
CCIE Security Practice Labs

Section 9.0: IP Services and Protocol-Independent Features

9.1: NAT

  1. Configure NAT for Loopback3 192.168.3.1/24.

  2. The objective is that traffic sourced from Loopback3 to anywhere on the network is translated to the address of whichever interface it leaves by. For example, a ping to 122.122.122.122 exits Serial1/0.3, a ping to 144.144.144.144 exits Serial1/0.1, and a ping to 166.166.166.166 exits FastEthernet0/0, and each must be translated to that interface's address. The route maps below tie one NAT statement to each egress interface with match interface, and ACL 102 limits the translation to the Loopback3 subnet. The interface-level ip nat inside on Loopback3 and ip nat outside on the three egress interfaces are not shown but are required. To configure this multihomed NAT, enter the following:

  3. ip nat inside source route-map fastethernet0/0 interface FastEthernet0/0 overload
    ip nat inside source route-map serial1/0.1 interface Serial1/0.1 overload
    ip nat inside source route-map serial1/0.3 interface Serial1/0.3 overload
    !
    access-list 102 permit ip 192.168.3.0 0.0.0.255 any
    !
    route-map serial1/0.1 permit 10
     match ip address 102
     match interface Serial1/0.1
    !
    route-map serial1/0.3 permit 10
     match ip address 102
     match interface Serial1/0.3
    !
    route-map fastethernet0/0 permit 10
     match ip address 102
     match interface FastEthernet0/0

    To test multihomed NAT, enter the following:

    ! "Debug ip nat" on R3 and ping 122.122.122.122, 144.144.144.144 and 166.166.166.166 
    ! sourcing from Loopback3:
    r3#ping ip
    Target IP address: 122.122.122.122
    Repeat count [5]: 
    Datagram size [100]: 
    Timeout in seconds [2]: 
    Extended commands [n]: y
    Source address or interface: loopback3
    Type of service [0]: 
    Set DF bit in IP header? [no]: 
    Validate reply data? [no]: 
    Data pattern [0xABCD]: 
    Loose, Strict, Record, Timestamp, Verbose[none]: 
    Sweep range of sizes [n]: 
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 122.122.122.122, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 68/68/68 ms
    r3#
    r3#
    4d14h: NAT: s=192.168.3.1->10.50.13.18, d=122.122.122.122 [195]
    4d14h: NAT*: s=122.122.122.122, d=10.50.13.18->192.168.3.1 [195]
    4d14h: NAT: s=192.168.3.1->10.50.13.18, d=122.122.122.122 [196]
    4d14h: NAT*: s=122.122.122.122, d=10.50.13.18->192.168.3.1 [196]
    4d14h: NAT: s=192.168.3.1->10.50.13.18, d=122.122.122.122 [197]
    4d14h: NAT*: s=122.122.122.122, d=10.50.13.18->192.168.3.1 [197]
    4d14h: NAT: s=192.168.3.1->10.50.13.18, d=122.122.122.122 [198]
    4d14h: NAT*: s=122.122.122.122, d=10.50.13.18->192.168.3.1 [198]
    4d14h: NAT: s=192.168.3.1->10.50.13.18, d=122.122.122.122 [199]
    4d14h: NAT*: s=122.122.122.122, d=10.50.13.18->192.168.3.1 [199]
    r3#
    r3#
    r3#ping ip
    Target IP address: 144.144.144.144
    Repeat count [5]: 
    Datagram size [100]: 
    Timeout in seconds [2]: 
    Extended commands [n]: y
    Source address or interface: loopback3
    Type of service [0]: 
    Set DF bit in IP header? [no]: 
    Validate reply data? [no]: 
    Data pattern [0xABCD]: 
    Loose, Strict, Record, Timestamp, Verbose[none]: 
    Sweep range of sizes [n]: 
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 144.144.144.144, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 96/99/101 ms
    r3#
    r3#
    4d14h: NAT: s=192.168.3.1->10.50.13.2, d=144.144.144.144 [210]
    4d14h: NAT*: s=144.144.144.144, d=10.50.13.2->192.168.3.1 [210]
    4d14h: NAT: s=192.168.3.1->10.50.13.2, d=144.144.144.144 [211]
    4d14h: NAT*: s=144.144.144.144, d=10.50.13.2->192.168.3.1 [211]
    4d14h: NAT: s=192.168.3.1->10.50.13.2, d=144.144.144.144 [212]
    4d14h: NAT*: s=144.144.144.144, d=10.50.13.2->192.168.3.1 [212]
    4d14h: NAT: s=192.168.3.1->10.50.13.2, d=144.144.144.144 [213]
    4d14h: NAT*: s=144.144.144.144, d=10.50.13.2->192.168.3.1 [213]
    4d14h: NAT: s=192.168.3.1->10.50.13.2, d=144.144.144.144 [214]
    4d14h: NAT*: s=144.144.144.144, d=10.50.13.2->192.168.3.1 [214]
    r3#
    r3#
    r3#ping ip
    Target IP address: 166.166.166.166
    Repeat count [5]: 
    Datagram size [100]: 
    Timeout in seconds [2]: 
    Extended commands [n]: y
    Source address or interface: loopback3
    Type of service [0]: 
    Set DF bit in IP header? [no]: 
    Validate reply data? [no]: 
    Data pattern [0xABCD]: 
    Loose, Strict, Record, Timestamp, Verbose[none]: 
    Sweep range of sizes [n]: 
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 166.166.166.166, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
    r3#
    r3#
    4d14h: NAT: s=192.168.3.1->10.50.31.2, d=166.166.166.166 [205]
    4d14h: NAT*: s=166.166.166.166, d=10.50.31.2->192.168.3.1 [205]
    4d14h: NAT: s=192.168.3.1->10.50.31.2, d=166.166.166.166 [206]
    4d14h: NAT*: s=166.166.166.166, d=10.50.31.2->192.168.3.1 [206]
    4d14h: NAT: s=192.168.3.1->10.50.31.2, d=166.166.166.166 [207]
    4d14h: NAT*: s=166.166.166.166, d=10.50.31.2->192.168.3.1 [207]
    4d14h: NAT: s=192.168.3.1->10.50.31.2, d=166.166.166.166 [208]
    4d14h: NAT*: s=166.166.166.166, d=10.50.31.2->192.168.3.1 [208]
    4d14h: NAT: s=192.168.3.1->10.50.31.2, d=166.166.166.166 [209]
    4d14h: NAT*: s=166.166.166.166, d=10.50.31.2->192.168.3.1 [209]

    The preceding test from R3 confirms that Loopback3 is translated to the address of the egress interface chosen by each route map (show ip nat translations shows the same mappings without enabling debugging):

    Ping 122.122.122.122 translated to 10.50.13.18, egress Serial1/0.3
    Ping 144.144.144.144 translated to 10.50.13.2, egress Serial1/0.1
    Ping 166.166.166.166 translated to 10.50.31.2, egress FastEthernet0/0

9.2: NTP

  1. Configure R2 as NTP Server and R1 as NTP Client.

  2. Configure authentication using an MD5 key. The NTP status and the authenticated association, as verified from the client R1, are as follows:

  3. r1# show ntp status 
    Clock is synchronized, stratum 9, reference is 10.50.13.34
    nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
    reference time is C1D5BFAA.20689871 (00:22:02.126 UTC Mon Jan 20 2003)
    clock offset is 1.6778 msec, root delay is 64.39 msec
    root dispersion is 126.82 msec, peer dispersion is 0.12 msec
    r1#
    r1# 
    r1#show ntp associations detail
    10.50.13.34 configured, authenticated, our_master, sane, valid, stratum 8
    ref ID 127.127.7.1, time C1D5BF88.FE740124 (00:21:28.993 UTC Mon Jan 20 2003)
    our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
    root delay 0.00 msec, root disp 125.03, reach 377, sync dist 157.349
    delay 64.39 msec, offset 1.6778 msec, dispersion 0.12
    precision 2**16, version 3
    org time C1D5BFAA.188E6A78 (00:22:02.095 UTC Mon Jan 20 2003)
    rcv time C1D5BFAA.20689871 (00:22:02.126 UTC Mon Jan 20 2003)
    xmt time C1D5BFAA.0FC3685F (00:22:02.061 UTC Mon Jan 20 2003)
    filtdelay = 64.67 64.39 64.50 64.45 64.67 64.39 64.80 67.99
    filtoffset = 1.66 1.68 1.60 1.55 1.57 1.55 1.66 -0.13
    filterror =  0.02 0.03 0.05 0.06 0.08 0.09 0.11 0.12
    r1#
    r1#
    r1#show clock
    00:25:19.586 UTC Mon Jan 20 2003
    r1#
    r1#
  4. In some IOS releases the NTP authentication commands must be entered in a particular order. The following order was confirmed to work:

  5. For R2 (master) enter commands in the following sequence:

    ntp authentication-key 1 md5 cisco 
    ntp master 2

    For R1 (Client) enter commands in the following sequence:

    ntp authentication-key 1 md5 cisco 
    ntp authenticate
    ntp trusted-key 1
    ntp server 10.50.13.34 key 1
  6. Remember that an inbound access list is applied to the serial link on R2; it must permit NTP (UDP port 123) from R1, or the association will never synchronize. Note also that it is the client-side ntp authenticate and ntp trusted-key 1 that make R1 reject replies not authenticated with a trusted key; the key defined on R2 alone protects nothing, and the key string cisco is a lab value only.
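What the key in ntp authentication-key 1 md5 cisco actually protects, as an added example (not part of the lab or of Cisco's code): an NTPv3 server reply is built with the reference timestamp R1 displays (C1D5BFAA.20689871, which decodes back to 00:22:02.126 UTC on 20 Jan 2003), authenticated with the RFC 5905 Appendix A MD5 MAC, and checked the way the client's ntp authenticate and ntp trusted-key do. Everything in the packet other than version, mode, stratum, reference ID and reference time is filler, and the function names are this example's own.

```python
"""NTP timestamp decoding and the MD5 MAC behind 'ntp authentication-key N md5 <key>'.

Added example, not from the lab page. The packet is constructed to resemble the
reply R1 shows in 'show ntp associations detail' (version 3, stratum 8,
reference 127.127.7.1, reference time C1D5BFAA.20689871); other fields are filler.
"""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 48  # NTP header without the optional MAC


def ntp_to_datetime(seconds: int, fraction: int) -> datetime:
    """Convert a 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    micros = fraction * 1_000_000 // 2**32
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def ntp_ts(seconds: int, fraction: int) -> bytes:
    return struct.pack("!II", seconds, fraction)


def build_server_reply() -> bytes:
    """Constructed 48-byte NTPv3 server reply carrying the page's reference timestamp."""
    ref = ntp_ts(0xC1D5BFAA, 0x20689871)
    return (
        struct.pack("!BBBb", 0x1C, 8, 6, -16)     # LI=0, VN=3, mode=4 (server); stratum 8; poll 2**6; precision 2**-16
        + struct.pack("!III", 0, 0, 0x7F7F0701)   # root delay, root dispersion (filler), ref id 127.127.7.1
        + ref * 4                                 # reference/originate/receive/transmit timestamps (filler)
    )


def md5_mac(key: bytes, header: bytes) -> bytes:
    """RFC 5905 Appendix A MD5 MAC: digest = MD5(key || header); it is not an HMAC."""
    return hashlib.md5(key + header).digest()


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the 4-byte key identifier and 16-byte digest, as an authenticating server does."""
    return header + struct.pack("!I", key_id) + md5_mac(key, header)


def verify(packet: bytes, trusted_keys: dict) -> bool:
    """What 'ntp authenticate' plus 'ntp trusted-key' enforce on the client: a MAC must be
    present, its key id must be trusted, and the digest must match under that key."""
    if len(packet) != HEADER_LEN + 20:
        return False
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = packet[HEADER_LEN + 4:]
    if key_id not in trusted_keys:
        return False
    return hmac.compare_digest(digest, md5_mac(trusted_keys[key_id], header))


def parse_reply(packet: bytes) -> dict:
    """Pull the fields that 'show ntp associations detail' prints from a raw reply."""
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBBb", packet[:4])
    ref_id = struct.unpack("!I", packet[12:16])[0]
    ref_secs, ref_frac = struct.unpack("!II", packet[16:24])
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "ref_id": ".".join(str((ref_id >> s) & 0xFF) for s in (24, 16, 8, 0)),
        "ref_time": ntp_to_datetime(ref_secs, ref_frac),
    }


if __name__ == "__main__":
    keys = {1: b"cisco"}                      # 'ntp authentication-key 1 md5 cisco' (lab value)
    reply = authenticate(build_server_reply(), 1, keys[1])
    info = parse_reply(reply)
    print(info["ref_time"].strftime("%H:%M:%S.%f")[:-3], "UTC, ref", info["ref_id"], "stratum", info["stratum"])
    print("genuine:", verify(reply, keys))
    tampered = reply[:13] + b"\x01" + reply[14:]   # alter one header byte, keep the old MAC
    print("tampered:", verify(tampered, keys))
    print("untrusted key id:", verify(reply, {2: b"cisco"}))
```

The check rejects a reply whose key identifier is not trusted, whose digest was made with a different key, or whose header was altered in transit; a reply carrying no MAC at all is rejected too, which is what separates ntp authenticate from merely defining a key.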

9.3: SNMP

  1. Configure R3 to send SNMP traps on configuration changes and on BGP state changes. The community strings public and private are lab values; SNMPv1 carries them in cleartext, so outside a lab restrict them with an access list and drop the RW community unless it is actually needed:

  2. snmp-server community public RO
    snmp-server community private RW
    snmp-server enable traps config
    snmp-server enable traps bgp
    snmp-server host 10.50.31.99 public config bgp
    
    ! snip from R3 test using debug snmp packets:
    
    r3#debug snmp packets 
    SNMP packet debugging is on
    r3#
    r3#config terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    r3(config)#
    r3(config)#
    5d00h: SNMP: Queuing packet to 10.50.31.99
    5d00h: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr 10.50.31.2, gentrap 6, spectrap 1 
     ccmHistoryEventEntry.3.162 = 1 
     ccmHistoryEventEntry.4.162 = 2 
     ccmHistoryEventEntry.5.162 = 3
    5d00h: SNMP: Packet sent via UDP to 10.50.31.99
    r3(config)#
    r3(config)#end
    r3# 
    r3#clear ip bgp *
    r3#
    5d00h: %BGP-5-ADJCHANGE: neighbor 10.50.13.1 Down User reset
    5d00h: SNMP: Queuing packet to 10.50.31.99
    5d00h: SNMP: V1 Trap, ent bgp, addr 10.50.31.2, gentrap 6, spectrap 2 
     bgpPeerEntry.14.10.50.13.1 = 00 00 
     bgpPeerEntry.2.10.50.13.1 = 1
    5d00h: %BGP-5-ADJCHANGE: neighbor 10.50.13.17 Down User reset
    5d00h: SNMP: Queuing packet to 10.50.31.99
    5d00h: SNMP: V1 Trap, ent bgp, addr 10.50.31.2, gentrap 6, spectrap 2 
     bgpPeerEntry.14.10.50.13.17 = 00 00 
     bgpPeerEntry.2.10.50.13.17 = 1
    5d00h: %BGP-5-ADJCHANGE: neighbor 10.50.31.22 Down User reset
    r3#
    5d00h: SNMP: Queuing packet to 10.50.31.99
    5d00h: SNMP: V1 Trap, ent bgp, addr 10.50.31.2, gentrap 6, spectrap 2 
     bgpPeerEntry.14.10.50.31.22 = 04 00 
     bgpPeerEntry.2.10.50.31.22 = 1
    5d00h: SNMP: Packet sent via UDP to 10.50.31.99
    5d00h: SNMP: Packet sent via UDP to 10.50.31.99
    5d00h: SNMP: Packet sent via UDP to 10.50.31.99
    r3#
    r3#
    ! Snip from PIX config and ACL: the outside ACL permits only UDP 162 (snmptrap) from R3 to the trap receiver,
    ! and the static maps the receiver's outside address 10.50.31.99 to the inside host 192.168.6.99;
    pix# show access-list outside
    access-list outside permit udp host 10.50.31.2 host 10.50.31.99 eq snmptrap (hitcnt=44) 
    pix# show static
    static (inside,outside) 10.50.31.99 192.168.6.99 netmask 255.255.255.255 0 0 
    pix#
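The trap varbinds in the debug above are bare column numbers and integers. The decoder below, an added example rather than anything on the page or in IOS, turns them into readable events using the enumerations from CISCO-CONFIG-MAN-MIB and BGP4-MIB and the BGP NOTIFICATION error codes of RFC 4271. SAMPLE is constructed from the debug lines shown above; the function names are this example's own.

```python
"""Decode the SNMPv1 traps R3 emits ('debug snmp packets' output) into readable events.

Added example, not from the lab page. SAMPLE is constructed from the debug lines
above; the enumerations are summarized from CISCO-CONFIG-MAN-MIB, BGP4-MIB and RFC 4271.
"""
import re

SAMPLE = """\
5d00h: SNMP: Queuing packet to 10.50.31.99
5d00h: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr 10.50.31.2, gentrap 6, spectrap 1
 ccmHistoryEventEntry.3.162 = 1
 ccmHistoryEventEntry.4.162 = 2
 ccmHistoryEventEntry.5.162 = 3
5d00h: SNMP: Packet sent via UDP to 10.50.31.99
5d00h: %BGP-5-ADJCHANGE: neighbor 10.50.13.1 Down User reset
5d00h: SNMP: V1 Trap, ent bgp, addr 10.50.31.2, gentrap 6, spectrap 2
 bgpPeerEntry.14.10.50.13.1 = 00 00
 bgpPeerEntry.2.10.50.13.1 = 1
5d00h: SNMP: V1 Trap, ent bgp, addr 10.50.31.2, gentrap 6, spectrap 2
 bgpPeerEntry.14.10.50.31.22 = 04 00
 bgpPeerEntry.2.10.50.31.22 = 1
"""

TRAP_RE = re.compile(r"V1 Trap, ent (\S+), addr (\S+), gentrap (\d+), spectrap (\d+)")
VARBIND_RE = re.compile(r"^\s+(\S+)\s*=\s*(.+?)\s*$")   # indented 'oid = value' lines

# enterprise-specific trap numbers: ciscoConfigManEvent; bgpEstablished / bgpBackwardTransition
TRAP_NAMES = {("ciscoConfigManMIB.2", 1): "ciscoConfigManEvent",
              ("bgp", 1): "bgpEstablished",
              ("bgp", 2): "bgpBackwardTransition"}
COMMAND_SOURCE = {1: "commandLine", 2: "snmp"}                       # ccmHistoryEventCommandSource
CONFIG_MEDIUM = {1: "erase", 2: "commandSource", 3: "running", 4: "startup", 5: "local",
                 6: "networkTftp", 7: "networkRcp", 8: "networkFtp", 9: "networkScp"}
BGP_STATE = {1: "idle", 2: "connect", 3: "active", 4: "opensent", 5: "openconfirm", 6: "established"}
BGP_ERROR = {0: "none", 1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
             4: "Hold Timer Expired", 5: "FSM Error", 6: "Cease"}


def parse_trap_debug(text):
    """Group each 'V1 Trap' line with the indented varbind lines that follow it."""
    events = []
    for line in text.splitlines():
        m = TRAP_RE.search(line)
        if m:
            ent, addr, gen, spec = m.groups()
            events.append({"agent": addr,
                           "trap": TRAP_NAMES.get((ent, int(spec)), f"{ent}/{spec}"),
                           "varbinds": {}})
            continue
        m = VARBIND_RE.match(line)
        if m and events:
            events[-1]["varbinds"][m.group(1)] = m.group(2)
    return [decode(e) for e in events]


def split_oid(name):
    """'bgpPeerEntry.14.10.50.13.1' -> ('bgpPeerEntry', 14, '10.50.13.1'): table, column, row index."""
    table, column, index = name.split(".", 2)
    return table, int(column), index


def decode(event):
    cols = {}
    for name, value in event.pop("varbinds").items():
        table, column, index = split_oid(name)
        cols[column] = value
        event.setdefault("index", index)
    if event["trap"] == "ciscoConfigManEvent":       # columns 3,4,5 of ccmHistoryEventEntry
        event["command_source"] = COMMAND_SOURCE.get(int(cols[3]), cols[3])
        event["config_source"] = CONFIG_MEDIUM.get(int(cols[4]), cols[4])
        event["config_destination"] = CONFIG_MEDIUM.get(int(cols[5]), cols[5])
    elif event["trap"].startswith("bgp"):           # bgpPeerState (2) and bgpPeerLastError (14)
        code, subcode = (int(b, 16) for b in cols[14].split())
        event["peer"] = event["index"]
        event["state"] = BGP_STATE.get(int(cols[2]), cols[2])
        event["last_error"] = f"{BGP_ERROR.get(code, code)} ({code}/{subcode})"
    return event


def summarize(event):
    if event["trap"] == "ciscoConfigManEvent":
        return (f"{event['agent']}: config change via {event['command_source']}, "
                f"{event['config_source']} -> {event['config_destination']}")
    return (f"{event['agent']}: BGP peer {event['peer']} now {event['state']}, "
            f"last error {event['last_error']}")


if __name__ == "__main__":
    for ev in parse_trap_debug(SAMPLE):
        print(summarize(ev))
```

The first event decodes to a change entered at the command line into the running configuration, which is exactly what config terminal did; the BGP events show each peer dropping to idle after clear ip bgp *, with bgpPeerLastError carrying whatever NOTIFICATION was last recorded for that peer rather than the cause of this reset.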

9.4: Policy Routing

  1. Configure policy routing on R1 so that traffic to the mail and web servers behind R3 uses a different next hop. The policy is applied to both serial subinterfaces for transit traffic and, with ip local policy, to traffic R1 itself originates, which is what makes the traceroute from R1 below honour it:

  2. interface Serial2/0.2 point-to-point
     ip address 10.50.13.33 255.255.255.240
     ip policy route-map server
    !
    interface Serial2/0.3 point-to-point
     ip address 10.50.13.1 255.255.255.240
     ip policy route-map server
    !
    !
    ip local policy route-map server
    !
    access-list 101 permit ip any host 10.50.31.98
    access-list 102 permit ip any host 10.50.31.99
    !
    route-map server permit 10
     match ip address 101
     set ip next-hop 10.50.13.34
    !
    route-map server permit 20
     match ip address 102
     set ip next-hop 10.50.13.2
    !
    route-map server permit 30
     ! no match clause: all other traffic is routed normally
    
    
    ! Verify with traceroute. The !A replies from 10.50.13.34 are ICMP administratively-prohibited
    ! messages from R2's access list, but they still show the first hop was set to 10.50.13.34;
    r1#traceroute 10.50.31.98
    Type escape sequence to abort.
    Tracing the route to 10.50.31.98
    
     1 10.50.13.34 !A * !A 
    
    
    r1#traceroute 10.50.31.99
    Type escape sequence to abort.
    Tracing the route to 10.50.31.99
    
     1 10.50.13.2 32 msec 32 msec 32 msec
     2 * * * 
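A small model of how IOS evaluates the two kinds of route map in this section, as an added example (not from the page): the NAT route maps of 9.1, where match interface is tested against the interface the routing lookup already chose, and the policy route map of 9.4, where sequences are tried in order and the empty permit 30 lets everything else be routed normally. The routing table ROUTES is constructed (host routes standing in for whatever R3 actually learns), the interface addresses are those seen in the 9.1 debug output, and all function names are this example's own.

```python
"""Toy model of IOS route-map evaluation for the 9.1 NAT and 9.4 PBR configurations.

Added example, not from the lab page. ROUTES is constructed so that the three test
destinations leave R3 by the interfaces the text names; IFACE_ADDR holds the
inside-global addresses seen in the 'debug ip nat' output.
"""
import ipaddress

IPv4 = ipaddress.IPv4Address
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard(addr, mask):
    """Convert an IOS 'address wildcard' pair into a network (wildcard = inverted netmask)."""
    netmask = IPv4(~int(IPv4(mask)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def acl_permits(acl, src, dst):
    """First matching entry wins; an implicit deny ends every IOS access list."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def egress_interface(routes, dst):
    """Longest-prefix match: the interface the packet would leave by, decided before NAT."""
    matches = [(net, iface) for net, iface in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def first_match(route_map, src, dst, egress=None):
    """Sequences are tried in order; every 'match' in a sequence must hold for it to apply."""
    for seq in sorted(route_map, key=lambda s: s["seq"]):
        if "acl" in seq and not acl_permits(seq["acl"], src, dst):
            continue
        if "interface" in seq and seq["interface"] != egress:
            continue
        return seq
    return None


# ---- 9.1: R3 multihomed NAT ----------------------------------------------------
ROUTES = [(ipaddress.IPv4Network("122.122.122.122/32"), "Serial1/0.3"),    # constructed
          (ipaddress.IPv4Network("144.144.144.144/32"), "Serial1/0.1"),
          (ipaddress.IPv4Network("166.166.166.166/32"), "FastEthernet0/0")]
IFACE_ADDR = {"FastEthernet0/0": "10.50.31.2", "Serial1/0.1": "10.50.13.2", "Serial1/0.3": "10.50.13.18"}
R3_ACL102 = [("permit", wildcard("192.168.3.0", "0.0.0.255"), ANY)]
# 'ip nat inside source route-map <name> interface <if> overload', one per egress interface,
# each route map matching ACL 102 and its own interface
NAT_RULES = [(iface, [{"seq": 10, "acl": R3_ACL102, "interface": iface}]) for iface in IFACE_ADDR]


def nat_inside_global(src, dst):
    """Return the translated source address, or None if no NAT statement applies."""
    src, dst = IPv4(src), IPv4(dst)
    egress = egress_interface(ROUTES, dst)
    for iface, route_map in NAT_RULES:
        if first_match(route_map, src, dst, egress) is not None:
            return IFACE_ADDR[iface]
    return None


# ---- 9.4: R1 policy routing ----------------------------------------------------
R1_ACL101 = [("permit", ANY, wildcard("10.50.31.98", "0.0.0.0"))]
R1_ACL102 = [("permit", ANY, wildcard("10.50.31.99", "0.0.0.0"))]
ROUTE_MAP_SERVER = [{"seq": 10, "acl": R1_ACL101, "next_hop": "10.50.13.34"},
                    {"seq": 20, "acl": R1_ACL102, "next_hop": "10.50.13.2"},
                    {"seq": 30}]   # matches everything, sets nothing: route normally


def pbr_next_hop(src, dst):
    """Return the policy-set next hop, or None when the packet falls through to the routing table."""
    seq = first_match(ROUTE_MAP_SERVER, IPv4(src), IPv4(dst))
    return seq.get("next_hop") if seq else None


if __name__ == "__main__":
    for dst in ("122.122.122.122", "144.144.144.144", "166.166.166.166"):
        print(f"R3: 192.168.3.1 -> {dst} translated to {nat_inside_global('192.168.3.1', dst)}")
    for dst in ("10.50.31.98", "10.50.31.99", "10.50.31.1"):
        print(f"R1: traffic to {dst} next hop {pbr_next_hop('10.50.13.33', dst)}")
```

Two consequences worth noticing: a source outside 192.168.3.0/24 is never translated by any of the three NAT statements, because ACL 102 fails before match interface is even considered, and a destination with no route matches no NAT statement either, since there is no egress interface for match interface to agree with.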