EWAN NAT/ACL PT Practice SBA

In this practice Packet Tracer Skills Exam, you are expected to:

· Finish designing the IP addressing scheme.

· Implement the addressing in the network to meet the stated requirements.
· Configure and verify a DHCP server implementation.
· Configure and verify WAN technologies.
· Configure EIGRP to enable communication with the rest of the network.
· Configure NAT to translate addresses for traffic destined to the Internet.
· Implement access control lists as part of a security policy.

Addressing Table

Device Interface Address Subnet Mask Default Gateway

R1 Fa0/0
S0/0/0 172.30.1.1 255.255.255.252 n/a
S0/0/1.101 10.10.10.1 255.255.255.252 n/a

R2 S0/0/0 172.30.1.6 255.255.255.252 n/a

S0/0/1.201 10.10.10.2 255.255.255.252 n/a
S0/1/0 209.165.201.2 255.255.255.252 n/a

R3 Fa0/0 n/a
S0/0/0 172.30.1.2 255.255.255.252 n/a
S0/0/1 172.30.1.5 255.255.255.252 n/a

PC1 NIC

PC3 NIC DHCP Assigned DHCP Assigned DHCP Assigned

NOTE: The password for user EXEC mode is cisco. The password for privileged EXEC mode is
class.
Step 1: Finish the IP Addressing Design and Implementation.
Design an addressing scheme and fill in the Addressing Table based on the following requirements:

a. Subnet the address space 172.16.1.128/25 to provide 50 host addresses for the R3 LAN while
wasting the fewest addresses.

b. Assign the first available subnet to the R3 LAN.

c. Assign the first (lowest) address in this subnet to the Fa0/0 interface on R3.

d. Subnet the remaining address space to provide 30 host addresses for the R1 LAN while
wasting the fewest addresses.

e. Assign the next available subnet to the R1 LAN.

f. Assign the first (lowest) address in this subnet to the Fa0/0 interface on R1.

g. Assign the last (highest) host address in this subnet to PC1.

h. Finish the IP addressing configuration:

· Configure R1 and R3 LAN interfaces with IP addressing.

· Configure PC1 with IP addressing. PC3 will get its address from the DHCP server on R3 in
the next step.

Step 2: Configure and Verify R3 as the DHCP Server.

a. Configure R3 as the DHCP server for the LAN attached to Fa0/0 using the following
guidelines:

· Use the case-sensitive DHCP pool name of R3_LAN.

· Exclude the first three host addresses in the subnet.

b. Verify that PC3 now has full IP addressing. It may be necessary to toggle between “Static”
and “DHCP” on the IP Configuration screen for PC3 before PC3 will send a DHCP request. PC3
should be able to ping the default gateway.

Step 3: Configure WAN Technologies.

a. The link between R3 and R2 uses PPP with CHAP. The password is ciscochap. Verify that
R3 and R2 can ping each other.

b. The link between R3 and R1 uses HDLC. R3 should be able to ping the other side of the link.
Verify that R3 and R1 can ping each other.

c. The link between R1 and R2 uses point-to-point Frame Relay subinterfaces. Verify that R1
and R2 can ping each other.

Step 4: Configure and Verify EIGRP Routing.

a. Configure EIGRP routing on R1, R2, and R3.

· Use AS number 100.

· Do not use the wildcard mask argument.

· Do not advertise the network between R2 and the Internet.

b. Configure R2 with a default route using the outbound interface argument. Use one command
to propagate the default route into the EIGRP routing process.

c. Verify PC1 and PC3 can ping each other as well as R1, R2 and R3. You will not be able to
ping Internet hosts yet.

Step 5: Configure R2 with a NAT.

a. Configure NAT on R2 using the following guidelines:

· Only addresses in the 172.16.1.128/25 address space will be translated.

· Use the number 1 for the access list.

· Configure PAT on the R2 S0/1/0 interface.

b. Verify that PC1 and PC3 can ping the Internet hosts.

Step 6: Configure Access Control Lists to Satisfy a Security Policy.

a. Configure and apply an ACL with the number 50 that implements the following policy:

· Deny any host from the R3 LAN from accessing hosts on the R1 LAN.

