Saturday, January 26, 2008

IP Management

IPplan

IPplan is a free (GPL), web-based, multilingual TCP/IP address management and tracking tool written in PHP 4 that simplifies the administration of your IP address space. IPplan goes beyond TCP/IP address management to include DNS administration, configuration file management, circuit management (customizable via templates) and storage of hardware information (customizable via templates). IPplan can handle a single network or cater for multiple networks and customers with overlapping address space. It makes managing IP addresses and IP address space simple and easy.

more here



Thursday, August 30, 2007

PAT and NAT

The weakness of port address translation, as mentioned in an earlier post, is that a single public IP address is shared by all internal users. It may look simple (only one public IP is used), but it bodes badly for restricted websites:

Some websites only allow a limited amount of downloading per IP address, as a method of checking or limiting bandwidth.

Thus in my organization I have decided to mix PAT and NAT.

global (outside) 1 211.25.X.X-211.25.X.255 netmask 255.255.255.0
global (outside) 1 211.X.XI.1 netmask 255.255.255.0


The first rule tells the firewall to use NAT, translating internal hosts one-to-one onto addresses from the range, until the global address range is completely used up.
The firewall then falls through to the subsequent rule, i.e. PAT for all remaining internal hosts using 211.X.XI.1.

One global IP address can be used for up to 65,536 translations [i.e. a 16-bit port field].

Example, when the command sho xlate is issued:
Global 211.X.X224 Local 10.101.35.53
Global 211.X.X139 Local 10.101.35.28
Global 211.X.X69 Local 10.101.73.42
Global 211.X.X122 Local 10.101.34.178
Global 211.X.X206 Local 10.101.81.102
Global 211.X.X186 Local 10.101.122.132
Global 211.X.X220 Local 10.101.34.103
Global 211.X.X218 Local 10.23.1.78
Global 211.X.X167 Local 10.101.24.68
Global 211.X.X235 Local 10.101.94.224
Global 211.X.X80 Local 10.101.30.18
Global 211.X.X193 Local 10.101.71.163
Global 211.X.X163 Local 10.101.24.249
Global 211.X.X236 Local 10.101.35.117
Global 211.X.X232 Local 10.101.57.48
Global 211.X.X136 Local 10.101.34.33
Global 211.X.X125 Local 10.101.41.136
Global 211.X.X189 Local 10.23.1.63
Global 211.X.X143 Local 10.101.128.75
Global 211.X.X174 Local 10.101.34.173
Global 211.X.X55 Local 10.24.1.202
Global 211.X.X225 Local 10.101.115.40
Global 211.X.X222 Local 10.101.73.66
PAT Global 211.X.X.XI.1(18507) Local 10.101.71.36(2162)
PAT Global 211.X.X.XI.1(19531) Local 10.101.124.79(2356)
PAT Global 211.X.X.XI.1(21323) Local 10.101.114.100(3476)
PAT Global 211.X.X.XI.1(21067) Local 10.105.1.213(2448)
PAT Global 211.X.X.XI.1(20811) Local 10.101.27.13(1909)
PAT Global 211.X.X.XI.1(20555) Local 10.101.158.55(2912)
PAT Global 211.X.X.XI.1(21579) Local 10.101.60.177(50516)
PAT Global 211.X.X.XI.1(5196) Local 10.101.28.39(2276)
PAT Global 211.X.X.XI.1(11852) Local 10.105.1.170(1111)
PAT Global 211.X.X.XI.1(20044) Local 10.101.38.101(1802)
PAT Global 211.X.X.XI.1(19532) Local 10.101.124.79(2357)
PAT Global 211.X.X.XI.1(21324) Local 10.101.60.100(1083)
PAT Global 211.X.X.XI.1(21068) Local 10.101.34.70(1949)
PAT Global 211.X.X.XI.1(20812) Local 10.101.27.13(1910)
PAT Global 211.X.X.XI.1(21580) Local 10.101.60.177(50518)
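The pool-then-PAT behaviour described above, as an added model that is not from the original post and is not PIX code: pool addresses are handed out one-to-one until the range is exhausted, after which every further host is mapped onto the single PAT address with a unique port above 1024. The address ranges are constructed documentation addresses, not the author's 211.25.X.X space.

```python
import ipaddress


class Translator:
    """Toy model of 'global (outside) 1 <range>' followed by 'global (outside) 1 <addr>'."""

    PAT_PORT_MIN = 1024    # PAT source ports are assigned above 1024 (as the posts state)
    PAT_PORT_MAX = 65535   # 16-bit port field: the 65,536 ceiling mentioned in the post

    def __init__(self, pool_start, pool_end, pat_address):
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]
        self.pat_address = pat_address
        self.nat_table = {}   # local ip -> global ip (one-to-one, reused by that host)
        self.pat_table = {}   # (local ip, local port) -> (pat ip, global port)
        self.next_pat_port = self.PAT_PORT_MIN

    def translate(self, local_ip, local_port):
        # A host that already holds a pool address keeps it for every connection.
        if local_ip in self.nat_table:
            return (self.nat_table[local_ip], local_port)
        if self.pool:
            self.nat_table[local_ip] = self.pool.pop(0)
            return (self.nat_table[local_ip], local_port)
        # Pool exhausted: fall through to PAT on the single shared address.
        key = (local_ip, local_port)
        if key not in self.pat_table:
            if self.next_pat_port > self.PAT_PORT_MAX:
                raise RuntimeError("PAT port space exhausted on " + self.pat_address)
            self.pat_table[key] = (self.pat_address, self.next_pat_port)
            self.next_pat_port += 1
        return self.pat_table[key]

    def remaining_pat_ports(self):
        """How much of the shared address's port budget is still free."""
        return self.PAT_PORT_MAX - self.next_pat_port + 1


if __name__ == "__main__":
    t = Translator("198.51.100.10", "198.51.100.11", "198.51.100.1")  # constructed
    for host, port in [("10.0.0.1", 40000), ("10.0.0.2", 40001),
                       ("10.0.0.3", 40002), ("10.0.0.4", 40003)]:
        print(host, port, "->", t.translate(host, port))
    print("PAT ports left:", t.remaining_pat_ports())
```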



Wednesday, August 29, 2007

CISCO PIX Firewall

My organization has been using the Cisco PIX firewall since forever; it is the only firewall that has been used in all the branches of my organization. I know it to be reliable and operation-wise less problematic.

Cisco PIX (Private Internet EXchange) is a firewall originally conceived in March 1994 by John Mayes of Redwood City, California and coded by Brantley Coile of Athens, Georgia. The PIX name is derived from Coile's aim of creating the functional equivalent of an IP PBX; that is, at a time when NAT was just being investigated as a viable approach, he wanted to conceal a block or blocks of RFC 1918 IP addresses behind a single or multiple registered IP addresses, much like PBXs do for internal phone extensions. When he began, RFC 1631 was being discussed, but the now-familiar RFC 1918 had not yet been submitted.

The design and testing were carried out in 1994 by John Mayes, Brantley Coile and Johnson Wu of Network Translation, Inc., with Brantley Coile being the sole software developer. Beta testing was completed and first customer acceptance was on December 21, 1994 at KLA Instruments in San Jose, California. The PIX was awarded the Data Communications Magazine "Hot Product of the Year" award of 1994.[1]

After Cisco acquired Network Translation in 1995, Brantley hired four long-time associates: Jim Jordan, Tom Bohannon, Richard Howes and Pete Tenereillo (the latter two of whom had worked for NTI prior to the acquisition). Together they developed Finesse OS and the original version of the Cisco PIX Firewall, now known as the PIX "Classic". During this time, the PIX shared most of its code with another Cisco product, the LocalDirector. After Cisco acquired Global Internet Software Group in 1997, the PIX was sold alongside GISG's Windows NT-based software firewall product, known as the Centri firewall, until 2000.[2]

In May 2005, Cisco introduced the Adaptive Security Appliance (ASA), which combines functionality from the PIX, VPN 3000 series and IDS product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and the PIX continuing to use the traditional Finesse/PIX OS combination.[3]

The PIX runs a custom-written proprietary operating system originally called Finesse (Fast InterNEt Server Executive), but the software is now known simply as PIX OS. It is classified as a network layer firewall with stateful inspection, although technically the PIX would more precisely be called a Layer 4, or Transport Layer, firewall, as its access control is not restricted to Network Layer routing but operates on socket-based connections (a port and an IP address; port communication occurs at Layer 4). By design it allows internal connections out (outbound traffic), and only allows inbound traffic that is a response to a valid request or is allowed by an ACL (Access Control List) or a conduit. The PIX can be configured to perform many functions including NAT (network address translation) and PAT (port address translation), as well as serving as a VPN (Virtual Private Network) endpoint appliance.

The PIX was the first commercially available firewall product to introduce protocol specific filtering with the introduction of the "fixup" command. The PIX "fixup" capability allows the Firewall to apply additional security policies to connections identified as using specific protocols. Two protocols for which specific fixup behaviors were developed are DNS and SMTP. The DNS fixup originally implemented a very simple but effective security policy; it allowed just one DNS response from a DNS server on the Internet (or outside interface) for each DNS request from a client on the protected (or inside) interface.

The Cisco PIX was also one of the first commercially available security appliances to incorporate IPSec VPN gateway functionality.

The PIX can be managed by a CLI or a GUI. The CLI is accessible from the serial console, telnet or SSH. GUI administration was introduced with version 4.1, and it has been through several incarnations: PFM (PIX Firewall Manager) for PIX OS versions 4.x and 5.x, which runs locally on a Windows NT client; PDM (PIX Device Manager) for PIX OS version 6.x, which runs over HTTPS and requires Java; and ASDM (Adaptive Security Device Manager) for PIX OS version 7 and greater, which can run locally on a client or in reduced-functionality mode over HTTPS.[4] [5] [6]

As the PIX is an acquired product, the command line interface (CLI) was originally not aligned with the Cisco IOS 'standards'. Starting with version 7.0, the configuration is much more IOS-like. As the PIX only supports IP traffic (not IPX, DECnet, etc.), 'ip' is omitted in most configuration commands. The configuration is upwards compatible, not downwards. When a 5.x or 6.x configuration is loaded on a 7.x platform, the configuration is automatically converted to 7.x formatting. This allows for an easy migration from PIX to ASA. PIX OS v7.0 is only supported on models 515, 515(E), 525 and 535. Although the 501 and 506E are relatively recent models, their flash size of 8 MB prevents support of version 7.x, although rumors are that 7.0 can be installed on a 506E (see external links). For the PIX 515(E), a doubling of the memory size is required (32->64 MB for Restricted and 64->128 MB for Unrestricted/Failover licenses).

more on this site

Port Address Translation

My organization is using PAT (port address translation), which is easier since all users are using one public IP (and of course a Cisco PIX 525 series firewall).

nat (inside) 1 10.0.0.0 255.0.0.0 0 0
ip address outside 211.x.x.x 255.255.254.0
ip address inside 10.101.2.10 255.255.255.0
outside 0.0.0.0 0.0.0.0 211.x.x.x 1 OTHER static
inside 10.0.0.0 255.0.0.0 10.101.2.2 1 OTHER static
global (outside) 1 211.x.x.x netmask 255.255.255.254


By using the configuration above, all 10.0.0.0 hosts will be translated to the global address 211.x.x.x.

All source ports will be changed to a unique port number greater than 1024.

Example: issue the command sho xlate [ENTER]
PAT Global 211.x.x.x(25356) Local 10.23.2.76(1416)
PAT Global 211.x.x.x(24844) Local 10.101.28.31(2205)
PAT Global 211.x.x.x(32524) Local 10.1.2.47(56471)
PAT Global 211.x.x.x(32012) Local 10.1.2.11(39603)
PAT Global 211.x.x.x(31500) Local 10.1.2.11(56975)
PAT Global 211.x.x.x(31500) Local 10.101.129.108(1825)
PAT Global 211.x.x.x(30988) Local 10.1.2.11(25106)
PAT Global 211.x.x.x(29964) Local 10.1.2.11(23049)
PAT Global 211.x.x.x(29452) Local 10.1.2.11(47968)
PAT Global 211.x.x.x(28940) Local 10.1.2.11(27356)
PAT Global 211.x.x.x(34572) Local 10.101.30.220(3354)
PAT Global 211.x.x.x(34060) Local 10.101.73.44(3060)
PAT Global 211.x.x.x(33036) Local 10.1.2.11(18828)
PAT Global 211.x.x.x(40716) Local 10.101.44.115(51250)
PAT Global 211.x.x.x(44812) Local 10.101.82.63(4954)
PAT Global 211.x.x.x(44300) Local 10.101.82.63(4048)
PAT Global 211.x.x.x(43788) Local 10.101.82.63(3721)
PAT Global 211.x.x.x(43276) Local 10.101.82.63(3358)
PAT Global 211.x.x.x(42764) Local 10.101.82.63(2962)
PAT Global 211.x.x.x(42252) Local 10.101.82.63(2622)
PAT Global 211.x.x.x(41740) Local 10.101.82.63(2304)
PAT Global 211.x.x.x(41228) Local 10.101.82.63(2141)
PAT Global 211.x.x.x(48908) Local 10.101.44.56(3840)
PAT Global 211.x.x.x(46348) Local 10.101.82.63(4559)
PAT Global 211.x.x.x(45836) Local 10.101.23.190(2602)
PAT Global 211.x.x.x(53004) Local 10.101.25.30(2504)
PAT Global 211.x.x.x(52492) Local 10.101.44.51(1218)
PAT Global 211.x.x.x(51980) Local 10.20.3.120(1142)
PAT Global 211.x.x.x(51468) Local 10.101.44.75(1102)
PAT Global 211.x.x.x(50956) Local 10.101.28.64(1402)

The problem with PAT arises whenever you encounter websites that restrict activity based on IP address, e.g. RapidShare for downloading, etc. Then the users start complaining.
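An added example, not part of the original post: a parser for the two "show xlate" line formats shown on this page (plain NAT entries and PAT entries with ports) that reports how many translations each PAT address carries and which inside hosts hold the most of them. On a shared PAT address these are the hosts that trip a remote site's per-IP limit or eat into the 16-bit port budget. The sample output is constructed with documentation addresses, not the author's 211.x.x.x.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the sho xlate output above.
SAMPLE_XLATE = """\
Global 203.0.113.224 Local 10.101.35.53
Global 203.0.113.139 Local 10.101.35.28
PAT Global 203.0.113.1(18507) Local 10.101.71.36(2162)
PAT Global 203.0.113.1(19531) Local 10.101.124.79(2356)
PAT Global 203.0.113.1(19532) Local 10.101.124.79(2357)
PAT Global 203.0.113.1(21323) Local 10.101.124.79(3476)
"""

# "PAT " prefix and the "(port)" suffixes are optional so both forms match.
XLATE_RE = re.compile(
    r"^(?P<pat>PAT )?Global (?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))?"
    r" Local (?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?$"
)


def parse_xlate(text):
    """Return one dict per translation; banners and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "kind": "PAT" if m.group("pat") else "NAT",
            "global_ip": m.group("gip"),
            "global_port": int(m.group("gport")) if m.group("gport") else None,
            "local_ip": m.group("lip"),
            "local_port": int(m.group("lport")) if m.group("lport") else None,
        })
    return entries


def pat_usage(entries):
    """Active PAT translations per global address (out of the ~64k ports above 1024)."""
    return Counter(e["global_ip"] for e in entries if e["kind"] == "PAT")


def top_local_hosts(entries, n=3):
    """Inside hosts holding the most PAT translations on the shared address."""
    return Counter(e["local_ip"] for e in entries if e["kind"] == "PAT").most_common(n)


if __name__ == "__main__":
    xl = parse_xlate(SAMPLE_XLATE)
    print("PAT translations per global:", dict(pat_usage(xl)))
    print("busiest inside hosts:", top_local_hosts(xl))
```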

To solve this problem I believe we can use NAT (network address translation) and PAT (port address translation) together simultaneously. Currently working on it.

Keep you posted, soon