CCNA Packet Tracer Lab | Static PAT and ACL – Can you do it?

This lab challenge will test your skills in OSPF, Static PAT, ACLs, DHCP, and other network configuration basics.

CCNA Static PAT Packet Tracer Lab

This CCNA Packet Tracer lab challenge will improve your skills in OSPF, Static PAT, ACLs, and more basic skills such as IP assignment, etc.

You can set this up as a Packet Tracer lab, and if people are interested in this type of thing I can provide file packs with solutions, etc. Let’s start by taking a look at the topology below:

[Figure: CCNA Packet Tracer Lab OSPF PAT ACL topology. Set this up in your lab software of choice.]

This is the basic topology you need to complete this lab. I will refer to interfaces as they are labeled above, but just adapt it to your needs.

CCNA Skills: The Challenge

  1. Configure a /30 link between R1 and R2 using network 10.1.10.0 /30

  2. Create loopback 1 on R1: 1.1.1.1 and create loopback 1 on R2: 2.2.2.2

  3. Use the IP Address 192.168.1.1 /24 on R1’s e0/1 interface.

  4. Configure PC1 to receive a DHCP address in the 192.168.1.0 /24 Network.

  5. Using OSPF, ensure that all endpoints can ping every address in the topology. Single area OSPF is fine.

  6. Use static PAT in a way that allows you to telnet into R2 by typing <telnet 10.1.10.2 80> in R1 or PC1.

    Hint: Use the loopback on R2.

  7. Configure an access-list on an inbound interface that blocks telnet from the 192.168.1.0 /24 network on the PAT translation you enabled earlier, but permits pings from all nodes and does not destroy the OSPF relationship you created in step 5. Do not <allow ip any any>, and use four statements.

    You should still be able to <telnet 10.1.10.2 80> from R1.

LAB SOLUTION

There is more than one way to peel an orange, but the configurations for how I completed this are below.

Let me know in the comments or email me if you would be interested in more labs like this, with packet tracer files and more. I can create some fun stuff if the demand is there.

ROUTER 1

Current configuration : 1118 bytes
!
! Last configuration change at 19:21:43 EET Sun Mar 8 2020
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone EET 2 0
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool NET192
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1 
!
!
no ip domain-lookup
ip cef
no ipv6 cef
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 10.1.10.1 255.255.255.252
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!         
router ospf 12
 network 1.1.1.1 0.0.0.0 area 0
 network 10.1.10.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end

ROUTER 2

Current configuration : 1299 bytes
!
! Last configuration change at 19:21:42 EET Sun Mar 8 2020
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone EET 2 0
!
!
no ip domain-lookup
ip cef
no ipv6 cef
!
!
interface Loopback2
 ip address 2.2.2.2 255.255.255.255
 ip nat inside
!
interface Ethernet0/0
 ip address 10.1.10.2 255.255.255.252
 ip access-group 100 in
 ip nat outside
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
router ospf 12
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.10.0 0.0.0.3 area 0
!
ip nat inside source static tcp 2.2.2.2 23 10.1.10.2 80 extendable
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
access-list 100 permit ospf any any
access-list 100 permit icmp any any
access-list 100 deny   tcp 192.168.1.0 0.0.0.255 host 10.1.10.2 eq www
access-list 100 permit tcp 10.1.10.0 0.0.0.3 host 10.1.10.2 eq www
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
!
!
end

PC1

Just enable DHCP 🙂

CONCLUSIONS

In this CCNA-style Packet Tracer lab, we use Router 2’s loopback interface as the inside address. The command <ip nat inside source static tcp 2.2.2.2 23 10.1.10.2 80> translates TCP traffic arriving at 10.1.10.2 on port 80 to telnet (TCP port 23) on the loopback, 2.2.2.2.

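The access list uses four statements to permit and deny traffic based on the requirements listed. They are evaluated top to bottom and the first match wins: OSPF and ICMP are permitted, TCP port 80 to 10.1.10.2 is denied from 192.168.1.0 /24 and permitted from the 10.1.10.0 /30 link, and anything else falls through to the implicit deny.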
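
The first-match logic behind ACL 100, as an added example that is not part of the original post: this Python sketch parses the four statements from R2’s configuration and evaluates packets against them, ending in the implicit deny. The function names are illustrative and it handles only the statement shapes used in this lab; because IOS checks the inbound ACL before the outside-to-inside NAT translation, packets are described by their pre-translation destination (10.1.10.2 port 80).

```python
import ipaddress

# Added example: the four ACL 100 statements copied from R2's configuration.
ACL_100 = """\
access-list 100 permit ospf any any
access-list 100 permit icmp any any
access-list 100 deny   tcp 192.168.1.0 0.0.0.255 host 10.1.10.2 eq www
access-list 100 permit tcp 10.1.10.0 0.0.0.3 host 10.1.10.2 eq www
"""
PORT_NAMES = {"www": 80, "telnet": 23}

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse extended-ACL lines of the shapes used in this lab into rule tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()[2:]          # drop 'access-list 100'
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _take_addr(tokens), _take_addr(tokens)
        port = None
        if tokens and tokens[0] == "eq":   # optional destination port
            port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        rules.append((action, proto, src, dst, port))
    return rules

def _match(addr, spec):
    base, wildcard = spec                  # wildcard bits set to 1 are ignored
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, 1-based statement number); statement 0 is the implicit deny."""
    for n, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules, 1):
        if r_proto == proto and _match(src, r_src) and _match(dst, r_dst) \
                and r_port in (None, dport):
            return action, n
    return "deny", 0
```

With a constructed PC1 address of 192.168.1.100, `evaluate(parse_acl(ACL_100), "tcp", "192.168.1.100", "10.1.10.2", 80)` returns `("deny", 3)`, while the same packet sourced from 10.1.10.1 returns `("permit", 4)`. A telnet attempt straight at 2.2.2.2 port 23 matches no statement and returns `("deny", 0)`.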

Please drop a comment below or send an email with any suggestions and improvements.

Also let me know if you want more labs 🙂 I have a fun one with EIGRP, OSPF, GRE Tunnels, and DHCP Helper.

Alex Gray

Author: Alex Gray

Aspiring IT professional focusing on networking, network security, advanced troubleshooting, web development, consulting, and more.
