IP Services

EMS uses static IP routes to define paths through the Cisco IAD1101 and across the network. You can assign static IP routes to direct IP traffic on the Ethernet interface, and any T1 lines configured for IP (IP over Frame Relay or IP over PPP).

A static IP route consists of the following information:

Interface—The interface that leads to the destination IP address
Destination—The destination IP address
Gateway—The next hop along the path to the destination address
Netmask—The subnet mask to apply to the destination address

Figure 11-1 shows a sample network, with a Cisco IAD1101 connected to a router over a PPP link. To assign a static route from the Cisco IAD1101 to Host A, enter the following information:

Interface—IP over PPP
Destination—10.1.1.12
Gateway—171.1.2.3
Netmask—255.255.255.255

Figure 11-1: Static IP Route Example

Assigning Static IP Routes

To assign a static route, perform the following steps starting in node view:

Step 1 From node view, double-click the node nameplate. EMS launches the NE provision window.

Step 2 From the function bar on the left, click on the Datalink Route Configuration button. EMS launches the datalink route configuration window. (See Figure 11-2.)

Figure 11-2: Datalink Route Configuration Window

Step 3 Set the following parameters in the data-link route configuration window:

Interface—Select the outgoing interface for the route. You must identify the card type, slot, and line number. To use the Ethernet port, select Ethernet.
Destination IP Address—The destination address for the route. To configure a default route, leave this field at the default (0.0.0.0).
Gateway IP Address—The next hop along the route path.
Netmask—The netmask for the destination IP address. To configure a default route, leave blank.
Route Type—Select one of the following route types:
- Default—This route is always used, unless another static route (Host or Network) is created.
- Host—This route points to a specific host.
- Network—This route points to a specific network of hosts.

Step 4 Click Add when finished.

Step 5 Click the Exit button (on the function bar) to return to the node view.

You can add as many routes as needed, but only one route can be the default route.

Access Lists

An access list is a sequential collection of permit and deny conditions that apply to IP addresses. EMS tests addresses against the conditions in an access list one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the software rejects the address.

Access lists allow the Cisco IAD1101 to filter incoming or outgoing IP packets based on the following criteria:

Interface
Direction of traffic (incoming or outgoing)
Source IP address, subnet mask, and port
Destination IP address, subnet mask, and port
Layer 4 protocol (TCP, UDP, ICMP)
ICMP message type

Note UDP ports 161 and 162 are used for management and alarm traffic, respectively.

Provisioning Access Lists

To provision access lists on the NE, perform the following steps starting in the NE provisioning window:

Step 1 Click IP Access Lists in the function bar. EMS launches the access list provisioning window. (See Figure 11-3.)

Figure 11-3: Provisioning IP Access Lists

Step 2 Set the following fields to configure the access list:

Action—Select Accept or Reject.
IP Interface—Select an individual PPP link, or select Ethernet.
Direction—Select In or Out.
Protocols—Select the protocols to be filtered (All, TCP, UDP, or ICMP).
- ICMP Type—Select the ICMP protocol type to be filtered.
- ICMP Code—Select the code for the ICMP protocol type.
Source IP Address—Select the source IP address to filter.
Source Netmask Width—Select the netmask for the IP address.
Source Ports—Select the ports to be filtered.
- Include or Exclude—Select the action to be applied to the ports.
Destination IP Address—Select the destination IP address to filter.
Destination Netmask Width—Select the netmask for the IP address.
Destination Ports—Select the ports to be filtered.

Step 3 Click Add when finished.

Step 4 Repeat Step 2 and Step 3 to configure additional access lists. You can configure as many as 32 access lists.

Step 5 Click Enable/Disable Access Lists.

Caution EMS rejects traffic on every interface that does not have an access list definition. Before you proceed, you must create at least one entry per interface to accept traffic, or the NE will reject all traffic on the unprovisioned interface, including management traffic.

Step 6 Click Apply NE Enable to activate access lists.

Caution Enabling access lists may prevent user traffic from entering or exiting the NE, including management traffic.

