
HELP with ACL and PAT

Good evening all, I need help. I'm trying to deny the Manchester site from talking to the ISP and disable PAT on its addresses. The site itself can still talk to Cambridge and London but not the ISP. Of course it can be done by not defining a default route on the Manchester router, but it needs to be done using an ACL. I tried lots of options. Please see the graph and full network settings:

Accepted Solution

Hello,

 

here are the working configs for your routers (changes/additions marked in bold). I took the static routes out, for the sake of simplicity. The main problem was a missing 'ip nat inside' interface on one of the serials of the Cambridge router. Also, in order to block ICMP, in Packet Tracer you apparently have to explicitly specify it...

 

ManchesterR

 

Current configuration : 1674 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ManchesterR
!
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.4.1
ip dhcp excluded-address 192.168.8.1
!
ip dhcp pool Finance
network 192.168.0.0 255.255.252.0
default-router 192.168.0.1
ip dhcp pool Support
network 192.168.4.0 255.255.252.0
default-router 192.168.4.1
ip dhcp pool ExternalSales
network 192.168.8.0 255.255.252.0
default-router 192.168.8.1
!
no ip cef
no ipv6 cef
!
license udi pid CISCO2901/K9 sn FTX1524X76P-
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.0.1 255.255.252.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.4.1 255.255.252.0
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.8.1 255.255.252.0
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 172.16.3.2 255.255.255.252
clock rate 2000000
!
interface Serial0/0/1
ip address 172.16.2.2 255.255.255.252
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router ospf 10
router-id 3.3.3.3
log-adjacency-changes
network 172.16.2.0 0.0.0.3 area 0
network 172.16.3.0 0.0.0.3 area 0
network 192.168.0.0 0.0.3.255 area 0
network 192.168.4.0 0.0.3.255 area 0
network 192.168.8.0 0.0.3.255 area 0
!
ip classless
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end

 

CambridgeR

 

Current configuration : 2627 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname CambridgeR
!
ip dhcp excluded-address 192.168.18.1
ip dhcp excluded-address 192.168.19.1
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool Support
network 192.168.19.0 255.255.255.0
default-router 192.168.19.1
ip dhcp pool ExternalSales
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
ip dhcp pool Finance
network 192.168.18.0 255.255.255.0
default-router 192.168.18.1
!
no ip cef
no ipv6 cef
!
license udi pid CISCO2901/K9 sn FTX1524N3GZ-
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.18.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.19.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.20.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 200.0.113.1 255.255.255.240
ip access-group 101 in
ip nat outside
duplex auto
speed auto
!
interface Serial0/0/0
ip address 172.16.1.2 255.255.255.252
ip nat inside
!
interface Serial0/0/1
ip address 172.16.3.1 255.255.255.252
ip nat inside
!
interface Vlan1
no ip address
shutdown
!
router ospf 10
router-id 2.2.2.2
log-adjacency-changes
network 192.168.18.0 0.0.0.255 area 0
network 192.168.19.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.3 area 0
network 172.16.3.0 0.0.0.3 area 0
network 172.16.10.0 0.0.0.3 area 0
network 200.0.113.0 0.0.0.15 area 0
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip classless
!
ip flow-export version 9
!
access-list 1 permit 192.168.0.0 0.0.3.255
access-list 1 permit 192.168.4.0 0.0.3.255
access-list 1 permit 192.168.8.0 0.0.3.255
access-list 1 permit 192.168.18.0 0.0.0.255
access-list 1 permit 192.168.19.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.12.0 0.0.1.255
access-list 1 permit 192.168.14.0 0.0.1.255
access-list 1 permit 192.168.16.0 0.0.1.255
!
access-list 101 deny icmp 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny icmp 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny icmp 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end


LondonR

Current configuration : 1665 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname LondonR
!
ip dhcp excluded-address 192.168.12.1
ip dhcp excluded-address 192.168.14.1
ip dhcp excluded-address 192.168.16.1
!
ip dhcp pool Finance
network 192.168.12.0 255.255.254.0
default-router 192.168.12.1
ip dhcp pool Support
network 192.168.14.0 255.255.254.0
default-router 192.168.14.1
ip dhcp pool ExternalSales
network 192.168.16.0 255.255.254.0
default-router 192.168.16.1
!
no ip cef
no ipv6 cef
!
license udi pid CISCO2901/K9 sn FTX1524K05Q-
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.12.1 255.255.254.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.14.1 255.255.254.0
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.16.1 255.255.254.0
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 172.16.1.1 255.255.255.252
clock rate 2000000
!
interface Serial0/0/1
ip address 172.16.2.1 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
router ospf 10
router-id 1.1.1.1
log-adjacency-changes
network 192.168.12.0 0.0.1.255 area 0
network 192.168.14.0 0.0.1.255 area 0
network 192.168.16.0 0.0.1.255 area 0
network 172.16.2.0 0.0.0.3 area 0
network 172.16.1.0 0.0.0.3 area 0
!
ip classless
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end

 

ISP

 

version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ISP
!
ip cef
no ipv6 cef
!
license udi pid CISCO2901/K9 sn FTX1524S463-
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface GigabitEthernet0/1
ip address 200.0.113.2 255.255.255.240
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 200.0.113.1
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
login

28 Replies

Hello,

 

post the zipped .pkt file...

Hello,

 

it is unclear what you are trying to accomplish. Which IP addresses is the Manchester site not supposed to talk to ?

Hello,

 

on the Cambridge router, add the access list below and apply it to the interface going towards the ISP:

 

access-list 101 deny ip 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 permit ip any any
!
interface GigabitEthernet0/1
ip address 200.0.113.1 255.255.255.240
ip nat outside
ip access-group 101 in
duplex auto

Manchester can still talk to the ISP, unfortunately. PAT is also only increasing misses, no hits.

Hello,

 

can you post the traceroute results from a client on the Manchester network towards the ISP ?

Tracing route to 200.0.113.2 over a maximum of 30 hops:

1 0 ms 0 ms 0 ms 192.168.0.1
2 0 ms 0 ms 0 ms 172.16.3.1
3 30 ms 1 ms 0 ms 200.0.113.2

Trace complete.

ACL doesn't seem to work

Hello,

 

the access list should block this. Post the full configuration of the Cambridge router with the access list applied...

any of these does the blocking: 

ip access-list standard Deny-Manchester
remark Allow traffic from 192.168.18.0/24
permit 192.168.18.0 0.0.0.255
remark Allow traffic from 192.168.19.0/24
permit 192.168.19.0 0.0.0.255
remark Allow traffic from 192.168.20.0/24
permit 192.168.20.0 0.0.0.255
remark Allow traffic from 192.168.12.0/23
permit 192.168.12.0 0.0.1.255
remark Allow traffic from 192.168.14.0/23
permit 192.168.14.0 0.0.1.255
remark Allow traffic from 192.168.16.0/23
permit 192.168.16.0 0.0.1.255
remark Do not allow traffic from 192.168.0.0/22
deny 192.168.0.0 0.0.3.255
remark Do not allow traffic from 192.168.4.0/22
deny 192.168.4.0 0.0.3.255
remark Do not allow traffic from 192.168.8.0/22
deny 192.168.8.0 0.0.3.255

access-list 1 permit 192.168.18.0 0.0.0.255
access-list 1 permit 192.168.19.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.12.0 0.0.1.255
access-list 1 permit 192.168.14.0 0.0.1.255
access-list 1 permit 192.168.16.0 0.0.1.255

access-list 101 deny ip 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 permit ip any any
!
interface GigabitEthernet0/1
ip address 200.0.113.1 255.255.255.240
ip nat outside
ip access-group 101 in
duplex auto

 

The problem starts when it comes to PAT, as when any access list is applied the PAT does not translate any addresses. It's like I can't have PAT and ACL on the same interface.

Here is the config:

Building configuration...

Current configuration : 3768 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
security passwords min-length 8
!
hostname CambridgeR
!
login block-for 100 attempts 3 within 100
!
!
enable secret 5 $1$mERr$UNr.E/7yZJIkFYsWULMer0
!
!
ip dhcp excluded-address 192.168.18.1
ip dhcp excluded-address 192.168.19.1
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool Support
network 192.168.19.0 255.255.255.0
default-router 192.168.19.1
ip dhcp pool ExternalSales
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
ip dhcp pool Finance
network 192.168.18.0 255.255.255.0
default-router 192.168.18.1
!
!
!
ip cef
no ipv6 cef
!
!
!
username manager password 7 08027E1E3C2D202532
!
!
license udi pid CISCO2901/K9 sn FTX1524WDFG-
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.18.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.19.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.20.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 200.0.113.1 255.255.255.240
ip nat outside
duplex auto
speed auto
!
interface Serial0/0/0
ip address 172.16.1.2 255.255.255.252
ip nat inside
!
interface Serial0/0/1
ip address 172.16.3.1 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
router ospf 10
router-id 2.2.2.2
log-adjacency-changes
network 192.168.18.0 0.0.0.255 area 0
network 192.168.19.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.3 area 0
network 172.16.3.0 0.0.0.3 area 0
network 172.16.10.0 0.0.0.3 area 0
!
router rip
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip classless
ip route 192.168.12.0 255.255.254.0 172.16.1.1
ip route 192.168.14.0 255.255.254.0 172.16.1.1
ip route 192.168.16.0 255.255.254.0 172.16.1.1
ip route 192.168.0.0 255.255.252.0 172.16.3.2
ip route 192.168.4.0 255.255.252.0 172.16.3.2
ip route 192.168.8.0 255.255.252.0 172.16.3.2
ip route 0.0.0.0 0.0.0.0 200.0.113.2
!
ip flow-export version 9
!
!
ip access-list extended sl_def_acl
deny tcp any any eq telnet
deny tcp any any eq www
deny tcp any any eq 22
permit tcp any any eq 22
ip access-list standard Deny-Manchester
remark Allow traffic from 192.168.18.0/24
permit 192.168.18.0 0.0.0.255
remark Allow traffic from 192.168.19.0/24
permit 192.168.19.0 0.0.0.255
remark Allow traffic from 192.168.20.0/24
permit 192.168.20.0 0.0.0.255
remark Allow traffic from 192.168.12.0/23
permit 192.168.12.0 0.0.1.255
remark Allow traffic from 192.168.14.0/23
permit 192.168.14.0 0.0.1.255
remark Allow traffic from 192.168.16.0/23
permit 192.168.16.0 0.0.1.255
remark Do not allow traffic from 192.168.0.0/22
deny 192.168.0.0 0.0.3.255
remark Do not allow traffic from 192.168.4.0/22
deny 192.168.4.0 0.0.3.255
remark Do not allow traffic from 192.168.8.0/22
deny 192.168.8.0 0.0.3.255
access-list 1 permit 192.168.18.0 0.0.0.255
access-list 1 permit 192.168.19.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.12.0 0.0.1.255
access-list 1 permit 192.168.14.0 0.0.1.255
access-list 1 permit 192.168.16.0 0.0.1.255
!
banner motd ^C!!! Unauthorised access or use of this equipment is prohibited.If you are not authorised to access this system, terminate this session immediately otherwise the legal action can be taken against you. !!!^C
!
!
!
!
!
line con 0
exec-timeout 5 20
login local
!
line aux 0
exec-timeout 5 20
login local
!
line vty 0 4
exec-timeout 5 20
login local
!
!
!
end

 

 

CambridgeR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CambridgeR(config)#access-list 101 deny ip 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
CambridgeR(config)#access-list 101 deny ip 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
CambridgeR(config)#access-list 101 deny ip 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
CambridgeR(config)#access-list 101 permit ip any any
CambridgeR(config)#!
CambridgeR(config)#interface GigabitEthernet0/1
CambridgeR(config-if)#ip address 200.0.113.1 255.255.255.240
CambridgeR(config-if)#ip nat outside
CambridgeR(config-if)#ip access-group 101 in
CambridgeR(config-if)#duplex auto
CambridgeR(config-if)#do show run
Building configuration...

Current configuration : 4027 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
security passwords min-length 8
!
hostname CambridgeR
!
login block-for 100 attempts 3 within 100
!
!
enable secret 5 $1$mERr$UNr.E/7yZJIkFYsWULMer0
!
!
ip dhcp excluded-address 192.168.18.1
ip dhcp excluded-address 192.168.19.1
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool Support
network 192.168.19.0 255.255.255.0
default-router 192.168.19.1
ip dhcp pool ExternalSales
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
ip dhcp pool Finance
network 192.168.18.0 255.255.255.0
default-router 192.168.18.1
!
!
!
ip cef
no ipv6 cef
!
!
!
username manager password 7 08027E1E3C2D202532
!
!
license udi pid CISCO2901/K9 sn FTX1524WDFG-
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.18.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.19.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.20.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address 200.0.113.1 255.255.255.240
ip access-group 101 in
ip nat outside
duplex auto
speed auto
!
interface Serial0/0/0
ip address 172.16.1.2 255.255.255.252
ip nat inside
!
interface Serial0/0/1
ip address 172.16.3.1 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
router ospf 10
router-id 2.2.2.2
log-adjacency-changes
network 192.168.18.0 0.0.0.255 area 0
network 192.168.19.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 172.16.1.0 0.0.0.3 area 0
network 172.16.3.0 0.0.0.3 area 0
network 172.16.10.0 0.0.0.3 area 0
!
router rip
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip classless
ip route 192.168.12.0 255.255.254.0 172.16.1.1
ip route 192.168.14.0 255.255.254.0 172.16.1.1
ip route 192.168.16.0 255.255.254.0 172.16.1.1
ip route 192.168.0.0 255.255.252.0 172.16.3.2
ip route 192.168.4.0 255.255.252.0 172.16.3.2
ip route 192.168.8.0 255.255.252.0 172.16.3.2
ip route 0.0.0.0 0.0.0.0 200.0.113.2
!
ip flow-export version 9
!
!
ip access-list extended sl_def_acl
deny tcp any any eq telnet
deny tcp any any eq www
deny tcp any any eq 22
permit tcp any any eq 22
ip access-list standard Deny-Manchester
remark Allow traffic from 192.168.18.0/24
permit 192.168.18.0 0.0.0.255
remark Allow traffic from 192.168.19.0/24
permit 192.168.19.0 0.0.0.255
remark Allow traffic from 192.168.20.0/24
permit 192.168.20.0 0.0.0.255
remark Allow traffic from 192.168.12.0/23
permit 192.168.12.0 0.0.1.255
remark Allow traffic from 192.168.14.0/23
permit 192.168.14.0 0.0.1.255
remark Allow traffic from 192.168.16.0/23
permit 192.168.16.0 0.0.1.255
remark Do not allow traffic from 192.168.0.0/22
deny 192.168.0.0 0.0.3.255
remark Do not allow traffic from 192.168.4.0/22
deny 192.168.4.0 0.0.3.255
remark Do not allow traffic from 192.168.8.0/22
deny 192.168.8.0 0.0.3.255
access-list 1 permit 192.168.18.0 0.0.0.255
access-list 1 permit 192.168.19.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.12.0 0.0.1.255
access-list 1 permit 192.168.14.0 0.0.1.255
access-list 1 permit 192.168.16.0 0.0.1.255
access-list 101 deny ip 192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 deny ip 192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15
access-list 101 permit ip any any
!
banner motd ^C!!! Unauthorised access or use of this equipment is prohibited.If you are not authorised to access this system, terminate this session immediately otherwise the legal action can be taken against you. !!!^C
!
!
!
!
!
line con 0
exec-timeout 5 20
login local
!
line aux 0
exec-timeout 5 20
login local
!
line vty 0 4
exec-timeout 5 20
login local
--More--

Hello,

 

this is getting a bit confusing. The networks you are blocking:

 

192.168.0.0 0.0.3.255 200.0.113.0 0.0.0.15
192.168.4.0 0.0.3.255 200.0.113.0 0.0.0.15
192.168.8.0 0.0.3.255 200.0.113.0 0.0.0.15

 

are not being translated because you did not specify them in access list 1 (which determines the NAT sources)...

 

Anyone?

 

Working file attached...
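
The packet path through CambridgeR discussed in this thread, as an added example that is not part of any post: a small Python model of where an inbound ACL is evaluated and when PAT applies, using the access-list 101 and access-list 1 entries posted above. The host address 192.168.0.10, the `forward` model and the variant that binds ACL 101 on Serial0/0/1 are assumptions for illustration; standard IOS first-match and implicit-deny behaviour is assumed, and Packet Tracer itself is not modelled.

```python
import ipaddress
from dataclasses import dataclass

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(entries, src, dst):
    """Extended ACL, protocol treated as 'ip': first match wins, no match = implicit deny."""
    for action, s, sw, d, dw in entries:
        if wc_match(src, s, sw) and wc_match(dst, d, dw):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
ISP_NET = ("200.0.113.0", "0.0.0.15")
MANCHESTER = [("192.168.0.0", "0.0.3.255"), ("192.168.4.0", "0.0.3.255"),
              ("192.168.8.0", "0.0.3.255")]
OTHER_SITES = [("192.168.18.0", "0.0.0.255"), ("192.168.19.0", "0.0.0.255"),
               ("192.168.20.0", "0.0.0.255"), ("192.168.12.0", "0.0.1.255"),
               ("192.168.14.0", "0.0.1.255"), ("192.168.16.0", "0.0.1.255")]
# access-list 101 as posted in the thread (three denies, then permit ip any any)
ACL_101 = [("deny", *m, *ISP_NET) for m in MANCHESTER] + [("permit", *ANY, *ANY)]

@dataclass
class Router:
    nat_inside: set    # interfaces carrying 'ip nat inside'
    nat_outside: set   # interfaces carrying 'ip nat outside'
    nat_list: list     # sources permitted by 'access-list 1'
    acl_in: dict       # interface -> ACL bound with 'ip access-group ... in'

def forward(r, in_if, out_if, src, dst):
    """Return (forwarded, translated) for one packet crossing in_if -> out_if."""
    acl = r.acl_in.get(in_if)          # an inbound ACL only sees packets arriving here
    if acl is not None and not acl_permits(acl, src, dst):
        return (False, False)
    translated = (in_if in r.nat_inside and out_if in r.nat_outside
                  and any(wc_match(src, b, w) for b, w in r.nat_list))
    return (True, translated)

INSIDE = {"Gi0/0.10", "Gi0/0.20", "Gi0/0.30", "Se0/0/0"}   # Se0/0/1 has no 'ip nat inside'
# CambridgeR as the original poster had it: ACL 101 inbound on the ISP-facing port
posted = Router(INSIDE, {"Gi0/1"}, OTHER_SITES, {"Gi0/1": ACL_101})
# Hypothetical variant: same ACL bound inbound on the serial link from Manchester
moved = Router(INSIDE, {"Gi0/1"}, OTHER_SITES, {"Se0/0/1": ACL_101})

def check():
    host, isp = "192.168.0.10", "200.0.113.2"   # constructed Manchester host, ISP router
    return {
        # request enters on Se0/0/1, where no ACL is bound: forwarded, not translated
        "posted_request": forward(posted, "Se0/0/1", "Gi0/1", host, isp),
        # reply enters on Gi0/1 with the ISP as source: no deny line matches
        "posted_reply": forward(posted, "Gi0/1", "Se0/0/1", isp, host),
        # bound where Manchester traffic arrives, the first deny line matches
        "moved_request": forward(moved, "Se0/0/1", "Gi0/1", host, isp),
        # London (192.168.12.0/23) via Se0/0/0 is still forwarded and translated
        "moved_london": forward(moved, "Se0/0/0", "Gi0/1", "192.168.12.10", isp),
        # without the final permit, a reply to the PAT address hits the implicit deny
        "deny_only_reply": acl_permits(ACL_101[:-1], isp, "200.0.113.1"),
    }

if __name__ == "__main__":
    for name, result in check().items():
        print(f"{name:16} {result}")
```

The first two results correspond to the traceroute posted earlier in the thread, which completed with ACL 101 bound inbound on GigabitEthernet0/1.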