Saturday, June 28, 2014

Cisco IP NAT – Extendable Option

Recently at work I ran across a weird static NAT implementation, where it had the “extendable” keyword, and the router had two Internet connections (two public IPs):

ip nat inside source static 10.0.0.1 100.0.0.2 extendable
ip nat inside source static 10.0.0.1 200.0.0.2 extendable

The “extendable” option allows static NAT mappings of one Inside Local address (private address) to multiple Inside Global addresses (public addresses); the keyword “extendable” is added to the end of each mapping statement. [cisco]

This is a good option for reaching one server via two Internet connections: traffic can arrive on either Internet connection, and that connection's public address gets translated to the same private address (the server address), so there is no ambiguity.

As for traffic started by the server with a destination on the Internet, I didn't find very clear information on how the router handles the ambiguity created by the fact that the SERVER address (private address) can be translated to two public addresses.

So in order to answer this question I did some testing, using the topology above.

 

Testing Conclusions

My conclusions were the following:

NAT extendable works great in the following direction:

  • R3->R1 (ISP1 –> SERVER)
  • R4->R1 (ISP2 –> SERVER)

because there isn't any ambiguity.

But in the reverse direction

  • R1->R3 (SERVER –> ISP1)
  • R1->R4 (SERVER –> ISP2)

it depends on the order in which the NAT rules were introduced:

R2-CFG1
ip nat inside source static 10.0.0.1 100.0.0.2 extendable   - R1->R3 - OK
ip nat inside source static 10.0.0.1 200.0.0.2 extendable   - R1->R4 - NOK

or

R2-CFG2
ip nat inside source static 10.0.0.1 200.0.0.2 extendable   - R1->R4 - OK
ip nat inside source static 10.0.0.1 100.0.0.2 extendable   - R1->R3 - NOK

where the first NAT rule introduced is the one that works, despite the running-config always showing the same order:

ip nat inside source static 10.0.0.1 100.0.0.2 extendable 
ip nat inside source static 10.0.0.1 200.0.0.2 extendable

My guess is that this happens because the first rule is considered the main rule and the second rule "extends" it (secondary rule), and when there's ambiguity the router defaults to the main rule.
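To make the observed behaviour concrete, here is a small Python model of the two lookups R2 performs. It is an added example written for this post, not Cisco code and not part of the original post. It keeps the static rules as an ordered list, in the order they were entered, and models what the tests show: inside->outside lookups are keyed by the inside local address and return the first match regardless of destination, while outside->inside lookups are keyed by the exact inside global address. The table of which network each ISP router (R3/R4) can route back to is a constructed assumption that follows the topology above.

```python
"""Ordered-table model of the two static 'extendable' NAT lookups observed on R2
(added example, not Cisco code; ISP route knowledge is constructed for this topology)."""
import re
from ipaddress import ip_address, ip_network

STATIC_NAT_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)(?: extendable)?$")

# Constructed: the one network each ISP router has a route for, per the topology.
ISP_ROUTES = {
    "100.0.0.254": ip_network("100.0.0.0/24"),  # R3 only knows the ISP1 link
    "200.0.0.254": ip_network("200.0.0.0/24"),  # R4 only knows the ISP2 link
}


def parse_static_nat(config_lines):
    """(inside_local, inside_global) pairs in the order the statements were entered."""
    rules = []
    for line in config_lines:
        m = STATIC_NAT_RE.match(line.strip())
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def ambiguous_inside_locals(rules):
    """Inside-local addresses mapped to more than one inside-global: the case 'extendable' allows."""
    groups = {}
    for local, glob in rules:
        groups.setdefault(local, []).append(glob)
    return {local: globs for local, globs in groups.items() if len(globs) > 1}


def translate_outbound(rules, src):
    """Inside->outside: the first rule whose inside-local matches wins, whatever the destination."""
    for local, glob in rules:
        if local == src:
            return glob
    return src  # no rule: the address passes untranslated


def translate_inbound(rules, dst):
    """Outside->inside: keyed by the exact inside-global, so both public addresses resolve."""
    for local, glob in rules:
        if glob == dst:
            return local
    return dst


def ping_succeeds(rules, src, dst):
    """An outbound ping from the server only gets a reply if the translated source lies
    in a network the destination ISP router can route back to."""
    translated = translate_outbound(rules, src)
    return ip_address(translated) in ISP_ROUTES[dst]


def outcome(rules, src="10.0.0.1"):
    """OK/NOK per ISP router for server-originated pings, the post's R1->R3 / R1->R4 table."""
    return {dst: ("OK" if ping_succeeds(rules, src, dst) else "NOK") for dst in ISP_ROUTES}


# The two rules from the post; CFG2 is the same two lines entered in the opposite order.
CFG1 = ["ip nat inside source static 10.0.0.1 100.0.0.2 extendable",
        "ip nat inside source static 10.0.0.1 200.0.0.2 extendable"]
CFG2 = list(reversed(CFG1))

if __name__ == "__main__":
    for name, cfg in (("R2-CFG1", CFG1), ("R2-CFG2", CFG2)):
        rules = parse_static_nat(cfg)
        print(name, "ambiguous:", ambiguous_inside_locals(rules), "outbound:", outcome(rules))
```

Running it prints OK for R3 and NOK for R4 under CFG1 and the reverse under CFG2, while the inbound lookup resolves both public addresses in either case. The `ambiguous_inside_locals` check is the part worth keeping for a config review: the running-config alone cannot tell you which of two extendable rules is the active one, so any inside local address that appears with more than one inside global deserves an outbound test like the one in this post.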

   

Topology and Configuration


R1
==========================
hostname R1

interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 10.0.0.254

line con 0
logging synchronous
line aux 0
line vty 0 4
password cisco
login

R2
===========================
hostname R2

interface FastEthernet0/0
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 100.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 200.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!        
ip nat inside source static 10.0.0.1 100.0.0.2 extendable
ip nat inside source static 10.0.0.1 200.0.0.2 extendable

R3
==========================
hostname R3

interface FastEthernet0/1
ip address 100.0.0.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

R4
==========================
hostname R4

interface FastEthernet0/1
ip address 200.0.0.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

Tests – Part 1

Initial NAT Table on R2
--------------------------------------------------------------
R2#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
--- 100.0.0.2          10.0.0.1           ---                ---
--- 200.0.0.2          10.0.0.1           ---                ---

Trying To Ping R3 and R4 from R1 via NAT on R2
--------------------------------------------------------------
R1#ping 100.0.0.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/21/40 ms

R1#ping 200.0.0.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

NAT Table on R2 after the Pings from R1->R3 / R1->R4
--------------------------------------------------------------
R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 100.0.0.2:30      10.0.0.1:30        100.0.0.254:30     100.0.0.254:30
icmp 100.0.0.2:31      10.0.0.1:31        200.0.0.254:31     200.0.0.254:31
--- 100.0.0.2          10.0.0.1           ---                ---
--- 200.0.0.2          10.0.0.1           ---                ---

The ping to R4 didn't work, and you can see why in the second translation in the NAT table: the "Inside global" is 100.0.0.2 instead of 200.0.0.2, and R4 does not know network 100.0.0.0/24, so it does not reply.

Trying To Ping R1 from R3 and R4 via NAT
--------------------------------------------------------------
R3#ping 100.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/36 ms

R4#ping 200.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/32 ms

As you can see, in this direction things work great.

NAT Table on R2 after the Pings from R3->R1 / R4->R1
--------------------------------------------------------------
R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 100.0.0.2:5       10.0.0.1:5         100.0.0.254:5      100.0.0.254:5
icmp 200.0.0.2:7       10.0.0.1:7         200.0.0.254:7      200.0.0.254:7
--- 100.0.0.2          10.0.0.1           ---                ---
--- 200.0.0.2          10.0.0.1           ---                ---

Trying To Ping R3 and R4 from R1 via NAT on R2 (AGAIN)
----------------------------------------------------------
R1#ping 100.0.0.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/21/40 ms

R1#ping 200.0.0.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This was just to see if the pings from R3->R1 and R4->R1 could somehow influence the pings in the opposite direction, from R1->R3 / R1->R4, but no, the result is the same.

 

Tests – Part 2

R2 Config Change – Change the Order of the NAT Rules
--------------------------------------------------------
no ip nat inside source static 10.0.0.1 100.0.0.2 extendable
no ip nat inside source static 10.0.0.1 200.0.0.2 extendable
ip nat inside source static 10.0.0.1 200.0.0.2 extendable
ip nat inside source static 10.0.0.1 100.0.0.2 extendable

As you will see below, instead of a successful ping from R1->R3 you will see a successful ping from R1->R4, and the running config looks the same before and after this change:

...
ip nat inside source static 10.0.0.1 100.0.0.2 extendable
ip nat inside source static 10.0.0.1 200.0.0.2 extendable
...
   

Initial NAT Table on R2
---------------------------------------------------------------
R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 100.0.0.2          10.0.0.1           ---                ---
--- 200.0.0.2          10.0.0.1           ---                ---

Trying To Ping R3 and R4 from R1 via NAT on R2
--------------------------------------------------------------
R1#ping 100.0.0.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#ping 200.0.0.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/31/60 ms

NAT Table on R2 after the Pings from R1->R3 / R1->R4
---------------------------------------------------------------
R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 200.0.0.2:39      10.0.0.1:39        100.0.0.254:39     100.0.0.254:39
icmp 200.0.0.2:40      10.0.0.1:40        200.0.0.254:40     200.0.0.254:40
--- 200.0.0.2          10.0.0.1           ---                ---
--- 100.0.0.2          10.0.0.1           ---                ---

The ping to R3 didn't work, and you can see why in the first translation in the NAT table: the "Inside global" is 200.0.0.2 instead of 100.0.0.2, and R3 does not know network 200.0.0.0/24, so it does not reply.
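The mistranslation is visible in the table itself, so it can be checked mechanically instead of by eye. The following Python snippet is an added example, not from the post: it parses `show ip nat translations` output and flags dynamic entries whose inside global address does not belong to the network of the outside interface that the outside global address is reached through. The outside interface addresses are the ones from the R2 configuration above; the sample table is constructed from the Part 1 output, and the egress decision is a simple longest-prefix match over those two links (an assumption standing in for R2's real routing table).

```python
"""Audit 'show ip nat translations' output for outbound flows translated to an inside
global address the far-end router cannot route back to (added example; sample table
constructed from this post)."""
from ipaddress import ip_address, ip_interface

# R2's outside interfaces as configured above. A flow leaving on one of these links
# should carry the inside-global address that belongs to that link's network.
OUTSIDE_IFACES = {
    "FastEthernet0/1": ip_interface("100.0.0.1/24"),
    "FastEthernet1/0": ip_interface("200.0.0.1/24"),
}

# Constructed from the Part 1 table after the R1->R3 / R1->R4 pings.
SAMPLE_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 100.0.0.2:30      10.0.0.1:30        100.0.0.254:30     100.0.0.254:30
icmp 100.0.0.2:31      10.0.0.1:31        200.0.0.254:31     200.0.0.254:31
--- 100.0.0.2          10.0.0.1           ---                ---
--- 200.0.0.2          10.0.0.1           ---                ---
"""


def _addr(field):
    """Drop the :port (or ICMP id) suffix; static entries use '---' for unset columns."""
    if field == "---":
        return None
    return ip_address(field.split(":")[0])


def parse_translations(text):
    """One dict per table row, skipping the header, prompts and blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": _addr(ig), "inside_local": _addr(il),
                     "outside_local": _addr(ol), "outside_global": _addr(og)})
    return rows


def egress_for(outside_global):
    """Outside interface a packet to this address leaves on: longest-prefix match over the
    configured outside links (assumption in place of the routing table); None if no link covers it."""
    target = ip_address(outside_global)
    best = None
    for name, iface in OUTSIDE_IFACES.items():
        if target in iface.network:
            if best is None or iface.network.prefixlen > OUTSIDE_IFACES[best].network.prefixlen:
                best = name
    return best


def find_mismatches(rows):
    """Dynamic entries whose inside-global address is not in the egress link's network.
    Such a flow leaves R2 with a source address the far-end router has no route back to."""
    bad = []
    for r in rows:
        if r["proto"] == "---" or r["outside_global"] is None:
            continue  # static skeleton entries have no outside side to compare against
        egress = egress_for(str(r["outside_global"]))
        if egress is None:
            continue
        if r["inside_global"] not in OUTSIDE_IFACES[egress].network:
            bad.append((str(r["inside_global"]), str(r["outside_global"]), egress))
    return bad


if __name__ == "__main__":
    for ig, og, egress in find_mismatches(parse_translations(SAMPLE_TABLE)):
        print(f"flow to {og} leaves via {egress} with inside global {ig}: reply cannot return")
```

On the Part 1 sample this reports exactly the second ICMP entry (inside global 100.0.0.2 towards 200.0.0.254 via FastEthernet1/0); fed the Part 2 table it would report the first entry instead. The same check run against a production `show ip nat translations` dump after a quick outbound probe from the server is the fastest way to learn which of two extendable rules the router is actually applying.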

Trying To Ping R1 from R3 and R4 via NAT
--------------------------------------------------------------
R3#ping 100.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms

R4#ping 200.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/24 ms

NAT Table on R2 after the Pings from R3->R1 / R4->R1
--------------------------------------------------------------
R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 100.0.0.2:6       10.0.0.1:6         100.0.0.254:6      100.0.0.254:6
icmp 200.0.0.2:8       10.0.0.1:8         200.0.0.254:8      200.0.0.254:8
--- 200.0.0.2          10.0.0.1           ---                ---
--- 100.0.0.2          10.0.0.1           ---                ---

Trying To Ping R3 and R4 from R1 via NAT on R2 (AGAIN)
--------------------------------------------------------------
R1#ping 100.0.0.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#ping 200.0.0.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/28

This was just to see if the pings from R3->R1 and R4->R1 could somehow influence the pings in the opposite direction, from R1->R3 and from R1->R4, but no, the result is the same.

As stated in the conclusions above:

  • R1->R3 (SERVER –> ISP1) –– OK in Tests - Part 1
  • R1->R4 (SERVER –> ISP2) –– OK in Tests - Part 2

the order in which the static NAT rules are introduced matters, because only the first rule is used when there is ambiguity.

Links

Tuesday, June 24, 2014

Nano Basics – Linux CLI

Nano Basics

Purpose

This guide was written to cover basic operations in nano, and is meant to be very concise. For more information about nano check out: http://www.nano-editor.org.

Opening and creating files

Opening and creating files is simple in nano, simply type:

root # nano filename

Nano is a modeless editor, so you can start typing immediately to insert text. If you are editing a configuration file like /etc/fstab, use the -w switch to disable wrapping of long lines, as wrapping might render the configuration file unparseable by whatever tools depend on it. For example:

root # nano -w /etc/fstab

Warning

It is very, very important that you use the -w switch when opening a config file. Failure to do so may keep your system from booting or cause other bad things.

Saving and exiting

If you want to save the changes you've made, press Ctrl + O. To exit nano, type Ctrl + X. If you ask nano to exit from a modified file, it will ask you if you want to save it. Just press N in case you don't, or Y in case you do. It will then ask you for a filename. Just type it in and press Enter.

If you accidentally confirmed that you want to save the file but you actually don't, you can always cancel by pressing Ctrl +C when you're prompted for a filename.

Cutting and pasting

To cut a single line, you use Ctrl + K (hold down Ctrl and then press K). The line disappears. To paste it, you simply move the cursor to where you want to paste it and punch Ctrl + U. The line reappears. To move multiple lines, simply cut them with several Ctrl + K in a row, then paste them with a single Ctrl + U. The whole paragraph appears wherever you want it.

If you need a little more fine-grained control, then you have to mark the text. Move the cursor to the beginning of the text you want to cut. Hit Ctrl + 6 (or Alt + A). Now move your cursor to the end of the text you want to cut: the marked text gets highlighted. If you need to cancel your text marking, simply hit Ctrl + 6 again. Press Ctrl + K to cut the marked text. Use Ctrl + U to paste it.

Searching for text

Searching for a string is easy as long as you think "WhereIs" instead of "Search". Simply hit Ctrl + W, type in your search string, and press Enter. To search for the same string again, hit Alt + W.

Note

In nano's help texts the Ctrl key is represented by a caret (^), so Ctrl + W is shown as ^W, and so on. The Alt key is represented by an M (from "Meta"), so Alt + W is shown as M-W.

More options

If you're interested in tweaking nano, be sure to read /etc/nanorc.

Wrap up

That is all! Thanks to kiyose and quazion from #gentoo. Again, for more information about nano check out: http://www.nano-editor.org.

Acknowledgements

We would like to thank the following authors and editors for their contributions to this guide:

  • Sven Vermeulen
  • Sherman Boyd

Taken From: https://wiki.gentoo.org/wiki/Nano/Basics_Guide

Sunday, June 22, 2014

Raspberry Pi on Your PC (Linux or Windows)

QEMU – Emulating Raspberry Pi the easy way (Linux or Windows!)

15APR/12

This page shows how to emulate an ARM1176JZF-S system the quick and easy way.

 

Assumptions

You have:

- QEMU - Linux or Windows. Make sure you have a suitable version (see 'Quick note on QEMU and ARM1176').

- A disk image for your distro of choice

  • Raspbian and Debian should work out of the box; however, Arch Linux requires a few tweaks to work. These will not be explored in this article, as they can only be done in Linux.

- Ability to read and follow instructions carefully

 

Preparing the Environment

- Create and enter the work directory.

- Download the linux kernel:

wget http://xecdesign.com/downloads/linux-qemu/kernel-qemu

- Download and extract the disk image .img file to the working directory.

- All of the instructions will be carried out in this directory.

 

Check that you Have Everything

- Make sure you have kernel-qemu and your disk image files.

- qemu-system-arm -cpu ?

If everything looks right, you should be ready to go.

 

First Boot

- qemu-system-arm -kernel kernel-qemu -cpu arm1176 -m 256 -M versatilepb -no-reboot -serial stdio -append "root=/dev/sda2 panic=1 rootfstype=ext4 rw init=/bin/bash" -hda 2013-09-25-wheezy-raspbian.img

  • Windows users should use qemu-system-armw.exe instead of qemu-system-arm.
  • Make sure you replace '2013-09-25-wheezy-raspbian.img' with the name of your disc image.
  • Do not try to use more than 256 MB of RAM, the value is hard-coded in and QEMU will not work correctly.
  • You should be presented with a minimal shell. From here, you will need to make some modifications before you can boot properly.

- nano /etc/ld.so.preload

- Put a # in front of the first line so that it looks like this:

#/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so

- Press ctrl-x then y then enter to save and exit.

- (Optional) Use steps 2 to 4 above to create a file /etc/udev/rules.d/90-qemu.rules with the following content:

KERNEL=="sda", SYMLINK+="mmcblk0"
KERNEL=="sda?", SYMLINK+="mmcblk0p%n"
KERNEL=="sda2", SYMLINK+="root"

  • The kernel sees the disk as /dev/sda, while a real pi sees /dev/mmcblk0. This will create symlinks to be more consistent with the real pi.

- halt

First (proper) Boot

- qemu-system-arm -kernel kernel-qemu -cpu arm1176 -m 256 -M versatilepb -no-reboot -serial stdio -append "root=/dev/sda2 panic=1 rootfstype=ext4 rw" -hda 2013-09-25-wheezy-raspbian.img

  • This is the same command as before, but without init=/bin/bash.
  • This will take a while, but will be much quicker on subsequent boots.

QEMU running raspbian

That's it, you should see the system starting to boot.
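The two boot commands differ only in the `init=/bin/bash` argument, and the post calls out two things that silently break the setup: more than 256 MB of RAM and a QEMU build without the arm1176 CPU model. The helper below is an added example (not xecdesign's code) that assembles the command line from the post with those checks, parses the `qemu-system-arm -cpu ?` listing, and applies the ld.so.preload edit to a file. It does not run QEMU itself. `disable_preload` assumes you have the guest's root partition mounted on the host and pass the path to its /etc/ld.so.preload; the CPU list in the test is a constructed sample of that command's output.

```python
"""Helper for the boot procedure above (added example, not xecdesign's code). Builds the
qemu-system-arm command with the checks the post calls out and applies the ld.so.preload
fix to a file; it does not launch QEMU."""
import os

MAX_MEM_MB = 256  # the post: the versatilepb model is hard-coded to 256 MB
KERNEL_APPEND = "root=/dev/sda2 panic=1 rootfstype=ext4 rw"


def memory_ok(mem_mb):
    """False for any value the post says QEMU will not work correctly with."""
    return 0 < mem_mb <= MAX_MEM_MB


def build_qemu_cmd(kernel, image, mem_mb=256, init=None, windows=False, check_files=True):
    """Return the qemu-system-arm argv from the post. Raises ValueError above 256 MB and
    FileNotFoundError for a missing kernel or image (when check_files is set)."""
    if not memory_ok(mem_mb):
        raise ValueError(f"-m {mem_mb}: QEMU will not work correctly above {MAX_MEM_MB} MB")
    if check_files:
        for path in (kernel, image):
            if not os.path.isfile(path):
                raise FileNotFoundError(path)
    append = KERNEL_APPEND + (f" init={init}" if init else "")
    binary = "qemu-system-armw.exe" if windows else "qemu-system-arm"  # Windows build name from the post
    return [binary, "-kernel", kernel, "-cpu", "arm1176", "-m", str(mem_mb),
            "-M", "versatilepb", "-no-reboot", "-serial", "stdio",
            "-append", append, "-hda", image]


def cpu_supported(cpu_list_output, cpu="arm1176"):
    """True if the output of 'qemu-system-arm -cpu ?' lists the given CPU model
    (one model name per line, possibly indented)."""
    return any(line.strip() == cpu for line in cpu_list_output.splitlines())


def comment_first_line(text):
    """The /etc/ld.so.preload fix: prefix the first line with '#' unless already commented."""
    lines = text.splitlines(keepends=True)
    if not lines or lines[0].startswith("#"):
        return text
    return "#" + lines[0] + "".join(lines[1:])


def disable_preload(path):
    """Apply comment_first_line to a file on disk, e.g. the guest's /etc/ld.so.preload with
    the image's root partition mounted on the host (assumption). Returns True if changed."""
    with open(path) as f:
        before = f.read()
    after = comment_first_line(before)
    if after != before:
        with open(path, "w") as f:
            f.write(after)
    return after != before


if __name__ == "__main__":
    # First boot (shell only), then the proper boot without init=/bin/bash.
    for init in ("/bin/bash", None):
        print(" ".join(build_qemu_cmd("kernel-qemu", "2013-09-25-wheezy-raspbian.img",
                                      init=init, check_files=False)))
```

Pipe the argv into `subprocess.run` once the files are in place, or just print it and paste it into a terminal as the post does; the value of the helper is that a wrong `-m` or a missing image fails before QEMU starts rather than as a confusing boot hang.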

 

Things to Keep in Mind

  • The disc image will only contain about 200MB of free space (if any at all) for you to play with, so don't expect to be able to install a full system. You can use dd to expand the image and then resize the filesystem manually, but that is not within the scope of this tutorial.
  • You may see a few steps failing while the image boots. That's normal, since QEMU cannot emulate ALL of the hardware exactly. Double check that all the important steps are fine, but in general, this isn't something to worry about.

 

Acknowledgements

kinsa for figuring out the ld.so.preload business. Stevie-O for testing. Mjlally for finding a QEMU build that actually works on windows. v13 for a method to fix up ld.so.preload on windows.

 

For Troubleshooting Check:

http://xecdesign.com/qemu-emulating-raspberry-pi-the-easy-way/

Taken From: http://xecdesign.com/qemu-emulating-raspberry-pi-the-easy-way/