Cisco Simplified: Network Address Translation for Dummies
I am not a Cisco Certified Anything, but I’ve occasionally needed to tweak router configurations and/or troubleshoot problems related to monitoring the correct application, on the correct IP address, on the correct port, etc., and I’ve picked up a few basic concepts that anyone managing a web application should know.
The typical configuration these days is to have a router AND a firewall, such as the Cisco Adaptive Security Appliance (ASA), previously known as the PIX. Both devices run the Cisco IOS and may support the same basic commands I will detail below for purposes of setting up network address translation. But you should not be “setting up” anything… you are sitting there with the login information to the router and your new responsibility of keeping it running until the economy improves and you can hire back a network engineer.
The router will have an “outside” network, the public address space for your website. For example, if you ping www.heroix.com, you will see an address like 206.159.134.200. If you were “inside” the company, on the same private network as the web server (or load balancer), you would find the server responding with an address like 10.10.10.200. One of the jobs of the router or firewall is to translate that public address to the private address and to allow only certain traffic (e.g. web browsers loading your pages) to pass.
Changing the router configuration should give you serious pause. Bad things happen:
- You learn the right commands to type and save them in a wiki for copying and pasting. Then, when you go to paste, you somehow copy an errant character. When you paste, one command fails and the screen quickly fills with error messages in the midst of your pasted commands and the configuration of the router becomes “unknown” to you. And the site is now offline.
- You reload the router…remotely. After a few minutes of unsuccessful connection attempts, you end up driving to the data center at 3am and hoping you can figure out how to get to the router from a local server or console app.
- You spend hours troubleshooting your configuration on the firewall… so much time wasted that you can’t remember what the right config is supposed to be. Nothing you do works to make the site publicly accessible. You power-cycle it manually… still nothing. Then you remember that the firewall is connected to a router… power-cycle that and all is well again.
So those are some of the reasons why you need a network engineer around. But as long as you respect the complexity of the situation and don’t stray from the known path, it is useful to understand the basics:
The command line interface of the firewall or router is accessed with an SSH client like PuTTY. After logging in and entering enable (privileged) mode, you can type:
show config
to see the list of commands that make up the configuration. A good network administrator has created names for the various addresses in the configuration to make things easier. First, you should see a mapping for the outside, public IP address of the web server like this:
name 206.159.134.200 ProductionWeb
Further down, there should be a basic assignment of access control rights that references an “object-group”:
access-list outside_in extended permit tcp any host ProductionWeb object-group WEB
The WEB group is defined:
object-group service WEB tcp
 description HTTP
 port-object eq www
 port-object eq https
This permits any source address to send TCP traffic to ProductionWeb on the ports listed in the WEB service group, www and https (80 and 443). Those are standard port names and need no definition in the configuration. So for the public address 206.159.134.200, the only traffic allowed in is on web ports 80 and 443.
The public address for the website is mapped by a static translation to the server’s ip address on the private 10.10.10.x subnet:
static (Inside,outside) ProductionWeb 10.10.10.200 netmask 255.255.255.255
The static defines a 1:1 mapping from ProductionWeb (206.159.134.200) to 10.10.10.200.
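Putting the four kinds of lines together, here is an added example (my own script, not anything from Cisco or this post) that reads a config snippet like the one above and answers the question you actually care about when auditing: for each public address, which private host does it translate to and which TCP ports are reachable from the outside. The sample config is constructed to match the snippets above, and the table of well-known port names is a partial one I assumed for illustration.

```python
import re

# Constructed sample: the same four kinds of lines the post walks through,
# with the object-group written one statement per line as the ASA shows it.
SAMPLE_CONFIG = """
name 206.159.134.200 ProductionWeb
object-group service WEB tcp
 description HTTP
 port-object eq www
 port-object eq https
access-list outside_in extended permit tcp any host ProductionWeb object-group WEB
static (Inside,outside) ProductionWeb 10.10.10.200 netmask 255.255.255.255
"""

# Standard port names accepted without definition (assumed partial table).
WELL_KNOWN = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25}
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) (\S+) host (\S+) object-group (\S+)")

def port_number(token):
    return WELL_KNOWN[token] if token in WELL_KNOWN else int(token)

def parse_asa(config):
    """Collect name aliases, service groups, permit rules and static NAT entries."""
    names, groups, rules, statics = {}, {}, [], {}
    group = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            group = None                      # an unindented line ends a group stanza
        tokens = line.split()
        if tokens[0] == "name":
            names[tokens[2]] = tokens[1]      # alias -> IP
        elif tokens[:2] == ["object-group", "service"]:
            group = tokens[2]
            groups[group] = set()
        elif group and tokens[:2] == ["port-object", "eq"]:
            groups[group].add(port_number(tokens[2]))
        elif tokens[0] == "access-list":
            m = ACL_RE.match(line)
            if m:
                rules.append(m.groups())
        elif tokens[0] == "static":
            statics[tokens[2]] = names.get(tokens[3], tokens[3])  # public -> private
    return names, groups, rules, statics

def exposed_services(config):
    """For each public IP: the private IP it translates to and the permitted TCP ports."""
    names, groups, rules, statics = parse_asa(config)
    exposure = {}
    for _acl, _proto, _src, host, grp in rules:
        entry = exposure.setdefault(names.get(host, host), {"private": statics.get(host), "ports": set()})
        entry["ports"] |= groups.get(grp, set())
    return {ip: {"private": e["private"], "ports": sorted(e["ports"])} for ip, e in exposure.items()}

def unexpected_ports(config, allowed=(80, 443)):
    """Outside-reachable ports that are not on the expected web-port list."""
    return {ip: [p for p in e["ports"] if p not in allowed]
            for ip, e in exposed_services(config).items() if set(e["ports"]) - set(allowed)}
```

Run `unexpected_ports` over the output of `show config` after a change and an empty result means nothing beyond 80 and 443 is exposed; anything else is a port that was opened without you meaning to.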
So what can we do with this? I’ll save that for another post…