Sunday, 8 April 2007

Cisco Access lists part 2

Ok, last time we looked at access lists for blocking and permitting traffic. This time we'll look at their uses with the route-map command, covering some NAT (Network Address Translation) and even some VPN. So let's look at how an access list can help with NAT.

This is the basic network address translation command. Note how it refers to access list 1 for the range of IP addresses to translate.

ip nat inside source list 1 interface Dialer0 overload

access-list 1 remark The local LAN.
access-list 1 permit 192.168.1.0 0.0.0.255

Now let's look at another kind of NAT, which uses a route-map to select the IP range to translate. The route map here is named NONAT: it defines the addresses that are not to be translated to the outside world. In this example traffic heading for the 192.168.55.0 subnet does not enter the public internet, while all other traffic does.

ip nat inside source route-map NONAT interface Dialer0 overload

! Route-map names are case-sensitive: this name must match the ip nat statement above.
route-map NONAT permit 10
 match ip address 125

access-list 125 deny ip 172.16.0.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 125 permit ip 172.16.0.0 0.0.255.255 any

Now let's have a look at the role access lists play in a VPN. First of all you need encryption; in this case I've decided on 3DES and pre-shared keys, so that the encryption password is not sent over the public internet.

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2

crypto isakmp key ENA8LE address 195.168.235.17 no-xauth

crypto ipsec transform-set My-VPN esp-3des esp-md5-hmac

Now that you have picked an encryption type you need to apply it. Below is a crypto map statement that ties the transform set to the peer IP address. The only thing left to define is which addresses are public and which are private; this is done by the match address command, which here points to list 110. Since we are still using NAT, list 105 handles all the other translations (note that it denies the VPN traffic, so that traffic is not translated).

crypto map cm-cryptomap 110 ipsec-isakmp
 set peer 195.168.235.17
 set transform-set My-VPN
 match address 110

ip nat inside source list 105 interface Dialer0 overload

access-list 105 remark Traffic to NAT
access-list 105 deny ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 172.16.1.0 0.0.0.255 any

access-list 110 remark Site to Site VPN
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.1.0 0.0.0.255 any
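
To see why lists 105 and 110 mirror each other, here is a small Python evaluator (added here, not part of the original post) that applies Cisco wildcard-mask matching to the two lists above and reports whether a given flow would be translated, encrypted, or neither. The hosts it is queried with are constructed sample addresses.

```python
import ipaddress

# Access lists copied from the post above: 105 feeds NAT, 110 is the crypto map's match address.
CONFIG = """
access-list 105 remark Traffic to NAT
access-list 105 deny ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 172.16.1.0 0.0.0.255 any
access-list 110 remark Site to Site VPN
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.1.0 0.0.0.255 any
"""

def wildcard_match(addr, spec):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    base, wild = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def _take_addr(tokens):
    """Consume one address spec: 'any' or 'A.B.C.D W.X.Y.Z' (the only forms the post uses)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def parse_acls(text):
    """Return {list_number: [(action, src_spec, dst_spec), ...]}; remark lines are skipped."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, rest = _take_addr(tok[4:])      # tok[3] is the protocol ('ip')
        dst, _ = _take_addr(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def evaluate(entries, src, dst):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for action, s, d in entries:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"

def classify(src, dst, acls=parse_acls(CONFIG)):
    """Report whether a flow would be translated (list 105) and/or encrypted (list 110)."""
    return {"nat": evaluate(acls["105"], src, dst) == "permit",
            "vpn": evaluate(acls["110"], src, dst) == "permit"}
```

A flow from 172.16.1.10 to 192.168.0.20 comes back as encrypted but not translated, and the same host going to an internet address comes back as translated but not encrypted, which is exactly the split the two lists are meant to produce.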
Now you can see how access lists fit into a VPN and NAT. This still doesn't explore their full range of abilities, as there are many other functions they can be used with, such as routing protocols and rate limiting.
