
COPYRIGHT INFORMATION

This publication, CCNA LAB WORKBOOK, was developed by Mohamed Ouamer. All rights
reserved. No part of this publication may be reproduced or distributed in any form or by any
means without the prior written permission of Mohamed Ouamer.

Cisco®, Cisco Systems®, CCDA®, CCNA®, CCDP®, CCNP®, CCIE®, CCSI®, the Cisco
Systems logo and the CCIE logo are trademarks or registered trademarks of Cisco Systems,
Inc. in the United States and certain other countries. All other trademarks are trademarks of
their respective owners.

If you have questions or concerns about our Copyright information, please email us at
contact@networkexperttraining.com.

DISCLAIMER

The following publication, CCNA LAB WORKBOOK, is developed to assist candidates in the
preparation for Cisco Systems’ CCNA exam.
While every effort has been made to ensure that all material is as complete and accurate as
possible, the enclosed material is presented on an “as is” basis. Neither the authors nor
networkexperttraining.com assume any liability or responsibility to any person or entity with
respect to loss or damages incurred from the information contained in this workbook.

If you have questions or concerns about our disclaimer, please email us at
contact@networkexperttraining.com.

ERRATA

Although we have taken every care to ensure the accuracy of our contents, mistakes do
happen. If you find a mistake in this workbook—maybe a mistake in text or configuration—we
would be grateful if you would report it to us. By doing this you can save other readers from
frustration, and help to improve subsequent versions of this workbook. If you find any errata,
report them by contacting us at support@networkexperttraning.com. Once your errata have
been verified, your submission will be accepted and the errata added to the list of existing
errata. The existing errata can be requested by contacting us at
support@networkexperttraning.com.
TABLE OF CONTENTS:

TELNET ........................................... 4
CONTROLLING TELNET ACCESS USING ACL .............. 12
SSH - BASIC CONFIGURATION ........................ 21
STATIC NAT ....................................... 34
DYNAMIC NAT ...................................... 43
PAT .............................................. 49
DHCP ............................................. 54
CCNA LAB WORKBOOK  IP SERVICES 

LAB 1: TELNET

I. Network diagram:

COPYRIGHT © 2009 MOHAMED OUAMER. ALL RIGHTS RESERVED 
HTTP://WWW.NETWORKEXPERTTRAINING.COM 
PAGE 1/1

II. Initial Configuration:

R1:
hostname R1
!
interface loopback0
ip address 1.1.1.1 255.255.255.255
!
interface fastethernet 0/0
ip address 12.12.12.1 255.255.255.0
no shutdown
!
ip route 2.2.2.2 255.255.255.255 12.12.12.2

R2:
hostname R2
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface fastethernet 0/0
ip address 12.12.12.2 255.255.255.0
no shutdown
!
ip route 1.1.1.1 255.255.255.255 12.12.12.1

III. Tasks:
1. Configure telnet on R1 using the password cisco.
2. On R2, telnet into R1. Make sure that R2 inserts loopback0's IP address in the telnet
packets.
3. On R2, try to telnet into R1 using its hostname "R1".
Use the ip host command to create the mapping between the name R1 and one of R1's IP
addresses.

IV. Solutions:

Task 1:

To configure telnet access, follow these steps:

1. Enter the VTY line configuration mode using the line vty command.
2. Using the password command, configure the password to be used for authentication when
you do not authenticate users against the local user database, a TACACS+ server, or a
configured AAA authentication method.
3. Configure how the router authenticates users using the login command. The router
can authenticate users based on the line password, its local user database, a
TACACS+ server, or a configured AAA authentication method.

R1:
R1#configure terminal
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#end
R1#

Verification:

R2:
After configuring telnet access on R1, you can access R1 through telnet from any device
on the network. Below is the output you’ll get if you telnet into R1 from R2.
R2#telnet 12.12.12.1
Trying 12.12.12.1 ... Open

User Access Verification

Password: //At this step, type the line password


R1>

To display information about open local-area transport (LAT), Telnet, or rlogin
connections, use the show sessions command in EXEC mode.

The Local Area Transport (LAT) protocol, part of the DECnet protocol suite, is designed to
handle multiplexed terminal traffic to and from timesharing hosts.

In our case, the show sessions command displays the parameters of the telnet session
established by R2. This command displays the host name, address, number of unread bytes
for the user to receive, idle time, and connection name.

R2#show sessions
Conn Host Address Byte Idle Conn Name
* 1 12.12.12.1 12.12.12.1 0 0 12.12.12.1

• The asterisk (*) marks the current terminal session, which you can resume by pressing
the Enter key once.

• Conn is the name or the address of the remote host to which the connection is made. The
Conn value is used as a parameter of the resume command to resume an active network
connection.

• Host is the network address (IP address, IPv6 address, ...) or the DNS name of the
remote host to which the router is connected.

• Address is the network address (IP address, IPv6 address, ...) of the remote host.

• Byte is the number of unread bytes waiting for the user to receive.

• Idle is the interval (in minutes) since data was last sent on the line.

• Conn Name is the assigned name of the connection.

R1:
R1#show line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 CTY - - - - - 0 0 0/0 -
97 AUX 9600/9600 - - - - - 0 0 0/0 -
* 98 VTY - - - - - 1 0 0/0 -
99 VTY - - - - - 0 0 0/0 -
100 VTY - - - - - 0 0 0/0 -
101 VTY - - - - - 0 0 0/0 -
102 VTY - - - - - 0 0 0/0 -

The show line command displays the status of the console line, the auxiliary line and the
VTY lines, along with a few parameters associated with each line. The asterisk (*) indicates
that the line is active; lines without an asterisk are available but not in use. Here two
lines are active: VTY line number 98 (equivalent to vty 0) and the console line.

Task 2:

R2:
R2#enable
R2#telnet 12.12.12.1 /source-interface loopback 0
Trying 12.12.12.1 ... Open

User Access Verification

Password:
R1>

Using the telnet command with the /source-interface option lets you specify an
interface as the source of the telnet packets. The IP address of that interface is
inserted in the source IP address field of the IP packets carrying the telnet segments.

Verification:

R1:
R1#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
98 vty 0 idle 00:00:17 2.2.2.2

The show users command displays information about the active lines on the router.

Task 3:

To accomplish this task, create a mapping between one of the IP addresses
configured on R1 and the string "R1". Do this using the ip host command in global
configuration mode.
The ip host command defines a static host name-to-address mapping in the host cache.

R2:
R2#configure terminal
R2(config)#ip host R1 1.1.1.1
R2(config)#end
R2#

To telnet into R1, try one of the following ways:

1. Type telnet R1 or telnet r1 in privileged EXEC mode.

R2#telnet r1
Trying R1 (1.1.1.1)... Open

User Access Verification

Password:
R1>

2. Type R1 in privileged EXEC mode.


R2#R1
Translating "R1"...domain server (255.255.255.255)
(255.255.255.255)Trying R1 (1.1.1.1)... Open

User Access Verification

Password:
R1>

3. Type r1 in privileged EXEC mode.


R2#r1
Translating "r1"...domain server (255.255.255.255)
(255.255.255.255)Trying R1 (1.1.1.1)... Open

User Access Verification

Password:
R1>

Verification:

The show hosts command displays the default domain name, the style of name lookup service,
a list of name server hosts, and the cached list of host names and addresses.

R2:
R2#show hosts
<omitted output>

Host Port Flags Age Type Address(es)
R1 None (perm, OK) 0 IP 1.1.1.1

R2#show sessions
Conn Host Address Byte Idle Conn Name
* 1 r1 1.1.1.1 0 0 r1

V. Links
For more information about the commands used in the current lab, open the following links:
1. ip host
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1108949
2. login
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_l1g.html#wp998262
3. password
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_i2g.html#wp1075206
4. show hosts
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_s1g.html#wp1079234
5. show line
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_l1g.html#wp1039571
6. show sessions
http://www.cisco.com/en/US/docs/ios/12_3/dial/command/reference/dia_s5g.html#wp998201
7. show users
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_l1g.html#wp1000969
8. telnet
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_s1g.html#wp998287

LAB 2: CONTROLLING TELNET ACCESS USING ACL

I. Network diagram:

II. Initial Configuration:

R1:
hostname R1
!
interface loopback0
ip address 1.1.1.1 255.255.255.255
!
interface fastethernet 0/0
ip address 12.12.12.1 255.255.255.0
no shutdown
!
ip route 2.2.2.2 255.255.255.255 12.12.12.2

R2:

hostname R2
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface fastethernet 0/0
ip address 12.12.12.2 255.255.255.0
no shutdown
!
ip route 1.1.1.1 255.255.255.255 12.12.12.1

III. Tasks:
1. Configure Telnet access on R1. The line password is cisc@?.
2. Configure R1 to accept only telnet sessions initiated from the host 12.12.12.3.
3. Configure R1 to reject outgoing telnet sessions initiated by users connected to its VTY
lines. Only SSH and rlogin outgoing sessions should remain enabled.

IV. Solutions:

Task 1:

To accomplish this task, follow these steps:

1. Enter the VTY line configuration mode using the line vty command.
2. Using the password command, configure the password cisc@?. Press Ctrl+V before
typing "?", otherwise the IOS parser treats "?" as a request for context-sensitive help.
3. Using the login command, configure the router to authenticate users based on the line
password.

R1:
R1#configure terminal
R1(config)#line vty 0 4
R1(config-line)#password cisc@?
R1(config-line)#login
R1(config-line)#end
R1#

Verification:

R2:
After configuring telnet access on R1, you can access R1 through telnet from any device
on the network. Below is the output you’ll get if you telnet into R1 from R2.
R2#telnet 12.12.12.1
Trying 12.12.12.1 ... Open

User Access Verification

Password: //At this step, type the line password


R1>

PC:
Follow these steps to telnet into the router from the Windows-based PC.
1. Click Start > Run.
2. Type telnet 12.12.12.1 and press Enter, as shown below.

3. Finally type the line password and press Enter.

R1:
Now R2 and the host PC have opened two telnet sessions to R1. To verify this, use
the show users command in R1's EXEC mode.

R1#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
98 vty 0 idle 00:00:20 12.12.12.2
99 vty 1 idle 00:00:15 12.12.12.3
Interface User Mode Idle Peer Address

As shown in the output of the show users command, the VTY lines number 0 and 1 are active
on R1. The hosts opening the sessions have the IP addresses 12.12.12.2 and 12.12.12.3.
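The show users output is the artifact an operator reads to find out who is on the VTY lines. The following Python script is an added example written for this page, not part of the workbook: it parses the whitespace-flattened show users rows printed in this lab and in Lab 3 into records, then flags VTY sessions whose Location is outside a management allowlist, or that were opened through a line password only (no entry in the User column, which is what login produces, as opposed to login local). The allowlist 12.12.12.3 and the wording of the findings are assumptions for the example; the sample outputs are copied from this workbook.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One data row of IOS "show users" as printed in this workbook (whitespace-flattened).
# Columns: Line, User, Host(s), Idle, Location; a leading "*" marks the current line.
# The User column is optional: it is empty when the line was opened with a line password.
_ROW = re.compile(
    r"^\s*(?P<cur>\*?)\s*(?P<line>\d+)\s+(?P<type>con|vty|aux|tty)\s+(?P<sub>\d+)"
    r"(?:\s+(?P<user>\S+))??\s+(?P<hosts>\S+)\s+(?P<idle>\d{2}:\d{2}:\d{2})"
    r"(?:\s+(?P<location>\S+))?\s*$"
)


@dataclass(frozen=True)
class Session:
    line: int                 # absolute line number (e.g. 98)
    line_type: str            # con, vty, aux or tty
    sub: int                  # relative number (vty 0, vty 1, ...)
    user: Optional[str]       # None when no username was authenticated on the line
    hosts: str                # outgoing connections from this line, or "idle"
    idle: str                 # hh:mm:ss since the last input on the line
    location: Optional[str]   # peer address of a VTY session, None for the console
    current: bool             # the row carried the "*" marker


def parse_show_users(output: str) -> List[Session]:
    """Parse the data rows of 'show users'; header and trailer lines are skipped."""
    sessions = []
    for raw in output.splitlines():
        m = _ROW.match(raw)
        if not m:
            continue
        sessions.append(Session(
            line=int(m["line"]), line_type=m["type"], sub=int(m["sub"]),
            user=m["user"], hosts=m["hosts"], idle=m["idle"],
            location=m["location"], current=(m["cur"] == "*"),
        ))
    return sessions


def audit_vty_sessions(output: str, allowed_locations: Set[str]) -> List[str]:
    """Return one finding per VTY session that violates the (assumed) policy:
    a peer address outside the allowlist, or a login that recorded no username."""
    findings = []
    for s in parse_show_users(output):
        if s.line_type != "vty":
            continue
        if s.location and s.location not in allowed_locations:
            findings.append(f"vty {s.sub}: peer {s.location} is not in the management allowlist")
        if s.user is None:
            findings.append(f"vty {s.sub}: no username recorded (line-password login from {s.location})")
    return findings


# Sample outputs copied from this lab (login with a line password) and from Lab 3 (login local).
SHOW_USERS_LAB2 = """\
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
98 vty 0 idle 00:00:20 12.12.12.2
99 vty 1 idle 00:00:15 12.12.12.3
Interface User Mode Idle Peer Address
"""

SHOW_USERS_LAB3 = """\
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
98 vty 0 ssh idle 00:00:41 12.12.12.2
99 vty 1 ssh idle 00:00:36 12.12.12.3
100 vty 2 ssh idle 00:00:26 12.12.12.3
"""

MANAGEMENT_HOSTS = {"12.12.12.3"}  # assumed allowlist for the example

if __name__ == "__main__":
    for name, out in (("Lab 2", SHOW_USERS_LAB2), ("Lab 3", SHOW_USERS_LAB3)):
        print(name)
        for finding in audit_vty_sessions(out, MANAGEMENT_HOSTS):
            print("  ", finding)
```

Against the Lab 2 output the script reports vty 0 (peer 12.12.12.2) and the missing usernames on both lines; against the Lab 3 output only vty 0 is reported, because the other two sessions come from the allowlisted host and carry the username ssh.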

Task 2:

R1:
To meet the requirement of this task, you have to do two things:
1. Configure an ACL that permits only telnet traffic sourced from the IP address 12.12.12.3.
2. Apply the ACL to the VTY lines in the inbound direction.

Beginning in global configuration mode, type the following statements:

R1#configure terminal
R1(config)#access-list 1 permit host 12.12.12.3
R1(config)#line vty 0 4
R1(config-line)#access-class 1 in
R1(config-line)#end
R1#

Note that an access-class ACL applies to every incoming VTY session, including sessions
using a VTY protocol other than TELNET (SSH, for example).

Verification:

To test our configuration, we’ll initiate two telnet sessions from the router R2 and the host
PC to R1.

R2:
Enable detailed ip packet debugging to see what happens when R2 tries to open a telnet
session with R1.

R2#debug ip packet detail
IP packet debugging is on (detailed)

R2#telnet 12.12.12.1
Trying 12.12.12.1 ...
% Connection refused by remote host
R2#
IP: tableid=0, s=12.12.12.2 (local), d=12.12.12.1 (FastEthernet0/0), routed via FIB
IP: s=12.12.12.2 (local), d=12.12.12.1 (FastEthernet0/0), len 44, sending
TCP src=56971, dst=23, seq=2997210285, ack=0, win=4128 SYN
IP: tableid=0, s=12.12.12.1 (FastEthernet0/0), d=12.12.12.2 (FastEthernet0/0), routed via RIB
IP: s=12.12.12.1 (FastEthernet0/0), d=12.12.12.2 (FastEthernet0/0), len 40, rcvd 3
TCP src=23, dst=56971, seq=0, ack=2997210286, win=0 ACK RST

The Telnet protocol uses TCP as its transport protocol, so before establishing the telnet
session R2 sends a TCP SYN segment to R1 to initiate a TCP connection. At this step,
router R1 checks whether the IP address in the source IP address field of the IP packet
carrying the TCP SYN segment is permitted by the ACL configured for incoming VTY
connections. If the IP address is not permitted by the ACL, which is the case here, R1
sends an ACK RST segment back to R2 to reset the TCP connection. The output of the
debug ip packet detail command shows that R2 sent a TCP SYN segment to R1, and that
R1 replied with an ACK RST segment.

PC:
Follow these steps to telnet into the router from the Windows-based PC.
1. Click Start > Run.
2. Type telnet 12.12.12.1 and press Enter, as shown below.

3. Finally, type the line password.

R1:
R1 has accepted the incoming telnet session from the PC host because its source address 12.12.12.3 is permitted by ACL 1.

R1#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
98 vty 0 idle 00:00:02 12.12.12.3

Interface User Mode Idle Peer Address

Task 3:

R1:
R1#configure terminal
R1(config)#line vty 0 4
R1(config-line)#transport output ssh rlogin
R1(config-line)#end
R1#

The transport command determines which protocols are allowed for incoming (transport input)
or outgoing (transport output) VTY sessions.

The effect of this configuration is that users connected to R1 via the VTY lines cannot
initiate a telnet session to a remote device. Users connected to the router's console,
however, can still telnet into a remote device until configured otherwise. To block outgoing
telnet sessions initiated from the router's console, use the following configuration.
access-list 111 deny tcp any any eq telnet
access-list 111 permit ip any any
line con 0
access-class 111 out

Verification:

To verify the configuration, we'll telnet into R1 from the PC host and then try to
telnet into R2 from that session. As shown in the output below, R1 displays the message
"% telnet connections not permitted from this terminal".

R1:
Follow these steps to telnet into the router from the Windows-based PC.
1. Click Start > Run.
2. Type telnet 12.12.12.1 and press Enter, as shown below.

3. Finally, type the line password.

V. Links
For more information about the VTY line commands, use the following links:
1. access-class
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_a1g.html#wp1083361
2. ip host
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1108949
3. login
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_l1g.html#wp998262
4. password
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_i2g.html#wp1075206
5. show hosts
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_s1g.html#wp1079234
6. show line
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_l1g.html#wp1039571
7. show sessions
http://www.cisco.com/en/US/docs/ios/12_3/dial/command/reference/dia_s5g.html#wp998201
8. show users
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_l1g.html#wp1000969
9. telnet
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_s1g.html#wp998287
10. transport output
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_t1g.html#wp1083654

LAB 3: BASIC SSH CONFIGURATION

I. Network diagram:

II. Initial Configuration:

R1:
hostname R1
!
interface loopback0
ip address 1.1.1.1 255.255.255.255
!
interface fastethernet 0/0
ip address 12.12.12.1 255.255.255.0
no shutdown
!
ip route 2.2.2.2 255.255.255.255 12.12.12.2

R2:
hostname R2
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface fastethernet 0/0
ip address 12.12.12.2 255.255.255.0
no shutdown
!
ip route 1.1.1.1 255.255.255.255 12.12.12.1

III. Tasks:

1. Configure SSH access on R1 using the following parameters:
• Domain name: networkexperttraining.com
• RSA key size: default value
2. Restrict SSH access on R1 using the following guidelines:
• Hosts on the subnet 12.12.12.0/24 are not allowed to open an SSH session to
R1, with the exception of the host 12.12.12.3. The remaining hosts on the
network still have SSH access to R1.
• All the hosts on the network can telnet into R1.
Make sure to enable TELNET access on R1.

3. Configure SSH access on R2 using the following parameters:
• Domain name: networkexperttraining.com
• SSH version: 2
• Authentication retries: 5
• SSH time-out: 90 seconds
4. Configure R1 to initiate SSH sessions using its loopback 0 interface.

IV. Solutions:

Task 1:

To secure the VTY lines using SSH, you have to:

1. Enable SSH. To do this you have to:
a. Configure the router's domain name using the ip domain-name command.
b. Create the RSA key pair using the crypto key generate rsa command.
If the domain name is not configured, then SSH cannot be enabled.

2. Create some user accounts using the username command.

3. Configure VTY line authentication based on the local user database. To accomplish this,
use the login local command in the VTY line configuration mode.

4. Enable the router to respond to incoming SSH requests. Use the transport input
command in the VTY line configuration mode.

R1:
R1#configure terminal
R1(config)#ip domain-name networkexperttraining.com
R1(config)#
R1(config)#crypto key generate rsa
R1(config)#
R1(config)#username ssh password cisco
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login local
R1(config-line)#end
R1#

Using RSA key size of 512 bits enables SSH version 1.5. The modulus needs to be at
least 768 bits to enable SSH version 2. Use the ip ssh version command to change the
version of SSH service.

Verification:

R1:
R1#show hosts
Default domain is networkexperttraining.com
Name/address lookup uses domain service
Name servers are 255.255.255.255
<omitted output>

R1#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
98 vty 0 ssh idle 00:00:29 12.12.12.2
99 vty 1 ssh idle 00:00:25 12.12.12.3

To test our SSH configuration we'll open two SSH sessions to R1, one from PC1 using the
PuTTY software, and one from R2.

PC1:
Follow these steps to open an SSH connection from PC1:
1. Open PuTTY by double-clicking its icon on the desktop, type one of the IP
addresses of R1 in the "Host Name" textbox, and click the Open button.

2. A dialog box appears asking you to accept or reject the RSA host key sent by R1. Click
the Yes button.

3. At this step, type the username/password combination to log in to the router.

R2:
In privileged EXEC mode, use the ssh command to open an SSH session to R1. You
have to pass a username and the hostname or IP address of the remote device to the ssh
command. If the remote device runs only SSH version 1, you have to specify the version
with -v 1; the default version is 2.

R2#ssh -v 1 -l ssh 12.12.12.1

Password: // Type the password of the user ssh

R1> // Press Ctrl+Shift+6 and x to return to R2

R2#show sessions
Conn Host Address Byte Idle Conn Name
* 1 12.12.12.1 12.12.12.1 0 0 12.12.12.1

Task 2:

To accomplish this task, you have to do three things:

1. Configure an extended ACL. Make sure to put the most specific statement at the top of
the ACL.
2. Apply the ACL to the VTY lines in the inbound direction.
3. Enable telnet access using the transport input command.

Beginning in the global configuration mode, type the following the statements:

R1:
R1#configure terminal
R1(config)#access-list 100 permit tcp host 12.12.12.3 any eq 22
R1(config)#access-list 100 deny tcp 12.12.12.0 0.0.0.255 any eq 22
R1(config)#access-list 100 permit tcp any any eq 22
R1(config)#access-list 100 permit tcp any any eq telnet
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#access-class 100 in
R1(config-line)#transport input telnet ssh
R1(config-line)#end
R1#

Verification:

R1:

R1#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
98 vty 0 ssh idle 00:00:41 12.12.12.2
99 vty 1 ssh idle 00:00:36 12.12.12.3
100 vty 2 ssh idle 00:00:26 12.12.12.3

R1#show ssh
Connection Version Encryption State Username
99 1.5 3DES Session started ssh
%No SSHv2 server connections running.

The show ssh command displays the established SSH sessions. As shown in its output,
one SSH session is open, from the host 12.12.12.3 (PC1). Because the show users command
shows three active VTY sessions, we have two active Telnet sessions and one active SSH
session.

PC1 has opened a Telnet session and an SSH session to R1. R2 could only open a
Telnet session to R1.

R2:
R2#ssh -v 1 -l ssh 12.12.12.1
% Connection refused by remote host

R2#telnet 12.12.12.1
Trying 12.12.12.1 ... Open

User Access Verification

Username: ssh
Password:
R1>

R1 has rejected the SSH session initiated by R2 because the IP address used by R2 as the
source IP address of its SSH packets matches the second statement of ACL 100.
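The access-class behaviour relied on in this task and in Lab 2, Task 2 (entries tested top-down, first match wins, implicit deny at the end, wildcard masks, most specific statement first) can be reproduced offline. The Python evaluator below is an added example written for this page; it is not Cisco code and models only what these two ACLs use: source address with wildcard mask and TCP destination port. It encodes ACL 1 from Lab 2 and ACL 100 from this task, and also shows what changes if the host exception is placed below the subnet deny, or if the /24 wildcard is typed as 0.255.255.255 instead of 0.0.0.255 (the two mistaken variants are constructed for the example).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TCP_PORTS = {"ssh": 22, "telnet": 23}


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: str                     # source address or network, e.g. "12.12.12.0"
    wildcard: str                # IOS wildcard mask: "0.0.0.0" = host, "255.255.255.255" = any
    dport: Optional[int] = None  # TCP destination port; None = any port (standard ACL)


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'do not care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


def evaluate(acl: List[AclEntry], src_ip: str, protocol: str) -> str:
    """Decision of an inbound access-class ACL for one VTY connection attempt.
    Entries are tested top-down and the first match wins; if nothing matches,
    the implicit 'deny any' at the end of every IOS ACL applies."""
    dport = TCP_PORTS[protocol]
    for entry in acl:
        if wildcard_match(src_ip, entry.src, entry.wildcard) and entry.dport in (None, dport):
            return entry.action
    return "deny"


def host(action: str, ip: str, dport: Optional[int] = None) -> AclEntry:
    return AclEntry(action, ip, "0.0.0.0", dport)


def any_src(action: str, dport: Optional[int] = None) -> AclEntry:
    return AclEntry(action, "0.0.0.0", "255.255.255.255", dport)


# Lab 2, Task 2: access-list 1 permit host 12.12.12.3 (standard ACL, applies to any VTY protocol)
ACL_1 = [host("permit", "12.12.12.3")]

# Lab 3, Task 2: access-list 100 as the task intends (12.12.12.0/24 is wildcard 0.0.0.255)
ACL_100 = [
    host("permit", "12.12.12.3", 22),
    AclEntry("deny", "12.12.12.0", "0.0.0.255", 22),
    any_src("permit", 22),
    any_src("permit", 23),
]

# Constructed variant: host exception placed below the subnet deny, so it never fires.
ACL_100_MISORDERED = [ACL_100[1], ACL_100[0], ACL_100[2], ACL_100[3]]

# Constructed variant: wildcard typed as 0.255.255.255, so the deny covers all of 12.0.0.0/8.
ACL_100_WIDE_WILDCARD = [
    ACL_100[0],
    AclEntry("deny", "12.12.12.0", "0.255.255.255", 22),
    ACL_100[2],
    ACL_100[3],
]


if __name__ == "__main__":
    probes = [("12.12.12.3", "ssh"), ("12.12.12.2", "ssh"), ("12.12.12.2", "telnet"), ("12.1.1.1", "ssh")]
    for ip, proto in probes:
        print(f"{ip:12} {proto:6} intended={evaluate(ACL_100, ip, proto):6} "
              f"misordered={evaluate(ACL_100_MISORDERED, ip, proto):6} "
              f"wide_wildcard={evaluate(ACL_100_WIDE_WILDCARD, ip, proto)}")
```

With the intended ACL, 12.12.12.3 gets SSH, 12.12.12.2 is refused SSH but may telnet, and a host outside 12.12.12.0/24 such as 12.1.1.1 gets SSH. The misordered list refuses SSH even to 12.12.12.3, and the wide wildcard refuses SSH to 12.1.1.1 as well, which is why the workbook insists on placing the most specific statement first and why the wildcard of a /24 must be 0.0.0.255.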

Task 3:

To accomplish this task, you have to:

1. Enable SSH. To do this you have to:
a. Configure the router's domain name using the ip domain-name command.
b. Create the RSA key pair using the crypto key generate rsa modulus command.
The modulus should be at least 768 to enable SSH version 2.
If the domain name is not configured, then SSH cannot be enabled.

2. Set the SSH version to 2 using the ip ssh version command.

3. Set the number of authentication retries to 5 using the ip ssh authentication-retries
command.

4. Set the time-out interval to 90 seconds using the ip ssh time-out command.

5. Create some user accounts using the username command.

6. Configure VTY line authentication based on the local user database. To accomplish this,
use the login local command in the VTY line configuration mode.

7. Enable the router to respond to incoming SSH requests. Use the transport input
command in the VTY line configuration mode.

R2:
R2#configure terminal
R2(config)#ip domain-name networkexperttraining.com
R2(config)#crypto key generate rsa modulus 1024
R2(config)#
R2(config)#username ssh_user password 0 cisco
R2(config)#
R2(config)#ip ssh time-out 90
R2(config)#ip ssh authentication-retries 5
R2(config)#ip ssh version 2
R2(config)#
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#transport input ssh
R2(config-line)#end
R2#

Verification:

The show crypto key mypubkey rsa command displays the RSA public keys of the router.
It is accessible in the privileged EXEC mode.

R2#show crypto key mypubkey rsa
% Key pair was generated at: 00:19:24 UTC Mar 1 2009
Key name: R2.networkexperttraining.com
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D88535
103B402F 02457881 F2B3B180 BFA21114 F4634742 E4C3BF6A E2773737 A67711BB
D9EBAC0C 2D9BC830 390EE1B1 142DE7EB 4C311BD8 F594ACA3 6D01DD3B 2907287D
EA4A88DB 3F469F16 CE5DAD2C EE09BE62 926F54BF 8F7CA0A4 4DB7D1BE 75C47005
EC87D978 121CC0E1 60443F13 8B7D5926 4CEE38C0 A9AE187C FE8E894A 41020301
0001
% Key pair was generated at: 00:19:27 UTC Mar 1 2009
Key name: R2.networkexperttraining.com.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A4BC70 C60B88ED
FF0B1BF1 9FB8BF60 7482EA1B A232E5F7 F7AD4B45 11395F68 811E51D3 85ED069E
9A5AC613 D3477A2F 75166C7F 5B89FA3D AF156DFF 05856C97 C4B70ED6 5C1551E6
E1B42C5D A6EB66D1 878F492F 872CFB6C 76430FE9 5A9E2E61 07020301 0001

R2#show ip ssh
SSH Enabled - version 2
Authentication timeout: 90 secs; Authentication retries: 5

R2#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
98 vty 0 ssh_user idle 00:00:23 12.12.12.1

Interface User Mode Idle Peer Address
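The Key Data printed by show crypto key mypubkey rsa is the DER encoding of the public key (a SubjectPublicKeyInfo structure), so the modulus size the workbook cares about (at least 768 bits for SSH version 2) can be read straight from it. The script below is an added example written for this page, not Cisco code: a minimal DER walker that decodes the two key blobs copied from R2's output above, returns the modulus size and public exponent, and checks them against the workbook's 768-bit threshold and against an assumed policy minimum of 2048 bits (current guidance for RSA; the 2048 figure is a parameter of the example, not something this lab configures).

```python
from typing import Tuple

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, pos, pos + length


def rsa_public_key_from_ios_hex(key_data: str) -> Tuple[int, int]:
    """Decode the 'Key Data' hex of 'show crypto key mypubkey rsa' (a DER
    SubjectPublicKeyInfo) and return (modulus_bits, public_exponent)."""
    der = bytes.fromhex("".join(key_data.split()))
    tag, p, end = _tlv(der, 0)                       # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg_start, alg_end = _tlv(der, p)           # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)   # algorithm OBJECT IDENTIFIER
    if tag != 0x06 or der[oid_start:oid_end] != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits_start, bits_end = _tlv(der, alg_end)   # subjectPublicKey ::= BIT STRING
    if tag != 0x03 or der[bits_start] != 0x00:       # first byte = number of unused bits
        raise ValueError("unexpected BIT STRING")
    tag, rsa_start, _ = _tlv(der, bits_start + 1)    # RSAPublicKey ::= SEQUENCE
    tag, n_start, n_end = _tlv(der, rsa_start)       # modulus INTEGER (leading 0x00 keeps it positive)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    tag, e_start, e_end = _tlv(der, n_end)           # publicExponent INTEGER
    modulus = int.from_bytes(der[n_start:n_end], "big")
    exponent = int.from_bytes(der[e_start:e_end], "big")
    return modulus.bit_length(), exponent


def ssh_key_assessment(modulus_bits: int, minimum_bits: int = 2048) -> str:
    """Apply the workbook's SSHv2 threshold (768 bits) and an assumed policy minimum."""
    if modulus_bits < 768:
        return "too small for SSH version 2 on IOS (below 768 bits)"
    if modulus_bits < minimum_bits:
        return f"SSHv2-capable but below the {minimum_bits}-bit policy minimum"
    return "meets policy"


# Key Data blocks copied from R2's show crypto key mypubkey rsa output in this lab.
GENERAL_PURPOSE_KEY = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D88535
103B402F 02457881 F2B3B180 BFA21114 F4634742 E4C3BF6A E2773737 A67711BB
D9EBAC0C 2D9BC830 390EE1B1 142DE7EB 4C311BD8 F594ACA3 6D01DD3B 2907287D
EA4A88DB 3F469F16 CE5DAD2C EE09BE62 926F54BF 8F7CA0A4 4DB7D1BE 75C47005
EC87D978 121CC0E1 60443F13 8B7D5926 4CEE38C0 A9AE187C FE8E894A 41020301
0001
"""

SERVER_KEY = """
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A4BC70 C60B88ED
FF0B1BF1 9FB8BF60 7482EA1B A232E5F7 F7AD4B45 11395F68 811E51D3 85ED069E
9A5AC613 D3477A2F 75166C7F 5B89FA3D AF156DFF 05856C97 C4B70ED6 5C1551E6
E1B42C5D A6EB66D1 878F492F 872CFB6C 76430FE9 5A9E2E61 07020301 0001
"""

if __name__ == "__main__":
    for name, blob in (("R2.networkexperttraining.com", GENERAL_PURPOSE_KEY),
                       ("R2.networkexperttraining.com.server", SERVER_KEY)):
        bits, e = rsa_public_key_from_ios_hex(blob)
        print(f"{name}: {bits}-bit modulus, e={e}: {ssh_key_assessment(bits)}")
```

Run against the two blobs, the general-purpose key decodes as a 1024-bit modulus and the temporary server key as 768 bits, both with exponent 65537. Both clear the 768-bit bar the workbook states for SSH version 2; neither meets a 2048-bit minimum, which is the check an auditor would add today before accepting a router's host key.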

Task 4:
R1:
R1#conf t
R1(config)#ip ssh source-interface loopback 0

Verification:

As shown in the outputs of the show users and show ssh commands on R2, R1 has initiated an
SSH session to R2 using its loopback0 IP address.

R2:
R2#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
98 vty 0 ssh_user idle 00:00:19 1.1.1.1

R2#show ssh
Connection Version Mode Encryption Hmac State Username
98 2.0 IN aes128-cbc hmac-sha1 Session started ssh_user
98 2.0 OUT aes128-cbc hmac-sha1 Session started ssh_user
%No SSHv1 server connections running.

V. Links:
For more information about the related VTY line commands, use the following links:
1. access-class
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_a1g.html#wp1083361
2. crypto key generate rsa
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_c2g.html#wp1104892
3. ip domain-name
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1081400
4. ip ssh
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_i1g.html#wp1110109
5. ip ssh source-interface
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_i1g.html#wp1110445
6. login
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_l1g.html#wp998262
7. show crypto key mypubkey rsa
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_s1g.html#wp1100280
8. show hosts
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_s1g.html#wp1079234
9. show ip ssh
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_s1g.html#wp1070647
10. show line
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_l1g.html#wp1039571
11. show sessions
http://www.cisco.com/en/US/docs/ios/12_3/dial/command/reference/dia_s5g.html#wp998201
12. show ssh
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_s1g.html#wp1071692
13. show users
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_l1g.html#wp1000969
14. telnet
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_s1g.html#wp998287
15. transport input
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_t1g.html#wp1083564
16. transport output
http://www.cisco.com/en/US/docs/ios/12_3/termserv/command/reference/ter_t1g.html#wp1083654

LAB 4: STATIC NAT

I. Network diagram:

II. Initial Configuration:


ISP:
hostname ISP
!
interface Loopback0
ip address 12.12.12.12 255.255.255.0
!
interface fastethernet0/0
ip address 196.12.12.2 255.255.255.0
no shutdown
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
!
end
R1:
hostname R1
!
!
!
interface fastethernet 0/0
ip address 196.12.12.1 255.255.255.0
no shutdown
!
interface Serial 1/0
ip address 172.19.1.1 255.255.255.0
clock rate 2000000
no shutdown
!
interface fastethernet 0/1
ip address 10.1.2.1 255.255.255.0
no shutdown
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
!
!
end
R2:
hostname R2
!
interface Serial 0/0
ip address 172.19.1.2 255.255.255.0
no shutdown
!
!
ip route 0.0.0.0 0.0.0.0 s0/0
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
!
!
end

III. Tasks:
1. Configure R1 so that traffic destined for networks beyond the router ISP (for example ISP's
loopback 12.12.12.0/24) is forwarded to ISP.
2. Configure R1 to map the private IP address of PC1 (10.1.2.2) to the public IP address
196.12.12.3.
3. Configure R1 to map the address of R2's serial interface (172.19.1.2) to the public IP
address 196.12.12.10.

IV. Solutions:
Task 1:

R1:
R1#configure terminal
R1(config)#ip route 0.0.0.0 0.0.0.0 f0/0

Or

R1#configure terminal
R1(config)#ip route 0.0.0.0 0.0.0.0 196.12.12.2

Verification:

R1:
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    196.12.12.0/24 is directly connected, FastEthernet0/0
     172.19.0.0/24 is subnetted, 1 subnets
C       172.19.1.0 is directly connected, Serial1/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.2.0 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 is directly connected, FastEthernet0/0

R1#ping 12.12.12.12

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 12.12.12.12, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/99/252 ms

Task 2:
Static NAT maps one private (inside local) IP address to one registered (inside global) IP
address. Static NAT translations never time out; they are removed only with the
no ip nat inside source static command.
By configuring a static NAT entry you reserve one global IP address for one private IP
address, so the same global IP address cannot be used in more than one static NAT entry.
Because the mapping is permanent and works in both directions, the inside host becomes
reachable from the outside at its global address for any protocol and port: the ping from ISP
to 196.12.12.3 below reaches 10.1.2.2 without the inside host having sent anything first. In
a production network, pair a static entry with an access list on the outside interface that
permits only the services the host is meant to expose.

To configure a static NAT entry, follow these steps:

Step 1: Map the private IP address to the global IP address using the ip nat inside source
static command.
Step 2: Define the inside interface(s) using the ip nat inside interface command.
Step 3: Define the outside interface(s) using the ip nat outside interface command.

So the configuration will look like:


R1#configure terminal
R1(config)#interface FastEthernet0/0
R1(config-if)#ip nat outside
R1(config-if)#interface FastEthernet0/1
R1(config-if)# ip nat inside
R1(config-if)#exit
R1(config)#ip nat inside source static 10.1.2.2 196.12.12.3
R1(config)#end
R1#

Verification:

R1:
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 196.12.12.3 10.1.2.2 --- ---

R1# (output of debug ip nat while PC1 pings 12.12.12.12)
*Mar 1 00:17:38.935: NAT*: i: icmp (10.1.2.2, 768) -> (12.12.12.12, 768) [12071]
*Mar 1 00:17:38.939: NAT*: i: icmp (10.1.2.2, 768) -> (12.12.12.12, 768) [12071]
*Mar 1 00:17:38.939: NAT*: s=10.1.2.2->196.12.12.3, d=12.12.12.12 [12071]
*Mar 1 00:17:39.107: NAT*: o: icmp (12.12.12.12, 768) -> (196.12.12.3, 768) [12071]
*Mar 1 00:17:39.107: NAT*: s=12.12.12.12, d=196.12.12.3->10.1.2.2 [12071]
*Mar 1 00:17:39.523: NAT*: i: icmp (10.1.2.2, 768) -> (12.12.12.12, 768) [12100]
*Mar 1 00:17:39.523: NAT*: s=10.1.2.2->196.12.12.3, d=12.12.12.12 [12100]
*Mar 1 00:17:39.587: NAT*: o: icmp (12.12.12.12, 768) -> (196.12.12.3, 768) [12100]
R1#
*Mar 1 00:17:39.587: NAT*: s=12.12.12.12, d=196.12.12.3->10.1.2.2 [12100]
R1#
*Mar 1 00:17:41.015: NAT*: i: icmp (10.1.2.2, 768) -> (12.12.12.12, 768) [12151]
*Mar 1 00:17:41.015: NAT*: s=10.1.2.2->196.12.12.3, d=12.12.12.12 [12151]
*Mar 1 00:17:41.131: NAT*: o: icmp (12.12.12.12, 768) -> (196.12.12.3, 768) [12151]
*Mar 1 00:17:41.131: NAT*: s=12.12.12.12, d=196.12.12.3->10.1.2.2 [12151]
R1#
*Mar 1 00:17:42.031: NAT*: i: icmp (10.1.2.2, 768) -> (12.12.12.12, 768) [12214]
*Mar 1 00:17:42.031: NAT*: s=10.1.2.2->196.12.12.3, d=12.12.12.12 [12214]
*Mar 1 00:17:42.099: NAT*: o: icmp (12.12.12.12, 768) -> (196.12.12.3, 768) [12214]
*Mar 1 00:17:42.099: NAT*: s=12.12.12.12, d=196.12.12.3->10.1.2.2 [12214]
R1#
*Mar 1 00:18:06.099: NAT: expiring 196.12.12.3 (10.1.2.2) icmp 2 (2)
R1#

ISP
ISP#ping 196.12.12.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 196.12.12.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/110/156 ms
ISP#

R1#
*Mar 1 00:20:31.735: NAT*: s=196.12.12.2, d=196.12.12.3->10.1.2.2 [14]
*Mar 1 00:20:31.787: NAT*: s=10.1.2.2->196.12.12.3, d=196.12.12.2 [19966]
*Mar 1 00:20:31.927: NAT*: s=196.12.12.2, d=196.12.12.3->10.1.2.2 [15]
*Mar 1 00:20:31.975: NAT*: s=10.1.2.2->196.12.12.3, d=196.12.12.2 [19981]
*Mar 1 00:20:32.047: NAT*: s=196.12.12.2, d=196.12.12.3->10.1.2.2 [16]
*Mar 1 00:20:32.103: NAT*: s=10.1.2.2->196.12.12.3, d=196.12.12.2 [19988]
*Mar 1 00:20:32.147: NAT*: s=196.12.12.2, d=196.12.12.3->10.1.2.2 [17]
*Mar 1 00:20:32.159: NAT*: s=10.1.2.2->196.12.12.3, d=196.12.12.2 [19998]
*Mar 1 00:20:32.187: NAT*: s=196.12.12.2, d=196.12.12.3->10.1.2.2 [18]
R1#
*Mar 1 00:20:32.259: NAT*: s=10.1.2.2->196.12.12.3, d=196.12.12.2 [20006]
R1#

Task 3:

R1:
R1#configure terminal
R1(config)#interface s1/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#ip nat inside source static 172.19.1.2 196.12.12.10
R1(config)#end
R1#

Verification:

R1:
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 196.12.12.3:768 10.1.2.2:768 12.12.12.12:768 12.12.12.12:768
--- 196.12.12.3 10.1.2.2 --- ---
--- 196.12.12.10 172.19.1.2 --- ---

R1# show ip nat statistics


Total active translations: 2 (2 static, 0 dynamic; 0 extended)
Outside interfaces:
FastEthernet0/0
Inside interfaces:
FastEthernet0/1, Serial1/0
Hits: 84 Misses: 0
CEF Translated packets: 84, CEF Punted packets: 0
Expired translations: 7
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0
R2:
R2#ping 12.12.12.12

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 12.12.12.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/181/228 ms
R2#
ISP:
ISP#ping 196.12.12.10

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 196.12.12.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/143/240 ms
ISP#

V. Links:
For more information about the commands used in the current lab, open the following links:
1. ip nat
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i2g.html#wp1078863
2. ip nat inside source
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i2g.html#wp1079180
3. show ip nat translations
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_s1g.html#wp1082204

LAB 5: DYNAMIC NAT

I. Network diagram:

II. Initial Configuration:


ISP:
hostname ISP
!
interface Loopback0
ip address 12.12.12.12 255.255.255.0
!
interface fastethernet0/0
ip address 196.12.12.2 255.255.255.0
!
line con 0
exec-timeout 0 0
logging synchronous
!
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
!
end
R1:
hostname R1
!
interface fastethernet 0/0
ip address 196.12.12.1 255.255.255.0
ip address 195.16.1.1 255.255.255.240 secondary
!
interface fastethernet 0/1
ip address 10.1.2.1 255.255.255.0
!
line con 0
exec-timeout 0 0
logging synchronous
!
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
!
end

III. Tasks:
1. Configure R1 to route all traffic destined to the Internet out of interface f0/0.
Additionally, configure a route on the router ISP so that it can reach the subnet 195.16.1.0/28.
2. PC1 through PC6 cannot access the Internet. Configure R1 to work around this situation,
using the pool of IP addresses 195.16.1.1 through 195.16.1.6.

IV. Solution
Task 1:

R1:
R1#configure terminal
R1(config)#ip route 0.0.0.0 0.0.0.0 196.12.12.2
R1(config)# end
R1#

ISP:
ISP#configure terminal
ISP(config)#ip route 195.16.1.0 255.255.255.240 196.12.12.1
ISP(config)# end
ISP#

Verification:

R1:
R1#show ip route static
S* 0.0.0.0/0 [1/0] via 196.12.12.2

R1#ping 12.12.12.12

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 12.12.12.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/107/168 ms
R1#
ISP:
ISP#show ip route static
195.16.1.0/28 is subnetted, 1 subnets
S 195.16.1.0 [1/0] via 196.12.12.1
ISP#

ISP#ping 195.16.1.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 195.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/87/144 ms
ISP#

Task 2:
Because the question dictates that the configuration must be done on R1, you cannot add a
route for 10.1.2.0/24 on the router ISP to accomplish this task. The only solution is to
configure dynamic NAT on R1 using the global IP addresses mentioned above.

Dynamic NAT creates a one-to-one mapping between an inside local IP address and an inside
global IP address, but unlike static NAT the mapping is created on demand. Each time the
router receives a packet that must be translated and whose source IP address is not already
in the NAT translation table, it takes a free address from a pre-configured pool of global IP
addresses, installs the mapping and forwards the packet with its source address translated.
If every address in the pool is in use, the router does not forward the packet and sends an
ICMP unreachable message back to the host that generated it. Dynamic entries are removed
after an idle timeout (24 hours by default), which returns the address to the pool; while an
entry exists, the inside host is reachable from the outside at its global address just as it
would be with a static entry.

Note that 195.16.1.1, the first address of the pool, is also R1's secondary address on f0/0
(which is what answered the ping from ISP in Task 1). In a production configuration, keep the
pool disjoint from the router's own interface addresses.

R1:
R1#configure terminal
R1(config)#ip nat pool NAT_POOL 195.16.1.1 195.16.1.6 netmask 255.255.255.240
R1(config)#
R1(config)#access-list 1 permit 10.1.2.0 0.0.0.255
R1(config)#
R1(config)#ip nat inside source list 1 pool NAT_POOL
R1(config)#
R1(config)#interface f0/0
R1(config-if)#ip nat outside
R1(config-if)#
R1(config-if)#interface f0/1
R1(config-if)#ip nat inside
R1(config-if)#^Z
R1#

Verification:
R1:
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 195.16.1.1 10.1.2.2 --- ---
--- 195.16.1.2 10.1.2.3 --- ---
--- 195.16.1.3 10.1.2.4 --- ---
--- 195.16.1.4 10.1.2.5 --- ---
--- 195.16.1.5 10.1.2.6 --- ---
--- 195.16.1.6 10.1.2.7 --- ---
R1#

V. Links
For more information about the commands used in the current lab, open the following links:
1. ip nat
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i2g.html#wp1078863
2. ip nat inside source
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i2g.html#wp1079180
3. ip nat pool
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i2g.html#wp1079697
4. show ip nat translations
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_s1g.html#wp1082204

LAB 6: PAT

I. Network diagram:

II. Initial Configuration:


ISP
hostname ISP
!
!
interface Loopback0
ip address 12.12.12.12 255.255.255.0
!
interface fastethernet0/0
ip address 196.12.12.2 255.255.255.0
no shutdown
!

!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
!
!
end

R1:
hostname R1
!
interface fastethernet 0/0
ip address 196.12.12.1 255.255.255.0
no shutdown
!
!
interface fastethernet 0/1
ip address 10.1.2.1 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 f0/0
!
line con 0
exec-timeout 0 0
logging synchronous

line aux 0
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
!
!
end

III. Tasks:
1. Configure R1 to map all private IP addresses to the F0/0’s IP address.

IV. Solutions:
Task 1:

One of the reasons to implement NAT is to slow down the depletion of public IPv4 addresses.
Static and dynamic NAT do not remedy this problem, because they still require as many
registered IP addresses as there are internal hosts needing Internet access at the same time.
PAT (NAT overload) translates all internal IP addresses to one or a few public IP addresses by
translating the source port together with the source address; the combination of global
address and port then identifies the inside host in the translation table. Because entries
are only created by outbound traffic, an unsolicited inbound connection to the overload
address finds no matching entry and is dropped. That is a useful side effect, not a substitute
for an access list on the outside interface.
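The translation mechanics described here, and in the static NAT (Lab 4, Task 2) and dynamic NAT (Lab 5, Task 2) explanations, as an added example that is not part of the original workbook: a Python model of the NAT table for the three modes. The NatRouter and Packet names are constructed for this example; it assumes a simplified router with no translation timeouts and uses the workbook's addresses as sample input. It shows what the labs' show commands only hint at: a static entry admits unsolicited inbound traffic, an exhausted dynamic pool refuses new inside hosts, and PAT only admits replies to ports it has allocated.

```python
"""Added example: a model of the three IOS NAT modes used in Labs 4, 5 and 6
(static NAT, dynamic NAT from a pool, PAT/overload). Constructed for
illustration; it is not IOS code and simplifies IOS behaviour (no timeouts,
no per-protocol port spaces)."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    sport: int = 0        # for ICMP this is the identifier (IOS shows it as a port)
    dport: int = 0


class NatRouter:
    """One router with ip nat inside/outside interfaces.

    inside_acl -- the network matched by the 'access-list 1 permit' line
    pool       -- inside global addresses of 'ip nat pool' (dynamic NAT)
    overload   -- address of the outside interface when 'overload' is used (PAT)
    """

    def __init__(self, inside_acl, pool=None, overload=None):
        self.inside_net = ipaddress.ip_network(inside_acl)
        self.static = {}                 # inside local -> inside global
        self.pool_free = list(pool or [])
        self.dynamic = {}                # inside local -> inside global
        self.overload = overload
        self.pat = {}                    # (local ip, local port) -> global port
        self.pat_rev = {}                # global port -> (local ip, local port)
        self.unreachable_sent = 0        # packets refused because the pool was empty

    def add_static(self, local, glob):
        """ip nat inside source static LOCAL GLOBAL: one global address per entry."""
        if glob in self.static.values():
            raise ValueError(f"{glob} is already reserved by another static entry")
        self.static[local] = glob

    def _alloc_port(self, wanted):
        # IOS keeps the original source port when it is free, else picks another one
        port = wanted if wanted not in self.pat_rev else 1024
        while port in self.pat_rev:
            port += 1
        return port

    def outbound(self, pkt):
        """Inside -> outside. Returns the translated packet, or None if dropped."""
        if pkt.src in self.static:                      # static entries win
            return replace(pkt, src=self.static[pkt.src])
        if ipaddress.ip_address(pkt.src) not in self.inside_net:
            return pkt                                  # not matched by the ACL: no NAT
        if self.overload:                               # PAT
            key = (pkt.src, pkt.sport)
            if key not in self.pat:
                gport = self._alloc_port(pkt.sport)
                self.pat[key] = gport
                self.pat_rev[gport] = key
            return replace(pkt, src=self.overload, sport=self.pat[key])
        if pkt.src not in self.dynamic:                 # dynamic NAT
            if not self.pool_free:
                self.unreachable_sent += 1              # pool exhausted: drop, ICMP back
                return None
            self.dynamic[pkt.src] = self.pool_free.pop(0)
        return replace(pkt, src=self.dynamic[pkt.src])

    def inbound(self, pkt):
        """Outside -> inside. Only packets matching an existing entry get through, so a
        static entry exposes its host while PAT admits only return traffic."""
        for table in (self.static, self.dynamic):
            for local, glob in table.items():
                if pkt.dst == glob:
                    return replace(pkt, dst=local)
        if pkt.dst == self.overload and pkt.dport in self.pat_rev:
            local, lport = self.pat_rev[pkt.dport]
            return replace(pkt, dst=local, dport=lport)
        return None


if __name__ == "__main__":
    # Lab 4: static entry, then an unsolicited ping from ISP reaches PC1
    r1 = NatRouter("10.1.2.0/24")
    r1.add_static("10.1.2.2", "196.12.12.3")
    print(r1.outbound(Packet("10.1.2.2", "12.12.12.12", sport=768)))
    print(r1.inbound(Packet("196.12.12.2", "196.12.12.3", sport=768)))
```

The sample calls use the workbook's addresses; the `unreachable_sent` counter stands in for the ICMP message IOS returns when the pool is empty.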

R1:
R1(config)#access-list 1 permit 10.1.2.0 0.0.0.255
R1(config)#
R1(config)#ip nat inside source list 1 interface FastEthernet0/0 overload
R1(config)#
R1(config)#int F0/0
R1(config-if)#ip nat outside
R1(config-if)#
R1(config-if)#interface f0/1
R1(config-if)#ip nat inside
R1(config-if)#^Z
R1#

Verification:
R1:
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 196.12.12.1:768 10.1.2.2:768 12.12.12.12:768 12.12.12.12:768
R1#

V. Links:
For more information about the commands used in the current lab, open the following links:
1. ip nat
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i2g.html#wp1078863
2. ip nat inside source
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i2g.html#wp1079180
3. show ip nat translations
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_s1g.html#wp1082204

LAB 7: DHCP

I. Network diagram:

II. Initial Configuration:

R1:
hostname R1
!
interface serial 0/0
encapsulation ppp
ip address 173.2.13.1 255.255.255.0
!
router eigrp 123
network 173.2.0.0
!
!
line con 0
exec-timeout 0 0
logging synchronous
!
line vty 0 4
exec-timeout 0 0
logging synchronous
password cisco
login
!
end

R2:
hostname R2
!
interface fastethernet 0/0
ip address 173.2.23.2 255.255.255.0
!
interface fastethernet 0/1
ip address 173.2.2.2 255.255.255.0
!
router eigrp 123
network 173.2.0.0
!
line con 0
exec-timeout 0 0
logging synchronous
!
line vty 0 4
exec-timeout 0 0

logging synchronous
password cisco
login
!
end

R3:
hostname R3
!
interface fastethernet 0/0
ip address 173.2.23.3 255.255.255.0
!
interface fastethernet 0/1
ip address 173.2.3.3 255.255.255.0
!
interface serial 1/0
encapsulation ppp
ip address 173.2.13.3 255.255.255.0
!
router eigrp 123
network 173.2.0.0
!
line con 0
exec-timeout 0 0
logging synchronous
!
line vty 0 4
exec-timeout 0 0
logging synchronous
password cisco
login
!
end

III. Tasks:
1. Configure the DHCP service on R1 to supply the dynamic configuration. Create two DHCP
pools using the following parameters:

First DHCP Pool:


Name : R2_Pool
IP addressing space : 173.2.2.0/24
Default gateway : 173.2.2.2
Excluded address : 173.2.2.2

Second DHCP Pool:


Name : R3_Pool
IP addressing space : 173.2.3.0/24
Default gateway : 173.2.3.3
Excluded address : 173.2.3.3
2. Configure R2 and R3 to forward DHCP requests received from PC2 and PC1 respectively
to R1.

IV. Solutions:

Task 1:
The DHCP service is enabled by default. You can verify this by using the show udp
command in privileged EXEC mode. In this task, you have to configure two DHCP pools
and exclude two IP addresses (the default gateways) from being assigned by the DHCP server.
To configure a DHCP pool, use the ip dhcp pool command in global configuration mode. To
exclude an IP address from being assigned, use the ip dhcp excluded-address command in
global configuration mode; excluded addresses are configured globally, not per pool.
R1:
R1#conf t
R1(config)#ip dhcp pool R2_PooL
R1(dhcp-config)# network 173.2.2.0 /24
R1(dhcp-config)# default-router 173.2.2.2
R1(dhcp-config)#
R1(dhcp-config)#ip dhcp pool R3_PooL
R1(dhcp-config)# network 173.2.3.0 /24
R1(dhcp-config)# default-router 173.2.3.3
R1(dhcp-config)#
R1(dhcp-config)#ip dhcp excluded-address 173.2.2.2
R1(config)#ip dhcp excluded-address 173.2.3.3
R1(config)#end
R1#

Verification:
R1:
R1#show ip dhcp pool

Pool R2_PooL :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 0
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 173.2.2.1            173.2.2.1        - 173.2.2.254       0

Pool R3_PooL :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 0
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 173.2.3.1            173.2.3.1        - 173.2.3.254       0

Task 2:

DHCP requests are sent to the broadcast IP address 255.255.255.255, so R2 and R3 will not
forward them to R1 because Cisco routers do not forward IP broadcasts by default.
To circumvent this, configure R2 and R3 to relay DHCP requests to R1 as unicast IP packets.
The relay writes the IP address of the interface on which the request was received into the
relay agent address (giaddr) field and uses it as the source of the unicast request sent to
the server. The DHCP server uses that address to choose the pool whose network contains it.
As a result, PC1 is configured from the pool named R3_Pool and PC2 from the pool named
R2_Pool.

To accomplish this task, use the ip helper-address command in interface configuration mode.
Be aware that ip helper-address does not relay DHCP only: by default it also forwards
broadcasts for TFTP (69), DNS (53), Time (37), NetBIOS name and datagram services (137, 138),
TACACS (49) and BOOTP (67, 68). If the helper address is meant for DHCP only, disable the
other ports with no ip forward-protocol udp <port>, so that the relay does not become a
path for other broadcast traffic toward R1.
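The relay and pool-selection behaviour described in this task, together with the pool and excluded-address configuration of Task 1, as an added example that is not part of the original workbook: a Python model of the relay agent and of the server's pool selection by giaddr. The Datagram, relay, Pool, DhcpServer and lab7_server names are constructed for this example; the relayed UDP port list is the IOS ip forward-protocol udp default. It assumes a simplified exchange (a DISCOVER and the address the server would offer) and uses the workbook's pools, exclusions and MAC addresses as sample input.

```python
"""Added example: a model of Lab 7's relay agent (ip helper-address) and of the
DHCP server's pool selection by giaddr. Constructed for illustration; it is not
IOS code and omits leases, OFFER/REQUEST/ACK and the server's conflict ping."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# UDP ports an IOS ip helper-address relays by default (ip forward-protocol udp):
# Time, TACACS, DNS, BOOTP server/client, TFTP, NetBIOS name/datagram services
DEFAULT_FORWARDED_UDP = {37, 49, 53, 67, 68, 69, 137, 138}


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    dport: int
    payload: dict          # the DHCP fields we model: chaddr, giaddr


def relay(dg: Datagram, ingress_ip: str, helper: str,
          forwarded=DEFAULT_FORWARDED_UDP) -> Optional[Datagram]:
    """What R2/R3 do with a broadcast received on an interface that carries
    'ip helper-address HELPER': re-send it as unicast to HELPER, sourced from the
    ingress interface. For DHCP (port 67) the relay also fills giaddr with the
    ingress interface address, which is what the server selects the pool on."""
    if dg.dst != "255.255.255.255" or dg.dport not in forwarded:
        return None                                   # not relayed
    payload = dict(dg.payload)
    if dg.dport == 67 and not payload.get("giaddr"):
        payload["giaddr"] = ingress_ip
    return Datagram(src=ingress_ip, dst=helper, dport=dg.dport, payload=payload)


@dataclass
class Pool:
    name: str
    network: str            # 'network A.B.C.D /len' in dhcp-config mode
    default_router: str


@dataclass
class DhcpServer:
    pools: list
    excluded: set = field(default_factory=set)       # ip dhcp excluded-address
    bindings: dict = field(default_factory=dict)     # chaddr -> assigned address

    def select_pool(self, giaddr: str) -> Optional[Pool]:
        """IOS uses the pool whose network contains giaddr (or the receiving
        interface address when the client is directly connected)."""
        addr = ipaddress.ip_address(giaddr)
        for pool in self.pools:
            if addr in ipaddress.ip_network(pool.network):
                return pool
        return None

    def handle_discover(self, dg: Datagram, received_on: str):
        """Return (address, pool name) to offer, or None if no pool matches giaddr
        or the matching pool has no free address left."""
        chaddr = dg.payload["chaddr"]
        giaddr = dg.payload.get("giaddr") or received_on
        pool = self.select_pool(giaddr)
        if pool is None:
            return None
        if chaddr in self.bindings:                   # existing binding is reused
            return self.bindings[chaddr], pool.name
        in_use = set(self.bindings.values())
        for host in ipaddress.ip_network(pool.network).hosts():
            ip = str(host)
            if ip in self.excluded or ip in in_use:
                continue
            self.bindings[chaddr] = ip
            return ip, pool.name
        return None


def lab7_server() -> DhcpServer:
    """R1 as configured in Task 1 of this lab."""
    return DhcpServer(
        pools=[Pool("R2_Pool", "173.2.2.0/24", "173.2.2.2"),
               Pool("R3_Pool", "173.2.3.0/24", "173.2.3.3")],
        excluded={"173.2.2.2", "173.2.3.3"},
    )


if __name__ == "__main__":
    server = lab7_server()
    # PC2's DISCOVER arrives on R2 f0/1 (173.2.2.2) and is relayed to R1 (173.2.13.1)
    discover = Datagram("0.0.0.0", "255.255.255.255", 67, {"chaddr": "0200.4c4f.4f50"})
    relayed = relay(discover, "173.2.2.2", "173.2.13.1")
    print(relayed.payload["giaddr"], server.handle_discover(relayed, "173.2.13.1"))
```

A DISCOVER relayed from the 173.2.13.0/24 link finds no pool and is ignored, and a broadcast to a port outside the default list is not relayed at all; both cases are worth checking on a real relay before trusting it.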

R2:
R2# configure terminal
R2(config)#interface f0/1
R2(config-if)#ip helper-address 173.2.13.1
R2(config-if)#end
R2#
R3:
R3# configure terminal
R3(config)#interface f0/1
R3(config-if)#ip helper-address 173.2.13.1
R3(config-if)#end
R3#

Verification:
R1:
R1#debug ip dhcp server events
*Mar 1 00:04:55.291: DHCPD: Sending notification of DISCOVER:
*Mar 1 00:04:55.291: DHCPD: htype 1 chaddr 0200.4c4f.4f50
*Mar 1 00:04:55.295: DHCPD: circuit id 00000000
*Mar 1 00:04:55.295: DHCPD: Seeing if there is an internally specified pool class:
*Mar 1 00:04:55.299: DHCPD: htype 1 chaddr 0200.4c4f.4f50
*Mar 1 00:04:55.299: DHCPD: circuit id 00000000
R1#
*Mar 1 00:04:57.303: DHCPD: Adding binding to radix tree (173.2.2.1)
*Mar 1 00:04:57.303: DHCPD: Adding binding to hash tree
*Mar 1 00:04:57.307: DHCPD: assigned IP address 173.2.2.1 to client
0102.004c.4f4f.50.
*Mar 1 00:04:57.651: DHCPD: Sending notification of ASSIGNMENT:
*Mar 1 00:04:57.655: DHCPD: address 173.2.2.1 mask 255.255.255.0
*Mar 1 00:04:57.655: DHCPD: htype 1 chaddr 0200.4c4f.4f50
*Mar 1 00:04:57.659: DHCPD: lease time remaining (secs) = 86400
R1#
*Mar 1 00:06:25.731: DHCPD: checking for expired leases.
R1#
*Mar 1 00:07:19.011: DHCPD: Sending notification of DISCOVER:
*Mar 1 00:07:19.015: DHCPD: htype 1 chaddr 0050.56c0.0001
*Mar 1 00:07:19.015: DHCPD: circuit id 00000000
*Mar 1 00:07:19.019: DHCPD: Seeing if there is an internally specified pool class:
*Mar 1 00:07:19.019: DHCPD: htype 1 chaddr 0050.56c0.0001
*Mar 1 00:07:19.023: DHCPD: circuit id 00000000
R1#
*Mar 1 00:07:21.027: DHCPD: Adding binding to radix tree (173.2.3.1)
*Mar 1 00:07:21.031: DHCPD: Adding binding to hash tree
*Mar 1 00:07:21.031: DHCPD: assigned IP address 173.2.3.1 to client
0100.5056.c000.01.
*Mar 1 00:07:21.683: DHCPD: Sending notification of ASSIGNMENT:
*Mar 1 00:07:21.687: DHCPD: address 173.2.3.1 mask 255.255.255.0
*Mar 1 00:07:21.687: DHCPD: htype 1 chaddr 0050.56c0.0001
*Mar 1 00:07:21.691: DHCPD: lease time remaining (secs) = 86400

R1#show ip dhcp binding


Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
173.2.2.1 0102.004c.4f4f.50 Mar 02 2002 12:04 AM Automatic
173.2.3.1 0100.5056.c000.01 Mar 02 2002 12:07 AM Automatic

R2:
R2#show ip interface fastethernet 0/1
FastEthernet0/1 is up, line protocol is up
Internet address is 173.2.2.2/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is 173.2.13.1
Directed broadcast forwarding is disabled
<omitted output>

R3:
R3# show ip interface fastethernet 0/1
FastEthernet0/1 is up, line protocol is up
Internet address is 173.2.3.3/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is 173.2.13.1
Directed broadcast forwarding is disabled

PC1:
ipconfig command output:

Route print command output:

PC2:
ipconfig command output:

Route print command output:

V. Links
For more information about the commands used in the current lab, open the following links:
1. ip dhcp excluded-address
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1080791
2. ip dhcp pool
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1080966
3. ip helper-address
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1084408
4. show ip dhcp pool
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_s1g.html#wp1096976
5. show ip interface
http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_s1g.html#wp1096472
