Packet Tracer LAB CISCO

Packet Tracer - Lab 1 : Basic switch setup
LAST UPDATED: 15 AUGUST 2023
Introduction
A new switch just purchased from Cisco contains no default configuration. You need to
configure the switch with setup mode or from scratch using the command line interface (CLI)
before connecting it in your network environment.
As a Cisco CCNA certified professional, it is very important to know the basic Cisco switch
configuration commands to improve the performances and the security of the enterprise network.
Network diagram
READ NEXT :

Download Cisco Packet Tracer 8.2.2 & GNS3
2024-04-09
 Lab 20 - CBAC trafic Inspection with ISR router
2024-02-13
 Lab 17 - Site to site IPSEC VPN with ASA 5505
2023-12-09
 Lab 2 - Switch interfaces configuration
2023-08-15
 Lab 1 - Basic switch setup
2023-08-15
Lab instructions
This lab will test your ability to configure basic settings such as hostname, motd banner,
encrypted passwords, and terminal options on a Cisco Catalyst 2960 switch emulated in Packet
Tracer 8.1.1.
1. Use the local laptop connect to the switch console and configure the laptop with the right
parameters for console access to the Cisco 2960 Catalyst switch
2. Configure Switch hostname as LOCAL-SWITCH
3. Configure the message of the day as "Unauthorized access is forbidden"
4. Configure the password for privileged mode access as "cisco". The password must be md5
encrypted
5. Configure password encryption on the switch using the global configuration command
6. Configure CONSOLE access with the following settings :

- Login enabled
- Password : ciscoconsole
- History size : 15 commands
- Timeout : 6'45''
- Synchronous logging
6. Configure TELNET access with the following settings :

- Login enabled
- Password : ciscotelnet
- History size : 15 commands
- Timeout : 8'20''
- Synchronous logging
7. Configure the IP address of the switch as 192.168.1.2/24 and it's default gateway IP
(192.168.1.1).
8. Test telnet connectivity from the Remote Laptop using the telnet client.
Lab solution
Configure Switch hostname as LOCAL-SWITCH
Switch(config)#hostname LOCAL-SWITCH
Configure the message of the day as "Unauthorized access is forbidden"
Switch(config)#banner motd #
Unauthorized access is forbidden#
Configure the password for privileged mode access as "cisco". The password must be md5
encrypted
Switch(config)#enable secret cisco
Configure password encryption on the switch using the global configuration command
Password encryption is an important setting for securing switch credentials as defaut behavior is
saving clear-text passwords in the running-config. Although useful to avoid naive hacking,be
advised that tools have been released to crack those passwords. Use the service password-
encryption command with additional security measures.
Switch(config)#service password-encryption
Configure CONSOLE access [...]
Switch(config)#line con 0
Switch(config-line)#password ciscoconsole
Switch(config-line)#logging synchronous
Switch(config-line)#login
Switch(config-line)#history size 15
Switch(config-line)#exec-timeout 6 45
Configure TELNET access [...]
Switch(config)#line vty 0 15
Switch(config-line)#exec-timeout 8 20
Switch(config-line)#password ciscotelnet
Switch(config-line)#logging synchronous
Switch(config-line)#login
Switch(config-line)#history size 15
Configure the IP address of the switch as 192.168.1.2/24 and it's default gateway IP
(192.168.1.1).
Switch(config)#interface Vlan1
Switch(config-if)#ip address 192.168.1.2 255.255.255.0

Switch(config-if)#ip default-gateway 192.168.1.1
Packet Tracer lab 2 : Interfaces configuration

LAST UPDATED: 15 AUGUST 2023
Network diagram
This lab will test your ability to configure speed, duplex, and vlan settings on the network
interfaces of a Catalyst 2960 switch using Cisco Packet Tracer 8.1.1 .
READ NEXT :

2024-04-09
2024-02-13
2023-12-09
2023-08-15
2023-08-15
Lab instructions
1. Connect to Switch0 using console interface and configure each Switch0 fastethernet
switchport for operation.
Settings to be configured on each port are :
 Port type : access port

