Cisco ASA NAT and PAT Configuration
I thought I would put together a NAT and PAT example to assist anyone who is trying to implement NAT and PAT on a Cisco ASA.
NAT (Network Address Translation) lets an internal network talk to outside networks using a given public/outside IP, or a pool of such IPs, in place of its private addresses. The diagram below shows the most common use of NAT: Internet connectivity for a private network.
Let's get to it then. First, how to configure PAT from the ASDM.
Let's look at a scenario to understand the process step by step. My example scenario is to forward traffic that hits the outside interface on the FTP port to my internal FTP server.
First create an access-list that permits traffic arriving on the outside interface for the service port you are publishing; in my example that is FTP (TCP 21). Apply it using the ASDM. Bear in mind that a source of "any" exposes the FTP server, and its cleartext logins, to the whole Internet; restrict the source addresses wherever you can.
Next create a static NAT that maps the inside host (the FTP server) to the outside interface address, on the FTP port only.
First create a name object, so the mapping is easier to remember and your configuration is easier to read and understand down the track.
Then create the static nat using the dialog box as below.
That is all there is to static Port Address Translation (PAT) for publishing an FTP server on your private network to the outside world through an ASA appliance. Because FTP negotiates a second data connection, this relies on the ASA's FTP inspection (part of the default policy) to open the data channel.
Let's do the same using the command line (CLI).
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-group outside_access_in in interface outside
static (inside,outside) tcp interface ftp FTPServer ftp netmask 255.255.255.255
Next, look at Network Address Translation.
This scenario is where the ISP has given you a block of public IPs and you want your network to use them when communicating with public networks.
The first step is to create the pool as below using the "Edit Global Address Pool" dialog box.
After that add the dynamic NAT as below, using the previously created IP pool to translate inside addresses when they talk to outside networks.
Now let's do the same using the CLI.
global (outside) 1 10.142.188.50-10.142.188.100 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
Simple as that. One caveat: with a pool alone, new connections are dropped once every pool address is in use, so most deployments also define a PAT fallback under the same NAT ID.
Let me know if you would like me to clear up any NAT and PAT issues for specific scenarios.
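As an added example, not part of the original post: the static, global and nat commands above are the pre-8.3 syntax. From ASA 8.3 onward they were replaced by object NAT, and the access-list is written against the real (inside) address rather than the translated one, so anyone following this on a current release needs the equivalents below. The FTP server address 192.168.1.10 and the object names are assumptions for illustration; the pool addresses are the ones used above. The second translation also adds the interface PAT fallback that the pool-only form lacks.

```text
! Added example (not the original post's configuration): object NAT
! equivalents for ASA 8.3 and later. 192.168.1.10 and the object names
! are assumptions for illustration.
!
! 1. Static PAT: publish only TCP/21 of the inside FTP server on the
!    outside interface address. The ACL now matches the REAL address.
object network FTPServer
 host 192.168.1.10
 nat (inside,outside) static interface service tcp ftp ftp
!
access-list outside_access_in extended permit tcp any object FTPServer eq ftp
access-group outside_access_in in interface outside
!
! 2. Dynamic NAT for all inside hosts out of the public pool, falling
!    back to PAT on the outside interface once the pool is exhausted.
!    Without the trailing "interface" keyword, exhaustion drops new flows.
object network OUTSIDE_POOL
 range 10.142.188.50 10.142.188.100
!
object network INSIDE_ANY
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic OUTSIDE_POOL interface
```

After applying either form, `show nat` and `show xlate` confirm which translation a flow actually hit; the most common migration mistake is leaving an 8.2-style ACL that references the outside interface address, which silently matches nothing on 8.3+.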
HSRP Configuration using 4 Cisco 3750 Switches
Hot Standby Router Protocol (HSRP) is a Cisco technology for implementing first-hop (default gateway) redundancy using layer 3 switches or routers.
The basic idea of HSRP is that it lets a virtual IP be hosted and shared by two different hardware units. I deployed a solution using 4 Cisco 3750 StackWise switches for a client. They had two 3750 switches at the core of their network, connected into a single virtual unit using StackWise technology, which increased the resilience of the core network to some extent. My solution added another set of 3750 switches into the cluster, creating a complete HSRP cluster while increasing reliability and extending the number of ports per VLAN.
Below is the solution design diagram I put together for the client.
How to implement HSRP using Cisco 3750.
To enable HSRP on an interface use the following command, where the group number is optional and defaults to 0:
(config-if)# standby [group] ip [virtual-address]
To keep HSRP organised it is advisable to give every instance an explicit group number, especially when you run several groups to share load between the switches.
The client's network consisted of 7 VLANs, and each VLAN's default gateway address was set to one of the 7 HSRP virtual router addresses. HSRP can also share load by using the priority to choose which physical unit owns (is the active router for) each virtual router in normal operation (MHSRP). The HSRP priority ranges from 0 to 255 (the default is 100); the interface with the highest priority in a group becomes the active router and holds the virtual address, and ties are broken by the highest interface IP address.
Don't forget to set preempt, so that when a failed active router recovers it takes the active role back for its HSRP group automatically, keeping the load sharing in place in normal operation. A preempt delay gives the recovering switch time to bring up its routing before it takes the gateway address back.
Below is a complete interface configuration in order to implement HSRP.
Switch# configure terminal
(config)# interface vlan 1
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# standby 1 ip 192.168.0.254
(config-if)# standby 1 priority 110
(config-if)# standby 1 preempt
(config-if)# standby 1 authentication word
(config-if)# standby 1 timers 5 15
(config-if)# standby 1 name VR_VLAN1
The timers set the hello interval (heartbeat) and hold time between interfaces in the HSRP group (here 5 and 15 seconds; the defaults are 3 and 10), and authentication keeps unauthorized routers from joining the group. Note that the form shown uses a cleartext password that is sent in every hello; prefer MD5 authentication, because any device on the VLAN that can send a higher-priority hello can otherwise take over the gateway address.
The command below is only needed if the switches are also managed as a Cisco switch cluster (a cluster command switch with a standby command switch). It binds that command-switch redundancy to the HSRP group named above, and the routing-redundancy keyword lets the same group serve both purposes. The VLAN gateway redundancy configured above works without it.
(config)# cluster standby-group VR_VLAN1 routing-redundancy
I would like to add another note on HSRP which I learnt through this project. If you have an ACL applied to a VLAN or any interface on which you are implementing HSRP, make sure you add the following line to your ACL, ahead of any deny that would otherwise match. This allows the HSRP multicast hellos between participating interfaces (HSRP version 1; version 2 uses 224.0.0.102 instead).
permit udp any eq 1985 host 224.0.0.2 eq 1985
All in all it was a good project. I learnt a lot, and it is always good to brush up on switch solutions and implementations. Cisco is not just routers and ISRs :).
Configure an Access Server using Cisco 2500 router
I am starting to set up my lab now. First things first, I want to connect all of my Cisco gear through an access server. It is pretty easy to do.
I am using a Cisco 2510 router with IOS 12.2 and an octal cable (8 serial ports).
First of all you need to configure a loopback interface; its address is what the reverse telnet host entries will point to.
interface lo 0
ip address 10.0.0.1 255.255.255.0
Next, set up the console and the async (tty) lines on the router. The session-timeout disconnects an idle reverse telnet session, and no exec stops noise from a connected device's console from starting an EXEC session on the access server line.
line con 0
! the eight async lines that the octal cable terminates on
line 1 8
session-timeout 20
no exec
exec-timeout 10
transport input all
After you set the lines you can start adding hosts to your configuration (telnet is the only transport these lines actually need, so restricting the transport input to telnet rather than all is tighter).
ip host Router1 2001 10.0.0.1
In the ip host command the port number is 2000 plus the absolute line number: reverse telnet ports start at 2000, so 2001 is the first cable on the octal, 2002 the second, and so on up to 2008.
Now you are ready to proceed. Save the config, and from the access server console you can reach any of the hosts you mapped.
Just use the host name you gave in the ip host command (e.g. Router1). To suspend a session and return to the access server press Ctrl+Shift+6, release, then press x.
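As an added example, not the exact configuration from the post: a complete access server configuration for an eight-line 2509/2510 that also locks down the parts the post leaves out, namely a login on the vty lines (anyone who can telnet to the access server can reach every console behind it) and a transport restricted to what reverse telnet needs. The lab device names, the local username, the passwords and the management subnet in the access-class are assumptions for illustration.

```text
! Added example (not the original post's exact configuration).
! Device names, credentials and 192.168.1.0/24 are assumptions.
hostname AccessServer
!
! A mistyped command at the prompt would otherwise hang on a DNS lookup.
no ip domain-lookup
! Placeholders: use real secrets here.
enable secret ChangeMe-Enable
username lab secret ChangeMe-Lab
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
line con 0
 logging synchronous
 exec-timeout 10 0
!
! The eight async lines the octal cable terminates on (tty 1-8).
line 1 8
 session-timeout 20
 no exec
 exec-timeout 10 0
 transport input telnet
 stopbits 1
!
! Only the lab management subnet may telnet to the access server,
! and it must log in with a local account.
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
 exec-timeout 10 0
 transport input telnet
!
! Reverse telnet port = 2000 + absolute line number, so line 1 is 2001
! and line 8 is 2008. All entries point at the loopback.
ip host R1 2001 10.0.0.1
ip host R2 2002 10.0.0.1
ip host R3 2003 10.0.0.1
ip host R4 2004 10.0.0.1
ip host SW1 2005 10.0.0.1
ip host SW2 2006 10.0.0.1
ip host FW1 2007 10.0.0.1
ip host FW2 2008 10.0.0.1
```

Typing a host name (for example R1) opens the console on that line; `show sessions` lists the suspended ones and `disconnect <n>` closes one. If a connection to a line is refused by the remote host, a stale session is still attached to that tty, and `clear line <n>` from the access server frees it.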
My new consulting firm and new lab.
The past few months have been really busy; as you may already know, I am starting my own consulting company, NCX Consulting (www.ncx.com.au). It is a lot of work to own and run your own business from the ground up.
The really good news out of all of this is that I was finally able to spend some hard-earned cash on building my own lab. So from now on I am going to put up lots of lab projects on here, ones I have been doing in my free time as well as in my consulting work.
I am doing lots of lab work for my CCNP studies, so I hope these labs will help anyone out there who is doing the CCNP or would like to know how to do crazy routing protocol stuff.
Stay tuned.
Netbook is the new best thing in IT
I bought myself a Lenovo S10 netbook the other day and I am loving it. It is perfect for my busy IT life (even though these days it has been a bit quiet, with changing my role and all).
Anyway, it is the best tool to blog from. Start the movement: get yourself a new netbook and join the frontier.
Cloud Computing
Cloud computing is not new tech at all, but my thinking is about a new way of doing it. Can you call a VPN link between the client sites and the ASP datacenter network cloud computing?
I am open to ideas on how to do this with minimal investment and change. It would also be a plus to make it user friendly while making it less complicated to implement.
iPhone OS 3.0
I just stumbled across this article on the iPhone OS 3.0 beta hands-on. The update looks promising, especially that cut and paste is finally there; man, that is a big step for Apple. It also looks like it has MMS; even though I never found that to be a big issue, it is good to have I guess. Besides those main features not much has changed. Searching has improved as well, but it's not like you are going to get lost in your phone looking for stuff lol.
The email search function might come in handy though. Let's see what will actually be included when the final version comes out.
-Lal Antony
Windows 7 is great
I have been using Windows 7 for the past 3 months and loving it. I feel like it is the OS that should have come out instead of Vista; basically Microsoft jumped the gun with Vista.
I should also note that during the time I have been using Windows 7 I have not had any major crashes. I wish I could have said that about the Vista trial I did a while back.
But I must say not a lot has changed from Vista in Windows 7 besides some GUI upgrades, which do add much-needed user-friendliness to the OS though.
I will be posting a full review down the track. Stay tuned.
Air Show Melbourne 2009
It is great here; the 2009 Air Show is better and much more popular than 2007. I will be putting some crazy pics on here soon. Stay tuned.
The F18 and C17 were the best of all that were in the show. The sound, and being able to get so close to a plane, is awesome.
The funniest part was people taking cover under planes when it was raining; you have to see the pics lol.
http://www.airshow.net.au/avalon2009/index.html
– Lal Antony
New tool from WordPress
A new tool from WordPress for bloggers: http://iphone.wordpress.org/
Now it is as easy as ABC to blog from the iPhone itself. No more third-party tools.
Gears of War 2 Xbox gaming night tonight; looking forward to kicking some asses.