Wednesday, May 28, 2008

Rapture ready?

I could make a list of things that we can do as Christians to serve Jesus, but all that ends up being is a list from which to reference different things to choose from. Is that what we need to do to serve God? Eeny meeny miny mo------ this is the area of service to which I will go. That's a bit pragmatic, don't you think? We all have gifts, which oddly enough tend to be cultivated in the lives we live as children of wrath before we repent of our sins and turn to God. Not always, but often.

I am convinced He is using me in these last days before the Rapture to try to plant a seed of hope and curiosity about Him in the hearts of those I meet.

I think that is what it has all come down to. You don’t have to shout from a mountain-top to be heard. You don’t have to put up bill-boards and run full-page ads in the newspaper to make a point. You can just sit down with some of the other regular shmoes you meet each day and tell them about how God is working in your life. What better occupation in which to be engaging when He comes to call you home?


I always ask and talk to someone about the rapture.
He thinks I’m obsessed and probably a little nuts for believing in “the whole Jesus thing”. They smile, not condescendingly, really—patiently, I guess, when I remind them that when the time comes and I disappear they are NOT to take the mark of the beast, just give in and be one of the 144,000 witnesses and accept Christ right away. They think they know better. But if the Rapture happens before I die, and they are there to witness it, all the things I’ve told them will come back and, hopefully, they’ll finally believe—I pray daily that the Rapture will happen while we are in the same room so there can be no doubt.

All this may not seem like much, but I can at least plant the seeds. So can we all—with a friend, an acquaintance, a relative who is not a believer. Who knows who you might be preparing for the Kingdom just by telling them you prayed for them? And my motto has become, “When there’s a delay—it’s time to pray.” Talk about passing the time in traffic! There’s always an endless list of people who need prayer, including me.

I’ll never make a huge impact on the world. But I hope that when I finally get to meet my Father and look Him in the eye I won’t be completely ashamed of my efforts. I want Him to place His hand on my head and smile and tell me I did alright—that I didn’t disappoint Him as I fear that I do. And then I want Him to smile on my husband as he comes marching proudly through the pearly gates and I get to tell him, one last time, “I told you so.” by someone_else

Tuesday, May 13, 2008

NAT



Takeaway: Network address translation (NAT) has become one of the key components of today's corporate networks attached to the Internet. See how to set up and manage NAT using the Cisco Internetwork Operating System.

Network address translation (NAT) is one of those rare information technology buzzwords that does exactly what its name implies. In this case, it translates one network address into another network address. The most popular use for NAT is to connect an internal network to the Internet. The proliferation of hosts that now connect to the Internet is causing a shortage of IP addresses, so NAT is a key tool for connecting corporate networks using private IP addresses to the Internet. Since Cisco provides the bulk of the routers that connect to the Internet, we're going to show you how to set up NAT using the Cisco Internetwork Operating System (IOS).

Understanding NAT
Using NAT to connect to the Internet allows you to:

·Use only one public, registered IP address for Internet access for many thousands of private IP addresses at your site.
·Change Internet service providers (ISPs) easily, without readdressing the majority of hosts on your network.
·Hide the identity of hosts on your local network behind the single public IP address to keep outside hosts from easily targeting them.

The most difficult part of using NAT in the Cisco IOS is getting a handle on these four key terms:

·Inside Local—This is the local IP address of the private host on your network (i.e., your PC’s IP address).
·Inside Global—This is the public, legal, registered IP address that the outside network sees as the IP address of your local host.
·Outside Local—This is the local IP address from the private network, which your local host sees as the IP address of the remote host.
·Outside Global—This is the public, legal, registered IP address of the remote host (i.e., the IP address of the remote Web server that your PC is connecting to).

My first reaction after reading Cisco’s definitions for these terms was nearly total confusion, so don’t feel bad if you feel the same thing. But after seeing a diagram of these terms, it started to click for me. Take a look at Figure A for a logical diagram of these terms.

Figure A

Configuring NAT
To configure the standard NAT scenario I mentioned in the opening paragraph, refer to Figure B and then look at the simple steps that need to be taken if you are using a Cisco router between your local network and the Internet.

Figure B

·Configure your pool of legal, public IP addresses that the router can use to represent your local addresses on the Internet. This pool can contain as few as one or as many addresses as you would like to provide. For a small to medium-size network, one address is typically fine. The syntax is:
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

·Define an access-list to specify what range of IP addresses is allowed to be translated from your local network to the remote network. This is, basically, a security feature asking you, “Who (what range of IP addresses) can use the NAT service?” The syntax is:
access-list access-list-number permit source [source-wildcard]

·Specify that you want a dynamic translation from the source IP address to the pool and that you want to overload the pool address (or addresses). The syntax is:
ip nat inside source list access-list-number pool name overload

·Specify which of the router’s interfaces will be the “inside” address. The syntax for the Ethernet 0 interface is:
int e0
ip nat inside

·Specify which of the router’s interfaces will be the “outside” address. The syntax for the Serial 0 interface is:
int s0
ip nat outside

·Add a static route to your router to send any traffic not destined for your local network to the Internet interface. (In our case, I will use a default route to send traffic out the serial interface.) Here’s the syntax:
ip route 0.0.0.0 0.0.0.0 serial0

Listing A shows the resulting configuration for the router. One way to examine this on your router would be to issue the command show run.

Listing A
int e0
! This is the Ethernet 0 interface on the router, attached to the local network
ip address 10.10.10.10 255.0.0.0
ip nat inside

int s0
! This is the Serial 0 interface on the router, attached to the Internet
ip address 11.11.11.254 255.255.255.128
ip nat outside

ip nat pool mypool 11.11.11.1 11.11.11.127 netmask 255.255.255.128
! Above is the pool of real Internet addresses which will be overloaded

access-list 1 permit 10.0.0.0 0.255.255.255
! Above is the access list that specifies which local addresses can use the NAT service

ip nat inside source list 1 pool mypool overload
! Above is the command that brings all the other configs together; it says to DO IT

ip route 0.0.0.0 0.0.0.0 serial0
! The default route to the Internet
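
The overload translation that Listing A configures can be modelled in a few lines of Python to show how the four address terms and the access list interact. This is an added example, not code from the original article; it uses the first address of mypool as the inside global address, allocates ports sequentially (a simplification of what IOS does), and the packet addresses fed to it are constructed.

```python
import ipaddress

# Values taken from Listing A; packets passed to the model are constructed.
ACL_NET, ACL_WILDCARD = "10.0.0.0", "0.255.255.255"
POOL_FIRST = "11.11.11.1"


def acl_permits(src, net=ACL_NET, wildcard=ACL_WILDCARD):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (
        int(ipaddress.IPv4Address(net)) & care)


class OverloadNat:
    """Toy model of 'ip nat inside source list 1 pool mypool overload'."""

    def __init__(self, inside_global=POOL_FIRST, first_port=1024):
        self.inside_global = inside_global
        self.next_port = first_port
        self.out = {}   # (inside local ip, port, outside ip, port) -> global port
        self.back = {}  # (global port, outside ip, port) -> (inside local ip, port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: rewrite the source to inside global ip:port."""
        if not acl_permits(src_ip):
            return None  # not matched by access-list 1, so not translated
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.inside_global, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: only replies to an existing entry are forwarded."""
        if dst_ip != self.inside_global:
            return None
        inside = self.back.get((dst_port, src_ip, src_port))
        if inside is None:
            return None  # unsolicited packet: no translation entry, dropped
        return (src_ip, src_port, inside[0], inside[1])
```

Two inside hosts using the same source port end up on different ports of the one inside global address, and a packet from an outside host that no inside host contacted finds no entry to translate.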

IPSEC VPN

Setting Up an IPSEC VPN - VPN between a remote site and a corporate office using Cisco routers

The Main office has a 2620 router (called mainrtr) with 3 ethernet interfaces. One interface is used for the internal network (IP address 172.23.10.1/16) and one is used to connect to the Internet through a DSL service (IP address
207.194.10.198/24).

The remote site has a 1751 router
(called remotertr) with 2 ethernet interfaces. One interface
connects to the internal network (IP address 172.25.10.1/16)
and the other connects to the Internet via DSL (IP address
207.194.10.199/24).

Both routers are loaded with the latest
version of the IP plus IPSEC 56 IOS image.


The first step is to set up the IKE (Internet Key Exchange) policies on the routers.
The IKE policy states the kind of encryption and hash to use
and the type of authentication that will be implemented.
The parameters need to be the same at either end of the VPN.

On the central office router:
mainrtr(config)# crypto isakmp policy 1
mainrtr(config-isakmp)# encryption des
mainrtr(config-isakmp)# hash sha
mainrtr(config-isakmp)# authentication pre-share
mainrtr(config-isakmp)# lifetime 86400
mainrtr(config-isakmp)# end

On the remote site router you would use the exact same
commands. Lines 2 and 3 are used to set the encryption and
hash types. DES encryption and SHA hash algorithm are the
defaults, so those lines could be omitted. Line 4 specifies
that the key used is pre-shared, that is, no certificate
authority (CA) is used. Line 5 states how long the SA is
valid for in seconds (in this case an SA is valid for 1 day).

The next step is to set up the keys that are being used.
Since the keys are pre-shared, you just configure them on the
router itself. Using a CA to issue keys is more complex, but
it is also more secure. To set the pre-shared keys, use the
following commands.

On the central office router:

mainrtr(config)# crypto isakmp identity address
mainrtr(config)# crypto isakmp key key123 address 207.194.10.199

On the remote site router:

remotertr(config)# crypto isakmp identity address
remotertr(config)# crypto isakmp key key123 address 207.194.10.198

The first line indicates the ISAKMP identity the router will
use. The address keyword specifies that the IP address will
be used as the name. The second line states that the key to
be used is 'key123', and the identity of the remote peer (in
the case of mainrtr the remote peer is 207.194.10.199, or
remotertr).

Now the actual IPSEC tunnel needs to be set up. This
involves setting up a crypto access list and defining the
transform sets. Once you have the access list and transforms
in place you can configure the IPSEC tunnel mode.

On the central office router:

mainrtr(config)# access-list 110 permit ip host 207.194.10.198 host 207.194.10.199

This configures access list 110 to encrypt all IP traffic
between the two routers. On the remote site router you
would configure the access list as a mirror image of the
one on the central office router.

On the remote site router:

remotertr(config)# access-list 110 permit ip host 207.194.10.199 host 207.194.10.198

To set up the transform set and configure tunnel mode,
use the following commands.

On the central office router:

mainrtr(config)# crypto ipsec transform-set ts1 ah-sha-hmac esp-des
mainrtr(cfg-crypto-trans)# mode tunnel
mainrtr(cfg-crypto-trans)# exit

Line 1 configures the AH transform, the ESP encryption
transform and names the transform set 'ts1'. The same
commands are entered on the remote site router to set up
its transform set. Now a crypto map needs to be created
to define the endpoints of the tunnel.

On the central office router:

mainrtr(config)# crypto map map1 10 ipsec-isakmp
mainrtr(config-crypto-map)# match address 110
mainrtr(config-crypto-map)# set peer 207.194.10.199
mainrtr(config-crypto-map)# set transform-set ts1
mainrtr(config-crypto-map)# exit

The first line defines an IPSEC crypto map called 'map1' and
sets a sequence number of 10. Line 2 applies the access
list we created above to the crypto map. Line 3 defines the
remote peer that can be forwarded IPSEC encrypted traffic,
and line 4 applies the transform set created above to the
crypto map. To set up the crypto map on the remote site
router, you want to set up compatible parameters.

On the remote site router:

remotertr(config)# crypto map map1 10 ipsec-isakmp
remotertr(config-crypto-map)# match address 110
remotertr(config-crypto-map)# set peer 207.194.10.198
remotertr(config-crypto-map)# set transform-set ts1
remotertr(config-crypto-map)# exit

To get it all to work, the crypto map needs to be applied
to an interface on the router.

On the central office router:

mainrtr(config)# interface ethernet 2
mainrtr(config-if)# crypto map map1
mainrtr(config-if)# exit

On the remote site router:

remotertr(config)# interface ethernet 2
remotertr(config-if)# crypto map map1
remotertr(config-if)# exit

You should now have a working IPSEC tunnel between the two
routers. To get traffic to flow between the two networks,
you would need to set up network address translation (NAT)
to resolve the IP addresses of hosts on the internal
network to that of the connected router's external interface.
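
A check to run before deployment for the two requirements stated in the walkthrough, that the IKE parameters match at both ends and that the crypto access lists are mirror images; it also flags the single-DES policy and the short pre-shared key. This is an added example, not part of the original walkthrough: the config text is constructed from the commands shown above, and parse, audit and the 20-character minimum key length are assumptions of this sketch.

```python
import re

# Constructed from the walkthrough's commands (router prompts removed).
MAINRTR = """\
crypto isakmp policy 1
 encryption des
 hash sha
 authentication pre-share
 lifetime 86400
crypto isakmp key key123 address 207.194.10.199
access-list 110 permit ip host 207.194.10.198 host 207.194.10.199
crypto map map1 10 ipsec-isakmp
 set peer 207.194.10.199
"""
# The remote side is the same text with the two peer addresses swapped.
REMOTERTR = (MAINRTR.replace("207.194.10.199", "PEER")
             .replace("207.194.10.198", "207.194.10.199")
             .replace("PEER", "207.194.10.198"))


def parse(cfg):
    """Pull out the settings that have to agree between the two peers."""
    find = lambda pat: re.findall(pat, cfg, re.M)
    return {
        # DES and SHA are the defaults the text mentions, so fill them in.
        "ike": {"encryption": "des", "hash": "sha",
                **dict(find(r"^ (encryption|hash|authentication|lifetime) (.+)$"))},
        "psk": find(r"^crypto isakmp key (\S+) address (\S+)$")[0],
        "acl": find(r"^access-list 110 permit ip host (\S+) host (\S+)$"),
        "peer": find(r"^ set peer (\S+)$")[0],
    }


def audit(cfg_a, cfg_b, min_psk_len=20):
    """Return findings as strings; min_psk_len is an assumed local policy."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    if a["ike"] != b["ike"]:
        out.append("IKE policy parameters differ between peers")
    if a["psk"][0] != b["psk"][0]:
        out.append("pre-shared keys differ")
    if a["acl"] != [(dst, src) for src, dst in b["acl"]]:
        out.append("crypto access lists are not mirror images")
    if a["psk"][1] != a["peer"] or b["psk"][1] != b["peer"]:
        out.append("isakmp key address does not match crypto map peer")
    if "des" in (a["ike"]["encryption"], b["ike"]["encryption"]):
        out.append("IKE encryption is single DES (56-bit key)")
    if len(a["psk"][0]) < min_psk_len:
        out.append("pre-shared key is shorter than %d characters" % min_psk_len)
    return out
```

Run against the configuration as written, the two ends agree with each other, and the remaining findings are the DES policy and the six-character key.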