 Speed : 100 Mbit/s
 Duplex mode : Full Duplex
 Autonegotiation: disabled
2. PC "192.168.1.4" seems to be unable to ping other PCs in the network. Check switch
configuration.
TIP : How many broadcast domains are there in this network ?
3. Choose the right cable to connect :
 Switch0 gigabitethernet 1/1 to Switch1 gigabitethernet 1/1

 Switch1 gigabitethernet 1/2 to Switch2 gigabitethernet 1/2
4. Configure those two links as trunk lines without using trunk negotiation between switches
Solution
1. Connect to Switch0 using console interface and configure each Switch0 fastethernet
switchport for operation.
Explicitly configuring the speed with the speed 100 IOS command of a Cisco Catalyst network
interface disable auto-negociation on this interface
Switch(config)#interface FastEthernet0/1
switchport mode access

duplex full
speed 100
Switch(config-if)#switchport mode access
Switch(config-if)#duplex full
Switch(config-if)#speed 100
2. PC "192.168.1.4" seems to be unable to ping other PCs in the network. Check switch
configuration.
Switch(config-if)#switchport access vlan 1
3. Choose the right cable to connect Switch0 to Switch1 and Switch2
Crossover network cable have to be used to connect two network devices of the same type
together (two network switches, two routers, two PC). Crossed wiring inside the crossover
cable connects the transmit PIN at one end of the cable to the receive PIN at the other end.
4. Configure those two links as trunk lines without using trunk negotiation between
switches
On every interface that has to be configured for trunk operation, configure the following
settings :
Switch(config)#interface GigabitEthernet1/X
Switch(config-if)#switchport mode trunk
Verify interface operational mode using the show interface GigabitEthernet1/X switchport
command :
Name: Gig1/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Another useful IOS command is show interfaces trunk :
Switch#sh interfaces trunk

Port Mode Encapsulation Status Native vlan
Gig1/2 on 802.1q trunking 1
Port Vlans allowed on trunk

Gig1/2 1-1005
Port Vlans allowed and active in management domain

Gig1/2 1
Port Vlans in spanning tree forwarding state and not pruned

Gig1/2 1
Packet Tracer lab 3 : VLAN and VTP
LAST UPDATED: 01 MAY 2023
Network diagram
The aim of this lab is to test your ability to configure VLAN and VTP on a small network of 4
switches using Packet Tracer 7.2.1.
This lab will help you to prepare the VTP testlet and simlet questions of the Cisco ICND1
exam.
READ NEXT :

2024-04-09
2024-02-13
2023-12-09
2023-08-15
2023-08-15
Lab instructions
1.Configure the VTP-SERVER switch as a VTP server
2.Connect to the 3 other switches and configure them as VTP clients.

All links between swiches must be configured as trunk lines.
3.Configure VTP domain name as "TESTDOMAIN" and VTP password as "cisco"
4.Configure VLAN 10 with name "STUDENTS" and VLAN 50 with name "SERVERS"
5. Check propagation on all switches of the VTP domain.
VLAN and VTP lab solution

1. Configure the VTP-SERVER switch as a VTP server
VTP-SERVER(config)#vtp mode server

Verify the VTP operating mode using the show vtp status command
VTP-SERVER#show vtp status

VTP Version :2
Configuration Revision :4
Maximum VLANs supported locally : 255
Number of existing VLANs :7
VTP Operating Mode : Server
VTP Domain Name : TESTDOMAIN
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xAE 0x4F 0x3F 0xC5 0xD3 0x41 0x9C 0x11
Configuration last modified by 192.168.1.1 at 3-1-93 00:27:41
Local updater ID is 192.168.1.1 on interface Vl1 (lowest numbered VLAN interface found)
2. Connect to the 3 other Catalyst switches and configure them as VTP clients.
All links between swiches must be configured as trunk lines.
VTP-CLIENT3(config)#vtp mode client

VTP-CLIENT3(config)#vtp mode client
Verify the VTP operating mode of the switch using the show vtp status command. The "VTP
Operating Mode" shoud have the"Client" value. Example with VTP-CLIENT3 switch is
provided below.
VTP-CLIENT3#sh vtp status