Modifying or Deleting Access Lists

Use the following buttons to modify or delete an access list.

Caution Changes made to an access list entry take place immediately. Cisco Systems recommends that you disable access lists for the NE before making changes.

Modify—Changes the settings of an existing access list.
Up/Down—Moves an existing access list up or down relative to other list entries.
Delete—Removes an access list.
Refresh—Displays the settings of the selected access list.

Access List Example

Network Address Translation

Network Address Translation (NAT) is a feature that allows an organization's IP network to appear from the outside to use different IP address space than what it is actually using. Thus, NAT allows an organization with nonglobally routable addresses to connect to the Internet by translating those addresses into globally routable address space. NAT is described in RFC 1631.

NAT enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT is configured on the router at the border of a stub domain (referred to as the inside network) and a public network such as the Internet (referred to as the outside network). NAT translates the internal local addresses to globally unique IP addresses before sending packets to the outside network.

Figure 11-4 shows an example of NAT configured on a Cisco Integrated Access Device.

Figure 11-4: NAT Example

Static and Dynamic NAT

NAT offers two types of address translation, static and dynamic.

Static translation establishes a one-to-one mapping between the inside address and outside address. Static translation is useful when a host on the inside must be accessible by a fixed address from the outside.

10.0.0.1 --> 11.0.0.5
10.0.0.2 --> 11.0.0.6
10.0.0.3 --> 11.0.0.7

Dynamic translation establishes a mapping between an inside address and a pool of outside addresses. With dynamic NAT, a large number of inside addresses can be mapped to a single outside address, using port numbers to keep track of the address maps.

10.0.0.1 --> 12.0.0.9
10.0.0.2 --> 12.0.0.9
10.0.0.3 --> 12.0.0.9

NAT Restrictions

The following conditions apply to NAT provisioned on the Cisco IAD1101:

A Cisco IAD1101 provisioned with static NAT does not allow passive FTP attempts from the outside network to the inside network.
You cannot login using the Reflection X application through a Cisco IAD1101 implementing NAT.
Routing tables contain outside NAT addresses. When sending RIP updates over a NAT-enabled interface, the Cisco IAD1101 looks at both routing table and NAT table. If the destination address/subnet for a particular route is part of an inside subnet (based on the address and netmask) for this interface, this entry will be suppressed from RIP updates on this interface. Note that NAT translations are unique to each interface.

Provisioning NAT

To provision NAT on the NE, perform the following steps starting in the NE provision window:

Step 1 Click IP Network Access Translation (NAT). EMS launches the NAT provisioning window. (See Figure 11-5.)

Figure 11-5: Provisioning NAT

Step 2 Set the following fields to configure the network address translation:

IP Interface—Select an individual IP data link, or select Ethernet to configure the Ethernet port.
NAT Class—Select the type of NAT for this interface:
- Static—A one-to-one translation of IP addresses.
- Dynamic—A scalable translation of IP addresses.
Inside IP Address—Enter the inside IP addresses to translate.
Inside Netmask Width—Enter the netmask for the inside IP addresses to translate.
Inside Ports—Enter the range of ports for the inside IP addresses.
Outside IP Address—Enter the outside IP addresses used for translation.
Outside Netmask Width—Enter the netmask for the outside IP address.
Outside Ports—Enter the range of ports for the outside IP addresses.
Protocols—Select the protocols to be filtered (All, TCP, or UDP).
Timeout—For dynamic NAT, enter the time in seconds for a NAT table entry to expire.

Step 3 Click Add when finished.

Step 4 Repeat Step 2 and Step 3 to configure additional NAT entries. You can configure as many as 8 NAT entries.

Step 5 Click Enable/Disable NAT to activate NAT.

Caution Enabling NAT may prevent user traffic from entering or exiting the Cisco IAD1101, including management traffic.

Modifying or Deleting NAT

Click a NAT entry in the list window, and use the following buttons to modify or delete a NAT entry:

Modify—Changes the settings of an existing NAT entry.
Delete—Removes a NAT entry.

