
CSC241 Practical Exam Answer Key


CCNA Exploration: Accessing the WAN Student Skills Based Assessment Lab (Answer Key)

Topology Diagram

Addressing Table

Device  Interface  IP Address       Subnet Mask      Default Gateway
R1      Fa0/1      192.168.1.1      255.255.255.0    N/A
R1      S0/0/0     172.16.0.1       255.255.255.252  N/A
R1      S0/0/1     172.16.0.9       255.255.255.252  N/A
R2      Lo0        209.165.200.161  255.255.255.224  N/A
R2      S0/0/0     172.16.0.2       255.255.255.252  N/A
R2      S0/0/1     172.16.0.5       255.255.255.252  N/A
R3      Fa0/1      192.168.3.1      255.255.255.0    N/A
R3      S0/0/0     172.16.0.10      255.255.255.252  N/A
R3      S0/0/1     172.16.0.6       255.255.255.252  N/A
PC1     NIC        192.168.1.2      255.255.255.128  192.168.1.1
PC3     NIC        192.168.3.2      255.255.255.128  192.168.3.1

All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Learning Objectives

This lab practical is preconfigured as outlined in the topology diagram and table above.

To complete this lab:

Configure basic router security

Configure ACLs

Configure basic NAT

Scenario

This lab tests you on the skills and knowledge that you learned in Exploration 4.

Task 1: Configure Basic Router Security

Step 1: Enable a secure Telnet login using a local database on R2.

aaa new-model
!
aaa authentication login Auth_Local local
!
line con 0
 login authentication Auth_Local
 logging synchronous
line vty 0 4
 login authentication Auth_Local

Step 2: Disable unused services and interfaces on R2.

no service pad
no service finger
no service tcp-small-server
no service udp-small-server
no ip http server
no ip bootp server
no ip finger
no ip source-route
no ip gratuitous-arps
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 shutdown
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 shutdown
!
interface Serial0/0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
!
interface Serial0/0/1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
!

Step 3: Confirm that R2 is secured.

R1#telnet 172.16.0.2
Trying 172.16.0.2 ... Open

User Access Verification

Username: R1
Password: cisco

% Authentication failed

Username: R1
Password: cisco
R2#

Task 2: Configure Access Control Lists

Step 1: Allow telnet to R1 and R3 from R2 only.

R1:
ip access-list standard telnet
 permit 172.16.0.5
 permit 172.16.0.1
 permit 172.16.0.2
!
line vty 0 4
 access-class telnet in
!

R3:
ip access-list standard telnet
 permit 172.16.0.5
 permit 172.16.0.1
 permit 172.16.0.2
!
line vty 0 4
 access-class telnet in
!

Step 2: Do not allow HTTP, Telnet, and FTP traffic from the Internet to PC1.

! Students should recognize that an extended access list is needed and that it should be placed on the Internet-facing interface.

R2:
ip access-list extended PC1-in
 deny tcp any host 192.168.1.2 eq ftp
 deny tcp any host 192.168.1.2 eq ftp-data
 deny tcp any host 192.168.1.2 eq telnet
 deny tcp any host 192.168.1.2 eq www
 permit ip any any
!
interface Loopback0
 ip access-group PC1-in in
!

Step 3: Do not allow PC1 to receive traffic from the 192.168.3.0 /25 network.

R1:
ip access-list extended pc3-out
 deny ip 192.168.3.0 0.0.0.255 any
 permit ip any any
!
interface FastEthernet0/1
 ip access-group pc3-out out
!

Step 4: Verify that PC3 cannot ping PC1, but can ping 10.0.0.1.

C:\ >ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.1:
 Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\ >ping 192.168.1.1

Pinging 10.0.0.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=2ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.1.1:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 1ms, Maximum = 2ms, Average = 1ms

Task 3: Configure NAT.

Step 1: Configure NAT to allow PC3 to ping PC1.

R3:
ip nat inside source list NAT interface Serial0/0/1 overload
!
ip access-list standard NAT
 permit 192.168.3.0 0.0.0.255
!
interface FastEthernet0/1
 ip nat inside
interface Serial0/0/0
 ip nat outside
!
interface Serial0/0/1
 ip nat outside
!

Step 2: Verify that PC3 can reach PC1.

C:\ >ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time=1ms TTL=255
Reply from 192.168.1.2: bytes=32 time=2ms TTL=255
Reply from 192.168.1.2: bytes=32 time=1ms TTL=255
Reply from 192.168.1.2: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.1.2:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 1ms, Maximum = 2ms, Average = 1ms
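The first-match evaluation behind the Task 2 ACLs, and why the NAT-translated source address from Task 3 passes pc3-out, as an added Python example that is not part of the original answer key. The function names are assumptions, and the parser handles only the entry forms that appear in these two ACLs.

```python
import ipaddress

# ACL entries copied from Task 2 (R2 PC1-in, R1 pc3-out); IOS port keywords mapped to numbers.
PORTS = {"ftp": 21, "ftp-data": 20, "telnet": 23, "www": 80}
PC1_IN = """deny tcp any host 192.168.1.2 eq ftp
deny tcp any host 192.168.1.2 eq ftp-data
deny tcp any host 192.168.1.2 eq telnet
deny tcp any host 192.168.1.2 eq www
permit ip any any"""
PC3_OUT = """deny ip 192.168.3.0 0.0.0.255 any
permit ip any any"""

def _addr(tokens):
    """Consume one address spec from the token list; return (base, wildcard) as ints."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse(acl_text):
    """Turn 'action proto src dst [eq port]' lines into rule tuples, in order."""
    rules = []
    for line in acl_text.splitlines():
        t = line.split()
        action, proto = t.pop(0), t.pop(0)
        src, dst = _addr(t), _addr(t)
        port = PORTS[t[1]] if t[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _match(ip, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base.
    keep = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & keep == base & keep

def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first matching entry; implicit deny if none match."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in ("ip", proto) and _match(src, r_src)
                and _match(dst, r_dst) and r_port in (None, dport)):
            return action
    return "deny"

if __name__ == "__main__":
    # PC3's real address is dropped; the PAT address of R3 S0/0/1 is not.
    print(evaluate(parse(PC3_OUT), "icmp", "192.168.3.2", "192.168.1.2"))
    print(evaluate(parse(PC3_OUT), "icmp", "172.16.0.6", "192.168.1.2"))
```

The wildcard 0.0.0.255 in pc3-out matches every host in 192.168.3.0-255, so a source such as 192.168.3.200 is denied as well.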

Task 4: Document the Router Configurations

On each device, issue the show run command and capture the configurations.

Copy the captured output on the flash drive provided.

R1:
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret class
!
ip cef
!
no ip domain lookup
!
username R2 password 0 cisco
!
interface FastEthernet0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group PC3-out out
!
interface Serial0/0/0
 ip address 172.16.0.1 255.255.255.252
 encapsulation ppp
 clockrate 125000
 ppp authentication chap
!
interface Serial0/0/1
 ip address 172.16.0.9 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 172.16.0.9 103
 frame-relay map ip 172.16.0.10 103 broadcast
!
router rip
 version 2
 passive-interface default
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
 network 192.168.1.0
 network 172.16.0.0
 no auto-summary
!
ip access-list standard telnet
 permit 172.16.0.5
 permit 172.16.0.2
!
ip access-list extended pc3-out
 deny ip 192.168.3.0 0.0.0.255 any
 permit ip any any
!
line con 0
 exec-timeout 5 0
 password cisco
 logging synchronous
line aux 0
line vty 0 4
 access-class telnet in
 password cisco
!
end

R2:
no service pad
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret class
!
aaa new-model
!
!
aaa authentication login Auth_Local local
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
ip cef
!
no ip bootp server
no ip domain lookup
!
username R1 password 0 cisco
username ccna password 0 cisco
!
interface Loopback0
 ip address 209.165.200.161 255.255.255.224
 ip access-group PC1-in in
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 shutdown
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 shutdown
!
interface Serial0/0/0
 ip address 172.16.0.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 encapsulation ppp
 ppp authentication chap
!
interface Serial0/0/1
 ip address 172.16.0.5 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 clockrate 125000
!
router rip
 passive-interface default
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
 network 172.16.0.0
 network 209.165.200.0
 no auto-summary
!
no ip http server
!
ip access-list extended PC1-in
 deny tcp any host 192.168.1.2 eq ftp
 deny tcp any host 192.168.1.2 eq ftp-data
 deny tcp any host 192.168.1.2 eq telnet
 deny tcp any host 192.168.1.2 eq www
 permit ip any any
!
no cdp run
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 5 0
 login authentication Auth_Local
!
end

R3:
hostname R3
!
no ip domain lookup
frame-relay switching
!
interface FastEthernet0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 172.16.0.10 255.255.255.252
 ip nat outside
 encapsulation frame-relay
 clockrate 125000
 frame-relay map ip 172.16.0.9 103 broadcast
 frame-relay map ip 172.16.0.10 103
 no frame-relay inverse-arp
 frame-relay intf-type dce
!
interface Serial0/0/1
 ip address 172.16.0.6 255.255.255.252
 ip nat outside
!
router rip
 version 2
 passive-interface default
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
 network 192.168.3.0
 network 172.16.0.0
 no auto-summary
!
ip nat inside source list NAT interface Serial0/0/1 overload
!
ip access-list standard NAT
 permit 192.168.3.0 0.0.0.255
ip access-list standard telnet
 permit 172.16.0.5
 permit 172.16.0.2
!
line con 0
 exec-timeout 5 0
 password cisco
 logging synchronous
line aux 0
line vty 0 4
 access-class telnet in
 password cisco
!
end

Task 5: Clean Up

Copy the lab router configurations from the flash media on the router and then reload the routers. The configuration file is called startup_config.E4_SBA_R# (where # is the router number).

Leave all cables and PC connections as you found them.
