
ACL, DHCP AND NAT

Fast Track CCNA R&S

SWITCH v7 Chapter 3
© 2007 – 2016, Cisco Systems, Inc. All rights reserved. Cisco Public 1
ACCESS CONTROL LIST
 Packet filtering used to implement traffic-control and security policies.
 Two types:
 Standard ACL
 Extended ACL
 Two configuration styles:
 Numbered ACLs
 Named ACLs
 Entries are evaluated top-down and the first match wins; every ACL ends with an implicit deny any, so traffic that matches no entry is dropped.

STANDARD ACL
 Filter on the source IP address of a packet only.
 Use ACL numbers 1 to 99 and 1300 to 1999.
 Applied as close as possible to the destination of the packet (they cannot distinguish destinations, so placing them near the source would block traffic to every destination).
 CONFIGURATION SYNTAX:
 access-list access-list-number {permit | deny} source [source-wildcard]
 The wildcard mask is the inverse of a subnet mask: a 0 bit must match, a 1 bit is ignored (0.0.0.255 matches a /24; the host keyword is shorthand for a 0.0.0.0 wildcard).
 Applying to an interface:
 ip access-group access-list-number {in | out}

NAMED ACLs
 Standard and extended ACLs can be configured using names instead of numbers.
 SYNTAX
 ip access-list {standard | extended} {name | number}
 EXAMPLE (the first command enters ACL configuration mode; the entry is added on the next line):
 ip access-list extended in_to_out
 permit tcp host 10.0.0.1 host 187.100.1.6 eq telnet
 Applying to an interface:
 ip access-group in_to_out in

ACL SIM1
 The ACL is applied to interface f0/0 in the inbound direction.
 ACL 106 only permits echo-reply, so inbound ICMP echo packets are not permitted and the ping from the switch cannot enter the router.
 ACL 104 PERMITS inbound ICMP echo packets; since the ACL is applied only inbound, the echo-reply packets leave the interface without the ACL being applied to them.

 Applying ACL 104 instead of ACL 106 solves the problem, provided an inbound ACL is kept on interface f0/0.

 ACL 114 PERMITS any type of traffic from network 10.4.4.0/24 to any destination IP.

 Removing ACL 102 from interface s0/0/1 is not shown, but running the command "ip access-group 115 in" replaces ACL 102 with ACL 115: an interface can carry only one ACL per direction, so the new one overwrites the old one.
 The ACL permits any traffic to any destination; however, the wildcard makes the entry match a single address of the form x.x.x.0, which is a network address, not a host address.
 Option A comes closest to the result of this ACL: because of the wildcard no host can reach the router, since no host address matches the entry.
ACL SIM2 v1

 ! a 0.0.0.0 wildcard matches a single address (same as the host keyword); "eq www" is port 80
 access-list 101 permit tcp 192.168.33.3 0.0.0.0 172.22.242.23 0.0.0.0 eq www
 access-list 101 deny tcp any host 172.22.242.23 eq 80
 access-list 101 permit ip any any
 interface FastEthernet0/1
 ip access-group 101 out

ACL SIM2 v2

access-list 101 permit tcp host 192.168.33.4 host 172.22.142.23 eq 80
access-list 101 deny ip any host 172.22.142.23
access-list 101 permit ip any any
interface fa0/1
ip access-group 101 out

NOTE:
"access-list 100 permit ip any any"
"access-list 100 permit ip any host (IP of Public Web Server)"

Possible reason not to use the second option: with only that permit entry, everything else, including DNS, is dropped by the implicit deny, so core and LAN users could reach the web server only by IP address, not by name.
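Added Python example, not code from the original slides: a small evaluator that applies IOS ACL semantics (wildcard masks, top-down first match, implicit deny) to constructed packets. ACL 101 is the SIM2 v2 list above; ACL 100 is the narrow entry from the note; ACL 114 is the SIM1 list as described; ACL 115 is an assumed reconstruction of the SIM1 wildcard pitfall (a network address with a 0.0.0.0 wildcard); ACL 10 is an assumed standard ACL. The packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed IOS-style ACL text. ACL 115 and ACL 10 are assumptions made for the example.
SAMPLE_CONFIG = """
access-list 101 permit tcp host 192.168.33.4 host 172.22.142.23 eq 80
access-list 101 deny ip any host 172.22.142.23
access-list 101 permit ip any any
access-list 100 permit ip any host 172.22.142.23
access-list 114 permit ip 10.4.4.0 0.0.0.255 any
access-list 115 permit ip 10.4.4.0 0.0.0.0 any
access-list 10 permit 10.4.4.0 0.0.0.255
"""

PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None     # None means any destination port


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _parse_addr(t: List[str], i: int):
    """Consume one IOS address spec at t[i]; return (base, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and _is_ipv4(t[i + 1]):
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1            # bare address: implied 0.0.0.0 wildcard


def parse_acls(config: str) -> Dict[int, List[Ace]]:
    acls: Dict[int, List[Ace]] = {}
    for raw in config.splitlines():
        t = raw.split("!")[0].split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:    # standard: source only
            src, sw, _ = _parse_addr(t, 3)
            ace = Ace(action, "ip", src, sw, "0.0.0.0", "255.255.255.255")
        else:                                               # extended
            src, sw, i = _parse_addr(t, 4)
            dst, dw, i = _parse_addr(t, i)
            dport = None
            if i + 1 < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            ace = Ace(action, t[3], src, sw, dst, dw, dport)
        acls.setdefault(number, []).append(ace)
    return acls


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; falling off the end is the implicit deny any."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, ace.src, ace.src_wild):
            continue
        if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


ACLS = parse_acls(SAMPLE_CONFIG)


def check(number: int, pkt: Packet) -> str:
    return evaluate(ACLS[number], pkt)


if __name__ == "__main__":
    for n, p in [(101, Packet("tcp", "192.168.33.5", "172.22.142.23", 80)),
                 (100, Packet("udp", "192.168.33.5", "172.22.142.53", 53)),
                 (115, Packet("icmp", "10.4.4.7", "10.1.1.1"))]:
        print(n, p, "->", check(n, p))
```

Running it shows the three points the slides make: ACL 101 lets only 192.168.33.4 reach the web server on port 80 and denies every other packet to that host while leaving other destinations alone; ACL 100 with the narrow permit drops a DNS query to any other host because nothing else matches; and ACL 115's 0.0.0.0 wildcard matches only 10.4.4.0 itself, so a real host such as 10.4.4.7 is denied while ACL 114 permits it.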

DHCP

 DHCPDISCOVER messages are sent as broadcasts.
 Routers do not forward broadcasts.
 A Cisco IOS helper address (ip helper-address, configured on the interface facing the clients) makes the router act as a relay agent, forwarding the message as a unicast to the DHCPv4 server.
 Four-step process for a client to obtain a lease:
 1. DHCP Discover (DHCPDISCOVER) - the client uses Layer 2 and Layer 3 broadcast addresses to find a DHCP server.
 2. DHCP Offer (DHCPOFFER) - the DHCPv4 server sends the binding DHCPOFFER message to the requesting client as a unicast.
 3. DHCP Request (DHCPREQUEST) - the client sends back a broadcast DHCPREQUEST in response to the server's offer.
 4. DHCP Acknowledgment (DHCPACK) - the server replies with a unicast DHCPACK message.
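The four-step exchange above, together with the relay-agent behaviour of ip helper-address described earlier, as an added Python example that is not part of the original slides. It encodes and decodes RFC 2131 messages directly (fixed header, magic cookie, option 53 message type, options 50/54 on the request). The topology, addresses, client MAC and address pool are constructed for the example, and the server is a deliberately minimal model (no NAK, no lease expiry).

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

MAGIC = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message types
BROADCAST_FLAG = 0x8000                      # client asks for broadcast replies

# Constructed topology (assumed, not from the slides): clients on 10.4.4.0/24 behind a
# router whose client-facing interface 10.4.4.1 has "ip helper-address 172.16.200.10";
# the DHCP server 172.16.200.10 is on another subnet.
RELAY_IP, SERVER_IP = "10.4.4.1", "172.16.200.10"
CLIENT_MAC = bytes.fromhex("02000a040407")


def _ip(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def build(op: int, xid: int, chaddr: bytes, options: List[Tuple[int, bytes]],
          yiaddr: str = "0.0.0.0", giaddr: str = "0.0.0.0", flags: int = 0, hops: int = 0) -> bytes:
    """Encode an RFC 2131 message: 236-byte fixed header, magic cookie, TLV options, end."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, hops, xid, 0, flags)          # htype=1 hlen=6 secs=0
    hdr += _ip("0.0.0.0") + _ip(yiaddr) + _ip("0.0.0.0") + _ip(giaddr)  # ciaddr yiaddr siaddr giaddr
    hdr += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)           # chaddr sname file
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"


def parse(msg: bytes) -> Dict:
    op, _, hlen, hops, xid, _, flags = struct.unpack("!BBBBIHH", msg[:12])
    if msg[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    m = {"op": op, "hops": hops, "xid": xid, "flags": flags, "options": {},
         "yiaddr": str(ipaddress.IPv4Address(msg[16:20])),
         "giaddr": str(ipaddress.IPv4Address(msg[24:28])), "chaddr": msg[28:28 + hlen]}
    i = 240
    while msg[i] != 0xFF:                                    # 0xFF ends the option list
        if msg[i] == 0:                                      # 0 is a one-byte pad
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        m["options"][code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return m


def relay(msg: bytes, relay_ip: str) -> bytes:
    """What ip helper-address does: set giaddr to the receiving interface address (if
    not already set), bump hops, and unicast the copy to the configured server."""
    m = parse(msg)
    giaddr = m["giaddr"] if m["giaddr"] != "0.0.0.0" else relay_ip
    return msg[:3] + bytes([m["hops"] + 1]) + msg[4:24] + _ip(giaddr) + msg[28:]


class Server:
    """Minimal DHCPv4 server: one pool per subnet, chosen by giaddr; no NAK, no expiry."""

    def __init__(self, ip: str, pools: Dict[str, List[str]]):
        self.ip = ip
        self.pools = {ipaddress.ip_network(n): list(a) for n, a in pools.items()}
        self.bindings: Dict[bytes, str] = {}                 # chaddr -> leased address

    def handle(self, msg: bytes) -> Optional[Tuple[str, bytes]]:
        """Return (destination IP, reply bytes), or None when this server stays silent."""
        m = parse(msg)
        kind = m["options"][53][0]
        if kind == DISCOVER:
            # giaddr (filled in by the relay) tells the server which subnet the client is on
            sel = ipaddress.ip_address(m["giaddr"] if m["giaddr"] != "0.0.0.0" else self.ip)
            pool = next(p for net, p in self.pools.items() if sel in net)
            addr = self.bindings.get(m["chaddr"]) or pool.pop(0)
            self.bindings[m["chaddr"]] = addr
            return self._reply(m, OFFER, addr)
        if kind == REQUEST:
            wanted = str(ipaddress.IPv4Address(m["options"][50]))
            if m["options"].get(54) != _ip(self.ip) or self.bindings.get(m["chaddr"]) != wanted:
                return None                                  # client chose another server
            return self._reply(m, ACK, wanted)
        return None

    def _reply(self, m: Dict, kind: int, addr: str) -> Tuple[str, bytes]:
        opts = [(53, bytes([kind])), (54, _ip(self.ip)), (51, struct.pack("!I", 86400)),
                (1, _ip("255.255.255.0")), (3, _ip(RELAY_IP))]   # lease, mask, router (assumed)
        reply = build(2, m["xid"], m["chaddr"], opts, addr, m["giaddr"], m["flags"], m["hops"])
        # RFC 2131 delivery: relayed -> unicast to giaddr (the relay forwards it to the client);
        # otherwise broadcast if the client set the flag, else unicast to the offered address.
        if m["giaddr"] != "0.0.0.0":
            return m["giaddr"], reply
        return ("255.255.255.255" if m["flags"] & BROADCAST_FLAG else addr), reply


def run_exchange(xid: int = 0x3903F326) -> Dict:
    """DISCOVER -> OFFER -> REQUEST -> ACK for one client behind the relay."""
    server = Server(SERVER_IP, {"10.4.4.0/24": ["10.4.4.100", "10.4.4.101"]})
    discover = build(1, xid, CLIENT_MAC, [(53, bytes([DISCOVER]))], flags=BROADCAST_FLAG)
    offer_dest, offer = server.handle(relay(discover, RELAY_IP))
    o = parse(offer)
    request = build(1, xid, CLIENT_MAC, [(53, bytes([REQUEST])), (50, _ip(o["yiaddr"])),
                                         (54, o["options"][54])], flags=BROADCAST_FLAG)
    _, ack = server.handle(relay(request, RELAY_IP))
    a = parse(ack)
    return {"offered": o["yiaddr"], "offer_sent_to": offer_dest, "relay_hops": o["hops"],
            "leased": a["yiaddr"], "ack_type": a["options"][53][0],
            "lease_seconds": struct.unpack("!I", a["options"][51])[0]}
```

run_exchange() returns the offered and leased address (10.4.4.100), shows that the OFFER and ACK are sent as unicasts to giaddr (the relay at 10.4.4.1) rather than to the client, and that the relay incremented hops to 1. Without the relay the client's broadcast would never reach 172.16.200.10, which is the point of ip helper-address.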

DHCP

There is only one command related to NTP configuration on R2, so we need to check whether the IP address 192.168.100.1 is correct. The "show ip interface brief" output on R1 does not show this IP, so the address is not correct: it should be 192.168.10.1 (the IP address of interface E0/2 on R1), not 192.168.100.1.
DHCP

If R3 wants to receive an IP address from R2 via DHCP, interface E0/1 should be configured with the command "ip address dhcp", so the answer "DHCP is not enabled on this interface" is correct.

DHCP

This access list is applied to interface E0/2 in the inbound direction. Its purpose is to block traffic with a source IP address in 172.16.200.0/24, so it blocks all traffic sent from Server 1 to us.
DHCP

We notice that interface E0/0 (connected to the ISP) has been configured as "ip nat inside" while interfaces E0/1 and E0/2 (connected to our company) have been configured as "ip nat outside". This is backwards: "ip nat inside" belongs on the interfaces connected to our company and "ip nat outside" on the interface connected to the Internet. Therefore the NAT configuration on these interfaces is not correct.
NAT
• Always consider the device that is having its private address translated to understand this
concept.
• Inside address – address of the company network device that is being translated by NAT
• Outside address – IP address of the destination device
• Local address – any address that appears on the inside portion of the network
• Global address – any address that appears on the outside portion of the network

STATIC NAT
 Static address translation (static NAT) assigns one public IP address to
one private IP address
 Commonly used for servers that need to be accessed by external devices
or for devices that must be accessible by authorized personnel when
offsite
 One-to-one address mapping between local and global addresses

DYNAMIC NAT
 Dynamic NAT assigns a public IP address from a pool of addresses to each inside device with a private IP address when that device sends traffic to a network outside the company; the mapping is created on the first packet and reused for the device's later packets until the translation times out.
• Addresses are assigned on a first-come, first-served basis.
• The number of internal devices that can transmit outside the company at the same time is limited to the number of public IP addresses in the pool.

PAT (NAT OVERLOAD)
 PAT (otherwise known as NAT overload) can use one public IPv4 address to allow thousands of private IPv4 addresses to communicate with outside network devices.
 Uses port numbers to track each session.

PAT USING AN INTERFACE ADDRESS
 An ACL is still needed to define which private IP addresses get translated.
 Instead of associating the ACL with a pool, the ACL is associated with an interface that has a public IP address assigned. The overload keyword is always needed for PAT.
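The three forms of NAT on these slides (static one-to-one mapping, dynamic allocation from a pool, and PAT overloading one address with port tracking) modelled as an added Python example; this is not code from the original slides or from Cisco IOS. The Nat class mimics what ip nat inside source does to a flow in each mode; the inside hosts, the pool and the set of addresses "permitted by the ACL" are constructed for the example, using the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 for public addresses.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Nat:
    """Toy model of 'ip nat inside source' in its three forms.

    mode       "static", "dynamic" or "pat"
    pool       inside global addresses (for pat: the single interface address)
    inside_acl inside local addresses the ACL permits for translation
    static     inside local -> inside global one-to-one mappings
    """

    def __init__(self, mode: str, pool: List[str], inside_acl: Set[str],
                 static: Optional[Dict[str, str]] = None):
        assert mode in ("static", "dynamic", "pat")
        self.mode, self.free, self.inside_acl = mode, list(pool), set(inside_acl)
        self.static = dict(static or {})
        self.dynamic: Dict[str, str] = {}                          # inside local -> inside global
        self.sessions: Dict[Tuple[str, int, str], Tuple[str, int]] = {}  # (global ip, port, proto) -> (local ip, port)

    def _global_for(self, local: str) -> Optional[str]:
        if local in self.static:
            return self.static[local]
        if self.mode == "static" or local not in self.inside_acl:
            return local                                           # not matched: routed untranslated
        if self.mode == "pat":
            return self.free[0]                                    # one overloaded address
        if local not in self.dynamic:
            if not self.free:
                return None                                        # pool exhausted: packet dropped
            self.dynamic[local] = self.free.pop(0)                # first come, first served
        return self.dynamic[local]

    def outbound(self, f: Flow) -> Optional[Flow]:
        """Inside -> outside: rewrite inside local to inside global and record the session."""
        g = self._global_for(f.src)
        if g is None:
            return None
        if g == f.src:
            return f
        port = f.sport
        if self.mode == "pat":
            # keep the source port if it is free on the shared address, otherwise pick another
            while self.sessions.get((g, port, f.proto), (f.src, f.sport)) != (f.src, f.sport):
                port = port + 1 if port < 65535 else 1024
        self.sessions[(g, port, f.proto)] = (f.src, f.sport)
        return replace(f, src=g, sport=port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside: map inside global back to inside local, or drop."""
        hit = self.sessions.get((f.dst, f.dport, f.proto))
        if hit is None:
            # unsolicited traffic is only accepted for static one-to-one mappings
            owners = [l for l, g in self.static.items() if g == f.dst]
            if not owners:
                return None
            hit = (owners[0], f.dport)
        return replace(f, dst=hit[0], dport=hit[1])


def demo() -> Dict[str, object]:
    """Three inside hosts, the same destination, in each NAT mode."""
    hosts = {"10.4.4.10", "10.4.4.11", "10.4.4.12"}
    out: Dict[str, object] = {}
    dyn = Nat("dynamic", ["203.0.113.10", "203.0.113.11"], hosts)        # pool of two
    out["dynamic"] = [dyn.outbound(Flow(h, 40000, "198.51.100.5", 443)) for h in sorted(hosts)]
    pat = Nat("pat", ["203.0.113.5"], hosts)                              # interface overload
    out["pat"] = [pat.outbound(Flow(h, 40000, "198.51.100.5", 443)) for h in sorted(hosts)]
    out["pat_return"] = pat.inbound(Flow("198.51.100.5", 443, "203.0.113.5", 40001))
    out["unsolicited_dropped"] = pat.inbound(Flow("198.51.100.9", 51515, "203.0.113.5", 22))
    stat = Nat("static", [], set(), {"10.4.4.80": "203.0.113.80"})       # published server
    out["static_inbound"] = stat.inbound(Flow("198.51.100.9", 51515, "203.0.113.80", 443))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With a pool of two addresses the third dynamic host gets no translation (None, dropped), while PAT carries all three on 203.0.113.5 by moving the colliding source port 40000 to 40001 and 40002; the return packet to port 40001 is mapped back to 10.4.4.11:40000, an unsolicited inbound packet to the PAT address is dropped, and only the static mapping accepts unsolicited inbound traffic to the server.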
