Cisco Router NAT Overload (PAT)

1. Router KCM

====================ROUTER KCM:

hostname ROUTER-KCM

interface fa0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
 exit

interface se0/0
 ip address 192.168.1.2 255.255.255.252
 no shutdown

--------Default Route:

ip route 0.0.0.0 0.0.0.0 192.168.1.1


--------Static Route:

ip route 10.0.1.0 255.255.255.0 192.168.1.1
ip route 10.2.1.0 255.255.255.0 192.168.1.1
ip route 10.3.1.0 255.255.255.0 192.168.1.1

2. Router BTB

====================ROUTER BTB:

hostname ROUTER-BTB

interface fa0/0
 ip address 192.168.1.10 255.255.255.248
 no shutdown
 exit

interface fa0/1
 ip address 10.2.1.1 255.255.255.0
 no shutdown


--------Static & Default Route:

ip route 10.3.1.0 255.255.255.0 192.168.1.11
ip route 0.0.0.0 0.0.0.0 192.168.1.9

3. Router SRP

====================ROUTER SRP:

hostname ROUTER-SRP

interface fa0/0
 ip address 192.168.1.11 255.255.255.248
 no shutdown
 exit

interface fa0/1
 ip address 10.3.1.1 255.255.255.0
 no shutdown

--------Static & Default Route:

ip route 10.2.1.0 255.255.255.0 192.168.1.10

option a:
ip route 0.0.0.0 0.0.0.0 192.168.1.9

option b:
ip route 10.0.1.0 255.255.255.0 192.168.1.9
ip route 10.1.1.0 255.255.255.0 192.168.1.9

4. Router HQ

====================ROUTER HQ:
hostname ROUTER-HQ

interface fa0/0
 ip address 10.0.1.1 255.255.255.0
 no shutdown

interface fa0/1
 ip address 192.168.1.9 255.255.255.248
 no shutdown

interface serial0/1/0
 ip address 192.168.1.1 255.255.255.252
 clock rate 2000000
 no shutdown

--------Static Route:

ip route 10.1.1.0 255.255.255.0 192.168.1.2 : option 1
ip route 10.1.1.0 255.255.255.0 se0/1/0     : option 2

ip route 10.2.1.0 255.255.255.0 192.168.1.10
ip route 10.3.1.0 255.255.255.0 192.168.1.11

5. Router ISP

hostname ROUTERISP

interface fa0/0
 ip address 8.8.8.1 255.255.255.0
 no shutdown

interface fa0/1
 ip address 9.9.9.1 255.255.255.0
 no shutdown

interface serial0/0/0
 ip address 11.11.11.1 255.255.255.252
 clock rate 4000000
 no shutdown
 exit

------provide one more public IP address (2.2.2.2) to the customer: the ISP routes it to the customer's WAN address 11.11.11.2, so ROUTER-HQ can use it for static NAT / port forwarding

ip route 2.2.2.2 255.255.255.255 11.11.11.2

6.  Router HQ Nat Overload (PAT) Configuration

interface serial0/1/1
 ip address 11.11.11.2 255.255.255.252
 no shutdown
 exit

ip route 0.0.0.0 0.0.0.0 11.11.11.1

interface fa0/0
 ip nat inside
interface fa0/1
 ip nat inside
interface serial0/1/0
 ip nat inside

interface serial0/1/1
 ip nat outside

access-list 9 permit 10.0.1.0 0.0.0.255
access-list 9 permit 10.1.1.0 0.0.0.255
access-list 9 permit 10.2.1.0 0.0.0.255
access-list 9 permit 10.3.1.0 0.0.0.255

ip nat inside source list 9 interface serial0/1/1 overload
==========

Verify NAT :
# show ip nat translations  : show the NAT table (inside local/global, outside local/global)
# show ip nat statistics    : hit counts and which interfaces are inside/outside
# clear ip nat translation * : clear all dynamic translations (static entries stay)


********** Or via Extended Access-List*************************************

access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 10.2.1.0 0.0.0.255 any
access-list 100 permit ip 10.3.1.0 0.0.0.255 any
ip nat inside source list 100 interface serial0/1/1 overload

===========static nat

ip nat inside source static 10.0.1.3 2.2.2.2


===========static nat port forwarding
(use either the 1:1 static above or per-port statics for a given global address, not both;
 with port forwarding only the listed ports of 2.2.2.2 reach the inside, anything else sent to 2.2.2.2 is dropped)

ip nat inside source static tcp 10.0.1.3 80 2.2.2.2 80
ip nat inside source static tcp 10.2.1.100 443 2.2.2.2 443


*********** Lesson ********************

A data packet can only travel over the Internet if its source and destination
IP addresses are public; private (RFC 1918) addresses such as 10.x.x.x are not
routed on the Internet, so the router must translate them first.


NAT : Network Address Translation
PAT : Port Address Translation

3 types of NAT:

1) Static NAT : translates one private IP address to one public IP address (one-to-one, fixed).
    (Use for: a server that must be reachable from outside)
2) Dynamic NAT: translates multiple private IP addresses to multiple public IP addresses taken from a pool
   (one-to-one while a translation lives; when the pool is exhausted new connections fail).
3) PAT or NAT Overload: translates multiple private IP addresses to one public IP address;
   the source port number is what keeps the sessions apart (many-to-one).

--------Sample config of Static NAT   ( e.g. publishing a security camera or a server )
step 1: Define Inside Interfaces
(config)# interface nameofinsidelan
(config-if)# ip nat inside

step 2: Define Outside Interfaces
(config)# interface nameofoutside
(config-if)# ip nat outside

step 3: Perform NAT Action
(config)# ip nat inside source static private-ip public-ip
===========================================================================
--------Sample config of Dynamic NAT
step 1: Define Inside Interfaces
(config)# interface nameofinsidelan
(config-if)# ip nat inside

step 2: Define Outside Interfaces
(config)# interface nameofoutside
(config-if)# ip nat outside

step 3: Define Standard Access Control List
(config)# access-list acl-id permit source-ip wildcard-mask

step 4: Define NAT Pool 1 range of public ip address
(config)# ip nat pool pool-name start-public-ip end-public-ip netmask subnet-mask

step 5: Perform Dynamic NAT Action
(config)# ip nat inside source list acl-id pool pool-name
=============================================================================
--------Sample config of NAT Overload (PAT)
step 1: Define Inside Interfaces
(config)# interface nameofinsidelan
(config-if)# ip nat inside

step 2: Define Outside Interfaces
(config)# interface nameofoutside
(config-if)# ip nat outside

step 3: Define Standard Access Control List
(config)# access-list acl-id permit source-ip wildcard-mask

step 4: Perform NAT Overload Action
(config)# ip nat inside source list acl-id interface nameofoutside overload
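The following Python model, added here and not part of the original notes, walks a few packets through the NAT decision ROUTER-HQ makes with the configuration above: access-list 9 decides who gets translated, the serial0/1/1 address 11.11.11.2 is the single global address, and the two port-forwarding statics publish 2.2.2.2. The sample hosts (10.1.1.2, 10.2.1.5, 172.16.0.9) and source ports are constructed, and the way a colliding source port is re-allocated is an assumption standing in for the router's own allocator.

```python
"""Model of the inside->outside NAT decision on ROUTER-HQ as configured above.

Evaluation order follows IOS: a static entry for the inside (address, port)
wins, then the overload rule applies if the source matches access-list 9,
otherwise the packet leaves untranslated. The port chosen on a collision is an
assumption: IOS keeps the original source port when it is free and otherwise
allocates another one; the linear probe below only stands in for that.
"""
import ipaddress

INSIDE_NETS = [ipaddress.ip_network(n) for n in                 # access-list 9
               ("10.0.1.0/24", "10.1.1.0/24", "10.2.1.0/24", "10.3.1.0/24")]
OUTSIDE_IP = "11.11.11.2"                     # serial0/1/1 (interface ... overload)
# ip nat inside source static tcp <inside> <port> <global> <port>
PORT_STATIC = {("tcp", "10.0.1.3", 80): ("2.2.2.2", 80),
               ("tcp", "10.2.1.100", 443): ("2.2.2.2", 443)}


class PatTable:
    def __init__(self):
        self.dynamic = {}   # (proto, inside_ip, inside_port) -> (global_ip, global_port)
        self.in_use = set(PORT_STATIC.values())   # (global_ip, global_port) already taken

    def _alloc_port(self, wanted):
        port = wanted
        while (OUTSIDE_IP, port) in self.in_use:
            port = 1024 if port >= 65535 else port + 1      # assumption: next free port
        return port

    def translate(self, proto, src_ip, src_port):
        """Inside -> outside. Returns (global_ip, global_port) or None (no NAT)."""
        key = (proto, src_ip, src_port)
        if key in PORT_STATIC:
            return PORT_STATIC[key]                         # static wins over overload
        if key in self.dynamic:
            return self.dynamic[key]                        # existing translation reused
        if not any(ipaddress.ip_address(src_ip) in n for n in INSIDE_NETS):
            return None                                     # not permitted by list 9
        mapping = (OUTSIDE_IP, self._alloc_port(src_port))
        self.dynamic[key] = mapping
        self.in_use.add(mapping)
        return mapping

    def untranslate(self, proto, dst_ip, dst_port):
        """Outside -> inside. Returns (inside_ip, inside_port) or None (dropped)."""
        for (p, ip, port), glob in self.dynamic.items():
            if p == proto and glob == (dst_ip, dst_port):
                return ip, port                             # reply to an existing flow
        for (p, ip, port), glob in PORT_STATIC.items():
            if p == proto and glob == (dst_ip, dst_port):
                return ip, port                             # published service
        return None                                         # unsolicited inbound: no entry


def demo():
    """Two inside hosts using the same source port, plus the published services."""
    t = PatTable()
    a = t.translate("tcp", "10.1.1.2", 50000)   # LAN KCM laptop -> (11.11.11.2, 50000)
    b = t.translate("tcp", "10.2.1.5", 50000)   # LAN BTB laptop, same port -> 50001
    return {
        "kcm": a, "btb": b,
        "reply_to_btb": t.untranslate("tcp", "11.11.11.2", b[1]),
        "web": t.untranslate("tcp", "2.2.2.2", 80),
        "tls": t.untranslate("tcp", "2.2.2.2", 443),
        "probe": t.untranslate("tcp", "11.11.11.2", 22),     # nothing mapped: dropped
        "not_in_acl": t.translate("tcp", "172.16.0.9", 40000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} {value}")
```

The "probe" case is the reason PAT gives a home network some protection by accident: an inbound packet to 11.11.11.2:22 matches no translation and has nowhere to go. That is not a firewall; anything you publish with a static entry is fully exposed.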









Router Extended Access Control List


1. Router HQ

====================ROUTER HQ:
hostname ROUTER-HQ

interface fa0/0
 ip address 10.0.1.1 255.255.255.0
 no shutdown

interface fa0/1
 ip address 192.168.1.9 255.255.255.248
 no shutdown

interface serial0/1/0
 ip address 192.168.1.1 255.255.255.252
 clock rate 2000000
 no shutdown

--------Static Route:

ip route 10.1.1.0 255.255.255.0 192.168.1.2 : option 1
ip route 10.1.1.0 255.255.255.0 se0/1/0     : option 2

ip route 10.2.1.0 255.255.255.0 192.168.1.10
ip route 10.3.1.0 255.255.255.0 192.168.1.11


show ip route : check routing table on this router

2. Router KCM

====================ROUTER KCM:

hostname ROUTER-KCM

interface fa0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
 exit

interface se0/0
 ip address 192.168.1.2 255.255.255.252
 no shutdown

--------Default Route:

ip route 0.0.0.0 0.0.0.0 192.168.1.1


--------Static Route:

ip route 10.0.1.0 255.255.255.0 192.168.1.1
ip route 10.2.1.0 255.255.255.0 192.168.1.1
ip route 10.3.1.0 255.255.255.0 192.168.1.1


3. Router BTB

====================ROUTER BTB:

hostname ROUTER-BTB

interface fa0/0
 ip address 192.168.1.10 255.255.255.248
 no shutdown
 exit

interface fa0/1
 ip address 10.2.1.1 255.255.255.0
 no shutdown


--------Static & Default Route:

ip route 10.3.1.0 255.255.255.0 192.168.1.11
ip route 0.0.0.0 0.0.0.0 192.168.1.9

4. Router SRP

====================ROUTER SRP:

hostname ROUTER-SRP

interface fa0/0
 ip address 192.168.1.11 255.255.255.248
 no shutdown
 exit

interface fa0/1
 ip address 10.3.1.1 255.255.255.0
 no shutdown

--------Static & Default Route:

ip route 10.2.1.0 255.255.255.0 192.168.1.10

option a:
ip route 0.0.0.0 0.0.0.0 192.168.1.9

option b:
ip route 10.0.1.0 255.255.255.0 192.168.1.9
ip route 10.1.1.0 255.255.255.0 192.168.1.9


5. Extended Access Control List Configuration

Requirement 1:
Block laptop 1 (10.0.1.2) in LAN HQ from accessing all laptops
in LAN SRP (10.3.1.0/24). But other laptops in LAN HQ allowed.

( This one can also be done with a standard access-list on ROUTER-SRP, filtering what leaves fa0/1 into LAN SRP:
    ans:    access-list 10 deny host 10.0.1.2
            access-list 10 permit any
            int f0/1
            ip access-group 10 out
  A standard ACL only sees the source address, so it has to sit near the destination;
  the extended ACL below can do the same job on ROUTER-HQ, near the source. )

Extended Access-List

ROUTER HQ:

(formula: access-list acl-id permit/deny protocol1 src-ip dst-ip)



access-list 100 deny   ip host 10.0.1.2 10.3.1.0 0.0.0.255
access-list 100 permit ip any any

======= filter inbound (apply)
interface fa0/0
 ip access-group 100 in

======= filter inbound (remove)

no access-list 100

interface fa0/0
 no ip access-group 100 in

------------------------------

======= filter outbound (apply)

access-list 100 deny ip host 10.0.1.2 10.3.1.0 0.0.0.255
access-list 100 permit ip any any

interface fa0/1
 ip access-group 100 out
==============================================================================

+( add one more entry to acl-id 100: block the web server 10.0.1.3 from reaching LAN SRP (10.3.1.0/24).
   It must come before the "permit ip any any" (sequence 20), so check the sequence numbers and insert it as 15 )

-->
    RouterHQ(config)# do show access-list
    RouterHQ(config)#ip access-list extended 100
    RouterHQ(config-ext-nacl)#15 deny ip host 10.0.1.3 10.3.1.0 0.0.0.255
==============================================================================
****Remove index(15) from acl-id 100 *********************
--> RouterHQ(config)# do show access-list
    RouterHQ(config)#ip access-list extended 100
    RouterHQ(config-ext-nacl)#no 15
==============================================================================
+( Remove acl-id 100)

--> RouterHQ(config)#no ip access-list extended 100

######################################################

Requirement 2:

Block laptop 2 (10.1.1.2) in LAN KCM from ping to web server (10.0.1.3)
But it can use web browser to access web server
and ping laptop 6 (10.3.1.2).
Other traffic from laptop 2 denied.

Must apply ACL into ROUTER KCM.
protocol1 are: ip, icmp, rip, ospf, eigrp, tcp, udp

ROUTER KCM:

access-list 110 deny icmp host 10.1.1.2 host 10.0.1.3
access-list 110 permit tcp host 10.1.1.2 host 10.0.1.3 eq 80
access-list 110 permit tcp host 10.1.1.2 host 10.0.1.3 eq 443
access-list 110 permit icmp host 10.1.1.2 host 10.3.1.2
access-list 110 deny ip host 10.1.1.2 any
access-list 110 permit ip any any

======= filter outbound (apply)

interface se0/0
 ip access-group 110 out


---------INSERT NEW ACL STATEMENTS INTO THE EXISTING ACL ID 110

Allow laptop 2 (10.1.1.2) in LAN KCM to use the web browser and ping to reach
web server (10.3.1.3) in LAN SRP,
and remove the ping access to laptop 6 (10.3.1.2).
(check with show access-list first: the entries are 10, 20 ... 60, the ping permit is 40
 and the "deny ip" is 50, so the new lines must land before 50)

ip access-list extended 110
 41 permit icmp host 10.1.1.2 host 10.3.1.3
 42 permit tcp host 10.1.1.2 host 10.3.1.3 eq 80
 no 40


######################################################
Requirement 2:
Block laptop 2 (10.1.1.2) in LAN KCM from ping to web server (10.0.1.3)
But it can use web browser to access web server and ping laptop 6 (10.3.1.2).
Other traffic from laptop 2 denied.

Named ACL: For Requirement 2
(the name checklaptop2 is used in place of a numeric acl-id)

(config)# ip access-list extended checklaptop2
(config-ext-nacl)# deny icmp host 10.1.1.2 host 10.0.1.3
(config-ext-nacl)# permit tcp host 10.1.1.2 host 10.0.1.3 eq 80
(config-ext-nacl)# permit tcp host 10.1.1.2 host 10.0.1.3 eq 443
(config-ext-nacl)# permit icmp host 10.1.1.2 host 10.3.1.2
(config-ext-nacl)# deny ip host 10.1.1.2 any
(config-ext-nacl)# permit ip any any
(without the final permit, the implicit deny at the end would block every other host in LAN KCM, not only laptop 2)

======= filter outbound (apply)

interface se0/0
 ip access-group checklaptop2 out

---------INSERT NEW ACL STATEMENTS INTO THE EXISTING NAMED ACL:

Allow laptop 2 (10.1.1.2) in LAN KCM to use the web browser and ping to reach
web server (10.3.1.3) in LAN SRP,
and remove the ping access to laptop 6 (10.3.1.2).

(config)# ip access-list extended checklaptop2
(config-ext-nacl)# 41 permit icmp host 10.1.1.2 host 10.3.1.3
(config-ext-nacl)# 42 permit tcp host 10.1.1.2 host 10.3.1.3 eq 80
(config-ext-nacl)# no 40



*************** Lesson ********************


Apply Extended Access Control List (ACL):
- Permit or deny traffic of data flow
- Check Source, Destination, and Protocol
- acl-id = 100 ---> 199 or 2000 --->2699
- apply it on the router closest to the source (it can identify the flow exactly, so unwanted traffic is dropped before it crosses the network)

Sample config:

Step 1A: create Extended acl statements:

(config)# access-list acl-id permit/deny protocol1 src-ip dst-ip

protocol1 is one of: ip, icmp, rip, ospf, eigrp, tcp, udp
(ip matches every protocol; rip itself is not a protocol keyword in IOS, RIP runs on udp port 520,
 so match it with "permit udp any any eq rip")

-icmp: the protocol used by ping (ex: ping 1.1.1.1 ); a deny icmp entry stops ping, not tcp/udp traffic
-rip : routing protocol (entries for ospf, eigrp, rip control routing updates, not user traffic)

==========
Step 1B: create Extended acl statements:

(config)# access-list acl-id permit/deny protocol2 src-ip dst-ip eq port-number

if protocol2 are: tcp, udp

(tcp: connection-oriented; used by ftp, ssh, telnet, smtp, imap4, pop3, http, https ....)
(udp: connectionless; used by services such as DNS, SNMP, TFTP, DHCP)

port-number:
3 types of Port Number:
1) Well-known Ports: 0     ---> 1023  : server side (e.g. 80: web server)
2) Registered Ports: 1024  ---> 49151
3) Dynamic Ports:    49152 ---> 65535 : client side (the source port the client picks)

Application Protocol: TCP : Transmission Control Protocol
- FTP (File Transfer Protocol) : 20/tcp (for download/upload file) & 21/tcp (for establish connection)
- SSH (Secure SHell Protocol) and SFTP (SSH File Transfer Protocol, runs inside SSH) : 22/tcp
- Telnet (Telnet Protocol)     : 23/tcp
- SMTP (Simple Mail Transfer Protocol) : 25/tcp (use for send email)
- IMAP4 (Internet Message Access Protocol) : 143/tcp (use for receiving email)
- POP3 (Post Office Protocol)  : 110/tcp (use for receiving email)
- HTTP (Hyper Text Transfer Protocol) : 80/tcp
- HTTPS (Hyper Text Transfer Protocol for Secure) : 443/tcp

Application Protocol: UDP : User Datagram Protocol
- DNS (Domain Name System)  : 53/udp
- SNMP (Simple Network Management Protocol) : 161/udp
- TFTP (Trivial File Transfer Protocol) : 69/udp
- DHCP (Dynamic Host Configuration Protocol) : 67/udp (server) & 68/udp (client)

Register-Port and Dynamic-Port
- RDP (Remote Desktop Protocol) : 3389/tcp
- Lotus Notes                  : 1352/tcp
- TightVNC                     : 5900/tcp

Step 2: apply extended acl into interface

(config)# interface name
(config-if)# ip access-group acl-id in/out
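To see the first-match rule, the implicit deny and the sequence-number editing from the lesson above in action, here is a small evaluator in Python. It is an added example, not code from the notes; it parses only the ACL syntax this page uses (host / any / address wildcard, the protocols ip icmp tcp udp, and eq port) and replays ACL 110 from Requirement 2 together with the 41 / 42 / no 40 edit.

```python
"""Top-down evaluator for the numbered ACLs used in these notes.

Entries get sequence numbers 10, 20, 30 ... as IOS assigns them, so the edits
shown above (`41 permit ...`, `no 40`) can be replayed. A packet is matched by
the first entry whose protocol, source, destination and (tcp/udp) `eq` port all
fit; if nothing matches, the implicit deny at the end drops it.
"""
import ipaddress

ANY = (0, 0xFFFFFFFF)                 # 0.0.0.0 with wildcard 255.255.255.255
PROTOCOLS = ("ip", "icmp", "tcp", "udp")


def _addr(tokens):
    """Consume one address spec; returns (network as int, wildcard as int)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return int(ipaddress.ip_address(tokens.pop(0))), 0
    return int(ipaddress.ip_address(tok)), int(ipaddress.ip_address(tokens.pop(0)))


def _match(addr, spec):
    """Wildcard comparison: a 1 bit in the wildcard means 'do not care'."""
    net, wild = spec
    return (int(ipaddress.ip_address(addr)) | wild) == (net | wild)


class Acl:
    def __init__(self, lines=()):
        self.entries = []   # (seq, action, proto, src, dst, port), sorted by seq
        for line in lines:
            self.add(line)

    def add(self, line):
        """One IOS ACL line; a leading number (ip access-list style) sets the sequence."""
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]                               # drop 'access-list <id>'
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
        action = tokens.pop(0)
        proto = tokens.pop(0) if tokens[0] in PROTOCOLS else "ip"   # standard ACL: none
        src = _addr(tokens)
        dst = _addr(tokens) if tokens else ANY                # standard ACL: source only
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        if seq is None:                                       # next multiple of 10
            seq = (self.entries[-1][0] // 10 + 1) * 10 if self.entries else 10
        self.entries = sorted(self.entries + [(seq, action, proto, src, dst, port)],
                              key=lambda e: e[0])

    def remove(self, seq):
        """`no <seq>` inside `ip access-list extended <id>`."""
        self.entries = [e for e in self.entries if e[0] != seq]

    def check(self, proto, src, dst, dport=None):
        """First match wins; returns (action, seq). (deny, None) is the implicit deny."""
        for seq, action, p, s, d, port in self.entries:
            if p != "ip" and p != proto:
                continue
            if not (_match(src, s) and _match(dst, d)):
                continue
            if port is not None and port != dport:
                continue
            return action, seq
        return "deny", None


def demo():
    """Requirement 2 on ROUTER-KCM (ACL 110), then the sequence-number edit."""
    acl = Acl([
        "access-list 110 deny icmp host 10.1.1.2 host 10.0.1.3",
        "access-list 110 permit tcp host 10.1.1.2 host 10.0.1.3 eq 80",
        "access-list 110 permit tcp host 10.1.1.2 host 10.0.1.3 eq 443",
        "access-list 110 permit icmp host 10.1.1.2 host 10.3.1.2",
        "access-list 110 deny ip host 10.1.1.2 any",
        "access-list 110 permit ip any any",
    ])
    before = {
        "ping_web": acl.check("icmp", "10.1.1.2", "10.0.1.3"),        # deny, 10
        "http_web": acl.check("tcp", "10.1.1.2", "10.0.1.3", 80),     # permit, 20
        "ping_l6": acl.check("icmp", "10.1.1.2", "10.3.1.2"),         # permit, 40
        "http_srp": acl.check("tcp", "10.1.1.2", "10.3.1.3", 80),     # deny, 50
        "other_host": acl.check("tcp", "10.1.1.9", "10.0.1.3", 80),   # permit, 60
    }
    acl.add("41 permit icmp host 10.1.1.2 host 10.3.1.3")            # ip access-list extended 110
    acl.add("42 permit tcp host 10.1.1.2 host 10.3.1.3 eq 80")
    acl.remove(40)
    after = {
        "http_srp": acl.check("tcp", "10.1.1.2", "10.3.1.3", 80),     # permit, 42
        "ping_l6": acl.check("icmp", "10.1.1.2", "10.3.1.2"),         # deny, 50
        "seqs": [e[0] for e in acl.entries],                          # 10,20,30,41,42,50,60
    }
    strict = Acl(["access-list 110 deny ip host 10.1.1.2 any"])        # no 'permit ip any any'
    after["implicit_deny"] = strict.check("tcp", "10.1.1.9", "10.0.1.3", 80)   # deny, None
    return before, after
```

The "strict" case at the end is the mistake to watch for when converting a numbered ACL to a named one: drop the closing permit ip any any and every host that the list does not mention is silently denied.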


******************* Exercise *********************


Requirement 1:

Block laptop X (10.0.1.150) in LAN HQ from accessing all laptops
in LAN BTB (10.2.1.0/24). But other laptops in LAN HQ allowed.

ROUTER HQ:
????
access-list 100 deny ip host 10.0.1.150 10.2.1.0 0.0.0.255
access-list 100 permit ip any any

======= filter inbound (apply)
???
int f0/0
ip access-group 100 in

======= filter inbound (remove)

???

no access-list 100
int f0/0
no ip access-group 100 in

------------------------------

======= filter outbound (apply)

????

int f0/1
ip access-group 100 out
exit


######################################################

Requirement 2:

Block laptop 5 (10.2.1.3) in LAN BTB from ping to web server (10.0.1.3) in lan HQ
But it can use web browser to access web server and can ping laptop 6 (10.3.1.2).
Other traffic from laptop 5 denied.

Must apply ACL into ROUTER BTB.

ROUTER BTB:

???

access-list 199 deny icmp host 10.2.1.3 host 10.0.1.3
access-list 199 permit tcp host 10.2.1.3 host 10.0.1.3 eq 80
access-list 199 permit tcp host 10.2.1.3 host 10.0.1.3 eq 443
access-list 199 permit icmp host 10.2.1.3 host 10.3.1.2
access-list 199 deny ip host 10.2.1.3     any
access-list 199 permit ip any any

======= filter inbound (apply)

???

int f0/1
ip access-group 199 in

---------INSERT NEW ACL STATEMENTS INTO THE EXISTING ACL ID 199

Allow laptop 5 (10.2.1.3) in LAN BTB to use the web browser to reach
web server (10.3.1.3) in LAN SRP,
and remove the ping access to laptop 6 (10.3.1.2).

???

RouterBTB(config)#ip access-list extended 199
        45 permit tcp host 10.2.1.3 host 10.3.1.3 eq 80
        46 permit tcp host 10.2.1.3 host 10.3.1.3 eq 443
         no 40


######################################################
Requirement 2:
Block laptop 5 (10.2.1.3) in LAN BTB from ping to web server (10.0.1.3)
But it can use web browser to access web server and ping laptop 6 (10.3.1.2).
Other traffic from laptop 5 denied.

Named ACL: For Requirement 2: first remove the numbered ACL above from the interface (no ip access-group 199 in) and delete it (no access-list 199), then build the named one.

???

======= filter outbound (apply)

???

---------INSERT NEW ACL STATEMENTS INTO THE EXISTING NAMED ACL:

Allow laptop 5 (10.2.1.3) in LAN BTB to use the web browser to reach
web server (10.3.1.3) in LAN SRP,
and remove the ping access to laptop 6 (10.3.1.2).

???

Router Standard Access-List

1./ Router HQ

hostname ROUTER-HQ

interface fa0/0
 ip address 10.0.1.1 255.255.255.0
 no shutdown
 exit

interface fa0/1
 ip address 192.168.12.1 255.255.255.0
 no shutdown
 exit

interface serial0/1/0
 ip address 192.168.11.1 255.255.255.0
 clock rate 2000000
 no shutdown
 exit


ip route 10.1.1.0 255.255.255.0 192.168.11.2
ip route 10.2.1.0 255.255.255.0 192.168.12.2
ip route 10.3.1.0 255.255.255.0 192.168.12.3


2./ Router KCM


hostname ROUTER-KCM

interface fa0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
 exit

interface s0/0
 ip address 192.168.11.2 255.255.255.0
 no shutdown
ip route 10.0.1.0 255.255.255.0 192.168.11.1
ip route 10.2.1.0 255.255.255.0 192.168.11.1
ip route 10.3.1.0 255.255.255.0 192.168.11.1


3./ Router BTB


hostname ROUTER-BTB

interface fa0/0
 ip address 10.2.1.1 255.255.255.0
 no shutdown
 exit

interface fa0/1
 ip address 192.168.12.2 255.255.255.0
 no shutdown
 exit

ip route 10.0.1.0 255.255.255.0 192.168.12.1
ip route 10.1.1.0 255.255.255.0 192.168.12.1
ip route 10.3.1.0 255.255.255.0 192.168.12.3


4./ Router SRP


hostname ROUTER-SRP

interface fa0/0
 ip address 10.3.1.1 255.255.255.0
 no shutdown
 exit

interface fa0/1
 ip address 192.168.12.3 255.255.255.0
 no shutdown
 exit

ip route 10.0.1.0 255.255.255.0 192.168.12.1
ip route 10.1.1.0 255.255.255.0 192.168.12.1
ip route 10.2.1.0 255.255.255.0 192.168.12.2


5./ Standard Access Control List (ACL):

===============================================

Exercise 1:

Block laptop 1 (10.0.1.2) in LAN HQ from accessing other
laptops at other networks.
But allow other laptops and server in this LAN HQ.

ROUTER HQ:

access-list 20 deny host 10.0.1.2
access-list 20 permit any
(an explicit "deny any" after "permit any" would never be reached; the implicit deny at the end of every ACL already drops whatever nothing permits)

interface fa0/0
 ip access-group 20 in


1. remove standard acl 20 (the whole list: with a numbered ACL, "no access-list 20 ..." deletes all of ACL 20, not just that one line)

no access-list 20

(to delete a single line instead: ip access-list standard 20, then no <sequence-number>)


2. remove  filter inbound from fa0/0

interface fa0/0
 no ip access-group 20 in



3./ apply to filter outbound of access-list 20

interface serial0/1/0
 ip access-group 20 out

interface fa0/1
 ip access-group 20 out


===============================================

Exercise 2:

Block laptop 6 (10.3.1.2) in LAN SRP from access all hosts in LAN HQ.
Block all laptop in LAN KCM from access all hosts in LAN HQ.
But other laptops allowed. Must apply ACL into ROUTER HQ.


ROUTER HQ:

access-list 99 deny host 10.3.1.2
access-list 99 deny 10.1.1.0 0.0.0.255
access-list 99 permit any

interface f0/0
 ip access-group 99 out

--------insert an access list statement into the existing access list number.
Block laptop 4 (10.2.1.2) in LAN BTB from access all hosts in LAN HQ.

--------check the ACL sequence number:

# show access-list

ip access-list standard 99
 25 deny host 10.2.1.2


===============================================

REQUIREMENT 3:

Allow web server (10.0.1.3) & LAN KCM (10.1.1.0/24) to access LAN BTB (10.2.1.0/24)
But other laptops denied.
Must apply ACL into ROUTER BTB.

ROUTER BTB:

access-list 3 permit host 10.0.1.3
access-list 3 permit 10.1.1.0 0.0.0.255
access-list 3 deny any

interface fa0/1
 ip access-group 3 in

===============================================

REQUIREMENT 4:

Allow only LaptopX (10.0.1.10) in LAN HQ to remote telnet ROUTER HQ.
But other laptops denied. Must apply ACL into ROUTER HQ.

line vty 0 4
 password telnetpass
 login
 exit

enable secret secretpass

access-list 66 permit host 10.0.1.10
line vty 0 4
 access-class 66 in

(access-class filters the vty lines themselves instead of an interface; everything ACL 66 does not permit
 is refused by the implicit deny. Telnet still carries the password in clear text, so for real remote
 access see the SSH section further down.)


************ Lesson ****************

Access Control List (ACL)

Standard ACL characteristic:
- Permit or deny traffic of data flow
- check source ip address
- applies to all protocols (it cannot match on protocol, destination or port)
- Cisco recommend to apply standard ACL into the router near to the destination

Sample config:

Step 1: create standard acl statements:

(config)# access-list acl-id permit/deny src-ip-address

acl-id = 1 ---> 99 or 1300 --->1999

src-ip-address:
 1) host ip address: 10.0.1.2/32     (a single host, all 32 mask bits set)
     /32 --> subnet mask: 255.255.255.255
         --> wildcard mask= 255.255.255.255 - subnet mask=
                          =  0.0.0.0

---> src-ip-address:     host 10.0.1.2 OR 10.0.1.2 0.0.0.0
(config)# access-list acl-id permit/deny host 10.0.1.2
(config)# access-list acl-id permit/deny 10.0.1.2 0.0.0.0

src-ip-address:
 2) network address: 10.0.1.0/24           (network block)
     /24 --> subnet mask: 255.255.255.0
         --> wildcard mask= 255.255.255.255 - subnet mask=
                          =  0.0.0.255

---> src-ip-address: 10.0.1.0 0.0.0.255
(config)# access-list acl-id permit/deny 10.0.1.0 0.0.0.255

src-ip-address:
 3) unspecified: 0.0.0.0/0
     /0 --> subnet mask: 0.0.0.0
         --> wildcard mask= 255.255.255.255 - subnet mask=
                          =  255.255.255.255

---> src-ip-address: 0.0.0.0 255.255.255.255 OR any
(config)# access-list acl-id permit/deny 0.0.0.0 255.255.255.255
(config)# access-list acl-id permit/deny any



Step 2: apply standard acl into interface

(config)# interface name
(config-if)# ip access-group acl-id in/out
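The wildcard-mask rule above, carried through in Python for any prefix length rather than only /32, /24 and /0, and rendered the way a standard ACL entry is written. Added example, not from the notes; the CIDR blocks in the usage call are constructed.

```python
"""Wildcard masks for standard ACL source specs.

Follows the rule in the lesson, wildcard = 255.255.255.255 - subnet mask,
which is the bitwise complement of the mask: a 1 bit in the wildcard means
'ignore this bit' when the router compares a packet's source address.
"""
import ipaddress


def subnet_mask(prefix_len):
    """/n -> dotted mask, e.g. 24 -> 255.255.255.0."""
    return ipaddress.ip_address(0xFFFFFFFF ^ ((1 << (32 - prefix_len)) - 1))


def wildcard(prefix_len):
    """255.255.255.255 - mask, the subtraction done on the 32-bit value."""
    return ipaddress.ip_address(0xFFFFFFFF - int(subnet_mask(prefix_len)))


def acl_source(cidr):
    """Standard-ACL source spec for a CIDR block: 'host X', 'any', or 'X W'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"           # wildcard 0.0.0.0
    if net.prefixlen == 0:
        return "any"                                   # wildcard 255.255.255.255
    return f"{net.network_address} {wildcard(net.prefixlen)}"


def matches(addr, cidr):
    """Does the router's wildcard comparison put addr inside the entry?"""
    net = ipaddress.ip_network(cidr, strict=False)
    wild = int(wildcard(net.prefixlen))
    return (int(ipaddress.ip_address(addr)) | wild) == (int(net.network_address) | wild)


if __name__ == "__main__":
    # constructed blocks: the two forms from the lesson plus a /27 and 'any'
    for cidr in ("10.0.1.2/32", "10.0.1.0/24", "10.1.1.0/27", "0.0.0.0/0"):
        print(f"{cidr:14} access-list 20 deny {acl_source(cidr)}")
```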


************* Exercise *******************


REQUIREMENT 1:

Block Web Server (10.0.1.3) in LAN HQ from accessing other
laptops at other networks.
But allow other laptops and server in this LAN HQ.

ROUTER HQ:

???

access-list 10 deny host 10.0.1.3
access-list 10 permit any

======= filter outbound (apply)
???

int se0/1/0
ip access-group 10 out
exit
int f0/1
ip access-group 10 out

======= remove from interface
???


int se0/1/0
no ip access-group 10 out
exit

int f0/1
no ip access-group 10 out
exit

no access-list 10

######################################################

REQUIREMENT 2:

Block laptop 7 (10.3.1.3) in LAN SRP from access all hosts in LAN HQ.
Block all laptop in LAN BTB(10.2.1.0/24) from access all hosts in LAN HQ.
But other laptops allowed. Must apply ACL into ROUTER HQ.


ROUTER HQ:

???

access-list 20 deny host 10.3.1.3
access-list 20 deny 10.2.1.0 0.0.0.255
access-list 20 permit any

int f0/0
ip access-group 20 out



--------insert an access list statement into the existing access list number.
Block laptop 6 (10.3.1.2) in LAN SRP from access all hosts in LAN HQ.

???


ip access-list standard 20
15 deny host 10.3.1.2


######################################################

REQUIREMENT 3:

Allow only Laptop3 (10.1.1.3) in LAN KCM to remote telnet ROUTER HQ.
But other laptops denied. Must apply ACL into ROUTER HQ.
set telnet password: telnetpwd
set enable secret password : secretpwd


Router HQ

???


line vty 0 4
password telnetpwd
login
exit

enable secret secretpwd

access-list 30 permit host 10.1.1.3
line vty 0 4
access-class 30 in
("line vty 0" alone would protect only the first vty line; lines 1-4 would still accept telnet from anyone)


Administrative access control for a Cisco router

1/- Set enable password: Protect Privilege Exec Mode
    (stored in clear text, or as reversible type 7 with service password-encryption; shown for completeness, prefer 2/-)

enable password myPassword


2/- Set enable secret: Protect Privilege Exec Mode
    (stored as a hash; when both are set, the secret is the one the router asks for)

enable secret mysecretpass


3/- Set Console password(console): When login via console, required console password

enable
configure terminal
line console 0
 password consolepass
 login


4/- Set username password(console): When login via console, required username password

username user1 secret user1pass
line console 0
 login local


5/- Set username password(console) with privilege level 15: When login via console, required username password
   (privilege 15 drops the user straight into privileged exec mode after login, no enable password is asked)

username user1 privilege 15 secret user1pass
line console 0
 login local




6/- Set Telnet password(telnet): When login via telnet remote access, required telnet password
    Ex: IP router: 192.168.2.1/24

line vty 0 4
 password telnetpass
 login



7/- Set username password(telnet): When login via telnet remote access, required username password


interface fa0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
 exit
username user1 secret user1pass
line vty 0 4
 login local
enable secret secretpass


8/- Set username password(telnet) with privilege level 15: When login via telnet remote access, required username password
   (privilege 15 drops the user straight into privileged exec mode after login, no enable password is asked)


interface fa0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
 exit
username user1 privilege 15 secret user1pass
line vty 0 4
 login local
enable secret secretpass



---------------------------------
4) Set SSH remote to Router or Switch (Secure SHell, 22/tcp) password:

Ex: R1-> IP: 192.168.2.1


interface fa0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
 exit

hostname R1
enable secret secretpass
username user1 secret user1pass
ip domain-name www.cambodia.com
crypto key generate rsa

1024        (answer to the "How many bits in the modulus" prompt; 1024 is common in labs, use 2048 on real equipment: crypto key generate rsa modulus 2048)

ip ssh version 2
line vty 0 4
 login local
 transport input ssh


(remote PC> ssh -l user1 192.168.2.1)


----------------------------------------------

How to ssh remote access from Cisco Router1 to Cisco Router2

# ssh -v 2 -l [username1] [ipofrouter2]
# ssh -l [username1] [ipofrouter2]

---------------------------------
5) Set banner to inform when login (the delimiter character that opens and closes the text must not appear inside it):

banner motd "Access for authorized users only. Please enter your username and password."  : option 1
banner motd #Access for authorized users only. Please enter your username and password.#  : option 2
banner motd ^Access for authorized users only. Please enter your username and password.^  : option 3

+ to obfuscate the passwords stored with the password keyword (type 7: reversible, it only hides them from someone reading over your shoulder; the secret keyword is the real protection):

service password-encryption

+ to stop the router from trying to resolve a mistyped command as a hostname (which otherwise hangs the prompt while it waits for DNS):

 no ip domain-lookup


************** Lesson *************


1/- Set enable password: Protect Privilege Exec Mode
    (stored in clear text, or as reversible type 7 with service password-encryption; shown for completeness, prefer 2/-)

enable password myPassword


2/- Set enable secret: Protect Privilege Exec Mode
    (stored as a hash; when both are set, the secret is the one the router asks for)

enable secret mysecretpass


3/- Set Console password(console): When login via console, required console password

line console 0
 password consolepass
 login


4/- Set username password(console): When login via console, required username password (**************************************************)

username user1 secret user1pass
username user2 secret user2pass
line console 0
 login local


5/- Set username password(console) with privilege level 15: When login via console, required username password
   (privilege 15 drops the user straight into privileged exec mode after login, no enable password is asked)

username user1 privilege 15 secret user1pass
line console 0
 login local




6/- Set Telnet password(telnet): When login via telnet remote access, required telnet password
    Ex: IP router: 192.168.2.1/24

line vty 0 4
 password telnetpass
 login



7/- Set username password(telnet): When login via telnet remote access, required username password


interface fa0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
 exit
username user1 secret user1pass
line vty 0 4
 login local
enable secret secretpass


8/- Set username password(telnet) with privilege level 15: When login via telnet remote access, required username password
   (privilege 15 drops the user straight into privileged exec mode after login, no enable password is asked)


interface fa0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
 exit
username user1 privilege 15 secret user1pass
line vty 0 4
 login local
enable secret secretpass



---------------------------------
4) Set SSH remote to Router or Switch (Secure SHell, 22/tcp) password:

Ex: R1-> IP: 192.168.2.1


interface fa0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
 exit
hostname R1

username mengheang secret Passw0rd
username user2     secret user2pass
ip domain-name www.cambodia.com
crypto key generate rsa

1024        (answer to the modulus prompt; use 2048 on real equipment)

ip ssh version 2
line vty 0 4
 login local
 transport input ssh
exit
enable secret secretpass     ***** put enable secret so the user can enter privileged mode after login *****

(remote PC> ssh -l mengheang 192.168.2.1)

----------------------------------------------

How to ssh remote access from Cisco Router1 to Cisco Router2

# ssh -v 2 -l [username1] [ipofrouter2]
# ssh -l [username1] [ipofrouter2]

---------------------------------
5) Set banner to inform when login (the delimiter character that opens and closes the text must not appear inside it):

banner motd "Access for authorized users only. Please enter your username and password."  : option 1
banner motd #Access for authorized users only. Please enter your username and password.#  : option 2
banner motd ^Access for authorized users only. Please enter your username and password.^  : option 3

+ to obfuscate the passwords stored with the password keyword (type 7: reversible, it only hides them from someone reading over your shoulder; the secret keyword is the real protection):

service password-encryption

+ to stop the router from trying to resolve a mistyped command as a hostname (which otherwise hangs the prompt while it waits for DNS):

 no ip domain-lookup
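Why the lessons keep saying secret and not password: the "encryption" that service password-encryption applies is the type 7 scheme, reversible with a fixed key that has been public for decades. The Python below, an added example and not part of the notes, encodes and decodes type 7 strings and then walks a constructed running-config excerpt to show what someone who copies the file learns from each line. The type 5 hash strings in that sample are placeholders, not real hashes.

```python
"""What `service password-encryption` really does.

The `password 7 ...` strings it writes are a fixed-key XOR (a Vigenere-style
cipher whose key is public), so anyone who obtains the configuration file can
read them back. `enable secret` and `username ... secret` store salted hashes
instead and cannot be reversed this way.
"""
import re

KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"   # the IOS type-7 key


def type7_encode(clear, seed=7):
    """seed (0-15 in practice) is written as two decimal digits, then hex of clear XOR key."""
    out = f"{seed:02d}"
    for i, byte in enumerate(clear.encode()):
        out += f"{byte ^ KEY[(seed + i) % len(KEY)]:02X}"
    return out


def type7_decode(hidden):
    seed = int(hidden[:2])
    body = bytes.fromhex(hidden[2:])
    return bytes(b ^ KEY[(seed + i) % len(KEY)] for i, b in enumerate(body)).decode()


def recover_passwords(config_text):
    """For each password/secret line, what someone holding the file learns."""
    results = []
    for line in config_text.splitlines():
        m = re.search(r"\b(password|secret)\s+(?:(\d)\s+)?(\S+)$", line.strip())
        if not m:
            continue
        keyword, kind, value = m.groups()
        if kind is None or kind == "0":
            results.append((line.strip(), f"clear text: {value}"))
        elif kind == "7":
            results.append((line.strip(), f"type 7 reversed: {type7_decode(value)}"))
        else:
            results.append((line.strip(), f"type {kind} {keyword}: hashed, not reversible"))
    return results


# Constructed excerpt of a running-config after 'service password-encryption';
# the type 5 strings are placeholders, not hashes of any real password.
SAMPLE_CONFIG = f"""\
service password-encryption
enable password 7 {type7_encode('myPassword', 9)}
enable secret 5 $1$salt$placeholder.not.a.real.hash
username user1 secret 5 $1$salt$another.placeholder.hash
line console 0
 password 7 {type7_encode('consolepass', 3)}
 login
line vty 0 4
 password 7 {type7_encode('telnetpass', 12)}
 login
"""

if __name__ == "__main__":
    for line, verdict in recover_passwords(SAMPLE_CONFIG):
        print(f"{line:48} -> {verdict}")
```

Every line password and the enable password come straight back out; only the two secret lines resist. That is the whole argument for username ... secret with login local on the vty lines, and for treating a backed-up configuration file as a credential store.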

************** Exercise ***************

###SET PASSWORD ON ROUTER HQ###

1) Set secret password (secretpwd$) : Protect Privilege Exec Mode

???

enable secret secretpwd$

----------------------------

2) Set Console password (consolepwd$) : When login via console, required console password

???

line console 0
password consolepwd$
login


----------------------

3) Set Telnet password (telnetpwd$) : When login via telnet remote access, required telnet password

???


line vty 0 4
password telnetpwd$
login
(all five vty lines, not just vty 0)


################################################
###SET PASSWORD ON ROUTER KCM###
--------------------------------
4) Enable SSH version 2: by create
Username: john
Password: johnpwd$
And set secret password (secretpwd$)

???


enable secret secretpwd$

username john secret johnpwd$

ip domain-name www.cambodia.com

crypto key generate rsa

1024        (answer to the modulus prompt; use 2048 on real equipment)


ip ssh version 2
line vty 0 4
login local
transport input ssh
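A review step for the remote-access commands in the exercises above, in Python: given a configuration script as typed in these lessons, it lists what is still weak. Added example, not from the notes; the three scripts inside it are constructed (a telnet-only answer with "line vty 0", the SSH answer with the 1024-bit modulus, and a hardened version with access-class and a 2048-bit key). Which settings an untouched vty line keeps depends on the platform, so the check only reports that such lines were not configured.

```python
"""Review of the remote-access part of a configuration script.

Flags what these lessons warn about: no `enable secret`, `enable password`
in use, no RSA key or a modulus under 2048 (the '1024' answered at the
prompt), SSH version not pinned to 2, `transport input` not limited to ssh,
a line password instead of `login local`, no `access-class`, and `line vty 0`
configured alone while vty 1-4 keep whatever they had before.
"""
import re


def sections(script):
    """Split into (top-level line, [indented lines]) blocks; blanks and '!' comments dropped."""
    out, header, body = [], "", []
    for raw in script.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            out.append((header, body))
            header, body = raw.strip(), []
    out.append((header, body))
    return out[1:]                      # drop the empty block before the first line


def audit_remote_access(script):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    blocks = sections(script)
    tops = [h for h, _ in blocks]
    if not any(h.startswith("enable secret") for h in tops):
        findings.append("no 'enable secret': privileged EXEC not protected by a hash")
    if any(h.startswith("enable password") for h in tops):
        findings.append("'enable password' present: recoverable from the config")
    rsa = [i for i, h in enumerate(tops) if h.startswith("crypto key generate rsa")]
    if not rsa:
        findings.append("no 'crypto key generate rsa': SSH cannot be enabled")
    for i in rsa:
        m = re.search(r"modulus (\d+)", tops[i])
        nxt = tops[i + 1] if i + 1 < len(tops) else ""   # answer typed at the prompt
        bits = int(m.group(1)) if m else (int(nxt) if nxt.isdigit() else None)
        if bits is None:
            findings.append("RSA modulus not given: the platform default applies")
        elif bits < 2048:
            findings.append(f"RSA modulus {bits} < 2048")
    if "ip ssh version 2" not in tops:
        findings.append("'ip ssh version 2' missing: SSHv1 may be negotiated")
    covered = set()
    for header, body in blocks:
        if not header.startswith("line vty"):
            continue
        nums = [int(n) for n in header.split()[2:]]
        covered.update(range(nums[0], nums[-1] + 1))
        transport = [b for b in body if b.startswith("transport input")]
        if not transport or transport[-1].split()[2:] != ["ssh"]:
            findings.append(f"{header}: transport input not limited to ssh")
        if "login local" not in body:
            findings.append(f"{header}: no 'login local' (line password or no authentication)")
        if not any(b.startswith("access-class") for b in body):
            findings.append(f"{header}: no access-class, reachable from any source address")
    missing = sorted(set(range(5)) - covered)
    if covered and missing:
        findings.append(f"vty {missing} not configured: they keep their previous settings")
    if not covered:
        findings.append("no 'line vty' block")
    return findings


# Constructed scripts: telnet-only answer, the SSH exercise answer, and a hardened version.
WEAK = """\
enable password cisco
line vty 0
 password telnetpwd$
 login
"""
PAGE_SSH = """\
enable secret secretpwd$
username john secret johnpwd$
ip domain-name www.cambodia.com
crypto key generate rsa
1024
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
"""
HARDENED = """\
enable secret secretpwd$
username john secret johnpwd$
ip domain-name www.cambodia.com
crypto key generate rsa modulus 2048
ip ssh version 2
access-list 30 permit host 10.1.1.3
line vty 0 4
 login local
 transport input ssh
 access-class 30 in
"""

if __name__ == "__main__":
    for name, script in (("WEAK", WEAK), ("PAGE_SSH", PAGE_SSH), ("HARDENED", HARDENED)):
        print(name, audit_remote_access(script) or ["ok"])
```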







Administrative access control for a Cisco switch

1- Command Set enable OR secret password: Protect Privilege Exec Mode


switch>enable
switch#configure terminal
switch(config)#enable password myPassword
switch(config)#enable secret mySecret

+ To obfuscate the passwords stored with the password keyword (type 7, reversible; the secret keyword is the real protection):

switch(config)#service password-encryption


2- Set Telnet password:When login via telnet remote access, required telnet password


switch>enable
switch#configure terminal
switch(config)#line vty 0 4
switch(config-line)#password telnetPassword
switch(config-line)#login


3- Set username password: When login via telnet remote access, required username password

switch>enable
switch#configure terminal
switch(config)#interface vlan1
switch(config-if)# ip address 192.168.2.5 255.255.255.0
switch(config-if)#no shutdown
switch(config-if)#exit
switch(config)#ip default-gateway 192.168.2.1
switch(config)#username User secret 123
switch(config)#line vty 0 4
switch(config-line)#login local
switch(config-line)#exit
switch(config)#enable secret secretpass


4- Set SSH remote via Switch (Secure SHell, 22/tcp) password:

Ex: Switch --> IP: 192.168.2.2

switch>enable
switch#configure terminal
switch(config)#interface vlan1
switch(config-if)# ip address 192.168.2.2 255.255.255.0
switch(config-if)#no shutdown
switch(config-if)#exit
switch(config)#enable secret secretpass
switch(config)#username User secret Userpass
switch(config)#ip domain-name www.cambodia.com
switch(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024     (use 2048 on real equipment)

switch(config)#ip ssh version 2
switch(config)#line vty 0 4
switch(config-line)#login local
switch(config-line)#transport input ssh



==> login PC> ssh -l User 192.168.2.2


********** Lesson **************

1/- Set enable password: Protect Privilege Exec Mode
    (stored in clear text, or as reversible type 7 with service password-encryption; shown for completeness, prefer 2/-)

enable password myPassword


2/- Set enable secret: Protect Privilege Exec Mode
    (stored as a hash; when both are set, the secret is the one the switch asks for)

enable secret mysecretpass



3/- Set Telnet password(telnet): When login via telnet remote access, required telnet password
    Ex: IP router: 192.168.2.1/24

line vty 0 4
 password telnetpass
 login



4/- Set username password(telnet): When login via telnet remote access, required username password


interface vlan 1
 ip address 192.168.2.5 255.255.255.0
 no shutdown
 exit
ip default-gateway 192.168.2.1
username user1 secret user1pass
line vty 0 4
 login local
enable secret secretpass


5/- Set username password(telnet) with privilege level 15: When login via telnet remote access, required username password
   (privilege 15 drops the user straight into privileged exec mode after login, no enable password is asked)


interface vlan 1
 ip address 192.168.2.5 255.255.255.0
 no shutdown
 exit
ip default-gateway 192.168.2.1
username user1 privilege 15 secret user1pass
line vty 0 4
 login local
enable secret secretpass


6/- Set SSH remote to Router or Switch (Secure SHell, 22/tcp) password:

Ex: Sw1--> IP: 192.168.2.5

configure terminal
hostname Sw1
int vlan 1
ip add 192.168.2.5 255.255.255.0
no shut
exit
ip default-gateway 192.168.2.1

username mengheang secret Passw0rd
ip domain-name www.cambodia.com
crypto key generate rsa
1024

ip ssh version 2
line vty 0 4
 login local
 transport input ssh
exit
enable secret secretpass


(the same commands work on R1 or Sw1; on a router use a routed interface instead of interface vlan 1)

(remote PC> ssh -l mengheang 192.168.2.5)

----------------------------------------------

How to ssh remote access from Cisco Router1 to Cisco Router2

# ssh -v 2 -l [username1] [ipofrouter2]
# ssh -l [username1] [ipofrouter2]

---------------------------------
5) Set banner to inform when login (the delimiter character that opens and closes the text must not appear inside it):

banner motd "Access for authorized users only. Please enter your username and password."  : option 1
banner motd #Access for authorized users only. Please enter your username and password.#  : option 2
banner motd ^Access for authorized users only. Please enter your username and password.^  : option 3

+ to encrypt passwords that were set with the password keyword (enable password, line password):

service password-encryption

+ to stop the router from trying to resolve a mistyped command as a hostname (a DNS lookup that hangs the CLI):

 no ip domain-lookup
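As an added example (not part of these notes), a small Python audit that reads an IOS running-config as text and flags which of the items from the lessons above are still weak; SAMPLE_CONFIG is a constructed config for a hypothetical device, not one from these notes.

```python
"""Added example (not from the original notes): audit an IOS running-config
text for the hardening items covered in the lessons above."""
import re

# Constructed sample config for a hypothetical device (not from the notes).
SAMPLE_CONFIG = """\
hostname R1_Sw1
enable password myPassword
username mengheang secret Passw0rd
ip domain-name www.cambodia.com
ip ssh version 2
line vty 0 4
 password telnetpass
 login
 transport input telnet ssh
line con 0
 login
"""

def parse_vty(config):
    """Return the indented sub-commands under 'line vty ...'."""
    in_vty, block = False, []
    for line in config.splitlines():
        if line.startswith("line vty"):
            in_vty = True
        elif in_vty and line.startswith(" "):
            block.append(line.strip())
        elif not line.startswith(" "):
            in_vty = False
    return block

def audit(config):
    """Return finding -> True when the weakness is present, False when ok."""
    lines = config.splitlines()
    vty = parse_vty(config)
    transport = next((l for l in vty if l.startswith("transport input")), "")
    return {
        # 'enable password' is clear text; 'enable secret' is hashed
        "enable_password_instead_of_secret":
            bool(re.search(r"^enable password ", config, re.M))
            and not re.search(r"^enable secret ", config, re.M),
        "no_service_password_encryption": "service password-encryption" not in lines,
        # no 'transport input' means the IOS default, which still allows telnet
        "vty_allows_telnet": transport == "" or "telnet" in transport
            or transport.endswith(" all"),
        "vty_not_login_local": "login local" not in vty,
        "ssh_not_version_2": "ip ssh version 2" not in lines,
        "no_banner": not re.search(r"^banner motd ", config, re.M),
        "domain_lookup_enabled": "no ip domain-lookup" not in lines,
    }

if __name__ == "__main__":
    for finding, present in audit(SAMPLE_CONFIG).items():
        print(f"{'FAIL' if present else 'ok  '} {finding}")
```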

Static route and Default route of Cisco Router

1. Router BTB


Router>enable
Router#configure terminal
Router(config)#hostname ROUTER-BTB
ROUTER-BTB(config)#interface fa0/0
ROUTER-BTB(config-if)#ip address 192.168.1.10 255.255.255.248
ROUTER-BTB(config-if)#no shutdown
ROUTER-BTB(config-if)#exit
ROUTER-BTB(config)#interface fa0/1
ROUTER-BTB(config-if)#ip address 10.2.1.1 255.255.255.0
ROUTER-BTB(config-if)#no shutdown
ROUTER-BTB(config-if)#exit
ROUTER-BTB(config)#ip route 10.3.1.0 255.255.255.0 192.168.1.11
ROUTER-BTB(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.9


2. Router HQ


Router>enable
Router#configure terminal
Router(config)#hostname ROUTER-HQ
ROUTER-HQ(config)#interface fa0/0
ROUTER-HQ(config-if)#ip address 10.0.1.1 255.255.255.0
ROUTER-HQ(config-if)#no shutdown
ROUTER-HQ(config-if)#exit
ROUTER-HQ(config)#interface fa0/1
ROUTER-HQ(config-if)#ip address 192.168.1.9 255.255.255.248
ROUTER-HQ(config-if)#no shutdown
ROUTER-HQ(config-if)#exit
ROUTER-HQ(config)#interface serial0/1/0
ROUTER-HQ(config-if)#ip address 192.168.1.1 255.255.255.252
ROUTER-HQ(config-if)#clock rate 2000000
ROUTER-HQ(config-if)#no shutdown
ROUTER-HQ(config-if)#exit
ROUTER-HQ(config)#ip route 10.1.1.0 255.255.255.0 192.168.1.2
ROUTER-HQ(config)#ip route 10.2.1.0 255.255.255.0 192.168.1.10
ROUTER-HQ(config)#ip route 10.3.1.0 255.255.255.0 192.168.1.11


3. Router KCM

Router>enable
Router#configure terminal
Router(config)#hostname ROUTER-KCM
ROUTER-KCM(config)#interface fa0/0
ROUTER-KCM(config-if)#ip address 10.1.1.1 255.255.255.0
ROUTER-KCM(config-if)#no shutdown
ROUTER-KCM(config-if)#exit
ROUTER-KCM(config)#interface se0/0
ROUTER-KCM(config-if)#ip address 192.168.1.2 255.255.255.252
ROUTER-KCM(config-if)#no shutdown
ROUTER-KCM(config-if)#exit
ROUTER-KCM(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

4. Router SRP

Router>enable
Router#configure terminal
Router(config)#hostname ROUTER-SRP
ROUTER-SRP(config)#interface fa0/0
ROUTER-SRP(config-if)#ip address 192.168.1.11 255.255.255.248
ROUTER-SRP(config-if)#no shutdown
ROUTER-SRP(config-if)#exit
ROUTER-SRP(config)#interface fa0/1
ROUTER-SRP(config-if)#ip address 10.3.1.1 255.255.255.0
ROUTER-SRP(config-if)#no shutdown
ROUTER-SRP(config-if)#exit
ROUTER-SRP(config)#ip route 10.2.1.0 255.255.255.0 192.168.1.10
ROUTER-SRP(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.9

Default route and Static route of Cisco

1- Router TV3

Router>enable
Router#configure terminal
Router(config)#hostname TV3
TV3(config)#interface fa0/0
TV3(config-if)#ip add 192.2.2.1 255.255.255.0
TV3(config-if)#no shut
TV3(config-if)#exit
TV3(config)#int f0/1
TV3(config-if)#ip add 12.0.2.5 255.255.255.252
TV3(config-if)#no shut
TV3(config-if)#exit
TV3(config)#ip route 0.0.0.0 0.0.0.0 12.0.2.6
TV3(config)#exit

2- Router TV11

Router>enable
Router#configure terminal
Router(config)#hostname TV11
TV11(config)#int f0/0
TV11(config-if)#ip add 129.27.201.2 255.255.255.252
TV11(config-if)#no shut
TV11(config-if)#exit
TV11(config)#int f0/1
TV11(config-if)#ip add 195.5.5.1 255.255.255.0
TV11(config-if)#no shut
TV11(config-if)#exit
TV11(config)#ip route 0.0.0.0 0.0.0.0 129.27.201.1
TV11(config)#exit

3- Router TV9


Router>enable
Router#configure terminal
Router(config)#hostname TV9
TV9(config)#int f0/0
TV9(config-if)#ip add 196.6.6.1 255.255.255.0
TV9(config-if)#no shut
TV9(config-if)#ex
TV9(config)#int s0/1
TV9(config-if)#ip add 205.129.31.14 255.255.255.252
TV9(config-if)#clock rate 9600
TV9(config-if)#bandwidth 256
TV9(config-if)#no shut
TV9(config-if)#exit
TV9(config)#ip route 0.0.0.0 0.0.0.0 205.129.131.13
TV9(config)#exit

4- Router TVK


Router>enable
Router#configure terminal
Router(config)#hostname TVK
TVK(config)#int f0/0
TVK(config-if)#ip add 193.3.3.1 255.255.255.0
TVK(config-if)#no shut
TVK(config-if)#exit
TVK(config)#int s0/0
TVK(config-if)#ip add 213.152.31.10 255.255.255.252
TVK(config-if)#clock rate 9600
TVK(config-if)#bandwidth 256
TVK(config-if)#no shut
TVK(config-if)#exit
TVK(config)#ip route 0.0.0.0 0.0.0.0 213.152.31.9
TVK(config)#exit
TVK#copy run start


5. Router CTN


Router>enable
Router#configure terminal
Router(config)#hostname CTN
CTN(config)#int f0/0
CTN(config-if)#ip add 129.27.201.1 255.255.255.252
CTN(config-if)#no shut
CTN(config-if)#exit
CTN(config)#int f0/1
CTN(config-if)#ip add 12.0.2.6 255.255.255.252
CTN(config-if)#no shut
CTN(config-if)#exit
CTN(config)#int s0/0
CTN(config-if)#ip add 213.152.31.9 255.255.255.252
CTN(config-if)#no shut
CTN(config-if)#exit
CTN(config)#int s0/1
CTN(config-if)#ip add 205.129.131.13 255.255.255.252
CTN(config-if)#no shut
CTN(config-if)#ex
CTN(config)#ip route 192.2.2.0 255.255.255.0 12.0.2.5
CTN(config)#ip route 195.5.5.0 255.255.255.0 129.27.201.2
CTN(config)#ip route 196.6.6.0 255.255.255.0 205.129.31.14
CTN(config)#ip route 193.3.3.0 255.255.255.0 213.152.31.10
CTN(config)#exit
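As an added check (not part of the original notes) that goes a little beyond the configs above: a Python script that parses interface addresses and static/default routes out of a transcript and reports any next hop that is not on a directly connected subnet. Run on the TV9 transcript as written, it flags the default route, because 205.129.131.13 does not fall inside the s0/1 subnet 205.129.31.12/30; one of the two addresses is a typo, which this kind of check catches before the route silently fails.

```python
"""Added example (not from the original notes): check that every static or
default route's next hop lies inside a directly connected subnet, which is
what the routes in the sections above rely on."""
import ipaddress
import re

def parse_config(config):
    """Return (connected networks, [(prefix, next_hop)]) from CLI text.
    Accepts the prompt-prefixed transcript form used in the notes above."""
    connected, routes = [], []
    for line in config.splitlines():
        cmd = line.split("#", 1)[-1].strip()     # drop 'TV9(config-if)#'
        m = re.match(r"ip add(?:ress)? (\S+) (\S+)$", cmd)
        if m:
            connected.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
            continue
        m = re.match(r"ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)$", cmd)
        if m:
            prefix = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            routes.append((prefix, ipaddress.ip_address(m[3])))
    return connected, routes

def unreachable_next_hops(config):
    """Return (prefix, next_hop) for routes whose next hop is on no connected subnet."""
    connected, routes = parse_config(config)
    return [(str(prefix), str(nh)) for prefix, nh in routes
            if not any(nh in net for net in connected)]

# Transcript of Router TV9 exactly as written in the notes above.
TV9 = """\
TV9(config-if)#ip add 196.6.6.1 255.255.255.0
TV9(config-if)#ip add 205.129.31.14 255.255.255.252
TV9(config)#ip route 0.0.0.0 0.0.0.0 205.129.131.13
"""

if __name__ == "__main__":
    print(unreachable_next_hops(TV9))   # [('0.0.0.0/0', '205.129.131.13')]
```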