VTP Version :2
Configuration Revision :4
Maximum VLANs supported locally : 255
Number of existing VLANs :7
VTP Operating Mode : Client
VTP Domain Name : TESTDOMAIN
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xAE 0x4F 0x3F 0xC5 0xD3 0x41 0x9C 0x11
Configuration last modified by 192.168.1.1 at 3-1-93 00:27:41
Configure each link between switches as a trunk line using the switchport mode
truink command
interface GigabitEthernet1/1
switchport mode trunk
interface GigabitEthernet1/2
switchport mode trunk
3. Configure VTP domain name as "TESTDOMAIN" and VTP password as "cisco"
On the VTP server Catalyst switch:
VTP-SERVER(config)#vtp domain TESTDOMAIN

VTP-SERVER(config)#vtp password cisco
On each VTP client switch :
VTP-CLIENT1(config)#vtp password cisco

VTP-CLIENT1(config)#vtp domain TESTDOMAIN
4. Configure VLAN 10 with name "STUDENTS" and VLAN 50 with name "SERVERS"
On the VTP server Catalyst 2960 switch, configure the following commands to create both
"STUDENTS" and "SERVERS" vlans :
VTP-SERVER(config)#vlan 10
VTP-SERVER(config-vlan)#name STUDENTS
VTP-SERVER(config)#vlan 50
VTP-SERVER(config-vlan)#name SERVERS
5. Check propagation of both "STUDENTS" and "SERVERS" vlans on all Catalyst 2960
network switches of the VTP domain.
Use the show vlan brief on each switch to check propagation of the 2 VLANS.
VTP-SERVER#show vlan brief
VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4, [...]
10 STUDENTS active
50 SERVERS active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
Packet Tracer lab 4 : Port security
Introduction
A growing challenge for network administrators is to be able to control who is allowed - and
who isn't - to access the organization's internal network. This access control is mandatory for
critical infrastructure protection in your network. It is not on public parts of the network where
guest users should be able to connect.
Port security is a feature implemented in Cisco Catalyst switches which helps network engineers
in implementing network security on network boundaries.
In its most basic form, the Port Security feature remembers the MAC address of the device
connected to the switch edge port and allows only that MAC address to be active on that port. If
any other MAC address is detected on that port, port security feature shutdown the switch port.
The switch can be configured to send a SNMP trap to a network monitoring solution to alert that
a port is disabled for security reasons.
READ NEXT :

2024-04-09
2024-02-13
2023-12-09
2023-08-15
2023-08-15
Network diagram
Lab instructions
This lab will test your ability to configure port security on CiscoTM 2960 switch interfaces.
1. Configure port security on interface Fa 0/1 of the switch with the following settings :
- Port security enabled
- Mode : restrict
- Allowed mac addresses : 3
- Dynamic mac address learning.
- Mode : shutdown
- Allowed mac addresses : 3
- Dynamic mac address learning.
- Mode : protect
- Static mac address entry : 00E0.A3CE.3236
4. From LAPTOP 1 :
Try to ping 192.168.1.2 and 192.168.1.3. It should work.
Try to ping 192.168.1.4 and 192.168.1.5. It should work.
5. Connect ROGUE laptop to the hub.
Try to ping 192.168.1.1. It should work.
Try to ping 192.168.1.4. It should fail.

