
Assignment 4

A. Configuring Static NAT in Cisco Packet Tracer.

[https://www.youtube.com/watch?v=ohvGuTPQ1SM]

The submission file in word format should include the following:

1. The steps followed in configuring each device [Two PCs, one Switch, one router, one router (NAT)].

2. Add screenshot of the final network setup.

3. Include the screenshots of verifying the network by pinging the IP address of the NAT router (both g0/0 and g0/1) and PC1 from PC0.

4. Add screenshot of NAT configuration in NAT router, where you have to mention nat inside and nat outside.

Router#en
Router#conf t
Router(config)#int g0/0
Router(config-if)#ip nat inside
Router(config-if)#exit

Router(config)#int g0/1
Router(config-if)#ip nat outside
Router(config-if)#end

Router#wr
Building configuration…
[OK]
Router#
5. Add screenshot of NAT configuration in NAT router, where you have to mention the translation from the private IP address to public IP address on PC0.

Router(config)#ip nat inside source ?
  list    Specify access list describing local addresses
  static  Specify static local->global mapping
Router(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
Router(config)#ip nat inside source static 192.168.10.10 ?
  A.B.C.D  Inside global IP address
Router(config)#ip nat inside source static 192.168.10.10 10.0.0.1
Router(config)#end

6. Include the screenshots of pinging the router1 address from PC0 and show the address translations.

Router#show ip nat translations
Pro  Inside global     Inside local        Outside local   Outside global
icmp 10.0.0.1:16      192.168.10.10:16    10.0.0.2:16     10.0.0.2:16
icmp 10.0.0.1:17      192.168.10.10:17    10.0.0.2:17     10.0.0.2:17
icmp 10.0.0.1:18      192.168.10.10:18    10.0.0.2:18     10.0.0.2:18
icmp 10.0.0.1:19      192.168.10.10:19    10.0.0.2:19     10.0.0.2:19
icmp 10.0.0.1:20      192.168.10.10:20    10.0.0.2:20     10.0.0.2:20
---  10.0.0.1         192.168.10.10       ---             ---

7. Enable the debug option and include the screenshots of the translations.

Router#debug ip ?
eigrp IP-EIGRP information
icmp ICMP transactions
nat NAT events
ospf OSPF information
packet Packet information
rip RIP protocol transactions
routing Routing table events
Router#debug ip nat
IP NAT debugging is on
Router#
NAT: s=192.168.10.10->10.0.0.1, d=10.0.0.2 [25]
NAT*: s=10.0.0.2, d=10.0.0.1->192.168.10.10 [17]
NAT: s=192.168.10.10->10.0.0.1, d=10.0.0.2 [26]
NAT*: s=10.0.0.2, d=10.0.0.1->192.168.10.10 [18]
NAT: s=192.168.10.10->10.0.0.1, d=10.0.0.2 [27]
NAT*: s=10.0.0.2, d=10.0.0.1->192.168.10.10 [19]
NAT: s=192.168.10.10->10.0.0.1, d=10.0.0.2 [28]
NAT*: s=10.0.0.2, d=10.0.0.1->192.168.10.10 [20]
NAT: expiring 10.0.0.1 (192.168.10.10) icmp 20 (20)
NAT: expiring 10.0.0.1 (192.168.10.10) icmp 21 (21)
NAT: expiring 10.0.0.1 (192.168.10.10) icmp 22 (22)
NAT: expiring 10.0.0.1 (192.168.10.10) icmp 23 (23)

8. Add screenshot of NAT configuration in NAT router, where you have to mention the translation from the private IP address to public IP address on PC1.

Router#configure terminal
Router(config)#ip nat ?
  inside   Inside address translation
  outside  Outside address translation
  pool     Define pool of addresses
Router(config)#ip nat inside ?
  source  Source address translation
Router(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
Router(config)#ip nat inside source static 192.168.10.20 10.0.0.3
Router(config)#ipnat_add_static_cfg: id 2, flag 6
id 2, flags 0, domain 0, lookup 0, from_addr C0A80A14,
from_mask FFFFFFFF, from_port 0, to_addr 0A000003, to_port 0
to_mask FFFFFFFF, proto 0
Router(config)#exit

(The ipnat_add_static_cfg lines are printed because debug ip nat is still enabled from step 7; from_addr C0A80A14 and to_addr 0A000003 are 192.168.10.20 and 10.0.0.3 written in hexadecimal.)

9. Include the screenshots of pinging the router1 address from PC1 and show the address translations.

Router#show ip nat translations
Pro  Inside global     Inside local        Outside local   Outside global
icmp 10.0.0.3:1       192.168.10.20:1     10.0.0.3:1      10.0.0.3:1
icmp 10.0.0.3:2       192.168.10.20:2     10.0.0.2:2      10.0.0.2:2
icmp 10.0.0.3:3       192.168.10.20:3     10.0.0.2:3      10.0.0.2:3
icmp 10.0.0.3:4       192.168.10.20:4     10.0.0.2:4      10.0.0.2:4
icmp 10.0.0.3:5       192.168.10.20:5     10.0.0.2:5      10.0.0.2:5
---  10.0.0.1         192.168.10.10       ---             ---
---  10.0.0.3         192.168.10.20       ---             ---

10. Enable the debug option and include the screenshots of the translations.

Router#debug ip nat
IP NAT debugging is on
Router#
NAT: expiring 10.0.0.3 (192.168.10.20) icmp 1 (1)
NAT: s=192.168.10.20->10.0.0.3, d=10.0.0.2 [14]
NAT*: s=10.0.0.2, d=10.0.0.3->192.168.10.20 [25]
NAT: s=192.168.10.20->10.0.0.3, d=10.0.0.2 [15]
NAT*: s=10.0.0.2, d=10.0.0.3->192.168.10.20 [26]
NAT: s=192.168.10.20->10.0.0.3, d=10.0.0.2 [16]
NAT*: s=10.0.0.2, d=10.0.0.3->192.168.10.20 [27]
NAT: expiring 10.0.0.3 (192.168.10.20) icmp 2 (2)
NAT: s=192.168.10.20->10.0.0.3, d=10.0.0.2 [17]
NAT*: s=10.0.0.2, d=10.0.0.3->192.168.10.20 [28]
NAT: expiring 10.0.0.3 (192.168.10.20) icmp 3 (3)
NAT: expiring 10.0.0.3 (192.168.10.20) icmp 4 (4)
NAT: expiring 10.0.0.3 (192.168.10.20) icmp 5 (5)
Router#
NAT: expiring 10.0.0.3 (192.168.10.20) icmp 6 (6)
NAT: expiring 10.0.0.3 (192.168.10.20) icmp 7 (7)
NAT: expiring 10.0.0.3 (192.168.10.20) icmp 8 (8)
NAT: expiring 10.0.0.3 (192.168.10.20) icmp 9 (9)


B. Configuring Dynamic NAT in Cisco Packet Tracer

The submission file in word format should include the following:

1. The steps followed in configuring each device [Two PCs, one Switch, one router, one router (NAT)].

2. Add screenshot of the final network setup.

3. Include the screenshots of verifying the network by pinging the IP address of the NAT router (both g0/0 and g0/1), router 1 and PC1 from PC0.

4. Add screenshot of NAT configuration in NAT router, where you have to mention nat inside and nat outside.

Router#en
Router#conf t
Router(config)#int g0/0
Router(config-if)#ip nat inside
Router(config-if)#exit

Router(config)#int g0/1
Router(config-if)#ip nat outside
Router(config-if)#end

Router#wr
Building configuration…
[OK]
Router#
5. Create a standard access list to permit the PCs [PC1 & PC2].

Router#en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
Router(config)#access-list 10 permit ?
  A.B.C.D  Address to match
  any      Any source host
  host     A single host address
Router(config)#access-list 10 permit 192.168.10.0 ?
  A.B.C.D  Wildcard bits
  <cr>
Router(config)#access-list 10 permit 192.168.10.0 0.0.0.255

6. Create a NAT pool of IP addresses.

Router(config)#ip nat ?
  inside   Inside address translation
  outside  Outside address translation
  pool     Define pool of addresses
Router(config)#ip nat pool ?
  WORD  Pool name
Router(config)#ip nat pool DYNAMICNAT ?
  A.B.C.D  Start IP address
Router(config)#ip nat pool DYNAMICNAT 10.0.0.10 ?
  A.B.C.D  End IP address
Router(config)#ip nat pool DYNAMICNAT 10.0.0.10 10.0.0.20 ?
  netmask  Specify the network mask
Router(config)#ip nat pool DYNAMICNAT 10.0.0.10 10.0.0.20 netmask ?
  A.B.C.D  Network mask
Router(config)#ip nat pool DYNAMICNAT 10.0.0.10 10.0.0.20 netmask 255.0.0.0


7. Configure the Dynamic NAT pool on the NAT router, where you have to mention the translation from the private IP address to public IP address on PC0.

Router(config)#ip nat inside ?
  source  Source address translation
Router(config)#ip nat inside source ?
  list    Specify access list describing local addresses
  static  Specify static local->global mapping
Router(config)#ip nat inside source list ?
  <1-199>  Access list number for local addresses
  WORD     Access list name for local addresses
Router(config)#ip nat inside source list 10 ?
  interface  Specify interface for global address
  pool       Name pool of global addresses
Router(config)#ip nat inside source list 10 pool ?
  WORD  Name pool of global addresses
Router(config)#ip nat inside source list 10 pool DYNAMICNAT
Router(config)#end

8. Include the screenshots of pinging the router1 address from PC0 and show the address translations.

Router#sh ip ?
  access-lists  List access lists
  arp           IP ARP table
  bgp           BGP information
  cache         IP fast-switching route cache
  cef           Cisco Express Forwarding
  dhcp          Show items in the DHCP database
  eigrp         IP-EIGRP show commands
  interface     IP interface status and configuration
  nat           IP NAT information
  nbar          Network-Based Application Recognition
  ospf          OSPF information
  protocols     IP routing protocol process parameters and statistics
  rip           IP RIP show commands
  route         IP routing table
  ssh           Information on SSH
Router#sh ip nat ?
  statistics    Translation statistics
  translations  Translation entries
Router#sh ip nat translations
Pro  Inside global     Inside local        Outside local   Outside global
icmp 10.0.0.10:18     192.168.10.10:18    10.0.0.2:18     10.0.0.2:18
icmp 10.0.0.10:19     192.168.10.10:19    10.0.0.2:19     10.0.0.2:19
icmp 10.0.0.10:20     192.168.10.10:20    10.0.0.2:20     10.0.0.2:20

9. Enable the debug option and include the screenshots of the translations.
Router#
Router#debug ?
aaa AAA Authentication, Authorization and Accounting
custom-queue Custom output queueing
eigrp EIGRP Protocol information
frame-relay Frame Relay
ip IP information
ipv6 IPv6 information
ntp NTP information
ppp PPP (Point to Point Protocol) information
standby Hot Standby Router Protocol (HSRP)

Router#debug ip ?
eigrp IP-EIGRP information
icmp ICMP transactions
nat NAT events
ospf OSPF information
packet Packet information
rip RIP protocol transactions
routing Routing table events

Router#debug ip nat
IP NAT debugging is on
Router#
NAT: s=192.168.10.10->10.0.0.10, d=10.0.0.2 [21]
NAT*: s=10.0.0.2, d=10.0.0.10->192.168.10.10 [8]
NAT: s=192.168.10.10->10.0.0.10, d=10.0.0.2 [22]
NAT*: s=10.0.0.2, d=10.0.0.10->192.168.10.10 [9]
NAT: s=192.168.10.10->10.0.0.10, d=10.0.0.2 [23]
NAT*: s=10.0.0.2, d=10.0.0.10->192.168.10.10 [10]
NAT: s=192.168.10.10->10.0.0.10, d=10.0.0.2 [24]
NAT*: s=10.0.0.2, d=10.0.0.10->192.168.10.10 [11]
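The translation tables in parts A and B are the record that ties an inside host to the global address it used, so a defender wants each row explained by a NAT statement and wants to know how many hosts the pool can actually serve. This added Python example (not part of the assignment) combines the static, access-list and pool statements from both parts into one constructed configuration, labels constructed sample rows in the layout of show ip nat translations, and reports pool size against the addresses the ACL admits; the 10.0.0.99 row and the 192.168.10.30 host are made up.

```python
import ipaddress
import re
# Constructed sample: the NAT statements entered in parts A and B of this assignment
# and rows in the layout of "show ip nat translations" (the 10.0.0.99 row is made up).
NAT_CONFIG = """
ip nat inside source static 192.168.10.10 10.0.0.1
access-list 10 permit 192.168.10.0 0.0.0.255
ip nat pool DYNAMICNAT 10.0.0.10 10.0.0.20 netmask 255.0.0.0
ip nat inside source list 10 pool DYNAMICNAT
"""
TRANSLATIONS = """
Pro  Inside global     Inside local        Outside local   Outside global
icmp 10.0.0.1:16      192.168.10.10:16    10.0.0.2:16     10.0.0.2:16
icmp 10.0.0.10:18     192.168.10.10:18    10.0.0.2:18     10.0.0.2:18
icmp 10.0.0.99:5      192.168.10.30:5     10.0.0.2:5      10.0.0.2:5
"""

def parse_config(text):  # -> static {inside_local: inside_global}, ACL networks, pool
    static, acl, pool = {}, [], None
    for line in text.splitlines():
        if m := re.match(r"ip nat inside source static (\S+) (\S+)", line):
            static[m[1]] = m[2]
        elif m := re.match(r"access-list \d+ permit (\S+) (\S+)", line):
            # IOS wildcard bits are the bitwise inverse of a subnet mask.
            mask = ipaddress.ip_address(~int(ipaddress.ip_address(m[2])) & 0xFFFFFFFF)
            acl.append(ipaddress.ip_network(f"{m[1]}/{mask}", strict=False))
        elif m := re.match(r"ip nat pool \S+ (\S+) (\S+)", line):
            pool = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
    return static, acl, pool
def parse_translations(text):
    # (proto, inside global, inside local) per row, with the :port/:id stripped
    return [(f[0], f[1].split(":")[0], f[2].split(":")[0])
            for f in map(str.split, text.splitlines()) if len(f) == 5 and f[0] != "Pro"]
def audit(config_text, table_text):
    """Label each translation row with the NAT statement that accounts for it."""
    static, acl, pool = parse_config(config_text)
    labels = []
    for _, glob, local in parse_translations(table_text):
        g, l = ipaddress.ip_address(glob), ipaddress.ip_address(local)
        if static.get(local) == glob:
            labels.append("static")
        elif pool and pool[0] <= g <= pool[1] and any(l in n for n in acl):
            labels.append("dynamic")
        else:  # neither a static entry nor an ACL host drawing from the pool
            labels.append("unexpected")
    return labels
def pool_headroom(config_text):
    # Pool addresses versus ACL-admitted inside addresses: without "overload" the
    # pool, not the ACL, caps how many inside hosts can be translated at once.
    _, acl, pool = parse_config(config_text)
    return int(pool[1]) - int(pool[0]) + 1, sum(n.num_addresses for n in acl)
```

With this lab's numbers the pool offers 11 global addresses to a /24 of inside hosts, so a twelfth concurrent host would get no translation.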

C. Configure IOS Intrusion Prevention System (IPS) Using the CLI in Cisco Packet
Tracer. [https://www.youtube.com/watch?v=_nPwKE72QHk]

Objectives
• Enable IOS IPS.
• Configure logging.
• Modify an IPS signature.
• Verify IPS.

Background / Scenario
Your task is to enable IPS on R1 to scan traffic entering the 192.168.1.0 network.
The server labeled Syslog is used to log IPS messages. You must configure the router to
identify the syslog server to receive logging messages. Displaying the correct time and date
in syslog messages is vital when using syslog to monitor the network. Set the clock and
configure the timestamp service for logging on the routers. Finally, enable IPS to produce an
alert and drop ICMP echo reply packets inline.

The submission file in word format should include the following:


1. The steps followed in configuring each device [One Server (Syslog), Two PCs, two Switches, two routers, one router (IPS)].
2. Add screenshot of the final network setup.
3. Add Screenshots of the following steps:
Step 1: Enable the Security Technology package.
a. On R1, issue the show version command to view the Technology Package license information.
b. If the Security Technology package has not been enabled, use the following command to enable the package:
   R1(config)# license boot module c1900 technology-package securityk9
c. Accept the end user license agreement.
d. Save the running-config and reload the router to enable the security license.
e. Verify that the Security Technology package has been enabled by using the show version command.

Step 2: Verify network connectivity.
a. Ping from PC-C to PC-A. The ping should be successful.
b. Ping from PC-A to PC-C. The ping should be successful.

Step 3: Create an IOS IPS configuration directory in flash. On R1, create a directory in flash using the mkdir command. Name the directory ipsdir. [The flash file system (default) is a single flash device on which you can store files.]
R1# mkdir ipsdir
Create directory filename [ipsdir]? <Enter>
Created dir flash:ipsdir

Step 4: Configure the IPS signature storage location. On R1, configure the IPS
signature storage location to be the directory you just created.
R1(config)# ip ips config location flash:ipsdir

Step 5: Create an IPS rule.
On R1, create an IPS rule name using the ip ips name name command in global configuration mode. Name the IPS rule iosips.
R1(config)# ip ips name iosips

Step 6: Enable logging.
IOS IPS supports the use of syslog to send event notification. Syslog notification is enabled by default. If logging console is enabled, IPS syslog messages display.
a. Enable syslog if it is not enabled.
R1(config)# ip ips notify log
b. If necessary, use the clock set command from privileged EXEC mode to reset the clock.
R1# clock set 10:20:00 10 march 2024
c. Verify that the timestamp service for logging is enabled on the router using the show run command. Enable the timestamp service if it is not enabled.
R1(config)# service timestamps log datetime msec
d. Send log messages to the syslog server at IP address 192.168.1.20.
R1(config)# logging host 192.168.1.20

Step 7: Configure IOS IPS to use the signature categories.
Retire the all-signature category with the retired true command (all signatures within the signature release). Unretire the IOS_IPS Basic category with the retired false command.
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Enter>

Step 8: Apply the IPS rule to an interface.
Apply the IPS rule to an interface with the ip ips name direction command in interface configuration mode. Apply the rule outbound on the G0/1 interface of R1. After you enable IPS, some log messages will be sent to the console line indicating that the IPS engines are being initialized.
Note: The direction in means that IPS inspects only traffic going into the interface. Similarly, out means that IPS inspects only traffic going out of the interface.
R1(config)# interface g0/1
R1(config-if)# ip ips iosips out

Step 9: Change the event-action of a signature.
Un-retire the echo request signature (signature 2004, subsig ID 0), enable it, and change the signature action to alert and drop.
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] <Enter>

Step 10: Use show commands to verify IPS.
Use the show ip ips all command to view the IPS configuration status summary.
To which interfaces and in which direction is the iosips rule applied?
Answer: G0/1 outbound.

Step 11: Verify that IPS is working properly.
a. From PC-C, attempt to ping PC-A. Were the pings successful? Explain.
The pings should fail. This is because the IPS rule for event-action of an echo request was set to "deny-packet-inline".
b. From PC-A, attempt to ping PC-C. Were the pings successful? Explain.
The ping should be successful. This is because the IPS rule does not cover echo reply. When PC-A pings PC-C, PC-C responds with an echo reply.

Step 12: View the syslog messages.
a. Click the Syslog server.
b. Select the Services tab.
c. In the left navigation menu, select SYSLOG to view the log file.
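Step 12 only has you look at the log file, but the same log is what an analyst reads to confirm that steps 6 and 8 took effect. This added Python example, not part of the Cisco lab, parses constructed syslog lines in the layout of the %IPS-4-SIGNATURE message, flags alerts that carry no timestamp or that report drops in a direction the outbound rule on G0/1 should not produce, and counts which source is tripping signature 2004; the PC addresses (PC-C as 192.168.3.3, PC-A as 192.168.1.3), times and counts are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of what the Syslog server collects once step 6 points R1 at it.
# The layout follows the %IPS-4-SIGNATURE message IOS IPS emits; hosts (PC-C as
# 192.168.3.3, PC-A as 192.168.1.3), times and the number of lines are made up.
SYSLOG = """
*Mar 10 10:21:02.331: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.3:8 -> 192.168.1.3:0] VRF:NONE RiskRating:25
*Mar 10 10:21:03.335: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.3:8 -> 192.168.1.3:0] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.3:8 -> 192.168.1.3:0] VRF:NONE RiskRating:25
*Mar 10 10:21:09.002: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.3:8 -> 192.168.3.3:0] VRF:NONE RiskRating:25
*Mar 10 10:21:40.118: %SYS-5-CONFIG_I: Configured from console by console
"""
PROTECTED = ipaddress.ip_network("192.168.1.0/24")  # the network the iosips rule guards
SIG_RE = re.compile(
    r"^(?:\*(?P<ts>\w{3} +\d+ [\d:.]+): )?%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<sub>\d+)"
    r" .*?\[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\]")

def parse_ips_events(text):
    """Signature hits as dicts; lines that are not IPS alerts are skipped."""
    events = []
    for line in text.splitlines():
        if m := SIG_RE.match(line.strip()):
            events.append({**m.groupdict(), "sig": int(m["sig"]), "sub": int(m["sub"])})
    return events

def audit_ips_log(events):
    """Findings: alerts with no timestamp (step 6c not done or clock unset) and alerts
    for traffic not heading into the protected network, which means IPS is inspecting
    a direction other than outbound on G0/1 as step 8 intends."""
    findings = []
    for e in events:
        if e["ts"] is None:
            findings.append(("no-timestamp", e["src"], e["dst"]))
        if ipaddress.ip_address(e["dst"]) not in PROTECTED:
            findings.append(("unexpected-direction", e["src"], e["dst"]))
    return findings

def top_sources(events, sig=2004, sub=0):
    """Which hosts are sending the echo requests that signature 2004/0 drops."""
    return Counter(e["src"] for e in events if (e["sig"], e["sub"]) == (sig, sub)).most_common()
```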

Step 13: Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
