Browsing articles in "Tutorial"
NAT Virtual Interface aka NVI, what is that?!

Not everyone knows that from IOS version 12.3(14)T, Cisco has introduced a new feature called NAT Virtual Interface; NVI removes the requirements to configure an interface as either NAT inside or NAT outside. An interface can be configured to use NAT or not use NAT. How to use NVI? It’s easy! You must use the command ‘ip nat source …’ without specifying the inside/outside tag and enable the nat to the interfaces using the command ‘ip nat enable’. For instance, if you use legacy statement:

Using route maps for conditional NAT

As explained in a previous article, NAT is the process of modifying IP address information in IP packet headers, while route maps are mainly used to redistribute and manipulate routes (OSPF, BGP, EIGRP, and so on). The question is obvious… What is the relationship between these two features? Static NAT configuration with the route-map option can be used to implement destination-based NAT scenarios where the same inside local address needs to be translated to more than one inside global address, depending on where the traffic is destined.

NAT and PAT: a complete explanation

Network address translation (NAT) is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device. There are two different types of NAT: NAT Static NAT: The simplest type of NAT provides a one-to-one translation of IP addresses. It is often also referred to as one-to-one NAT. In this type of NAT only the IP addresses, IP header checksum and any higher level checksums that include the IP address need to be changed. The rest of the packet can be left untouched (at least for basic TCP/UDP functionality, some higher level protocols may […]

Switchport capture: a good alternative to SPAN port

Do you remember the article “How to analyze traffic with SPAN feature“? The SPAN port is a feature that mirror traffic (on physical or virtual port) to a specific port. In general, behind this ‘destination’ port can be a traffic analyzer (wireshark, ntop and so on…), an IDS or other appliances. The SPAN feature is a good tool but it has two limitations: The number of SPAN sessions that can be configured is limited. A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it can become congested. This […]

How to configure Cisco VPN SSL aka WebVPN

The SSL VPN feature (also known as WebVPN) provides support for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Socket Layer- (SSL-) enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure Virtual Private Network (VPN) tunnel using a web browser. This feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support. What is SSL? Secure Sockets Layer is a protocol developed by Netscape for transmitting private documents […]

How to create self-signed certificates

A digital certificate or identity certificate is an electronic document which uses a digital signature to bind a public key with an identity, information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). However, there are situations where it is not possible use a CA, so the only solutions is to use a self-signed certificate, an identity certificate that is signed by […]

Unicast flooding due to asymmetric routing

Asymmetric routing is not a problem by itself, but will cause problems when Network Address Translation (NAT) or firewalls are used in the routed path. For example, in firewalls, state information is built when the packets flow from a higher security domain to a lower security domain. The firewall will be an exit point from one security domain to the other. If the return path passes through another firewall, the packet will not be allowed to traverse the firewall from the lower to higher security domain because the firewall in the return path will not have any state information. Another […]

How to perform SSH RSA User Authentication

Cisco IOS SSH Version 2 (SSHv2) supports keyboard-interactive and password-based authentication methods. The SSHv2 Enhancements for RSA Keys feature also supports RSA-based public key authentication for the client and the server. RSA based user authentication uses a private/public key pair associated with each user for authentication. The user must generate a private/public key pair on the client and configure a public key on the Cisco IOS SSH server to complete the authentication.

Nmap for IOS? No, IOSMap

The Tcl shell can be used to run Cisco IOS CLI EXEC commands within a Tcl script. Using the Tcl shell to run CLI commands allows customers to build menus to guide novice users through tasks, to automate repetitive tasks, and to create custom output for show commands. Not everyone knows that it is possible to implement a port scanning tool like a light Nmap. Surfing the web I have found a tool named IOSMap, a Cisco port scanning tool. It is not mandatory know Tcl to use this script; the only thing you need to know is how execute a […]

How to monitor devices with Cacti

There are many ways to monitor devices: netflow, span port, switchport and so on. Today I will explain how to monitor bandwith, CPU, … of routers and switches using SNMP and Cacti. Simple Network Management Protocol (SNMP) is an “Internet-standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more.” It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). It consists […]