Solution
Interface FastEthernet 0/1 configuration - Restrict mode
The port-security restrict mode drops packets with unknown source addresses until you remove
a sufficient number of secure MAC addresses to drop below the maximum value and causes
the SecurityViolation counter to increment.
Port security with sticky MAC addresses provides many of the same benefits as port security
with static MAC addresses, but sticky MAC addresses can be learned dynamically. Port
security with sticky MAC addresses retains dynamically learned MAC addresses during a link-
down condition.
interface FastEthernet0/1
switchport port-security
switchport port-security maximum 3
switchport port-security mac-address sticky
switchport port-security violation restrict
When the rogue laptop is connected to the hub and tries to communicate with 192.168.1.4, the
number of mac-addresses learned ont the fastethernet 0/1 interface exceeds 3. The interface
drops traffic with the new mac-address (not learned by the switch because 3 mac addresses have
already been registered on the fa0/1 interface) and increases the security viloation counter based
on the 'restrict' port-security configuration of the interface.
Switch#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------------
Fa0/1 3 3 5 Restrict
Fa0/2 3 1 0 Shutdown
Fa0/3 1 1 0 Protect
----------------------------------------------------------------------
Interface FastEthernet 0/2 configuration - Shutdown mode (default)
The port-security shutdown mode puts the interface into the error-disabled state immediately
and sends an SNMP trap notification.
switchport voice vlan 20
switchport port-security maximum 3
switchport port-security mac-address sticky
Interface FastEthernet 0/3 configuration - Protect mode
The port-security protect mode silently drops packets with unknown source addresses until
you remove a sufficient number of secure MAC addresses todrop below the maximum value. No
counter is incremented
switchport port-security violation protect
{wbamp-hide start}
Published by Packet Tracer Network.
{wbamp-hide end}
1. Labs
2. Lab 4 : Port security
Packet Tracer - Lab 6 : Basic router setup
Introduction
At the first boot of a Cisco ISR router, some basic configuration has to be performed to secure
adminitrative access to the router. This lab will test your ability to configure the basic security
settngs of a Cisco ISR router and help you to get ready for the router configuration simulation
activities in the CCENT / ICND1 certification exam (Chapter 5.0 Infrastructure
Maintenance of Cisco Certified Entry Networking Technician (CCENT) exam)
READ NEXT :

2024-04-09
2024-02-13
2023-12-09
2023-08-15
2023-08-15
Network diagram
Lab instructions
The aim of this lab is to test your ability to perform a basic router setup. You have 15 minutes to
complete this simulation.
1. Configure the LAPTOP terminal software with the right console parameters.
2. Configure the router hostname to "GATEWAY"
3. Configure the enable password and secret to "cisco"
4. Configure password encryption on the router to secure stored passwords
5. Configure the console access :

- Login : yes
- Password : "cisco"
- History : 10 commands
- Logging synchronous
- Timeout : 2 minutes 45 seconds.
Solution
1. Configure the laptop terminal software
The terminal software in not correctly configured on the laptop. You have to change the settings
to 9600 / 8 / None / 1 to connect to the router's console. Remerber this tip as it could help you
answer CCENT questions or achieve CCENT simlet.
2. Configure the router's name
The hostname command has to be used to changethe router's hostname.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname GATEWAY
3. Configure the enable password and secret to "cisco"
The enable secret <password> command stores a MD5 hash of the password required for
privileged mode access. The enable secret password of a Cisco ISR router is used for restricting
access to enable mode and to the global configuration mode (configure terminal) of a router.
GATEWAY(config)#enable secret cisco
4. Configure password encryption for this router
GATEWAY(config)#service password-encryption
5. Configure the console access
Console access is protected by the 'cisco' password and login is required at console access.
The exec-timeout command automatically logs off user from console after defined inactivity
period (2'45'' in this lab)
GATEWAY(config)#line console 0
GATEWAY(config-line)#password cisco
GATEWAY(config-line)#login
GATEWAY(config-line)#logging synchronous
GATEWAY(config-line)#exec-timeout 2 45
GATEWAY(config-line)#history size 10
Video tutorial
Packet Tracer 8.1.1 tutorial - IP telephony basic

configuration
Tutorial description
This tutorial is designed to help you to configure the voice over ip (voip) features available in
Packet Tracer 8.1.1
It will show you the steps required to :
 Configure Call Manager ExpressTM on a 2811 router,

 Use the various telephony devices
 Setup dial peers
 Connect CiscoTM IP phones as well as analogue phone on the network.
Network diagram
Note : Connect only IP Phone 1 at the beginning of the lab. IP Phone 2 must be disconnected.
READ NEXT :

2024-04-09
2024-02-13
2023-12-09
2023-08-15
2023-08-15
Tasks 1 : Configure interface FastEthernet 0/0 and DHCP

server on RouterA (2811 router)
Configure the FastEthernet 0/0 interface with 192.168.10.1/24 ip address. Don't forget to enable
the interface with the no shutdown command !
RouterA>enable
RouterA#configure terminal
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip address 192.168.10.1 255.255.255.0
RouterA(config-if)#no shutdown
The DHCP server is needed to provide each IP phone connected to the network with an IP adress
and the TFTP server location.
RouterA(config)#ip dhcp pool VOICE #Create DHCP pool named VOICE

