I am trying to get a 2851 router setup using static routing and NAT. My college uses static routing, otherwise I wouldn't ;-)
I can ping addresses on the internet from the router console, but not from a machine on the inside network. I can ping the inside router port from a network client but not the outside port. I think I have all of the NAT stuff in there correctly, but still no routing. Can anyone else point out my mistake?
CSLabRouter#sho run
Building configuration...
Current configuration : 3621 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CSLabRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
ip cef
!
!
no ip domain lookup
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3695308060
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3695308060
revocation-check none
rsakeypair TP-self-signed-3695308060
!
!
crypto pki certificate chain TP-self-signed-3695308060
certificate self-signed 01
3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33363935 33303830 3630301E 170D3136 30393033 30333032
BC404C81 47004B31 4B3E456C 81E50FC7 E3C9F387 BBB7B8CD 98CC230C 4068B586 FC92
quit
username Admin privilege 15 password 0 MasterPass
!
!
!
!
!
interface GigabitEthernet0/0
ip address 172.30.30.1 255.255.0.0
ip nat enable
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.13.13.1 255.255.255.0
ip nat enable
duplex auto
speed auto
!
ip default-gateway 172.30.30.1
ip default-network 172.30.0.0
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.30.30.2
ip route 10.13.13.0 255.255.255.0 172.30.30.2
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat pool AC008Clients 10.13.13.0 10.13.13.255 prefix-length 24 add-route
ip nat source list 1 pool AC008Clients overload
ip nat source static udp 10.13.13.8 53 interface GigabitEthernet0/0 53
ip nat source static tcp 10.13.13.8 53 interface GigabitEthernet0/0 53
ip nat source static udp 10.13.13.8 5900 interface GigabitEthernet0/0 5900
ip nat source static tcp 10.13.13.8 5900 interface GigabitEthernet0/0 5900
ip nat source static udp 10.13.13.8 3283 interface GigabitEthernet0/0 3283
ip nat source static tcp 10.13.13.8 3283 interface GigabitEthernet0/0 3283
ip nat source static udp 10.13.13.8 311 interface GigabitEthernet0/0 311
ip nat source static tcp 10.13.13.8 311 interface GigabitEthernet0/0 311
ip nat source static tcp 10.13.13.8 80 interface GigabitEthernet0/0 80
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 permit 10.13.13.0 0.0.0.255
snmp-server community CottonCandy RO
!
!
!
control-plane
!
!
!
!
!
!
!
!
alias exec s show ip int br
alias exec sr show run
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end
I can see that you are using "ip nat enable" commend under the interfaces, and "ip nat inside source list 1 interface GigabitEthernet0/0 overload" in global config.
When we use the "ip nat enable command", we also need to slightly modify the nat statement in global config as well (to remove the word "inside" in global config).
Otherwise use "ip nat inside/outside" command.
Related
recently I have an assignment and trying to configure HSRP of my layer 3 switches in cisco packet tracer.
After multiple attempts 2 of my layer 3 switches is still unable to get the standby router of one another.
These are the running config files of the switches respectively:
S4:
S4#sh run
Building configuration...
Current configuration : 2384 bytes
!
version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S4
!
!
!
!
!
!
!
no ip cef
ip routing
!
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface Port-channel4
switchport mode trunk
!
interface GigabitEthernet1/0/1
switchport mode trunk
channel-group 4 mode active
!
interface GigabitEthernet1/0/2
switchport mode trunk
channel-group 4 mode active
!
interface GigabitEthernet1/0/3
no switchport
ip address 192.168.1.18 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
no switchport
ip address 192.168.1.6 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet1/0/24
no switchport
ip address 192.168.1.14 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 192.168.0.2 255.255.255.0
standby version 2
standby 1 ip 192.168.0.253
standby 1 preempt
!
interface Vlan10
mac-address 0010.11cb.1201
ip address 192.168.10.25 255.255.255.252
!
interface Vlan11
mac-address 0010.11cb.1202
ip address 192.168.10.17 255.255.255.248
!
interface Vlan12
mac-address 0010.11cb.1203
ip address 192.168.10.1 255.255.255.240
!
ip classless
ip route 192.168.20.0 255.255.255.224 192.168.1.17
ip route 192.168.20.32 255.255.255.248 192.168.1.17
ip route 192.168.20.40 255.255.255.252 192.168.1.17
ip route 0.0.0.0 0.0.0.0 192.168.1.5
ip route 0.0.0.0 0.0.0.0 192.168.1.13
ip route 192.168.0.0 255.255.255.0 GigabitEthernet1/0/3
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
!
end
S3:
S3#sh run
Building configuration...
