
CHAROTAR UNIVERSITY OF SCIENCE & TECHNOLOGY

FACULTY OF TECHNOLOGY AND ENGINEERING


Smt. K. D. Patel Department of Information Technology

Subject Name: Computer Networks Semester: V


Subject Code: IT344 A.Y.: 2019-20
Lab Manual
1 Study of basic network commands and network configuration commands.
1) ping :
 Sends ICMP echo requests to an IP address (or host name) and reports whether replies come back, so it verifies that the device with that IP address is reachable from this PC and shows the round-trip time
 Helps in locating problems on the network and in confirming that they have been resolved

2) tracert :
 Shows the path a packet takes to its destination, listing each router (hop) along the way and the round-trip time to each hop, so the number of hops required to reach the destination can be seen

3) ipconfig :
 Displays the network settings currently assigned to any or all of the network adapters in the machine
 Commonly used to verify the network connection and the network settings; ipconfig /all also shows the adapter's MAC address and the DHCP and DNS servers in use

4) pathping :
 Provides information about network latency and network loss at intermediate hops between source and destination
 Calculates packet loss at every intermediate router
 It sends ICMP (Internet Control Message Protocol) echo requests to each hop over a period of time and analyzes the results

5) nslookup :
 Queries DNS servers and displays information that can be used to diagnose DNS infrastructure, such as the address a name resolves to and which server answered

6) netstat :
 Displays active TCP connections
 Ports on which the computer is listening
 Ethernet statistics
 IP routing table
 IPv4 statistics
 IPv6 statistics
Prepared By: Sandip Patel, Nehal Patel

7) arp (Address Resolution Protocol) :
 Displays, adds, and removes entries in the local ARP cache, which maps IP addresses to MAC addresses on the directly connected network
arp -a
 Displays the current ARP entries by interrogating the current protocol data

2 Performing an Initial Switch Configuration


Objectives

Perform an initial configuration of a Cisco Catalyst 2960 switch.

Background / Preparation

Note: Not all commands are graded by Packet Tracer.

Step 1: Configure the switch host name.

a. From the Customer PC, use a console cable and terminal emulation software to connect to the console of the customer Cisco Catalyst 2960 switch.

b. Set the host name on the switch to CustomerSwitch using these commands.

Switch>enable

Switch#configure terminal

Switch(config)#hostname CustomerSwitch
Step 2: Configure the privileged mode password and secret.

a. From global configuration mode, configure the enable password as cisco.

CustomerSwitch(config)#enable password cisco

b. From global configuration mode, configure the enable secret as cisco123.

CustomerSwitch(config)#enable secret cisco123

Note: When both are configured, the switch uses the enable secret and ignores the enable password. The enable password is stored in the running configuration as typed (or, with service password-encryption, as a reversible type 7 string), whereas the enable secret is stored as a hash. On a production switch configure only enable secret.
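The difference between the two commands in Step 2 matters more than the activity lets on. The following is an added example, not from the lab manual, showing why: the type 7 encoding that service password-encryption applies to enable password and line passwords is an XOR against a fixed key built into IOS and can be reversed by anyone who can read the configuration, whereas enable secret is stored as a salted hash. The key bytes are the ones IOS uses; 0822455D0A16 is the commonly cited type 7 form of the password cisco; storage_type expects lines as they appear in show running-config.

```python
"""Decode a Cisco IOS type 7 password, to show why `enable password` (even
with `service password-encryption`) is not a substitute for `enable secret`.

Added example, not from the lab manual. The transform is the well-known
fixed-key XOR; 0822455D0A16 is the standard published test value ("cisco").
"""

# Fixed key baked into IOS; every type 7 string is XORed against it.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: 2-digit decimal seed, then hex byte pairs."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type 7 strings are a 2-digit seed followed by hex pairs")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(
        b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body)
    )
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 8) -> str:
    """Forward direction, to show the transform is symmetric and keyless."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    data = plain.encode("ascii")
    out = bytes(
        b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data)
    )
    return f"{seed:02d}{out.hex().upper()}"


def storage_type(config_line: str) -> str:
    """Classify a password line as it appears in `show running-config`.

    'enable secret' lines show up with type 5 (MD5-crypt), 8 (PBKDF2) or
    9 (scrypt); 'service password-encryption' produces type 7; anything
    else is the password as typed.
    """
    parts = config_line.split()
    for i, token in enumerate(parts):
        if token in ("password", "secret") and i + 1 < len(parts):
            marker = parts[i + 1]
            if marker in ("5", "8", "9") and i + 2 < len(parts):
                return "hashed"
            if marker == "7" and i + 2 < len(parts):
                return "reversible"
            return "cleartext"
    raise ValueError("no password or secret keyword in line")


if __name__ == "__main__":
    print(decode_type7("0822455D0A16"))  # cisco
    print(encode_type7("cisco"))         # 0822455D0A16
    for line in ("enable password cisco",
                 "enable password 7 0822455D0A16",
                 "enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0"):
        print(f"{storage_type(line):10} {line}")
```

The same applies to the console and vty passwords set in Steps 3 and 4: a line password is stored either as typed or as type 7. Anyone with read access to the configuration (a backup file, a TFTP server, a show run over a shoulder) has those passwords.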

Step 3: Configure the console password.

a. From global configuration mode, switch to configuration mode to configure the console line.

CustomerSwitch(config)#line console 0

b. From line configuration mode, set the password to cisco and require the password to be entered at login.

CustomerSwitch(config-line)#password cisco

CustomerSwitch(config-line)#login

CustomerSwitch(config-line)#exit

Step 4: Configure the vty password.

a. From global configuration mode, switch to the configuration mode for the vty lines 0 through 15.

CustomerSwitch(config)#line vty 0 15

b. From line configuration mode, set the password to cisco and require the password to be entered at login.

CustomerSwitch(config-line)#password cisco

CustomerSwitch(config-line)#login

CustomerSwitch(config-line)#exit

Step 5: Configure an IP address on interface VLAN1.

From global configuration mode, switch to interface configuration mode for VLAN1, and assign the IP address 192.168.1.5 with the subnet mask of 255.255.255.0.


CustomerSwitch(config)#interface vlan 1

CustomerSwitch(config-if)#ip address 192.168.1.5 255.255.255.0

CustomerSwitch(config-if)#no shutdown

CustomerSwitch(config-if)#exit

Step 6: Configure the default gateway.

a. From global configuration mode, assign the default gateway to 192.168.1.1.

CustomerSwitch(config)#ip default-gateway 192.168.1.1

b. Click the Check Results button at the bottom of this instruction window to check your work.

Step 7: Verify the configuration.

The Customer Switch should now be able to ping the ISP Server at 209.165.201.10. The first one or two pings may fail while ARP resolves the MAC address of the next hop.

CustomerSwitch(config)#end

CustomerSwitch#ping 209.165.201.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 209.165.201.10, timeout is 2 seconds:

..!!!

Success rate is 60 percent (3/5), round-trip min/avg/max = 181/189/197 ms

CustomerSwitch#

Reflection

a. What is the significance of assigning the IP address to the VLAN1 interface instead of any of the Fast Ethernet interfaces?

b. What command is necessary to enforce password authentication on the console and vty lines?

c. How many gigabit ports are available on the Cisco Catalyst 2960 switch that you used in the activity?

3 Routing: Static vs Dynamic (RIP, OSPF)

Objectives

Configure RIP on each router, configure the end devices, and verify the RIP configuration.

Background / Preparation

A simple routed network has been set up to assist in reviewing RIP routing behavior. In this activity, you will configure RIP across the network and set up end devices to communicate on the network.

Step 1: Configure the SVC01 router and enable RIP.

a. From the CLI, configure interface Fast Ethernet 0/0 using the IP address 10.0.0.254 /8.

b. Configure interface serial 0/0/0 using the first usable IP address in network 192.168.1.0 /24 to connect to the RTR01 router. Set the clock rate at 64000.

c. Configure interface serial 0/0/1 using the first usable IP address in network 192.168.2.0 /24 with a clock rate of 64000.

d. Using the no shutdown command, enable the configured interfaces.

e. Configure RIP to advertise the networks for the configured interfaces.

f. Configure the end devices.

i. Server0 uses the first usable IP address in network 10.0.0.0 /8. Specify the appropriate default gateway and subnet mask.

ii. Printer0 uses the second usable IP address in network 10.0.0.0 /8. Specify the appropriate default gateway and subnet mask.

Step 2: Configure the RTR01 router and enable RIP.

a. Configure interface Fast Ethernet 0/0 using the first usable IP address in network 192.168.0.0 /24 to connect to the RTR02 router.

b. Configure interface serial 0/0/0 using the second usable IP address in network 192.168.1.0 /24 to connect to the SVC01 router.

c. Configure interface Fast Ethernet 0/1 using the IP address 172.16.254.254 /16.

d. Using the no shutdown command, enable the configured interfaces.

e. Configure RIP to advertise the networks for the configured interfaces.

f. Configure the end devices.

i. PC0 uses the first usable IP address in network 172.16.0.0 /16.

ii. PC1 uses the second usable IP address in network 172.16.0.0 /16.

iii. Specify the appropriate default gateway and subnet mask on each PC.
Step 3: Configure the RTR02 router and enable RIP.

a. Configure interface Fast Ethernet 0/0 using the second usable IP address in network 192.168.0.0 /24 to connect to the RTR01 router.

b. Configure interface serial 0/0/0 using the second usable IP address in network 192.168.2.0 /24 to connect to the SVC01 router.

c. Configure interface Fast Ethernet 0/1 using the IP address 172.17.254.254 /16.

d. Using the no shutdown command, enable the configured interfaces.

e. Configure RIP to advertise the networks for the configured interfaces.

f. Configure the end devices.

i. PC2 uses the first usable IP address in network 172.17.0.0 /16.

ii. PC3 uses the second usable IP address in network 172.17.0.0 /16.

iii. Specify the appropriate default gateway and subnet mask on each PC.

Step 4: Verify the RIP configuration on each router.

a. At the command prompt for each router, issue the commands show ip protocols and show ip route to verify that RIP routing has fully converged. The show ip protocols command displays the networks the router is advertising and the addresses of the other RIP routing neighbors. The show ip route output displays all routes known to the local router, including the RIP routes, which are indicated by an "R".

b. Every device should now be able to successfully ping any other device in this activity.

c. Click the Check Results button at the bottom of this instruction window to check your work.
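A small simulation of what Steps 1 to 4 build, added here as an example; it is not part of the lab manual. It runs RIP's distance-vector exchange (hop-count metric, 16 as infinity, split horizon) between the three routers and their directly connected networks from the activity until the tables stop changing, which is the state show ip route reflects once RIP has converged. It then attaches a host, named Rogue here as an assumption, to the 172.16.0.0/16 LAN and lets it advertise a made-up prefix 172.20.0.0/16, to show that with RIPv1 as configured in this activity every router installs it; the trusted parameter models what RIPv2 MD5 authentication (or an inbound distribute-list) achieves.

```python
"""Distance-vector (RIP) convergence on the lab topology, plus what an
unauthenticated update from a host on a LAN segment does to it.

Added example, not from the lab manual. Router names, prefixes and the
neighbour pairs come from Steps 1-3; the Rogue host and its prefix
172.20.0.0/16 are assumptions made for the demonstration.
"""
INFINITY = 16  # RIP hop-count limit; 16 means unreachable

# Directly connected networks per router (Steps 1-3 of the activity).
CONNECTED = {
    "SVC01": ["10.0.0.0/8", "192.168.1.0/24", "192.168.2.0/24"],
    "RTR01": ["192.168.0.0/24", "192.168.1.0/24", "172.16.0.0/16"],
    "RTR02": ["192.168.0.0/24", "192.168.2.0/24", "172.17.0.0/16"],
}

# Who exchanges RIP updates with whom (the shared segments above).
NEIGHBOURS = {
    "SVC01": ["RTR01", "RTR02"],
    "RTR01": ["SVC01", "RTR02"],
    "RTR02": ["SVC01", "RTR01"],
}


def converge(connected, neighbours, trusted=None, max_rounds=32):
    """Run synchronous RIP update rounds until no table changes.

    tables[r] maps prefix -> (metric, next_hop); connected routes have
    metric 0 and next_hop None. `trusted`, if given, maps a router to the
    neighbours whose updates it accepts (what RIPv2 MD5 authentication
    buys you); without it every neighbour is believed, as in RIPv1.
    """
    tables = {r: {p: (0, None) for p in nets} for r, nets in connected.items()}
    for _ in range(max_rounds):
        changed = False
        snapshot = {r: dict(t) for r, t in tables.items()}  # previous round
        for r, peers in neighbours.items():
            for n in peers:
                if trusted is not None and n not in trusted.get(r, ()):
                    continue  # update fails authentication, ignore it
                for prefix, (metric, via) in snapshot.get(n, {}).items():
                    if via == r:
                        continue  # split horizon: n learned it from us
                    cand = min(metric + 1, INFINITY)
                    cur = tables[r].get(prefix)
                    if cand < INFINITY and (cur is None or cand < cur[0]):
                        tables[r][prefix] = (cand, n)
                        changed = True
        if not changed:
            break
    return tables


def route_lines(table):
    """Render one table the way `show ip route` summarises it (C / R codes)."""
    lines = []
    for prefix, (metric, via) in sorted(table.items()):
        if via is None:
            lines.append(f"C {prefix} is directly connected")
        else:
            lines.append(f"R {prefix} [120/{metric}] via {via}")
    return lines


def with_rogue(trusted):
    """Same topology plus a host on PC0's LAN advertising a bogus prefix."""
    connected = dict(CONNECTED)
    connected["Rogue"] = ["172.16.0.0/16", "172.20.0.0/16"]  # assumption
    neighbours = {r: list(p) for r, p in NEIGHBOURS.items()}
    neighbours["RTR01"].append("Rogue")   # it shares RTR01's Fa0/1 segment
    neighbours["Rogue"] = ["RTR01"]
    return converge(connected, neighbours, trusted=trusted)


if __name__ == "__main__":
    for router, table in converge(CONNECTED, NEIGHBOURS).items():
        print(router)
        for line in route_lines(table):
            print("  " + line)
    print("RIPv1, rogue believed:", route_lines(with_rogue(None)["SVC01"])[-1])
    print("authenticated peers only:",
          "172.20.0.0/16" in with_rogue(NEIGHBOURS)["SVC01"])
```

Note that the IOS passive-interface command stops a router from sending updates on an interface but does not stop it from accepting updates received there, so passive-interface on Fa0/1 of RTR01 alone would not block the Rogue advertisement; RIPv2 authentication or an inbound distribute-list is needed. RIPv1, as configured in this activity, has no authentication at all.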

4 Configuring WEP on a Wireless Router

Objectives

Configure WEP security on a Linksys wireless router and on a wireless workstation, and verify the wireless connection.

Background / Preparation
You have been asked to go back to a business customer and install a new Linksys wireless router for the customer office. The company has some new personnel who will be using wireless computers to save money on adding additional wired connections to the building. The business is concerned about the security of the network because they have financial and highly classified data being transmitted over the network. Your job is to configure the security on the router to protect the data.
In this activity, you will configure WEP security on both a Linksys wireless router and a workstation. Note: WEP is used here as a lab exercise only. Its RC4 keystream repeats whenever its 24-bit IV repeats and the shared key can be recovered from captured traffic (attacks published from 2001 onward), so a real deployment should use WPA2 or later.
Step 1: Configure the Linksys wireless router to require WEP.

a. Click the Customer Wireless Router icon. Then, click the GUI tab to access the router web management interface.
b. Click the Wireless menu option and change the Network Name (SSID) from Default to CustomerWireless. Leave the other settings with their default options.
c. Click the Save Settings button at the bottom of the Basic Wireless Settings window.
d. Click the Wireless Security submenu under the Wireless menu to display the current wireless security parameters.
e. From the Security Mode drop-down menu, select WEP.
f. In the Key1 text box, type 1a2b3c4d5e. This will be the new WEP pre-shared key to access the wireless network.
g. Click the Save Settings button at the bottom of the Wireless Security window.
Step 2: Configure WEP on the customer wireless workstation.
a. Click the Customer Wireless Workstation.
b. Click the Config tab.
c. Click the Wireless button to display the current wireless configuration settings on the workstation.
d. Change the SSID to CustomerWireless.
e. Change the Security Mode to WEP. Enter 1a2b3c4d5e in the Key text box, and then close the window.
Step 3: Verify the configuration.
After you configure the correct WEP key and SSID on the customer wireless workstation, notice that there is a wireless connection between the workstation and the wireless router.
a. Click the Customer Wireless Workstation.
b. Click the Desktop tab to view the applications that are available.
c. Click on the Command Prompt application to bring up the command prompt.
d. Type ipconfig /all and press Enter to view the current network configuration settings.
e. Type ping 192.168.2.1 to verify connectivity to the LAN interface of the customer wireless router.
f. Close the command prompt window.
g. Open a web browser.
h. In the address bar of the web browser window, type http://192.168.1.10. Press Enter. The Intranet web page that is running on the customer server appears. You have just verified that the customer wireless workstation has connectivity to the rest of the customer network.
i. Click the Check Results button at the bottom of this instruction window to check your work.
Reflection
a. What is the purpose of using WEP on a wireless network?
b. What is the significance of the key that you used to secure WEP?
c. Is WEP the best choice for wireless security?
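An added example that is not part of the lab manual, illustrating the answer to reflection question c. WEP encrypts each frame with RC4 keyed by a 24-bit IV sent in the clear followed by the shared key (here the activity's 40-bit key 1a2b3c4d5e). Whenever an IV repeats, the keystream repeats, and the XOR of two such ciphertexts is the XOR of their plaintexts with the key cancelled out; if one plaintext is known or guessable (a protocol header, a predictable request), the other falls out. The IV and the two frame payloads below are constructed values; the RC4 test vectors are the standard published ones.

```python
"""WEP keystream reuse: the same 24-bit IV with the same 40-bit key gives
the same RC4 keystream, so XORing two such ciphertexts cancels the key.

Added example, not from the lab manual. Uses the activity's key 1a2b3c4d5e;
the IV and the two plaintext frames are constructed for the demonstration.
"""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), returning `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def wep_encrypt(key40: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: IV (clear) || RC4_{IV||key}(payload || CRC-32 ICV)."""
    if len(iv) != 3 or len(key40) != 5:
        raise ValueError("WEP-40 uses a 3-byte IV and a 5-byte key")
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + rc4(iv + key40, payload + icv)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_plaintext_xor(frame1: bytes, frame2: bytes) -> bytes:
    """If both frames carry the same IV, C1 ^ C2 == P1 ^ P2 (key cancels).

    Only the IVs and ciphertexts are used; the WEP key is never touched.
    """
    if frame1[:3] != frame2[:3]:
        raise ValueError("different IVs: keystreams differ, nothing cancels")
    return xor_bytes(frame1[3:], frame2[3:])


WEP_KEY = bytes.fromhex("1a2b3c4d5e")        # Key1 from the activity
IV = bytes.fromhex("0a0b0c")                  # constructed; only 2^24 exist
P1 = b"GET /payroll.csv HTTP/1.0"            # constructed frames of equal
P2 = b"GET /public.html HTTP/1.0"            # length (25 bytes each)

if __name__ == "__main__":
    c1 = wep_encrypt(WEP_KEY, IV, P1)
    c2 = wep_encrypt(WEP_KEY, IV, P2)
    pxor = recover_plaintext_xor(c1, c2)
    # Knowing (or guessing) P2 hands the attacker P1 without the key.
    print(xor_bytes(pxor[: len(P2)], P2))
```

With only 2^24 IVs, repeats are guaranteed on a busy network within hours, and many cards restart the IV sequence at zero after a reset. The later key-recovery attacks go further and recover the shared key itself from captured frames, after which every frame can be decrypted directly; either way WEP provides no real confidentiality for the financial data the scenario describes.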
5 Placing ACLs
Background / Preparation
This activity demonstrates how the flow of network traffic is affected by applying an ACL to permit or deny traffic in the network. The network administrator has decided that all external web traffic goes only to the Web server. Also, in order to protect the data of their employees, the HR server is only accessible to HR employees. Therefore, ACLs will need to be implemented on the network. Another network technician has already configured the necessary ACLs on both the Gateway and Distribution2 routers. However, the ACLs have not been applied to an interface. You have been asked to apply the ACLs and verify that the appropriate traffic is permitted or denied.
Required file: Placing ACLs
Step 1: Verify network connectivity
a. Verify that all of the PCs can communicate with each other and with the servers.
b. Verify that the Internet Host can access the Web server (192.168.0.3), Sales server (192.168.10.2) and HR server (192.168.40.2) using the browser.
Step 2: Examine the Access Control Lists that are configured on the routers
a. Access the Distribution1 router. Use the following commands to view the ACL that has been configured:
show running-config
show access-lists 1
b. Access the Gateway router. Use the following commands to view the ACL that has been configured:
show running-config
show access-lists 100

Step 3: Determine the appropriate interface to apply the ACLs

a. After examining the ACLs, determine on which interface each ACL should be applied.
b. An ACL must be applied to an interface or subinterface, in a direction (in or out), before it affects network traffic.
c. An extended ACL should be placed closest to the source of the traffic it filters, and a standard ACL closest to the destination. A standard ACL matches on source address only, so placing it near the source would also block that source's traffic to destinations it was not meant to protect.
d. Remember that only one ACL per interface, per protocol, per direction is allowed.
e. Apply the ACL to the appropriate interface or subinterface.
Step 4: Examine the effects of the ACL
a. Internet Host should be able to ping any device in the network, except HR1 or HR server.
b. Internet Host should be able to access Web server (192.168.0.3) using the browser.
c. Internet Host should not be able to access either the HR server (192.168.40.1) or Sales server (192.168.10.2) using the browser.
d. HR2 should be able to access HR server (192.168.40.1) using ping or the browser.
e. RandD2 should not be able to access HR server (192.168.40.1) using ping or the browser.

Reflection
1. How can ACLs be used to control the flow of network traffic?
2. By default, what is always the last statement in an ACL?
6 To configure DHCP and HTTP server.
Objectives

Configure the DHCP service on the Cisco 1841 ISR router and verify that a workstation obtains its address from it.

Background / Preparation
In this activity, you will continue to configure the Cisco 1841 ISR router for the customer network by configuring the DHCP service. The customer has several workstations that need to be automatically configured with IP addresses on the local subnet and appropriate DHCP options to allow access to the Internet. The DHCP pool will use the 192.168.1.0/24 network, but the first 49 addresses are excluded. The default gateway and DNS server also need to be configured as 192.168.1.1 and 192.168.1.10 respectively.
For this activity, both the user and privileged EXEC passwords are cisco. Note: Packet Tracer does not currently support the domain name and lease period options. These options are not used in this activity.
Step 1: Configure the DHCP service.
a. From the customer workstation, use a console cable and terminal emulation software to connect to the console of the customer Cisco 1841 ISR.
b. Log in to the console of the Cisco 1841 ISR and enter global configuration mode.
c. Before creating a DHCP pool, configure the addresses that are excluded. The range is from 192.168.1.1 to 192.168.1.49.
CustomerRouter(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.49

d. Create a DHCP pool called pool1.

CustomerRouter(config)#ip dhcp pool pool1


e. Define the network address range for the DHCP pool.

CustomerRouter(dhcp-config)#network 192.168.1.0 255.255.255.0

f. Define the DNS server as 192.168.1.10.

CustomerRouter(dhcp-config)#dns-server 192.168.1.10

g. Define the default gateway as 192.168.1.1.

CustomerRouter(dhcp-config)#default-router 192.168.1.1
h. Return to global configuration mode. The exclusion range 192.168.1.1 to 192.168.1.49 was already configured in step c; ip dhcp excluded-address is a global command, not a pool command, so it is not entered under the pool. Entering it a second time is harmless.

CustomerRouter(dhcp-config)#exit
CustomerRouter(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.49

i. Exit configuration mode and the terminal session.


Step 2: Verify the DHCP configuration.

a. From the customer workstation, open the Command Prompt window.


b. Type ipconfig /release to release the current IP address.
c. Type ipconfig /renew to request a new IP address on the local network.
d. Verify that the IP address has been correctly assigned by pinging the LAN IP address of the Cisco 1841 ISR.
e. Click the Check Results button at the bottom of this instruction window to check your work.

Reflection
a. What is the purpose of DHCP on the customer network?
b. What IP address is assigned to the workstation after its IP address is renewed?
c. What other DHCP options can be defined on the Cisco 1841 ISR router that are not
configured in this activity?
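An added example, not from the lab manual, that models the pool configured in Step 1 and answers reflection question b: which address the workstation receives after ipconfig /renew. It reproduces the IOS behaviour the activity relies on: ip dhcp excluded-address is global and applies to the pool whatever order it was entered in, the network and broadcast addresses are never offered, and the lowest free address is offered first. The client identifiers (MACs) are constructed; lease timers are not modelled.

```python
"""Which addresses the `ip dhcp pool pool1` configuration can hand out.

Added example, not from the lab manual. It models only the parts of IOS
DHCP the activity configures (network, excluded-address, default-router,
dns-server); lease timers and the client MACs are assumptions.
"""
import ipaddress


class DhcpPool:
    """Minimal model of one IOS DHCP pool with global excluded ranges."""

    def __init__(self, network, default_router, dns_server, excluded=()):
        self.network = ipaddress.ip_network(network, strict=True)
        self.default_router = ipaddress.ip_address(default_router)
        self.dns_server = ipaddress.ip_address(dns_server)
        self.excluded = set()
        for low, high in excluded:
            self.exclude(low, high)
        self.leases = {}  # client identifier (MAC) -> address

    def exclude(self, low, high):
        """`ip dhcp excluded-address low high` (inclusive; idempotent)."""
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if hi < lo:
            raise ValueError("excluded range must be low..high")
        for addr in range(int(lo), int(hi) + 1):
            self.excluded.add(ipaddress.ip_address(addr))

    def assignable(self):
        """Usable hosts of the network minus exclusions and current leases."""
        leased = set(self.leases.values())
        return [
            a for a in self.network.hosts()      # skips network and broadcast
            if a not in self.excluded and a not in leased
        ]

    def offer(self, mac):
        """Return the offer (address, mask, router, dns) for one client."""
        if mac in self.leases:
            addr = self.leases[mac]              # a renewal keeps the binding
        else:
            free = self.assignable()
            if not free:
                raise RuntimeError("pool exhausted")
            addr = free[0]                       # lowest free address first
            self.leases[mac] = addr
        return {
            "address": str(addr),
            "mask": str(self.network.netmask),
            "router": str(self.default_router),
            "dns": str(self.dns_server),
        }


def build_pool1():
    """The activity's pool1, expressed with the model above."""
    return DhcpPool(
        "192.168.1.0/24",
        default_router="192.168.1.1",
        dns_server="192.168.1.10",
        excluded=[("192.168.1.1", "192.168.1.49")],
    )


if __name__ == "__main__":
    pool = build_pool1()
    print(len(pool.assignable()), "addresses available")
    print(pool.offer("00:11:22:33:44:55"))     # constructed client MAC
```

The first workstation to renew therefore receives 192.168.1.50 with mask 255.255.255.0, gateway 192.168.1.1 and DNS 192.168.1.10, and the pool holds 205 assignable addresses (254 usable hosts minus the 49 excluded). Anything that must keep a fixed address, such as the router and the server at .10, belongs inside the excluded range, which is why the exclusion is configured before the pool.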
7 Implement VLAN Configuration
Creating VLAN

In the practice lab network, the Office1 switch is configured as the VTP server and the Office2 and Office3 switches are configured as VTP clients. VLANs therefore only need to be created on the VTP server; VTP propagates them to all VTP clients automatically. (Every switch in the domain accepts the VLAN database with the highest revision number, so a reused switch added to the domain with a higher revision can overwrite the VLANs on the server; reset its revision, or set it to transparent mode, before connecting it.)

The vlan <vlan-number> command creates a VLAN.

Office 1 Switch
S1(config)#vlan 10
S1(config-vlan)#exit
S1(config)#vlan 20
S1(config-vlan)#exit
S1(config)#
Assigning VLAN Membership

VLANs can be assigned statically or dynamically. The CCNA exam covers only the static method, so the static method is used here as well. The switchport access vlan <vlan-number> interface command assigns a VLAN to an interface. The following commands assign VLANs to the interfaces.

Office 1 Switch
S1(config)#interface fastEthernet 0/1
S1(config-if)#switchport access vlan 10
S1(config-if)#interface fastEthernet 0/2
S1(config-if)#switchport access vlan 20
Office 2 Switch
S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport access vlan 10
S2(config-if)#interface fastEthernet 0/2
S2(config-if)#switchport access vlan 20
Office 3 Switch
S3(config)#interface fastEthernet 0/1
S3(config-if)#switchport access vlan 10
S3(config-if)#interface fastEthernet 0/2
S3(config-if)#switchport access vlan 20
VLAN membership is now assigned, so the configuration can be tested. The ping command tests connectivity between two devices. With this configuration, devices in the same VLAN can communicate, while devices in different VLANs must not be able to communicate with each other without a router.

Testing VLAN configuration

Open a PC's command prompt to test the VLAN configuration: double-click PC-PT and click Command Prompt.

There are two VLANs, VLAN 10 and VLAN 20. Test VLAN 10 first. VLAN 10 contains three PCs with IP addresses 10.0.0.2, 10.0.0.3 and 10.0.0.4; these PCs must be able to ping each other. At this point PCs in VLAN 10 must not be able to reach PCs in VLAN 20. VLAN 20 also has three PCs, 20.0.0.2, 20.0.0.3 and 20.0.0.4.

Once VLAN 10 is verified, test VLAN 20.

As with VLAN 10, PCs in VLAN 20 must be able to communicate with the other PCs in the same VLAN but must not be able to reach VLAN 10.

With that, the VLAN configuration is complete.

Configure Router on a Stick

Typically a router receives data on one physical interface and forwards it out of another physical interface according to its configuration. Each VLAN has a layer 3 address that is configured as the default gateway on all devices in that VLAN. In our scenario, 10.0.0.1 is reserved for VLAN 10 and 20.0.0.1 for VLAN 20.

With the default configuration, inter-VLAN communication would need one physical router interface per VLAN. Given the price of routers this is not cost-effective: a router usually has only one or two Ethernet interfaces, so for 50 VLANs nearly 25 routers would be needed. To deal with this situation we use Router on a Stick.

Router on a Stick is a router that connects to the switch over a single trunk link and routes packets between the VLANs carried on that trunk. A single physical interface is sufficient for communication between both of our VLANs.

Access the command prompt of the router

To configure Router on a Stick, access the CLI of the router: click Router, click CLI from the menu items and press Enter to reach the CLI.
Run the following commands in the same sequence to configure Router on a Stick:

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastEthernet 0/0.10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 10.0.0.1 255.0.0.0
Router(config-subif)#exit
Router(config)#interface fastEthernet 0/0.20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 20.0.0.1 255.0.0.0
Router(config-subif)#exit

 In the configuration above the single physical interface FastEthernet 0/0 is split into two logical interfaces, known as sub-interfaces. The maximum number of sub-interfaces depends on the router platform.
 By default the link works as an access link, so it must be turned into a trunk. The encapsulation dot1Q command specifies the trunk type (802.1Q tagging) and associates a VLAN with the sub-interface. The switch port that connects to the router must also be configured as a trunk.
 The next step assigns an IP address to each sub-interface.

That is all the configuration needed to route between VLANs. To test inter-VLAN communication, open the command prompt of a PC and ping a PC in the other VLAN.

PC [10.0.0.3] from VLAN 10 can now access PC [20.0.0.2] from VLAN 20.
Spanning Tree Protocol (STP)

STP is a layer 2 protocol used for removing loops. For redundancy we typically create backup links to important resources; in our scenario all offices have backup links, which create loops in the topology. STP removes layer 2 loops automatically. Switches running STP multicast frames that contain information about their interfaces, called BPDUs (Bridge Protocol Data Units), and use the BPDUs they receive to learn the topology. If a loop is found, STP removes it by placing the port or ports that cause it into the blocking state.
8 Inter VLAN Routing Configuration

SW1(config)#interface fa0/3
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk allowed vlan 10,20

This is how SW1 is configured: interface fa0/3 is made a trunk port and, as a security measure, only VLANs 10 and 20 are allowed on the trunk. (The switchport trunk encapsulation dot1q command exists only on switches that also support ISL; a Catalyst 2960 supports 802.1Q only, so on that platform the command is absent and is simply omitted.)

R1(config)#interface fa0/0.10
R1(config-subif)#encapsulation dot1Q 10
R1(config-subif)#ip address 192.168.10.254 255.255.255.0
R1(config)#interface fa0/0.20
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip address 192.168.20.254 255.255.255.0

Create two sub-interfaces on the router and tell it to which VLAN they belong. Don’t forget to
add an IP address for each VLAN.

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP


D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.10.0/24 is directly connected, FastEthernet0/0.10


C 192.168.20.0/24 is directly connected, FastEthernet0/0.20

The router will be able to route because these two networks are directly connected.

C:\Documents and Settings\H1>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :


IP Address. . . . . . . . . . . . : 192.168.10.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.254
C:\Documents and Settings\H2>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :


IP Address. . . . . . . . . . . . : 192.168.20.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.254

Don’t forget to set your IP address and gateway on the computers.

Let’s try a ping:

C:\Documents and Settings\H1>ping 192.168.20.1

Pinging 192.168.20.1 with 32 bytes of data:

Reply from 192.168.20.1: bytes=32 time<1ms TTL=128


Reply from 192.168.20.1: bytes=32 time<1ms TTL=128
Reply from 192.168.20.1: bytes=32 time<1ms TTL=128
Reply from 192.168.20.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.20.1:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

That is how it is done. Why use a solution like this? It is cheap: no multilayer switch is needed for the routing; any layer 2 switch will do.

The Cisco Catalyst 2960 is a layer 2 switch; the cheapest multilayer switch is the Cisco Catalyst 3560. Compare the prices of the two and the difference is clear.
The disadvantages of this solution are that the router is a single point of failure and that all inter-VLAN traffic flows up and down the same link, which can cause congestion.
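The dot1Q encapsulation used by the router sub-interfaces in practical 7 and the trunk port in practical 8 is a 4-byte tag inserted into the Ethernet header. The following is an added example, not from the lab manual, that builds and parses such frames and applies the switchport trunk allowed vlan check as a switch would: untagged frames arriving on a trunk belong to the native VLAN (VLAN 1 by default), tagged frames must carry an allowed VLAN ID. The MAC addresses and payload are constructed; VLAN IDs 10 and 20 are those used in the two practicals.

```python
"""Build and parse 802.1Q-tagged Ethernet frames, the encapsulation that
`encapsulation dot1Q <vlan>` and `switchport mode trunk` refer to.

Added example, not from the lab manual. MAC addresses and payloads are
constructed; VLAN IDs 10 and 20 are the ones used in the activities.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # TPID that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text):
    """'00:50:56:aa:bb:cc' or dash-separated -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def build_frame(dst, src, payload, vlan=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; with `vlan` set, a 4-byte 802.1Q tag is inserted
    between the source MAC and the EtherType (the only place it can go)."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        if not 0 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 0..4094 (4095 is reserved)")
        if not 0 <= pcp <= 7:
            raise ValueError("PCP is a 3-bit priority")
        tci = (pcp << 13) | vlan             # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan (None if untagged), pcp, ethertype, payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    offset = 14
    if ethertype == ETHERTYPE_VLAN:          # tagged: TCI then real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pcp = tci & 0x0FFF, tci >> 13
        offset = 18
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vlan": vlan, "pcp": pcp, "ethertype": ethertype,
        "payload": frame[offset:],
    }


def trunk_accepts(frame, allowed_vlans, native_vlan=1):
    """`switchport trunk allowed vlan` check on an incoming trunk frame:
    untagged frames are placed in the native VLAN; tagged frames must
    carry an allowed VID."""
    info = parse_frame(frame)
    vid = native_vlan if info["vlan"] is None else info["vlan"]
    return vid in allowed_vlans


if __name__ == "__main__":
    f = build_frame("00:00:0c:11:22:33", "00:50:56:aa:bb:cc", bytes(20), vlan=10)
    print(f[12:18].hex(" "))          # 81 00 00 0a 08 00
    print(parse_frame(f)["vlan"])     # 10
    print(trunk_accepts(f, {10, 20}), trunk_accepts(f, {20}))
```

The native-VLAN rule is why a trunk hardened beyond this lab moves the native VLAN off VLAN 1 and leaves it out of the allowed list: any untagged frame that reaches a trunk port is otherwise placed into VLAN 1 without the sender having tagged anything.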

9 Planning Network-based Firewalls

Objectives

Install and configure two preconfigured firewalls in place of the existing routers, and verify that each enforces the required restrictions.

Background / Preparation
You are a technician who provides network support for a medium-sized business. The business has grown and includes a research and development department working on a new, very confidential project. The livelihood of the project depends on protecting the data used by the research and development team.
Your job is to install firewalls to help protect the network, based on specific requirements. The Packet Tracer topology that you will use includes two preconfigured firewalls. In the two scenarios presented, you will replace the existing routers with the firewalls. The firewalls need to be configured with the appropriate IP address configurations, and the firewalls should be tested to ensure that they are installed and configured correctly.
Scenario 1: Protecting the Network from Hackers
Because the company is concerned about security, you recommend a firewall to protect the network from hackers on the Internet. It is very important that access to the network from the Internet is restricted. Firewall_1 has been preconfigured with the appropriate rules to provide the security required. You will install it on the network and confirm that it is functioning as expected.

Step 1: Replace Router_A with Firewall_1.

a. Remove Router_A and replace it with Firewall_1.
b. Connect the Fast Ethernet 0/0 interface on Firewall_1 to the Fast Ethernet 0/1 interface on Switch_A. Connect the Fast Ethernet 0/1 interface on Firewall_1 to the Ethernet 6 interface of the ISP cloud. (Use straight-through cables for both connections.)
c. Confirm that the host name of Firewall_1 is Firewall_1.
d. On Firewall_1, configure the WAN IP address and subnet mask for the Fast Ethernet 0/1 interface as 209.165.200.225 and 255.255.255.224.
e. Configure the LAN IP address and subnet mask for the Fast Ethernet 0/0 interface on Firewall_1 as 192.168.1.1 and 255.255.255.0.

Step 2: Verify the Firewall_1 configuration.


a. Use the show run command to verify your configuration. This is a partial example of the output.

Firewall_1#show run
Building configuration...
hostname Firewall_1
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 209.165.200.225 255.255.255.224
ip access-group 100 in
ip nat outside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 192.168.2.0 255.255.255.0 192.168.1.2
ip route 192.168.3.0 255.255.255.0 192.168.1.3
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 deny ip any host 209.165.200.225
<output omitted>
!
end

b. From PC_B, ping 209.165.200.225 to verify that the internal computer can reach the Internet side of Firewall_1. Note: 209.165.200.225 is the firewall's own WAN interface, so a successful ping shows that PC_B's traffic is routed through Firewall_1 to its outside interface; reaching a host beyond the ISP cloud would be a stronger test of Internet access.

PC>ping 209.165.200.225
Pinging 209.165.200.225 with 32 bytes of data:

Reply from 209.165.200.225: bytes=32 time=107ms TTL=120


Reply from 209.165.200.225: bytes=32 time=98ms TTL=120
Reply from 209.165.200.225: bytes=32 time=104ms TTL=120
Reply from 209.165.200.225: bytes=32 time=95ms TTL=120
Ping statistics for 209.165.200.225:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 95ms, Maximum = 107ms, Average = 101ms

c. From privileged EXEC mode on Firewall_1, save the running configuration to the startup configuration using the copy run start command.

Scenario 2: Securing the Research and Development Network
Now that the entire network is secured from traffic originating from the Internet, secure the research and development network, Subnet C, from potential breaches from inside the network. The research and development team needs access to both the server on Subnet B and the Internet to conduct research. Computers on Subnet B should be denied access to the research and development subnet.
Firewall_2 has been preconfigured with the appropriate rules to provide the security required. You will install it on the network and confirm that it is functioning as expected.
Step 1: Replace Router_C with Firewall_2.

a. Remove Router_C and replace it with Firewall_2.
b. Connect the Fast Ethernet 0/1 interface on Firewall_2 to the Fast Ethernet 0/3 interface on Switch_A. Connect the Fast Ethernet 0/0 interface on Firewall_2 to the Fast Ethernet 0/1 interface on Switch_C. (Use straight-through cables for both connections.)
c. Confirm that the host name of Firewall_2 is Firewall_2.
d. On Firewall_2, configure the WAN IP address and subnet mask for the Fast Ethernet 0/1 interface as 192.168.1.3 and 255.255.255.0.
e. Configure the LAN IP address and subnet mask for the Fast Ethernet 0/0 interface of Firewall_2 as 192.168.3.1 and 255.255.255.0.

Step 2: Verify the Firewall_2 configuration.


a. Use the show run command to verify the configuration. This is a partial example of the output.

Firewall_2#show run
Building configuration...
... !
interface FastEthernet0/0
ip address 192.168.3.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.3 255.255.255.0
ip access-group 100 in
ip nat outside
duplex auto
speed auto
!
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 100 permit ip host 192.168.2.10 any
access-list 100 permit ip host 192.168.1.1 any
<output omitted>
!
end

b. From the command prompt on PC_B, use the ping command to verify that the computers on Subnet B cannot access the computers on Subnet C.
PC>ping 192.168.3.10
Pinging 192.168.3.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.3.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

c. From the command prompt on PC_C, use the ping command to verify that the computers on Subnet C can access the server on Subnet B.
PC>ping 192.168.2.10
Pinging 192.168.2.10 with 32 bytes of data:
Request timed out.
Reply from 192.168.2.10: bytes=32 time=164ms TTL=120
Reply from 192.168.2.10: bytes=32 time=184ms TTL=120
Reply from 192.168.2.10: bytes=32 time=142ms TTL=120
Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 142ms, Maximum = 184ms, Average = 163ms
d. From the command prompt on PC_C, use the ping command to verify that the computers on Subnet C can access the Internet.

PC>ping 209.165.200.225
Pinging 209.165.200.225 with 32 bytes of data:
Reply from 209.165.200.225: bytes=32 time=97ms TTL=120
Reply from 209.165.200.225: bytes=32 time=118ms TTL=120
Reply from 209.165.200.225: bytes=32 time=100ms TTL=120
Reply from 209.165.200.225: bytes=32 time=110ms TTL=120
Ping statistics for 209.165.200.225:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:


Minimum = 97ms, Maximum = 118ms, Average = 106ms

e. From privileged EXEC mode on Firewall_2, save the running configuration to the startup configuration using the copy run start command.
f. Click the Check Results button at the bottom of this instruction window to check your work.
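An added example, not from the lab manual, that evaluates the numbered ACLs shown in the Firewall_1 and Firewall_2 configurations above against sample packets. It implements the two rules practical 5 asks you to keep in mind: entries are tested in order and the first match decides, and every list ends with an implicit deny, so a packet matched by no entry is dropped (the answer to reflection question 2 of practical 5). Standard lists (1 to 99) test only the source address, which is why practical 5 places them near the destination; extended lists (100 to 199) test protocol, source and destination. Only the ACL syntax that appears on this page is parsed, and the sample packets are constructed.

```python
"""Evaluate IOS numbered ACLs (standard 1-99, extended 100-199) against
packets: first match wins, and an unmatched packet hits the implicit deny.

Added example, not from the lab manual. The ACL lines are those shown in
the Firewall_1 and Firewall_2 `show run` output; sample packets are
constructed. Only permit/deny, a protocol keyword, any, host and
address+wildcard are handled, which is all this page uses.
"""
import ipaddress

ANY = (0, 0xFFFFFFFF)            # address 0 with an all-ones wildcard


def _parse_addr(tokens):
    """Consume one address spec from the token list: any | host A | A W."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (int(ipaddress.ip_address(tokens.pop(0))), 0)
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    return (int(ipaddress.ip_address(t)), wildcard)


def parse_acl_line(line):
    """'access-list N permit|deny [proto] src [dst]' -> rule dict."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    if 1 <= number <= 99:                    # standard: source only
        proto, src, dst = "ip", _parse_addr(rest), ANY
    elif 100 <= number <= 199:               # extended: proto src dst
        proto = rest.pop(0)
        src, dst = _parse_addr(rest), _parse_addr(rest)
    else:
        raise ValueError("only numbered standard/extended ACLs are modelled")
    return {"number": number, "action": action, "proto": proto,
            "src": src, "dst": dst}


def _matches(spec, address):
    """Wildcard-mask semantics: 1 bits in the wildcard are don't-care bits."""
    net, wildcard = spec
    return (int(ipaddress.ip_address(address)) | wildcard) == (net | wildcard)


def evaluate(rules, src, dst, proto="ip"):
    """Return ('permit'|'deny', index of the matching entry or None).

    None means no entry matched and the implicit `deny any` at the end
    of every ACL fired."""
    for idx, rule in enumerate(rules):
        if rule["proto"] not in ("ip", proto):
            continue                          # e.g. a tcp entry vs an icmp packet
        if _matches(rule["src"], src) and _matches(rule["dst"], dst):
            return rule["action"], idx        # first match decides
    return "deny", None


def load_acl(number, config_lines):
    """Pick the entries of one numbered ACL out of `show run` text, in order."""
    rules = [parse_acl_line(l) for l in config_lines if l.startswith("access-list ")]
    return [r for r in rules if r["number"] == number]


FIREWALL_1 = [
    "access-list 1 permit 192.168.0.0 0.0.255.255",
    "access-list 100 deny ip any host 209.165.200.225",
]
FIREWALL_2 = [
    "access-list 1 permit 192.168.3.0 0.0.0.255",
    "access-list 100 permit ip host 192.168.2.10 any",
    "access-list 100 permit ip host 192.168.1.1 any",
]

if __name__ == "__main__":
    fw2 = load_acl(100, FIREWALL_2)          # inbound on Fa0/1 of Firewall_2
    for src in ("192.168.2.10", "192.168.2.11", "192.168.1.1"):
        print(src, "->", "192.168.3.10", evaluate(fw2, src, "192.168.3.10"))
```

For Firewall_2 this reproduces the results of Step 2: the server 192.168.2.10 and Firewall_1 at 192.168.1.1 match permit entries, while PC_B (any other Subnet B address) matches nothing and is dropped by the implicit deny. For Firewall_1 only a deny entry of access-list 100 is visible and the rest is omitted, so the implicit deny would drop all inbound traffic on FastEthernet0/1 unless the omitted lines permit return traffic; when reading a real configuration, find the permit entries before concluding what a list allows.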
Reflection
a. Why would you install a firewall on the internal network?
b. How does a router that is configured to use NAT help protect computer systems on the inside of the NAT router?
c. Examine the location of Firewall_1 and Firewall_2 in the completed network topology. Which networks are considered trusted and untrusted for Firewall_1? Which networks are considered trusted and untrusted for Firewall_2?