RouterA(dhcp-config)#network 192.168.10.0 255.255.255.0 #DHCP network network 192.168.10 with /24 mask#
RouterA(dhcp-config)#default-router 192.168.10.1 #The default router IP address#
RouterA(dhcp-config)#option 150 ip 192.168.10.1 #Mandatory for voip configuration.
After configuring the ISR router, wait a moment and check that ‘IP Phone 1’ has received an IP
address by placing your cursor over the phone until a configuration summary appears.
Tasks 2 : Configure the Call Manager Express telephony
service on RouterA
You must now configure the Call Manager Express telephony service on RouterA to enable voip
on your network.
RouterA(config)#telephony-service #Configuring the router for telephony services#

RouterA(config-telephony)#max-dn 5 #Define the maximum number of directory numbers#
RouterA(config-telephony)#max-ephones 5 #Define the maximum number of phones#
RouterA(config-telephony)#ip source-address 192.168.10.1 port 2000 #IP Address source#
RouterA(config-telephony)#auto assign 4 to 6 #Automatically assigning ext numbers to buttons#
RouterA(config-telephony)#auto assign 1 to 5 #Automatically assigning ext numbers to buttons#
Task 4 : Configure a voice vlan on SwitchA

Apply the following configuration on SwitchA interfaces. This configuration will separate voice
and data traffic in different vlans on SwitchA. data packets will be carried on the access vlan.
SwitchA(config)#interface range fa0/1 – 5 #Configure interface range#

SwitchA(config-if-range)#switchport mode access
SwitchA(config-if-range)#switchport voice vlan 1 #Define the VLAN on which voice packets will be handled#
Task 5 : Configure the phone directory for IP Phone 1

Although ‘IP Phone 1’ is already connected to SwitchA, it needs additionnal configuration
before beeing able to communicate. You need to configure RouterA CME to assign a phone
number to this IP phone.
RouterA(config)#ephone-dn 1 #Defining the first directory entry#

RouterA(config-ephone-dn)#number 54001 #Assign the phone number to this entry#
Task 5 : Verify the configuration

Ensure that the IP Phone receives an IP Address and a the phone number 54001 from RouterA
(this can take a short while).
Task 6 : Configure the phone directory for IP Phone 2
Connect IP Phone 2 to SwitchA and power the phone ON using the power adapter (Physical tab).
RouterA(config)#ephone-dn 2 #Defining the first directory entry#

RouterA(config-ephone-dn)#number 54002 #Assign the phone number to this entry#
Task 7 : Verify the configuration

Ensure that the IP Phone 2 receives an IP Address and a the phone number 54002 from RouterA
(this can take a short while). Same procedure as task n°5.
Dial 54001 and check if IP phone 1 correctly receives the call.
Packet Tracer 8.1.1 tutorial - IP telephony

advanced configuration
Tutorial description
This tutorial will guide you for advanced voip configuration in Cisco Packet Tracer 8.1.1
network simulation software. Based on the Cisco's Hierarchical Network Design Model, this
simulated network has voip call routing features enabled between two campus buildings with
network services (DNS, DHCP ...) centralized in the datacenter.
In a real world environment, the CUCME router would also be located in the datacenter.
However, Packet Tracer doesn't seems to support this configuration as IP phones don't register
and receive a valid phone number.
Network diagram
Download lab (Packet Tracer >= 6.2)
READ NEXT :