Current configuration : 2448 bytes
!
version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S3
!
!
!
!
!
!
!
no ip cef
ip routing
!
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface Port-channel2
!
interface Port-channel3
!
interface Port-channel5
!
interface GigabitEthernet1/0/1
channel-group 2 mode active
!
interface GigabitEthernet1/0/2
channel-group 2 mode active
!
interface GigabitEthernet1/0/3
channel-group 3 mode active
!
interface GigabitEthernet1/0/4
channel-group 3 mode active
!
interface GigabitEthernet1/0/5
no switchport
ip address 192.168.1.17 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
no switchport
ip address 192.168.1.1 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet1/0/24
no switchport
ip address 192.168.1.10 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
standby version 2
standby 1 ip 192.168.0.253
standby 1 priority 105
standby 1 preempt
!
interface Vlan20
mac-address 0040.0bab.3601
ip address 192.168.20.41 255.255.255.252
!
interface Vlan21
mac-address 0040.0bab.3602
ip address 192.168.20.33 255.255.255.248
!
interface Vlan22
mac-address 0040.0bab.3603
ip address 192.168.20.1 255.255.255.224
!
ip classless
ip route 192.168.10.0 255.255.255.240 192.168.1.18
ip route 192.168.10.16 255.255.255.248 192.168.1.18
ip route 192.168.10.24 255.255.255.252 192.168.1.18
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.9
ip route 192.168.0.0 255.255.255.0 GigabitEthernet1/0/5
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
!
end
Not sure how am I able to get S3 to become the active router and S4 to become the standby router
are there any solutions?
I've tried inter connecting the layer 2 switches to one another too but still nothing changes etc.
For debugging purpose I need to set up a MITM proxy between 2 devices.
All devices have static IP (example) and are directly connected each other:
Device 1 : 192.168.10.50
Device 2 : 192.168.10.60
Proxy computer have 2 nic on the same subnet and is between other devices :
D1 .50 <=> [.60 PROXY .50] <=> D2 .60
My problem is, from the proxy if one of the 2 nic is disabled, D1 or D2 can reach the proxy.
Once I bring up the 2 nic, no one can see any other device.
D1 and D2 ip can't be changed.
Proxy is linux centos 8.
Already tested :
adding log on iptables : if 2 nic are up no more input / output log
Drop all input / output then accept only right ip from right interface => no result
Changing arp_filter = 1 and arp_announce = 2 => no result
Testing multiple SO post about 2 nic on same subnet
If anyone can help.
Thanks .
I've found a solution which consist in creating a transparent proxy and intercept some packets.
1- Create a bridge with the 2 NIC :
nmcli connection add type bridge autoconnect yes con-name "br0" ifname "br0"
nmcli connection modify "br0" ipv4.addresses "192.168.10.10/24" ipv4.method manual
nmcli connection delete enp0s3
nmcli connection delete enp0s8
nmcli connection add type bridge-slave autoconnect yes con-name enp0s3 ifname enp0s3 master br0
nmcli connection add type bridge-slave autoconnect yes con-name enp0s8 ifname enp0s8 master br0
2 Add correct rules to intercept specific traffic
nft add table bridge mitm
nft add chain bridge mitm filter { type filter hook prerouting priority 0\; }
nft add rule bridge mitm filter tcp dport 10000 ip saddr 192.168.10.50 meta pkttype set host ether daddr set xx:xx:xx:xx:xx:xx # br0 mac address
nft add rule ip nat PREROUTING tcp dport 10000 ip saddr 192.168.10.50 dnat to 192.168.10.10
It worked for me.
I'm new to Brocade/NetIron but I thought the config was similar to Cisco until we tried to hook up a new transit provider. Routes don't seem to be loading correctly and we have an issue pinging our router on the Cogent issued IP that we have added onto the interface.
Can anyone see a problem with this config?
NetIron CER 2024C-4X#show run
Current configuration:
!
ver V5.6.0gT183
!
no spanning-tree
!
vlan 1 name DEFAULT-VLAN
!
!
!
!
!
enable telnet password .....
enable super-user-password .....
telnet server
!
