This CCNA Packet Tracer lab challenge will improve your skills in OSPF, static PAT, and ACLs, along with basics such as IP address assignment.
You can set this up as a Packet Tracer lab, and if people are interested in this type of thing I can provide file packs with solutions, etc. Let’s start by taking a look at the topology below:

This is the basic topology you need to complete this lab. I will refer to interfaces as they are labeled above, but just adapt it to your needs.
CCNA Skills: The Challenge
- Configure a /30 link between R1 and R2 using network 10.1.10.0 /30
- Create loopback 1 on R1: 1.1.1.1 and create loopback 1 on R2: 2.2.2.2
- Use the IP Address 192.168.1.1 /24 on R1’s e0/1 interface.
- Configure PC1 to receive a DHCP address in the 192.168.1.0 /24 Network.
- Using OSPF, ensure that all endpoints can ping every address in the topology. Single area OSPF is fine.
- Use static PAT in a way that allows you to telnet into R2 by typing <telnet 10.1.10.2 80> in R1 or PC1. Hint: Use the loopback on R2.
- Configure an access-list on an inbound interface that blocks telnet from the 192.168.1.0 /24 network on the PAT translation you enabled earlier, but permits pings from all nodes and does not destroy the OSPF relationship you created in step 5. Do not <allow ip any any>, and use four statements. You should still be able to <telnet 10.1.10.2 80> from R1.
LAB SOLUTION
There is more than one way to peel an orange, but the configurations for how I completed this are below.
Let me know in the comments or email me if you would be interested in more labs like this, with packet tracer files and more. I can create some fun stuff if the demand is there.
ROUTER 1
Current configuration : 1118 bytes
!
! Last configuration change at 19:21:43 EET Sun Mar 8 2020
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone EET 2 0
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool NET192
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
!
no ip domain-lookup
ip cef
no ipv6 cef
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 10.1.10.1 255.255.255.252
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
router ospf 12
 network 1.1.1.1 0.0.0.0 area 0
 network 10.1.10.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
ROUTER 2
Current configuration : 1299 bytes
!
! Last configuration change at 19:21:42 EET Sun Mar 8 2020
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone EET 2 0
!
!
no ip domain-lookup
ip cef
no ipv6 cef
!
!
interface Loopback2
 ip address 2.2.2.2 255.255.255.255
 ip nat inside
!
interface Ethernet0/0
 ip address 10.1.10.2 255.255.255.252
 ip access-group 100 in
 ip nat outside
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
router ospf 12
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.10.0 0.0.0.3 area 0
!
ip nat inside source static tcp 2.2.2.2 23 10.1.10.2 80 extendable
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
access-list 100 permit ospf any any
access-list 100 permit icmp any any
access-list 100 deny tcp 192.168.1.0 0.0.0.255 host 10.1.10.2 eq www
access-list 100 permit tcp 10.1.10.0 0.0.0.3 host 10.1.10.2 eq www
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
!
!
end
PC1
Just enable DHCP 🙂
CONCLUSIONS
In this CCNA-style Packet Tracer lab, we use Router 2’s loopback interface as the inside address. The command <ip nat inside source static tcp 2.2.2.2 23 10.1.10.2 80> translates TCP traffic sent to 10.1.10.2 on port 80 to telnet (port 23) on the loopback.
The access list uses four commands to permit and deny traffic based on the requirements listed.
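How ACL 100 on R2 treats each kind of traffic in the lab, as an added example that is not part of the original solution: a small Python model of IOS first-match evaluation with wildcard masks. The sample packets (including the assumption that PC1 leases 192.168.1.100) are constructed, and destinations are shown pre-NAT because an inbound ACL on the outside interface is checked before translation.

```python
import ipaddress

# ACL 100 as configured on R2 above.
# Fields: action, protocol, (src, wildcard), (dst, wildcard), dst port.
# None means "any"; wildcard 0.0.0.0 is the IOS "host" keyword.
ACL_100 = [
    ("permit", "ospf", None, None, None),
    ("permit", "icmp", None, None, None),
    ("deny", "tcp", ("192.168.1.0", "0.0.0.255"), ("10.1.10.2", "0.0.0.0"), 80),
    ("permit", "tcp", ("10.1.10.0", "0.0.0.3"), ("10.1.10.2", "0.0.0.0"), 80),
]

def wildcard_match(addr, spec):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    if spec is None:
        return True
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, matching line); ("deny", None) is the implicit deny."""
    for line, (action, p, s, d, port) in enumerate(acl, start=1):
        if p != proto or (port is not None and port != dport):
            continue
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action, line
    return "deny", None

# Constructed sample packets as seen inbound on R2 e0/0, before NAT.
# Assumption: PC1 leases 192.168.1.100, the first address outside the excluded range.
SAMPLES = [
    ("OSPF hello from R1", "ospf", "10.1.10.1", "224.0.0.5", None),
    ("ping PC1 -> R2 loopback", "icmp", "192.168.1.100", "2.2.2.2", None),
    ("telnet 10.1.10.2 80 from PC1", "tcp", "192.168.1.100", "10.1.10.2", 80),
    ("telnet 10.1.10.2 80 from R1", "tcp", "10.1.10.1", "10.1.10.2", 80),
    ("telnet 2.2.2.2 from PC1", "tcp", "192.168.1.100", "2.2.2.2", 23),
]

def run_samples():
    return {name: evaluate(ACL_100, *pkt) for name, *pkt in SAMPLES}

if __name__ == "__main__":
    for name, (action, line) in run_samples().items():
        where = f"line {line}" if line else "implicit deny"
        print(f"{name:32} {action:6} ({where})")
```

The last sample matches none of the four statements, so it falls through to the implicit deny at the end of the list.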
Please drop a comment below or send an email with any suggestions and improvements.
Also let me know if you want more labs 🙂 I have a fun one with EIGRP, OSPF, GRE Tunnels, and DHCP Helper.