Configuring NAT on Cisco Routers

All scenarios below use the same simple network:

(Diagram: NAT on Cisco Router. A border router with FastEthernet0/0 facing the Internet on 20.20.20.0/24 and FastEthernet0/1 facing the LAN on 192.168.1.0/24.)

Scenario 1:

Assume we have an internal web server with IP address 192.168.1.10 on the LAN. We want to configure static NAT on the border Cisco router so that the private IP of the web server is translated to a public IP: 192.168.1.10 should be translated to 20.20.20.10 (assuming we own the public range 20.20.20.0/24).

Here is how to do it:

interface FastEthernet0/0
 ip address 20.20.20.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! one-to-one mapping: inside local 192.168.1.10 <-> inside global 20.20.20.10
ip nat inside source static 192.168.1.10 20.20.20.10

With the above configuration, the web server is reachable from the public Internet as 20.20.20.10, and traffic the server itself originates leaves the router with 20.20.20.10 as its source. Keep in mind that a static mapping is bidirectional and covers every port: anything the server listens on is now exposed to the Internet unless an access list on the outside interface restricts it.
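The following is an added example, not part of the original page, showing how to limit what the static mapping of Scenario 1 exposes. It reuses the interface names and addresses above; the ACL name WEB-IN and the choice of TCP ports 80 and 443 are assumptions. On IOS, an inbound packet on the outside interface is checked against the interface ACL before the outside-to-inside translation runs, so the ACL must reference the public (inside global) address 20.20.20.10, not 192.168.1.10.

```cisco
! Added example (not from the original page). Assumptions: ACL name WEB-IN,
! only TCP 80 and 443 should be reachable on the web server.
!
! Inbound packets on the outside interface hit the ACL before NAT rewrites the
! destination, so match on the public address 20.20.20.10.
ip access-list extended WEB-IN
 remark --- services published through the static NAT of Scenario 1 ---
 permit tcp any host 20.20.20.10 eq 80
 permit tcp any host 20.20.20.10 eq 443
 remark --- replies to TCP sessions the server itself opened (updates, etc.) ---
 remark "established" only checks the ACK/RST flags; it is not stateful inspection
 permit tcp any host 20.20.20.10 established
 remark --- everything else, logged so scans against the public range are visible ---
 deny   ip any any log
!
interface FastEthernet0/0
 ip access-group WEB-IN in
!
! Verification: the static entry is always present, the ACL counters should
! grow on the permit lines when clients connect.
show ip nat translations
show ip nat statistics
show access-lists WEB-IN
```

Because the mapping translates every port, the deny line is what actually closes the server's other services (SSH, database ports, anything else it listens on) to the Internet. The established line is a weak substitute for stateful filtering; if the server needs UDP (DNS, NTP) return traffic, or if you want real state tracking, use the router's stateful features rather than widening this ACL.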

 

Scenario 2:

Assume now that we have only one public IP address, the one configured on the outside interface of our border router. We want traffic hitting the router's public IP 20.20.20.1 on TCP port 80 to be redirected to our internal web server at 192.168.1.10. This is static PAT (port forwarding): only that one port and protocol are mapped, nothing else about the server is exposed. Because the translation happens before the router decides whether an inbound packet is addressed to itself, a forwarded port takes precedence over the router's own service on that port, so never forward the port you manage the router on (TCP 22 for SSH, for example).

interface FastEthernet0/0
 ip address 20.20.20.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! static PAT: TCP 20.20.20.1:80 (the outside interface address) <-> 192.168.1.10:80
ip nat inside source static tcp 192.168.1.10 80 20.20.20.1 80

 

Scenario 3:

Here we configure dynamic NAT overload (PAT) using the address of the router's outside interface. This is the most common setup for small networks that just need Internet access: all hosts in the LAN (192.168.1.0/24) are translated to the router's single public IP (20.20.20.1), with the source port distinguishing the sessions. Note that access-list 1 below only selects which source addresses are eligible for translation; it does not filter traffic.

interface FastEthernet0/0
 ip address 20.20.20.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! which inside addresses get translated (a "permit" here means "translate")
access-list 1 permit 192.168.1.0 0.0.0.255
! translate them all to the outside interface address, many-to-one via source ports
ip nat inside source list 1 interface FastEthernet0/0 overload
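The following is an added example, not part of the original page, showing Scenario 2 and Scenario 3 together on the single public address 20.20.20.1, which is how a small site is usually deployed, plus the one thing the page's ACL does not cover: exempting traffic that must not be translated. It keeps the page's interface names and addresses; the remote subnet 10.10.10.0/24 (reached over a site-to-site VPN that is not configured here), the ACL name NAT-INSIDE, and the timeout and table-size values are assumptions.

```cisco
! Added example (not from the original page). Assumptions: remote VPN subnet
! 10.10.10.0/24, ACL name NAT-INSIDE, tuning values below.
!
! In a NAT ACL "deny" means "do not translate", not "drop". Order matters:
! the exemption for the VPN subnet must come before the catch-all permit,
! otherwise packets to the remote site leave with a public source address
! and never match the VPN's interesting-traffic definition.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! Scenario 3: dynamic PAT for everything the ACL permits
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! Scenario 2 on the same address. Static entries take precedence over dynamic
! ones, so inbound TCP 80 always reaches the web server. Inbound packets to
! other ports of 20.20.20.1 with no matching translation are handled by the
! router itself, which is why a forwarded port must not collide with SSH.
ip nat inside source static tcp 192.168.1.10 80 20.20.20.1 80
!
! Dynamic entries are created on demand and held until they time out; bound
! the table so one misbehaving host cannot exhaust it (values are assumptions).
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 120
ip nat translation max-entries 10000
!
! Verification
show ip nat translations verbose
show ip nat statistics
! flush dynamic entries after changing the ACL (active sessions will reset)
clear ip nat translation *
```

The exemption line is the part most often forgotten: with the page's access-list 1 alone, traffic to a VPN peer's subnet would be translated to 20.20.20.1 first and the tunnel would never see it.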

 


A few days ago I published the updated 3rd edition of the “Cisco ASA Firewall Fundamentals” tutorial ebook, which covers the latest ASA version 9.x and is applicable to both the 5500 and 5500-X series of devices. What I have done with the 3rd Edition (in addition to adding a lot of new content) is make sure that all configurations and examples in the book (commands, scenarios etc.) work with the newest ASA v9.x software and on both 5500 and 5500-X devices.

Moreover, I have added extra chapters and updated existing chapters with new features and configurations that work on version 9.x. If you have a slightly older version (8.x) the book is still applicable for you. For example, in the case of NAT, which was completely changed in ASA v8.3 and later, the book includes the commands for both pre-8.3 and post-8.3 versions.

As a free bonus with the main ASA Guide, I'm also offering a tutorial with 11 complete configuration examples. Each configuration example starts with a network diagram and the objectives of the scenario, followed by the complete ASA configuration commands together with explanations and comments for each command.

The main ASA ebook is full of practical scenarios, examples, troubleshooting information (where necessary), lots of step-by-step configuration commands, some theory where needed, more than 50 colorful network diagrams and screenshots etc. Currently, this book is the most up-to-date and comprehensive ASA tutorial out there.

Some people are skeptical about buying an electronic PDF ebook and think that a hard-copy book is better. This is wrong in my opinion. With an ebook, you can have it stored on your computer, tablet, smartphone etc. and reference it easily when needed. You can search inside and find the content you want without having to keep turning the pages of a printed book. Also, the most important advantage of an ebook is that I can update it easily with new features and commands and offer the update to existing customers fast.

READ MORE ABOUT “Cisco ASA Firewall Fundamentals 3rd Edition” HERE

This article describes the proper way to allow a BGP session between two routers to pass through a Cisco ASA firewall appliance. In particular, if the BGP session between the two routers uses MD5 authentication (which is a good security practice), the session needs some special “treatment” on the ASA in order to pass through it successfully.

By default, the Cisco ASA applies TCP Sequence Number Randomization to every session passing through it, and its TCP normalizer strips TCP option 19, the TCP MD5 Signature Option defined in RFC 2385 that carries the BGP MD5 authentication (by default the ASA only allows the MSS, SACK, timestamp and window-scale options and clears the rest). The MD5 signature is computed over the TCP pseudo-header, the TCP header including the sequence numbers, and the payload, so either action invalidates the signature at the receiving router and the session never establishes. Both must therefore be disabled, but only for this BGP traffic: sequence randomization protects the other hosts behind the ASA from sequence-number prediction attacks and should stay on for everything else.

(Diagram: BGP through ASA. R1 at 10.1.1.1 and R2 at 10.2.2.2 peer with each other across the ASA.)

Using the diagram above, we first match the BGP traffic between R1 and R2 with an access control list. Then we create a TCP map that allows TCP option 19, and a class map and policy-map entry that disable TCP Sequence Number Randomization and apply the TCP map to this BGP traffic class only.

Step 1:

Match the BGP traffic with an ACL (both directions, since either router may be the one that opens the TCP session):

access-list bgp-traffic extended permit tcp host 10.1.1.1 host 10.2.2.2 eq bgp
access-list bgp-traffic extended permit tcp host 10.2.2.2 host 10.1.1.1 eq bgp

Step 2:

Allow TCP option 19 with a TCP map:

tcp-map ALLOW-TCP-19
 tcp-options range 19 19 allow

Step 3:

Create a class map that matches the BGP traffic using the ACL above:

class-map BGP-CLASS
 match access-list bgp-traffic

Step 4:

Apply both actions to that class in the global policy (global_policy is attached to all interfaces by default with service-policy global_policy global):

policy-map global_policy
 class BGP-CLASS
  set connection random-sequence-number disable
  set connection advanced-options ALLOW-TCP-19
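The following is an added example, not part of the original article, covering what a practitioner still has to check after the four steps above. It assumes R1 (10.1.1.1) sits off the ASA interface named outside and R2 (10.2.2.2) off the interface named inside, and that the interface ACL is named OUTSIDE-IN; none of these names appear on the page. The point it makes is that the ACL used by the class map only classifies traffic for the policy; it does not permit anything, so the session still needs an interface access rule on the lower-security side.

```cisco
! Added example (not from the original article). Assumptions: R1 10.1.1.1 is
! reached via the "outside" interface, R2 10.2.2.2 via "inside", ACL OUTSIDE-IN.
!
! 1. The MPF class only classifies. Traffic entering from the lower-security
!    side needs an explicit permit; keep it to the two peers and TCP 179 only.
access-list OUTSIDE-IN extended permit tcp host 10.1.1.1 host 10.2.2.2 eq bgp
access-group OUTSIDE-IN in interface outside
!
! 2. global_policy must be attached globally (it is by default); confirm it is.
show running-config service-policy
!
! 3. Confirm a flow between the peers lands in BGP-CLASS and gets both
!    "set connection" actions (R1 opening the session from an ephemeral port).
show service-policy flow tcp host 10.1.1.1 host 10.2.2.2 eq 179
packet-tracer input outside tcp 10.1.1.1 40000 10.2.2.2 179
!
! 4. Once the routers report the neighbor as Established, the ASA should
!    hold one TCP connection on port 179 between the two peers.
show conn port 179
```

If show service-policy flow lists the match but the session still fails, the usual cause is a mismatch between the ACL in the class map and the real peer addresses (for example peering from loopbacks while the ACL names the physical interface addresses); the TCP map and the randomization setting then never apply because the flow falls into class-default.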

It has been over a year now since I transferred all of my websites from a shared Hostgator account (Baby Plan shared hosting package) to a managed VPS server from wiredtree.com. Specifically, I purchased their Managed VPS1000 option, which offers the following specs:

Main WiredTree VPS1000 Specs:

  • 1024 MB Guaranteed RAM
  • 100 GB Disk Space
  • 3000 GB monthly bandwidth
  • SSD Accelerated disks for caching and acceleration (tremendous improvement in website loading time and response).
  • 4 dedicated IP addresses
  • cPanel / WHM for easy management of server
  • Fully Managed solution (you don’t have to install or manage anything).
  • ServerShield security hardening of your VPS server including security protection tools like Advanced Firewall (CSF) for firewall and brute force protection, Spam Prevention and Antivirus, HTTP intrusion and Denial of Service Protection, Security Audits, continuous software updates etc.
  • 24×7 Service Monitoring so you don’t have to worry if your VPS is down.
  • 24×7 Phone and Help Desk support
  • 100% Node Uptime SLA
  • Many more features

Traffic Handling Performance

When I was using shared hosting from Hostgator, there were several occasions when my websites threw an “Error 500 Internal Server Error” message, caused by excessive traffic to the shared server. Especially whenever I sent an email broadcast to my subscribers asking them to check out an article I had written on my site, the whole website became inaccessible because of the sudden increase in traffic from the email subscribers. Now, with my wiredtree VPS server, I have never had such an outage problem. It handles all of my traffic with no problems.

Website Loading Speed

Website loading times have also improved considerably. It seems that the SSD Accelerated disks (SSD = Solid State Drive, much faster than normal disks) make a huge difference in website speed. See this article from wiredtree which explains the benefits of SSD acceleration. As you might already know, Google likes websites which load fast, so you will also get an SEO benefit from the increased website speed.

Security

As a security and IT professional myself, I always take my websites' security very seriously. I know that a hacker or a malware infiltration in my sites can be devastating. So one of the main factors I looked at when evaluating web hosting solutions was the security features offered by the VPS provider. WiredTree ticked all the right boxes regarding security.

A hacker can get into your website either via the web application (e.g. via WordPress) or via the web server. The security tools and features utilized by WiredTree will make your VPS web server as bulletproof as possible.

ServerShield is developed by WiredTree and is a unique and comprehensive software security and optimization suite that is provided free of charge to all customers. When WiredTree installs your server for the first time, the server is hardened and several security protection tools are installed, including an advanced firewall, spam protection, antivirus protection, Denial of Service protection etc. In the year that I have been with WiredTree, they have already updated my VPS operating system and other software (kernel, cPanel etc.) several times in order to close security holes that were identified in the software. This proactive approach to security lets me sleep at night without worrying that my VPS will be knocked out by some malicious hackers. See more security features of WiredTree here.

My overall Experience with WiredTree

In a few words, I'm EXTREMELY SATISFIED!! Their support team seems to never sleep!!! Whenever I open a support ticket with them, they usually answer back and resolve my issue within 1 hour!! Moreover, I enjoy faster websites with SEO benefits, a reliable server, and most importantly a secure environment to host all of my sites.

If you are thinking of moving your websites from another hosting provider to WiredTree, you can have a look at how I did it here.

Comparison of Cisco ASA5500 Vs ASA5500-X

Although Cisco has created a new series of ASA appliances (the 5500-X series), there are hundreds of thousands of older Cisco ASA 5500 models installed and working in networks all over the world.

If you are one of those professionals considering upgrading your older ASA5500 appliances to the new “X” models, I have prepared a comparison of the most important similarities and differences between the two ASA generations.

First, let’s see what Cisco recommends as replacement models for the older ASA5500:

Older ASA5500 Model    Suggested Replacement 5500-X Model
ASA 5505               ASA 5505 (no new model)
ASA 5510               ASA 5512-X or ASA 5515-X
ASA 5520               ASA 5525-X
ASA 5540               ASA 5545-X
ASA 5550               ASA 5555-X
ASA 5580               ASA 5585-X

 

Next let’s discuss the similarities between the two ASA generations.

Similarities

The major similarity between the ASA5500 and ASA5500-X generations is in core firewall functionality and configuration. That is, the major firewall features (NAT, access control lists, VPN configuration, routing, failover, traffic inspection, modular policies, file system management, VLANs and subinterfaces, authentication etc.) are configured in exactly the same way on both ASA5500 and ASA5500-X models. In fact, the new software version 9.x runs on both ASA series.

So, if you have an existing ASA5500 model that works as a regular firewall and you don't need the new “Next Generation Firewall” features, you can stay with your current model for now. Bear in mind though that Cisco has announced the End-of-Sale for the 5500 models as September 16, 2013, and the last date of support for the 5500 generation is September 30, 2018.

Differences

With every new generation of appliances, the new models are almost always improved in both hardware and software capabilities. The major differences, in bullet form:

  • The new 5500-X models provide around 4 times the firewall throughput of the older 5500 models, and 60% higher VPN throughput.
  • The new 5500-X models run on multicore 64-bit processors, compared with single-core 32-bit processors on the older ASA models.
  • The new 5500-X models support Next-Generation Firewall Services either as cloud-based services (such as Cloud Web Security and Web Security Essentials) or as software modules that need no additional hardware (only a license for the software module). Note however that the “Next-Generation Firewall Services” cost extra on top of the core firewall appliance: you will need to purchase either a cloud subscription or software licenses (for the IPS software module, for example).
  • For Intrusion Prevention (IPS) you don't need an additional hardware module as on the older 5500 generation; the embedded IPS can be enabled on any 5500-X model by purchasing a software license.
  • More network interfaces are available on the 5500-X models (up to 14 Gigabit Ethernet ports).
  • On ASA5500-X models the management port is shared between the firewall and the embedded IPS module, and it cannot be used as a data port. On the older 5500 models you could also use the management port as a regular data interface; this is not supported on the 5500-X models, where the management port is only for management of the appliance.

 

These are the main differences between the two ASA generations. The new ebook I'm working on right now (“Cisco ASA Firewall Fundamentals, 3rd Edition”) will apply to both ASA5500 and ASA5500-X (regarding the core firewall functionality of the appliances) and will also cover the newest ASA version 9.x.

I hope you found my article useful. Talk to you soon.

Harris Andrea
