Categories
CCNP Enterprise Core (350-401) Cisco Services

Cisco AnyConnect

The Cisco AnyConnect Secure Mobility Client is an endpoint software product that is not only a VPN client providing access over Transport Layer Security (TLS) and IPsec IKEv2, but also provides enhanced security checks through built-in modules.

The modules are the VPN Posture (HostScan) module and the ISE Posture module.

These modules allow the AnyConnect software to scan the endpoint for compliance, for example checking that antivirus and firewall software are present.

If the host is found not to be compliant, its access to the corporate network can be restricted until the device is brought into compliance.

Cisco AnyConnect also includes web security through Cisco Cloud Web Security, network visibility into endpoint flows with StealthWatch, and roaming protection with Cisco Umbrella.

These protections apply even while the client is not connected to a VPN.

AnyConnect is supported across a broad range of platforms including Windows, macOS, iOS, Linux, Android, Windows Phone/Mobile, Blackberry and ChromeOS.


Port Address Translation

Port Address Translation (PAT) maps many local private IP addresses to a single global IP address. The router maintains a translation table by rewriting the source port of each connection from the local address to a unique port on the global IP address, so that returning traffic can be matched back to the originating host.

To configure port address translation, configure the inside interface with ip nat inside and the outside interface with ip nat outside. Define an access-list for the hosts and networks that are permitted to use the port address translation, for example ip access-list standard 20 followed by permit 192.168.1.0 0.0.0.255 (without the wildcard mask, a standard ACL entry matches only the single host address given).

Finally, tie the configuration together with the command ip nat inside source list <access-list> interface <outside-interface> overload.
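A complete configuration for the procedure above, added here as an example (it is not taken from the original notes). The interface names, addresses and ACL number are assumed, and the translation-table output at the end is constructed to show what the port rewriting looks like rather than captured from a device:

```cisco
! Added example (not from the original page): PAT overloading the outside
! interface address. Interface names, addresses and ACL number are assumed.
interface GigabitEthernet0/0
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Outside / ISP
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Only sources matched by this ACL are translated; anything else leaves
! untranslated, so keep the ACL scoped to the networks you intend to NAT.
ip access-list standard 20
 permit 192.168.1.0 0.0.0.255
!
! overload: many inside local addresses share Gi0/1's address and are told
! apart by the translated source port
ip nat inside source list 20 interface GigabitEthernet0/1 overload
!
! Constructed sample of the resulting table (illustrative values only).
! Both hosts used source port 49152; the router assigned each a distinct
! global port so the return traffic can be mapped back.
! Router# show ip nat translations
! Pro Inside global        Inside local         Outside local       Outside global
! tcp 203.0.113.2:1024     192.168.1.10:49152   198.51.100.7:443    198.51.100.7:443
! tcp 203.0.113.2:1025     192.168.1.11:49152   198.51.100.7:443    198.51.100.7:443
```

Because the ACL is the only thing deciding which sources are translated, a permit any here would also translate traffic from hosts or subnets that were never meant to reach the outside through this router; reviewing the ACL alongside show ip nat translations is the quickest way to confirm that only the intended inside networks appear in the table.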


Pooled Network Address Translation

Static Network Address Translation provides a simple one to one method of translating private to public IP addresses. Pooled NAT provides a more dynamic approach to one to one translation when required.

A dynamic translation is created when a private IP address initiates traffic and, by default, is kept for 24 hours. If a one-to-one translation remains idle for 24 hours, the public IP address is returned to the dynamic pool to be reused by another private IP address at a later time.

The default timeout can be changed with the command ip nat translation timeout <seconds>. Existing mappings can be cleared with the command clear ip nat translation *.

To configure Pooled Network Address Translation as an inside pooled NAT:

  1. Configure outside interfaces with ip nat outside.
  2. Configure inside interfaces with ip nat inside.
  3. Create a standard or extended access control list to specify the private IP addresses that are allowed to use the pooled network address translation, for example:
    1. ip access-list standard 10
    2. permit 10.20.40.0 0.0.0.255
  4. Create the global pool of IP addresses to be used with the command ip nat pool <pool-name> <starting-ip-address> <ending-ip-address> prefix-length <prefix-length>.
  5. Tie everything together with the command ip nat inside source list <access-list> pool <pool-name>.
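The five steps above carried through as one configuration, added here as an example and not taken from the original notes. Interface names, addresses, the pool name and range, and the shortened timeout are all assumed:

```cisco
! Added example (not from the original page): inside pooled (dynamic) NAT.
! Interface names, addresses, pool range and ACL number are assumed.
interface GigabitEthernet0/0
 ip address 10.20.40.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Step 3: only this private network may take an address from the pool
ip access-list standard 10
 permit 10.20.40.0 0.0.0.255
!
! Step 4: fourteen public addresses (203.0.113.16/28, hosts .17-.30).
! The pool does not have to be on the outside interface's own subnet, but
! the upstream provider must route 203.0.113.16/28 towards this router.
ip nat pool PUBLIC-POOL 203.0.113.17 203.0.113.30 prefix-length 28
!
! Step 5: dynamic one-to-one translation, no overload keyword
ip nat inside source list 10 pool PUBLIC-POOL
!
! Optional: release idle mappings after one hour instead of the
! 86400-second (24 hour) default so the small pool is recycled sooner
ip nat translation timeout 3600
!
! Verify and, if needed, clear the dynamic entries
! Router# show ip nat translations
! Router# show ip nat statistics
! Router# clear ip nat translation *
```

Without the overload keyword each inside host holds a whole public address, so once fourteen hosts have active mappings the fifteenth gets no translation until an entry times out or is cleared; show ip nat statistics reports the pool usage and the number of misses, which is the first thing to check when inside hosts intermittently lose outside connectivity.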


NAT Translation Table

The NAT translation table shows the static and dynamic NAT entries on the router. It can be displayed with the command show ip nat translations.


Static Network Address Translation

Static Network Address Translation translates a local IP address to a global IP address. It is based on a static mapping configured on the router.

There are two types of static NAT: Inside Static NAT and Outside Static NAT.

Inside Static NAT

Inside static NAT maps an inside local address (a private IP address) to an inside global address (a public IP address).

As a result, the private IP addresses are hidden from the outside hosts.

To configure inside static NAT: on the public outside interface, enter the command ip nat outside. On the inside interface, enter the command ip nat inside. Finally, with the physical interfaces set up, configure the translation in global configuration mode with ip nat inside source static <inside-local-address> <inside-global-address>.

The inside-global-address does not need to exist as a physically configured outside address on an interface on the router, but packets destined for that address on the outside must be forwarded towards the router.

When traffic enters a router's inside interface, the router performs a route lookup for the destination to determine the outbound (outside) interface. Because the router knows the traffic arrived on an inside interface, it checks the NAT table for any relevant configuration.

If the packet matches the inside NAT entry configured on the router, the router creates a dynamic inside NAT entry, with the packet's destination recorded as the outside local and outside global addresses.

The source IP address of the packet is changed from the inside local address to the inside global address before it leaves the outside interface.

When the return traffic arrives on the outside interface, the router once again checks the NAT table and matches it to the entry created earlier, reversing the translation.

Outside Static NAT

Outside static NAT maps an outside global IP address to an outside local (private) IP address. It allows external IP addresses to be hidden from inside hosts.

To configure outside static NAT, configure the outside interface with ip nat outside. Next, configure the inside interface with ip nat inside. Finally, configure the translation with the command ip nat outside source static <outside-global-address> <outside-local-address>. There is an optional additional keyword, add-route, which inserts a static route for the outside local address into the routing table.
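Both forms of static NAT on one router, added here as an example that is not part of the original notes; the addresses, interface names and the constructed verification output are assumed:

```cisco
! Added example (not from the original page): inside and outside static NAT
! on the same router. Addresses and interface names are assumed.
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
! Inside static NAT: internal server 10.1.1.50 is reachable from outside as
! 203.0.113.5. That address is not configured on any interface, but it is
! inside the outside subnet, so the provider forwards it to this router.
ip nat inside source static 10.1.1.50 203.0.113.5
!
! Outside static NAT: external host 198.51.100.20 appears to inside hosts as
! 172.16.99.20. add-route installs a static route for 172.16.99.20 so
! inside-originated traffic to that address is routed out Gi0/1 and translated.
ip nat outside source static 198.51.100.20 172.16.99.20 add-route
!
! Verify (constructed sample output; static entries carry no port numbers
! and exist before any traffic flows):
! Router# show ip nat translations
! Pro Inside global     Inside local      Outside local      Outside global
! --- 203.0.113.5       10.1.1.50         ---                ---
! --- ---               ---               172.16.99.20       198.51.100.20
```

An inside static entry makes the internal host permanently reachable from the outside for every protocol and port, which is the opposite of the "private addresses are hidden" property that dynamic NAT gives; an inbound ACL on the outside interface that permits only the services the server is meant to offer is the usual companion to a line like ip nat inside source static.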


Network Address Translation (NAT)

Network Address Translation, NAT, allows an internal IP network (such as those defined in RFC 1918) to appear as a publicly routed network on the internet.

A NAT device such as a firewall or router modifies the source or destination IP address in a packet's header as the packet arrives on an inside or outside interface. Most routers do not translate IP addresses carried within the payload of a packet.

NAT can also be used to translate network addresses in other scenarios. If two separate networks use overlapping private subnet addressing, NAT can translate one side to a unique network address so that a connection can be established.

Terms in NAT

There are four important terms related to Network Address Translation.

Inside Local

The private IP address assigned to a device on the inside network.

Inside Global

The public IP address that represents one or more inside local IP addresses.

Outside Local

The IP address of an outside host as it appears to the inside network. The IP address does not need to be reachable by the outside, but must be reachable by the inside network.

Outside Global

The public IP address assigned to a host on the outside network. The IP address must be reachable by the outside network.

Types of NAT

There are three common types of network address translation.

Static Network Address Translation

Static NAT provides a one-to-one mapping of a local IP address to a global IP address.

Pooled Network Address Translation

Pooled Network Address Translation provides a dynamic one-to-one mapping of a local IP address to a global IP address for a period of time. If the dynamic translation becomes idle, the global IP address returns to a pool of addresses to be reused by the same or another local IP address.

Port Address Translation

Port Address Translation (PAT) provides a many-to-one mapping of multiple local IP addresses to a single global IP address.

The NAT device therefore needs a way to identify which private IP address on the inside a given piece of return traffic from the outside belongs to.

It does this by translating the local IP address and source port to the global IP address and a unique port number for the duration of the session.


Checking GLBP status

The command show glbp, optionally followed by the parameter brief, shows high-level details of the Gateway Load Balancing Protocol configuration and status.


Configuring Gateway Load Balancing Protocol (GLBP)

Under interface configuration mode, define the group and virtual IP address.

glbp <group-id> ip <ip-address>

Preemption is disabled by default for the election of the active virtual gateway. To enable preemption, use the command glbp <group-id> preempt.

GLBP timers can be modified from their defaults (3 seconds hello, 10 seconds hold) with the command glbp <group-id> timers <hello-seconds> <hold-seconds>. GLBP supports millisecond timers too.

Authentication can be defined in GLBP with the command glbp <group-id> authentication, finishing the command with one of the following parameters:

  • text <text-password>
  • md5 key-chain <key-chain-name>
  • md5 key-string <key-string>

Load balancing can be changed from the default round-robin configuration with the command glbp <group-id> load-balancing followed by a choice of:

  • round-robin
  • weighted
  • host-dependent

If the weighted load balancing method is being used, the local router's weight can be set with the command glbp <group-id> weighting <weight>.
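The commands from this section combined into a two-router GLBP group, added here as an example rather than taken from the original notes. The interface, addresses, priorities, weights, key chain name and key string are all assumed; the key string is a placeholder to be replaced:

```cisco
! Added example (not from the original page): GLBP group 1 on two routers
! sharing virtual gateway 192.168.10.1. All values are assumed.
!
! --- Router R1 (intended AVG: higher priority plus preempt) ---
key chain GLBP-KEYS
 key 1
  key-string REPLACE-WITH-STRONG-KEY
!
interface GigabitEthernet0/0
 ip address 192.168.10.2 255.255.255.0
 glbp 1 ip 192.168.10.1
 glbp 1 priority 150
 glbp 1 preempt
 glbp 1 timers 1 3
 glbp 1 authentication md5 key-chain GLBP-KEYS
 glbp 1 load-balancing weighted
 glbp 1 weighting 200
!
! --- Router R2 (default priority 100, gets half the weight of R1) ---
key chain GLBP-KEYS
 key 1
  key-string REPLACE-WITH-STRONG-KEY
!
interface GigabitEthernet0/0
 ip address 192.168.10.3 255.255.255.0
 glbp 1 ip 192.168.10.1
 glbp 1 preempt
 glbp 1 timers 1 3
 glbp 1 authentication md5 key-chain GLBP-KEYS
 glbp 1 load-balancing weighted
 glbp 1 weighting 100
!
! Verify on either router: AVG/AVF roles, virtual MACs and weights
! Router# show glbp brief
! Router# show glbp 1
```

The md5 key-chain form is used here rather than text authentication because a plaintext password is visible to anyone who can capture the hello packets on the segment, and a router that sends a matching hello can join the group; the key chain also lets the key be rotated without a disruptive change to every interface line. Timers, authentication and load-balancing method must agree on all members of the group, which is why both routers carry the same lines.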


Gateway Load Balancing Protocol (GLBP)

Gateway Load Balancing Protocol builds on existing first hop redundancy protocols by providing gateway redundancy with the additional benefit of load balancing.

GLBP is made up of two roles, the active virtual gateway and the active virtual forwarder.

Active Virtual Gateway

All the participating routers in a GLBP group elect one active virtual gateway. The active virtual gateway responds to ARP requests for the virtual IP address within that group on behalf of the active virtual forwarders.

Active Virtual Forwarder

The active virtual forwarder routes traffic that it receives from hosts within the GLBP group. Each active virtual forwarder has a unique virtual MAC address assigned to it by the active virtual gateway. The active virtual gateway will respond with this MAC address and other active virtual forwarder MAC addresses to ARP requests in the GLBP group.

There can be up to four active virtual forwarders, and one active virtual gateway per GLBP group. A router can be a virtual gateway and a virtual forwarder at the same time.

If an active virtual gateway fails, there will be another virtual gateway on standby in the same group ready to take on the role of the active virtual gateway.

If an active virtual forwarder fails, another router in the GLBP group takes on the failed device's virtual MAC address in addition to its own and forwards traffic on its behalf.

Load Balancing

By default GLBP balances traffic between active virtual forwarders in a round-robin fashion. There are three different types of load balancing that Gateway Load Balancing Protocol supports:

Round Robin

Round robin rotates between different virtual forwarder MAC addresses sequentially to load balance traffic.

Weighted

Introduces weights assigned to active virtual forwarders to define the ratio of load balancing between devices. Routers with more bandwidth can be assigned a larger share of the traffic.

Host dependent

The host's MAC address is used to calculate which active virtual forwarder serves that host. Because the calculation is deterministic, a given host always receives the same active virtual forwarder.


Checking status of Virtual Router Redundancy Protocol

To check the status of VRRP, use the command show vrrp, optionally followed by the keyword brief.