· Hosts on the R3 LAN should be able to ping any other destination.

b. Verify that ACL 50 is operating as intended.

c. Configure and apply a named ACL with the case-sensitive name FIREWALL that
implements the following policy:

· Deny ping requests sourced from the Internet.

· Deny Telnet and HTTP traffic sourced from the Internet.

· Allow all other traffic.

d. Verify the FIREWALL ACL is operating as intended.

SOLUTION
IP pool received 172.16.1.128 /25
Address calculation for R3
Network 172.16.1.128 /26
FA00 172.16.1.129 255.255.255.192

Address calculation for R1

Network 172.16.1.192 /27
FA00 172.16.1.193 255.255.255.224
PC1 172.16.1.222 255.255.255.224
R1#sh run
Building configuration...

Current configuration : 1309 bytes

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
!
!
!
!
!
!
ip ssh version 1
ip name-server 0.0.0.0
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.1.193 255.255.255.224
ip access-group 50 out
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 172.30.1.1 255.255.255.252
clock rate 2000000
!
interface Serial0/0/1
no ip address
encapsulation frame-relay
!
interface Serial0/0/1.101 point-to-point
ip address 10.10.10.1 255.255.255.252
frame-relay interface-dlci 101
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
passive-interface FastEthernet0/0
network 172.16.0.0
network 172.30.0.0
network 10.0.0.0
no auto-summary
!
ip classless
!
!
access-list 50 deny 172.16.1.128 0.0.0.63
access-list 50 permit any
!
banner motd ^CAuthorized Access Only!^C
!
!
!
!
logging trap debugging
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
line vty 5 15
exec-timeout 0 0
password cisco
logging synchronous
login
!
!
ntp update-calendar
!
end

R2#sh run
Building configuration...

Current configuration : 1718 bytes

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
!
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
!
!
!
username R3 password 0 ciscochap
!
!
!
!
!
ip ssh version 1
ip name-server 0.0.0.0
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 172.30.1.6 255.255.255.252
encapsulation ppp
ppp authentication chap
ip nat inside
!
interface Serial0/0/1
no ip address
encapsulation frame-relay
!
interface Serial0/0/1.201 point-to-point
ip address 10.10.10.2 255.255.255.252
frame-relay interface-dlci 201
ip nat inside
!
interface Serial0/1/0
ip address 209.165.201.2 255.255.255.252
ip access-group FIREWALL in
ip nat outside
!
interface Serial0/1/1
 no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
redistribute static
passive-interface Serial0/1/0
network 172.30.0.0
network 10.0.0.0
no auto-summary
!
ip nat inside source list 1 interface Serial0/1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
!
access-list 1 permit 172.16.1.128 0.0.0.127
ip access-list extended FIREWALL
deny icmp any any echo
deny tcp any any eq telnet
deny tcp any any eq www
permit ip any any
!
banner motd ^CAuthorized Access Only!^C
!
!
!
!
logging trap debugging
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
line vty 5 15
exec-timeout 0 0
password cisco
logging synchronous
login
!
!
ntp update-calendar
!
End

R3#sh run
Building configuration...
Current configuration : 1299 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R3
!
!
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
ip dhcp excluded-address 172.16.1.129 172.16.1.131
!
ip dhcp pool R3_LAN
network 172.16.1.128 255.255.255.192
default-router 172.16.1.129
!
!
!
username R2 password 0 ciscochap
!
!
!
!
!
ip ssh version 1
ip name-server 0.0.0.0
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.1.129 255.255.255.192
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 172.30.1.2 255.255.255.252
!
interface Serial0/0/1
ip address 172.30.1.5 255.255.255.252
encapsulation ppp
ppp authentication chap
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
passive-interface FastEthernet0/0
network 172.16.0.0
network 172.30.0.0
no auto-summary
!
ip classless
!
!
!
banner motd ^CAuthorized Access Only!^C
!
!
!
!
logging trap debugging
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
line vty 5 15
exec-timeout 0 0
password cisco
logging synchronous
login
!
!
ntp update-calendar
!
end