LAB 07 - ACL NAT (Packet filter NAT) [Device by device procedures]
Device-by-Device Lab Procedures
1. PC1 Procedure
- Step 1.1: Connect your Ethernet cable to SWITCH 1.
- Step 1.2: Configure your interface and default gateway:
ifconfig eth0 10.0.1.2/24 up
route add default gw 10.0.1.1
- [WAIT FOR STEP 2.2, 3.2, 4.2] Wait for PC2 (R1), R2, and PC3 to finish their initial IP and routing configurations.
- Step 1.3: Ping R2 (202.44.1.2) and PC3 (10.0.2.2). This should be successful.
ping -c 3 202.44.1.2
ping -c 3 10.0.2.2
- [WAIT FOR STEP 2.4, 3.5] Wait for PC2 (R1) and R2 to configure their traffic filtering (ACLs and iptables).
- Step 1.4: Ping R2 and PC3 again. This time, it should fail due to the new cross-boundary filters.
- [WAIT FOR STEP 2.5] Wait for PC2 (R1) to set up the NAT table for PC1.
- Step 1.5: Start Wireshark on your interface (eth0) to capture packets.
- [WAIT FOR STEP 3.6] Wait for R2 to confirm they have also started Wireshark on their eth1 interface.
- Step 1.6: Issue three ping packets from PC1 to the public IP interface of R2 (202.44.1.2).
ping -c 3 202.44.1.2
- Step 1.7: Stop Wireshark and save the packet capture.
- [WAIT FOR STEP 2.7, 2.10] Wait for PC2 and R2 to finish the rest of their ping tests and NAT configurations, and for PC2 to clear the Cisco router.
- Step 1.8: Shut down the PC.
2. PC2 (and R1 Console) Procedure
- Step 2.1: Connect your PC’s Ethernet cable to SWITCH 1. Connect your console cable to R1 (Cisco Router).
- Step 2.2: Configure R1’s IP addresses and routing via your terminal:
R1# conf t
R1(config)# no ip routing
R1(config)# ip routing
R1(config)# int g0/0
R1(config-if)# ip address 10.0.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# int g0/1
R1(config-if)# ip address 202.44.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# ip route 0.0.0.0 0.0.0.0 202.44.1.2
- Step 2.3: Configure PC2’s own interface and default gateway:
ifconfig eth0 10.0.1.3/24 up
route add default gw 10.0.1.1
- [WAIT FOR STEP 1.3] Wait for PC1, R2, and PC3 to finish their initial IP and routing configurations, and for PC1 to do the first ping test.
- Step 2.4: Configure R1 to filter transit and locally generated private packets:
R1(config)# access-list 110 deny ip 10.0.0.0 0.255.255.255 any
R1(config)# access-list 110 deny ip any 10.0.0.0 0.255.255.255
R1(config)# access-list 110 permit ip any any
R1(config)# ip local policy route-map FILTER
R1(config)# int g0/1
R1(config-if)# ip access-group 110 out
R1(config-if)# end
R1# show access-lists 110
R1# debug ip policy
R1# show access-lists
(The route-map FILTER that ip local policy references is not defined anywhere in this procedure. Without it the local policy has no effect, and since an outbound interface ACL does not apply to packets the router itself originates, only transit traffic leaving g0/1 is filtered by access-list 110.)
- [WAIT FOR STEP 3.5, 1.4] Wait for R2 to finish setting up its iptables filters and for PC1 to verify pings fail.
- Step 2.5: Set up the NAT rule for PC1 on R1:
R1> enable
R1# show ip nat translations
R1# conf t
R1(config)# int g0/0
R1(config-if)# ip nat inside
R1(config-if)# int g0/1
R1(config-if)# ip nat outside
R1(config-if)# exit
R1(config)# ip nat inside source static 10.0.1.2 200.0.0.1
R1(config)# end
- Step 2.6: Display the NAT table and save a screenshot:
R1# show ip nat translations
- [WAIT FOR STEP 1.6, 3.6] Wait for PC1 and R2 to start Wireshark and for PC1 to finish pinging R2.
- Step 2.7: Issue three ping packets from PC2 to the public IP interface of R2 (202.44.1.2).
- Step 2.8: Add the additional NAT rule for PC2:
R1# conf t
R1(config)# ip nat inside source static 10.0.1.3 200.0.0.2
R1(config)# end
- Step 2.9: Display the NAT table again and save the screenshot.
- [WAIT FOR STEP 3.11] Wait for R2 to finish its ping tests to PC2.
- Step 2.10: Clear all ACL and NAT configurations in R1:
R1# write erase
R1# reload
(Answer ‘No’ when asked to save configurations).
- Step 2.11: Shut down PC2, roll up the cables, and turn off the Cisco router.
3. R2 (Linux Router) Procedure
- Step 3.1: Connect your cables. Use a USB-to-Ethernet adapter to create the interface eth1 connected to R1. eth0 connects to PC3.
- Step 3.2: Configure your interfaces and default gateway:
ifconfig eth0 10.0.2.1/24 up
ifconfig eth1 202.44.1.2/24 up
route add default gw 202.44.1.1
- [WAIT FOR STEP 1.3] Wait for PC1, PC2 (R1), and PC3 to finish their initial IP configurations and for PC1 to perform the initial successful ping test.
- Step 3.3: Configure iptables to drop private packets over the public interface:
iptables -F
iptables -X
iptables -N valid-src
iptables -N valid-dst
iptables -A valid-src -s 10.0.0.0/8 -j DROP
iptables -A valid-dst -d 10.0.0.0/8 -j DROP
- Step 3.4: Apply rules to the FORWARD chain (transit traffic):
iptables -A FORWARD -o eth1 -j valid-src
iptables -A FORWARD -o eth1 -j valid-dst
- Step 3.5: Apply rules to OUTPUT/INPUT chains (locally generated and locally delivered traffic):
# locally generated packets leaving the public interface for a private destination
iptables -A OUTPUT -o eth1 -j valid-dst
# packets with a private source arriving on the public interface and addressed to R2 itself
iptables -A INPUT -i eth1 -j valid-src
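To see why the ping tests in Steps 1.4, 1.6, 2.7, 3.7, 3.8, 3.10 and 3.11 turn out as they do, here is an offline Python model of the pieces configured so far: R1's access-list 110 and static NAT entries (Steps 2.4, 2.5 and 2.8) and R2's OUTPUT rule (Step 3.5). It is an example written for this page, not code from the lab sheet, from Cisco IOS or from netfilter; the addresses and rules are the lab's own, and the function and constant names (wildcard_match, acl_decision, NAT_AFTER_2_5 and so on) are assumptions made here.

```python
"""
Offline model of the boundary filters and static NAT built in this lab
(example written for this page; not code from the lab sheet, Cisco IOS or
netfilter). It reproduces first-match evaluation of access-list 110 with
Cisco wildcard masks, the static NAT entries from Steps 2.5 and 2.8, the Cisco
order of operations for inside-to-outside traffic (translate, then outbound
ACL on g0/1) and R2's OUTPUT -> valid-dst rule from Step 3.5. Addresses are
the lab's own; function and constant names are assumptions made here.
"""
from ipaddress import IPv4Address, IPv4Network

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco 'any': base 0.0.0.0, all-ones wildcard
PRIVATE_8 = IPv4Network("10.0.0.0/8")
R2_PUBLIC = "202.44.1.2"

# access-list 110 from Step 2.4: (action, (src base, src wildcard), (dst base, dst wildcard))
ACL_110 = [
    ("deny",   ("10.0.0.0", "0.255.255.255"), ANY),
    ("deny",   ANY, ("10.0.0.0", "0.255.255.255")),
    ("permit", ANY, ANY),
]

# Static NAT entries as they exist after Step 2.5 and after Step 2.8.
NAT_AFTER_2_5 = {"10.0.1.2": "200.0.0.1"}
NAT_AFTER_2_8 = {"10.0.1.2": "200.0.0.1", "10.0.1.3": "200.0.0.2"}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so 0.255.255.255 compares only the first octet (equivalent to /8)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_decision(acl, src: str, dst: str) -> str:
    """First matching entry wins; a list with no matching entry denies."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def r1_inside_to_outside(src: str, dst: str, nat_table: dict):
    """Packet entering g0/0 (ip nat inside) and leaving g0/1 (ip nat outside).
    NAT rewrites the source before the outbound ACL sees it, so ACL 110 is
    evaluated against the translated header. Returns (decision, source on wire)."""
    wire_src = nat_table.get(src, src)
    return acl_decision(ACL_110, wire_src, dst), wire_src


def r2_output_verdict(dst: str, out_iface: str) -> str:
    """R2's OUTPUT chain after Step 3.5: a locally generated packet leaving
    eth1 for a 10/8 destination jumps to valid-dst and is dropped."""
    if out_iface == "eth1" and IPv4Address(dst) in PRIVATE_8:
        return "DROP"
    return "ACCEPT"


def r2_echo_round_trip(target: str, nat_table: dict) -> bool:
    """Echo request from R2 to target and the reply back: R2's OUTPUT chain,
    then R1's outside-to-inside translation of the destination (needs a static
    entry), then the reply travelling inside-to-outside through NAT and ACL 110."""
    if r2_output_verdict(target, "eth1") == "DROP":
        return False
    inside_local = {g: l for l, g in nat_table.items()}.get(target)
    if inside_local is None:
        return False        # nothing is mapped to that global address
    decision, _ = r1_inside_to_outside(inside_local, R2_PUBLIC, nat_table)
    return decision == "permit"


def lab_expectations() -> dict:
    """Expected outcome (True = ping succeeds) of each ping test, keyed by step."""
    return {
        "1.4":  r1_inside_to_outside("10.0.1.2", R2_PUBLIC, {})[0] == "permit",  # no NAT yet
        "1.6":  r1_inside_to_outside("10.0.1.2", R2_PUBLIC, NAT_AFTER_2_5)[0] == "permit",
        "2.7":  r1_inside_to_outside("10.0.1.3", R2_PUBLIC, NAT_AFTER_2_5)[0] == "permit",
        "3.7":  r2_echo_round_trip("10.0.1.2", NAT_AFTER_2_5),
        "3.8":  r2_echo_round_trip("200.0.0.1", NAT_AFTER_2_5),
        "3.10": r2_echo_round_trip("10.0.1.3", NAT_AFTER_2_8),
        "3.11": r2_echo_round_trip("200.0.0.2", NAT_AFTER_2_8),
    }


if __name__ == "__main__":
    for step, ok in lab_expectations().items():
        print(f"Step {step}: ping {'succeeds' if ok else 'fails'}")
```

The point the model makes explicit is the order of operations on R1: the outbound ACL on g0/1 is evaluated against the translated source, which is why PC1's pings fail in Step 1.4 and succeed in Step 1.6 without any change to access-list 110, and why PC2's ping in Step 2.7 still fails until its own static entry exists.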
- [WAIT FOR STEP 2.5] Wait for PC2 (R1) to configure NAT for PC1.
- Step 3.6: Start Wireshark on interface eth1 to capture packets.
- [WAIT FOR STEP 1.6, 2.7] Wait for PC1 to also start Wireshark and finish pinging R2. Also wait for PC2 to ping R2.
- Step 3.7: Issue three ping packets from R2 to the private IP address of PC1 (10.0.1.2).
- Step 3.8: Issue three ping packets from R2 to the NAT public IP of PC1 (200.0.0.1).
- Step 3.9: Stop Wireshark and save the packet capture.
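What the two captures from Steps 1.7 and 3.9 should show can be checked with a small script like this added Python example (not part of the lab sheet). It reads the kind of comma-separated text tshark produces with -T fields -E separator=, -e ip.src -e ip.dst -e icmp.type -e icmp.ident -e icmp.seq, flags any RFC 1918 address on the public link, and correlates the echo requests in both captures by (identifier, sequence) to recover the translation R1 applied. The capture lines inside it are constructed to look like that export; they are not real data from the lab, and the field order and the function names are assumptions made here.

```python
"""
Audit of the PC1 eth0 and R2 eth1 captures from this lab (example written for
this page, not part of the lab sheet). Input format assumed: one packet per
line as exported by
  tshark -r capture.pcapng -T fields -E separator=, \
         -e ip.src -e ip.dst -e icmp.type -e icmp.ident -e icmp.seq
The two captures below are constructed for illustration, not real lab data.
"""
import csv
from io import StringIO
from ipaddress import IPv4Address, IPv4Network

RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]
FIELDS = ["src", "dst", "icmp_type", "ident", "seq"]   # assumed export field order

# Constructed: what PC1's eth0 (private segment) sees during Step 1.6.
PC1_ETH0 = """\
10.0.1.2,202.44.1.2,8,4711,1
202.44.1.2,10.0.1.2,0,4711,1
10.0.1.2,202.44.1.2,8,4711,2
202.44.1.2,10.0.1.2,0,4711,2
10.0.1.2,202.44.1.2,8,4711,3
202.44.1.2,10.0.1.2,0,4711,3
"""

# Constructed: the same exchange as seen on R2's eth1 (public segment).
R2_ETH1 = """\
200.0.0.1,202.44.1.2,8,4711,1
202.44.1.2,200.0.0.1,0,4711,1
200.0.0.1,202.44.1.2,8,4711,2
202.44.1.2,200.0.0.1,0,4711,2
200.0.0.1,202.44.1.2,8,4711,3
202.44.1.2,200.0.0.1,0,4711,3
"""


def parse_export(text: str) -> list:
    """Turn the tshark field export into a list of dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text)) if row]


def private_leaks(packets: list) -> list:
    """RFC 1918 addresses present in a capture, as (field, address) pairs.
    On the public link (R2 eth1) this must be empty once ACL 110 and R2's
    iptables chains are in place; anything listed got past the boundary filters."""
    leaks = set()
    for p in packets:
        for field in ("src", "dst"):
            addr = IPv4Address(p[field])
            if any(addr in net for net in RFC1918):
                leaks.add((field, p[field]))
    return sorted(leaks)


def observed_translations(inside: list, outside: list) -> dict:
    """Correlate echo requests (type 8) in the inside and outside captures by
    (ident, seq). Assumption: a one-to-one static mapping rewrites only the
    address, so identifier and sequence are the same on both sides. Returns
    inside-local -> inside-global pairs to compare with 'show ip nat translations'."""
    outside_by_key = {(p["ident"], p["seq"]): p for p in outside if p["icmp_type"] == "8"}
    pairs = {}
    for p in inside:
        if p["icmp_type"] != "8":
            continue
        match = outside_by_key.get((p["ident"], p["seq"]))
        if match is not None:
            pairs[p["src"]] = match["src"]
    return pairs


if __name__ == "__main__":
    inside, outside = parse_export(PC1_ETH0), parse_export(R2_ETH1)
    print("private addresses on the public link:", private_leaks(outside))
    print("translation observed on the wire:", observed_translations(inside, outside))
```

Run against the real exports from Steps 1.7 and 3.9, the first check should come back empty and the second should report exactly the entry shown by show ip nat translations in Step 2.6; a non-empty first list means a packet with a 10/8 address reached the 202.44.1.0/24 segment and the filter from Step 2.4 or Step 3.3 is not doing what the lab intends.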
- [WAIT FOR STEP 2.8] Wait for PC2 (R1) to configure the second NAT rule for PC2 (200.0.0.2).
- Step 3.10: Ping from R2 to the private address of PC2 (10.0.1.3).
- Step 3.11: Ping from R2 to the NAT public IP of PC2 (200.0.0.2).
- Step 3.12: Save screenshots of the ping outputs.
- [WAIT FOR STEP 2.10] Wait for PC2 to wipe R1’s configuration.
- Step 3.13: Shut down R2.
4. PC3 Procedure
- Step 4.1: Connect your Ethernet cable directly to eth0 on R2 (or via a switch if managing one, though no switch commands are required for this lab).
- Step 4.2: Configure your interface and default gateway:
ifconfig eth0 10.0.2.2/24 up
route add default gw 10.0.2.1
- [WAIT FOR STEP 1.3] Wait for PC1, PC2 (R1), and R2 to finish their configurations. You will be the target of PC1’s initial ping tests.
- [WAIT FOR STEP 2.4, 3.5, 2.5, 1.6, 3.6, 2.7, 2.8, 3.11] Stand by while the rest of the group configures ACLs, iptables, and NAT rules and performs Wireshark captures.
- [WAIT FOR STEP 2.10] Wait for PC2 to confirm R1 is erased and the lab is concluded.
- Step 4.3: Shut down PC3 and roll up your cables.