CCNA Exploration: Accessing the WAN Demo Practical Exam

Topology Diagram

Addressing Table

Device  Interface  IP Address        Subnet Mask       Default Gateway
R1      Fa0/1      10.0.0.1          255.255.255.128   N/A
R1      S0/0/0     172.16.0.1        255.255.255.252   N/A
R1      S0/0/1     172.16.0.9        255.255.255.252   N/A
R2      Lo0        209.165.200.161   255.255.255.224   N/A
R2      S0/0/0     172.16.0.2        255.255.255.252   N/A
R2      S0/0/1     172.16.0.5        255.255.255.252   N/A
R3      Fa0/1      10.0.0.129        255.255.255.128   N/A
R3      S0/0/0     172.16.0.10       255.255.255.252   N/A
R3      S0/0/1     172.16.0.6        255.255.255.252   N/A
PC1     NIC        10.0.0.10         255.255.255.128   10.0.0.1
PC3     NIC        10.0.0.139        255.255.255.128   10.0.0.129

Scenario
This lab tests you on the skills and knowledge that you learned in Exploration 4. Use cisco for all passwords in this lab, except for the enable secret password, which is class.

All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.


Task 1: Prepare the Network
Step 1: Cable a network that is similar to the one in the topology diagram.
Step 2: Clear any existing configurations on the routers.

Task 2: Perform Basic Device Configurations
Configure the R1, R2, and R3 routers according to the following guidelines:
Configure the router hostname.
Disable DNS lookup.
Configure an EXEC mode password.
Configure a message-of-the-day banner.
Configure a password for console connections.
Configure a password for vty connections.
Configure synchronous logging.

R1
hostname R1
no ip domain-lookup
enable secret class
banner motd #R1#
!
line con 0
 exec-timeout 0 0
 logging synchronous
 password cisco
 login
!
line vty 0 4
 password cisco
 login

R2
hostname R2
no ip domain-lookup
enable secret class
banner motd #R2#
!
line con 0
 exec-timeout 0 0
 logging synchronous
 password cisco
 login
!
line vty 0 4
 password cisco
 login

R3
hostname R3
no ip domain-lookup
enable secret class
banner motd #R3#
!
line con 0
 exec-timeout 0 0
 logging synchronous
 password cisco
 login
!
line vty 0 4
 password cisco
 login

Task 3: Configure and Activate Serial and Ethernet Addresses
Step 1: Configure interfaces on R1, R2, and R3.

R1
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.128
 no shutdown
!
interface Serial0/0/0
 ip address 172.16.0.1 255.255.255.252
 no shutdown
 clock rate 64000
!
interface Serial0/0/1
 ip address 172.16.0.9 255.255.255.252
 no shutdown

R2
!
interface Loopback0
 ip address 209.165.200.161 255.255.255.224
!
interface Serial0/0/0
 ip address 172.16.0.2 255.255.255.252
 no shutdown
!
interface Serial0/0/1
 ip address 172.16.0.5 255.255.255.252
 clock rate 64000
 no shutdown

R3
!
interface FastEthernet0/1
 ip address 10.0.0.129 255.255.255.128
 no shutdown
!
interface Serial0/0/1
 ip address 172.16.0.6 255.255.255.252
 no shutdown
!
interface Serial0/0/0
 ip address 172.16.0.10 255.255.255.252
 no shutdown
 clock rate 64000

Step 2: Verify IP addressing and interfaces.
Step 3: Configure the PC1 and PC3 Ethernet interfaces.
Step 4: Test connectivity between the PCs and routers.

Task 4: Configure Serial Interfaces
Step 1: Configure PPP encapsulation with CHAP between R1 and R2.

R1
username R2 password cisco
interface serial0/0/0
 encapsulation ppp
 ppp authentication chap

R2
username R1 password cisco
interface serial0/0/0
 encapsulation ppp
 ppp authentication chap

Step 2: Configure and verify HDLC encapsulation between R2 and R3.

R2
interface Serial0/0/1
 encapsulation hdlc

R3
interface Serial0/0/1
 encapsulation hdlc

Step 3: Configure Frame Relay between R1 and R3.

R1
interface Serial0/0/1
 encapsulation frame-relay
 frame-relay map ip 172.16.0.9 101 broadcast
 frame-relay map ip 172.16.0.10 101 broadcast
 frame-relay interface-dlci 101
 no keepalive

R3
interface Serial0/0/0
 encapsulation frame-relay
 frame-relay map ip 172.16.0.10 101 broadcast
 frame-relay map ip 172.16.0.9 101 broadcast
 frame-relay interface-dlci 101
 no keepalive

Task 5: Configure RIP
Step 1: Configure RIP on R1, R2, and R3.

R1
router rip
 version 2
 passive-interface FastEthernet0/1
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!

R2
router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
 network 209.165.200.0
 passive-interface Lo0
 no auto-summary
!

R3
router rip
 version 2
 passive-interface FastEthernet0/1
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!

Step 2: Test connectivity with the ping command.
Step 3: Verify the routing table with the appropriate command.

Task 6: Configure Basic Router Security
Step 1: Enable a secure Telnet login using a local database on R2.

R2
username cisco password cisco
aaa new-model
aaa authentication login LOCAL_AUTH local
line vty 0 4
 login authentication LOCAL_AUTH
 transport input ssh

or

aaa new-model
username cisco password 0 cisco
line vty 0 4
 transport input ssh

or could it be plain SSH????

Step 2: Disable unused services and interfaces on R2.
Step 3: Confirm that R2 is secured.

Task 7: Configure Access Control Lists
Step 1: Allow telnet to R1 and R3 from R2 only.

R1
access-list 101 permit tcp 172.16.0.2 0.0.0.3 172.16.0.1 0.0.0.3 eq telnet
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
!
interface Serial0/0/0
 ip access-group 101 in
!
interface Serial0/0/1
 ip access-group 101 in

R3
access-list 101 permit tcp 172.16.0.5 0.0.0.3 172.16.0.6 0.0.0.3 eq telnet
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
interface Serial0/0/0
 ip access-group 101 in
!
interface Serial0/0/1
 ip access-group 101 in
!

Step 2: Do not allow HTTP, Telnet, and FTP traffic from the Internet to PC1.
FTP: ports 20 and 21. Telnet: port 23.

R1
access-list 102 deny tcp any eq 80 host 10.0.0.10
access-list 102 deny tcp any eq 20 host 10.0.0.10
access-list 102 deny tcp any eq 21 host 10.0.0.10
access-list 102 deny tcp any eq 23 host 10.0.0.10
access-list 102 permit ip any any
interface fa0/1
 ip access-group 102 out

Step 3: Do not allow PC1 to receive traffic from the 10.0.0.128 /25 network.

R3
access-list 103 deny ip 10.0.0.128 0.0.0.127 host 10.0.0.10
access-list 103 permit ip any any
interface fa0/1
 ip access-group 103 in

Step 4: Verify that PC3 cannot ping PC1, but can ping 10.0.0.1.

Task 8: Configure NAT
Step 1: Configure NAT to allow PC3 to ping PC1.

R3
ip nat pool ping 10.0.0.129 10.0.0.254 netmask 255.255.255.128
access-list 110 permit icmp any any
ip nat inside source list 110 pool ping overload
interface fa0/1
 ip access-group 110 in
 ip nat inside
interface s0/0/0
 ip nat outside
interface s0/0/1
 ip nat outside

Step 2: Verify that PC3 can reach PC1.

!
hostname R1
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
username R2 password 0 cisco
!
no ip domain-lookup
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.128
 ip access-group 102 out
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 172.16.0.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 ip access-group 101 in
 clock rate 64000
!
interface Serial0/0/1
 ip address 172.16.0.9 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 172.16.0.9 101 broadcast
 frame-relay map ip 172.16.0.10 101 broadcast
 frame-relay interface-dlci 101
 no keepalive
 ip access-group 101 in
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 version 2
 passive-interface FastEthernet0/1
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip classless
!
access-list 101 permit tcp 172.16.0.0 0.0.0.3 172.16.0.0 0.0.0.3 eq telnet
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
access-list 102 deny tcp any eq www host 10.0.0.10
access-list 102 deny tcp any eq 20 host 10.0.0.10
access-list 102 deny tcp any eq ftp host 10.0.0.10
access-list 102 deny tcp any eq telnet host 10.0.0.10
access-list 102 permit ip any any
!
banner motd ^CR1^C
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 0 4
 password cisco
 login
!
end
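Added example (not part of the original lab answers): a first-match evaluator for ACLs 101 and 102 as they appear in R1's running configuration, showing that an eq placed after the source address matches the TCP source port and that the 0.0.0.3 wildcard covers the whole 172.16.0.0/30 link. The helper names and the client port numbers used when calling it are assumptions made for the illustration.

```python
import ipaddress

# ACL text as it appears in the R1 running configuration on this page.
R1_ACLS = """\
access-list 101 permit tcp 172.16.0.0 0.0.0.3 172.16.0.0 0.0.0.3 eq telnet
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
access-list 102 deny tcp any eq www host 10.0.0.10
access-list 102 deny tcp any eq 20 host 10.0.0.10
access-list 102 deny tcp any eq ftp host 10.0.0.10
access-list 102 deny tcp any eq telnet host 10.0.0.10
access-list 102 permit ip any any"""
PORTS = {"www": 80, "ftp": 21, "telnet": 23}  # IOS keywords used above

def ip(text):
    return int(ipaddress.ip_address(text))

def take_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, care_mask)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0
    if first == "host":
        return ip(tok.pop(0)), 0xFFFFFFFF
    care = ~ip(tok.pop(0)) & 0xFFFFFFFF      # wildcard 1-bits are "don't care"
    return ip(first) & care, care

def take_port(tok):
    """Consume an optional 'eq PORT' that qualifies the address just read."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        name = tok.pop(0)
        return PORTS[name] if name in PORTS else int(name)
    return None

def evaluate(acl, proto, src, sport, dst, dport):
    """First-match evaluation of one numbered ACL; returns 'permit' or 'deny'."""
    for line in R1_ACLS.splitlines():
        tok = line.split()
        if tok[1] != str(acl):
            continue
        action, entry_proto, tok = tok[2], tok[3], tok[4:]
        (snet, smask), sp = take_addr(tok), take_port(tok)
        (dnet, dmask), dp = take_addr(tok), take_port(tok)
        if (entry_proto in ("ip", proto) and (ip(src) & smask) == snet
                and (ip(dst) & dmask) == dnet
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"  # implicit deny that ends every IOS ACL
```

Calling evaluate(102, "tcp", "209.165.200.161", 80, "10.0.0.10", 49152) returns "deny", while the same call with source port 49152 and destination port 80 falls through to permit ip any any. For ACL 101, Telnet from 172.16.0.2 to 172.16.0.1 is permitted and Telnet from 172.16.0.10 to 172.16.0.9 is denied.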

!
hostname R2
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
aaa new-model
!
aaa authentication login LOCAL_AUTH local
!
username R1 password 0 cisco
username cisco password 0 cisco
!
no ip domain-lookup
!
interface Loopback0
 ip address 209.165.200.161 255.255.255.224
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 172.16.0.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
!
interface Serial0/0/1
 ip address 172.16.0.5 255.255.255.252
 clock rate 64000
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip classless
!
banner motd #R2#
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login authentication LOCAL_AUTH
line vty 0 4
 password cisco
 login authentication LOCAL_AUTH
 transport input ssh
!
end

!
hostname R3
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
no ip domain-lookup
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 10.0.0.129 255.255.255.128
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 172.16.0.10 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 172.16.0.10 101 broadcast
 frame-relay map ip 172.16.0.9 101 broadcast
 frame-relay interface-dlci 101
 no keepalive
 ip access-group 101 in
 clock rate 64000
!
interface Serial0/0/1
 ip address 172.16.0.6 255.255.255.252
 ip access-group 101 in
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 version 2
 passive-interface FastEthernet0/1
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip classless
!
banner motd #R3#
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 0 4
 password cisco
 login
!
end

!
hostname R3
!
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
no ip domain-lookup
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 10.0.0.129 255.255.255.128
 ip access-group 110 in
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 172.16.0.10 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 172.16.0.10 101 broadcast
 frame-relay map ip 172.16.0.9 101 broadcast
 frame-relay interface-dlci 101
 no keepalive
 ip access-group 101 in
 ip nat outside
 clock rate 64000
!
interface Serial0/0/1
 ip address 172.16.0.6 255.255.255.252
 ip access-group 101 in
 ip nat outside
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 version 2
 passive-interface FastEthernet0/1
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip nat pool ping 10.0.0.129 10.0.0.254 netmask 255.255.255.128
ip nat inside source list 110 pool ping overload
ip classless
!
access-list 101 permit tcp 172.16.0.4 0.0.0.3 172.16.0.4 0.0.0.3 eq telnet
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
access-list 103 deny ip 10.0.0.128 0.0.0.127 host 10.0.0.10
access-list 103 permit ip any any
access-list 110 permit icmp any any
!
banner motd #R3#
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 0 4
 password cisco
 login
!
end
