Archive for October, 2010

OSI Model – free iPhone app

October 7, 2010

If you’re studying for your CCNA, or just want to refresh your memory, AND have an iPhone\iPad\iTouch, check out this OSI model app – NOW FREE

Description

The most engaging OSI Model Video e-learning, combining multiple modalities to help you understand the theory behind the OSI Model. Over 31,000 people have viewed these videos, with a rating of 4.7.

The App is broken up into 3 videos:
1. Introduction to the OSI Model
2. Layers 1-3 of the OSI Model
3. Layers 4-7 of the OSI Model.

The videos were created in a high quality production mode, not boring PowerPoints or wipe boards. These videos were created by a Cisco Learning Solutions Partner – Tech 2000 and can be used to help you fulfill your CCENT or CCNA knowledge requirements. The commentator is a Cisco Certified Instructor.

nat-control

October 3, 2010

As I wrote in my last post, I’m working on a PIX to ASA migration.

One of the things that came up when I went through the PIX config was nat-control. What does it do, and should I keep it on the ASA? This post answers some of those questions.

Historically, the PIX required a NAT translation for any traffic flowing from one interface to another. That changed in PIX 7.0, when Cisco added the nat-control command, which lets you configure the PIX\ASA to pass traffic between interfaces without NAT.

How does it work?
Use the nat-control command in global configuration mode to specify whether NAT is required for traffic to reach the outside. When NAT control is enabled, a matching NAT rule is required before any outbound traffic is allowed, which is how PIX software older than 7.0 always behaved. Note that a PIX upgraded from 6.x to 7.0 gets nat-control enabled automatically to keep the old configuration working, while a freshly installed ASA defaults to no nat-control.
When NAT control is disabled (no nat-control), inside hosts can communicate with outside networks without any NAT rule as long as their addresses are routable on the outside; hosts that do need translation are still covered by whatever NAT rules you configure.

This is how it looks in ASDM:

Per Cisco, when nat-control is enabled there are 2 things outbound traffic must satisfy:

  1. Translation method – this can be a static translation with the static command, a dynamic translation with a nat and global pair, or a NAT exemption with nat 0 access-list for hosts that must not be translated.
  2. Access control list (ACL) – if an ACL is applied to the inbound interface, it must permit the source host to reach the destination host on the specific protocol and port. Without an ACL, traffic from a higher- to a lower-security interface is permitted by default.
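To make the first requirement concrete, here is an added example (my own Python, not from the original post and not a Cisco tool) that parses the pre-8.3 nat/global, nat 0 access-list and static statements out of a running-config and reports which hosts on an interface have no translation at all, i.e. which ones nat-control would silently block. The embedded config is constructed for illustration; its interface names, networks and the ACL name NONAT are assumptions, and only the common forms of each statement are parsed.

```python
# Added example: audit pre-8.3 PIX/ASA NAT statements for nat-control coverage.
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample config, not from a real device. Interface names, networks
# and the ACL name NONAT are assumptions made for this example.
SAMPLE_CONFIG = """\
hostname pix-migration-test
nat-control
access-list NONAT extended permit ip 10.1.20.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 10.1.10.0 255.255.255.0
nat (inside) 2 10.1.40.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.1.10.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.20 172.16.0.20 netmask 255.255.255.255
"""

# Only the common forms of each statement are handled.
NAT_EXEMPT_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")


def _net(addr, mask):
    """Turn 'address mask' (or the keyword any) into an IPv4 network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class NatRules:
    nat_control: bool = False                     # True only on an explicit nat-control line
    exempt: list = field(default_factory=list)    # (iface, acl_name) from nat 0 access-list
    statics: list = field(default_factory=list)   # (real_if, mapped_if, mapped_ip, real_net)
    dynamic: list = field(default_factory=list)   # (iface, nat_id, real_net)
    globals_: dict = field(default_factory=dict)  # nat_id -> [(iface, pool_spec)]
    acls: dict = field(default_factory=dict)      # acl_name -> [source networks]


def parse_config(text):
    """Extract the nat-control state and the NAT-related statements."""
    rules = NatRules()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "nat-control":
            rules.nat_control = True
        elif line == "no nat-control":
            rules.nat_control = False
        elif m := NAT_EXEMPT_RE.match(line):        # must be tried before NAT_RE
            rules.exempt.append((m[1], m[2]))
        elif m := NAT_RE.match(line):
            rules.dynamic.append((m[1], int(m[2]), _net(m[3], m[4])))
        elif m := GLOBAL_RE.match(line):
            rules.globals_.setdefault(int(m[2]), []).append((m[1], m[3]))
        elif m := STATIC_RE.match(line):
            rules.statics.append((m[1], m[2], m[3], _net(m[4], m[5])))
        elif m := ACL_RE.match(line):
            rules.acls.setdefault(m[1], []).append(_net(m[2], m[3]))
    return rules


def translation_for(rules, iface, host):
    """Return the statement covering `host` on `iface`, or None if there is none.

    Matching follows the pre-8.3 NAT order: nat 0 exemption first, then static,
    then dynamic nat paired with a global carrying the same id.
    """
    ip = ipaddress.ip_address(host)
    for nat_if, acl in rules.exempt:
        if nat_if == iface and any(ip in n for n in rules.acls.get(acl, [])):
            return f"nat ({iface}) 0 access-list {acl}"
    for real_if, mapped_if, mapped_ip, real_net in rules.statics:
        if real_if == iface and ip in real_net:
            return f"static ({real_if},{mapped_if}) {mapped_ip}"
    for nat_if, nat_id, real_net in rules.dynamic:
        if nat_if == iface and ip in real_net:
            pools = rules.globals_.get(nat_id)
            if not pools:   # a nat statement with no matching global translates nothing
                return None
            g_if, pool = pools[0]
            return f"nat ({iface}) {nat_id} -> global ({g_if}) {nat_id} {pool}"
    return None


def blocked_hosts(config_text, iface, hosts):
    """Hosts whose outbound traffic nat-control would drop; empty when it is off."""
    rules = parse_config(config_text)
    if not rules.nat_control:
        return []
    return [h for h in hosts if translation_for(rules, iface, h) is None]


if __name__ == "__main__":
    hosts = ["10.1.10.10", "10.1.10.50", "10.1.20.5", "10.1.30.5", "10.1.40.5"]
    rules = parse_config(SAMPLE_CONFIG)
    for h in hosts:
        print(f"{h:<12} {translation_for(rules, 'inside', h) or 'NO TRANSLATION'}")
    print("blocked with nat-control:", blocked_hosts(SAMPLE_CONFIG, "inside", hosts))
```

Run it against a show running-config capture from the PIX before the migration: every host in the blocked list either needs a nat/global, static or nat 0 exemption added, or is an argument for running the ASA with no nat-control. Note the nat (inside) 2 statement in the sample: it has no global 2, so hosts in 10.1.40.0/24 are reported as blocked even though a nat line exists for them.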

To check whether nat-control is enabled or disabled, use this simple show command:

show run nat-control

When it is enabled, the output is

nat-control

When it is disabled, it shows

no nat-control

To sum up, PIX 7.0 and later and the ASA do not require NAT for traffic to cross the firewall, and you have the option to disable nat-control. Work out which types of connections pass through your firewall and decide whether nat-control should stay on; since a PIX upgraded from 6.x carries nat-control enabled while a fresh ASA defaults to no nat-control, copying the PIX NAT statements over without checking can leave the two boxes behaving differently. One more caveat: ASA 8.3 removed the nat-control command altogether, so on 8.3 and later traffic passes without a NAT rule and nat 0 exemptions become identity NAT rules in the new syntax. At least up to 8.2 you have the option 😉