
CCENT Lab Guide 2-2

Interconnecting Cisco Network Devices

version 3.0

David Bombal

David Bombal CCNA Labs Lab 2.2

Lab 2-2 Connecting to the Internet


Task 1: Configure a Manual IP Address and Static Default Route

Task 2: Configure a DHCP obtained IP Address

Task 3: Configure Network Address Translation (NAT)

Task 4: Configure NAT with Port Address Translation (PAT)

Task 5: Configure Static NAT

Task 6: Can you complete the Assessment Lab?

Visual Objective for Lab 2-2: Connecting to the Internet

 Configure Static and DHCP assigned IP Addressing

 Configure NAT with PAT

Rev 1.0.1 L2.2-1



NOTE: The following table of commands is reference only. Do not try to type them all
in your lab now. Follow the steps after the table.

Command List

Command                                                               Useful Shortcut          Description
>enable                                                               >en                      Activates privilege exec mode
#configure terminal                                                   #conf t                  Activates configuration mode from the terminal
#show ip interface brief                                              #sh ip int brief         Displays the interface status
(config)#interface ‘type/number’                                      (config)#int f0/0        Enters interface configuration mode
(config-if)#ip address ‘ip address’ ‘subnet mask’                     (config-if)#ip add       Enters an IP address on an interface
(config-if)#no shutdown                                               (config-if)#no sh        Enables an interface
#ping ‘ip address’                                                                             Pings an IP address to test connectivity
#show ip route                                                                                 Displays the routing table entries
(config)#ip route 0.0.0.0 0.0.0.0 ‘interface/ip next hop’                                      Creates a static default route
#copy running-config startup-config                                   #copy run start          Saves the running config to NVRAM
(config-if)#ip address dhcp                                                                    Enables an interface as a DHCP client
#telnet ‘ip address/hostname’                                                                  Telnets to an IP address
#terminal monitor                                                     #term mon                Redirects debugging output to a telnet session
#debug ip icmp                                                                                 Enables debugging of ICMP messages
#undebug all                                                          #u all                   Disables all debugging
(config)#access-list ‘number’ permit ‘network’ ‘network mask’                                  Creates a standard access list that permits a network
(config)#ip nat pool ‘pool-name’ ‘start-ip’ ‘end-ip’ netmask ‘mask’                            Configures a pool of addresses for NAT
(config-if)#ip nat inside                                             (config-if)#ip nat in    Configures an interface as a NAT inside interface
(config-if)#ip nat outside                                            (config-if)#ip nat out   Configures an interface as a NAT outside interface
(config)#ip nat inside source list ‘acl-id’ pool ‘pool-id’                                     Configures a dynamic NAT rule that translates addresses to a pool
(config)#ip nat inside source list ‘acl-id’ interface ‘int’ overload                           Configures a dynamic NAT rule that translates addresses to a specific interface address
#show ip nat translations                                             #sh ip nat trans         Displays the NAT translation table
#show users                                                           #sh users                Displays information about the active sessions



Initial Lab setup


Open the initial lab topology file using CCENT Lab 2-2: Connecting to the Internet.pkt

Task 1. Configure a Manual IP Address and static Default Route.


In this task, you will configure a manual IP Address and a static default route on the
Branch Router. You will then verify connectivity between the Branch and HQ Routers
and the Server.

Step 1: Access the Branch router and enter privilege exec mode

Branch> enable

Step 2: Verify the interface status of the Branch router

Branch# sh ip int brief

Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  administratively down down
GigabitEthernet0/1     10.1.1.1        YES manual up                    up
Serial0/1/0            unassigned      YES unset  administratively down down
Serial0/1/1            unassigned      YES unset  administratively down down
Serial0/2/0            unassigned      YES unset  administratively down down
Serial0/2/1            unassigned      YES unset  administratively down down
Vlan1                  unassigned      YES unset  administratively down down

Only interface G0/1 should be enabled and configured with an IP Address.


Step 3: Configure the G0/0 interface with an IP Address.

Manually assign the IP Address of 209.165.201.1 and a subnet mask of 255.255.255.224.

Branch# conf t
Branch(config)# int g0/0
Branch(config-if)# ip address 209.165.201.1 255.255.255.224
Branch(config-if)# no shut

%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up

Step 4: Without exiting the interface configuration mode, use the appropriate
commands to verify the new interface status

Branch(config-if)# do sh ip int brief

Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     209.165.201.1   YES manual up                    up
GigabitEthernet0/1     10.1.1.1        YES manual up                    up
Serial0/1/0            unassigned      YES unset  administratively down down
Serial0/1/1            unassigned      YES unset  administratively down down
Serial0/2/0            unassigned      YES unset  administratively down down
Serial0/2/1            unassigned      YES unset  administratively down down
Vlan1                  unassigned      YES unset  administratively down down

Interfaces G0/0 and G0/1 should now both be enabled and configured with an IP Address.


Step 5: Exit interface configuration mode to privilege exec and then verify
connectivity with the ISP router. (The ISP Router is preconfigured for this lab.)

Branch(config-if)# ^z
Branch# ping 209.165.201.2     !ISP Router G0/0 interface

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.201.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

The ping should be successful, because the destination IP address is on the directly
connected interface shared with the ISP.

Remember:
The first ping may time out as the router needs to resolve ARP (Address
Resolution Protocol) to obtain the layer 2 MAC address of the PC
before the packet can be sent.

Step 6: From the Branch router ping the ISP Internet Gateway Server at
209.165.202.30. This is a network behind the ISP router.

Branch# ping 209.165.202.30

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.30, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The ping is NOT successful, because the destination IP address is not on the directly
connected interface shared with the ISP router.


Step 7: Examine the Routing table of the Branch Router to see if you can identify
why the ping was not successful

Branch# sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, GigabitEthernet0/1
L       10.1.1.1/32 is directly connected, GigabitEthernet0/1
     209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C       209.165.201.0/27 is directly connected, GigabitEthernet0/0
L       209.165.201.1/32 is directly connected, GigabitEthernet0/0

There is no Route present for the IP Address of the ISP Server. That is why the ping
was unsuccessful.

Step 8: On the Branch Router, configure a static default route that points to the
next hop router (HQ)

Branch# conf t
Branch(config)# ip route 0.0.0.0 0.0.0.0 209.165.201.2


Step 9: Save your running configuration

Branch(config)# exit
Branch# copy run start
Destination filename [startup-config]?
Building configuration...
[OK]

Step 10: Ping the ISP Server IP Address once again.

Can you remember a keyboard shortcut that would let you recall the last time you
pinged the Server?

Branch# ping 209.165.202.30

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

There is now a Route present for the IP Address of the Server. That is why the ping
was successful.


Step 11: Examine the Routing Table on Branch

What two elements identify that you have a default route?

Branch# sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 209.165.201.2 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, GigabitEthernet0/1
L       10.1.1.1/32 is directly connected, GigabitEthernet0/1
     209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C       209.165.201.0/27 is directly connected, GigabitEthernet0/0
L       209.165.201.1/32 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via 209.165.201.2

Answer: Default routes are denoted with the codes S and * (asterisk).

Step 12: Remove the previously configured static route to prepare for the next task
and save your current configuration

Branch(config)# no ip route 0.0.0.0 0.0.0.0 209.165.201.2


Remember!
If you believe a command you are typing is a valid command and the
router or switch is not accepting the command, check that you are in
the correct mode. You may have entered the command in privilege
exec mode! If so, you will need to get back into global mode before you
can enter the command. Also, check that you are configuring the
device you think you are. It is easy to jump between devices and end
up trying to configure a switch with router commands.

Branch(config)# do copy run start
Destination filename [startup-config]?
Building configuration...
[OK]

Step 13: Verify the Routing Table on Branch no longer has the default route:

Branch(config)# ^z
Branch# sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, GigabitEthernet0/1
L       10.1.1.1/32 is directly connected, GigabitEthernet0/1
     209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C       209.165.201.0/27 is directly connected, GigabitEthernet0/0
L       209.165.201.1/32 is directly connected, GigabitEthernet0/0


Task 2: Configure a DHCP-Obtained IP Address on interface G0/0 on Branch.

In this task, you will configure the Branch router to obtain an IP address from the HQ
Router. The ISP router has been configured as a DHCP server for this task. Once
configured, you will verify connectivity once again between the Branch and HQ
routers and the Server behind HQ.

Step 1: Access the Branch router

Branch#

Step 2: Configure the G0/0 interface to obtain an IP address by DHCP from the
HQ router

Branch# conf t
Branch(config)# int G0/0
Branch(config-if)# ip address dhcp

You should see an output on the console similar to below confirming the DHCP
address assignment after 10 seconds or so:

%DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address 209.165.201.1, mask 255.255.255.224, hostname Branch


For your information, listed below is the debug output on the ISP router from a similar
DHCP request and assignment process. This was taken from a ‘real’ router, as
Packet Tracer does not have the ability to run the debug listed below.

ISP# debug ip dhcp server events
DHCP server event debugging is on.

Jul 3 12:46:06.066: DHCPD: Sending notification of DISCOVER:
Jul 3 12:46:06.066: DHCPD: htype 1 chaddr 0012.8018.8878
Jul 3 12:46:06.066: DHCPD: remote id 020a0000d1a5c90201000000
Jul 3 12:46:06.066: DHCPD: circuit id 00000000
Jul 3 12:46:06.066: DHCPD: Seeing if there is an internally specified pool class:
Jul 3 12:46:06.066: DHCPD: htype 1 chaddr 0012.8018.8878
Jul 3 12:46:06.066: DHCPD: remote id 020a0000d1a5c90201000000
Jul 3 12:46:06.066: DHCPD: circuit id 00000000
Jul 3 12:46:06.066: DHCPD: Adding binding to radix tree (209.165.201.1)
Jul 3 12:46:06.066: DHCPD: Adding binding to hash tree
Jul 3 12:46:08.066: DHCPD: Sending notification of DISCOVER:
Jul 3 12:46:08.066: DHCPD: htype 1 chaddr 0012.8018.8878
Jul 3 12:46:08.066: DHCPD: remote id 020a0000d1a5c90201000000
Jul 3 12:46:08.066: DHCPD: circuit id 00000000
Jul 3 12:46:08.066: DHCPD: Seeing if there is an internally specified pool class:
Jul 3 12:46:08.066: DHCPD: htype 1 chaddr 0012.8018.8878
Jul 3 12:46:08.066: DHCPD: remote id 020a0000d1a5c90201000000
Jul 3 12:46:08.066: DHCPD: circuit id 00000000
Jul 3 12:46:08.066: DHCPD: Found previous server binding
Jul 3 12:46:08.070: DHCPD: Sending notification of ASSIGNMENT:
Jul 3 12:46:08.070: DHCPD: address 209.165.201.1 mask 255.255.255.224
Jul 3 12:46:08.070: DHCPD: htype 1 chaddr 0012.8018.8878
Jul 3 12:46:08.070: DHCPD: lease time remaining (secs) = 86400

Step 3: Save the running configuration to the start-up configuration

Branch(config-if)# do copy run start
Destination filename [startup-config]?
Building configuration...
[OK]


Step 4: Verify the Interface status on the Branch Router

Branch(config-if)# do sh ip int brief

Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     209.165.201.1   YES DHCP   up                    up
GigabitEthernet0/1     10.1.1.1        YES manual up                    up
Serial0/1/0            unassigned      YES unset  administratively down down
Serial0/1/1            unassigned      YES unset  administratively down down
Serial0/2/0            unassigned      YES unset  administratively down down
Serial0/2/1            unassigned      YES unset  administratively down down
Vlan1                  unassigned      YES unset  administratively down down

Result: The G0/0 interface will show DHCP under the Method column as the
assignment method.


Step 5: Verify the Routing Table on Branch

Branch(config-if)# ^z
Branch# sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 209.165.201.2 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, GigabitEthernet0/1
L       10.1.1.1/32 is directly connected, GigabitEthernet0/1
     209.165.201.0/24 is variably subnetted, 2 subnets, 2 masks
C       209.165.201.0/27 is directly connected, GigabitEthernet0/0
L       209.165.201.1/32 is directly connected, GigabitEthernet0/0
S*   0.0.0.0/0 [254/0] via 209.165.201.2

Question: You should see a default route in the routing table of Branch. Where
did that route come from?

Answer: When the router is configured as a DHCP client, it will import the IP address
and default gateway settings from the DHCP pool on the server. The router uses the
‘default-gateway’ setting to create a default route in its routing table.


Step 6: From Branch, ping the ISP Router 209.165.201.2 address. The ping should
be successful.

Branch# ping 209.165.201.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.201.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Step 7: From Branch, ping the ISP Server 209.165.202.30 once again. The ping
should be successful as there is a default route injected from the knowledge of the
default gateway in the DHCP obtained address pool.

Branch# ping 209.165.202.30

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

The ping should be successful.

Step 8: Access PC1

Select the Desktop tab and open the ‘Command Prompt’.


Step 9: Ping the Branch Router at its ‘Public’ IP address 209.165.201.1

Note:
If the ping is not successful, check that the PC default gateway is set to
10.1.1.1. Also, note that if you have tried this lab more than once to test the
DHCP assignment of IP addresses, you might have a different IP Address on
the Branch G0/0 interface. If this is the case, verify the IP with the ‘#show ip
int brief’ command. Substitute the correct current IP Address in Step 9.

Result: The ping should be successful.


Step 10: Ping the ISP Server at 209.165.202.30

Result: The ping should not be successful. The next steps will examine why.

Step 11: Return to the Branch router and establish a remote telnet session with the
HQ router. Enabling debugging of ICMP packets will highlight the issue. Make sure
to redirect the debug messages to the Telnet session by issuing the appropriate
commands.

Branch# telnet 209.165.201.2
Trying 209.165.201.2 ... Open

User Access Verification

Username: ccna
Password: cisco

ISP# debug ip icmp
ICMP packet debugging is on
ISP# terminal monitor


Step 12: Return to PC1 and repeat the ping to the Server 209.165.202.30 address.

Observe the output on the Telnet session with HQ:

ICMP: dst (10.1.1.100) host unreachable sent to 209.165.202.30
ISP#
ICMP: dst (10.1.1.100) host unreachable sent to 209.165.202.30
ISP#
ICMP: dst (10.1.1.100) host unreachable sent to 209.165.202.30
ISP#
ICMP: dst (10.1.1.100) host unreachable sent to 209.165.202.30

Result: You should see one debugging message for each of the four PC ping
requests. The pings are reaching the ISP router, but because the ISP router does not
have a route back to the Inside 10.1.1.0/24 network of PC1, the router discards the
packets. In the next task, you will configure NAT as a solution that could be used to
overcome this problem.

Note: The Branch router actually has a route to reach the ISP network at this point
and the echo-request from PC1 is actually being received by the ISP Server.
However, the response that you see from the debug is the ISP router, which is the
default-gateway for the ISP DNS Server, responding back to the Server with a host
unreachable as the 10.1.1.100 IP address is not in the ISP routing table. It is not in
the table because the ISP would not route to any RFC 1918 Private IP addresses (it
would actually drop any packets that did that in the real world). Until you configure
NAT and the inside IP addresses are translated to the outside routable range, the
echo-reply cannot be received on PC1.

Step 13: Return to the telnet session, disable debugging, and exit the telnet session.

ISP# undebug all
All possible debugging has been turned off
ISP# exit

[Connection to 209.165.201.2 closed by foreign host]

Branch#


Task 3. Configure NAT

In this task, you will configure NAT on the Branch Router to translate the IP
addresses on the ‘Inside’ network to Public IP addressing. Then you will verify the
NAT configuration and connectivity to the ISP Server from the ‘Inside’ hosts.

Network address translation (NAT) is used to change the source (normally) and
destination (sometimes) addresses between two hosts. The most common
implementation is to allow RFC1918 addresses (private addresses) to communicate
on the Internet.

RFC1918 addresses are:
 10.X.X.X
 172.16.X.X - 172.31.X.X
 192.168.X.X

These addresses are blocked by Internet Service Providers (ISPs) and are thus not
routable on the Internet.

Step 1: Access the Branch router and enter global mode. You will now configure an
Access control list to identify the Branch ‘LAN’ network as ‘interesting traffic’ for the
NAT statement. Listed below are some pointers about access control lists (ACLs),
but you will also revisit these features in later labs when you will use ACLs for the
purpose of permitting and denying certain traffic through the router.

ACL Overview

Access list numbers:
 1-99 Standard IP ACL
 100-199 Extended IP ACL
 1300-1999 Expanded Standard IP ACL
 2000-2699 Expanded Extended IP ACL

Access list matching options:
 Standard - Source address
 Extended - Protocol, source & destination addresses, source & destination
port numbers, types, eq, neq, range and more

Other things to remember:
 Named ACLs can be either standard or extended.
 One ACL per interface, per direction, per protocol.
 Order of statements in an ACL is important - put more specific statements at the
beginning.
 The last statement in an ACL is an implicit deny any.


 An ACL needs at least one permit entry (there are exceptions as always).
 Create the ACL in global configuration and then apply it on an interface - inbound
or outbound.
 Place extended ACLs as close to the source as possible.
 Place standard ACLs as close to the destination as possible.
 Always create the ACL before binding it to an interface.

Branch# conf t

Step 2: Configure a standard ACL that permits the inside network. Use 1 as the ACL
number (this number could be anything from 1-99, but 1 will be used in a later lab).

The access-list in this case is being used to ‘identify the 10.1.x.x as interesting’.

Branch(config)# access-list 1 permit 10.1.0.0 0.0.255.255

We also use only the first two octets to match on, as this will include setup for a later
lab, but if you wanted you could identify 10.1.1.0 0.0.0.255 as the ACL entry.
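To show how the router decides which source addresses are ‘interesting’ for NAT, here is an added Python example (not part of the original lab guide) that evaluates a standard numbered ACL with IOS wildcard-mask semantics: entries are tested in order, the first match wins, and traffic matching no entry hits the implicit deny. It checks the lab's access-list 1 and the 10.1.1.0 0.0.0.255 alternative against PC1, PC2 and the G0/0 address; the host 10.1.2.50 and ACL 2 (a specific deny placed before the broad permit) are constructed to show why statement order matters.

```python
"""Evaluate a standard numbered ACL the way IOS does for NAT's "interesting" check.

Added example, not part of the original lab guide. Rules modelled: entries are
tested in order, the first match decides, a wildcard bit of 1 means "don't care",
and anything that matches no entry hits the implicit deny any.
"""
import ipaddress

# The lab's ACL and the narrower alternative mentioned in Step 2.
LAB_ACL = ["access-list 1 permit 10.1.0.0 0.0.255.255"]
ALT_ACL = ["access-list 1 permit 10.1.1.0 0.0.0.255"]
# Constructed ACL 2: a specific deny placed before the broader permit.
ORDERED_ACL = ["access-list 2 deny host 10.1.1.101",
               "access-list 2 permit 10.1.0.0 0.0.255.255"]
# PC1, PC2, a constructed host on another Branch subnet, and the G0/0 address.
HOSTS = ["10.1.1.100", "10.1.1.101", "10.1.2.50", "209.165.201.1"]


def wildcard_match(address, network, wildcard):
    """True if address matches network/wildcard: only the bits that are 0 in
    the wildcard have to equal the network's bits."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(address)) & care) == \
           (int(ipaddress.IPv4Address(network)) & care)


def parse_standard_acl(lines):
    """Parse 'access-list <number> {permit|deny} <source>' lines into tuples.
    'host A.B.C.D' and a bare address mean an exact match; 'any' matches all."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        number = int(parts[1])
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard ACL number")
        if parts[3] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            network, wildcard = parts[4], "0.0.0.0"
        else:
            network = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((number, parts[2], network, wildcard))
    return entries


def evaluate(entries, source_ip):
    """Return the action of the first matching entry, or the implicit deny."""
    for _number, action, network, wildcard in entries:
        if wildcard_match(source_ip, network, wildcard):
            return action
    return "deny (implicit)"


def nat_eligible(acl_lines, hosts):
    """Which hosts an 'ip nat inside source list <n> ...' rule would translate."""
    entries = parse_standard_acl(acl_lines)
    return {host: evaluate(entries, host) == "permit" for host in hosts}


if __name__ == "__main__":
    for name, acl in (("lab ACL 1", LAB_ACL), ("/24 alternative", ALT_ACL),
                      ("ordered ACL 2", ORDERED_ACL)):
        print(name, nat_eligible(acl, HOSTS))
```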
Step 3: Create a NAT pool with the following parameters:

Pool Name            NAT_POOL
Starting IP Address  209.165.201.5
Ending IP Address    209.165.201.10
Network Mask         255.255.255.224

Branch(config)# ip nat pool NAT_POOL 209.165.201.5 209.165.201.10 netmask 255.255.255.224


Step 4: Configure the G0/1 interface as inside

Real world TIP!
When you configure the ip nat inside command, the router will block for
approx. 30 seconds - 1 minute. After that, you may see the above
message ‘NVI0’ interface going up; this interface is used internally by
the router to perform the NAT functions.

Branch(config)# int g0/1
Branch(config-if)# ip nat inside

Step 5: Configure the G0/0 interface as outside

Branch(config-if)# int g0/0
Branch(config-if)# ip nat out

Step 6: In this step you will configure a dynamic NAT source rule that will translate
the inside host IP addresses into the IP Addresses that you defined in the configured
NAT_POOL in Step 3 above. You will use the configured ACL from Step 2 to specify
the inside network(s) as interesting enough to be eligible for translation.

Branch(config-if)# exit
Branch(config)# ip nat inside source list 1 pool NAT_POOL

Step 7: Save your configuration

Branch(config)# ^z
Branch# copy run start
Destination filename [startup-config]?
Building configuration...
[OK]


Activity verification:

Step 1: On the Branch router, using the appropriate command, verify the NAT
configuration.

Branch# sh ip nat statistics

Total translations: 0 (0 static, 0 dynamic, 0 extended)
Outside Interfaces: GigabitEthernet0/0
Inside Interfaces: GigabitEthernet0/1
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 pool NAT_POOL refCount 0
 pool NAT_POOL: netmask 255.255.255.224
        start 209.165.201.5 end 209.165.201.10
        type generic, total addresses 6 , allocated 0 (0%), misses 0

Step 2: Access PC1. Close the desktop, close the Command Prompt. Open the
Web Browser utility by double-clicking the http: icon on the desktop to establish a
remote session with the ISP Server at 209.165.202.30


You should be successful and be viewing the default Packet Tracer website details
page.

Step 3: Return to the Branch router. Using the appropriate commands, verify that
there are active NAT translations in place:

Branch# sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 209.165.201.5:1035 10.1.1.100:1035    209.165.202.30:80  209.165.202.30:80
tcp 209.165.201.5:1036 10.1.1.100:1036    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.5:1037 10.1.1.100:1037    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.6:1025 10.1.1.101:1025    209.165.202.30:80  209.165.202.30:80

This is the one to take note of:

Pro Inside global      Inside local       Outside local      Outside global
tcp 209.165.201.5:1035 10.1.1.100:1035    209.165.202.30:80  209.165.202.30:80

This active NAT translation identifies the unique session from PC1 with the source IP
of 10.1.1.100 and a source port of 1035 going to the ISP Server at destination
209.165.202.30 and TCP destination port of 80 (the well-known port number for
WWW).


Step 4: Return to PC1.

Access the Command Prompt once again, but this time you will open an FTP
session to the ISP server. Credentials for ftp logins are username: ccna with
password: cisco

You should be successful and be viewing the default ftp directory of the Packet
Tracer Server.

Step 5: Return to the Branch router. Using the appropriate commands, verify that
there are active NAT translations in place

Branch# sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 209.165.201.5:1035 10.1.1.100:1035    209.165.202.30:80  209.165.202.30:80
tcp 209.165.201.5:1036 10.1.1.100:1036    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.5:1037 10.1.1.100:1037    209.165.202.30:21  209.165.202.30:21

Summary of output:

Pro Inside global      Outside global     Inside local       Outside local
tcp 209.165.201.5:1035 209.165.202.30:80  10.1.1.100:1035    209.165.202.30:80
tcp 209.165.201.5:1036 209.165.202.30:21  10.1.1.100:1036    209.165.202.30:21
tcp 209.165.201.5:1037 209.165.202.30:21  10.1.1.100:1037    209.165.202.30:21

As well as the original WWW translation entry, you will also see new active NAT
translations that identify the unique sessions from PC1 with the source IP of 10.1.1.100
and a source port of 1036/1037 going to the ISP Server at destination
209.165.202.30 and TCP destination port of 21 (the well-known port number for
FTP).
Step 6: Access PC2. Open the Web Browser utility by double-clicking the http:
icon on the desktop to establish a remote session with the ISP Server at
209.165.202.30

If PC2 does not have an IP address, assign it 10.1.1.101/24, with a Default-gateway
of 10.1.1.1

You should be successful again. Observe the new translation table entry that
uniquely identifies PC2’s HTTP session:

Branch# sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 209.165.201.5:1035 10.1.1.100:1035    209.165.202.30:80  209.165.202.30:80
tcp 209.165.201.5:1036 10.1.1.100:1036    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.5:1037 10.1.1.100:1037    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.6:1025 10.1.1.101:1025    209.165.202.30:80  209.165.202.30:80

Summary of output:

Pro Inside global      Outside global     Inside local       Outside local
tcp 209.165.201.5:1035 209.165.202.30:80  10.1.1.100:1035    209.165.202.30:80
tcp 209.165.201.5:1036 209.165.202.30:21  10.1.1.100:1036    209.165.202.30:21
tcp 209.165.201.5:1037 209.165.202.30:21  10.1.1.100:1037    209.165.202.30:21
tcp 209.165.201.6:1025 209.165.202.30:80  10.1.1.101:1025    209.165.202.30:80


Step 7: Close the Web Browser on PC2 and repeat the FTP session to the ISP
Server one last time.

Step 8: Return to the Branch router and verify that there are now multiple active NAT
translations from PC1 and PC2. Can you identify the unique ftp and http sessions
from PC1 and PC2?

Branch# sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 209.165.201.5:1035 10.1.1.100:1035    209.165.202.30:80  209.165.202.30:80
tcp 209.165.201.5:1036 10.1.1.100:1036    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.5:1037 10.1.1.100:1037    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.6:1025 10.1.1.101:1025    209.165.202.30:80  209.165.202.30:80
tcp 209.165.201.6:1026 10.1.1.101:1026    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.6:1027 10.1.1.101:1027    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.6:1028 10.1.1.101:1028    209.165.202.30:21  209.165.202.30:21


Summary of output:

Pro Inside global      Outside global     Inside local       Outside local
tcp 209.165.201.5:1035 209.165.202.30:80  10.1.1.100:1035    209.165.202.30:80
tcp 209.165.201.5:1036 209.165.202.30:21  10.1.1.100:1036    209.165.202.30:21
tcp 209.165.201.5:1037 209.165.202.30:21  10.1.1.100:1037    209.165.202.30:21
tcp 209.165.201.6:1025 209.165.202.30:80  10.1.1.101:1025    209.165.202.30:80
tcp 209.165.201.6:1026 209.165.202.30:21  10.1.1.101:1026    209.165.202.30:21
tcp 209.165.201.6:1027 209.165.202.30:21  10.1.1.101:1027    209.165.202.30:21
tcp 209.165.201.6:1028 209.165.202.30:21  10.1.1.101:1028    209.165.202.30:21
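As an added example (not part of the lab guide), the following Python parses the four-column output of show ip nat translations and answers the question in Step 8 by counting each inside host's HTTP and FTP sessions; it also tells one-to-one dynamic NAT apart from overload by checking whether several inside local hosts share one inside global address. TASK3_OUTPUT reproduces the table shown above; PAT_OUTPUT is constructed to show the same two hosts after a Task 4 style overload rule on the G0/0 address.

```python
"""Parse 'show ip nat translations' output and identify the sessions behind it.

Added example, not part of the original lab guide. TASK3_OUTPUT is the
dynamic-NAT table shown in the lab (PC1 = 10.1.1.100, PC2 = 10.1.1.101);
PAT_OUTPUT is constructed: the same hosts behind an overload rule on
209.165.201.1 (the Branch G0/0 address).
"""
from collections import Counter, defaultdict

TASK3_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 209.165.201.5:1035 10.1.1.100:1035    209.165.202.30:80  209.165.202.30:80
tcp 209.165.201.5:1036 10.1.1.100:1036    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.5:1037 10.1.1.100:1037    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.6:1025 10.1.1.101:1025    209.165.202.30:80  209.165.202.30:80
tcp 209.165.201.6:1026 10.1.1.101:1026    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.6:1027 10.1.1.101:1027    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.6:1028 10.1.1.101:1028    209.165.202.30:21  209.165.202.30:21
"""

PAT_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 209.165.201.1:1035 10.1.1.100:1035    209.165.202.30:80  209.165.202.30:80
tcp 209.165.201.1:1036 10.1.1.100:1036    209.165.202.30:21  209.165.202.30:21
tcp 209.165.201.1:1025 10.1.1.101:1025    209.165.202.30:80  209.165.202.30:80
tcp 209.165.201.1:1026 10.1.1.101:1026    209.165.202.30:21  209.165.202.30:21
"""

SERVICE = {21: "ftp", 80: "http"}   # well-known ports used in the lab


def split_socket(text):
    """'209.165.202.30:80' -> ('209.165.202.30', 80)."""
    ip, _, port = text.rpartition(":")
    return ip, int(port)


def parse_translations(output):
    """Return one dict per translation row, keyed by the IOS column names.
    The header line and any row without the five port-carrying columns
    (for example a static one-to-one entry) are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto,
                     "inside_global": split_socket(ig),
                     "inside_local": split_socket(il),
                     "outside_local": split_socket(ol),
                     "outside_global": split_socket(og)})
    return rows


def sessions_per_host(rows):
    """Count sessions per inside host by destination service, e.g.
    {'10.1.1.100': {'http': 1, 'ftp': 2}, ...}."""
    per_host = defaultdict(Counter)
    for row in rows:
        host = row["inside_local"][0]
        port = row["outside_global"][1]
        per_host[host][SERVICE.get(port, str(port))] += 1
    return {host: dict(counts) for host, counts in per_host.items()}


def translation_mode(rows):
    """'one-to-one' when each inside global address belongs to a single inside
    host (dynamic NAT from a pool); 'overload' when several inside hosts share
    one inside global address and are told apart by port (PAT)."""
    hosts_per_global = defaultdict(set)
    for row in rows:
        hosts_per_global[row["inside_global"][0]].add(row["inside_local"][0])
    shared = any(len(hosts) > 1 for hosts in hosts_per_global.values())
    return "overload" if shared else "one-to-one"


if __name__ == "__main__":
    for label, text in (("Task 3 pool", TASK3_OUTPUT), ("overload", PAT_OUTPUT)):
        rows = parse_translations(text)
        print(label, translation_mode(rows), sessions_per_host(rows))
```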

One of the most confusing topics for most engineers is Cisco's definition of
addresses:
 Inside Local address
 Inside Global address
 Outside Local address
 Outside Global address

Inside addresses belong to "insiders" - in other words, hosts or devices that are
inside your organization, building or network. These devices physically reside on
your inside network.

Outside addresses belong to "outsiders" - those physical devices that are outside
your organization, building or network. These devices physically reside outside your
network.

Local addresses are local to your Local Area Network (LAN) - this is how an
address appears when traversing the local network.

Global addresses are on the global Internet - this is how an address appears on the
Internet.

Step 9: Close the sessions on PC1, PC2 and the ISP Server.


David Bombal CCNA Labs Lab 2.2

TASK 4. Configure NAT with PAT (Port Address Translation)


In this task you will configure dynamic NAT with PAT on the Branch router to
translate the inside hosts to public IP addressing. Then you will verify NAT
configuration and connectivity to the ISP Server from the ‘Inside’ hosts.

What is the difference between NAT & PAT?

NAT - single address to single address translation (one-to-one).

PAT - multiple addresses to single address translation (many-to-one). Port numbers
are used to differentiate between the original inside addresses.

Step 1: Return to the Branch router and enter global configuration mode

Branch# conf t

Branch(config)#
Step 2: Remove the previously configured NAT rule

Branch(config)# no ip nat inside source list 1 pool NAT_POOL

You may receive the message "Dynamic mapping in use, do you want to delete all
entries? [no]:" - answer yes.

Step 3: Configure a dynamic NAT/PAT (NAT with Overload) rule that translates the
inside hosts addresses with the Branch router ‘outside’ interface IP address. Use the
same ACL previously configured to do this.

Branch(config)# ip nat inside source list 1 int g0/0 overload


Step 4: Save your configuration

Branch(config)# ^z

Branch# copy run start

Destination filename [startup-config]?


Building configuration...
[OK]

Activity Verification:

Step 1: Access PC1. Open the Web Browser utility by double-clicking the http:
icon on the desktop tab to establish a remote session with the ISP Server at
209.165.202.30


Result: You should be successful and be viewing the default Packet Tracer website
details page

Step 2: Access PC2. Open the Web Browser utility by double-clicking the http:
icon on the desktop tab to establish a remote session with the ISP Server at
209.165.202.30

If PC2 does not have an IP address, assign it 10.1.1.101/24 with a default gateway of
10.1.1.1

Result: You should be successful again.


Step 3: Return to PC1

Access the Command Prompt once again, but this time you will open an FTP
session to the ISP server. Credentials for FTP logins are username: ccna with
password: cisco (username: cisco and password: cisco also works).


Result: You should be successful and be viewing the default FTP directory of the
Packet Tracer Server.

Step 4: Close the Web Browser on PC2 and repeat the FTP session to the ISP
Server one last time.

Result: You should be successful and be viewing the default ftp directory of the
Packet Tracer Server.


Step 5: From the Branch Router verify the NAT translations taking place.

Branch# sh ip nat translations

Pro Inside global Inside local Outside local Outside global
tcp 209.165.201.1:1029 10.1.1.101:1029 209.165.202.30:80 209.165.202.30:80
tcp 209.165.201.1:1030 10.1.1.101:1030 209.165.202.30:21 209.165.202.30:21
tcp 209.165.201.1:1039 10.1.1.100:1039 209.165.202.30:80 209.165.202.30:80
tcp 209.165.201.1:1040 10.1.1.100:1040 209.165.202.30:21 209.165.202.30:21

Summary of output:
Pro Inside global Outside global Inside local Outside local
tcp 209.165.201.1:1029 209.165.202.30:80 10.1.1.101:1029 209.165.202.30:80
tcp 209.165.201.1:1030 209.165.202.30:21 10.1.1.101:1030 209.165.202.30:21
tcp 209.165.201.1:1039 209.165.202.30:80 10.1.1.100:1039 209.165.202.30:80
tcp 209.165.201.1:1040 209.165.202.30:21 10.1.1.100:1040 209.165.202.30:21

Notice that two inside local addresses are translated to the same inside global
address. In order to keep each session unique, the router maintains distinct port
numbers for these sessions.

Remember there are 65,536 port numbers – the lower 1024 are referred to as the
well-known port numbers. For example:

Protocol Port

HTTP 80

HTTPS 443

DNS 53

TFTP 69

FTP 20/21

SSH 22


Some operating systems randomly generate their source port above 1025 whilst
others generate their port numbers using the high ‘ephemeral’ port numbers above
49152. You can see from the output in step 5 that Packet Tracer uses the lower port
number scheme.
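The many-to-one behaviour shown in Step 5, together with Cisco's four address terms (inside/outside, local/global) defined after Task 3, as an added Python model. This is example code written for this guide, not part of the lab, Packet Tracer or Cisco IOS. It replays the four sessions from the Step 5 output against the Branch router's outside address 209.165.201.1 and then adds one constructed session in which PC1 reuses a source port PC2 already holds, which the lab output never shows. Keeping the host's own source port when it is free matches the lab output; the "next free port from 1025" rule used on a collision is an assumption for this model, not a description of the IOS port allocator.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# One session as the inside host sees it:
# (proto, inside local ip, inside local port, outside global ip, outside global port)
Flow = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Translation:
    """One row of 'show ip nat translations', using Cisco's four address terms."""
    proto: str
    inside_global: str   # ip:port the outside world sees (router's outside interface)
    inside_local: str    # ip:port of the real inside host
    outside_local: str   # the outside host as seen from the inside (unchanged here)
    outside_global: str  # the outside host's real address


class PatTable:
    """NAT overload (PAT): every inside host is hidden behind one inside global
    address, and sessions are told apart by the inside global port."""

    def __init__(self, inside_global_ip: str, first_port: int = 1025,
                 last_port: int = 65535) -> None:
        self.inside_global_ip = inside_global_ip
        self.first_port = first_port
        self.last_port = last_port
        self._entries: Dict[Flow, Translation] = {}
        # (inside global port, outside global ip, outside global port) already allocated
        self._used: Set[Tuple[int, str, int]] = set()

    def _pick_port(self, src_port: int, dst_ip: str, dst_port: int) -> int:
        # Keep the host's own source port when it is free (what the lab output shows:
        # 10.1.1.101:1029 -> 209.165.201.1:1029). Only when another inside host already
        # holds that port towards the same destination is a different one chosen.
        # ASSUMPTION: "next free port from first_port" is this model's rule, not IOS's.
        if (src_port, dst_ip, dst_port) not in self._used:
            return src_port
        for port in range(self.first_port, self.last_port + 1):
            if (port, dst_ip, dst_port) not in self._used:
                return port
        raise RuntimeError("PAT port range exhausted")

    def translate(self, proto: str, src_ip: str, src_port: int,
                  dst_ip: str, dst_port: int) -> Translation:
        """Outbound packet: return (creating if needed) the translation for this flow."""
        key: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self._entries:
            port = self._pick_port(src_port, dst_ip, dst_port)
            self._used.add((port, dst_ip, dst_port))
            self._entries[key] = Translation(
                proto,
                f"{self.inside_global_ip}:{port}",
                f"{src_ip}:{src_port}",
                f"{dst_ip}:{dst_port}",   # no outside translation is configured, so
                f"{dst_ip}:{dst_port}",   # outside local == outside global
            )
        return self._entries[key]

    def reverse(self, proto: str, from_ip: str, from_port: int,
                to_port: int) -> Optional[str]:
        """Return packet from from_ip:from_port to inside_global_ip:to_port:
        find the inside local ip:port it belongs to (None means no session, drop)."""
        wanted = f"{self.inside_global_ip}:{to_port}"
        for (p, _, _, dip, dport), t in self._entries.items():
            if p == proto and dip == from_ip and dport == from_port and t.inside_global == wanted:
                return t.inside_local
        return None

    def rows(self) -> List[str]:
        """Render the table in the column order of 'show ip nat translations'."""
        return [f"{t.proto} {t.inside_global} {t.inside_local} {t.outside_local} {t.outside_global}"
                for t in self._entries.values()]


def lab_sessions() -> Tuple[PatTable, List[Translation]]:
    """Replay the Task 4 Step 5 sessions (taken from the lab output) plus one
    constructed session in which PC1 reuses a source port PC2 already holds."""
    pat = PatTable("209.165.201.1")
    flows = [
        ("tcp", "10.1.1.101", 1029, "209.165.202.30", 80),   # PC2 HTTP
        ("tcp", "10.1.1.101", 1030, "209.165.202.30", 21),   # PC2 FTP
        ("tcp", "10.1.1.100", 1039, "209.165.202.30", 80),   # PC1 HTTP
        ("tcp", "10.1.1.100", 1040, "209.165.202.30", 21),   # PC1 FTP
        ("tcp", "10.1.1.100", 1029, "209.165.202.30", 80),   # constructed: clashes with PC2
    ]
    return pat, [pat.translate(*f) for f in flows]


if __name__ == "__main__":
    pat, translations = lab_sessions()
    print("Pro Inside global Inside local Outside local Outside global")
    for row in pat.rows():
        print(row)
```

The fifth row is the point of the model: both PCs chose source port 1029 towards 209.165.202.30:80, so the router cannot give both the inside global 209.165.201.1:1029, or the reply from the server could not be mapped back to the right PC. The `reverse` lookup shows that a reply to a port with no entry is dropped, which is why hosts behind PAT are not reachable from outside unless a static entry (Task 5) exists.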

Step 6: Close the sessions on PC1 and PC2.

TASK 5. Configure Static NAT


In this task you will configure static NAT on the Branch router to translate the inside
email and DNS servers to public IP addressing. The servers need to be known by a
fixed public IP address so that ‘outside’ hosts always know the address at which to
reach them.

For the purpose of the exercise, you will use SW1 and SW2 to simulate the servers
in the network. Then you will verify NAT configuration and connectivity to the ISP
Server from the ‘Inside’ hosts.
Step 1: Return to the Branch router and enter global configuration mode

Branch# conf t
Enter configuration commands, one per line. End with CNTL/Z.

Branch(config)#

Step 2: Configure two static NAT translations for the two switches. SW1 (10.1.1.11)
should translate to an address of 209.165.201.11 and SW2 (10.1.1.12) should
translate to an address of 209.165.201.12

Branch(config)# ip nat inside source static 10.1.1.11 209.165.201.11
Branch(config)# ip nat inside source static 10.1.1.12 209.165.201.12


Step 3: From the Branch Router verify the NAT translations taking place.

Branch# sh ip nat translations

Pro Inside global Inside local Outside local Outside global
--- 209.165.201.11 10.1.1.11 --- ---
--- 209.165.201.12 10.1.1.12 --- ---
tcp 209.165.201.1:1029 10.1.1.101:1029 209.165.202.30:80 209.165.202.30:80
tcp 209.165.201.1:1030 10.1.1.101:1030 209.165.202.30:21 209.165.202.30:21
tcp 209.165.201.1:1039 10.1.1.100:1039 209.165.202.30:80 209.165.202.30:80
tcp 209.165.201.1:1040 10.1.1.100:1040 209.165.202.30:21 209.165.202.30:21

Summary of output:
Pro Inside global Outside global Inside local Outside local
--- 209.165.201.11 --- 10.1.1.11 ---
--- 209.165.201.12 --- 10.1.1.12 ---
tcp 209.165.201.1:1029 209.165.202.30:80 10.1.1.101:1029 209.165.202.30:80
tcp 209.165.201.1:1030 209.165.202.30:21 10.1.1.101:1030 209.165.202.30:21
tcp 209.165.201.1:1039 209.165.202.30:80 10.1.1.100:1039 209.165.202.30:80
tcp 209.165.201.1:1040 209.165.202.30:21 10.1.1.100:1040 209.165.202.30:21


vi

With no active connections in place, you should just see the static entries in the
table. These will always be visible, even with no sessions taking place.

Step 4: From SW1, telnet to the ISP router on 209.165.201.2

SW1> telnet 209.165.201.2


Trying 209.165.201.2 ...Open

User Access Verification

Username: ccna

Password: cisco
ISP#

Result: The connection should be successful.

Step 5: From SW2, telnet to the ISP router on 209.165.201.2

SW2> telnet 209.165.201.2
Trying 209.165.201.2 ...Open

User Access Verification

Username: ccna

Password: cisco
ISP#

Result: The connection should be successful.



Step 6: From the Branch Router verify the NAT translations taking place.

Branch# sh ip nat translations

Pro Inside global Inside local Outside local Outside global
--- 209.165.201.11 10.1.1.11 --- ---
--- 209.165.201.12 10.1.1.12 --- ---
tcp 209.165.201.1:1029 10.1.1.101:1029 209.165.202.30:80 209.165.202.30:80
tcp 209.165.201.1:1030 10.1.1.101:1030 209.165.202.30:21 209.165.202.30:21
tcp 209.165.201.1:1039 10.1.1.100:1039 209.165.202.30:80 209.165.202.30:80
tcp 209.165.201.1:1040 10.1.1.100:1040 209.165.202.30:21 209.165.202.30:21
tcp 209.165.201.11:1025 10.1.1.11:1025 209.165.201.2:23 209.165.201.2:23
tcp 209.165.201.12:1025 10.1.1.12:1025 209.165.201.2:23 209.165.201.2:23

Summary of output:
Pro Inside global Outside global Inside local Outside local
--- 209.165.201.11 --- 10.1.1.11 ---
--- 209.165.201.12 --- 10.1.1.12 ---
tcp 209.165.201.1:1029 209.165.202.30:80 10.1.1.101:1029 209.165.202.30:80
tcp 209.165.201.1:1030 209.165.202.30:21 10.1.1.101:1030 209.165.202.30:21
tcp 209.165.201.1:1039 209.165.202.30:80 10.1.1.100:1039 209.165.202.30:80
tcp 209.165.201.1:1040 209.165.202.30:21 10.1.1.100:1040 209.165.202.30:21
tcp 209.165.201.11:1025 209.165.201.2:23 10.1.1.11:1025 209.165.201.2:23
tcp 209.165.201.12:1025 209.165.201.2:23 10.1.1.12:1025 209.165.201.2:23

Along with the static entries, you should now be able to see the established telnet
sessions from both switches to the ISP router. With no active connections in place,
you should just see the static entries in the table. These will always be visible, even
with no sessions taking place.

In all instances, the outside local address will always be seen as the same as the
outside global address – one of the functions of NAT is to hide the outside
organization's own inside local IP addressing, and no such outside translation is
configured in this lab.
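A small parser for the `show ip nat translations` table, added here as example code (not from the lab or Cisco IOS), that checks the points made in Steps 3 and 6: the static entries are the rows with `---` in the protocol column and have no outside side, each switch always appears behind its own fixed inside global address, the PC sessions share the one overloaded address, and outside local equals outside global on every dynamic row. The sample output is reconstructed from the lab's Step 6 table with the real IOS column order; the helper names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed from the Task 5 Step 6 table (same rows, IOS column order).
SAMPLE_OUTPUT = """\
Pro  Inside global        Inside local        Outside local        Outside global
---  209.165.201.11       10.1.1.11           ---                  ---
---  209.165.201.12       10.1.1.12           ---                  ---
tcp  209.165.201.1:1029   10.1.1.101:1029     209.165.202.30:80    209.165.202.30:80
tcp  209.165.201.1:1030   10.1.1.101:1030     209.165.202.30:21    209.165.202.30:21
tcp  209.165.201.1:1039   10.1.1.100:1039     209.165.202.30:80    209.165.202.30:80
tcp  209.165.201.1:1040   10.1.1.100:1040     209.165.202.30:21    209.165.202.30:21
tcp  209.165.201.11:1025  10.1.1.11:1025      209.165.201.2:23     209.165.201.2:23
tcp  209.165.201.12:1025  10.1.1.12:1025      209.165.201.2:23     209.165.201.2:23
"""


@dataclass
class NatEntry:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str

    @property
    def is_static(self) -> bool:
        # Static one-to-one entries carry no protocol, port or outside side.
        return self.proto == "---"


def ip_of(addr: str) -> str:
    """Strip a ':port' suffix if present ('10.1.1.100:1039' -> '10.1.1.100')."""
    return addr.rsplit(":", 1)[0]


def parse_translations(text: str) -> List[NatEntry]:
    """Turn the raw show output into entries; the header line is skipped."""
    entries: List[NatEntry] = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly five fields; the header splits into more words.
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        entries.append(NatEntry(*parts))
    return entries


def static_entries(entries: List[NatEntry]) -> List[NatEntry]:
    """The rows that stay in the table even when no session is active."""
    return [e for e in entries if e.is_static]


def public_addresses_of(entries: List[NatEntry], inside_ip: str) -> Set[str]:
    """Every inside global address a given inside host has appeared behind.
    A statically translated server must map to exactly one."""
    return {ip_of(e.inside_global) for e in entries if ip_of(e.inside_local) == inside_ip}


def outside_mismatches(entries: List[NatEntry]) -> List[NatEntry]:
    """Dynamic rows whose outside local differs from outside global. With no
    outside-source translation configured, as in this lab, this must be empty."""
    return [e for e in entries if not e.is_static and e.outside_local != e.outside_global]


def sessions_per_inside_global(entries: List[NatEntry]) -> Dict[str, int]:
    """How many sessions sit behind each inside global address; more than one
    on the same address means PAT (overload) is in effect for those hosts."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e.is_static:
            continue
        ip = ip_of(e.inside_global)
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    table = parse_translations(SAMPLE_OUTPUT)
    print("static entries:", [(e.inside_local, e.inside_global) for e in static_entries(table)])
    print("sessions per inside global:", sessions_per_inside_global(table))
    print("outside local/global mismatches:", outside_mismatches(table))
```

Pasting the output of the real command in place of `SAMPLE_OUTPUT` gives the same checks against a live router; a host that shows up behind more than one inside global address, or a static entry that has disappeared, is the kind of change worth noticing when reviewing a NAT configuration.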


Step 7: Close the sessions on SW1 and SW2.

You have completed the lab tasks.

Task 6: Can you complete the Assessment Lab


CCENT Lab 2-1 Packet Tracer Assessment - Connecting to the Internet
Assessment File: CCENT Lab 2-2 Connecting to the Internet PTSA.pka
Acme Engineering has contracted with your company to provision their new network
with Internet connectivity. You will be the network engineer providing the support for
this contract.

Access Credentials:
Username: ccna
Password: cisco
Enable Password: secret123

You are tasked with ensuring the following:

1. Ensure devices can successfully connect to the Internet from the LAN devices.
2. The Branch router must have the first available IP address of the ISP scope
manually assigned on the interface facing the ISP.
3. Ensure that the ISP does not dynamically learn about your device or
operating system.
4. Ensure that the Branch router can successfully connect to the Internet.
Testing connectivity to www.cisco.com and www.google.com should be
successful.
5. SW1 and SW2 must be able to connect to cisco.com for software updates.
a. SW1 should always connect with the 3rd available IP address from the
ISP scope
b. SW2 should always connect with the 4th available IP address from the
ISP scope
c. ISP provided scope is 209.165.201.0 /27
6. LAN Clients should be able to connect to the Internet using a pool
INTERNET, with a range of addresses starting from 209.165.201.11 and
ending 209.165.201.30.
7. Only Clients from the existing LAN network are to be able to connect to the
internet. New ‘secure’ networks are planned for in time, but these will not be
allowed to connect to the internet. Using an IOS traffic identifier number 1,
ensure that you only allow the existing network to connect. You should be
able to test that clients can reach both www.cisco.com and www.google.com
web pages.
8. SW1 and SW2 should connect to cisco.com using IP addressing only