2024-04-09
2024-02-13
2023-12-09
2023-08-15
2023-08-15
Configuration tasks
CME-3 configuration
IP configuration
hostname CME-3
!
ip address 192.168.69.254 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.69.1
!
Telephony service configuration
telephony-service
max-ephones 5
max-dn 5
ip source-address 192.168.69.254 port 2000
auto assign 4 to 6
auto assign 1 to 5
Ephone declaration and number assignment
ephone-dn 1
number 2001
!
ephone-dn 2
number 2002
!
ephone 1
device-security-mode none
mac-address 0090.0C57.C85E
type 7960
!
ephone 2
mac-address 0090.0C20.BA20
type 7960
!
ephone 3
mac-address 0005.5E9E.2AC5
type 7960
button 1:2
!
ephone 4
mac-address 0060.5C2D.6220
type 7960
button 1:1
CME configuration
IP configuration
hostname CME
!
ip address 192.168.65.3 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.69.1
!
Telephony service configuration
telephony-service
max-ephones 42
max-dn 144
ip source-address 192.168.65.3 port 2000
auto assign 4 to 6
auto assign 1 to 5
Ephone declaration and number assignment
ephone-dn 1
number 1101
!
ephone-dn 2
number 1102
!
ephone-dn 3
number 1103
!
ephone-dn 4
number 1104
!
ephone-dn 5
number 1105
!
ephone-dn 6
number 1106
!
ephone 1
mac-address 0090.0C57.C85E
type 7960
button 1:1
!
ephone 2
mac-address 0090.0C20.BA20
type 7960
button 1:2
!
ephone 3
mac-address 00E0.A340.E430
type 7960
button 1:3
!
ephone 4
mac-address 0060.4710.AE01
type 7960
button 1:4
!
ephone 5
mac-address 000C.8521.0C20
type 7960
button 1:5
!
ephone 6
mac-address 00D0.D31A.7EE9
type CIPC
button 1:6
Call routing configuration between CME routers

Dial peers are used to identify call source and destination endpoints and to define the
characteristics applied between two CME routers. The destination pattern, configured in a dial
peer by using the destination-pattern command, associates a dialed string with a specific
telephony device. If the dialed string matches the destination pattern, the call is routed to the
remote dial peers. You have to configure a destination pattern for each voice-network dial peer
that you define on your network routers.
The destination pattern can be either a complete telephone number or a partial telephone number
with wildcard digits, represented by a period (.) character. Each "." represents a wildcard for an
individual digit that the originating router expects to match. For example, if the destination
pattern for a dial peer is defined as "555....", then any dialed string beginning with 555, plus at
least four additional digits, matches this dial peer.
CME-3 dial-peer configuration
dial-peer voice 1 voip

destination-pattern 1...
session target ipv4:192.168.65.254
!
CME dial-peer configuration
dial-peer voice 2 voip

destination-pattern 2...
session target ipv4:192.168.69.254
!
Packet Tracer lab 18 : ASA 5506-X DMZ
configuration
Network diagram
Lab instructions
1. Configure NAT to allow LAN users to access the INTERNET
2. Configure NAT to allow DMZ servers to access the INTERNET
3. Configure inbound NAT rule to allow access to the 172.16.1.10 DMZ webserver from the
Internet with 148.12.56.68 public IP address.
4. Configure ICMP rules to allow laptop1 to ping 148.12.56.1 internet router and any internet
resource. An access-list, named OUTSIDE, will be configured to allow incoming echo-reply and
unreachable ICMP replies
5.Configure the required access-lists on the internet facing interface to allow incoming trafic to
the DMZ webserver
6.Test HTTP connectivity from the Public laptop to the DMZ webserver (http://148.12.56.68)
READ NEXT :

2024-04-09
2024-02-13
2023-12-09
2023-08-15
2023-08-15
Lab Solution
1. Configure NAT to allow LAN users to access the INTERNET
In this lab, the AutoNAT feature of ASA 5506-X firewall is used to configure the NAT rules
that allow the hosts on the LAN segments to connect to the Internet. Network Address
Translation is needed because these internal hosts use private IP addresses which are not routable
on the Internet. Network Address Translation makes the addresses so that they look like the
ASA's outside interface IP address. AutoNAT suits best if the ASA external IP changes
frequently (DHCP).
AutoNAT configuration for the LAN subnet is done by creating a network object representing
each LAN subnet. In each of these objects, a dynamic nat rule is configured to conduct Port
Address Translation (PAT) on these clients as they pass from the inside to the outside interface.
The name of each interface, configured with nameif, is used in the AutoNAT command : nat
(inside,outside) dynamic interface
object network LAN

subnet 192.168.20.0 255.255.255.0
nat (inside,outside) dynamic interface
2. Configure NAT to allow DMZ servers to access the INTERNET

