Showing posts with label Config Router. Show all posts

Friday, September 11, 2009

ICND 2 - Nat Sim Question

Here you will find answers to SIMULATION Questions 
Question:
A network associate is configuring a router for the Weaver company to provide Internet access. The ISP has provided the company six public IP addresses, 198.18.184.105 – 198.18.184.110. The company has 14 hosts that need to access the Internet simultaneously. The hosts in the company LAN have been assigned private space addresses in the range of 192.168.100.17 – 192.168.100.30.
The following have already been configured on the router:
- The basic router configuration
- The appropriate interfaces have been configured for NAT inside and NAT outside
- The appropriate static routes have also been configured (since the company will be a stub network, no routing protocol will be required.)
- All passwords have been temporarily set to "cisco"
Solution:

The company has 14 hosts that need to access the Internet simultaneously, but we have only 6 public IP addresses, from 198.18.184.105 to 198.18.184.110/29. Therefore we have to use NAT overload (or PAT).
Double-click on the Weaver router to open it:
Router>enable
Router#configure terminal

First you should change the router's name to Weaver
Router(config)#hostname Weaver
Create a NAT pool of global addresses to be allocated with their netmask.

Weaver(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248
Create a standard access control list that permits the addresses that are to be translated
Weaver(config)#access-list 1 permit 192.168.100.16 0.0.0.15

Establish dynamic source translation, specifying the access list that was defined in the prior step
Weaver(config)#ip nat inside source list 1 pool mypool overload
This command translates every source address that passes access list 1, that is, a source address from 192.168.100.17 to 192.168.100.30, into an address from the pool named mypool (the pool contains addresses from 198.18.184.105 to 198.18.184.110).
The overload keyword allows multiple IP addresses to be mapped to a single registered IP address (many-to-one) by using different ports.

The question said that appropriate interfaces have been configured for NAT inside and NAT outside statements.
This is how to configure the NAT inside and NAT outside, just for your understanding:
Weaver(config)#interface fa0/0
Weaver(config-if)#ip nat inside
Weaver(config-if)#exit
Weaver(config)#interface s0/0
Weaver(config-if)#ip nat outside
Weaver(config-if)#end
Finally, save your work with the following command:
Weaver#copy running-config startup-config

Check your configuration by going to "Host for testing" and type:
C:\>ping 192.0.2.114
The ping should succeed, with replies coming from 192.0.2.114.
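A consistency check for the three commands in the solution above, as an added example (not part of the original post and not a Cisco tool): it applies the IOS wildcard-mask rule to confirm that access list 1 matches every host from 192.168.100.17 to 192.168.100.30, that the pool fits its netmask, and that overload is present when hosts outnumber pool addresses. The function names parse, acl_matches and check are illustrative.

```python
import ipaddress
import re

# The three IOS commands from the solution above, copied from the page.
CONFIG = """\
ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248
access-list 1 permit 192.168.100.16 0.0.0.15
ip nat inside source list 1 pool mypool overload
"""

def parse(config):
    """Extract the NAT pool, the ACL match range and the overload flag."""
    pool = re.search(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)", config)
    acl = re.search(r"access-list (\d+) permit (\S+) (\S+)", config)
    nat = re.search(r"ip nat inside source list (\d+) pool (\S+)( overload)?", config)
    ip = ipaddress.ip_address
    return {
        "pool_name": pool.group(1),
        "pool_first": ip(pool.group(2)), "pool_last": ip(pool.group(3)),
        "pool_mask": pool.group(4),
        "acl_id": acl.group(1),
        "acl_base": ip(acl.group(2)), "acl_wildcard": ip(acl.group(3)),
        "nat_acl": nat.group(1), "nat_pool": nat.group(2),
        "overload": nat.group(3) is not None,
    }

def acl_matches(host, base, wildcard):
    """IOS wildcard logic: bits set to 0 in the wildcard must equal the base."""
    care = ~int(wildcard) & 0xFFFFFFFF
    return int(host) & care == int(base) & care

def check(config, first_host, last_host):
    """Return a list of problems; an empty list means the NAT config is consistent."""
    c, problems = parse(config), []
    lo, hi = (int(ipaddress.ip_address(a)) for a in (first_host, last_host))
    hosts = [ipaddress.ip_address(n) for n in range(lo, hi + 1)]
    missed = [str(h) for h in hosts if not acl_matches(h, c["acl_base"], c["acl_wildcard"])]
    if missed:
        problems.append(f"ACL {c['acl_id']} does not match: {', '.join(missed)}")
    net = ipaddress.ip_network(f"{c['pool_first']}/{c['pool_mask']}", strict=False)
    if (c["pool_last"] not in net or c["pool_last"] == net.broadcast_address
            or c["pool_first"] == net.network_address):
        problems.append(f"pool {c['pool_name']} is not usable host space within {net}")
    if (c["nat_acl"], c["nat_pool"]) != (c["acl_id"], c["pool_name"]):
        problems.append("ip nat inside source references a different ACL or pool")
    pool_size = int(c["pool_last"]) - int(c["pool_first"]) + 1
    if len(hosts) > pool_size and not c["overload"]:
        problems.append(f"{len(hosts)} hosts share {pool_size} addresses but overload is missing")
    return problems
```

Calling check(CONFIG, "192.168.100.17", "192.168.100.30") returns an empty list for the configuration as written; dropping the overload keyword or narrowing the wildcard to 0.0.0.7 produces a finding.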

Thursday, August 13, 2009

Backing Up and Restoring Cisco Configuration


Backing Up the Cisco Router Configuration
To copy the router’s configuration from a router to a TFTP server, you can use either the copy running-config tftp or the copy startup-config tftp command. The first backs up the configuration that’s currently running in DRAM; the second backs up the one that’s stored in NVRAM.
Verifying the Current Configuration
To verify the configuration in DRAM, use the show running-config command (sh run for short) like this:
Router#sh run
Building configuration…
Current configuration:
!
version 12.0
The current configuration information indicates that the router is now running version 12.0 of the IOS.
Verifying the Stored Configuration
Next, you should check the configuration stored in NVRAM. To see this, use the show startup-config command (sh start for short) like this:
Router#sh start
Using 366 out of 32762 bytes
!
version 11.2
The second line shows you how much room your backup configuration is using. Here, we can see that NVRAM is 32KB and that only 366 bytes of it are used.
Copying the Current Configuration to NVRAM
By copying running-config to NVRAM as a backup, as shown in the following output, you’re assured that your running-config will always be reloaded if the router gets rebooted. In the new IOS version 12.0, you’re prompted for the filename you want to use. And since the version of IOS was 11.2 the last time a copy run start was performed, the router will tell us that it’s going to replace that file with the new 12.0 version:


Router#copy run start
Destination filename [startup-config]?[Enter]
Warning: Attempting to overwrite an NVRAM configuration previously written by a different version of the system image.
Overwrite the previous NVRAM configuration?[confirm][Enter]
Building configuration… [OK]
Now when you run show startup-config, the version shows 12.0:

Router#sh start
Using 487 out of 32762 bytes
!
version 12.0
Copying the Configuration to a TFTP Server
Once the file is copied to NVRAM, you can make a second backup to a TFTP server by using the copy running-config tftp command (copy run tftp for short), like this:

Router#copy run tftp
Address or name of remote host []?192.168.0.120
Destination filename [router-confg]?backup-config
!!
487 bytes copied in 12.236 secs (40 bytes/sec)
Router#
Notice that this took only two exclamation points (!!)–which means that 20 packets have been transferred (10 for each exclamation point).
Restoring the Cisco Router Configuration
If you’ve changed your router’s running-config file and want to restore the configuration to the version in the startup-config file, the easiest way to do this is to use the copy startup-config running-config command (copy start run for short). You can also use the older Cisco command config mem to restore a configuration. Of course, this will work only if you first copied running-config into NVRAM before making any changes!
If you did copy the router’s configuration to a TFTP server as a second backup, you can restore the configuration using the copy tftp running-config command (copy tftp run for short) or the copy tftp startup-config command (copy tftp start for short), as shown below (remember that the old command that provides this function is config net):
Router#copy tftp run
Address or name of remote host []?192.168.0.120
Source filename []?backup-config
Destination filename [running-config]?[Enter]
Accessing tftp://192.168.0.120/backup-config…
Loading backup-config from 192.168.0.120 (via Ethernet0):
!!
[OK - 487/4096 bytes]
487 bytes copied in 5.400 secs (97 bytes/sec)
Router#
00:38:31: %SYS-5-CONFIG: Configured from tftp://192.168.0.120/backup-config

Router#

The configuration file is an ASCII text file, meaning that before you copy the configuration stored on a TFTP server back to a router, you can make changes to the file with any text editor.
Erasing the Configuration
To delete the startup-config file on a Cisco router, use the command erase startup-config, like this:

Router#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm][Enter]
[OK]
Erase of nvram: complete
Router#
This command deletes the contents of NVRAM on the router, so the next time the router boots, it’ll run the setup mode.


Cisco Router Interfaces

To make changes to an interface, you use the interface command from global configuration mode:
Router(config)#interface ?
Async Async interface
BVI Bridge-Group Virtual Interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Group-Async Async Group interface
Lex Lex interface
Loopback Loopback interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Serial Serial Interface
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing Interface
range interface range command
Router(config)#interface fastethernet 0/0
Router(config-if)#
Did you notice that the prompt changed to Router(config-if)#? This tells you that you’re in interface configuration mode. And wouldn’t it be nice if the prompt also gave you an indication of what interface you were configuring? Well, at least for now we’ll have to live without the prompt information, because it doesn’t.

Wednesday, August 12, 2009

Setting Up Cisco Router Passwords


There are five passwords used to secure your Cisco routers: console, auxiliary, telnet (VTY), enable password, and enable secret. The two enable passwords (enable password and enable secret) are used to secure privileged mode; the router prompts a user for a password when the enable command is used. The other three are used to configure a password when user mode is accessed either through the console port, through the auxiliary port, or via Telnet.
Enable Passwords
You can set the enable passwords from global configuration mode like this:
Router(config)#enable ?
last-resort Define enable action if no TACACS servers respond
password Assign the privileged level password
secret Assign the privileged level secret
use-tacacs Use TACACS to check enable passwords
The following points describe the enable password parameters:
Last-resort Allows you to still enter the router if you set up authentication through a TACACS server and it’s not available. But it isn’t used if the TACACS server is working.
Password Sets the enable password on older, pre-10.3 systems, and isn’t ever used if an enable secret is set.
Secret Is the newer, encrypted password that overrides the enable password if it’s set.
Use-tacacs This tells the router to authenticate through a TACACS server. It’s convenient if you have anywhere from a dozen to multitudes of routers, because, well, would you like to face the fun task of changing the password on all those routers? If you’re sane, no, you wouldn’t. So instead, just go through the TACACS server, and you only have to change the password once—yeah!
Here’s an example of setting the enable passwords:
Router(config)#enable secret your-password
Router(config)#enable password your-password

The enable password you have chosen is the same as your enable secret. This is not recommended. Re-enter the enable password.
If you try to set the enable secret and enable passwords the same, the router will give you a nice, polite warning to change the second password. If you don’t have older legacy routers, don’t even bother to use the enable password.
User-mode passwords are assigned by using the line command:
Router(config)#line ?
<0-70> First Line number
aux Auxiliary line
console Primary terminal line
tty Terminal controller
vty Virtual terminal
x/y Slot/Port for Modems
Here are the lines to be concerned with:
aux Sets the user-mode password for the auxiliary port. It’s usually used for attaching a modem to the router, but it can be used as a console as well.
console Sets a console user-mode password.
vty Sets a Telnet password on the router. If this password isn’t set, then Telnet can’t be used by default.
To configure the user-mode passwords, you configure the line you want and use either the login or no login command to tell the router to prompt for authentication.
Auxiliary Password
To configure the auxiliary password, go into global configuration mode and type line aux ?.
You can see here that you only get a choice of 0–0 (that’s because there’s only one port):
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux ?
<0-0> First Line number
Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password your-password

Console Password
To set the console password, use the line console 0 command. But look at what happened when I tried to type line console 0 ? from the aux line configuration–I received an error. You can still type line console 0 and it will accept it, but the help screens just don’t work from that prompt. Type exit to get back one level and you’ll find that your help screens now work. This is a “feature.” Really.
Here’s the example:
Router(config-line)#line console ?
% Unrecognized command
Router(config-line)#exit
Router(config)#line console ?
<0-0> First Line number
Router(config)#line console 0
Router(config-line)# password your-password
Router(config-line)# login

Two other commands are useful on the console line. The first, exec-timeout 0 0, sets the timeout for the console EXEC session to zero, which basically means to never time out. The default timeout is 10 minutes. (If you’re feeling mischievous, try this on people at work: Set it to 0 1. That will make the console time out in 1 second! And to fix it, you have to continually press the Down arrow key while changing the timeout time with your free hand!)
The second, logging synchronous, is a very cool command, and it should be a default command, but it’s not. It stops annoying console messages from popping up and disrupting the input you’re trying to type. The messages still pop up, but you are returned to your router prompt without your input interrupted. This makes your input messages oh-so-much easier to read.
Here’s an example of how to configure both commands:
Router(config)#line con 0
Router(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
Router(config-line)#exec-timeout 0 ?
<0-2147483> Timeout in seconds

Router(config-line)#exec-timeout 0 0
Router(config-line)#logging synchronous

Telnet Password
To set the user-mode password for Telnet access into the router, use the line vty command.
Routers that aren’t running the Enterprise edition of the Cisco IOS default to five VTY lines, 0 through 4. But if you have the Enterprise edition, you’ll have significantly more. The best way to find out how many lines you have is to use that question mark:
Router(config-line)#line vty 0 ?
<1-4> Last Line Number

Router(config-line)#line vty 0 4
Router(config-line)# password your-password
Router(config-line)# login

Encrypting Your Passwords
Because only the enable secret password is encrypted by default, you’ll need to manually configure the user-mode and enable passwords for encryption.
To manually encrypt your passwords, use the service password-encryption command. Here’s an example of how to do it:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#service password-encryption
Router(config)#^Z

Here is an example of how you might set and encrypt your Telnet password under the CCNA objectives:
1. Enter the mode to configure telnet access: line vty 0 4
2. Enable Telnet login: login
3. Set the password to cisco: password cisco
4. Return to global configuration mode: exit
5. Encrypt password in show run/start output: service password-encryption
Here are the commands in order:
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password cisco
Router(config-line)#exit
Router(config)#service password-encryption

Remember that the CCNA objectives may require that you use the login command before you set the VTY password, or you may just need to set it after the password.
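An audit of the password settings covered in this post, as an added example (not part of the original post and not a Cisco tool): it reads a saved configuration and reports a legacy enable password, line passwords stored in clear text, lines where login is disabled or has no password behind it, and exec-timeout 0 0. The SAMPLE configuration is constructed for the example and the function name audit is illustrative.

```python
import re

# Constructed running-config excerpt (not taken from a real router); it combines
# the settings the post walks through so each check has something to find.
SAMPLE = """\
enable secret 5 $1$constructed$hashvalue
enable password cisco
line con 0
 exec-timeout 0 0
 logging synchronous
 password cisco
 login
line aux 0
 password your-password
 no login
line vty 0 4
 login
"""

def audit(config):
    """Return (section, finding) tuples for the password settings in the post."""
    findings, line_cfg, section = [], {}, None
    text = config.splitlines()
    for raw in text:
        if raw.startswith("line "):          # start of a line (con/aux/vty) block
            section = raw.strip()
            line_cfg[section] = []
        elif raw.startswith(" ") and section:  # indented sub-command of that block
            line_cfg[section].append(raw.strip())
        else:
            section = None
    if not any(ln.startswith("enable secret") for ln in text):
        findings.append(("global", "no enable secret set"))
    if any(ln.startswith("enable password") for ln in text):
        findings.append(("global", "legacy enable password present"))
    encrypt = "service password-encryption" in text
    for name, body in line_cfg.items():
        pw = [ln for ln in body if ln.startswith("password ")]
        if "exec-timeout 0 0" in body:
            findings.append((name, "EXEC session never times out"))
        if "no login" in body:
            findings.append((name, "login disabled, no password prompt"))
        elif "login" in body and not pw:
            findings.append((name, "login set without a password"))
        # "password 7 ..." / "password 5 ..." means the value is already encoded
        if pw and not encrypt and not re.match(r"password [57] ", pw[0]):
            findings.append((name, "password stored in clear text"))
    return findings
```

service password-encryption applies Cisco's reversible type 7 encoding, so the clear-text check only confirms that passwords are hidden from casual viewing of show run output, not that a copied configuration file is safe to share.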