!
ip prefix-list VISPA-OUT seq 25 permit 1.2.3.0/24
!
ip prefix-list ALL-PREFIXES seq 5 permit 0.0.0.0/0 le 32
!
ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 le 32
!
!
!
!
!
ip router-id 1.2.3.1
!
!
!
!
!
interface management 1
ip address 192.168.1.245/24
enable
!
interface ethernet 2/1
port-name *** Cogent ***
enable
ip address x.x.x.42/29
!
interface ethernet 2/4
enable
ip address 1.2.3.1/24
!
!
!
router bgp
local-as 29129
neighbor x.x.x.41 remote-as 174
neighbor x.x.x.41 description Cogent
address-family ipv4 unicast
synchronization
network 1.2.3.0/24
redistribute connected
neighbor x.x.x.41 route-map in COGENT-IN
neighbor x.x.x.41 route-map out COGENT-OUT
exit-address-family
address-family ipv4 multicast
exit-address-family
address-family ipv6 unicast
exit-address-family
address-family ipv6 multicast
exit-address-family
address-family vpnv4 unicast
exit-address-family
address-family vpnv6 unicast
exit-address-family
!
!
!
route-map COGENT-IN permit 20
match ip address prefix-list ALL-PREFIXES
set local-preference 300
!
route-map COGENT-OUT permit 10
match ip address prefix-list VISPA-OUT
route-map COGENT-OUT deny 20
match ip address prefix-list ALL-PREFIXES
!
!
!
!
!
!
!
end
BGP Sum :-
NetIron CER 2024C-4X#show run
NetIron CER 2024C-4X#show ip bgp sum
BGP4 Summary
Router ID: 1.2.3.1 Local AS Number: 123
Confederation Identifier: not configured
Confederation Peers:
Maximum Number of IP ECMP Paths Supported for Load Sharing: 1
Number of Neighbors Configured: 1, UP: 1
Number of Routes Installed: 2, Uses 172 bytes
Number of Routes Advertising to All Neighbors: 1 (1 entries), Uses 48 bytes
Number of Attribute Entries Installed: 2, Uses 180 bytes
Neighbor Address AS# State Time Rt:Accepted Filtered Sent ToSend
x.x.x.41 174 ESTAB 0h 7m 6s 0 0 1 0
I can ping Cogent's IP, x.x.x.41 fine.
I can't ping my router from the outside world. Cogent also can't ping me - x.x.x.42.
Make sure you have a default route.
ip route 0.0.0.0/0 x.x.x.x
where x.x.x.x is your cogent gateway.
I want to create a Private network in google compute platform where I will be able to enter only using a vpn.
So, I create a machine in GCE and I install openvpn. This machine has an static IP, the ssh port open and the default network configuration from GCE.
Then, I create a second machine (call it MachineA) , in the same network, but without external IP.
Then I create the route rule in order to redirect traffic from vpn-machine to another internal instances.
I'm able to connect from my machine to the vpn.
I'm able to ping to vpn machine.
I'm able to ping to MachineA.
I'm able to ssh to vpn machine.
I'm able to ssh to MachineA.
but...
When I connect to ssh vpn machine and run gsutil it works, also ping to 8.8.8.8
When I connect to ssh MachineA and run gstult or ping 8.8.8.8 does not work.
Any Idea what Im doing wrong ?
Some information
from VPN-machine
xxx#dev-vpn:~$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.240.10.1 0.0.0.0 UG 0 0 0 eth0
10.16.0.0 10.16.0.2 255.255.255.0 UG 0 0 0 tun0
10.16.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.240.10.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
xxx#dev-vpn:~$ traceroute 10.240.10.3
traceroute to 10.240.10.3 (10.240.10.3), 30 hops max, 60 byte packets
1 * * instance-1.c.project.internal (10.240.10.3) 1.188 ms
from MachineA
traceroute to 10.240.10.2 (10.240.10.2), 30 hops max, 60 byte packets
1 * * *
2 * * dev-vpn.c.project.internal (10.240.10.2) 0.899 ms
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.240.10.1 0.0.0.0 UG 0 0 0 eth0
10.240.10.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
In google networking I add this rule
vpn-routing 10.16.0.0/24 1001 None dev-vpn (Zone us-central1-a)
I have a working system that does this. The innovation I made was to add an alias IP range and make the OpenVPN server use that Google IP range.