The same configuration as for the LAN subnet is done for the DMZ servers subnet. The source
interface name is replaced by the DMZ named interface.
object network DMZ

subnet 172.16.1.0 255.255.255.0
nat (DMZ,outside) dynamic interface
3. Configure inbound NAT rule for 172.16.1.10 DMZ webserver access

The following NAT rule statically maps the DMZ 172.16.1.10 webserver address to the
148.12.56.68 external address. Rule is bi-directional.
object network webserver

host 172.16.1.10
nat (DMZ,outside) static 148.12.56.68
4. Configure ICMP rules
Configure an extended access-list with the required rules to accept incoming echo replies.
access-list OUTSIDE extended permit icmp any any echo-reply

access-list OUTSIDE extended permit icmp any any unreachable
5.Configure the required ACL to allow incoming trafic to the DMZ webserver
Complete the previous access-list with the rules to allow inbound HTTP trafic and apply the
ACL to the outside interface.
object network webserver-external-ip

host 148.12.56.68
access-list OUTSIDE extended permit tcp any object webserver eq www
access-list OUTSIDE extended permit tcp any host 148.12.56.68 eq www
access-group ICMP-REPLY in interface outside
6.Test HTTP connectivity Internet to the DMZ webserver

Open a web browser on the "Public LAPTOP" located on the right of the network diagram.
The connection to http://148.12.56.67 should display the following welcome page.
ASA 5505 and 5506-X comparison

ASA 5506-X - Layer 3 interfaces
The new ASA 5506-X firewall provided in Packet Tracer 7.2 is configured with 8 layer 3
network interfaces. Each interface can be configured with it's own name and security level.
ASA 5506-X is configured with the Security Plus license by default which unlocks unlimited
usage of the layer 3 physical interfaces, 30 vlans (50% more than ASA 5505), and 50 VPN peers
(100% more than ASA 5505)
Licensed features for this platform:

Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 30 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers :4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 50 perpetual
Total VPN Peers : 50 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total UC Proxy Sessions : 160 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5506 Security Plus license.
ASA 5505 - Vlan interfaces and basic license bundle problems with DMZ
creation
The ASA 5505 firewall provided in Packet Tracer 7.1.1 was shipped and installed by default
with the basic license bundle. The content of this license package is displayed below :
Licensed features for this platform:

Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.

The ASA 5505 is configured by default with 2 vlans :
 VLAN 1 : Inside VLAN (interfaces E0/1 -> E0/7)

 VLAN 2 : Outside VLAN (interface E0/0)
If you try to configure a third vlan to host your DMZ,the ASA device will return the following
error because of the limited licence :
ERROR: This license does not allow configuring more than 2 interfaces with nameif and without
a "no forward" command on this interface or on 1 interface(s) with nameif already configured.
You have to limit communications between two vlan interfaces to make the creation of the third
vlan interface possible. This can be done for example using the command no forward interface
vlan 1 on the "interface vlan 3" to deny communications betwen the inside network and the
DMZ
The "security plus" license bundle which remove this limitation in the ASA 5505 (available
from Packet Tracer 7.1.1) and can be unlocked with the activation-key 0x1321CF73
0xFCB68F7E 0x801111DC 0xB554E4A4 0x0F3E008D command. Up to 20 vlans can now be
configured in the ASA 5505.
References
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-
firewalls/115904-asa-config-dmz-00.html
Packet Tracer lab 19 - DPI with ASA 5505

Network diagram
Lab instructions
Configure the ASA firewall to allow HTTP traffic from the laptop (inside network) to the HTTP
server located on the other side of the firewall. The traffic will be deeply inspected by the
firewall to make sure it contains real HTTP instead of rogue traffic.
All the communication from the outside to the inside network have to remain denied. Only the
statefull sessions established from the inside network have to be allowed by the firewall.
Interfaces and vlans default configuration is provided below. The default vlan security levels
have been manually added in the picture.
READ NEXT :

2024-04-09
2024-02-13
2023-12-09
2023-08-15
2023-08-15
Lab Solution
The default ASA 5505 firewall behavior is to allow traffic to flow from interfaces with higher
security levels ("inside" interfaces) to interfaces with lower security levels ("outside" interfaces),
but to deny traffic on the other way. Access-lists must be configured to allow the traffic flow
from lower security levels to higher security levels.
Default ASA 5505 security levels :
 Inside vlan : Security level 100

