Configure Static NAT – Cisco Router
Mar 4th
One of the basic questions every administrator has is how to configure static NAT for the services they provide to their customers (mail/web/application/VoIP etc.). I have myself answered this question a lot of times on Experts-Exchange. So here is the standard configuration:
Cisco Router:
ip nat inside source static <protocol> <InternalIP> <Port> <PublicIP> <Port>
access-list <Number> permit tcp any host <PublicIP> eq <Port>
int <Internal>
ip nat inside
int <External>
ip nat outside
ip access-group <Number> in
So, using the above, if I want to allow web server access the configuration would be as below, assuming Public IP = 11.12.13.14, Private IP = 10.10.10.10, Internal Interface = Ethernet0/0 and External Interface = Serial0/0:
ip nat inside source static tcp 10.10.10.10 80 11.12.13.14 80
access-list 100 permit tcp any host 11.12.13.14 eq 80
int e0/0
ip nat inside
int s0/0
ip nat outside
ip access-group 100 in
Configure Static NAT – PIX Firewall
Mar 4th
One of the basic questions every administrator has is how to configure static NAT for the services they provide to their customers (mail/web/application/VoIP etc.). I have myself answered this question a lot of times on Experts-Exchange. So here is the standard configuration:
Cisco PIX Firewall:
static (inside,outside) <PublicIP> <Private IP> netmask 255.255.255.255
access-list <Name> permit <Protocol> any host <PublicIP> eq <service>
access-group <Name> in interface outside
So, using the above, if I want to allow web server access the configuration would be as below, assuming Public IP = 11.12.13.14 and Private IP = 10.10.10.10:
static (inside,outside) 11.12.13.14 10.10.10.10 netmask 255.255.255.255
access-list Outside_In permit tcp any host 11.12.13.14 eq 80
access-group Outside_In in interface outside
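As an added example that is not part of either post, here is a small Python audit that reads the router and PIX lines from the two static NAT posts above and lists, for every static translation, which public IP and port it exposes and whether an access-list explicitly permits that service from the outside. The sample configuration is constructed: it repeats the lines shown above and adds one router translation (port 22) that has no matching access-list entry.

```python
import re

# Constructed sample (not from the post): the router and PIX lines shown above, plus
# one router translation (port 22) that has no matching access-list entry.
SAMPLE_CONFIG = """
ip nat inside source static tcp 10.10.10.10 80 11.12.13.14 80
ip nat inside source static tcp 10.10.10.20 22 11.12.13.15 22
access-list 100 permit tcp any host 11.12.13.14 eq 80
static (inside,outside) 11.12.13.16 10.10.10.30 netmask 255.255.255.255
access-list Outside_In permit tcp any host 11.12.13.16 eq www
"""

IOS_STATIC = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)$")
PIX_STATIC = re.compile(r"^static \(\S+,\S+\) (\S+) (\S+) netmask ")
ACL_PERMIT = re.compile(r"^access-list \S+ permit (tcp|udp) any host (\S+) eq (\S+)$")
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "smtp": "25", "domain": "53"}


def acl_permits(config):
    """(proto, public_ip, port) tuples explicitly permitted from 'any' by an access-list."""
    permits = set()
    for line in config.splitlines():
        m = ACL_PERMIT.match(line.strip())
        if m:
            proto, ip, port = m.groups()
            permits.add((proto, ip, PORT_NAMES.get(port, port)))
    return permits


def audit(config):
    """One (public_ip, port, internal_ip, acl_permit) row per exposed service.
    A one-to-one PIX static exposes every port, so it yields one row per port the
    access-list permits plus a final '*' row for all remaining ports."""
    permits = acl_permits(config)
    rows = []
    for line in config.splitlines():
        line = line.strip()
        m = IOS_STATIC.match(line)
        if m:
            proto, internal, _, public, port = m.groups()
            rows.append((public, port, internal, (proto, public, port) in permits))
            continue
        m = PIX_STATIC.match(line)
        if m:
            public, internal = m.groups()
            for proto, ip, port in sorted(permits):
                if ip == public:
                    rows.append((public, port, internal, True))
            rows.append((public, "*", internal, False))
    return rows
```

A row without a permit means different things on the two platforms: the PIX denies outside-to-inside traffic unless an access-list permits it, while on the router the extended access-list applied inbound ends in an implicit deny, so anything not listed in it, including return traffic for connections started from the inside, is dropped unless you permit it.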
Multiple Networks…Unique PAT
Oct 13th
One of the recent posts that came up on EE was from a user who has multiple subnets in his network and wants to do unique PAT for each of those networks when they exit for Internet access.
Say, for example, SubnetA is 10.10.10.0/24, SubnetB is 10.10.20.0/24 and I have two public IP addresses (PublicIPA, PublicIPB); I could PAT each network to its own address. This gives granularity for auditing based on the exit public IP address. So here is what I think can be done.
If this is done on PIX Firewall:
global (outside) 1 PublicIPA
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 2 PublicIPB
nat (inside) 2 10.10.20.0 255.255.255.0
(Each subnet needs its own NAT ID: two global statements sharing ID 1 would form one shared address pool, and SubnetB would not be tied to PublicIPB.)
If this has to be done on a Cisco Router:
ip nat pool SubnetA PublicIPA PublicIPA netmask 255.255.255.255
ip nat inside source list 1 pool SubnetA overload
access-list 1 permit 10.10.10.0 0.0.0.255
ip nat pool SubnetB PublicIPB PublicIPB netmask 255.255.255.255
ip nat inside source list 2 pool SubnetB overload
access-list 2 permit 10.10.20.0 0.0.0.255
(Access lists 1 and 2 are standard access lists, which take only the source address and wildcard, not a protocol keyword.)
int <Internal_Int>
ip nat inside
int <External_Int>
ip nat outside
Cool.
Block P2P using PIX
Sep 10th
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00801e419a.shtml
The link above covers the various ways of blocking P2P traffic using the PIX firewall; P2P is one of the hottest and greediest consumers of bandwidth on your network.
Setting MTU with Cisco VPN Client
Aug 11th
I guess one of the nice utilities often forgotten, which comes with the Cisco VPN Client, is SetMTU. It is installed with the client and you can find it at:
StartMenu->Programs->Cisco VPN Client->SetMTU
So life is peaceful: you don't have to go through the adapter GUIDs in the registry to find out which adapter you want to set it on.
Oh yeah! Using the Cisco VPN Client on Microsoft XP? Don't forget to get the latest version, 4.8, which is the stable one; you can download it from the Cisco site.
PIX site-to-site VPN
Jul 29th
Every day I learn something, and one such thing is this: think of a scenario where you have to build a site-to-site VPN between two PIXs. Adding interest to this, the outside interfaces of both PIXs are connected to each other directly, like this:
Internal—–PIX1–Outside———-Outside–PIX2—–Internal
With all configuration options as mentioned on the Cisco site (the Cisco config sample for this was linked here), the tunnel still doesn't come up! That was the point where I started scratching my head.
Then one of my friends at Experts-Exchange came along and said something like 'even though the outside interfaces are connected directly, you still need to have a default route (or a route) configured on the PIX to get this working'. It was great, and above all it was right.
Check out the link to see the whole discussion at the forum.
Trace Route through PIX ?
Jul 23rd
Ever noticed this? When a trace route is done from a network protected by a PIX firewall, the PIX interface doesn't appear in the hop list.
Consider this network:
10.1.1.1——–(10.1.1.2)Router(100.100.100.100)—-(100.100.100.101)(PIX)(200.200.200.200)—–InternetIP
The trace route will list:
10.1.1.2
100.100.100.101
InternetIP
The PIX interfaces will not be listed, whether the trace route is 'inbound' or 'outbound'! This is by design up to 6.3(5); in version 7.0 you have the option to disable NAT. Once that is done, the PIX acts as a router and its interfaces will be displayed.
DNS Doctoring
Jul 17th
The name is kinda funny; we'll see what it is all about. Often, a web server hosted on the internal network is protected by a Cisco PIX firewall. So anybody accessing the site from the Internet would just access it as http://www.domain.com, and since the name is registered with a public DNS server, it is resolved and the site is displayed to the user. However, the same isn't possible for someone inside the network where the web server is hosted, for two reasons:
1. The hostname is different
2. The IP address is private and won't resolve to http://www.domain.com
In such situations, one of the ways you can make it possible is something called DNS Doctoring.
Let's take an example:
The internal IP address of the web server: 10.1.1.1
The host name of the web server: mywebserver
Public name of the web server: www.domain.com
So in the PIX firewall you make the following configuration.
Let the PIX know that you are trying to reach the internal machine by modifying the following static NAT:
static (Inside,Outside) x.x.x.x 10.1.1.1 netmask 255.255.255.255
(The above statement tells the PIX that any request coming to the IP address x.x.x.x should be NATed to 10.1.1.1.)
Change the above to:
static (Inside,Outside) tcp x.x.x.x www 10.1.1.1 www DNS netmask 255.255.255.255
(Note the 'DNS' keyword in the modified 'static' statement. This tells the PIX that DNS resolution should also be taken care of.)
From now on any internal user can also browse the website using http://www.domain.com. What makes this possible is that the PIX intelligently takes care of the resolution for you! Kinda cool, huh?
How else can this be done?
Add an 'A' record for www in the internal DNS server (assuming that your internal domain name is also domain.com) pointing to 10.1.1.1.
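To show what the DNS keyword actually does on the wire, here is an added Python example (not from the post, and not PIX code): it builds a constructed DNS reply for www.domain.com and rewrites the A record from the static's global address to the internal 10.1.1.1, the way the PIX rewrites replies that cross from outside to inside. 203.0.113.10 is an assumed placeholder for the post's x.x.x.x.

```python
import struct

# Constructed DNS reply (not a capture): www.domain.com answered with one A record
# holding the public address. 203.0.113.10 stands in for the post's x.x.x.x.
PUBLIC_IP, INTERNAL_IP = "203.0.113.10", "10.1.1.1"

def build_reply(name, ip):
    """Minimal DNS response: header, one question, one A answer (name as a pointer)."""
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags, qd, an, ns, ar
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return header + question + answer

def skip_name(pkt, off):
    """Offset just past a name: a 2-byte compression pointer or labels ending in 0."""
    while pkt[off] & 0xC0 != 0xC0 and pkt[off] != 0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)

def a_record_offsets(pkt):
    """Offsets of the 4-byte RDATA of every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12  # fixed header size
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    offsets = []
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])  # TYPE, CLASS, TTL, RDLENGTH
        off += 10
        if rtype == 1 and rdlen == 4:
            offsets.append(off)
        off += rdlen
    return offsets

def a_records(pkt):
    return [".".join(map(str, pkt[o:o + 4])) for o in a_record_offsets(pkt)]

def doctor(pkt, global_ip, local_ip):
    """The rewrite the 'DNS' keyword triggers: A records equal to the static's global
    address are replaced with the local address; other records are left untouched."""
    out = bytearray(pkt)
    want = bytes(map(int, global_ip.split(".")))
    for o in a_record_offsets(pkt):
        if out[o:o + 4] == want:
            out[o:o + 4] = bytes(map(int, local_ip.split(".")))
    return bytes(out)
```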
Static IP for Cisco VPN Clients
Jul 16th
Setting up a VPN session between a remote user and a Cisco PIX firewall is fairly easy because of the numerous documents out there on the Cisco site. But there might be a situation where you want a particular VPN client to be given a static IP all the time. How do you do this? The only way I see it right now is:
1. Create 2 groups (Group1 and Group2)
2. Create 2 pools (Pool1 and Pool2)
Put "THE" user in Group1 and have Pool1 assigned to him; configure Pool1 so that it has only one IP address.
Put all the other users into the second group and have Pool2, the regular pool, assigned to them. Comes in very handy for administrators…