This lab is truly endless. According to the guide it takes 10 hours, but it will clearly take many more. The first part is NTP. An example of an authenticated NTP server (R9) and an authenticated client (R5):
R9#sh run | inc ntp
ntp authentication-key 1 md5 aquivaelpass
ntp authenticate
ntp trusted-key 1
ntp source FastEthernet0/0
ntp master 1
R5#sh run | inc ntp
ntp authentication-key 1 md5 aquivaelpass
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179846
ntp source Loopback0
ntp server x.y.z.w key 1
Next, on to NAT. I "invested" a lot of time here. Below are some examples of NAT conditioned on specific sources/destinations, plus a few knobs that can be tuned:
ip nat translation tcp-timeout 40
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 20
ip nat translation icmp-timeout 3
ip nat pool pul1 9.2.1.100 9.2.1.100 prefix-length 24 add-route
ip nat pool pul2 192.1.49.150 192.1.49.150 prefix-length 24
ip nat pool pul3 9.2.13.13 9.2.13.13 prefix-length 24 add-route
ip nat pool pul4 9.9.156.13 9.9.156.13 prefix-length 24
ip nat inside source list lista5 interface FastEthernet0/0.256 overload
ip nat inside source route-map rm1 pool pul1 reversible
ip nat inside source route-map rm2 pool pul2 reversible
ip nat inside source route-map rm3 pool pul3 reversible
ip nat inside source route-map rm4 pool pul4 reversible
!
ip access-list extended lista1
deny ip host 10.1.1.100 192.1.49.0 0.0.0.255
permit ip host 10.1.1.100 any
ip access-list extended lista2
permit ip host 10.1.1.100 192.1.49.0 0.0.0.255
ip access-list extended lista3
deny ip host 10.0.13.13 9.4.45.0 0.0.0.255
permit ip host 10.0.13.13 any
ip access-list extended lista4
permit ip host 10.0.13.13 9.4.45.0 0.0.0.255
ip access-list extended lista5
permit ip 10.1.1.0 0.0.0.255 any
permit ip 10.0.13.0 0.0.0.255 any
!
!
!
!
route-map rm4 permit 1
match ip address lista4
!
route-map rm3 permit 1
match ip address lista3
!
route-map rm2 permit 1
match ip address lista2
!
route-map rm1 permit 1
match ip address lista1
!
A couple of interesting things:
- A NAT pool with add-route installs the pool's route as a static route on the router, which can then be propagated to other peers... so the route never has to be added explicitly.
- ip nat inside source .... with reversible means the translation is valid for traffic originated from the inside or from the outside as well, i.e. bidirectional NAT.
Additionally, an example of NAT _WITHOUT_ using inside or outside (I didn't know about this one!):
!
interface FastEthernet0/0
ip address 10.0.7.7 255.255.255.0
ip nat enable
duplex auto
speed auto
!
interface FastEthernet0/0.78
encapsulation dot1Q 78
ip address 9.9.156.7 255.255.255.0
ip nat enable
!
ip nat translation max-entries all-host 25
ip nat pool pul1 9.7.7.101 9.7.7.250 prefix-length 24 add-route
ip nat source list 11 pool pul1 overload
ip nat source static 10.0.7.10 9.7.7.10
ip nat source static 10.0.7.100 9.7.7.100
!
Next I went through the time-range and TCP intercept topics:
ip access-list extended legacy
permit icmp any any echo-reply
permit tcp any host 9.9.45.4 eq www time-range tr1
permit tcp any host 9.9.45.4 eq 443 time-range tr1
time-range tr1
periodic Saturday 19:35 to 19:37
This means that access-list legacy permits http/https traffic to host 9.9.45.4 from any source only on Saturdays from 19:35:00 to 19:37:59. Watch out for that detail about the seconds (verified empirically)!!
On TCP intercept:
Change the TCP Intercept Aggressive Thresholds
Two factors determine when aggressive behavior begins and ends: total incomplete connections and connection requests during the last one-minute sample period. Both thresholds have default values that can be redefined.
The two factors that determine aggressive behavior are related and work together. When either of the high values is exceeded, aggressive behavior begins. When both quantities fall below the low value, aggressive behavior ends.
!
ip tcp intercept list blah
ip tcp intercept max-incomplete low 150
ip tcp intercept max-incomplete high 300
ip tcp intercept mode watch
!
ip access-list extended blah
permit tcp any host 9.9.45.4 eq www
permit tcp any host 9.9.45.4 eq 443
!
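To make the hysteresis in the quoted description concrete, here is an added Python model of the aggressive-mode decision (example code written for this post, not IOS code). The max-incomplete thresholds are the 150/300 from the config above; the one-minute thresholds and the sample series are constructed values for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class InterceptThresholds:
    """Aggressive-mode thresholds, mirroring the two IOS knobs."""
    max_incomplete_low: int = 150     # ip tcp intercept max-incomplete low 150
    max_incomplete_high: int = 300    # ip tcp intercept max-incomplete high 300
    one_minute_low: int = 900         # constructed: the post sets no one-minute values
    one_minute_high: int = 1100


@dataclass
class AggressiveModeTracker:
    """Tracks whether TCP Intercept is in aggressive mode, with hysteresis."""
    thresholds: InterceptThresholds = field(default_factory=InterceptThresholds)
    aggressive: bool = False

    def update(self, incomplete: int, last_minute: int) -> bool:
        """Feed one sample: total half-open connections and the connection
        requests seen during the last one-minute window. Returns the new state."""
        t = self.thresholds
        if not self.aggressive:
            # Entry: exceeding EITHER high threshold starts aggressive behavior.
            if incomplete > t.max_incomplete_high or last_minute > t.one_minute_high:
                self.aggressive = True
        else:
            # Exit: BOTH quantities must fall below their low thresholds.
            if incomplete < t.max_incomplete_low and last_minute < t.one_minute_low:
                self.aggressive = False
        return self.aggressive


def simulate(samples: List[Tuple[int, int]],
             thresholds: Optional[InterceptThresholds] = None) -> List[bool]:
    """Run a series of (incomplete, last_minute) samples through one tracker."""
    tracker = AggressiveModeTracker(thresholds or InterceptThresholds())
    return [tracker.update(inc, rate) for inc, rate in samples]


# Constructed sample series: a SYN burst pushes half-open connections past
# 300, then they drain. Dropping to 200 (still above low=150), and even to
# 140 while the per-minute rate stays above 900, does NOT leave aggressive mode.
SAMPLES = [(100, 500), (310, 500), (200, 500), (140, 950), (140, 800)]

if __name__ == "__main__":
    for sample, state in zip(SAMPLES, simulate(SAMPLES)):
        print(sample, "aggressive" if state else "normal")
```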
Watch out for the order of operations. TCP intercept comes after NAT!
Argh!
Cheers