 Outside vlan : Security level 0
Despite this default behavior, the simulated ASA 5505 available in Packet Tracer 6.1 does not
allow the laptop to establish a working TCP connection with the HTTP server located in the
outside network. The TCP SYN is allowed to flow from the laptop to the server, but the TCP
ACK is blocked by the firewall.
The following configuration has to be applied to the firewall to establish a working TCP session
between the laptop and the HTTP server. This configuration uses the Modular Policy Framework
available in Cisco PIX/ASA products :
 Configure a class-map to define the traffic flow having to be inspected
 Define a policy-map to define the particular policy having to be applied to this traffic
flow
 Assign the policy to a specific interface (inside interface in the lab)
class-map HTTP
match default-inspection-traffic
!
policy-map TestPolicy
class HTTP
inspect http
!
service-policy TestPolicy interface inside

Packet Tracer LAB CISCO

Uploaded by

Copyright:

Available Formats

Packet Tracer LAB CISCO

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Packet Tracer LAB CISCO

Uploaded by

Copyright:

Available Formats

Packet Tracer - Lab 1 : Basic switch setup

LAST UPDATED: 15 AUGUST 2023

 Lab 17 - Site to site IPSEC VPN with ASA 5505

 Lab 2 - Switch interfaces configuration

 Lab 1 - Basic switch setup

3. Configure the message of the day as "Unauthorized access is forbidden"

6. Configure CONSOLE access with the following settings :

6. Configure TELNET access with the following settings :

Configure the message of the day as "Unauthorized access is forbidden"

Switch(config)#enable secret cisco

Configure CONSOLE access [...]

Configure TELNET access [...]

Switch(config-if)#ip address 192.168.1.2 255.255.255.0

Packet Tracer lab 2 : Interfaces configuration

 Lab 17 - Site to site IPSEC VPN with ASA 5505

 Lab 2 - Switch interfaces configuration

 Lab 1 - Basic switch setup

Settings to be configured on each port are :

 Port type : access port

3. Choose the right cable to connect :

 Switch0 gigabitethernet 1/1 to Switch1 gigabitethernet 1/1

switchport mode access

3. Choose the right cable to connect Switch0 to Switch1 and Switch2

Switch#sh interfaces trunk

Port Vlans allowed on trunk

Port Vlans allowed and active in management domain

Port Vlans in spanning tree forwarding state and not pruned

 Lab 17 - Site to site IPSEC VPN with ASA 5505

 Lab 2 - Switch interfaces configuration

 Lab 1 - Basic switch setup

2.Connect to the 3 other switches and configure them as VTP clients.

3.Configure VTP domain name as "TESTDOMAIN" and VTP password as "cisco"

VLAN and VTP lab solution

VTP-SERVER(config)#vtp mode server

VTP-SERVER#show vtp status

VTP-CLIENT3(config)#vtp mode client

VTP-CLIENT3#sh vtp status

3. Configure VTP domain name as "TESTDOMAIN" and VTP password as "cisco"

On the VTP server Catalyst switch:

VTP-SERVER(config)#vtp domain TESTDOMAIN

VTP-CLIENT1(config)#vtp password cisco

VTP-SERVER#show vlan brief

VLAN Name Status Ports

 Lab 17 - Site to site IPSEC VPN with ASA 5505

 Lab 2 - Switch interfaces configuration

 Lab 1 - Basic switch setup

- Allowed mac addresses : 3

- Dynamic mac address learning.

- Port security enabled

- Allowed mac addresses : 3

- Dynamic mac address learning.

- Port security enabled

- Static mac address entry : 00E0.A3CE.3236

Try to ping 192.168.1.2 and 192.168.1.3. It should work.

Try to ping 192.168.1.4 and 192.168.1.5. It should work.

5. Connect ROGUE laptop to the hub.

Try to ping 192.168.1.1. It should work.

Try to ping 192.168.1.4. It should fail.

Interface FastEthernet 0/2 configuration - Shutdown mode (default)

Published by Packet Tracer Network.