Security configuration scheme of Cisco IOS Firewall

Source: Internet
Author: User

This article introduces the firewall security configuration of Cisco router IOS and describes its NAT translation function. It assumes that the reader is already familiar with Cisco router IOS.

Network security technologies include authentication and authorization, data encryption, access control, and security auditing. Security gateways provide the following types of service: address translation, packet filtering, application proxying, access control, and DoS defense. This document describes two of these services, address translation and access control, and shows how a Cisco router can enforce security rules for ISDN dial-up access. In the test environment, a LAN consisting of a Cisco 2621 router running a firewall IOS image and a switch is connected to the Internet by ISDN dial-up.

Internet technology is based on the IP protocol: all communication is carried in IP packets, and every device needs a unique IP address to communicate. When a network needs to reach the Internet, each device that communicates across it must therefore hold an address that is unique on the global Internet. Giving every device in the network its own Internet address is, of course, the ideal situation for running Internet applications. It also means, however, that every device is exposed on the network and anyone can attack it. At the same time, because the Internet currently uses IPv4, few addresses are available, and giving every device in the network its own IP address is almost impossible.

With port address translation, the administrator only needs one public Internet address to be used for port address translation. Each user connection is mapped to a port of an address in the IP address pool, so each valid Internet IP address can serve more than 60 thousand intranet hosts. The internal network's address information is thereby hidden, and the outside world cannot directly reach internal network devices.

Cisco routers provide several NAT translation modes:

1. One-to-one mapping between an internal address and an egress address
Disadvantage: when egress addresses are scarce, only a small number of hosts can be connected to the Internet.

2. Internal addresses share an egress address
The router uses the egress address and port number, together with the external host address and port number, as the key of each translation entry. The internal-side port number is a random number greater than 1024, while the external host's port number is recognized as a standard port number. In this way, the same egress address can be used with different port numbers to connect any number of internal hosts to the Internet.

Specific configuration: because the experiment uses ISDN dial-up Internet access, the egress address can only be obtained dynamically from the Internet, so the address pool for NAT translation is set to the address negotiated on the BRI port by dialing.
interface FastEthernet0/0
 ip address 172.16.18.200 255.255.255.0
 ip nat inside
 ! the interface connected to the inside network
!
interface BRI0/0
 ip address negotiated
 ip nat outside
 ! the interface connected to the outside network
 encapsulation ppp
 no ip split-horizon
 dialer string 163
 dialer load-threshold 150 inbound
 dialer-group 1
 isdn switch-type basic-net3
!
! global commands: translate sources matched by access-list 1 to the BRI0/0 address, sharing it by port (overload)
ip nat inside source list 1 interface BRI0/0 overload
access-list 1 permit 172.16.18.0 0.0.0.255
! dialer-group 1 above refers to dialer-list 1; the list was not shown in the original and is assumed here
dialer-list 1 protocol ip permit
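The two mechanisms that the "Internal addresses share an egress address" paragraph and this configuration rely on are the wildcard-mask match of access-list 1 and the per-port translation table that overload builds. The following is an added example (not from the original article and not Cisco IOS code) that models both: a wildcard matcher with Cisco semantics, and a small PAT table that hands out egress ports above 1024, keys each entry by egress port plus external host address and port, and returns nothing for inbound packets that have no entry. The egress address 203.0.113.10 and the hosts 198.51.100.1 and 172.16.18.x are constructed sample values; the port pool is a simplification, since a real router may reuse one egress port for different external hosts.

```python
# Added example, not code from the original article or from Cisco IOS: a model of
# 'ip nat inside source list 1 interface BRI0/0 overload' with
# 'access-list 1 permit 172.16.18.0 0.0.0.255'. All addresses are constructed samples.
import ipaddress
from collections import deque
from typing import Dict, Optional, Tuple


def ipv4_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 0 bit must match, a 1 bit is ignored.
    'permit 172.16.18.0 0.0.0.255' therefore covers 172.16.18.0 to 172.16.18.255."""
    care = ~ipv4_int(wildcard) & 0xFFFFFFFF
    return (ipv4_int(addr) & care) == (ipv4_int(base) & care)


class PatTable:
    """Translation table for NAT overload on one egress address."""

    def __init__(self, outside_addr: str, acl_base: str, acl_wildcard: str,
                 port_range: Tuple[int, int] = (1024, 65535)) -> None:
        self.outside_addr = outside_addr
        self.acl = (acl_base, acl_wildcard)
        # egress ports handed out to inside connections; all above 1024 as the text states
        self.free_ports = deque(range(port_range[0], port_range[1] + 1))
        # forward: (inside_ip, inside_port, dst_ip, dst_port, proto) -> egress port
        self.forward: Dict[Tuple[str, int, str, int, str], int] = {}
        # reverse: (egress port, dst_ip, dst_port, proto) -> (inside_ip, inside_port)
        self.reverse: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                 proto: str = "tcp") -> Optional[Tuple[str, int]]:
        """Translate a packet leaving through the outside interface.
        Returns the (address, port) the external host sees, or None when the
        port pool is exhausted. Sources not matched by the access-list are
        routed untranslated, which is what an 'inside source list' does."""
        if not wildcard_match(src_ip, *self.acl):
            return (src_ip, src_port)
        key = (src_ip, src_port, dst_ip, dst_port, proto)
        if key in self.forward:                       # existing entry is reused
            return (self.outside_addr, self.forward[key])
        if not self.free_ports:
            return None
        port = self.free_ports.popleft()
        self.forward[key] = port
        self.reverse[(port, dst_ip, dst_port, proto)] = (src_ip, src_port)
        return (self.outside_addr, port)

    def inbound(self, dst_port: int, src_ip: str, src_port: int,
                proto: str = "tcp") -> Optional[Tuple[str, int]]:
        """Look up a packet arriving on the outside interface. None means no
        translation exists, so the router has no inside host to deliver it to;
        this is why the outside world cannot reach internal devices directly."""
        return self.reverse.get((dst_port, src_ip, src_port, proto))


if __name__ == "__main__":
    pat = PatTable("203.0.113.10", "172.16.18.0", "0.0.0.255")
    print(pat.outbound("172.16.18.10", 40000, "198.51.100.1", 80))   # first egress port
    print(pat.outbound("172.16.18.11", 40000, "198.51.100.1", 80))   # same source port, next egress port
    print(pat.inbound(1025, "198.51.100.1", 80))                     # reply reaches 172.16.18.11
    print(pat.inbound(5000, "198.51.100.1", 80))                     # unsolicited: no entry
```

Running the block shows two inside hosts using the same source port sharing one egress address on different egress ports, a reply being mapped back to the right inside host, and an unsolicited inbound packet finding no entry. Constructing the table with a tiny port range shows the exhaustion case, where `outbound` returns None once every egress port is in use.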

3. Overlapping internal and external addresses
When the same network segment is used both internally and externally, you can perform NAT translation on both the internal and external interfaces so that communication works normally without duplicate addresses.

4. Mapping multiple internal hosts to one egress address
A large website on the Internet has multiple hosts of one system behind the same egress address.
Use the show ip nat translations and debug ip nat commands to check the NAT status.