Note If a dynamic NAT entry is in use, you must uncheck the Enable NAT for NE box before deleting the NAT entry.

Refresh—Displays the settings of the selected NAT entry.

Security with NAT

On a Cisco IAD1101 with a static or dynamic NAT translation, an outside host can still gain access to an inside (untranslated) host address. To block outside access to the inside network, create a static NAT that translates inbound addresses into a "dummy" address, then create an access list that filters out the dummy address. See the "Access Lists" section for access list information and procedures.

NAT and Access List Example

The following task list is an example of using a "dummy" address, as described in the "Security with NAT" section on this page.

Step 1 Provision the Cisco IAD1101 with a static NAT entry:

IP Interface—Select the PPP link to the router.
NAT Class—Select Static.
Inside IP Address—10.0.0.0.
Inside Netmask Width—8.
Inside Ports—0 to 65535 (default).
Outside IP Address—12.0.0.0.
Outside Netmask Width—8.
Outside Ports—0 to 65505 (default).
Protocols—All (default).
Timeout—86400 (default).

Step 2 Create a dynamic NAT entry to prevent direct outside access to 10.0.0.0/8. Use 99.0.0.1 as the dummy address.

Step 3 Create an access list entry that rejects all inbound traffic with IP address 99.0.0.1:

Action—Reject.
IP Interface—Select the PPP link to the router.
Direction—In.
Protocols—All.
Source IP Address—0.0.0.0.
Source Netmask Width—32.
Source Ports—Include 0 to 65535.
Destination IP Address—99.0.0.1.
Destination Netmask Width—0.
Destination Ports—Include 0 to 65535.

Routing Information Protocol

The Routing Information Protocol (RIP) is a distance-vector protocol that uses hop count as its metric. RIP sends routing-update messages at regular intervals, and also whenever the network topology changes. When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route.

Note On a Cisco IAD1101 with a Frame Relay link, but without a PPP link, RIP does not advertise the node IP address over the Frame Relay link. To gain access to the Cisco IAD1101 over the Frame Relay link, use the Frame Relay address (not the node address) as the address for the Cisco IAD1101. This is not needed when both Frame Relay and PPP links exist on the Cisco IAD1101.

Provisioning RIP

To provision RIP on the NE, perform the following steps starting in the NE provision window:

Step 1 Click IP RIP Configuration. EMS launches the RIP provisioning window. (See Figure 11-6.)

Figure 11-6: Provisioning RIP

Step 2 Click Enable RIP for NE.

Step 3 In the IP Interfaces list, select the interfaces to be provisioned for RIP.

Note When you activate RIP on a Cisco IAD1101 interface, RIP advertises all directly-connected nodes over the interface.

Step 4 Click Enable RIP.

Step 5 Select the Rx RIP Version—1, 2, or "1 or 2".

Step 6 Select the Tx RIP Version—None, 1, RIP1Compatible, or 2.

Note RIP1Compatible is a version of RIPv2 that can be processed by a node using RIPv1.

Step 7 Select the Authentication—None or Password.

Step 8 If password authentication is selected (RIPv2 only), enter the password in the Authentication Key field.

Step 9 Click Apply to provision RIP for the selected interfaces.

Monitoring IP Statistics

EMS maintains statistics for all IP activity on the Cisco IAD1101, including routing tables, interface activity, and Layer 4 protocol statistics.

To display IP statistics, perform the following steps starting from node view:

Step 1 Select Objects > IP Statistics from the node view menu bar. EMS launches the IP statistics window (See Figure 11-7.)

Figure 11-7: IP Statistics Window

Step 2 Under Available IP Statistics, click the icon for the desired display. Statistic information and descriptions can be found in RFC1213 (Management Information Base for Network Management of TCP/IP-based internets: MIB-II).

Step 3 Use the following buttons to alter the display:

Refresh—Updates the table with the latest information
Flip—Changes the orientation of the table, from horizontal to vertical

Step 4 Click Close to close the display.

Table of Contents

IP Services