Lab: ACLs, NAT, PAT

Aims

Gain practical skills in building a protected network, examine how the TCP/IP stack operates, and improve practical skills with the Microsoft Windows command-line tools used for network administration.

Tasks

  • Create the initial configuration of a router needed for remote administration (over telnet or SSH).
  • Create standard and extended access lists.
  • Configure static NAT and PAT.

Equipment

A 1605 router and a Catalyst 2960 switch (one router and two switch ports are enough for this lab). The GNS3 emulator can be used instead.

Presetting

  • The router should have factory default settings.
  • The switch should be configured for remote access from the classroom local network.
  • One of the classroom computers (for example, the tutor’s computer) should be connected to a switch port assigned to a different VLAN than the port connected to the local network.

Task time

1 double class

Criteria of grading

Some task points require the student to do some research, or check how well the student has understood the work done. For example, some points cannot be completed without configuring routing tables on the computers, which is not mentioned in the task itself. The student should detect the problem and correct it on his or her own. The student should also demonstrate skill in working with Wireshark while showing that NAT/PAT operates correctly.

Therefore, the work should be graded according to the criteria below.

  • General orientation in the subject area: TCP/IP stack (IP addresses, TCP ports), NAT/PAT, routing
  • Skill with administrative command-line tools and Wireshark
  • Ability to keep one’s wits about oneself
  • Additional questions and discussion

Lab progress

  • Using the console port, configure the router so that it can be reached remotely over telnet.

The router can be accessed through the console interface over RS-232. PuTTY or HyperTerminal (Programs | Accessories | Communications) can be used for this. RS-232 settings: 9600 bits per second, 8 data bits, parity none, stop bits. To access a Cisco router over telnet, carry out the following steps.

a) Set an IP address on the Ethernet 0 interface (interface configuration mode).

ip address ip_address mask

b) Enable the interface (interface configuration mode).

no shu
exit

c) Set a password for telnet access (global configuration mode).

line vty 0 4 
pass password
exit

d) Set a password for entering privileged mode (global configuration mode).

enable secret password

  • Establish a telnet session.

If the previous settings were performed correctly, the router will prompt for a password once the telnet session is established. Enter the password that was configured on line vty.

a) Then, to enter privileged mode, type the command

enable

b) Enter the enable password configured earlier.

  • Set up a logical interface with an arbitrary IP address and a “host” mask (there can be only one IP address in that subnetwork). To do this, execute the following commands in global configuration mode.

interface loopback 0
ip address ip_address mask
exit

  • Leave the telnet session with two consecutive commands.

exit
exit

  • Try to reach the logical interface of the router over telnet. Why did you get this result? Do what is needed so that the command succeeds.
  • Create an access list that allows only packets whose source IP address is that of your computer.

For this a so-called “standard” access list can be used. To create such a list, execute the following commands in global configuration mode.

access-list number permit | deny {any} | {host ip_address_host} | {ip_address_host} | {ip_address_network invert_mask}
number – the access list number (1-99).
permit – forward
deny – reject
ip_address_host – IP address of a host
ip_address_network – network identifier
invert_mask – inverted (wildcard) mask
| – or
{} – groups alternatives

These commands are typed one after another and are processed top-down, the first matching line deciding the packet’s fate. If there is no explicit permit any at the end, all packets that match no line in the list are rejected (the implicit deny).

Example (forwards packets from hosts 1.1.1.1 and 2.2.2.2, rejects packets from network 3.0.0.0 255.0.0.0, forwards all the rest; log turns on logging for that line).

access-list 1 permit 1.1.1.1
access-list 1 permit host 2.2.2.2
access-list 1 deny 3.0.0.0 0.255.255.255
access-list 1 permit any log
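As an added example (not part of the lab text), the matching rule of a standard access list modelled in Python: the wildcard mask marks the bits that are ignored, lines are tried top-down and the first match wins, and a packet that matches nothing hits the implicit deny. LAB_ACL is a constructed copy of the example above with the wildcard for 3.0.0.0/8 written as 0.255.255.255; the same wildcard logic applies to the source and destination fields of extended lists.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_std_acl(lines):
    """Parse 'access-list N permit|deny any|host A|A|A wildcard [log]' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard access-list line: {line!r}")
        args = [t for t in tok[3:] if t != "log"]   # 'log' only switches on logging
        if args == ["any"]:
            net, wild = 0, 0xFFFFFFFF
        elif args[0] == "host":
            net, wild = _to_int(args[1]), 0
        elif len(args) == 1:                         # a bare address means a single host
            net, wild = _to_int(args[0]), 0
        else:
            net, wild = _to_int(args[0]), _to_int(args[1])
        entries.append((tok[2], net, wild))
    return entries

def _matches(net, wild, src):
    # wildcard bit 1 = "don't care": compare only the bits where the wildcard is 0
    care = ~wild & 0xFFFFFFFF
    return (src & care) == (net & care)

def evaluate(entries, src_ip):
    """Top-down, first match wins; a packet that matches no line hits the implicit deny."""
    src = _to_int(src_ip)
    for action, net, wild in entries:
        if _matches(net, wild, src):
            return action
    return "deny"

# Constructed copy of the lab's example list (wildcard for 3.0.0.0/8 is 0.255.255.255)
LAB_ACL = [
    "access-list 1 permit 1.1.1.1",
    "access-list 1 permit host 2.2.2.2",
    "access-list 1 deny 3.0.0.0 0.255.255.255",
    "access-list 1 permit any log",
]

def decide(acl_lines, src_ips):
    """Return {source ip: 'permit'|'deny'} for the given list text."""
    entries = parse_std_acl(acl_lines)
    return {ip: evaluate(entries, ip) for ip in src_ips}
```

decide(LAB_ACL, ["3.4.5.6"]) returns {"3.4.5.6": "deny"}, whereas the same list with wildcard 0.0.0.255 on the deny line permits 3.4.5.6, because that wildcard covers only 3.0.0.0/24.
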

  • Apply the access list to the interface.

An access list can be applied in the in or out direction. For the router, in matches inbound packets and out matches outbound packets. Command in interface configuration mode:

ip access-group number in | out
number – the access list number.

If everything is done correctly, the telnet session will not be dropped. If it has been dropped, use the console to find and correct the mistake. The following diagnostic commands, for example, may be used in privileged mode:

sh run 
sh access-list number
sh inter e 0
sh ip inter e 0
term mon
term nomon
deb ip packet
no deb all

If you cannot understand what the problem is, or have difficulty interpreting the diagnostics, ask the tutor for help. After completing the task, show it to the tutor.

  • Create an access list that permits only telnet, only to the address of interface loopback 0 (configured earlier), and only from your computer. It is assumed that the session is established to the loopback 0 interface.

For this an “extended” access list is used. Such a list can filter not only on the source IP address but also on the destination IP address and on layer-4 information: TCP/UDP port numbers and TCP flags. Extended access lists use numbers from 100 to 199, or named access lists can be created. An example (in global configuration mode) is shown below.

ip access-list extended 100
permit ip 1.1.1.1 0.0.0.0 192.168.5.0 0.0.0.255
permit tcp host 2.2.2.2 192.168.5.1 0.0.0.0 eq 80
deny ip any host 192.168.5.1
deny udp any any eq rip
permit ip any any log

Use the “?” key for context help while typing a command.

  • Apply this access list to interface e 0 in the in direction. If everything is done correctly, the telnet session will not be dropped. If it has been dropped, use the console to find and correct the mistake.

a) Check that telnet does not work from another IP address.

b) Check that ping does not work.

c) Check that telnet to the Ethernet 0 address does not work.

d) Show the results to the tutor.

  • Delete all access lists.

All configured lines are deleted by issuing the same commands with the “no” prefix.

  • Ask the tutor for the address of the switch and the passwords. Access the switch over telnet.

Enter privileged mode (password from the tutor).

  • Configure another Ethernet port (Ethernet 1) of the router.

It should be in the same network as the dedicated computer (see “Presetting”); ask the tutor for the details.

  • Connect this router port to the switch, so that a ping from the router to the IP address of the dedicated computer succeeds.

a) The switch port must be configured correctly.

b) Propose a sequence of actions. If it is correct, the tutor will point out the commands to use.

c) After this step the following network topology should be achieved: two interfaces of the router are connected to different local segments. One segment contains the student’s computer (and the entire local network), the other the tutor’s computer.

  • Configure static NAT so that you can establish a telnet connection to an open TCP port on the dedicated (tutor’s) computer, and so that only packets whose source IP address is the address of the router’s logical interface reach the dedicated computer.

a) First decide which local segment is considered inside and which outside. On the interface connected to the inside segment enter the following command.

ip nat inside 

b) On the interface connected to the outside segment enter the following command.

ip nat outside

c) For static NAT configuration use the following command.

ip nat inside source static inside_local_address inside_global_address

Use the “?” command for help.

  • Get the result. On the tutor’s computer, show that the packets really arrive from the loopback IP address.

While performing this step you may need to change some settings on the tutor’s computer.

  • Configure PAT so that the entire classroom local network has telnet access to the open TCP port of the dedicated computer.

a) First, delete the static NAT command.

b) Create an access list defining which IP addresses are allowed to be translated (“patted”).

c) In global configuration mode type the following command.

ip nat inside source list number interface loopback 0 overload
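As an added example (not the lab’s own material), a Python model of the two translations used in this lab: static NAT, where one inside local address is rewritten 1:1 to the inside global (loopback) address, and PAT with overload, where every source permitted by the list shares the loopback address and is told apart by source port. The NatRouter class, its argument names and the port-allocation order are assumptions of this model, not IOS internals.

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Model of 'ip nat inside source static A B' and 'ip nat inside source list N interface loopback 0 overload'."""

    def __init__(self, inside_global, static=None, permitted=None):
        self.inside_global = inside_global   # address shown to the outside (loopback 0 in the lab)
        self.static = static or {}           # static NAT: inside local -> inside global
        self.permitted = permitted or set()  # sources matched by the access list named in 'list number'
        self.pat_table = {}                  # PAT: (inside local ip, port) -> port on inside_global
        self.used_ports = set()
        self._spare = count(1024)            # simplification: spare ports handed out in order

    def _alloc_port(self, wanted):
        # the original source port is kept while it is free; otherwise another one is chosen
        port = wanted
        while port in self.used_ports:
            port = next(self._spare)
        self.used_ports.add(port)
        return port

    def translate_out(self, pkt):
        """Packet entering on 'ip nat inside' and leaving through 'ip nat outside'."""
        if pkt.src_ip in self.static:        # static NAT is 1:1 and leaves the port untouched
            return Packet(self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.src_ip in self.permitted:     # PAT: many inside hosts share one outside address
            key = (pkt.src_ip, pkt.src_port)
            if key not in self.pat_table:
                self.pat_table[key] = self._alloc_port(pkt.src_port)
            return Packet(self.inside_global, self.pat_table[key], pkt.dst_ip, pkt.dst_port)
        return pkt                           # not in the list: leaves with its private source

    def translate_in(self, pkt):
        """Reply arriving on the outside interface: undo the translation."""
        for (local_ip, local_port), gport in self.pat_table.items():
            if pkt.dst_ip == self.inside_global and pkt.dst_port == gport:
                return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port)
        for local_ip, global_ip in self.static.items():
            if pkt.dst_ip == global_ip:
                return Packet(pkt.src_ip, pkt.src_port, local_ip, pkt.dst_port)
        return pkt
```

With constructed addresses (loopback 10.10.10.1, classroom hosts 192.168.1.10 and 192.168.1.11, tutor 172.16.0.5 port 23), static={"192.168.1.10": "10.10.10.1"} rewrites only that host, while permitted={"192.168.1.10", "192.168.1.11"} lets two hosts that both use source port 40000 leave as 10.10.10.1:40000 and 10.10.10.1:1024, and translate_in maps the reply to port 1024 back to 192.168.1.11:40000.
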

  • Show the tutor that everything is working correctly.
