Thursday 29 June 2023

What is Administrative Distance? How to change AD value of OSPF, EIGRP, RIPv2 and BGP?

Administrative Distances

The administrative distance (AD) rates the trustworthiness of routing information a router receives from a neighbor router. It is an integer from 0 to 255, where 0 is the most trusted and 255 means the route is not trusted at all: no traffic will be passed via that route, and it will never be installed in the routing table.


What will happen if our router receives two updates for the same remote network?

The first thing our router does is check the administrative distance (AD). If one of the two updates has a lower AD than the other, our router installs the lower-AD route in the routing table.

Now again, what happens if both advertised updates have the same AD for the same remote network?

In this case, our router finds the best path to the remote network by comparing routing protocol metrics such as hop count or line bandwidth, depending on the routing protocol. The lowest metric wins and our router installs that route in the routing table.

One more time: what if both advertised updates (routes) have the same AD and the same metric? Which route will the router install in its routing table?

The answer is that the router load-balances across both routes to the remote network.


The administrative distance default values

Route source (protocol)                                           Default administrative distance (AD)
Connected interface                                               0
Static route                                                      1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route  5
External Border Gateway Protocol (eBGP)                           20
Internal EIGRP                                                    90
IGRP                                                              100
Open Shortest Path First (OSPF)                                   110
Intermediate System-to-Intermediate System (IS-IS)                115
Routing Information Protocol (RIP)                                120
Exterior Gateway Protocol (EGP)                                   140
On-Demand Routing (ODR)                                           160
External EIGRP                                                    170
Internal BGP (iBGP)                                               200
Unknown*                                                          255

* A route with AD 255 is never installed in the routing table.

If you want to change the default administrative distance value, yes, you can change it. So let's configure the experiment: here we are going to advertise the same remote network with 5 different protocols. Let's see which route the router installs; then we will change the default AD and see what the router does.

(If you are familiar with Internetworks blogs, you know we come straight to the point and like labs. Please visit our YouTube program. Thank you.)



Topology: -


  • configure the topology as per the diagram 
  • assign the IP addresses to their ports as per the topology
  • configure a static route between routers 1-2-7
  • configure EIGRP routing between routers 1-3-7
  • configure OSPF routing between routers 1-4-7 
  • configure RIPv2 routing between routers 1-5-7
  • configure IBGP routing between routers 1-6-7
  • advertise directly connected network
  • now you will see all the routers (R2, R3, R4, R5 and R6) advertising the same network 20.1.1.0 with different administrative distances
  • now ping from PC-1 to PC-2 and see which path router-1 chooses to reach the 20.0.0.0 network.
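The three selection rules above (lowest AD, then lowest metric, then load balancing) together with an AD override, as an added example that is not part of the original post. The candidate routes are constructed to mirror the lab (R2 to R6 all advertise 20.1.1.0/24 to R1); the second prefix, the metric values and the hop R7 are assumptions added to show the tie-breaking rules.

```python
"""Route selection by administrative distance, then metric, then equal-cost
load balancing, with AD overrides. Added example, not from the original post;
the candidate routes are constructed to mirror the lab (R2 to R6 all advertise
20.1.1.0/24 to R1), with a second prefix added to show the metric and
load-balancing rules."""
from dataclasses import dataclass

# Default ADs from the table above (Cisco IOS defaults).
DEFAULT_AD = {
    "connected": 0, "static": 1, "eigrp summary": 5, "ebgp": 20, "eigrp": 90,
    "igrp": 100, "ospf": 110, "is-is": 115, "rip": 120, "egp": 140, "odr": 160,
    "eigrp external": 170, "ibgp": 200, "unknown": 255,
}

@dataclass(frozen=True)
class Candidate:
    prefix: str
    source: str       # key into DEFAULT_AD
    metric: int       # protocol metric: hop count, cost, composite metric...
    next_hop: str

def select_routes(candidates, ad_override=None):
    """{prefix: installed candidates}. Lowest AD wins; equal AD -> lowest
    metric; equal AD and metric -> every such route is kept (load balancing).
    ad_override changes a source's AD, as the 'distance' command does under a
    routing process; AD 255 is never installed."""
    ad = {**DEFAULT_AD, **(ad_override or {})}
    by_prefix = {}
    for c in candidates:
        by_prefix.setdefault(c.prefix, []).append(c)
    installed = {}
    for prefix, cands in by_prefix.items():
        usable = [c for c in cands if ad[c.source] < 255]
        if not usable:
            continue
        best_ad = min(ad[c.source] for c in usable)
        same_ad = [c for c in usable if ad[c.source] == best_ad]
        best_metric = min(c.metric for c in same_ad)
        installed[prefix] = [c for c in same_ad if c.metric == best_metric]
    return installed

def winners(candidates, ad_override=None):
    """Next hops installed per prefix, for a quick view of the decision."""
    return {p: [c.next_hop for c in cs]
            for p, cs in select_routes(candidates, ad_override).items()}

# Constructed: the lab's five advertisements of 20.1.1.0/24, plus 10.0.0.0/8
# learned twice by OSPF at equal cost and once by RIP (assumed values).
LAB = [
    Candidate("20.1.1.0/24", "static", 0, "R2"),
    Candidate("20.1.1.0/24", "eigrp", 2816, "R3"),
    Candidate("20.1.1.0/24", "ospf", 20, "R4"),
    Candidate("20.1.1.0/24", "rip", 2, "R5"),
    Candidate("20.1.1.0/24", "ibgp", 0, "R6"),
    Candidate("10.0.0.0/8", "ospf", 30, "R4"),
    Candidate("10.0.0.0/8", "ospf", 30, "R7"),
    Candidate("10.0.0.0/8", "rip", 1, "R5"),
]

if __name__ == "__main__":
    print(winners(LAB))                     # static via R2 (AD 1); OSPF ECMP via R4 and R7
    print(winners(LAB, {"static": 255}))    # static withdrawn: EIGRP via R3 takes over
    print(winners(LAB, {"static": 255, "eigrp": 255, "ospf": 130}))  # RIP (120) now beats OSPF
```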

Thursday 22 June 2023

What is a Smurf (DDoS) attack? How to configure a Smurf attack?

A Smurf attack is a form of DDoS (distributed denial of service) attack that operates at layer 3. It is named after the DDoS Smurf malware and, more widely, after the cartoon Smurfs, because many small actors working together take down a big target.




A Smurf attack exploits weaknesses in IP and ICMP.






First, the attacker builds a spoofed packet whose source address is set to the targeted victim, and sends it to a destination that is the subnet broadcast address of a network behind a router or firewall. This is also called a directed broadcast. The broadcast delivers the ICMP request to every host address inside that network; more devices mean more requests. Every device that receives the request replies to the victim host with an ICMP packet. The flood of replies overwhelms the victim and results in denial of service to legitimate traffic.




I am assuming you understand the Smurf DDoS attack; now let's configure it, and then we will see how to prevent these attacks.


Topology: -


  • configure the topology as per the diagram
  • assign the IP addresses to the servers and PCs as per the topology
  • assign the IP address of Kali Linux 2-2 as per the topology
  • configure a trunk and allow all VLANs on the switch
  • configure the PC ports as access ports
  • configure static routing between the routers
  • target server-1 from Kali 2-2
  • configure Smurf to attack the victim server with ICMP messages
  • make sure the server is choked up and almost dead


{assign the IP addresses on servers and PCs as per the topology}

SERVER-1> show ip all
NAME       IP/MASK              GATEWAY           MAC                DNS
SERVER-1   192.168.1.20/24      192.168.1.1       00:50:79:66:68:04

SERVER-2> show ip all
NAME       IP/MASK              GATEWAY           MAC                DNS
SERVER-2   192.168.1.21/24      192.168.1.1       00:50:79:66:68:06

SERVER-3> show ip all
NAME       IP/MASK              GATEWAY           MAC                DNS
SERVER-3   192.168.1.22/24      192.168.1.1       00:50:79:66:68:05


PC1> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC1    192.168.1.10/24      192.168.1.1       00:50:79:66:68:00


PC2> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC2    192.168.1.11/24      192.168.1.1       00:50:79:66:68:01


PC3> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC3    192.168.1.12/24      192.168.1.1       00:50:79:66:68:02


PC4> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC4    192.168.1.13/24      192.168.1.1       00:50:79:66:68:03


{assign the IP address Kali Linux 2-2 as per the topology}





{configure trunk and allowed all VLANs on the switch}


SWITCH-1#show interface trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/0       1-4094

Port        Vlans allowed and active in management domain
Gi0/0       1,100,200,300

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/0       1,100,200,300


{configure static routing between routers}


R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

*Jun 22 17:30:44.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0, changed state to up

R1(config)#interface fastethernet 0/0
R1(config-if)#ip addres 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

*Jun 22 17:31:13.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, 


R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

*Jun 22 12:27:58.131: %LINK-3-UPDOWN: Interface Serial4/0, changed state to up
*Jun 22 12:27:59.135: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial4/0,                                                                             
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit


R1(config)#ip route 1.0.0.0 255.0.0.0 1.1.1.2
R1(config)#ip route 192.168.2.0 255.255.255.0 1.1.1.2

R2(config)#ip route 1.0.0.0 255.0.0.0 1.1.1.1
R2(config)#ip route 192.168.1.0 255.255.255.0 1.1.1.1
R2(config)#exit


R2#show ip route static
S    192.168.1.0/24 [1/0] via 1.1.1.1


R1#show ip route static
S    192.168.2.0/24 [1/0] via 1.1.1.2

(Now we ping from the PCs to Kali to make sure the network is working fine)


PC1> ping 192.168.2.25
84 bytes from 192.168.2.25 icmp_seq=1 ttl=62 time=62.669 ms
84 bytes from 192.168.2.25 icmp_seq=2 ttl=62 time=66.405 ms
84 bytes from 192.168.2.25 icmp_seq=3 ttl=62 time=63.907 ms
84 bytes from 192.168.2.25 icmp_seq=4 ttl=62 time=70.719 ms
84 bytes from 192.168.2.25 icmp_seq=5 ttl=62 time=62.990 ms

SERVER-1> ping 192.168.2.25
84 bytes from 192.168.2.25 icmp_seq=1 ttl=62 time=63.265 ms
84 bytes from 192.168.2.25 icmp_seq=2 ttl=62 time=64.596 ms
84 bytes from 192.168.2.25 icmp_seq=3 ttl=62 time=72.530 ms
84 bytes from 192.168.2.25 icmp_seq=4 ttl=62 time=63.830 ms
84 bytes from 192.168.2.25 icmp_seq=5 ttl=62 time=64.962 ms

(AS OF NOW EVERYTHING IS WORKING FINE, NOW WE ARE GOING TO ATTACK OUR VICTIM SERVER-1)






(Now we are going to capture traffic with the help of Wireshark) 




(As you can see from the above output, we are capturing traffic between router-1 and router-2, and router-1 is receiving thousands of ICMP requests. Now capture traffic between the server and the switch)






(Now you will see router-1 sending ICMP requests and our server going down. Let's look at the server)

SERVER-1>
SERVER-1> ping 192.168.1.10
84 bytes from 192.168.1.10 icmp_seq=1 ttl=64 time=25.006 ms
queue is full
queue is full
queue is full
[... "queue is full" repeated 29 times in total ...]
84 bytes from 192.168.1.10 icmp_seq=2 ttl=64 time=5.128 ms
queue is full
queue is full
queue is full
[... "queue is full" repeated 29 times in total ...]
84 bytes from 192.168.1.10 icmp_seq=3 ttl=64 time=10.348 ms
queue is full
queue is full
queue is full
[... "queue is full" repeated 29 times in total ...]
84 bytes from 192.168.1.10 icmp_seq=4 ttl=64 time=7.397 ms
queue is full
queue is full
queue is full
[... "queue is full" repeated 29 times in total ...]
84 bytes from 192.168.1.10 icmp_seq=5 ttl=64 time=6.493 ms
queue is full
queue is full
queue is full
[... "queue is full" repeated 29 times in total ...]

SERVER-1>


(When we try to ping PC1 from the server, the queue is full. Soon our server goes down, choked up)


(Now the question is how to prevent a Smurf attack)


R1(config)#interface serial 4/0
R1(config-if)#no ip broadcast-address
R1(config-if)#ip verify unicast source reachable-via rx allow-default allow-self-ping
R1(config-if)#ip cef
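Detection logic for the two signatures the attack description above gives (echo requests aimed at a directed-broadcast address, and a host answered by many peers it never queried), as an added example that is not part of the original post. The packet records are constructed to stand in for the Wireshark capture; the subnets are the lab's 192.168.1.0/24 and 192.168.2.0/24.

```python
"""Detect the two signatures of a Smurf attack in a packet log: ICMP echo
requests aimed at a directed-broadcast address, and a host receiving echo
replies from many peers it never queried. Added example over constructed
records; not from the original post."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Subnets behind the lab routers (from the post's topology).
LOCAL_SUBNETS = [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")]
ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type values

def directed_broadcast_requests(packets, subnets=LOCAL_SUBNETS):
    """(src, dst) of every echo request whose destination is a subnet
    broadcast address. The src is the would-be victim, not the sender:
    the attacker spoofs it so the amplified replies go there."""
    broadcasts = {n.broadcast_address for n in subnets}
    return [(p["src"], p["dst"]) for p in packets
            if p["type"] == ECHO_REQUEST and ip_address(p["dst"]) in broadcasts]

def unsolicited_reply_fanin(packets, min_sources=5):
    """{receiver: number of distinct hosts that replied without being asked}.
    A legitimate ping has one replier, which the receiver asked directly; a
    Smurf victim is answered by every host on the broadcast segment."""
    asked = defaultdict(set)      # requester -> destinations it sent requests to
    repliers = defaultdict(set)   # receiver  -> sources of echo replies
    for p in packets:
        if p["type"] == ECHO_REQUEST:
            asked[p["src"]].add(p["dst"])
        elif p["type"] == ECHO_REPLY:
            repliers[p["dst"]].add(p["src"])
    flagged = {}
    for receiver, sources in repliers.items():
        unsolicited = sources - asked.get(receiver, set())
        if len(unsolicited) >= min_sources:
            flagged[receiver] = len(unsolicited)
    return flagged

# Constructed capture: one legitimate PC1 -> Kali ping, then a spoofed request
# "from" SERVER-1 to the 192.168.1.0/24 broadcast and the replies it triggers.
PACKETS = [
    {"src": "192.168.1.10", "dst": "192.168.2.25", "type": ECHO_REQUEST},
    {"src": "192.168.2.25", "dst": "192.168.1.10", "type": ECHO_REPLY},
    {"src": "192.168.1.20", "dst": "192.168.1.255", "type": ECHO_REQUEST},
] + [{"src": f"192.168.1.{h}", "dst": "192.168.1.20", "type": ECHO_REPLY}
     for h in (10, 11, 12, 13, 21, 22)]

if __name__ == "__main__":
    print("directed broadcasts:", directed_broadcast_requests(PACKETS))
    print("amplified victims:  ", unsolicited_reply_fanin(PACKETS))
```

On Cisco IOS the interface command that stops a router forwarding such directed broadcasts is `no ip directed-broadcast` (the default since IOS 12.0), while `ip verify unicast source reachable-via rx` as used above drops the spoofed requests at ingress.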

(Now again we try to ping from server to PC)

SERVER-1> ping 192.168.1.10
84 bytes from 192.168.1.10 icmp_seq=1 ttl=64 time=13.014 ms
84 bytes from 192.168.1.10 icmp_seq=2 ttl=64 time=6.296 ms
84 bytes from 192.168.1.10 icmp_seq=3 ttl=64 time=6.508 ms
84 bytes from 192.168.1.10 icmp_seq=4 ttl=64 time=9.503 ms
84 bytes from 192.168.1.10 icmp_seq=5 ttl=64 time=6.806 ms


(As you can see, the server is working fine with no more queue-full messages. One more thing: try to capture traffic between the victim and the switch)







(Now our network is working fine. Thank you so much for reading)
If you like this blog, please visit our YouTube program.


Tuesday 13 June 2023

How to configure MAC address flooding attack? How to prevent MAC flooding attack? | cyber security | ethical hacking


A MAC address flooding attack, or CAM table overflow attack, is a serious concern in network security; it can leave your systems vulnerable to attack.








How does a MAC flooding attack work?

First, the attacker finds a connection point and connects to your switch. Then the attacker floods the switch with frames carrying large numbers of fake source MAC addresses, each of which the switch learns as a MAC-to-port mapping. Switches have a limited amount of memory for this table; when it is full and there is no space left for a new MAC address, the switch acts like a hub and floods frames to all ports. Now the attacker can capture sensitive data from the network.

Now let's configure the MAC address flooding attack and then see how to prevent the overflow attack.





  • configure the topology as per the diagram
  • configure the IP addresses as per the topology
  • configure a static IP address on the KALI machine
  • make sure all the PCs, including KALI, are able to communicate, using the ping command
  • configure Wireshark on the KALI machine for ICMP capture
  • configure the MAC flooding attack with the help of Kali
  • check whether the MAC table on the switch is full of FAKE MAC addresses
  • configure port security on the switch and make sure it will not happen again
  • try the MAC flooding attack again and make sure the switch takes action and shuts down the attacking port

{configure the IP addresses as per the topology}

PC1> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS

PC1    10.1.1.3/8           10.1.1.1          00:50:79:66:68:00

PC2> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS

PC2    10.1.1.4/8           10.1.1.1          00:50:79:66:68:01

PC3> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS

PC3    10.1.1.5/8           10.1.1.1          00:50:79:66:68:02

PC4> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS

PC4    10.1.1.6/8           10.1.1.1          00:50:79:66:68:03

PC5> show ip all

NAME   IP/MASK              GATEWAY           MAC                DNS
PC5    10.1.1.7/8           10.1.1.1          00:50:79:66:68:04


{configuring Kali first bootup}

{now configure a static IP address on KALI MACHINE}

{verify the IP address}

{make sure all the PCs, including KALI, are able to communicate, using the ping command}

PC1> ping 10.1.1.2
84 bytes from 10.1.1.2 icmp_seq=1 ttl=64 time=10.039 ms
84 bytes from 10.1.1.2 icmp_seq=2 ttl=64 time=15.646 ms
84 bytes from 10.1.1.2 icmp_seq=3 ttl=64 time=18.816 ms
84 bytes from 10.1.1.2 icmp_seq=4 ttl=64 time=8.456 ms
84 bytes from 10.1.1.2 icmp_seq=5 ttl=64 time=64.010 ms

PC2> ping 10.1.1.5
84 bytes from 10.1.1.5 icmp_seq=1 ttl=64 time=34.211 ms
84 bytes from 10.1.1.5 icmp_seq=2 ttl=64 time=8.096 ms
84 bytes from 10.1.1.5 icmp_seq=3 ttl=64 time=25.769 ms
84 bytes from 10.1.1.5 icmp_seq=4 ttl=64 time=10.434 ms
84 bytes from 10.1.1.5 icmp_seq=5 ttl=64 time=18.360 ms


PC3> ping 10.1.1.6
84 bytes from 10.1.1.6 icmp_seq=1 ttl=64 time=13.186 ms
84 bytes from 10.1.1.6 icmp_seq=2 ttl=64 time=12.276 ms
84 bytes from 10.1.1.6 icmp_seq=3 ttl=64 time=38.496 ms
84 bytes from 10.1.1.6 icmp_seq=4 ttl=64 time=34.286 ms
84 bytes from 10.1.1.6 icmp_seq=5 ttl=64 time=15.887 ms



PC4> ping 10.1.1.7
84 bytes from 10.1.1.7 icmp_seq=1 ttl=64 time=26.638 ms
84 bytes from 10.1.1.7 icmp_seq=2 ttl=64 time=10.758 ms
84 bytes from 10.1.1.7 icmp_seq=3 ttl=64 time=48.530 ms
84 bytes from 10.1.1.7 icmp_seq=4 ttl=64 time=81.011 ms
84 bytes from 10.1.1.7 icmp_seq=5 ttl=64 time=60.035 ms


PC5> ping 10.1.1.3
84 bytes from 10.1.1.3 icmp_seq=1 ttl=64 time=20.204 ms
84 bytes from 10.1.1.3 icmp_seq=2 ttl=64 time=61.496 ms
84 bytes from 10.1.1.3 icmp_seq=3 ttl=64 time=15.266 ms
84 bytes from 10.1.1.3 icmp_seq=4 ttl=64 time=19.207 ms
84 bytes from 10.1.1.3 icmp_seq=5 ttl=64 time=10.576 ms

{now ping from Kali}

(Now let's take a look at the switch MAC table; we have 6 hosts)


vIOS-L2-01#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    DYNAMIC     Gi0/1
   1    0050.7966.6801    DYNAMIC     Gi0/2
   1    0050.7966.6802    DYNAMIC     Gi0/3
   1    0050.7966.6803    DYNAMIC     Gi1/0
   1    0050.7966.6804    DYNAMIC     Gi1/1
   1    0c67.5676.0000    DYNAMIC     Gi0/0
Total Mac Addresses for this criterion: 6

(As of now everything is working well; now let's configure the MAC flooding attack)
{configure Wireshark on the KALI machine for ICMP capture}


{now configure MAC flooding ATTACK}


(As you can see from the above image, our machine is sending fake MAC addresses continuously; now let's take a look at Wireshark)


{now let's take a look at our switch MAC address table}


(As you can see from the above output, the MAC address table is being filled with FAKE MAC addresses, and they are arriving on Gig 0/0, which is connected to the KALI machine)

  • configure port security on the switch and make sure it will not happen again



vIOS-L2-01(config)#interface gigabitEthernet 0/0
vIOS-L2-01(config-if)#switchport
vIOS-L2-01(config-if)#switchport mode access
vIOS-L2-01(config-if)#switch port-security
vIOS-L2-01(config-if)#switch port-security maximum 2
vIOS-L2-01(config-if)#switchport port-security mac-address sticky
vIOS-L2-01(config-if)#switchport port-security violation shutdown
vIOS-L2-01(config-if)#exit
vIOS-L2-01(config)#exit

vIOS-L2-01#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/0              2            1                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 4096


{try again MAC flooding ATTACK and make sure to switch take action shutdown attacking port}

(Now let's see whether the switch takes action)


*Jun 13 07:36:41.843: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
vIOS-L2-01(config)#
*Jun 13 07:36:41.848: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address bebc.f55f.9ae2 on port GigabitEthernet0/0.
vIOS-L2-01(config)#
*Jun 13 07:36:42.844: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
vIOS-L2-01(config)#
*Jun 13 07:36:43.848: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down

(As you can see, the switch has shut down the violating attacker port. This is how we can prevent MAC flooding attacks)

vIOS-L2-01#show mac  address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 1
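A model of what the lab above shows, as an added example that is not part of the original post and not Cisco IOS code: a switch MAC table that falls back to flooding once it is full, and the same table behind port security with "maximum 2" in protect, restrict and shutdown mode. The port names and PC MAC addresses mirror the lab; the CAM capacity of 8 and the fake MAC pattern are constructed.

```python
"""Model of a switch MAC table under CAM overflow, with and without port
security. Added example: a simplified model, not Cisco IOS code; the port
names and MACs mirror the lab above, the CAM capacity is constructed."""
from dataclasses import dataclass, field

PORTS = {"Gi0/0", "Gi0/1", "Gi0/2", "Gi0/3", "Gi1/0", "Gi1/1"}
PC1, PC2, PC3 = "0050.7966.6800", "0050.7966.6801", "0050.7966.6802"
BCAST = "ffff.ffff.ffff"

@dataclass
class PortSecurity:
    maximum: int                 # switchport port-security maximum N
    violation: str               # protect | restrict | shutdown
    secure: set = field(default_factory=set)   # sticky-learned MACs
    violations: int = 0
    err_disabled: bool = False

class Switch:
    def __init__(self, cam_capacity, ports=PORTS):
        self.cam_capacity, self.ports = cam_capacity, ports
        self.cam = {}        # mac -> port
        self.secured = {}    # port -> PortSecurity

    def secure_port(self, port, maximum, violation):
        self.secured[port] = PortSecurity(maximum, violation)

    def _admit(self, port, src):
        """Port-security check for one ingress frame; False means dropped."""
        ps = self.secured.get(port)
        if ps is None:
            return True
        if ps.err_disabled:
            return False
        if src in ps.secure:
            return True
        if len(ps.secure) < ps.maximum:
            ps.secure.add(src)                     # sticky learning
            return True
        if ps.violation != "protect":              # restrict and shutdown count violations
            ps.violations += 1
        if ps.violation == "shutdown":
            ps.err_disabled = True                 # port goes err-disabled
            for mac in [m for m, p in self.cam.items() if p == port]:
                del self.cam[mac]                  # its learned entries are flushed
        return False

    def receive(self, port, src, dst):
        """Switch one frame; returns the set of egress ports."""
        if not self._admit(port, src):
            return set()
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = port                   # learn/refresh; skipped when table is full
        out = self.cam.get(dst)
        if out is None or out == port:
            return self.ports - {port}             # unknown unicast or broadcast: flood
        return {out}

def cam_overflow_demo(fake_count=50):
    """No port security: the attacker on Gi0/0 fills the CAM, PC3 can no longer
    be learned, and PC1 -> PC3 traffic is flooded to every port, Gi0/0 included."""
    sw = Switch(cam_capacity=8)
    sw.receive("Gi0/1", PC1, BCAST)
    sw.receive("Gi0/2", PC2, BCAST)
    for i in range(fake_count):
        sw.receive("Gi0/0", f"fake.{i:04x}.0000", BCAST)
    sw.receive("Gi0/3", PC3, PC1)
    egress = sw.receive("Gi0/1", PC1, PC3)
    return "Gi0/0" in egress, len(sw.cam)

def port_security_demo(violation="shutdown", fake_count=50):
    """Same flood against Gi0/0 secured with 'maximum 2' and the given violation mode."""
    sw = Switch(cam_capacity=8)
    sw.secure_port("Gi0/0", maximum=2, violation=violation)
    for i in range(fake_count):
        sw.receive("Gi0/0", f"fake.{i:04x}.0000", BCAST)
    sw.receive("Gi0/3", PC3, PC1)
    egress = sw.receive("Gi0/1", PC1, PC3)
    ps = sw.secured["Gi0/0"]
    return {"err_disabled": ps.err_disabled, "violations": ps.violations,
            "attacker_sees_pc_traffic": "Gi0/0" in egress, "cam_entries": len(sw.cam)}
```

The "Protect" shown in the lab's show port-security output and the err-disable in its log are two different outcomes of the same violation: protect only drops the excess frames, shutdown disables the port.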

Thank you so much for visiting; please visit our YouTube video.

Saturday 10 June 2023

How to configure PAT NAT on ASA Firewall?

NAT (Network Address Translation) translates private IP addresses into public IP addresses. NAT changes the source and destination IP addresses and ports. Address translation reduces the need for public IPv4 addresses and also hides private network address ranges. NAT generally operates on a router or firewall. Previously we configured SNAT, DNAT and PAT on a router; now we are going to configure PAT on the ASA firewall.





Port Address Translation (PAT) is also known as dynamic NAT overload. PAT allows thousands of users to access the internet using only one real, globally registered public IP address: it maps many to one by using ports. PAT is the main reason we have not run out of valid IPv4 addresses on the internet. It is cost-effective because a single public IP is used; the port number distinguishes which traffic belongs to which inside host.








let's configure PAT on the ASA firewall:

Topology: -

  • configure the topology as per the diagram 
  • configure the IP addresses as per the topology 
  • configure an access-list permitting ICMP traffic from the lower security level to the higher level
  • apply the access-list to the interfaces
  • configure network object
  • configure PAT statement 

(On ASA)


ciscoasa(config)# int Gig 0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif INSIDE
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# exit

ciscoasa(config)# int Gig 1
ciscoasa(config-if)# no shut
ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# exit

ciscoasa(config)# int Gig 2
ciscoasa(config-if)# no shut
ciscoasa(config-if)# ip address 101.1.1.1 255.255.255.0
ciscoasa(config-if)# nameif OUTSIDE
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# exit

(On router)

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 101.1.1.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastEthernet 1/0
R1(config-if)#ip address 30.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit


ciscoasa# show interface ip brief

Interface                        IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.1.1     YES manual up                    up
GigabitEthernet1           192.168.2.1     YES manual up                    up
GigabitEthernet2           101.1.1.1       YES manual up                    up


(On PC 1)

PC1> ip 192.168.1.10 255.255.255.0 192.168.1.1

Checking for duplicate addresses...

PC1 : 192.168.1.10 255.255.255.0 gateway 192.168.1.1


(On PC2)


PC2> ip 192.168.2.10 255.255.255.0 192.168.2.1

Checking for duplicate addresses...

PC1 : 192.168.2.10 255.255.255.0 gateway 192.168.2.1


(On PC3)

PC3> ip 30.1.1.2 255.0.0.0 30.1.1.1
Checking for duplicate addresses...
PC1 : 30.1.1.2 255.0.0.0 gateway 30.1.1.1


(On ASA)

ciscoasa(config)# access-list traffic_out permit icmp any any
ciscoasa(config)# access-list traffic_dmz permit icmp any any

ciscoasa(config)# access-group traffic_out in interface outside
ciscoasa(config)# access-group traffic_dmz in interface dmz


ciscoasa(config)# object network inside-nat
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# exit

ciscoasa(config)# nat (INSIDE,OUTSIDE) source dynamic inside-nat  interface


ciscoasa(config)#object network dmz-nat
ciscoasa(config-network-object)# subnet 192.168.2.0 255.255.255.0
ciscoasa(config-network-object)# exit

ciscoasa(config)# nat (DMZ,OUTSIDE) source dynamic dmz-nat interface


ciscoasa(config)# object network dmz-nat-pool
ciscoasa(config-network-object)# range 120.1.1.1 120.1.1.10
ciscoasa(config-network-object)# exit

ciscoasa(config)# route OUTSIDE 0.0.0.0 0.0.0.0 101.1.1.2

(Now ping from INSIDE to OUTSIDE and from DMZ to OUTSIDE)

(from PC1)

(From PC 2)

(As you can see, we can ping outside from inside and DMZ)

(from ASA)

ciscoasa# show xlate
10 in use, 15 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from DMZ:192.168.2.10/2689 to OUTSIDE:101.1.1.1/61018 flags ri idle 0:00:02 timeout 0:00:30
ICMP PAT from DMZ:192.168.2.10/2433 to OUTSIDE:101.1.1.1/25249 flags ri idle 0:00:03 timeout 0:00:30
ICMP PAT from DMZ:192.168.2.10/2177 to OUTSIDE:101.1.1.1/28580 flags ri idle 0:00:04 timeout 0:00:30
ICMP PAT from DMZ:192.168.2.10/1921 to OUTSIDE:101.1.1.1/6494 flags ri idle 0:00:05 timeout 0:00:30
ICMP PAT from DMZ:192.168.2.10/1665 to OUTSIDE:101.1.1.1/14856 flags ri idle 0:00:06 timeout 0:00:30
ICMP PAT from INSIDE:192.168.1.10/2177 to OUTSIDE:101.1.1.1/21203 flags ri idle 0:00:05 timeout 0:00:30
ICMP PAT from INSIDE:192.168.1.10/1665 to OUTSIDE:101.1.1.1/1845 flags ri idle 0:00:06 timeout 0:00:30
ICMP PAT from INSIDE:192.168.1.10/1409 to OUTSIDE:101.1.1.1/63559 flags ri idle 0:00:07 timeout 0:00:30
ICMP PAT from INSIDE:192.168.1.10/897 to OUTSIDE:101.1.1.1/56354 flags ri idle 0:00:08 timeout 0:00:30
ICMP PAT from INSIDE:192.168.1.10/385 to OUTSIDE:101.1.1.1/51849 flags ri idle 0:00:08 timeout 0:00:30



ciscoasa# show nat pool
UDP PAT pool INSIDE, address 0.0.0.0, range 1-511, allocated 0
UDP PAT pool INSIDE, address 0.0.0.0, range 512-1023, allocated 0
UDP PAT pool INSIDE, address 0.0.0.0, range 1024-65535, allocated 4
UDP PAT pool DMZ, address 192.168.2.1, range 1-511, allocated 0
UDP PAT pool DMZ, address 192.168.2.1, range 512-1023, allocated 0
UDP PAT pool DMZ, address 192.168.2.1, range 1024-65535, allocated 4
UDP PAT pool OUTSIDE, address 0.0.0.0, range 1-511, allocated 0
UDP PAT pool OUTSIDE, address 0.0.0.0, range 512-1023, allocated 0
UDP PAT pool OUTSIDE, address 0.0.0.0, range 1024-65535, allocated 4
ICMP PAT pool OUTSIDE, address 101.1.1.1, range 1-511, allocated 0
ICMP PAT pool OUTSIDE, address 101.1.1.1, range 512-1023, allocated 0
ICMP PAT pool OUTSIDE, address 101.1.1.1, range 1024-65535, allocated 0
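What the xlate and pool output above show, as an added example that is not part of the original post and not ASA code: a simplified model of dynamic PAT to the interface address, in which many inside (host, port or ICMP id) pairs share 101.1.1.1, the mapped port is drawn from the same range (1-511, 512-1023, 1024-65535) as the original, and replies are translated back through the xlate. The ICMP ids and the random seed are constructed.

```python
"""Model of ASA dynamic PAT to the interface address (nat ... source dynamic
<object> interface): many inside (host, port-or-ICMP-id) pairs share one outside
address, the mapped port stays in the original's range (1-511, 512-1023,
1024-65535, the pools 'show nat pool' lists), and replies are translated back
by the xlate. Added example, a simplified model, not ASA code."""
import random

RANGES = [(1, 511), (512, 1023), (1024, 65535)]

def port_range(port):
    """The PAT pool range a source port belongs to."""
    for lo, hi in RANGES:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port {port} out of range")

class Pat:
    def __init__(self, outside_ip, seed=1):
        self.outside_ip = outside_ip
        self.forward = {}   # (proto, inside_ip, inside_port) -> mapped port
        self.reverse = {}   # (proto, mapped port) -> (inside_ip, inside_port)
        self.rng = random.Random(seed)   # mapped ports are randomised; seeded here

    def _allocate(self, proto, inside_port):
        lo, hi = port_range(inside_port)
        free = [p for p in range(lo, hi + 1) if (proto, p) not in self.reverse]
        if not free:
            raise RuntimeError(f"PAT pool {lo}-{hi} exhausted for {proto}")
        return self.rng.choice(free)

    def outbound(self, proto, inside_ip, inside_port):
        """Translate inside -> OUTSIDE; creates the xlate on first use and
        reuses it afterwards, so one flow keeps one mapped port."""
        key = (proto, inside_ip, inside_port)
        if key not in self.forward:
            mapped = self._allocate(proto, inside_port)
            self.forward[key] = mapped
            self.reverse[(proto, mapped)] = (inside_ip, inside_port)
        return self.outside_ip, self.forward[key]

    def inbound(self, proto, mapped_port):
        """Translate a reply to OUTSIDE:mapped_port back to the inside host.
        None when no xlate exists: unsolicited outside traffic has nowhere to go."""
        return self.reverse.get((proto, mapped_port))

    def show_xlate(self):
        return [f"{proto} PAT from {ip}/{port} to OUTSIDE:{self.outside_ip}/{mapped} flags ri"
                for (proto, ip, port), mapped in self.forward.items()]

def lab_pings():
    """PC1 (INSIDE) and PC2 (DMZ) ping out through 101.1.1.1 with colliding ICMP
    ids (constructed); every reply still reaches the right host. Returns
    (distinct mapped ids, replies routed correctly, unknown reply dropped)."""
    pat = Pat("101.1.1.1")
    flows = [("192.168.1.10", 2177), ("192.168.2.10", 2177), ("192.168.1.10", 1665)]
    mapped = {f: pat.outbound("ICMP", *f)[1] for f in flows}
    replies_ok = all(pat.inbound("ICMP", m) == f for f, m in mapped.items())
    return len(set(mapped.values())), replies_ok, pat.inbound("ICMP", 9) is None

if __name__ == "__main__":
    print(lab_pings())
    for line in Pat("101.1.1.1").show_xlate():
        print(line)
```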


(Thank you so much for visiting; please watch our YouTube videos)

https://youtube.com/@internetworkss




What is Cisco IOS Zone Based Firewall on router? How to configure ZBF on Cisco Routers?

Zone Based Firewall (ZBF) is the stateful firewall available on Cisco IOS routers, introduced in 2006. ZBF supp...