Need help with understanding how ACL’s work.

sandman2036
Level 1

I am currently working on my CCNA and have had much trouble finding labs that dive deep into many of the subjects that I’m having trouble understanding, as well as building upon that knowledge and taking things to the next level.  So, I have decided to define my own lab exercise that should cover most of the knowledge pertaining to NAT/PAT, VLANs, trunking and a touch of routing.  I would appreciate any advice, tips and tricks to achieve the end goal of this lab.

The equipment I’m working with is as follows:

1x Cisco 3845 “R1” with a NM-32A, and a 1FE-2W

1x Cisco 2960S ”S1” 48 port switch no POE

1x Cisco WLC 4404 “WLC1”

1x Cisco ASA-5520 “ASA1”  (haven’t decided if I want to use it at this stage or save it for later)

5x available static IP addresses on a /29

Will refer to these as WAN_IP1-5 (sorry, but I don’t wish to publish my IPs publicly)

1x SUN X4-2L server with a total of 13 ports running ESXI

4x small HP machines with 5 ports running ESXi (1 of these has a VCSA machine as well).

 

The first goal is that I want to get the basics working.

This will be a ROS (router-on-a-stick) configuration.

VLAN definitions

VLAN666 - this is where the WAN lives. (Do not turn your back on this one and most certainly do not feed after midnight.)

VLAN35 - Mgmt - I would like to have this VLAN routable to VLAN25, but under no circumstances can data pass to or from any other network, including WAN interfaces.  This will be for things such as VCSA, ESXi and SSH management (basically the keys to the palace; probably going to use some port security later in the project). Small network with a small DHCP pool. Probably a /27.

VLAN25 - this is to be for general usage.  Access to the internet I would like to be through WAN_IP1.  /24 with a large DHCP pool.  50 – 100?

VLAN55 - this one is for IoT devices. Would like advice on the security concerning this one and the best practices.  This network will be for items such as game consoles, smart TVs, printers, etc.  I do know some data will have to pass between this VLAN and a few others.  I would like to use WAN_IP2 for WAN access for this VLAN.  At the very least, to get started with, I would like to pass FTP traffic from 25 to 55.  I’m thinking a /26 with a DHCP pool of 20-30.

Goals for this stage:

1) Establish VLANs 666, 35, 25 & 55

2) Establish routing between 25 & 35

3) Establish SSH access to devices in 35 from 25, including the 32 async ports on R1

4) Establish NAT on 25, 55

5) Establish FTP from 25 to 55.  At this time I don’t see a need for connections originating from 55 to be allowed to enter 25.

Questions

What is the best way to approach these goals and not make things a nightmare to move forward with when adding features such as the WLC with multiple networks and the ability to move outside access to certain networks through the ASA?  If I have missed any details that are needed to complete the goals for this stage, please don’t hesitate to inform me of my error, as well as any suggestions along the way.  Thank you for your time in advance.

 

P.S.

I will be placing all documents in my Google Drive, including config files.  Please expect some redactions.
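One way the five goals above can be expressed on R1 as a router-on-a-stick with named extended ACLs and per-VLAN PAT. This is an added example, not the poster's configuration; the subnets (10.35.0.0/27, 10.25.0.0/24, 10.55.0.0/26), the interface name GigabitEthernet0/0 and the ACL/pool names are assumptions, and `<WAN_IPn>` stands in for the unpublished /29 addresses.

```ios
! Constructed example, not the poster's config. Placeholder subnets: VLAN35 10.35.0.0/27,
! VLAN25 10.25.0.0/24, VLAN55 10.55.0.0/26; <WAN_IPn> stands for the unpublished /29 addresses.
! Router-on-a-stick subinterfaces on R1's trunk toward S1 (interface name assumed)
interface GigabitEthernet0/0.35
 encapsulation dot1Q 35
 ip address 10.35.0.1 255.255.255.224
 ip access-group VLAN35_IN in
interface GigabitEthernet0/0.25
 encapsulation dot1Q 25
 ip address 10.25.0.1 255.255.255.0
 ip access-group VLAN25_IN in
 ip nat inside
interface GigabitEthernet0/0.55
 encapsulation dot1Q 55
 ip address 10.55.0.1 255.255.255.192
 ip access-group VLAN55_IN in
 ip nat inside
interface GigabitEthernet0/0.666
 encapsulation dot1Q 666
 ip address <WAN_IP3> 255.255.255.248
 ip nat outside
! Mgmt VLAN: the router itself and VLAN25 only; the final deny covers WAN and IoT
ip access-list extended VLAN35_IN
 permit ip 10.35.0.0 0.0.0.31 host 10.35.0.1
 permit ip 10.35.0.0 0.0.0.31 10.25.0.0 0.0.0.255
 deny   ip any any log
! General VLAN: full access to mgmt (SSH etc.), FTP control only toward IoT, then Internet
ip access-list extended VLAN25_IN
 permit ip 10.25.0.0 0.0.0.255 10.35.0.0 0.0.0.31
 permit tcp 10.25.0.0 0.0.0.255 10.55.0.0 0.0.0.63 eq ftp
 deny   ip 10.25.0.0 0.0.0.255 10.55.0.0 0.0.0.63
 permit ip 10.25.0.0 0.0.0.255 any
! IoT VLAN: never toward mgmt, only TCP replies to sessions VLAN25 opened, then Internet
ip access-list extended VLAN55_IN
 deny   ip 10.55.0.0 0.0.0.63 10.35.0.0 0.0.0.31
 permit tcp 10.55.0.0 0.0.0.63 10.25.0.0 0.0.0.255 established
 deny   ip 10.55.0.0 0.0.0.63 10.25.0.0 0.0.0.255
 permit ip 10.55.0.0 0.0.0.63 any
! PAT: VLAN25 behind WAN_IP1, VLAN55 behind WAN_IP2; VLAN35 is deliberately left out
ip access-list standard NAT_VLAN25
 permit 10.25.0.0 0.0.0.255
ip access-list standard NAT_VLAN55
 permit 10.55.0.0 0.0.0.63
ip nat pool WAN1 <WAN_IP1> <WAN_IP1> netmask 255.255.255.248
ip nat pool WAN2 <WAN_IP2> <WAN_IP2> netmask 255.255.255.248
ip nat inside source list NAT_VLAN25 pool WAN1 overload
ip nat inside source list NAT_VLAN55 pool WAN2 overload
```

Because VLAN25_IN only opens TCP 21, passive-mode FTP data connections toward VLAN55 will fail; on IOS the usual remedy is CBAC (`ip inspect name LAB ftp` applied to the VLAN25 subinterface), which opens the data channel dynamically and tracks state, unlike the `established` keyword, which only checks TCP flags. If R1 is also the DHCP server for these VLANs, add `permit udp any eq bootpc any eq bootps` at the top of VLAN35_IN and VLAN55_IN, since inbound ACLs also apply to traffic addressed to the router.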

 