So for a router instance, that has an external IP address and will run the OpenVPN server on GCE, you need to create the instance with just one interface and a small IP Alias range. This would then permit IP forwarding from the main interface to the small Alias range. Let's say you are on default network 10.156.0.10/20 and you have added an Alias range of 10.156.1.0/28, you then add as the server line in your OpenVPN server configuration: server 10.156.1.1.
So the tun0 interface of OpenVPN (server-side) will come up on 10.156.1.1 and the tunnel endpoint on 10.156.1.2.
You have to push the routes to the OpenVPN clients (so push 10.156.0.0/20 in the server configuration). You will also need iroute statements in the server's ccd/client.
Here's an excerpt from the OpenVPN server's configuration file:
server 10.156.1.0 255.255.255.240
push "route 10.156.0.0 255.255.240.0"
push "route 10.164.0.0 255.255.240.0"
push "route 10.132.0.0 255.255.240.0"
route 192.168.127.0 255.255.255.0
If your site network is 192.168.127.0/24 and you use 3 Google networks. The ccd/client file has this
route 192.168.127.0 255.255.255.0
iroute 192.168.127.0 255.255.255.0
And you may need to add others, if you have other routes. (There's a section in the OpenVPN manuals about ccd/ and iroute.)
Back on the Google cloud, you will need to add a Google route via the OpenVPN gateway on 10.156.0.10 to get back to 192.168.127.0/24.
And there's lots of firewalling that you should do to make your hosts safe, but you must at least open the 1194 port for OpenVPN.
On your site, if you want to access the Google Cloud private networks, you will need to use RIPd from Quagga. That's a relatively easy configuration:
router rip
network eth0
passive-interface tun0
no default-information originate
redistribute kernel route-map GMAP
access-list GCE permit 10.156.0.0/20
access-list GCE permit 10.164.0.0/20
access-list GCE permit 10.132.0.0/20
access-list GCE deny any
route-map GMAP permit 10
match ip address GCE
This is the RIPd configuration for the OpenVPN client gateway, which is a router. This configuration propagates any routes for the three Google Cloud networks 10.{156,164,132}.0.0/20.
The RIPd configuration on the other hosts in your site network doesn't require any special configuration, just name the "router rip" and the "network eth0", your host's network interface and start RIPd. (The configuration on the VPN client gateway should be easier than this, but I found that "no default-information originate" didn't work for me, so I had to just propagate the Google routes.)
Context: I have setup a demo cloud in my laptop using VirtualBox and have two virtual machines - one has the client and other as server. Create a small instance using the server and running instance is TinyLinux.
Problem: How shall I send data to that instances and stores in that instance.
Some pointers would be very helpful.
Well, with libvirt, you have several options how to do the networking. The default is to use NATing. In that case libvirt creates a bridge and virtual nics for every so configured virtual nic:
$ brctl show
bridge name bridge id STP enabled interfaces
virbr0 8000.525400512fc8 yes virbr0-nic
vnet0
Then sets-up iptables rules to NAT (masquerade) the packets on such bridge.
Chain POSTROUTING (policy ACCEPT 19309 packets, 1272K bytes)
pkts bytes target prot opt in out source destination
8 416 MASQUERADE tcp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
216 22030 MASQUERADE udp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
11 460 MASQUERADE all -- any any 192.168.122.0/24 !192.168.122.0/24
enables forwarding
# cat /proc/sys/net/ipv4/ip_forward
1
and spawns DHCP server (dnsmasq is both DHCP and DNS in one)
ps aux | grep dnsmasq
nobody 1334 0.0 0.0 13144 568 ? S Feb06 0:00 \
/sbin/dnsmasq --strict-order --local=// --domain-needed \
--pid-file=... --conf-file= --except-interface lo --bind-dynamic \
--interface virbr0 --dhcp-range 192.168.122.2,192.168.122.254 \
--dhcp-leasefile=.../default.leases --dhcp-lease-max=253 --dhcp-no-override
If I had two virtual network interfaces (two machines with one NIC on same network, there would be two nics in that bridge. The machines gets the address from the range 192.168.122.2-254 from the dnsmasq DHCP server. So if you know that addresses, you should be able to connect from one to the other VM as both are on same broadcast domain (connected by the bridge). To the outside of your computer the machines all appear as "one IP address".
The more "advanced" option is to use Bridged networking, which again puts the virtual interfaces into one bridge, but it puts some physical device there as well, so the machines appears as if there were several machines connected to some switch...
I usually bind a web server to the gateway interface the VMs use to NAT with the physical host.