EWAN NAT/ACL PT Practice SBA

A few things to keep in mind while completing this activity:

1. Do not use the browser Back button or close or reload any exam windows during the exam.
2. Do not close Packet Tracer when you are done it will close automatically.
3. !lick the Submit Assessment button to submit your work.
Introduction
"n this Packet Tracer Practice #kills $ased Assessment you are expected to do as follows:
"mplement the addressing in the network to meet the stated re%uirements.
!onfigure and verify a D&!P server implementation.
!onfigure and verify 'A( technologies.
!onfigure )"*+P to enable communication with the rest of the network.
!onfigure (AT to translate addresses for traffic that is destined to the "nternet.
"mplement access control lists as part of a security policy.
Addressing Table
Device Interace Address Subnet !ask Deault "ate#a$
)A#T
,a-.- /-./-./-.01 222.222.222.23- n.a
#-.-.- /-.222././ 222.222.222.222 n.a
#-.-./.22 /02./45.2-./ 222.222.222.222 n.a
(6+T&
#-.-.- /-.222./.4 222.222.222.222 n.a
#-.-./.72 /02./45.2-.2 222.222.222.222 n.a
#-./.- /05./77.2/0.2 222.222.222.222 n.a
#68T&
,a-.- /-./-./-.42 222.222.222.223 n.a
#-.-.- /-.222./.2 222.222.222.222 n.a
#-.-./ /-.222./.2 222.222.222.222 n.a
)9P!/ ("! /-./-./-.//- 222.222.222.23- /-./-./-.01
#9P!/ ("! D&!P Assigned D&!P Assigned D&!P Assigned
N%TE& The password for user ):)! mode is cisco. The password for privileged ):)! mode
is class.
Ste' (& Conigure and )eri$ S%*T+ as t,e D+CP Server-
a. !onfigure #68T& as the D&!P server for the ;A( attached to ,a-.- using the following
guidelines:
8se the case9sensitive D&!P pool name of S%*T+.D+CP.
)xclude the first five host addresses in the subnet.
b. <erify that #9P!/ now has full "P addressing. "t may be necessary to toggle between =#tatic> and
=D&!P> on the "P !onfiguration screen for #9P!/ before #9P!/ will send a D&!P re%uest. #9
P!/ should be able to ping the default gateway.
Ste' /& Conigure WAN Tec,nologies-
a. The link between #68T& and (6+T& uses PPP with !&AP. The password is NSc,a'. <erify
that #68T& and (6+T& can ping each other.
b. The link between #68T& and )A#T uses &D;!. #68T& should be able to ping the other side of
the link. <erify that #68T& and )A#T can ping each other.
c. The link between )A#T and (6+T& uses point9to9point ,rame +elay subinterfaces. <erify that
)A#T and (6+T& can ping each other.
Ste' 0& Conigure and )eri$ EI"1P 1outing-
a. !onfigure )"*+P routing on )A#T (6+T& and #68T&.
8se A# number 2-.
Do not use the wildcard mask argument.
Do not advertise the network between (6+T& and the "nternet.
b. !onfigure (6+T& with a default route using the outbound interace argument. 8se one
command to propagate the default route into the )"*+P routing process.
c. <erify )9P!/ and #9P!/ can ping each other as well as )A#T (6+T& and #68T&. ?ou will not
be able to ping "nternet hosts yet.
Ste' 2& Conigure N%1T+ #it, a NAT-
a. !onfigure (AT on (6+T& using the following guidelines:
6nly addresses in the /-./-./-.43.24 address space will be translated.
8se the number 3 for the access list.
!onfigure PAT on the (6+T& #-./.- interface.
b. <erify that )9P!/ and #9P!/ can ping the "nternet hosts.
Ste' 3& Conigure Access Control Lists to Satis$ a Securit$ Polic$-
a. !onfigure and apply an A!; with the number 45 that implements the following policy:
Prevent all hosts from the #68T& ;A( from accessing hosts on the )A#T ;A(.
b. <erify that A!; 45 is operating as intended.
c. !onfigure and apply a named A!; with the case9sensitive name 6ILTE17IN that implements the
following policy:
Deny ping re%uests sourced from the "nternet.
Deny Telnet and &TTP traffic sourced from the "nternet.
Allow all other traffic.
d. <erify that the 6ILTE17IN A!; is operating as intended.

Version 1.0
Created in Packet Tracer 5.3.2 and Marvel 1.0.1
All contents are Copyright 12 ! 2011 Cisco "yste#s$ %nc. All rights reserved. This doc&#ent is Cisco P&'lic %n(or#ation.