Reverse-Tunnel Forwarding

Problem

You want to force all packets to use the tunnel to avoid anti-spoofing ACLs in the network.

Solution

You configure Reverse-Tunnel Forwarding on the Mobile Node so that it requests this feature when it registers with the Foreign Agent:

RouterMobile#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterMobile(config)#ip mobile router
RouterMobile(mobile-router)#reverse-tunnel
RouterMobile(mobile-router)#exit
RouterMobile(config)#end
RouterMobile#


Discussion

When a Mobile Node communicates with another device elsewhere on the network (called the Correspondent Node), the inbound traffic follows a path from the Correspondent Node to the Home Agent, through the tunnel to the Foreign Agent, and from there to the Mobile Node. On the way back from the Mobile Node to the Correspondent Node, the packet goes first to the Foreign Agent, which looks at the destination address and forwards the packet according to its routing table, using the most direct path.

The trouble is that the source IP address in the packet from the Mobile Node to the Correspondent Node doesn't belong to the Foreign Agent router or its network. It is effectively a spoofed source address. Many networks use ACLs that check the source address of each packet and make sure that it arrived on an interface that leads back to the source network. This is good security practice because it helps prevent hackers from deliberately spoofing addresses in packets when launching attacks.

If your network includes this sort of security precaution, you must configure what is called Reverse-Tunnel Forwarding. This simply means that packets from the Mobile Node are sent back through the tunnel to the Home Agent, even if the Foreign Agent has a better route to the destination device. The apparently illegal source address in the packet is then hidden inside the tunnel from any ACLs until it reaches the Home Agent, which is a legitimate router for this source address.
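As an added illustration (not code from the Cisco IOS Cookbook), the following Python model traces one packet from the Mobile Node to the Correspondent Node through an upstream router that applies the interface-based source-address check just described, once without and once with reverse tunneling. The Foreign Agent and Home Agent addresses are the ones in this recipe's show output; the Mobile Node home address, the Correspondent Node address and the upstream router's interface layout are constructed assumptions.

```python
"""Added example (not code from the Cisco IOS Cookbook): a small model of the
two forwarding paths described in the Discussion.  The Foreign Agent (FA)
and Home Agent (HA) addresses are the ones in the recipe's show output; the
Mobile Node home address, the Correspondent Node address and the upstream
router's interface layout are constructed assumptions."""

from dataclasses import dataclass
from typing import Optional
import ipaddress

FA_ADDR = "192.168.110.1"      # Foreign Agent (from the recipe's show output)
HA_ADDR = "192.168.9.1"        # Home Agent (from the recipe's show output)
MN_HOME_ADDR = "192.168.9.10"  # assumed: MN keeps a home address in 192.168.9.0/24
CN_ADDR = "10.1.1.50"          # assumed Correspondent Node


@dataclass
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None   # set when the packet is IP/IP encapsulated


# Assumed upstream router sitting between FA, HA and CN.  Its anti-spoofing
# ACL accepts a packet on an interface only if the source address belongs to
# a prefix that is reached through that same interface.
UPSTREAM_INTERFACE_PREFIXES = {
    "Serial0/0": ["192.168.110.0/24"],  # link toward the Foreign Agent
    "Serial0/1": ["192.168.9.0/24"],    # link toward the Home Agent
    "Ethernet0": ["10.1.1.0/24"],       # link toward the Correspondent Node
}


def anti_spoof_permit(pkt: Packet, ingress_if: str) -> bool:
    """The interface-based source check the Discussion describes."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(p)
               for p in UPSTREAM_INTERFACE_PREFIXES[ingress_if])


def foreign_agent_forward(pkt: Packet, reverse_tunnel: bool) -> Packet:
    """What the FA puts on its Serial0/0 link for a packet received from the MN."""
    if reverse_tunnel:
        # IP/IP encapsulation toward the HA: the outer header carries the FA's
        # own address, so the MN's home address is hidden until the HA decapsulates.
        return Packet(src=FA_ADDR, dst=HA_ADDR, inner=pkt)
    # Default behaviour: forward by the routing table with the MN's address as source.
    return Packet(src=pkt.src, dst=pkt.dst)


def trace_mn_to_cn(reverse_tunnel: bool) -> str:
    """Follow one MN -> CN packet and report where it ends up."""
    wire = foreign_agent_forward(Packet(src=MN_HOME_ADDR, dst=CN_ADDR), reverse_tunnel)

    # Hop 1: FA -> upstream router, arriving on Serial0/0.
    if not anti_spoof_permit(wire, "Serial0/0"):
        return "dropped by anti-spoofing ACL on Serial0/0"

    if wire.inner is not None:
        # The upstream router delivers the outer packet to the HA, which strips
        # the IP/IP header and forwards the inner packet toward the CN.
        wire = wire.inner
        # Hop 2: HA -> upstream router, arriving on Serial0/1, where a source in
        # the home network 192.168.9.0/24 is exactly what the ACL expects.
        if not anti_spoof_permit(wire, "Serial0/1"):
            return "dropped by anti-spoofing ACL on Serial0/1"

    return f"delivered to {wire.dst} with source {wire.src}"


if __name__ == "__main__":
    print("without reverse tunnel:", trace_mn_to_cn(False))
    print("with reverse tunnel:   ", trace_mn_to_cn(True))
```

Without reverse tunneling the packet leaves the Foreign Agent carrying the home address and fails the check on the first upstream interface; with it, the only address visible to the ACL is the Foreign Agent's own, and the home address reappears where it is legitimate, on the Home Agent's side.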

This feature is negotiated when the Mobile Node connects to the network, which is why it is only necessary to configure it on the Mobile Node:

RouterMobile(config)#ip mobile router
RouterMobile(mobile-router)#reverse-tunnel

You can then verify that the Foreign Agent is using Reverse-Tunnel Forwarding with the show ip mobile tunnel command:

RouterForeign#show ip mobile tunnel
Mobile Tunnels:

Tunnel0:
 src 192.168.110.1, dest 192.168.9.1
 encap IP/IP, mode reverse-allowed, tunnel-users 1
 IP MTU 1480 bytes
 Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never
 outbound interface Serial0/0
 FA created, fast switching enabled, ICMP unreachable enabled
 105 packets input, 8462 bytes, 0 drops
 0 packets output, 0 bytes
RouterForeign#
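Reading this output by eye is fine for one router; to check it from a script, here is an added Python parser (not code from the Cisco IOS Cookbook) that reads the output above and reports each tunnel's mode and counters. The sample text is this recipe's own output. Only the value reverse-allowed appears on this page, so the check simply tests whether the mode begins with "reverse".

```python
"""Added example (not code from the Cisco IOS Cookbook): parse the output of
'show ip mobile tunnel' and report whether each tunnel is in a reverse mode.
SAMPLE_OUTPUT is the recipe's own output; only the value 'reverse-allowed'
appears on this page, so the check tests whether the mode starts with 'reverse'."""

import re

SAMPLE_OUTPUT = """Mobile Tunnels:

Tunnel0:
 src 192.168.110.1, dest 192.168.9.1
 encap IP/IP, mode reverse-allowed, tunnel-users 1
 IP MTU 1480 bytes
 Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never
 outbound interface Serial0/0
 FA created, fast switching enabled, ICMP unreachable enabled
 105 packets input, 8462 bytes, 0 drops
 0 packets output, 0 bytes
"""

# One regex per line type we care about; the group names become dict keys.
LINE_PATTERNS = [
    re.compile(r"src (?P<src>\S+), dest (?P<dest>\S+)$"),
    re.compile(r"encap (?P<encap>\S+), mode (?P<mode>\S+), tunnel-users (?P<users>\d+)$"),
    re.compile(r"IP MTU (?P<mtu>\d+) bytes$"),
    re.compile(r"outbound interface (?P<outbound>\S+)$"),
    re.compile(r"(?P<in_pkts>\d+) packets input, (?P<in_bytes>\d+) bytes, (?P<in_drops>\d+) drops$"),
    re.compile(r"(?P<out_pkts>\d+) packets output, (?P<out_bytes>\d+) bytes$"),
]
INT_FIELDS = {"users", "mtu", "in_pkts", "in_bytes", "in_drops", "out_pkts", "out_bytes"}


def parse_mobile_tunnels(text):
    """Return {tunnel_name: {field: value}} for every TunnelN block in the output."""
    tunnels = {}
    current = None
    for raw in text.splitlines():
        header = re.match(r"^(Tunnel\d+):\s*$", raw)
        if header:
            current = header.group(1)
            tunnels[current] = {}
            continue
        if current is None:
            continue  # preamble such as 'Mobile Tunnels:'
        line = raw.strip()
        for pat in LINE_PATTERNS:
            m = pat.match(line)
            if m:
                for key, value in m.groupdict().items():
                    tunnels[current][key] = int(value) if key in INT_FIELDS else value
                break
    return tunnels


def reverse_tunnel_report(tunnels):
    """Map each tunnel to (reverse mode on?, value of its 'packets output' counter).
    A reverse-capable tunnel whose output counter is still zero has not yet
    carried any Mobile Node traffic back toward the Home Agent."""
    return {
        name: (t.get("mode", "").startswith("reverse"), t.get("out_pkts", 0))
        for name, t in tunnels.items()
    }


if __name__ == "__main__":
    report = reverse_tunnel_report(parse_mobile_tunnels(SAMPLE_OUTPUT))
    for name, (reverse_on, sent) in report.items():
        state = "on" if reverse_on else "OFF"
        print(f"{name}: reverse mode {state}, {sent} packets output")
```

Run against the output above, the report shows Tunnel0 with reverse mode on and zero packets output, which is what you would expect on a Foreign Agent that has just accepted the registration and not yet forwarded any Mobile Node traffic through the tunnel.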


See Also

Recipe 24.2; Recipe 24.3; Recipe 24.4

Cisco IOS Cookbook (O'Reilly Cookbooks)
ISBN: 0596527225
Year: 2004
Pages: 505
