addressing: NAT Configuration Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 2018 Cisco Systems, Inc. All rights

More information

Firepower Threat Defense Site-to-site VPNs

Firepower Threat Defense Site-to-site VPNs About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec

More information

Service Provider PAT Port Allocation Enhancement for RTP and RTCP

Service Provider PAT Port Allocation Enhancement for RTP and RTCP Service Provider PAT Port Allocation Enhancement for RTP and RTCP Problem Overview With the increase in the use of multimedia and real-time traffic over the Internet, private network administrators face

More information

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 7.2. AudioCodes Family of Multi-Service Business Routers (MSBR)

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 7.2. AudioCodes Family of Multi-Service Business Routers (MSBR) Configuration Guide AudioCodes Family of Multi-Service Business Routers (MSBR) Mediant MSBR Security Setup Version 7.2 Version 6.8 May 2014 Document # LTRT-31640 Configuration Guide Contents Table of

More information

Table of Contents. Cisco Configuring IP Access Lists

Table of Contents. Cisco Configuring IP Access Lists Table of Contents Configuring IP Access Lists...1 Introduction...1 Prerequisites...2 Requirements...2 Components Used...2 Conventions...2 ACL Concepts...2 Masks...2 ACL Summarization...3 Process ACLs...4

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring Stateful NAT64 for Handling IPv4 Address Depletion Release NCE0030 Modified: 2017-01-23 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089

More information

NAT Support for Multiple Pools Using Route Maps

NAT Support for Multiple Pools Using Route Maps NAT Support for Multiple Pools Using Route Maps Document ID: 13739 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Access List Approach Host 1 to Host

More information

: Saved : : Serial Number: JMX1813Z0GJ : Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz : Written by enable_15 at 09:21: UTC Thu Dec !

: Saved : : Serial Number: JMX1813Z0GJ : Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz : Written by enable_15 at 09:21: UTC Thu Dec ! : Saved : : Serial Number: JMX1813Z0GJ : Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz : Written by enable_15 at 09:21:59.078 UTC Thu Dec 17 2015 ASA Version 9.2(2)4 hostname ciscoasa enable password

More information

Network Security Fundamentals

Network Security Fundamentals Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 6 Firewalls & VPNs Topics Firewall Fundamentals Case

More information