- Equipment List
- General Guidelines
- Setting Up the Lab
- Practice Lab 1 Exercises Section 1.0: Basic Configuration (10 points)
- Section 2.0: Routing Configuration (25 points)
- Section 3.0: ISDN Configuration (8 points)
- Section 4.0: PIX Configuration (5 points)
- Section 5.0: IPSec/GRE Configuration (10 points)
- Section 6.0: IOS Firewall + IOS IDS Configuration (10 points)
- Section 7.0: AAA (7 points)
- Section 8.0: Advanced Security (10 points)
- Section 9.0: IP Services and Protocol-Independent Features (10 points)
- Section 10.0: Security Violations (5 points)
- Verification, Hints, and Troubleshooting Tips
- Section 1.0: Basic Configuration
- Section 2.0: Routing Configuration
- Section 3.0: ISDN Configuration
- Section 4.0: PIX Configuration
- Section 5.0: IPSec/GRE Configuration
- Section 6.0: IOS Firewall Configuration
- Section 7.0: AAA
- Section 8.0: Advanced Security
- Section 9.0: IP Services and Protocol-Independent Features
- Section 10.0: Security Violations
Section 9.0: IP Services and Protocol-Independent Features
9.1: NAT
Configure NAT for Loopback3 192.168.3.1/24.
The objective is that traffic sourced from Loopback3 to anywhere on the network is translated to the address of the egress interface. For example, if you ping 122.122.122.122, it will use egress interface Serial1/0.3, whereas if you ping 144.144.144.144, it will use egress interface Serial1/0.1. If you ping 166.166.166.166, it will use egress interface FastEthernet0/0. To configure this multihomed NAT, enter the following:

ip nat inside source route-map fastethernet0/0 interface FastEthernet0/0 overload
ip nat inside source route-map serial1/0.1 interface Serial1/0.1 overload
ip nat inside source route-map serial1/0.3 interface Serial1/0.3 overload
!
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
!
route-map serial1/0.1 permit 10
 match ip address 102
 match interface Serial1/0.1
!
route-map serial1/0.3 permit 10
 match ip address 102
 match interface Serial1/0.3
!
route-map fastethernet0/0 permit 10
 match ip address 102
 match interface FastEthernet0/0
To test multihomed NAT, enter the following:
! "debug ip nat" on R3 and ping 122.122.122.122, 144.144.144.144 and 166.166.166.166
! sourcing from Loopback3:

r3#ping ip
Target IP address: 122.122.122.122
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 122.122.122.122, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/68/68 ms
r3#
4d14h: NAT: s=192.168.3.1->10.50.13.18, d=122.122.122.122 [195]
4d14h: NAT*: s=122.122.122.122, d=10.50.13.18->192.168.3.1 [195]
4d14h: NAT: s=192.168.3.1->10.50.13.18, d=122.122.122.122 [196]
4d14h: NAT*: s=122.122.122.122, d=10.50.13.18->192.168.3.1 [196]
4d14h: NAT: s=192.168.3.1->10.50.13.18, d=122.122.122.122 [197]
4d14h: NAT*: s=122.122.122.122, d=10.50.13.18->192.168.3.1 [197]
4d14h: NAT: s=192.168.3.1->10.50.13.18, d=122.122.122.122 [198]
4d14h: NAT*: s=122.122.122.122, d=10.50.13.18->192.168.3.1 [198]
4d14h: NAT: s=192.168.3.1->10.50.13.18, d=122.122.122.122 [199]
4d14h: NAT*: s=122.122.122.122, d=10.50.13.18->192.168.3.1 [199]
r3#
r3#ping ip
Target IP address: 144.144.144.144
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.144.144.144, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/99/101 ms
r3#
4d14h: NAT: s=192.168.3.1->10.50.13.2, d=144.144.144.144 [210]
4d14h: NAT*: s=144.144.144.144, d=10.50.13.2->192.168.3.1 [210]
4d14h: NAT: s=192.168.3.1->10.50.13.2, d=144.144.144.144 [211]
4d14h: NAT*: s=144.144.144.144, d=10.50.13.2->192.168.3.1 [211]
4d14h: NAT: s=192.168.3.1->10.50.13.2, d=144.144.144.144 [212]
4d14h: NAT*: s=144.144.144.144, d=10.50.13.2->192.168.3.1 [212]
4d14h: NAT: s=192.168.3.1->10.50.13.2, d=144.144.144.144 [213]
4d14h: NAT*: s=144.144.144.144, d=10.50.13.2->192.168.3.1 [213]
4d14h: NAT: s=192.168.3.1->10.50.13.2, d=144.144.144.144 [214]
4d14h: NAT*: s=144.144.144.144, d=10.50.13.2->192.168.3.1 [214]
r3#
r3#ping ip
Target IP address: 166.166.166.166
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 166.166.166.166, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
r3#
4d14h: NAT: s=192.168.3.1->10.50.31.2, d=166.166.166.166 [205]
4d14h: NAT*: s=166.166.166.166, d=10.50.31.2->192.168.3.1 [205]
4d14h: NAT: s=192.168.3.1->10.50.31.2, d=166.166.166.166 [206]
4d14h: NAT*: s=166.166.166.166, d=10.50.31.2->192.168.3.1 [206]
4d14h: NAT: s=192.168.3.1->10.50.31.2, d=166.166.166.166 [207]
4d14h: NAT*: s=166.166.166.166, d=10.50.31.2->192.168.3.1 [207]
4d14h: NAT: s=192.168.3.1->10.50.31.2, d=166.166.166.166 [208]
4d14h: NAT*: s=166.166.166.166, d=10.50.31.2->192.168.3.1 [208]
4d14h: NAT: s=192.168.3.1->10.50.31.2, d=166.166.166.166 [209]
4d14h: NAT*: s=166.166.166.166, d=10.50.31.2->192.168.3.1 [209]
The preceding test from R3 confirms that traffic sourced from Loopback3 is translated to the address of the egress interface selected by the route map:

Ping 122.122.122.122: NATed to 10.50.13.18, egress Serial1/0.3
Ping 144.144.144.144: NATed to 10.50.13.2, egress Serial1/0.1
Ping 166.166.166.166: NATed to 10.50.31.2, egress FastEthernet0/0
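Reading a few hundred lines of debug ip nat by eye is error-prone, so the following is an added example (not from the lab book) that checks a captured debug ip nat transcript against the task 9.1 design: every outbound translation of Loopback3 must use the inside-global address of the egress interface the route map selects, and every echo must come back and be untranslated. The debug lines in SAMPLE are copied from the transcript above; the two lines marked constructed, the expected-mapping table layout and the function names are this example's own assumptions.

```python
"""Validate a "debug ip nat" capture against the multihomed NAT design.
Added example, not from the lab book."""
import re

INSIDE_LOCAL = "192.168.3.1"                # Loopback3, the NAT inside address

EXPECTED = {                                # destination -> (inside global, egress)
    "122.122.122.122": ("10.50.13.18", "Serial1/0.3"),
    "144.144.144.144": ("10.50.13.2", "Serial1/0.1"),
    "166.166.166.166": ("10.50.31.2", "FastEthernet0/0"),
}

# outbound: "NAT: s=<inside local>-><inside global>, d=<destination> [ip id]"
OUTBOUND = re.compile(r"NAT: s=([\d.]+)->([\d.]+), d=([\d.]+) \[(\d+)\]")
# reply:    "NAT*: s=<destination>, d=<inside global>-><inside local> [ip id]"
INBOUND = re.compile(r"NAT\*: s=([\d.]+), d=([\d.]+)->([\d.]+) \[(\d+)\]")


def parse_debug(lines):
    """Return ({(dst, id): (inside local, inside global)}, {(dst, id) answered})."""
    outbound, answered = {}, set()
    for line in lines:
        m = OUTBOUND.search(line)
        if m:
            local, glob, dst, ident = m.groups()
            outbound[(dst, ident)] = (local, glob)
            continue
        m = INBOUND.search(line)
        if m:
            dst, glob, local, ident = m.groups()
            answered.add((dst, ident))
    return outbound, answered


def check_multihomed(lines, expected=EXPECTED, inside_local=INSIDE_LOCAL):
    """Classify every outbound translation: ok, wrong_egress (translated to an
    address other than the expected interface's), no_reply (no untranslated
    reply seen for that IP id), or unexpected_source (not Loopback3)."""
    outbound, answered = parse_debug(lines)
    findings = {"ok": [], "wrong_egress": [], "no_reply": [], "unexpected_source": []}
    for (dst, ident), (local, glob) in outbound.items():
        want = expected.get(dst)
        if local != inside_local:
            findings["unexpected_source"].append((dst, ident, local))
        elif want is None or want[0] != glob:
            findings["wrong_egress"].append((dst, ident, glob))
        elif (dst, ident) not in answered:
            findings["no_reply"].append((dst, ident))
        else:
            findings["ok"].append((dst, ident, glob, want[1]))
    return findings


SAMPLE = [
    # copied from the R3 transcript
    "4d14h: NAT: s=192.168.3.1->10.50.13.18, d=122.122.122.122 [195]",
    "4d14h: NAT*: s=122.122.122.122, d=10.50.13.18->192.168.3.1 [195]",
    "4d14h: NAT: s=192.168.3.1->10.50.13.2, d=144.144.144.144 [210]",
    "4d14h: NAT*: s=144.144.144.144, d=10.50.13.2->192.168.3.1 [210]",
    "4d14h: NAT: s=192.168.3.1->10.50.31.2, d=166.166.166.166 [205]",
    "4d14h: NAT*: s=166.166.166.166, d=10.50.31.2->192.168.3.1 [205]",
    # constructed: a translation to the wrong interface address, and an
    # echo whose reply never came back through NAT
    "4d14h: NAT: s=192.168.3.1->10.50.13.2, d=122.122.122.122 [300]",
    "4d14h: NAT: s=192.168.3.1->10.50.31.2, d=166.166.166.166 [301]",
]

if __name__ == "__main__":
    for kind, items in check_multihomed(SAMPLE).items():
        print(kind, items)
```

A wrong_egress finding usually means the route map for that interface did not match (wrong ACL or interface name in the match clause), while a no_reply finding with a successful ping points at the reply arriving on an interface that is not marked as NAT outside, so run the check on the full capture rather than a handful of lines.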
9.2: NTP
Configure R2 as NTP Server and R1 as NTP Client.
Configure authentication using an MD5 key. NTP status and authentication with R2 is confirmed from R1 as follows:

r1#show ntp status
Clock is synchronized, stratum 9, reference is 10.50.13.34
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is C1D5BFAA.20689871 (00:22:02.126 UTC Mon Jan 20 2003)
clock offset is 1.6778 msec, root delay is 64.39 msec
root dispersion is 126.82 msec, peer dispersion is 0.12 msec
r1#
r1#show ntp associations detail
10.50.13.34 configured, authenticated, our_master, sane, valid, stratum 8
ref ID 127.127.7.1, time C1D5BF88.FE740124 (00:21:28.993 UTC Mon Jan 20 2003)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 125.03, reach 377, sync dist 157.349
delay 64.39 msec, offset 1.6778 msec, dispersion 0.12
precision 2**16, version 3
org time C1D5BFAA.188E6A78 (00:22:02.095 UTC Mon Jan 20 2003)
rcv time C1D5BFAA.20689871 (00:22:02.126 UTC Mon Jan 20 2003)
xmt time C1D5BFAA.0FC3685F (00:22:02.061 UTC Mon Jan 20 2003)
filtdelay =    64.67   64.39   64.50   64.45   64.67   64.39   64.80   67.99
filtoffset =    1.66    1.68    1.60    1.55    1.57    1.55    1.66   -0.13
filterror =     0.02    0.03    0.05    0.06    0.08    0.09    0.11    0.12
r1#
r1#show clock
00:25:19.586 UTC Mon Jan 20 2003
r1#

The authenticated flag in the association detail is what confirms that the key is actually in use; a synchronized clock alone does not.

In some IOS releases, the NTP authentication commands must be entered in a particular order. The following is the exact order that confirmed operation.

Remember that you have an inbound access list applied to the serial link on R2; you need to allow NTP.

For R2 (master), enter the commands in the following sequence:

ntp authentication-key 1 md5 cisco
ntp master 2

For R1 (client), enter the commands in the following sequence:

ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 10.50.13.34 key 1
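To show what the md5 key actually does on the wire, here is an added example (not from the lab book) of the NTPv3 authenticator that R1 and R2 exchange once the commands above are in place. Per RFC 1305 (and RFC 5905 for v4) the authenticator is the 4-byte key id followed by MD5(key || NTP header), appended after the 48-byte header. Key id 1 and the key cisco are the lab's values; the packet contents, the absence of extension fields, and the function names are this example's assumptions.

```python
"""NTPv3 MD5 authentication: compute and verify the authenticator.
Added example, not from the lab book; assumes no extension fields."""
import hashlib
import hmac
import struct
import time

HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
KEYS = {1: b"cisco"}                   # ntp authentication-key 1 md5 cisco
TRUSTED = frozenset({1})               # ntp trusted-key 1


def build_client_header(transmit_secs=None):
    """Minimal NTPv3 client request: LI=0, VN=3, Mode=3, transmit timestamp set."""
    if transmit_secs is None:
        transmit_secs = int(time.time()) + NTP_EPOCH_OFFSET
    header = bytearray(HEADER_LEN)
    header[0] = (0 << 6) | (3 << 3) | 3                         # LI | VN | Mode
    struct.pack_into("!I", header, 40, transmit_secs & 0xFFFFFFFF)  # xmt seconds
    return bytes(header)


def ntp_digest(key, header):
    """The RFC 1305 authenticator: MD5 over the key prepended to the header."""
    return hashlib.md5(key + header).digest()


def authenticate(header, key_id, keys=KEYS):
    """What 'ntp server 10.50.13.34 key 1' sends (and the master echoes back)."""
    return header + struct.pack("!I", key_id) + ntp_digest(keys[key_id], header)


def verify(packet, keys=KEYS, trusted=TRUSTED):
    """Receiver-side check, the equivalent of 'ntp authenticate' plus
    'ntp trusted-key': returns (ok, reason). Only a trusted key id whose
    digest matches is accepted; the comparison is constant-time."""
    if len(packet) != HEADER_LEN + 20:
        return False, "no authenticator"
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id not in keys or key_id not in trusted:
        return False, "key id %d not trusted" % key_id
    if not hmac.compare_digest(ntp_digest(keys[key_id], header), trailer[4:]):
        return False, "bad digest"
    return True, "authenticated"


if __name__ == "__main__":
    request = authenticate(build_client_header(0x12345678), 1)
    print(verify(request))                                        # (True, 'authenticated')
    altered = request[:40] + b"\x00\x00\x00\x01" + request[44:]   # timestamp changed in transit
    print(verify(altered))                                        # (False, 'bad digest')
    print(verify(authenticate(build_client_header(), 1, {1: b"wrong"})))  # (False, 'bad digest')
```

Two points follow from the construction: the digest covers only the header, so a mismatched key id on either side fails before the digest is even compared (hence the ordering sensitivity of ntp trusted-key and ntp server ... key 1), and the scheme provides integrity and peer authentication only, not confidentiality or replay protection, which is why the inbound access list on R2's serial link still matters.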
9.3: SNMP
Configure R3 to send SNMP traps when a configuration change happens and for BGP:

snmp-server community public RO
snmp-server community private RW
snmp-server enable traps config
snmp-server enable traps bgp
snmp-server host 10.50.31.99 public config bgp

! snip from R3 test using "debug snmp packets":

r3#debug snmp packets
SNMP packet debugging is on
r3#
r3#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
r3(config)#
5d00h: SNMP: Queuing packet to 10.50.31.99
5d00h: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr 10.50.31.2, gentrap 6, spectrap 1
 ccmHistoryEventEntry.3.162 = 1
 ccmHistoryEventEntry.4.162 = 2
 ccmHistoryEventEntry.5.162 = 3
5d00h: SNMP: Packet sent via UDP to 10.50.31.99
r3(config)#end
r3#
r3#clear ip bgp *
r3#
5d00h: %BGP-5-ADJCHANGE: neighbor 10.50.13.1 Down User reset
5d00h: SNMP: Queuing packet to 10.50.31.99
5d00h: SNMP: V1 Trap, ent bgp, addr 10.50.31.2, gentrap 6, spectrap 2
 bgpPeerEntry.14.10.50.13.1 = 00 00
 bgpPeerEntry.2.10.50.13.1 = 1
5d00h: %BGP-5-ADJCHANGE: neighbor 10.50.13.17 Down User reset
5d00h: SNMP: Queuing packet to 10.50.31.99
5d00h: SNMP: V1 Trap, ent bgp, addr 10.50.31.2, gentrap 6, spectrap 2
 bgpPeerEntry.14.10.50.13.17 = 00 00
 bgpPeerEntry.2.10.50.13.17 = 1
5d00h: %BGP-5-ADJCHANGE: neighbor 10.50.31.22 Down User reset
r3#
5d00h: SNMP: Queuing packet to 10.50.31.99
5d00h: SNMP: V1 Trap, ent bgp, addr 10.50.31.2, gentrap 6, spectrap 2
 bgpPeerEntry.14.10.50.31.22 = 04 00
 bgpPeerEntry.2.10.50.31.22 = 1
5d00h: SNMP: Packet sent via UDP to 10.50.31.99
5d00h: SNMP: Packet sent via UDP to 10.50.31.99
5d00h: SNMP: Packet sent via UDP to 10.50.31.99
r3#

! Snip from PIX config and ACL:

pix# show access-list outside
access-list outside permit udp host 10.50.31.2 host 10.50.31.99 eq snmptrap (hitcnt=44)
pix# show static
static (inside,outside) 10.50.31.99 192.168.6.99 netmask 255.255.255.255 0 0
pix#
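The traps above are only useful if the receiver turns them into events, so here is an added example (not from the lab book) that parses the debug snmp packets transcript into the two event types the lab enables: a config-change event from ciscoConfigManEvent and a peer-down event from bgpBackwardTransition. The SAMPLE lines are copied from the R3 transcript; the enumeration names are taken from CISCO-CONFIG-MAN-MIB, BGP4-MIB and the RFC 4271 notification error codes, and the function names and event layout are this example's own.

```python
"""Decode IOS "debug snmp packets" V1 trap output into monitoring events.
Added example, not from the lab book."""
import re

TRAP = re.compile(r"SNMP: V1 Trap, ent (\S+), addr ([\d.]+), gentrap (\d+), spectrap (\d+)")
VARBIND = re.compile(r"^\s*([A-Za-z]\w*(?:\.\d+)+) = (.+?)\s*$")
LOGLINE = re.compile(r"^\w+: ")                  # any other timestamped line ends a trap

BGP_STATE = {1: "idle", 2: "connect", 3: "active", 4: "opensent",
             5: "openconfirm", 6: "established"}                 # BGP4-MIB bgpPeerState
BGP_ERROR = {0: "none", 1: "message header", 2: "OPEN message", 3: "UPDATE message",
             4: "hold timer expired", 5: "FSM error", 6: "cease"}  # RFC 4271 error codes
CCM_COMMAND_SOURCE = {1: "commandLine", 2: "snmp"}               # ccmHistoryEventCommandSource
CCM_CONFIG = {1: "erase", 2: "commandSource", 3: "running", 4: "startup",
              5: "local", 6: "networkTftp", 7: "networkRcp"}     # ccmHistoryEventConfigSource/Destination


def parse_traps(lines):
    """Group each 'V1 Trap' line with the varbind lines that follow it."""
    events, current = [], None
    for line in lines:
        m = TRAP.search(line)
        if m:
            current = {"enterprise": m.group(1), "agent": m.group(2),
                       "generic": int(m.group(3)), "specific": int(m.group(4)),
                       "varbinds": {}}
            events.append(current)
        elif current is not None and VARBIND.match(line):
            name, value = VARBIND.match(line).groups()
            current["varbinds"][name] = value
        elif LOGLINE.match(line):
            current = None
    return events


def decode(event):
    """Map the two trap types enabled in the lab to readable events."""
    vb = event["varbinds"]
    if event["enterprise"] == "bgp" and event["specific"] == 2:          # bgpBackwardTransition
        peer = next(k for k in vb if k.startswith("bgpPeerEntry.2.")).split(".", 2)[2]
        state = int(vb["bgpPeerEntry.2." + peer])
        err = bytes.fromhex(vb.get("bgpPeerEntry.14." + peer, "00 00").replace(" ", ""))
        return {"type": "bgp_backward_transition", "agent": event["agent"], "peer": peer,
                "state": BGP_STATE.get(state, str(state)),
                "last_error": BGP_ERROR.get(err[0], "code %d" % err[0]),
                "last_error_subcode": err[1]}
    if event["enterprise"] == "ciscoConfigManMIB.2" and event["specific"] == 1:  # ciscoConfigManEvent
        def column(n):
            return next(int(v) for k, v in vb.items()
                        if k.startswith("ccmHistoryEventEntry.%d." % n))
        return {"type": "config_change", "agent": event["agent"],
                "command_source": CCM_COMMAND_SOURCE.get(column(3), "?"),
                "config_source": CCM_CONFIG.get(column(4), "?"),
                "config_destination": CCM_CONFIG.get(column(5), "?")}
    return {"type": "other", "agent": event["agent"],
            "enterprise": event["enterprise"], "specific": event["specific"]}


def analyze(lines):
    return [decode(e) for e in parse_traps(lines)]


def peers_down(decoded):
    """Peers that fell back to idle, as a sorted alert list."""
    return sorted({e["peer"] for e in decoded
                   if e["type"] == "bgp_backward_transition" and e["state"] == "idle"})


SAMPLE = """\
5d00h: SNMP: Queuing packet to 10.50.31.99
5d00h: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr 10.50.31.2, gentrap 6, spectrap 1
 ccmHistoryEventEntry.3.162 = 1
 ccmHistoryEventEntry.4.162 = 2
 ccmHistoryEventEntry.5.162 = 3
5d00h: SNMP: Packet sent via UDP to 10.50.31.99
5d00h: %BGP-5-ADJCHANGE: neighbor 10.50.13.1 Down User reset
5d00h: SNMP: Queuing packet to 10.50.31.99
5d00h: SNMP: V1 Trap, ent bgp, addr 10.50.31.2, gentrap 6, spectrap 2
 bgpPeerEntry.14.10.50.13.1 = 00 00
 bgpPeerEntry.2.10.50.13.1 = 1
5d00h: SNMP: V1 Trap, ent bgp, addr 10.50.31.2, gentrap 6, spectrap 2
 bgpPeerEntry.14.10.50.31.22 = 04 00
 bgpPeerEntry.2.10.50.31.22 = 1
""".splitlines()

if __name__ == "__main__":
    events = analyze(SAMPLE)
    for e in events:
        print(e)
    print("peers down:", peers_down(events))
```

The config-change trap decodes to commandLine / commandSource / running, which is exactly an operator entering configure terminal; a command_source of snmp would mean the RW community was used to write the configuration, which is the event a monitoring rule on this trap should single out. The bgpPeerLastError varbind is the last error stored for that peer, not the cause of this transition, so the "hold timer expired" on 10.50.31.22 refers to an earlier session while the current drop is the user reset.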
9.4: Policy Routing
Configure policy routing on R1 to change the next hop for traffic to the mail and web servers behind R3:

interface Serial2/0.2 point-to-point
 ip address 10.50.13.33 255.255.255.240
 ip policy route-map server
!
interface Serial2/0.3 point-to-point
 ip address 10.50.13.1 255.255.255.240
 ip policy route-map server
!
ip local policy route-map server
!
access-list 101 permit ip any host 10.50.31.98
access-list 102 permit ip any host 10.50.31.99
!
route-map server permit 10
 match ip address 101
 set ip next-hop 10.50.13.34
!
route-map server permit 20
 match ip address 102
 set ip next-hop 10.50.13.2
!
route-map server permit 30

! Verify with traceroute:

r1#traceroute 10.50.31.98
Type escape sequence to abort.
Tracing the route to 10.50.31.98
  1 10.50.13.34 !A  *  !A
r1#traceroute 10.50.31.99
Type escape sequence to abort.
Tracing the route to 10.50.31.99
  1 10.50.13.2 32 msec 32 msec 32 msec
  2  *  *  *
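The route map above is evaluated first match wins, and a permit sequence with no set clause (sequence 30) hands the packet back to the routing table rather than dropping it; the same is true of a packet that matches nothing. Here is an added example (not from the lab book) that implements that evaluation, including extended-ACL matching with any, host and wildcard fields, so the lab's route map can be checked offline. It is the general algorithm of which the page shows one instance. The ACLs, sequences and next hops are the lab's; the packet addresses, the routing-table placeholder and the function names are this example's own assumptions. Note also that the traceroute is sourced by R1 itself, so it is the ip local policy route-map server line that policy-routes it; the ip policy statements on the two serial subinterfaces affect only transit traffic.

```python
"""Policy-based routing route-map evaluation, as IOS applies it.
Added example, not from the lab book."""
import ipaddress


def _spec_match(spec, addr):
    """One ACL address field: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wildcard = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = ~wildcard & 0xFFFFFFFF                 # wildcard bits set = don't care
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def acl_permits(acl, src, dst):
    """Extended ACL: entries are (action, source spec, destination spec);
    first match wins, implicit deny at the end."""
    for action, s_spec, d_spec in acl:
        if _spec_match(s_spec, src) and _spec_match(d_spec, dst):
            return action == "permit"
    return False


def policy_route(route_map, acls, src, dst, rib_next_hop):
    """Evaluate 'ip policy route-map': sequences in order, the first whose
    match succeeds decides. A permit with 'set ip next-hop' overrides the
    routing table; a permit without a set clause, a matching deny, or no
    match at all leaves the packet to normal routing.
    Returns (next hop used, deciding sequence number or None)."""
    for seq, action, match_acl, next_hop in route_map:
        if match_acl is None or acl_permits(acls[match_acl], src, dst):
            if action == "permit" and next_hop is not None:
                return next_hop, seq
            return rib_next_hop, seq
    return rib_next_hop, None


# task 9.4 as data: (sequence, action, 'match ip address' ACL, 'set ip next-hop')
ACLS = {
    101: [("permit", "any", "host 10.50.31.98")],
    102: [("permit", "any", "host 10.50.31.99")],
}
SERVER = [
    (10, "permit", 101, "10.50.13.34"),
    (20, "permit", 102, "10.50.13.2"),
    (30, "permit", None, None),          # catch-all: everything else is routed normally
]

if __name__ == "__main__":
    rib = "rib-next-hop"                 # placeholder for the routing table's own answer
    for dst in ("10.50.31.98", "10.50.31.99", "10.50.31.97"):
        print(dst, policy_route(SERVER, ACLS, "10.50.13.1", dst, rib))
```

Running it shows 10.50.31.98 leaving via 10.50.13.34 (sequence 10), 10.50.31.99 via 10.50.13.2 (sequence 20) and any other address falling through to sequence 30 and the routing table, which matches the two traceroutes above. Dropping sequence 30 changes nothing for unmatched packets, but it is the place to add a deny sequence if some traffic must never be policy-routed.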