CIS-467-Lab-22




Lab Tasks:
1. Configure all routers, switches, and servers with the hostnames, connections, and IP addressing depicted in the diagram.
a. R2 and R3 will act as the default gateway for the workstation and server segments.
b. Ensure that VLANs are used on SW-2 and SW-3 per the diagram.
2. Configure a static default route to the ISP router on R1.
3. Configure static routing for the following on the ISP router:
a. Configure a static route for the workstation network on the ISP router.
b. Configure a static route for the backbone transport network on the ISP router.
4. Configure OSPF connectivity between R1, R2, and R3 using the parameters depicted in the topology.
a. All routed interfaces (except the ISP segment) should be members of Area 0.
b. R1 should originate a default route for all other routers.
c. Ensure you have full, 100% connectivity between ALL routed networks. Full connectivity is validated when pings from the ISP router are successful to the following IP addresses:
i. 201.68.109.130 (R2 Outside)
ii. 201.68.109.131 (R3 Outside)
iii. 192.168.84.1 (R2 Inside)
iv. 172.21.35.1 (R3 Inside)
5. On R1, configure and apply an access control list that will prevent all sources from RFC 1918 networks from being sent out to the Internet.
6. Set up static NAT on R1 with the following translations:
a. 192.168.84.45 – 201.68.109.145
b. 192.168.84.53 – 201.68.109.153
c. 192.168.84.74 – 201.68.109.174
d. 192.168.84.80 – 201.68.109.180
7. Set up PAT on R1. Create the PAT entry so that the workstation subnet (172.21.35.0/24) is translated out as R1's external interface (201.68.109.98).
8. Configure R3 as a DHCP server with a DHCP pool of 172.21.35.0/24. Ensure clients receive the correct default gateway for the network, and use the AD server for DNS. Exclude addresses 172.21.35.1 – 172.21.35.25 from being assigned by DHCP.
9. Create and apply an access control list on R1 using the information below. (Remember you used NAT previously!!!)
a. Allow SMTP from the Internet to Mail.
b. Allow HTTP and HTTPS from the Internet to WWW and File.
c. Allow DNS requests from the Internet to AD.
d. Deny and log all other requests from the Internet to every server.
10. Create and apply access control lists on R3 using the information below.
a. Allow hosts on the workstation network to access LDAP, Kerberos, and RPC services on AD.
b. Block and log workstation hosts from accessing File and WWW via SSH. Allow and log all other requests from workstations.
c. Block and log all requests to workstation hosts using the Remote Desktop Protocol.
d. Ensure all other services are allowed into the workstation network.
11. Set up AAA on R1, R2, and R3 so that users are authenticated by the Active Directory / ACS server (192.168.84.53) for all local and remote management connections. Use Cisco123 as your RADIUS key. Only permit SSH connections from the server network segment on each router. Enable SSH and disable all other remote management services.
Once you have completed the lab, save it in softcopy (the configuration files OR the Packet Tracer file). Upload your file(s) to Blackboard.






Configuration R2: 

enable
configure terminal
hostname R2
!
aaa new-model
aaa authentication login default group radius local
! Local fallback account, used only if the RADIUS server is unreachable
username Cisco123 secret 123
!
! The domain name and RSA key pair must exist before SSH accepts connections
ip domain-name CCNASecurity.com
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 60
!
interface GigabitEthernet0/0
 ip address 201.68.109.130 255.255.255.128
 no shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.84.1 255.255.255.0
 no shutdown
!
! Task 4 asks for OSPF only (no EIGRP); the server network must be advertised
! in Area 0 or R1 and the ISP have no route to 192.168.84.1
router ospf 100
 log-adjacency-changes
 passive-interface GigabitEthernet0/1
 network 201.68.109.128 0.0.0.127 area 0
 network 192.168.84.0 0.0.0.255 area 0
!
radius-server host 192.168.84.53 auth-port 1812
radius-server key Cisco123
!
! Task 11: management sessions only from the server segment, SSH only
access-list 5 permit 192.168.84.0 0.0.0.255
line vty 0 4
 access-class 5 in
 login authentication default
 transport input ssh
!
end



Configuration ISP:

enable
configure terminal
hostname ISP
!
interface GigabitEthernet0/1
 ip address 201.68.109.97 255.255.255.252
 no shutdown
!
! Task 3: workstation and backbone transport networks via R1's outside address;
! the server network is added so the task 4c ping to 192.168.84.1 has a return route
ip route 172.21.35.0 255.255.255.0 201.68.109.98
ip route 192.168.84.0 255.255.255.0 201.68.109.98
ip route 201.68.109.128 255.255.255.128 201.68.109.98
!
end


Configuration R1:


enable
configure terminal
hostname R1
!
aaa new-model
aaa authentication login default group radius local
! Local fallback account, used only if the RADIUS server is unreachable
username Cisco123 secret 123
!
! The domain name and RSA key pair must exist before SSH accepts connections
ip domain-name CCNASecurity.com
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 60
!
! Outside interface: ACL 20 is applied outbound only, so it sees sources after
! NAT (translated hosts pass, untranslated RFC 1918 sources are dropped)
interface GigabitEthernet0/0
 ip address 201.68.109.98 255.255.255.252
 ip access-group 20 out
 ip nat outside
 no shutdown
!
! Inside interface: ACL 110 is applied outbound only, so it sees destinations
! after the static NAT entries have mapped public addresses back to the servers;
! applying ACL 20 inbound here would drop every inside host before NAT
interface GigabitEthernet0/1
 ip address 201.68.109.129 255.255.255.128
 ip access-group 110 out
 ip nat inside
 no shutdown
!
router ospf 100
 log-adjacency-changes
 passive-interface GigabitEthernet0/0
 network 201.68.109.128 0.0.0.127 area 0
 default-information originate
!
! Task 7 PAT for the workstation subnet, task 6 static translations
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.84.80 201.68.109.180
ip nat inside source static 192.168.84.74 201.68.109.174
ip nat inside source static 192.168.84.53 201.68.109.153
ip nat inside source static 192.168.84.45 201.68.109.145
!
! Task 2 default route to the ISP
ip route 0.0.0.0 0.0.0.0 201.68.109.97
!
access-list 10 permit 172.21.35.0 0.0.0.255
!
! Task 5: RFC 1918 sources may not leave for the Internet
access-list 20 deny 10.0.0.0 0.255.255.255
access-list 20 deny 172.16.0.0 0.15.255.255
access-list 20 deny 192.168.0.0 0.0.255.255
access-list 20 permit any
!
! Task 9: Mail (.74), WWW and File (.80, .45), AD (.53); other traffic to the
! server segment is denied and logged, everything else (task 4c pings to R2/R3
! and replies to PAT'd workstations) is permitted
access-list 110 permit tcp any host 192.168.84.74 eq smtp
access-list 110 permit tcp any host 192.168.84.80 eq www
access-list 110 permit tcp any host 192.168.84.80 eq 443
access-list 110 permit tcp any host 192.168.84.45 eq www
access-list 110 permit tcp any host 192.168.84.45 eq 443
access-list 110 permit udp any host 192.168.84.53 eq domain
access-list 110 deny ip any 192.168.84.0 0.0.0.255 log
access-list 110 permit ip any any
!
radius-server host 192.168.84.53 auth-port 1812
radius-server key Cisco123
!
! Task 11: management sessions only from the server segment, SSH only;
! under aaa new-model the line must use the AAA method list, not 'login local'
access-list 5 permit 192.168.84.0 0.0.0.255
line vty 0 4
 access-class 5 in
 login authentication default
 transport input ssh
!
end
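The hint in task 9 ("Remember you used NAT previously!!!") and the placement of ACLs 20 and 110 on R1 come down to the IOS order of operations: an inbound ACL is evaluated before NAT, an outbound ACL after it. The Python model below is an added example, not part of this lab hand-in or any Cisco code. It implements wildcard-mask matching, first-match ACL evaluation with the implicit deny, and R1's static and PAT translations from tasks 6 and 7, then evaluates each ACL from both possible placements. The names Packet, Ace, evaluate, check_at and compare_placements and the scenario packets are assumptions made for the example; only destination ports are matched, PAT is modelled inside-to-outside only, and ACL 110 is written per task 9d with a logged deny for the server segment followed by a permit for everything else.

```python
"""Cisco IOS ACL matching and the NAT order of operations on R1 (added example,
not part of the lab hand-in or any Cisco code). Addresses, ports and NAT mappings
come from the lab text; the scenario packets are constructed."""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")       # IOS keyword 'any'

def host(ip):                               # IOS keyword 'host X'
    return (ip, "0.0.0.0")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: "int | None" = None

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: "int | None" = None  # None matches any destination port
    log: bool = False

def evaluate(acl, pkt):
    """First match wins; the implicit 'deny ip any any' (index -1) is not logged."""
    for i, ace in enumerate(acl):
        if (ace.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, ace.src, ace.src_wc)
                and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)
                and (ace.dport is None or ace.dport == pkt.dport)):
            return ace.action, ace.log, i
    return "deny", False, -1

# Task 6 static translations and the task 7 PAT pool (access-list 10).
STATIC_NAT = {"192.168.84.45": "201.68.109.145", "192.168.84.53": "201.68.109.153",
              "192.168.84.74": "201.68.109.174", "192.168.84.80": "201.68.109.180"}
PAT_SOURCES = ("172.21.35.0", "0.0.0.255")
PAT_GLOBAL = "201.68.109.98"

def nat_inside_to_outside(pkt):
    """Inside to outside: the source is rewritten; without an entry it leaves untranslated."""
    if pkt.src in STATIC_NAT:
        return Packet(pkt.proto, STATIC_NAT[pkt.src], pkt.dst, pkt.dport)
    if wildcard_match(pkt.src, *PAT_SOURCES):
        return Packet(pkt.proto, PAT_GLOBAL, pkt.dst, pkt.dport)
    return pkt

def nat_outside_to_inside(pkt):
    """Outside to inside: a static inside-global destination maps back to its host."""
    reverse = {g: l for l, g in STATIC_NAT.items()}
    return Packet(pkt.proto, pkt.src, reverse[pkt.dst], pkt.dport) if pkt.dst in reverse else pkt

def check_at(acl, placement, nat, pkt):
    """IOS order of operations: an inbound ACL sees the packet before NAT, an
    outbound ACL sees it after NAT. Returns (action, logged, ace_index)."""
    return evaluate(acl, pkt if placement == "in" else nat(pkt))

# ACL 110 written with the servers' private addresses, ending with the task 9d
# logged deny for the server segment and a permit for everything else.
ACL_110 = [
    Ace("permit", "tcp", *ANY, *host("192.168.84.74"), 25),
    Ace("permit", "tcp", *ANY, *host("192.168.84.80"), 80),
    Ace("permit", "tcp", *ANY, *host("192.168.84.80"), 443),
    Ace("permit", "tcp", *ANY, *host("192.168.84.45"), 80),
    Ace("permit", "tcp", *ANY, *host("192.168.84.45"), 443),
    Ace("permit", "udp", *ANY, *host("192.168.84.53"), 53),
    Ace("deny", "ip", *ANY, "192.168.84.0", "0.0.0.255", log=True),
    Ace("permit", "ip", *ANY, *ANY),
]
# ACL 20 (task 5): RFC 1918 sources may not leave for the Internet.
ACL_20 = [
    Ace("deny", "ip", "10.0.0.0", "0.255.255.255", *ANY),
    Ace("deny", "ip", "172.16.0.0", "0.15.255.255", *ANY),
    Ace("deny", "ip", "192.168.0.0", "0.0.255.255", *ANY),
    Ace("permit", "ip", *ANY, *ANY),
]

# Constructed scenarios: unsolicited SSH from the Internet to the public address
# of the .80 server, and a workstation browsing out to the Internet.
SSH_TO_SERVER = Packet("tcp", "198.51.100.7", "201.68.109.180", 22)
WS_TO_INTERNET = Packet("tcp", "172.21.35.26", "198.51.100.7", 443)

def compare_placements():
    """Each ACL from both placements: inbound sees pre-NAT addresses, outbound post-NAT."""
    return {"110_in_on_outside": check_at(ACL_110, "in", nat_outside_to_inside, SSH_TO_SERVER),
            "110_out_on_inside": check_at(ACL_110, "out", nat_outside_to_inside, SSH_TO_SERVER),
            "20_in_on_inside": check_at(ACL_20, "in", nat_inside_to_outside, WS_TO_INTERNET),
            "20_out_on_outside": check_at(ACL_20, "out", nat_inside_to_outside, WS_TO_INTERNET)}

if __name__ == "__main__":
    print(compare_placements())
```

Running it shows why the ACLs belong where they do. ACL 110, which names the servers' private addresses, never matches those entries when placed inbound on Gi0/0, because there the router still sees the public destination 201.68.109.180; the unsolicited SSH falls through to the final permit (index 7). Outbound on Gi0/1, after static NAT has mapped the destination back to 192.168.84.80, the same packet hits the logged deny (index 6). ACL 20 is the mirror case: inbound on Gi0/1 it drops the workstation before PAT rewrites its source (index 1), while outbound on Gi0/0 it sees 201.68.109.98 and permits (index 3), dropping only sources that left untranslated.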


Configuration R3:


enable
configure terminal
hostname R3
!
! Task 8: DHCP for the workstation network, first 25 addresses reserved
ip dhcp excluded-address 172.21.35.1 172.21.35.25
!
ip dhcp pool WORKSTATIONS
 network 172.21.35.0 255.255.255.0
 default-router 172.21.35.1
 dns-server 192.168.84.53
!
aaa new-model
aaa authentication login default group radius local
! Local fallback account, used only if the RADIUS server is unreachable
username Cisco123 secret 123
!
! The domain name and RSA key pair must exist before SSH accepts connections
ip domain-name CCNASecurity.com
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 60
!
! Backbone interface: no ACL here; an inbound filter that only permits traffic
! to 172.21.35.0/24 would also drop the OSPF hellos from R1 and the task 4c
! pings to 201.68.109.131
interface GigabitEthernet0/0
 ip address 201.68.109.131 255.255.255.128
 no shutdown
!
! Workstation interface: ACL 120 filters what the workstations send (task 10a/b),
! ACL 125 filters what reaches them (task 10c/d)
interface GigabitEthernet0/1
 ip address 172.21.35.1 255.255.255.0
 ip access-group 120 in
 ip access-group 125 out
 no shutdown
!
router ospf 100
 log-adjacency-changes
 passive-interface GigabitEthernet0/1
 network 201.68.109.128 0.0.0.127 area 0
 network 172.21.35.0 0.0.0.255 area 0
!
! Task 10a: LDAP, Kerberos and RPC (endpoint mapper plus the AD static RPC ports) on AD
access-list 120 permit tcp 172.21.35.0 0.0.0.255 host 192.168.84.53 eq 389
access-list 120 permit tcp 172.21.35.0 0.0.0.255 host 192.168.84.53 eq 88
access-list 120 permit tcp 172.21.35.0 0.0.0.255 host 192.168.84.53 eq 135
access-list 120 permit tcp 172.21.35.0 0.0.0.255 host 192.168.84.53 eq 2101
access-list 120 permit tcp 172.21.35.0 0.0.0.255 host 192.168.84.53 eq 2103
access-list 120 permit tcp 172.21.35.0 0.0.0.255 host 192.168.84.53 eq 2105
! Task 10b: SSH from the workstations to File and WWW (.45, .80) is denied and
! logged; everything else from the workstations is permitted and logged
access-list 120 deny tcp host 172.21.35.26 host 192.168.84.45 eq 22 log
access-list 120 deny tcp host 172.21.35.27 host 192.168.84.45 eq 22 log
access-list 120 deny tcp host 172.21.35.26 host 192.168.84.80 eq 22 log
access-list 120 deny tcp host 172.21.35.27 host 192.168.84.80 eq 22 log
access-list 120 permit ip any any log
! Task 10c/d: RDP to the workstations is denied and logged, all other services allowed in
access-list 125 deny tcp any host 172.21.35.26 eq 3389 log
access-list 125 deny tcp any host 172.21.35.27 eq 3389 log
access-list 125 permit ip any 172.21.35.0 0.0.0.255
!
radius-server host 192.168.84.53 auth-port 1812
radius-server key Cisco123
!
! Task 11: management sessions only from the server segment, SSH only
access-list 5 permit 192.168.84.0 0.0.0.255
line vty 0 4
 access-class 5 in
 login authentication default
 transport input ssh
!
end


Not finished!!!


END !~!



